Slashdot Mirror


PKWare and Winzip Reach A Secure Zip Compromise

richard_za writes "Until now the rival compression software vendors PKWare and Winzip have had different (incompatible) ways of password protecting the ZIP format. In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip uses an AES approach which is fully documented here. The Register is running this story. PKWare has this press release."

4 of 219 comments

  1. Re:Easy to crack? by Troed · Score: 5, Interesting

    Old zip-encryption used three internal 32-bit keys - which by today's standards is quite easy to break. You need 11 bytes (or was it 14?) of known cleartext though when searching.

    The breaking of zip-encryption was considered to be quite a feat when it happened in the middle of the '90s, if memory serves me correctly.

  2. Symmetric vs. asymmetric by kasperd · Score: 5, Interesting

    I doubt that PKZip is based only on RSA. RSA is an asymmetric encryption. For some purposes this is nice, but it is inefficient. For that reason you almost always use asymmetric encryption together with symmetric encryption. You generate a one-time symmetric encryption key. The data is encrypted with the symmetric key, typically in CBC or CFB mode. Then only the symmetric encryption key is encrypted asymmetrically, which means much better speed.

    Actually I think this is one of the cases where there is no need for asymmetric encryption at all. So AES sounds like a better idea. Can anybody explain why PKZip uses RSA? And which symmetric cipher is it combined with?

    --

    Do you care about the security of your wireless mouse?

  3. Why bother? by Ckwop · Score: 5, Interesting

    I have PGP to encrypt the zip files... This software has received a lot of attention and we know that it's probably okay!

    The new standard these guys may agree on will have received little public analysis when it is fielded... Not something to trust at all!

    Simon.

  4. Re:Easy to crack? by Troed · Score: 5, Interesting

    My passwords are usually >16 characters long, some are more than 30 (depends on the strength of the algorithm they're used in). While I agree that a lot of people use easy-to-guess passwords, the old zip encryption was most easily broken through the internal key - NOT by brute forcing the password. Do the math if you don't believe me ;)

    A-Z, a-z, 0-9 and a few special chars make a 24-char password contain 128 bits of entropy. That's secure enough for everyone using symmetric ciphers.