Are the files encrypted with the 7ZIP password cracker vulnerable?

275    Asked by Amitraj in Cyber Security , Asked on Mar 29, 2022

A client says they can't accept password-protected PDFs to put in their payroll system, so I have to send them without security. I don't want to send unsecured PDFs via email because email is inherently insecure. I figured a good alternative was, instead of password-protecting each PDF, I could encrypt the containing folder with 7ZIP, which I got from https://www.7-zip.org/  At first I was optimistic about this option, but a quick Google search led me to articles such as this one where apparently there are easy to find tools, such as 7z Cracker:

"7z Cracker is an open source cracking tool which can extract any password protected 7zip file". I also found this answer in this forum that talks about John The Ripper: "John The Ripper can crack these AES-256 encrypted archives." Does this mean that 7ZIP encryption is basically useless? Are these password crackers effective at circumventing this security measure? Secondly, are password-protected PDFs also this easy to break into?

Answered by Anil Jha

7zip password cracker is secure since it uses AES-256 in CBC mode that can provide CPA security and there is no problem there. Keep in mind that CBC has no integrity and authentication. The real problem comes from the human side; the password!  7zip uses 219-times iterated SHA256 to derive the AES-256 key from passwords. SHA256 is not a memory-hard function and therefore this is not safe from massive parallelization. The collaborative power of Bitcoin miners can reach around 292 double SHA256 in a year. A single Nvidia RTX 390 can calculate 9502.7 MH/s... Therefore one needs a really good password mechanism to be secure from the password list/guess/search attacks.

A password with high entropy generated from diceware is recommended XKCD. Use a password manager like keepass that handles this for you.  Additionally; You need to transfer the password to the other party this means that you need a secure channel to do this. A signal program is a good candidate, or you can go for Diffie-Hellman Key Exchange (DHKE), better its Elliptic curve version (ECDH) to establish a key, and then use a key derivation function to derive a long password.



Your Answer

Interviews

Parent Categories