PKWare Files a Patent Application for Secure .zip

prostoalex writes "The battle of ZIP formats might intensify as PKWare filed an application with USPTO to obtain a patent on its Secure Zip technology, which pretty much involves archiving with strong cryptography. If the patent gets granted, PKWare will license its algorithms for other software manufacturers. A representative of Aladdin Systems summed it up: "The good thing about the .zip file format was that you knew you could send it to everyone. Now that's getting broke.""

Use PGP

[unixwin]

zip & use pgp even better use bzip2 and pgp
secure and compressed

Re:Use PGP

[Nathan+Ramella]

Doesn't PGP already compress things before it encrypts? (Adds to the difficulty in decyphering it..)

Re:Use PGP

[FrankoBoy]

Indeed.

Re:Use PGP

[daveq]

The reason it encrypts beforehand is that you can't really compress encrypted data. Well encrypted data should appear random.

PGP's algorithm of choice for compression may not be as cool as yours though, so you may want to use bzip2 anyway for particularly large files.

Re:Use PGP

[yintercept]

Of course, if this is one of those "we've patented the world" claims, then any program that produces an encrypted file that is smaller than the original would be in violation of the patent.

There is still room for encryption programs that make files bigger. I've been thinking of making a program that would automatically pad a document with additional legal verbiage and routinely add one billable hour, and see if I could sell it to the legal community.

That's fine and all....

[flewp]

but I want a secure zipper. So many people are trying to get into my pants it's outrageous.

Ironic quote from Aladdin Systems

[extrarice]

[quote]
A representative of Aladdin Systems summed it up: "The good thing about the .zip file format was that you knew you could send it to everyone. Now that's getting broke."
[/quote]

This quote is funny coming from a company that sells a competing compression format (.sit)

Re:Ironic quote from Aladdin Systems

I would not consider .sit a competitor to .zip. StuffIt is the .zip for the Mac niche. It's the only archive format out there that is sensitive to Mac OS resource forks. For certain types of Mac files (read: most), putting your data into a zip archive will render them useless. Though reliance on the resource fork is decreasing in Mac OS X.

Aladdin writes software handles zip files, too. So they DO care about inter-operability. They have a perfectly honest and legitimate interest in this.

Re:Ironic quote from Aladdin Systems

[innate]

You're partly right. StuffIt was the main compression format until OS X came along, but it's not the only format that preserves resource forks.

Today you'll mainly see .dmg (disk image) format, which features compression, optional encryption, and preserves resource forks. Also common are .pkg (a compressed installer, which can include files with resource forks) and .tar.gz files (I don't think they preserve resource forks).

And some folks still use Stuffit .sit files.

Text compression

[smeenz]

It's good to see Aladdin Systems are demonstrating their lossy text compression technology by saying that the ZIP format is "getting broke" rather than "getting broken"

</tongue>

7-zip

[fredrikj]

Everybody, start using the (open source) 7-zip instead.

Re:7-zip

[pla]

Everybody, start using the (open source) 7-zip instead.

No kidding. It amazes me that a lot more people don't use this - It handles all the major formats (zip, tar, gz, bz2, cab, no "sit", though) better than the "native" program for them does, and hey, open source to boot. And, its "7z" format really does get 10-30% better compression than even bzip2.


Gotta agree with the other response to you, though - the interface needs MAJOR work. It doesn't "look" bad, but feels very counterintuitive. Hell, if they totally eliminated the psuedo-explorer-esque look and just let me drag-and-drop, I'd consider it perfect.

extensions

[exhilaration]

Ideally, a new extension should be used for any format that is incompatible with existing ZIP archives. For example, EZP for encrypted zip, or SZP for secure zip.

But it's likely that they'll keep using ZIP because of its brand recognition. That's really too bad, but at the same it might frustrate people enough to get them to try another compression format, like BZIP.

Re:extensions

[dmeranda]

What's an extension? I use Content-Types like application/x-patented-zip and name all my Zip(TM) files "archive.this.is.not.tar", and when I am forced to use Windows I never see an "extension".

