VeraCrypt Documentation - Encryption Scheme

Encryption Scheme

When mounting a VeraCrypt volume (assume there are no cached passwords/keyfiles) or when performing pre-boot authentication, the following steps are performed:

  1. The first 512 bytes of the volume (i.e., the standard volume header) are read into RAM, out of which the first 64 bytes are the salt (see VeraCrypt Volume Format Specification). For system encryption (see the chapter System Encryption), the last 512 bytes of the first logical drive track are read into RAM (the VeraCrypt Boot Loader is stored in the first track of the system drive and/or on the VeraCrypt Rescue Disk).

  2. Bytes 65536–66047 of the volume are read into RAM (see the section VeraCrypt Volume Format Specification). For system encryption, bytes 65536–66047 of the first partition located behind the active partition* are read (see the section Hidden Operating System). If there is a hidden volume within this volume (or within the partition behind the boot partition), we have read its header at this point; otherwise, we have just read random data (whether or not there is a hidden volume within it has to be determined by attempting to decrypt this data; for more information see the section Hidden Volume).

  3. Now VeraCrypt attempts to decrypt the standard volume header read in (1). All data used and generated in the course of the process of decryption are kept in RAM (VeraCrypt never saves them to disk). The following parameters are unknown† and have to be determined through the process of trial and error (i.e., by testing all possible combinations of the following):

    1. PRF used by the header key derivation function (as specified in PKCS #5 v2.0; see the section Header Key Derivation, Salt, and Iteration Count), which can be one of the following:

      HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, HMAC-Whirlpool. If a PRF is explicitly specified by the user, it will be used directly without trying the other possibilities.

      A password entered by the user (to which one or more keyfiles may have been applied – see the section Keyfiles), a PIM value (if specified) and the salt read in (1) are passed to the header key derivation function, which produces a sequence of values (see the section Header Key Derivation, Salt, and Iteration Count) from which the header encryption key and secondary header key (XTS mode) are formed. (These keys are used to decrypt the volume header.)

    2. Encryption algorithm: AES-256, Serpent, Twofish, AES-Serpent, AES-Twofish-Serpent, etc.

    3. Mode of operation: only XTS is supported

    4. Key size(s)

  4. Decryption is considered successful if the first 4 bytes of the decrypted data contain the ASCII string “VERA”, and if the CRC-32 checksum of the last 256 bytes of the decrypted data (volume header) matches the value located at byte #8 of the decrypted data (this value is unknown to an adversary because it is encrypted – see the section VeraCrypt Volume Format Specification). If these conditions are not met, the process continues from (3) again, but this time, instead of the data read in (1), the data read in (2) are used (i.e., possible hidden volume header). If the conditions are not met again, mounting is terminated (wrong password, corrupted volume, or not a VeraCrypt volume).

  5. Now we know (or assume with very high probability) that we have the correct password, the correct encryption algorithm, mode, key size, and the correct header key derivation algorithm. If we successfully decrypted the data read in (2), we also know that we are mounting a hidden volume and its size is retrieved from data read in (2) decrypted in (3).

  6. The encryption routine is reinitialized with the primary master key** and the secondary master key (XTS mode – see the section Modes of Operation), which are retrieved from the decrypted volume header (see the section VeraCrypt Volume Format Specification). These keys can be used to decrypt any sector of the volume, except the volume header area (or the key data area, for system encryption), which has been encrypted using the header keys. The volume is mounted.
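
The header probing in steps 1 to 5, as an added example that is not VeraCrypt's own code: it tries each candidate PRF against the standard header, falls back to the possible hidden header at byte 65536, and applies the "VERA" plus CRC-32 check from step 4. Assumptions: a SHA-256 keystream stands in for the real XTS block ciphers, only the two PRFs available in Python's `hashlib` are tried, the iteration count is a small constructed value, the CRC field is read as big-endian, and `make_header` builds constructed sample headers.

```python
import hashlib, os, struct, zlib

SALT_LEN, HEADER_LEN = 64, 512
HIDDEN_OFFSET = 65536          # bytes 65536-66047, read in step 2
PRFS = ["sha512", "sha256"]    # subset of the page's PRF list found in hashlib
ITERATIONS = 1000              # constructed demo value, far below real settings

def keystream_xor(key, data):
    """Stand-in for the XTS header cipher (assumption; demo only, not secure)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def header_ok(plain):
    """Step 4: magic in the first 4 bytes, CRC-32 of the last 256 bytes at byte 8."""
    stored = struct.unpack(">I", plain[8:12])[0]   # big-endian is an assumption
    return plain[:4] == b"VERA" and zlib.crc32(plain[-256:]) == stored

def try_header(header, password):
    """Step 3: trial and error over the unknown PRF; returns the PRF or None."""
    salt, body = header[:SALT_LEN], header[SALT_LEN:]
    for prf in PRFS:
        key = hashlib.pbkdf2_hmac(prf, password, salt, ITERATIONS, 64)
        if header_ok(keystream_xor(key, body)):
            return prf
    return None

def open_volume(volume, password):
    """Standard header first, then the possible hidden header (steps 1 to 5)."""
    for kind, offset in (("standard", 0), ("hidden", HIDDEN_OFFSET)):
        prf = try_header(volume[offset:offset + HEADER_LEN], password)
        if prf:
            return kind, prf
    return None    # wrong password, corrupted volume, or not a VeraCrypt volume

def make_header(password, prf):
    """Build a constructed 512-byte sample header (not a real volume header)."""
    salt, master_keys = os.urandom(SALT_LEN), os.urandom(256)
    plain = (b"VERA" + bytes(4) + struct.pack(">I", zlib.crc32(master_keys))
             + bytes(180) + master_keys)           # 448 bytes after the salt
    key = hashlib.pbkdf2_hmac(prf, password, salt, ITERATIONS, 64)
    return salt + keystream_xor(key, plain)
```

Without the password, both header regions look like random data, so the only way to tell an outer volume, a hidden volume and a wrong password apart is to run this loop to completion.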

See also the sections Modes of Operation and Header Key Derivation, Salt, and Iteration Count, and the chapter Security Model.

* If the size of the active partition is less than 256 MB, then the data is read from the second partition behind the active one (Windows 7 and later, by default, do not boot from the partition on which they are installed).

† These parameters are kept secret not in order to increase the complexity of an attack, but primarily to make VeraCrypt volumes unidentifiable (indistinguishable from random data), which would be difficult to achieve if these parameters were stored unencrypted within the volume header. Also note that in the case of legacy MBR boot mode, if a non-cascaded encryption algorithm is used for system encryption, the algorithm is known (it can be determined by analyzing the contents of the unencrypted VeraCrypt Boot Loader stored in the first logical drive track or on the VeraCrypt Rescue Disk).

** The master keys were generated during the volume creation and cannot be changed later. Volume password change is accomplished by re-encrypting the volume header using a new header key (derived from a new password).
