Protecting/Encrypting sensitive data with WinZip
I just found this somewhat excellent article on WinZip encryption by Dave Whitelegg, who took on the job of analyzing the different types of encryption provided by WinZip and proceeded to test them out to see how efficient they really are in real-world usage.
The URL of the article is the following:
http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html
I fully recommend going through the entire article. The question of whether using WinZip encryption is fair or not tends to come up when talking about deliverables. If you have to send a series of deliverables that carry sensitive information (a draft or final report, slides, anything) to a client who doesn’t really use PGP/GPG or any kind of secure communication channel, then you’re looking at either crafting a self-decrypting archive through PGP Desktop, some other option, or using WinZip encryption.
The article discusses what you need to be aware of if you are planning on going for WinZip encryption.
Basically the main points are:
- Don’t use WinZip encryption prior to WinZip version 9. Earlier versions carried a home-grown implementation that was broken several times.
- Use AES, and go for the key size of your choice (the bigger the better, you could say)
- Your password NEEDS TO (and don’t break any of these rules, because that’s what makes the protection strong):
  - Be at least 12 characters in length
  - Be random and not contain any dictionary words, common words or names
  - Have at least one Upper Case Character
  - Have at least one Lower Case Character
  - Have at least one Numeric Character
  - Have at least one Special Character e.g. $,£,*,%,&,!
- Even if a file is protected/encrypted, WinZip permits you to browse around the directory structure, having access to the names of the encrypted files. Therefore, it wouldn’t make sense to protect your super-secret client in bananas.zip if, inside, you’re going to find Report - Super Secret Client Name here - 2008.pdf
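
A pre-send check for the AES and file-name points above, as an added example (not code from the article or from WinZip): it reads only the archive's central directory, which is what anyone holding the file can see without the password. It assumes the WinZip AES entry layout (compression method 99, extra field 0x9901); the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # method id WinZip writes for AES-encrypted entries
AES_EXTRA_ID = 0x9901  # extra-field record that carries the AES key strength
KEY_BITS = {1: 128, 2: 192, 3: 256}

def aes_bits(extra):
    """Return the AES key size recorded in the 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7:
            return KEY_BITS.get(extra[pos + 8])  # after version and vendor id
        pos += 4 + size
    return None

def audit(zip_bytes):
    """Report (name, protection) per entry using only the central directory,
    i.e. what is readable without knowing the password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:          # bit 0 = entry is encrypted
                protection = "none"
            elif info.compress_type == AES_METHOD:
                protection = f"AES-{aes_bits(info.extra)}"
            else:
                protection = "legacy (non-AES)"
            report.append((info.filename, protection))
    return report

def constructed_sample():
    """Constructed archive: directory fields are patched to mark the first
    entry as AES-256; the payload is placeholder bytes, not real ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        secret = zipfile.ZipInfo("Report - Super Secret Client Name here - 2008.pdf")
        secret.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
        zf.writestr(secret, b"placeholder")
        zf.writestr("notes.txt", b"plain")
    data = bytearray(buf.getvalue())
    cd = data.find(b"PK\x01\x02")  # first central-directory record
    struct.pack_into("<HH", data, cd + 8, 0x1, AES_METHOD)  # flags, method
    return bytes(data)

if __name__ == "__main__":
    for name, protection in audit(constructed_sample()):
        print(f"{protection:18} {name}")
```

Any entry reported as "none" or "legacy (non-AES)" should be re-packed with AES, and any name in the listing that identifies the client should be renamed before sending.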
And that’s it. I guess one final comment would be that WinZip is not free. Keep that in mind: we’re talking about a commercial application here.
Enjoy your day!