
I am looking at encrypted zip files (using PKzip format) and I don't understand how the encryption scheme is encoded in the binary format. In my research, I found this paper outlining the various encryption schemes used in PKzip-formatted files. I found that the encrypted files I've been looking at match the magic number format 50 4b 03 04 outlined in the article. According to the paper, the encryption scheme type used can be determined from the 2 bytes after the file name in the file (17 00 for "Strong Encryption" and 01 99 for "WinZip AES encryption"). It does not state such a signature for "Traditional PKWare Encryption".

I created an encrypted zip file using Keka to examine the contents and see what kind of encryption was used. Neither of the magic numbers mentioned in the article appeared after the file name; instead, I found the bytes 54 73. In fact, upon adding some more bytes to the plaintext file that I encrypted, I noticed that after encrypting, these bytes changed just a little bit, suggesting that they are not in fact an indicator of the encryption scheme used. I've looked at the output of zipdetails to try and see if there are any more details on the encryption scheme used, but the output simply states that the file is encrypted. Are there any useful tools to analyze and determine the encryption scheme used in an encrypted PKzip file?

    Why do you want the encryption scheme, that will not help if you do not know the encryption key. – zaph Aug 14 '17 at 19:46
  • Firstly, I want to better understand the structure of a zip file. What I'm finding in these zip files does not match with what I've read and I want to know why. Secondly, depending on the encryption scheme, knowing the key is irrelevant if a weak encryption method is used (as demonstrated by the paper I cited for the traditional pkzip encryption scheme). As for block ciphers, even using them incorrectly can leave them vulnerable to attack (e.g., using ECB mode, padding oracle attacks with CBC mode, non-random nonces in CTR mode, etc.) – saltthehash Aug 15 '17 at 04:48

1 Answer


Use the 7z command line tool and check for the Method.

$ 7z l -slt /tmp/test.zip 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)

Scanning the drive for archives:
1 file, 318 bytes (1 KiB)

Listing archive: /tmp/test.zip

--
Path = /tmp/test.zip
Type = zip
Physical Size = 318

----------
Path = etc/shells
Folder = -
Size = 179
Packed Size = 132
Modified = 2016-02-26 00:50:13
Created = 
Accessed = 
Attributes = _ -rw-r--r--
Encrypted = +
Comment = 
CRC = 57BC32BA
Method = ZipCrypto Deflate
Host OS = Unix
Version = 20
Volume Index = 0
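For readers who want to see where 7z gets "ZipCrypto" from, the following is an added example (not code from the question, the answer, or any of the tools mentioned) that parses a ZIP local file header by hand and classifies the encryption scheme the way the question describes it. It follows the field layout in PKWARE's APPNOTE: a `50 4b 03 04` signature, 26 bytes of fixed fields, the file name, then the extra field. The two "magic numbers" in the question are extra-field header IDs stored little-endian: `17 00` is 0x0017 (Strong Encryption) and `01 99` is 0x9901 (WinZip AE-x, which also sets compression method 99). Traditional PKWARE encryption (ZipCrypto) has no extra field at all; it only sets general-purpose flag bit 0, and the bytes that immediately follow the file name are the 12-byte random encryption header, which is why they change between archives. The three headers below are constructed for the example (CRCs, sizes and the 0x0017 payload are placeholders, and the `Ts` bytes in the ZipCrypto sample are just `54 73` from the question); the function names are mine.

```python
"""Classify the encryption scheme of a PKZIP local file header (added example)."""
import struct

LOCAL_HEADER_SIG = b"PK\x03\x04"          # 50 4b 03 04
FLAG_ENCRYPTED = 0x0001                   # general-purpose bit 0: entry is encrypted
FLAG_STRONG_ENCRYPTION = 0x0040           # general-purpose bit 6: PKWARE strong encryption
EXTRA_ID_STRONG_ENCRYPTION = 0x0017       # stored on disk as 17 00
EXTRA_ID_WINZIP_AES = 0x9901              # stored on disk as 01 99
METHOD_AES = 99                           # compression method WinZip uses for AE-x entries
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra_fields(extra: bytes) -> dict:
    """Extra field = sequence of (header ID u16, data size u16, data), little-endian."""
    fields = {}
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        fields[field_id] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def classify_local_header(data: bytes) -> dict:
    """Return file name, compression method and detected encryption scheme for one header."""
    if data[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a local file header (expected 50 4b 03 04)")
    # 26 bytes of fixed fields follow the 4-byte signature.
    (_version, flags, method, _mtime, _mdate, _crc, _comp_size, _uncomp_size,
     name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, 4)
    name_start = 30
    extra_start = name_start + name_len
    data_start = extra_start + extra_len
    name = data[name_start:extra_start].decode("utf-8", "replace")
    fields = parse_extra_fields(data[extra_start:data_start])

    result = {"name": name, "method": method, "scheme": "none"}
    if not flags & FLAG_ENCRYPTED:
        return result
    if EXTRA_ID_WINZIP_AES in fields and method == METHOD_AES:
        # AE-x data: vendor version u16, vendor ID "AE", strength u8, real compression method u16
        ae_version, _vendor, strength, real_method = struct.unpack(
            "<H2sBH", fields[EXTRA_ID_WINZIP_AES][:7])
        result.update(scheme="WinZip AES", ae_version=ae_version,
                      strength=AES_STRENGTH.get(strength, "unknown"), method=real_method)
    elif flags & FLAG_STRONG_ENCRYPTION or EXTRA_ID_STRONG_ENCRYPTION in fields:
        result["scheme"] = "PKWARE Strong Encryption"
    else:
        # Traditional PKWARE encryption (ZipCrypto): no extra field. The 12 bytes right after
        # the file name are the random encryption header, not a scheme identifier.
        result["scheme"] = "ZipCrypto"
        result["encryption_header"] = data[data_start:data_start + 12]
    return result


def build_local_header(name: bytes, flags: int, method: int, extra: bytes, payload: bytes) -> bytes:
    """Build a constructed local file header for the samples; CRC and timestamps are dummies."""
    fixed = struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, 0,
                        len(payload), len(payload), len(name), len(extra))
    return LOCAL_HEADER_SIG + fixed + name + extra + payload


# Constructed samples, one per scheme. Payloads are arbitrary placeholder bytes.
SAMPLES = {
    "zipcrypto": build_local_header(
        b"etc/shells", FLAG_ENCRYPTED, 8, b"", b"Ts" + bytes(range(10)) + b"\x00" * 20),
    "winzip_aes": build_local_header(
        b"secret.txt", FLAG_ENCRYPTED, METHOD_AES,
        struct.pack("<HHH2sBH", EXTRA_ID_WINZIP_AES, 7, 2, b"AE", 3, 8), b"\x00" * 40),
    "strong": build_local_header(
        b"doc.pdf", FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION, 8,
        struct.pack("<HH", EXTRA_ID_STRONG_ENCRYPTION, 8) + b"\x00" * 8, b"\x00" * 40),
}


def classify_samples() -> dict:
    return {label: classify_local_header(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, info in classify_samples().items():
        print(f"{label:>11}: {info}")
```

On a real archive, read the same flags from the central directory as well and check that the two agree; a mismatch between the local header and the central directory is itself worth noting when you are examining an archive you did not produce.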