Utility to open WINZIP with AES encryption
on 21.02.2007 00:31:31 by One-o
Is there a free utility which recipients of a ZIP archive can get to do
no more than extract the files from AES-encrypted ZIPs?
-------
I use Winzip Pro 10.0.6698 and create standard archives with a ZIP file
extension which I send as an email attachment. I do not create self-
extracting EXE files as many company firewalls block EXEs attached to
emails.
For sensitive data, I use either 128-bit AES or 256-bit AES encryption
in Winzip.
When my recipients do not have Winzip they find they cannot open the
AES-encrypted zip file. How do I get around this? Is there a free
utility which recipients can obtain in order to only extract files from
my AES-encrypted ZIPs?
Re: Utility to open WINZIP with AES encryption
on 21.02.2007 00:59:08 by unknown
Post removed (X-No-Archive: yes)
Re: Utility to open WINZIP with AES encryption
on 22.02.2007 01:43:49 by One-o
> One-o wrote:
>
>> I use Winzip Pro 10.0.6698 and create standard archives with a ZIP
>> file extension which I send as an email attachment. I do not
>> create self-extracting EXE files as many company firewalls block
>> EXEs attached to emails.
On 20 Feb 2007, Sebastian Gottschalk wrote:
>
> Of course, in terms of encryption this would be utterly stupid.
>
Please explain what you mean.
>> For sensitive data, I use either 128-bit AES or 256-bit AES
>> encryption in Winzip.
>
> Nah, can't be that sensitive.
>
Actually it is.
>> When my recipients do not have Winzip they find they cannot open
>> the AES-encrypted zip file. How do I get around this? Is there a
>> free utility which recipients can obtain in order to only extract
>> files from my AES-encrypted ZIPs?
>
> 7-Zip does so. But please, stop calling the files ZIP files. This
> name is commonly reserved for RFC-conformant PKZIP 2.x compatible
> files.
>
7-Zip does not open AES-encrypted files created by Winzip which is
what I am looking for. Try it and see.
Winzip creates its archive files with the ZIP extension and that is
what I am referring to. I don't control what Winzip chooses to use
as an extension. I just refer to it.
It sounds as if you may be bringing here a point about "ZIP" you
could be better off making direct to the authors of Winzip.
Re: Utility to open WINZIP with AES encryption
on 22.02.2007 03:50:29 by unknown
Post removed (X-No-Archive: yes)
Re: Utility to open WINZIP with AES encryption
on 22.02.2007 19:55:20 by kingthorin
On Feb 21, 9:50 pm, Sebastian Gottschalk wrote:
> one-o wrote:
> >> One-o wrote:
>
> >>> I use Winzip Pro 10.0.6698 and create standard archives with a ZIP
> >>> file extension which I send as an email attachment. I do not
> >>> create self-extracting EXE files as many company firewalls block
> >>> EXEs attached to emails.
>
> > On 20 Feb 2007, Sebastian Gottschalk wrote:
>
> >> Of course, in terms of encryption this would be utterly stupid.
>
> > Please explain what you mean.
>
> Presume an attacker which has the capability to change the file. He
> attaches his own payload, which captures the password, unpacks the content
> and modifies the target system to report this file without the payload,
> then sends out the captured password.
>
> >>> For sensitive data, I use either 128-bit AES or 256-bit AES
> >>> encryption in Winzip.
>
> >> Nah, can't be that sensitive.
>
> > Actually it is.
>
> No, it isn't, because the implementation in WinZip is well-known to be
> broken. Thus, you might leak some data.
>
Actually according to NIST WinZip's AES implementation is FIPS 192
certified:
http://csrc.nist.gov/cryptval/aes/aesval.html
Re: Utility to open WINZIP with AES encryption
on 22.02.2007 19:56:57 by kingthorin
Doh made a typo, that should say FIPS 197.
Re: Utility to open WINZIP with AES encryption
on 26.02.2007 00:43:58 by Zak
On 22 Feb 2007, wrote:
> On Feb 21, 9:50 pm, Sebastian Gottschalk wrote:
>> one-o wrote:
>> >> One-o wrote:
>>
>> >>> I use Winzip Pro 10.0.6698 and create standard archives with a
>> >>> ZIP file extension which I send as an email attachment. I do
>> >>> not create self-extracting EXE files as many company
>> >>> firewalls block EXEs attached to emails.
>>
>> > On 20 Feb 2007, Sebastian Gottschalk wrote:
>>
>> >> Of course, in terms of encryption this would be utterly stupid.
>>
>> > Please explain what you mean.
>>
>> Presume an attacker which has the capability to change the file.
>> He attaches his own payload, which captures the password, unpacks
>> the content and modifies the target system to report this file
>> without the payload, then sends out the captured password.
>>
>> >>> For sensitive data, I use either 128-bit AES or 256-bit AES
>> >>> encryption in Winzip.
>>
>> >> Nah, can't be that sensitive.
>>
>> > Actually it is.
>>
>> No, it isn't, because the implementation in WinZip is well-known
>> to be broken. Thus, you might leak some data.
>>
>
> Actually according to NIST WinZip's AES implementation is FIPS 192
> certified:
> http://csrc.nist.gov/cryptval/aes/aesval.html
>
I wonder if Sebastian is going to reply?
Re: Utility to open WINZIP with AES encryption
on 26.02.2007 09:20:55 by unknown
Post removed (X-No-Archive: yes)
Re: Utility to open WINZIP with AES encryption
on 26.02.2007 15:14:25 by kingthorin
On Feb 26, 3:20 am, Sebastian Gottschalk wrote:
> Zak wrote:
> >>> No, it isn't, because the implementation in WinZip is well-known
> >>> to be broken. Thus, you might leak some data.
>
> >> Actually according to NIST WinZip's AES implementation is FIPS 192
> >> certified:
> >> http://csrc.nist.gov/cryptval/aes/aesval.html
>
> > I wonder if Sebastian is going to reply?
>
> Eh... why should I?
Well you did so why are you asking us?
> The evaluation says nothing about the implementation of
> the storage format. And I guess you can use Google yourself to find the
> details on the vulnerabilities of this implementation.
Did a quick google, there were some articles from early'ish in 2006
and older. All of the issues I could find seem to have been addressed
by WinZip Computing. I suppose there may be an issue if one party is
using an older version of the software....but that's true of any
software. If we suggest people not use software because it's had bugs
or vulnerabilities in the past then we'd be hard pressed to suggest
any software package to anyone (there's no such thing as bug free
software).
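Added example, not written by any poster in this thread: Python code that reads a ZIP's central directory and lists entries stored with WinZip's AES scheme (compression method 99, extra field 0x9901). It shows that the entry name, sizes and key strength are readable without the password, which is the storage-format layer that a FIPS 197 algorithm validation does not cover. The function names and the sample archive bytes (including the file name) are constructed for illustration.

```python
import struct

AES_METHOD = 99          # compression method value marking a WinZip AES entry
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES parameters
STRENGTH_BITS = {1: 128, 2: 192, 3: 256}
CD_FMT = "<IHHHHHHIIIHHHHHII"   # 46-byte central directory file header

def build_sample(name=b"payroll.xls", strength=3):
    """Constructed central directory + end record for one AES entry (no file data)."""
    # AES extra field: size 7, version 2 (AE-2), vendor "AE", strength, real method 8
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)
    cd = struct.pack(CD_FMT, 0x02014B50, 51, 51, 0x0001, AES_METHOD, 0, 0,
                     0, 1234, 5000, len(name), len(extra), 0, 0, 0, 0, 0)
    cd += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cd), 0, 0)
    return cd + eocd

def aes_entries(blob):
    """Return [(name, aes_bits, ae_version, compressed_size)] for WinZip AES entries."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(blob):
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", blob, eocd + 10)
    found = []
    for _ in range(count):
        f = struct.unpack_from(CD_FMT, blob, pos)
        if f[0] != 0x02014B50:
            raise ValueError("bad central directory signature")
        method, csize, nlen, xlen, clen = f[4], f[8], f[10], f[11], f[12]
        # Name and extra field sit in the clear, whatever the AES key length is.
        name = blob[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = blob[pos + 46 + nlen:pos + 46 + nlen + xlen]
        pos += 46 + nlen + xlen + clen
        off = 0
        while method == AES_METHOD and off + 4 <= len(extra):
            hid, hlen = struct.unpack_from("<HH", extra, off)
            if hid == AES_EXTRA_ID and hlen >= 7 and off + 4 + hlen <= len(extra):
                ver, _vendor, strength, _real = struct.unpack_from("<H2sBH", extra, off + 4)
                found.append((name, STRENGTH_BITS.get(strength), ver, csize))
            off += 4 + hlen
    return found

if __name__ == "__main__":
    for entry in aes_entries(build_sample()):
        print(entry)
```

Run against a real archive by passing the file's bytes to `aes_entries`; a recipient can use the reported method and AE version to check whether their extraction tool supports that entry type.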
Re: Utility to open WINZIP with AES encryption
on 26.02.2007 15:49:18 by unknown
Post removed (X-No-Archive: yes)