You can get away with as few as seven bytes of plaintext and 2^40 work
if you have other files in the archive.  Five of the thirteen bytes are
only used for filtering, so if you have other files you can use the
password check bytes instead of known plaintext bytes.  Also, in
Kocher's attack, you can get six bits of one byte.  Kocher throws it out
and requires one more byte of known plaintext, but you can guess those
two bits (raising the workload from 2^38 to 2^40).

AccessData has another attack that runs in ~2 hours on a 500MHz Pentium,
but the details are a secret, sorry.
-- 
Mike Stay
Programmer / Crypto guy
AccessData Corp.
[EMAIL PROTECTED]
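
Added illustration, not part of the original message and not AccessData's code: the traditional PKZIP cipher re-derives its key state from the password for every file and ends each 12-byte encryption header with the high byte of that file's CRC-32, which the archive stores unencrypted, so each additional file supplies one known plaintext byte. It assumes a writer that takes the check byte from the CRC; the password and file contents are constructed.

```python
import os
import zlib

def crc_step(crc, byte):
    # One step of the reflected CRC-32 (poly 0xEDB88320) used by the key schedule.
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc

class ZipCrypto:
    """Traditional PKWARE stream cipher; key state is re-derived per file."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain):
        self.k0 = crc_step(self.k0, plain)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc_step(self.k2, self.k1 >> 24)

    def crypt(self, data, decrypt=False):
        out = bytearray()
        for b in data:
            t = (self.k2 | 2) & 0xFFFF
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self.update(x if decrypt else b)  # keys always advance on plaintext
            out.append(x)
        return bytes(out)

def encrypt_entry(password, data):
    """Return (crc32, ciphertext); ciphertext starts with the 12-byte header."""
    crc = zlib.crc32(data)
    header = os.urandom(11) + bytes([crc >> 24])  # last byte = check byte
    return crc, ZipCrypto(password).crypt(header + data)

def known_without_password(entries):
    """Per entry, the header byte derivable from the unencrypted CRC field."""
    return [crc >> 24 for crc, _ in entries]

def decrypted_check_bytes(password, entries):
    return [ZipCrypto(password).crypt(ct[:12], decrypt=True)[11] for _, ct in entries]

# Constructed sample: five small files under one password.
FILES = [b"alpha", b"bravo bravo", b"charlie", b"delta" * 3, b"echo"]
ENTRIES = [encrypt_entry(b"constructed-pw", f) for f in FILES]

if __name__ == "__main__":
    print(known_without_password(ENTRIES))
    print(decrypted_check_bytes(b"constructed-pw", ENTRIES))
```

Both lists printed are identical: the bytes an observer can read from the archive metadata match what the header decrypts to under the real password.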
