Does password protecting an archived file actually encrypt it?

  • For example if I use WinRAR to encrypt a file and put a password on the archive how secure is it? I keep a personal journal and am thinking of doing this, or is there a better way? It's just one huge .docx file.

    Depends on the algorithm used by the file format. Some old "password protection" schemes just set a flag "password protected"; nowadays, there is always some sort of encryption (but then again, there are various broken encryption schemes, especially if the authors of the tool cook them up on their own). A much better option, security-wise would be using some system that has encryption as the primary goal (e.g. a TrueCrypt container), not as an afterthought to the primary function (as is the case with WinRAR). As for the legal question, ask a lawyer (no, seriously).

    "Out of curiosity, can what someone writes in their journal be used to incriminate someone in court?" Usually, yes. In the UK it's the worst: you face up to 2 or 5 years of prison (depending on the case) for not giving your encryption password - and that's besides whatever other fine or jail sentence you get for the case itself.

    @Luc how would they prove the defendant didn't forget the password (or it had been changed by someone else)?

    @Celeritas Exactly: they can't. Or worse: what if you have random data and they think it's encrypted? The law states, if I remember correctly, that if they can "reasonably assume" it's encrypted, you must provide the password.

    If you're going down the route of encrypting with a tool other than the compression software, remember to compress first and encrypt second, or your compression rate will be zero.

    In case of WinRAR, people often use password, but when attacker know extension of file, it can be used to speed up brute force. For example, when attacker try to bruteforce docx document, it can be a little bit faster by checking header of file for well-known format of file. Structure of docx is XML compressed by ZIP, thus begin of decrypted/not-crypted file will be (hexa) 50 4B 03 04 and bruteforce application try to decrypt only firt 4 bytes and when first 4 bytes equal to known file-type, then try to decrypt whole file. This feature is used in advanced breakers to speed up process :-)

    To prevent this, WinRAR have small feature "Encrypt file names". If checked, attacker will not have chance to know (from archive file), what type of file (by extension) is inside of archive :)

    Please note that these answers are likely to be specific to version 3 of RAR format. RAR5 uses PBKDF2-SHA256 and AES-256 in CBC mode.

    Note: I edited the question to remove the legal part of the question, but that may influence the answers out there. Maybe not such a good idea in retrospect. On the other hand, it seems pretty unrelated to the main question... Maybe something for a trusted user / mod to handle.

  • Summary: yes, but use VeraCrypt instead.

    From the documentation:

    WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

    So yes, the data is encrypted. This is only one of the elements of security, however. Another important element is how the key is derived from the password: what kind of key strengthening is performed? The slower the derivation of the key from the password, the more costly it is for an attacker to find the password (and hence the key) by brute force. A weak password is toast anyway, but good key strengthening can make the difference for a reasonably complex but still memorable password. WinRAR uses 262144 rounds of SHA-1 with a 64-bit salt, that's good key strengthening.

    An academic paper has been written on the security of WinRAR: On the security of the WinRAR encryption feature by Gary S.-W. Yeo and Raphael C.-W. Phan (ISC'05). Quoting from the abstract (I haven't read the full text, it doesn't seem to be accessible without paying):

    In this paper, we present several attacks on the encryption feature provided by the WinRAR compression software. These attacks are possible due to the subtlety in developing security software based on the integration of multiple cryptographic primitives. In other words, no matter how securely designed each primitive is, using them especially in association with other primitives does not always guarantee secure systems. Instead, time and again such a practice has shown to result in flawed systems. Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features.

    The advantage of using the encryption built into the RAR format is that you can distribute an encrypted RAR archive to anyone with WinRAR, 7zip or other common software that supports the RAR format. For your use case, this is irrelevant. Therefore I recommend using a software that is dedicated to encryption.

    The de facto standard since you're using Windows was TrueCrypt. TrueCrypt provides a virtual disk which is stored as an encrypted file. Not only is this more secure than WinRAR (I trust TrueCrypt, which is written with security in mind from day 1, far more than any product whose encryption is an ancillary feature), it is also more convenient: you mount the encrypted disk by providing your password, then you can open files on the disk transparently, and when you've finished you unmount the encrypted disk. Sadly TrueCrypt is no longer in active development but it's successor VeraCrypt is. VeraCrypt is based on TrueCrypt and is compatible with the old TrueCrypt containers.

