Attacking and repairing the winZip encryption scheme

WinZip is a popular compression utility for Microsoft Windows computers, the latest version of which is advertised as having "easy-to-use AES encryption to protect your sensitive data." We exhibit several attacks against WinZip's new encryption method, dubbed "AE-2" or "Advanced Encryption, version two." We then discuss secure alternatives. Since at a high level the underlying WinZip encryption method appears secure (the core is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one of our attacks was made possible because of the way that WinZip Computing, Inc. decided to fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.

[1]  Eli Biham,et al.  A Known Plaintext Attack on the PKZIP Stream Cipher , 1994, FSE.

[2]  Bruce Schneier,et al.  Analysis of the SSL 3.0 protocol , 1996 .

[3]  Peter Deutsch,et al.  DEFLATE Compressed Data Format Specification version 1.3 , 1996, RFC.

[4]  Burton S. Kaliski,et al.  PKCS #5: Password-Based Cryptography Specification Version 2.0 , 2000, RFC.

[5]  Jonathan Katz,et al.  A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols , 2000, USENIX Security Symposium.

[6]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[7]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[8]  Michael Stay ZIP Attacks with Reduced Known Plaintext , 2001, FSE.

[9]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[10]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[11]  Vittorio Loreto,et al.  Language trees and zipping. , 2002, Physical review letters.

[12]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[13]  Ilya Mironov,et al.  (Not So) Random Shuffles of RC4 , 2002, IACR Cryptol. ePrint Arch..

[14]  Eli Biham,et al.  How to decrypt or even substitute DES-encrypted messages in 228 steps , 2002, Inf. Process. Lett..

[15]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[16]  Jonathan Katz,et al.  Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG , 2002, ISC.

[17]  John Kelsey,et al.  Compression and Information Leakage of Plaintext , 2002, FSE.