Google Git
Sign in
flutter / third_party / libzip / f207bbdc0686f3e12ab323588b52b8e08d1a3fc2 / . / docs / aes_info.txt
blob: c7995d541a2757c4cb576841c2869a99eb26d5fc [file] [log] [blame]
AES Encryption Information:
Encryption Specification AE-1 and AE-2
Document version: 1.04
Last modified: January 30, 2009
NOTE: WinZip^(R) users do not need to read or understand the information
contained on this page. It is intended for developers of Zip file utilities.
Changes since the original version of this document are summarized in the
Change History section below.
This document describes the file format that WinZip uses to create
AES-encrypted Zip files. The AE-1 encryption specification was introduced in
WinZip 9.0 Beta 1, released in May 2003. The AE-2 encryption specification, a
minor variant of the original AE-1 specification differing only in how the CRC
is handled, was introduced in WinZip 9.0 Beta 3, released in January, 2004.
Note that as of WinZip 11, WinZip itself encrypts most files using the AE-1
format and encrypts others using the AE-2 format.
From time to time we may update the information provided here, for example to
document any changes to the file formats, or to add additional notes or
implementation tips. If you would like to receive e-mail announcements of any
substantive changes we make to this document, you can sign up below for our
Developer Information mailing list.
Without compromising the basic Zip file format, WinZip Computing has extended
the format specification to support AES encryption, and this document fully
describes the format extension. Additionally, we are providing information
about a no-cost third-party source for the actual AES encryption code--the same
code that is used by WinZip. We believe that use of the free encryption code
and of this specification will make it easy for all developers to add
compatible advanced encryption to their Zip file utilities.
This document is not a tutorial on encryption or Zip file structure. While we
have attempted to provide the necessary details of the current WinZip AES
encryption format, developers and other interested third parties will need to
have or obtain an understanding of basic encryption concepts, Zip file format,
etc.
Developers should also review AES Coding Tips page.
WinZip Computing makes no warranties regarding the information provided in this
document. In particular, WinZip Computing does not represent or warrant that
the information provided here is free from errors or is suitable for any
particular use, or that the file formats described here will be supported in
future versions of WinZip. You should test and validate all code and techniques
in accordance with good programming practice.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Contents
I. Encryption services
II. Zip file format
A. Base format reference
B. Compression method and encryption flag
C. CRC value
D. AES extra data field
III. Encrypted file storage format
A. File format
B. Salt value
C. Password verification value
D. Encrypted file data
E. Authentication code
IV. Changes in WinZip 11
V. Notes
A. Non-files and zero-length files
B. "Mixed" Zip files
C. Key generation
VI. FAQs
VII. Change history
VIII. Mailing list signup
I. Encryption services
To perform AES encryption and decryption, WinZip uses AES functions written by
Dr. Brian Gladman. The source code for these functions is available in C/C++
and Pentium family assembler for anyone to use under an open source BSD or GPL
license from the AES project page on Dr. Gladman's web site. The AES Coding
Tips page also has some information on the use of these functions. WinZip
Computing thanks Dr. Gladman for making his AES functions available to anyone
under liberal license terms.
Dr. Gladman's encryption functions are portable to a number of operating
systems and can be static linked into your applications, so there are no
operating system version or library dependencies. In particular, the functions
do not require Microsoft's Cryptography API.
General information on the AES standard and the encryption algorithm (also
known as Rijndael) is readily available on the Internet. A good place to start
is http://www.nist.gov/public_affairs/releases/g00-176.htm.
II. Zip file format
A. Base format reference
AES-encrypted files are stored within the guidelines of the standard Zip
file format using only a new "extra data" field, a new compression method
code, and a value in the CRC field dependant on the encryption version,
AE-1 or AE-2. The basic Zip file format is otherwise unchanged.
WinZip sets the version needed to extract and version made by fields in the
local and central headers to the same values it would use if the file were
not encrypted.
The basic Zip file format specification used by WinZip is available via FTP
from the Info-ZIP group at ftp://ftp.info-zip.org/pub/infozip/doc/
appnote-iz-latest.zip.
B. Compression method and encryption flag
As for any encrypted file, bit 0 of the "general purpose bit flags" field
must be set to 1 in each AES-encrypted file's local header and central
directory entry.
Additionally, the presence of an AES-encrypted file in a Zip file is
indicated by a new compression method code (decimal 99) in the file's local
header and central directory entry, used along with the AES extra data
field described below. There is no change in either the version made by or
version needed to extract codes.
