Instead of the user's chosen password (in this case " Nev1r-G0nna-G2ve-.") this newly calculated hash becomes the actual password to the file. By too long, we mean longer than 64 bytes (characters), explains the researcher. When producing password-protected ZIP archives with AES-256 mode enabled, the ZIP format uses the PBKDF2 algorithm and hashes the password provided by the user, if the password is too long. Try to hash the first password with SHA1 and decode the hexdigest to ASCII. That hash (as raw bytes) becomes the actual password. ZIP uses PBKDF2, which hashes the input if it's too big. Twitter user Unblvr seems to have figured out the mystery: Responding to Sharoglazov's demo, a curious reader, Rafa raised an important question, "How?" While the ZIP was encrypted with the longer password, using either password extracted the archive successfully. Like the researcher's ZIP archive, ours was created with the aforementioned longer password, and with AES-256 encryption mode enabled. We used both p7zip (7-Zip equivalent for macOS) and another ZIP utility called Keka. Two different passwords for same ZIP file result in successful extraction (Sharoglazov)īleepingComputer was able to successfully reproduce the experiment using different ZIP programs.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |