
Thanks for looking at my question. I have been getting several different answers to this question, so I thought I might ask it here: when I create a randomly generated keyfile in VeraCrypt, does the size of the file mean anything? For example, does a larger file mean it's more secure?

When you generate a random key file, it says that it can create the file anywhere between 64 and 1048576 bytes, so does that mean that a 1048576 byte file is more secure than a 64 byte file?

Thanks.

1 Answer


When you generate a random key file it says that it can create the file anywhere between 64 and 1048576 bytes, so does that mean that a 1048576 byte file is more secure than a 64 byte file?

Mathematically speaking, no. 64 bytes is 512 bits, at which point guessing the keyfile is as expensive as guessing the data encryption keys used for the volume directly. Note that even if you use double or triple encryption, a 512-bit random string is well beyond feasible for anybody to guess physically, as even guessing a 256-bit secret is.

The only argument for something larger than 64 bytes is that if you assume an attacker that can only leak, say, 1 byte per hour from memory / your filesystem (or something similarly slow), it would take longer to assemble 1MB than to assemble 64 bytes. Of course, the question of whether assuming such an adversary is sensible or not depends on your threat model...

In case you are wondering why it says above that the key is 512 bits long when AES-256 is used: the reason is that XTS uses two AES keys, which are derived from the password in a secure manner, transferring the security of the password to the combined key.

SEJPM
  • Wouldn't for AES256 anything beyond 256 bits be redundant? – eli Apr 19 '20 at 23:19
  • @eli The XTS mode used by most disk encryption programs needs two block cipher keys. – SEJPM Apr 20 '20 at 07:05
  • Ah, they made it so tricky and don't say these things until users are caught. Why don't they say we are dividing your password by 2? This can be a serious issue. A password that is 80 bits used in XTS mode is, according to what you are saying, 2 40-bit passwords, which is as hard to crack as one 41-bit password (provided that decryption of either of two block cipher keys would reveal part of plaintext). This is a substantial reduction in security compared to CBC and other modes. – eli Apr 20 '20 at 08:49
  • @eli That's not how this works. The password is processed with PBKDF2 and then fed into a combiner with the keyfile and the output of that is used as the 512-bit key, meaning the password will only be processed as a whole. – SEJPM Apr 20 '20 at 08:54
  • Oh, the PBKDF2 or any other KDF are mere "slowers" and do nothing to entropy. This should be obvious, as an adversary would try all 40-bit passwords (passed through KDF). It's the pre-image that counts. I don't know how the XTS is implemented, but if what you are saying is correct, users of the XTS mode need to be advised to choose long passphrases. – eli Apr 20 '20 at 09:01
  • @eli In this case the KDF is used to expand the password to the length required by the ciphers (512 bits). Then XTS takes the key and splits it in two. But the 512 bits that XTS gets are at least as hard to guess as the password or as hard to guess as the 512-bit string itself. – SEJPM Apr 20 '20 at 09:16
  • Let's get this right and put it simply. If I have a disk encrypted with the AES-256-XTS and I want to force the adversary to exhaust all 2^{256} possibilities if s/he wants to decrypt it surely, does my passphrase have to be 256 bits or 512 bits? (forget about keyfile, as the total password = password+keyfile. The keyfile is a software convenience or a 2FA). – eli Apr 20 '20 at 09:28
  • @eli In this case your password needs to have 256-bit security. – SEJPM Apr 20 '20 at 09:30
  • OK, then, VeraCrypt would need 32 bytes from the user, not a 64-byte key. It would expand it internally in whatever deterministic way that suits XTS (via KDF or simple key expansion). Asking the user for twice as much randomness as needed depletes the machine of the precious entropy. You may want to also edit your original response in a number of places. – eli Apr 20 '20 at 09:41
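
The point argued in the comments, that the KDF expands the whole password into 512 bits which XTS then splits into two 256-bit keys, shown as an added Python example (not code from the answer, the commenters or VeraCrypt). The salt, iteration count, toy 16-password space and the SHA-512 keyfile combiner are assumptions chosen for the demo; VeraCrypt's real keyfile mixing is different.

```python
import hashlib
import hmac
import itertools

SALT = bytes(range(64))   # constructed salt for the demo
ITERATIONS = 200          # deliberately low so the demo runs fast


def derive_xts_keys(password, keyfile=b""):
    """Return (data_key, tweak_key), 32 bytes each, from one 64-byte KDF output.

    Assumption: the keyfile is folded in by hashing it to 64 bytes and
    prepending it to the password. This is a stand-in combiner for
    illustration, not VeraCrypt's keyfile algorithm.
    """
    secret = (hashlib.sha512(keyfile).digest() if keyfile else b"") + password
    material = hashlib.pbkdf2_hmac("sha512", secret, SALT, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def search_password(known_half, half_index, alphabet, length):
    """Enumerate whole passwords until one reproduces the known 256-bit half.

    Returns (password, guesses, both_keys). There is no way to test "half a
    password": each guess costs one full KDF run and yields both halves.
    """
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=length):
        guesses += 1
        password = "".join(candidate).encode()
        keys = derive_xts_keys(password)
        if hmac.compare_digest(keys[half_index], known_half):
            return password, guesses, keys
    return None, guesses, None


if __name__ == "__main__":
    data_key, tweak_key = derive_xts_keys(b"cb")
    for index, half in enumerate((data_key, tweak_key)):
        found, guesses, _ = search_password(half, index, "abcd", 2)
        print(f"half {index}: found {found!r} after {guesses} guesses of 16")
    for size in (64, 1_048_576):
        keys = derive_xts_keys(b"cb", bytes(size))  # constructed all-zero keyfiles
        print(f"{size}-byte keyfile -> {sum(len(k) for k in keys) * 8} key bits")
```

Targeting either half takes the same number of guesses over the same password space, and the derived key is 512 bits whether the keyfile is 64 bytes or 1 MiB.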