The code for the actual compression method is stored in the AES extra data
field (see below).
C. CRC value
For files encrypted using the AE-2 method, the standard Zip CRC value is
not used, and a 0 must be stored in this field. Corruption of encrypted
data within a Zip file is instead detected via the authentication code
field.
Files encrypted using the AE-1 method do include the standard Zip CRC
value. This, along with the fact that the vendor version stored in the AES
extra data field is 0x0001 for AE-1 and 0x0002 for AE-2, is the only
difference between the AE-1 and AE-2 formats.
NOTE: Zip utilities that support the AE-2 format are required to be able to
read files that were created in the AE-1 format, and during decryption/
extraction of files in AE-1 format should verify that the file's CRC
matches the value stored in the CRC field.
D. AES extra data field
1. A file encrypted with AES encryption will have a special "extra data"
field associated with it. This extra data field is stored in both the
local header and central directory entry for the file.
Note: see the Zip file format document referenced above for general
information on the format and use of extra data fields.
2. The extra data header ID for AES encryption is 0x9901. The fields are
all stored in Intel low-byte/high-byte order. The extra data field
currently has a length of 11: seven data bytes plus two bytes for the
header ID and two bytes for the data size. Therefore, the extra data
overhead for each file in the archive is 22 bytes (11 bytes in the
central header plus 11 bytes in the local header).
3. The format of the data in the AES extra data field is as follows. See
the notes below for additional information.
Offset Size(bytes) Content
0 2 Extra field header ID (0x9901)
2 2 Data size (currently 7, but subject
to possible increase in the future)
4 2 Integer version number specific to
the zip vendor
6 2 2-character vendor ID
8 1 Integer mode value indicating AES
encryption strength
9 2 The actual compression method used to
compress the file
4. Notes
☆ Data size: this value is currently 7, but because it is possible
that this specification will be modified in the future to store
additional data in this extra field, vendors should not assume that
it will always remain 7.
☆ Vendor ID: the vendor ID field should always be set to the two
ASCII characters "AE".
☆ Vendor version: the vendor version for AE-1 is 0x0001. The vendor
version for AE-2 is 0x0002.
Zip utilities that support AE-2 must also be able to process files
that are encrypted in AE-1 format. The handling of the CRC value is
the only difference between the AE-1 and AE-2 formats.
☆ Encryption strength: the mode values (encryption strength) for AE-1
and AE-2 are:
Value Strength
0x01 128-bit encryption key
0x02 192-bit encryption key
0x03 256-bit encryption key
The encryption specification supports only 128-, 192-, and 256-bit
encryption keys. No other key lengths are permitted.
(Note: the current version of WinZip does not support encrypting
files using 192-bit keys. This specification, however, does provide
for the use of 192-bit keys, and WinZip is able to decrypt such
files.)
☆ Compression method: the compression method is the one that would
otherwise have been stored in the local and central headers for the
file. For example, if the file is imploded, this field will contain
the compression code 6. This is needed because a compression method
of 99 is used to indicate the presence of an AES-encrypted file
(see above).
III. Encrypted file storage format
A. File format
Additional overhead data required for decryption is stored with the
encrypted file itself (i.e., not in the headers). The actual format of the
stored file is as follows; additional information about these fields is
below. All fields are byte-aligned.
Size Content
(bytes)
Variable Salt value
2 Password verification value
Variable Encrypted file data
10 Authentication code
Note that the value in the "compressed size" fields of the local file
header and the central directory entry is the total size of all the items
listed above. In other words, it is the total size of the salt value,
password verification value, encrypted data, and authentication code.
B. Salt value
The "salt" or "salt value" is a random or pseudo-random sequence of bytes
that is combined with the encryption password to create encryption and
authentication keys. The salt is generated by the encrypting application
and is stored unencrypted with the file data. The addition of salt values
to passwords provides a number of security benefits and makes dictionary
attacks based on precomputed keys much more difficult.
Good cryptographic practice requires that a different salt value be used
for each of multiple files encrypted with the same password. If two files
are encrypted with the same password and salt, they can leak information
about each other. For example, it is possible to determine whether two
files encrypted with the same password and salt are identical, and an
attacker who somehow already knows the contents of one of two files
encrypted with the same password and salt can determine some or all of the
contents of the other file. Therefore, you should make every effort to use
a unique salt value for each file.
The size of the salt value depends on the length of the encryption key, as
follows:
Key size Salt size
128 bits 8 bytes
192 bits 12 bytes
256 bits 16 bytes
C. Password verification value
This two-byte value is produced as part of the process that derives the
encryption and decryption keys from the password. When encrypting, a
verification value is derived from the encryption password and stored with
the encrypted file. Before decrypting, a verification value can be derived
from the decryption password and compared to the value stored with the
file, serving as a quick check that will detect most, but not all,
incorrect passwords. There is a 1 in 65,536 chance that an incorrect
password will yield a matching verification value; therefore, a matching
verification value cannot be absolutely relied on to indicate a correct
password.
Information on how to obtain the password verification value from Dr.
Gladman's encryption library can be found on the coding tips page.
This value is stored unencrypted.
D. Encrypted file data
Encryption is applied only to the content of files. It is performed after
compression, and not to any other associated data. The file data is
encrypted byte-for-byte using the AES encryption algorithm operating in
"CTR" mode, which means that the lengths of the compressed data and the
compressed, encrypted data are the same.
It is important for implementors to note that, although the data is
encrypted byte-for-byte, it is presented to the encryption and decryption
functions in blocks. The block size used for encryption and decryption must
be the same. To be compatible with the encryption specification, this block
size must be 16 bytes (although the last block may be smaller).
E. Authentication code
Authentication provides a high quality check that the contents of an
encrypted file have not been inadvertently changed or deliberately tampered
with since they were first encrypted. In effect, this is a super-CRC check
on the data in the file after compression and encryption. (Additionally,
authentication is essential when using CTR mode encryption because this
mode is vulnerable to several trivial attacks in its absence.)
The authentication code is derived from the output of the encryption
process. Dr. Gladman's AES code provides this service, and information
about how to obtain it is in the coding tips.
The authentication code is stored unencrypted. It is byte-aligned and
immediately follows the last byte of encrypted data.
For more discussion about authentication, see the authentication code FAQ
below.
IV. Changes in WinZip 11
Beginning with WinZip 11, WinZip makes a change in its use of the AE-1 and AE-2
file formats. The file formats themselves have not changed, and AES-encrypted
files created by WinZip 11 are completely compatible with version 1.02 the
WinZip AES encryption specification, which was published in January 2004.
WinZip 9.0 and WinZip 10.0 stored all AES-encrypted files using the AE-2 file
format, which does not store the encrypted file's CRC. WinZip 11 instead uses
the AE-1 file format, which does store the CRC, for most files. This provides
an extra integrity check against the possibility of hardware or software errors
that occur during the actual process of file compression/encryption or
decryption/decompression. For more information on this point, see the
discussion of the CRC below.
Because for some very small files the CRC can be used to determine the exact
contents of a file, regardless of the encryption method used, WinZip 11
continues to use the AE-2 file format, with no CRC stored, for files with an
uncompressed size of less than 20 bytes. WinZip 11 also uses the AE-2 file
format for files compressed in BZIP2 format, because the BZIP2 format contains
its own integrity checks equivalent to those provided by the Zip format's CRC.
Other vendors who support WinZip's AES encryption specification may want to
consider making a similar change to their own implementations of the
specification, to get the benefit of the extra integrity check that it
provides.
Note that the January 2004 version of the WinZip AE-2 specification, version
1.0.2, already required that all utilities that implemented the AE-2 format
also be able to process files in AE-1 format, and should check on decryption/
extraction of those files that the CRC was correct.
V. Notes
A. Non-files and zero-length files
To reduce Zip file size, it is recommended that non-file entries such as
folder/directory entries not be encrypted. This, however, is only a
recommendation; it is permissible to encrypt or not encrypt these entries,
as you prefer.
On the other hand, it is recommended that you do encrypt zero-length files.
The presence of both encrypted and unencrypted files in a Zip file may
trigger user warnings in some Zip file utilities, so the user experience
may be improved if all files (including zero-length files) are encrypted.
If zero-length files are encrypted, the encrypted data portion of the file
storage (see above) will be empty, but the remainder of the encryption
overhead data must be present, both in the file storage area and in the
local and central headers.
B. "Mixed" Zip files
There is no requirement that all files in a Zip file be encrypted or that
all files that are encrypted use the same encryption method or the same
password.
A Zip file can contain any combination of unencrypted files and files
encrypted with any of the four currently defined encryption methods (Zip
2.0, AES-128, AES-192, AES-256). Encrypted files may use the same password
or different passwords.
C. Key Generation
Key derivation, as used by AE-1 and AE-2 and as implemented in Dr.
