Ben Dahl

CNS 378

The Fatass and The Jackass:

A Tale of Electronic Faux-Pas

While remaining politically neutral is one of the fundamental tenets of the educational

system, the Internet has permeated even this stereotypically geriatric arena. Technological issues

are the hot-button topics of this election, and are present regardless of political leaning. The

Democrats use e-mail, the Republicans use e-mail, and the Independents use email; e-mail has

become as much a part of societal operation as face-to-face communication, postal mail, and the

telephone.

The problem is that the information being stored and transmitted has not been protected,

an issue found on almost every computer and network across the globe. Generally, this does not

present a problem, but people began using free Yahoo! e-mail accounts to conduct official

government business. While this is nothing short of offensive, it presents a picture perfect

opportunity to investigate the applications of encryption in a formal setting.

While e-mail is obviously a pressing issue as it relates to encryption, it is only a piece of

a very larger puzzle. There are a number of options available for public-key encryption of e-

mail: PGP, GPG, etc. As opposed to discussing these types of encryption, a more available,

user-friendly method will be discussed. In order to investigate this issue, the program WinZip

and the AES encryption standard will be discussed.

WinZip is the industry leader in file compression software, and is responsible for the

proliferation of the popular .zip file extension. More importantly, the software is available for

download and includes all options during the trial period. The ease of acquisition and the

1|P age
company's vast resources allowed WinZip to integrate a very important aspect into newer

versions of the program, encryption based on Dr. Brian Gladman's AES encryption schema [1].

WinZip encrypts these files using the U.S. Government's National Institute of Science

and Technology (NIST) Advanced Encryption Standard (AES), and is FIPS-197 Certified [6].

Additionally, WinZip supports AES encryption in both the 125-bit and 256-bit flavors. In order

to fully appreciate the significance of WinZip encryption, AES as an encryption scheme must be

investigated.

While the FIPS-197 Certification Document [4] proves an invaluable resource in regards

to the actual operation of AES, it describes concepts to an almost obtuse mathematical extent. In

light of this, Wikipedia [2] was also used a reference because it presents a more digestible

perspective about the encryption. These sources provide the background for the following

paragraphs, and a wealth of additional information is provided by both resources.

AES is a substitution-permutation network that operates in a finite field and focuses on a

fixed array of bytes called the "State." The cipher goes through a number of steps to encrypt the

plain-text to cipher-text, and then reverses this process to decrypt the information. The AES

encryption scheme has a number of steps that are described in the following paragraphs.

The four primary steps of the AES encryption scheme are as follows: Key Expansion,

Initial Round, Rounds, and Final Round. AES, like most other ciphers uses a key schedule to

create the encryption key. In the case of AES, this Key Expansion step expands a short-key to a

series of round keys, which will be used later. During the Initial Round step, the AddRoundKey

operation is performed, which derives a subkey from the key schedule and combines it with the

"State."

2|P age
 The Rounds phase is next and is composed of a number of sub-phases: SubBytes,

ShiftRows, MixColumns, and another AddRoundKey. The SubBytes step linearly replaces bytes

based on the lookup table. The ShiftRows operation transposes "State" rows by shifting them

cyclically. Next, the MixColumns step mixes "State" columns to combine the four bytes.

Finally, another AddRoundKey operation is performed as described above. The final phase of

AES encryption is appropriately titled the Final Round, and utilizes all steps of the Rounds phase

except for MixColumns [2, 4].

As previously discussed, AES is provided in two easy to digest flavors; the extremely

powerful 125-bit version and the more robust 256-bit version. The 256-bit AES encryption

scheme has not been broken and is certified for NSA "Top Secret" level government documents,

but even the 128-bit version of the scheme is incredibly difficult to crack [2]. The development

team from AES described this in the original specifications document when they wrote,

"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255

keys per second), then it would take that machine approximately 149 thousand-billion (149

trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to

be less than 20 billion years old" [3]. Obviously, it is quite a tall order to brute-force crack even

the lowest provided AES encryption option.

WinZip uses the AES encryption scheme to make the content of encrypted files

inaccessible without the appropriate password. WinZip does this in a way the developers

describe as, "AES-encrypted files are stored within the guidelines of the standard Zip file format

using only a new 'extra data' field, a new compression method code, and a value in the CRC field

dependant on the encryption version. The basic Zip file format is otherwise unchanged" [6].

