So I wanted to encrypt some files. Thought about using 7z+password. Stackexchange folks said "Didn't review it but it should be fine. You can browse the code yourself". So I did. After a few mins I noticed they use 8byte "random" IV. Yes, half of IV is zeroes. But it gets worse.— Michal Stanek @ 36c3 (@3lbios) January 22, 2019
Insecure AES crypto implementation in 7zip found by user
It was a magical moment when I learned about compression. It was early 2000, and someone enchanted me by nothing but zipping handful of files to carry inside a 3.5 inch floppy which was not possible earlier. ?
Later on, I stumbled on ripping audio CDs and DVD movies. I was circling around the amazing power compression techniques which was also helpful for getting scene ripped games.
With the rapid development on free and open source front, 7-Zip (also written as 7zip or Sevenzip) started to shine. The developer, Igor Pavlov is also behind the superior LZMA for data compression which is the basis of 7-Zip’s native 7z format.
The 7z format is open and modular, similar to other popular archive formats like tar. With built-in AES-256 encryption support, people often use it for quick encrypted archiving. A dramatic twist in events: the AES implementation in 7z format is accused of not complying crypto standards.
Michal Stanek / @3lbios, a programmer casually started to audit the codebase after planning to encrypt some files. He was astonished to notice that initialization vector generating algorithm was written very poorly.
The random generator functions also do not rely on operating system provided standard libraries, but falls back to extremely naive internal implementations.
Yes, it uses PID and time(null) as seed. Yes, this is 7zip's random generation code running on your computers in 2019. More "cursed" code below. #7zip #encryption #facepalm #randomness #entropy #RNG #crypto #cryptofail pic.twitter.com/ntwYPKZgFW— Michal Stanek @ 36c3 (@3lbios) January 22, 2019
Michal quickly submitted the bug to the issue tracker of 7-Zip, along with possible fixes.
Hi, I was reading the code for 7z encryption and saw that it’s using a poor RNG for AES IV generation. What’s more, the IV seems to be only 8 bytes instead of the full 16 (half of it is always 0). This is a problem as the guarantee of AES-CBC security is a 128-bit IV that is truly random i.e. derived from a cryptographic PRNG.
Otherwise it resembles ECB for the first AES block and it might be easier to detect same block of plaintext in two ciphertexts. It may also decrease overall AES-CBC security.
It should be easy to fix, by setting iv_size to 16 instead of 8, removing the current RNG and using the one supplied by the OS, guaranteed to be a cryptographic PRNG.
For end users, no – ‘hackers’ still can’t magically break through your password protected 7z files (unless you’re still using one of these). Yes, the current implementation may partially reduce the strength of AES, but ‘cracking’ it is another story.
Besides, the key derivation function is very similar to RAR one, and uses more than 130000 SHA-256 transformations and brute force rate on modern CPU is very low, only several hundreds of passwords per second.
The cryptography enthusiasts found the situation interesting, and expressed their views.
Igor, the developer of 7Zip, hasn’t left any comment on the issue so far.
PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.