Educause Security Discussion mailing list archives

Re: Zip encryption


From: Morrow Long <morrow.long () YALE EDU>
Date: Fri, 11 Jun 2010 13:45:37 -0400

You may also want or need to know that WinZip encryption and several other ZIP, file, folder and full disk encryption implementations are not FIPS-140-2 certified.

WinZip's AES implementation is FIPS-197 certified by NIST, however FIPS-140-2 certification (which is given in assurance levels 1, 2 or 3) considers more than just the specific encryption cipher as implemented in code.

You may need or want FIPS-140-2 certification, such as in cases where you wish to achieve HITECH Act "Safe Harbor" from EPHI disclosure notification requirements or if you need to meet DOD or FISMA C&A requirements for a particular government agency grant or contract.

References:

        "WinZip AES is not FIPS 140-2 certified"
                http://kb.winzip.com/kb/entry/65/

- Morrow


On Jun 11, 2010, at 1:29 PM, Alex Keller wrote:

It should be noted that you can typically peruse the directory structure and view all file names within a password-protected zip archive without having the password. In some cases, that may be unacceptable data leakage.

best,
alex
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153
Phone: (415)338-6117
Email: alkeller () sfsu edu
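Alex's point above can be checked directly. The following is an added example, not code from the thread or any of the tools named in it: it hand-assembles a small legacy ZipCrypto-protected ZIP (the password-only format in classic PKZIP/WinZip) and then lists it with Python's `zipfile` without supplying the password; the entry names, sizes and password are constructed sample values. Only the entry data is encrypted; the central directory that carries the file names is plain.

```python
import io, struct, zipfile, zlib

PASSWORD = b"correct horse"  # constructed sample values, not from the thread
ENTRIES = {"payroll/salaries-2010.csv": b"name,salary\nalice,1\n",
           "patients/ephi-export.txt": b"mrn,dob\n0001,1970-01-01\n"}

def _crc_step(crc, byte):  # one table step of CRC-32, without zlib's pre/post inversion
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(plaintext, password, check_byte):
    """Legacy PKWARE 'ZipCrypto': 12-byte header (last byte = CRC check byte) then the data."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(p):
        k[0] = _crc_step(k[0], p)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    for p in password:
        update(p)
    out = bytearray()
    for p in b"\x00" * 11 + bytes([check_byte]) + plaintext:  # real tools randomise the 11 bytes
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_protected_zip(entries, password):
    """Hand-assemble a STORED archive so the layout is explicit: only entry *data* is encrypted."""
    local, central = io.BytesIO(), io.BytesIO()
    for name, data in entries.items():
        crc, fname, offset = zlib.crc32(data) & 0xFFFFFFFF, name.encode(), local.tell()
        enc = zipcrypto_encrypt(data, password, (crc >> 24) & 0xFF)
        # local header: version 2.0, flag bit 0 (encrypted), method 0 (stored), time/date zeroed
        local.write(struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0,
                                crc, len(enc), len(data), len(fname), 0) + fname + enc)
        # central directory: the file name, sizes and flags sit here in the clear
        central.write(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0,
                                  crc, len(enc), len(data), len(fname), 0, 0, 0, 0, 0, offset) + fname)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       central.tell(), local.tell(), 0)
    return local.getvalue() + central.getvalue() + eocd

def list_without_password(archive):
    """Everything a holder of the file learns with no password: names, sizes, encrypted flag."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(zi.filename, zi.file_size, bool(zi.flag_bits & 1)) for zi in zf.infolist()]

def read_entry(archive, name, password=None):  # contents DO need the password (RuntimeError otherwise)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=password)
```

The same holds for WinZip's AES-encrypted entries: the AE-x format encrypts the entry data, not the central directory, so a review of what an archive leaks should start with `unzip -l`-style listing rather than with the cipher.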


On 6/11/2010 9:10 AM, Adam Nave wrote:

7-zip gets a lot simpler if you use the right-click menus. It should be feasible to train specific people to create self-extracting password protected 7z archives.

Sophos offers a free encryption tool that creates self-extracting password protected archives. I'm sure it's not the only tool of its kind.
http://www.sophos.com/products/free-tools/sophos-free-encryption.html

If you want in-place shared folder encryption (for free) then TrueCrypt is pretty much your only option. Otherwise your users will be fumbling with multiple versions of the same zipped file, overwriting each other's work and generally being confused. There is a learning curve to TrueCrypt, but if you set it up correctly to start (automounting the folder for instance), then it won't be too bad.

--Adam


