April 14, 2017 at 22:58 #6099
- Yes, it is effective against a completely random 32-character password; however, no home user is going to have a computer anywhere near fast enough (not even if augmented with GPUs) to crack a 7-Zip password, which is why I suggested the Amazon Cloud. Google and Microsoft offer worthy alternatives. Because of the way 7-Zip implemented its encryption, the hashing doesn't slow down brute force sufficiently. 7-Zip is not recommended by NIST, so U.S. agencies don't use it for encryption purposes. The only approved encryption/compression software in the U.S. is PKWARE's SecureZIP; large federal agencies use it, e.g. the DoJ, FAA and HHS.
- Some of the vulnerabilities in 7-Zip were fixed, but the developer only has a finite amount of time on his hands. He's not getting paid to develop it, and there are doubtless other vulnerabilities still undiscovered.
- Without prejudice to those vulnerabilities which have been fixed, there are still known vulnerabilities which weaken the encryption, which is why the attack I described earlier is feasible and works in the real world.
- The Zip format was never designed with security in mind. It's difficult to go back and retrospectively secure software, particularly now that the compression format has become a de facto standard. There are many research papers out there about the weakness of the format in general. It works very well at what it was designed for: data compression. But there are all sorts of attacks against pieces of software like that which can assist in decryption.
- To make a similar attack against even AxCrypt 1.7's encryption would take hundreds of millions (if not billions) of years because of the cryptographic library implemented by AxCrypt. Meanwhile, an equivalent attack in the Zip format would take hours, if not minutes, depending upon the format used.
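The post's argument turns on two quantities: the size of the password space and the cost of one guess, which is set by how expensive the key derivation is. The Python example below is an added illustration and is not code from the post, nor 7-Zip's or AxCrypt's actual key-derivation scheme. It compares a single unsalted SHA-256 (one cheap hash per guess) with salted PBKDF2-HMAC-SHA256 at a high iteration count, measures the per-guess cost of each, and converts a guess rate into an exhaustive-search estimate. The 32-character sample password, the salt, the 600,000-iteration count and the 1e12 guesses-per-second cracker rate are all assumed values chosen for the demonstration.

```python
import hashlib
import math
import string
import time

# Constructed sample input: a random-looking 32-character password drawn from the
# 94 printable non-space ASCII characters, as in the post. Not a real archive password.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 chars
SAMPLE_PASSWORD = "xK7#pQ2!mN9$rT4%vW6&yZ8*bC1@dF3^"                    # 32 chars
SALT = b"constructed-salt-not-from-any-archive"                          # assumed


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def derive_fast(password: str) -> bytes:
    """Weak scheme: one unsalted SHA-256 over the password.
    Each brute-force guess costs a single hash, which GPUs do billions of
    times per second."""
    return hashlib.sha256(password.encode()).digest()


def derive_slow(password: str, iterations: int = 600_000) -> bytes:
    """Stronger scheme: salted PBKDF2-HMAC-SHA256 with a high iteration count.
    Each guess now costs `iterations` HMAC evaluations (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, dklen=32)


def seconds_per_guess(derive, password: str, rounds: int = 5) -> float:
    """Average wall-clock cost of one key derivation on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive(password)
    return (time.perf_counter() - start) / rounds


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the space, in years."""
    seconds = space / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def slowdown_factor(fast_cost: float, slow_cost: float) -> float:
    """How many times more expensive a guess is under the slow KDF."""
    return slow_cost / fast_cost


if __name__ == "__main__":
    space = keyspace(len(PRINTABLE), 32)
    print(f"keyspace for 32 random printable chars: 2^{math.log2(space):.1f}")
    # Assumed cracker rate of 1e12 single-SHA-256 guesses per second: even that
    # never finishes a truly random 32-character password.
    print(f"years to exhaust at 1e12 guesses/s, single SHA-256: "
          f"{years_to_exhaust(space, 1e12):.3e}")

    fast = seconds_per_guess(derive_fast, SAMPLE_PASSWORD)
    slow = seconds_per_guess(derive_slow, SAMPLE_PASSWORD)
    print(f"per-guess cost here: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s, "
          f"slowdown {slowdown_factor(fast, slow):.0f}x")

    # Where the KDF's cost actually matters: a short, human-chosen password.
    small = keyspace(26, 8)   # eight lowercase letters
    single_hash_seconds = years_to_exhaust(small, 1e10) * 365.25 * 24 * 3600
    print(f"8 lowercase letters at 1e10 single-hash guesses/s: {single_hash_seconds:.1f}s")
    print(f"same space if every guess costs 600k HMACs:       "
          f"{single_hash_seconds * slowdown_factor(fast, slow):.3e}s")
```

The two estimates make the practitioner's point: a random 32-character password is out of reach regardless of how the archive derives its key, so the KDF's iteration count only changes the outcome for short or guessable passwords, where a slow, salted derivation multiplies the attacker's cost by the measured slowdown factor.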