40

For example if I use WinRAR to encrypt a file and put a password on the archive how secure is it? I keep a personal journal and am thinking of doing this, or is there a better way? It's just one huge .docx file.

Maarten Bodewes
  • 4,602
  • 15
  • 29
Celeritas
  • 10,089
  • 22
  • 79
  • 144
  • 7
    Depends on the algorithm used by the file format. Some old "password protection" schemes just set a flag "password protected"; nowadays, there is always some sort of encryption (but then again, there are various broken encryption schemes, especially if the authors of the tool cook them up on their own). A much better option, security-wise would be using some system that has encryption as the primary goal (e.g. a TrueCrypt container), not as an afterthought to the primary function (as is the case with WinRAR). As for the legal question, ask a lawyer (no, seriously). – Piskvor left the building Aug 08 '12 at 09:25
  • "Out of curiosity, can what someone writes in their journal be used to incriminate someone in court?" Usually, yes. In the UK it's the worst: you face up to 2 or 5 years of prison (depending on the case) for not giving your encryption password - and that's besides whatever other fine or jail sentence you get for the case itself. – Luc Aug 08 '12 at 15:05
  • 2
    @Luc how would they prove the defendant didn't forget the password (or it had been changed by someone else)? – Celeritas Aug 08 '12 at 18:07
  • 1
    @Celeritas Exactly: they can't. Or worse: what if you have random data and they think it's encrypted? The law states, if I remember correctly, that if they can "reasonably assume" it's encrypted, you must provide the password. – Luc Aug 08 '12 at 21:38
  • 1
    If you're going down the route of encrypting with a tool other than the compression software, remember to compress first and encrypt second, or your compression rate will be zero. – Buhb Aug 09 '12 at 07:10
  • 3
    In case of WinRAR, people often use password, but when attacker know extension of file, it can be used to speed up brute force. For example, when attacker try to bruteforce docx document, it can be a little bit faster by checking header of file for well-known format of file. Structure of docx is XML compressed by ZIP, thus begin of decrypted/not-crypted file will be (hexa) 50 4B 03 04 and bruteforce application try to decrypt only firt 4 bytes and when first 4 bytes equal to known file-type, then try to decrypt whole file. This feature is used in advanced breakers to speed up process :-) –  Aug 10 '12 at 19:29
  • 2
    To prevent this, WinRAR have small feature "Encrypt file names". If checked, attacker will not have chance to know (from archive file), what type of file (by extension) is inside of archive :) –  Aug 10 '12 at 19:29
  • Please note that these answers are likely to be specific to version 3 of RAR format. RAR5 uses PBKDF2-SHA256 and AES-256 in CBC mode. – Maarten Bodewes Sep 26 '15 at 12:57
  • Note: I edited the question to remove the legal part of the question, but that may influence the answers out there. Maybe not such a good idea in retrospect. On the other hand, it seems pretty unrelated to the main question... Maybe something for a trusted user / mod to handle. – Maarten Bodewes Sep 26 '15 at 12:59

7 Answers7

31

Summary: yes, but use VeraCrypt instead.


From the documentation:

WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

So yes, the data is encrypted. This is only one of the elements of security, however. Another important element is how the key is derived from the password: what kind of key strengthening is performed? The slower the derivation of the key from the password, the more costly it is for an attacker to find the password (and hence the key) by brute force. A weak password is toast anyway, but good key strengthening can make the difference for a reasonably complex but still memorable password. WinRAR uses 262144 rounds of SHA-1 with a 64-bit salt, that's good key strengthening.

An academic paper has been written on the security of WinRAR: On the security of the WinRAR encryption feature by Gary S.-W. Yeo and Raphael C.-W. Phan (ISC'05). Quoting from the abstract (I haven't read the full text, it doesn't seem to be accessible without paying):

In this paper, we present several attacks on the encryption feature provided by the WinRAR compression software. These attacks are possible due to the subtlety in developing security software based on the integration of multiple cryptographic primitives. In other words, no matter how securely designed each primitive is, using them especially in association with other primitives does not always guarantee secure systems. Instead, time and again such a practice has shown to result in flawed systems. Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features.

The advantage of using the encryption built into the RAR format is that you can distribute an encrypted RAR archive to anyone with WinRAR, 7zip or other common software that supports the RAR format. For your use case, this is irrelevant. Therefore I recommend using a software that is dedicated to encryption.

The de facto standard since you're using Windows was TrueCrypt. TrueCrypt provides a virtual disk which is stored as an encrypted file. Not only is this more secure than WinRAR (I trust TrueCrypt, which is written with security in mind from day 1, far more than any product whose encryption is an ancillary feature), it is also more convenient: you mount the encrypted disk by providing your password, then you can open files on the disk transparently, and when you've finished you unmount the encrypted disk. Sadly TrueCrypt is no longer in active development but it's successor VeraCrypt is. VeraCrypt is based on TrueCrypt and is compatible with the old TrueCrypt containers.


Out of curiousity can what someone writes in their journal be used to incriminate someone in court?

This depends on the jurisdiction, but in general, yes, as they say in the movies, anything you say or write can be used against you. You may be legally compelled to reveal encryption keys, and may face further charges if you refuse.

