A Security Analysis of Honey Vaults

Honey encryption (HE) protected password vaults (called honey vaults) are promising tools that allow a user to store multiple passwords (called a password vault) and encrypt them with a master password using HE. In case password vaults are somehow leaked and the attackers launch offline password guessing, honey vaults can yield decoy password vaults for incorrect guesses, forcing an offline guessing attacker to interact with the authentication server to identify whether passwords in decrypted vaults are correct or not. Therefore, honey vaults transform the offline guessing attacker into an online guessing attacker, i.e., honey vault distinguishing attacker.In online guessing, attackers can adopt various attacks to perform multiple guesses against multiple vaults, but the existing theoretical message recovery (MR) security for HE only focuses on the advantage of one-time guess against a single vault, which cannot accurately model realistic attackers and thus can not provide practical advice for users’ vault security. To address this issue, we propose a theoretically-grounded optimal strategy for distinguishing attackers, and manage to derive a much tighter upper bound on the advantage against MR security. Particularly, we provide much tighter upper/lower bounds for advantage against HE-related cryptographic security games, i.e., the security of distribution transforming encoder (DTE), known message attack, and known side information attack. This provides a better understanding of the actual security of honey encryption.To better understand the security of honey vault systems, we instantiate our optimal strategy into three practical attacks and propose an encoding attack. Extensive experiments against two major honey vault systems demonstrate that our four attacks can improve the attack success rate by 1.15-4.35 times compared with their counterparts. For the intersection attack, we propose a feature attack against Cheng et al.’s incremental update mechanism (at USENIX SEC’21), and our attack can breach their mechanism with 87%-93% advantage.