Attacking and repairing the WinZip encryption scheme

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2004, Pages 72-81

  Kohno, Tadayoshi ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Applied cryptography; Attacks; Compression; Encryption; Security fixes; Winzip; Zip

Indexed keywords

COMPUTER ARCHITECTURE; COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE; DATA COMPRESSION; DATA STORAGE EQUIPMENT; ELECTRONIC MAIL; INFORMATION RETRIEVAL;

APPLIED CRYPTOGRAPHY; ATTACKS; SECURITY FIXES; WINZIP;

PUBLIC KEY CRYPTOGRAPHY;

EID: 14844299379     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030083.1030095     Document Type: Conference Paper

References (27)

1. M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 531-545. Springer-Verlag, Berlin Germany, Dec. 2000.
2. M. Bellare and P. Rogaway. Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 317-330. Springer-Verlag, Berlin Germany, Dec. 2000.
3. D. Benedetto, E. Caglioti, and V. Loreto. Language trees and Zipping. Physical Review Letters, 88(4), Jan. 2002.
4. 28 steps. Information Processing Letters, 84, 2002.
5. E. Biham and P. Kocher. A known plaintext attack on the PKZIP stream cipher. In B. Preneel, editor, Fast Software Encryption' 94, volume 1008 of Lecture Notes in Computer Science. Springer-Verlag, Berlin Germany, 1994.
6. R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In B. Pfitzmann, editor, Advances in Cryptology - EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 451-472. Springer-Verlag, Berlin Germany, 2001.
7. J. Daemen and V. Rijmen. The Design of Rijndael. Springer-Verlag, Berlin Germany, 2002.
8. P. Deutsch. DEFLATE compressed data format specification version 1.3. IETF RFC 1951, May 1996.
9. Info-ZIP. Info-ZIP note, 20011203, Dec. 2001. Available at ftp://ftp.info-zip.org/pub/infozip/doc/appnote-011203-iz.zip.
10. K. Jallad, J. Katz, and B. Schneier. Implementation of chosen-ciphertext attacks against PGP and GnuPG. In A. H. Chan and V. D. Gligor, editors, Information Security, 5th International Conference, volume 2433 of Lecture Notes in Computer Science, pages 90-101. Springer-Verlag, Berlin Germany, 2002.
11. D. W. Jones. The Case of the Diebold FTP Site, July 2003. Available at http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html.
12. B. Kaliski. PKCS #5: Password-based cryptography specification version 2.0. IETF RFC 2898, Sept. 2000.
13. J. Katz and B. Schneier. A chosen ciphertext attack against several e-mail encryption protocols. In Ninth USENIX Security Symposium, 2000.
14. J. Katz and M. Yung. Unforgeable encryption and chosen ciphertext secure modes of operation. In B. Schneier, editor, Fast Software Encryption 2000, volume 1978 of Lecture Notes in Computer Science, pages 284-299. Springer-Verlag, Berlin Germany, Apr. 2000.
15. J. Kelsey. Compression and information leakage of plaintext. In J. Daemen and V. Rijmen, editors, Fast Software Encryption 2002, volume 2365 of Lecture Notes in Computer Science, pages 263-276. Springer-Verlag, Berlin Germany, 2002.
16. T. Kohno. Attacking and repairing the WinZip encryption scheme. Cryptology ePrint Archive Report 2004/078, http://eprint.iacr.org/2004/078/, 2004. Full version of this paper.
17. H. Krawczyk. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In J. Kilian, editor, Advances in Cryptology - CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 310-331. Springer-Verlag, Berlin Germany, Aug. 2001.
18. I. Mironov. (Not so) random shuffles of RC4. In M. Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 304-319. Springer-Verlag, Berlin Germany, 2002.
19. PKWARE. APPNOTE.TXT - .ZIP File Format Specification, Apr. 2004. Version 6.2.0, available at http://wvw.pkware.com/products/enterprise/white_papers/ appnote.txt.
20. PKWARE. APPNOTE.TXT - .ZIP File Format Specification, Jan. 2004. Version 6.1.0, replaced by [19].
21. P. Rogaway. Authenticated encryption with associated data. In V. Atluri, editor, Proceedings of the 9th Conference on Computer and Communications Security, Nov. 2002.
22. M. Stay. ZIP attacks with reduced known plaintext. In M. Matsui, editor, Fast Software Encryption 2001, volume 2355 of Lecture Notes in Computer Science, pages 124-134. Springer-Verlag, Berlin Germany, 2001.
23. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In Proceedings of the Second USENIX Workshop on Electronic Commerce, 1996.
24. WinZip Computing, Inc. AES encryption information: Encryption specification AE-2, Jan. 2004. Version 1.02, available at http://www.winzip.com/ aes_info.htm.
25. WinZip Computing, Inc. Download WinZip add-ons, Apr. 2004. Available at http://www.winzip.com/daddons.htm.
26. WinZip Computing, Inc. Homepage, Mar. 2004. Available at http://www.winzip.com/.
27. WinZip Computing, Inc. What's new in WinZip 9.0, Mar. 2004. Available at http://www.winzip.com/whatsnew90.htm.