Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
CNS 378
While remaining politically neutral is one of the fundamental tenets of the educational
system, the Internet has permeated even this stereotypically geriatric arena. Technological issues
are the hot-button topics of this election, and are present regardless of political leaning. The
Democrats use e-mail, the Republicans use e-mail, and the Independents use email; e-mail has
become as much a part of societal operation as face-to-face communication, postal mail, and the
telephone.
The problem is that the information being stored and transmitted has not been protected,
an issue found on almost every computer and network across the globe. Generally, this does not
present a problem, but people began using free Yahoo! e-mail accounts to conduct official
government business. While this is nothing short of offensive, it presents a picture perfect
a very larger puzzle. There are a number of options available for public-key encryption of e-
mail: PGP, GPG, etc. As opposed to discussing these types of encryption, a more available,
user-friendly method will be discussed. In order to investigate this issue, the program WinZip
WinZip is the industry leader in file compression software, and is responsible for the
proliferation of the popular .zip file extension. More importantly, the software is available for
download and includes all options during the trial period. The ease of acquisition and the
1|P age
company's vast resources allowed WinZip to integrate a very important aspect into newer
versions of the program, encryption based on Dr. Brian Gladman's AES encryption schema [1].
WinZip encrypts these files using the U.S. Government's National Institute of Science
and Technology (NIST) Advanced Encryption Standard (AES), and is FIPS-197 Certified [6].
Additionally, WinZip supports AES encryption in both the 125-bit and 256-bit flavors. In order
to fully appreciate the significance of WinZip encryption, AES as an encryption scheme must be
investigated.
While the FIPS-197 Certification Document [4] proves an invaluable resource in regards
to the actual operation of AES, it describes concepts to an almost obtuse mathematical extent. In
light of this, Wikipedia [2] was also used a reference because it presents a more digestible
perspective about the encryption. These sources provide the background for the following
fixed array of bytes called the "State." The cipher goes through a number of steps to encrypt the
plain-text to cipher-text, and then reverses this process to decrypt the information. The AES
encryption scheme has a number of steps that are described in the following paragraphs.
The four primary steps of the AES encryption scheme are as follows: Key Expansion,
Initial Round, Rounds, and Final Round. AES, like most other ciphers uses a key schedule to
create the encryption key. In the case of AES, this Key Expansion step expands a short-key to a
series of round keys, which will be used later. During the Initial Round step, the AddRoundKey
operation is performed, which derives a subkey from the key schedule and combines it with the
"State."
2|P age
The Rounds phase is next and is composed of a number of sub-phases: SubBytes,
ShiftRows, MixColumns, and another AddRoundKey. The SubBytes step linearly replaces bytes
based on the lookup table. The ShiftRows operation transposes "State" rows by shifting them
cyclically. Next, the MixColumns step mixes "State" columns to combine the four bytes.
Finally, another AddRoundKey operation is performed as described above. The final phase of
AES encryption is appropriately titled the Final Round, and utilizes all steps of the Rounds phase
As previously discussed, AES is provided in two easy to digest flavors; the extremely
powerful 125-bit version and the more robust 256-bit version. The 256-bit AES encryption
scheme has not been broken and is certified for NSA "Top Secret" level government documents,
but even the 128-bit version of the scheme is incredibly difficult to crack [2]. The development
team from AES described this in the original specifications document when they wrote,
"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255
keys per second), then it would take that machine approximately 149 thousand-billion (149
trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to
be less than 20 billion years old" [3]. Obviously, it is quite a tall order to brute-force crack even
WinZip uses the AES encryption scheme to make the content of encrypted files
inaccessible without the appropriate password. WinZip does this in a way the developers
describe as, "AES-encrypted files are stored within the guidelines of the standard Zip file format
using only a new 'extra data' field, a new compression method code, and a value in the CRC field
dependant on the encryption version. The basic Zip file format is otherwise unchanged" [6].
Essentially, additional information is being added into the header and the CRC, but the .zip file
3|P age
format remains unaltered. This is important because it would otherwise affect the compatibility
with different versions of the program. If the fundamental operations of the .zip format were
WinZip obviously utilizes a very robust encryption scheme, with little or no detriment to
the original file format. If this encryption is so powerful, how easy could it possibly be to use?
WinZip encryption requires no more than nine mouse clicks from the end user. Select the files to
be encrypted, right-click and select WinZip "Add to Archive." The user then selects "Encrypt
Added Files" and types in an archive name. After clicking "Add," WinZip will prompt the user
for the desired encryption type and the password for the file. Two more clicks complete the
operation and the final step is to close the encrypted archive file.
There are a number of possible uses for encryption of this type. Storage of encrypted
information is the first and most relevant of these options. Protection of information from prying
eyes on a local or wide area network is something that is dealt with on a regular basis. As
opposed to something like TrueCrypt which requires a more advanced user, WinZip is easy to
transmitted over the Internet. A file can be encrypted with WinZip and sent to the recipient as an
e-mail attachment. The file can then only be decoded by a trusted party, something that would
most certainly have prevented certain aforementioned political scandal. Unlike certain command
line e-mail encryption suites (GnuPG), this technique requires only knowledge of WinZip and
how to attach a file to an e-mail. In addition to this, there does not need to be a discussion about
the proliferation of a public key and how it differs from a private key with the user.
4|P age
WinZip isn't all sunshine and butterflies, because the encryption method is not without its
caveats. In the case of email, all information that will be encrypted needs to be added to the
email in the form of attachments. This may not be a significant amount of work, but it is
additional work nonetheless. The recipient also needs to have a copy of WinZip 10.0+ in order
to be able to decrypt the compressed file. Regardless of the proposed application of WinZip
encryption, the titles of the files are also still visible without having to enter the file password.
The contents of the files themselves are not accessible without the password, but the titles need
The final caveat of the entire scheme lies, much like many other systems, in the password
for the encrypted file itself. In order for this type of encryption to be effective, the password
must not be easily brute-forced. This generally means that the password is long and composed
of characters that make it difficult to remember. The password also needs to be transmitted from
the sender to the receiver in order for the information to be accessed, one of the fundamental
downfalls of private-key encryption. Essentially, two transactions are being performed. The
In an age where information is power and Google rules the world, encryption is no longer
an option, it is a necessity. The attention spans of the general population are measured in
powerful and also relevant, it must be protected from those who should not have access to it.
When an encryption tool as powerful as WinZip is so accessible and easy to use, the question it
elicits changes. It is no longer a question of if it should be used, but why wouldn't it be used? If
this question was properly answered by the politicians, no one would be inundated with news
5|P age
References
<http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf>.
[1] A Secure File Encryption Utility. 10 May 2007. Dr. Brian Gladman. 29 October 2008
<http://fp.gladman.plus.com/index.htm>.
<http://en.wikipedia.org/wiki/Advanced_Encryption_Standard>.
[3] CSRC - Cryptographic Toolkit. 2 October 2000. National Institute of Standards and Technology. 30
[4] Fips-197. 26 November 2001. National Institute of Standards and Technology. 30 October 2008
<http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.
[5] WinZip - AES Coding Tips For Developers. 21 July 2008. WinZip. 25 October 2008
<http://www.WinZip.com/aes_tips.htm>.
[6] WinZip - AES Encryption Information. November 2006. WinZip. 25 October 2008 2006
<http://www.WinZip.com/aes_info.htm>.
[7] WinZip - The Zip File Utility For Windows. November 2006. WinZip. 25 October 2008 2006
<http://www.WinZip.com/powertips.htm#encrypt>.
6|P age