Elcomsoft.com » Password Recovery Software » Advanced Archive Password Recovery

 

Known plaintext attack (ZIP)

 

Previous  Top  Next

Introduction

 

ZIP files have a strong encryption algorithm. First, the password isn't stored anywhere in a password-protected archive. The ZIP archiver converts the password you've entered into three 32-bit encryption keys, and then uses them to encrypt the whole archive. Because of this, the total complexity of the ZIP attack is 2^96, i.e., we would have to try all possible key combinations. This is really a lot – even using all the computers in the world, it is not possible to check all of them, unfortunately… However, this algorithm isn't as strong as the DES, RSA, IDEA, and similar algorithms. One of the ways of breaking ZIP protection is using known-plaintext attack. If you're interested in the details of attack, find the paper "A Known Plaintext Attack on the PKZIP Stream Cipher" by Eli Biham and Paul Kocher. ARCHPR's implementation of plaintext attack is very close to that paper, with some minor modifications.

 

Having an encrypted file created by the ZIP archiver, and the same file in unencrypted form, we can make some calculations and retrieve the encryption keys used to protect that file. Usually, a ZIP archive contains several files and all of them have the same password (and therefore the same encryption keys). This means that if we get the encryption keys for one of these files, we'll be able to unprotect all the others! Furthermore, it won't take as much time as trying all possible combinations of encryption keys. To perform plaintext attack, all you need is one file from the archive, compressed by the same archiver and by the same method as an encrypted one.

 

Selecting the correct archiver is a bit complex, however; unfortunately, the ZIP file format doesn't contain any data which might help to identify the archiver. In fact, you may need to try several archivers (of course, only if you don't remember which particular utility you've used). A good check that the plain file is correct is the size difference between it and the encrypted file: the encrypted file must be exactly 12 bytes larger. Also, the files must have the same CRC and uncompressed sizes. ARCHPR automatically checks these conditions for selected files, so all you need to do is to create a "plain" ZIP archive.

 

Description

 

To perform plaintext attack you need to:

 

Find an unencrypted file which also exists in the password-protected archive.
Compress it with the same method and the same ZIP archiver as used in the encrypted archive. Note that this is required because ARCHPR checks file sizes and file checksums. (You can, however, use plaintext attack on a partial file; see the description below).
Run ARCHPR, select encrypted archive, then select "plaintext" attack and browse for archive with unencrypted file.

 

After that, ARCHPR will check the files, and if there are matching ones, the attack is started.

 

There are two stages in "plaintext" attack, plus two password search additions (note that timings are estimated for Intel Celeron working at 366 MHz):

 

1. Keys reduction cycle. At this stage, ARCHPR needs about 34 megabytes of (virtual) memory. This cycle takes from one to three minutes (depending on the size of the plaintext). If you haven't got enough physical memory, it may take a bit more time. After this stage, ARCHPR will free most of that memory and work with only 2-4 megabytes. Please also note that the time required to complete this stage cannot be estimated, and so for the first few minutes the progress indicator will read 0%, after that it'll start to increase rapidly.

 

2. Searching matching keys. This is the main stage of "plaintext" attack. Now you can see how much time you need (worst case) to recover the archive. Depending on the size of the plaintext, this stage can take from 5 minutes to several hours. At that stage, you can stop the attack at any time without risk; the program will write a resume value into the Start from field (and save it into the project file, of course). Note that the first stage (keys reduction cycle) will be performed again upon resuming (but it only takes a few minutes).

 

When ARCHPR finds valid keys, it tries to find the password correlated with them. Due to some reasons, the password search can be easily done for 9 characters long (and shorter) passwords with any symbols, and passwords with up to 10 printable symbols – during a couple of minutes.

 

If ARCHPR can retrieve the password, it'll display the standard statistics message with it, if it can't – with encryption keys only. Please note that in most cases you don't need the original password because having encryption keys you can easily decrypt the ZIP archive so it will not require the password to unzip it.

 

Attack on partial file

 

Sometimes ZIP archives (where the one is password-protected and the second isn't) may differ in size. For example, WinZip can create such ones if the source file almost cannot be compressed. Encrypted files has 12 bytes at least, so when WinZip starts the compression routine, it may select another method to keep compression ratio good. But note that it is very unusual case. However, you can perform plaintext attack on such files anyway – just keep in password-protected archive only one file (that will be attacked); of course, backup your original files first. And keep only one file in "plaintext" archive as well. Run the attack, and ARCHPR will ask for confirmation for "partial" attack. Click 'Yes' and select the number of bytes to use as plaintext. Because we don't know how many bytes can be the same, it's good idea to start from 1-3Kb (it most cases it's enough) and decrease this number if ARCHPR won't be able to find encryption keys.

 

Current version notes

 

1. "Plaintext" file must be at least 12 bytes long.

2. "Plaintext" attack can be saved on the second stage only; after restarting, the first stage will be performed (again) anyway.

3. No time estimation for the first stage. But you can expect that it'll take a few minutes.

4. In any case, you need about 34 megabytes of RAM. If you don't have so much RAM, you need enough space on the for swap file on the disk (and patience – using virtual RAM will greatly decrease the performance). So, we recommend to use the "known plaintext" attack with at least 40-48 megabytes of RAM.

 

Test results

 

Here are the results (benchmarks) of "known plaintext" attack for the different files (on Intel Celeron 366MHz with 64MB RAM).

 

File size (bytes)

Stage #1 time

Stage #2 time




16

20s

2d 12h

32

33s

8h 30m

64

38s

3h 30m

128

45s

1h 45m

256

52s

42m

512

52s

20m

1024

52s

8m

2048

1m 5s

5m 30s

4096

1m 5s

4m

8192

1m 14s

4m

16384

1m 30s

4m

32768

2m 10s

4m

 


Get more information about Advanced Archive Password Recovery
Get full version of Advanced Archive Password Recovery

(c) 2008 ElcomSoft Co.Ltd.