A client says they can’t accept password-protected PDFs to put in their payroll system, so I have to send them without security. I don’t want to send unsecured PDFs via e-mail because e-mail is inherently insecure. I figured a good alternative was, instead of password-protecting each PDF, to encrypt the containing folder with 7ZIP, which I got from https://www.7-zip.org/. You can see the encryption box at the bottom-right:
At first I was optimistic about this option, but a quick Google search led me to articles such as this one, where apparently there are easy-to-find tools such as 7z Cracker:
“7z Cracker is an opensource cracking tool which can extract any password protected 7zip file”.
I also found this answer in this forum that talks about John The Ripper:
“John The Ripper can crack these AES-256 encrypted archives.”
Does this mean that 7ZIP encryption is basically useless? Are these password crackers effective at circumventing this security measure? Secondly, are password-protected PDFs also this easy to break into?
TL;DR: You are fine, generate a long password (60+ chars), send the file by mail and the password by SMS, fax, snail-mail or phone call.
Does this mean that 7ZIP encryption is basically useless?
Short answer: No.
Long answer: It depends on the password.
A password cracker just tries passwords over and over again, either by trying all words on a dictionary (a very large file filled with words), or by trying all possible combinations. Given enough time, every password can be broken. But sometimes the Universe itself won’t exist long enough for that.
Are these password crackers effective at circumventing this security measure?
Yes, if your password is trivial, or if someone ever used it somewhere. Passwords must be unique. So generate a password, don’t choose one. And while you are generating the password, create a 64-byte password and you don’t need to worry for a couple thousand millennia.
But the password must be sent by another medium. Sending an AES-CBC encrypted file with a 120-byte password is useless if the password is in the body of the email. So send the file by email, and the password by SMS, Signal message, fax, or any other medium.
Secondly, are password-protected PDFs also this easy to break into?
If “easy” is just downloading a program and running it, yes, it’s that easy. But if “easy” is actually breaking the password, it will depend entirely on the password. That 64-byte auto generated password is as close to impossible as it could be.
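The advice in this answer (generate rather than choose, make it long, check it is not a known password) can be shown concretely. The following is an added example, not code from the question or this answer: it generates a password with Python's CSPRNG-backed `secrets` module, computes its entropy, estimates the worst-case time to exhaust that keyspace at a given guess rate, and checks a candidate against a small constructed wordlist standing in for a real leaked-password list. The alphabet, the wordlist contents and the guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: an alphabet of letters, digits and a few punctuation characters
# that survive copy/paste and SMS transport without being mangled.
ALPHABET = string.ascii_letters + string.digits + "-_.!"

# Constructed stand-in for a leaked-password list (real lists have billions
# of entries); a dictionary cracker tries exactly these before anything else.
LEAKED_WORDLIST = {"password", "123456", "payroll2023", "letmein", "qwerty"}


def generate_password(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password; `secrets` uses the OS CSPRNG,
    unlike `random.choice`, which is predictable and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this entropy at the given rate.
    An attacker expects to succeed after about half of this on average."""
    return 2.0 ** bits / guesses_per_second


def is_weak(password: str, wordlist=LEAKED_WORDLIST, min_length: int = 20) -> bool:
    """A password is weak if it (or its lowercase form) is on a leaked list,
    or if it is too short to resist exhaustive search regardless of content."""
    return password.lower() in wordlist or len(password) < min_length


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    # Assumed attacker rate: 1e9 guesses/s (far above what a slow KDF allows).
    years = seconds_to_exhaust(bits, 1e9) / (365.25 * 86400)
    print(f"password: {pw}")
    print(f"entropy: {bits:.1f} bits, worst-case search at 1e9/s: {years:.3e} years")
    print("weak:", is_weak(pw), "| 'payroll2023' weak:", is_weak("payroll2023"))
```

The generated string is what goes into the 7-Zip password box; it travels to the recipient over a second channel, never in the same e-mail as the archive.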
7zip is secure since it uses AES-256 in CBC mode that can provide CPA security and there is no problem there. Keep in mind that CBC has no integrity and authentication. The real problem comes from the human side; the password!
7zip uses 2^19-times iterated SHA256 to derive the AES-256 key from passwords. SHA256 is not a memory-hard function and therefore this is not safe from massive parallelization. The collaborative power of Bitcoin miners can reach around 2^92 double SHA256 in a year. A single Nvidia RTX 390 can calculate 9502.7 MH/s… Therefore one needs a really good password mechanism to be secure from the password list/guess/search attacks.
- A password with high entropy, like one generated from diceware, is recommended (XKCD).
- Use a password manager like keepass that handles this for you.
Additionally, you need to transfer the password to the other party; this means that you need a secure channel to do this. A Signal program is a good candidate, or you can go for Diffie-Hellman Key Exchange (DHKE), better its elliptic-curve version (ECDH), to establish a key, and then use a key derivation function to derive a long password.
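To make the work-factor argument of this answer concrete, here is an added example (not code from the answer or from the 7-Zip project) that implements a password-to-key derivation modelled on the 2^19-times iterated SHA-256 the answer describes, and then turns a raw SHA-256 hash rate into a password-guess rate and a time-to-exhaust estimate. The exact input layout per iteration (UTF-16LE password, optional salt, 8-byte little-endian counter, all fed into one SHA-256 context) is my reading of the 7-Zip source and should be treated as an assumption; the hash rates used in `main` are the figures quoted in the answer.

```python
import hashlib
import math
import struct

NUM_CYCLES_POWER = 19  # 2**19 SHA-256 iterations per password guess (from the answer)


def derive_key_7z_style(password: str, salt: bytes = b"",
                        cycles_power: int = NUM_CYCLES_POWER) -> bytes:
    """Derive a 256-bit key by iterating SHA-256 2**cycles_power times.

    Assumption (my reading of 7-Zip's 7zAes code, not confirmed by the page):
    for i in 0 .. 2**cycles_power - 1, salt || password(UTF-16LE) || i as an
    8-byte little-endian integer is appended to a single SHA-256 context, and
    the final digest is the AES-256 key. The cost an attacker pays per guess is
    therefore roughly 2**cycles_power compression-function calls.
    """
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for i in range(1 << cycles_power):
        h.update(salt)
        h.update(pw)
        h.update(struct.pack("<Q", i))
    return h.digest()


def guesses_per_second(sha256_per_second: float,
                       cycles_power: int = NUM_CYCLES_POWER) -> float:
    """Password guesses per second an attacker gets from a raw SHA-256 rate:
    each guess burns 2**cycles_power hashes, so the guess rate is that much lower."""
    return sha256_per_second / (1 << cycles_power)


def seconds_to_exhaust(entropy_bits: float, sha256_per_second: float,
                       cycles_power: int = NUM_CYCLES_POWER) -> float:
    """Worst-case seconds to try every password with the given entropy."""
    return 2.0 ** entropy_bits / guesses_per_second(sha256_per_second, cycles_power)


def years_to_exhaust(entropy_bits: float, sha256_per_second: float,
                     cycles_power: int = NUM_CYCLES_POWER) -> float:
    return seconds_to_exhaust(entropy_bits, sha256_per_second, cycles_power) / (365.25 * 86400)


if __name__ == "__main__":
    # Same password, same salt => same key; the derivation is deterministic.
    key = derive_key_7z_style("correct horse battery staple", salt=b"\x01" * 8)
    print("derived key:", key.hex())

    # Rates quoted in the answer: one GPU at 9502.7 MH/s, and ~2**92 hashes/year
    # from the whole Bitcoin network (converted to per-second below).
    gpu_rate = 9502.7e6
    bitcoin_rate = 2.0 ** 92 / (365.25 * 86400)
    for label, bits in [("8 lowercase letters", 8 * math.log2(26)),
                        ("20 chars from 66-symbol alphabet", 20 * math.log2(66)),
                        ("6 diceware words", 6 * math.log2(7776))]:
        print(f"{label:34s} {bits:6.1f} bits | GPU: {years_to_exhaust(bits, gpu_rate):.2e} y"
              f" | Bitcoin-scale: {years_to_exhaust(bits, bitcoin_rate):.2e} y")
```

The first row of the table is the point of the answer: the iteration count slows a single GPU down to roughly eighteen thousand guesses per second, which still exhausts eight lowercase letters in minutes, while a generated 20-character or six-word password is out of reach even at Bitcoin-network scale. The iteration count buys a constant factor; the entropy of the password is what buys the exponent.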
The information that you are seeing may be referring to known bugs that were reported in 2019 concerning weak random number generation, and a flaw in the way that the IV is generated, in versions of 7zip at that time:
It seems that these bugs have been fixed in later versions of 7zip, so if you are using a current version of 7zip, then this no longer applies.
Password crackers are basically programs that take a massive password list and bruteforce the zip file in hopes of getting a positive hit (right password).
A quick fix is to just set up a strong password that has a high probability of not being in a password list (recommended: use a random password generator with min. 20 characters, alphanumeric, upper and lower case, symbols, etc.).
There are of course other types of crackers that generate all possible combinations from A to Z, but that would take millions of years to crack.
EDIT: As for PDFs, I assume there are no vulnerabilities present that will enable a threat actor to decrypt the file. Follow the password protocol I mentioned above and you’ll be fine. I’m not a professional in this, so if anyone knows stuff about hacking/decrypting PDFs, please let me know; I’m curious.