Retro video games delivered to your door every month!
Click above to get retro games delivered to your door ever month!
X-Hacker.org- PKZIP 2.0 Reference Guide - Norton Guide http://www.X-Hacker.org [<<Previous Entry] [^^Up^^] [Next Entry>>] [Menu] [About The Guide]

  USING DATA ENCRYPTION

  The PKZIP utilities offer the ability to protect stored data through
  encryption.  You should use PKZIP's encryption ability in place of any
  other encryption on files you intend to compress.

  This encryption ability has been made integral to the function of PKZIP
  and PKUNZIP to prevent the encryption from interfering with PKZIP's
  ability to compress.  If you feel the need to encrypt your data to protect
  it, and are intending to compress the data as well, you should then use
  the encryption of PKZIP.  Using the encryption capability of a spreadsheet
  or database program will prevent PKZIP from compressing the data
  efficiently.

  Encryption is enabled in PKZIP by use of the -s option.  The encryption
  key, sometimes referred to as a "password", follows directly after the -s

     C:\>pkzip test.zip -ssecret d:\payroll\*.dbf

  Above, all the "dbf" files from the payroll directory have been compressed
  into a .ZIP file called "test.zip".  During the compression they are also
  being encrypted based upon the key of "secret".

  The encryption scheme used by PKZIP is complex and robust.  The encryption
  key is used to generate a number of binary encryption keys which are in
  turn used to determine how the compressed data is altered.  Neither the
  original key or the derived keys are stored with the .ZIP file, nor are
  they retained anywhere else for that matter.  This means you must remember
  the encryption key.

     +-------------------------------------------------------------------+
     | IF YOU LOSE THE ORIGINAL ENCRYPTION KEY YOU WILL NEVER BE ABLE TO |
     | EXTRACT THE FILE(S).                                              |
     +-------------------------------------------------------------------+

  It is also not possible to derive the original keys by examining the
  compressed data, or by analysis of original data versus encrypted data.
  This means that if you loose the key, there is no way to find it.  PKWARE
  Inc.  has no special means or technology for deriving the key or
  extracting the data without the key.

  Also note that a minute change in the key completely alters the encryption
  scheme.  This means that the key must be exact.  Any change in spelling,
  capitalization or punctuation causes a key to be completely different.  Be
  certain that you know what the encryption key is and will not lose,
  forget, or mistype it.

         +------------------------------------------------+
         | DO NOT TRUST YOUR MEMORY ALONE.  WRITE IT DOWN.|
         +------------------------------------------------+

  Capitalization is also important.  "Secret", "secret" and "SECRET" are all
  completely different encryption keys.  You should realize that a person
  who knows you could attempt to extract a file you have encrypted by using
  words they think you will use or can remember easily.  This would be items
  such as:

     . Your Spouse's name

     . Your Social Security Number

     . Your Address

     . Your Dog's name

     . Etc...


  Long Keys

  It is possible to have extremely long keys, or keys with spaces in them.
  The length of the encryption key is limited only by the length of a DOS
  command line.  To use a key with spaces in it, you must enclose the
  password in quotation marks:

     C:\>pkzip test.zip -s"mary had a little lamb" *.dbf

  Passwords of this sort may be easy to remember, while proving to be very
  secure.  Remember to use phrases that are not obvious to someone who knows
  you.


  Complex Keys

  If PKZIP or PKUNZIP is specified with only the -s and no encryption key
  following, the user is prompted for an encryption key.

     C:\>zip test -s *.com

   PKZIP (R)  FAST!  Create/Update Utility  Version 2
   Copr. 1989-1992 PKWARE Inc.  All Rights Reserved.  PKZIP/h for help
   PKZIP Reg. U.S. Pat. and Tm. Off.   Patent No. 5,051,745

   Password ? ******

   . 80486 CPU detected.
   . XMS version 2.00 detected.
   . Novell Netware version 3.11 detected.
   . Using Super Fast Compression.

   Creating ZIP: TEST.ZIP
   Adding: COMMAND.COM  Deflating (36%), done.
   Adding: 4DOS.COM     Deflating (34%), done.

  Asterisks are displayed in place of each character as you enter the
  encryption key.  This feature offers added security in the event somone is
  watching as you type in the password.

  This method of entry may be easier or more comfortable to use.  This also
  allows you to enter characters for the encryption key which cannot
  normally be entered from the keyboard.

  In order to enter one of these characters, hold down the [ALT] key and
  type the ASCII value of the character you wish to enter on the number pad.
  When you release the [ALT] key the character equal to the value typed will
  be entered into the Password field.

  The [TAB] key and other keys which could not normally be used since they
  would interfere with the PKZIP command line can be used when the password
  is entered in this manner.

  Passwords entered in this manner are limited to a maximum length of 64
  characters.


  Multiple Keys

  Passwords can be used not only when creating a new .ZIP file but also when
  files are being added to an already existing .ZIP file.  Let's assume you
  have a .ZIP file called "keyfun.zip" and it contains two files:

     june91.wk1
     june91.wp

  We'll also say that neither of these files are encrypted.  Now let's add
  another file to this .ZIP file, and encrypt it while doing so:

     C:\>pkzip keyfun.zip -sPiZzA sensitiv.txt

  This will add the file "sensitiv.txt" with a encryption key of "PiZzA".

  Now add another file to the same .ZIP file with a different key:

     C:\>pkzip keyfun.zip -sDukeNUKE diary.txt

  At this point you have four files in "keyfun.zip".  Two are not encrypted
  at all, and two are, but with different keys.  A view of the file would
  appear like this:

   C:\>pkunzip -v keyfun
   PKUNZIP (R)   FAST!   Extract Utility   Version 2
   Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
   PKUNZIP Reg. U.S. Pat. and Tm. Off.

   . 80486 CPU detected.
   . EMS version 4.00 detected.
   . XMS version 3.00 detected.

   Searching ZIP: KEYFUN.ZIP

   Length  Method     Size Ratio   Date    Time    CRC-32  Attr  Name
    -----  -------   -----  ---  --------  -----  -------- ----  ------------
    11664  Deflate    6937  41%  01-30-92  11:57  183b5606 --w-  JUNE91.WK1
    76812  Deflate   23404  70%  01-30-92  12:03  971fea04 --w-  JUNE91.WP
     5327  Deflate    2082  61%  10-14-91  11:25  924efc72 --w-* SENSITIV.TXT
     3664  Deflate    1654  55%  04-04-91  10:32  c8d5c9cf --w-* DIARY.TXT
    -----            -----  ---                                  ------------
    97467            34077  66%                                        4

  Notice the * next to the Attribute column above.  This indicates that a
  file is encrypted.

  Now, if you try to extract the file with no decryption key present you
  will only be able to extract the two files that are not encrypted:

   PKUNZIP (R)   FAST!   Extract Utility   Version 2
   Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
   PKUNZIP Reg. U.S. Pat. and Tm. Off.

   . 80486 CPU detected.
   . EMS version 4.00 detected.
   . XMS version 3.00 detected.

   Searching ZIP: KEYFUN.ZIP
    Inflating: JUNE91.WK1
    Inflating: JUNE91.WP
   PKUNZIP: (W12) Warning! Skipping encrypted file: SENSITIV.TXT
   PKUNZIP: (W12) Warning! Skipping encrypted file: DIARY.TXT

  Extracting the file with a decryption key will extract any file that the
  key is valid for, but an error will be reported on any files with a
  different key.

   C:\>pkunzip keyfun -sPiZzA -o

   PKUNZIP (R)   FAST!   Extract Utility   Version 2
   Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
   PKUNZIP Reg. U.S. Pat. and Tm. Off.

   . 80486 CPU detected.
   . EMS version 4.00 detected.
   . XMS version 3.00 detected.

   Searching ZIP: KEYFUN.ZIP
    Inflating: JUNE91.WK1
    Inflating: JUNE91.WP
    Inflating: SENSITIV.TXT
   PKUNZIP: (W14) Warning! Incorrect password for file: DIARY.TXT


  How secure is PKZIP encryption?

