Utility to open WINZIP with AES encryption - Firewalls


  1. Utility to open WINZIP with AES encryption

    Is there a free utility which recipients of a ZIP archive can get to do
    no more than extract the files from AES-encrypted ZIPs?

    -------

    I use Winzip Pro 10.0.6698 and create standard archives with a ZIP file
    extension which I send as an email attachment. I do not create self-
    extracting EXE files as many company firewalls block EXEs attached to
    emails.

    For sensitive data, I use either 128-bit AES or 256-bit AES encryption
    in Winzip.

    When my recipients do not have Winzip they find they cannot open the
    AES-encrypted zip file. How do I get around this? Is there a free
    utility which recipients can obtain in order to only extract files from
    my AES-encrypted ZIPs?

  2. Re: Utility to open WINZIP with AES encryption

    One-o wrote:

    > I use Winzip Pro 10.0.6698 and create standard archives with a ZIP file
    > extension which I send as an email attachment. I do not create self-
    > extracting EXE files as many company firewalls block EXEs attached to
    > emails.


    Of course, in terms of encryption this would be utterly stupid.

    > For sensitive data, I use either 128-bit AES or 256-bit AES encryption
    > in Winzip.


    Nah, can't be that sensitive.

    > When my recipients do not have Winzip they find they cannot open the
    > AES-encrypted zip file. How do I get around this? Is there a free
    > utility which recipients can obtain in order to only extract files from
    > my AES-encrypted ZIPs?


    7-Zip does so. But please, stop calling the files ZIP files. This name is
    commonly reserved for RFC-conformant PKZIP 2.x compatible files.

  3. Re: Utility to open WINZIP with AES encryption

    > One-o wrote:
    >
    >> I use Winzip Pro 10.0.6698 and create standard archives with a ZIP
    >> file extension which I send as an email attachment. I do not
    >> create self-extracting EXE files as many company firewalls block
    >> EXEs attached to emails.


    On 20 Feb 2007, Sebastian Gottschalk wrote:
    >
    > Of course, in terms of encryption this would be utterly stupid.
    >


    Please explain what you mean.

    >> For sensitive data, I use either 128-bit AES or 256-bit AES
    >> encryption in Winzip.

    >
    > Nah, can't be that sensitive.
    >


    Actually it is.

    >> When my recipients do not have Winzip they find they cannot open
    >> the AES-encrypted zip file. How do I get around this? Is there a
    >> free utility which recipients can obtain in order to only extract
    >> files from my AES-encrypted ZIPs?

    >
    > 7-Zip does so. But please, stop calling the files ZIP files. This
    > name is commonly reserved for RFC-conformant PKZIP 2.x compatible
    > files.
    >


    7-Zip does not open AES-encrypted files created by Winzip which is
    what I am looking for. Try it and see.

    Winzip creates its archive files with the ZIP extension and that is
    what I am referring to. I don't control what Winzip chooses to use
    as an extension. I just refer to it.

    It sounds as if you may be bringing here a point about "ZIP" you
    could be better off making direct to the authors of Winzip.

  4. Re: Utility to open WINZIP with AES encryption

    one-o wrote:

    >> One-o wrote:
    >>
    >>> I use Winzip Pro 10.0.6698 and create standard archives with a ZIP
    >>> file extension which I send as an email attachment. I do not
    >>> create self-extracting EXE files as many company firewalls block
    >>> EXEs attached to emails.

    >
    > On 20 Feb 2007, Sebastian Gottschalk wrote:
    >>
    >> Of course, in terms of encryption this would be utterly stupid.
    >>

    >
    > Please explain what you mean.


    Presume an attacker which has the capability to change the file. He
    attaches his own payload, which captures the password, unpacks the content
    and modifies the target system to report this file without the payload,
    then sends out the captured password.

    >>> For sensitive data, I use either 128-bit AES or 256-bit AES
    >>> encryption in Winzip.

    >>
    >> Nah, can't be that sensitive.

    >
    > Actually it is.


    No, it isn't, because the implementation in WinZip is well-known to be
    broken. Thus, you might leak some data.

    > 7-Zip does not open AES-encrypted files created by Winzip which is
    > what I am looking for. Try it and see.


    Tried, saw and found it working.

    > Winzip creates its archive files with the ZIP extension and that is
    > what I am referring to. I don't control what Winzip chooses to use
    > as an extension. I just refer to it.


    D'Oh! That doesn't make it a ZIP file. Just like renaming a .TXT file to
    .AVI doesn't convert it to an AVI video.

    The format, thus the real content that decides whether people can actually
    use it, is described in RFC 1951, 1952 and the PKZIP specification. The WinZip
    9.0 AES-encrypted stuff is a proprietary and non-compatible thing, thus you
    should even be happy that people tolerate the .ZIP file extension on it and
    actually wrote a free implementation for it.
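
Added example (not part of the thread and not any poster's code): a Python parser that reads a ZIP central directory and reports which entries use the WinZip AES scheme the posts above argue about, which is what decides whether a recipient's tool needs AES support. The field values (method 99, extra-field ID 0x9901, vendor ID "AE") follow WinZip's published AES specification; the sample bytes are constructed and hold a directory only, no file data.

```python
import struct

AES_METHOD = 99        # compression method value marking a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field ID holding the AES parameters
KEY_BITS = {1: 128, 2: 192, 3: 256}
CD = struct.Struct("<4s6H3I5H2I")   # central directory file header (46 bytes)
EOCD = struct.Struct("<4s4H2IH")    # end of central directory record (22 bytes)

def describe_entries(data: bytes) -> list[dict]:
    """Report how each entry is protected, reading only the central directory."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = EOCD.unpack_from(data, pos)
    out, off = [], cd_off
    for _ in range(total):
        f = CD.unpack_from(data, off)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method, nlen, xlen, clen = f[3], f[4], f[10], f[11], f[12]
        start = off + CD.size
        name = data[start:start + nlen].decode("cp437")
        extra = data[start + nlen:start + nlen + xlen]
        info = {"name": name, "scheme": "none"}
        if flags & 1:  # general-purpose bit 0: entry is encrypted
            info["scheme"] = "traditional PKZIP"
        if method == AES_METHOD:
            info["scheme"] = "WinZip AES, parameters missing"
            i = 0
            while i + 4 <= len(extra):  # walk (id, size, data) records
                xid, xsz = struct.unpack_from("<HH", extra, i)
                if xid == AES_EXTRA_ID and xsz >= 7 and i + 4 + xsz <= len(extra):
                    ver, _, strength, real = struct.unpack_from("<H2sBH", extra, i + 4)
                    info.update(scheme=f"WinZip AE-{ver}",
                                bits=KEY_BITS.get(strength), inner_method=real)
                i += 4 + xsz
        out.append(info)
        off = start + nlen + xlen + clen
    return out

def sample_directory() -> bytes:
    """Constructed sample: one plain entry and one AE-2 / 256-bit entry."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    recs = b""
    for name, flags, method, extra in [(b"plain.txt", 0, 8, b""),
                                       (b"secret.doc", 1, AES_METHOD, aes_extra)]:
        recs += CD.pack(b"PK\x01\x02", 20, 51, flags, method, 0, 0, 0, 0, 0,
                        len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return recs + EOCD.pack(b"PK\x05\x06", 0, 0, 2, 2, len(recs), 0, 0)
```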

  5. Re: Utility to open WINZIP with AES encryption


    "One-o" wrote in message news:Xns98DDEF5048A6364A18E@127.0.0.1...

    > Is there a free utility which recipients of a ZIP archive can get to do
    > no more than extract the files from AES-encrypted ZIPs?


    Ask in news:alt.comp.freeware

  6. Re: Utility to open WINZIP with AES encryption

    On Feb 21, 9:50 pm, Sebastian Gottschalk wrote:
    > one-o wrote:
    > >> One-o wrote:

    >
    > >>> I use Winzip Pro 10.0.6698 and create standard archives with a ZIP
    > >>> file extension which I send as an email attachment. I do not
    > >>> create self-extracting EXE files as many company firewalls block
    > >>> EXEs attached to emails.

    >
    > > On 20 Feb 2007, Sebastian Gottschalk wrote:

    >
    > >> Of course, in terms of encryption this would be utterly stupid.

    >
    > > Please explain what you mean.

    >
    > Presume an attacker which has the capability to change the file. He
    > attaches his own payload, which captures the password, unpacks the content
    > and modifies the target system to report this file without the payload,
    > then sends out the captured password.
    >
    > >>> For sensitive data, I use either 128-bit AES or 256-bit AES
    > >>> encryption in Winzip.

    >
    > >> Nah, can't be that sensitive.

    >
    > > Actually it is.

    >
    > No, it isn't, because the implementation in WinZip is well-known to be
    > broken. Thus, you might leak some data.
    >


    Actually according to NIST WinZip's AES implementation is FIPS 192
    certified:
    http://csrc.nist.gov/cryptval/aes/aesval.html


  7. Re: Utility to open WINZIP with AES encryption

    Doh made a typo, that should say FIPS 197.


  8. Re: Utility to open WINZIP with AES encryption

    On 22 Feb 2007, wrote:

    > On Feb 21, 9:50 pm, Sebastian Gottschalk wrote:
    >> one-o wrote:
    >> >> One-o wrote:

    >>
    >> >>> I use Winzip Pro 10.0.6698 and create standard archives with a
    >> >>> ZIP file extension which I send as an email attachment. I do
    >> >>> not create self-extracting EXE files as many company
    >> >>> firewalls block EXEs attached to emails.

    >>
    >> > On 20 Feb 2007, Sebastian Gottschalk wrote:

    >>
    >> >> Of course, in terms of encryption this would be utterly stupid.

    >>
    >> > Please explain what you mean.

    >>
    >> Presume an attacker which has the capability to change the file.
    >> He attaches his own payload, which captures the password, unpacks
    >> the content and modifies the target system to report this file
    >> without the payload, then sends out the captured password.
    >>
    >> >>> For sensitive data, I use either 128-bit AES or 256-bit AES
    >> >>> encryption in Winzip.

    >>
    >> >> Nah, can't be that sensitive.

    >>
    >> > Actually it is.

    >>
    >> No, it isn't, because the implementation in WinZip is well-known
    >> to be broken. Thus, you might leak some data.
    >>

    >
    > Actually according to NIST WinZip's AES implementation is FIPS 192
    > certified:
    > http://csrc.nist.gov/cryptval/aes/aesval.html
    >


    I wonder if Sebastian is going to reply?

  9. Re: Utility to open WINZIP with AES encryption

    Zak wrote:

    >>> No, it isn't, because the implementation in WinZip is well-known
    >>> to be broken. Thus, you might leak some data.
    >>>

    >>
    >> Actually according to NIST WinZip's AES implementation is FIPS 192
    >> certified:
    >> http://csrc.nist.gov/cryptval/aes/aesval.html
    >>

    >
    > I wonder if Sebastian is going to reply?


    Eh... why should I? The evaluation says nothing about the implementation of
    the storage format. And I guess you can use Google yourself to find the
    details on the vulnerabilities of this implementation.

  10. Re: Utility to open WINZIP with AES encryption

    On Feb 26, 3:20 am, Sebastian Gottschalk wrote:
    > Zak wrote:
    > >>> No, it isn't, because the implementation in WinZip is well-known
    > >>> to be broken. Thus, you might leak some data.

    >
    > >> Actually according to NIST WinZip's AES implementation is FIPS 192
    > >> certified:
    > >>> http://csrc.nist.gov/cryptval/aes/aesval.html

    >
    > > I wonder if Sebastian is going to reply?

    >
    > Eh... why should I?


    Well you did so why are you asking us?

    > The evaluation says nothing about the implementation of
    > the storage format. And I guess you can use Google yourself to find the
    > details on the vulnerabilities of this implementation.


    Did a quick google, there were some articles from early'ish in 2006
    and older. All of the issues I could find seem to have been addressed
    by WinZip Computing. I suppose there may be an issue if one party is
    using an older version of the software....but that's true of any
    software. If we suggest people not use software because it's had bugs
    or vulnerabilities in the past then we'd be hard pressed to suggest
    any software package to anyone (there's no such thing as bug free
    software).


  11. Re: Utility to open WINZIP with AES encryption

    kingthorin@gmail.com wrote:

    > Did a quick google, there were some articles from early'ish in 2006
    > and older. All of the issues I could find seem to have been addressed
    > by WinZip Computing.


    Oh, they now got competent? And even searched for further potential
    vulnerabilities? Doubtful, very doubtful. (Well, can't expect much from
    closed source crypto..)

    > I suppose there may be an issue if one party is
    > using an older version of the software....but that's true of any
    > software. If we suggest people not use software because it's had bugs
    > or vulnerabilities in the past then we'd be hard pressed to suggest
    > any software package to anyone (there's no such thing as bug free
    > software).


    Well, that depends on the numbers, the impact and the complexity of the
    bugs. Being too stupid to apply a simple block cipher to a linear format
    and then leaking information in multiple ways has a tremendous impact and
    is so laughably trivial that one should wonder how anyone could **** it up
    so hefty. Why should one ever trust this vendor again when it comes to
    crypto?
