A Sweet Taste for Intruders: Honey Encryption


In the BA hack, over 380,000 customers had their credit card details stolen, so let’s look at a way of making fake credit card details. In this case we will create an encryption method which makes the decrypted credit card values look valid whether or not the right key was used, even though the stored values are actually encrypted. It is basically the art of turning encrypted values into something which looks valid.

An intruder can get into a company’s database with your customers’ details, and the details will be encrypted with a secret key. They then try a range of keys, looking for one that decrypts to a valid credit card number, and stop when they find the one key that matches.

I am going to demo Honey encryption in this article. If you want to try it, it is here:

  • credit_card=4117700001669792, secret=20481017, guess=34963288
  • credit_card=4117700001669792, secret=20481017, guess=20481017

Giving the game away…

A problem we thus have with encryption is that an intruder will use brute force to determine the key used to encrypt data. They will try a range of keys or passphrases until they get a valid output. When an intruder tries a wrong key, the software generates an exception, which tells them that the key is not valid. With computing power increasing by the day, it is becoming difficult to protect data with encryption keys that remain secret.

So Honey Encryption is a new method which aims to produce a valid-looking output for an invalid key, so that the intruder thinks they have the correct key. For example, we have a credit card of “4117700001669792” and a secret key of “2048101736616812280”:

Credit card: 4117700001669792
Secret key: 2048101736616812280

Let’s try a guess key of “3496328831800304765”:

Guess key: 3496328831800304765

Now we have a seed value which is generated as:

HEX(SEED): 0x2ce349b63c78dc00L
CIPHERTEXT: 3499041942528787192

and the result is a valid credit card detail of:

HEX(GUESSED_SEED): 0xa6c97f3f6e685L
MESSAGE: 377441000172464

The intruder thinks they have cracked the credit card. “Yipee!!” they say, but they try it and it doesn’t work, so they try again and find another one... but that doesn’t work either.

Now we try the correct key and we should now generate the correct credit card:

Credit card: 4117700001669792
Secret key: 2048101736616812280
Guess key: 2048101736616812280
HEX(SEED): 0x2ce349b63c78ea00L
CIPHERTEXT: 3499041942528799992
HEX(GUESSED_SEED): 0x2ce349b63c78ea00L
MESSAGE: 4117700001669792

And it works … and that is Honey Encryption. We have defeated the cracker!

Background

Valid Visa cards begin with a ‘4’, Mastercard with a ‘5’, Discover with a ‘6’ and American Express with a ‘3’. Each is 15 or 16 digits long:

  • Visa (16 digits): 492918349075441, 453200186426703
  • Mastercard (16 digits): 5377729552071050, 5298514886542646
  • Discover (16 digits): 6011176856973435, 6011240850269503
  • American Express (15 digits): 346784559173846, 343134243702795

We can then create a list of valid credit card prefixes as a dictionary, keyed by prefix, where each value is `[numRandom, cardLength, probWeight]`:

```python
# Create prefixes dictionary  'prefix': [numRandom, cardLength, probWeight]
prefixes = {
    '604646': [0, 16, 1],
    '519293': [0, 16, 1],
    '519290': [0, 16, 1],
    '479293': [0, 16, 1],
    '435744': [0, 16, 1],
    '421323': [0, 16, 1],
    '377441': [0, 15, 1]
}
```

In this table you will also find `'377441': [0, 15, 1]`, and you will see that this is the prefix that was matched in the incorrect card number:

377441000172464

where the end part is generated from a number in the allowed range. As far as the intruder is concerned this looks like a valid American Express card number. We then create a table and match a seed value to each entry, so that every credit card is equally likely. The decrypted value is then looked up in the table. If the correct key is entered, the correct credit card is returned; otherwise a random one is.
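The following is an added worked example of the mechanism described in the demo above and in the prefix-table passage; it is not the page’s own code. It builds a distribution-transforming encoder (DTE) over a constructed prefix table of the same shape as the one above (`'411770'` is added so that the page’s demo card lies in the message space), encodes a card as a seed drawn uniformly from that card’s slice of the 64-bit seed space, and combines seed and key with XOR. Both the XOR combining step and the Luhn check digit are assumptions of this example: the page prints a seed and a ciphertext but does not state how they are combined, and its demo output does not mention a check digit. The point of the check digit is that a DTE should sample from the whole space of well-formed card numbers; a decoy that fails a cheap format check is one an attacker can discard. Because the seed is sampled at random, the exact seed and ciphertext values printed on the page are not reproduced.

```python
import secrets

# Constructed prefix table in the same shape as the page's dictionary:
# prefix -> [numRandom, cardLength, probWeight]. "411770" is an assumption
# added so that the page's demo card 4117700001669792 is in the message space.
PREFIXES = {
    "411770": [0, 16, 1],
    "604646": [0, 16, 1],
    "519293": [0, 16, 1],
    "479293": [0, 16, 1],
    "435744": [0, 16, 1],
    "421323": [0, 16, 1],
    "377441": [0, 15, 1],
}


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a card number that is missing its last digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


class CardDTE:
    """Distribution-transforming encoder: card numbers <-> 64-bit seeds.

    The seed space [0, 2**64) is cut into one interval per card number, sized
    by the prefix's probWeight, so a uniformly random seed decodes to a
    uniformly random, well-formed card number. Decoding never fails.
    """

    def __init__(self, prefixes: dict, seed_bits: int = 64):
        self.seed_space = 1 << seed_bits
        self.entries = []                   # (prefix, length, body_len, weight, start)
        start = 0
        for prefix, (_num_random, length, weight) in prefixes.items():
            body_len = length - len(prefix) - 1   # digits between prefix and check digit
            self.entries.append((prefix, length, body_len, weight, start))
            start += weight * 10 ** body_len
        self.total = start                  # total weight of the message space

    def encode(self, card: str) -> int:
        """Card -> a seed chosen uniformly among the seeds that decode to it."""
        for prefix, length, body_len, weight, start in self.entries:
            if len(card) == length and card.startswith(prefix):
                break
        else:
            raise ValueError("card prefix/length not in message space")
        if luhn_check_digit(card[:-1]) != card[-1]:
            raise ValueError("bad Luhn check digit")
        idx = int(card[len(prefix):-1])
        w0 = start + idx * weight           # this card's slice of the weight line
        w1 = w0 + weight
        lo = -(-w0 * self.seed_space // self.total)   # ceiling division
        hi = -(-w1 * self.seed_space // self.total)
        return lo + secrets.randbelow(hi - lo)

    def decode(self, seed: int) -> str:
        """Any seed in [0, 2**64) -> a well-formed card number."""
        w = seed * self.total // self.seed_space
        for prefix, length, body_len, weight, start in self.entries:
            if w < start + weight * 10 ** body_len:
                idx = (w - start) // weight
                body = prefix + str(idx).zfill(body_len)
                return body + luhn_check_digit(body)
        raise AssertionError("seed outside the seed space")


DTE = CardDTE(PREFIXES)


def encrypt(card: str, key: int) -> int:
    """Honey-encrypt: ciphertext = DTE seed XOR key (key reduced to the seed width)."""
    return DTE.encode(card) ^ (key & (DTE.seed_space - 1))


def decrypt(ciphertext: int, key: int) -> str:
    """Decrypt with any key; a wrong key still yields a plausible card number."""
    return DTE.decode(ciphertext ^ (key & (DTE.seed_space - 1)))


if __name__ == "__main__":
    # The page's demo values: real card, secret key, and one wrong guess.
    card, secret, guess = "4117700001669792", 2048101736616812280, 3496328831800304765
    ct = encrypt(card, secret)
    print("CIPHERTEXT     :", ct)
    print("with guess key :", decrypt(ct, guess))    # some other well-formed card
    print("with secret key:", decrypt(ct, secret))   # 4117700001669792
```

Run it several times and the decoy returned for the wrong guess changes, because `encode` picks a fresh seed from the card’s interval each time; the correct key always recovers the original card. The defensive value is entirely in `decode` having no failure path: there is no exception, padding error or format check that distinguishes a wrong key from the right one, so a brute-force search gets no signal from the decryption itself.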

Conclusion

Honey encryption is a new method where a cracker will not be able to determine when they have the correct key. We could do the same with any other sensitive data that we hold, such as a person’s surname or a CVV number.
