mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-01-02 11:59:44 -06:00

Documentation: Use "KDF" instead of "PKCS-5 PRF". Add Argon2 related information.

Mounir IDRASSI
2025-08-08 23:38:40 +09:00
parent 54c39e4eb2
commit 26a754b198
7 changed files with 255 additions and 30 deletions


@@ -44,22 +44,31 @@ Encryption Scheme</a> and <a href="VeraCrypt%20Volume%20Format%20Specification.h
VeraCrypt Volume Format Specification</a>). In volumes created by VeraCrypt (and for
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none">
system encryption</a>), the area is encrypted in XTS mode (see the section <a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none">
Modes of Operation</a>). The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2, specified in PKCS #5 v2.0; see
<a href="References.html" style="text-align:left; color:#0080c0; text-decoration:none">
[7]</a>.</div>
Modes of Operation</a>). VeraCrypt supports two key derivation functions for generating header keys: PBKDF2 (specified in PKCS #5 v2.0) and Argon2id.</div>
<h3>PBKDF2-HMAC Key Derivation</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
The PBKDF2 method uses HMAC-based pseudorandom functions with the following hash algorithms available: SHA-512, SHA-256, BLAKE2s-256, Whirlpool, or Streebog (see [8, 9, 20, 22]) the user selects which. The length of the derived
key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
for passwords (i.e., brute force attack)&nbsp;[7].</div>
<h3>Argon2id Key Derivation</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.
Argon2id is a memory-hard key derivation function that provides resistance against both time-memory trade-off attacks and side-channel attacks. Unlike PBKDF2-HMAC, Argon2id does not use a separate hash algorithm selection it uses its own internal hash function (BLAKE2b). Argon2id requires three parameters: memory cost (amount of memory used), time cost (number of iterations), and parallelism (number of threads). VeraCrypt sets the parallelism parameter to 1 for all cases.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
512-bit salt is used for both key derivation functions, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none">
VeraCrypt random number generator</a> during the volume creation process.</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<p>Prior to version 1.12, VeraCrypt always used PBKDF2-HMAC with a fixed number of iterations that depended only on the volume type and the hash algorithm used.
Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>
<p>
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the computational parameters used by the key derivation function.</p>
<h4>PBKDF2-HMAC Parameters</h4>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>
<ul>
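Review bot: The new "Argon2id Key Derivation" paragraph cites no reference and does not say from which VeraCrypt version Argon2id is available, whereas the PBKDF2 text in this hunk cites [7] and [8, 9, 20, 22] and the paragraph that follows dates the PIM field to version 1.12. Consider adding a References entry for Argon2id (for example RFC 9106) and naming the version that introduced it. Two of the new sentences also read without a separator as shown here: "(see [8, 9, 20, 22]) the user selects which" and "a separate hash algorithm selection it uses its own internal hash function (BLAKE2b)". The line being replaced used &ndash; at that position, so using the same entity would keep the markup consistent.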
@@ -69,12 +78,16 @@ PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the def
</li></ul>
</p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>
PIM </a>value is given by the user, the number of iterations of the PBKDF2 key derivation function is calculated as follows:</p>
<ul>
<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>
</li><li>For system encryption that uses SHA-512 or Whirlpool: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li><li>For non-system encryption and file containers: Iterations = <strong>15000 &#43; (PIM x 1000)</strong>
</li></ul>
<h4>Argon2id Parameters</h4>
<p>When Argon2id is selected as the key derivation function, the PIM value controls both memory and time costs as described in the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">PIM section</a>. If no PIM is specified, default parameters equivalent to PIM = 12 are used (416 MiB memory, 6 iterations).</p>
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed
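Review bot: In the new "Argon2id Parameters" paragraph the default is described only for "If no PIM is specified", while the PBKDF2 text says "not specified or if it is equal to zero", and the paragraph does not say whether the PIM = 12 default (416 MiB memory, 6 iterations) applies to system encryption as well as to non-system volumes and file containers, a distinction the PBKDF2 list in this hunk makes. Suggest stating the PIM = 0 case and the volume types explicitly, and giving the PIM-to-memory and PIM-to-iterations formulas here, as the PBKDF2 list does, rather than only linking to the PIM section.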