Is zip's encryption really bad?

24

3

The standard advice for many years regarding compression and encryption has been that the encryption strength of zip is bad.

Is this really the case in this day and age?

I read this article about WinZip (it has had the same bad reputation). According to that article the problem is removed provided you follow a few rules when choosing your password.

  1. At least 12 characters in length
  2. Be random not contain any dictionary, common words or names
  3. At least one Upper Case Character
  4. Have at least one Lower Case Character
  5. Have at least one Numeric Character
  6. Have at least one Special Character e.g. $,£,*,%,&,!

This would result in roughly 475,920,314,814,253,000,000,000 possible combinations to brute force

Please provide recent (say past five years) links to back up your information.

Nifle

Posted 2010-05-25T15:54:52.630

Reputation: 31 337

3How is this not constructive, @random? – Dan Dascalescu – 2014-07-17T05:10:04.713

Answers

29

The weakness of the old encryption was due to the weakness of the chosen encryption algorithm.

Nowadays one can use industry grade encryption via 'AES', which is used everywhere (and is under heavy attack but as it seems pretty hard to attack). As the site you cited stated: the weakest spot is in the passphrase and the rules you mentioned especially address that problem.

Theses rules do not apply to the passphrase for the old encryption, since that old encryption was very weak in itself, no matter if you choose a good password or not.

The statement of

the problem is removed provided you follow a few rules when choosing your password.

is not true, since the real solution to encrypt ZIP files securely is to choose a strong encryption algorithm AND a strong password. The strongest password is worth nothing if the encryption algorithm is weak.

Read also http://www.info-zip.org/FAQ.html#crypto and http://www.topbits.com/how-can-i-recover-a-zip-password.html

akira

Posted 2010-05-25T15:54:52.630

Reputation: 52 754

2Some good insights and links. But did you really answer my question? It's a bit unclear. – Nifle – 2010-05-25T16:51:30.453

i think it is: a) you can now choose a better encryption cypher (aes256 instead of pkzip-homebrew-whatever) and b) i stated that the problem was not removed by choosing a better passphrase but by picking a better cypher (see a)). – akira – 2010-05-25T20:16:40.500

3@Nifle, it did. Zip encryption was bad because the algorithm was rubbish. In newer versions of zip, you can now choose from more secure algorithm. As long as you select one of the secure algorithm, then the security is no worse than other similar product. Standard security issues like choice of passphrase and implementation aside. i.e. The weakest chain is no longer in the algorithm used. – KTC – 2010-05-26T16:21:04.147

There is another bit you neglected to mention, that AES is a block cipher, and can only encrypt fixed-length blocks of data. Thus, to encrypt longer files, fancy schemes have been developed to generate new keys for every block. Unfortunately, developers occasionally overlook this, and make their software encrypt every block with the same keys, see [https://en.wikipedia.org/wiki/Cipher-block_chaining] – Eroen – 2012-02-25T09:22:35.153

@Eroen: look at the question .. hows your comment related to that? – akira – 2012-02-25T11:46:42.650

@akira: It is not directly related to the question, but informs on a failing of the above answer. The Q. asks if X is bad in respect Y, the A. (among other things) incorrectly explains how to identify goodness in respect Y, my C. points out this incorrectness. – Eroen – 2012-02-25T12:00:04.693

@Eroen: so, what exactly are you saying / what exactly is your point? you "proved" that AES is bad? that some idiots can not implement it right? that AES is worse than pkzip's algorithm? – akira – 2012-02-25T12:23:33.137

You imply that the use of AES encryption means it will be difficult for somebody else to access your data afterwards (two first sentences). I wanted to point out that this has occasionally turned out to be incorrect and that applying AES to a file will not necessarily encrypt it securely, even with an epic passpoem. – Eroen – 2012-02-25T12:43:26.140

@Eroen: so you want to emphasize that a faulty implemented algorithm is not good at all? well done sir, well done. AES is industry standard not for the reason it could be implemented faulty. "securely is to choose a strong encryption algorithm AND a strong password" means just that: implemented and USED correctly. even when someone implemented pkzip-encryption correctly it would still be weak due to the weakness of the algorithm. and AES being a block-cipher does not change one tiny bit of truthiness. – akira – 2012-02-25T17:11:59.213

-3

Symmetric encryption is problematic. It's well and good to say, "Just use Waq3$f^t>p~6pWr as your password, and you're fine!" but you're leaving a huge door open to social engineering and user carelessness.

So I would say, hypothetically, assuming a first class password, you're okay using symmetric key encrypted zip programs that offer proven encryption algorithms, but in the real world the dependence on password strength is a huge weakness.

@Akira: I didn't say it was bad, I said it was problematic and it is. With public key (asymmetric) encryption, you have a constant level of security. If you have a 1024 bit key, your data is 1024 bit encrypted.

