CERIAS Tech Report 2015-01
The Weakness of WinRAR Encrypted Archives to Compression Side-channel Attacks
by Kristine Arthur-Durett
Center for Education and Research in Information Assurance and Security
Purdue University, West Lafayette, IN 47907-2086
A Dissertation
Submitted to the Faculty of Purdue University
by Kristine Arthur-Durett
In Partial Fulfillment of the Requirements for the Degree of Master of Science
December 2014
Purdue University
West Lafayette, Indiana
I would like to dedicate this work to my husband, James, and our children Maeke’a
and Henry for their love, patience and support.
ACKNOWLEDGMENTS
I would first like to express my gratitude to the members of my committee for
providing me with guidance throughout the process of developing my thesis. In
particular, I would like to thank Dr. Eugene Spafford for introducing me to the
problem within and providing me with resources to begin my research. I extend
warm thanks to Dr. Melissa Dark for introducing me to the field of Information
Security and providing support and advice throughout my time in the program. I
would like to thank Dr. Samuel Wagstaff for his insightful recommendations as well
as providing me with the foundational knowledge that I needed. I would also like to
extend acknowledgement of Special Agent Michael Alford’s contributions in providing
information regarding practical issues and current methods in the problem space.
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT
1 INTRODUCTION
    1.1 Related Work
2 WINRAR
    2.1 WinRAR v5.0
    2.2 WinRAR encryption
    2.3 WinRAR compression
        2.3.1 LZSS
        2.3.2 PPMII
        2.3.3 Intel IA-32
        2.3.4 Delta encoding
3 METHODS
    3.1 Compression ratios
    3.2 File detection
    3.3 Man-in-the-Middle attack
        3.3.1 RAR5 file header
4 RESULTS
    4.1 Compression ratios
    4.2 File detection
        4.2.1 Appearance of substrings
        4.2.2 Difference of ratios
        4.2.3 Man-in-the-Middle
5 SUMMARY
        5.0.4 Discussion
        5.0.5 Countermeasures
        5.0.6 Conclusion and open questions
REFERENCES
A Compression Corpa
B RAR file header
LIST OF TABLES
3.1 Sample of compression ratio data.
3.2 Number of repetitions of text strings of indicated length.
4.1 Descriptive statistics for compression ratio data
4.2 ANOVA table for comparing compression ratios of different file types
4.3 Tukey’s comparison of treatment means
4.4 95% Confidence Intervals for different file type compression ratios
4.5 SAS output of correlation between size and appearance of substrings where the file is present
4.6 SAS output of correlation between size and appearance of substrings where the file is not present
4.7 Hypothesis testing results for different levels of α
A.1 Details of compression testing files
B.1 RAR file header fields