Score:0

How can a cryptographic algorithm be vulnerable?

in flag

I was looking for an encryption algorithm to use with my 7zip archives and I read that there is a solution called ZipCrypto that was said to be very vulnerable.

Since I'd suppose these type of vulnerabilities aren't of the kind of those found in an Application Security context (heap-based, stack-based...) and given that I don't know a lot about these kind of algorithms, how can a cryptographic solution be vulnerable and exploited?

kelalaka avatar
in flag
Might be a dupe of [What is safer: ZipCrypto or AES-256?](https://crypto.stackexchange.com/q/3791/18298) and [7zip : Why does encrypting the same file with AES-256 not give the same output?](https://crypto.stackexchange.com/q/77546/18298)
kelalaka avatar
in flag
See http://infozip.sourceforge.net/FAQ.html#crypto and [7zip provides ZipCrypto for backward compability](https://sourceforge.net/p/sevenzip/discussion/45797/thread/b91e4a57/) nothing more!
Score:0
si flag

In cryptography we have some standard sets of security notions. For encryption, those are explained here, for signatures they're explained here.

An algorithm is vulnerable if it doesn't meet the security notions its authors claim it meets. For encryption it's generally best to consider anything that doesn't satisfy the notion IND-CCA3 as "insecure"; while there are some cases where a system can remain secure with the weaker notions that tends to be an exception to the normal rule.

ZipCrypto doesn't even satisfy the weakest of the encryption security notions, IND-CPA. AES (as used in 7-Zip) is IND-CPA secure, though it doesn't satisfy the stronger notions. If you can't afford the risks of using a scheme that's only IND-CPA secure, consider age for encryption. Otherwise 7-zip's AES-CBC encryption is fine.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.