Anonymous (nobody@replay.com)
Tue, 13 Oct 1998 23:27:29 +0200
> Mike:
>
> The short answer to your question is any PRNG you want. Just generate
> 11 bytes for versions 2.x+ and 10 bytes for versions less than 2.0.
> The Zip file specification (appnote.txt) is silent on the point.
As has been mentioned, Eli Biham and Paul Kocher are not so silent --
http://www.uneedus.com/~dave/public/pkzip-crack.txt
ABSTRACT: The PKZIP program is one of the more widely used
archive/compression programs on personal computers. It also has many
compatible variants on other computers, and is used by most BBS's and ftp
sites to compress their archives. PKZIP provides a stream cipher which
allows users to scramble files with variable length keys (passwords). In
this paper we describe a known plaintext attack on this cipher, which can
find the internal representation of the key within a few hours on a
personal computer using a few hundred bytes of known plaintext. In many
cases, the actual user keys can also be found from the internal
representation. We conclude that the PKZIP cipher is weak, and should not
be used to protect valuable data.
(see the URL if you want the whole paper)
>
> Specifically, I am pretty sure, (as an ex-employee) PKZIP uses rand()
> from the C library. If not, it is still a Linear Congruential
> Multiplier PRNG. I have no clue what WinZip uses. Hopefully, it is
> not rand().
>
> > Anyone know what prng PKZIP and/or WinZip uses? (The spec asks for 11
> > random bytes as a kind of IV for the encryption).
> > --
> > Mike Stay
> > Cryptographer / Programmer
> > AccessData Corp.
> > mailto:staym@accessdata.com
>
> In Liberty,
> John Washhburn
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:21