Presentation is loading. Please wait.

Presentation is loading. Please wait.

ATTACKS ON WINZIP ENCRYPTION

Similar presentations


Presentation on theme: "ATTACKS ON WINZIP ENCRYPTION"— Presentation transcript:

1 ATTACKS ON WINZIP ENCRYPTION
Presenter: Sandhya Turaga

2 Agenda Introduction WinZip Encryption Architecture
Security issues & Possible attacks Fixes to minimize these Attacks

3 What is WinZip WinZip is a common compression utility on Microsoft windows machines. Even though the encryption schemes used in WinZip are very secure, the implementation of these schemes in WinZip encryption makes it vulnerable to many side channel attacks and “man in the middle“ attacks.

4 WinZip Encryption Architecture
Compresses files using “enhanced deflate” method Derives AES & HMAC-SHA1 keys from user’s password Encrypts each of these compressed files using AES encryption scheme in CTR mode

5 WinZip Encryption Architecture (contd…)
Authenticates the resulting cipher text with HMAC-SHA1 key Archives into WinZip archive

6 Possible Attacks Information Leakage Possible Attacks using Metadata
Attacks on filenames and file extensions

7 (contd…)Possible Attacks
Protocol rollback attack Archives with encrypted and unencrypted files Key collision and repeated key streams Dictionary attacks

8 Information Leakage Meta data appears in plain text in the archive
Metadata contains encrypted file’s original file name, length of the original plaintext file, length of the cipher text data In Metadata the following information is shown: Using the length of an uncompressed data stream and the length of the compressed output, Attacker can learn information about the uncompressed data -The length of the original plaintext file -Length of the resulting cipher text data -Encrypted file’s original file name -Chosen compression method and the length of the original file are not autehnticated.

9 Possible Attacks using Metadata
The unencrypted metadata can give way to “man-in-the-middle” attack Ex: An attack by changing original length of the file and the compression method Info.zip newInfo.zip Attacker Bob Alice

10 Attacks on filenames and extensions
An attacker can change the filename field of the main file record and central directory record since they both are unauthenticated. This won’t affect the MAC at the end of the file.

11 Protocol rollback attack
The encryption utility using AE-2 should also be able to read files encrypted in AE-1. Hence reads the unencrypted CRC field. Winzip’s detailed logs contain corrupted CRC and the expected correct CRC. This log message makes attacker’s life easy.

12 Archives with encrypted and unencrypted files
Winzip encrypts on a per file basis The correct password would extract all encrypted and unencrypted files Any file can be replaced by the attacker

13 Key collision and repeated key streams
Salt length Key size Encryption strength field 8 bytes 128 bits 01 12 bytes 192 bits 02 16 bytes 256 bits 03 WinZip takes the password and combines with Salt to generate the AES and HMAC-SHA1keys Collision ?

14 Key collision and repeated key streams (contd…)

15 Dictionary attacks A “Salt” is used to make the exhaustive search for pass-phrases impossible WinZip uses different salt value to encrypt each file, thereby increasing probability of collision with limited number of salt values in the attackers dictionary Ex: Salt length = 8 bytes and files encrypted per password ~ 232 then attacker needs to have 232 different salt values for HMAC-SHA1 dictionary

16 Fixes We can’t avoid these attacks totally so we can only minimize the amount of attacks. Encryption of Metadata Authenticating all the information that the extractor will use when reconstructing the original data

17 Fixes (contd…) Diversifying the AES & HMAC-SHA1 keys
Authenticating “central directory records” and “main file records” Increase the salt length & Making the initialization CTR value random Encrypt the entire “central data directory records” and remove the metadata information from main file records.

18 Q/A Any Questions?

19 References 1. http://www.winzip.com/aes_info.htm#non-files
2. 3.


Download ppt "ATTACKS ON WINZIP ENCRYPTION"

Similar presentations


Ads by Google