mirrors/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-05-22 04:21:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
79bee911bee7e1785e5123077e44bd66974f0833
VeraCrypt/doc/html/en/Argon2id.html
Mounir IDRASSI c3ce2db9ac Document fixed Argon2id header key size 
Argon2id includes the requested output length in its computation, so deriving 192 bytes and using a prefix is not equivalent to deriving only the selected cipher's key material length. This differs from PBKDF2, where the prefix property made this detail invisible.

VeraCrypt derives the maximum header key material currently needed by the supported cipher/cascade set, which is 192 bytes, and then uses the required prefix for the selected encryption algorithm. For AES-XTS this means the first 64 bytes of the 192-byte Argon2id output are used.

Make this design rule explicit in code and documentation by introducing ARGON2_HEADER_KEYDATA_SIZE instead of relying implicitly on GetMaxPkcs5OutSize. If a future cipher or cascade requires more than 192 bytes, that must be handled as an explicit format/design change.

Document the 192-byte Argon2id header KDF output requirement so third-party implementations derive the same header key material.

References: https://github.com/veracrypt/VeraCrypt/issues/1614
2026-05-21 18:10:06 +09:00

175 lines
9.8 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
<meta name="keywords" content="encryption, security"/>
<link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div>
<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
</div>
<div id="menu">
<ul>
<li><a href="Home.html">Home</a></li>
<li><a href="Code.html">Source Code</a></li>
<li><a href="Downloads.html">Downloads</a></li>
<li><a class="active" href="Documentation.html">Documentation</a></li>
<li><a href="Donation.html">Donate</a></li>
<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
</ul>
</div>
<div>
<p>
<a href="Documentation.html">Documentation</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Key%20Derivation%20Algorithms.html">Key Derivation Algorithms</a>
<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
<a href="Argon2id.html">Argon2id</a>
</p></div>
<div class="wikidoc">
<h1>Argon2id</h1>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Argon2id is a memory-hard key derivation function designed to resist both time-memory trade-off attacks and side-channel attacks. It was selected as the winner of the Password Hashing Competition (PHC) in 2015 and is defined in RFC 9106. VeraCrypt supports Argon2id as an alternative to PBKDF2-HMAC for header key derivation.
</div>
<h3>Key Features</h3>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory-hard:</strong> Requires a configurable amount of memory, making it resistant to specialized hardware attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Side-channel resistant:</strong> Combines data-dependent and data-independent memory access patterns
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Internal hash function:</strong> Uses BLAKE2b internally, eliminating the need for separate hash algorithm selection
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Tunable parameters:</strong> Allows adjustment of memory cost, time cost, and parallelism
</li>
</ul>
<h3>Argon2 Variants</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
Argon2 has three variants:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2d:</strong> Uses data-dependent memory access, resistant to time-memory trade-off attacks but vulnerable to side-channel attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2i:</strong> Uses data-independent memory access, resistant to side-channel attacks but more vulnerable to time-memory trade-off attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Argon2id:</strong> Hybrid approach that combines both variants, providing resistance to both attack types (used by VeraCrypt)
</li>
</ul>
<h3>Parameters in VeraCrypt</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
VeraCrypt uses Argon2id with the following parameter configuration:
</div>
<h4>Memory Cost (m_cost)</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The amount of memory used during the key derivation process, controlled by the PIM value:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Formula:</strong> m_cost(pim) = min(64 MiB + (pim - 1) × 32 MiB, 1024 MiB)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Range:</strong> 64 MiB to 1024 MiB (capped at PIM = 31)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Default:</strong> 416 MiB (equivalent to PIM = 12)
</li>
</ul>
<h4>Time Cost (t_cost)</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The number of iterations performed during the key derivation process:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>For PIM ≤ 31:</strong> t_cost(pim) = 3 + floor((pim - 1) / 3)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>For PIM > 31:</strong> t_cost(pim) = 13 + (pim - 31)
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Default:</strong> 6 iterations (equivalent to PIM = 12)
</li>
</ul>
<h4>Parallelism</h4>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
The number of parallel threads used during computation:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Value:</strong> Fixed at 1 thread for all cases in VeraCrypt
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Rationale:</strong> Ensures consistent behavior across different hardware configurations
</li>
</ul>
<h3>Advantages over PBKDF2</h3>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory hardness:</strong> Requires significant memory allocation, making GPU and ASIC attacks more expensive
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Modern design:</strong> Specifically designed to resist contemporary attack methods
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Side-channel resistance:</strong> Built-in protections against cache-timing and other side-channel attacks
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Standardization:</strong> Officially standardized in RFC 9106
</li>
</ul>
<h3>Usage Considerations</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
When using Argon2id in VeraCrypt:
</div>
<ul style="text-align:left; margin-top:18px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Memory requirements:</strong> Ensure sufficient RAM is available, especially with higher PIM values
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Performance:</strong> Higher memory costs may result in slower mounting times but provide better security
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>Compatibility:</strong> Available in VeraCrypt versions that support multiple key derivation functions
</li>
<li style="text-align:left; margin-top:0px; margin-bottom:0px; padding-top:0px; padding-bottom:0px">
<strong>No hash selection:</strong> Unlike PBKDF2-HMAC, no separate hash algorithm needs to be chosen
</li>
</ul>
<h3>Technical Specifications</h3>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
<strong>Algorithm:</strong> Argon2id as defined in RFC 9106<br/>
<strong>Internal hash:</strong> BLAKE2b<br/>
<strong>Salt size:</strong> 512 bits (same as PBKDF2-HMAC)<br/>
<strong>Header KDF output length:</strong> Fixed at 1536 bits (192 bytes) for the current VeraCrypt format. The required prefix is used for the selected encryption algorithm (for example, the first 64 bytes for AES (AES-256-XTS)). Third-party implementations must request 192 bytes from Argon2id before selecting the required prefix; requesting only the selected algorithm's key material length produces a different Argon2id output.<br/>
<strong>Version:</strong> Argon2 version 0x13 (19 decimal)
</div>
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
For more information about PIM values and their effect on Argon2id parameters, see the
<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html" style="text-align:left; color:#0080c0; text-decoration:none">
Personal Iterations Multiplier (PIM)</a> section.
</div>
</div><div class="ClearBoth"></div></body></html>
Reference in New Issue View Git Blame Copy Permalink