Seriously, the true value of their intellectual "property" (sic) is that of their trademarked brand name. As an archive format it is pretty uninteresting. Everybody knows what "zip" means. Adding a patent in this area to me seems like a dumb move; another one of those all-to-common desparation moves by a failing company to have the USPTO save it. In the late 1990s companies looked for VC firms to save them from their own shortcomings, today the trendy savior seems to be the USPTO.

To me this move just screams "Use our patented technology to secure your important files....BTW you must use only our software and we can revoke your rights to use our patent at any time rendering your important files so secure that not even you can read them legally again!" That's enough to keep me from using their format; it's my data and I don't want my access to it to be contingent upon some party outside of my control.

just another example...

[Satan's+Librarian]

of a a company going to hell after its founder is gone, it can't innovate anymore, and it starts getting beaten to a pulp by its competitors.

seems like a familiar story to me.

Re:just another example...

[FattMattP]

Can't innovate anymore? How about can't innovate to start with? Phil Katz took an open-source program, copied it wholesale, rewrote some stuff in assembler, and ignored the original author's license entirely.

Why not GPG?

[David+Hume]

zip & use pgp

Why not zip and then use GPG?

I'll stick to bzip

[Aeonsfx]

Hmm, I don't see why this is such a big deal.... bzip pretty much compresses higher than 'em all. That plus, its GNU-free ^_^ zip? I don't really see why encryption was ever a critical feature in the format, (I thought it was a bunch of proprietary schemes to begin with) but I'll continue to use it to send some files.

The next widespread compression

[interiot]

The replacement for pkzip should be gzip. Not only is it specified in the open via rfc but it's implemented in internet explorer and friends.

Re:The next widespread compression

[Ian+Bicking]

I believe the zip format allows for much faster decryption of individual files inside an archive, compared with tar+gzip -- pkzip keeps an index of all the files in the archive, whereas gzip is content neutral, so you have to decompress to get at the underlying tar file.

.gz.tar would be something different (a tar with its constituent files gzipped). I know nothing about how efficient tar is about accessing individual files, but I don't believe it's very efficient.

Zip+encryption?

[AnotherBlackHat]

Gotta wonder how they got that past the examiner.
"No no, pkzip isn't prior art... the patent only covers the novel idea of using strong encryption"

-- this is not a .sig

PK

[semanticgap]

For those too young to remember - PK are initials of late Phil Katz, the original author of PKZip, a pretty unusual character. Here's a link about how he died.

AFAIK the company is now run by his mom pretty much.

encrypting version of gnu tar

[phr2]

Would an encrypting version of GNU Tar be prior art? I put Blowfish into GNU Tar in the mid 90s and posted to Usenet about it in 1996 and at various other times. I've offered to send out copies and a few people have asked for and gotten them. I'd think that constitutes publication.

There's also a Usenet thread about encrypting archive programs including some modified Zip programs.

Some notes about the pkzip encryption.

It's important to note how the strong encryption
differs from other pkzip crypto methods.
A zip45 file begins with:

central file header signature 4 bytes (0x02014b50)
version made by 2 bytes
version needed to extract 2 bytes
general purpose bit flag 2 bytes ... etc ...

In a zip file, if the GENERAL PURPOSE bit flag is set
(bit 0 of the 2 byte field) it means the file is encrypted.

The PKZIP encryption scheme was designed by Roger
Schalfly, who is evidently the son of the famous
(1980s anti-women's rights) republican spin mastah
Phyllis Schlafly. But anyway.

Each encrypted file has an extra 12 bytes stored at
the start of the data area defining the encryption
header for that file. The encryption header is originally
set to random values, and then itself encrypted, using
three, 32-bit keys. The key values are initialized using
the supplied encryption password. After each byte
is encrypted, the keys are then updated using
pseudo-random number generation techniques in
combination with the same CRC-32 algorithm
used in PKZIP and described elsewhere in this document.

