Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 02:58:02 -06:00
Code Activity

Documentation: Use "KDF" instead of "PKCS-5 PRF". Add Argon2 related information.

Browse Source
This commit is contained in:
Mounir IDRASSI
2025-08-08 23:38:40 +09:00
parent 54c39e4eb2
commit 26a754b198
7 changed files with 255 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
doc/html/en/Argon2.html Normal file
View File

@@ -0,0 +1,175 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="Code.html">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Hash%20Algorithms.html">Hash Algorithms</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Argon2id.html">Argon2id</a>
</p></div>
<div class="wikidoc">
<h1>Argon2id</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for header key derivation.
</div>
<h3>Key Features</h3>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory-hard:</strong> Requires a configurable amount of memory, making it resistant to specialized hardware attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Side-channel resistant:</strong> Combines data-dependent and data-independent memory access patterns
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Internal hash function:</strong> Uses BLAKE2b internally, eliminating the need for separate hash algorithm selection
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Tunable parameters:</strong> Allows adjustment of memory cost, time cost, and parallelism
</li>
</ul>
<h3>Argon2 Variants</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Argon2 has three variants:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2d:</strong> Uses data-dependent memory access, resistant to time-memory trade-off attacks but vulnerable to side-channel attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2i:</strong> Uses data-independent memory access, resistant to side-channel attacks but more vulnerable to time-memory trade-off attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2id:</strong> Hybrid approach that combines both variants, providing resistance to both attack types (used by VeraCrypt)
</li>
</ul>
<h3>Parameters in VeraCrypt</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt uses Argon2id with the following parameter configuration:
</div>
<h4>Memory Cost (m_cost)</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The amount of memory used during the key derivation process, controlled by the PIM value:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Formula:</strong> m_cost(pim) = min(64 MiB + (pim - 1) × 32 MiB, 1024 MiB)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Range:</strong> 64 MiB to 1024 MiB (capped at PIM = 31)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Default:</strong> 96 MiB (equivalent to PIM = 2)
</li>
</ul>
<h4>Time Cost (t_cost)</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The number of iterations performed during the key derivation process:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>For PIM ≤ 31:</strong> t_cost(pim) = 3 + floor((pim - 1) / 3)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>For PIM > 31:</strong> t_cost(pim) = 13 + (pim - 31)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Default:</strong> 3 iterations (equivalent to PIM = 2)
</li>
</ul>
<h4>Parallelism</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The number of parallel threads used during computation:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Value:</strong> Fixed at 1 thread for all cases in VeraCrypt
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Rationale:</strong> Ensures consistent behavior across different hardware configurations
</li>
</ul>
<h3>Advantages over PBKDF2</h3>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory hardness:</strong> Requires significant memory allocation, making GPU and ASIC attacks more expensive
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Modern design:</strong> Specifically designed to resist contemporary attack methods
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Side-channel resistance:</strong> Built-in protections against cache-timing and other side-channel attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Standardization:</strong> Officially standardized in RFC 9106
</li>
</ul>
<h3>Usage Considerations</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
When using Argon2id in VeraCrypt:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory requirements:</strong> Ensure sufficient RAM is available, especially with higher PIM values
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Performance:</strong> Higher memory costs may result in slower mounting times but provide better security
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Compatibility:</strong> Available in VeraCrypt versions that support multiple key derivation functions
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>No hash selection:</strong> Unlike PBKDF2-HMAC, no separate hash algorithm needs to be chosen
</li>
</ul>
<h3>Technical Specifications</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong>Algorithm:</strong> Argon2id as defined in RFC 9106<br/>
<strong>Internal hash:</strong> BLAKE2b<br/>
<strong>Salt size:</strong> 512 bits (same as PBKDF2-HMAC)<br/>
<strong>Output length:</strong> Variable, depending on the encryption algorithm (e.g., 256 bits for AES-256, 768 bits for AES-Twofish-Serpent cascade)<br/>
<strong>Version:</strong> Argon2 version 0x13 (19 decimal)
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
For more information about PIM values and their effect on Argon2id parameters, see the
<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html" style="text-align:left; color:#0080c0; text-decoration:none">
Personal Iterations Multiplier (PIM)</a> section.
</div>
<p><a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></p>
</div><div class="ClearBoth"></div></body></html>

9
doc/html/en/Encryption Scheme.html
View File

@@ -50,10 +50,15 @@ Hidden Operating System</a>). If there is a hidden volume within this volume (or
</li><li>Now VeraCrypt attempts to decrypt the standard volume header read in (1). All data used and generated in the course of the process of decryption are kept in RAM (VeraCrypt never saves them to disk). The following parameters are unknown&dagger; and have
to be determined through the process of trial and error (i.e., by testing all possible combinations of the following):
<ol type="a">
<li>PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section
<li>Key Derivation Function (KDF) and associated parameters:
<ul>
<li><strong>PBKDF2-HMAC:</strong> PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>), which can be one of the following:
<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool, HMAC-Streebog.</li>
<li><strong>Argon2id:</strong> Memory-hard key derivation function with internal BLAKE2b hash function.</li>
</ul>
<p>If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
<p>A password entered by the user (to which one or more keyfiles may have been applied &ndash; see the section
<a href="Keyfiles%20in%20VeraCrypt.html">
<em>Keyfiles</em></a>), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section