Gladman's library, is done according to the PBKDF2 algorithm, which is
described in the RFC2898 guidelines. An iteration count of 1000 is used. An
appropriate number of bits from the resulting hash value are used to
compose three output values: an encryption key, an authentication key, and
a password verification value. The first n bits become the encryption key,
the next m bits become the authentication key, and the last 16 bits (two
bytes) become the password verification value.
As part of the process outlined in RFC 2898 a pseudo-random function must
be called; AE-2 uses the HMAC-SHA1 function, since it is a well-respected
algorithm that has been in wide use for this purpose for several years.
Note that, when used in connection with 192- or 256-bit AES encryption, the
fact that HMAC-SHA1 produces a 160-bit result means that, regardless of the
password that you specify, the search space for the encryption key is
unlikely to reach the theoretical 192- or 256-bit maximum, and cannot be
guaranteed to exceed 160 bits. This is discussed in section B.1.1 of the
RFC2898 specification.
VI. FAQs
• Why is the compression method field used to indicate AES encryption?
As opposed to using new version made by and version needed to extract
values to signal AES encryption for a file, the new compression method is
more likely to be handled gracefully by older versions of existing Zip file
utilities. Zip file utilities typically do not attempt to extract files
compressed with unknown methods, presumably notifying the user with an
appropriate message.
• How can I guarantee that the salt value is unique?
In principle, the value of the salt should be different whenever the same
password is used more than once, for the reasons described above, but this
is difficult to guarantee.
In practice, the number of bytes in the salt (as specified by AE-1 and
AE-2) is such that using a pseudo-random value will ensure that the
probability of duplicated salt values is very low and can be safely
ignored.
There is one exception to this: With the 8-byte salt values used with
WinZip's 128-bit encryption it is likely that, if approximately 4 billion
files are encrypted with the same password, two of the files will have the
same salt, so it is advisable to stay well below this limit. Because of
this, when using the same password to encrypt very large numbers of files
in WinZip's AES encryption format (that is, files totalling in the
millions, for example 2000 Zip files, each containing 1000 encrypted
files), we recommend the use of 192-bit or 256-bit AES keys, with their 12-
and 16-byte salt values, rather than 128-bit AES keys, with their 8-byte
salt values.
Although salt values do not need to be truly random, it is important that
they be generated in a way that the probability of duplicated salt values
is not significantly higher than that which would be expected if truly
random values were being used.
One technique for generating salt values is presented in the coding tips
page.
• Why is there an authentication code?
The purpose of the authentication code is to insure that, once a file's
data has been compressed and encrypted, any accidental corruption of the
encrypted data, and any deliberate attempts to modify the encrypted data by
an attacker who does not know the password, can be detected.
The current consensus in the cryptographic community is that associating a
message authentication code (or MAC) with encrypted data has strong
security value because it makes a number of attacks more difficult to
engineer. For AES CTR mode encryption in particular, a MAC is especially
important because a number of trivial attacks are possible in its absence.
The MAC used with WinZip's AES encryption is based on HMAC-SHA1-80, a
mature and widely respected authentication algorithm.
The MAC is calculated after the file data has been compressed and
encrypted. This order of calculation is referred to as Encrypt-then-MAC,
and is preferred by many cryptographers to the alternative order of
MAC-then-Encrypt because Encrypt-then-MAC is immune to some known attacks
on MAC-then-Encrypt.
• What is the role of the CRC in WinZip 11?
Within the Zip format, the primary use of the CRC value is to detect
accidental corruption of data that has been stored in the Zip file. With
files encrypted according to the Zip 2.0 encryption specification, it also
functions to some extent as a method of detecting deliberate attempts to
modify the encrypted data, but not one that can be considered
cryptographically strong. The CRC is not needed for these purposes with the
WinZip AES encryption specification, where the HMAC-SHA1-based
authentication code instead serves these roles.
The CRC has a drawback in that for very small files, such as files with
four or fewer bytes, the CRC can be used, independent of the encryption
algorithm, to determine the unencrypted contents of the file. And, in
general, it is preferable to store as little information as possible about
the encrypted file in the unencrypted Zip headers.
The CRC does serve one purpose that the authentication code does not. The
CRC is computed based on the original uncompressed, unencrypted contents of
the file, and it is checked after the file has been decrypted and
decompressed. In contrast, the authentication code used with WinZip AES
encryption is computed after compression/encryption and it is checked
before decryption/decompression. In the very rare event of a hardware or
software error that corrupts data during compression and encryption, or
during decryption and decompression, the CRC will catch the error, but the
authentication code will not.
