, Volume 5, Issue 2, pp 115-123
Date: 08 Mar 2006

On the security of the WinRAR encryption feature

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


Originally written to provide the file compression feature, computer software such as WinRAR and WinZip now also provide encryption features due to the rising need for security and privacy protection of files within a computer system or for sharing within a network. However, since compression has been much in use well before users saw the need for security, most are more familiar with compression software than they are with security ones. Therefore, encryption-enabled compression software such as WinRAR and WinZip tend to be more widely used for security than a dedicated security software. In this paper, we present several attacks on the encryption feature provided by the WinRAR compression software. These attacks are possible due to the subtlety in developing security software based on the integration of multiple cryptographic primitives. In other words, no matter how securely designed each primitive is, using them especially in association with other primitives does not always guarantee secure systems. Instead, time and again such a practice has shown to result in flawed systems. Our results, compared to recent attacks on WinZip by Kohno, show that WinRAR appears to offer slightly better security features.

Gary S.-W. Yeo completed his B.Eng in Electronics & Computer Systems in the first half of 2005, and is currently working as an electronics engineer with a semiconductor fab facility.
Raphael C.-W. Phan is currently Director of the Information Security Research (iSECURES) Laboratory at the Swinburne University of Technology (Sarawak Campus) – SUTS, Kuching, Malaysia. Raphael researches on cryptography, cryptanalysis, authentication and key exchange protocols, smart card security, hash functions and digital watermarking. His work has been published in refereed journals published by IEE, IEEE, Elsevier Science and US Military Academy; and in internationally refereed cryptology conferences published by Springer-Verlag, Germany. He is referee for several IEEE journals on the area of information security. He is General Chair of Mycrypt '05 and Asiacrypt '07, Program Chair of the International Workshop on Information Security & Hiding (ISH '05), and technical Program Committee member of Mycrypt '05, the International Conference on Information Security & Cryptology (ICISC '05) and International Conference on Applied Cryptography & Network Security (ACNS '06).