Security Characteristics


Encryption algorithms

BestCrypt Volume Encryption allows the user to encrypt data with a number of encryption algorithms that are regarded as strong. Every algorithm is implemented with the largest key size defined in the algorithm's specification:

AES (Rijndael): 256-bit key
Camellia: 256-bit key
RC6: 256-bit key
Serpent: 256-bit key
Twofish: 256-bit key


Encryption mode

BestCrypt Volume Encryption utilizes XTS encryption mode with all of the encryption algorithms listed above. XTS mode is specifically designed for applications that work at the disk sector level and is more secure than other popular modes used earlier, such as Cipher Block Chaining (CBC) mode.


Password-based key derivation function

BestCrypt Volume Encryption stores the encryption key for the user's data (the Data Key) in an encrypted form. The software uses another key, derived from the password, to encrypt the Data Key.

It is important to use a proven algorithm to derive a key from a password, because weak algorithms make various attacks on the password possible and even easy. BestCrypt Volume Encryption utilizes the scrypt algorithm as its password-based key derivation function.

Scrypt requires intensive computational resources to derive a key from a password, and it allows its internal cost parameters to be customized to make the computation even harder. As a result, attacking passwords becomes a substantially more difficult task because of the long time and intense processing power required to test every candidate password. Read more about the scrypt algorithm in the RFC 7914 document.
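The following is an added example, not code from BestCrypt Volume Encryption, showing the scheme described above in Python's standard library: a key-encryption key is derived from the password with scrypt (RFC 7914 parameters N, r, p), the Data Key is stored only in wrapped form, and a wrong password is rejected rather than producing a garbage key. The cost values are constructed for the demo (the page does not state the product's settings), and the masking-plus-HMAC wrapping is a stand-in construction, not the product's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters, named as in RFC 7914: N is the CPU/memory cost,
# r the block size, p the parallelization factor. Constructed demo values;
# the page does not state the settings BestCrypt Volume Encryption uses.
N_DEMO, R_DEMO, P_DEMO = 2 ** 14, 8, 1

def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate working memory scrypt needs: 128 * r * N bytes (RFC 7914)."""
    return 128 * r * n

def derive_kek(password: str, salt: bytes, n: int = N_DEMO,
               r: int = R_DEMO, p: int = P_DEMO, dklen: int = 64) -> bytes:
    """Derive a key-encryption key (KEK) from the password with scrypt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=dklen)

def wrap_data_key(password: str, data_key: bytes) -> bytes:
    """Store a 32-byte Data Key encrypted under the password-derived KEK.
    Stand-in construction (not the product's own): the first 32 KEK bytes mask
    the Data Key, the last 32 key an HMAC tag so a wrong password is detected."""
    if len(data_key) != 32:
        raise ValueError("Data Key must be 32 bytes")
    salt = os.urandom(16)                      # fresh salt per wrapped key
    kek = derive_kek(password, salt)
    masked = bytes(a ^ b for a, b in zip(data_key, kek[:32]))
    tag = hmac.new(kek[32:], salt + masked, hashlib.sha256).digest()
    return salt + masked + tag

def unwrap_data_key(password: str, blob: bytes) -> Optional[bytes]:
    """Recover the Data Key; returns None if the password is wrong."""
    salt, masked, tag = blob[:16], blob[16:48], blob[48:80]
    kek = derive_kek(password, salt)
    expected = hmac.new(kek[32:], salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, kek[:32]))

# Known-answer check against the scrypt test vector in RFC 7914, section 12.
RFC7914_VECTOR = bytes.fromhex(
    "fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b373162"
    "2eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640")

def rfc7914_vector_ok() -> bool:
    return derive_kek("password", b"NaCl", n=1024, r=8, p=16) == RFC7914_VECTOR
```

Doubling N doubles both the memory (128 * r * N bytes) and the time each password guess costs, which is the lever the text refers to when it says the internal variables can be tuned.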


Embedded password strength estimator

To secure your data, it is important to use passwords that are difficult to guess. Utilities that attack passwords (by mounting a dictionary attack, for example) are very powerful, and it is not immediately obvious to a user how strong the password he/she is creating actually is.

BestCrypt Volume Encryption utilizes the Zxcvbn password strength estimation algorithm at the point when the user creates a new password to encrypt disk volumes. In the same dialog window the user can see a progress indicator together with a text description of the strength of the password he/she is entering.

As official GitHub Zxcvbn repository states: "zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak."

Two-Factor user authentication

BestCrypt Volume Encryption supports SafeNet eToken and Yubikey hardware devices. They are small removable devices connected to the USB port and designed to store data in a secure form. BestCrypt Volume Encryption also supports ordinary USB drives for this purpose, so users can store encryption keys either on a plain USB stick or on an eToken device. Regardless of the hardware a user chooses, this type of two-factor authentication allows users to store encryption keys separately from their encrypted computers for an added level of security.

To gain access to an encrypted volume, a user must insert the eToken, Yubikey or USB stick and enter the appropriate password. Encrypted data cannot be accessed if either of these two factors is missing: neither without the password nor without the removable device.


Pre-boot authentication

BestCrypt Volume Encryption allows the user to encrypt System and Boot volumes. When the user encrypts the System/Boot volume, he/she must enter the appropriate password before the computer starts loading the Windows operating system. Without the password, BestCrypt Volume Encryption is not able to transparently decrypt the disk sectors where Windows stores its system files. Hence, without the password (and the hardware eToken, if one is used) it is impossible to boot a computer whose System/Boot volume(s) are encrypted.


Note that Microsoft's terminology for System and Boot volumes is not so obvious: the System Volume is the volume from which the computer starts to load the operating system(s); the Boot Volume is the volume where the operating system (Windows) stores its system files.
