mirror of
https://github.com/veracrypt/VeraCrypt
synced 2024-11-27 21:43:29 +01:00
Update documentation to add Blake2s-256 and remove RIPEMD-160
This commit is contained in:
parent
4a1be156f7
commit
a57a79c61d
@ -31,15 +31,21 @@
|
||||
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
|
||||
<a href="Hash%20Algorithms.html">Hash Algorithms</a>
|
||||
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
|
||||
<a href="RIPEMD-160.html">RIPEMD-160</a>
|
||||
<a href="BLAKE2s-256.html">BLAKE2s-256</a>
|
||||
</p></div>
|
||||
|
||||
<div class="wikidoc">
|
||||
<h1>RIPEMD-160</h1>
|
||||
<h1>BLAKE2s-256</h1>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
RIPEMD-160, published in 1996, is a hash algorithm designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel in an open academic community. The size of the output of RIPEMD-160 is 160 bits. RIPEMD-160 is a strengthened version of the RIPEMD hash algorithm
|
||||
that was developed in the framework of the European Union's project RIPE (<em style="text-align:left">RACE Integrity Primitives Evaluation</em>), 1988-1992. RIPEMD-160 was adopted by the International Organization for Standardization (ISO) and the IEC in the
|
||||
ISO/IEC 10118-3:2004 international standard [21].</div>
|
||||
<p>
|
||||
BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It was announced on December 21, 2012. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...).<br/>
|
||||
BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).<br/>
|
||||
BLAKE2b and BLAKE2s are specified in RFC 7693.
|
||||
</p>
|
||||
<p>
|
||||
VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits).
|
||||
</p>
|
||||
</div>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section >></a></div>
|
||||
</div><div class="ClearBoth"></div></body></html>
|
@ -49,7 +49,7 @@ <h1>Command Line Usage</h1>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><em>/hash</em></td>
|
||||
<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try
|
||||
<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try
|
||||
all possible PRF algorithms thus lengthening the mount operation time.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@ -306,9 +306,9 @@ <h4>VeraCrypt Format.exe (VeraCrypt Volume Creation Wizard):</h4>
|
||||
</tbody>
|
||||
</table>
|
||||
<h4>Syntax</h4>
|
||||
<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |ripemd160|ripemd-160}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
|
||||
<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
|
||||
[/p password] [/pim pimvalue] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]</p>
|
||||
<p>"VeraCrypt Format.exe" [/n] [/create] [/size number[{K|M|G|T}]] [/p password] [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|ripemd160|ripemd-160}]
|
||||
<p>"VeraCrypt Format.exe" [/n] [/create] [/size number[{K|M|G|T}]] [/p password] [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}]
|
||||
[/filesystem {None|FAT|NTFS|ExFAT|ReFS}] [/dynamic] [/force] [/silent] [/noisocheck] [FastCreateFile] [/quick]</p>
|
||||
<p>Note that the order in which options are specified does not matter.</p>
|
||||
<h4>Examples</h4>
|
||||
|
@ -78,7 +78,7 @@ <h1>Table of Contents</h1>
|
||||
</li></ul>
|
||||
</li><li><strong><a href="Hash%20Algorithms.html">Hash Algorithms</a></strong>
|
||||
<ul>
|
||||
<li><a href="RIPEMD-160.html">RIPEMD-160</a>
|
||||
<li><a href="BLAKE2s-256.html">BLAKE2s-256</a>
|
||||
</li><li><a href="SHA-256.html">SHA-256</a> </li><li><a href="SHA-512.html">SHA-512</a> </li><li><a href="Whirlpool.html">Whirlpool</a>
|
||||
</li><li><a href="Streebog.html">Streebog</a></li></ul>
|
||||
</li><li><strong><a href="Supported%20Operating%20Systems.html">Supported Operating Systems</a></strong>
|
||||
|
@ -54,7 +54,7 @@ <h1>Encryption Scheme</h1>
|
||||
<li>PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section
|
||||
<a href="Header%20Key%20Derivation.html">
|
||||
<em>Header Key Derivation, Salt, and Iteration Count</em></a>), which can be one of the following:
|
||||
<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
|
||||
<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
|
||||
<p>A password entered by the user (to which one or more keyfiles may have been applied – see the section
|
||||
<a href="Keyfiles%20in%20VeraCrypt.html">
|
||||
<em>Keyfiles</em></a>), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section
|
||||
|
@ -65,8 +65,7 @@ <h1>Frequently Asked Questions</h1>
|
||||
It also solves many vulnerabilities and security issues found in TrueCrypt.<br>
|
||||
As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use
|
||||
<span style="text-decoration:underline">327661</span>. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses
|
||||
<span style="text-decoration:underline">655331 </span>for RIPEMD160 and <span style="text-decoration:underline">
|
||||
500000 </span>iterations for SHA-2 and Whirlpool.<br>
|
||||
<span style="text-decoration:underline">500000 </span>iterations.<br>
|
||||
This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted
|
||||
data.</div>
|
||||
</div>
|
||||
@ -524,14 +523,6 @@ <h1>Frequently Asked Questions</h1>
|
||||
use the password typed in the 'Current Password' field.)</div>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<br style="text-align:left">
|
||||
<strong style="text-align:left">When I use HMAC-RIPEMD-160, is the size of the header encryption key only 160 bits?</strong></div>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
No, VeraCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key. See the section