The following is the basic steps required to decrypt a file:

1) Initialize the three 32-bit keys with the password.
2) Read and decrypt the 12-byte encryption header, further
initializing the encryption keys.
3) Read and decrypt the compressed data stream using the
encryption keys.

For step one, you jack up your karma whorin' by pasting
the following key sets:

Key(0) > 24)
end update_keys

In step two, often associated with total karma whorin',
one also (*cough* karma whore) loops through the
buffer with:
loop for i > 8
end decrypt_byte

After the header is decrypted, the last 1 or 2 bytes in
Buffer should be the high-order word/byte of the CRC for
the file being decrypted, stored in Intel low-byte/
high-byte order. Versions of PKZIP prior to 2.0 used a
2 byte CRC check; a 1 byte CRC check is used on
versions after 2.0. This can be used to test if the
password supplied is correct or not.

In step 3, we continue to blatantly violate copyright laws
while whorin' karam with:

loop until done
read a character into C
Temp - C ^ decrypt_byte()
update_keys(temp)
output Temp
end loop

So that's about it.

If they get a patent...

[brianosaurus]

I can't even believe there is any doubt they will receive a patent for this, even if it isn't anything particularly interesting. In fact I'll be presently surprised if the PTO actually recognizes the existance of plenty of prior art. Maybe they don't even need to recognize prior art, just the fact that encrypting a zip file is obvious.

Its insane that you can patent "Doing something someone already did, but doing it to THIS instead of THAT." I can, perhaps, buy an argument that encryption (like the first time anyone did it) was patentable. Maybe even that different algorithms for encryption could be patentable.

But once encryption is there, applying encryption to ANYTHING should not be patentable. A zip file is just data. Encrypting it (or encrypting the contents) is not a novel concept.

So while I would love to see the PTO demonstrate some miniscule amount of clue and reject the patent, I will be very surprised if they actually do.

What's worth a patent?

[jetmarc]

Ok, I know that ZIP is known for notoriously weak security.

But is it worth a PATENT to now associate the "security" features of ZIP
with "strong cryptography algorithms"?

That's like Microsoft filing a patent for a "not crashing OS", as reaction
to market research reports that show how people are not happy anymore with
traditional (crashing) MS products.

WinZip Publishes AES Encryption Standard

[----]

With the WinZip 9.0 Beta announcement there is this little tidbit ...

"Advanced encryption
WinZip 9.0 supports 128- and 256-bit key AES encryption, which provide much greater cryptographic security than the traditional Zip 2.0 encryption method used in earlier versions of WinZip.

WinZip 9.0's advanced encryption (FIPS-197 certified) uses the Rijndael cryptographic algorithm which, in 2001, was specified by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197 as the Advanced Encryption Standard (AES).

After a three-year competition, the AES was announced by NIST as an approved encryption technique for use by the U.S. government, private businesses, and individuals. When properly implemented as a key component of an overall security protocol, the AES permits a very high degree of cryptographic security, yet is fast and efficient in operation.

WinZip's AES encryption is just as easy to use as traditional Zip 2.0 encryption: all you have to do is select the encryption strength and specify your password.

Note: recipients to whom you send AES-encrypted Zip files must have a compatible Zip file utility in order to decrypt the files. At this time, WinZip 9.0 is required. We have, however, published the full specification for creating WinZip-compatible AES-encrypted Zip files, and we expect that other Zip file utility vendors will provide support for the format. "

Funny, it sounds like either they already reverse engineered the pkware zip encryption, or established their own encryption.

I wonder how many times users will complain to company xyz (that is using pkware encryption for their products) about their files not working in winzip, before company xyz will drop their pkware proprietary encryption in favor of winzip's published (and functional) encryption.

/* ---- */

Re:OS operating system common formats

[DeeKayWon]

No, zip makes zip files. compress makes .Z files.

