Article 35999 of alt.security:

sryckman@airmail.net writes:

>>Also, ask yourself why you use a password protection when you expect
>>that it can be broken.

>In whose lifetime? All the supposed .ZIP password decryption programs I've
>seen are limited to like 20 or 30 character long password searches and take
>forever. FZC is no exception to this, it is one of the fastest that I have looked
>at but it still takes days to work through password possibilities on a 486/50.
>To that end, any files I send across the network with a password on them
>have a minimum of a 40 character password consisting of upper, lower and
>punctuation symbols. I let a check run for 9 days on my Pentium 66 at the
>office when I went on vacation once and it was only about 1/2 the way
>through the possibilities when I came back. That was with a 24 character
>password with upper, lower and punctuation on it. Even if they could handle
>a longer password (FZC is limited to 24 character passwords if I remember
>correctly) it would take a lifetime to find the match.

It is true that if the keyspace is large it will take much too long to
search it.
[though I find it hard to believe that you could search through
0.5 of (26+26+10)^24 in 9 days on a P-66. That would mean 5 x 10^41 keys
searched, in only 9 days. The "1/2 the way" must be WAY off]

However, in the case of PKZIP, the encryption can also be broken in a few
hours on a PC if you know about 13 bytes of the compressed file
(i.e. bytes after compression).
It doesn't matter how long your password was then; if you have an
unencrypted version of (a part of) one file in the archive, you can find
a working password.

I have not mentioned this to the poster who asked for a solution, because
AFAIK there is no program publicly available that implements this attack.

This attack was discovered by Paul Kocher.
You can find a paper (by him and Eli Biham) describing it on his website,
http://www.cryptography.com

Boudewijn

>Steve Ryckman, Technical Supervisor
>Security Information & Management Systems, Inc.

>Part of the process in using passwords and encryption is also testing it yourself
>and knowing what you can expect.

Yep. And another part is knowing that a good password on a bad algorithm
still isn't secure.
The hardest part is knowing which algorithms to use :-)

-- 
+-------------------------------------------------------------------+
|Boudewijn Visser       |E-mail:visser@ph.tn.tudelft.nl |finger for |
|Dep. of Applied Physics,Delft University of Technology |PGP-key    |
+-- my own opinions etc --------------------------------------------+
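
Added illustration, not part of the original post or of the cited paper: the traditional PKZIP stream cipher as documented in PKWARE's APPNOTE, showing that a password of any length is folded into three 32-bit keys and that those keys alone decrypt the data. Function names and sample data are constructed for this sketch, and the 12-byte encryption header of a real archive is left out.

```python
# Added illustration: PKZIP "traditional" stream cipher (key schedule + keystream).
MASK = 0xFFFFFFFF

def _crc_table():
    # Standard reflected CRC-32 table (polynomial 0xEDB88320).
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC = _crc_table()

def update(keys, byte):
    """Advance the three 32-bit keys with one password or plaintext byte."""
    k0, k1, k2 = keys
    k0 = (k0 >> 8) ^ CRC[(k0 ^ byte) & 0xFF]
    k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & MASK
    k2 = (k2 >> 8) ^ CRC[(k2 ^ (k1 >> 24)) & 0xFF]
    return (k0, k1, k2)

def keys_from_password(password: bytes):
    """The only place the password is used: it collapses into 96 bits of state."""
    keys = (0x12345678, 0x23456789, 0x34567890)
    for b in password:
        keys = update(keys, b)
    return keys

def keystream_byte(keys):
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF

def crypt(keys, data: bytes, decrypt: bool) -> bytes:
    out = bytearray()
    for b in data:
        o = b ^ keystream_byte(keys)
        out.append(o)
        keys = update(keys, o if decrypt else b)  # state advances on plaintext
    return bytes(out)

if __name__ == "__main__":
    password = b"Constructed-40-char-Passw0rd!;with,punct"  # constructed sample
    secret = b"constructed sample plaintext"                 # constructed sample
    state = keys_from_password(password)
    ct = crypt(state, secret, decrypt=False)
    # Decryption below is given the three keys, never the password itself.
    print([hex(k) for k in state], crypt(state, ct, decrypt=True))
```

The effective secret is the 96-bit key state rather than the password string, so a 40-character password adds nothing once that state can be recovered by other means.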