weichsel / ZIPFoundation

Effortless ZIP Handling in Swift
MIT License

Encryption support #25

Open NikolaiRuhe opened 6 years ago

NikolaiRuhe commented 6 years ago

Are there any plans to support one of the encryption methods described in the ZIP format specification?

The very common "Traditional PKWARE Encryption" would be a great addition, as it's part of the ZIP specification.

weichsel commented 6 years ago

Hello Nikolai,

In the long term I'd like to support most parts of the ZIP Specification but I am not sure yet if there is a plausible way to support encryption.

Traditional PKWARE Encryption is basically useless today and providing support for it might give users a false sense of security. The more modern encryption methods supported in ZIP have the disadvantage of introducing large 3rd party dependencies like OpenSSL etc. Another problem with encrypted ZIP archives is that several vendors added proprietary (some of them patented) encryption methods to their archiving utilities - so it's almost impossible to support them all. I am not sure yet how to tackle those problems but I am open to suggestions. Do you have a specific use case in mind for password-protected ZIPs?

NikolaiRuhe commented 6 years ago

I agree with your assessment regarding licensing problems and the sheer number of encryption methods, and I have no solution for that.

The reason I mentioned PKWARE encryption is that even though it is not secure it is very common. There are a lot of encrypted ZIPs out there and the vast majority uses the traditional encryption.

Currently I'm developing a medical application for a customer who uses ZIP with PKWARE encryption (in their own file format). I wanted to adapt ZIPFoundation to work with these files but couldn't because of the encryption. I was looking into implementing it myself but I'm too busy currently.

weichsel commented 6 years ago

Thanks for your input. Thought about support for traditional PKWARE encryption yesterday.
One pro-argument for supporting it would be that it could help people to migrate away from that legacy format. It's also simple enough to implement it without any 3rd party libraries. I am leaving this issue open for now - maybe someone needs it and submits a PR.

NikolaiRuhe commented 6 years ago

> It's also simple enough to implement it without any 3rd party libraries.

That's what I thought.

When I find time I'd really like to look into this. For my current project I had to use some minizip-based Swift ZIP framework—and it's horrible. Your framework on the other hand looks really well crafted. Congrats!

weichsel commented 6 years ago

Thanks :)

zkrige commented 6 years ago

We also have a number of clients that have zip files with passwords. We need to be able to process these files.

krzyzanowskim commented 6 years ago

@weichsel would CryptoSwift be handy to handle that part across the platforms?

weichsel commented 6 years ago

@krzyzanowskim Finding a way to decrypt certain ZIP archive types with CryptoSwift would be awesome. Sadly ZIP Encryption is a bit of a jungle. Besides several proprietary mechanisms, there are 3 common encryption schemes in use:

The first one should be relatively easy to implement and I'd directly add de- and encryption code to ZIPFoundation (mostly to support migration away from that format) if someone contributes the code. PKWare SES seems to be patented or at least requires some special license from PKWare - So I am not going to touch this ;) The third one (WinZIP AES) seems to be a good candidate for de/encryption via SwiftCrypto. I haven't read the full specification yet, but ideally there would be a way where ZIPFoundation only parses the encryption header and passes the information into a consumer closure where the actual decryption is taking place.
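
The idea in the comment above, parsing only the encryption metadata and handing the result to a consumer, can be used to audit which entries still rely on the legacy cipher. This is an added example, not ZIPFoundation code and not from anyone in this thread; it is written in Python for brevity, the function names and scheme labels are hypothetical, and the sample central directory is constructed (it carries no file data). The bit and field values are those of the ZIP specification and the WinZip AES extra field.

```python
import struct

AES_EXTRA_ID = 0x9901   # WinZip AES extra field header ID
AES_METHOD = 99         # compression method value carried by WinZip AES entries

def classify(flags, method, extra):
    """Name the encryption scheme of one central-directory entry."""
    if not flags & 0x0001:                      # bit 0: entry is encrypted
        return "none"
    pos = 0
    while pos + 4 <= len(extra):                # extra field: (id, size, data)*
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and method == AES_METHOD:
            return "winzip-aes"
        pos += 4 + size
    if flags & 0x0040:                          # bit 6: PKWARE strong encryption
        return "pkware-strong"
    return "traditional-pkware"                 # legacy cipher: migrate these

def audit(data):
    """Return {entry name: scheme} read from a ZIP's central directory."""
    eocd = data.rfind(b"PK\x05\x06")            # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    report = {}
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        report[name] = classify(flags, method, extra)
        pos += 46 + nlen + xlen + clen
    return report

def _cd_entry(name, flags, method, extra=b""):  # constructed sample record
    n = name.encode()
    return struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                       method, 0, 0, 0, 0, 0, len(n), len(extra),
                       0, 0, 0, 0, 0) + n + extra

def sample_archive():                           # constructed: directory only
    aes = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cd = (_cd_entry("plain.txt", 0x0000, 8) + _cd_entry("legacy.txt", 0x0001, 8)
          + _cd_entry("ses.txt", 0x0041, 8) + _cd_entry("aes.txt", 0x0001, 99, aes))
    return cd + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 4, 4, len(cd), 0, 0)

if __name__ == "__main__":
    print(audit(sample_archive()))
```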

Bryan-Dunphy commented 6 years ago

Info-Zip's ZIP & UNZIP implement encryption support in C. Perhaps someone could port it to Swift? I am not familiar enough with C or Swift to do this myself.