From a57a79c61da52b84236a4641ac23b2924fff88b6 Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Mon, 21 Mar 2022 00:14:33 +0100 Subject: [PATCH] Update documentation to add Blake2s-256 and remove RIPEMD-160 --- .../{RIPEMD-160.html => BLAKE2s-256.html} | 16 +++++++++----- doc/html/Command Line Usage.html | 6 +++--- doc/html/Documentation.html | 2 +- doc/html/Encryption Scheme.html | 2 +- doc/html/FAQ.html | 11 +--------- doc/html/Hash Algorithms.html | 4 ++-- doc/html/Header Key Derivation.html | 21 ++++++++++--------- doc/html/Program Menu.html | 2 +- doc/html/Random Number Generator.html | 4 ++-- 9 files changed, 33 insertions(+), 35 deletions(-) rename doc/html/{RIPEMD-160.html => BLAKE2s-256.html} (66%) diff --git a/doc/html/RIPEMD-160.html b/doc/html/BLAKE2s-256.html similarity index 66% rename from doc/html/RIPEMD-160.html rename to doc/html/BLAKE2s-256.html index a67c8dc6..097b714f 100644 --- a/doc/html/RIPEMD-160.html +++ b/doc/html/BLAKE2s-256.html @@ -31,15 +31,21 @@ >> Hash Algorithms >> -RIPEMD-160 +BLAKE2s-256

-

RIPEMD-160

+

BLAKE2s-256

-RIPEMD-160, published in 1996, is a hash algorithm designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel in an open academic community. The size of the output of RIPEMD-160 is 160 bits. RIPEMD-160 is a strengthened version of the RIPEMD hash algorithm - that was developed in the framework of the European Union's project RIPE (RACE Integrity Primitives Evaluation), 1988-1992. RIPEMD-160 was adopted by the International Organization for Standardization (ISO) and the IEC in the - ISO/IEC 10118-3:2004 international standard [21].
+

+BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It was announced on December 21, 2012. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...).
+BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).
+BLAKE2b and BLAKE2s are specified in RFC 7693. +

+

+VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits). +

+
Next Section >>
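Review bot: The added sentence "BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...)" is a broad comparative claim with no source and an open-ended "etc...". Suggest limiting it to the two named properties and citing where they are established. The removed RIPEMD-160 paragraph carried a bracketed reference ([21]); the new text names RFC 7693 without a matching bracketed entry, so add one or link the RFC. Minor: "32-bytes (256 bits)" should read "32 bytes (256 bits)".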
diff --git a/doc/html/Command Line Usage.html b/doc/html/Command Line Usage.html index d244df1e..4b8f828d 100644 --- a/doc/html/Command Line Usage.html +++ b/doc/html/Command Line Usage.html @@ -49,7 +49,7 @@

Command Line Usage

/hash -It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try +It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try all possible PRF algorithms thus lengthening the mount operation time. @@ -306,9 +306,9 @@

VeraCrypt Format.exe (VeraCrypt Volume Creation Wizard):

Syntax

-

VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |ripemd160|ripemd-160}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}] +

VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}] [/p password] [/pim pimvalue] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]

-

"VeraCrypt Format.exe" [/n] [/create] [/size number[{K|M|G|T}]] [/p password]  [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|ripemd160|ripemd-160}] +

"VeraCrypt Format.exe" [/n] [/create] [/size number[{K|M|G|T}]] [/p password]  [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}] [/filesystem {None|FAT|NTFS|ExFAT|ReFS}] [/dynamic] [/force] [/silent] [/noisocheck] [FastCreateFile] [/quick]

Note that the order in which options are specified does not matter.

Examples
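Review bot: Both syntax lines and the /hash description drop ripemd160 and ripemd-160 without saying what happens to existing scripts that still pass those values. Suggest a short note under /hash stating that RIPEMD-160 is no longer accepted and from which version. The value list also has no Streebog entry, although the Header Key Derivation.html hunk in this patch lists HMAC-Streebog as a PRF the user can select; confirm whether that omission is intentional. Minor: the VeraCrypt.exe line has a stray space in "whirlpool |blake2s" while the "VeraCrypt Format.exe" line writes "whirlpool|blake2s".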

diff --git a/doc/html/Documentation.html b/doc/html/Documentation.html index 5626301b..f9315c22 100644 --- a/doc/html/Documentation.html +++ b/doc/html/Documentation.html @@ -78,7 +78,7 @@

Table of Contents

  • Hash Algorithms
  • Supported Operating Systems diff --git a/doc/html/Encryption Scheme.html b/doc/html/Encryption Scheme.html index e159c7e8..88c586a2 100644 --- a/doc/html/Encryption Scheme.html +++ b/doc/html/Encryption Scheme.html @@ -54,7 +54,7 @@

    Encryption Scheme

  • PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section Header Key Derivation, Salt, and Iteration Count), which can be one of the following: -

    HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.

    +

    HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.

    A password entered by the user (to which one or more keyfiles may have been applied – see the section Keyfiles), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section diff --git a/doc/html/FAQ.html b/doc/html/FAQ.html index 8b2fabc7..24e2cc57 100644 --- a/doc/html/FAQ.html +++ b/doc/html/FAQ.html @@ -65,8 +65,7 @@

    Frequently Asked Questions

    It also solves many vulnerabilities and security issues found in TrueCrypt.
    As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses -655331 for RIPEMD160 and -500000 iterations for SHA-2 and Whirlpool.
    +500000 iterations.
    This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data. @@ -524,14 +523,6 @@

    Frequently Asked Questions

    use the password typed in the 'Current Password' field.)

    -When I use HMAC-RIPEMD-160, is the size of the header encryption key only 160 bits?
    -
    -No, VeraCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key. See the section - -Header Key Derivation, Salt, and Iteration Count in the -documentation for more information.
    -
    -
    How do I burn a VeraCrypt container larger than 2 GB onto a DVD?

    The DVD burning software you use should allow you to select the format of the DVD. If it does, select the UDF format (ISO format does not support files larger than 2 GB).
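Review bot: In the first FAQ.html hunk the unchanged sentence still reads "whereas in VeraCrypt we use 327661" for system partition encryption, but this patch removes the 327661 figure from Header Key Derivation.html and documents 200000 or 500000 iterations there. The FAQ figure needs updating to match. In the second hunk, the deleted answer ("VeraCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key") is not specific to RIPEMD-160; consider rewording the question generically instead of removing the entry.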
    diff --git a/doc/html/Hash Algorithms.html b/doc/html/Hash Algorithms.html index 9e59aa66..ea8c19ea 100644 --- a/doc/html/Hash Algorithms.html +++ b/doc/html/Hash Algorithms.html @@ -44,7 +44,7 @@

    Hash Algorithms

    VeraCrypt currently supports the following hash algorithms: -

    Next Section >>

    +

    Next Section >>

    diff --git a/doc/html/Header Key Derivation.html b/doc/html/Header Key Derivation.html index 860c85e0..d8896904 100644 --- a/doc/html/Header Key Derivation.html +++ b/doc/html/Header Key Derivation.html @@ -52,21 +52,22 @@

    Header Key Derivation, Salt, and Iteration Count

    512-bit salt is used, which means there are 2512 keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the -VeraCrypt random number generator during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) – the user selects which. The length of the derived - key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence, +VeraCrypt random number generator during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) – the user selects which. The length of the derived + key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence, two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search for passwords (i.e., brute force attack) [7].
    -

    Prior to version 1.12, VeraCrypt always used a fixed number of iterations depending on the volume type and the derivation algorithm used:

    -
      -
    • For system partition encryption (boot encryption), 200000 iterations are used for the HMAC-SHA-256 derivation function and -327661 iterations are used for HMAC-RIPEMD-160.
    • For standard containers and other partitions, 655331 iterations are used for HMAC-RIPEMD-160 and -500000 iterations are used for HMAC-SHA-512, HMAC-SHA-256 and HMAC-Whirlpool. -
    -

    Starting from version 1.12, the +

    Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used. +Starting from version 1.12, the PIM field (Personal Iterations Multiplier) enables users to have more control over the number of iterations used by the key derivation function.

    +

    When a -PIM value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed above.

    +PIM value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:
    +
      +
    • For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, 200000 iterations are used.
    • +
    • For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers, 500000 iterations are used. +
    +

    When a PIM value is given by the user, the number of iterations of the key derivation function is calculated as follows:
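Review bot: The PRF list here adds HMAC-Streebog, and the new defaults mention Streebog for system encryption, but the Encryption Scheme.html hunk in this patch lists only HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256 and HMAC-Whirlpool, and the /hash values in Command Line Usage.html have no Streebog entry. Make the three pages agree. The citation "(see [8, 9, 20, 22])" is unchanged although the set of algorithms changed, so check that it still covers them. Minor: "iterations That depended" has a stray capital, and the hunk mixes "HMAC-BLAKE2S-256" with "BLAKE2s-256"; pick one spelling.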

      diff --git a/doc/html/Program Menu.html b/doc/html/Program Menu.html index caed5f40..02ee86e6 100644 --- a/doc/html/Program Menu.html +++ b/doc/html/Program Menu.html @@ -73,7 +73,7 @@

      PKCS-5 PRF

      Security Requirements and Precautions).

    Volumes -> Set Header Key Derivation Algorithm

    -

    This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-RIPEMD-160 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which +

    This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which the volume is encrypted. Therefore, the data stored on the volume will not be lost after you use this function. For more information, see the section Header Key Derivation, Salt, and Iteration Count.
    diff --git a/doc/html/Random Number Generator.html b/doc/html/Random Number Generator.html index e5080389..8b9d934c 100644 --- a/doc/html/Random Number Generator.html +++ b/doc/html/Random Number Generator.html @@ -51,9 +51,9 @@

    Pool Mixing Function

    written to the pool, this function is applied to the entire pool.

    Description of the pool mixing function:

      -
    1. Let R be the randomness pool.
    2. Let H be the hash function selected by the user (SHA-512, RIPEMD-160, or Whirlpool). +
    3. Let R be the randomness pool.
    4. Let H be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).
    5. l = byte size of the output of the hash function H (i.e., if -H is RIPEMD-160, then l = 20; if H is SHA-512, l = 64) +H is BLAKE2S-256, then l = 20; if H is SHA-512, l = 64)
    6. z = byte size of the randomness pool R (320 bytes)
    7. q = z / l – 1 (e.g., if H is Whirlpool, then q = 4)
    8. Ris divided intol-byte blocksB0...Bq.

      For 0 ≤ i ≤ q (i.e., for each block B) the following steps are performed:
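Review bot: In the definition of l, "H is BLAKE2S-256, then l = 20" keeps the RIPEMD-160 output size. BLAKE2s-256 produces 32 bytes, as the BLAKE2s-256.html hunk in this patch states ("maximum output size of 32-bytes (256 bits)"), so this should be l = 32, which with z = 320 gives q = 9 under "q = z / l – 1".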