Recently I have received several emails asking about WinZip encryption, and specifically, whether it is good enough for business use, especially in light of the current climate of data breaches in the UK, where serious data breaches involving public information are announced almost on a weekly basis. So can WinZip do the job to encrypt sensitive data held on disks posted through public postal systems? Well, the answer is Yes, but only if used properly…
With WinZip encryption, it is important to understand that older versions of WinZip, pre-version 9, use their own proprietary encryption, which is simply broken. Essentially, data archived with WinZip version 8 or below using “WinZip Encryption” can very easily be recovered, whatever the strength of the password. WinZip version 9 and above has the option to use an industry-strength, NIST-approved encryption algorithm, namely AES (Advanced Encryption Standard). The application provides a choice of several strengths (bit length – the longer the stronger): AES-128, AES-192 and AES-256. You may as well pick the strongest, AES-256, although AES-128 is currently strong enough to do the job to industry best practice and standards.
The weakness in using WinZip AES encryption is that it uses “Symmetric” encryption, which means a single private password is used to both encrypt and decrypt the Zip archive. The complexity and strength of the password is therefore both “the” protection and the weak point, as the bad guys have unlimited attempts at guessing and trying password combinations to decrypt the WinZip archive. One of the password breaking attacks these bad guys use is a dictionary attack, which, as it sounds, tries regular words found in the dictionary as well as commonly used passwords. Usually the cracker (the bad guy) has his own specific database of commonly used and known passwords, so passwords like “Pa55word” are extremely weak and just don’t cut it.
Another attack to crack WinZip passwords is a “Brute Force” attack; this attack tries every single combination of characters possible, e.g. aaaa to zzzz. I carried out some testing for this post on my home PC, and I was able to crack a 6 digit password of completely random upper case, lower case and numeric values in 1 hour 15 minutes (see image below). Each extra digit in the password increases the time it takes to brute force, so when I tried to brute force a 7 digit password it took several days, and I think it would take a couple of months to crack an 8 digit password on my not so powerful home computer. So I would say 8 character passwords just aren’t strong enough for WinZip AES password encryption.
The main factor to consider with the brute force attack is the processing power (the speed) of the computer trying the combinations. The bad guys can increase their processing power by networking several computers and using them in tandem to reduce the time to find the password. I previously posted about using a PS3 to brute force passwords, as a PS3’s multi-thread type processor (which is used by the new generation of PCs) can try several combinations at the same time and therefore be very efficient for brute force attacks.
There is another attack which could be used, one which attacks the AES encryption algorithm itself. However, AES is so powerful at these sorts of bit lengths that these sorts of attacks aren’t really a viable option for business security at the moment, and there certainly aren’t any known issues with AES, which is used and approved by leading banks and the military, therefore I’m not going to go into further detail within this post.
So with WinZip AES encryption, the password strength is the key aspect to the security of the encryption. My own suggestion is that the following password rules provide a business level of strong encryption (Are you reading this HMRC?)
The WinZip password should…
1. Be at least 12 characters in length
2. Be random and not contain any dictionary words, common words or names
3. Have at least one Upper Case Character
4. Have at least one Lower Case Character
5. Have at least one Numeric Character
6. Have at least one Special Character e.g. $, £, *, %, &, !
There is nothing black and white or anything written down about this; this is my own suggestion and recommendation (in the year 2008). If you are struggling to create these sorts of complex passwords, I suggest you check out password generation applications or look at online sites like GRC.com, which has a free online random password generator that does an excellent job of generating good strength random passwords.
Most significantly, introducing at least one “special character” makes the password extremely difficult to brute force. Usually the bad guys don’t even try brute forcing with special characters, as it takes an impossibly long time to try all the combinations inclusive of special characters. So if I added special characters to my 6 digit password, the time it takes to successfully brute force it increases 12 fold; the longer the password using special characters, the greater the factor of increase.
To give an idea of the numbers we are talking about: using the rules I listed as a minimum, there are roughly 475,920,314,814,253,000,000,000 possible combinations to brute force, which equates to around 13,851,104,153,269 hours of processing time on a regular PC. But don’t forget you can use multiple PCs and more powerful machines to conduct a brute force attack, so just divide the processing time by their number/power; however, with these sorts of numbers I think it’s more than strong enough protection. You might be thinking I’m going a little too far with a 12 character password as a minimum standard. I do tend to lean on the side of caution, so perhaps you are right; like I said, it’s your call. So here are the numbers for comparison: a random 10 character password of alpha, numeric and special characters has 53,861,511,409,490,000,000 combinations, which equates to 17,179,869,184 hours of processing time, while 10 characters without special characters is 839,299,365,868,340,000 combinations taking 24,426,825 hours, so you can see the factor effect of using special characters in the password.
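The password rules and the combination counts above can be put into code. This is an added example, not part of the original post: it generates a password meeting rules 1 and 3 to 6 from the operating system's secure random source and recomputes the keyspace sizes. The function names are hypothetical, and it assumes "special characters" means the 32 ASCII punctuation symbols, which gives the 94-symbol alphabet that matches the quoted counts.

```python
import math
import secrets
import string

# The four character classes in the rules above. ASCII punctuation (32 symbols)
# is an assumed stand-in for "special characters": 26 + 26 + 10 + 32 = 94,
# the alphabet size that reproduces the combination counts quoted in the post.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Keyspace expressed in bits, for comparison with an AES key length."""
    return length * math.log2(alphabet_size)


def meets_rules(password):
    """Rules 1 and 3-6; rule 2 (randomness) is a property of the generator."""
    return len(password) >= MIN_LENGTH and all(
        any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=MIN_LENGTH):
    """Draw uniformly from the OS CSPRNG until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rules(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    print(f"{keyspace(94, 12):,} combinations, {entropy_bits(94, 12):.1f} bits")
    print(f"6 characters, 94 vs 62 symbols: x{keyspace(94, 6) / keyspace(62, 6):.1f}")
```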
Of course, these sorts of complex length passwords require good password management and decent business processes in place; it’s no good using a decent length complex password and writing it down on the disk you send!
Finally, there is one last issue to consider with WinZip: even without knowing the password, you are able to browse the AES encrypted WinZip archive and read the file names. So it may be a good idea to Zip the files into a single Zip file to hide the file names, and then Zip that again with AES encryption.
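A check a sender can run before posting a disk, as an added example that is not part of the original post: it reads the archive's central directory, which WinZip AES leaves in the clear, and reports every file name an outsider can see together with whether the entry is WinZip AES or something else. The function names are hypothetical, and the sample archive is constructed (directory records only, no file data).

```python
import struct

CDH = struct.Struct("<4s6H3I5H2I")   # central directory file header (46 bytes)
EOCD = struct.Struct("<4s4H2IH")     # end of central directory record (22 bytes)
AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte in WinZip's 0x9901 extra field
AES256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # constructed extra field

def scheme(flags, method, extra):
    """Classify an entry from its directory record alone."""
    if not flags & 0x1:                      # bit 0 clear: entry is not encrypted
        return "unencrypted"
    if method != 99:                         # 99 marks a WinZip AES entry
        return "encrypted, not WinZip AES"
    while len(extra) >= 4:                   # walk the (tag, size, data) fields
        tag, size = struct.unpack_from("<HH", extra)
        if tag == 0x9901 and size >= 7 and len(extra) >= 11:
            return f"AES-{AES_BITS.get(extra[8], '?')}"
        extra = extra[4 + size:]
    return "AES-?"

def visible_entries(data):
    """Return [(name, scheme)] for every entry, read without any password."""
    end = data.rfind(b"PK\x05\x06")
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    *_, total, _cd_size, pos, _comment_len = EOCD.unpack_from(data, end)
    found = []
    for _ in range(total):
        rec = CDH.unpack_from(data, pos)
        if rec[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, method, nlen, xlen, clen = rec[3], rec[4], rec[10], rec[11], rec[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8" if flags & 0x800 else "cp437")
        found.append((name, scheme(flags, method, data[pos + 46 + nlen:pos + 46 + nlen + xlen])))
        pos += 46 + nlen + xlen + clen
    return found

def sample_archive(entries):
    """Constructed input: directory records only, no file data or real keys."""
    cd = b""
    for name, flags, method, extra in entries:
        raw = name.encode("ascii")
        cd += CDH.pack(b"PK\x01\x02", 20, 20, flags, method, 0, 0, 0, 0, 0,
                       len(raw), len(extra), 0, 0, 0, 0, 0) + raw + extra
    return cd + EOCD.pack(b"PK\x05\x06", 0, 0, len(entries), len(entries), len(cd), 0, 0)

if __name__ == "__main__":
    flat = sample_archive([("payroll_march.xls", 1, 99, AES256), ("staff_list.doc", 1, 8, b"")])
    print(visible_entries(flat))  # both file names are listed with no password
```

Run against the outer archive of a double-zipped bundle, the same function returns only the inner archive's name.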
So WinZip encryption can be used to protect sensitive information in transit, but given a choice of options, my personal preference would be to use a product like PGP (or the free version GnuPG), which uses Asymmetric encryption, which helps to take the sting out of password management while providing better end-to-end guarantees. I can post specifically about PGP and Asymmetric encryption if asked (please post in the comments). Oh, if you found this post useful, please post a positive comment, as it will encourage me to post further “how-to” posts.