diff --git a/doc/html/en/Argon2.html b/doc/html/en/Argon2.html new file mode 100644 index 00000000..73b72a80 --- /dev/null +++ b/doc/html/en/Argon2.html @@ -0,0 +1,175 @@ + + + + +VeraCrypt - Free Open source disk encryption with strong security for the Paranoid + + + + + + +
+VeraCrypt +
+ + + +
+

+Documentation +>> +Hash Algorithms +>> +Argon2id +

+ +
+

Argon2id

+
+Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for header key derivation. +
+ +

Key Features

+ + +

Argon2 Variants

+
+Argon2 has three variants: +
+ + +

Parameters in VeraCrypt

+
+VeraCrypt uses Argon2id with the following parameter configuration: +
+ +

Memory Cost (m_cost)

+
+The amount of memory used during the key derivation process, controlled by the PIM value: +
+ + +

Time Cost (t_cost)

+
+The number of iterations performed during the key derivation process: +
+ + +

Parallelism

+
+The number of parallel threads used during computation: +
+ + +

Advantages over PBKDF2

+ + +

Usage Considerations

+
+When using Argon2id in VeraCrypt: +
+ + +

Technical Specifications

+
+Algorithm: Argon2id as defined in RFC 9106
+Internal hash: BLAKE2b
+Salt size: 512 bits (same as PBKDF2-HMAC)
+Output length: Variable, depending on the encryption algorithm (e.g., 256 bits for AES-256, 768 bits for AES-Twofish-Serpent cascade)
+Version: Argon2 version 0x13 (19 decimal) +
+ +
+For more information about PIM values and their effect on Argon2id parameters, see the + +Personal Iterations Multiplier (PIM) section. +
+ +

Next Section >>

+
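Review bot: In the Technical Specifications block of the new Argon2.html, the "Output length" line gives 256 bits for AES-256 and 768 bits for the AES-Twofish-Serpent cascade, which appears to count only the primary header key. Header Key Derivation.html, touched by this same patch, states that in XTS mode an additional 256-bit secondary header key is used, so two 256-bit keys are used for AES-256 in total. Suggest stating whether the figure is per key or the total output requested from Argon2id, so the two pages agree.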
diff --git a/doc/html/en/Encryption Scheme.html b/doc/html/en/Encryption Scheme.html index da3830f9..0c34062f 100644 --- a/doc/html/en/Encryption Scheme.html +++ b/doc/html/en/Encryption Scheme.html @@ -50,10 +50,15 @@ Hidden Operating System). If there is a hidden volume within this volume (or
  • Now VeraCrypt attempts to decrypt the standard volume header read in (1). All data used and generated in the course of the process of decryption are kept in RAM (VeraCrypt never saves them to disk). The following parameters are unknown† and have to be determined through the process of trial and error (i.e., by testing all possible combinations of the following):
      -
    1. PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section +
    2. Key Derivation Function (KDF) and associated parameters: +
        +
      • PBKDF2-HMAC: PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section Header Key Derivation, Salt, and Iteration Count), which can be one of the following: -

        HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.

        +HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool, HMAC-Streebog.
      • +
      • Argon2id: Memory-hard key derivation function with internal BLAKE2b hash function.
      • +
      +

      If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.

      A password entered by the user (to which one or more keyfiles may have been applied – see the section Keyfiles), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section diff --git a/doc/html/en/Hash Algorithms.html b/doc/html/en/Hash Algorithms.html index d8eb626e..00accb67 100644 --- a/doc/html/en/Hash Algorithms.html +++ b/doc/html/en/Hash Algorithms.html @@ -34,13 +34,14 @@

      Hash Algorithms

      -In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm. A user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom "mixing" function, - and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more +In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm when using PBKDF2-HMAC as the key derivation function. When Argon2id is selected as the key derivation function, no hash algorithm selection is available as Argon2id uses its own internal BLAKE2b hash function. +
      +
      +For PBKDF2-HMAC, the user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom "mixing" function, and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more information, please see the section Random Number Generator and section Header Key Derivation, Salt, and Iteration Count.
      -
      -VeraCrypt currently supports the following hash algorithms:
      +VeraCrypt currently supports the following hash algorithms for PBKDF2-HMAC:
      • BLAKE2s-256 diff --git a/doc/html/en/Header Key Derivation.html b/doc/html/en/Header Key Derivation.html index 0123d119..1b4872c9 100644 --- a/doc/html/en/Header Key Derivation.html +++ b/doc/html/en/Header Key Derivation.html @@ -44,22 +44,31 @@ Encryption Scheme and system encryption), the area is encrypted in XTS mode (see the section -Modes of Operation). The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2, specified in PKCS #5 v2.0; see - -[7]. +Modes of Operation). VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id. + +

        PBKDF2-HMAC Key Derivation

        -512-bit salt is used, which means there are 2512 keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary - of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the - -VeraCrypt random number generator during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) – the user selects which. The length of the derived +The PBKDF2 method uses HMAC-based pseudorandom functions with the following hash algorithms available: SHA-512, SHA-256, BLAKE2s-256, Whirlpool, or Streebog (see [8, 9, 20, 22]) – the user selects which. The length of the derived key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence, two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search for passwords (i.e., brute force attack) [7].
        + +

        Argon2id Key Derivation

        -

        Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used. +Argon2id is a memory-hard key derivation function that provides resistance against both time-memory trade-off attacks and side-channel attacks. Unlike PBKDF2-HMAC, Argon2id does not use a separate hash algorithm selection – it uses its own internal hash function (BLAKE2b). Argon2id requires three parameters: memory cost (amount of memory used), time cost (number of iterations), and parallelism (number of threads). VeraCrypt sets the parallelism parameter to 1 for all cases.

        + +
        +512-bit salt is used for both key derivation functions, which means there are 2512 keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary + of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the + +VeraCrypt random number generator during the volume creation process.
        + +
        +

        Prior to version 1.12, VeraCrypt always used PBKDF2-HMAC with a fixed number of iterations that depended only on the volume type and the hash algorithm used. Starting from version 1.12, the -PIM field (Personal Iterations Multiplier) enables users to have more control over the number of iterations used by the key derivation function.

        -

        +PIM field (Personal Iterations Multiplier) enables users to have more control over the computational parameters used by the key derivation function.

        + +

        PBKDF2-HMAC Parameters

        When a PIM value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:
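Review bot: The rewritten opening sentence of this hunk ("VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id.") drops the "see [7]" citation that the removed line carried and gives no reference for Argon2id. Suggest restoring [7] after PKCS #5 v2.0 and citing RFC 9106 for Argon2id, which the new Argon2.html already names as the defining document. The version paragraph in the same hunk says that prior to 1.12 VeraCrypt always used PBKDF2-HMAC and that PIM arrived in 1.12, but it never says which version introduces Argon2id; one clause with that version would help a reader on an older release.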

          @@ -69,12 +78,16 @@ PIM value is not specified or if it is equal to zero, VeraCrypt uses the def

        When a -PIM value is given by the user, the number of iterations of the key derivation function is calculated as follows:

        +PIM value is given by the user, the number of iterations of the PBKDF2 key derivation function is calculated as follows:

        • For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = PIM x 2048
        • For system encryption that uses SHA-512 or Whirlpool: Iterations = 15000 + (PIM x 1000)
        • For non-system encryption and file containers: Iterations = 15000 + (PIM x 1000)
        + +

        Argon2id Parameters

        +

        When Argon2id is selected as the key derivation function, the PIM value controls both memory and time costs as described in the PIM section. If no PIM is specified, default parameters equivalent to PIM = 12 are used (416 MiB memory, 6 iterations).

        +
        Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed diff --git a/doc/html/en/Personal Iterations Multiplier (PIM).html b/doc/html/en/Personal Iterations Multiplier (PIM).html index 794f8bac..4f3a6384 100644 --- a/doc/html/en/Personal Iterations Multiplier (PIM).html +++ b/doc/html/en/Personal Iterations Multiplier (PIM).html @@ -36,25 +36,56 @@

        PIM

        -

        PIM stands for "Personal Iterations Multiplier". It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the number of iterations used by the header key derivation function. This value can be specified through the password dialog +

        PIM stands for "Personal Iterations Multiplier". It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the computational parameters used by the header key derivation function. This value can be specified through the password dialog or in the command line.

        -

        When a PIM value is specified, the number of iterations is calculated as follows:

        +

        The exact meaning of PIM depends on the key derivation function (KDF) being used:

        + +

        PBKDF2-HMAC Key Derivation

        +

        When PBKDF2-HMAC is used, the PIM value controls the number of iterations as follows:

        • For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = PIM x 2048
        • For system encryption that uses SHA-512 or Whirlpool: Iterations = 15000 + (PIM x 1000)
        • For non-system encryption and file containers: Iterations = 15000 + (PIM x 1000)
        -

        If no PIM value is specified, VeraCrypt will use the default number of iterations used in versions prior to 1.12 (see - - Header Key Derivation). This can be summarized as follows:
        -

          -
        • For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, 200000 iterations are used which is equivalent to a PIM value of 98.
        • -
        • For system encryption that uses SHA-512 or Whirlpool, 500000 iterations are used which is equivalent to a PIM value of 485.
        • -
        • For non-system encryption and file containers, all derivation algorithms will use 500000 iterations which is equivalent to a PIM value of 485.
        • -
        + +

        Argon2id Key Derivation

        +

        When Argon2id is used, the PIM value controls both memory cost and time cost parameters:

        +
          +
        • Memory Cost (m_cost) in MiB:
          +m_cost(pim) = min(64 MiB + (pim - 1) * 32 MiB, 1024 MiB)
          +The memory cost increases by 32 MiB for each increment of PIM, starting from 64 MiB, and is capped at 1024 MiB when PIM reaches 31 or higher. +
        • +
        • Time Cost (t_cost) in iterations:
          +If PIM ≤ 31: t_cost(pim) = 3 + floor((pim - 1) / 3)
          +If PIM > 31: t_cost(pim) = 13 + (pim - 31)
          +The time cost increases by 1 iteration for every 3 increments of PIM when PIM ≤ 31, and by 1 iteration per PIM increment when PIM > 31. +
        • +
        • Parallelism: Fixed at 1 thread for all cases.
        • +
        + +

        Argon2id Examples:

        +
          +
        • For PIM = 12: Memory Cost = 416 MiB, Time Cost = 6 iterations
        • +
        • For PIM = 31: Memory Cost = 1024 MiB, Time Cost = 13 iterations
        • +
        • For PIM = 32: Memory Cost = 1024 MiB, Time Cost = 14 iterations
        • +
        + +

        If no PIM value is specified, VeraCrypt will use the default parameters used in versions prior to 1.12 for PBKDF2-HMAC (see + + Header Key Derivation). For Argon2id, default parameters are equivalent to PIM = 12:

        +
          +
        • PBKDF2-HMAC defaults:
        • +
            +
          • For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, 200000 iterations are used which is equivalent to a PIM value of 98.
          • +
          • For system encryption that uses SHA-512 or Whirlpool, 500000 iterations are used which is equivalent to a PIM value of 485.
          • +
          • For non-system encryption and file containers, all derivation algorithms will use 500000 iterations which is equivalent to a PIM value of 485.
          • +
          +
        • Argon2id defaults: Memory Cost = 416 MiB, Time Cost = 6 iterations (equivalent to PIM = 12)
        • +
        +

        Prior to version 1.12, the security of a VeraCrypt volume was only based on the password strength because VeraCrypt was using a fixed number of iterations.
        -With the introduction of PIM, VeraCrypt has a 2-dimensional security space for volumes based on the couple (Password, PIM). This provides more flexibility for adjusting the desired security level while also controlling the performance of the mount/boot operation.

        +With the introduction of PIM, VeraCrypt has a multi-dimensional security space for volumes based on the combination (Password, PIM, Key Derivation Function). This provides more flexibility for adjusting the desired security level while also controlling the performance of the mount/boot operation.

        PIM Usage

        It is not mandatory to specify a PIM.
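Review bot: The Argon2id formulas added under "Argon2id Key Derivation" are given without scope: the PBKDF2-HMAC list just above distinguishes system encryption from non-system encryption and file containers, while m_cost(pim) and t_cost(pim) say nothing about volume type or the accepted PIM range. Suggest adding one sentence stating whether the same formulas apply to system encryption, and what the minimum and maximum PIM are, since t_cost has no stated upper bound for PIM > 31. The three worked values (PIM = 12, 31, 32) are consistent with the formulas as written.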

        diff --git a/doc/html/en/Program Menu.html b/doc/html/en/Program Menu.html index ea23b428..9a49bdd2 100644 --- a/doc/html/en/Program Menu.html +++ b/doc/html/en/Program Menu.html @@ -59,7 +59,7 @@ Note: For information on how to change a password used for pre-boot authenticati See also the chapter Security Requirements and Precautions.

        -

        PKCS-5 PRF

        +

        KDF

        In this field you can select the algorithm that will be used in deriving new volume header keys (for more information, see the section Header Key Derivation, Salt, and Iteration Count) and in generating the new salt (for more information, see the section diff --git a/doc/html/ru/Program Menu.html b/doc/html/ru/Program Menu.html index 45d50ae0..47367e7a 100644 --- a/doc/html/ru/Program Menu.html +++ b/doc/html/ru/Program Menu.html @@ -60,7 +60,7 @@ См. также главу Требования безопасности и меры предосторожности.

        -

        PKCS-5 PRF

        +

        KDF

        В этом поле можно выбрать алгоритм, который будет использоваться для формирования (деривации) новых ключей заголовка тома (см. подробности в разделе
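Review bot: In doc/html/en/Encryption Scheme.html, the step is retitled "Key Derivation Function (KDF) and associated parameters", but the sentence kept below the new list still reads "If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities." Suggest rewording it for the KDF as a whole (a PRF for PBKDF2-HMAC, or Argon2id) and stating whether Argon2id is among the combinations tried by trial and error when the user specifies nothing.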
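Review bot: In doc/html/en/Hash Algorithms.html, the rewritten second paragraph scopes the Random Number Generator's "mixing" function to "For PBKDF2-HMAC", and the first paragraph says no hash algorithm selection is available with Argon2id, so the page no longer says which hash the Random Number Generator mixes with when Argon2id is the selected KDF. Suggest one sentence naming it, since the same paragraph says the Random Number Generator generates the master key, secondary key and salt when a new volume is created.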