ZipCrypto security

Anonymous
2010-02-16
2012-12-09
  • Anonymous - 2010-02-16

    Hi,

    I would like to know how insecure ZipCrypto is in my setting (I already distributed the file and want to check how large of a threat I'm facing):

    A zip file A.zip, 4 MB, containing 40-50 files, created with the newest 7-Zip with ZipCrypto, password protected (55 characters including special chars). A.zip is compressed in B.zip with the same password. So B.zip has only one file in it which is A.zip.

    Now, as far as I have found out, there are three attacks (correct me if I'm wrong):

    - Brute force: not an option for 55 characters
    - WinZip vulnerability: does not apply, as tested with ARCHPR.
    - Plain text: as there is only one file, and the part that all zip files have in common is 10 bytes at maximum, this is not an option either.

    Am I right to feel "safe" (in my special case) or do I need to take actions?

    By the way, based on what I read in the last hour, it's a pity that ZipCrypto is the default setting in 7-Zip.

    bersbers

     
  • dos386 - 2010-02-18

    > (I already distributed the file and want to check how large of a threat I'm facing):

    > A zip file A.zip, 4 MB, containing 40-50 files, created with the newest 7-Zip with ZipCrypto,
    > password protected (55 characters including special chars). A.zip is compressed in B.zip
    > with the same password. So B.zip has only one file in it which is A.zip.

    BAD :-(

    1. Don't encrypt the inner ZIP
    2. Use "Store" for the inner ZIP

    or just use TAR ;-)

    > Now, as far as I have found out, there are three attacks (correct me if I'm wrong):
    > - Brute force: not an option for 55 characters 

    Missed one: Brute force on the key (96 bits only + poor algorithm) 

    > By the way, based on what I read in the last hour, it's a pity that ZipCrypto is the default setting in 7-Zip.

    NO. ZipCrypto is COOL for ZIP format :-)

    If you need security just switch fully on the safe side with 7-ZIP format :-)
