dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
7771

mouse
Premium Member
join:2007-03-29
australia

mouse

Premium Member

Encryption via 7Zip or specialised programs

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?

Ian1
Premium Member
join:2002-06-18
ON

Ian1

Premium Member

said by mouse:

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?

7 ZIP uses AES-256. Very strong. Don't know how strong their password hashing is though. It uses SHA-256, but not sure if it is iterative the way Axcrypt is. But pick a strong enough password and that shouldn't be an issue.

joepwpb
Premium Member
join:2000-12-15
West Palm Beach, FL

joepwpb to mouse

Premium Member

to mouse
7Zip gives you a choice of AES-256 and the much less secure Zip Crypto. Here's some additional info from the help file:

Encryption method

Specifies the encryption method. For 7z format, it can be only AES-256. For ZIP format you can select ZipCrypto or AES-256. Use ZipCrypto, if you want to get archive compatible with most of the ZIP archivers. AES-256 provides stronger encryption, but now AES-256 is supported only by 7-Zip, WinZip and some other ZIP archivers.

Joe P

mouse
Premium Member
join:2007-03-29
australia

mouse

Premium Member

so if I understand that fully, while the encryption is identical there is a difference with respect to the password hashing. Guess I need to find out what a difference that makes.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to mouse

MVM

to mouse
From 7Zip's homepage

7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.

If you're REALLY paranoid and are savvy with code, download and read over the source files.

Regards

mouse
Premium Member
join:2007-03-29
australia

mouse

Premium Member

Hellfire - I am neither paranoid nor savvy with code (lol) and would not have a clue what to look for, just want someone more cluey to tell me if one has an advantage over the other. At the moment I am getting the feeling that for my limited needs, it does not really matter.

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to mouse

Premium Member

to mouse
said by mouse:

so if I understand that fully, while the encryption is identical there is a difference with respect to the password hashing. Guess I need to find out what a difference that makes.

Hmm....I looked again, and I found out that 7-zip does hash your password iteratively...

"7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password."

Assuming a "big number" is a lot, sounds pretty good.

Basically this just means that brute-forcing the 7-zip authentication would take a lot longer. When you hear of sites being breached, often it's a case of a simple hash system being used (only once), making brute-force of the password easier.

This is why I meant that it's irrelevant if you pick a strong password.

Re-hashing it just adds to the length of time for the cracker to check each individual password in a brute-force attack. I believe Axcrypt hashes a number of time based on the speed of the PC it is installed on. So it has some "future-proofing" built in.

A ten digit password like hY9*D%P&7k would take up to 20 years to uncover at 100 billion guesses per second. But if the password is re-hashed 10,000 times, that's 200,000 years.

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf to mouse

Premium Member

to mouse
said by mouse:

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?

Truecrypt is for volume or whole-disk encryption and requires admin rights to be installed.

Axcrypt and 7-Zip are file-level compressors which can be run without admin rights. A completely portable (no install required) version of 7-Zip can be downloaded from portableapps.com.

If you use either, when encrypting files to be sent over a public service like email don't forget to encrypt the file name as well as the file contents. If you have an encrypted 7-zip file, even without the password you can read the file names unless certain conditions are met.
Axantum Software AB | AxCrypt | Usage Tips
»www.axantum.com/AxCrypt/ ··· ile_name
...but the file name reveals information too!

In many cases, just the file name is enough to violate privacy. You can then use the AxCrypt -> Rename option from the the right-click menu. The file will be given a completely anonymous name, but the original name is restored when you decrypt or open the file.
You can also encypt filenames with 7-Zip, but you have to use 7z (not ZIP) compression. If you don't encrypt the filenames, then anyone can view the included filenames without the password; the password is only required to decompress the files. If you do encrypt the filenames, the password is required even to look inside the 7z archive. The recipient has to have 7-Zip (or a compatible program, like Total Commander with the 7-Zip addon) to decompress the 7z format.

Be careful when installing AxCrypt, it often comes with adware.
Axantum Software AB | AxCrypt | Download
»www.axantum.com/axcrypt/ ··· ads.html
The downloads may include advertisement offers for additional software to finance further development of AxCrypt via the OpenCandy network, or via Softonic Universal Downloader. You may decline OpenCandy offers by selecting the 'I do not accept' radio buttton at the offer screen, and Softonic offers by unchecking the checkbox. You must still accept license agreement in the first dialog. Please read more here.

mouse
Premium Member
join:2007-03-29
australia

mouse

Premium Member

Thanks Angus for the good comparison between the two progs and

also to Ian for explaining the hashing aspect of it. That part was unclear to me before but I now see the benefit of that.

driveby
@sbcglobal.net

driveby to angussf

Anon

to angussf
said by angussf:

Truecrypt is for volume or whole-disk encryption and requires admin rights to be installed.

TrueCrypt also does file encryption. It isn't only for volume and whole disk encryption. (File encryption is actually the first noted "Main Feature" on the homepage).

Also there is a portable version. It does require admin rights to run, but does not need to be "installed" first.

teddy
join:2002-02-20
Kingston, ON

teddy

Member

said by driveby :

TrueCrypt also does file encryption. It isn't only for volume and whole disk encryption. (File encryption is actually the first noted "Main Feature" on the homepage).

Actually, the first feature noted on their home page I see is:
"Creates a virtual encrypted disk within a file and mounts it as a real disk. "

TrueCrypt does volumes (a file which contains a file system) and entire partitions or drives. It cannot encrypt individual files. At best you create a container (volume) and use it for a single file.

The closest thing to TrueCrypt for individual files would be PGP in my opinion.

driveby
@mullvad.net

driveby

Anon

said by teddy:

Actually, the first feature noted on their home page I see is:
"Creates a virtual encrypted disk within a file and mounts it as a real disk. "

Exactly! As I pointed out, TrueCrypt does file containers, not just volume or whole disk containers.

The question was about 7zip, which is a file container. I took Angussf as stating that TrueCrypt could only make a container out of volume or a whole disk, and not out of a file. I showed that TrueCrypt also does file containers (and not just volume or whole disk).

Because it can do file containers, it is comparable then to 7zip for that type of purpose. That's what I was pointing out.

Thx
scottp99
join:2010-12-11

scottp99

Member

Glad TrueCrypt is mentioned.
Because I am quite concerned of it.
Its a bit "shady" to me that TC has not been updated recently now. Secondly, their forum boards only accepts ISP based emails when signing up. Third, we do not know still who the developers are. Does this tell you guys something?

So I wouldnt even consider TC as my choice yet.

Ian1
Premium Member
join:2002-06-18
ON

Ian1

Premium Member

said by scottp99:

Its a bit "shady" to me that TC has not been updated recently now.

Perhaps it hasn't needed to be, in the last year? Why fix something that isn't broken?
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Good point. But computer users are usually brainwashed with idea, that everything must be updated, or it's outdated... It comes from commercialization of software development and particularly from monetizing on it.