Can password-protected zip files be broken without brute force?
In direct meaning, you mentioned (extracting data), no. But keep in mind, however, that any program (or user), in any password-protected ZIP archive, can (without knowing the password):
- browse list of files,
- check file types1.
ZIP files can also be "broken" in the meaning, that you can overwrite exisiting, password-protected file, stored inside ZIP file, with another file, named the same, without knowing the password.
All these mentioned operations does not give attacker access to contents (he or she is still unable to extract data), only list it or destroy it. So I'm mentioning this only as a possible side effects, you may be not aware of. Some people treats this as security leaks, stating that for this reasons, ZIP files are insecure, but other my assume that security is not violated, even with these mentioned "additions".
Since contents of ZIP file can be changed, without knowing the password, by replacing a password-protected file with another one, we can speak about complete insecurity in psychological terms (social engineering, hacking etc.). The attacker can alter contents of ZIP file, without knowing the password and claim to its victim that it is unchanged. Victim, without knowing above mentioned side-effects, may incorrectly assume, that archive hasn't been changed or its contents aren't altered, since he or she (the victim) is the only person, that knows the password.
Here you have my simple question about security of ZIP files, which turned out to be a very good readout, with a lot of useful answers and comments.
1Try to send encrypted, password-protected ZIP containing EXE file via Gmail to see this "in action". Gmail will be able to detect, that you're sending an executable file (and prevent you from doing so) even though, it does not know password, your ZIP is protected with. Side note: It is also both funny and surprising, that renaming the very same file, by giving it different extension (i.e. file.not-zip) can completely disarm this "protection" mechanism and allow you to send archive containing executable file. Funny, because Gmail is able to "break" encrypted, password-protected ZIP to "save" user from sending executable files, but "dies" completely on file rename.
ZIP files are encrypted with AES-256, and the key is derived using a slow key-derivation function (KDF), which makes bruteforce and dictionary attacks generally infeasible. There are no currently known ways to bypass the encryption.
No, as far as I'm aware, there are no current viable attack vectors other than brute forcing the password.