|
||||
<a href="Header%20Key%20Derivation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
Header Key Derivation, Salt, and Iteration Count</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
|
||||
documentation</a> for more information.</div>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<br style="text-align:left">
|
||||
<strong style="text-align:left">How do I burn a VeraCrypt container larger than 2 GB onto a DVD?</strong><br style="text-align:left">
|
||||
<br style="text-align:left">
|
||||
The DVD burning software you use should allow you to select the format of the DVD. If it does, select the UDF format (ISO format does not support files larger than 2 GB).</div>
|
||||
|
@ -44,7 +44,7 @@ <h1>Hash Algorithms</h1>
|
||||
VeraCrypt currently supports the following hash algorithms:</div>
|
||||
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
|
||||
<a href="RIPEMD-160.html"><strong style="text-align:left.html">RIPEMD-160</strong></a>
|
||||
<a href="BLAKE2s-256.html"><strong style="text-align:left.html">BLAKE2s-256</strong></a>
|
||||
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
|
||||
<a href="SHA-256.html"><strong style="text-align:left.html">SHA-256</strong></a>
|
||||
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
|
||||
@ -54,5 +54,5 @@ <h1>Hash Algorithms</h1>
|
||||
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
|
||||
<strong style="text-align:left"><a href="Streebog.html">Streebog</a></strong>
|
||||
</li></ul>
|
||||
<p><a href="RIPEMD-160.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section >></a></p>
|
||||
<p><a href="BLAKE2s-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section >></a></p>
|
||||
</div><div class="ClearBoth"></div></body></html>
|
||||
|
@ -52,21 +52,22 @@ <h1>Header Key Derivation, Salt, and Iteration Count</h1>
|
||||
512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
|
||||
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
|
||||
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) – the user selects which. The length of the derived
|
||||
key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
|
||||
VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) – the user selects which. The length of the derived
|
||||
key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
|
||||
two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
|
||||
for passwords (i.e., brute force attack) [7].</div>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations depending on the volume type and the derivation algorithm used:</p>
|
||||
<ul>
|
||||
<li>For system partition encryption (boot encryption), <strong>200000</strong> iterations are used for the HMAC-SHA-256 derivation function and
|
||||
<strong>327661</strong> iterations are used for HMAC-RIPEMD-160. </li><li>For standard containers and other partitions, <strong>655331</strong> iterations are used for HMAC-RIPEMD-160 and
|
||||
<strong>500000</strong> iterations are used for HMAC-SHA-512, HMAC-SHA-256 and HMAC-Whirlpool.
|
||||
</li></ul>
|
||||
<p>Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
|
||||
<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.
|
||||
Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
|
||||
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>
|
||||
<p>
|
||||
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
|
||||
PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed above.</p>
|
||||
PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>
|
||||
<ul>
|
||||
<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>
|
||||
<li>For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers, <strong>500000</strong> iterations are used.
|
||||
</li></ul>
|
||||
</p>
|
||||
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
|
||||
PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>
|
||||
<ul>
|
||||
|
@ -73,7 +73,7 @@ <h4>PKCS-5 PRF</h4>
|
||||
<em>Security Requirements and Precautions</em></a>).</p>
|
||||
</div>
|
||||
<h3>Volumes -> Set Header Key Derivation Algorithm</h3>
|
||||
<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-RIPEMD-160 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
|
||||
<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
|
||||
the volume is encrypted. Therefore, the data stored on the volume will <em>not</em> be lost after you use this function. For more information, see the section
|
||||
<a href="Header%20Key%20Derivation.html">
|
||||
<em>Header Key Derivation, Salt, and Iteration Count</em></a>.<br>
|
||||
|
@ -51,9 +51,9 @@ <h2>Pool Mixing Function</h2>
|
||||
written to the pool, this function is applied to the entire pool.</p>
|
||||
<p>Description of the pool mixing function:</p>
|
||||
<ol>
|
||||
<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, RIPEMD-160, or Whirlpool).
|
||||
<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).
|
||||
</li><li><em>l</em> = byte size of the output of the hash function <em>H</em> (i.e., if
|
||||
<em>H</em> is RIPEMD-160, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
|
||||
<em>H</em> is BLAKE2S-256, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
|
||||
</li><li><em>z</em> = byte size of the randomness pool <em>R </em>(320 bytes) </li><li><em>q</em> = <em>z</em> / <em>l</em> – 1 (e.g., if <em>H</em> is Whirlpool, then
|
||||
<em>q</em> = 4) </li><li>Ris divided intol-byte blocksB0...Bq.
|
||||
<p>For 0 ≤ i ≤ q (i.e., for each block B) the following steps are performed:</p>
|
||||
|
Loading…
Reference in New Issue
Block a user