Is it possible to gain access to a password-protected WinRAR file without brute-forcing it?

-2

My reasoning: password-protected WinRAR zip files are locally stored. Therefore, the password - or some key to cracking them - must be locally stored, too. It strikes me that it'd be much easier to find where that password or key is stored on the machine rather than brute-forcing it - a solution which, after more than 7 characters, becomes virtually impossible anyway. At best, the password is hidden somewhere in the registry. At worst, it's in the zip file itself and involves the use of a hex editor, which is still much more likely to be effective than attempting to crack the password manually.

Does anyone know whether this is possible at all? If it is, where and how can the password to WinRAR zip files be retrieved? If it isn't, why?

Hashim

Posted 2017-01-25T22:51:53.717

Reputation: 6 967

Without brute forcing it? Either find a flaw in the encryption itself (and probably score big on the various $$$ challenges/bounties) or enter the correct password. There's really no other way about it. – Michael Frank – 2017-01-26T01:02:54.857

Ahhh.....is this something you SHOULD be doing? What is your specific interest here? – mdpc – 2017-01-26T01:14:01.250

@MichaelFrank I think his root issue is conflating how authentication and encryption work and the role passwords play in each. – music2myear – 2017-01-26T16:38:35.323

Answers

4

Your assumptions are incorrect.

The password is, optimally, in the creator's mind or stored somewhere else away from the data (less optimal).

When you encrypt a file you create the password for that encryption and keep it to yourself or divulge it only to the intended recipient of that encrypted file if it is not meant for self-storage.

When you are decrypting a file, the program asks you for the password and cannot decrypt the file until you give it that password.

Just give a few moments' thought to this: If the password were locally stored, even as a hash, how secure would that encrypted file be? It would be silly to the point of stupidity to create a system like that, and it could not, in any way, be called secure.

UPDATE for comments 1

I'm guessing you're confusing authentication and encryption.

In authentication a hashed copy of the password is compared against a stored hash, and then the yes or no comes back to allow or disallow the login.

In encryption the password is more likely a key portion of a formula. We know WHERE in the formula that password goes, and we know the rest of the formula, but without the password the decryption process will not match the encrypted data and will fail.

In authentication, a strong password only lessens the chance that the password will be guessed or that the hash will be recognized and reversed through dictionary attacks.

In encryption, a strong password could actually improve the "quality" of the encryption upon the data.

Another thing: If encryption worked like authentication, then you wouldn't even need to find the password. The data would always be encrypted using the same formula, and your password would simply tell legitimate programs it was acceptable to decrypt or encrypt the data using a different piece of data, and THAT would be a key worth finding and therefore would very likely be found.

But in reality, because the password is actually PART of the encryption formula, knowing the password for one piece of encrypted information does not decrease the security of other information encrypted even using the same system.

music2myear

Posted 2017-01-25T22:51:53.717

Reputation: 34 957
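The distinction music2myear draws can be made concrete in code. The following is an added illustration, not code from this thread and not WinRAR's actual format: it assumes PBKDF2-HMAC-SHA256 as the password-stretching step and uses an HMAC-SHA256 counter-mode keystream as a toy stand-in for the AES cipher, so that it runs with the Python standard library alone. In the authentication half, a verifier derived from the password is written down and compared against; in the encryption half, the derived value is the key itself, it is never written down, and the only thing that can be checked is whether decrypting with a candidate key yields data that passes the integrity tag.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; a constructed value kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


# --- Authentication: a verifier derived from the password IS stored ----------

def store_login(password: str) -> dict:
    """Store what a login system keeps: a random salt and the password hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_login(record: dict, password: str) -> bool:
    """Hash the attempt with the stored salt and compare it to the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# --- Encryption: the password becomes the key; only ciphertext is stored -----

def _derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into 64 bytes and split into a cipher key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for AES, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> dict:
    """Return everything an 'archive' would hold on disk: salt, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt(password: str, blob: dict) -> bytes:
    """Re-derive the keys from the candidate password; a wrong one fails the tag check."""
    enc_key, mac_key = _derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or corrupted data")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def stored_material_contains_key(password: str, blob: dict) -> bool:
    """Check whether the password or either derived key appears anywhere in the stored blob."""
    enc_key, mac_key = _derive_keys(password, blob["salt"])
    stored = b"".join(blob.values())
    return any(x in stored for x in (password.encode(), enc_key, mac_key))


if __name__ == "__main__":
    record = store_login("constructed login password")
    print("login ok:", check_login(record, "constructed login password"))
    archive = encrypt("constructed archive passphrase", b"quarterly report")
    print("right password:", decrypt("constructed archive passphrase", archive))
    try:
        decrypt("wrong guess", archive)
    except ValueError as err:
        print("wrong password:", err)
    print("key on disk?", stored_material_contains_key("constructed archive passphrase", archive))
```

Two things the code makes visible that the prose only asserts. First, the "archive" contains nothing equal to the password or the derived key; the wrong password is detected only because the tag it produces does not match, not because anything stored was compared to the password. Second, each archive draws its own salt, so the same passphrase yields unrelated keys for two files, which is why recovering one archive's password says nothing about another. What remains possible in both designs is exactly what the question wanted to avoid: guessing candidates and running them through the same derivation, which the salt and iteration count exist to slow down.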

As per basic principles of computing, if a locally-stored file or directory is password-protected, it needs something to check user input against - i.e. the password in a correct form - to determine whether the user's inputted password is or is not correct. If it's a self-contained zip file, then it's likely that information will exist only in the code of the zip file itself. If it's not, then it must be stored online and retrieved, which is very, very unlikely; I doubt WinRAR stores passwords to every single ZIP file on its own servers. Yes, in an ideal world it would be "optimal"... – Hashim – 2017-01-26T00:39:54.503

...if it didn't work like that for security purposes - but chances are it doesn't, because the real world isn't ideal, and all security has some vulnerability somewhere. Your argument that it cannot be that way because it would be silly for security is a fallacy - if it has to be that way, there's no other choice. In this instance, I don't think it's all that crazy to expect it either - WinRAR password encryption is hardly considered the pinnacle of security, and needing to retrieve a password via a hex editor or the like in order to get access to one is a pretty high barrier to entry. – Hashim – 2017-01-26T00:40:34.307

Nope, nope, and nope. I suggest you study how encryption works, because that ain't it. Encryption is not the same as authentication, which is where you appear to be getting confused. When you log in to a computer, it checks a hash of your password against a stored hash. The hashing is so that the password cannot be reversed, though there is such a thing on some systems as a "pass the hash" attack. In encryption this doesn't happen. The password is a key that completes a formula. We know the rest of the formula and WHERE the key goes, but the data will not extract unless the RIGHT key is entered. – music2myear – 2017-01-26T00:47:53.667

One other thing, WinRAR is actually pretty close to the pinnacle of encrypted security. It uses AES 256 as its default encryption method, which is acceptable to the US government for securing information marked up to Secret. It could work for Top Secret too, if there were other controls upon the data and systems used. Don't assume so much. – music2myear – 2017-01-26T00:59:44.497