Improved Forensic Recovery of PKZIP Stream Cipher Passwords

Sein Coray, Iwen Coisel, Ignacio Sanchez

Abstract

Data archives are often compressed following the PKZIP format and can optionally be encrypted with either the PKZIP stream cipher or the AES block cipher. In this article, we present new implementations of two attacks against the PKZIP stream cipher. To our knowledge, this is the first time those attacks have been demonstrated on a Graphics Processing Unit (GPU). Our first implementation retrieves archive passwords using the internal state of the PKZIP stream cipher obtained through the known-plaintext attack of Biham and Kocher. Passwords up to length 14 can be recovered within a month using a single Nvidia 1080 Ti GPU. If one hundred of those cards are available, passwords up to length 15 would be recovered in less than 27 days. The second implementation is a more direct attack designed to retrieve an archive’s password without requiring any knowledge other than the ciphertext. Experimental results show that our two implementations are at least ten times faster than the state of the art. This is an undeniable asset for investigators who may be particularly interested in further deepening their forensic analysis of an encrypted archive.



Paper Citation


in Harvard Style

Coray S., Coisel I. and Sanchez I. (2019). Improved Forensic Recovery of PKZIP Stream Cipher Passwords. In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 328-335. DOI: 10.5220/0007360503280335


in Bibtex Style

@conference{icissp19,
author={Sein Coray and Iwen Coisel and Ignacio Sanchez},
title={Improved Forensic Recovery of PKZIP Stream Cipher Passwords},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2019},
pages={328-335},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007360503280335},
isbn={978-989-758-359-9},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Improved Forensic Recovery of PKZIP Stream Cipher Passwords
SN - 978-989-758-359-9
AU - Coray S.
AU - Coisel I.
AU - Sanchez I.
PY - 2019
SP - 328
EP - 335
DO - 10.5220/0007360503280335