9
doc/html/en/Hash Algorithms.html
View File

@@ -34,13 +34,14 @@
<div class="wikidoc">
<h1>Hash Algorithms</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm. A user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom &quot;mixing&quot; function,
and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more
In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile Generator dialog window, you can select a hash algorithm when using PBKDF2-HMAC as the key derivation function. When Argon2id is selected as the key derivation function, no hash algorithm selection is available as Argon2id uses its own internal BLAKE2b hash function.
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
For PBKDF2-HMAC, the user-selected hash algorithm is used by the VeraCrypt Random Number Generator as a pseudorandom &quot;mixing&quot; function, and by the header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as a pseudorandom function. When creating a new volume, the Random Number Generator generates the master key, secondary key (XTS mode), and salt. For more
information, please see the section <a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
Random Number Generator</a> and section <a href="Header%20Key%20Derivation.html" style="text-align:left; color:#0080c0; text-decoration:none">
Header Key Derivation, Salt, and Iteration Count</a>.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt currently supports the following hash algorithms:</div>
VeraCrypt currently supports the following hash algorithms for PBKDF2-HMAC:</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<a href="BLAKE2s-256.html"><strong style="text-align:left">BLAKE2s-256</strong></a>

35
doc/html/en/Header Key Derivation.html
View File

@@ -44,22 +44,31 @@ Encryption Scheme</a> and <a href="VeraCrypt%20Volume%20Format%20Specification.h
VeraCrypt Volume Format Specification</a>). In volumes created by VeraCrypt (and for
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none">
system encryption</a>), the area is encrypted in XTS mode (see the section <a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none">
Modes of Operation</a>). The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2, specified in PKCS #5 v2.0; see
<a href="References.html" style="text-align:left; color:#0080c0; text-decoration:none">
[7]</a>.</div>
Modes of Operation</a>). VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id.</div>
<h3>PBKDF2-HMAC Key Derivation</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
The PBKDF2 method uses HMAC-based pseudorandom functions with the following hash algorithms available: SHA-512, SHA-256, BLAKE2s-256, Whirlpool, or Streebog (see [8, 9, 20, 22]) the user selects which. The length of the derived
key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
for passwords (i.e., brute force attack)&nbsp;[7].</div>
<h3>Argon2id Key Derivation</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.
Argon2id is a memory-hard key derivation function that provides resistance against both time-memory trade-off attacks and side-channel attacks. Unlike PBKDF2-HMAC, Argon2id does not use a separate hash algorithm selection it uses its own internal hash function (BLAKE2b). Argon2id requires three parameters: memory cost (amount of memory used), time cost (number of iterations), and parallelism (number of threads). VeraCrypt sets the parallelism parameter to 1 for all cases.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
512-bit salt is used for both key derivation functions, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt random number generator</a> during the volume creation process.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<p>Prior to version 1.12, VeraCrypt always used PBKDF2-HMAC with a fixed number of iterations that depended only on the volume type and the hash algorithm used.
Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>
<p>
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the computational parameters used by the key derivation function.</p>
<h4>PBKDF2-HMAC Parameters</h4>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>
<ul>
@@ -69,12 +78,16 @@ PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the def
</li></ul>
</p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>
PIM </a>value is given by the user, the number of iterations of the PBKDF2 key derivation function is calculated as follows:</p>
<ul>
<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>
</li><li>For system encryption that uses SHA-512 or Whirlpool: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li><li>For non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li></ul>
<h4>Argon2id Parameters</h4>
<p>When Argon2id is selected as the key derivation function, the PIM value controls both memory and time costs as described in the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">PIM section</a>. If no PIM is specified, default parameters equivalent to PIM = 12 are used (416 MiB memory, 6 iterations).</p>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed

