This project has moved. For the latest updates, please go here.

RIPEMD-160 iterations

Topics: Technical Issues
Mar 17, 2015 at 11:29 PM
Edited Mar 17, 2015 at 11:32 PM
I noticed with all the drives I've converted over from TrueCrypt to VC by changing the password, I had left settings to the defaults. So my data drives show as RIPEMD-160 while containers seem to default to SHA-512.
RIPEMD-160 seems to use more iterations than SHA-512. Would this make it a better choice for someone looking for the most protection?
https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

I don't totally understand the technical explanations of the two. I'm just asking in layman's terms which of the two would offer better security from a brute force? AS far as why my data drives already had RIPEMD-160 set when I converted them over from TC to VC, Maybe that was the default when the drives were encrypted under TC?
Mar 18, 2015 at 12:49 AM
Edited Mar 18, 2015 at 2:05 AM
Mar 18, 2015 at 3:04 AM
Edited Mar 18, 2015 at 8:41 AM
No, it doesn't answer my question because there is more to it. For example: Although my data drive is encrypted with RIPEMD-160, I use a key file that was created with SHA 512 PRF. So how does that factor into the mix with regard to the final security end result?

Also note: I have two drives I changed the password/headers on both today. One drive is using RIPEMD-160 and the other SHA-512. Both drives however use the same SHA-512 key file. The results displayed in the Vol properties window have the same block and key sizes for both drives:

AES(Twofish)
  • Primary Key: Size 512
  • Secondary Key Size: 512
  • block Size: 128
  • Mod of Operation: XTS
Yes, at that link you posted, Idrassi mentions that RIPEMD-160 is old and deprecated.
But I thought that was sometimes good because it's been scrutinized and tested.

I also read today that RIPEMD-160 is better at preventing preimage attacks, while a collision attack has already been discovered in SHA 1 which I thought SHA 256, and 512 were based on.
https://eprint.iacr.org/2009/479.pdf

I can't make heads or tails of any of it because the math is way over my head.
https://eprint.iacr.org/2013/600.pdf
Coordinator
Mar 19, 2015 at 11:36 PM
Hi,

First of all, not all what is published in IACR eprint service is validated or even correct. This is merely a web space made available to researchers to share their work.

Moreover, as of today, there is no attack on full SHA-256 or SHA-512 algorithms, only reduced version. On the other hand, SHA-1 is broken in full version. Attacks on reduced versions exist for all cryptographic algorithms which doesn't make them insecure but gives an idea about the strength of their internal design.
RIPEMD-160 is based on an old design which has its own weakness but it doesn't receive as much attention as the new algorithms such as SHA-512 and AES because of its age and its deprecation by major system. The lack of a full attack doesn't necessary mean that it is more secure than other modern algorithms.

As far as VeraCrypt is concerned, more iterations are used for RIPEMD-160 because it offers less security for its output (160-bit versus 512 bits given by SHA-512/Whirlpool). So, RIPEMD-160 is considered less secure for key derivation and that's why a larger number of iterations was chosen to try to mitigate this. Definitely, you should move to SHA-512 or Whirlpool.

Concerning the random generation using RIPEMD-160 or SHA-512, this is another level different from the key derivation. Indeed, SHA-512/Whirlpool offer here also better properties than RIPEMD-160 so if you wish you can update your keyfile but it is not as critical as for key derivation.
Mar 22, 2015 at 9:27 AM
Edited Mar 22, 2015 at 9:40 AM
Thank you idrassi.

But what I'm not clear on still is: I used RIPEMD-160 on the drives when I re-created and converted my TrueCrypt headers to VeraCrypt only because it was the default and I wasn't sure what to use at the time. But as I mentioned, my keyfile was created using the default setting of SHA-512. So I guess my question is: Was there an advantage to using a SHA-512 key file even though the drive uses RIPEMD-160?

I don't get how the key file and the volume header work together. If the volume header on the drive uses RIPEMD-160 but the key file was made with SHA-512, would using the key file straighten the weak code by providing an advantage of strength that is missing from the weak RIPEMD-160 header?

I guess what I'm trying to ask is. What happens to the overall strength of an encrypted volume if you use a strong SHA-512 key with a weak RIPEMD-160 header on a drive? Is the end result any different?
Coordinator
Mar 24, 2015 at 7:47 AM
The hash function used for the keyfile generation is used only for the random bytes generation as base function to ensure a good mixing of random bytes. Once the keyfile is generated, it consists of random bytes and there is no link anymore to the hash function.

So, when a keyfile is used, it doesn't matter which algorithm was used to create it. What is important is the random generation quality. Of course, it is better to use a hash function with good cryptographic properties and SHA-512 has better properties than RIPEMD-160 but this is not as critical as the use of RIPEMD160 vs SHA512 in volume header.

So, to simplify: what is important is the hash used for the volume header. A key file a sequence of random bytes: it can be a mp3 file or generated using TrueCrypt/VeraCrypt, its role is to strengthen the password.
Mar 24, 2015 at 9:34 AM
ah I see now.

Once again, Great explanation! thank you!