"Bakko" <bakko@nomail.invalid> wrote in message
news:Xns9A16B548F71F064A18E@0.0.0.0...
> On Sun 30 Dec 2007 09:41:20, VanguardLH wrote:
>> "Bakko" <duff@nomail.invalid> wrote in message
>>>
>>>
>>> I am thinking of using Winzip 11 to send some files securely and
>>> will use Winzip's 256bit-AES encryption.
>>>
>>> My recipients may not have Winzip, so I will use Winzip to make a
>>> self-extracting archive.
>>>
>>> Would a 256bit-AES self-extracting archive with be more crackable
>>> than a 256bit-AES ordinary zip archive?
>>>
>>
>> So how are you going to transmit the password for the recipient to
>> decrypt the file that would be just as secure as the encrypted
>> file? Since it sounds like you will be sending the file via e-mail
>> to the "recipients", have them get an e-mail cert, they send you
>> their public key, you use it to encrypt your file, and only they
>> can decrypt it using their private key. Otherwise, are you going
>> to send them the password in the clear in the same e-mail as has
>> the attached encrypted email? Are you going to send the password
>> in a different email despite the same malcontent that is sniffing
>> your traffic to get the encrypted attachment would also be sniffing
>> it for another email with the password? Call them over an
>> unencrypted phone call? If you password encrypt the file, just how
>> are you going to get the password to the recipient?
>
>
> Hello VanguardLH, I wrote "recipients" (in the plural) because this
> requirement comes up time and again with different people. But I'm
> NOT sending the same file to a group of recipients. There is just
> one recipient at a time.
>
> The reason for securing the archive contents is that the data will
> be
> sent on a CD and put into normal snail mail.
>
> Although the data is sensitive it has no real value. The data is a
> bit like someone's medical data. No one else has any use for it.
> But if gets lost in the post then it will be very embarassing for
> the
> person concerned!
>
> I will phone the recipient with the password because the chance
> seems
> vanishingly small of someone eavesdropping on my phone line for the
> password to that sort of data.
>
> My concern is that if the CD gets lost then maybe someone could
> crack
> open the data if they were inquisitive?
>
> That's why I want a very high level of data encryption. My question
> to the group is if a high level of encryption is used (like AES-256)
> as part of a SELF-EXTRACTING file then does the encryption provided
> by AES-256 get compromised?
>
> Do you have any info on this?


Unless the NSA has you targeted, it is near impossible for any normal
user, even a hacker, to get at the contents of your encrypted .zip
file. For NSA, you'll probably expire when they crack it. I'm sure
there is a site somewhere that gives estimates of how long to crack
every possible combination for the different seeds and their lengths
that you could specify based on computer equipment that could handle
so many attempts per second but it's nothing of interest to me so I
can't give you one which means you'll have to Google for it. Remember
that when estimates are given as to how long it takes to crack an
encrypted file that it is an average, not for exercising all possible
combinations, and could even be cracked on the first combination.

A lot has to do with how strong you make the password used for the
seed in the encryption. Obviously if you used the recipient's name
that is listed on the envelope containing the shipped CD then it would
be pretty easy to crack that CD. Using their patient record, driver's
license, home street address, phone number, social security number,
and any other personal info that was associated to that recipient
would also be poor choices since someone else could obtain that info
and use it to decrypt the file. You really should use a random series
of alphanumeric characters (along with some non-alphanumeric
characters if the program permits them). If an attacker is getting in
within a time frame where the data still has some value to the
attacker then they are going to go with using all the personal info as
the password as they can dig up on the recipient or owner of that
file.