
Honey Encryption

Given Name Surname
Dept. name of the organisation
Name of the organisation (of Affiliation)
City, Country
Email address or ORCID

Abstract— Many corporations now encrypt their data before sending it over an insecure network. Attackers nevertheless obtain private information through a variety of tactics, such as brute-force attacks, and the victims often do not even know it. Organisations protect their private information with password-based encryption (PBE), but because users supply weak or reused passwords, present PBE techniques are vulnerable to brute-force attacks. Honey encryption (HE) was developed as a solution to this weakness: text-based messages can be protected from brute-force threats by honey encryption or honeywords. The standard HE, however, has a message-size constraint in the DTE process and a storage-overhead problem in the honeyword generation process. Our proposed honey encryption method therefore employs a discrete distribution function in the DTE process instead of a cumulative distribution function, to address the message-space constraint.

Keywords— Cryptography, Honey Encryption (HE), Honey Objects, Brute-force Attack, Password Cracking, Password-based Encryption (PBE), Distribution-Transforming Encoder (DTE)

I. Introduction

Many companies across the world need to send private communications over insecure channels. To protect their confidential information they employ end-to-end encryption, so that only the endpoints holding the key can read the messages [1]. Most businesses use password-based encryption (PBE), since users can pick and remember their own keys. But because an attacker can try candidate keys until the decrypted output looks right, present PBE algorithms are weak, and applications and websites that rely on them are vulnerable to brute-force attacks [2]. Researchers have pursued several approaches to preventing such attacks, and many modern systems implement two countermeasures. The first is to make the attack more expensive: systems increase the key length or the work the key-derivation step costs, so that the time needed to exhaust the key space grows. Fast hash functions such as MD5 and SHA-256 were designed for speed [3], which is exactly what a brute-force attacker wants; against a short password the attacker can exhaust the space in practical time, so relying on them alone for password protection is not recommended.

For this reason honeywords are employed in many systems to protect the keys. Decoy passwords (honeywords) are stored in the password file alongside the real one, so an attacker who steals the hashed password file and cracks it by brute force cannot tell which of the recovered passwords is genuine. The second technique uses the ASCII code table to build a statistical coding scheme that produces bogus plaintext messages [3]; because these messages are meaningless, however, the attacker can tell that the bogus message is not the genuine one. Honey encryption instead decodes every brute-force attempt into a meaningful false plaintext that is not the original communication, and so is protected against brute-force attacks. The core component of HE is the distribution-transforming encoder (DTE), which maps the message space into a seed space of binary strings. After encoding, the seed is encrypted by XORing it with the key; decryption recovers a seed, and the DTE maps that seed back to a plaintext message. Because a wrong key yields a different but equally plausible message, the technique fools attackers even when the key is wrong [4]. In the existing HE algorithm, the message space can only accommodate four messages at a time.

II. Associated Work

Most encryption methods in practice rely on passwords (PBE), and such systems are at risk from attacks that make many guesses. Honey encryption [4] aims to solve this problem by making it harder for attackers to obtain sensitive information by guessing passwords: the system generates a valid-looking decrypted message for each candidate key, so it is difficult to determine which password is the valid one. Honey encryption can protect sensitive data in a variety of applications; for instance, it tricks an attacker into believing that an erroneously guessed key is legitimate. The existing system, however, is limited by its storage overhead and by the message-space limitation. Our solution to the message-capacity constraint and the storage-overhead problem is a new system we have developed. With the new honeyword technique, storage costs can be cut in half, and the typo-safety issue is easy to fix. We use a distinct hashing-and-salting technique to secure password data; compared with conventional MD5 hashing and with hashing using differential masking and salt, it has a shorter hashing and salting time. Our system addresses the message-size limitation of the DTE, compared with the previous honey encryption technique, by employing newer honeyword generation and hashing algorithms.

III. Literature Overview

A basic grasp of encryption techniques is essential to appreciate how honey encryption originated. In traditional password-based encryption, an adversary conducting a brute-force attack to recover the key used to encrypt a message receives garbage or an error signal whenever he tries an incorrect key. That output is a warning sign: he discards the wrong key and continues searching until the decryption produces something credible that may be the plaintext. Because real plaintext is not uniformly distributed, wrong guesses are rejected quickly, and given enough time there is a good chance that he recovers the message. Fig. 1 demonstrates how a password-based encryption method responds to a brute-force attack.
Fig-1 (figure not reproduced in this text)

Encryption is performed by a sender who uses a key and a cipher to protect his message and sends the ciphertext to the recipient. The recipient decrypts the text using the same algorithm and key as the sender. Someone who intercepts the ciphertext may attempt to recover the message by guessing the key, but success is not guaranteed. Since plaintext is not uniformly distributed in a typical environment, an attacker can tell at once whether or not the key he tried is correct [3]. In this article we briefly outline an attack model for the HE scheme. Let C = Enc(K, M) be the ciphertext of a message M, where K and M are drawn from known distributions. The adversary wants to recover M. To decrypt C he tries a sequence of candidate keys and obtains one candidate plaintext per key: M1, ..., Mn. For a low-entropy key distribution such as passwords, M is practically guaranteed to be on his list, because people pick simple passwords that can be readily guessed; defenders should also assume that attackers know how users select passwords.

Whether the adversary can pick out the genuine message M from the n candidates depends on how likely it is that the correct key was among those he tried and, if it was, on whether M can be distinguished from the decoys. An attacker who does not know the target message can still be trapped by fake data: to win, he must identify the true message among all the messages collected during the attack. As Fig. 2 shows, the honey encryption scheme resists brute-force attacks in this way.

Fig-2 (figure not reproduced in this text)

A. Strong Encoder Criteria

Keep two things in mind when creating a plausible, convincing decoy:

• The decoy messages must be hard to tell apart from the real ones. The honey (decoy) message is the key to deceiving an adversary: neither automated tools nor people should be able to distinguish decoy from real messages [3]. Decoys must therefore be selected from a distribution of potential messages that matches the plaintext's probability distribution. Honey messages that look like those used in the real world are needed to model human language.
To be effective, a decoy must be persuasive: it must be hard for the attacker to identify the difference between a decoy message and a real one.

• The DTE must therefore mimic human language while concealing the structure of the real text. It is essential to capture the context and substance of the language people use in emails and other human-generated documents. An encoder that does not disclose the internal structure (backbone) of the plaintext provides better security.

B. Introducing Salt to Hashes

A password stored as a plain hash is not guaranteed to be safe. Two of hashes' greatest virtues are also their worst weaknesses: they are small and fast to compute, and easy to store, which makes them cheap to attack with precomputed tables. Salting addresses this: before hashing, a random string called a salt is added to the password, so the same password produces a different hash every time it is stored.

IV. Working

The key innovation in this method is the distribution-transforming encoder (DTE). The DTE maps the plaintext message space onto the seed space of n-bit strings, taking the probability distribution of the messages into account when it assigns each message its share of the seeds. A brute-force attack gives the attacker no information, since he has to work through a probability distribution of candidate plaintexts that reveals nothing about which one is genuine [5].

A. Honey Encryption (HE) Scheme

The implementation revolves around the message space, which holds all possible values (for example, all possible passwords). A distribution-transforming encoder (DTE) encodes and decodes the message space using the probability functions supplied. For a given n, each possible value is mapped to a range of n-bit seed values, and the seeds are distributed according to the probability of each value [3]: common passwords are assigned a larger share of the seed space than improbable ones.

B. Message Space

A collection of functions, called the message space probability functions in the work of Juels and Ristenpart [7], describes the message space so that a message can be encoded and encrypted.

C. DTE

In designing the DTE, it is vital to keep the message distribution in mind. Encoding produces a seed value that is uniformly distributed; seeds are generally assumed to be binary strings. The encoder must be paired with a decoder that, given a seed, returns the message. Encryption is a two-step procedure known as DTE-then-encrypt:

1. The DTE is applied to the message to obtain a seed for it.
2. The seed is encrypted under the cipher key (in our scheme, XORed with the key) to produce the HE ciphertext.

Decryption reverses the steps: the ciphertext is decrypted to a seed, and the DTE decodes the seed to a message. Because every seed decodes to some message, a wrong key also yields a valid-looking plaintext.

D. Loop-Hole

The security of the encryption rests on the probability distribution that the encrypting party specifies. If this distribution is not computed correctly, the procedure fails [5]. HE therefore cannot be used where the format or distribution of the plaintext is unclear, or where there is a large amount of plaintext. For these reasons the plaintext distribution has to be assessed first: before implementing this approach, the plaintext must be observed and mapped into a broad space in which every output appears credible and occurs with a likelihood matching the real one.

Fig-3 (figure not reproduced in this text)

V. Vulnerabilities of honey encryption algorithm

1. The overhead of processing a large message space is prohibitive. When the message space and its inverse table are too large for the framework's memory, the DTE must read the inverse-table file and the message space line by line to encode and decode [6]. Keeping these records in memory (e.g., using the paired pursuit approach) speeds up decoding.

2. Honey encryption is ineffective if the message space is poorly constructed. Although the plaintext that the DTE produces from a wrongly guessed key looks like a successfully decrypted ciphertext, the attacker may be able to use a separate channel to verify that the guess is wrong. If the protected message is a mobile phone number, for example, he may simply call it to check whether it is real before committing the crime.

3. The level of security honey encryption provides also depends on the application. A message is decoded from the message space regardless of whether the key is correct [6], so the scheme may leak some legitimate messages, which affects applications differently. Even if an attacker obtains a legitimate identification number from the system, he may not be able to find out to whom it belongs, and so has only a limited ability to use the identity to perpetrate a crime.
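The DTE-then-encrypt procedure of Section IV.C, the brute-force behaviour of plain PBE described around Fig. 1, and the salted key derivation of Section III.B, as an added worked example that is not code from the paper: a table-driven DTE that slices an n-bit seed space in proportion to each message's probability, the seed-XOR-key encryption step, and a dictionary attack run against both HE and plain PBE. The message space, its weights, the 32-bit seed size, the PBKDF2 work factor, the salt and the guess list are constructed assumptions; the "cipher" is a one-time XOR with a PBKDF2-derived key, chosen only to keep the example self-contained.

```python
"""Added example (not from the paper): table-driven DTE, DTE-then-encrypt,
and a dictionary brute force against it and against plain PBE."""
import bisect
import hashlib
import secrets

SEED_BITS = 32                 # n-bit seed space (assumption)
SEED_RANGE = 1 << SEED_BITS
KDF_ROUNDS = 20_000            # PBKDF2 work factor (assumption)
BLOCK = 16                     # fixed PBE plaintext length in bytes

# Constructed toy message space; the weights are invented for illustration
# and stand in for the paper's probability(msg) table.
MESSAGE_SPACE = {
    "123456": 0.40, "password": 0.25, "letmein": 0.15,
    "qwerty": 0.12, "dragon": 0.08,
}


class DTE:
    """Distribution-transforming encoder: each message owns a slice of the
    seed space proportional to its probability (inverse-CDF mapping)."""

    def __init__(self, dist, seed_bits=SEED_BITS):
        self.msgs = list(dist)
        self.seed_range = 1 << seed_bits
        total = sum(dist.values())
        self.upper = []            # exclusive upper seed bound per message
        acc = 0.0
        for m in self.msgs:
            acc += dist[m] / total
            self.upper.append(int(acc * self.seed_range))
        self.upper[-1] = self.seed_range   # absorb float rounding at the top
        lo = 0
        for m, hi in zip(self.msgs, self.upper):
            if hi - lo < 1:        # every message needs at least one seed
                raise ValueError(f"{m!r} gets no seed; enlarge the seed space")
            lo = hi

    def encode(self, msg):
        """Pick a random seed from the message's slice."""
        i = self.msgs.index(msg)
        lo = self.upper[i - 1] if i else 0
        return lo + secrets.randbelow(self.upper[i] - lo)

    def decode(self, seed):
        """Map any seed back to a message (total function: never fails)."""
        return self.msgs[bisect.bisect_right(self.upper, seed)]


def derive_key(password, salt, nbytes):
    """Salted, iterated key derivation (the salt idea of Section III.B)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               KDF_ROUNDS, nbytes)


def he_encrypt(dte, password, salt, msg):
    """DTE-then-encrypt: seed = DTE(msg); ciphertext = seed XOR key."""
    key = int.from_bytes(derive_key(password, salt, SEED_BITS // 8), "big")
    return dte.encode(msg) ^ key


def he_decrypt(dte, password, salt, ct):
    key = int.from_bytes(derive_key(password, salt, SEED_BITS // 8), "big")
    return dte.decode(ct ^ key)    # wrong key -> different but plausible message


def pbe_encrypt(password, salt, msg):
    """Plain PBE: XOR the zero-padded message with a derived keystream."""
    data = msg.encode().ljust(BLOCK, b"\0")
    return bytes(a ^ b for a, b in zip(data, derive_key(password, salt, BLOCK)))


def pbe_decrypt(password, salt, ct):
    raw = bytes(a ^ b for a, b in zip(ct, derive_key(password, salt, BLOCK)))
    return raw.rstrip(b"\0").decode("utf-8", "replace")


def brute_force(decrypt, candidates):
    """Keys whose decryption lies in the message space, i.e. looks genuine."""
    return [pw for pw in candidates if decrypt(pw) in MESSAGE_SPACE]


def decode_frequency(dte, msg, trials):
    """How often a uniformly random seed decodes to msg (honey property)."""
    return sum(dte.decode(secrets.randbelow(dte.seed_range)) == msg
               for _ in range(trials))


def demo():
    salt = b"constructed-salt"     # would be random per ciphertext in practice
    dte = DTE(MESSAGE_SPACE)
    real_pw, msg = "correct horse", "letmein"
    guesses = ["admin", "hunter2", "correct horse", "welcome1", "zxcvbn"]
    he_ct = he_encrypt(dte, real_pw, salt, msg)
    pbe_ct = pbe_encrypt(real_pw, salt, msg)
    he_hits = brute_force(lambda pw: he_decrypt(dte, pw, salt, he_ct), guesses)
    pbe_hits = brute_force(lambda pw: pbe_decrypt(pw, salt, pbe_ct), guesses)
    return he_hits, pbe_hits


if __name__ == "__main__":
    he, pbe = demo()
    print("HE: plausible keys =", he)       # every guess survives
    print("PBE: plausible keys =", pbe)     # only the real password survives
```

Under PBE the attacker's filter ("is the output in the message space?") rejects every wrong password and leaves exactly one survivor; under HE every candidate key decodes to a member of the message space, and a random seed lands on "123456" about 40% of the time, which is the distribution-matching property the encoder criteria above demand. The constructor's check that each message owns at least one seed is the one a practitioner must not skip: a message with an empty slice can never be encoded, and with a real, skewed password distribution 32 bits is far too small.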


VI. Honey Encryption Security

Honey encryption protects a collection of messages that share specific features, such as credit card numbers. The message space is the set of all messages that may be sent and received. Before encrypting, the message space must be determined and a mechanism provided to enumerate all the messages in it. Then the probability of each message appearing in the space (the PDF) and its cumulative probability (the CDF) must be computed and recorded [7]. The distribution-transforming encoder (DTE) needs a seed space of n-bit binary strings into which each message is mapped; by comparing a message's PDF and CDF with the seed space, the DTE determines the range of seeds for that message. Since each message must own at least one seed, the n-bit seed space must be large enough, that is, at least as large as the message space. When a message is encoded, one seed from its range is picked at random.

The DTE should be viewed as a generic module that provides encode and decode methods driven by the PDF and CDF. This lets the DTE expose several APIs for building the message space. A large part of the DTE's job in decryption is searching an inverted table for the correct plaintext message [2], so interfaces to the probability table and the inverse table must be provided in the message space.

Fig-4 (figure not reproduced in this text)

A. Honey encryption in banking

Passwords often contain uppercase and lowercase letters, digits and symbols, yet too many people choose passwords that a third party can easily guess. An ATM, for example, requires a six-digit PIN drawn from the range 000000-999999, so the message space has N = 10^6 members. Honey encryption can guard such PINs against brute-force attacks. With the message space sorted in increasing order, probability(msg) returns 1/N (the PDF). The distribution may be unequal if many people use the same PIN [8]; for simplicity we assume messages are uniformly distributed, so the cumulative probability of the i-th message is i/N.

Password-based encryption (PBE) is vulnerable to brute-force attacks while safeguarding sensitive data, because decryption produces a valid-looking plaintext only when the key is correctly guessed [8]. Honey encryption reduces this risk. Chinese identification numbers, mobile phone numbers and debit card PINs are the three types of private data considered in that setting.

• Depending on the application, honey encryption's capacity to secure sensitive private data differs significantly. A message is decoded from the message space regardless of whether the key is correct, so the scheme may leak some legitimate messages, with effects that vary between applications.

• Each application needs its own implementation because the message space changes. To apply honey encryption to a given application, the developer must design or modify the message space and the inverted table.
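The six-digit PIN case above (probability 1/N, cumulative probability i/N) and the "poorly constructed message space" vulnerability of Section V, as an added example that is not code from the paper: a closed-form DTE for a uniform message space, which needs no probability table or inverted table at all, applied to ATM PINs and then to two candidate message spaces for 16-digit card numbers. The paper's illustration of an attacker verifying a decoy out of band is a phone call; here a Luhn check digit stands in as an offline analogue, so that decoys from a naively built space can be rejected while decoys from a properly built one cannot. The seed sizes, trial counts and both card-number spaces are assumptions made for the example.

```python
"""Added example (not from the paper): closed-form DTE for a uniform message
space, applied to six-digit PINs and to two candidate message spaces for
16-digit card numbers, with an offline attacker-side check (Luhn)."""
import secrets

PIN_SEED_BITS = 32      # 2^32 seeds for 10^6 PINs (assumption)
CARD_SEED_BITS = 64     # 2^64 seeds for up to 10^16 card numbers (assumption)


def fits(n_messages, seed_bits):
    """Every message must own at least one seed, so 2^n >= N is required."""
    return n_messages <= (1 << seed_bits)


class UniformDTE:
    """Messages are indexed 0..N-1 with probability 1/N each, so message i
    has cumulative probability i/N and owns the seed slice
    [ceil(i*2^n/N), ceil((i+1)*2^n/N)); decoding is seed*N // 2^n."""

    def __init__(self, n_messages, seed_bits):
        if not fits(n_messages, seed_bits):
            raise ValueError("seed space smaller than message space")
        self.n = n_messages
        self.seed_range = 1 << seed_bits

    def _lower(self, index):
        return -(-index * self.seed_range // self.n)   # ceiling division

    def encode(self, index):
        lo, hi = self._lower(index), self._lower(index + 1)
        return lo + secrets.randbelow(hi - lo)

    def decode(self, seed):
        return seed * self.n // self.seed_range


def pin_roundtrip(pin):
    """Encode a six-digit PIN to a seed and decode it again."""
    dte = UniformDTE(10 ** 6, PIN_SEED_BITS)
    return f"{dte.decode(dte.encode(int(pin))):06d}"


def luhn_checksum(digits):
    """Luhn mod-10 sum; the rightmost digit is position 1 (not doubled)."""
    total = 0
    for pos, ch in enumerate(reversed(digits), start=1):
        d = int(ch)
        if pos % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(number):
    return luhn_checksum(number) == 0


def with_check_digit(payload):
    """Append the check digit that makes a 15-digit payload Luhn-valid."""
    return payload + str((10 - luhn_checksum(payload + "0")) % 10)


class NaiveCardSpace:
    """All 16-digit strings: an attacker can reject ~90% of decoys offline."""
    size = 10 ** 16

    @staticmethod
    def message(index):
        return f"{index:016d}"

    @staticmethod
    def index(message):
        return int(message)


class LuhnCardSpace:
    """Only Luhn-valid numbers: the index is the 15-digit payload and the
    check digit is derived, so every decoy passes the attacker's check."""
    size = 10 ** 15

    @staticmethod
    def message(index):
        return with_check_digit(f"{index:015d}")

    @staticmethod
    def index(message):
        return int(message[:15])


def decoy_survival(space, trials):
    """Fraction of decoys (decodings of uniformly random seeds, which is what
    wrong keys produce) that pass the attacker's Luhn check."""
    dte = UniformDTE(space.size, CARD_SEED_BITS)
    passed = sum(luhn_valid(space.message(dte.decode(secrets.randbelow(dte.seed_range))))
                 for _ in range(trials))
    return passed / trials


if __name__ == "__main__":
    print("PIN 123456 ->", pin_roundtrip("123456"))
    print("naive space survivors:", decoy_survival(NaiveCardSpace, 2000))
    print("Luhn space survivors:", decoy_survival(LuhnCardSpace, 2000))
```

The ceiling in the slice bounds is what makes decode(encode(i)) exact for every i even when 2^n is not a multiple of N; with floor bounds the first seed of a slice can decode to the previous message. Real card numbers are further constrained (issuer prefixes, lengths, the fact that most payloads are unassigned), so a production message space would have to encode those constraints as well; the point is that every check the attacker can run offline must already hold for every decoy the DTE can produce.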

VII. Lesson Learned

During our study of honey encryption we found it to be an effective countermeasure to brute-force attacks, with a few drawbacks:

• Since processing a large message space is costly, honey encryption is only suited to small message spaces. If the message space is larger than the system's memory, the DTE must read the message space and the inverted-table file line by line during encryption and decryption.

• If the message space is not carefully defined, honey encryption does not protect adequately against brute-force attacks: attackers can use additional methods to establish that a key guess is wrong, for instance by calling a decoded mobile phone number to verify that it is real.

VIII. Conclusion

A brute-force attack on password-based encryption (PBE) can tell from the output of the decryption process whether a candidate key is genuine. With the honey encryption method, the use of symmetric or asymmetric encryption algorithms, and of uniformly or non-uniformly distributed message spaces, is conceivable in the design and deployment of applications. We evaluated our honey encryption approach and proposed a remedy to reduce overhead.

Finally, we discussed the lessons learned from developing, implementing and assessing the honey encryption method. Specifically: since processing a large message space is costly, honey encryption is only suited to small message spaces; for honey encryption to work well, the message space must be carefully defined for each application; honey encryption's capacity to secure sensitive private data differs significantly between applications; and since message spaces vary, different applications require different implementations.

References

[1] Infosec Resources, 2021. Honey Encryption. [online] Available at: <https://resources.infosecinstitute.com/topic/honey-encryption/> [Accessed 16 August 2021].

[2] Whitney, L., 2021. LastPass CEO reveals details on security breach. [online] CNET. Available at: <https://www.cnet.com/tech/services-and-software/lastpass-ceo-reveals-details-on-security-breach/> [Accessed 16 August 2021].

[3] Community.broadcom.com, 2021. Endpoint Protection - Symantec Enterprise. [online] Available at: <https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=74450cf5-2f11-48c5-8d92-4687f5978988&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments> [Accessed 16 August 2021].

[4] Lyne, J., 2014. Yahoo Hacked And How To Protect Your Passwords. [online] Forbes. Available at: <https://www.forbes.com/sites/jameslyne/2014/01/31/yahoo-hacked-and-how-to-protect-your-passwords/?sh=65724599e1d8> [Accessed 17 August 2021].

[5] Venafi.com, 2021. Honey Encryption and Machine Identities | Venafi. [online] Available at: <https://www.venafi.com/blog/honey-encryption-and-machine-identities> [Accessed 17 August 2021].

[6] Bu, M., 2021. An Intro to Honey Encryption: Cryptographic Parlor Tricks for Passwords. [online] McAfee Blogs. Available at: <https://www.mcafee.com/blogs/enterprise/cloud-security/cryptographic-parlor-tricks-for-passwords-an-introduction-to-honey-encryption/> [Accessed 17 August 2021].

[7] Juels, A. and Ristenpart, T., 2014. Honey Encryption: Encryption beyond the Brute-Force Barrier. IEEE Security & Privacy, 12(4), pp. 59-62.

[8] Tan, S. and Samsudin, A., 2017. Enhanced Security of Internet Banking Authentication with EXtended Honey Encryption (XHE) Scheme. Innovative Computing, Optimisation and Its Applications, pp. 201-216.
