

mouse
Premium
join:2007-03-29
australia

Encryption via 7Zip or specialised programs

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?



Ian
Premium
join:2002-06-18
ON
kudos:3

said by mouse:

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?

7 ZIP uses AES-256. Very strong. Don't know how strong their password hashing is though. It uses SHA-256, but not sure if it is iterative the way Axcrypt is. But pick a strong enough password and that shouldn't be an issue.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


joepwpb
Premium
join:2000-12-15
West Palm Beach, FL
reply to mouse

7Zip gives you a choice of AES-256 and the much less secure Zip Crypto. Here's some additional info from the help file:

Encryption method

Specifies the encryption method. For 7z format, it can be only AES-256. For ZIP format you can select ZipCrypto or AES-256. Use ZipCrypto, if you want to get archive compatible with most of the ZIP archivers. AES-256 provides stronger encryption, but now AES-256 is supported only by 7-Zip, WinZip and some other ZIP archivers.

Joe P



mouse
Premium
join:2007-03-29
australia
reply to mouse

So if I understand that fully, while the encryption is identical there is a difference with respect to the password hashing. Guess I need to find out what a difference that makes.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mouse

From 7Zip's homepage

7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password.

If you're REALLY paranoid and are savvy with code, download and read over the source files.

Regards


mouse
Premium
join:2007-03-29
australia

Hellfire - I am neither paranoid nor savvy with code (lol) and would not have a clue what to look for, just want someone more cluey to tell me if one has an advantage over the other. At the moment I am getting the feeling that for my limited needs, it does not really matter.



Ian
Premium
join:2002-06-18
ON
kudos:3
reply to mouse

said by mouse:

so if I understand that fully, while the encryption is identical there is a difference with respect to the password hashing. Guess I need to find out what a difference that makes.

Hmm....I looked again, and I found out that 7-zip does hash your password iteratively...

"7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password."

Assuming a "big number" is a lot, sounds pretty good.

Basically this just means that brute-forcing the 7-zip authentication would take a lot longer. When you hear of sites being breached, often it's a case of a simple hash system being used (only once), making brute-force of the password easier.

This is why I meant that it's irrelevant if you pick a strong password.

Re-hashing it just adds to the length of time for the cracker to check each individual password in a brute-force attack. I believe Axcrypt hashes a number of times based on the speed of the PC it is installed on. So it has some "future-proofing" built in.

A ten digit password like hY9*D%P&7k would take up to 20 years to uncover at 100 billion guesses per second. But if the password is re-hashed 10,000 times, that's 200,000 years.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong
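
Added example (not part of the thread, and not 7-Zip's or AxCrypt's own code): the arithmetic behind the 20-year and 200,000-year figures in the post above, together with the speed-based iteration count it describes. It assumes a 95-character printable alphabet, uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for an iterated SHA-256 key derivation, and all function names are hypothetical.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def worst_case_years(alphabet_size, length, hashes_per_second, iterations=1):
    """Years needed to try every password when one guess costs `iterations` hashes."""
    keyspace = alphabet_size ** length
    guesses_per_second = hashes_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def derive_key(password, salt, iterations):
    """Stretch a text password into a 256-bit cipher key.

    PBKDF2-HMAC-SHA256 is an assumption made for this example; it is not
    the derivation function 7-Zip or AxCrypt actually implement.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def calibrate_iterations(target_seconds=0.25, probe=20_000):
    """Choose an iteration count so one derivation costs about target_seconds
    on this machine, never dropping below the probe count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-probe", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    rate = 100e9  # 100 billion hashes per second, the figure used in the post
    print(f"single hash:       {worst_case_years(95, 10, rate):,.0f} years")
    print(f"10,000 iterations: {worst_case_years(95, 10, rate, 10_000):,.0f} years")

    n = calibrate_iterations()
    salt = os.urandom(16)  # stored next to the ciphertext; it is not secret
    key = derive_key("hY9*D%P&7k", salt, n)
    print(f"calibrated to {n:,} iterations, key is {len(key) * 8} bits")
```

The legitimate user pays the stretching cost once per decryption, while someone guessing passwords pays it on every attempt, which is why the iteration count multiplies the search time directly.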


angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4
reply to mouse

said by mouse:

Just wondering if the encryption offered by 7Zip is as good as using specialised programs like Axcrypt or truecrypt. Don't want to compare the features and ways these programs can be used, only curious if cracking the code is concerned it's the same security?

Truecrypt is for volume or whole-disk encryption and requires admin rights to be installed.

Axcrypt and 7-Zip are file-level compressors which can be run without admin rights. A completely portable (no install required) version of 7-Zip can be downloaded from portableapps.com.

If you use either, when encrypting files to be sent over a public service like email don't forget to encrypt the file name as well as the file contents. If you have an encrypted 7-zip file, even without the password you can read the file names unless certain conditions are met.
Axantum Software AB | AxCrypt | Usage Tips
»www.axantum.com/AxCrypt/Tips.htm···ile_name

...but the file name reveals information too!

In many cases, just the file name is enough to violate privacy. You can then use the AxCrypt -> Rename option from the right-click menu. The file will be given a completely anonymous name, but the original name is restored when you decrypt or open the file.

You can also encrypt filenames with 7-Zip, but you have to use 7z (not ZIP) compression. If you don't encrypt the filenames, then anyone can view the included filenames without the password; the password is only required to decompress the files. If you do encrypt the filenames, the password is required even to look inside the 7z archive. The recipient has to have 7-Zip (or a compatible program, like Total Commander with the 7-Zip addon) to decompress the 7z format.

Be careful when installing AxCrypt, it often comes with adware.
Axantum Software AB | AxCrypt | Download
»www.axantum.com/axcrypt/downloads.html
The downloads may include advertisement offers for additional software to finance further development of AxCrypt via the OpenCandy network, or via Softonic Universal Downloader. You may decline OpenCandy offers by selecting the 'I do not accept' radio button at the offer screen, and Softonic offers by unchecking the checkbox. You must still accept license agreement in the first dialog. Please read more here.
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf
»geoapps.blogspot.com/


mouse
Premium
join:2007-03-29
australia
reply to mouse

Thanks Angus for the good comparison between the two progs and also to Ian for explaining the hashing aspect of it. That part was unclear to me before but I now see the benefit of that.



driveby

@sbcglobal.net
reply to angussf

said by angussf:

Truecrypt is for volume or whole-disk encryption and requires admin rights to be installed.

TrueCrypt also does file encryption. It isn't only for volume and whole disk encryption. (File encryption is actually the first noted "Main Feature" on the homepage).

Also there is a portable version. It does require admin rights to run, but does not need to be "installed" first.


teddy

join:2002-02-20
Kingston, ON

said by driveby :

TrueCrypt also does file encryption. It isn't only for volume and whole disk encryption. (File encryption is actually the first noted "Main Feature" on the homepage).

Actually, the first feature noted on their home page I see is:
"Creates a virtual encrypted disk within a file and mounts it as a real disk. "

TrueCrypt does volumes (a file which contains a file system) and entire partitions or drives. It cannot encrypt individual files. At best you create a container (volume) and use it for a single file.

The closest thing to TrueCrypt for individual files would be PGP in my opinion.


driveby

@mullvad.net

said by teddy:

Actually, the first feature noted on their home page I see is:
"Creates a virtual encrypted disk within a file and mounts it as a real disk. "

Exactly! As I pointed out, TrueCrypt does file containers, not just volume or whole disk containers.

The question was about 7zip, which is a file container. I took Angussf as stating that TrueCrypt could only make a container out of volume or a whole disk, and not out of a file. I showed that TrueCrypt also does file containers (and not just volume or whole disk).

Because it can do file containers, it is comparable then to 7zip for that type of purpose. That's what I was pointing out.

Thx

scottp99

join:2010-12-11

Glad TrueCrypt is mentioned.
Because I am quite concerned about it.
It's a bit "shady" to me that TC has not been updated recently now. Secondly, their forum boards only accept ISP based emails when signing up. Third, we do not know still who the developers are. Does this tell you guys something?

So I wouldn't even consider TC as my choice yet.



Ian
Premium
join:2002-06-18
ON
kudos:3

said by scottp99:

It's a bit "shady" to me that TC has not been updated recently now.

Perhaps it hasn't needed to be, in the last year? Why fix something that isn't broken?
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong

OZO
Premium
join:2003-01-17
kudos:2

Good point. But computer users are usually brainwashed with the idea that everything must be updated, or it's outdated... It comes from commercialization of software development and particularly from monetizing on it.
--
Keep it simple, it'll become complex by itself...