Glorfindel
  • 2,263
  • 6
  • 19
  • 30
Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • Weak key strengthening is one of the points I dislike about TrueCrypt. – CodesInChaos Aug 08 '12 at 12:16
  • 1
    @CodesInChaos I thought I remembered it did this right… Ok, [Can the TrueCrypt hash be slowed down?](http://security.stackexchange.com/questions/14218/can-the-truecrypt-hash-be-slowed-down/14231#14231) says 1000 iterations of SHA-512 with a good-sized salt. That's a bit fast but not altogether broken. Ah, I see that [WinRAR does more iterations](http://blog.zorinaq.com/?e=15) and uses a 64-byte salt (good enough). The use of ECB stands out as negatively, but for compressed data it's unlikely to matter. – Gilles 'SO- stop being evil' Aug 08 '12 at 12:37
  • 2
    You highly recommend Truecrypt, but I don't hear many arguments. Sure, they had security in mind since day one, but did they succeed? Is it really that much safer than WinRAR? How long would it take to crack a winrar archive vs truecrypt disk, given the same password? – Luc Aug 08 '12 at 15:02
  • 1
    @Luc I'm unable to find an academic security review of TrueCrypt. There has been no recent history of bad bugs, and a [success story](https://en.wikipedia.org/wiki/TrueCrypt#Operation_Satyagraha). Note that I recommend its basic disk encryption feature, not its “plausible deniability” features (which do advertise more than what they provide). Recent versions of WinRAR and Truecrypt use the same method to derive the key from the password, but WinRAR performs more iteration, so if everything else is equal cracking should take less time with Truecrypt, but not overwhelmingly so. – Gilles 'SO- stop being evil' Aug 08 '12 at 16:13
  • 2
    @CodesInChaos It appears our information was out of date: according to the [documentation](http://www.truecrypt.org/docs/?s=header-key-derivation), TrueCrypt uses PBKDF2, though with a lower iteration count than WinRAR. – Gilles 'SO- stop being evil' Aug 08 '12 at 16:14
  • Seems like it changed now to 256bits "WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 256 bits." – pinkpanther Jul 05 '16 at 18:41
  • 1
    @pinkpanther 256 vs 128 is irrelevant for the security of AES: 128 is already unbreakable. What matters is how AES is used — ECB is bad (and it's such an ignorant mistake that it makes one wonder what else they got wrong). – Gilles 'SO- stop being evil' Jul 05 '16 at 20:17
  • I would recommend mentioning stenography/plausible denyability (and possibly some very strong stenographic technologies like StegFS) as a way to fight being legally compelled to reveal encryption keys. – Samuel Allan Feb 08 '18 at 04:00
  • @SamuelAllan In the imagination of nerds, you mean. In practice, it doesn't really make any difference whether you say “I don't remember the key” or “I don't want to reveal the key”. Either you're in a democratic framework and you aren't compelled to incriminate yourself, or you aren't and then it deniability is not plausible and will only get you into further trouble. – Gilles 'SO- stop being evil' Feb 08 '18 at 09:33
  • @Gilles, you should research stenography before commenting, you DO reveal the key, except you reveal not the key to your truly private data (which is your other key) but the key to naughty-looking but not illegal data. This way you have in fact revealed the key, and there is no known way to prove that another key even exists. With encryption scemes like AES, if you reveal the key it is always possible to tell whether you have or haven't revealed the true key (the data decrypted will either be totally random or very organized), and hence you are pressured to reveal it. – Samuel Allan Feb 08 '18 at 17:54
  • @SamuelAllan When you reveal the fake key, in practice, it's obvious that it's the fake key. THat's why plausible deniability is almost always an illusion. It isn't plausible at all. There may be a small window where it's an implausible but legally acceptable excuse, but you're still in trouble. – Gilles 'SO- stop being evil' Feb 08 '18 at 18:03
  • @Gilles why is it obvious? If I have a whole filesystem with a fake key, a bunch of programs installed, facebook conversations and a couple of browsers? Of course if I spend 3 second on creating a 'realistic looking' fake environment it isn't going to work, but since I use stenography I might as well put some effort in and have 10-20 keys, where each looks realistic (and actually has use cases) – Samuel Allan Feb 08 '18 at 22:06
  • @Gilles my bad - I said 'stenography' instead of 'steganongraphy' which is actually the correct word, maybe that confused you.. Apologies – Samuel Allan Feb 10 '18 at 15:49
  • @Samuel The word is actually *steganography*. I hadn't even noticed your original typo. I understand what you mean and refute it. Don't pass off disagreement as confusion. – Gilles 'SO- stop being evil' Feb 10 '18 at 18:56
  • @Gilles, I think it is fair to sum up the main points in the following fashion: (1) From a cryptographic/mathematical perspective there currently is no public known technique to determine number and sizes of sections in a steganographic file system, (2) Practically - often (if not almost always) because of references in files and usage patterns (or a camera photographic your laptop use, you can almost always find ALTERNATIVE EVIDENCE to force the victim to reveal keys, here you are right. (3) However, if extreme effort is put in, one can make effective use of steganography. – Samuel Allan Feb 12 '18 at 19:01
  • "You may be legally compelled to reveal encryption keys," Nemo tenetur se ipsum accusare https://en.wikipedia.org/wiki/Right_to_silence – Zsolt Szilagy Nov 21 '21 at 13:55
8

From WinRAR benefits page:

WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

So yes, using password protection encrypts your file too. 7-Zip uses AES-256 encryption. Another approach to protect your files could be creating encrypted file (or disk) using TrueCrypt, where you can choose encryption algorithm that suits your needs.

