Re: Utility to open WINZIP with AES encryption



On 22 Feb 2007, <kingthorin@xxxxxxxxx> wrote:

On Feb 21, 9:50 pm, Sebastian Gottschalk <s...@xxxxxxxxx> wrote:
one-o wrote:
One-o wrote:

I use Winzip Pro 10.0.6698 and create standard archives with a
ZIP file extension which I send as an email attachment. I do
not create self-extracting EXE files as many company
firewalls block EXEs attached to emails.

On 20 Feb 2007, Sebastian Gottschalk <s...@xxxxxxxxx> wrote:

Of course, in terms of encryption this would be utterly stupid.

Please explain what you mean.

Presume an attacker who has the capability to change the file.
He attaches his own payload, which captures the password, unpacks
the content and modifies the target system to report this file
without the payload, then sends out the captured password.

For sensitive data, I use either 128-bit AES or 256-bit AES
encryption in Winzip.

Nah, can't be that sensitive.

Actually it is.

No, it isn't, because the implementation in WinZip is well-known
to be broken. Thus, you might leak some data.


Actually according to NIST WinZip's AES implementation is FIPS 192
certified:
http://csrc.nist.gov/cryptval/aes/aesval.html


I wonder if Sebastian is going to reply?