USING DATA ENCRYPTION
The PKZIP utilities offer the ability to protect stored data through
encryption. You should use PKZIP's encryption ability in place of any
other encryption on files you intend to compress.
This encryption ability has been made integral to the function of PKZIP
and PKUNZIP to prevent the encryption from interfering with PKZIP's
ability to compress. If you feel the need to encrypt your data to protect
it, and are intending to compress the data as well, you should then use
the encryption of PKZIP. Using the encryption capability of a spreadsheet
or database program will prevent PKZIP from compressing the data
efficiently.
Encryption is enabled in PKZIP by use of the -s option. The encryption
key, sometimes referred to as a "password", follows directly after the -s:
C:\>pkzip test.zip -ssecret d:\payroll\*.dbf
Above, all the "dbf" files from the payroll directory have been compressed
into a .ZIP file called "test.zip". During the compression they are also
being encrypted based upon the key of "secret".
The encryption scheme used by PKZIP is complex and robust. The encryption
key is used to generate a number of binary encryption keys which are in
turn used to determine how the compressed data is altered. Neither the
original key nor the derived keys are stored with the .ZIP file, nor are
they retained anywhere else for that matter. This means you must remember
the encryption key.
+-------------------------------------------------------------------+
| IF YOU LOSE THE ORIGINAL ENCRYPTION KEY YOU WILL NEVER BE ABLE TO |
| EXTRACT THE FILE(S).                                              |
+-------------------------------------------------------------------+
It is also not possible to derive the original keys by examining the
compressed data, or by analysis of original data versus encrypted data.
This means that if you lose the key, there is no way to find it. PKWARE
Inc. has no special means or technology for deriving the key or
extracting the data without the key.
Also note that a minute change in the key completely alters the encryption
scheme. This means that the key must be exact. Any change in spelling,
capitalization or punctuation causes a key to be completely different. Be
certain that you know what the encryption key is and will not lose,
forget, or mistype it.
+------------------------------------------------+
| DO NOT TRUST YOUR MEMORY ALONE. WRITE IT DOWN. |
+------------------------------------------------+
Capitalization is also important. "Secret", "secret" and "SECRET" are all
completely different encryption keys. You should realize that a person
who knows you could attempt to extract a file you have encrypted by using
words they think you will use or can remember easily. This would be items
such as:
. Your Spouse's name
. Your Social Security Number
. Your Address
. Your Dog's name
. Etc...
Long Keys
It is possible to have extremely long keys, or keys with spaces in them.
The length of the encryption key is limited only by the length of a DOS
command line. To use a key with spaces in it, you must enclose the
password in quotation marks:
C:\>pkzip test.zip -s"mary had a little lamb" *.dbf
Passwords of this sort may be easy to remember, while proving to be very
secure. Remember to use phrases that are not obvious to someone who knows
you.
Complex Keys
If PKZIP or PKUNZIP is specified with only the -s and no encryption key
following, the user is prompted for an encryption key.
C:\>pkzip test -s *.com
PKZIP (R) FAST! Create/Update Utility Version 2
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKZIP/h for help
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Password ? ******
. 80486 CPU detected.
. XMS version 2.00 detected.
. Novell Netware version 3.11 detected.
. Using Super Fast Compression.
Creating ZIP: TEST.ZIP
Adding: COMMAND.COM Deflating (36%), done.
Adding: 4DOS.COM Deflating (34%), done.
Asterisks are displayed in place of each character as you enter the
encryption key. This feature offers added security in the event someone is
watching as you type in the password.
This method of entry may be easier or more comfortable to use. This also
allows you to enter characters for the encryption key which cannot
normally be entered from the keyboard.
In order to enter one of these characters, hold down the [ALT] key and
type the ASCII value of the character you wish to enter on the number pad.
When you release the [ALT] key the character equal to the value typed will
be entered into the Password field.
The [TAB] key and other keys which could not normally be used since they
would interfere with the PKZIP command line can be used when the password
is entered in this manner.
Passwords entered in this manner are limited to a maximum length of 64
characters.
Multiple Keys
Passwords can be used not only when creating a new .ZIP file but also when
files are being added to an already existing .ZIP file. Let's assume you
have a .ZIP file called "keyfun.zip" and it contains two files:
june91.wk1
june91.wp
We'll also say that neither of these files is encrypted. Now let's add
another file to this .ZIP file, and encrypt it while doing so:
C:\>pkzip keyfun.zip -sPiZzA sensitiv.txt
This will add the file "sensitiv.txt" with an encryption key of "PiZzA".
Now add another file to the same .ZIP file with a different key:
C:\>pkzip keyfun.zip -sDukeNUKE diary.txt
At this point you have four files in "keyfun.zip". Two are not encrypted
at all, and two are, but with different keys. A view of the file would
appear like this:
C:\>pkunzip -v keyfun
PKUNZIP (R) FAST! Extract Utility Version 2
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
. 80486 CPU detected.
. EMS version 4.00 detected.
. XMS version 3.00 detected.
Searching ZIP: KEYFUN.ZIP
Length Method Size Ratio Date Time CRC-32 Attr Name
----- ------- ----- --- -------- ----- -------- ---- ------------
11664 Deflate 6937 41% 01-30-92 11:57 183b5606 --w- JUNE91.WK1
76812 Deflate 23404 70% 01-30-92 12:03 971fea04 --w- JUNE91.WP
5327 Deflate 2082 61% 10-14-91 11:25 924efc72 --w-* SENSITIV.TXT
3664 Deflate 1654 55% 04-04-91 10:32 c8d5c9cf --w-* DIARY.TXT
----- ----- --- ------------
97467 34077 66% 4
Notice the * next to the Attribute column above. This indicates that a
file is encrypted.
Now, if you try to extract the file with no decryption key present you
will only be able to extract the two files that are not encrypted:
PKUNZIP (R) FAST! Extract Utility Version 2
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
. 80486 CPU detected.
. EMS version 4.00 detected.
. XMS version 3.00 detected.
Searching ZIP: KEYFUN.ZIP
Inflating: JUNE91.WK1
Inflating: JUNE91.WP
PKUNZIP: (W12) Warning! Skipping encrypted file: SENSITIV.TXT
PKUNZIP: (W12) Warning! Skipping encrypted file: DIARY.TXT
Extracting the file with a decryption key will extract any file that the
key is valid for, but an error will be reported on any files with a
different key.
C:\>pkunzip keyfun -sPiZzA -o
PKUNZIP (R) FAST! Extract Utility Version 2
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
. 80486 CPU detected.
. EMS version 4.00 detected.
. XMS version 3.00 detected.
Searching ZIP: KEYFUN.ZIP
Inflating: JUNE91.WK1
Inflating: JUNE91.WP
Inflating: SENSITIV.TXT
PKUNZIP: (W14) Warning! Incorrect password for file: DIARY.TXT
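
The following is an added example, not part of the PKZIP manual. The ZIP format records encryption per entry as bit 0 of the general-purpose flag field, which is what the * in the listing above reflects; this Python sketch reads that flag to find sensitive files left unencrypted in a mixed archive, and shows that names, sizes and CRCs are readable without any key. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0, the "*" in the -v listing


def build_sample(marked):
    """Constructed sample archive. Entries named in `marked` get the encrypted
    flag set in both headers; their data is NOT really encrypted (the standard
    library cannot write encrypted entries), which is enough for a listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("JUNE91.WK1", "JUNE91.WP", "SENSITIV.TXT", "DIARY.TXT"):
            zf.writestr(name, b"constructed sample data\n" * 20)
    raw = bytearray(buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(bytes(raw))) as zf:
        infos, pos = zf.infolist(), zf.start_dir
    for info in infos:
        # central directory record: flags at +8, three length fields at +28
        name_len, extra_len, comment_len = struct.unpack_from("<3H", raw, pos + 28)
        if info.filename in marked:
            raw[info.header_offset + 6] |= ENCRYPTED  # local file header flags
            raw[pos + 8] |= ENCRYPTED                 # central directory flags
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


def audit(zip_bytes, sensitive):
    """Read only the central directory (no key needed) and report, per entry,
    what any holder of the archive can see, plus sensitive names left in clear."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        listing = [
            (i.filename, i.file_size, f"{i.CRC:08x}", bool(i.flag_bits & ENCRYPTED))
            for i in zf.infolist()
        ]
    exposed = [n for n, _, _, enc in listing if n in sensitive and not enc]
    return listing, exposed


if __name__ == "__main__":
    archive = build_sample(marked={"SENSITIV.TXT"})
    listing, exposed = audit(archive, sensitive={"SENSITIV.TXT", "DIARY.TXT"})
    for name, size, crc, enc in listing:
        print(f"{size:>6} {crc} {'*' if enc else ' '} {name}")
    print("sensitive but not encrypted:", exposed)
```

Because an archive can mix encrypted and unencrypted entries, a check like this is worth running before an archive leaves your control.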
How secure is PKZIP encryption?
There are many factors to consider when using PKZIP encryption. There are
also several levels and implications to consider.
The first level of security is physical. Who has access to the .ZIP file?
You need to be aware of who might be able to get to sensitive data located
on your machine, on your floppies, or on your personal network drive.
The potential hazards of using data encryption cannot be stressed strongly
enough. Make certain that you will be able to recall what was used for
the encryption key. Also be certain that all people who need to be able
to access this data have agreed upon how the encryption will be performed.
It does happen that people encrypt very important data, and then go on
"vacation" to a distant land, or meet their untimely demise, without first
passing on the encryption key. In these sorts of eventualities the data
is gone. So consider well before you encrypt or allow the encryption of
information. If this information is so vital to you that you feel you
must encrypt it, consider what the loss of it would mean to you.
All forms of encryption, including the one used by PKZIP, are open to
"brute force" attacks. This form of attack is simply the trying of many
passwords until you find one that works.
In order to help you protect your data from this sort of attack we present
figures on how long a brute force attack, using a computer, would take.
The scenario we present here assumes that your encrypted .ZIP file is
being assaulted by a program which is designed specifically to do this.
An encryption key may contain any valid ASCII character, not just A-Z in
upper and lower case and punctuation marks. However, most people will
just use the latter. The following table is indexed by the complexity of
the password. Across the top is the range of characters used. The
simplest assumes that only lower case letters from a to z were used. The
next column assumes that all printable characters were used (a to z in
upper and lower case, punctuation, brackets, etc.). The last column
assumes a password containing the complete range of ASCII characters.
The vertical index is the length of the password used. This impacts the
strength of the password greatly. Think of it as a combination lock. A
combination lock with only two numbers would be much easier to break than
one with three or four numbers.
We recommend that if you need a truly secure encrypted file, use an
encryption key of at least six characters.
The last assumption made is about the speed of the attacking program. For
the purposes of this table, we assume that 10,000 possible keys are being
attempted per second.
Password "Hacking" Time
+----------+---------------+---------------------+--------------------------+
| Key      | 26 characters | 96 characters       | 256 characters           |
| Length   | (a-z)         | (a-z,A-Z,etc)       | (All ASCII)              |
+----------+---------------+---------------------+--------------------------+
| 3        | 2 seconds     | 1 minute            | 27 minutes               |
| 4        | 1 minute      | 2.35 hours          | 4 days                   |
| 5        | 19 minutes    | 9 days              | 3 years                  |
| 6        | 8.6 hours     | 2 years             | 891 years                |
| 7        | 9 days        | 238 years           | 2283 centuries           |
| 8        | 241 days      | 228 centuries       | 584,546 cent.            |
| 9        | 17 years      | 21,945 cent.        | 149,643,989 cent.        |
| 10       | 2,106,744 centuries is listed under 96 characters; see row below |
+----------+---------------+---------------------+--------------------------+
| 10       | 447 years     | 2,106,744 centuries | 38,308,861,211 centuries |
+----------+---------------+---------------------+--------------------------+
Choose the complexity that you feel meets your needs, but keep in mind all
that has been mentioned about losing and forgetting passwords.
These figures represent the state of technology today. PKWARE Inc.
cannot predict future technologies which may allow faster attempts at
decryption of a .ZIP file.
Note that the above figures do not include the time needed to actually try
all valid passwords. This would increase the time by several hundred
percent, dependent upon the length of the file.
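
The following is an added example, not part of the PKZIP manual. The table's figures correspond to the number of possible keys of the given length divided by the assumed 10,000 keys per second; this Python sketch recomputes them and then inverts the calculation to find the shortest key length that outlasts a chosen time at a different attempt rate. The function names are hypothetical and the faster rate is an illustrative assumption, not a measured speed.

```python
PAGE_RATE = 10_000  # keys tried per second, the table's stated assumption
ALPHABETS = {"a-z": 26, "printable": 96, "all ASCII": 256}  # the table's columns
UNITS = [("centuries", 100 * 365.25 * 86400), ("years", 365.25 * 86400),
         ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def exhaust_seconds(alphabet, length, rate=PAGE_RATE):
    """Seconds needed to try every key of exactly `length` characters."""
    return alphabet ** length / rate


def humanize(seconds):
    """Express a duration in the largest unit of which it holds at least one."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length(alphabet, rate, target_seconds):
    """Shortest key length whose full keyspace outlasts `target_seconds`."""
    length = 1
    while exhaust_seconds(alphabet, length, rate) < target_seconds:
        length += 1
    return length


def table(rate=PAGE_RATE, lengths=range(3, 11)):
    """Rows of (length, [time per alphabet]) in the layout of the page's table."""
    return [(n, [humanize(exhaust_seconds(a, n, rate)) for a in ALPHABETS.values()])
            for n in lengths]


if __name__ == "__main__":
    for n, cells in table():
        print(f"{n:>2}  " + "  ".join(f"{c:>26}" for c in cells))
    year = 365.25 * 86400
    assumed_rate = 10 ** 9  # assumption for illustration, not a measured speed
    for name, a in ALPHABETS.items():
        print(name, min_length(a, PAGE_RATE, year), min_length(a, assumed_rate, year))
```

At the table's rate a 96-character alphabet needs six characters to outlast one year, which matches the recommendation above; at the assumed faster rate the same target needs nine.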