Why You Should Never Use Zipcrypto
Why You Should Never Use Zipcrypto
Zip
Crypto in Windows
Exploiting ZipCrypto
Exploiting ZipCrypto through a widely known plain text attack is straightforward and doesn’t require
sophisticated technical skills. Although I will walk you through the steps, I am obviously not doing so to help
go out and hack someone. I simply want to show you how basic and easy this exploit really is.
Requirements
• Download encrypted.zip
Steps
3. Zip the file and call it encrypted.zip. Do not use a password and use the same compression algorithm as
the encrypted archive. (If you wish, you can download plain.zip using the link supplied above, which already
has the plain.txt file in it.)
2
4. Feed both files to bkcrack using the following command line:
[12:01:52] Keys
Once the keys have been obtained, any files in the zip can be deciphered using the following command line:
This example extracted the Tux_ecb.jpg file. The resulting image should look like this:
3
Congratulations, you have successfully decrypted the zip file!
Additionally
We included multiple files in the encrypted.zip (MIT License, HTML file), so that you can practice and go off
the beaten track!
AES-256
By now you’re probably wondering: If you should never use ZipCrypto, then what is the alternative? Well, we
strongly recommend AES-256, which is the industry standard for zip encryption and has been proven to be
quite strong and safe. Unfortunately, Windows does not have native support for this. However, most third-
party archivers such as 7Zip, Winrar, and Winzip support it.