
Maximum PIM value I can set

Topics: Users Discussion
Apr 1, 2016 at 5:22 AM
Hi,
I would like to know what is the maximum PIM value I can set while creating a file container.
I could not find anything on that in documentation.

Can I have a 5 digit or 6 digit PIM value irrespective of whether my password length is 10 / 25 / 45?

Example: Can I have a PIM value such as 47436 / 98321 / 245355? Is it overkill, or will it result in some error, or will it take a long time to mount a file container?

Just curious to know. Thanks.
Apr 1, 2016 at 1:24 PM
Apr 3, 2016 at 7:39 AM
I checked the documentation, but couldn't find any info on maximum PIM usage.
Please correct me if I missed something in the documentation.
Apr 3, 2016 at 2:53 PM
Edited Apr 3, 2016 at 2:54 PM
There are no guarantees that the developer will continue providing software updates to VeraCrypt. Therefore VeraCrypt does not specify an upper limit on the PIM to future proof the product.

Even if the developer were to include a warning if the PIM value exceeded N value, that would be true for today's computer power and cracking techniques. As an example, TrueCrypt has 1000 iterations for system encryption and 2000 iterations for non-system encryption which have been identified by the security audits as being too weak for current computing power.

NOTE: PIM is not equal to the number of iterations, but a multiplier for the total iterations.

You can create a test file container with default PIM and determine if the time to mount is taking too long for you and adjust higher or lower based on your willingness to wait for the volume to mount. Per the documentation, for lower than default PIM values, your password will need to be 20 or more characters.
Apr 3, 2016 at 10:07 PM
The formula for a non-system volume is given as: Iterations = 15000 + (PIM x 1000)
This line [1] says the "iterations" value is stored in a variable of type "int", a 4-byte data type.

Since you can't have a negative iteration value, the minimum value is 0 and the maximum value is (((2^32)/2)-1), aka 2147483647.

The formula mentioned in the first sentence becomes: 2147483647 = 15000 + (PIM x 1000), giving a PIM value of "2147468".

Therefore, the maximum PIM value for a non-system volume is "2147468".

You can do the math to get the maximum PIM value for system volume.

[1] https://github.com/veracrypt/VeraCrypt/blob/dc1593d60f63aa951c1463ade13c97cfde94d2f5/src/Common/Crypto.h#L200
Apr 5, 2016 at 5:11 AM
Actually, the PIM value is declared as a signed int, meaning the maximum positive number you can specify for the user input PIM value is 2147483647 and not 2147468.

https://sourceforge.net/p/veracrypt/code/ci/444d5031624e5cf0844a4ed73c27125f4a2f5304/

If I am understanding the code correctly, this means an overflow condition can occur because noIterations cannot hold the result of the calculations if VolumePim is set to or near the maximum positive value of 2147483647.

get_pkcs5_iteration_count is also defined as int, which can lead to an overflow condition if the PIM value plus calculations exceeds the 2147483647 value.

The code should specify an upper limit for the PIM calculations that prevents overflow conditions.
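
The arithmetic discussed in the posts above, as an added example that is not part of the original thread and is not VeraCrypt's code: it applies the non-system formula quoted in the thread with 32-bit integers, computes the largest PIM that still fits, and shows what wraparound would yield past that point. The function names and the bounded helper are hypothetical, and the sample PIM values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BASE_ITERATIONS 15000   /* from the formula quoted in the thread */
#define PER_PIM         1000

/* Largest PIM whose iteration count still fits in a signed 32-bit int. */
int32_t max_safe_pim(void)
{
    return (INT32_MAX - BASE_ITERATIONS) / PER_PIM;
}

/* Hypothetical bounded helper: returns 0 on success, -1 if pim is out of range. */
int checked_iterations(int32_t pim, int32_t *out)
{
    if (pim < 0 || pim > max_safe_pim())
        return -1;
    *out = BASE_ITERATIONS + pim * PER_PIM;   /* cannot overflow after the check */
    return 0;
}

/* Signed overflow is undefined behaviour in C, so this models the usual
 * two's-complement wraparound with unsigned math, which is well defined. */
int32_t wrapped_iterations(int32_t pim)
{
    uint32_t u = (uint32_t)BASE_ITERATIONS + (uint32_t)pim * (uint32_t)PER_PIM;
    return u <= (uint32_t)INT32_MAX ? (int32_t)u
                                    : (int32_t)((int64_t)u - 4294967296LL);
}

int main(void)
{
    /* Constructed sample PIM values around the boundary. */
    const int32_t samples[] = { 1, 2147468, 2147469, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t it;
        if (checked_iterations(samples[i], &it) == 0)
            printf("PIM %d -> %d iterations\n", (int)samples[i], (int)it);
        else
            printf("PIM %d rejected (unchecked math would wrap to %d)\n",
                   (int)samples[i], (int)wrapped_iterations(samples[i]));
    }
    return 0;
}
```

With a PIM of 2147483647 the wrapped result is smaller than the base count of 15000, which is why a range check before the multiplication matters more than the width of the input field.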
May 5, 2016 at 5:02 PM