Password verification takes 5 minutes

Topics: Technical Issues
Sep 12, 2015 at 9:07 PM
Edited Sep 12, 2015 at 9:18 PM
Hey,

I encrypted my whole System SSD with VeraCrypt 1.13.
The System does start in the Bootloader.
I enter my password and skip PIM.
Then "password verification" comes up and takes at least 5 ?!?!?! minutes to finish.
Afterwards my system starts as usual and everything works fine.

My System is a Lenovo ThinkPad W530 with Saumsung 840 SSD and i7 quadcore on Windows 7 Pro 64 Bit...
So wha's wrong?
I think this isn't usual.
Sep 12, 2015 at 9:52 PM
Nothing is wrong. VeraCrypt is a high-security system. Get yourself a cup of coffee while the password verification is running.
Sep 12, 2015 at 9:53 PM
The issue is the bootloader is 16-bit and with the higher iterations performed on the hash algorithms by VeraCrypt causes this issue.

Using a password of 20 or more characters, you can decrease the number of program default iterations by using the PIM feature.

https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29

There are feature requests for rewriting the bootloader to use 32-bit followed by 64-bit for OS's that support 64-bit. However, this is not a trivial task. You can vote-up the feature at the links below and any other issues that are important to you.

https://veracrypt.codeplex.com/workitem/27

https://veracrypt.codeplex.com/workitem/72
Sep 12, 2015 at 10:40 PM
Edited Sep 12, 2015 at 10:43 PM
I use 20 plus characters.

I used Truecrypt before on my second system which has a slower CPU. I used the same password and verification never took longer than 1 second.

1 Second to 5 minutes ?!

I don´t think Veracrypt is 300 times more secure... so I don't know if it's worth waiting 300 times as long...

And if you do a misstake (which sometimes happens if you use 20 plus passwords) you need to wait at least 10 minutes...
Sep 12, 2015 at 11:49 PM
Edited Sep 12, 2015 at 11:51 PM
Please read the link I provided regarding PIM and how you can use this to lower the value for system encryption. In order to adjust the PIM lower, you have to use a password with 20 or characters.

Merely changing the password to a greater length does not change the PIM automatically.

You can read the differences between TrueCrypt and VeraCrypt at the link below. Scroll down to read the differences in the iterations. The low iterations in TrueCrypt was noted in the audit performed in 2014.

https://veracrypt.codeplex.com/

TrueCrypt audit reports are located at the link below.

https://opencryptoaudit.org/
Coordinator
Sep 12, 2015 at 11:56 PM
Just to confirm Enigma2Illusion: just use the change password function to set a small PIM value (1 or greater). The new password can be identical to the current one.
In the documentation link you can find screenshots about the steps required ("Changing/clearing the PIM" section).
Sep 13, 2015 at 1:16 PM
And there is no loss of security if I use a PIM?

What is a small PIM value? 10? 100? 1000?
Coordinator
Sep 13, 2015 at 1:38 PM
As noted in the documentation, the default PIM used by VeraCrypt when PIM is left empty is equivalent to 98. Anything below it will give you a security level lower than the default but it will be higher than TrueCrypt in all cases.
Basically, when using a small PIM, the strength of the password becomes more important and so its value must be selected carefully to avoid common attacks.

As for the PIM value, it is up to you to choose the one that will give you the best balance between usability and security. Judging by the 5 minutes boot time you have, a PIM between 1 and 10 should give you a more reasonable boot time. Of course the PIM value you will choose is also secret and you should remember it to be able to boot.

A strength comparison with TrueCrypt which always used the aging RIPEMD-160 for system encryption:
  • PIM = 1 and SHA-256: 4 times stronger than TrueCrypt
  • PIM = 1 and RIPEMD-160: 2 times stronger than TrueCrypt
  • default PIM and SHA-256: 400 times stronger than TrueCrypt
  • default PIM and RIPEMD-160: 300 times stronger than TrueCrypt
Sep 13, 2015 at 1:39 PM
_When creating a volume or when changing the password, the user has the possibility to specify a PIM value by checking the "Use PIM" checkbox which in turn will make a PIM field available in the GUI so a PIM value can be entered.

The PIM is treated like a secret value that must be entered by the user each time alongside the password. If the incorrect PIM value is specified, the mount/boot operation will fail.

Using high PIM values leads to better security thanks to the increased number of iterations but it comes with slower mounting/booting times.
With small PIM values, mounting/booting is quicker but this could decrease security if a weak password is used. ...

The PIM minimal value for short passwords is 98 for system encryption and 485 for non-system encryption and files containers. For password with 20 characters and more, the PIM minimal value is 1. In all cases, leaving the PIM empty or setting its value to 0 will make VeraCrypt use the default high number of iterations as explained in section Header Key Derivation._

Quoted from https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29
Coordinator
Sep 13, 2015 at 1:47 PM
Thank you @commenter8 for quoting the documentation.

