Issue 34546: Add encryption support to zipfile (original) (raw)

Created on 2018-08-30 08:40 by 大野隆弘, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (6)
msg324372 - (view)	Author: 大野隆弘 (大野隆弘) *	Date: 2018-08-30 08:40
from https://mail.python.org/pipermail/python-ideas/2018-August/053081.html I would like to use zipfile encryption as python standard library. https://github.com/python/cpython/blob/master/Lib/zipfile.py Below document says "currently" cannot. https://github.com/python/cpython/blob/master/Doc/library/zipfile.rst "but it currently cannot create an encrypted file." Current pythonians like me have to use 3rd party like below, but I believe it is worth to include. https://pypi.org/project/pyminizip/ https://github.com/wllm-rbnt/py-zipcrypt
msg324452 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2018-08-31 22:54
From the official ZIP files specification: This form of encryption is considered weak by today's standards and its use is recommended only for situations with low security needs or for compatibility with older .ZIP applications. I think that the support of encrypting ZIP files using the traditional PKWARE encryption was intentionally omitted in the zipfile module, because we don't want to encourage using such weak encryption method. If you need to add encrypted data in the ZIP file, use third-party tools for encrypting it before adding to the ZIP file or encrypting the whole ZIP file after creating. I'm -1 for adding support of weak encrypting. Of course, adding support for the strong (AES) encryption in ZIP files would be nice. But this task is much more difficult.
msg324454 - (view)	Author: 大野隆弘 (大野隆弘) *	Date: 2018-09-01 00:33
Agree, we should not enhance weak encryption to the world. But unfortunately, MS Windows supports only this type of encryption as far as I researched. https://blogs.msdn.microsoft.com/oldnewthing/20180515-00/?p=98755 That is the my first motivation of Traditional PKWARE encryption(a.k.a ZipCrypto/Standard Zip 2.0 encryption) support. If this big platform supports AES, we don't have any reason to support. But unfortunately not. On the other hand, encryption algorithm compromising happens forever. I believe python developers must have ability to make decision of suitable algorithm because "We are all (consenting) adults here".(I love this phrase) Also implementing other algo (including AES) support must affect to decryption of zipfile module. As we can imagine it should be big task and should be divided. These are the background of my suggestion. In summary, 1. We don't have to support "weak" encryption like DES/RC2 although they are on the document. 2. But Traditional PKWare Encryption is special enough to support because of the circumstances. 3. Other algo support in both decrypt/encrypt should be implemented sooner or later. Any feedback is welcome. FYI : All candidate of Zip encryption --------- (Traditional PKWARE encryption) + 0x6601 - DES 0x6602 - RC2 (version needed to extract < 5.2) 0x6603 - 3DES 168 0x6609 - 3DES 112 0x660E - AES 128 0x660F - AES 192 0x6610 - AES 256 0x6702 - RC2 (version needed to extract >= 5.2) 0x6720 - Blowfish 0x6721 - Twofish 0x6801 - RC4 https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT 7.2.3.2 AlgId --------- FYI 2. Other languages/tools support Perl : "Support Encryption" is in TODO https://metacpan.org/pod/Archive::Zip Go : Both (AES/Traditional) encryption is going to be integrated( discussion was suspended?) https://github.com/golang/go/issues/12081 Ruby : Supports as experimental https://github.com/rubyzip/rubyzip/blob/master/README.md WinZip : Supports but not recommended. http://kb.winzip.com/help/help_encryption.htm
msg324781 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2018-09-07 18:33
What is the reason of using such weak encryption? It looks to me that creating a non-encrypted ZIP file and encrypting it with third-party tools is the right way if you need an encryption.
msg324787 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2018-09-07 19:14
-1 from me, too. Serhiy already made a valid point and suggested a better alternative.
msg324845 - (view)	Author: 大野隆弘 (大野隆弘) *	Date: 2018-09-08 15:55
My original reason of this is supporting Windows Explore decryption. That doesn't support AES but support only this traditional PKWARE encryption. In my work, some recipients who received the zip file cannot install 3rd party tools on their Windows https://blogs.msdn.microsoft.com/oldnewthing/20180515-00/?p=98755 But as Christian explained for me in below thread, I understand we should use 3rd party module for this purpose https://mail.python.org/pipermail/python-dev/2018-September/155091.html Thanks and Regards, ----------- Takahiro Ono 2018年9月8日(土) 6:34 Serhiy Storchaka <report@bugs.python.org>: > > Change by Serhiy Storchaka <storchaka+cpython@gmail.com>: > > > ---------- > resolution: -> rejected > stage: patch review -> resolved > status: open -> closed > > _______________________________________ > Python tracker <report@bugs.python.org> > <https://bugs.python.org/issue34546> > _______________________________________ >