Essentially, additional information is being added into the header and the CRC, but the .zip file

3|P age
format remains unaltered. This is important because it would otherwise affect the compatibility

with different versions of the program. If the fundamental operations of the .zip format were

changed, the file might not be able to be decompressed properly.

WinZip obviously utilizes a very robust encryption scheme, with little or no detriment to

the original file format. If this encryption is so powerful, how easy could it possibly be to use?

WinZip encryption requires no more than nine mouse clicks from the end user. Select the files to

be encrypted, right-click and select WinZip "Add to Archive." The user then selects "Encrypt

Added Files" and types in an archive name. After clicking "Add," WinZip will prompt the user

for the desired encryption type and the password for the file. Two more clicks complete the

operation and the final step is to close the encrypted archive file.

There are a number of possible uses for encryption of this type. Storage of encrypted

information is the first and most relevant of these options. Protection of information from prying

eyes on a local or wide area network is something that is dealt with on a regular basis. As

opposed to something like TrueCrypt which requires a more advanced user, WinZip is easy to

use and protects the contents of sensitive files.

In addition to storage, WinZip files can be used to protect sensitive information

transmitted over the Internet. A file can be encrypted with WinZip and sent to the recipient as an

e-mail attachment. The file can then only be decoded by a trusted party, something that would

most certainly have prevented certain aforementioned political scandal. Unlike certain command

line e-mail encryption suites (GnuPG), this technique requires only knowledge of WinZip and

how to attach a file to an e-mail. In addition to this, there does not need to be a discussion about

the proliferation of a public key and how it differs from a private key with the user.

4|P age
 WinZip isn't all sunshine and butterflies, because the encryption method is not without its

caveats. In the case of email, all information that will be encrypted needs to be added to the

email in the form of attachments. This may not be a significant amount of work, but it is

additional work nonetheless. The recipient also needs to have a copy of WinZip 10.0+ in order

to be able to decrypt the compressed file. Regardless of the proposed application of WinZip

encryption, the titles of the files are also still visible without having to enter the file password.

The contents of the files themselves are not accessible without the password, but the titles need

to be changed in order to totally obfuscate the information.

The final caveat of the entire scheme lies, much like many other systems, in the password

for the encrypted file itself. In order for this type of encryption to be effective, the password

must not be easily brute-forced. This generally means that the password is long and composed

of characters that make it difficult to remember. The password also needs to be transmitted from

the sender to the receiver in order for the information to be accessed, one of the fundamental

downfalls of private-key encryption. Essentially, two transactions are being performed. The

encrypted information needs to be distributed, along with the password.

In an age where information is power and Google rules the world, encryption is no longer

an option, it is a necessity. The attention spans of the general population are measured in

milliseconds and information is proliferated at an alarming rate. If this information is to remain

powerful and also relevant, it must be protected from those who should not have access to it.

When an encryption tool as powerful as WinZip is so accessible and easy to use, the question it

elicits changes. It is no longer a question of if it should be used, but why wouldn't it be used? If

this question was properly answered by the politicians, no one would be inundated with news

about "HI SARAH" e-mails.

5|P age
 References

[0] 2004 Rijndael. Boston College. 1 November 2008

<http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf>.

[1] A Secure File Encryption Utility. 10 May 2007. Dr. Brian Gladman. 29 October 2008

<http://fp.gladman.plus.com/index.htm>.

[2] Advanced Encryption Standard. 24 October 2008. Wikipedia. 27 October 2008

<http://en.wikipedia.org/wiki/Advanced_Encryption_Standard>.

[3] CSRC - Cryptographic Toolkit. 2 October 2000. National Institute of Standards and Technology. 30

October 2008 < http://csrc.nist.gov/archive/aes/index.html>.

[4] Fips-197. 26 November 2001. National Institute of Standards and Technology. 30 October 2008

<http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

[5] WinZip - AES Coding Tips For Developers. 21 July 2008. WinZip. 25 October 2008

<http://www.WinZip.com/aes_tips.htm>.

[6] WinZip - AES Encryption Information. November 2006. WinZip. 25 October 2008 2006

<http://www.WinZip.com/aes_info.htm>.

[7] WinZip - The Zip File Utility For Windows. November 2006. WinZip. 25 October 2008 2006

<http://www.WinZip.com/powertips.htm#encrypt>.

6|P age