How good is zip file encryption?


Louis LaBrunda

Sep 7, 2022, 9:57:04 AM
to VAST Community Forum
Hi Everyone,

Does anyone have any idea how good is the encryption used with zip files?  I don't need the greatest encryption.  Are the files really encrypted or is this just a password to unzip the file?  Does the VA Smalltalk zip system support the encryption?  I don't need it to support all forms of zip encryption (if there is more than one), I just need it to be able to unzip what it zips.

I want to make a small home grown database with object dumper and encrypt the files.  Compressing them is a bonus.  I think both the VA Smalltalk object dumping and compression systems have stream options.  I haven't tested this yet but I think I can do something like this:

program -> object dumper stream -> zip compression stream -> disk file

I will give this a try and report back.

Lou

Noschvie

Sep 7, 2022, 3:01:18 PM
to VAST Community Forum
Hi Lou,
We are using the #MZZipUnzipApp application to compress/decompress binary data/ByteArray.
Have a look at:
MZDllCall>>#compress:length:source:length:
MZDllCall>>#uncompress:length:source:length:
br
Norbert

Louis LaBrunda

Sep 7, 2022, 3:42:40 PM
to VAST Community Forum
Hi Norbert,

I have used the zip stuff before but without doing any encryption.  When I look around now, I don't see anything about encryption.  I think I will look into the SSL stuff.

Lou

Seth Berman

Sep 8, 2022, 9:10:21 AM
to VAST Community Forum
Hi Lou,

I think there was something called ZipCrypto from the original zip spec...but my understanding is that it's very insecure.  Other zip applications (PKzip, 7-zip, WinZip, Windows Explorer) provided their own encryption, and then there is some history regarding the different zip application providers trying to standardize on it so they could all read each other's stuff.

We certainly have all the cryptographic primitives and zip support to do whatever would be required, but the Zip functionality itself does not attempt to implement any sort of custom or non-standard crypto solution.

- Seth
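
To tell which of the schemes mentioned above a given archive uses, the entry headers can be read without the password. This is an added example, not part of the original post and not VAST code; it is written for Node.js, and the function names and the hand-built sample headers are constructed for illustration.

```javascript
// Added example: report the encryption scheme of each ZIP entry from its local
// file header. Nothing is decrypted, and entry names are read without a password.
const LOCAL_SIG = 0x04034b50;

function classify(flags, method, extra) {
  if ((flags & 0x0001) === 0) return 'none';           // bit 0 clear: not encrypted
  if (flags & 0x0040) return 'pkware-strong';          // bit 6: PKWARE strong encryption
  if (method !== 99) return 'zipcrypto';               // traditional PKWARE cipher
  for (let p = 0; p + 4 <= extra.length; ) {           // method 99: WinZip AES
    const id = extra.readUInt16LE(p), len = extra.readUInt16LE(p + 2);
    if (id === 0x9901 && len >= 7 && p + 4 + len <= extra.length) {
      const bits = { 1: 128, 2: 192, 3: 256 }[extra[p + 8]];
      return bits ? `winzip-aes-${bits}` : 'winzip-aes-unknown';
    }
    p += 4 + len;
  }
  return 'winzip-aes-unknown';
}

// Assumes sizes are stored in the local header (no data descriptor, no ZIP64).
function listZipEncryption(buf) {
  const out = [];
  let off = 0;
  while (off + 30 <= buf.length && buf.readUInt32LE(off) === LOCAL_SIG) {
    const flags = buf.readUInt16LE(off + 6), method = buf.readUInt16LE(off + 8);
    const compSize = buf.readUInt32LE(off + 18);
    const nameLen = buf.readUInt16LE(off + 26), extraLen = buf.readUInt16LE(off + 28);
    const nameEnd = off + 30 + nameLen;
    const extra = buf.subarray(nameEnd, nameEnd + extraLen);
    out.push({ name: buf.toString('utf8', off + 30, nameEnd), scheme: classify(flags, method, extra) });
    off = nameEnd + extraLen + compSize;
  }
  return out;
}

// Constructed sample: three hand-built headers with zero-length data.
function header(name, flags, method, extra = Buffer.alloc(0)) {
  const h = Buffer.alloc(30);
  h.writeUInt32LE(LOCAL_SIG, 0);
  h.writeUInt16LE(flags, 6);
  h.writeUInt16LE(method, 8);
  h.writeUInt16LE(Buffer.byteLength(name), 26);
  h.writeUInt16LE(extra.length, 28);
  return Buffer.concat([h, Buffer.from(name), extra]);
}
const aesExtra = Buffer.from([0x01, 0x99, 7, 0, 2, 0, 0x41, 0x45, 3, 8, 0]);
const sample = Buffer.concat([
  header('plain.txt', 0, 8), header('legacy.txt', 1, 8), header('aes.txt', 1, 99, aesExtra),
]);
console.log(listZipEncryption(sample));
```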

Louis LaBrunda

Sep 8, 2022, 10:08:22 AM
to VAST Community Forum
Hi Seth,

Thanks for the post.  I'm really looking for encryption and not compression, I just hoped the encryption that might be available with the compression stuff would be good enough and that it would be easy to use.  It doesn't look like either is the case.

So, I'm moving on to just encryption.  I would like a method call that I could give a password and a string and get back the encrypted/unencrypted result.  But so far I haven't found it.

Lou

thomas....@natural-software.eu

Sep 8, 2022, 10:27:57 AM
to VAST Community Forum
Hi Lou

It all depends on what you want to do and what kind of security you need.

For passwords - what we do is convert the password using MD5 and store the result in a database (or XML or ....)
When the user types in a password we convert it as well and compare.

If you really need encryption and decryption with high security (two-way) you should be looking at the various openssl options.

--Thomas

thomas....@natural-software.eu

Sep 8, 2022, 10:30:27 AM
to VAST Community Forum
Example for MD5 Password conversion

'My Secret Password' asByteArray abtMD5PrintableDigest.

--Thomas
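
The store-and-compare check described in the two posts above, shown next to a salted scrypt record for the same password. This is an added example in Node.js, not code from the thread or from VAST; the record layout and function names are assumptions made for illustration.

```javascript
const { createHash, scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// The scheme from the post: an unsalted MD5 digest of the password.
function md5Record(password) {
  return createHash('md5').update(password).digest('hex');
}

// Salted record (layout assumed here): salt(16) | scrypt(password, salt)(32), hex-encoded.
function scryptRecord(password) {
  const salt = randomBytes(16);
  return Buffer.concat([salt, scryptSync(password, salt, 32)]).toString('hex');
}

// Re-derive with the stored salt and compare in constant time.
function scryptVerify(password, record) {
  const raw = Buffer.from(record, 'hex');
  if (raw.length !== 48) return false;
  const actual = scryptSync(password, raw.subarray(0, 16), 32);
  return timingSafeEqual(actual, raw.subarray(16));
}

// Constructed sample: two accounts that chose the same password.
const pw = 'My Secret Password';
const md5Equal = md5Record(pw) === md5Record(pw);          // equal passwords, equal records
const scryptEqual = scryptRecord(pw) === scryptRecord(pw); // random salts, distinct records
console.log({ md5Equal, scryptEqual, ok: scryptVerify(pw, scryptRecord(pw)) });
```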

Noschvie

Sep 8, 2022, 10:34:01 AM
to VAST Community Forum
Some time ago Instantiations pointed me to:
Load feature 'ST: Cryptographic Support' and see examples in OpenSSLSymmetricCipherExamples.
OpenSSLSymmetricCipherExamples class>>exampleAEADCipherHighLevelApi


Seth Berman

Sep 8, 2022, 10:38:25 AM
to VAST Community Forum
Hi Lou, Thomas, Norbert

Thanks Thomas (I just saw Norbert's response too:) for chiming in.

"I would like a method call that I could give a password and a string and get back the encrypted/unencrypted result"
- You certainly can do this, but you have to know what algorithm you want.
- I'm assuming we are talking about symmetric encryption.
- If this is the case, you use the factory methods on OSSslCipher to select the algorithm you want.
- The easiest is an unauthenticated mode. `OSSslCipher aes_256_cbc`.
- If you want to add authentication in addition to encryption (which is certainly preferred today), you need an authenticated mode such as `OSSslCipher aes_256_gcm`

I'll add a short symmetric cipher example here, but we have extensive examples in OpenSSLCryptoInterfaceExamplesApp for doing hashing, authentication, various types of encryptions, key agreement, key derivations...

Here is the simple unauthenticated example using just a password and string.
```smalltalk
| algo plainText key iv cipherText plainText2 |

algo := OSSslCipher aes_256_cbc.
plainText := 'Hello Smalltalk' asByteArray.
key := algo randomKey.   "(you can preselect a key also, but generally that is not a favored approach)"
iv := algo randomIV.
cipherText := algo encrypt: plainText key: key iv: iv.
plainText2 := algo decrypt: cipherText key: key iv: iv.
self assert: [plainText = plainText2]
```

For more examples of this type of encryption, including adding authentication, see OpenSSLSymmetricCipherExamples.
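
The "password and a string" call asked for earlier in the thread, using the authenticated mode (AES-256-GCM) with the key derived from the password by scrypt. This is an added example in Node.js, whose crypto module is backed by OpenSSL; it is not VAST code and not from the original post, and the blob layout and function names are assumptions made for illustration.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 32-byte AES-256 key from the password; the salt is stored with the data.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

// Blob layout (assumed for this example): salt(16) | iv(12) | tag(16) | ciphertext
function encryptWithPassword(password, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);               // fresh IV for every encryption
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext Buffer, or null when the password is wrong,
// the blob is truncated, or any byte of it was modified.
function decryptWithPassword(password, blob) {
  if (blob.length < 44) return null;
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  } catch {
    return null;                            // authentication failed
  }
}

// Constructed sample input.
const blob = encryptWithPassword('correct horse', Buffer.from('Hello Smalltalk'));
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 1;         // flip one ciphertext bit
console.log(decryptWithPassword('correct horse', blob).toString());
console.log(decryptWithPassword('correct horse', tampered));
console.log(decryptWithPassword('wrong password', blob));
```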

Louis LaBrunda

Sep 8, 2022, 12:12:38 PM
to VAST Community Forum
Hi Guys,

Thanks for the suggestions.  I was looking at an example similar to what Seth posted when I got interrupted. Once interrupted I came back to the group to check for new posts.  So, I will do something close to Seth's suggestion.

I like to save objects on disk with object dumper.  In this case I want to encrypt the object dump before saving it to disk.  When I want to do something with the data I will read it, unencrypt it and run it through object loader to get it back to an object.  I know this isn't perfect but it makes it difficult for someone to learn much by hacking in and downloading disk files.  The project is to help my local homeowners association keep track of its members.

Lou