Just remember to use strong password to prevent brute-force attack.

bretik
  • 1,870
  • 13
  • 22
  • 4
    The choice of encryption algorithm isn't that important unless it sucks. A bad KDF is much more common. – CodesInChaos Aug 08 '12 at 12:14
  • 1
    Seems like it changed now to 256bits "WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 256 bits." – pinkpanther Jul 05 '16 at 18:41
6

You mention "docx" so I assume that you are on Office 2007 or 2010. The encryption mechanism implemented there is OK, you must make sure that your password is strong enough. In other words you do not need to use an external program to protect your file.

A Stack Overflow question covered the encryption algorithms for Office. This is closed-source code so if you are paranoid you should use TrueCrypt.

As for the second part of the question: it completely depends on the legal system you are in. There are two aspects to take into account:

  • whether it is legal to use the content against you (no matter if it is encrypted or not)
  • what happens if you do not give the encryption key and the crypto part is strong enough / correctly implemented so that access is not possible without it.
WoJ
  • 8,968
  • 3
  • 33
  • 51
  • 2
    I had a quick look at the [MS Office crypto spec](http://msdn.microsoft.com/en-us/library/cc313071%28v=office.12%29.aspx) and it looks like the “good” encryption mode uses AES and PBKDF2, but there are legacy modes as well. How do you know you're using the good mode? – Gilles 'SO- stop being evil' Aug 08 '12 at 15:51
  • 2
    The Appendix of the document mentions that AES 128 is used by default for Office for 2007+ . I will be meeting some MS security teams by autumn so I will ask the question about legacy algorithms and update my answer. – WoJ Aug 08 '12 at 19:18
  • 1
    I know it's been 5 years, but can you remember how that meeting with the security teams went, and if so, would you mind updating your answer? :-) – Hashim Aziz Apr 03 '17 at 04:43
3

Yes, WinRAR encrypts the archive when a password is used. I personally recommend 7-Zip application as it offers more flexibility. Yes, what you write anywhere can incriminate you as long as it is legal for the court to use that as evidence. The court can use your personal journal/diary against you. I'm not a lawyer though.

Matrix
  • 4,028
  • 14
  • 25
2

Different archive formats offer different levels of security, but they all suffer from the same flaw: you can't actually USE the file without extracting and unencrypting it. More importantly, this is done on-disk, which means a copy of your file without encryption remains on your computer. Programs like word tend to also create auto-save files which add even more unencrypted copies.

Your best bet is a whole-disk encryption solution, of which TrueCrypt is the leading contender.

tylerl
  • 82,665
  • 26
  • 149
  • 230
1

If you are afraid of potential legal problems about what you write, then WinRAR is not secure enough. There are a lot of rar password breaking programs out there.

I would recommand TrueCrypt . But make sure Word didn't make any copies of your current document in your temp folder.

jmn
  • 101
  • 1
  • 6
  • This answer is very out of date now. WinRAR now supports AES-256 encryption, and TrueCrypt is no longer developed (replaced by VeraCrypt). – Simon East Feb 09 '20 at 04:54
1

I feel compelled to offer some caveats because there are probably others reading this out of curiosity:

  1. The OP did not make reference to his country of residence, so I will assume that he is in the USA for the legal questions.
  2. Any encryption should be used under the assumption that it is not a foolproof security mechanism and can be breached by anyone, given enough time and force. It is - at best - a temporary hurdle that can be overcome.
  3. Anything stored electronically, whether on your computer or elsewhere, can be used against you in court provided it was obtained lawfully. It does not fall under the category of 5th Amendment privilege (not even a "journal"), nor does it vary by state or local jurisdiction. This has been to the SCOTUS multiple times and is considered settled law at this point.
  4. Failure to provide a decryption passphrase when ordered is considered contempt of court, with a penalty of imprisonment indefinitely (as long as it is withheld).

Therefore I would consider the initial questions to be irrelevant to each other.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
Jim S.
  • 11
  • 1
  • By use of strong stenography / plausible denyability it is possible to make it infeasible to prove that you have any other encryption keys. For example, you could have 3 sections in StegFS (internally organized) with 3 different password, 'abc123' 'supersecret' and 'abcdefghi'. The court asks you to provide decryption keys, you give them passwords 1, and reluctantly mention password 2. Due to the wonderful invention of cryptographic stenography it is now infeasible (until some major mathematical breakthough) to prove that a third key even exists – Samuel Allan Feb 08 '18 at 04:04
  • Wow... you can really be imprisoned *indefinitely* for not giving up a password? Sheesh. – Simon East Feb 09 '20 at 04:58