Imagine that you’ve just bought a bag of fresh, tasty walnuts from a local farmer and that you’re looking forward to sitting in the cool shade of a leafy tree, cracking open the walnuts and chowing down their crunchy contents.
To your dismay, you find that you can’t open the shells. A farmhand passing by calls out, “Your nutcracker is incompatible, you idiot.”
This is a future we face if we lose the interoperability of password-protected Zip files. Two of the most widely deployed zip/unzip tools, PKZip and WinZip, have started using different methods of encrypting their output. The upshot? Even with the correct password, your users may no longer be able to open encrypted Zip files they receive from other people—and your help desk will get the calls.
This situation has been simmering for a while, and now it’s coming to a boil.
The latest rumblings impelled me to investigate. We hardly need yet another schism such as DVD-R versus DVD+R to drive us nuts. PKZip, a product of PKWare, added a feature last year that creates Zip files with stronger encryption. But on July 16, the company applied for a patent and suggested it intends to charge other developers license fees to process such Zip files.
WinZip has added its own version of strong encryption, but it can’t read PKZip’s encrypted files. Edwin Siebesma, president of WinZip Computing, says competing developers can’t easily do so because PKWare hasn’t fully documented its use of PKI (public-key infrastructure). “They published the specs for their password encryption but not for the PKI encryption,” Siebesma said in an interview.
The implementations by both PKZip and WinZip rely upon the well-tested and royalty-free AES (Advanced Encryption Standard) algorithm. Both methods, therefore, produce solid encryption. But the fact that PKZip’s AES-encrypted Zip files can’t be read by other unzipping software—and the AES-encrypted files of other unzipping software can’t be read by PKZip—should concern enterprise managers everywhere.
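As an added illustration (not part of the original column, and not code from either vendor): a help desk can tell which scheme an archive uses from its central-directory metadata alone, without the password. The flag bits, method number and extra-field IDs below come from the published ZIP APPNOTE and WinZip's AES notes rather than from this column, and the function names are hypothetical.

```python
import io
import struct
import zipfile

# Values from the published ZIP APPNOTE and WinZip AES notes, not from the column.
FLAG_ENCRYPTED = 0x0001       # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040          # general-purpose bit 6: PKWARE strong encryption
METHOD_WINZIP_AES = 99        # compression method written by WinZip AES
EXTRA_WINZIP_AES = 0x9901     # WinZip AES extra-field header ID
EXTRA_PKWARE_STRONG = 0x0017  # PKWARE strong-encryption extra-field header ID


def extra_ids(extra: bytes) -> set:
    """Return the header IDs found in a ZIP extra field, tolerating truncation."""
    ids, pos = set(), 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        ids.add(header_id)
        pos += 4 + size
    return ids


def classify_entry(flag_bits: int, method: int, extra: bytes) -> str:
    """Name the encryption scheme an entry's metadata advertises."""
    if not flag_bits & FLAG_ENCRYPTED:
        return "none"
    ids = extra_ids(extra)
    if method == METHOD_WINZIP_AES or EXTRA_WINZIP_AES in ids:
        return "winzip-aes"
    if flag_bits & FLAG_STRONG or EXTRA_PKWARE_STRONG in ids:
        return "pkware-strong"
    return "traditional"  # the original password-based ZIP encryption


def classify_archive(data: bytes) -> dict:
    """Map member names to schemes using only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i.flag_bits, i.compress_type, i.extra)
                for i in zf.infolist()}


if __name__ == "__main__":
    # Constructed metadata for illustration, not taken from a real archive.
    aes_extra = struct.pack("<HHH2sBH", EXTRA_WINZIP_AES, 7, 2, b"AE", 3, 8)
    print(classify_entry(0x0001, METHOD_WINZIP_AES, aes_extra))
    print(classify_entry(0x0041, 8, b""))
```

Knowing the scheme up front lets support staff point the user at a tool that can read the file instead of troubleshooting a password that was correct all along.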
It would be easy to gloss over this incompatibility. You might think that, thanks to widespread broadband connections, Zip files aren’t much needed since we can exchange big files as e-mail attachments. But if we allow the Zip standard to splinter today, it encourages vendors to splinter other formats tomorrow.
We need security measures to become more interoperable, not less. With viruses and worms spreading faster than you can say Blaster, enterprises need a reliable way for users to accept files securely. If you receive an e-mail with an encrypted Zip file attached and the file accepts an obscure password that you and a trusted colleague previously agreed to use, you can be sure the attachment isn’t from some worm that used a forged “from” line. This is a procedure that even a marketing vice president can understand.
PKWare executives declined to be interviewed for this column. But the company has made plenty of statements that have long been on the record. Phil Katz, the original developer of PKZip, announced in 1989, “The ZIP file format is given freely into the public domain and can be claimed neither legally nor morally by any individual, entity or company.” Katz passed away in 2000, and others now direct PKWare. But PKZip 6.0—the current version—still states in its user manual the exact same principle: “Because PKWARE has dedicated the .ZIP file format to the public domain, it is possible for other people to write programs which can read .ZIP files.”
Because of this openness, numerous companies now sell unzip utilities. Basic Zip support is even built into Windows XP. To permit compatibility, WinZip has responsibly disclosed its new encryption method for all to see, although PKWare has yet to implement support for it.
PKWare’s approach to PKZip is technologically and commercially stupid. Until all Zip files it produces are readable by all unzip programs, enterprises should simply stop buying PKZip.
Brian Livingston is editor of BriansBuzz.com and co-author of “Windows Me Secrets” and nine other books. His column appears every other week in eWEEK. Send your comments to eWEEK@ziffdavis.com.