BugTraq
PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) Mar 12 2014 08:20PM
Hanno Böck (hanno hboeck de)
PowerArchiver: Uses insecure legacy PKZIP encryption when AES is
selected (CVE-2014-2319)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2319
http://int21.de/cve/CVE-2014-2319-powerarchiver.html
http://www.powerarchiver.com/2014/03/12/powerarchiver-2013-14-02-05-rele
ased/

Background

ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz

Description

The compression tool PowerArchiver version 14.02.03 creates files with
an insecure encryption method even if the user selects a (secure) AES
encryption in the GUI.

If a user clicks on the "Encrypt Files" and selects "AES 256-bit" for
encryption, the outcoming file will not be AES-encrypted. It will
instead use the legacy PKZIP encryption, which uses a broken
encryption algorithm.

Note that there are different ways in PowerArchiver to create an
encrypted ZIP file, the issue only appears when using the "Encrypt
Files"-Button.

The PKZIP encryption has been broken by Biham/Kocher in 1994.

The vendor ConeXware has released version 14.02.05 which fixes the
issue. It also disables completely support for creating archives with
the broken legacy ZIP encryption.

Disclosure Timeline

2014-03-10: Issue found, vendor contacted
2014-03-10: Vendor replies, confirms issue
2014-03-12: Vendor publishes fixed version

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno (at) hboeck (dot) de [email concealed]
GPG: BBB51E42
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJTIMGpAAoJEKWIAHK7tR5CJp0P/3hY3okaVCOa2DsgAwg2Bff4
WxLAVxuFQQyW6/fyvX4uDtCyy/UvkY6pKuk0YH/3q0Gh+1BJEaQYAEjA5SEKg/EJ
XZ00Y4KTkLGmCd6PJYwQRlnKLdhm88GoSw2GV5aY5XCd/ZlLF0VLFNLgQir1WZN4
5cS+8Yjsv7NMQT3XFHBPEcRiOB+dVvWj41Xxmr89NuDePWqK0/oMouUQL9IT7CN4
NoXFH/rjRCe8AqHvfThpwwLvuOlGiyo7gilkxk8WTzL4EKH43CTMZ19P3NRrfaHV
jgVkOA7uwNrEQpUkkxjHVBjCkoQ2I0Q9aBPXkCSPqPzzXgj9/V74/tG3GXCnyjd5
SsrvyObe9cl2ClAraM1o+c25IE671qiErF7wcCl2YEjgc8woWm9bLOa20OuvM+Gf
I+hQH103R33nDlZbk8wRNIRk1V2rqndHhci9FVtFGGL6zndsQqUH4Oe0x5yLoYWu
b90nMDuYfDBOcuxLueI5b9mH5FAJ47Lj3b6IcjEpPs2yat4LRT6SRjYxMpBGxMZL
lVnuZi2lPMHuZjRNDavjjMje/BgB2ksV33M36W7Emq/utwmHBlH+hSCsSQUHuh9X
EtStOvUklvQVrx5EfOLFak/qAGcjPXvYytAjMXNZqGrb29cP7POPWqGmlWUjN4vq
AtmfSPJeUvtsdaGbAeF1
=d0P7
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus