From: “L. DEkel” <dekel@carmel.haifa.ac.il>
To: cypherpunks@toad.com
Message Hash: 78e2ca72b73e2f3747bb1f9aa4e58a76ab069859635102df2b7ec18529e9f826
Message ID: <Pine.A32.3.91.951122035639.51855A-100000@carmel.haifa.ac.il>
Reply To: N/A
UTC Datetime: 1995-11-23 01:51:58 UTC
Raw Date: Thu, 23 Nov 1995 09:51:58 +0800
From: "L. DEkel" <dekel@carmel.haifa.ac.il>
Date: Thu, 23 Nov 1995 09:51:58 +0800
To: cypherpunks@toad.com
Subject: PKZIP - Encryption
Message-ID: <Pine.A32.3.91.951122035639.51855A-100000@carmel.haifa.ac.il>
MIME-Version: 1.0
Content-Type: text/plain
PKZIP Encryption - Practical approach
=====================================
Note: I am discussing PKZIP ver. 2.xx encryption,
but the abstracts isn't about a particular encryption.
ABSTRACT:
Practical security often differs from Theoretical security.
If I asked you, would you make the effort of renting a box at the bank's safe
for putting only $1 inside, then when you want it you'll have to drive to town,
at opening hours, and be escorted by an armed guard to the safe, just to get
the $1, I can guess what your answer will be.
The same thing goes for Cryptography, What you are trying to protect,
it's importance, price, value, determines the steps you would be wiling to take
to ensure a safe and strong encryption.
If you want to hide a game from your kid brother, you can use some
basic algorithm of encryption (say XOR), but say want to hide proofs that you
killed someone you better use a stronger algorithm (say IDEA).
To conclude: The system you should choose for security depends on:
1. How sensitive is the data you want to hide.
2. Who is the potential cracker of your system.
3. How convenient is the Crypto system for use. (*)
(*) This is not so trivial, as security = 1/convenience, you can, for example
force users to change their passwords every 2 min. very secure, but that
not very Practical.
PKZIP Encryption:
PKZIP encryption is often said to be: Weak, "a joke" ,"a deception" etc.
Maybe it's time to put things in the right perspective.
One must realize (yet again) the difference between:
Theoretical Cryptography - and - Practical Cryptography:
>From the Theoretical side, there is an excellent article:
"A Known Plaintext Attack on the PKZIP Stream Cipher", by Eli Biham and
Paul C. Kocher., that proposes an attack on the algorithm using known plaintext
method. The writers come to the conclusion that: "The PKZIP cipher is weak,
and should not be used to protect valuable data".
Criticism:
0). Only the you can define what is "valuable data" for yourself,
this could be an abstract question.
[see above ABSTRACT discussion]
1). The proposed attack is largely Theoretical, in "laboratory conditions",
whereas a ciphertext-only attack, more like what we often find in the real
world, is Harder.
The article doesn't propose any effective ciphertext-only attack.
(It seems the writers only tried to give a general assessment of the algorithm
strength, which they did very well).
Note: A Very limited Known-plaintext attack is possible against PKZIP,
as specific information about the Header of the archive file is Known,
but this attack is of complexity 2^38 or higher, so it's not very effective,
however it is a possible for an expert Cryptanalyst. (This is still Easier
than ciphertext-only attack - we meet in the street).
Thus, the theoretical attack is good in telling us about the encryption
algorithm, it's strength and weaknesses, and knowledge is always better then
ignorance, But, in real world, such an attack can be rendered ineffective, or
impractical in terms of resources consumed, time spent, money etc.
Don't get the wrong impression, in general, Cryptographic research is
Good, it helps determine the overall strength of an algorithm, make suggestions
as to possible improvements, warn against weak keys, back-doors etc. But we
must separate the Practical from the Theoretical, and it works both ways too.
A one-time-pad (OTP) for example, is considered theoretically
unbreakable, but in practice OTP systems has been broken more than once, as
long as there are people making Human mistakes: loosing secret keys, encryption
a message with the OTP more than once, etc.
So: Theoretical encryption strength != Practical encryption Strength
2). Considering the "many" cracking utilities in the market:
there is almost NO ready made, software that really crack the PKZIP algorithm
(crack = cryptanalysis, that is Really analyzing the algorithm, not guessing
games), in fact there is No software that can really crack Any modern
algorithm such as DES, IDEA etc, That is except maybe CBW which is the closest
thing to Really cracking the crypt(1) for unix, or some commercial products
for cracking WordPerfect encryption or so. (The strength of PKZIP 1.xx/2.xx
encryption is much greater than the above crypt(1) and WordPerfect).
All the "Great" utilities are just fancy passwords guessers at best,
none of them analyze the ciphertext.
True, some of them are good guessers, but their "strength" depends on the
Weakness of the password (password = The cryptographic Key).
The stronger the password the less chance the "cracker-util" will crack it.
The best crackers in the market performs a "limited" brute force attack,
if they are good. "limited" is referred to "dictionary attacks", such as the
cracker doesn't perform a complete Keyspace (brute-force) search, instead it
perform a "Subset keysapce search", i.e. choosing some elements of the
Keysapce (say english words) and trying them. (There is the option, in some
crackers, including crackers for PKZIP, such as FZC, to perform a more
"orderd" Keyspace, that is checking sequences of Keys, e.g: All-5-uppercase
letters only- keys).
The conclusion from this section is, that if you choose a Long enough, Hard to
find (say random chars) password such as "x@J60!fv_Zd4%", then you are quite
safe from these "horrid" crackers.
That last statement is good for choosing passwords in general.
Final note:
PKZIP is not a crypto system it's an Archiver with a password protection
option. If You want to protect your secret cherry cake recipe from your
mother, you can safely use PKZIP protection (assuming your mother isn't a
top cryptographer working for NSA). If you want to hide the formula for
Cold fusion - use PGP.
And remember, there is always the "rubber hose" cryptography option.
,,,,,
DEkel
'''''
Return to November 1995
Return to ““Perry E. Metzger” <perry@piermont.com>”