Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honey Encryption: Security Beyond the Brute-Force Bound

Published byLoraine Thomas Modified over 9 years ago

Similar presentations

Presentation on theme: "Honey Encryption: Security Beyond the Brute-Force Bound"— Presentation transcript:

1 Honey Encryption: Security Beyond the Brute-Force Bound
Authors: Ari Juels, Thomas Ristenpart Presented by: Shengye Wan Some slides come from Thomas Ristenpart and Tuan Tran

2 Problem– A Simple Case Password Manager

3 Problem– A Simple Case (Cont’d)
Cracking a password manager: Brute-force Attack

4 Problem– Other Cases Information leakage caused by cracking encrypted database: biggest hacking case in China’s Internet history, 6 million users RSA secret keys: 100, , 9883, 16 Cookies, other bearer tokens, other: authentication values Non-authentication related? English language text

5 Threat Model Password-Based Encryption (PBE)
low-entropy or weak secrets, most commonly user-chosen passwords Message-Recover(MR) attack --The attacker could use brute-force to guess the password --Once the attacker decrypt one message successfully, he or she could get much more information.

6 Outline Threat Model Related Work Motivation Intro & Framework
Technical Details Result Conclusion Discussion

7 Related Work– Hashing and Salt
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output is stored with the salt in a database. Salt only slows down attacks by constant factor.

8 Related Work– Recent Research
Kamouflage system --It conceals a true password vault encrypted under a true master password among N bogus vaults encrypted under bogus master passwords. Kamouflage requires O(N) storage. Comparison 1) With a suitable DTE, HE offers the possibility of realizing similar functionality and security with O(1) storage. 2) HE doesn’t need to prepare plausible decoys.

9 Motivation– Decoys Decoys, fake objects that look real.
Honeypots, fake computer systems intended to attract and study attacks. Honeytokens, which are data objects whose use signals a compromise. Honeywords, a system encompassing the use of passwords as honeytokens. False documents, false network traffic, and many variants.

10 Motivation– Password Distribution

11 Motivation– Idea Case Always return a password looks like the true password

12 Introduction Honey Encryption(HE) Providing MR security
Providing semantic security (when keys are sufficiently unpredictable and adversaries are computationally bounded) --For any probabilistic, polynomial-time algorithm (PPTA): Information determined by ciphertext of m + m’s length = Information determined only by m’s length (taken from any distribution of messages)

13 Introduction (Cont’d)
Same API as password-based encryption scheme HE uses special encodings to ensure that decrypting ciphertext with wrong key yields fresh sample from designer’s estimate of message distribution. compact ciphertexts (unlike explicitly stored decoys) Good encoding: Attacker provably can’t pick out right message

14 Framework Encryption maps a key and message to a ciphertext.
Decryption recovers messages from ciphertexts. With the wrong key, decryption will emit a plaintext that “looks” plausible. Its cornerstone is distribution-transforming encoder (DTE).

15 Technical Details Encrypting a message M involves a two-step procedure. 1)Applying DTE to M to obtain a seed S. 2)Encrypting the seed S using the key K, yielding an HE ciphertext C. Conventional encryption scheme must have message space equal to the seed space. All ciphertexts must decrypt under any key to a valid seed.

16 Technical Details– Working Flow
Using hash value to encrypt/decrypt a prime number

17 Working Flow (Cont’d) Using hash value to encrypt/decrypt a prime number

18 Distribution-Transforming Encoder
A pair DTE = (encode, decode) of algorithms. encode takes as input a message m ∈ M and outputs a value in a set S, the seed space. decode takes as input a value s ∈ S and outputs a message m ∈ M. An important attribution for DTE: Pr[decode(encode(M)) = M] = 1.

19 DTE (Cont’d) A DTE encodes a priori knowledge of the message distribution pm. Applying the decode to uniformly sampled seed provides sampling close to that of a target distribution pm. A secure DTE is such that attacker can not distinguish: A pair (m, s) generated by selecting m from pm and encoding it to obtain seed s. A pair (m, s) generated by selecting a seed s uniformly at random and decoding it to obtain message M.

20 Inverse sampling DTE Let Fm be the cumulative distribution function associated with a known message distribution pm. Inverse sampling picks a value according to pm by selecting S ∈ S = [0,1) and outputs Mi such that Fm(Mi−1) ≤ S < Fm(Mi). For input message Mi: Encodes by picking uniformly from the range [Fm(Mi−1), Fm(Mi)) Decodes by computing Fm-1(S).

21 Result By using HE, no attacker A can recover correct message with probability better than 1/2μ . Brute force bound: q/c2μ. q: attacking times c: constant factor c, c=10,000 μ: min-entropy of password

22 Conclusion Low-entropy secrets -> resources vulnerable.
HE yields plausible looking plaintexts under decryption with invalid keys. HE never provides worse security than existing PBE schemes. More generally, for human-generated messages (password vaults, e- mail, etc.), estimation of message distributions via DTEs is interesting as a natural language processing problem.

23 Discussion HE security does not hold when the adversary has some side information about the target message. Typos in passwords might confuse legitimate users in some settings. When DTE is poor, HE security falls back to normal PBE security.

24 Quiz For what scenario or application, HE could make a great contribution? Why do we want to know the distribution of messages? When do we call a DTE scheme correct?

25 Shengye Wan Department of Computer Science College of William and Mary
Thank You! Shengye Wan Department of Computer Science College of William and Mary

Download ppt "Honey Encryption: Security Beyond the Brute-Force Bound"

Similar presentations

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
Public Key Encryption Algorithm

Public Key Encryption Algorithm
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.

Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

Similar presentations

Ads by Google