 

Zip file with passwd security?

Tags:

security

We have a client-server based app which saves user-related data into a zip file and sets the passwd on the zip file programmatically. Just wondering if it could be considered secure. Thanks N

np. asked Mar 05 '10 10:03


2 Answers

The "classic" encryption for Zip files is considered to be weak. It is breakable, quickly, by known methods. See: "A Known Plaintext Attack on the PKZIP Stream Cipher" for the original paper, by Biham and Kocher, from 1994. Yes, 16 years ago.

More recently there have been other exploits described; for example, the paper Yet another Plaintext Attack on ZIP's Encryption Scheme (WinZIP) says that a classic-zip encrypted file with 3 entries, created by WinZip, can be cracked in 2 hours on a "pentium". This was based on an exploit of a weakness in the random number generator of the then-current WinZip v9.0 tool. I'm sure it would go much faster now, on current processors, but at the same time, I'm pretty sure WinZip, now at v12.0, has fixed this problem in its random number generator. Nevertheless, even without the specific-to-WinZip-v9 exploit, classic ZIP encryption remains weak.

This weak zip encryption that has been cracked is also known as "ZIP 2.0 encryption" or "PKZIP encryption".

Many modern ZIP toolkits also support AES encryption of ZIP entries. This is considered to be strong encryption, and is quite secure (** See note). WinZip, XCeed, and DotNetZip are three such tools that support reading and writing zip files with this encryption level. Among the three, DotNetZip is the only free option.

You didn't mention the library you use to programmatically produce the zip file. If you use DotNetZip, producing an AES-encrypted ZIP file in C# is as easy as this:

   using Ionic.Zip;   // DotNetZip namespace

   using (var zip = new ZipFile()) 
   {
      // In DotNetZip, Encryption and Password apply only to entries added
      // after they are set, so set both before calling AddFile.
      zip.Encryption = EncryptionAlgorithm.WinZipAes128; 
      zip.Password = "Very.Secret!"; 
      zip.AddFile("MySensitiveFile.doc");
      zip.Save("MyEncryptedArchive.zip");
   }

** note: Yoshi has published a paper entitled Attacking and Repairing the WinZip Encryption Scheme, describing exploits of WinZip's AES encryption to argue that WinZip's AES encryption is not secure. However, the exploits he describes rely on social engineering, previous compromises, or both. For example, the primary exploit described in the paper involves an attacker intercepting the encrypted zip file, modifying it, sending the modified copy to its intended recipient, getting the recipient to attempt to decrypt it and then send the result of that encryption back to the attacker, who can then decrypt the original file. This so-called "exploit" involves numerous leaps of faith, piled on the previous compromise of intercepted communication in both directions. No one has described any structural exploits of WinZip AES on par with the exploits of ZIP classic encryption.

Cheeso answered Nov 09 '22 14:11


Use 7zip, which has better password security, and also tick the 'encrypt filenames' option.

SteelBytes answered Nov 09 '22 14:11
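Both answers turn on something the original poster can check directly rather than take on trust: which scheme the zip library actually wrote into the archive (legacy ZipCrypto versus WinZip AES), and what remains readable without the password. The script below is an added example, not code from either answer, from DotNetZip or from 7-Zip. It parses the ZIP central directory and reports each entry as unencrypted, legacy ZipCrypto (general-purpose flag bit 0 set with no AES extra field) or WinZip AES (compression method 99 plus the 0x9901 extra field carrying the key strength). It builds its own three-entry sample archive in memory; the entry names are invented and the "encrypted" payloads are constructed zero bytes, since only the headers matter for this check.

```python
"""Classify each entry of a ZIP archive by encryption scheme: none, legacy
ZipCrypto ("ZIP 2.0"/PKZIP stream cipher) or WinZip AES (extra field 0x9901).
Added example, not code from the original post."""
import io
import struct
import zipfile
import zlib

LOC_SIG, CEN_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
AES_EXTRA_ID = 0x9901      # WinZip AES extra-field header id
METHOD_AES = 99            # compression method reserved for WinZip AES
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: entry is encrypted
AES_STRENGTH = {1: "aes128", 2: "aes192", 3: "aes256"}


def _find_eocd(data: bytes) -> int:
    """Offset of the end-of-central-directory record (22 bytes + optional comment)."""
    for off in range(len(data) - 22, max(-1, len(data) - 22 - 65536), -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIG:
            return off
    raise ValueError("not a ZIP archive: no end-of-central-directory record")


def _aes_extra(extra: bytes):
    """Return (strength, real_method) from a 0x9901 extra field, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == AES_EXTRA_ID and len(body) >= 7:
            _ver, vendor, strength, real_method = struct.unpack_from("<H2sBH", body)
            if vendor == b"AE":
                return strength, real_method
        pos += 4 + size
    return None


def classify_entries(data: bytes):
    """Return [(name, scheme, method)]; scheme is none, zipcrypto, aes128/192/256 or aes-unknown."""
    rec = struct.unpack_from("<IHHHHIIH", data, _find_eocd(data))
    n_entries, cd_offset = rec[4], rec[6]
    out, pos = [], cd_offset
    for _ in range(n_entries):
        hdr = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if hdr[0] != CEN_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        flags, method = hdr[3], hdr[4]
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if method == METHOD_AES:
            aes = _aes_extra(extra)
            scheme = AES_STRENGTH.get(aes[0], "aes-unknown") if aes else "aes-unknown"
            method = aes[1] if aes else method   # the real (inner) compression method
        elif flags & FLAG_ENCRYPTED:
            scheme = "zipcrypto"                 # the weak PKZIP stream cipher
        else:
            scheme = "none"
        out.append((name, scheme, method))
        pos += 46 + name_len + extra_len + comment_len
    return out


def unprotected_entries(data: bytes):
    """Names whose contents are not AES-protected: unencrypted or ZipCrypto."""
    return [n for n, s, _ in classify_entries(data) if not s.startswith("aes")]


def names_without_password(data: bytes):
    """Entry names live in the clear in the central directory, so the stdlib
    lists them with no password, whatever scheme protects the contents."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed three-entry archive. The 'encrypted' payloads are zero bytes,
    not real ciphertext: only the headers matter for classification."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 1, 8)  # AE-2, AES-128, Deflate
    spec = [  # (name, payload, flags, method, extra) -- all invented
        ("readme.txt", b"public notes\n", 0, 0, b""),
        ("users.db", b"\x00" * 32, FLAG_ENCRYPTED, 8, b""),
        ("secrets.json", b"\x00" * 32, FLAG_ENCRYPTED, METHOD_AES, aes_extra),
    ]
    body, central = bytearray(), bytearray()
    for name, payload, flags, method, extra in spec:
        nb, crc, off = name.encode(), zlib.crc32(payload), len(body)
        body += struct.pack("<IHHHHHIIIHH", LOC_SIG, 20, flags, method, 0, 0,
                            crc, len(payload), len(payload), len(nb), len(extra))
        body += nb + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CEN_SIG, 20, 20, flags, method,
                               0, 0, crc, len(payload), len(payload), len(nb),
                               len(extra), 0, 0, 0, 0, off)
        central += nb + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(spec), len(spec),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, scheme, method in classify_entries(archive):
        print("%-14s %-10s method=%d" % (name, scheme, method))
    print("visible without a password:", names_without_password(archive))
```

Point `classify_entries` at an archive your own app produced (`open(path, "rb").read()`) to confirm that the library really emitted method 99 with the AE extra field rather than ZipCrypto. The last function is the caveat behind the second answer: the .zip container stores entry names in the clear in the central directory, so even an all-AES archive leaks its file list; 7-Zip's "encrypt filenames" option is a feature of its own .7z container, not of the .zip format.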