Former RSA chief scientist Ari Juels has outlined a cunning way to foil crackers: let them think they've busted into a system and then give them fake data to play with.
The idea is not entirely novel because Juels last year proposed a scheme he called “Honeywords” in this paper, co-authored with RSA founder Ronald Rivest. Honeywords is a kind of “security by obscurity”, but in a good way: instead of an attacker stealing a table that has one password per user, the password table has the real password as well as a bunch of fakes – the “honeywords” – for each user.
More ReadingNew password system lets planet Earth do the hard workCEO Marissa Mayer puts on brave face as Yahoo! shows another lossTech giants CAN disclose US spooks' data demands - but with heavy restrictionsFancy a little kinky sex? GCHQ+NSA will know - thanks to ANGRY BIRDSLavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike
As well as putting a potential fog of confusion in front of an attacker, a system could be setup to raise an alarm on attempts to log in using the honeywords, because that's a reliable indicator that the password table has been accessed.
Juels' new “Honey Encryption” proposal, with co-developer Thomas Ristenpart of the University of Wisconsin, takes this idea a step further, be refining a systems' response to unauthorised access attempts: instead of a login failure, the attacker would be served up fake data that resembles real data.
As MIT Review reports, even if an attacker eventually hits upon the right user ID / password combination, “the real data should be lost amongst the crowd of spoof data.”
For example, ten thousand attempts to get a credit card number would yield ten thousand fake-but-plausible numbers, leaving the attacker with the job of testing the validity of each number. Even better: if an attacker was trying to access a system's password store, each attempt failed at a master password would yield fake data.
MIT Review says Juels is now working on the code for a fake password vault generator for use with the Honey Encryption scheme. ®