Passwd protected mail file?

We have a client server based application that saves user-related data in a zip file and automatically installs passwd in a zip file. Just wondering if it can be considered safe. thanks N

+6
security
4 answers

The "classic" encryption for Zip files is considered weak. It is rapidly broken by known methods. See "A Known Plaintext Attack on the PKZIP Stream Cipher" for the original paper, by Biham and Kocher, from 1994. Yes, 16 years ago.

More recently, other exploits have been described. For example, the paper "Another Plaintext Attack on the ZIP Encryption Scheme (WinZIP)" says that a classic zip-encrypted file with three entries, created by WinZip, can be cracked in 2 hours on a "Pentium". This was based on a weakness in the random number generator of the then-current WinZip v9.0 tool. I am sure that it would be much faster now on modern processors, but at the same time I am sure that WinZip, now on v12.0, has fixed this problem in its random number generator. However, even without the exploit specific to WinZip v9, classic ZIP encryption remains weak.

This weak hacked zip encryption is also known as "ZIP 2.0 encryption" or "PKZIP encryption."

Many modern ZIP tools also support AES encryption of ZIP records. This is considered strong encryption and reasonably secure (** See Note). WinZip, XCeed and DotNetZip are three of these tools that support reading and writing zip files with this level of encryption. Among the three, DotNetZip is the only free option.

You did not mention the library that you use to programmatically create a zip file. If you use DotNetZip, creating a ZIP file with AES encryption in C# is just as easy:

    using Ionic.Zip;  // DotNetZip namespace

    using (var zip = new ZipFile())
    {
        // Set these before AddFile so they apply to the entry being added.
        zip.Encryption = EncryptionAlgorithm.WinZipAes128;
        zip.Password = "Very.Secret!";
        zip.AddFile("MySensitiveFile.doc");
        zip.Save("MyEncryptedArchive.zip");
    }

** Note: Yoshi published a paper entitled "Attacking and Repairing the WinZip Encryption Scheme" describing exploits of WinZip AES encryption, to claim that WinZip AES encryption is not secure. However, the exploits he described rely on social engineering or previous compromises, or both. For example, the main exploit described in the paper involves an attacker intercepting the encrypted zip file, changing it, sending the modified copy to its intended recipient, getting the recipient to try to decrypt it, and then getting the result of that encryption sent back to the attacker, who can then decrypt the original file. This so-called "exploit" includes numerous leaps of faith, built on the previous compromise of intercepted communication in both directions. No one has described any structural exploits of WinZip AES comparable to the exploits of ZIP classic encryption.

+13
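
An added example, not part of the answer above and not code from any of the tools it names: a Python check that tells classic "ZIP 2.0" entries from WinZip AES entries by reading each entry's central directory record. The function names and the sample archive are constructed for illustration; the sample's headers are only patched to carry the encryption markers, so its payload is not actually encrypted.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                 # WinZip AES extra-field header ID
AES_METHOD = 99                       # compression method value marking an AES entry
AES_BITS = {1: 128, 2: 192, 3: 256}   # strength byte -> key size in bits

def aes_strength(extra):
    """Walk the extra-field records and return the AES key size, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            return AES_BITS.get(body[4])   # version(2) vendor(2) strength(1) method(2)
        pos += 4 + size
    return None

def classify(zip_bytes):
    """Map each entry name to 'none', 'zipcrypto', 'aes-N' or 'aes-unknown'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:            # flag bit 0: entry is encrypted
                result[info.filename] = "none"
            elif info.compress_type == AES_METHOD:
                bits = aes_strength(info.extra)
                result[info.filename] = f"aes-{bits}" if bits else "aes-unknown"
            else:
                result[info.filename] = "zipcrypto"  # classic ZIP 2.0 / PKZIP scheme
    return result

def constructed_sample():
    """Constructed input: plain archive with central directory markers patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plain.txt", b"a")
        zf.writestr("classic.txt", b"b")
        aes = zipfile.ZipInfo("aes.txt")
        aes.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 1, 0)
        zf.writestr(aes, b"c")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")                   # first central directory header
    for flags, method in ((0, 0), (1, 0), (1, AES_METHOD)):
        struct.pack_into("<HH", data, pos + 8, flags, method)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)

if __name__ == "__main__": print(classify(constructed_sample()))
```

Any entry reported as `zipcrypto` uses the weak scheme the answer describes and is a candidate for re-packing with AES.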

Use 7zip, which has better password protection, and also check the option "encrypt filenames".

+2

What level? There are programs that can quickly crack password encryption in a zip file, so if it has to withstand any kind of effort, then no.

If it's just a matter of ensuring that someone with a password can open it, and to avoid random prying eyes, then maybe.

If you want to have some reasonable protection halfway, I would try to secure the data and then run it through the right encryption software like gpg.

0

You should ask yourself a couple of questions.

  • Where do you store zip files?
  • What permissions are associated with the zip file?
  • Is the password a strong password?

As a rule, it is a good habit to store user data in a folder that is located outside the website and not directly accessible. Password generators are also available and should be used.

0