What encryption algorithm is used?
The cryptographic primitives are AES with 128-bit keys for encryption, and
SHA-1 for hashes.
The real answer is much more complex, as there are many ways to use and
combine these basic primitives.
In brief, with no attempt to explain further here:
- Passphrases are hashed with SHA-1 to 160 bits, of which the most
significant 128 bits are used as a Key Encrypting Key.
- Using a Pseudo Random Number Generator specified in FIPS 186-2
operating on a 160-bit Seed and a 160-bit Key with SHA-1, a 128-bit
Master Data Encrypting Key is produced.
- Header data and plain text data are encrypted with
different derivations of the Master Data Encrypting Key.
- The PRNG Seed is a constantly accumulating value, dependent on (the
presumably secret) user-entered keys as well as a 256-byte entropy pool
collected continuously through mouse and window movement, together with
further entropy from the system timer and time, as well as a free
running bit counter, and the Pentium time stamp counter if available.
- 128 bytes of the entropy pool are also saved persistently in the
registry.
- The data in the file consists of many header sections containing
information about the file size, file name and file modification times
as well as version information, integrity checksum etc.
- The Key Encrypting Key is wrapped with the NIST
AES Key Wrap Algorithm, with increased round count to 10000.
- All data concerning the file, namely exact size, original name, file
modification and the actual data, is encrypted in Cipher Block Chaining
mode with standard padding under different subkey variants of the Master
Data Encrypting Key, obtained by encrypting non-secret constants with
the Master Data Encrypting Key.
- The Initialization Vector for CBC-mode (the same is used for all
subkeys) is generated with the same PRNG as above.
- Before encryption, the data is compressed using the standard deflate
algorithm from RFC 1950 and RFC 1951.
- For integrity checking, an RFC 2104 HMAC-SHA1-128 is created for all
data (after encryption) except the initial header containing the magic
number GUID for file-type id and the HMAC itself.
Sometime in the distant future I may write a white-paper describing the
algorithms exactly in a more readable form than C++-code - which is what you
may look at currently for more details.
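
The passphrase hashing and key wrap steps from the list above, as an added Go example; it is not AxCrypt's own code. It assumes the passphrase-derived KEK is the wrapping key, the 128-bit master key is the wrapped data, and the construction is plain RFC 3394 with only the round count changed; the function names, passphrases and all-zero master key are constructed for illustration, and keys are assumed to be a multiple of 8 bytes, at least 16.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const iv uint64 = 0xA6A6A6A6A6A6A6A6 // RFC 3394 default initial value
// kekCipher keys AES-128 with the most significant 128 bits of SHA-1(passphrase).
func kekCipher(passphrase string) cipher.Block {
	h := sha1.Sum([]byte(passphrase))
	c, _ := aes.NewCipher(h[:16]) // cannot fail: 16 bytes is a valid AES key size
	return c
}

// wrap is RFC 3394 key wrap with the round count as a parameter (the RFC fixes it at 6).
func wrap(c cipher.Block, key []byte, rounds int) []byte {
	out, b, n := append(binary.BigEndian.AppendUint64(nil, iv), key...), make([]byte, 16), len(key)/8
	for t := 1; t <= rounds*n; t++ { // t = n*j + i in RFC 3394 notation
		r := out[8*((t-1)%n+1):][:8] // R[i]
		b = append(append(b[:0], out[:8]...), r...)
		c.Encrypt(b, b)
		binary.BigEndian.PutUint64(out, binary.BigEndian.Uint64(b)^uint64(t))
		copy(r, b[8:])
	}
	return out
}

// unwrap inverts wrap; ok is false (discard the key) when A does not come back as the IV.
func unwrap(c cipher.Block, wrapped []byte, rounds int) (key []byte, ok bool) {
	buf, b, n := append([]byte{}, wrapped...), make([]byte, 16), len(wrapped)/8-1
	for t := rounds * n; t >= 1; t-- {
		r := buf[8*((t-1)%n+1):][:8]
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		c.Decrypt(b, b)
		copy(buf, b[:8])
		copy(r, b[8:])
	}
	return buf[8:], binary.BigEndian.Uint64(buf) == iv
}

func main() {
	w := wrap(kekCipher("constructed passphrase"), make([]byte, 16), 10000)
	_, ok := unwrap(kekCipher("wrong guess"), w, 10000)
	fmt.Printf("wrapped key: %x\nwrong passphrase accepted: %v\n", w, ok)
}
```

Each passphrase guess costs rounds × n AES block operations: 20000 for a 128-bit key at 10000 rounds, against 12 at the RFC's 6 rounds.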