Article 16905 of alt.security:
Path: jac.zko.dec.com!crl.dec.com!crl.dec.com!bloom-beacon.mit.edu!news.tamu.edu!news.io.com!news.io.com!not-for-mail
From: dfloyd@io.com (Douglas R. Floyd)
Newsgroups: alt.security
Subject: Re: Zip - Secure
Date: 24 May 1995 02:15:11 -0500
Organization: Illuminati Online
Lines: 46
Message-ID: <3pumdv$koa@pentagon.io.com>
References: <3p9qh3$5ae@oveja.u-net.com> <2u1F6c2w165w@bif.com>
NNTP-Posting-Host: pentagon.io.com

In article <2u1F6c2w165w@bif.com>, A.Lizard wrote:
>olli@oja.u-net.com (olli) writes:
>
>> I've heard a lot of rumours flying around that pk-zip isn't very secure,
>> now so far no one has come up with anything, anyone on here know any
>> different..
>>
>> Olli.
>>
>
>The version 1.x PKZIP... I know of a password crack program for
>it. As for version 2.x, I'd be surprised if there wasn't one
>that works, unless provisions were made to put some sort of delay
>in the PKUNZIP code which would prevent more than 3 tries or less
>per second of different passwords... anybody know for sure?
>
>I've heard that the version 2.x PKZ packages are using some sort
>of DES based encryption, and are therefore more secure than the
>version 1.x packages.
>
>However, if you want reasonably secure protection, you might as
>well use PGP. Remember that if your intent is to send the files,
>you need a secure way to transmit the password, and if you've
>got one, why don't you use it to send the files? With PGP, you
>just send or post your public key.
>
>For one-way file encryption, simply use the IDEA encryption built
>into PGP. PGP has its own file compressor built in, or you can
>compress the .ZIP file.
>
> A.Lizard
>
> ***PGP 2.6.2 key available on request or via key server.***

Best of all, if one needs an archive utility that uses a decent
encryption algorithm, is to get HPACK. HPACK can be obtained from
ripem.msu.edu, and it supports a variety of encryptions, including
support of PGP public keys to encrypt the archive with.

If you don't want that, ZIP and PGP would be your best choice, like
A.Lizard has stated.

--
Douglas R. Floyd