<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

<a href="Header%20Key%20Derivation.html">Header Key Derivation, Salt, and Iteration Count</a>

</p></div>

<div class="wikidoc">

<h1>Header Key Derivation, Salt, and Iteration Count</h1>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

Header key is used to encrypt and decrypt the encrypted area of the VeraCrypt volume header (for

<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

system encryption</a>, of the keydata area), which contains the master key and other data (see the sections

<a href="Encryption%20Scheme.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Encryption Scheme</a> and <a href="VeraCrypt%20Volume%20Format%20Specification.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

VeraCrypt Volume Format Specification</a>). In volumes created by VeraCrypt (and for

<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

system encryption</a>), the area is encrypted in XTS mode (see the section <a href="Modes%20of%20Operation.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

Modes of Operation</a>). The method that VeraCrypt uses to generate the header key and the secondary header key (XTS mode) is PBKDF2, specified in PKCS #5 v2.0; see

<a href="References.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

[7]</a>.</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

512-bit salt is used, which means there are 2<sup style="text-align:left; font-size:85%">512</sup> keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary

of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the

<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none.html">

VeraCrypt random number generator</a> during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-BLAKE2S-256, HMAC-Whirlpool or HMAC-Streebog (see [8, 9, 20, 22]) &ndash; the user selects which. The length of the derived

key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-SHA-512 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,

two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search

for passwords (i.e., brute force attack)&nbsp;[7].</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<p>Prior to version 1.12, VeraCrypt always used a fixed number of iterations That depended only on the volume type and the derivation algorithm used.

Starting from version 1.12, the <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">

PIM </a>field (<a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">Personal Iterations Multiplier</a>) enables users to have more control over the number of iterations used by the key derivation function.</p>

<p>

<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">

PIM </a>value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed below:<br/>

<ul>

<li>For system partition encryption (boot encryption) that uses SHA-256, BLAKE2s-256 or Streebog, <strong>200000</strong> iterations are used.</li>

</li></ul>

</p>

<p>When a <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html">

PIM </a>value is given by the user, the number of iterations of the key derivation function is calculated as follows:</p>

<ul>

<li>For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = <strong>PIM x 2048</strong>

</li></ul>

</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed

to derive a 768-bit encryption key from a given password (and, for XTS mode, in addition, a 768-bit

<em style="text-align:left">secondary</em> header key from the given password). The generated 768-bit header key is then split into three 256-bit keys (for XTS mode, the

<em style="text-align:left">secondary</em> header key is split into three 256-bit keys too, so the cascade actually uses six 256-bit keys in total), out of which the first key is used by Serpent, the second key is used by Twofish, and the third by AES (in addition,

for XTS mode, the first secondary key is used by Serpent, the second secondary key is used by Twofish, and the third secondary key by AES). Hence, even when an adversary has one of the keys, he cannot use it to derive the other keys, as there is no feasible

method to determine the password from which the key was derived (except for brute force attack mounted on a weak password).</div>

<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">

<a href="Random%20Number%20Generator.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold.html">Next Section &gt;&gt;</a></div>

</div><div class="ClearBoth"></div></body></html>

<div>

<a href="Documentation.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>

</div>

<div id="menu">

<ul>

<li><a href="Home.html">Home</a></li>

<li><a href="/code/">Source Code</a></li>

<li><a href="Downloads.html">Downloads</a></li>

<li><a class="active" href="Documentation.html">Documentation</a></li>

<li><a href="Donation.html">Donate</a></li>

<li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>

</ul>

</div>

<div>

<p>

<a href="Documentation.html">Documentation</a>

<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

<a href="Technical%20Details.html">Technical Details</a>

<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">

<a href="Personal%20Iterations%20Multiplier%20(PIM).html">PIM</a>

</p></div>

<div class="wikidoc">

<h1>PIM</h1>

<div>

<p>PIM stands for &quot;Personal Iterations Multiplier&quot;. It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the number of iterations used by the header key derivation function. This value can be specified through the password dialog

or in the command line.</p>

<p>If no PIM value is specified, VeraCrypt will use the default number of iterations used in versions prior to 1.12 (see

<a href="Header%20Key%20Derivation.html">

Header Key Derivation</a>).</p>

<p>When a PIM value is specified, the number of iterations is calculated as follows:</p>

<ul>

</li></ul>

<p>Prior to version 1.12, the security of a VeraCrypt volume was only based on the password strength because VeraCrypt was using a fixed number of iterations.<br>

With the introduction of PIM, VeraCrypt has a 2-dimensional security space for volumes based on the couple (Password, PIM). This provides more flexibility for adjusting the desired security level while also controlling the performance of the mount/boot operation.</p>

<h3>PIM Usage</h3>

It is not mandatory to specify a PIM.</div>

<div><br>

When creating a volume or when changing the password, the user has the possibility to specify a PIM value by checking the &quot;Use PIM&quot; checkbox which in turn will make a PIM field available in the GUI so a PIM value can be entered.</div>

<div>&nbsp;</div>

<div>The PIM is treated like a secret value that must be entered by the user each time alongside the password. If the incorrect PIM value is specified, the mount/boot operation will fail.</div>

<div>&nbsp;</div>

<div>Using high PIM values leads to better security thanks to the increased number of iterations but it comes with slower mounting/booting times.</div>

<div>With small PIM values, mounting/booting is quicker but this could decrease security if a weak password is used.</div>

<div>&nbsp;</div>

<div>During the creation of a volume or the encryption of the system, VeraCrypt forces the PIM value to be greater than or equal to a certain minimal value when the password is less than 20 characters. This check is done in order to ensure that, for short passwords,

the security level is at least equal to the default level provided by an empty PIM.</div>

<div>&nbsp;</div>

<div>The PIM minimal value for short passwords is <strong>98</strong> for system encryption that doesn't use SHA-512 or Whirlpool and

<strong>485</strong> for the other cases. For password with 20 characters and more, the PIM minimal value is

<strong>1</strong>. In all cases, leaving the PIM empty or setting its value to 0 will make VeraCrypt use the default high number of iterations as explained in section

<a href="Header%20Key%20Derivation.html">

Header Key Derivation</a>.</div>

<div><br>

Motivations behind using a custom PIM value can be:<br>

<ul>

<li>Add an extra secret parameter (PIM) that an attacker will have to guess </li><li>Increase security level by using large PIM values to thwart future development of brute force attacks.

</li><li>Speeding up booting or mounting through the use of a small PIM value (less than 98 for system encryption that doesn't use SHA-512 or Whirlpool and less than 485 for the other cases)

</li></ul>

<p>The screenshots below show the step to mount a volume using a PIM equal to 231:</p>

<table style="margin-left:auto; margin-right:auto">

<tbody>

<tr>

<td><img src="Personal Iterations Multiplier (PIM)_VeraCrypt_UsePIM_Step1.png" alt=""></td>

</tr>

<tr>

<td><img src="Personal Iterations Multiplier (PIM)_VeraCrypt_UsePIM_Step2.png" alt=""></td>