Recent Topics
-
UNSOLVED [Bug / Feature Request] Integrate offline Virtual Drive into the PowerArchiver installer
Tech Support3 -
UNSOLVED extracting issue
Tech Support7 -
SOLVED No Updates Shown
Tech Support5 -
UNSOLVED PowerArchiver resend codes doesn't work
Tech Support6 -
PowerArchiver and PACL for macOS
Tech Support3 -
UNSOLVED File Browser: Operations don't trigger UAC
Tech Support7 -
Fast Ring: PowerArchiver 2019 19.00.51/54/57/58/59
Tech Support24 -
SOLVED Problem: Backspace navigation in Explorer mode
Tech Support3 -
UNSOLVED Smart AI: Preferences not intuitive
Tech Support13 -
SOLVED Find file in archive.
Wishlist9 -
UNSOLVED PA 20.00.02 not executing .exe files from archive
Tech Support10 -
PACL 9.0 Beta 2
Tech Support24 -
UNSOLVED Minor UI question
Tech Support7 -
SOLVED Slow Download
General Chat3 -
SOLVED ZIPX-jpeg-compression
Tech Support2 -
SOLVED PA standard 2019 can not create PA-archives
Tech Support2 -
UNSOLVED The PACL does not extract files from the self-extracting archive
Tech Support3 -
UNSOLVED PA 19.00.57 - Drawing issue on file type collumn
Tech Support2 -
UNSOLVED PA 19.00.57 crashes Firefox 69.0.1 in module pashlext64.dll | UserCallWinProcCheckWow
Tech Support18 -
UNSOLVED Include all PowerArchive Toolbox features in the offline installer
Tech Support3
WinZIP AES AE-2 Encryption Vulnerability Found! PowerArchiver may be vulnerable!
-
WinZIP AES AE-2 Encryption Vulnerability Found! PowerArchiver may be vulnerable!
A vulnerability has been found in the WinZIP AES AE-2 Encryption Method to encrypt and protect ZIP files.
From the documentation I have read about PowerArchiver, PowerArchiver has implemented the same AES AE-2 Encryption Method that WinZIP uses to encrypt ZIP files to maintain compatability between the two programs. Based upon that statement, there is a good chance that PowerArchiver’s ZIP AES AE-2 Encryption Method is also vulnerable.
For more information, please see the link below.
http://eprint.iacr.org/2004/078/
-
Actually PowerArchiver only reads AE-2, does not create it.
PowerArchiver creates and reads PkWare’s AES encryption and is more secure than WinZips AE-2 encryption, although separate from few WinZip’s inherited issues - problems outlined in that paper are problematic in a sense that a. people will not manage their data securly, b. way compression formats work in general.
Based on my experience, most people are by far more vunerable due to the passwords they use to encrypt their data, which are in 99% cases extremly vunerable to dictionary based attacks and almost never randomized nor is ever correct password key lenght used which makes using 256 bit AES encryption unsecure.
thanks,
-
I have to use WinZip at work; I hate it! I never liked WinZip and I never will! With all the other programs to choose from, WinZip should NOT be so popular! I don’t know why it is! Here’s just another example as to why it shouldn’t be!
On this subject, if AES (Rijndael) was compromised, PowerArchiver shines because it has other encryption options to choose from. All encryption programs should be this robust; there should ALWAYS be other options to choose from in case one algorithm is cracked! It has happened (DES-56 bit) and will definitely happen again (Rijndael (AES)-128 bit will definitely be cracked in our lifetime).
Which brings up a problem with the PowerArchiver documentation… it states:
“PowerArchiver has 5 different methods of encryption available with Rijndael - AES (default) being the most secure.”
Rijndael is NOT the most secure of the 5 offered. Just because it was chosen as the AES doesn’t mean it’s the absolute best; there were a number of factors in the consideration. After doing some research, of the 5 offered I’d choose Blowfish. If Twofish were offered I’d probably choose that over Blowfish. (Twofish was an AES finalist.) Wish List… Wish List: add Twofish encryption.
In my honest opinion, of the 5 that PowerArchiver offers, only 3 are viable: Blowfish and the 2 Rijndael offerings. But all are significantly better than the previous PKZIP attempt at encryption.
As the Administrator has stated, the password is definitely the weakest link in all of the encryption methods!!!
-
Just to mention it - AES was not compromised, article talks about how attacker can find connection and might be able to compromise data based on someone sending the file via email, someone else recovering it and knowing something about data from zip header info, which is unencryped. It is all by very, very, very long shot and more deals in absolute security. It very much deals with how compression utilities have always worked.
In that sense, PAE is more secure since nobody knows anything about data encrypted.
Nevertheless, compared to standard zip 2.04g encryption, all these techniques seem as space age technology.
If you are really concerned about security, this would be my priority:
1. chosing coorect, randomized, long password (minimum of 10 characters)
2. securing your own computer against both external and on the site attacks by encrypting important data at all times.In any case, thanks for liking PA!
All everyone should keep in mind that not all data needs to be encrypted, we get few emails per week from people that forgot their PAE passwords for important working material that probably should not have been encrypted at all, such us mid-term papers, etc, etc. :-).
