Newsgroups: sci.crypt
Path: msuinfo!caen!uwm.edu!cs.utexas.edu!qt.cs.utexas.edu!yale.edu!think.com!ames!agate!stanford.edu!leland.Stanford.EDU!kocherp
From: kocherp@leland.Stanford.EDU (Paul Carl Kocher)
Subject: Ethics and software to find ZIP archive passwords
Message-ID: <1992Feb28.112824.18265@leland.Stanford.EDU>
Sender: news@leland.Stanford.EDU (Mr News)
Organization: DSG, Stanford University, CA 94305, USA
Date: Fri, 28 Feb 92 11:28:24 GMT
Lines: 20

     I have written some fairly fast routines that use a brute-force
approach to check passwords against the 16-bit checksum in zip files' 
encryption headers.  On my '386-33, testing all 4-digit lowercase 
combinations takes 76 seconds, including the time to generate
passwords, meaning that ten million attempts could easily be done
in half an hour.  

     I fear that if I release this, it will be mostly used by people
to get unauthorized access to others' data.  On the other hand, anyone 
who is determined enough could easily write a similar program.  Does
anyone have experience releasing programs like this that could be
misused?  My present inclination is to not release it, but I would 
welcome suggestions.

-- Paul Kocher

________kocherp@leland.stanford.edu_________kocherp@jacobs.cs.orst.edu________
I am an undergrad at Stanford seeking summer work or contract jobs programming
(IBM PC), doing technical writing, or assisting with research. Send e-mail for
resume if interested!  - Paul Kocher/Box 13554/Stanford CA 94309, 415/497-6438
