Forums Community Unhappy with version 2 Reply To: Unhappy with version 2

#6103 Reply

Gerard

Wow! I’m amazed to learn that encrypted ZIP’s are so easily broken. That is scary! I’ve never used WinZip or 7Zip as primary encryption solutions, but I’ve recommended them to others.

Please don’t let what I’ve said deter you from recommending ZIP files to other people because they do provide a good degree of security for the average person.

Assume Bob wants to send his cousin Eve his holiday photographs. Bob doesn’t have a fast upload speed (or he’s got limited data) and/or Eve has a slow download speed (or limited data). His collection averages at about 5GB so he decides to mail it on a DVD. Because 5GB is too big for the average DVD he makes a ZIP file and for privacy adds a password. The compressed size is 3.5 GB and the password is 16 characters long.

This scenario is a perfect example of where ZIP is the most appropriate format. Even if the disk got lost in the mail anybody finding it wouldn’t be able to open it. Whilst they might be nosy and try the DVD in their computer, they’re unlikely to:

  • Upload the contents of the DVD to a distributed cloud service (time consuming and expensive)
  • Have access to the relevant password cracking software and know how to use it and
  • Be willing to pay for the server costs for running the password software until it breaks the encryption

It doesn’t make sense for them to do that; nobody is that nosy!

Now if Bob was the head of an international criminal gang then police may surreptitiously intercept the mail, copy the files, put the disk back into the postal system and then get busy cracking it. The difference is that he’d be worth the time and effort.

If you’re emailing files to somebody then a ZIP file (or AxCrypt file) make good sense. Most email servers now use TLS which encrypt the traffic to-from the mail services (e.g. Outlook to Gmail). Whilst an employee of either organization can read the contents of the emails it is quite a bit more difficult (but by no means impossible) to view the contents. Even if they managed to do so, providing you use a password protected ZIP, then they’re not going to be able to view the data without more expense (on top of the time/cost breaking the email TLS).

 

I figured if they used AES they should be fine. Obviously I would starve as a cryptographer. Live and learn.

There’s an old joke:

If You’re Typing the Letters A-E-S Into Your Code You’re Doing It Wrong

You can also mess things up if you use an insecure mode of operation like ECB; for many purposes I’d recommend GCM. If you’re interested in learning more about AES there’s an excellent lecture on YouTube but you need some understanding of mathematics.

The majority of programmers aren’t cryptographers, I think Svante is a programmer primarily, but he uses BouncyCastle which is a respected cryptographic library designed by professional cryptographers thus he can rely upon it being well-designed and secure.

From a very cursory glance at the various parts of AxCrypt’s source code it looks okay to me but only a detailed audit could confirm this.

Whilst AxCrypt has a freemium business model 7-Zip is free. The 7-Zip maintainer is less responsive than Svante and there are dozens of outstanding bugs in 7-Zip [1], [2], [3], [4], [5]. Bugs 3, 4 and 5 are potentially very dangerous. Those are a small selection; you can look up the others yourself.

I’m not blaming 7-Zip, I’m guessing their developer has no source of income from the software, but it goes to show you how easily catastrophic errors can be made in the programming and why relying on exclusively free software can be a bad idea.

Even if you manage to design a super secure encryption program with proper implementation of the cryptography you’ve then got to trust the operating system, the antivirus, other software on the system and the array of hardware in your system. It’s all about making your system as secure as possible and hoping that the hackers will go elsewhere. If you’re targeted there’s little you can do to protect yourself.