How often do you leave your computer or mobile device unattended? And how much personal or financial information is stored on those devices? It may surprise you to know that in many cases that information can be easily obtained by a malicious person who has physical access to your device, even if they cannot figure out your password! Fortunately, most operating system manufacturers provide a “disk encryption” solution which scrambles your data and binds it to a password that only you know. Microsoft calls it BitLocker, Apple calls it FileVault, but whatever it is called, basic solutions have some serious drawbacks. One solution, TrueCrypt, has added some advanced features to provide more thorough security to their users, but it has been known for some time that these techniques are lacking under certain situations.
HiVE (PDF) is a new solution for disk encryption which provides more security than all existing schemes. It does not rely on heuristics or obfuscation techniques, but rather strong cryptographic primitives which can be mathematically proven.
We release HiVE to the public. HiVE is currently implemented as a Linux kernel module on top of device mapper.
To see exactly what advantages HiVE provides, it is necessary to look into the background of existing disk encryption techniques.
Hidden Volume Encryption
Disk encryption is a vital technology for our modern world, where more and more sensitive information is being stored on unsecured machines, including cell phones and other mobile devices. Consequently, there are many commercial and built-in solutions for securing sensitive data through encryption. One of the most widely used programs is TrueCrypt. The authors of TrueCrypt even provide a feature that goes above and beyond regular disk encryption, which they call hidden volume encryption.
The motivating idea is that, if someone recovers your device with an encrypted drive, they might now know what data is on the drive, but they know that something is on the it. They can, therefore, try to coerce you into revealing the key which unlocks the drive. They know that such a key must exist, so they can escalate the coercion until you give in.
The remedy to this problem is to allow a user to store two separate encrypted volumes, one inside the other. The inner volume has a separate encryption key from the outer volume, and is stored in the “free” space of that volume. This scheme takes crucial advantage of the fact that encrypted data looks like random bits to someone who doesn’t have the key. Therefore, the user can reveal to a coercer the password to the outer volume, while keeping the inner volume, with their more sensitive data, a secret. The coercer has no way to prove that a second volume exists, since it is plausible that the user had only one encrypted volume in the first place.
However, there are two problems with TrueCrypt. The first is that it is no longer actively developed, and the maintainers have actually discouraged its use at the moment. There are efforts to transition the code to new maintainers and update it, but that could take some time. The second, and more interesting, problem is that this hidden volume technique is only secure against a very limited coercer: one which has one-time access to the machine. If they can read from the disk on more than one occasion (say, while the user is away from their desk for the evening), the existence of a hidden volume can be easily discovered. That is where HiVE comes in.
HiVE is a more robust implementation of hidden volume encryption, which is secure in more situations and against more capable attackers. Particularly, it has the following advantages:
- Instead of being limited to a single hidden volume, HiVE neatly allows for many hidden volumes. This is an advantage because, if single hidden volumes ever became widespread, a coercer could simply assume that you have a hidden volume and have a reasonable chance of being right. Allowing for a variable number of hidden volumes means that they can never be sure whether you have one more volume or if you have given up all of your keys.
- Even if an adversary can see the encrypted disk on separate occasions, they cannot be sure whether further hidden volumes exist. It is very reasonable that a determined attacker could access your machine more than once, so it is necessary to close this security hole to have a more robust solution.
- The security of HiVE is provably secure against a powerful “chosen plaintext” attacker, which means that it will provide very strong security in practice.
HiVE is able to accomplish this through use of a powerful cryptographic tool called Oblivious RAM. For full details, please reference the complete paper, which will appear at the 2014 ACM Conference on Computer and Communications Security.
HiVE currently works on Linux, and requires device mapper support in the kernel (tested on 3.13.6, 64 bit). It is packaged as both a kernel module and a userland utility.
We invite the community to participate in the further development of HiVE, e.g., for porting to different platforms and general performance improvement. If you are interested in improving HiVE, please contact the authors.
Userland tools - ver.2014.11.03 README
Kernel module - ver.2014.11.03 README
Please carefully check the READMEs in the two packages for installation.
Limitations of current implementation:
While the scheme conceptually supports any number of hidden volumes, the current version only allows for two. A future release will add support for more volumes.
HiVE device-mapper target is free software licensed under GPLv2. © 2014 the authors
HiVE userland tool is free software licensed under GPLv3. © 2014 the authors
We are currently offering (paid) internships at Northeastern University/Boston to advance the development of HiVE. Please contact the team!
To avoid misunderstandings and misconceptions about HiVE, we have uploaded a FAQ. We will keep maintaining this FAQ over time.
This material is based upon work supported by the National Science Foundation under Grant Number 1218197.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.