Are password-protected ZIP files secure?

  • Following my answer. If I can list contents of a password-protected ZIP file, check the file types of each stored file and even replace it with another one, without actually knowing the password, then should ZIP files be still treated as secure?

    This is completely insecure in terms of social engineering / influence etc.

    I can hijack (intercept) someone else's file (password-protected ZIP file) and I can replace one of the files it contains, with my one (fake, virus) without knowing the password. Replaced file will remain unencrypted, not password-protected inside the ZIP, but other files won't be modified.

    If a victim unpacks a password-protected archive, extracting program will ask for the password only once, not every time per each file. So end user will not see the difference -- whether the program does not ask for a password, because it already knows it (original file) or because the file being extracted doesn't need a password (file modified by me). This way, I can inject something really bad into a password-protected ZIP file, without knowing its password and count on the receiver assuming the file is unmodified.

    Am I missing something or is this really wrong? What can we say about the security terms of a solution, if password is not required to introduce any modification in a password-protected file?

    It is in the design of the ZIP archives that they're only _containers_. Encryption is done on the files not the container itself, so confidentiality & integrity are still granted for the _files_ inside. The ZIP archive itself isn't password-protected, but the files inside are. Actually, RAR files behave almost the same way, except that they give you the option encrypt the file list. You _can_ add fake files to a RAR file (not through WinRAR), but if the list of files is encrypted, then you cannot modify it, therefor the application opening it won't be able to list the fake file.

    Upon further reading, I've learned that ZIP uses AES in CBC mode, which doesn't really grant integrity. Although it's not that easy to modify the contents of your files, a persistent threat will eventually be able do that. **Please note**: The integrity problem is not, of course, that the files can be replaced. IMHO, getting your files replace and tampered with is alright, but not being able to detect such tampering _is_ the integrity problem.

    Could you zip your files (without password) and then zip that archive again (with password)? That way you would only have a single file that's password protected, and as you cannot access that one, you cannot modify the inner zip.

    @poke: Quite interesting idea! :]

    Yes you can, WinZip calls this "double zipping":

    Be careful of archive programs that unzip files to a temporary folder and then leave it there. 7zip does this and refuses to fix it. If you use 7zip, your encrypted files are NOT secure because they will inevitably be left unencrypted in a temporary folder somewhere.

    Why not just check the integrity with a checksum e.g. sha, md5?

  • bethlakshmi

    bethlakshmi Correct answer

    8 years ago

    To answer this, there needs to be a better definition of "secure" and/or "safe". It's always got to be defined in light of the purpose of the protection and the risk to the system. There's no one size fits all here, what's "safe enough" for one system, may be abysmally weak on another. And what's "safe enough" on another may be cost prohibitive or down right impractical in a different case.

    So, taking the typical concerns one by one:

    • Confidentiality - marginal at best. Confidentiality is usually rated in terms of how long it will take to gain access to the protected material. I may be able to change the zip file, but as a hacker it'll take me some amount of time either crack the password or brute force it. Not a lot of time, passwords are one of the weaker protections, and given the way zip files are often shared, social engineering one's way to the password is usually not hard.

    • Integrity - nope - as the asker points out - it's easy to change the package and make it look legitimate.

    • Availability - generally not applicable to this sort of security control - this usually refers to the risk of making a service unavailable - the data storing/packaging usually doesn't affect availability one way or the other.

    • Non repudiation - nope, no protection - anyone can modify the package, so anyone contributing to it has probable deniability.

    The trick is - how much better do you want to get? Encrypted email is an option - as a better protection. Although it poses it's own connectivity concerns. And there's many better ways to encrypt data - but the better options also involve key distribution challenges that can add time and cost concerns.

    As a quick way to package and share some data that you don't want to make completely public - it's better than nothing, and it's sometimes the only common denominator you can work out. For anything high-risk, I'd find a better option.

    What is weak about a strong password (such as 14 random characters) combined with a strong encryption method (such as AES-256)?

    I'm not clear what perspective your question is coming from? This person is specifically asking about the method of password protection as it relates to zip files and the problems were outlined pretty well in the question - in this instance, no matter how big or random your password, the zip file password lock doesn't lock much of anything. In *general* passwords are pretty weak - they are readily shared, and require that both sides know them (they are a shared secret) - so there's always the risk that someone else knows the password. So non-repudiation is a no-go with any password.

    I am talking purely about Confidentiality, and not about Integrity or any of the other values you correctly pointed out in the light of this question. You note "passwords are one of the weaker protections", and I simply want to point out that this statement is very relative. It all depends on the strength of the password and the encryption method, but also the way this shared secret is shared.

    @bethlakshmi "probable deniability" -- did you mean plausible deniability?

    FYI for those not familiar with the confidentiality/integrity/availability/non-repudiation terms wikipedia has a laymans description here: (personally i found the bullets in this answer to sound like a foreign language)

    to add "integrity"... couldn't you just provide a checksum file to the encrypted archive generated via `sha256sum`, yes/no?

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM