
I came across these articles which imply (to me) that 7-Zip's AES implementation is not good:

https://twitter.com/3lbios/status/1087848040583626753

https://threadreaderapp.com/thread/1087848040583626753.html

What are the mitigations to this?

  1. How can a user make 7-Zip files more secure?

  2. What's a better GUI way to create encrypted archives on Windows?

schroeder
get_going
  • Looks like it's certainly vulnerable to a known plaintext attack. This attack only applies if any of the contents of the archive are already in the possession of others. – multithr3at3d Jul 14 '19 at 13:48
  • General comment not about 7zip: The cryptography code of any software package that is not primarily about cryptography is not good. For example, a database server that does TLS, the TLS code (using openssl library) is probably not very good. The password storage is usually not good. The auth protocol is not good. For archiving software or document creation software, the password protection is usually not good. To get good security features, use software that only does the security/cryptography. – Z.T. Jul 14 '19 at 14:16
  • @kelalaka the predictable IV is only an issue when the attacker is having his plaintext encrypted and he wants to steal other encrypted text. In the vast majority of cases with 7-Zip this will be a non-issue as the person doing the encrypting is also providing the plaintext. – Swashbuckler Jul 15 '19 at 03:57
  • Edited to clarify how this question is different. The previous pages don't contain any solution or alternative. I am specifically asking for how to make 7-zip files more secure and/or another solution for secure encrypted archives. This will be helpful to others in future. Thanks. – get_going Jul 15 '19 at 12:24
  • The first link is directly applicable to your question. It says that the weak IV reported by the person you link to is not a problem. To answer your questions more directly, if the issue is in 7Zip code, then you cannot make it "more secure". Your second question is asking for a recommendation for a GUI-based windows file encryption program, which is off-topic here. – schroeder Jul 15 '19 at 12:37
  • @schroeder: Thanks. So doing something like increasing password length won't impact this? Regarding Q2, isn't it relevant if this affects other programs like winzip or if users have an alternative? Someone else in the future can find the pertinent info on the same page. – get_going Jul 15 '19 at 15:45
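As an added illustration of the point Swashbuckler's comment makes about predictable IVs (this is example code written for this page, not code from the question, from 7-Zip or from the linked thread): in CBC mode, encrypting two messages under the same key and the same fixed IV produces identical first ciphertext blocks exactly when the messages share their first 16 bytes. That is harmless if only the archive owner ever encrypts their own data, but it becomes a chosen-plaintext oracle the moment someone else can get data of their choosing encrypted under that key. The 16-byte block cipher below is an assumed toy Feistel permutation keyed with HMAC-SHA256, standing in for AES so the script runs on the standard library alone; the key and messages are constructed sample values.

```python
# Added example, not code from the question or from 7-Zip.
# Shows why a predictable (here: fixed) IV in CBC leaks first-block equality
# between messages encrypted under one key, and why a fresh random IV removes it.
# The block cipher is an assumed toy Feistel permutation (HMAC-SHA256 round
# function) used as a stand-in for AES so the script needs no third-party code.
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4
FIXED_IV = bytes(BLOCK)  # the "predictable IV" policy: the same IV for every message


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed PRF for Feistel round i, truncated to half a block (8 bytes).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on one 16-byte block (toy Feistel network, stand-in for AES)."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: undo the rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode: C_i = E(P_i XOR C_(i-1)) with C_0 = IV."""
    padded = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC mode: P_i = D(C_i) XOR C_(i-1) with C_0 = IV, then strip padding."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i : i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, block), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))


def random_iv() -> bytes:
    """The fix: a fresh unpredictable IV per message."""
    return os.urandom(BLOCK)


def first_blocks_collide(key: bytes, iv_a: bytes, pt_a: bytes, iv_b: bytes, pt_b: bytes) -> bool:
    """True when the two ciphertexts share their first block.
    With the same fixed IV for both messages this happens exactly when their first
    16 plaintext bytes are equal (E is a permutation), so anyone holding both
    ciphertexts learns that fact; with independent random IVs it is a 2^-128 event."""
    ca = cbc_encrypt(key, iv_a, pt_a)
    cb = cbc_encrypt(key, iv_b, pt_b)
    return ca[:BLOCK] == cb[:BLOCK]


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()[:16]   # constructed sample key
    owner_msg = b"2019 budget.xlsx: confidential payroll figures follow"   # constructed
    other_msg = b"2019 budget.xlsx: different content, same first 16 bytes"  # constructed
    print("fixed IV, same first block  ->", first_blocks_collide(key, FIXED_IV, owner_msg, FIXED_IV, other_msg))
    print("random IVs, same first block ->", first_blocks_collide(key, random_iv(), owner_msg, random_iv(), other_msg))
    iv = random_iv()
    assert cbc_decrypt(key, iv, cbc_encrypt(key, iv, owner_msg)) == owner_msg
```

The check to take away is the one in `first_blocks_collide`: a random IV per message is what makes two encryptions of related data indistinguishable, and that property only matters when an attacker can influence what gets encrypted under the key. Increasing the password length changes the key, not the IV policy, so it does not touch this particular issue.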

0 Answers