.Zip File Format Splinters
mmonnin
Centreville, VA
http://www.pcworld.com/news/article/0,aid,111772,00.asp
"If you're using the latest version of either the PKZip or the WinZip file compression utility to create .zip files, beware: The files you make may not be accessible to other .zip software. The incompatibility is creating confusion over a format that has known remarkable stability for years.
The problem stems from the two popular programs' implementations of a long-overdue new feature, AES encryption (the password protection built in to the previous versions of the .zip format is easily hacked). PKZip publisher PKWare--the company founded by the late .zip inventor Phil Katz and the traditional keeper of the .zip format--added AES to PKZip in January; the beta of WinZip 9, with incompatible AES encryption, debuted in May."
Comments
Then you can less expensively first uncompress and then unencrypt the material being sent at the receiving end.
I RAR or SIT (StuffIT) stuff to Mac users, and have been known to double compress stuff with different compressors/archivers for minimal security and tell those receiving it what to use and exactly how to uncompress it.
You do not need a known all-in-one common method; part of making it hard for folks to extract info is variety and something that folks will not guess easily. Standards work against encryption security; the idea is to get folks who need the material to get it, and folks who do not to have so hard a time that they give up.
So, I will not be buying AES+compression software. Too likely to use a common key or, if not, to forget the key used unless you use a common one (and common things get out in public too easily, so combos that vary will do a fair job).
One reason for zip going this way was for software publishers to be able to frustrate pirates; the folks that use free zips do not AES. I would expect to start seeing it in Shareware eventually, with an unextractor that wants a key before extracting as well as a reg number beyond a time limit of use.
The biggest PKWare customers are software pubs and online software distributors. Zip is effective but not secure. But the most secure is a non-standard and variable SET of methods using packages within packages plus encryption that have to be opened like an Easter egg with a set of processes done just right or you get junk. Sophisticated admins with very sensitive data do just that.