Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden says, and he’s asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet.
“Many people incorrectly believe password-protected .zip files can protect sensitive data. Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools,” the Oregon Democrat writes in a letter obtained by CyberScoop. “This is because many of the software programs that create .zip files use weak encryption algorithms by default.”
Part of Wyden’s concerns stem from the fact that although there are two common types of encryption options available for .zip files, people may be using the weaker option without realizing it. Those files are more vulnerable to password crackers, Wyden says, such as Advanced Archive Password Recovery.
“Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed,” Wyden writes to NIST Director Walter G. Copan. NIST cybersecurity guidance — whether issued specifically for federal networks or the public in general — is highly influential, so any action by the agency would potentially have an effect on security practices nationwide.
“The government must ensure that federal workers have the tools and training they need to safely share sensitive data,” Wyden writes.
Of the two common forms of .zip encryption — Zip 2.0 legacy encryption and Advanced Encryption Standard — the AES is generally understood to be stronger. But there are numerous pieces of software available for creating .zip files, and users might not be aware of which encryption standard their app uses. Even if users are taking advantage of AES, there are varying levels of it, depending on the size of the keys used to encrypt data. The 256-bit AES version is generally understood to be stronger than the 128-bit AES version, for example.
Also, in most cases, the only protection for a .zip file is the password itself, notes Dave Kennedy, founder of cybersecurity company TrustedSec. A second layer of user verification isn’t really available.
“Unlike other password technologies, zip files in general do not support two-factor authentication and are subject to the same types of attacks as other password systems,” Kennedy says.
Kennedy, a former analyst at the National Security Agency, told CyberScoop that in security tests for customers, his company has an 87 percent success rate in cracking zip files within a few hours and a 97 percent success rate within a week.
NIST has engaged in .zip file security standards before. The AES came to be as a result a 1997 NIST competition, which was kicked off in part because the Data Encryption Standard, then two decades old, “was growing vulnerable in the face of advances in cryptanalysis and the exponential growth in computing power.” AES has since been adopted as a Federal Information Processing Standard.
A NIST spokesperson said the agency is reviewing the letter and will respond to Wyden directly.
Sean Lyngaas contributed to this story.