--=_zucker.schokokeks.org-25646-1394655693-0001-2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) References http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2014-2319 http://int21.de/cve/CVE-2014-2319-powerarchiver.html http://www.powerarchiver.com/2014/03/12/powerarchiver-2013-14-02-05-release= d/ Background ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz Description The compression tool PowerArchiver version 14.02.03 creates files with an insecure encryption method even if the user selects a (secure) AES encryption in the GUI. If a user clicks on the "Encrypt Files" and selects "AES 256-bit" for encryption, the outcoming file will not be AES-encrypted. It will instead use the legacy PKZIP encryption, which uses a broken encryption algorithm. Note that there are different ways in PowerArchiver to create an encrypted ZIP file, the issue only appears when using the "Encrypt Files"-Button. The PKZIP encryption has been broken by Biham/Kocher in 1994. The vendor ConeXware has released version 14.02.05 which fixes the issue. It also disables completely support for creating archives with the broken legacy ZIP encryption. Disclosure Timeline 2014-03-10: Issue found, vendor contacted 2014-03-10: Vendor replies, confirms issue 2014-03-12: Vendor publishes fixed version --=20 Hanno B=C3=B6ck http://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42 --=_zucker.schokokeks.org-25646-1394655693-0001-2 Content-Type: application/pgp-signature; name="signature.asc" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJTIMGpAAoJEKWIAHK7tR5CJp0P/3hY3okaVCOa2DsgAwg2Bff4 WxLAVxuFQQyW6/fyvX4uDtCyy/UvkY6pKuk0YH/3q0Gh+1BJEaQYAEjA5SEKg/EJ XZ00Y4KTkLGmCd6PJYwQRlnKLdhm88GoSw2GV5aY5XCd/ZlLF0VLFNLgQir1WZN4 5cS+8Yjsv7NMQT3XFHBPEcRiOB+dVvWj41Xxmr89NuDePWqK0/oMouUQL9IT7CN4 NoXFH/rjRCe8AqHvfThpwwLvuOlGiyo7gilkxk8WTzL4EKH43CTMZ19P3NRrfaHV jgVkOA7uwNrEQpUkkxjHVBjCkoQ2I0Q9aBPXkCSPqPzzXgj9/V74/tG3GXCnyjd5 SsrvyObe9cl2ClAraM1o+c25IE671qiErF7wcCl2YEjgc8woWm9bLOa20OuvM+Gf I+hQH103R33nDlZbk8wRNIRk1V2rqndHhci9FVtFGGL6zndsQqUH4Oe0x5yLoYWu b90nMDuYfDBOcuxLueI5b9mH5FAJ47Lj3b6IcjEpPs2yat4LRT6SRjYxMpBGxMZL lVnuZi2lPMHuZjRNDavjjMje/BgB2ksV33M36W7Emq/utwmHBlH+hSCsSQUHuh9X EtStOvUklvQVrx5EfOLFak/qAGcjPXvYytAjMXNZqGrb29cP7POPWqGmlWUjN4vq AtmfSPJeUvtsdaGbAeF1 =d0P7 -----END PGP SIGNATURE----- --=_zucker.schokokeks.org-25646-1394655693-0001-2--