
Key derivation

Topics: Technical Issues
May 3, 2016 at 6:38 PM
This has been discussed A LOT. And still, I feel the need to address this once again.
The amount of iterations done on key derivation is ludicrous.

Even without key stretching, a password that consists of merely 20 lower case letters would take extremely long to crack even with a trillion guesses per second.

Add in 8000 rounds of PBKDF2 and you're already being overkill. Yet that would only take 5 seconds or so, as opposed to 3 minutes. The PIM system is only making things burdensome and over-complicated.

I would suggest that VeraCrypt insist the user uses a minimum of 20 characters and then sticks with 8 times the number of iterations that TrueCrypt uses instead of 300 times the number. And get rid of the PIM system.

Running even a full minute of key derivation is just pure idiocy. The only thing it achieves is extending the attack from a few billion years to a few hundred billion years.
May 3, 2016 at 6:45 PM
Edited May 3, 2016 at 6:46 PM
I'd like to add that there has been a case where the FBI attempted to brute force a passphrase for a TrueCrypt encrypted drive for over a year, after which they gave up. They may as well have continued for 50 more years and they'd still not succeed. If VeraCrypt wanted to improve on that, sure, make it take 8 times longer. But 300? Come on. You're really just wasting precious time waiting for the thing to verify the password even if it makes no sense at all.
May 3, 2016 at 6:57 PM
MrJasper, it doesn't seem you understood the idea here. Idrassi and the whole team are great programmers and we are very happy with the way the whole team is working. We follow a project that is going to provide the maximum level of security and is continuing to develop. The way the coordinators are increasing security is a MUST, especially now that buying processing power is cheap and easy. So what the team is doing is absolutely OK.
May 3, 2016 at 7:10 PM
Edited May 3, 2016 at 7:19 PM
TheBadman wrote:
We follow a project that is going to provide the maximum level of security and is continuing to develop.
There is no maximum. You might as well turn it into half an hour of key derivation. Or a day. The question here is, does it make sense to wait 30 seconds every time you boot your computer just to increase the brute-force attack from a few billion years to a few hundred billion years.

Imagine the following: let's say I have an unbreakable 10km high wall. Would it make sense to make it 10000km high just to be sure? Of course not, you'd be wasting concrete for no benefit.

There is absolutely no value in waiting so long on key derivation if it's already unattainable to crack a 20 character password at this moment. To make it future proof, as in a few hundred years or so, add 5 seconds of delay. Even if one assumes our computing power increases exponentially (it doesn't), a 20 character password with a healthy amount of delay is unbreakable now and a few decades from now.

Again, brute-forcing the entire key space of a 20 character lower-case-letter-only password with TrueCrypt's key derivation of 2000 rounds will take centuries. Increasing it to 100 centuries adds no value if it means NO ONE would want to use this to protect his/her computer.

EDIT:
TheBadman wrote:
MrJasper, it doesn't seem you understood the idea here. Idrassi and the whole team are great programmers and we are very happy with the way the whole team is working.
I don't think anything you just said had anything to do with the argument I just made. I don't doubt these folks know how to program and that they're very content with their work. I'm just pointing out that they're making the software burdensome to use for no reason.
May 3, 2016 at 7:29 PM
Still the question remains, for what reason you propose to reduce the security level as an OPTION, from the moment you can choose the length of your password.
For example, you may choose a moderately easy password for encrypting the OS with default PIM - and yes, wait 10 or 20 seconds, so what? - and save inside a strongly protected container with a strong password plus keyfile if you wish for your more sensitive files.
In my opinion, I strongly support the idea to add security features exactly as the team is doing now.
May 3, 2016 at 7:45 PM
TheBadman wrote:
Still the question remains, for what reason you propose to reduce the security level as an OPTION, from the moment you can choose the length of your password.
For example, you may choose a moderately easy password for encrypting the OS with default PIM - and yes, wait 10 or 20 seconds, so what? - and save inside a strongly protected container with a strong password plus keyfile if you wish for your more sensitive files.
Please take a moment to read my previous comment (I'm just hoping you didn't).

You could extend the amount of time required to derive the password to weeks. Would that also be a "security feature"?
As I just said, you can NOT crack a TrueCrypt password in a reasonable amount of time as it is currently implemented in TrueCrypt as long as you have a proper password. So making the user wait yet another minute has no benefit.
It is not a "security feature", it is "security theater". Security theater, as opposed to actual security, only provides the 'sense' of security. Which is totally fine if it makes people feel significantly better. But in the case of VeraCrypt, you're waiting a full minute for nothing.
I would argue that making the process of unlocking your computer so slow and burdensome that the majority of people would rather not use it only harms their security in the long run.
May 5, 2016 at 12:23 AM
I would like to add that the impact of using a large PIM value isn't clear until you try it.

If you have a great password, then the PIM can easily be kept under 10, but with a weak password, you might want it up to 200 -- likely never higher than that.

It would be good if there was a quick test and it showed the user what the impact of a PIM value would be. For example 10 seconds might have a PIM of 20, 30 seconds might have a PIM of 50. These numbers are plucked out of the ether, so to speak. Another alternative might be for the user to be asked "how long should it take to unlock the drive with this password", valid answers could be 5 seconds to 300 seconds and anything above 60 seconds might ask, "are you sure you want to wait this long every time you unlock the drive?" ...

Considering that many think the PIM value is important, it is also important that it varies and there is no default. But a more reasonable default than 300 should be acceptable and the "default" could be based (possibly) on the bit strength of the password, maybe even just the length of the password in bytes might be enough; in which case the /default/ PIM value will vary depending on password length, but be constant for that length unless a specific PIM value is provided by the user.
May 5, 2016 at 6:37 AM
I don't think 'PIM' values make any sense to anyone but techies. The average user doesn't want to be bothered with choosing an 'algorithm' let alone having to figure out what 'PIM' means. Certainly NO ONE wants to wait a minute for their computer to tell whether their password is correct or not.

Whether your password is 12 characters or 40, with a 1 second delay it's just not possible to crack within any feasible amount of time. If you want, sure, go ahead and make it 3 or 5 seconds. You could always add a check box that says "I'm a complete idiot and am willing to wait a minute for my disk to unlock for no reason". But having to wait a full minute isn't going to make you any more secure.

There's no point in making a program that no one wants to use. Please set some more sane defaults. And get rid of the PIM system.
May 6, 2016 at 12:01 PM
MrJasper wrote:
I would suggest that VeraCrypt insist the user uses a minimum of 20 characters and then sticks with 8 times the number of iterations that TrueCrypt uses instead of 300 times the number. And get rid of the PIM system.
If this is ever done, I guess the only people who will stay with VC will be the chess world champions, able to remember 20+ characters... and the secretaries of course, who will be keeping their passwords on a yellow sticky note glued to their PC monitors LOL
May 6, 2016 at 12:08 PM
Alex512 wrote:
If this is ever done, I guess the only people who will stay with VC will be the chess world champions, able to remember 20+ characters... and the secretaries of course, who will be keeping their passwords on a yellow sticky note glued to their PC monitors LOL
Alzheimer peanut chocolate party remix
There you go, it doesn't take a genius to remember 5 words. In case you're wondering, the amount of entropy this has is more than most 20 character passwords, and yet they're easy to remember.
May 6, 2016 at 11:00 PM
MrJasper wrote:
Alex512 wrote:
If this is ever done, I guess the only people who will stay with VC will be the chess world champions, able to remember 20+ characters... and the secretaries of course, who will be keeping their passwords on a yellow sticky note glued to their PC monitors LOL
Alzheimer peanut chocolate party remix
There you go, it doesn't take a genius to remember 5 words. In case you're wondering, the amount of entropy this has is more than most 20 character passwords, and yet they're easy to remember.
The amount of entropy in a 20 (random) character password would probably be in the range of (if there are 26 lowercase, 26 uppercase letters and say about 15 more characters that can be typed directly from the keyboard) ... to be precise: log[2] (26+26+15)^20 = 121,32 bits. On the other hand, if we have about ... 5000 English words which are used frequently... then your 5-word passphrase would have an entropy of log[2] 5000^5 = 61,44 bits, which is still a lot, but not that much :)
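The entropy figures above, and the "8 times" versus "300 times" iteration argument earlier in the thread, can be worked through in a few lines. The following is an added example, not code from the thread or from the VeraCrypt project; the alphabet sizes (26, 67, 5000, 7776), the 2000-round TrueCrypt figure and the one trillion guesses per second rate are the values the posters use, and the attacker rate is assumed to scale linearly with the PBKDF2 round count.

```python
import math

# Alphabet sizes taken from the thread's examples; the 67-symbol alphabet is the
# post's "26 lowercase + 26 uppercase + about 15 symbols" estimate.
LOWERCASE = 26
TYPEABLE = 26 + 26 + 15
COMMON_WORDS = 5000   # the post's estimate of frequently used English words
DICEWARE = 7776       # size of the Diceware word list (6^5)

# The TrueCrypt round count quoted in the thread; the 8x and 300x multipliers
# are the ones being argued over above.
TRUECRYPT_ROUNDS = 2000


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols (or words) drawn uniformly
    and independently from an alphabet of `alphabet_size` entries."""
    return length * math.log2(alphabet_size)


def bits_from_stretching(rounds: int, reference_rounds: int) -> float:
    """How much extra work `rounds` costs an attacker compared with
    `reference_rounds`, expressed as the number of password bits it equals.
    PBKDF2 cost is linear in the round count, so this is just log2 of the ratio."""
    return math.log2(rounds / reference_rounds)


def years_to_exhaust(bits: float, guesses_per_second: float,
                     rounds: int = 1, reference_rounds: int = 1) -> float:
    """Years needed to try every candidate of a `bits`-entropy secret when the
    attacker manages `guesses_per_second` at `reference_rounds` rounds. A larger
    round count slows every guess proportionally (assumption: linear scaling).
    On average the attacker succeeds after half of this time."""
    seconds_per_guess = (rounds / reference_rounds) / guesses_per_second
    return (2.0 ** bits) * seconds_per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # the "trillion guesses per second" figure from the first post
    print(f"20 typeable chars : {entropy_bits(TYPEABLE, 20):6.2f} bits")
    print(f"5 common words    : {entropy_bits(COMMON_WORDS, 5):6.2f} bits")
    print(f"5 Diceware words  : {entropy_bits(DICEWARE, 5):6.2f} bits")
    print(f"20 lowercase chars: {entropy_bits(LOWERCASE, 20):6.2f} bits, "
          f"{years_to_exhaust(entropy_bits(LOWERCASE, 20), rate):.2e} years at 2000 rounds")
    # What the extra rounds buy, measured in password bits:
    for factor in (8, 300):
        print(f"{factor:3d}x TrueCrypt rounds ~ "
              f"{bits_from_stretching(factor * TRUECRYPT_ROUNDS, TRUECRYPT_ROUNDS):.2f} "
              f"extra bits")
    print(f"one extra lowercase char ~ {math.log2(LOWERCASE):.2f} bits, "
          f"one extra Diceware word ~ {math.log2(DICEWARE):.2f} bits")
```

The comparison makes the coordinator's later point concrete: 300 times the rounds is worth about 8.2 bits, less than a single extra Diceware word (about 12.9 bits), but those 8.2 bits apply regardless of how weak the user's password is, which is exactly the case the round count is meant to cover.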
May 7, 2016 at 8:10 AM
Edited May 7, 2016 at 8:15 AM
The amount of entropy in a 20 (random) character password would probably be in the range of (if there are 26 lowercase, 26 uppercase letters and say about 15 more characters that can be typed directly from the keyboard) ... to be precise: log[2] (26+26+15)^20 = 121,32 bits. On the other hand, if we have about ... 5000 English words which are used frequently... then your 5-word passphrase would have an entropy of log[2] 5000^5 = 61,44 bits, which is still a lot, but not that much :)
Actually, there are 7776 words in the official Diceware list. There are about 1,000,000 words in the English alphabet (estimate as of 2014). The thing is, you don't use the most commonly used words. You pick them at random with dice, or you generate them if you're lazy. (And you could always use 6 or 7 words.)
The point is, we've taught people to use hard to remember but short passwords like C(8Fan_!%TK. Or worse, make them think of a sentence and just use the first letter of each word. Using 6 or so random words is easier to remember than 8-20 random characters.

Don't forget the fact that our adversary most likely doesn't know which set of options the user had to make up his password. Whether he used letters, numbers and symbols, English words, English words mixed with car brand names, English words with random characters, Portuguese with Japanese words, etc. So he'll still have to go through all individual characters. In my example that's about 26^30 possibilities.

So I guess my point is, it doesn't have to be hard to remember a High-Entropy password.

Edit: E.g. doubt sling grutte shomei sambal sudo buenos
May 8, 2016 at 8:20 AM
MrJasper wrote:
Edit: E.g. doubt sling grutte shomei sambal sudo buenos
good luck to those who can remember that :)
Coordinator
Jun 23, 2016 at 11:32 PM
Hi all,

I have been asked on Twitter to give official feedback about this. As most VeraCrypt followers know, there has been a long debate about this since 2014, and the longest thread on this on SourceForge has 217 posts.

Without going through all the debate that will never be settled, let me be clear: I'm aware that the additional entropy provided by extra iterations is lower than the one provided by using a larger password. The theoretical justification for this has been known for 20 years and readers can find research papers that explain this all over the internet.

The main argument against VeraCrypt's approach is that it is a waste of CPU time to require such huge key derivation complexity while using a strong password is enough. Basically, with such an argument, using 1000 or even 256 iterations is enough and using at most 10K iterations is acceptable.

As for VeraCrypt's justification behind the default high iterations, it is based on the need to force a minimal work factor on the attacker regardless of password quality.
With the rapid development of GPU and ASIC based brute force solutions (c.f. my post about Bitcoin mining ASICs), imposing such a work factor increases the minimal cost needed to attack VeraCrypt volumes.
At the same time, with the growing power of CPUs, such high iterations have limited effect on mounting non-system volumes for legitimate users: on a notebook with a Core-i7, it takes less than 2 seconds to mount a volume that uses the SHA-512 PRF.

Indeed, for MBR system encryption, the boot is rather slow and this may be annoying, but in this case the new PIM feature brings an easy to use solution: it enables the user to have a quicker boot by using a small value (since version 1.18-BETA, it is possible to avoid the PIM request at boot by storing the PIM value on the disk).

The PIM feature also serves a double purpose:
  • It makes attacks harder since the attacker will have to guess the correct value before brute forcing the password.
  • It enables the user to increase the attacker's minimal work factor with any change to the VeraCrypt software.
For those who don't wish to remember this extra PIM value, VeraCrypt enables storing it on disk for favorites and for system encryption so that only the password is requested.

I hope this clarifies the logic behind VeraCrypt's approach. Of course, not everybody will agree with these choices and I respect all other opinions. But at the same time, I ask people from the other side to avoid using aggressive and disrespectful language just because these paranoid-looking choices don't fit in their own logical reasoning.
I think we are all working towards the same objective, which is giving users the necessary tools to protect their privacy. In this context, constructive debate outside any dogma or intellectual dictatorship is important to keep the diversity of ideas alive and to maintain an enhanced security environment for all.
Jun 24, 2016 at 8:19 PM
Thank you for your reply!
First of all, my apologies for being rather harsh earlier. I may have misunderstood your reasoning for the key derivation process and it didn't make sense to me at the time. To be frank, I still have my doubts about this approach, but that doesn't justify being rude.
Since VeraCrypt is the only successor to the world's most used multi-platform encryption tool, it's an extremely important project and I felt somewhat upset when I got the above replies since they seemed extremely dismissive of the arguments I made. I should have considered the fact that this individual is not in any way officially associated with the developers, so the comment I made earlier on Twitter (now removed) was completely out of place.
I wish this project all the best and I would like to once more say that I am sorry about what I said earlier.
Coordinator
Jun 25, 2016 at 8:49 AM
Apologies accepted!
As I wrote above, I'm sure that we all have the same objective but being passionate about such subjects can sometimes drive the debate to negative territories.
I would like to take this opportunity to insist on the open nature of the project: all comments, remarks and contributions are welcomed.
We are living in challenging times both for security and privacy and so a project like VeraCrypt is in need of novel ideas and contributions from security experts and enthusiasts.
Jul 16, 2016 at 8:57 PM
Edited Jul 16, 2016 at 9:01 PM
affinity wrote:
It would be good if there was a quick test and it showed the user what the impact of a PIM value would be. For example 10 seconds might have a PIM of 20, 30 seconds might have a PIM of 50. These numbers are plucked out of the ether, so to speak. Another alternative might be for the user to be asked "how long should it take to unlock the drive with this password", valid answers could be 5 seconds to 300 seconds and anything above 60 seconds might ask, "are you sure you want to wait this long every time you unlock the drive?" ...
Keep in mind that the same PIM will create different impacts depending on the hardware. The impact on a Pentium-4 based computer will be quite different from the impact on a Skylake-era Xeon system.

It would be good to provide the user with feedback like this: "You have selected a <quality> security PIM. Processing the correct password will take an estimated M minutes, N seconds on this computer. Is that OK?" (where <quality> is one of these: very low, low, medium, high, very high).

I've created a new Issue to request this be added to Veracrypt. Please vote up if you agree!
https://veracrypt.codeplex.com/workitem/491
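The "quick test" affinity asked for and the feedback string proposed in this post can be prototyped by timing PBKDF2 locally and extrapolating to the round count a PIM implies. The following is an added example, not code from the thread or from VeraCrypt itself. The PIM-to-iterations formula (system encryption: PIM x 2048; non-system volumes and containers: 15000 + PIM x 1000) is taken from VeraCrypt's documentation of the era rather than from this thread; the `QUALITY_BANDS` thresholds are hypothetical placeholders, since the post names the five labels but gives no numbers for them.

```python
import hashlib
import os
import time

# VeraCrypt's documented PIM -> PBKDF2 iteration mapping (from the VeraCrypt
# documentation, not from this thread). Default PIM 485 gives the 500000
# non-system rounds; PIM 98 gives roughly the 200000 system-encryption rounds.
def pim_to_iterations(pim: int, system: bool = False) -> int:
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if system else 15000 + pim * 1000


def measure_seconds_per_round(prf: str = "sha512", sample_rounds: int = 2000) -> float:
    """Time PBKDF2-HMAC-<prf> on this machine for a small round count and return
    the cost of one round. PBKDF2 cost is linear in the round count, so the
    figure extrapolates to any PIM; repeat and take the minimum for a steadier
    estimate on a busy machine."""
    password = b"benchmark-only password"   # constructed value, not a real secret
    salt = os.urandom(64)                   # VeraCrypt volumes use a 64-byte salt
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, password, salt, sample_rounds, dklen=64)
    return (time.perf_counter() - start) / sample_rounds


def estimate_unlock_seconds(pim: int, seconds_per_round: float,
                            system: bool = False) -> float:
    """Expected time to derive the header key once for this PIM on this machine."""
    return pim_to_iterations(pim, system) * seconds_per_round


# Hypothetical bands for the "<quality>" label the post proposes: (upper PIM, label).
# The post gives no thresholds, so these are placeholders chosen for illustration.
QUALITY_BANDS = [(1, "very low"), (10, "low"), (100, "medium"), (485, "high")]


def quality_label(pim: int) -> str:
    for upper, label in QUALITY_BANDS:
        if pim <= upper:
            return label
    return "very high"


def describe(pim: int, seconds_per_round: float, system: bool = False) -> str:
    """Render the confirmation prompt suggested in the post above."""
    seconds = estimate_unlock_seconds(pim, seconds_per_round, system)
    minutes, remainder = divmod(seconds, 60)
    return (f"You have selected a {quality_label(pim)} security PIM. Processing the "
            f"correct password will take an estimated {int(minutes)} minutes, "
            f"{remainder:.1f} seconds on this computer. Is that OK?")


if __name__ == "__main__":
    # Take the best of three runs so a scheduling hiccup does not inflate the estimate.
    rate = min(measure_seconds_per_round() for _ in range(3))
    for pim in (1, 20, 50, 98, 485, 2000):
        print(f"PIM {pim:5d} ({pim_to_iterations(pim):8d} rounds): {describe(pim, rate)}")
```

Two caveats a practitioner would add to such a prompt: the estimate covers one PRF only, and when the user does not pre-select the hash algorithm the mount code tries each supported PRF in turn, so the worst-case wait is a multiple of the single-PRF figure; and the bootloader that handles system encryption runs on far slower code than a host-side `hashlib`, which is why the same PIM feels very different before and after boot.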