[codec] Support for writing AES-encrypted ZIP files

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[codec] Support for writing AES-encrypted ZIP files

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

According to
https://commons.apache.org/proper/commons-compress/limitations.html,
ZIP support does not include AES encryption when *writing* archives.

I'm wondering if that was a design decision or just that nobody has
volunteered to write the export code to support that feature.

I've been using the library that was once hosted at
https://code.google.com/p/winzipaes, but is would be nice to have it
available through commons-compress as well.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2PWUgACgkQHPApP6U8
pFhzoxAAtOY3sjNV+KomHrQqQWgo5Tm4r3QT/sdUoeIi5uQHoiajUEuviot5F4jt
Ql+qgPqDrDAoDUN05/XI3ArQeWwHYzTPi4gDaTATVXmigAYV04PqcyF2w9sZq/t6
zr2giRdDjg/24LzSLx3O/aX+eCLU1ekqtAPUdCI3vpLfC+ymElaIedD+G748GwKz
4xLwZG/eWnTeyWaP6SFaKXmlPexCIAt/FSQh0ztmmSn2ivvLkMTMMsvXbXLVwWQ2
A0JSPBqywuS5RSGAS8ebX5p7BKbw4jdlxVqyGbgv7yFYQMEOuaI6oOFRdTb5ujgg
bXYM/hR5wNuveHZON5VqFVj5gnDQDp9GMm8iw0ueJYDxviCVzP6XVeLuUCCZeFf6
Kz78Q5W65jIylMTGpWc7nXVvWou2aKf8esODPWlvAuXN4EJOkpBBk2zThGnLl4ox
qiAhAt2Ma3KCNYcTfV0Yx8Pk5PGTkMuhhSjh/oxNQ2amFQ38Jjkvp3feZ1WxgCDC
GCE+mPAVYu6AMmZmDyIa6jB3O3RgMY3ZsGitrKRinkh+pqDE/MhAiIHbM6q9HK4l
QSD4yE2xPc6ud5hMeoNhoHr1un4BoWQ4cPno9oO6Yj6pzU5EHUq4TRTIITrMkg3O
OIB1UIcxovYFkIOVZ/+U1GtCyNmY2MHEX05y/iB3TpM0fM8jHIQ=
=Xhbd
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [compress] Support for writing AES-encrypted ZIP files

sebb-2-2
Fixing subject prefix

On Sat, 28 Sep 2019 at 14:00, Christopher Schultz
<[hidden email]> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> All,
>
> According to
> https://commons.apache.org/proper/commons-compress/limitations.html,
> ZIP support does not include AES encryption when *writing* archives.
>
> I'm wondering if that was a design decision or just that nobody has
> volunteered to write the export code to support that feature.
>
> I've been using the library that was once hosted at
> https://code.google.com/p/winzipaes, but is would be nice to have it
> available through commons-compress as well.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2PWUgACgkQHPApP6U8
> pFhzoxAAtOY3sjNV+KomHrQqQWgo5Tm4r3QT/sdUoeIi5uQHoiajUEuviot5F4jt
> Ql+qgPqDrDAoDUN05/XI3ArQeWwHYzTPi4gDaTATVXmigAYV04PqcyF2w9sZq/t6
> zr2giRdDjg/24LzSLx3O/aX+eCLU1ekqtAPUdCI3vpLfC+ymElaIedD+G748GwKz
> 4xLwZG/eWnTeyWaP6SFaKXmlPexCIAt/FSQh0ztmmSn2ivvLkMTMMsvXbXLVwWQ2
> A0JSPBqywuS5RSGAS8ebX5p7BKbw4jdlxVqyGbgv7yFYQMEOuaI6oOFRdTb5ujgg
> bXYM/hR5wNuveHZON5VqFVj5gnDQDp9GMm8iw0ueJYDxviCVzP6XVeLuUCCZeFf6
> Kz78Q5W65jIylMTGpWc7nXVvWou2aKf8esODPWlvAuXN4EJOkpBBk2zThGnLl4ox
> qiAhAt2Ma3KCNYcTfV0Yx8Pk5PGTkMuhhSjh/oxNQ2amFQ38Jjkvp3feZ1WxgCDC
> GCE+mPAVYu6AMmZmDyIa6jB3O3RgMY3ZsGitrKRinkh+pqDE/MhAiIHbM6q9HK4l
> QSD4yE2xPc6ud5hMeoNhoHr1un4BoWQ4cPno9oO6Yj6pzU5EHUq4TRTIITrMkg3O
> OIB1UIcxovYFkIOVZ/+U1GtCyNmY2MHEX05y/iB3TpM0fM8jHIQ=
> =Xhbd
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [compress] Support for writing AES-encrypted ZIP files

Stefan Bodewig
In reply to this post by Christopher Schultz-2
[thanks to sebb for changing the subject line]

On 2019-09-28, Christopher Schultz wrote:

> According to
> https://commons.apache.org/proper/commons-compress/limitations.html,
> ZIP support does not include AES encryption when *writing* archives.

You must have looked at the entry for 7z. Unfortunately we don't support
reading of any of the encrytion mechanisms available for ZIP archives
either.

> I'm wondering if that was a design decision or just that nobody has
> volunteered to write the export code to support that feature.

For 7z it merely is the latter. Somebody contributed code for reading
but nobody has taken the time to implement writing so far.

For ZIP the situation is not that clear. There exists a very weak
feature that is called "traditional encryption" that some people could
use to decrypt old password protected archives. Then there is WinZIP AES
that you mention yourself. For both of them we simply haven't had
anybody write the code.

https://issues.apache.org/jira/browse/COMPRESS-251
https://issues.apache.org/jira/browse/COMPRESS-247

And then there is PKWare's own "strong encryption" feature which is what
commercial tools likely use for encryption. In order to implement that
one needs a license from PKWare. PKWare is not willing to provde such a
license for an open source library - I've asked. So we'll never be able
to implement that.

See "Incorporating PKWARE Proprietary Technology into Your Product" in
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT

WinZIP AES has been on my personal TODO list for years, I just have
never come around to it. I guess you know what I'm talking about
yourself.

> I've been using the library that was once hosted at
> https://code.google.com/p/winzipaes, but is would be nice to have it
> available through commons-compress as well.

This seems to have moved to https://github.com/mobsandgeeks/winzipaes

It looks abandoned - last commit more than four years ago - and I don't
see which license the code would be under.

A long while ago it seems to have been under the Apache Software
License, at least this is what my comment on

https://issues.apache.org/jira/browse/COMPRESS-88

says (not that I recalled ever writing that before I went back to the
issues :-).

Actually WinZIP AES itself looks pretty much straight forward. It is
implemented as a separate "compression method" - unlike PKWare's strong
encryption feature which does a lot more than that and in particular
encrypts metadata in additon to the contents.

https://www.winzip.com/win/en/aes_info.html

It shouldn't be too difficult to implement using JCE, it's mostly a
matter of finding the time to do so.

The zip package itself hasn't been designed with extension in mind and
so far we have only plugged in non-standard compression methods for
reading (a few of the old methods, bzip2 and deflate64). It is quite
possible that adding one for writing is quite a bit more work.

https://issues.apache.org/jira/browse/COMPRESS-143

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]