VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2022-03-21 00:14:33 +0100
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2022-03-21 01:18:48 +0100
commita57a79c61da52b84236a4641ac23b2924fff88b6 (patch)
treed8bdd1252f784c59f011994c9146dfaa413104a2 /doc
parent4a1be156f78f7c8bdfe3908a8b21a00fbe53f4f2 (diff)
downloadVeraCrypt-a57a79c61da52b84236a4641ac23b2924fff88b6.tar.gz
VeraCrypt-a57a79c61da52b84236a4641ac23b2924fff88b6.zip
Update documentation to add Blake2s-256 and remove RIPEMD-160
Diffstat (limited to 'doc')
-rw-r--r--doc/html/BLAKE2s-256.html (renamed from doc/html/RIPEMD-160.html)16
-rw-r--r--doc/html/Command Line Usage.html6
-rw-r--r--doc/html/Documentation.html2
-rw-r--r--doc/html/Encryption Scheme.html2
-rw-r--r--doc/html/FAQ.html11
-rw-r--r--doc/html/Hash Algorithms.html4
-rw-r--r--doc/html/Header Key Derivation.html21
-rw-r--r--doc/html/Program Menu.html2
-rw-r--r--doc/html/Random Number Generator.html4
9 files changed, 33 insertions, 35 deletions
diff --git a/doc/html/RIPEMD-160.html b/doc/html/BLAKE2s-256.html
index a67c8dc6..097b714f 100644
--- a/doc/html/RIPEMD-160.html
+++ b/doc/html/BLAKE2s-256.html
@@ -31,15 +31,21 @@
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Hash%20Algorithms.html">Hash Algorithms</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
-<a href="RIPEMD-160.html">RIPEMD-160</a>
+<a href="BLAKE2s-256.html">BLAKE2s-256</a>
</p></div>
<div class="wikidoc">
-<h1>RIPEMD-160</h1>
+<h1>BLAKE2s-256</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-RIPEMD-160, published in 1996, is a hash algorithm designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel in an open academic community. The size of the output of RIPEMD-160 is 160 bits. RIPEMD-160 is a strengthened version of the RIPEMD hash algorithm
- that was developed in the framework of the European Union's project RIPE (<em style="text-align:left">RACE Integrity Primitives Evaluation</em>), 1988-1992. RIPEMD-160 was adopted by the International Organization for Standardization (ISO) and the IEC in the
- ISO/IEC 10118-3:2004 international standard [21].</div>
+<p>
+BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. It was announced on December 21, 2012. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3 (e.g. immunity to length extension, indifferentiability from a random oracle, etc...).<br/>
+BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).<br/>
+BLAKE2b and BLAKE2s are specified in RFC 7693.
+</p>
+<p>
+VeraCrypt uses only BLAKE2s with its maximum output size of 32-bytes (256 bits).
+</p>
+</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<a href="SHA-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></div>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Command Line Usage.html b/doc/html/Command Line Usage.html
index d244df1e..4b8f828d 100644
--- a/doc/html/Command Line Usage.html
+++ b/doc/html/Command Line Usage.html
@@ -49,7 +49,7 @@
</tr>
<tr>
<td><em>/hash</em></td>
-<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, ripemd160 and ripemd-160. When /hash is omitted, VeraCrypt will try
+<td>It must be followed by a parameter indicating the PRF hash algorithm to use when mounting the volume. Possible values for /hash parameter are: sha256, sha-256, sha512, sha-512, whirlpool, blake2s and blake2s-256. When /hash is omitted, VeraCrypt will try
all possible PRF algorithms thus lengthening the mount operation time.</td>
</tr>
<tr>
@@ -306,9 +306,9 @@ If it is followed by <strong>n</strong> or <strong>no</strong>: the password dia
</tbody>
</table>
<h4>Syntax</h4>
-<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |ripemd160|ripemd-160}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
+<p>VeraCrypt.exe [/tc] [/hash {sha256|sha-256|sha512|sha-512|whirlpool |blake2s|blake2s-256}][/a [devices|favorites]] [/b] [/c [y|n|f]] [/d [drive letter]] [/e] [/f] [/h [y|n]] [/k keyfile or search path] [tryemptypass [y|n]] [/l drive letter] [/m {bk|rm|recovery|ro|sm|ts|noattach}]
[/p password] [/pim pimvalue] [/q [background|preferences]] [/s] [/tokenlib path] [/v volume] [/w]</p>
-<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|ripemd160|ripemd-160}]
+<p>&quot;VeraCrypt Format.exe&quot; [/n] [/create] [/size number[{K|M|G|T}]] [/p password]&nbsp; [/encryption {AES | Serpent | Twofish | Camellia | Kuznyechik | AES(Twofish) | AES(Twofish(Serpent)) | Serpent(AES) | Serpent(Twofish(AES)) | Twofish(Serpent) | Camellia(Kuznyechik) | Kuznyechik(Twofish) | Camellia(Serpent) | Kuznyechik(AES) | Kuznyechik(Serpent(Camellia))}] [/hash {sha256|sha-256|sha512|sha-512|whirlpool|blake2s|blake2s-256}]
