Password reuse between different archive file formats, potential for compromise?

No replies to this topic

#1 rp88

Posted 04 May 2024 - 11:18 AM

Consider the following scenario:
You upload files for backup purposes to an online service, but you don't trust them not to datamine your files to train AIs. Also you know there is some small risk the service could be compromised and all files land in the hands of an attacker who happens to have enough time, skill and bother to try breaking any cryptography he finds, in the hope he can find profitable secrets within some of the vast collection of files he stole.

But you're somewhat protected, because any time you uploaded files to the online service you encrypted them and packed them into archive files first.

And you used the same password, of >9 characters, not a word in the Oxford dictionary... for all the different files you backed up there.

But you didn't always encrypt in the same way. Sometimes you were on a PC with Engrampa (Linux's GUI 7z compressor) on it, so you made 7z files with password protection and with the box for hiding the file name list ticked too. Other times you were on a different PC, and collected files up into unencrypted zip files, then used gpg to do gpg -c file_name.zip, which produced file_name.zip.gpg, which you then uploaded.

Now consider an attacker having access to some of these files:
backups_volume_1.7z
backups_volume_2.zip.gpg
and so on...

As the same password is used on both archives, is there any vulnerability introduced?

What if the very same file is present in both formats, say you accidentally backed up the same folder twice, once via each method:
backups_folder_old.7z
and backups_folder_old.zip.gpg

To my understanding Engrampa's 7z crypto and gpg's symmetric crypto are, by default, the same algorithm, or at least very similar, both AES-256 of some sort.

Does this mean having access to the same folder of files, encrypted in both different ways but with the same password each time, would give an attacker enough info to work out the password, or otherwise crack into one or the other of the archive files and decrypt the password, even if he never managed to get a plain text password exposed (so he wouldn't be able to reuse it on any other encrypted files with the same password but totally different contents)?

This is a hypothetical situation, but I'm particularly trying to understand if storing encrypted files which have the same password, but different programs for encryption, together, risks compromising the security that encryption is supposed to provide.

Thanks

Edited by rp88, 04 May 2024 - 11:30 AM.

Back to visiting this site, every so often, been so busy in previous years.
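The scenario in the post, as an added toy model rather than code from 7-Zip, Engrampa or GnuPG: each file ties the reused password to its own key through its own derivation step, so a candidate password can only be tested by rerunning that file's derivation, and the overall protection is set by the cheaper of the two derivations. The iteration counts, the 16-byte per-file salt and the HMAC key-check tag are constructed assumptions standing in for the real formats' parameters, not their actual schemes.

```python
import hashlib
import hmac
import os

# Constructed per-format work factors (assumption: not the real 7z or OpenPGP values).
FORMAT_ITERATIONS = {"7z": 60_000, "gpg": 30_000}
KEY_CHECK_LABEL = b"key-check"


def derive_key(password: str, fmt: str, salt: bytes) -> bytes:
    """Password -> 256-bit key, run separately for every file (PBKDF2 stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               FORMAT_ITERATIONS[fmt], dklen=32)


def seal(password: str, fmt: str) -> dict:
    """Model of what an encrypted archive stores about its password: the
    format, a fresh per-file salt and a key-check tag (constructed layout)."""
    salt = os.urandom(16)
    key = derive_key(password, fmt, salt)
    tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"fmt": fmt, "salt": salt, "tag": tag}


def password_opens(header: dict, candidate: str) -> bool:
    """The only route from a candidate password to a verdict is this file's
    own derivation; another file's header offers no shortcut."""
    key = derive_key(candidate, header["fmt"], header["salt"])
    expected = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(expected, header["tag"])


def keys_related(password: str, a: dict, b: dict) -> bool:
    """Same password under two files gives identical keys only when salt
    and derivation parameters coincide; otherwise the keys are independent."""
    return derive_key(password, a["fmt"], a["salt"]) == \
        derive_key(password, b["fmt"], b["salt"])


def weakest_format(headers) -> str:
    """With one password reused across formats, the protection is bounded
    by the format whose derivation is cheapest to run per guess."""
    return min(headers, key=lambda h: FORMAT_ITERATIONS[h["fmt"]])["fmt"]


if __name__ == "__main__":
    pw = "correct-horse-battery-staple-2024"  # constructed sample password
    seven, gpg = seal(pw, "7z"), seal(pw, "gpg")
    print("7z opens:", password_opens(seven, pw), "gpg opens:", password_opens(gpg, pw))
    print("keys related across formats:", keys_related(pw, seven, gpg))
    print("weakest format in the set:", weakest_format([seven, gpg]))
```

The model carries no plaintext on purpose: for a modern cipher the password enters each file only through the derivation step shown, so the same folder appearing in both archives does not change which derivation a guess must pass.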
