_____________________________________________________________________________

  This is Info-ZIP's README.CR for zcrypt29.zip, last updated 27 March 2008.
_____________________________________________________________________________


The files described below contain the encryption/decryption code for Zip 2.31,
UnZip 5.52, and WiZ 5.02 (and later). These files are included in the main
source distributions for all of these now, but the encryption patch is still
available for earlier versions of these. This file both describes the history
of the encryption package and notes the current conditions for use. Check
the comments at the top of crypt.c and crypt.h for additional information.

As of version 2.9, this encryption source code is copyrighted by Info-ZIP;
see the enclosed LICENSE file for details. Older versions remain in the
public domain. Zcrypt was originally written in Europe and, as of April 2000,
can be freely distributed from the US as well as other countries.

(The ability to export from the US is new and is due to a change in the Bureau
of Export Administration's regulations, as published in Volume 65, Number
10, of the Federal Register [14 January 2000]. Info-ZIP filed the required
notification via e-mail on 9 April 2000; see the USexport.msg file in this
archive. However, as of June 2002, it can now be freely distributed in both
source and object forms from any country, including the USA under License
Exception TSU of the U.S. Export Administration Regulations (section 740.13(e))
of 6 June 2002.)

    LIKE ANYTHING ELSE THAT IS FREE, ZIP, UNZIP AND THEIR ASSOCIATED
    UTILITIES ARE PROVIDED AS IS AND COME WITH NO WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED. IN NO EVENT WILL THE AUTHORS BE LIABLE
    FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE.

The encryption code is a direct transcription of the algorithm from
Roger Schlafly, described by Phil Katz in the file appnote.txt.
This file is distributed with the PKZIP program (even in the version without
encryption capabilities). Note that the encryption will probably resist
attacks by amateurs if the password is well chosen and long enough (at
least 8 characters) but it will probably not resist attacks by experts.
(Paul Kocher has made available information concerning a known-plaintext
attack for the PKWARE encryption scheme; see http://www.cryptography.com/
for details.) Short passwords consisting of lowercase letters only can be
recovered in a few hours on any workstation. But for casual cryptography
designed to keep your mother from reading your mail, it's OK.

For more serious encryption, check into PGP (Pretty Good Privacy), a
public-key-based encryption system available from various Internet sites.
PGP has Zip and UnZip built into it. The most recent version at the time
this was originally written was 6.5, although older versions were still
widespread. At the time of this writing there are now GPG, PGP Universal
2.0, and various others based on OpenPGP.

We are looking at adding AES strong encryption to future versions of Zip and
UnZip.

Zip 2.3x and UnZip 5.5x and later are compatible with PKZIP 2.04g. (Thanks
to Phil Katz for accepting our suggested minor changes to the zipfile format.)

IMPORTANT NOTE:

  Zip archives produced by Zip 2.0 or later must not be *updated* by
  Zip 1.1 or PKZIP 1.10 or PKZIP 1.93a, if they contain encrypted members
  or if they have been produced in a pipe or on a non-seekable device.
  The old versions of Zip or PKZIP would destroy the zip structure. The
  old versions can list the contents of the zipfile but cannot extract
  it anyway (because of the new compression algorithm). If you do not
  use encryption and compress regular disk files, you need not worry about
  this problem.
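
For reference, the cipher that appnote.txt specifies and that the paragraph
above rates as weak, written out as an added example (this is not Info-ZIP's
crypt.c; every zc_* name is hypothetical, and the 12-byte per-file encryption
header is left out). It shows that the whole state is three 32-bit keys seeded
from the password, and that each keystream byte is derived from only 16 bits
of the third key.

```c
/* Added illustration of the cipher appnote.txt specifies; not Info-ZIP's crypt.c.
 * All zc_* names are hypothetical. The 12-byte per-file header is omitted. */
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t k0, k1, k2; } zc_keys;   /* whole cipher state: 96 bits */

/* One CRC-32 step (reflected polynomial 0xEDB88320), bitwise rather than table-driven. */
static uint32_t zc_crc32(uint32_t crc, uint8_t b) {
    crc ^= b;
    for (int i = 0; i < 8; i++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

static void zc_update(zc_keys *k, uint8_t plain) {  /* advance state by one plaintext byte */
    k->k0 = zc_crc32(k->k0, plain);
    k->k1 = (k->k1 + (k->k0 & 0xffu)) * 134775813u + 1u;
    k->k2 = zc_crc32(k->k2, (uint8_t)(k->k1 >> 24));
}

/* Keystream byte: depends only on the low 16 bits of k2. */
static uint8_t zc_stream_byte(const zc_keys *k) {
    uint32_t t = (k->k2 & 0xffffu) | 2u;
    return (uint8_t)((t * (t ^ 1u)) >> 8);
}

/* The password only seeds the three keys, starting from fixed constants. */
void zc_init(zc_keys *k, const char *password) {
    k->k0 = 0x12345678u; k->k1 = 0x23456789u; k->k2 = 0x34567890u;
    for (; *password; password++) zc_update(k, (uint8_t)*password);
}

/* XOR buf in place; in both directions the state advances on the plaintext byte. */
void zc_crypt(zc_keys *k, uint8_t *buf, size_t len, int decrypt) {
    for (size_t i = 0; i < len; i++) {
        uint8_t in = buf[i], out = (uint8_t)(in ^ zc_stream_byte(k));
        zc_update(k, decrypt ? out : in); buf[i] = out;
    }
}

/* 1 if encrypting then decrypting msg under pw restores it and the ciphertext differs. */
int zc_roundtrip_ok(const char *pw, const char *msg) {
    uint8_t buf[128]; zc_keys k; size_t n = strlen(msg);
    if (n > sizeof buf) return 0;
    memcpy(buf, msg, n);
    zc_init(&k, pw); zc_crypt(&k, buf, n, 0);
    if (memcmp(buf, msg, n) == 0) return 0;         /* ciphertext must differ */
    zc_init(&k, pw); zc_crypt(&k, buf, n, 1);
    return memcmp(buf, msg, n) == 0;
}
int main(void) { return !zc_roundtrip_ok("constructed-pw", "constructed sample text"); }
```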


Contents that were distributed and now are part of the main source files:

  file           what it is
  ----           ----------
  README.CR      this file
  LICENSE        Info-ZIP license (terms of reuse and redistribution)
  USexport.msg   export notice sent to US Bureau of Export Administration
  WHERE          where Zip/UnZip/WiZ and related utilities can be found
  crypt.c        code for encryption and decryption
  crypt.h        code for encryption and decryption
  file_id.diz    description file for some BBSes

Almost all of the files are in Unix (LF only) format. On MSDOS systems, you
can use the -a option of UnZip to convert the source files to CRLF
format. This is only necessary if you wish to edit the files -- they
will compile as is with Microsoft C and Turbo/Borland C++ 1.0 or
later. However, you will have to convert the files (using "unzip -a")
to the CRLF format to compile with the older Turbo C 1.0 or 2.0. You
should be able to find Zip and UnZip in the same place you found this
(see ftp://ftp.info-zip.org/pub/infozip/Info-ZIP.html or the file
"WHERE" for details).

Current releases all have encryption built in. To update previous versions
using the zcrypt sources:

  (1) Get the main sources (e.g., Zip 2.3) and unpack into a working
      directory, as usual.

  (2) Overwrite the dummy crypt.c and crypt.h from the main sources with
      the versions from this package. If you want to overwrite directly
      out of the zcrypt29 archive, do not use UnZip's freshen/updating
      option; the dummy files may be newer than the real sources in
      zcrypt29. ("unzip -o zcrypt29 -d /your/working/dir" will do the
      Right Thing in most cases, although it may overwrite a newer WHERE
      file under some circumstances.)

  (3) Read the main INSTALL document and compile normally! No makefile
      changes are necessary on account of the zcrypt sources.
      You can check that the version you just compiled has encryption or
      decryption support enabled by typing "zip -v" or "unzip -v" and
      verifying that the last "special compilation option" says encryption
      or decryption is included.

Encryption enables new "-e" and "-P password" options in Zip, and a new
"-P password" option in UnZip--see the normal Zip and UnZip documentation
for details. (Note that passing a plaintext password on the command line
is potentially much less secure than being prompted for it interactively,
which is the default for UnZip and for Zip with "-e". Also note that the
interactive method allows UnZip to deal with archives that use different
passwords for different files.)