Why a ZIP file can be decrypted with two different passwords?

You may have read this post in bleepingcomputer.com website, which is stating that a password-protected ZIP archive can be decrypted with two different passwords. That is true: as the article explains, you can decrypt files from a ZIP archive by using the SHA-1 hash of the password used to encrypt the compressed files; however, i order to make this happen, there must be the following conditions:

1. the ZIP archive must be encrypted with the AES-256 encryption algorithm;
2. the password must be long.

The two conditions are connected: if you try to encrypt a ZIP archive with the mentioned algorithm and you type a long password (more than 20 characters), the ZIP format enables the PBKDF2 algorithm that works this way:

1. The long password is hashed using SHA-1 to get 160 bits long output;
2. the output of the hashing process becomes the true password of the archive.

It doesn’t matter if you type a 2000 characters password: it will always be reduced to a 20 characters long string. If you know the password, you could calculate its SHA-1 hash and just use that to decrypt the archive.

Please note, as the researcher told, this is not a security flaw, just because you would need to know the original password, so the entire process explained above is quite useless.

What really worry us is that in 2022 ZIP format is still using SHA-1, a hashing algorithm that now is deprecated because it’s subject to “collision attacks” – see the explanation here. An attacker could forge a SHA-1 hash that matches the one that could decrypt the files. It’s just a hypothesis but it’s not a remote chance to meet such attack.

Beside all these considerations, we must say it once for all: ZIP format has great problems with encryption.

The original encryption algorithm designed by PKWARE – usually called as “ZipCrypto” – was based on CRC calculations, so that an attacker would need just a small portion of the file header to decode the password used using a dictionary-based attack.

Later, the ZIP format was updated with WinZip’s AES-128 and AES-256 implementations: the files started to be encrypted with a very solid algorithm (even today) and these encryption schemes made their way into the ZIP format standard, but that was the last update to the encryption features of this format – see here. However, AES-256 in ZIP format gets initialized with a SHA-1 hashed password, as explained above.

So, how can users protect their compressed files?

We made ZipGenius and we’re telling it loudly: don’t use ZIP embedded encryption features! No one, including AES ones. You’d better use a true encryption tool like our Czip X, which puts a ZIP file into a secure “container” because it uses better algorithms, TwoFish, Blowfish and AES, plus a better passphrase hashing algorithm, SHAKE, which derives directly from the stronger SHA-3 algorithm.