Unfortunately it seems that many users don't take the time to read what have been put there :-( this is frustrating sometimes but hopefully with time things will be better.
Sep 13, 2015 at 1:52 PM
Edited Sep 13, 2015 at 1:54 PM
1337LEET wrote:
I use 20 plus characters.

I used Truecrypt before on my second system which has a slower CPU. I used the same password and verification never took longer than 1 second.

1 Second to 5 minutes ?!

I don´t think Veracrypt is 300 times more secure... so I don't know if it's worth waiting 300 times as long...
As idrassi points out in his 2nd post above, VeraCrypt (at default settings) actually IS 300 to 400 times stronger than TrueCrypt.

Now you get to decide whether you would rather get a cup of coffee while password verification is taking place, or use a lower PIM in order to weaken the security, or use a higher PIM to make the security even greater.
Sep 13, 2015 at 4:09 PM
@1337LEET

Mounir has posted on the topic of password length and its entropy that would be worth reading.
http://sourceforge.net/p/veracrypt/discussion/general/thread/09696187/#491d
Sep 14, 2015 at 1:57 PM
Okay, now I understand how to lower the verification time with a PIM... but I still don't understand why the hell Veracrypt needs 5 minutes wihile Truecrypt only takes 1 second with the exact same password? And pls don't tell me Veracrypt is high secure ... it isn't 300 times as secure as Truecrypt...
And I also asked some other users in a forum which told me there VeraCrypt verification takes between 10 seconds and 2 minutes. So why do I need 5 minutes?
Is the time it needs related to the length of the password? If the answer is yes then I think this is an implementation failure... isn't it?
My device has a Intel i7 3630QM quadcore processor... so I don't think that it is a hardware issue.
If there won't come an update soon which lowers the verification time to something like 30 seconds I'll change back to Truecrypt. (And I'm sure I'm not the only one)
Truecrypt is still the most secure option because it is the only one which has an audit... and no security issues were found. And if you use cascades and a good password I don't think that anyone on this planet is able to break it.
Veracrypt obviously is just a Truecrypt copy with some additional changes... but who prooves me that they didn't "invent" a backdoor?
Sep 14, 2015 at 5:08 PM
As I explained, it is the higher iterations performed on the hash algorithm as identified in the TrueCrypt audit reports that Mr. Mounir Idrassi has strengthened among other issues identified in both the audit reports and the discoveries Mr. Idrassi and users reported to fixed in the VeraCrypt project. If you read the audit reports, you know that TrueCrypt was released in 2004 when computing power was much less than today. The TrueCrypt 1000 iterations for the system encryption's hash RIPEMD-160 for today's computers is too low.

The PIM feature was added to allow users the option of faster boot/mount times versus the higher security of the default settings of VeraCrypt. Also with the PIM feature, you can increase the value beyond the defaults to have stronger header keys to help future proof the volumes for long term storage.

If you are using cascades for your system encryption, then it will take longer to mount as the hash is performed for each header key in the cascade encryption algorithm. Therefore if you are using a cascade of three encryption algorithms, then the hash iterations is performed for each of the three algorithms since the header keys are independent of each other in the cascade. Read the link below which has an example of the cascades and header keys.

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

Your goal of system encryption verification time of 30 seconds will be an estimate of 14 for the PIM value when using a single encryption cipher for system encryption. 14 x 2048 = 28672. This assumes the 1000 iterations on TrueCrypt is taking 1 second on your system.

You can vote-up the feature request for benchmarking hashes and PIM at the link below.

https://veracrypt.codeplex.com/workitem/182

The password length will not alter the mount times. You are confusing the password length with the requirement in VeraCrypt to use a password of 20 or more characters to use a lower PIM. This is done to in the hopes that the user provides a stronger password to offset the security reduction when using lower hash iterations.

Unlike the TrueCrypt developers that stayed anonymous, Mr. Idrassi has made himself public and placed his professional security reputation on-the-line. You can read about Mounir's motivations at the link below.

http://sourceforge.net/p/veracrypt/discussion/general/thread/1ea6071e

There are plans to seek funding for an audit to be performed on VeraCrypt once Mounir feels that he has completed the major changes to VeraCrypt.

Mounir has made many improvements to VeraCrypt that you can review at the link below. Then click on the History label.

http://sourceforge.net/p/veracrypt/code/ci/master/tree/

Regarding backdoor, it comes down to trust. Many people used TrueCrypt with anonymous developers before an audit was performed to learn that no backdoors were discovered.