
I am looking to encrypt my OS hard drive, and VeraCrypt caught my eye as a real good option.

I tried to encrypt my drive with it, and the resulting encrypted system takes around a minute to decrypt. This timing is unacceptable to me. I can dedicate around 10 seconds for it.

After a little bit of research, I found out that one critical parameter can be changed to achieve faster timings: PIM.

I tried to understand the usage of such thing, but I couldn't.

I presume that all readers here are familiar with AES-256, but just in case: it is considered practically (and also theoretically) impossible to brute-force this encryption.

So why do I really need these extra hashing rounds that slow me down extremely?

I am looking for practical reasons only, I don't care about some out of the world improbable computing force that maybe could be used to hack my system.

I do care about governments' computing force.

Thanks

Yoav R.
  • AES-256 (and even AES-128) are considered unbreakable _with a random key_, but your key is not random. Your key is derived from your passphrase, and passphrases often aren't very good. Increasing the time it takes to derive the key improves resistance to brute force if your passphrase has less entropy than a random key (which is almost guaranteed). – AndrolGenhald Mar 16 '18 at 19:09
  • If you have a decent password and aren't absolutely committed to holding out against an APT, then a PIM value that causes the password to take a minute to hash is complete and total overkill. You should be able to tweak it to take a shorter amount of time like a few seconds. – Macil Mar 16 '18 at 22:09
  • Encryption takes quite some computing power. If your computer takes about a minute to decrypt (without manually setting any PIM) then your computer is just considered slow for modern standards. If you do not have the resources for a more powerful machine, and you do think a government might be your adversary, then you should just accept this fact. (You could also experiment with manually setting a lower PIM, to achieve higher speeds, but this puts more dependency on a strong passphrase to be secure.) – user258572 Mar 17 '18 at 10:01

1 Answer


VeraCrypt's PIM is unnecessary if you use a sufficiently strong password.

What VeraCrypt's PIM is

In layman's terms, VeraCrypt's PIM defines the number of times your password is hashed before being used to decrypt the disk.

To be precise, each VeraCrypt volume is encrypted using a random master key. Your password is used as a base to decrypt the master key: what actually decrypts the master key is the result of a key derivation function which takes your password as input. This key derivation function repeats its internal hashing computation a number of times depending on the PIM.

From the VeraCrypt manual:

When a PIM value is specified, the number of iterations is calculated as follows:

  • For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = PIM x 2048
  • For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers: Iterations = 15000 + (PIM x 1000)

Implications of VeraCrypt's PIM

VeraCrypt's PIM increases both the time it takes you to decrypt the disk and the time it takes an attacker to brute-force your password. The stronger your password is, the longer a successful brute-force attack would take, the lower the PIM can be to make the attack impractical or anti-economical. Therefore if you use a sufficiently strong password then VeraCrypt's PIM is superfluous.

Using VeraCrypt's default PIM increases attack time and decryption time proportionately, while using a custom PIM increases attack time more than it increases decryption time, because the attacker would have to brute-force both the password and the PIM. The time increase of the attack in the last case is 1+2+3+...+PIM = PIM(PIM+1)/2, corresponding approximately to a square.

Assuming your password only uses English letters and numbers, increasing the PIM by a factor of 1000 (e.g. 500 --> 500000) roughly corresponds to increasing the password by just 4 characters (36^4 ~ (1000*1001)/2). In my opinion it is counter-productive because you need to memorize about the same number of characters with the added nuisance of increased decryption time.

All the above is unrelated to AES, which is a symmetric cipher used to decrypt the VeraCrypt volume after a random master key is derived.

Enos D'Andrea
  • The PIM is not the number of hash iterations, it is a _multiplier_ on the number of iterations ("Personal Iterations Multiplier"). The PIM does not "use" a hashing function, it alters the number of iterations done with a hashing function. – AndrolGenhald Mar 16 '18 at 22:27
  • In fact it's not even the number of iterations of a hash. VeraCrypt uses PBKDF2, which is a little more complicated than just repetitive hashing. -1 however for claiming that this is only useful against an APT. It makes a _huge_ difference against _all_ kinds of attackers. – forest Mar 17 '18 at 01:01
  • @AndrolGenhald I included your correction, thanks. – Enos D'Andrea Mar 17 '18 at 04:53
  • Small nitpick, your triangle number formula is slightly off. It should be `PIM*(PIM+1)/2`. – AndrolGenhald Mar 17 '18 at 15:23
  • Also, increasing the PIM by a factor of 1000 is only a 3 digit increase, which is approximately comparable to a 4 character increase in the password (assuming only lowercase and digits). The result of increasing the PIM by a factor of 1000 is actually `new_strength / old_strength = 1000*PIM*(1000*PIM+1)/2 / (PIM*(PIM+1) / 2)`, so the increase depends on the current PIM, although in reality the current PIM affects the increase in strength by less than an order of magnitude, and it's approximately equivalent to `1000^2 / 2`. – AndrolGenhald Mar 17 '18 at 16:10
  • I'm not convinced people will actually pick a random PIM in practice though. I'm not really sure why VeraCrypt decided to keep it secret. – AndrolGenhald Mar 17 '18 at 16:11
  • @AndrolGenhald the increase in computational time does not depend on the previous PIM as much as on the ratio between PIMs. Considering TI time for an iteration and PIM multiplier M, then TIME2 = TI * PIM * M * (PIM*M+1)/2 ~ TI*(PIM^2 * M^2)/2 ~ TIME1 * M^2 – Enos D'Andrea Mar 17 '18 at 17:25
  • @Enos I think I've got us a bit off track. Your comparison of PIM digits to password length is technically incorrect, but it only matters for impractically large PIMs. The bigger issue is that I think the whole thing is moot because the PIM isn't likely to be random. Having a larger PIM but writing it down on a post-it seems more realistic to me, and this still has value. – AndrolGenhald Mar 17 '18 at 17:57
  • I would recommend removing the thousands separator from 1000 and 5000. To an EN-GB or EN-US reader it looks like you are suggesting increasing the value by a factor of 1. – Monica Apologists Get Out Mar 19 '18 at 16:45
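A worked version of the PIM arithmetic from the answer and the corrected triangle-number formula from the comments, as an added example that is not code from the original post or from VeraCrypt itself. The function names and the 8-character [a-z0-9] password scenario are assumptions made for the illustration.

```python
# Added example: not code from the original post or from VeraCrypt.
# It turns the manual's PIM -> iterations formula into a function and
# compares the brute-force work an attacker faces when the PIM is known
# with the work when the PIM is secret (the 1+2+...+PIM term in the answer).
import math


def iterations(pim, system_encryption=True, hash_name="SHA-256"):
    """PBKDF2 iteration count for a PIM, per the VeraCrypt manual quoted above."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    if system_encryption and hash_name.upper() not in ("SHA-512", "WHIRLPOOL"):
        return pim * 2048
    return 15000 + pim * 1000


def work_known_pim(pim, alphabet_size, length, **kw):
    """Total KDF iterations to exhaust the keyspace when the attacker knows the PIM."""
    return alphabet_size ** length * iterations(pim, **kw)


def work_unknown_pim(pim, alphabet_size, length, **kw):
    """Same search when the PIM is secret: each candidate password has to be
    derived with every PIM from 1 up to the real one before it can be ruled out."""
    per_guess = sum(iterations(p, **kw) for p in range(1, pim + 1))
    return alphabet_size ** length * per_guess


def equivalent_extra_characters(work_ratio, alphabet_size):
    """Password characters (from an alphabet of the given size) that would give
    the same multiplier on brute-force work as `work_ratio`."""
    return math.log(work_ratio) / math.log(alphabet_size)


if __name__ == "__main__":
    # Constructed scenario: 8-character password over [a-z0-9] (36 symbols).
    low, high = 500, 500_000
    ratio = work_unknown_pim(high, 36, 8) / work_unknown_pim(low, 36, 8)
    print(f"PIM {low} -> {high}: attacker work x{ratio:,.0f}, "
          f"about {equivalent_extra_characters(ratio, 36):.1f} extra password characters")
    # The legitimate user, who knows the PIM, pays iterations(pim) once per unlock;
    # the attacker pays it per guess. The secret-PIM bonus disappears if the PIM is
    # guessable (the default, or a round number), as the comments point out.
    print(f"user cost: {iterations(low):,} -> {iterations(high):,} iterations per unlock")
```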