.ZIP Standard to Fragment?

fudgefactor7 writes "As IDG.NET tells us, the venerable .ZIP compression standard is about to undergo a bit of a schism. PKWare and WinZip, the "big two" in the .ZIP format biz are (unfortunately) going to be making their respective releases incompatible (to an extent) and an archive made with one may not be accessible from another. The problem lies with PKWare not giving information to WinZip, thus making WinZip to go it alone."

Splitting Those ZIPs

[Ken@WearableTech]

The post was a little hyped. PKWare and WinZip only split on the encryption of the Zip file. I for one have long since encrypted Zip files with PGP when I needed that security. Zip encryption has always been a joke, and I doubt that too many are going to replace what ever trusted methods they have come up with for PKWare or WinZip's new method.

It is too bad that they split, but I use Zip files for compression not encryption. The compression is still cross-compatible, so life will go on.

Re:Splitting Those ZIPs

[grub]

I for one have long since encrypted Zip files with PGP when I needed that security

PGP zips files before encrypting them. At least older versions did. See this page

Re:Splitting Those ZIPs

[Surak]

WinZip and PKZip are ALREADY incompatible in some areas.

From Pkware's web store:
# Virtually Unlimited .ZIP File Size allows for .ZIP files exceeding 4-gigabyte archive limitation of other .ZIP products; create archives in excess of a terabyte in size!
# More Files-per-archive allows a practically unlimited number of files files per .ZIP file â" greatly exceeding the 65,535 compressed files limit of other .ZIP products.


These two limitations used to appear in old versions of PKZip (2.04G and earlier), and still appear in the open-source (BSD license) Info-ZIP utilities, upon which WinZip is based. Thus for large zip files, WinZip and PKZip are already incompatible (i.e., WinZip doesn't support anything larger than 4GB, and supports a max of 65,535 files inside a Zip file -- WinZip will NOT read these files). I think there's also a mention of new compression methods not supported by WinZip as well, but I couldn't seem find it again.

Re:Splitting Those ZIPs

[agentZ]

They are still out there, thanks to Skylarov's old company. Elcomsoft makes an Advanced Zip Password Recovery tool.

Re:Splitting Those ZIPs

[WD]

Yeah, but don't forget one of the main advantages of using zip... It'll join multiple files into one archive.

Re:Splitting Those ZIPs

[Surak]

Um, I've hit those limits before and I am neither. I've had to move *large* amounts of CAD data over FTP, and ZIPping or tarballing all the files down is the only practical way. Tarballing is fine until some you have to send it to some lame Windows user who complains he can't open it because WinZip insists on ungzipping a tarball to a tar file in a temporary directory first, rather than streaming it as happens on *nix with 'gzip -dc foo.tar.gz | tar xvf -'

Re:Splitting Those ZIPs

[jdew]

tar? _all_ it does is join multiple files together

Re:Splitting Those ZIPs

[Phantasmo]

Yup, still does. It uses code from Info-ZIP (so GPG probably uses zlib, same thing) to compress the file before encrypting: a compressed file is, in theory, non-repetitive data and is therefore less crack-able.

So, try tar or compress-less zip to package up a bunch of files and then encrypt with PGP/GPG.

Re:Splitting Those ZIPs

[ymgve]

Not really. RAR has two modes, 'solid' archiving where all the files in the archive is one big compressed stream, and 'non-solid', where each file is compressed individually.

Re:Splitting Those ZIPs

[klui]

Under HPUX 10.20/11.x all you need to do is recompile Info-ZIP with a flag and it will support large files. Never had bumped into max number of files before.

Re:Splitting Those ZIPs

[ComputerSlicer23]

Sorry Charlie, if a zip file was very reptitive, it'd be more compressible. A well compressed file looks like random data (so does encrypted data). If it doesn't, get a better compressor. Repeative data is redundant, compressing removes the redundancies. That's the general idea of compression.

Yes, the header will match the magic bytes, but that is also true of nearly any file format. All DOS executables start with MZ, GIF's start with a specific set of bytes. Linux executables normally start with ELF within the first handful of bytes, most perl scripts have perl on the first line. Every file format listed in the magic file has some easily recognizable format.

Also encrypting a file normally doesn't make it any large then to pad out the block size. I know that DES and RSA don't. I can't recall any from when I read the first edition of Applied Cryptography that did.

Kirby

Re:More importantly..

[jat850]

Should be compatible with all of them:

Neither PKWare nor WinZip encrypt archived files by default. This means the vast majority of .zip files will probably continue to adhere to the old, universal format for the foreseeable future.

So it sounds like the only change is in the encryption methods used in each program.

Re:More importantly..

[pir8garth]

Correct...most users that want encryption probably do so after the fact, and thus the mainstream application of using zips shouldn't be effected. The only issue here that I see is if people, or more specifically companies agree to encrypt zip files for security purposes, they must make sure that a standard program is choosen/used to prevent corrupt file confusion.

Re:non issue ..

[afidel]

you would think so from the article, but reality so far has shown differently. I have already run into two instances where someone using the beta copy of winzip9 used the new format by accident and those people using pkware or xp's built in zip readers could not read the file because of some header issue or something like that. Once they rezipped the file with the winzip8 option (aparantly that's what they did as both posts said something to that effect) no one had a problem reading the file. I hope that whatever issue is causing this is removed before the release version.

