analysis of the winzip encryption method
play

Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno - PowerPoint PPT Presentation

Nov 24, 2023 •95 likes •492 views

Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno Presented by: Ken, Mike, Jeremy & Paul The popular compression utility for Microsoft Windows computers Easy-to-use AES encryption - Advanced Encryption version

  1. Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno Presented by: Ken, Mike, Jeremy & Paul

  2. The popular compression utility for Microsoft Windows computers • “Easy-to-use AES encryption” - Advanced Encryption version two (AE-2) – Derives AES and HMAC-SHA1 keys from user’s passphrase • Encrypts compression output with with AES-CTR • Authenticates resulting ciphertext with HMAC-SHA1

  3. A Secure Implementation? • Proven secure MAC: – HMAC-SHA1 • Proven secure Encryption: – AES in counter mode • Proven secure combination: – Encrypt-then-MAC

  4. But… “ Security products must be evaluated as a whole, and the security of a whole product may not follow as a simple corollary of the security of the underlying components.”

  5. Compression and Encryption • WinZip creates two records for each file – Main file record – Central directory record • Each Zip archive contains (in order): – The main file records concatenated together – The central directory records concatenated together – An End-of-Archive record Note: A WinZip archive can contain multiple files. Each file is compressed/encrypted independently .

  6. Archive Contents The Main File Record The Central Directory Record Directory Record Indicator File Record Indicator Version Made By Extraction Version Needed Extraction Version Needed General Purpose Bit Flag General Purpose Bit Flag Compression Method Compression Method Last Modified Time Last Modified Time Last Modified Date Last Modified Date 32-Bit CRC 32-Bit CRC Compressed Size Compressed Size Uncompressed Size Uncompressed Size Filename Length Filename Length Extra Field Length Extra Field Length Filename File Comment Length Extra Field Disk Number Start File Data Internal/External File Attributes Relative Header Offset Filename Extra Field File Comment

  7. Archive Contents The Main File Record The Central Directory Record Directory Record Indicator File Record Indicator Version Made By Extraction Version Needed Version Needed to Extract General Purpose Bit Flag General Purpose Bit Flag Compression Method Compression Method Last Modified Time Last Modified Time Last Modified Date Last Modified Date 32-Bit CRC 32-Bit CRC Compressed Size Compressed Size Uncompressed Size Uncompressed Size Filename Length Filename Length Extra Field Length Extra Field Length Filename File Comment Length Extra Field Disk Number Start File Data Internal/External File Attributes Relative Header Offset Filename Extra Field File Comment

  8. Important Archive Contents The Main File Record The Central Directory Record Compression Method Compression Method Last Modified Time Last Modified Time Last Modified Date Last Modified Date 32-Bit CRC 32-Bit CRC Uncompressed Size Uncompressed Size Filename Filename Extra Field Extra Field File Data With AE-2 Encryption Enabled With AE-2 Encryption Enabled the Extra Fields Contain: the File Data Field Contains: Extra Fields Header ID Salt Data Size Password Verification Value Version Number Encrypted File Data Vendor ID Authentication Code Encryption Strength Actual Compression Method

  9. File Encryption and Authentication Code Process Encrypted Compressed Record 1 Plaintext-1 Plaintext-1 Ciphertext-1 Ciphertext MAC AES in CTR HMAC Mode -SHA1 (Counter=0) Metadata-1 Record 2 Ciphertext-2 Ciphertext MAC Record 3 Ciphertext-3 Ciphertext MAC Record n Ciphertext-n Ciphertext MAC Salt-n Passphrase Metadata-n Salt-n File Record n MAC Ciphertext-n n Password Verification Value

  10. Counter Mode AES Encryption CTR-0 CTR-1 CTR-2 CTR-n F F F F M 0 X 0 M 2 X 2 M n X n X 1 M 1 Xor Xor Xor Xor C 0 C 1 C 2 C n

  11. WinZip Security Problems: � Interactions between compression and the AE-2 encryption method. � The names of files and their interpretations � Information leakage from encrypted files' metadata � Interactions with AE-1 and a chosen-protocol attack � Archives with both encrypted and unencrypted files. � Key collisions and repeated keystreams

  12. Exploiting the Interaction Between Compression and Encryption Alice Bob F.zip Mallory changes the F ′ .zip compression method of F.zip to create F ′ .zip Recall that the metadata is not Authenticated , therefore Mallory can change these values without voiding the HMAC-SHA1 tag. • When Bob attempts to decrypt F ′ .zip (with the wrong compression method), the contents will be garbage.

  13. Create Encrypted Zip Archive Using 128-bit AES Encryption

  14. Change Compression Method Values: 08 00 Compressed 00 00 Not Compressed

  15. Decryption of the Modified Archive - WinZip 9.0

  16. Garbage… •If Mallory obtains this garbage, he can reconstruct F.zip. •Is it practical for Mallory to obtain this garbage?

  17. Decryption of the Modified Archive - WinZip 9.0 SR-1

  18. Exploiting the Association of Applications to Filenames • A variant of the previous scenario could also be to simply change the filename extension. (i.e. from .doc to .xls) • Or the entire filename: Swap Alice-Salary.dat with Mallory-Salary.dat

  19. Information Leakage • *Cleartext Metadata: – Filenames, modified dates & times, CRC’s, & file lengths • Compression as a ‘Side-Channel’ (John Kelsey): – Compare original and compressed file sizes • Supplements pre-existing partial knowledge • Compare the compression ratios of related files • Why? – Engineering or Design Complexities – Functionality • The ability to view archive contents without entering the passphrase * The WinZip documentation notes the existence of such cleartext metadata, but does not address the security implications.

  20. AE-1 vs. AE-2 • Two methods of AES encryption used by WinZip. • Due to a security flaw in AE-1 (CRC of plaintext is included in unencrypted format in the output), it was replaced by AE-2 in WinZip 9.0 Beta 3. – The CRC is a 32-bit checksum used to detect corrupted data. • Backward compatibility is maintained, a little too well: – http://www.winzip.com/aes_info.htm • “Files encrypted using the AE-1 method do include the standard Zip CRC value. This, along with the fact that the vendor version stored in the AES extra data field is 0x0001 for AE-1 and 0x0002 for AE-2, is the only difference between the AE-1 and AE-2 formats.” • ZIP utilities that support AE-2 must support AE-1, and during decryption of AE-1 files, they should verify that the CRC matches.

  21. Backwards compatibility exploited • Adversary can force WinZip to use AE-1 decryption on an AE-2 encrypted file – Just change the vendor ID – Remember, everything else is the same: The same process is used to decrypt the file either way. • But now, WinZip will verify the CRC field!

  22. Adversary can guess the content Alice Bob F.zip Mallory F ′ .zip (Replaces F with F-prime) • Mallory guesses the content of a file in F.zip. • Mallory computes the CRC of his guess. • He then modifies F to F ′ : changes ID number from AE-2 to AE-1 and inserts the CRC of his guess into the CRC field of the file.

  23. Adversary can guess the content • Bob receives F ′ .zip and attempts to decrypt it. – If Mallory’s guess was correct, Bob will decrypt without errors. • If Mallory does not see a complaint, will assume guess was correct. – If Mallory’s guess was incorrect, Bob will get an error, and complain to Alice. • Mallory will intercept this complaint.

  24. Adversary can guess the content Alice Bob F.zip Mallory • Unfortunately, this is an online attack (requires active participation by Alice and Bob for each guess) – can we do better?

  25. Offline attack • If Bob includes WinZip’s error messages or log files (with the CRC) in his complaint to Alice. • Then, Mallory can intercept this complaint and conduct an offline attack.

  26. Attacking Zip Encryption at the File Level • Each file within the archive is encrypted separately • Not all files within the archive may be encrypted – some might just be compressed • Attacker can replace individual encrypted files with unencrypted files containing any content

  27. Attacking Zip Encryption at the File Level (2) Salaries.zip Alice-Salary Mallory-Salary Bob-Salary (encrypted) (encrypted) (encrypted) Fake Mallory-Salary (unencrypted) • Bob will receive no warning when decrypting. • Usability issue?

  28. Dictionary Attacks Passphrase AES Key Key Generator Salt HMAC-SHA1 Key •Salt (random value) used to impede dictionary attacks •Intended to prevent attacker from pre-computing associations between passphrases and keys.

