Honey Encryption Algorithms – Security Combating Brute Force Attack


Up until now, AES has ruled the cyber and data security algorithms. The only point where AES failed was Brute Force Attack. Since then security developers have been trying to overcome this particular failure. Ari Jules and Thomas Ristenpart, have put forward an interesting spin to this problem known as Honey Encryption Applications. Taking its base from the cyber term, Honey, the encryption algorithm follows its footsteps.


Previously all the secure data was encrypted that yielded in cipher texts and only with the use of specified/agreed cipher-key would the plain-text be achieved. In previous encryption algorithms, when the attackers tried to penetrate the security layers, with the use of wrong cipher-key, they would receive jumbled up texts giving no meaning at all.  That would give the hackers idea that the key is wrong and they would move on further with different cipherkey. Honey Encryption (HE) addresses this technique. With every attack using the wrong cipherkey, HE will yield a fake plain-text or honey messages. This messages may seem legitimate but will be incorrect. This way the attackers will have a bunch of fake plain-texts all looking like actual text. So even if the attacker have the actual text they will have to narrow it down from the haystack of false texts.


The innovation in this scheme is the making of a distribution-transforming encoder (DTE). This DTE maps the space of un-encrypted, plain-text messages onto the seed space of n-bit strings. Taking into account the probability distribution, DTE assigns its ratio to the message. As the attacker has to go through expected probability distribution, the end result of brute force will give attacker null information.

Honey Encryption Scheme:

The two main things in this construct are the implementation of the message space where all the probable values of passwords are placed.  The second thing is the Distribution-transforming Encoder that encodes or decodes the message space using the specified functions.  The probable values are mapped to a seed, using a specified value of n. The seeds are distributed according to the probability of the occurrence of the password. Like for more common passwords, the seeds are given a higher probability as compared to the unlikely/uncommon passwords.

Message Space:

As defined in the paper by JR, the class MessageSpaceProbabilityFxns contains a set of functions that might be used to apply Encryption. They are defined as follows:

CUMULATIVE_DISTR(message) – gives cumulative probability defining the point where the message lies in ordered messages.

PROBABILITY_DISTR(message) – gives probability of the message that is input

NEXT_MESSAGE(message) – gives the next message in the message space

GET_INVERSE_CUMUL_DISTR_SAMPLES() – returns list of pre-calculated sampling of cumulative distribution values of messages

Distribution Transforming Encoder:

The DTE is constructed keeping the message distribution in consideration. The Encoding yields a “seed” value distributed uniformly. The seeds are mostly taken to be binary strings. The Encoder needs to have a decoder as well which when provided with the seed returns the text message. Encoding is a two step process called DTE-then-encrypt.

  • The DTE is applied to Message to obtain seed.
  • The obtained seed is encrypted using cipherkey that will give HE Cipher-text.

Loop Hole:

The security of this Encryption relies on the probability that is defined by the Encrypting Party. If by any means this probability is not calculated properly, the method fails. So in cases when the format or distribution of plain text is unknown or there is a large space of plain-texts, HE can’t be applied. Now keeping these factors in mind, the predictability is judged. So before applying this method, the plain-text needs to be monitored and then it needs to be mapped in a large space where all the outputs look plausible and match the likelihood of legitimacy.

Target Area:

The security provided by this encryption is best applicable for places having low-entropy. The developers, JR, proposed this scheme in the context of passwords. They may include generic alphabets, credit cards or plain text messages.


The founders aim to use HE to protect password manager services. Although the proposed system defends the users from Brute Force Attack but it is only partially applicable. So the concept is smart enough but it needs evolving.


Fields marked with an * are required


No comments yet. Be the first to chime in!