PKWare and Winzip Reach A Secure Zip Compromise
richard_za writes "Until now the rival compression software vendors PKWare and Winzip have had different (incompatible) ways of password protecting the ZIP format. In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES approach which is fully documented here.
The Register is running this story. PKWare has this press release."
I find zip files to be a pain in the butt anyway even without encryption.
If either program opens the other's files, the user won't (and shouldn't have to) give a shit which method is used.
"As long as it works"
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
Zip file management has virtually been absorbed into both Windows and Linux, and even if these two vendors agreed on a standard it would not mean much. PKzip became irrelevant when Infozip's portable zip tool became widely available, around 15 years ago. Further, all archiving tools today already deal with such a variety of formats that I can't see the crying need for a standard.
Ceci n'est pas une signature
There is still a problem with interoperability at the level of creating encrypted ZIP files. There is no longer a problem with interoperability at the level of reading encrypted ZIP files. The best way for this problem to go away would be for PKWARE to expand the SecureZIP standard to include RSA and AES encryption.
Call me a Troll, but I think the ZIP standard is outdated and bloated.
As for me I'm happy with the RAR compression.
It's smaller and well protected when it comes to encryption (AES).
In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES
In other words, the standard is still fragmented, the new thing here is that both software now support both standard fragments, both double in size, and neither is more interesting for the end user than the other.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
BTW, the same doesn't quite hold true for PGP/GPG users because they use a key that includes much more entropy than that which is derived from the password. Also, the password itself is useless in generating the key. If they choose lame passwords (or none at all), you'd still have to steal their key.
Every time someone sends you a zip archive that you need and that doesn't work because you don't have that particular Windows zip program X it will concern and annoy you.
Meh use tar/bzip2. That gets better compression than 7zip.
Someday, I'll have a real sig.
Actually I think this is one of the cases, where there is no need for asymmetric encryption at all.
That's only true if you are interested in creating an archive for your own future use. However, if you are interested in exchanging archives with other people, then you have the headache of key exchange, and asymmetric encryption is quite useful. Probably most people who need to do this would prefer a solution that handles e-mail and other kinds of documents as well. However if you already have the public key infrastructure in place, it is probably going to be nice to use it for your zip archives too, in a belt-and-suspenders kind of way. I haven't looked at the PKZIP product, but the asymmetric encryption should allow for digital signatures on archives as well, which would provide authentication and non-repudiation.
I'd say that the PKZip way would be more attractive to companies that need enterprise-wide security and may have built it around RSA, and the WinZip way would be adequate for users who simply want to avoid having people poke around in their files.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
As plugins to existing applications are so popular these days, I see this issue as an irrelevance.
Both sides are competing using incompatible creeping featurism. Last I looked, Zip applications were supposed to combine and squash files (and that was enough).
What should be done is to separate the operations:
- file browsing (WinRAR's interface trumps both)
- archiving (combining files)
- compression
- encryption
and implement the latter three as functions of the first using plugins (and let the user choose).
Incidentally, Zip's file format (directory last) sucks. It is practically impossible to do the following using zip:
tar Bcf - . | gzip -1c | rsh -n over_there gzip -dc | tar -C /path -Bxvf -
To this end, plugins suggested above should be written as filters where possible.
I have no problem with browser-like interfaces combining other functions, but the Golden Rule still stands: One Tool, One Job.
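The "directory last" layout mentioned in the comment above, as an added example that is not part of the original thread: it builds a small constructed archive in memory, locates the End of Central Directory record at the tail, and shows that a reader holding only the bytes before the directory cannot list the members. The member names and contents are constructed.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory (EOCD) signature
EOCD_LEN = 22             # fixed part of the EOCD record, no comment

def build_sample_zip() -> bytes:
    """Constructed two-member archive, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "alpha " * 200)
        zf.writestr("b.txt", "beta " * 200)
    return buf.getvalue()

def locate_directory(blob: bytes) -> dict:
    """Find the EOCD by scanning from the tail and read where the directory lives."""
    pos = blob.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(blob):
        raise ValueError("no End of Central Directory record")
    (_sig, _disk, _cd_disk, _here, total, cd_size, cd_offset,
     _comment_len) = struct.unpack("<IHHHHIIH", blob[pos:pos + EOCD_LEN])
    return {"eocd_pos": pos, "entries": total,
            "cd_offset": cd_offset, "cd_size": cd_size}

def listing_from_prefix(blob: bytes, nbytes: int):
    """Member names a reader can list after seeing only the first nbytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob[:nbytes])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None  # directory not received yet

if __name__ == "__main__":
    blob = build_sample_zip()
    info = locate_directory(blob)
    print(info, "archive length:", len(blob))
    print("prefix up to directory:", listing_from_prefix(blob, info["cd_offset"]))
    print("whole archive:", listing_from_prefix(blob, len(blob)))
```

A tar stream, by contrast, puts each member's header in front of its data, which is why it can be unpacked from a pipe as it arrives.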
The downside to RAR is that the format isn't stable.
Since I don't keep up with the warez scene, on the very rare occasion that I download a RAR it's invariably incompatible with whatever version of WinRAR I have installed. Then I need to go download and install their new shareware crapola, fight with its file associations and explorer plugins and so on.
Nice thing about Zip is that it hasn't really changed since the early 90s.
If you want encryption on a per-file basis - again, use GPG on individual files before or after archiving.
Compression after encryption = 0 bytes saved. There's too much random data to compress anything.
However, encrypting after compression is a different story...