  29. How do we fix these issues?

  30. Fixing Compression/Encryption Methods and File Names/Associations Authenticate everything!

  31. Fixing Compression/Encryption Methods and File Names/Associations • For WinZip – At minimum, the compression type value and file sizes should be MAC’d with the ciphertext • Can naturally extend this to include all data necessary to ensure the correct interpretation of the data as well (i.e. filenames, dates, sizes, and any other important metadata)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption Changhyun Lee, Yeonju Choi, Hyeongmin Park, Kangbin Yim, and Sun-Young Lee Soonchunhyang University IMIS 2019 Presenter: Brandon Falk (

645 views • 21 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Homomorphic Encryption for Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption Homomorphic encryption (HE): encryption schemes that support computation on ciphertexts Consists of three functions: m c

548 views • 26 slides
Outline Analysis of Algorithms Definition Aggregate Method Accounting Method

Outline Analysis of Algorithms Definition Aggregate Method Accounting Method

Outline Analysis of Algorithms Definition Aggregate Method Accounting Method Amortized Analysis Potential Method Examples : Binary Counter and Dynamic Table http://www.cp.eng.chula.ac.th/faculty/spj Cost of A Sequence of

379 views • 21 slides
Outline Analysis of Algorithms Definition Aggregate Method Accounting Method

Outline Analysis of Algorithms Definition Aggregate Method Accounting Method

Outline Analysis of Algorithms Definition Aggregate Method Accounting Method Amortized Analysis Potential Method Examples : Binary Counter and Dynamic Table http://www.cp.eng.chula.ac.th/faculty/spj Cost of A Sequence of

332 views • 14 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Functional Resonance Analysis Method Maher Ali Al-Quhali maa@wmu.se Elif Bal Besikci: ebb@wmu.se

Functional Resonance Analysis Method Maher Ali Al-Quhali maa@wmu.se Elif Bal Besikci: ebb@wmu.se

Malm, 30/10/2018 OpenRisk Project Baltic Sea case study: FRAM Functional Resonance Analysis Method Maher Ali Al-Quhali maa@wmu.se Elif Bal Besikci: ebb@wmu.se Functional Resonance Analysis Method FRAM is a method to analyze and model

592 views • 13 slides
Method Based on Morphological Analysis, Clustering and the Mahalanobis-Taguchi Method Hirohisa

Method Based on Morphological Analysis, Clustering and the Mahalanobis-Taguchi Method Hirohisa

A Test Case Recommendation Method Based on Morphological Analysis, Clustering and the Mahalanobis-Taguchi Method Hirohisa Aman 1) Takashi Nakano 2) Hideto Ogasawara 2) Minoru Kawahara 1) 1) Ehime University, Japan 2) Toshiba Corporation, Japan

793 views • 52 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

H2020-ICT-15 GA 688722 TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute Summer school on real-world crypto and privacy 9 th June 2016 *Thanks to George Danezis for sharing slides Privacy in

862 views • 33 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Pratical case and Data State of the art Differential Analysis method based on CCHAC Conclusion Hi-C Differential Analysis: A new method using tree representation based on Contiguity Constrained Hierarchical Agglomerative Clustering (CCHAC)

644 views • 28 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is

OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is

OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is it needed/used ? Types of Hypervision why not OpenVMS ? Processor Architectures artedi e.U. Mai-16 2 Agenda - II what else is

660 views • 38 slides
Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers alexander.blaauwgeers@os3.nl University of Amsterdam Student Presentation for Research Project 1 RP1 Project Presentation Supervisor: Alex

522 views • 24 slides
Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF,

Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF,

Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF, Nicolas RIVIERE, Pascal BERTHOU, Yann LABIT SARA/TSF Team, LAAS-CNRS ERTS, January, 29th 2020 Laboratoire conventionn LAAS-CNRS avec

312 views • 20 slides
Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam Introduction Problem Securely storing BigData on NoSQL database systems.

669 views • 48 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
Electrical Medical Records La Trobe University, Monash University, Victoria University and RMIT

Electrical Medical Records La Trobe University, Monash University, Victoria University and RMIT

Efficient and Secure Cloud Based Healthcare Systems for the Storage of Electrical Medical Records La Trobe University, Monash University, Victoria University and RMIT What We Will Cover Today Introduction and Motivation Introduction

472 views • 44 slides
Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary

Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary

Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary Webinar From healthsystemCIO.com Sponsored by Proofpoint Your Line Will Be Silent Until Our Event Begins at 12:00 ET Thank You! Slide Deck:

468 views • 22 slides

More recommend