Try something new

[TheNumberSix]

Perhaps if you find Winzip annoying, you might like to try a nice OSS alternative zip program without annoying nag screens?

I like 7-zip, it's free, has a context menu, supports tar.gz (which the native WinXP unzipper doesn't do) and it's light-weight.

They're hardly zip files

[maggard]

First off the issue isn't the compression, it's encryption. Thus the problem isn't a new one, it's been around since the first extension of zip to involve other sorts of mangling. No standard zip library can read those, it's just that the big two commercial vendors have 'til now kept compatibility with each-other's encryption routines.

The unfortunate part is that this is even being called "zip" at all. These aren't, they're zip with proprietary extensions for a completely different purpose. Zip is being used as a brand name and being "embraced and extended". Truth be told these should now be called zep or something files, not misrepresented as simply zip compressed files.

What will this all break? Well for the suckers who use the encryption they're locking themselves into that one vendor's proprietary extensions. They won't be able to send their compressed files or archives and reliably assume they'll be readable. With zip now a standard part of many OS's (even WinXP now includes it) these mislabeled files will cause confusion and increased complexity.

What can folks do about this? First reconsider corporate licenses for these increasingly un-zip applications. No need to increase the Help Desk's burden with unnecessary/non-standard extensions. Send out a memo reminding folks about policies regarding encrypting company material, the management of the keys used, and the real quality of the encryption used. Look at the free alternatives to the commercial apps, there's little that these applications do that can't be done just as well with free tools.

Zip's value lies in it being a standard. Don't support inappropriate proprietary extensions to it.

Re:Are they stupid?

[martin-k]

Au contraire. Compressing first makes pattern-detection in encrypted data more difficult. That's why PGP compresses first, then encrypts (besides the fact that PGPing something increases its file size, and compressing offsets that).

W - R - O - N - G

[FallLine]

The DCMA explicitly allows reverse engineering for interoperability and this is precisely what WinZip would be doing. http://www.loc.gov/copyright/legislation/dmca.pdf, Page 5, Exception #2. Please read it for yourseld and grab a clue. The tired assertion that the DCMA kills innovation is tired and largely false (at least insofar as it is popularly presented on slashdot)

Re:W - R - O - N - G

[OrenWolf]

What??

DeCSS Did nothing to prevent playback of anything, nor was it it's purpose.

The ONLY purpose of DeCSS was as a method for the DVd Consortium to reap license fees on the tech. DeCSS licensed *players*, not copyright holders. Piracy isn't the concern of the DVD Consortium with DeCSS - loss of revenue due to unlicensed *players* is.

And By the way, the Law doesn't say that reverse-engineering is legal only if the result isn't "too easy to circumvent the technology". The law shouldn't (and doesn't) care. Reverse-engineering for the purpose of interoperability, no clause about being too easy to "circumvent the technology".

Zips and Zips and Zips

[cshark]

That's a real shame. I thought the zip specification was open to anyone who wanted to use it? I stopped using Zips about three months ago in favor of the 7zip format. 7zips are smaller and more secure. The best part about 7z's is that it's an open source format. Fully documented, and entirely free. They also tend to be a lot smaller than standard .zip archives. Just an opinion.

Re:More importantly..

[mcg1969]

We're not talking about the old password encryption methods; we're talking about the new AES-based encryption methods implemen ted in WinZip 9 and PKZip.

distant second? thats generous

[Mondain98]

PKZip, while perfectly good, is running a distant second in popularity based on my observations.

I think the reality is that PKZip is running far behind. I'll go so far to say that RAR is ahead of them. I use RAR over ZIP any chance I can; if it werent for compatibility with "administrative assistant" types, I would do everything in RAR. Better compression, better features.

Re:More importantly..

[trickytree]

The Zip format has changed, and you will see this reflected if a) the archive is bigger than 4Gb, b) contains more than 65,000 files, or c) the user turned on Bzip compression in PK. 95% sounds about right.

Re:More importantly..

[cakoose]

I think that ZIP is more like .bz2.tar instead of .tar.bz2. This means that you can extract individual files without decompressing the whole archive. This is probably why Sun went with ZIP for JAR files (because it's convenient to get at some .class files without unzipping the whole thing).

This difference is also probably why .tar.gz and .tar.bz2 are usually smaller than ZIP archives. I don't think ZIP runs different files together so it can't take advantage of longer streams.

The joke's on them...

[poptones]

If you look at the volume of archives posted to usenet (and elsewhere) it's pretty obvious that both these are simply trying to catch up to RAR. The only thing I use winzip for now is opening windows CAB files. And I'm pretty sure winrar does that, now, too.

NSIS

[UnConeD]

Thankfully there's still some great Windows software around, like NSIS (by Nullsoft). It doesn't bother unzipping itself first (single EXE), it is small, it is powerful, open-source, .... The only thing that sucks is how you create an installer, you have to write a script in a language that's a mix between assembly, PHP and C. It's not at all hard if you're a programmer, but this is the reason why NSIS will never reach those stupid companies that put their Installer in an EXE in an EXE in a ZIP.
If someone were to make an NSIS-script wizard (for people who can't use the script-system) for basic actions and commonly used stuff, it would put InstallShield and friends to eternal shame.

Re:PkWare has already published the file INFO!!!!

[egoots]

...never mind.

I finally got through to the original IGN news article posting (and not just the slashdot replies) and it clarifies what the actual issues are. My parent post here didnt add anything useful.