|
| 1 | +This is a fork of the Go archive/zip package to add support |
| 2 | +for reading password protected AES encrypted files. Only supports |
| 3 | +Winzip's AES extension: http://www.winzip.com/aes_info.htm. This |
| 4 | +package DOES NOT intend to implement the encryption methods |
| 5 | +mentioned in the original PKWARE spec (sections 6.0 and 7.0): |
| 6 | +https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT |
| 7 | + |
| 8 | +WinZip AES specifies |
| 9 | +==================================================================== |
| 10 | +1. Encryption-Decryption w/ AES-CTR (128, 192, or 256 bits) |
| 11 | +2. Key generation with PBKDF2-HMAC-SHA1 (1000 iteration count) that |
| 12 | +generates a master key broken into the following: |
| 13 | + a. First m bytes is for the encryption key |
| 14 | + b. Next n bytes is for the authentication key |
| 15 | + c. Last 2 bytes is the password verification value. |
| 16 | +3. Following salt lengths are used w/ password during keygen: |
| 17 | + ------------------------------ |
| 18 | + AES Key Size | Salt Size |
| 19 | + ------------------------------ |
| 20 | + 128bit(16bytes) | 8 bytes |
| 21 | + 192bit(24bytes) | 12 bytes |
| 22 | + 256bit(32bytes) | 16 bytes |
| 23 | + ------------------------------- |
| 24 | +4. Master key len = AESKeyLen + AuthKeyLen + PWVLen: |
| 25 | + a. AES 128 = 16 + 16 + 2 = 34 bytes of key material |
| 26 | + b. AES 192 = 24 + 24 + 2 = 50 bytes of key material |
| 27 | + c. AES 256 = 32 + 32 + 2 = 66 bytes of key material |
| 28 | +5. Authentication Key is same size as AES key. |
| 29 | +6. Authentication with HMAC-SHA1-80 (truncated to 80bits). |
| 30 | +7. A new master key is generated for every file. |
| 31 | +8. The file header and directory header compression method will |
| 32 | +be 99 (decimal). The actual compression method will be in the |
| 33 | +extra's payload at the end of the directory header. |
| 34 | +9. A extra field will be added to the file header and directory |
| 35 | +header identified by 0x9901 and contains the following info: |
| 36 | + a. Header ID (2 bytes) |
| 37 | + b. Data Size (2 bytes) |
| 38 | + c. Vendor Version (2 bytes) |
| 39 | + d. Vendor ID (2 bytes) |
| 40 | + e. AES Strength (1 byte) |
| 41 | + f. Compression Method (2 bytes) |
| 42 | +10. The Data Size is always 7. |
| 43 | +11. The Vendor Version can either be 0x0001 (AE-1) or |
| 44 | +0x0002 (AE-2). |
| 45 | +12. Vendor ID is ASCII "AE" |
| 46 | +13. AES Strength: |
| 47 | + a. 0x01 - AES-128 |
| 48 | + b. 0x02 - AES-192 |
| 49 | + c. 0x03 - AES-256 |
| 50 | +14. Compression Method is the actual compression method |
| 51 | +used that was replaced by the encryption process. |
| 52 | +15. AE-1 keeps the CRC and should be verified after decompression. |
| 53 | +16. AE-2 removes the CRC and shouldn't be verified after decompression. |
| 54 | +Refer to http://www.winzip.com/aes_info.htm#winzip11 for the reasoning. |
0 commit comments