Encryption Algorithms
AES
The Advanced Encryption Standard (AES) specifies a FIPS-approved
cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent
Rijmen, published in 1998) that may be used by US federal departments
and agencies to cryptographically protect sensitive information [3].
TrueCrypt uses AES with 14 rounds and a 256-bit key (i.e., AES-256,
published in 2001) operating in XTS mode.
In June 2003, after the NSA (US National Security Agency) conducted
a review and analysis of AES, the U.S. CNSS (Committee on National
Security Systems) announced in [1] that the design and strength of
AES-256 (and AES-192) are sufficient to protect classified information
up to the Top Secret level. This is applicable to all U.S. Government
Departments or Agencies that are considering the acquisition or use of
products incorporating the Advanced Encryption Standard (AES) to satisfy
Information Assurance requirements associated with the protection of
national security systems and/or national security information [1].
Serpent
Designed by Ross Anderson, Eli Biham, and Lars Knudsen; published in
1998. It uses a 256-bit key, 128-bit block, and operates in XTS mode. Serpent was one of the AES
finalists. It was not selected as the proposed AES algorithm even
though it appeared to have a higher security margin than the winning
Rijndael [4]. More concretely, Serpent appeared to have a high security margin, while Rijndael appeared to have only an adequate
security margin [4]. Rijndael has also received some criticism
suggesting that its mathematical structure might lead to attacks in the
future [4].
In [5], the Twofish
team presents a table of safety factors for the AES finalists. Safety
factor is defined as: number of rounds of the full cipher divided by the
largest number of rounds that has been broken. Hence, a broken cipher
has the lowest safety factor 1. Serpent had the highest safety factor of
the AES finalists: 3.56 (for all supported key sizes). Rijndael-256 had
a safety factor of 1.56.
In spite of these facts, Rijndael was considered an appropriate selection for the AES
for its combination of security, performance, efficiency,
implementability, and flexibility [4]. At the last AES Candidate
Conference, Rijndael got 86 votes, Serpent got 59 votes, Twofish got 31 votes, RC6 got 23 votes, and MARS got 13 votes [18, 19].*
* These are positive votes. If negative votes are
subtracted from the positive votes, the following results are obtained:
Rijndael: 76 votes, Serpent: 52 votes, Twofish: 10 votes, RC6: -14
votes, MARS: -70 votes [19].
Twofish
Designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner,
Chris Hall, and Niels Ferguson; published in 1998. It uses a 256-bit
key and 128-bit block and operates in XTS mode. Twofish was one of the AES finalists. This cipher uses key-dependent S-boxes. Twofish may be viewed as a collection of 2¹²⁸
different cryptosystems, where 128 bits derived from a 256-bit key
control the selection of the cryptosystem [4]. In [13], the Twofish team
asserts that key-dependent S-boxes constitute a form of security margin
against unknown attacks [4].
Cascades
AES-Twofish
Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Twofish (256-bit key) in XTS mode and then with AES
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own
key. All encryption keys are mutually independent (note that header keys
are independent too, even though they are derived from a single
password – see Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.
AES-Twofish-Serpent
Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with AES
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own
key. All encryption keys are mutually independent (note that header keys
are independent too, even though they are derived from a single
password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.
Serpent-AES
Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode and then with Serpent
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own
key. All encryption keys are mutually independent (note that header keys
are independent too, even though they are derived from a single
password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.
Serpent-Twofish-AES
Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with Serpent
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own
key. All encryption keys are mutually independent (note that header keys
are independent too, even though they are derived from a single
password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.
Twofish-Serpent
Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode and then with Twofish
(256-bit key) in XTS mode. Each of the cascaded ciphers uses its own
key. All encryption keys are mutually independent (note that header keys
are independent too, even though they are derived from a single
password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.
Modes of Operation
The mode of operation used by TrueCrypt for encrypted partitions, drives, and virtual volumes is XTS.
XTS mode is in fact XEX mode [12], which was designed by Phillip Rogaway in 2003, with a minor modification (XEX mode uses a single key for two different purposes, whereas XTS mode uses two independent keys).
In 2010, XTS mode was approved by NIST for protecting the confidentiality of data on storage devices [24]. In 2007, it was also approved by the IEEE for cryptographic protection of data on block-oriented storage devices (IEEE 1619).
Description of XTS mode:
Cᵢ = E_K1(Pᵢ ^ (E_K2(n) ⊗ aⁱ)) ^ (E_K2(n) ⊗ aⁱ)
Where:
⊗ | denotes multiplication of two polynomials over the binary field GF(2) modulo x¹²⁸+x⁷+x²+x+1
K1 | is the encryption key (256-bit for each supported cipher; i.e., AES, Serpent, and Twofish)
K2 | is the secondary key (256-bit for each supported cipher; i.e., AES, Serpent, and Twofish)
i | is the cipher block index within a data unit; for the first cipher block within a data unit, i = 0
n | is the data unit index within the scope of K1; for the first data unit, n = 0
a | is a primitive element of Galois Field (2¹²⁸) that corresponds to polynomial x (i.e., 2)
Note: The remaining symbols are defined in the section Notation.
The size of each data unit is always 512 bytes (regardless of the sector size).
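The XTS formula above and the layer ordering described under Cascades, worked through as an added example (not TrueCrypt's own code). `toy_E`/`toy_D` are a constructed, insecure stand-in for the real block ciphers, and the little-endian encoding of n and of the tweak is an assumption taken from the IEEE 1619 convention.

```python
import hashlib

MASK128 = (1 << 128) - 1

def mul_a(t):
    """Multiply t by a (polynomial x) in GF(2^128) mod x^128+x^7+x^2+x+1."""
    t <<= 1
    return (t & MASK128) ^ 0x87 if t >> 128 else t  # 0x87 = x^7+x^2+x+1

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

# Constructed stand-in for E_K: a 4-round Feistel permutation on 128-bit blocks.
# It is NOT AES, Serpent or Twofish and is not secure; it only makes this runnable.
def toy_E(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def toy_D(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def xts_unit(k1, k2, n, data, decrypt=False):
    """Apply C_i = E_K1(P_i ^ T_i) ^ T_i, T_i = E_K2(n) * a^i, to one data unit."""
    if len(data) != 512:
        raise ValueError("TrueCrypt data units are always 512 bytes")
    # Assumption (IEEE 1619 convention): n and the tweak are little-endian.
    t = int.from_bytes(toy_E(k2, n.to_bytes(16, "little")), "little")
    cipher, out = (toy_D if decrypt else toy_E), bytearray()
    for off in range(0, 512, 16):      # i = off // 16
        tw = t.to_bytes(16, "little")
        out += _xor(cipher(k1, _xor(data[off:off + 16], tw)), tw)
        t = mul_a(t)                   # T_{i+1} = T_i * a
    return bytes(out)

def cascade(layers, n, unit, decrypt=False):
    """layers = [(K1, K2), ...] in encryption order; decryption peels them in reverse."""
    for k1, k2 in (reversed(layers) if decrypt else layers):
        unit = xts_unit(k1, k2, n, unit, decrypt)
    return unit
```

For the AES-Twofish cascade, `layers` would hold the Twofish key pair first and the AES key pair second, matching the encryption order given above.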
Summary
Hash Algorithms
A user-selected hash algorithm is used by the Random Number Generator as a pseudorandom "mixing" function, and by the
header key derivation function (HMAC based on a hash function, as
specified in PKCS #5 v2.0) as a pseudorandom function. When creating a
new volume, the Random Number Generator generates the master key,
secondary key (XTS mode), and salt.
Examples for hash algorithms:
- RIPEMD-160
RIPEMD-160, published in 1996, is a hash algorithm designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel in an open academic community. The size of the output of RIPEMD-160 is 160 bits. RIPEMD-160 is a strengthened version of the RIPEMD hash algorithm that was developed in the framework of the European Union's project RIPE (RACE Integrity Primitives Evaluation), 1988-1992. RIPEMD-160 was adopted by the International Organization for Standardization (ISO) and the IEC in the ISO/IEC 10118-3:2004 international standard [21].
- SHA-512
SHA-512 is a hash algorithm designed by the NSA and published by NIST in FIPS PUB 180-2 [14] in 2002 (the first draft was published in 2001). The size of the output of this algorithm is 512 bits.
- Whirlpool
The Whirlpool hash algorithm was designed by Vincent Rijmen (co-designer of the AES encryption algorithm) and Paulo S. L. M. Barreto. The size of the output of this algorithm is 512 bits. The first version of Whirlpool, now called Whirlpool-0, was published in November 2000. The second version, now called Whirlpool-T, was selected for the NESSIE (New European Schemes for Signatures, Integrity and Encryption) portfolio of cryptographic primitives (a project organized by the European Union, similar to the AES competition). TrueCrypt uses the third (final) version of Whirlpool, which was adopted by the International Organization for Standardization (ISO) and the IEC in the ISO/IEC 10118-3:2004 international standard [21].
source:truecrypt