WinZip 9.0 and WinZip 10.0 used AE-2 for all files that they created, and
did not store the CRC. As of WinZip 11, WinZip instead uses AE-1 for most
files, storing the CRC as an additional integrity check against hardware or
software errors occurring during the actual compression/encryption or
decryption/decompression processes. WinZip 11 will continue to use AE-2,
with no CRC, for very small files of less than 20 bytes. It will also use
AE-2 for files compressed in BZIP2 format, because this format has internal
integrity checks equivalent to a CRC check built in.
Note that the AES-encrypted files created by WinZip 11 are fully compatible
with January 2004's version 1.0.2 of the WinZip AES encryption
specification, in which both the AE-1 and AE-2 variants of the file format
were already defined.
VII. Change history
Changes made in document version 1.04, January, 2009: Minor clarification
regarding the algorithm used to generate the authentication code.
Changes made in document version 1.03, November, 2006: Minor editorial and
clarifying changes have been made throughout the document. The following
substantive technical changes have been made:
A. WinZip 11 Usage of AE-1 and AE-2
WinZip's AES encryption specification defines two formats, known as AE-1
and AE-2, which differ in whether the CRC of the encrypted file is stored
in the Zip headers. While the file formats themselves remain unchanged,
WinZip's usage of them is changing. Beginning with WinZip 11, WinZip uses
the AE-1 format, which includes the CRC of the encrypted file, for many
encrypted files, in order to provide an additional integrity check against
hardware or software errors occurring during the compression/encryption or
decryption/decompression processes. Note that AES-encrypted files created
by WinZip 11 are completely compatible with the previous version of the
WinZip encryption specification, January 2004's version 1.0.2.
B. The discussion of salt values mentions a limitation that applies to the
uniqueness of salt values when very large numbers of files are encrypted
with 128-bit encryption.
C. Older versions of this specification suggested that other vendors might
want to use their own vendor IDs to create their own unique encryption
formats. We no longer suggest that vendor-specific alternative encryption
methods be created in this way.
Changes made in document version 1.02, January, 2004: The introductory text at
the start of the document has been rewritten, and minor editorial and
clarifying changes have been made throughout the document. Two substantive
technical changes have been made:
A. AE-2 Specification
Standard Zip files store the CRC of each file's unencrypted data. This
value is used to help detect damage or other alterations to Zip files.
However, storing the CRC value has a drawback in that, for a very small
file, such as a file of four or fewer bytes, the CRC value can be used,
independent of the encryption algorithm, to help determine the unencrypted
contents of the file.
Because of this, files encrypted with the new AE-2 method store a 0 in the
CRC field of the Zip header, and use the authentication code instead of the
CRC value to verify that encrypted data within the Zip file has not been
corrupted.
The only differences between the AE-1 and AE-2 methods are the storage in
AE-2 of 0 instead of the CRC in the Zip file header,and the use in the AES
extra data field of 0x0002 for AE-2 instead of 0x0001 for AE-1 as the
vendor version.
Zip utilities that support the AE-2 format are required to be able to read
files that were created in the AE-1 format, and during decryption/
extraction of files in AE-1 format should verify that the file's CRC
matches the value stored in the CRC field.
B. Key Generation and HMAC-SHA1
The description of the key generation mechanism has been updated to point
out a limitation arising from its use of HMAC-SHA1 as the pseudo-random
function: When used in connection with 192- or 256-bit AES encryption, the
fact that HMAC-SHA1 produces a 160-bit result means that, regardless of the
password that you specify, the search space for the encryption key is
unlikely to reach the theoretical 192- or 256-bit maximum, and cannot be
guaranteed to exceed 160 bits. This is discussed in section B.1.1 of the
RFC2898 specification.
VII. Developer Information Mailing List Signup
We plan to use this mailing list to notify subscribers of any substantive
changes made to the Developer Information pages on the WinZip web site.
If you enter your e-mail address above, you will receive a message
asking you to confirm your wish to be added to the mailing list. If you
don't reply to the confirmation message, you will not be added to the
list.
By subscribing to this complimentary mailing list service, you
acknowledge and agree that WinZip Computing makes no representations
regarding the completeness or accuracy of the information provided
through the service, and that this service may be discontinued, in whole
or in part, with respect to any or all subscribers at any time.
* E-mail Address:
[ ] [Submit to Support] [Clear Form]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Document version: 1.04
Last modified: January 30, 2009
Copyright(C) 2003-2015 WinZip International LLC.
All Rights Reserved