D. Honey Encryption

Honey Encryption (HE) aims to prevent an adversary from learning anything from a ciphertext that helps them recover the plaintext, even when the key is weak. For security beyond the brute-force bound, it guarantees that decrypting the ciphertext with an incorrect key yields a plausible-looking plaintext, so the attacker cannot readily tell whether a decryption attempt has succeeded. Cracking a weak password normally means an offline brute-force attack: try candidate passwords and check whether the output looks like the real plaintext. HE removes that check, which makes it hard to verify a successful decryption even when a weak password was used, and so blunts offline brute-force attacks.

Its primary security aim is to prevent an attacker from recovering the original plaintext from a ciphertext with a high degree of certainty. With conventional encryption this requires that the key have high entropy, and message recovery is only as hard as guessing the key. With HE, message recovery security can still be established even when both the message and the key are low-entropy, provided the encoder models the message distribution accurately. Semantic security may be achieved by using HE if the key is

III. CURRENT STATE OF THE ART

A. Credit Card Details and RSA Secret Keys

Several real-world applications of HE are given in [2]. The first is credit card numbers, PINs and CVVs, which suit HE well because the message space is highly structured. The case for protecting such data is strengthened by the size of the card-fraud economy and the increasing skill of the criminals behind it. With PBE-protected card data, a brute-force attacker can recognise when a trial decryption has produced the correct plaintext, because an incorrect key produces output that does not look like card data; under HE every trial decryption produces a valid-looking card number.

HE for RSA secret keys is also demonstrated. Users are advised to encrypt their private keys under PBE in case of a data breach, but because a private key has a recognisable structure, an attacker who obtains the encrypted key can mount an offline brute-force attack and recognise the correct password the moment a structurally valid key appears; HE is designed to deny the attacker that signal. The authors support their examples with formal security proofs and also discuss deployment issues. Because decryption under the wrong password yields a plausible result rather than an error, a user must make sure the password is entered correctly to obtain valid output.
B. Generic Alphabet and Simple Messaging System

The credit card HE scheme has been implemented in practice by researchers in [6]. They do not assume that outputs must be English words; instead they provide a general HE scheme for an alphabet such as a-z, so that decrypting the ciphertext of a message M = "aabb" with an incorrect key K may produce "bcde". A large hash table was considered, but the researchers chose instead to exploit the independence of each letter, modelling the letters as independently distributed symbols. Because modelling free English text this way is infeasible, they then built a simple messaging scheme with a simple format: questions and replies.

There are about 2^154 distinct relevant meanings in English even when sentences are confined to 140 characters. More challenging still, English has many dependencies and grammatical restrictions. When the response is limited to yes-or-no, as in this implementation, questions and responses can be described with a simple structure; by combining the Natural Language Toolkit (nltk) with a bespoke probability distribution function they could generate over 100,000,000 distinct phrases. The code for all three implementations is available in [6].

C. Kamouflage and NoCrack

Kamouflage provides cracking resistance for password vaults by storing, alongside the real vault, N - 1 decoy vaults encrypted under decoy master passwords. Although Kamouflage's design appears to meet its security objectives, researchers in [3] found flaws that reduce its security below that of standard PBE. First, decoy master passwords follow the same template as the real one, so an offline brute-force attack that recovers any master password (genuine or decoy) discloses the template. Second, decoy master passwords are chosen uniformly from that template, which creates a further weakness: because the decoys' distribution differs from that of real users' passwords, an attacker who tries candidates in order of popularity is likely to reach the correct password quickly. Exploiting these two flaws, the researchers crack the vault with less effort than PBE would require: breaking a Kamouflage vault takes only 44 per cent of the work PBE demands for N = 10^3, and 24 per cent for N = 10^4.

The lesson is that decoys must not leak information about the real password. Beyond breaking Kamouflage, the researchers developed NoCrack, a honey-vault service comparable to commercial password vaults such as LastPass. To avoid introducing such vulnerabilities they carefully designed and implemented an HE scheme, obtaining the security benefits of HE with minimal performance overhead. NoCrack is open-source software; its code can be found at [14].

... messages. The honey messages are made to look like real chat conversations by building the model from text corpora such as movie scripts, which contain a lot of dialogue and little description.

A demonstration of the software in action shows how a recipient with the right password decrypts and decodes chat messages correctly, while an attacker who intercepts the traffic and attempts to decrypt it with an incorrect password is presented with a set of false but convincing messages. These tests show the difference between decryption under the right key and under a wrong key. According to their experimental study, Honey Chatting's effectiveness depends on several factors, including message length.

E. GenoGuard

Researchers have developed GenoGuard, a system that employs HE to safeguard genomic data. Genomic data is increasingly processed for healthcare, research, consumer services, and legal or forensic purposes, and large corporations such as Google offer cloud platforms to store, analyse and share it. The potential for scientific and medical progress is enormous, but the security and privacy of the data is a serious concern.

In the wrong hands, personal genetic data could be used by insurers and employers to discriminate against workers or to deny treatment to patients, or even for blackmail. Long-term secure storage of genomic data is particularly hard: the data can be traced back to family members, so it stays sensitive well beyond one person's lifetime, while the passwords that protect it today may become cheap to crack as computing power and password cracking tools improve. Most earlier HE research and implementations relied on simple plaintext structures such as credit card data and encryption keys; this is now changing, and the GenoGuard authors acknowledged the challenge of building an HE scheme for a far more complex structure such as genomic data. GenoGuard encodes the genome with a novel tree-based DTE and then encrypts it under a password chosen by the patient. It also accounts for an adversary who uses genotype-phenotype correlations, a form of side-channel information, to narrow down a victim's genome; in this respect GenoGuard's protection goes beyond that of a plain HE scheme.

When an attacker obtains a patient's encrypted genome and tries to decrypt it with the wrong password, GenoGuard produces an incorrect but convincing genomic sequence. The system was shown to be efficient enough for direct-to-consumer (DTC) service providers to store genomes securely. Developing an efficient and precise DTE was the main challenge for the GenoGuard authors, who expressed the hope that their work would encourage other researchers to build HE schemes for real, specific use cases.
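Before moving on to the discussion, an added worked example in Python that ties together the HE definition of II.D, the structured message spaces of III.A and III.B, and the password-checksum approach to typo-safety raised in the next subsection. It is illustration code written for this survey, not code from [2], [6] or any of the systems above. The keystream construction (PBKDF2 plus HMAC-SHA256 in counter mode), the 16-bit seed slice per symbol, the letter weights and the password "hunter2" are all assumptions of the example.

```python
"""Toy honey encryption (HE) for structured message spaces.
Added illustration for this survey, not code from [2] or [6]. It shows a
DTE for fixed-length strings of independent symbols (uniform digits model
a PIN/CVV, a skewed a-z table models the generic-alphabet scheme), HE as
"DTE seed XOR password-derived keystream", and a k-bit password checksum
as a typo-safety aid together with the cost it carries. The keystream
construction and the 16-bit seed slice per symbol are assumptions."""
import hashlib
import hmac
import os

SLICE_BITS = 16                # seed bits per symbol (assumed precision)
SLICE_SPACE = 1 << SLICE_BITS


class IndependentSymbolDTE:
    """Each symbol owns a sub-range of [0, 2^16) proportional to its
    probability. encode() picks a uniform random point in the symbol's
    sub-range, decode() maps a point back to its owner, so a uniformly
    random seed decodes to a message with the modelled distribution."""

    def __init__(self, weights, length):
        self.length, self.symbols, self.bounds = length, list(weights), {}
        total, acc = float(sum(weights.values())), 0.0
        for i, sym in enumerate(self.symbols):
            lo = int(acc * SLICE_SPACE)
            acc += weights[sym] / total
            hi = SLICE_SPACE if i == len(self.symbols) - 1 else int(acc * SLICE_SPACE)
            if hi <= lo:
                raise ValueError(f"symbol {sym!r} has no room at {SLICE_BITS} bits")
            self.bounds[sym] = (lo, hi)

    def encode(self, msg):
        if len(msg) != self.length:
            raise ValueError("message length does not match the DTE")
        seed = bytearray()
        for ch in msg:
            lo, hi = self.bounds[ch]     # KeyError for out-of-alphabet symbols
            # uniform in [lo, hi); modulo bias on 32 random bits is negligible
            point = lo + int.from_bytes(os.urandom(4), "big") % (hi - lo)
            seed += point.to_bytes(2, "big")
        return bytes(seed)

    def decode(self, seed):
        out = []
        for i in range(self.length):
            point = int.from_bytes(seed[2 * i:2 * i + 2], "big")
            out.append(next(s for s, (lo, hi) in self.bounds.items() if lo <= point < hi))
        return "".join(out)


def keystream(password, salt, n):
    """Password-derived keystream with deliberately NO authentication tag:
    an integrity check over the seed would tell a brute-forcer which
    password is right, which is exactly what HE must avoid."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2_000)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def he_encrypt(dte, password, msg):
    salt, seed = os.urandom(16), dte.encode(msg)
    return salt + bytes(a ^ b for a, b in zip(seed, keystream(password, salt, len(seed))))


def he_decrypt(dte, password, ct):
    salt, body = ct[:16], ct[16:]
    return dte.decode(bytes(a ^ b for a, b in zip(body, keystream(password, salt, len(body)))))


def password_checksum(password, salt, bits=4):
    """k-bit typo-safety tag stored beside the ciphertext. A mistyped
    password is rejected with probability 1 - 2^-k, but an attacker can
    discard wrong guesses at the same rate: the tag costs k bits of
    brute-force margin, so keep k small."""
    digest = hashlib.sha256(b"tag" + salt + password.encode()).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << bits) - 1)


def surviving_guesses(candidates, salt, tag, bits=4):
    """Guesses an attacker still has to try after filtering on the tag."""
    return [p for p in candidates if password_checksum(p, salt, bits) == tag]


# Two message spaces: a 4-digit PIN (uniform) and four letters from a
# skewed alphabet; the letter weights are constructed for this example.
PIN_DTE = IndependentSymbolDTE({d: 1 for d in "0123456789"}, length=4)
LETTER_WEIGHTS = {c: 1 for c in "abcdefghijklmnopqrstuvwxyz"}
LETTER_WEIGHTS.update({"e": 12, "t": 9, "a": 8, "o": 7, "i": 7, "n": 7})
WORD_DTE = IndependentSymbolDTE(LETTER_WEIGHTS, length=4)

if __name__ == "__main__":
    ct = he_encrypt(PIN_DTE, "hunter2", "4931")
    print("right password ->", he_decrypt(PIN_DTE, "hunter2", ct))
    for guess in ("123456", "password", "letmein"):
        print("wrong password", guess, "->", he_decrypt(PIN_DTE, guess, ct))
    ct = he_encrypt(WORD_DTE, "hunter2", "aabb")
    print("wrong key on 'aabb' ->", he_decrypt(WORD_DTE, "qwerty", ct))
```

Every wrong password decrypts the PIN ciphertext to some four-digit string and the "aabb" ciphertext to some four-letter string drawn from the modelled distribution, so a brute-forcer gets no signal from the output itself; the only thing that leaks is whatever the k-bit checksum reveals, which is why a deployment must weigh typo-safety against the bits of margin the tag gives away.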
A. Typo-safety

A significant concern with HE implementations is typo safety. If the user mistypes the password during decryption, they are presented with incorrect but plausible-looking data rather than an error. For example, a system administrator decrypting a list of usernames and passwords for a website they control would, after a typo, receive convincing-looking but wrong credentials, and might not realise the plaintext is wrong until they have taken further action, such as migrating the erroneous data to another server. Some typo-safety solutions exist, such as checksums [2] or dynamic security layers [3], but any such check must be designed carefully: a checksum that reliably tells the legitimate user the password was mistyped tells an attacker the same thing, so a k-bit password checksum costs roughly k bits of the brute-force advantage HE is meant to provide. The topic deserves further exploration.

B. Honey Encryption Applications

Because a DTE must be built for each use case, HE is still a relatively new idea with limited practical applicability so far. Only a few HE implementations address sophisticated natural English, and the development of DTEs for highly structured data deserves more attention. The Kamouflage case [3] shows that what appears to be a secure use of HE can degrade security below conventional PBE if the design is not verified by simulating attacks against it.

V. CONCLUSION

Weak passwords in PBE are a persistent concern in computer security and will remain one for many years. Combined with improvements in computing speed, password cracking techniques are expected to keep improving, allowing more encrypted data to be broken by brute force. HE offers a remedy to this dilemma. In this work we presented the idea of HE to show how traditional PBE can be made more secure, discussed some of the most advanced research in this field, and surveyed the practical implementations created to date.

REFERENCES

[1] Ieeexplore.ieee.org. 2021. Honey Encryption: Encryption beyond the Brute-Force Barrier. [online] Available at: <http://ieeexplore.ieee.org/abstract/document/6876246/> [Accessed 13 August 2021].

[2] Juels, A. and Ristenpart, T., 2021. Honey Encryption: Security Beyond the Brute-Force Bound.

[3] Ieeexplore.ieee.org. 2021. Cracking-Resistant Password Vaults Using Natural Language Encoders. [online] Available at: <http://ieeexplore.ieee.org/abstract/document/7163043/> [Accessed 13 August 2021].

[4] Dl.acm.org. 2021. A bodyguard of lies | Proceedings of the 19th ACM symposium on Access control models and technologies. [online] Available at: <http://dl.acm.org/citation.cfm?id=2613088> [Accessed 13 August 2021].

[5] Dl.acm.org. 2021. Honeywords | Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. [online] Available at: <http://dl.acm.org/citation.cfm?id=2516671> [Accessed 13 August 2021].

[6] Courses.csail.mit.edu. 2021. [online] Available at: <https://courses.csail.mit.edu/6.857/2016/files/tyagi-wang-wen-zuo.pdf> [Accessed 14 August 2021].

[7] Ieeexplore.ieee.org. 2021. Honey chatting: A novel instant messaging system robust to eavesdropping over communication. [online] Available at: <http://ieeexplore.ieee.org/abstract/document/7472064> [Accessed 14 August 2021].