With symmetric key encryption you can have godlike security (1024 character password) or worthless security (1 character password), and you have no control over which you're going to end up with.

(Note: I didn't bother to talk about compromised keys because that effects both methods equally)

@Nifle: Agreed. Key exchange is the problem with public key crypto, but it's a much more reliable method. I tend to recommend against symmetric key encryption because it makes people think they're safe, when they may not be.

@Akira: Not sure what you're talking about, frankly. Just because private keys are often secured with a passphrase as an additional safeguard doesn't mean that symmetric/asymmetric encryption is "using symmetric keys for the real encryption." Asymmetric encryption uses two different keys: one for encryption, one for decryption. And calling higher bit encryption snake-oil is disingenuous at best: if that were the case then aes128 would be the same as aes256.

And comparing a one-time pad to any kind of machine crypto displays the worst sort of ignorance. They're secure because they're pure random noise of the kind that computers, by their very nature, are unable to produce. You're saying that, because one kind of symmetric key encryption is secure, then all kinds of symmetric key encryption are secure, which is an utter fallacy. And worse, you're holding the otp up against asymmetric encryption when they have the EXACT same key exchange problem!

Satanicpuppy

Posted 2010-05-25T15:54:52.630

Reputation: 6 169

1@satanicpuppy: the only problem with symetric encryption is the key-exchange. and thats exactly what asymetric encryption solves: the key-exchange. not the "symetric encryption is bad" part. – akira – 2010-05-25T17:15:18.397

Unfortunately exchanging public keys with co-workers and clients is a non-trivial task. So symmetric encryption is here to stay until Microsoft includes support for some PGP flavour natively (and per default) in Outlook. – Nifle – 2010-05-25T17:15:45.947

@satanicpuppy: gpg encrypts only the symetric keys via asymetric encryption, it uses the symetric keys for the real encryption. the best encryption you can get is a one-time-pad .. which is symetric encryption. so, do not fall into the trap of the oil-snake-high-bits-for-keys is in any ways safer than the currently used symetric cyphers as aes256 etc. the asymetric keys are normally secured by symetric encryption (passphrases) ... – akira – 2010-05-25T20:11:35.030

@Nifle: exactly. – akira – 2010-05-25T20:12:58.710

@satanicpuppy: "GnuPG is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version" – akira – 2010-05-26T14:22:00.657

@satanicpuppy: onetimepad: you said that symetric encryption is problematic. onetimepad uses symetric encryption. – akira – 2010-05-26T14:23:17.643

@satanicpuppy: if you read papers of crypto-researchers then you can see for what reason they tend to believe why, in case of "aes128 vs aes256", aes128 SEEMS to be more secure than aes256 .. which is why i brought up "high-bits-snake-oil". it is just not true that throwing a high number of bits into the security pool ads security PER SE. – akira – 2010-05-26T14:26:03.023

@satanicpuppy: i did not say that symetric encryption is secure per se, YOU stated that symetric encryption is problematic per default, which is not the case. and thats what i said. – akira – 2010-05-26T14:28:54.937

@satanicpuppy: and you should use the comment function if you want to comment. not your own answer. – akira – 2010-05-26T14:29:39.630

@satanicpuppy: read http://en.wikipedia.org/wiki/Hybrid_cryptosystem about how and why crypt-experts use the hybrid approach and why they do not think that "symetric encryption is problematic". the main problem, which asymetric encryption solved, is the key-exchange.

– akira – 2010-05-26T14:35:06.703

@satanicpuppy: and read http://www.gnupg.org/gph/en/manual.html#AEN210 as well.. just to quote a bit "Public-key ciphers are no panacea. Many symmetric ciphers are stronger from a security standpoint, and public-key encryption and decryption are more expensive than the corresponding operations in symmetric systems. Public-key ciphers are nevertheless an effective tool for distributing symmetric cipher keys, and that is how they are used in hybrid cipher systems."

– akira – 2010-05-26T14:37:56.417

@satanicpuppy: and http://www.slideshare.net/lovelace/openpgpgnupg-encryption page7 and onwards.

