Presentation is loading. Please wait.

Presentation is loading. Please wait.

ATTACKS ON WINZIP ENCRYPTION

Published byHugo Griffin Modified over 6 years ago

Similar presentations

Presentation on theme: "ATTACKS ON WINZIP ENCRYPTION"— Presentation transcript:

1 ATTACKS ON WINZIP ENCRYPTION
Presenter: Sandhya Turaga

2 Agenda Introduction WinZip Encryption Architecture
Security issues & Possible attacks Fixes to minimize these Attacks

3 What is WinZip WinZip is a common compression utility on Microsoft windows machines. Even though the encryption schemes used in WinZip are very secure, the implementation of these schemes in WinZip encryption makes it vulnerable to many side channel attacks and “man in the middle“ attacks.

4 WinZip Encryption Architecture
Compresses files using “enhanced deflate” method Derives AES & HMAC-SHA1 keys from user’s password Encrypts each of these compressed files using AES encryption scheme in CTR mode

5 WinZip Encryption Architecture (contd…)
Authenticates the resulting cipher text with HMAC-SHA1 key Archives into WinZip archive

6 Possible Attacks Information Leakage Possible Attacks using Metadata
Attacks on filenames and file extensions

7 (contd…)Possible Attacks
Protocol rollback attack Archives with encrypted and unencrypted files Key collision and repeated key streams Dictionary attacks

8 Information Leakage Meta data appears in plain text in the archive
Metadata contains encrypted file’s original file name, length of the original plaintext file, length of the cipher text data In Metadata the following information is shown: Using the length of an uncompressed data stream and the length of the compressed output, Attacker can learn information about the uncompressed data -The length of the original plaintext file -Length of the resulting cipher text data -Encrypted file’s original file name -Chosen compression method and the length of the original file are not autehnticated.

9 Possible Attacks using Metadata
The unencrypted metadata can give way to “man-in-the-middle” attack Ex: An attack by changing original length of the file and the compression method Info.zip newInfo.zip Attacker Bob Alice

10 Attacks on filenames and extensions
An attacker can change the filename field of the main file record and central directory record since they both are unauthenticated. This won’t affect the MAC at the end of the file.

11 Protocol rollback attack
The encryption utility using AE-2 should also be able to read files encrypted in AE-1. Hence reads the unencrypted CRC field. Winzip’s detailed logs contain corrupted CRC and the expected correct CRC. This log message makes attacker’s life easy.

12 Archives with encrypted and unencrypted files
Winzip encrypts on a per file basis The correct password would extract all encrypted and unencrypted files Any file can be replaced by the attacker

13 Key collision and repeated key streams
Salt length Key size Encryption strength field 8 bytes 128 bits 01 12 bytes 192 bits 02 16 bytes 256 bits 03 WinZip takes the password and combines with Salt to generate the AES and HMAC-SHA1keys Collision ?

14 Key collision and repeated key streams (contd…)

15 Dictionary attacks A “Salt” is used to make the exhaustive search for pass-phrases impossible WinZip uses different salt value to encrypt each file, thereby increasing probability of collision with limited number of salt values in the attackers dictionary Ex: Salt length = 8 bytes and files encrypted per password ~ 232 then attacker needs to have 232 different salt values for HMAC-SHA1 dictionary

16 Fixes We can’t avoid these attacks totally so we can only minimize the amount of attacks. Encryption of Metadata Authenticating all the information that the extractor will use when reconstructing the original data

17 Fixes (contd…) Diversifying the AES & HMAC-SHA1 keys
Authenticating “central directory records” and “main file records” Increase the salt length & Making the initialization CTR value random Encrypt the entire “central data directory records” and remove the metadata information from main file records.

18 Q/A Any Questions?

19 References 1. http://www.winzip.com/aes_info.htm#non-files
2. 3.

Download ppt "ATTACKS ON WINZIP ENCRYPTION"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Hashes and Message Digests

Hashes and Message Digests
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Encryption and Forensics/Data Hiding. 2 Cryptography Background See: For more information.

1 Encryption and Forensics/Data Hiding. 2 Cryptography Background See: For more information.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.

Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.

Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.

Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.

Similar presentations

Ads by Google