Utility to open WINZIP with AES encryption

Is there a free utility which recipients of a ZIP archive can get to do no more than extract the files from AES-encrypted ZIPs?

-------

I use Winzip Pro 10.0.6698 and create standard archives with a ZIP file extension which I send as an email attachment. I do not create self-extracting EXE files as many company firewalls block EXEs attached to emails.

For sensitive data, I use either 128-bit AES or 256-bit AES encryption in Winzip.

When my recipients do not have Winzip they find they cannot open the AES-encrypted zip file. How do I get around this? Is there a free utility which recipients can obtain in order to only extract files from my AES-encrypted ZIPs?

Reply to
One-o

Of course, in terms of encryption this would be utterly stupid.

Nah, can't be that sensitive.

7-Zip does so. But please, stop calling the files ZIP files. This name is commonly reserved for RFC-conformant PKZIP 2.x compatible files.
Reply to
Sebastian Gottschalk

Please explain what you mean.

Actually it is.

7-Zip does not open AES-encrypted files created by Winzip which is what I am looking for. Try it and see.

Winzip creates its archive files with the ZIP extension and that is what I am referring to. I don't control what Winzip chooses to use as an extension. I just refer to it.

It sounds as if you may be bringing here a point about "ZIP" you could be better off making direct to the authors of Winzip.

Reply to
one-o

Presume an attacker who has the capability to change the file. He attaches his own payload, which captures the password, unpacks the content and modifies the target system to report this file without the payload, then sends out the captured password.

No, it isn't, because the implementation in WinZip is well-known to be broken. Thus, you might leak some data.

Tried, saw and found it working.

D'Oh! That doesn't make it a ZIP file. Just like renaming a .TXT file to .AVI doesn't convert it to an AVI video.

The format, thus the real content that decides whether people can actually use it, is described in RFC 1951, 1952 and the PKZIP specification. The WinZip 9.0 AES-encrypted stuff is a proprietary and non-compatible thing, thus you should even be happy that people tolerate the .ZIP file extension on it and actually wrote a free implementation for it.
Reply to
Sebastian Gottschalk
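
Added example (not part of any post in this thread): a Python check that reports which entries in an archive use WinZip's AES extension, which is what decides whether a recipient's unzip tool can extract them. It relies on WinZip's published format details (compression method 99 plus extra field 0x9901); the function names and the sample entry are constructed for illustration.

```python
import struct
import zipfile

WINZIP_AES_METHOD = 99        # compression method value WinZip stores for AES entries
WINZIP_AES_EXTRA_ID = 0x9901  # extra-field header ID carrying the AES parameters
KEY_BITS = {1: 128, 2: 192, 3: 256}

def parse_aes_extra(extra):
    """Walk the extra-field records; return the AES parameters or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if len(body) < size:
            break  # truncated record: stop instead of reading past the end
        if header_id == WINZIP_AES_EXTRA_ID and size >= 7:
            version, vendor, strength, method = struct.unpack_from("<H2sBH", body)
            return {
                "ae_version": version,    # 1 = AE-1, 2 = AE-2
                "vendor": vendor.decode("ascii", "replace"),
                "key_bits": KEY_BITS.get(strength),
                "inner_method": method,   # real compression, e.g. 8 = deflate
            }
        pos += 4 + size
    return None

def classify(zinfo):
    """Return 'winzip-aes', 'encrypted-other' or 'plain' for a zipfile.ZipInfo."""
    if zinfo.compress_type == WINZIP_AES_METHOD and parse_aes_extra(zinfo.extra):
        return "winzip-aes"
    if zinfo.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
        return "encrypted-other"
    return "plain"

def report(archive):
    """archive: path or file object. Returns [(name, kind, aes_params), ...]."""
    with zipfile.ZipFile(archive) as zf:  # listing works even if extraction would not
        return [(zi.filename, classify(zi), parse_aes_extra(zi.extra))
                for zi in zf.infolist()]

def sample_entry():
    """Constructed sample: metadata of an AE-2, 256-bit, deflated entry."""
    zi = zipfile.ZipInfo("report.xls")
    zi.compress_type = WINZIP_AES_METHOD
    zi.flag_bits = 0x1
    zi.extra = struct.pack("<HHH2sBH", WINZIP_AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    return zi
```

Running `report()` on an archive before sending it shows whether the recipient needs a tool that implements the WinZip AES extension or whether any PKZIP 2.x compatible extractor will do.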

"One-o" <one-o@nomail.invalid> wrote in message news:Xns98DDEF5048A6364A18E@127.0.0.1...
> Is there a free utility which recipients of a ZIP archive can get to do
> no more than extract the files from AES-encrypted ZIPs?

Ask in news:alt.comp.freeware

Reply to
Alan Illeman

Actually according to NIST WinZip's AES implementation is FIPS 192 certified:

formatting link

Reply to
kingthorin

Doh made a typo, that should say FIPS 197.

Reply to
kingthorin

I wonder if Sebastian is going to reply?

Reply to
Zak

Eh... why should I? The evaluation says nothing about the implementation of the storage format. And I guess you can use Google yourself to find the details on the vulnerabilities of this implementation.

Reply to
Sebastian Gottschalk

Well you did so why are you asking us?

Did a quick google, there were some articles from early'ish in 2006 and older. All of the issues I could find seem to have been addressed by WinZip Computing. I suppose there may be an issue if one party is using an older version of the software... but that's true of any software. If we suggest people not use software because it's had bugs or vulnerabilities in the past then we'd be hard pressed to suggest any software package to anyone (there's no such thing as bug free software).

Reply to
kingthorin

Oh, they now got competent? And even searched for further potential vulnerabilities? Doubtful, very doubtful. (Well, can't expect much from closed source crypto..)

Well, that depends on the numbers, the impact and the complexity of the bugs. Being too stupid to apply a simple block cipher to a linear format and then leaking information in multiple ways has a tremendous impact and is so laughably trivial that one should wonder how anyone could f*ck it up so hefty. Why should one ever trust this vendor again when it comes to crypto?

Reply to
Sebastian Gottschalk
