Posts

Showing posts from June, 2020

Security considerations of ZIP password protected files

Image
Recently I came across a dilemma when faced with proposal of a client to use password protected ZIP archives intended to be sent over email to 3rd party. Plain email protocols such as SMTP were not designed with security considerations. SMTP is a plain text protocol that, once intercepted, would allow an unauthorised individual to recover the content of the respective email. There are options to send SMTP via SSL (Socket Secure Layer), but this requires that the destination SMTP server also supports SMTP over SSL, and RFCs related to SMTP do not mandate SSL.The task was then to assess the security of a password protected ZIP files. Google search reveals several tools worth trying against password cracking, but they are all based on brute force attacks of some kind. Given the customer uses sufficiently strong password, the question remains - how strong are password protected ZIP files? I decided to design a little experiment with the following setup. I will create the total of four ...