Security considerations of ZIP password protected files
Recently I came across a dilemma when faced with proposal of a client to use password protected ZIP archives intended to be sent over email to 3rd party. Plain email protocols such as SMTP were not designed with security considerations. SMTP is a plain text protocol that, once intercepted, would allow an unauthorised individual to recover the content of the respective email.
There are options to send SMTP via SSL (Socket Secure Layer), but this requires that the destination SMTP server also supports SMTP over SSL, and RFCs related to SMTP do not mandate SSL.The task was then to assess the security of a password protected ZIP files. Google search reveals several tools worth trying against password cracking, but they are all based on brute force attacks of some kind. Given the customer uses sufficiently strong password, the question remains - how strong are password protected ZIP files? I decided to design a little experiment with the following setup.
I will create the total of four archives - two on Windows and two on Linux. The reason for this decision was to identify the differences of two operating systems. Each operating system will use two different compression formats - zip and 7z. After the archives were created, I would try to:
a) List the files in the archive not knowing the password
b) Add arbitrary files to the archive not knowing the password
c) Delete existing files from the archive not knowing the password.
This is how the experiment went exactly. I used 7zip utility on the Windows.
Then I created two text files which were added to the archive.
First archive named test2.zip was created using the zip format and AES-256 symmetric encryption
algorithm. These are the attributes of the test2.zip.
The second archive (test2.zip) was created on Windows using the zip compression format and AES-256 encryption.
The third archive (test3.zip) was created on Linux using the zip utility.
Finally, the fourth archive (test4.7z) is crested on Linux using the 7z utility.
The result are as follows.
Test2.zip created on Windows/zip format allows reading of the file list (not the content of the files, just their names), deleting the files and adding arbitrary files without knowing the password. I used "test-insertion-file" to test adding.
Test1.7z created on Windows/7z format allows reading of the file list, adding the arbitrary files, but not the deletion of the existing files. All without password. The screenshot below shows that the"Deleting" required password.
Test3.zip created in Linux/zip format allows reading of the file list, adding the arbitrary files and deleting the existing files. All without password. In that respect it behaves exactly like the Windows zip file. Still , both Windows zip and Linux zip do not allow reading the content of the password protected files.
Finally, test4.7z created on Linux/7z format does not allow reading the list of files, deleting or adding new files. Every operation required knowing the password. The screenshot below shows that an attempt to open the archive was interrupted by the password prompt.
The conclusion is that the only archive that provides both integrity and confidentiality is the 7z file created on Linux. 7z created on Windows allowed reading the file list and adding arbitrary files, although it did not allow deletion without the password.
A good discussion that draws similar conclusions to mine can be found on https://security.stackexchange.com/questions/35818/are-password-protected-zip-files-secure with the results similar to my investigation.
If you have no other more secure ways to send confidential data via SMTP (or any other unsecure protocol) and you need to use compressed archives with password protection, create them using the Linux 7z utility. It is not a good news for most of the Windows end users, especially in business environment where Windows OS is a prevalent operating system.
There are options to send SMTP via SSL (Socket Secure Layer), but this requires that the destination SMTP server also supports SMTP over SSL, and RFCs related to SMTP do not mandate SSL.The task was then to assess the security of a password protected ZIP files. Google search reveals several tools worth trying against password cracking, but they are all based on brute force attacks of some kind. Given the customer uses sufficiently strong password, the question remains - how strong are password protected ZIP files? I decided to design a little experiment with the following setup.
I will create the total of four archives - two on Windows and two on Linux. The reason for this decision was to identify the differences of two operating systems. Each operating system will use two different compression formats - zip and 7z. After the archives were created, I would try to:
a) List the files in the archive not knowing the password
b) Add arbitrary files to the archive not knowing the password
c) Delete existing files from the archive not knowing the password.
This is how the experiment went exactly. I used 7zip utility on the Windows.
Then I created two text files which were added to the archive.
First archive named test2.zip was created using the zip format and AES-256 symmetric encryption
algorithm. These are the attributes of the test2.zip.
The third archive (test3.zip) was created on Linux using the zip utility.
Finally, the fourth archive (test4.7z) is crested on Linux using the 7z utility.
The result are as follows.
Test2.zip created on Windows/zip format allows reading of the file list (not the content of the files, just their names), deleting the files and adding arbitrary files without knowing the password. I used "test-insertion-file" to test adding.
Test1.7z created on Windows/7z format allows reading of the file list, adding the arbitrary files, but not the deletion of the existing files. All without password. The screenshot below shows that the"Deleting" required password.
Test3.zip created in Linux/zip format allows reading of the file list, adding the arbitrary files and deleting the existing files. All without password. In that respect it behaves exactly like the Windows zip file. Still , both Windows zip and Linux zip do not allow reading the content of the password protected files.
Finally, test4.7z created on Linux/7z format does not allow reading the list of files, deleting or adding new files. Every operation required knowing the password. The screenshot below shows that an attempt to open the archive was interrupted by the password prompt.
The conclusion is that the only archive that provides both integrity and confidentiality is the 7z file created on Linux. 7z created on Windows allowed reading the file list and adding arbitrary files, although it did not allow deletion without the password.
A good discussion that draws similar conclusions to mine can be found on https://security.stackexchange.com/questions/35818/are-password-protected-zip-files-secure with the results similar to my investigation.
If you have no other more secure ways to send confidential data via SMTP (or any other unsecure protocol) and you need to use compressed archives with password protection, create them using the Linux 7z utility. It is not a good news for most of the Windows end users, especially in business environment where Windows OS is a prevalent operating system.
Comments
Post a Comment