– akira – 2010-05-26T14:45:37.167

@akira: You're not even addressing what I'm talking about. Onetime pads are the definition of problematic: hand generated, hand transferred. Symmetric key encryption is problematic because the key generation is left in the hands of the enduser (when they choose their passphrase or whatever), and that is a massive problem. – Satanicpuppy – 2010-05-26T16:02:35.190

@akira: You can quote the gpg manual all you like, but that doesn't change the fact that the encryption is done via asymmetric keys. The symmetric part only applies to encrypting the private key for storage. If I locked my house with a key, and then stored the key in a combination box that was stored in a secure location, by your logic, my house would be locked with a combination lock. Encrypting the private key is in no way required for asymmetric key encryption. – Satanicpuppy – 2010-05-26T16:07:21.857

@satanicpuppy: you have obviously NOT read the links. it is common practice, to encrypt only the session key via asymetric encryption, the message itself is encrypted symetrical. – akira – 2010-05-26T16:18:50.033

@satanicpuppy: to take your metaphor: the key inside the box is secured by asymetric encryption. the key inside the box is a very large combination lock. so, yes, your house would be secured by a combination lock. because the real problem is not the gigantic lock for house or that it is a gigantic combination lock, the real problem is to transport the BOX to other people. – akira – 2010-05-26T16:30:35.030

@Akira: But that's not how asymmetric key crypto even WORKS! The private key is encrypted, but that is never shared! It's encrypted so that, if someone breaks into your machine, they have to do a little more work to get your private key. The public key is the shared key, and, since the public key cannot DECRYPT anything, it's not a problem. To go back to the house argument, there is a key that can unlock the door and there is a key that can lock the door. You protect the key that can UNLOCK it, but the key that LOCKS it, you leave on a hook right by the door. – Satanicpuppy – 2010-05-26T16:55:41.100

@Akira: That's why the key-sharing problem is solvable via public-key encryption, because it doesn't matter who can ENCRYPT traffic, but only in who can DECRYPT traffic. The same is NOT true for symmetric key encryption which is why its inherently a weaker system: since there is only one key, key transfer is extremely important, and that's the weakest part of the system. – Satanicpuppy – 2010-05-26T17:03:06.963

@satanicpuppy: your misconception is, that i did not understand how asymetric encryption (ae) works, which i do. the advantage of ae is, that it allows to exchange information without exchanging a key before beeing able to decrypt the encrypted message. and that by the cost of performance. it is as (practically) hard to brute-force an ae-key(pair) than to break a good se-key. in practice, every day, the plain-text you want to encrypt, is encrypted by a randomly created, symetric session key, and that key is encrypted by ae (the public keys of the receivers). that is a fact. – akira – 2010-05-26T17:47:02.070

@satanicpuppy: regarding the house metaphor: i didnt claim, that this is how ae works. i described how the whole gpg/pgp package works. ae guards the lock to the house, not the house. once you get that into your head, you will understand what i am talking about. – akira – 2010-05-26T17:52:32.337

@satanicpuppy: http://www.encryptionanddecryption.com/algorithms/encryption_algorithms.html#difference "Asymmetric encryption algorithms (also known as public-key algorithms) need at least a 3,000-bit key to achieve the same level of security of a 128-bit symmetric algorithm"

– akira – 2010-05-26T18:01:27.667

@Akira: What's your point? Do you HAVE a point? The only thing I've said is that there are problems with symmetric key encryption, which you've never refuted, despite all the tangents you keep jumping on to. If you actually have a meaningful point, by all means, continue. – Satanicpuppy – 2010-05-26T18:15:07.057

@satanicpuppy: "Symmetric encryption is problematic", that is the point. you describe asymetric encryption as the silver bullet, which it is not. you have social engineering and user carelessness with ae as well. again, the "problematic aspect" is not the symetric cypher (given that you pick a strong one), it is the key exchange. the next point is, that you HAVE control over the length of the used passphrase/key in winzip (which was the question about). and if you decide to choose a good password, then you will have good security, ESPECIALLY with symetric encryption. and that is the point. – akira – 2010-05-26T18:35:38.250

@Akira: Okay,. My point is that user-generated passphrases are weaker and less reliable then pre-generated keys, and I think that, even if you stipulate a length, the social engineering angle is going to be much more prevalent (people tend to write down long keys). Also, I think that the potential for weak passwords builds a false sense of security (i.e.the data are encrypted, but the password is vulnerable to a weak dictionary attack). In a nutshell: users don't have as much input in asymmetric systems, and I think that's a good thing. – Satanicpuppy – 2010-05-26T19:00:42.220

@Nifle, @satanicpuppy, @akira: download a lot of episodes of http://www.grc.com/securitynow.htm , kick back and relax while you listen to them, then have this argument again :)

– RCIX – 2010-05-29T09:37:00.943

@RCIX: "Well, and of course we also have virtually unbreakable cryptography with a symmetric block cipher, where we use a long key, like maybe 256 bits." (http://www.grc.com/sn/sn-034.txt). i do not see how that adds anything new to the discussion.

– akira – 2010-11-06T12:35:24.027

@RCIX: "In fact, it takes so long that the asymmetric ciphers, the so-called “public key ciphers,” are not used to encrypt messages. They’re used to encrypt keys." – akira – 2010-11-06T12:50:08.320