Computer Security - Winzip's 256bit-AES encryption & self-extracting files
#1

I am thinking of using Winzip 11 to send some files securely and will use Winzip's 256bit-AES encryption.

My recipients may not have Winzip, so I will use Winzip to make a self-extracting archive.

Would a 256bit-AES self-extracting archive be more crackable than a 256bit-AES ordinary zip archive?

Bakko

#2

Bakko wrote:
> Would a 256bit-AES self-extracting archive be more crackable than a
> 256bit-AES ordinary zip archive?

Yes, trivially, under the assumption of a modifying attacker. He could modify the SFX part to transmit the password the user entered, then either rewrite itself to the original SFX module or rootkit the target system to present itself as the original SFX. With the transmitted password, he can decrypt the content.

Sebastian G.

#3

"Bakko" <> wrote in message news:Xns9A15D34F3C0AB64A18E@127.0.0.1...
> I am thinking of using Winzip 11 to send some files securely and will
> use Winzip's 256bit-AES encryption.
>
> My recipients may not have Winzip, so I will use Winzip to make a
> self-extracting archive.
>
> Would a 256bit-AES self-extracting archive be more crackable than a
> 256bit-AES ordinary zip archive?

So how are you going to transmit the password for the recipient to decrypt the file that would be just as secure as the encrypted file? Since it sounds like you will be sending the file via e-mail to the "recipients", have them get an e-mail cert, they send you their public key, you use it to encrypt your file, and only they can decrypt it using their private key.

Otherwise, are you going to send them the password in the clear in the same e-mail as has the attached encrypted email? Are you going to send the password in a different email despite the same malcontent that is sniffing your traffic to get the encrypted attachment would also be sniffing it for another email with the password? Call them over an unencrypted phone call? If you password encrypt the file, just how are you going to get the password to the recipient?

VanguardLH

#4

On Sun 30 Dec 2007 09:41:20, VanguardLH wrote:
> "Bakko" <> wrote in message
>>
>> I am thinking of using Winzip 11 to send some files securely and
>> will use Winzip's 256bit-AES encryption.
>>
>> My recipients may not have Winzip, so I will use Winzip to make a
>> self-extracting archive.
>>
>> Would a 256bit-AES self-extracting archive be more crackable
>> than a 256bit-AES ordinary zip archive?
>>
>
> So how are you going to transmit the password for the recipient to
> decrypt the file that would be just as secure as the encrypted
> file? Since it sounds like you will be sending the file via e-mail
> to the "recipients", have them get an e-mail cert, they send you
> their public key, you use it to encrypt your file, and only they
> can decrypt it using their private key. Otherwise, are you going
> to send them the password in the clear in the same e-mail as has
> the attached encrypted email? Are you going to send the password
> in a different email despite the same malcontent that is sniffing
> your traffic to get the encrypted attachment would also be sniffing
> it for another email with the password? Call them over an
> unencrypted phone call? If you password encrypt the file, just how
> are you going to get the password to the recipient?

Hello VanguardLH, I wrote "recipients" (in the plural) because this requirement comes up time and again with different people. But I'm NOT sending the same file to a group of recipients. There is just one recipient at a time.

The reason for securing the archive contents is that the data will be sent on a CD and put into normal snail mail.

Although the data is sensitive it has no real value. The data is a bit like someone's medical data. No one else has any use for it. But if it gets lost in the post then it will be very embarrassing for the person concerned!

I will phone the recipient with the password because the chance seems vanishingly small of someone eavesdropping on my phone line for the password to that sort of data.

My concern is that if the CD gets lost then maybe someone could crack open the data if they were inquisitive?

That's why I want a very high level of data encryption. My question to the group is if a high level of encryption is used (like AES-256) as part of a SELF-EXTRACTING file then does the encryption provided by AES-256 get compromised?

Do you have any info on this?

Bakko

#5

Bakko wrote:
> My concern is that if the CD gets lost then maybe someone could crack
> open the data if they were inquisitive?

As I already said: You should worry much more about the CD being replaced with a modified CD by the attacker.

Sebastian G.

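The risk raised in posts #2 and #5 concerns the executable stub in front of the archive, not the AES-encrypted data behind it. The following added example (not part of the original thread) shows two recipient-side checks: comparing a whole-file SHA-256 against a value obtained out of band, and opening the embedded ZIP with an archive reader instead of running the stub. It assumes the stub is simply prepended to an unmodified ZIP; all function names and sample bytes are constructed for illustration, and the sample member is unencrypted stand-in data.

```python
import hashlib
import hmac
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def split_sfx(blob: bytes):
    """Split a stub-plus-ZIP file into (stub, archive) without running it."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    # Assumption: offsets count from the archive start, so the surplus
    # in front of the central directory is the prepended stub.
    stub_len = eocd - cd_size - cd_offset
    if stub_len < 0:
        raise ValueError("inconsistent central directory")
    return blob[:stub_len], blob[stub_len:]


def fingerprint(blob: bytes) -> str:
    """SHA-256 of the whole file, the value read out over the phone."""
    return hashlib.sha256(blob).hexdigest()


def matches(blob: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(fingerprint(blob), expected_hex.strip().lower())


def member_names(archive: bytes):
    """List members with a ZIP reader; the stub is never executed."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def _constructed_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"stand-in for the encrypted member")
    return buf.getvalue()


# Constructed sample: the same archive behind two different stubs.
ARCHIVE = _constructed_zip()
SENT = b"MZ" + b"\x90" * 64 + ARCHIVE       # what the sender burned to CD
SWAPPED = b"MZ" + b"\xcc" * 80 + ARCHIVE    # same data, different stub
EXPECTED = fingerprint(SENT)
```

Both files carry byte-identical archive data, so nothing about the encryption distinguishes them; only the whole-file hash, or skipping the stub and reading the archive directly, tells the recipient that the program asking for the password is not the one that was sent.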
#6

"Bakko" <> wrote in message news:Xns9A16B548F71F064A18E@0.0.0.0...
> On Sun 30 Dec 2007 09:41:20, VanguardLH wrote:
>> "Bakko" <> wrote in message
>>>
>>> I am thinking of using Winzip 11 to send some files securely and
>>> will use Winzip's 256bit-AES encryption.
>>>
>>> My recipients may not have Winzip, so I will use Winzip to make a
>>> self-extracting archive.
>>>
>>> Would a 256bit-AES self-extracting archive be more crackable
>>> than a 256bit-AES ordinary zip archive?
>>>
>>
>> So how are you going to transmit the password for the recipient to
>> decrypt the file that would be just as secure as the encrypted
>> file? Since it sounds like you will be sending the file via e-mail
>> to the "recipients", have them get an e-mail cert, they send you
>> their public key, you use it to encrypt your file, and only they
>> can decrypt it using their private key. Otherwise, are you going
>> to send them the password in the clear in the same e-mail as has
>> the attached encrypted email? Are you going to send the password
>> in a different email despite the same malcontent that is sniffing
>> your traffic to get the encrypted attachment would also be sniffing
>> it for another email with the password? Call them over an
>> unencrypted phone call? If you password encrypt the file, just how
>> are you going to get the password to the recipient?
>
> Hello VanguardLH, I wrote "recipients" (in the plural) because this
> requirement comes up time and again with different people. But I'm
> NOT sending the same file to a group of recipients. There is just
> one recipient at a time.
>
> The reason for securing the archive contents is that the data will
> be sent on a CD and put into normal snail mail.
>
> Although the data is sensitive it has no real value. The data is a
> bit like someone's medical data. No one else has any use for it.
> But if it gets lost in the post then it will be very embarrassing for
> the person concerned!
>
> I will phone the recipient with the password because the chance
> seems vanishingly small of someone eavesdropping on my phone line
> for the password to that sort of data.
>
> My concern is that if the CD gets lost then maybe someone could
> crack open the data if they were inquisitive?
>
> That's why I want a very high level of data encryption. My question
> to the group is if a high level of encryption is used (like AES-256)
> as part of a SELF-EXTRACTING file then does the encryption provided
> by AES-256 get compromised?
>
> Do you have any info on this?

Unless the NSA has you targeted, it is near impossible for any normal user, even a hacker, to get at the contents of your encrypted .zip file. For NSA, you'll probably expire when they crack it. I'm sure there is a site somewhere that gives estimates of how long to crack every possible combination for the different seeds and their lengths that you could specify based on computer equipment that could handle so many attempts per second but it's nothing of interest to me so I can't give you one which means you'll have to Google for it.

Remember that when estimates are given as to how long it takes to crack an encrypted file that it is an average, not for exercising all possible combinations, and could even be cracked on the first combination.

A lot has to do with how strong you make the password used for the seed in the encryption. Obviously if you used the recipient's name that is listed on the envelope containing the shipped CD then it would be pretty easy to crack that CD. Using their patient record, driver's license, home street address, phone number, social security number, and any other personal info that was associated to that recipient would also be poor choices since someone else could obtain that info and use it to decrypt the file. You really should use a random series of alphanumeric characters (along with some non-alphanumeric characters if the program permits them).

If an attacker is getting in within a time frame where the data still has some value to the attacker then they are going to go with using all the personal info as the password as they can dig up on the recipient or owner of that file.

VanguardLH

#7

"VanguardLH" <> wrote in news::
> A lot has to do with how strong you make the password used for the
> seed in the encryption...

Truer words were never spoken! The password is almost always weaker than the algorithm.

For example, to match the strength of a 256-bit encryption algorithm, assuming truly random sequences of characters, you would require a password at least 55 characters long if only lower-case was used, 45 characters long if upper-case and lower-case was used, 43 characters long if upper-case, lower-case and numbers were used, and 39 characters long if all 95 printable ASCII characters were used.

If the password consists of sequences of English words (Shannon entropy of 1.3 bits/character or so) then a passphrase 197 characters long would be needed (to match the strength of a 256-bit encryption algorithm).

Very few real-world passwords/passphrases are anywhere close to this.

Regards,
nemo_outis

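The lengths quoted in post #7 follow from dividing the target strength by the entropy per character. This added example (not part of the original thread) reproduces them, generalizes to any target strength and alphabet, and generates a random password of the required length with a cryptographic random source; the function names are chosen here for illustration.

```python
import math
import secrets
import string

# Alphabets matching the four cases in the post (26, 52, 62 and 95 symbols).
ALPHABETS = {
    "lower": string.ascii_lowercase,
    "upper+lower": string.ascii_letters,
    "upper+lower+digits": string.ascii_letters + string.digits,
    "printable ASCII": "".join(chr(c) for c in range(32, 127)),
}


def min_length(target_bits: float, bits_per_char: float) -> int:
    """Characters needed so that length * bits_per_char >= target_bits."""
    return math.ceil(target_bits / bits_per_char)


def chars_for(target_bits: float, alphabet: str) -> int:
    """Length of a uniformly random password over `alphabet`."""
    return min_length(target_bits, math.log2(len(alphabet)))


def effective_bits(length: int, alphabet: str, key_bits: int = 256) -> float:
    """Strength of the whole scheme: the weaker of the key and the password."""
    return min(key_bits, length * math.log2(len(alphabet)))


def random_password(target_bits: float, alphabet: str) -> str:
    """Random password of the minimum length, drawn with the secrets module."""
    n = chars_for(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        print(f"{name:20s} {chars_for(256, alphabet)} characters for 256 bits")
    print("English passphrase at 1.3 bits/char:", min_length(256, 1.3))
    pw = random_password(128, ALPHABETS["upper+lower+digits"])
    print("128-bit random password:", pw, f"({len(pw)} characters)")
```

A 12-character random alphanumeric password gives about 71 bits under this model, so with a 256-bit key the password, not the cipher, sets the strength of the archive.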
#8

VanguardLH wrote:
> Unless the NSA has you targeted, it is near impossible for any normal
> user, even a hacker, to get at the contents of your encrypted .zip
> file.

WTF? It's a triviality.

> For NSA, you'll probably expire when they crack it.

Within milliseconds?

> I'm sure there is a site somewhere that gives estimates of how long to crack
> every possible combination for the different seeds and their lengths

Who cares? You get the right combination on the first hit.

> A lot has to do with how strong you make the password used for the
> seed in the encryption.

Not in this case.

Sebastian G.

#9

On Sun, 30 Dec 2007 17:49:15 GMT, Bakko wrote:
> Although the data is sensitive it has no real value. The data is a
> bit like someone's medical data. No one else has any use for it.

WTF?

--
621 NW 53RD ST - STE 240; Boca Raton, FL. 33487
www.QualifyMe123.com
We finance *anyone* 110%
"The trick is in tricking the Lender; we're the best !! "
{C} 954-242-5638; {P} 561-995-1469 x 322; {F} 561-995-1489
Chris Cheney

#10

On Dec 2007 , Bakko <> wrote:
>>
>> That's why I want a very high level of data encryption. My
>> question to the group is if a high level of encryption is used
>> (like AES-256) as part of a SELF-EXTRACTING file then does the
>> encryption provided by AES-256 get compromised?
>>
>> Do you have any info on this?

On Mon 31 Dec 2007 00:13:53, VanguardLH <> wrote:
>
> Unless the NSA has you targeted, it is near impossible for any
> normal user, even a hacker, to get at the contents of your
> encrypted .zip file. For NSA, you'll probably expire when they
> crack it.

Vanguard, I may not be making my question clear enough. I accept that AES 256 is plenty secure enough and that Winzip's implementation of it is good for .ZIP files.

The QUESTION I am asking is this: Is the security of an AES 256 self-extracting zip .EXE as good as an AES 256 .ZIP file?

I would like to know if a self extracting EXE has any weaknesses compared to a ZIP (when both are encrypted).

Bakko