Solved

Questions on compression software

Posted on 2015-01-28
Last Modified: 2015-02-03
We have been using for some time 2 compression programs; WinZip v9 (6028) and WinRar v4.20 (64-bit).  We haven't felt the need to upgrade these versions, yet we have been informed we HAVE to buy the latest because these versions' security schemes are out of date and we will be unprotected.  We doubt this to be true, so like always, we turn to the Experts for straightforward orientation.  So the questions:

- Must we upgrade these versions to latest & why?
- Which is better WinZip or WinRar?
- Due to what has been in the press about the government
  wanting back-doors to apps like skype & others, how secure are
  these compression software? (see pic of each of their encryption security)
- Finally, should we consider buying another besides
  WinZip or WinRar?
0
Comment
Question by:rayluvs
37 Comments
 

Author Comment

by:rayluvs
ID: 40575474
forgot the pics:

WINZIP: [image: winzip]
WINRAR: [image: winrar]
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40575766
Have you thought of trying 7zip?  It is open source and available free of charge for all uses.  It supports many compression formats, including ZIP and RAR.  It supports AES-256 encryption for 7z and ZIP formats.

I have used it for years, and it has proven to be an invaluable tool.

http://www.7-zip.org/
0
 

Author Comment

by:rayluvs
ID: 40575773
Thanx for the link; yes we have tried it.  Any opinion on my questions?
0
 
LVL 4

Accepted Solution

by:
Jim Riddles earned 100 total points
ID: 40575814
Concerning WinZIP v9, as long as you choose AES-256 encryption, your files are as safe as they can be, for now.

With WinRAR, v4 uses AES-128 while v5.x uses AES-256 encryption.  Meaning that your data will be safer.

If you are comfortable with using the versions of the software you have, then continue to do so.  Upgrading WinRAR would be advisable, but WinZIP is as secure as it is in the latest version.

I stand by my original recommendation of 7zip, if only because it frees you from the concern of paying for upgrades.

Have a great day!
0
 

Author Comment

by:rayluvs
ID: 40575830
Thanx for the info.  We have used 7zip years back and don't remember why we stopped.  Maybe we take another look at to'.

How do you compare 7zip against WinZip?
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40575856
Not having used WinZIP for a decade, at least, I don't have much of an opinion on the software, to be honest.  I only remember that I thought the GUI was okay, and it did a "good enough" job for my purposes.  I looked for a replacement as soon as it went to the shareware model.

For years I used the built-in functionality of Windows Explorer or the Mac Finder to compress and uncompress ZIP files.  Until I started running into RAR files, etc.  That is when I did some looking and found 7zip.  It simply does everything that I require.
0
 

Author Comment

by:rayluvs
ID: 40575970
But what is it that makes it so good in your experience? What do you see that sticks out for a regular user to go directly to 7zip? (maybe give some highlights of your experience with 7zip)
0
 
LVL 4

Assisted Solution

by:Jim Riddles
Jim Riddles earned 100 total points
ID: 40576087
For me personally, my uses are fairly simple.  I need to compress files and/or folders and I need to uncompress files and/or folders.  Sometimes I need to email a file to someone that I want to compress first.  With Windows shell integration, I am able to right click on the file/folder and select "Compress and email" to have it compress the file and automatically begin an email with the resulting file as an attachment.  That only works with desktop email applications, as far as I know, but it is very handy.

Being able to generate a checksum for files is handy, as well.  Although I don't use that feature heavily.  It can also be used to keep a folder synced with a zipped archive.  Sort of a manual backup tool.

I guess the important question to ask is what your company's needs are.  Compare them against the features available in WinZIP, WinRAR, 7zip and any other compression utilities out there.  See what is the best fit for your needs.  Honestly, I can't imagine a scenario where WinZIP or WinRAR is a better choice, but I suppose a company may have a policy banning the use of open source software.  Don't laugh...I have encountered quite a few companies that aren't comfortable because they think the software is untested, unpolished, unsupported, etc.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 100 total points
ID: 40576272
Hi rayluvs.

This made me grin: "yet we have been informed we HAVE to buy the latest because these versions' security schemes are out of date and we will be unprotected.  We doubt this to be true" - well, why can't your informer answer this? Then we could take these answers and argue about them. Maybe he knows more than us? Who knows :)

Our company uses 7-zip but not for encryption. We ceased to use winzip or -rar long ago because 7zip has all we need and is free, small and so far flawless.

So please ask your informer about details and we will discuss those.
0
 

Author Comment

by:rayluvs
ID: 40576366
Jim, so you use it for basic stuff.  We do also, but we use it for moving some sensitive data (for this, we use WinZip since it has 256AES encryption, for some reason we haven't identified if our version of WinRar uses 256AES).

McKnife, good advice and we just asked.  To our surprise, it comes down to preference, no real reason for his recommendation not to use the ZIP & RAR. That being said, we are more confident with both products.

But why don't you use 7zip for encryption?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40576462
We may not use it since we need to follow governmental guidelines for the data that is classified. Only certified software may be used (in our case: chiasmus/sirrix trusted disk)
0
 

Author Comment

by:rayluvs
ID: 40576503
Understood.

To finalize the question,

- how about the possibility, or how difficult is WinZip/WinRar to crack?
  (basing on that MS gave back-door access to the government
   http://www.technobuffalo.com/2013/07/11/microsoft-gave-the-nsa-direct-backdoor-access-to-outlook-skype/)

- also, we understand all software is possible for reverse engineering, if that was done
   on WinRar, WinZip, 7zip, etc., how viable would it be to help crack a compressed/encrypted file?
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 100 total points
ID: 40577142
That is impossible to judge. If you think some American agency might be interested in your data, they can demand any American company to build a backdoor or to disclose ways to bypass security functions if such a way is present in your version - we don't know that.

To reverse engineer open source software is not needed, the source is open to anyone. For payware like winzip, we don't know the code and cannot judge how hard it is to reverse engineer that. The encryption part itself cannot be reverse engineered, only the implementation of it. That means that if there's a design weakness in the way the program works, it could be found by rev. engineers. You will not be able to do something against it, nor judge how probable that is. But you will have to agree that software needs to be updated (kept current against vulnerabilities) and that will be costly with winzip.
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40577253
rayluvs,

As @McKnife says, it is impossible to say.  Any US based company could be coerced by the US Government to include a backdoor in their product, but on the other hand the same could be said of any other government.  Read the article here.

One benefit of using open source software is that you will have a generally fast turn time to address vulnerabilities.  No software is immune from compromises, but with the open source community, you can be certain that they will address any vulnerabilities in a timely fashion.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 40577379
This is perfect for my article here:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
and here: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
They even explain which Compression Suite is easier to attack! The encryption actually matters little, all 3 (7z, Rar, Zip) are sound in that regard, it's the password chosen that is the weakest link in all 3 cases. You can try for yourself, but RAR is the slowest to attack from a password perspective, known plain-text attacks don't work anymore like they did with early versions of winZip (<ver 7).
I'd recommend 7z over the others, it's faster to compress and decompress typically, supports as much if not more (compression types) than the rest, and the compression is often better, depends on the data.
-rich
0
 

Author Comment

by:rayluvs
ID: 40577925
Thank you very much for your info!! Just read your links; couldn't stop reading on to the other links you referred!!  Can we conclude that using a good password and maybe changing them periodically, if necessary (like you said, “password is weakest link”).

Have some questions though:

In your paper “How secure are passwords”, you say we are used to using “Symmetric encryption” when protecting zip files, but it also states “encryption is a reversible process”, why is encryption reversible under Symmetric encryption and above you say “all 3 (7z,Rar,Zip) are sound in that regard”?

In your link “Choosing the right encryption for your needs”, when you say “Winrar's password guessing is the slowest I've encountered, WinZip the fastest and 7Zip being in the middle", what do you mean by “Slowest, Fastest and Middle”?

Read both documents, but couldn't identify which Compression Suite is easier to attack; which is it?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 40578043
Reversible in that password123 is used to decrypt and encrypt. In Asymmetric encryption, key1 is used to encrypt, and key2 is used to decrypt.
They are all "easy" to attack, that is get the hash and begin attacking, Rar is the slowest to compute each hash, 7zip second slowest, and winzip is faster to compute each hash iteration. Most recent winRar you get about 100-200 passwords tried per second, that's soooooooo slow when compared to say NTLM, MD5, SHA etc... But they aren't ultimately too different either, Rar is slower to try than 7z, but not by a large margin, same with winzip.
I'll get some solid figures in a bit, but they are pleasantly secure these days compared to when they first started to do archive crypto.

-rich
0
 

Author Comment

by:rayluvs
ID: 40578403
Ok, you mean that the actual password is the "reversible" due to the function of which is being used for: decrypt and encrypt.  And by "slow" you meant it takes longer; understood.

How about which Compression Suite is easier to attack?
0

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40578757
Correct about the password, same one is used for both de/encryption. The attacks are the same, below are some speed tests for each format, note that depending on the tool used, speed could be a little better. These tests were done on a 24 core CPU, while it looks like 7zip is the slowest, it's only because some algorithms do not benefit from being multi-threaded (MPI), and other methods can be used to distribute the load so that 7z's numbers are closer to rar and winzip.
Benchmarking: rar, RAR3 (4 characters) [SHA1 AES 32/64]... (24xOMP) DONE
Raw:    329 c/s real, 30.0 c/s virtual

Benchmarking: RAR5 [PBKDF2-SHA256 128/128 SSE4.1 4x]... (24xOMP) DONE
Raw:    405 c/s real, 33.4 c/s virtual

Benchmarking: 7z, 7-Zip (512K iterations) [SHA256 AES 32/64]... (24xOMP) DONE
Raw:    66.6 c/s real, 4.3 c/s virtual

Benchmarking: ZIP, WinZip [PBKDF2-SHA1 4x SSE2]... (24xOMP) DONE
Raw:    13653 c/s real, 879 c/s virtual

Benchmarking: PKZIP [32/64]... (24xOMP) DONE
Many salts:     31142K c/s real, 3601K c/s virtual
Only one salt:  4159K c/s real, 2078K c/s virtual

Benchmarking: Office, 2007/2010 (SHA-1) / 2013 (SHA-512), with AES [32/64 OpenSSL]... (24xOMP) DONE
Raw:    542 c/s real, 40.2 c/s virtual

Benchmarking: oldoffice, MS Office <= 2003 [MD5/SHA1 RC4 32/64]... (24xOMP) DONE
Many salts:     2143K c/s real, 223945 c/s virtual
Only one salt:  1250K c/s real, 188975 c/s virtual

Benchmarking: PFX, PKCS12 (.pfx, .p12) [32/64]... (24xOMP) DONE
Raw:    6438 c/s real, 1378 c/s virtual

Benchmarking: pwsafe, Password Safe [SHA256 32/64]... (24xOMP) DONE
Raw:    3505 c/s real, 449 c/s virtual

Benchmarking: RACF [DES 32/64]... (24xOMP) DONE
Many salts:     3131K c/s real, 633781 c/s virtual
Only one salt:  1821K c/s real, 612544 c/s virtual

Benchmarking: Raw-MD5 [MD5 128/128 SSE4.1 12x]... (24xOMP) DONE
Raw:    4953K c/s real, 2727K c/s virtual

Benchmarking: LastPass, sniffed sessions [PBKDF2-SHA256 AES 128/128 SSE4.1 4x]... (24xOMP) DONE
Raw:    27246 c/s real, 1871 c/s virtual

Benchmarking: crypt, generic crypt(3) DES [?/64]... (24xOMP) DONE
Many salts:     14738 c/s real, 14667 c/s virtual
Only one salt:  14623 c/s real, 14658 c/s virtual

Last words: All 3 are very slow to attack (nowadays), so all 3 are equal in encryption strength. Passwords don't have to be changed if they are long, and would never be guessed. I think 7z compresses faster and farther than the other 2, but I deal in text data mostly. You would be fine with any choice, 7z is free and very popular, you don't have to use the 7z (lzma) format, it can make zip archives too. Just not rar, that's a proprietary algo and they don't share it.
-rich
0
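The password sizing that follows from the benchmark figures in the post above, as an added example that is not part of the original thread. The rates are the "real" c/s values quoted there; the 62-character alphabet, the 100-year target and the 1000x hardware speedup are assumptions chosen for illustration.

```python
import hashlib
import time

# "real" candidates/second copied from the benchmark output in the post above
# (24-core CPU). Any other hardware changes these numbers.
BENCH_CPS = {
    "RAR3": 329,
    "RAR5": 405,
    "7-Zip": 66.6,
    "WinZip AES": 13653,
    "PKZIP (one salt)": 4_159_000,
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_exhaust(cps, alphabet, length, speedup=1):
    """Worst-case years to try every password of exactly `length` characters."""
    return alphabet ** length / (cps * speedup) / SECONDS_PER_YEAR


def min_random_length(cps, alphabet, target_years, speedup=1):
    """Shortest random password whose keyspace outlasts `target_years`."""
    guesses = cps * speedup * target_years * SECONDS_PER_YEAR
    length = 1
    while alphabet ** length < guesses:
        length += 1
    return length


def stretch_ratio(low_iters, high_iters, rounds=20):
    """Measured cost ratio of PBKDF2-HMAC-SHA256 at two iteration counts.

    Shows why a format with more key-stretching iterations benchmarks at
    fewer candidates per second: every guess pays the full derivation.
    The iteration counts passed in are illustrative, not any format's own.
    """
    def cost(iters):
        start = time.perf_counter()
        for i in range(rounds):
            # constructed password and salt, used only to time the derivation
            hashlib.pbkdf2_hmac("sha256", b"constructed-pw", bytes([i]) * 16, iters)
        return time.perf_counter() - start
    return cost(high_iters) / cost(low_iters)


if __name__ == "__main__":
    ALPHABET = 62   # assumption: random a-z, A-Z, 0-9
    SPEEDUP = 1000  # assumption: hardware 1000x faster than the benchmarked CPU
    for fmt, cps in BENCH_CPS.items():
        days = years_to_exhaust(cps, 26, 6) * 365
        need = min_random_length(cps, ALPHABET, 100, SPEEDUP)
        print(f"{fmt:18} 6 lowercase letters: {days:10.3f} days | "
              f"length for 100 years: {need}")
    print("cost ratio, 1,000 vs 50,000 iterations:", round(stretch_ratio(1000, 50000)))
```

The lengths only hold for randomly generated passwords; a dictionary word or reused password falls far sooner than its length suggests, whichever archive format protects it.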
 

Author Comment

by:rayluvs
ID: 40579094
Thanx.  One last question, my version of WinRar v4.20 (64-bit), does it have AES-256 bit? And does the current version of 7z have AES-256?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40579497
Winrar 5 added 256-bit AES, 4 uses 128-bit. http://www.techno360.in/winrar-5/
7-zip has had 256-bit for 5-6 years now, as has winzip, since version 11 I believe. http://www.winzip.com/aes_info.htm
-rich
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40579711
Rich,

Per my earlier post (dated 2015-01-28 at 10:33:18), WinZIP has implemented AES-256 since v9.  If you look at the screenshot the OP posted, you will see the option available and checked.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40579842
I thought it might have, but not being a user of winzip I wasn't sure, looking over the article I linked they talk about some AES mode changes, and how even though they had 256 bit in 2004, it was not implemented fully beyond 192(now corrected, since 06). Winzip 8 or less was vulnerable to many attacks: https://www.elcomsoft.com/help/en/archpr/guaranteed_winzip_attack.html

Again these days it's not the crypto in these three products that is the weakest link anymore, it's the password, which brings up another article of mine: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
-rich
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40579851
Rich,

I have taken some time to read your articles...they are excellent.  It is nice to have a true security expert participating.  :)
0
 

Author Comment

by:rayluvs
ID: 40581277
Was about to close the question, and rereading the entries, had a question based on McKnife (ID: 40577142) entry of "The encryption part itself cannot be reverse engineered, only the implementation of it.": if an experienced hacker or a security expert analyzed the entire process of implementing the encryption of 7zip open source code, couldn't he/she come up with the password used by the user? In other words, why can encryption not be reverse engineered on any of these software?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 40581313
That's the point of most encryption, its strength when you know everything about it. Most encryption is fully able to be examined, MD5, SHA, AES, BlowFish, Skein, PGP etc... Anyone can design an algorithm they themselves can't break, opening it up to the world is what makes a good algorithm, AES is a good algorithm and everyone can try to break it if they want, they will not succeed. The password is the weakest link here :)
https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign
-rich
0
 

Author Comment

by:rayluvs
ID: 40581592
Thanx again!
0
 

Author Comment

by:rayluvs
ID: 40581594
Thanx!
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40583781
I believe I deserve an assisted solution.  I addressed the questions in your original post.  The fact that Rich was able to go into detail about encryption itself is fantastic and he deservedly should be credited with the accepted solution, but I certainly believe I assisted.

Just my two cents.
0
 

Author Comment

by:rayluvs
ID: 40583860
I thought I did, but just reread the thread via my phone and you are correct, I haven't.

How can I redistribute?
0
 
LVL 4

Expert Comment

by:Jim Riddles
ID: 40583876
I don't know.  It is okay...have a great day!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40583925
I requested ATTN for your Q, it's a link right under the question, someone should contact you shortly rayluvs.
-rich
0
 

Author Comment

by:rayluvs
ID: 40584477
Thanx, will do!
0
 

Author Comment

by:rayluvs
ID: 40584481
Doesn't work, the request says it's filled.

[image: req]
When clicked, doesn't permit entry.

Moderator please advise.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40584513
Probably because I've already done it :)
0
 

Author Comment

by:rayluvs
ID: 40584525
Ok (hey sorry we didn't credit you, didn't mean to, thought it was done)
0