    Out of curiousity can what someone writes in their journal be used to incriminate someone in court?

    This depends on the jurisdiction, but in general, yes, as they say in the movies, anything you say or write can be used against you. You may be legally compelled to reveal encryption keys, and may face further charges if you refuse.

    Weak key strengthening is one of the points I dislike about TrueCrypt.

    @CodesInChaos I thought I remembered it did this right… Ok, Can the TrueCrypt hash be slowed down? says 1000 iterations of SHA-512 with a good-sized salt. That's a bit fast but not altogether broken. Ah, I see that WinRAR does more iterations and uses a 64-byte salt (good enough). The use of ECB stands out as negatively, but for compressed data it's unlikely to matter.

    You highly recommend Truecrypt, but I don't hear many arguments. Sure, they had security in mind since day one, but did they succeed? Is it really that much safer than WinRAR? How long would it take to crack a winrar archive vs truecrypt disk, given the same password?

    @Luc I'm unable to find an academic security review of TrueCrypt. There has been no recent history of bad bugs, and a success story. Note that I recommend its basic disk encryption feature, not its “plausible deniability” features (which do advertise more than what they provide). Recent versions of WinRAR and Truecrypt use the same method to derive the key from the password, but WinRAR performs more iteration, so if everything else is equal cracking should take less time with Truecrypt, but not overwhelmingly so.

    @CodesInChaos It appears our information was out of date: according to the documentation, TrueCrypt uses PBKDF2, though with a lower iteration count than WinRAR.

    Seems like it changed now to 256bits "WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 256 bits."

    @pinkpanther 256 vs 128 is irrelevant for the security of AES: 128 is already unbreakable. What matters is how AES is used — ECB is bad (and it's such an ignorant mistake that it makes one wonder what else they got wrong).

    I would recommend mentioning stenography/plausible denyability (and possibly some very strong stenographic technologies like StegFS) as a way to fight being legally compelled to reveal encryption keys.

    @SamuelAllan In the imagination of nerds, you mean. In practice, it doesn't really make any difference whether you say “I don't remember the key” or “I don't want to reveal the key”. Either you're in a democratic framework and you aren't compelled to incriminate yourself, or you aren't and then it deniability is not plausible and will only get you into further trouble.

    @Gilles, you should research stenography before commenting, you DO reveal the key, except you reveal not the key to your truly private data (which is your other key) but the key to naughty-looking but not illegal data. This way you have in fact revealed the key, and there is no known way to prove that another key even exists. With encryption scemes like AES, if you reveal the key it is always possible to tell whether you have or haven't revealed the true key (the data decrypted will either be totally random or very organized), and hence you are pressured to reveal it.

    @SamuelAllan When you reveal the fake key, in practice, it's obvious that it's the fake key. THat's why plausible deniability is almost always an illusion. It isn't plausible at all. There may be a small window where it's an implausible but legally acceptable excuse, but you're still in trouble.

    @Gilles why is it obvious? If I have a whole filesystem with a fake key, a bunch of programs installed, facebook conversations and a couple of browsers? Of course if I spend 3 second on creating a 'realistic looking' fake environment it isn't going to work, but since I use stenography I might as well put some effort in and have 10-20 keys, where each looks realistic (and actually has use cases)

    @Gilles my bad - I said 'stenography' instead of 'steganongraphy' which is actually the correct word, maybe that confused you.. Apologies

    @Samuel The word is actually *steganography*. I hadn't even noticed your original typo. I understand what you mean and refute it. Don't pass off disagreement as confusion.

    @Gilles, I think it is fair to sum up the main points in the following fashion: (1) From a cryptographic/mathematical perspective there currently is no public known technique to determine number and sizes of sections in a steganographic file system, (2) Practically - often (if not almost always) because of references in files and usage patterns (or a camera photographic your laptop use, you can almost always find ALTERNATIVE EVIDENCE to force the victim to reveal keys, here you are right. (3) However, if extreme effort is put in, one can make effective use of steganography.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM