Re: ZIP Encryption



Hello!
You wrote on Fri, 28 Dec 2007 08:20:58 -0800:

JN> A customer has asked me for higher encryption than "standard ZIP". Does
JN> anyone know what encryption levels are used for ZIPs to remain
JN> compatible with popular ZIP decompressors? Any other components out
JN> there that would work better than VCLZip in this regard?

Standard ZIP encryption is really weak.

WinZip in version 8.0 (if memory serves) has offered its AES-based symmetric encryption, incompatible (of course) with other software. To make things worse, PKWare offered its own (as I think, more advanced) encryption method, based on X.509 certificates and optionally passwords. Surely this method is not a standard as well.

I am not aware of the state of things at the moment (I investigated the encryption in ZIP files about a year ago), but I don't think that things have changed seriously enough to make the whole approach usable.

There are alternative methods of solving the problem. First of all, you can encrypt the files before packing.
Next, you can pack the files before encryption. For example, PGP 9.x from PGP Software puts multiple files into a TAR file and then encrypts and compresses them. When you do decryption, the files are unpacked automatically (but again only if PGP 9.x is used).

The only more or less standard approach that I see is OpenPGP encryption + compression. The OpenPGP standard (RFCs 2440 and 4880) specifies that the data can be compressed before encryption. OpenPGP can use the ZLib or BZIP methods of compression (alternative methods are possible but not standard and not widely used) and it can provide password-based encryption. The only drawback is that to extract the original data the recipient would need not a standard ZIP utility, but a more or less standard PGP or GnuPG (gpg) utility. Note that BZIP appeared only recently, so for compatibility you would need to use ZLib.

With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for network security
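As an added example (not part of Eugene's post, nor SecureBlackbox or GnuPG code), the following Python shows why the OpenPGP ordering, compress first and then encrypt, matters: deflating after encryption gains nothing, because ciphertext looks random to the compressor. The stream cipher here is a SHA-256 counter-mode stand-in assumed only for the demonstration; gpg would use AES, and the log-line payload is constructed.

```python
import hashlib
import os
import zlib

# Constructed sample payload: a repetitive, highly compressible text file.
SAMPLE_PLAINTEXT = b"2007-12-28 08:20:58 INFO order=1234 status=shipped carrier=UPS\n" * 200


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of SHA-256(key || nonce || counter) blocks.

    Demonstration stand-in for the symmetric cipher only (assumption of this
    example); OpenPGP tools use AES or another registered cipher instead.
    """
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The OpenPGP ordering: deflate (zlib) first, then encrypt the result.
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def decrypt_then_decompress(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return zlib.decompress(keystream_xor(key, nonce, ciphertext))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The reverse ordering (encrypt the files, then deflate them into a ZIP):
    # the deflater sees pseudo-random bytes and cannot shrink them.
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


def compare_orderings(plaintext: bytes = SAMPLE_PLAINTEXT, key: bytes = None, nonce: bytes = None):
    """Return (plaintext_len, compress_then_encrypt_len, encrypt_then_compress_len)."""
    key = key or os.urandom(32)
    nonce = nonce or os.urandom(16)
    cte = compress_then_encrypt(key, nonce, plaintext)
    assert decrypt_then_decompress(key, nonce, cte) == plaintext  # round trip check
    etc = encrypt_then_compress(key, nonce, plaintext)
    return len(plaintext), len(cte), len(etc)


if __name__ == "__main__":
    print("plaintext / compress-then-encrypt / encrypt-then-compress:", compare_orderings())
```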



