
I will need to distribute a file to people for a challenge and I need them to open the file at the same time. The file will be provided a couple of days before the challenge. For maximum compatibility (so no need for 3rd party software, just OS supplied tools) I was thinking of using a password protected Zip 2.0 file.

After some reading I think this will be OK, but I'm not sure. I can't seem to find information on my specific use case (the file only needs to be secret for a short amount of time).

There will be only one file and I will use a 5 word diceware password to make it easy for entering the password while keeping quite a bit of entropy.

Will this keep my file secure for about a week, assuming people don't have access to big computing clusters?

Mike Edward Moras
SYN-bit

3 Answers

I just stumbled on http://www.tomshardware.com/reviews/password-recovery-gpu,2945-5.html. Although it's a bit old, it does give me some perspective. It mentions ~30 million password tries per second on a Zip 2.0 file. So if someone had a system that can perform 10 times as many tries per second, they would need (6^5)^5 / 300 000 000 = ~94767626766 seconds = ~3000 years. I don't think anyone will be spending time and money on a 200000 node cluster to bring this down to ~5 days.

@SEJPM, thanks for your comment that gave further thought to my own question. I was wondering, how did you come up with 2^44.8? If I calculate (6^5)^5 / 7 / 24 / 3600 I get 2^45.4. Is there something I'm overlooking?

SYN-bit

To my current knowledge, the content of a Zip 2.0 file is likely safe for a week, assuming

  • the password has large entropy (>95 bits; 16 random characters among uppercase, lowercase and digits qualify, and will work with most pkzip-2-crypto-compatible unarchivers); with 64 bits, I would not bet the house against a determined adversary with a large FPGA (or GPU) farm, and some prior effort on that problem;
  • there is a single file in the archive;
  • very little is known by the adversary about that file; especially, its beginning is pretty much unknown, and no large sub-string of it is known;
  • the archive is made by the relatively well studied PKZIP 2.04g of 1993-02-01 (md5 e5a48751250ffa94a8cf2ecaf8073098), with no unusual option except -s, running on a machine (or Virtual Memory, DOS emulation..) that does not interfere with the operation of its RNG; there exist other zip programs that generate encrypted archives compatible with PKZIP 2.04g, but have a predictable RNG, making them unsafe.

For details and references, see this.

fgrieu

The PKZIP legacy encryption is a stream cipher with a 96-bit state.

From this answer about the possibility of brute forcing an encrypted archive

Barring hypothesis change or progress in some of the above, it is inconceivable that the original file data can be recovered from the archive using anything remotely comparable to the computing effort that a GPU cluster can make in its operational life: if we had a thousand units of some kind each weeding a hundred thousand keys per microsecond for a century, odds are one in a thousand that the right key would be found.

The answer also refers to several papers published about known plaintext attacks on this cipher. The problem here is that, because the files are compressed, there is little real known plaintext to use.
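As an added worked example (not code from the question or from any of the answers above), the following Python models the PKZIP 2.0 "traditional" encryption (ZipCrypto) from scratch, following the algorithm in PKWARE's APPNOTE. It shows the three 32-bit key words that make up the 96-bit state the last answer refers to, how a password cracker uses the 12-byte encryption header and its check byte to reject almost every wrong guess after a handful of table lookups (which is why per-device rates of tens of millions of guesses per second, as in the Tom's Hardware figure, are plausible: there is no salt and no key stretching), and the keyspace arithmetic behind the 5-word diceware figures in the question and the first answer. The word list (WORDLIST), the password (SECRET_PASSWORD) and the file content (SAMPLE_DATA) are constructed for the demonstration; it assumes diceware words are joined by single spaces, a one-byte header check (PKZIP 2.0 behaviour; older versions checked two bytes), and a stored rather than deflated entry. It is an illustration only, not a tool for protecting real data.

```python
"""From-scratch model of PKZIP 2.0 traditional encryption (ZipCrypto), per PKWARE's
APPNOTE. Written for this page as an illustration; not any archiver's code."""
import itertools
import math
import os
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320): PKZIP uses the same table for the
# archive CRC and inside the cipher's key update.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_update(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """The stream cipher. Its entire state is three 32-bit words: 96 bits."""

    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]  # fixed initial state
        for b in password:                                 # no salt, no stretching
            self._update(b)

    def _update(self, plain_byte):
        k = self.keys
        k[0] = _crc32_update(k[0], plain_byte)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF         # linear congruential step
        k[2] = _crc32_update(k[2], k[1] >> 24)

    def _keystream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)          # the state advances with the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, data, salt=None):
    """One stored entry: 12-byte header (11 random bytes, then the high byte of the
    entry's CRC-32 as PKZIP 2.0 does), followed by the data. Returns (crc, bytes)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    if salt is None:
        salt = os.urandom(11)
    header = salt + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + data)


def header_check_passes(password, crc, encrypted):
    """The per-guess test a cracker runs: decrypt only the 12-byte header and compare
    the check byte. A wrong password survives this with probability about 1/256."""
    return ZipCrypto(password).decrypt(encrypted[:12])[11] == (crc >> 24)


def crack_diceware(crc, encrypted, wordlist, n_words):
    """Exhaustive search over space-separated n-word phrases from wordlist.
    Returns (password or None, guesses tested, guesses that passed the header check)."""
    tested = survived = 0
    for combo in itertools.product(wordlist, repeat=n_words):
        pw = " ".join(combo).encode()
        tested += 1
        if not header_check_passes(pw, crc, encrypted):
            continue
        survived += 1
        plain = ZipCrypto(pw).decrypt(encrypted)[12:]  # confirm survivors via full CRC
        if zlib.crc32(plain) & 0xFFFFFFFF == crc:
            return pw, tested, survived
    return None, tested, survived


def diceware_attack_estimate(n_words, guesses_per_second,
                             window_seconds=7 * 24 * 3600, wordlist_size=7776):
    """Keyspace arithmetic for an n-word phrase from a 6^5 = 7776 word diceware list."""
    keyspace = wordlist_size ** n_words
    return {
        "entropy_bits": n_words * math.log2(wordlist_size),
        "seconds_exhaustive": keyspace / guesses_per_second,
        "seconds_expected": keyspace / (2 * guesses_per_second),  # hit halfway on average
        "log2_rate_to_exhaust_in_window": math.log2(keyspace / window_seconds),
    }


# Constructed demo data: an 8-word list and a 3-word phrase, so 8**3 = 512 candidates.
WORDLIST = ["apple", "bolt", "cider", "dune", "ember", "fjord", "grain", "hatch"]
SECRET_PASSWORD = b"cider bolt ember"
SAMPLE_DATA = b"Challenge: open this file at 09:00 UTC on the agreed day.\n"

if __name__ == "__main__":
    crc, enc = encrypt_entry(SECRET_PASSWORD, SAMPLE_DATA)
    print("cracked (password, tested, header survivors):", crack_diceware(crc, enc, WORDLIST, 3))
    est = diceware_attack_estimate(5, 300_000_000)
    print("5 diceware words at 3e8 guesses/s: %.1f bits, %.0f years to exhaust, 2^%.1f guesses/s to exhaust in a week"
          % (est["entropy_bits"], est["seconds_exhaustive"] / 31_557_600, est["log2_rate_to_exhaust_in_window"]))
```

With the question's numbers (five words, 3e8 guesses per second) the estimate reproduces the ~9.5e10 seconds (about 3000 years) from the first answer, and exhausting the space in one week needs about 2^45.4 guesses per second, the figure the asker computed. The cracking loop also makes the trade-off in the answers concrete: the password's entropy is the only thing slowing a guesser down, because each guess costs a few dozen table lookups, while the known-plaintext attacks the last answer cites work on the 96-bit state directly and do not depend on the password at all, which is why the answers insist that little of the file be predictable.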