[/filesystem {None|FAT|NTFS|ExFAT|ReFS}] [/dynamic] [/force] [/silent] [/noisocheck] [FastCreateFile] [/quick]</p>
<p>Note that the order in which options are specified does not matter.</p>
<h4>Examples</h4>
diff --git a/doc/html/Documentation.html b/doc/html/Documentation.html
index 5626301b..f9315c22 100644
--- a/doc/html/Documentation.html
+++ b/doc/html/Documentation.html
@@ -78,7 +78,7 @@
</li></ul>
</li><li><strong><a href="Hash%20Algorithms.html">Hash Algorithms</a></strong>
<ul>
-<li><a href="RIPEMD-160.html">RIPEMD-160</a>
+<li><a href="BLAKE2s-256.html">BLAKE2s-256</a>
</li><li><a href="SHA-256.html">SHA-256</a> </li><li><a href="SHA-512.html">SHA-512</a> </li><li><a href="Whirlpool.html">Whirlpool</a>
</li><li><a href="Streebog.html">Streebog</a></li></ul>
</li><li><strong><a href="Supported%20Operating%20Systems.html">Supported Operating Systems</a></strong>
diff --git a/doc/html/Encryption Scheme.html b/doc/html/Encryption Scheme.html
index e159c7e8..88c586a2 100644
--- a/doc/html/Encryption Scheme.html
+++ b/doc/html/Encryption Scheme.html
@@ -54,7 +54,7 @@ Hidden Operating System</a>). If there is a hidden volume within this volume (or
<li>PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>), which can be one of the following:
-<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
+<p>HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.</p>
<p>A password entered by the user (to which one or more keyfiles may have been applied &ndash; see the section
<a href="Keyfiles%20in%20VeraCrypt.html">
<em>Keyfiles</em></a>), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section
diff --git a/doc/html/FAQ.html b/doc/html/FAQ.html
index 8b2fabc7..24e2cc57 100644
--- a/doc/html/FAQ.html
+++ b/doc/html/FAQ.html
@@ -65,8 +65,7 @@ VeraCrypt adds enhanced security to the algorithms used for system and partition
It also solves many vulnerabilities and security issues found in TrueCrypt.<br>
As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use
<span style="text-decoration:underline">327661</span>. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses
-<span style="text-decoration:underline">655331 </span>for RIPEMD160 and <span style="text-decoration:underline">
-500000 </span>iterations for SHA-2 and Whirlpool.<br>
+<span style="text-decoration:underline">500000 </span>iterations.<br>
This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted
data.</div>
</div>
@@ -524,14 +523,6 @@ volume header</a> and if it fails, it attempts to decrypt the area within the vo
use the password typed in the 'Current Password' field.)</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<br style="text-align:left">
-<strong style="text-align:left">When I use HMAC-RIPEMD-160, is the size of the header encryption key only 160 bits?</strong></div>
-<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-No, VeraCrypt never uses an output of a hash function (nor of a HMAC algorithm) directly as an encryption key. See the section
-<a href="Header%20Key%20Derivation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none.html">
-Header Key Derivation, Salt, and Iteration Count</a> in the <a href="https://www.veracrypt.fr/en/Documentation.html" target="_blank" style="text-align:left; color:#0080c0; text-decoration:none">
-documentation</a> for more information.</div>
-<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-<br style="text-align:left">
<strong style="text-align:left">How do I burn a VeraCrypt container larger than 2 GB onto a DVD?</strong><br style="text-align:left">
<br style="text-align:left">
The DVD burning software you use should allow you to select the format of the DVD. If it does, select the UDF format (ISO format does not support files larger than 2 GB).</div>
diff --git a/doc/html/Hash Algorithms.html b/doc/html/Hash Algorithms.html
index 9e59aa66..ea8c19ea 100644
--- a/doc/html/Hash Algorithms.html
+++ b/doc/html/Hash Algorithms.html
@@ -44,7 +44,7 @@ Header Key Derivation, Salt, and Iteration Count</a>.</div>
VeraCrypt currently supports the following hash algorithms:</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
-<a href="RIPEMD-160.html"><strong style="text-align:left.html">RIPEMD-160</strong></a>
+<a href="BLAKE2s-256.html"><strong style="text-align:left.html">BLAKE2s-256</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<a href="SHA-256.html"><strong style="text-align:left.html">SHA-256</strong></a>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
@@ -54,5 +54,5 @@ VeraCrypt currently supports the following hash algorithms:</div>
</li><li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong style="text-align:left"><a href="Streebog.html">Streebog</a></strong>
</li></ul>
-<p><a href="RIPEMD-160.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
+<p><a href="BLAKE2s-256.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></p>
</div><div class="ClearBoth"></div></body></html>
diff --git a/doc/html/Header Key Derivation.html b/doc/html/Header Key Derivation.html
index 860c85e0..d8896904 100644
--- a/doc/html/Header Key Derivation.html
+++ b/doc/html/Header Key Derivation.html
@@ -52,21 +52,22 @@ Modes of Operation</a>). The method that VeraCrypt uses to generate the header k
512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the
<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
-VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
- key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
+VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived
+ key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
for passwords (i.e., brute force attack)&nbsp;[7].</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations depending on the volume type and the derivation algorithm used:</p>
-<ul>
-<li>For system partition encryption (boot encryption), <strong>200000</strong> iterations are used for the HMAC-SHA-256 derivation function and
-<strong>327661</strong> iterations are used for HMAC-RIPEMD-160. </li><li>For standard containers and other partitions, <strong>655331</strong> iterations are used for HMAC-RIPEMD-160 and
-<strong>500000</strong> iterations are used for HMAC-SHA-512,&nbsp;HMAC-SHA-256 and HMAC-Whirlpool.
-</li></ul>
-<p>Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
+<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.
+Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>
+<p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
-PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed above.</p>
+PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>
+<ul>
+<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>
+<li>For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers, <strong>500000</strong> iterations are used.
+</li></ul>
+</p>
<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">
PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>
<ul>
diff --git a/doc/html/Program Menu.html b/doc/html/Program Menu.html
index caed5f40..02ee86e6 100644
--- a/doc/html/Program Menu.html
+++ b/doc/html/Program Menu.html
@@ -73,7 +73,7 @@ Note: When VeraCrypt re-encrypts a volume header, the original volume header is
<em>Security Requirements and Precautions</em></a>).</p>
</div>
<h3>Volumes -&gt; Set Header Key Derivation Algorithm</h3>
-<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-RIPEMD-160 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
+<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
the volume is encrypted. Therefore, the data stored on the volume will <em>not</em> be lost after you use this function. For more information, see the section
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>.<br>
diff --git a/doc/html/Random Number Generator.html b/doc/html/Random Number Generator.html
index e5080389..8b9d934c 100644
--- a/doc/html/Random Number Generator.html
+++ b/doc/html/Random Number Generator.html
@@ -51,9 +51,9 @@
written to the pool, this function is applied to the entire pool.</p>
<p>Description of the pool mixing function:</p>
<ol>
-<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, RIPEMD-160, or Whirlpool).
+<li>Let <em>R</em> be the randomness pool. </li><li>Let <em>H</em> be the hash function selected by the user (SHA-512, BLAKE2S-256, or Whirlpool).
</li><li><em>l</em> = byte size of the output of the hash function <em>H</em> (i.e., if
-<em>H</em> is RIPEMD-160, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
+<em>H</em> is BLAKE2S-256, then <em>l</em> = 20; if <em>H</em> is SHA-512, <em>l</em> = 64)
</li><li><em>z</em> = byte size of the randomness pool <em>R </em>(320 bytes) </li><li><em>q</em> = <em>z</em> / <em>l</em> &ndash; 1 (e.g., if <em>H</em> is Whirlpool, then
<em>q</em> = 4) </li><li>Ris divided intol-byte blocksB0...Bq.
<p>For 0 &le; i &le; q (i.e., for each block B) the following steps are performed:</p>