vii
LIST OF FIGURES
Figure
Page
3.1 A RAR5 archive with packed size and compression information highlighted
18
4.1 Box Plot of the distributions of different file types. . . . . . . . . . . .
19
4.2 The original alice29.rar archive with the compression method circled and
the total file size inside the rectangle . . . . . . . . . . . . . . . . . . .
24
4.3 The modified alice29-prime.rar with the compression method circled and
the total file size inside the rectangle . . . . . . . . . . . . . . . . . . .
25
viii
ABSTRACT
Arthur-Durett, Kristine MS, Purdue University, December 2014. The weakness of
WinRAR encrypted archives to compression side-channel attacks. Major Professor:
Eugene Spafford.
This paper explores the security of WinRAR encrypted archives. Previous works
concerning potential attacks against encrypted archives are studied and evaluated for
practical implementation. These attacks include passive actions examining the effects
of compression ratios of archives and the files contained, the study of temporary ar
tifacts and active man-in-the-middle attacks on communication between individuals.
An extensive overview of the WinRAR software and the functions implemented within
it is presented to aid in understanding the intricacies of attacks against archives.
Several attacks are chosen from the literature to execute on WinRAR v5.10. Select
file types are identified through the examination of compression ratios. The appear
ance of a file in an archive is determined through both the appearance of substrings
in the known area of an archive and the comparison of compression ratios.
Finally, the author outlines a revised version of an attack that takes advantage
of the independence between the compression and encryption algorithms. While a
previous version of this attack only succeeded in removing the encryption from an
archive, the revised version is capable of fully recovering an original document from
a encrypted compressed archive. The advantages and shortcomings of these attacks
are discussed and some countermeasures are briefly mentioned.
1
1. INTRODUCTION
Malware droppers are Trojans used as container files to deliver files onto a destination
host computer [1]. In the field of digital forensics, a dropper may be implemented
to obscure data relevant to a crime. Additionally, individuals can use compressed
archives in corporate espionage cases where large amounts of data is removed from
a system. Compression software such as WinZip and WinRAR are popular choices
for concealing incriminating information. Both software packages offer encryption in
addition to data compression, which makes them ideal for these purposes.
The use of compression and encryption creates an issue for forensic investigators
who may need to access archived files for valuable information. Password search
attacks and dictionary attacks are commonly used methods to gain access to an
archived file. With some software packages, such as WinZip versions prior to 9.0,
the encryption function is weak to these attacks [2]. However, for passwords with
length longer than six characters, WinRAR appears secure [3]. Attacks against the
encryption itself, such as related-key attacks introduced by Biryukov et al, exist [4,5].
In an effort to provide knowledge about an archive’s content to investigators,
this paper will explore alternative attacks against the WinRAR software. These
include examination of side-channels and exploitation of the interaction between the
compression and encryption functions. While recovering the full contents of an archive
may not be possible with these attacks, the intention is to reveal information about
the contents. This may provide the knowledge that an investigator needs or assist in
determining whether password cracking efforts are worthwhile on an archive.
2
1.1 Related Work
Attacks against the encryption of an archive are a natural starting point to con
sider. The goal of attacks against the Advanced Encryption Standard (AES) is to
recover the key used in the algorithm. The key can then be used to decrypt the
contents of an encrypted file or message. There are a variety of methods, such as
Meet-in-the-Middle, differential or related-key attacks, that have been introduced to
discover the secret key.
Meet-in-the-Middle attacks require pairs of plaintexts and their corresponding
ciphertexts. The attacker will attempt to decrypt the ciphertext while simultaneously
encrypting the plaintext with the hope of finding a key that will cause these operations
to converge. Demirci and Sel¸cuk provide an outline to a Meet-in-the-Middle attack
on 8-round AES-256 [6]. This attack is shown to have complexity of 2
200
.
Another class of attacks are a form of differential analysis called impossible differ
entials. In contrast to the original differential attacks which look for characteristics
that hold true with a high probability, impossible differentials look for extremely
low-probability differentials. Once identified, these characteristics can be used to re
cover the key. Lu and Dunkelman introduce an impossible differential attacks that is
effective on 8-round AES with a complexity of 2
229.7
[7].
Finally, Biryukov introduces several variations of related-key attacks against AES
256 with considerable improvements in time complexity [4, 5, 8]. In the related-key
model, the attacker uses several keys with a known relation between them. When
these keys are used in the encryption function, the attacker is able to trace character
istics of the function induced by the relationship. From this, the key can be recovered.
Biryukov et al present a practical attack that is capable of recovering the key for a
9-round version of AES-256 in only 2
39
time [4]. Biryukov also presents a related-key
attack that works in conjunction with a boomerang attack to recover the key from
full 14-round AES-256 in 2
99.5
time [5].
Dostları ilə paylaş: |