WinAbility Encryption Driver (Driver) implements the PBKDF2 (Password-Based Key Derivation Function) algorithm. This algorithm uses a hash function to derive key material from the password chosen by the user.
The Driver currently uses the following hash functions for the key derivation:
    function SHA2_COMBO( var input )
    {
        var hash1 = SHA2_512( input );      // 512-bit SHA-2 digest of the input
        var hash2 = WHIRLPOOL( input );     // 512-bit Whirlpool digest of the same input
        var digest = ( hash1 XOR hash2 );   // bitwise XOR of the two 512-bit digests
        return digest;
    }
When the user enters a password, the application obtains its plain-text representation in the UNICODE™ format. This binary representation of the user's password is then used as the input to the SHA2-COMBO function (described above). The 512-bit output is then used as the input to the SHA2-256 function. The resulting 256-bit hash value is used as the intermediate hash value of the password. If the user has selected the option to remember the password for the duration of the current computer session, it is this intermediate hash value (rather than the plain-text form of the password) that is stored in the computer memory.
The 256-bit intermediate hash value obtained in the previous step is used, together with the salt value from the volume descriptor key structure, as the input to the PBKDF2 algorithm, which is executed repeatedly (2048 iterations with the SHA2-512 or SHA2-COMBO hash functions, or 8192 iterations with the SHA3-512 hash function, for each portion of the key material) until the required quantity of key material has been generated. For example, for AES-128 encryption in the CBC mode, the Driver generates 256 bits of key material, of which the first 128 bits are used as the encryption key and the remaining 128 bits are used as the initial initialization vector (IV).
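The whole derivation path described above (SHA2_COMBO, the SHA2-256 intermediate hash, PBKDF2 with the stated iteration counts, and the split of the key material into AES-128 key and initial IV), written out as an added Python example. This is illustrative code, not the Driver's own implementation. Assumptions not stated on the page: the "UNICODE" password bytes are taken as UTF-16LE without a terminating NUL; Whirlpool is obtained from hashlib.new('whirlpool'), which only exists where the OpenSSL build provides it (a stand-in callable can be injected); PBKDF2 is shown with HMAC over SHA2-512 or SHA3-512 as the PRF, since the page does not say how SHA2-COMBO is wired into PBKDF2's HMAC, so that variant is not modelled. The salt in the demo is a constructed sample value.

```python
import hashlib
import hmac
import struct

# Iteration counts stated on the page, keyed by the PBKDF2 hash function.
ITERATIONS = {"sha512": 2048, "sha2_combo": 2048, "sha3_512": 8192}


def sha2_combo(data: bytes, whirlpool=None) -> bytes:
    """SHA2_COMBO as defined on the page: SHA2-512(data) XOR WHIRLPOOL(data).

    `whirlpool` is a callable returning the 64-byte Whirlpool digest. By default
    hashlib.new('whirlpool') is used, which exists only where the underlying
    OpenSSL build provides the algorithm (assumption, not from the page).
    """
    h1 = hashlib.sha512(data).digest()
    if whirlpool is None:
        whirlpool = lambda d: hashlib.new("whirlpool", d).digest()
    h2 = whirlpool(data)
    if len(h2) != len(h1):
        raise ValueError("Whirlpool digest must be 512 bits to XOR with SHA-512")
    return bytes(a ^ b for a, b in zip(h1, h2))


def intermediate_hash(password: str, whirlpool=None) -> bytes:
    """The 256-bit intermediate hash: SHA2-256(SHA2_COMBO(password bytes)).

    Assumption: 'UNICODE format' is taken as UTF-16LE without a terminating
    NUL; the page does not state the exact byte layout.
    """
    pw_bytes = password.encode("utf-16-le")
    return hashlib.sha256(sha2_combo(pw_bytes, whirlpool)).digest()


def pbkdf2(prf_hash, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) written out so the per-block iteration is visible.

    `prf_hash` is a hashlib constructor used inside HMAC (hashlib.sha512 or
    hashlib.sha3_512 here). Block T_i = U_1 XOR U_2 XOR ... XOR U_c, where
    U_1 = HMAC(password, salt || INT_32_BE(i)) and U_j = HMAC(password, U_{j-1}).
    """
    hlen = prf_hash().digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen): one "portion" of key material per block
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), prf_hash).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, prf_hash).digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += t
    return bytes(out[:dklen])


def derive_aes128_cbc_material(intermediate: bytes, salt: bytes,
                               prf_hash=hashlib.sha512, iterations=ITERATIONS["sha512"]):
    """256 bits of key material: first 128 bits = AES-128 key, remaining 128 bits = initial IV."""
    material = pbkdf2(prf_hash, intermediate, salt, iterations, 32)
    return material[:16], material[16:32]


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt, not taken from any real volume descriptor
    try:
        ih = intermediate_hash("correct horse")
    except ValueError:
        print("Whirlpool is not available in this hashlib build; using a constructed stand-in")
        ih = hashlib.sha256(b"constructed stand-in").digest()
    key, iv = derive_aes128_cbc_material(ih, salt)
    print("AES-128 key:", key.hex())
    print("initial IV :", iv.hex())
    key3, iv3 = derive_aes128_cbc_material(ih, salt, hashlib.sha3_512, ITERATIONS["sha3_512"])
    print("SHA3-512 variant key:", key3.hex())
```

The pure-Python `pbkdf2` exists only to make the block/iteration structure readable; in practice the same result comes from `hashlib.pbkdf2_hmac("sha512", intermediate, salt, 2048, 32)`, and the two agree, which is a useful self-check when reimplementing a KDF against a vendor description.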