Re:No, that's not the reason

you're both right.. 'encrypted data' doesn't compress well not because it's random, but because it's redundancy is relative to the encryption method and not to specific patterns within text sets, image sets, number sets.. since conventional compression like burrows-wheeler, huffman, gzip, pkzip, etc. are all designed to remove patterns from 'natural' data sets you'll have much poorer compression rates.. but that hardly means the data is not compressible

help, I don't understand

[lfourrier]

1. "What we've filed a patent for is the whole method of combining.zip and strong encryption to create a secure.zip file," said Steve Crawford, the chief marketing officer at PKWare. The patent was filed with the Patent Office on July 16, he said.
2.In May of this year, WinZip developed its own method of strong encryption, which incompatible with the PKWare product.
3.Crawford believes that WinZip will be a potential licensee. "The basic approach of combining encryption of.zip is covered by the patent, so what WinZip has done, I believe, would be covered by the patent."

If 3 is true, 2 is clearly prior art. So why patent?

There is something rotten in IP kingdom.

Re:No, that's not the reason

I agree. Encrypted data which occupies the same space as the decrypted data should, in principle, be just as compressible as the decrypted data.

The problem (if it is indeed a problem) is that compressing the data may, in practice, be as hard as decrypting the data.

Threat to encrypted gzip?

[SEE]

It'd be interesting to see exactly what the scope of the claims are in the patent, since this is a potential threat to encrypted gzip as well.

How?

Zip and gzip use the same 'deflate' compression alogrithm. In fact, zlib was based on the Info-Zip code, a free software/open source alternative to pkzip, and the GZip homepage specifically credits Info-Zip as where "all this started", and mentions that the decompression code was based on the code of the major author of Info-Zip. And WinZip's .zip support is another direct derivative of this Info-Zip code.

So, gzip, zlib, Info-Zip, and WinZip all share common code from common authors implementing the same algorithm. As a result, it would take a very narrowly-tailored patent to allow gzip-and-encryption without allowing Winzip's zip-and-encryption.

If they're smart, it won't break .zip's usefulness

[charlesbakerharris]

If they patent the process, the smart thing for them to do would be to release the decoder as a part of their basic freeware utility, then charge for the ability to zip/compress everything.

That way, you could always still send either an unencrypted or an encrypted zip - you pay for the ability to encrypt them, fine, but you can unencrypt them easily enough no matter where you are or whose winzip you're using.

It's kinda like Acrobat - anyone can read their files, nobody can create them without buying the utility (blah blah freeware acrobat writers, I know...)

Except Katz didn't innovate that much.

[Watts+Martin]

Except that they started out in hell, because their founder ripped off Thom Henderson's ARC to make his original program.

Back in the BBS days, we were all rallied to support good ol' Phil against the evil Big Company, System Enhancement Associates, who was suing to keep Phil's faster PKARC from eating the original ARC program's lunch. BBS sysops were encouraged to boycott ARC. It worked. It ruined System Enhancement Associates.

Except the funny thing is, SEA was right. They won the lawsuit because Katz hadn't just reimplemented ARC, he stole their source code. That always gets left out of the retelling, even though the reason ZIP exists as a format is because Katz was ultimately prevented from using the ARC format and compression routine. The reality is also that even then, PKWare was a bigger company than SEA ever was. ARC was a commercial program, but had a very unusual license (for the time) allowing people free access to the source code if they wanted to port it to non-DOS platforms. Katz baldly abused this license and, in the end, got away with it. ZIP did end up with an improved compression scheme which I presume PKWare came up with, although there's some evidence that the all-but-ignored ARC 7 outperformed it. (PKARC was, IIRC, based on ARC 5.)

Ben Baker has a description of the history of this whole affair at the website of Thom Henderson (ARC's author). Henderson also has his own commentary, which I would describe as "gently acid."

Software patents hurt everyone

[JVert]

Software alone should be an exception from patents. Copyrights are ok to protect branding but patenting algorithims is like patenting a shortcut for a daily commute. People built cars and roads to you could use them as you wish. Same thought behind people building hardware and compilers.