There are some findings in AI results that 7zip uses salt, AES256, PBKDF2. But I cannot find a description on the official website. How can I find it, or could you provide the details?
It is for 7-zip (7za.exe); we use this for document cryptography. How about its password salt, encryption and storage? (I believe 7z does not store the password; it only stores the key, as far as I researched.)
Please provide some details, because the official website only mentions AES256. Thanks a lot.
Archiving programs do not store encryption keys and passwords inside the archive.
The AES-256 key for a 7z archive is derived from the text password with many SHA-256 iterations.
7-zip uses a random 16-byte IV salt for AES256-CBC. That salt is stored in the archive. So the same data with the same password will generate different encrypted data in different calls, because the salt is different.
Last edit: Igor Pavlov 2025-07-14
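So when I use the code below to call 7za.exe:

    // requires: using System.Diagnostics;
    var p = new ProcessStartInfo
    {
        FileName = _exec7ZipPath,
        // "a" adds to an archive; -p sets the password; -mhe also encrypts the archive headers
        Arguments = $"a \"{destination}\" \"{source}\" -p{password} -mhe",
        WindowStyle = ProcessWindowStyle.Hidden
    };
    using (var process = Process.Start(p))
    {
        process.WaitForExit();
        // any non-zero exit code is treated as a failure
        if (process.ExitCode > 0)
            throw new ApplicationException();
    }
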
It will call 7zAes.cpp but not Pbkdf2HmacSha1.cpp. It will create a random 16-byte IV salt, and also include 2^19 iterations. Then it calls the Sha256_Final function (in the Sha256.c file), using the salt and password to create an AES256-CBC key. It does not use PBKDFv2; it uses a custom key derivation algorithm.
Am I right? Thanks for your time; please see if my analysis is right.
salt for key generation is empty, because we want fast decompression for small files in non-solid 7z archives.
key generation for 7z archive:
utf-16 password -> 2^19 iterations of special concatenation -> sha256 -> 256-bit key for AES.
And there is random 128-bit salt (IV) for aes256-cbc.
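The key derivation described in the reply above, as an added Python example that is not part of the original thread or of 7-Zip's own code. The function names are hypothetical, and the layout of each hashed block (salt, UTF-16LE password, 8-byte little-endian counter) is an assumption based on a reading of 7zAes.cpp; the thread itself only says "special concatenation".

```python
import hashlib
import os

CYCLES_POWER = 19   # 2^19 iterations, per the thread
KDF_SALT = b""      # key-generation salt is empty for 7z archives, per the thread


def derive_7z_key(password: str, salt: bytes = KDF_SALT,
                  cycles_power: int = CYCLES_POWER) -> bytes:
    """Return the 256-bit AES key derived from a 7z archive password.

    Assumed layout of each block fed to SHA-256:
        salt || UTF-16LE password || 8-byte little-endian counter
    All blocks go into ONE running SHA-256 state; there is no HMAC
    and no per-iteration finalisation, so this is not PBKDF2.
    """
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()


def new_archive_params(password: str) -> tuple:
    """Model of what a fresh archive gets: (key, iv). Constructed helper."""
    key = derive_7z_key(password)
    iv = os.urandom(16)   # random 128-bit IV, stored in the archive
    return key, iv


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    k1, iv1 = new_archive_params("correct horse")
    k2, iv2 = new_archive_params("correct horse")
    print("same key for same password:", k1 == k2)
    print("different IV per archive:  ", iv1 != iv2)
```

With the empty key-generation salt, the derived key depends only on the password, so password strength carries the whole load; the per-archive IV is what makes the ciphertext differ between runs.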
PBKDFv2 is used for zip archive.
PBKDFv2 is not used for 7z archive. We don't want to change it, because we need compatibility between all versions of 7-zip.
7-zip supports AES for 7z and zip archives.
Algorithms are different for these types.
When calling 7za.exe, will you consider using PBKDFv2 instead of custom Sha256 to generate keys?