Wednesday, 23 January 2008

WinZip Encryption Password Security

Recently I have received several emails asking about WinZip encryption, and specifically whether it is good enough for business use, especially in light of the current climate of data breaches in the UK, where serious breaches involving public information are announced almost weekly. So can WinZip do the job of encrypting sensitive data held on disks posted through the public postal system? Well, the answer is yes, but only if it is used properly…

With WinZip encryption, it is important to understand that older versions of WinZip, pre-version 9, use their own proprietary encryption, which is simply broken. Essentially, data archived with WinZip version 8 or below using “WinZip Encryption” can very easily be recovered, whatever the strength of the password. WinZip version 9 and above has the option to use an industry-strength, NIST-approved encryption algorithm, namely AES (Advanced Encryption Standard). The application provides a choice of several strengths (key bit length; the longer the stronger): AES-128, AES-192 and AES-256. You may as well pick the strongest, AES-256, although AES-128 is currently strong enough to do the job to industry best practice and standards.

The weakness in using WinZip AES encryption is that it uses “symmetric” encryption, which means a single secret password is used both to encrypt and to decrypt the Zip archive. Therefore the complexity and strength of the password is “the” protection and the weak point, as the bad guys have unlimited attempts at guessing password combinations to decrypt the WinZip archive. One of the password-breaking attacks these bad guys use is a dictionary attack, which, as it sounds, tries regular words found in the dictionary as well as commonly used passwords; usually the cracker (the bad guy) has his own database of commonly used and known passwords, so passwords like “Pa55word” are extremely weak and just don’t cut it.

Another attack used to crack WinZip passwords is a “brute force” attack; this attack tries every single combination of characters possible, e.g. aaaa to zzzz. I carried out some testing for this post on my home PC: I was able to crack a 6-character password of completely random upper case, lower case and numeric characters in 1 hour 15 minutes (see image below). Every extra character in the password multiplies the time it takes to brute force, so when I tried to brute force a 7-character password it took several days, and I think it would take a couple of months to crack an 8-character password on my not-so-powerful home computer. So I would say 8-character passwords just aren’t strong enough for WinZip AES password encryption.

The main factor to consider with the brute force attack is the processing power (the speed) of the computer trying the combinations. The bad guys can increase their processing power by networking several computers and using them in tandem to reduce the time needed to find the password. I previously posted about using a PS3 to brute force passwords, as a PS3’s multi-threaded type of processor (the kind now used by the new generation of PCs) can try several combinations at the same time and is therefore very efficient for brute force attacks.

There is another class of attack which targets the AES encryption algorithm itself; however, AES is so strong at these key lengths that such attacks aren’t a viable option against business security at the moment, and there certainly aren’t any known issues with AES, which is used and approved by leading banks and the military, so I’m not going to go into further detail within this post.

So with WinZip AES encryption the password strength is the key aspect of the security of the encryption; therefore my own suggestion is that the following password rules provide a business level of strong encryption (Are you reading this HMRC?)

The WinZip password should be…

1. At least 12 characters in length
2. Be random and not contain any dictionary words, common words or names
3. At least one Upper Case Character
4. Have at least one Lower Case Character
5. Have at least one Numeric Character
6. Have at least one Special Character e.g. $,£,*,%,&,!

There is nothing black and white or written down about this; this is my own suggestion and recommendation (in the year 2008). If you are struggling to create these sorts of complex passwords, I suggest you check out password generation applications, or look at online sites like GRC.com, which has a free online random password generator that does an excellent job of generating strong random passwords.

Most significantly, introducing at least one “special character” into the password makes it extremely difficult to brute force; usually the bad guys don’t even try brute forcing with special characters, as it takes an impossibly long time to try all the combinations inclusive of special characters. So if I added special characters to my 6-character password, the time it takes to successfully brute force increases 12-fold, and the longer the password using special characters, the greater the factor of increase.

To give an idea of the numbers we are talking about, using the rules I listed as a minimum, we are talking roughly 475,920,314,814,253,000,000,000 possible combinations to brute force, which equates to around 13,851,104,153,269 hours of processing time on a regular PC. But don’t forget that multiple PCs and more powerful machines can be used to conduct a brute force attack, so divide the processing time by the number (and relative power) of the machines used; even so, with these sorts of numbers I think it’s more than strong enough protection. You might be thinking I’m going a little too far with a 12-character password as a minimum standard; I do tend to lean on the side of caution, so perhaps you are right, and like I said it’s your call. So here are the numbers for a random 10-character password of alphabetic, numeric and special characters for comparison: 53,861,511,409,490,000,000 combinations, which equates to 17,179,869,184 hours of processing time. 10 characters without special characters is 839,299,365,868,340,000 combinations, taking 24,426,825 hours, so you can see the multiplying effect of using special characters in the password.
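The keyspace arithmetic behind these figures, together with a checker for the six password rules above, as an added example (not code from the original post). The post's combination counts correspond to 94 printable characters when special characters are included (the 95 printable ASCII characters minus the space) and 62 otherwise; the guessing rate of 34,360,000,000 per hour is an assumption chosen so that the computed hours come out close to the post's figures, and the small wordlist is a constructed stand-in for a cracker's dictionary.

```python
import string

# Character sets used for the keyspace arithmetic. The post's figures match
# 94 characters with specials (95 printable ASCII minus the space) and 62 without.
ALNUM = string.ascii_letters + string.digits        # 62 characters
ALNUM_SPECIAL = ALNUM + string.punctuation          # 62 + 32 = 94 characters

# Assumed guessing rate of the post's 2008-era "regular PC", chosen so that the
# worst-case hours below reproduce the post's figures (roughly 9.5 million/s).
GUESSES_PER_HOUR = 34_360_000_000

# Constructed stand-in for a cracker's dictionary of common passwords.
COMMON_WORDS = {"password", "pa55word", "letmein", "qwerty", "welcome"}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    return charset_size ** length


def brute_force_hours(length: int, charset_size: int,
                      guesses_per_hour: int = GUESSES_PER_HOUR) -> float:
    """Worst-case hours to exhaust the keyspace at the assumed guessing rate."""
    return keyspace(length, charset_size) / guesses_per_hour


def special_char_factor(length: int) -> float:
    """How many times larger the search becomes once special characters are allowed."""
    return keyspace(length, len(ALNUM_SPECIAL)) / keyspace(length, len(ALNUM))


def policy_failures(password: str) -> list[str]:
    """Names of the post's six rules that the password does not meet (empty if it passes)."""
    failures = []
    if len(password) < 12:
        failures.append("length")
    if any(word in password.lower() for word in COMMON_WORDS):
        failures.append("dictionary")
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("special")
    return failures


if __name__ == "__main__":
    cases = ((6, ALNUM), (10, ALNUM), (10, ALNUM_SPECIAL), (12, ALNUM_SPECIAL))
    for length, charset in cases:
        n = len(charset)
        print(f"{length} chars from {n}: {keyspace(length, n):,} candidates, "
              f"{brute_force_hours(length, n):,.0f} hours worst case")
    print(f"special-character factor at 6 chars: {special_char_factor(6):.1f}x")
    for pw in ("Pa55word", "k7$Qz!w9Lm2@"):   # constructed sample passwords
        print(pw, "->", policy_failures(pw) or "meets all six rules")
```

The factor at 6 characters comes out at about 12, matching the post's "12-fold", and the 10- and 12-character figures land within a fraction of a percent of the post's hour counts under the assumed rate. The dictionary check is deliberately a substring match: a password that embeds a common word gains far less from its extra characters than the raw keyspace suggests.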

Of course these sorts of long, complex passwords require good password management and decent business processes in place; it’s no good using a decent-length complex password and writing it down on the disk you send!

Finally, there is one more issue to consider with WinZip: even without knowing the password, you are able to browse an AES-encrypted WinZip archive and read the file names, so it may be a good idea to Zip the files into a single zip file to hide the file names, and then Zip that again with AES encryption.

So WinZip encryption can be used to protect sensitive information in transit, but given a choice of options, my personal preference would be to use a product like PGP (or the free version, GnuPG), which uses asymmetric encryption; this takes the sting out of password management while providing better end-to-end guarantees. I can post specifically about PGP and asymmetric encryption if asked (please post in the comments). Oh, and if you found this post useful, please post a positive comment, as it will encourage me to post further “how-to” posts.

58 comments:

Anonymous said...

Are you aware of SecureZIP for Windows? Created by the folks that originated the ZIP format, it supports both passphrase and digital certificate based encryption. Moreover, passphrase complexity controls are configurable. In the enterprise setting, configurations can be locked down and enforced.

See www.pkware.com, and to download a free copy for non-commercial use, see www.securezip.com....

Dave Whitelegg CISSP said...

Thanks for mentioning SecureZip, it certainly does have better security options than WinZip, http://www.pkware.com/index.php?option=com_content&task=view&id=240&Itemid=321 and is definitely Recommended.

Anonymous said...

What is your opinion on securing payroll data for transport across the internet using WinZip AES encryption?

Dave Whitelegg CISSP said...

Using WinZip with AES encryption is good enough to secure payroll data in public transit, but only if a complex, decent-length password is used, as stated in the main post above. AES is an industry-wide approved encryption algorithm; the problem with using WinZip encryption is the password strength, which is its weakness.

However, if I was responsible for the security of transferring payroll data from Point A to Point B, I would recommend purchasing an application like PGP (less than £50 a license), which can eliminate the password management issues and enforce a secure end-to-end encryption process, which is less reliant on the user following written process procedures correctly. User mistakes are a big cause of most data breaches; where possible you don't want to rely on a person doing something the right way if technology (software) can handle the important security aspects instead, especially if the cost of doing so is low.

Anonymous said...

WinRAR can encrypt file names in RAR files, and also uses AES

Brian said...

Thanks for the post Dave. It was very interesting to read and definitely gave me some insight into WinZip and AES.

Would definitely be interested in a blog about PGP (or equivalent) usage and what the benefits are.
Thanks

Anonymous said...

Very useful post.
To sum up the problem - even if you use AES you are allowing humans to create the passwords and without training (outside your organisation as well as inside) humans are not good at creating passwords.

Anonymous said...

Very useful post.

It really helped me to do the proper thing to have a better level of confidence using those kinds of tools.

Thanks a lot,

Anonymous said...

thanks dave .. very useful

Anonymous said...

Thank your very much for an easily understandable post.

Anonymous said...

Really interesting and good post. WinRAR uses 128-bit AES encryption, so WinZip is better. There is a free compressor (7-Zip) that uses AES-256.
Anyway, I always use PGP with at least a 32-character password, full of lower/uppercase, numbers and lots of special keys. It's a bit uncomfortable to remember and takes a long time to type; I hope it's secure.
I'm very interested in Dave's PGP experience.

P.C. - Italy

Anonymous said...

If you look near the bottom of the page in the WinZip help file (about encryption) you'll see this:
Note that, if you are using 256-bit AES encryption, the fact that HMAC-SHA-1 produces a 160-bit result means that regardless of the password that you specify, the search space for the encryption key is unlikely to reach the theoretical 256-bit maximum, and cannot be guaranteed to exceed 160 bits. This is discussed in section B.1.1 of the RFC 2898 document.

Noel said...

Dave, would it be possible to know which password cracker you used in the Winzip test? Looks an interesting tool from the screenshot

Dave Whitelegg CISSP said...

Hi Noel, Google "winzip password recovery"

Anonymous said...

Dave - good Blog re ZIP compression and encryption etc. Your tip using GRC's unique key generator is spot on and I have already started using it.

I am facing the challenge of securing media on an FTP server that needs to be accessible, but with a password that would not be that hard to brute force.

One thought, you encrypt a file to send or leave on an FTP, how do you tell the recipient what the key is?

You have to send that in the clear I presume, especially if it is multi digit with complexity, rather than a pass phrase which is easy to brute force.

One thought, have a file that both sender and recipient have on their systems, a photo, text file, wav etc, anything innocuous and tell the recipient of your encrypted file that the key is the MD5 checksum of such and such a picture, bingo you have a 32 character near random key which does not have to be transported. Use Hashcalc ( win 32,it is free ), verify that you have the same result by confirming that last 4 digits.

Yes I know this is not a perfect solution, but probably a start, and would make a file practicably unfeasible to brute force.

Keep up the good work. iweua

Anonymous said...

Straight-forward, clear, article and comments - Thanks

Anonymous said...

Answered all of my concerns and provided some great tips. Thanks.

jgoetzin said...

you cannot hide the filenames within a winzip archive, they are always visible,

regards

Jean

Tomislav said...

Thanks for a very useful post! This is exactly what I needed! However, I must add here that in some cases (such as mine right now) WinZip showing the archive contents is actually a great advantage over (for example) PGP, since I need my client to see the contents but not be able to open them. If you have any other suggestions than WinZip on how to do that (in a more secure way), please share...


Tomislav

Anonymous said...

You mention to get around Winzip not encrypting file names, to zip and zip it again with encryption. I don't understand how to do that. How do you zip a zip? There are no options in Winzip to do that.

Dave Whitelegg CISSP said...

It's not ideal but if your file names are sensitive...You could either create a self executing ".exe" zip file first and then zip it OR rename the file extension of the zip file from .zip to something else, which will allow WinZip to rezip and encrypt.

"Finally there is one final issue to consider with WinZip, is that even without knowing the password, you are able to browse the AES encrypted WinZip archive and read the file names, so it may be a good idea to Zip the file to a single zip file to hide the file names, and then Zip it again with AES encryption."

Anonymous said...

SecureZIP includes an option to encrypt file names along with the data.

Bill said...

I know another software can recover lost or forgotten passwords for encrypted ZIP archives. It's Zip Password Tool. It accepts Zip-archives created using WinZip, PKZip, WinRAR or any other ZIP-compatible software.

Anonymous said...

When the encrypted file is a DOC or TXT file, Windows XP leaves a plaintext version of the file in:
C:\Documents and Settings\User Name\Local Settings\Temp
This clearly makes a nonsense of trying to protect sensitive data.
Do you know of a way to prevent Windows from performing this action?

Anonymous said...

Thank you for the interesting article.
One critical security issue in any specific encryption package is the quality of algorithm implementation.
If a bug is introduced by the software package developer, the vendor can claim "AES encryption" and "super-duper random number generators" and "512 bit hashing algorithms" and "128-bit password enforcement policy" but the results are still as secured as plain text.
And since both WinZip and WinRAR are closed systems, to assess the quality of implementation will require a careful and lengthy analysis of input vectors vs resulting output. I wonder if this has been done.

Anonymous said...

Thanks for this thought provoking and helpful article.

Anonymous said...

I have always used patterns to created long, strong, but easy passwords.
For instance, type every key above the key.
q = q1
a = aq1
b = bgt5

Pick a short word and enter it two times. One time as-is the other holding the shift key.

The word fish becomes the password: fr4i8sw2hy6FR$I*SW@HY^

Very strong, very easy, and you can write it (fish) down with compromising security.

Anonymous said...

For working with zip files I advise the "use-corrupt zip files" tool; it is free as far as I know, and it is compatible with all the Windows family: Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, Windows XP SP2, Windows 2003 and Windows Vista. It will open your file with the *.zip extension or an SFX self-extracting archive and analyze the compressed documents. It can work on old PCs, but the recovery time will be much longer when compared with more powerful PCs, because apart from file size the recovery process depends on CPU performance.

Cosect said...

I'm using discryptor.net to encrypt my data. It is user-friendly and really fast.

Anonymous said...

Thanks, that was very useful info about the filenames being revealed in a zip. Have to resort to a zip within a folder within a zip.

Dave Whitelegg said...

Thanks for all the comments, I think it's time to follow up on this post, as there are many alternative products which can make life a lot easier. I was only speaking with the folks at SecureZip/pkware last week, who say they have a product which is free for personal "home" usage - SecureZip express.

My Family said...

I have been doing a lot of research on compression and encryption apps. There are a lot of zip utilities such as SecureZip and PKWARE, but your write-up has explained a lot and I have a better understanding of what I'm looking for. However, I am interested in a specific zip application that you may be able to give me your thoughts on. The application name is AxCrypt. It is a free application but has some neat features, such as a file shredder and a rename file feature. The downside is that it's only AES-128. Thanks

Anonymous said...

An observation about using brute force to break an encryption scheme....

It's commonplace to discuss how long it would take a 'standard' PC to perform such a task.

However, be aware that a well-resourced agency wouldn't use a PC, not even a fast one, and not even many PCs working in tandem... They will use a hardware engine, probably a configurable one built of FPGAs. This is effectively a hardware implementation of any part of the search algorithm; it's not difficult to do, and once you're skilled in the art, it's hardly more difficult to 'program' the hardware than it is to write the same function in software.

This can easily run one thousand times faster than the equivalent software program on a PC, and THEN they still have the option to scale up in parallel - it's only a matter of funds and whether you're worth their while allocating machine time to you.

So, if your potential enemy is in this league, you really need to add 3 or 4 zeros onto the number of hours you want your defences to last.

MANINTHEMOON

Romphotog said...

"I was able to crack a 6 digit password of completely random upper case, lower case and numeric values in 1 hour 15 minutes"

Congrats! However, is that because you KNEW the pw to be 6 digits? What if you don't know the length of the pw? You have to start at 1 and go up to say 16. Using English alpha lower & upper case and numbers that is 62^16. Furthermore, I could use symbols, Arabic, Chinese, Cyrillic, etc. characters. No way could you hack even a 6 digit pw in less than a year.

Anonymous said...

Like - v useful

Anonymous said...

Many thanks, really useful.
Ivano

Anonymous said...

Brilliant - Has helped me identify solutions for my organisation in ensuring data privacy and security both internally and externally when dealing with information classified as restricted.

Anonymous said...

Great article, really useful as I am contemplating cheaper alternatives to our currently underused Tumbleweed solution; this really helps.

David Ritchson said...

I had a problem with my files and gladly I was able to fix them. Thanks for the input of this helpful article. binary options trading

RICHARDSD said...

I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Thanks for sharing. Keep up the good work!

Security cameras Colorado

Truckload Shipment said...

If you have important security requirements for your data, you should use WinZip's AES encryption. AES is the Advanced Encryption Standard, which is the result of a three-year competition.

Ads dating said...

This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging.

Anonymous said...

Thank you for this very insightful article.

ayumi said...

wonderful work! the way you discuss the subject i'm very impressed. i'll bookmark this webpage and be back more often to see more updates from you.

ayumi
www.brfe.net

Anonymous said...

Pretty nice post. I just stumbled upon your weblog
and wished to say that I have really enjoyed surfing around your blog posts.
After all I will be subscribing to your feed and I hope
you write again soon!

My page; Grigory Berezkin ()

Anonymous said...

Its such as you read my mind! You seem to understand
so much approximately this, such as you wrote the e book in it or something.
I feel that you simply can do with a few p.c. to power the message house
a bit, however instead of that, this is fantastic blog. An excellent read.
I'll definitely be back.

Here is my webpage Gregory Berezkin

aminos lahragui said...

Thanks, that was very useful info about the filenames being revealed in a zip. Have to resort to a zip within a folder within a zip.

my website :فوائد الزنجبيل

Mz nasir said...

Is it accurate to say that you are mindful of SecureZIP for Windows? Made by the people that began the ZIP form, it backs both passphrase and computerized authentication based encryption. Besides, passphrase multifaceted nature controls are configurable. In the endeavor setting, arrangements can be secured and authorized. Latest bridal fashion

jamshad hashmi said...

I simply wish to give you a big thumbs up for your
great information you have got right here on this
post. I will be coming back to your web site for more soon


and i have a napk

crack software said...


and i have a napk

Hafiz Shakeel said...

salute you man for this favor thanks man keep it up all done in favorable condition.
driver toolkit crack
tally erp 9 crack

aziz ur rehman said...

thanks for sharing this security tactic.
Final Cut x Pro Crack

atifa bushra said...

nice blogger good work keep it up....

softwarekeysale said...

nice post admin...thanks for sharing
Windows 7 Activator

Trends Vid said...

how i secure me site same like this WhatsApp Plus Apk Crack.

Maria Meer said...

I appreciate you for sharing That type of material.
We are a group of volunteers and opening a new scheme in our community.
Your site offered us with valuable info to work on.
You have done an impressive job and our whole community will be grateful to you for your great work on this site.
I’m sending it to my several friends. Thanks Man please Keep it Up.


Softhands

Maria Meer said...

Hello Man! You doing great Job at this web.
Outstanding post, however, I was wondering if you could write a little more on this topic?
I’d be very grateful if you could elaborate a little bit further. My Name is Maria Meer
Thank you!

If you want to read and also can publish your article that you want than visit "Articles Points" Thanks!

Ahsan Awan said...

hey this is best post admin