WinZIP AES AE-2 Encryption Vulnerability Found! PowerArchiver may be vulnerable!

  • WinZIP AES AE-2 Encryption Vulnerability Found! PowerArchiver may be vulnerable!

    A vulnerability has been found in the WinZIP AES AE-2 Encryption Method to encrypt and protect ZIP files.

    From the documentation I have read about PowerArchiver, PowerArchiver has implemented the same AES AE-2 Encryption Method that WinZIP uses to encrypt ZIP files to maintain compatibility between the two programs. Based upon that statement, there is a good chance that PowerArchiver’s ZIP AES AE-2 Encryption Method is also vulnerable.

    For more information, please see the link below.

  • conexware

    Actually PowerArchiver only reads AE-2, does not create it.

    PowerArchiver creates and reads PkWare’s AES encryption and is more secure than WinZip’s AE-2 encryption, although, separate from a few of WinZip’s inherited issues, the problems outlined in that paper are problematic in the sense that a. people will not manage their data securely, b. the way compression formats work in general.

    Based on my experience, most people are by far more vulnerable due to the passwords they use to encrypt their data, which are in 99% of cases extremely vulnerable to dictionary based attacks and almost never randomized, nor is the correct password key length ever used, which makes using 256 bit AES encryption insecure.


  • I have to use WinZip at work; I hate it! I never liked WinZip and I never will! With all the other programs to choose from, WinZip should NOT be so popular! I don’t know why it is! Here’s just another example as to why it shouldn’t be!

    On this subject, if AES (Rijndael) was compromised, PowerArchiver shines because it has other encryption options to choose from. All encryption programs should be this robust; there should ALWAYS be other options to choose from in case one algorithm is cracked! It has happened (DES-56 bit) and will definitely happen again (Rijndael (AES)-128 bit will definitely be cracked in our lifetime).

    Which brings up a problem with the PowerArchiver documentation… it states:

    “PowerArchiver has 5 different methods of encryption available with Rijndael - AES (default) being the most secure.”

    Rijndael is NOT the most secure of the 5 offered. Just because it was chosen as the AES doesn’t mean it’s the absolute best; there were a number of factors in the consideration. After doing some research, of the 5 offered I’d choose Blowfish. If Twofish were offered I’d probably choose that over Blowfish. (Twofish was an AES finalist.) Wish List… Wish List: add Twofish encryption.

    In my honest opinion, of the 5 that PowerArchiver offers, only 3 are viable: Blowfish and the 2 Rijndael offerings. But all are significantly better than the previous PKZIP attempt at encryption.

    As the Administrator has stated, the password is definitely the weakest link in all of the encryption methods!!!

  • conexware

    Just to mention it - AES was not compromised, the article talks about how an attacker can find a connection and might be able to compromise data based on someone sending the file via email, someone else recovering it and knowing something about the data from zip header info, which is unencrypted. It is all a very, very, very long shot and deals more with absolute security. It very much deals with how compression utilities have always worked.

    In that sense, PAE is more secure since nobody knows anything about the encrypted data.

    Nevertheless, compared to standard zip 2.04g encryption, all these techniques seem like space age technology.

    If you are really concerned about security, this would be my priority:
    1. choosing a correct, randomized, long password (minimum of 10 characters)
    2. securing your own computer against both external and on-site attacks by encrypting important data at all times.

    In any case, thanks for liking PA! :-)

    Also, everyone should keep in mind that not all data needs to be encrypted, we get a few emails per week from people that forgot their PAE passwords for important working material that probably should not have been encrypted at all, such as mid-term papers, etc, etc. :-).
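    To make the "zip header info, which is unencrypted" remark concrete: the following is an added example, not code from any poster, WinZip or PowerArchiver. It builds a WinZip AE-2 style local file header from constructed values (the payload is zero-filled rather than real ciphertext) and then walks it the way anyone holding the archive can, without the password. The field layout follows the published WinZip AES format (method 99, extra field 0x9901 with vendor "AE", strength code 1/2/3 for 128/192/256-bit keys, salt + 2-byte verifier + ciphertext + 10-byte auth code); the file name, sizes and timestamp are made up for the demo.

```python
import struct

LOCAL_FILE_SIG = 0x04034B50        # "PK\x03\x04"
AES_EXTRA_ID = 0x9901              # WinZip AES extra-field header ID
METHOD_AES = 99                    # compression method value that marks WinZip AES
SALT_LEN = {1: 8, 2: 12, 3: 16}    # salt bytes per AES strength code
KEY_BITS = {1: 128, 2: 192, 3: 256}
PASSWORD_VERIFIER_LEN = 2
AUTH_CODE_LEN = 10


def dos_datetime(date, time):
    """Decode the MS-DOS packed date/time that every ZIP header stores in the clear."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def build_ae2_local_header(name, compressed_len, uncompressed_len, strength=3, real_method=8):
    """Constructed test data: an AE-2 local header whose encrypted payload is zero-filled."""
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)
    stored_len = SALT_LEN[strength] + PASSWORD_VERIFIER_LEN + compressed_len + AUTH_CODE_LEN
    header = struct.pack("<IHHHHHIIIHH",
                         LOCAL_FILE_SIG, 51, 0x0001, METHOD_AES,   # flag bit 0 = encrypted
                         21440, 12847,                             # 2005-01-15 10:30:00, DOS encoded
                         0,                                        # AE-2 stores CRC-32 as zero
                         stored_len, uncompressed_len,
                         len(name), len(extra))
    return header + name + extra + b"\x00" * stored_len


def parse_local_header(buf):
    """Return every field an observer can read from an AE-2 entry without the password."""
    fields = struct.unpack_from("<IHHHHHIIIHH", buf, 0)
    sig, _ver, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = fields
    if sig != LOCAL_FILE_SIG:
        raise ValueError("not a local file header")
    name = buf[30:30 + nlen].decode("cp437")
    extra = buf[30 + nlen:30 + nlen + xlen]
    info = {
        "filename": name,                       # names are never encrypted in ZIP
        "encrypted": bool(flags & 0x0001),
        "modified": dos_datetime(mdate, mtime),
        "crc32": crc,                           # zero for AE-2; AE-1 keeps the plaintext CRC
        "compressed_size": csize,
        "uncompressed_size": usize,
    }
    pos = 0
    while pos + 4 <= len(extra):                # walk the extra-field list
        eid, esize = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + esize]
        if eid == AES_EXTRA_ID and esize == 7 and method == METHOD_AES:
            ae_version, vendor, strength, real_method = struct.unpack("<H2sBH", body)
            if vendor != b"AE" or strength not in KEY_BITS:
                raise ValueError("malformed WinZip AES extra field")
            info["ae_version"] = ae_version
            info["aes_key_bits"] = KEY_BITS[strength]
            info["actual_method"] = real_method     # 0 = stored, 8 = deflate
            # strip salt, verifier and auth code: what remains is the exact compressed plaintext size
            info["ciphertext_len"] = csize - SALT_LEN[strength] - PASSWORD_VERIFIER_LEN - AUTH_CODE_LEN
        pos += 4 + esize
    return info


if __name__ == "__main__":
    sample = build_ae2_local_header(b"quarterly-results.xlsx", 9000, 20480)
    for key, value in parse_local_header(sample).items():
        print(f"{key:18} {value}")
```

    Everything the parser prints (file name, exact sizes, timestamp, key size, real compression method) is available to whoever picks the file up off a mail server, which is the header information the post above refers to; only the file contents are protected by the password. This is why a format that encrypts the whole archive, as the post says PAE does, leaves an observer with nothing but a blob and its total length.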