53
doc/html/en/Personal Iterations Multiplier (PIM).html
View File

@@ -36,25 +36,56 @@
<div class="wikidoc">
<h1>PIM</h1>
<div>
<p>PIM stands for &quot;Personal Iterations Multiplier&quot;. It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the number of iterations used by the header key derivation function. This value can be specified through the password dialog
<p>PIM stands for &quot;Personal Iterations Multiplier&quot;. It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the computational parameters used by the header key derivation function. This value can be specified through the password dialog
or in the command line.</p>
<p>When a PIM value is specified, the number of iterations is calculated as follows:</p>
<p>The exact meaning of PIM depends on the key derivation function (KDF) being used:</p>
<h3>PBKDF2-HMAC Key Derivation</h3>
<p>When PBKDF2-HMAC is used, the PIM value controls the number of iterations as follows:</p>
<ul>
<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>
</li><li>For system encryption that uses SHA-512 or Whirlpool: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li><li>For non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li></ul>
<p>If no PIM value is specified, VeraCrypt will use the default number of iterations used in versions prior to 1.12 (see
<a href="Header%20Key%20Derivation.html">
Header Key Derivation</a>). This can be summarized as follows:<br/>
<ul>
<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used which is equivalent to a PIM value of <strong>98</strong>.</li>
<li>For system encryption that uses SHA-512 or Whirlpool, <strong>500000</strong> iterations are used which is equivalent to a PIM value of <strong>485</strong>.</li>
<li>For non-system encryption and file containers, all derivation algorithms will use <strong>500000</strong> iterations which is equivalent to a PIM value of <strong>485</strong>.</li>
</ul>
<h3>Argon2id Key Derivation</h3>
<p>When Argon2id is used, the PIM value controls both memory cost and time cost parameters:</p>
<ul>
<li><strong>Memory Cost (m_cost) in MiB:</strong><br/>
m_cost(pim) = min(64 MiB + (pim - 1) * 32 MiB, 1024 MiB)<br/>
The memory cost increases by 32 MiB for each increment of PIM, starting from 64 MiB, and is capped at 1024 MiB when PIM reaches 31 or higher.
</li>
<li><strong>Time Cost (t_cost) in iterations:</strong><br/>
If PIM ≤ 31: t_cost(pim) = 3 + floor((pim - 1) / 3)<br/>
If PIM > 31: t_cost(pim) = 13 + (pim - 31)<br/>
The time cost increases by 1 iteration for every 3 increments of PIM when PIM ≤ 31, and by 1 iteration per PIM increment when PIM > 31.
</li>
<li><strong>Parallelism:</strong> Fixed at 1 thread for all cases.</li>
</ul>
<p><strong>Argon2id Examples:</strong></p>
<ul>
<li>For PIM = 12: Memory Cost = 416 MiB, Time Cost = 6 iterations</li>
<li>For PIM = 31: Memory Cost = 1024 MiB, Time Cost = 13 iterations</li>
<li>For PIM = 32: Memory Cost = 1024 MiB, Time Cost = 14 iterations</li>
</ul>
<p>If no PIM value is specified, VeraCrypt will use the default parameters used in versions prior to 1.12 for PBKDF2-HMAC (see
<a href="Header%20Key%20Derivation.html">
Header Key Derivation</a>). For Argon2id, default parameters are equivalent to PIM = 12:
</p>
<ul>
<li><strong>PBKDF2-HMAC defaults:</strong></li>
<ul>
<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used which is equivalent to a PIM value of <strong>98</strong>.</li>
<li>For system encryption that uses SHA-512 or Whirlpool, <strong>500000</strong> iterations are used which is equivalent to a PIM value of <strong>485</strong>.</li>
<li>For non-system encryption and file containers, all derivation algorithms will use <strong>500000</strong> iterations which is equivalent to a PIM value of <strong>485</strong>.</li>
</ul>
<li><strong>Argon2id defaults:</strong> Memory Cost = 416 MiB, Time Cost = 6 iterations (equivalent to PIM = 12)</li>
</ul>
<p>Prior to version 1.12, the security of a VeraCrypt volume was only based on the password strength because VeraCrypt was using a fixed number of iterations.<br>
With the introduction of PIM, VeraCrypt has a 2-dimensional security space for volumes based on the couple (Password, PIM). This provides more flexibility for adjusting the desired security level while also controlling the performance of the mount/boot operation.</p>
With the introduction of PIM, VeraCrypt has a multi-dimensional security space for volumes based on the combination (Password, PIM, Key Derivation Function). This provides more flexibility for adjusting the desired security level while also controlling the performance of the mount/boot operation.</p>
<h3>PIM Usage</h3>
It is not mandatory to specify a PIM.</div>
<div><br>

2
doc/html/en/Program Menu.html
View File

@@ -59,7 +59,7 @@ Note: For information on how to change a password used for pre-boot authenticati
See also the chapter <a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>.</p>
<div style="margin-left:50px">
<h4>PKCS-5 PRF</h4>
<h4>KDF</h4>
<p>In this field you can select the algorithm that will be used in deriving new volume header keys (for more information, see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>) and in generating the new salt (for more information, see the section

2
doc/html/ru/Program Menu.html
View File

@@ -60,7 +60,7 @@
См. также главу <a href="Security%20Requirements%20and%20Precautions.html">
<em>Требования безопасности и меры предосторожности</em></a>.</p>
<div style="margin-left:50px">
<h4>PKCS-5 PRF</h4>
<h4>KDF</h4>
<p>В этом поле можно выбрать алгоритм, который будет использоваться для формирования (деривации) новых ключей
заголовка тома (см. подробности в разделе
<a href="Header%20Key%20Derivation.html">