8

The web seems to be flooded by password removers. I'm however on the other side. I'm interested in security of my files.

If I have a WinRAR archive (> 1 Mbyte) and use a password (> 6 characters length with non-alphanumeric characters), how secure my archive will be?

Mastermind
  • 354
  • 3
  • 4
  • 9

3 Answers3

9

What I'm seeing (http://en.wikipedia.org/wiki/RAR) says that RAR3-format files use AES for the encryption algorithm. It's unclear to me on first glance if the RAR3 file format is published or if there are open source implementations of the decryption / uncompression algorithm. If the format isn't published / or there aren't free implementations of the decryption / uncompression algorithm I think I'd be pretty wary of the "security" since there's always the possibility that tricks like placing a known-plaintext into the header of every encrypted file, leaking bits of the key, etc could be at play.

The older RAR formats used a "proprietary encryption algorithm". You should always be VERY wary of programs that use "proprietary encryption algorithms". The phrase "proprietary encryption algorithm" is often code for "something knocked togther in a basement by a coder who doesn't really know much about cryptography", or more loosely as "has not been peer-reviewed".

Edit: I'm seeing what look to be free implementations of at least the uncompression portion of RAR3 (http://sourceforge.net/projects/java-unrar, for example). As long as the file format is out in the open it should be difficult for a large amount of your key's bits to be leaked by an untrustworthy implementation. Still, I'd feel better with something that's been peer reviewed or certified (FIPS, etc).

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Of course having the source open (but not certifed) means that someone might be able to crack any open source implementation. It's interesting that in the edit you mention untrustworthy implementations; if it's not certified how do you know what's trustworthy? I'm not too worried about open encryption specs, cipher specs are regularly published and reviewed. Publishing the implementation does. Proprietary encryption is just fine compared to a "open" cipher as long as it's been certified. Novell Groupwise is an example of a proprietary encryption that's US Dept. of Commerce certified. – Jim B Jul 20 '09 at 17:48
  • 3
    @JimB: I don't consider open source software inherently "more secure" than closed source, but I'd definitely like to have the option to look at source code (or pay someone else to). Ultimately, you have to draw a line somewhere re: trust (trojanized compilers, microprocessors, etc, could exist). I'd much rather have a peer-reviewed cipher than a non-peer-reviewed "certified" proprietary cipher any day of the week. I will also happily agree that a cipher implementation isn't necessarily correct only because it is based on an openly available spec. – Evan Anderson Jul 20 '09 at 18:44
3

As you have stated there are password crackers/removers out there. I would not trust my files to a password protected archive files. I would suggest some type of file level encryption like GnuPG or AES Crypt

Adam
  • 581
  • 3
  • 8
  • 2
    I agree. Use an archiver for your archiving needs, and use a well-tested encryption program for your encryption needs. – Geoff Fritz Jul 20 '09 at 16:17
0

If I remember correctly then using password on an archive doesnt necessary include encryption (it's a separate option).

Evan's answer is much more informative when it comes to the algoritm :)

pauska
  • 19,532
  • 4
  • 55
  • 75