4

I thought that ZIP file passwords were a fairly decent protection.

I came across this video, that seems to indicate otherwise.

https://www.youtube.com/watch?v=SqRSNuJSm4o [12 minutes view time]

Synopsis:

The guy uses a zip2exe program to create a self-extracting archive from a password-protected zip file, which he then runs without using the password and unzips the archive.

What do you think of it? Does it only apply to his particular setup, and if so, what is it in his setup that makes it easy to break the password?

mcu
  • 173
  • 1
  • 1
  • 6
  • 1
    Ok, what I should have asked, does it only apply to his particular setup, and if so, what is it in his setup that makes it easy to break the password? – mcu Jul 03 '15 at 20:25
  • 1
    Question is much better. I retracted my votes and Phillip has your answer. – schroeder Jul 03 '15 at 20:30
  • @coding4fun I amended my answer. The password doesn't appear to be broken. NSIS appears to extract empty files when working with encrypted ZIP archives. – Philipp Jul 03 '15 at 20:38
  • The so-called "duplicate" asked about one specific protection mechanism this one is more general. – Peter Green Mar 27 '17 at 01:28

1 Answers1

13

The ZIP format supports several variants of password-protection of a file.

The early password protection system in ZIP is known to be seriously flawed. However, later versions of the format provide far better protection, including support for stock encryption algorithms like AES to which no known attacks exist.

The author of the video appears to be using WinRAR. RARLabs, developers of WinRAR, try to promote their proprietary RAR format, and claim that ZIP does not support AES encryption. That's simply misinformation, considering that competing products like 7-zip do support it. I would suspect that they intentionally use a weak implementation of ZIP to make their own format look better in comparison.

But Nullsoft Installation System (NSIS) does not actually seem to contain a cracker for weak ZIP archives. Why should it? It's a sofware for building installers, not a cracking tool.

Notice that the presentator does not try to actually open any of the unpacked files. The directory structure of a ZIP archive isn't encrypted, so it can be read without the password. Working with encrypted archives is quite out of scope for an installer builder, so the developers likely didn't even bother to detect encrypted files. A telltale sign that the unpacked files are in fact just garbage is this screenshot from the unpacked directory at 11:00. enter image description here Notice something? Hint:

The only visible file here shows a filesize of 0 bytes. The other unpacked files likely don't look much better.

Philipp
  • 49,017
  • 8
  • 127
  • 158
  • What about Window's built-in zip program? Does it use AES by default? Can Windows unzip AES-encrypted zip files? – mcu Jul 03 '15 at 20:13
  • 1
    I, too, would have liked to have seen the files actually accessible. The self-extractor may have simply build the directory structure and not decrypted the files. – schroeder Jul 03 '15 at 20:23
  • 1
    @coding4fun No, the default ZIP support by Windows Explorer does not support AES. – Philipp Jul 03 '15 at 20:29
  • 2
    Good catch on the file size! Yeah - I call BS on the video. Nothing has been cracked. In fact, it might have nothing to do with the particular program he used to zip or to create the self-extractor. – schroeder Jul 03 '15 at 20:30
  • I thought it was suspicious that he did not open any of the files, but I thought maybe I was missing something. – mcu Jul 03 '15 at 20:34
  • And that "catalog" and "mail" are both mis-spelt. – Eureka Jul 27 '18 at 22:37