1 / 19

ATTACKS ON WINZIP ENCRYPTION

ATTACKS ON WINZIP ENCRYPTION. Presenter: Sandhya Turaga. Agenda. Introduction WinZip Encryption Architecture Security issues & Possible attacks Fixes to minimize these Attacks. What is WinZip. WinZip is a common compression utility on Microsoft windows machines.

wray
Download Presentation

ATTACKS ON WINZIP ENCRYPTION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ATTACKS ON WINZIP ENCRYPTION Presenter: Sandhya Turaga

  2. Agenda • Introduction • WinZip Encryption Architecture • Security issues & Possible attacks • Fixes to minimize these Attacks

  3. What is WinZip • WinZip is a common compression utility on Microsoft windows machines. • Even though the encryption schemes used in WinZip are very secure, the implementation of these schemes in WinZip encryption makes it vulnerable to many side channel attacks and “man in the middle“ attacks.

  4. WinZip Encryption Architecture • Compresses files using “enhanced deflate” method • Derives AES & HMAC-SHA1 keys from user’s password • Encrypts each of these compressed files using AES encryption scheme in CTR mode

  5. WinZip Encryption Architecture (contd…) • Authenticates the resulting cipher text with HMAC-SHA1 key • Archives into WinZip archive

  6. Possible Attacks • Information Leakage • Possible Attacks using Metadata • Attacks on filenames and file extensions

  7. (contd…)Possible Attacks • Protocol rollback attack • Archives with encrypted and unencrypted files • Key collision and repeated key streams • Dictionary attacks

  8. Information Leakage • Meta data appears in plain text in the archive • Metadata contains encrypted file’s original file name, length of the original plaintext file, length of the cipher text data

  9. Possible Attacks using Metadata • The unencrypted metadata can give way to “man-in-the-middle” attack • Ex: An attack by changing original length of the file and the compression method Info.zip newInfo.zip Attacker Bob Alice

  10. Attacks on filenames and extensions • An attacker can change the filename field of the main file record and central directory record since they both are unauthenticated. • This won’t affect the MAC at the end of the file.

  11. Protocol rollback attack • The encryption utility using AE-2 should also be able to read files encrypted in AE-1. • Hence reads the unencrypted CRC field. • Winzip’s detailed logs contain corrupted CRC and the expected correct CRC. • This log message makes attacker’s life easy.

  12. Archives with encrypted and unencrypted files • Winzip encrypts on a per file basis • The correct password would extract all encrypted and unencrypted files • Any file can be replaced by the attacker

  13. Key collision and repeated key streams • WinZip takes the password and combines with Salt to generate the AES and HMAC-SHA1keys • Collision ?

  14. Key collision and repeated key streams (contd…)

  15. Dictionary attacks • A “Salt” is used to make the exhaustive search for pass-phrases impossible • WinZip uses different salt value to encrypt each file, thereby increasing probability of collision with limited number of salt values in the attackers dictionary • Ex: Salt length = 8 bytes and files encrypted per password ~ 232 then attacker needs to have 232 different salt values for HMAC-SHA1 dictionary

  16. Fixes • We can’t avoid these attacks totally so we can only minimize the amount of attacks. • Encryption of Metadata • Authenticating all the information that the extractor will use when reconstructing the original data

  17. Fixes (contd…) • Diversifying the AES & HMAC-SHA1 keys • Authenticating “central directory records” and “main file records” • Increase the salt length & Making the initialization CTR value random • Encrypt the entire “central data directory records” and remove the metadata information from main file records.

  18. Q/A • Any Questions?

  19. References • 1. http://www.winzip.com/aes_info.htm#non-files • 2. www.cse.ucsd.edu/users/tkohno/papers/WinZip/ • 3. http://www.winzip.com/whatsnew90.htm

More Related