A Known Plaintext Attack on the PKZIP Stream Cipher

Table 3. Complexity of the attack by the size of the known plaintext and any other le which is encrypted by the same key. This known plaintext attack breaks the cipher using 40 (compressed) known plaintext bytes, or about the 200 rst uncompressed bytes (if the le is compressed), with complexity 2 34. Using about 10000 known plaintext bytes, the complexity is reduced to about 2 27. Table 3 describes the complexity of the attack for various sizes of known plaintext. The original key (password) can be constructed from the internal representation. An implementation of this attack in software was applied against the PKZIP cipher contest. It found the key \f7 30 69 89 77 b1 20" (in hexadecimal) within a few hours on a personal computer. A variant of the attack requires only 13 known plaintext bytes, in price of a higher complexity 2 38. Since the last two bytes (one in version 2.04g) of the 12 prepended bytes are always known, if the known plaintext portion of the le is in its beginning, the attack requires only 11 (12) known plaintext bytes of the compressed le. (In version 1.10 several additional prepended bytes might be predictable, thus the attack might actually require even fewer known plaintext bytes.) We conclude that the PKZIP cipher is weak and that it should not be used to protect valuable information. References 1. PKWARE, Inc., General Format of a ZIP File, technical note, included in PKZIP 1.10 distribution (pkz110.exe: le appnote.txt). Table 2. Complexity of nding the key itself 3.6 The Key (Password) The internal representation of the key suuces to break the cipher. However, we can go even further and nd the key itself from this internal representation with the complexities summarized in Table 2. The algorithm tries all key lengths 0, 1, 2, : : : , up to some maximal length; for each key length it does as described in the following paragraphs. For l 4 it knows key0 1?l and key0 1. Only l 4 key bytes are entered to the crc32 calculations that update key0 1?l into key0 1. Crc32 is a linear function, and these l 4 key bytes can be recovered, just as key0 n , : : : , key0 n?3 recovered above. Given the l key bytes, we reconstruct the internal representation, and verify that we get key1 1 and key2 1 as expected …