Breaches of databases with millions of passwords are becoming a commonplace threat to consumer security. Compromised passwords are also a feature of sophisticated targeted attacks, as the New York Times, for instance, reported of its own intrusions early this year. The most common defense is hashing, a cryptographic transformation of stored passwords that makes verification of incoming passwords easy, but extraction of stored ones hard. “Hard,” though, often isn’t hard enough:
Password cracking tools (such as “John the Ripper”) often easily defeat hashing.
I’ll describe a new defense called honeywords. Honeywords are decoys designed to be indistinguishable from legitimate passwords. When seeded in a password database, honeywords offer protection against an adversary that compromises the database and cracks its hashed passwords. The adversary must still guess which passwords are legitimate, and is very likely to pick a honeyword instead, creating a detectible event signaling a breach. I’ll also discuss a related idea, called honey encryption, which creates ciphertexts that decrypt under incorrect keys to seemingly valid messages.
Broadly speaking, Honeywords and honey encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent and sophisticated security breaches.
Honeywords are honey encryption are joint work respectively with Ron Rivest (MIT) and Tom Ristenpart (U. Wisc).
Dr. Ari Juels is a roving chief scientist specializing in computer security.
He was Chief Scientist of RSA (The Security Division of EMC), Director of RSA Laboratories, and a Distinguished Engineer at EMC, where he worked until September 2013. He joined RSA in 1996 after receiving his Ph.D. in computer science from U.C. Berkeley.
His recent areas of interest include “big data” security analytics, cybersecurity, cloud security, user authentication, privacy, medical-device security, biometric security, and RFID / NFC security. As an industry scientist, Dr. Juels has helped incubate innovative new product features and products and advised on the science behind security-industry strategy. He is also a frequent public speaker, and has published highly cited scientific papers on many topics in computer security.
In 2004, MIT’s Technology Review Magazine named Dr. Juels one of the world’s top 100 technology innovators under the age of 35. Computerworld honored him in its “40 Under 40″ list of young industry leaders in 2007.
He has received other distinctions, but sadly no recent ones acknowledging his youth.
Host: Engin Kirda