  There are many factors to consider when using PKZIP encryption.  There are
  also several levels and implications to consider.

  The first level of security is physical.  Who has access to the .ZIP file?
  You need to be aware of who might be able to get to sensitive data located
  on your machine, on your floppies, or on your personal network drive.

  The potential hazards of using data encryption cannot be stressed strongly
  enough.  Make certain that you will be able to recall what was used for
  the encryption key.  Also be certain that all people who need to be able
  to access this data have agreed upon how the encryption will be performed.

  It does happen that people encrypt very important data, and then go on
  "vacation" to a distant land, or meet their untimely demise, without first
  passing on the encryption key.  In these sorts of eventualities the data
  is gone.  So consider well before you encrypt or allow the encryption of
  information.  If this information is so vital to you that you feel you
  must encrypt it, consider what the loss of it would mean to you.

  All forms of encryption, including the one used by PKZIP, are open to
  "brute force" attacks.  This form of attack is simply the trying of many
  passwords until you find one that works.

  In order to help you protect your data from this sort of attack we present
  figures on how long a brute force attack, using a computer, would take.
  The scenario we present here assumes that your encrypted .ZIP file is
  being assaulted by a program which is designed specifically to do this.

  An encryption key may contain any valid ASCII character, not just A-Z in
  upper and lower case and punctuation marks.  However, most people will
  just use the latter.  The following table is indexed by the complexity of
  the password.  Across the top is the range of characters used.  The
  simplest assumes that only lower case letters from a to z were used.  The
  next column assumes that all printable characters were used (a to z in
  upper and lower case, punctuation, brackets, etc.).  The last column
  assumes a password containing the complete range of ASCII characters.

  The vertical index is the length of the password used.  This impacts the
  strength of the password greatly.  Think of it as a combination lock.  A
  combination lock with only two numbers would be much easier to break than
  one with three or four numbers.

  We recommend that if you need a truly secure encrypted file, use an
  encryption key of at least six characters.

  The last assumption made is about the speed of the attacking program.  For
  the purposes of this table, we assume that 10,000 possible keys are being
  attempted per second.

                        Password "Hacking" Time
    +-------------------------------------------------------------+
    |  Key   | 26 characters | 96 characters |   256 characters   |
    | Length |    (a-z)      | (a-z,A-Z,etc) |    (All ASCII)     |
    ---------+---------------+---------------+--------------------|
    |    3   | 2 seconds     | 1 minute      |  27 minutes        |
    ---------+---------------+---------------+--------------------|
    |    4   | 1 minute      | 2.35 hours    |  4 days            |
    ---------+---------------+---------------+--------------------|
    |    5   | 19 minutes    | 9 days        |  3 years           |
    ---------+---------------+---------------+--------------------|
    |    6   | 8.6 hours     | 2 years       |  891 years         |
    ---------+---------------+---------------+--------------------|
    |    7   | 9 days        | 238 years     |  2283 centuries    |
    ---------+---------------+---------------+--------------------|
    |    8   | 241 days      | 228 centuries |  584,546 cent.     |
    ---------+---------------+---------------+--------------------|
    |    9   | 17 years      | 21,945 cent.  |  149,643,989 cent. |
    ---------+---------------+---------------+--------------------|
    |   10   | 447 years     | 2,106,744     |  38,308,861,211    |
    |        |               |  centuries    |   centuries        |
    +-------------------------------------------------------------+

  Choose the complexity that you feel meets your needs, but keep in mind all
  that has been mentioned about losing and forgetting passwords.

  These figures represent the state of technology today.  PKWARE Inc.
  cannot predict future technologies which may allow faster attempts at
  decryption of a .ZIP file.

  Note that the above figures do not include the time needed to actually try
  all valid passwords.  This would increase the time by several hundred
  percent, dependent upon the length of the file.

Online resources provided by: http://www.X-Hacker.org --- NG 2 HTML conversion by Dave Pearson