format zip
clach04 edited this page Nov 18, 2024 · 1 revision
There are three (well-known, standard) zip formats that support encryption:
- Old ZipCrypto - not secure, not recommended - https://blog.devolutions.net/2020/08/why-you-should-never-use-zipcrypto/
- AE-1 - AES-256 (or smaller key size) includes CRC of the plain text - not recommended
- AE-2 - AES-256 (or smaller key size) identical to AE-1 but with no CRC of the plain text (set to 0)
There are other variants; for example, extensions that also encrypt the metadata are common.
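The three formats can be told apart from each entry's header fields. The sketch below is an added example, not code from Puren Tonbo, pyzipper or mzipaes; the field layout (general-purpose flag bits 0 and 6, compression method 99, extra field 0x9901) follows the WinZip AES and APPNOTE specifications linked on this page, and the entries built in `demo()` are constructed samples.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901   # WinZip AES extra-field header ID
AES_METHOD = 99         # compression-method value that marks an AES entry
KEY_BITS = {1: 128, 2: 192, 3: 256}

def parse_aes_extra(extra):
    """Return (ae_version, key_bits, real_method), or None if no AES field."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID:
            if len(body) < 7:
                raise ValueError("truncated AES extra field")
            version, vendor, strength, method = struct.unpack_from("<H2sBH", body)
            if vendor != b"AE" or version not in (1, 2) or strength not in KEY_BITS:
                raise ValueError("malformed AES extra field")
            return version, KEY_BITS[strength], method
        pos += 4 + size
    return None

def classify(info):
    """Name the encryption scheme of one zipfile.ZipInfo entry."""
    if not info.flag_bits & 0x01:          # bit 0: entry is encrypted
        return "unencrypted"
    if info.flag_bits & 0x40:              # bit 6: PKWARE strong encryption
        return "other (PKWARE strong encryption)"
    if info.compress_type != AES_METHOD:
        return "ZipCrypto"
    aes = parse_aes_extra(info.extra)
    if aes is None:
        raise ValueError("method 99 without an AES extra field")
    return "AE-%d AES-%d" % aes[:2]

def audit(source):
    """Map member names to schemes; only the central directory is read."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def demo():
    """Classify constructed entries (hand-built ZipInfo objects, no real archive)."""
    def entry(flags, method, extra=b""):
        info = zipfile.ZipInfo("note.txt")
        info.flag_bits, info.compress_type, info.extra = flags, method, extra
        return classify(info)
    def aes(version, strength):            # real compression method 8 = deflate
        return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, version, b"AE", strength, 8)
    return [entry(0, 8), entry(1, 8), entry(1, 99, aes(1, 3)), entry(1, 99, aes(2, 1))]
```

`audit()` accepts a path or file object and needs no password, because the scheme is recorded in unencrypted header fields.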
Puren Tonbo's support for zip files comes from:
- pyzipper - https://github.com/danifus/pyzipper - Python 3 only; installed automatically via pip when Puren Tonbo is installed
- mzipaes.py - originally created by maxpat78 as part of https://github.com/maxpat78/CryptoPad/, who kindly relicensed it for use with Puren Tonbo under an LGPL license (https://github.com/maxpat78/CryptoPad/issues/2)
AE-1 and AE-2 use AES-256 in CTR mode, with PBKDF2 used for key derivation (note: as of 2023 the iteration count is considered VERY low). HMAC-SHA1 is used (AE-2 only?) for authentication.
- https://docs.mojolicious.org/zipdetails (zipdetails tool)
- http://www.info-zip.org/ https://infozip.sourceforge.net/ (zipinfo tool)
- https://www.winzip.com/win/es/aes_info.html
- https://www.winzip.com/en/support/aes-encryption/
- https://www.winzip.com/en/
- WinRAR - implements the creation of AE-1 format zip files
- 7z / 7-Zip - implements creation of AE-2 format zip files
- https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-5.2.0.txt
- https://en.m.wikipedia.org/wiki/ZIP_(file_format)
- https://crypto.stackexchange.com/questions/109268/winzip-ae-2-for-small-files-and-ae-1-for-larger-how-small-how-large-for-each - strongly recommends against AE-2, and says do NOT use AE-1. It is possible for zip files to be tampered with when they contain multiple files.