4

A client says they can't accept password-protected PDFs to put in their payroll system, so I have to send them without security. I don't want to send unsecured PDFs via e-mail because e-mail is inherently insecure. I figured a good alternative was, instead of password-protecting each PDF, I could encrypt the containing folder with 7ZIP, which I got from https://www.7-zip.org/ You can see the encryption box at the bottom-right:

enter image description here

At first I was optimistic about this option, but a quick Google search led me to articles such as this one where apparently there are easy to find tools, such as 7z Cracker:

"7z Cracker is an opensource cracking tool which can extract any password protected 7zip file".

I also found this answer in this forum that talks about John The Ripper:

"John The Ripper can crack these AES-256 encrypted archives."

Does this mean that 7ZIP encryption is basically useless? Are these password crackers effective at circumventing this security measure? Secondly, are password-protected PDFs also this easy to break into?

Marquizzo
  • 1,907
  • 4
  • 9
  • 13
  • Related question from Cryptography [7zip : Why does encrypting the same file with AES-256 not give the same output?](https://crypto.stackexchange.com/q/77546/18298) and details about 7Zip. – kelalaka Oct 27 '20 at 09:51

4 Answers4

4

TL;DR: You are fine, generate a long password (60+ chars), send the file by mail and the password by SMS, fax, snail-mail or phone call.

Does this mean that 7ZIP encryption is basically useless?

Short answer: No.

Long answer: It depends on the password.

A password cracker just tries passwords over and over again, either by trying all words on a dictionary (a very large file filled with words), or by trying all possible combinations. Given enough time, every password can be broken. But sometimes the Universe itself won't exist long enough for that.

Are these password crackers effective at circumventing this security measure?

Yes, if your password is trivial, or if someone ever used it somewhere. Passwords must be unique. So generate a password, don't choose one. And while you are generating the password, create a 64-byte password and you don't need to worry for a couple thousand millennia.

But the password must be sent by another media. Sending a AES-CBC encrypted file with 120-byte password is useless if the password is the body of the email. So send the file by email, and the password by SMS, Signal message, fax, or any other media.

Secondly, are password-protected PDFs also this easy to break into?

If "easy" is just downloading a program and running it, yes, it's that easy. But if "easy" is actually breaking the password, it will depend entirely on the password. That 64-byte auto generated password is as close to impossible as it could be.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 4
    64char random password is pure overkill. A 20 char random password, being about 128bits of strength, would consume more energy than the sun will put out in its lifetime. This number is large enough that you start bumping up against information theory and thermodynamics. A 64char password would have 421bits of entropy, which is more than 256bit AES provides. – Bengie Oct 28 '20 at 01:06
  • You are right... But I like round numbers, and on my book, 64 is a round number and 20 isn't! – ThoriumBR Oct 28 '20 at 01:27
  • 1
    @ThoriumBR Well 32 is also a round number, right? :) – nobody Apr 23 '21 at 19:59
  • @nobody yep! 32 is round, as is 1024... but 20 and 1000 aren't. – ThoriumBR Apr 24 '21 at 21:45
3

7zip is secure since it uses AES-256 in CBC mode that can provide CPA security and there is no problem there. Keep in mind that CBC has no integrity and authentication. The real problem comes from the human side; the password!

7zip uses 219-times iterated SHA256 to derive the AES-256 key from passwords. SHA256 is not a memory-hard function and therefore this is not safe from massive parallelization. The collaborative power of Bitcoin miners can reach around 292 double SHA256 in a year. A single Nvidia RTX 390 can calculate 9502.7 MH/s... Therefore one needs a really good password mechanism to be secure from the password list/guess/search attacks.

  • A password with high entropy like generated from diceware is recommended XKCD.
  • Use a password manager like keepass that handles this for you.

Additionally; You need to transfer the password to the other party this means that you need a secure channel to do this. A signal program is a good candidate, or you can go for Diffie-Hellman Key Exchange (DHKE), better its Elliptic curve version (ECDH) to establish a key, and then use a key derivation function to derive a long password.

kelalaka
  • 5,409
  • 4
  • 24
  • 47
  • The “2^19-times iterated SHA-256” comparison with “2^92 double SHA25” was a bit confusing. Sounds like you’re not comparing apples to apples... which one is stronger? – Marquizzo Oct 27 '20 at 21:48
  • Bitcoin miners calculate SHA256(SHA256(d)) It is also written as SHA256d. So the 2^92 ( it is approx.) is 2 times 2^92 SHA256 calculations. With 2^19 iteration they can compute 2^75 SHA256 with 2^19 iterations. – kelalaka Oct 27 '20 at 21:51
  • Uh, it was typo, it is SHA256 not SHA25 there is no such thing. Sorry! – kelalaka Oct 27 '20 at 22:10
2

The information that you are seeing may be referring to known bugs that were reported in 2019 concerning weak random number generation, and a flaw in the way that the IV is generated, in versions of 7zip at that time:

https://threadreaderapp.com/thread/1087848040583626753.html

https://sourceforge.net/p/sevenzip/bugs/2176/

It seems that these bugs have been fixed in later versions of 7zip, so if you are using a current version of 7zip, then this no longer applies.

mti2935
  • 19,868
  • 2
  • 45
  • 64
1

Password crackers are basically programs that take a massive password list and bruteforce the zip file in hopes of getting a positive hit (right password).

Quick fix is to just set up a strong password that has a probability of not being in a password list (Recommended to use a random password generator with min. 20 characters, alphanumeric, upper and lower case, symbols and characters...etc).

There are of course other types of crackers where it generates all possible combinations from A to Z but that would take millions of years to crack.

EDIT: As for PDFs, I assume there's no vulnerabilities present that will enable a threat actor to decrypt the file. Follow the password protocol I mentioned above and you'll be fine. I'm not a professional in this so if anyone knows stuff about hacking/decrypting PDFs, please let me know, I'm curious.

Crashie
  • 23
  • 4