Can a sniffer read a zip file?



  1. #1
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    426

    Can a sniffer read a zip file?

    Greetings.

    This is more of a general security question. If a text file is zipped can someone with a network sniffer put the file together, unzip it, and read it? If yes, does zipping it make it any harder to do?

    P.S. I know that gpg is an easy way around the problem but one doesn't always send to people who have the skills or desire to set it up on their own systems.

    Joe
    http://www.unikserv.ca for onsite technical support and technical consulting.

  2. #2
    Join Date
    Apr 2001
    Posts
    1,496
    Yes, it is possible.

    I would think (though I don't know for sure) that it would be a little more difficult.

    There are programs that you can use to encrypt a file one time, and when the person executes that file, it asks for a password. The person just needs to know the password. (The program isn't even required on their computer. Kind of like a self-extracting ZIP archive.)
    Distribution: Gentoo
    Kernel: 2.6.9-r9-gentoo
    Processor: Intel Pentium 4 1.3Ghz
    RAM: 256MB RAMBUS
    HD Space: 300GB (60/80/160)

    <beastmaster> eh yeah same here, used to use mandy lol
    <beastmaster> yeah damn.. that was a waste of 2 years right there lol

  3. #3
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    As long as they get all of it, they can uncompress all of it. If they only get a part of the zip file, then they can only uncompress part of the original.

    Since the algorithm that any zip utility uses is reversible without any prior knowledge about the data (including WinZip/PKZip, gzip, and bzip2), that means that the data flying across the network can also be turned back into the original without any prior knowledge. (And most zip formats, including gzip and bzip2 at least, include magic numbers so that programs know when they're looking at a .gz file, for example. These magic numbers will give the attacker the exact algorithm to use when decompressing.)

    It wouldn't really even be that much more difficult. As soon as the attacker sees the magic number for gzip, they would apply a de-gzipping program to the result, and bingo.

    The most secure way to do any communication is to rely solely on the unknown-ed-ness of the keys used to do your encryption, not the unknown-ed-ness of the algorithm (and since compression algorithms don't require keys at all, they're totally insecure). You could also use an ssh tunnel, for example (or scp/sftp), which creates an encrypted connection to send cleartext data. The result on the other end is cleartext, but nobody sniffing the actual exchange would be able to see that, because it'd be encrypted then. This doesn't work too well for mail, though.
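The point made in post #3 above, as an added example that is not part of the original thread: a reassembled payload announces its own format through its magic number and decompresses with no key, and a truncated capture still yields the leading part of the plaintext. The sample data, the file name `notes.txt` and all function names are constructed for illustration.

```python
import bz2, gzip, io, zipfile, zlib

# Constructed sample "text file" standing in for the document being sent.
SECRET = "\n".join(f"account {i}: balance {i * i * 37 % 1000}"
                   for i in range(200)).encode()

# Leading magic bytes of the formats named in the thread.
MAGIC = ((b"\x1f\x8b", "gzip"), (b"BZh", "bzip2"), (b"PK\x03\x04", "zip"))


def identify(payload: bytes):
    """Return the format name announced by the payload's magic number."""
    for magic, name in MAGIC:
        if payload.startswith(magic):
            return name
    return None


def recover(payload: bytes):
    """Decompress a reassembled payload using nothing but the payload itself."""
    kind = identify(payload)
    if kind == "gzip":
        return kind, gzip.decompress(payload)
    if kind == "bzip2":
        return kind, bz2.decompress(payload)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return kind, b"".join(zf.read(n) for n in zf.namelist())
    return None, None


def recover_partial_gzip(fragment: bytes) -> bytes:
    """Decode as much as a truncated gzip stream allows (wbits=31 = gzip)."""
    return zlib.decompressobj(wbits=31).decompress(fragment)


def make_zip(data: bytes) -> bytes:
    """Build an ordinary, unencrypted .zip in memory (sender side)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", data)
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (gzip.compress(SECRET), bz2.compress(SECRET), make_zip(SECRET)):
        kind, plain = recover(blob)
        print(kind, plain == SECRET)
    half = gzip.compress(SECRET)
    print(len(recover_partial_gzip(half[: len(half) // 2])), "of", len(SECRET))
```

Nothing in any of these code paths takes a secret as input, which is why compression alone adds no confidentiality on the wire.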

  4. #4
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    426
    That's kind of what I thought. A temporary solution for me was to create a .rar archive that requires a password, thanks Dark Ninja. However, I know that there are utilities designed to find that password but it's gonna have to do.

    Joe

  5. #5
    Join Date
    Apr 2001
    Location
    Nashville, TN
    Posts
    3,198
    Originally posted by Magueta
    That's kind of what I thought. A temporary solution for me was to create a .rar archive that requires a password, thanks Dark Ninja. However, I know that there are utilities designed to find that password but it's gonna have to do.

    Joe
    Wait... I thought ZIP could support passwords, too?
    Registered Linux user #230403! Since March 2001! YAY.

    Try doing a forum search or a google search before asking a question. And please don't use HELP! in the topic of your post... it's so lame... Please don't PM me for help-- post a question in the forum instead.

  6. #6
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    The encryption that WinZip uses when you give it an archive password is really weak. I'm not sure about RAR's encryption, but I'd bet it's really weak too.

    Try getting a program that takes a password and generates an AES key from it, then encrypts / decrypts the target file with AES.

    If none exist, try writing one. This seems to be a decent library that does AES for you, given a key:

    http://fp.gladman.plus.com/cryptogra...logy/rijndael/

    It seems to be Windows at the moment, but if it doesn't rely on any Windows APIs to do the actual AES encryption, then it'll be portable.

  7. #7
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    426
    I wasn't aware of this when I first used WinRAR but it actually uses AES-128 encryption. You can read about it here --> http://www.win-rar.com/index.php?lan...cle_id=52&kb=1

    As far as writing one of my own, I haven't done any programming in a year or so and it would take a while to get back into shape.
    Thanks BWKAZ.

    Joe

  8. #8
    Join Date
    Apr 2001
    Posts
    1,496
    Originally posted by bwkaz
    The encryption that WinZip uses when you give it an archive password is really weak. I'm not sure about RAR's encryption, but I'd bet it's really weak too.

    Try getting a program that takes a password and generates an AES key from it, then encrypts / decrypts the target file with AES.

    If none exist, try writing one. This seems to be a decent library that does AES for you, given a key:

    http://fp.gladman.plus.com/cryptogra...logy/rijndael/

    It seems to be Windows at the moment, but if it doesn't rely on any Windows APIs to do the actual AES encryption, then it'll be portable.
    Yeah, this is what I was referring to. I *know* the WinZip/RAR/etc. passwords are very weak. I mean, I don't *know* personally or anything. I mean...I know 'cause...um...someone told me. Yeah! That's it!

    Anyway, yeah, go AES.