Publication number: US20080046761 A1
Publication type: Application
Application number: US 11/774,317
Publication date: Feb. 21, 2008
Filing date: Jul. 6, 2007
Priority date: Jul. 16, 2003
Also published as: CA2473481A1, EP1515445A1, US7793099, US7895434, US8090942, US8225108, US9098721, US20050015608, US20050081031, US20050081034, US20050086196, US20050086474, US20050086475, US20050086476, US20050091489, US20050091517, US20050091519, US20050094817, US20050097113, US20050097344, US20050120234, US20090144562, US20090240952, US20100119070, US20120284536, US20160026816
Inventors: James Peterson
Original assignee: Pkware, Inc.
Method and system for strongly encrypting .zip files
US 20080046761 A1
Abstract
The present invention provides a method of integrating existing strong encryption methods into the processing of a .ZIP file to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing a highly secure and flexible digital container for electronically storing and transferring confidential data.
Claims (37)
1-24. (canceled)
25. A method of placing data in a .Zip file format data container, said method including:
receiving a data file at an application;
compressing said data file using said application before encrypting said data file;
encrypting said data file to form encrypted data using said application, wherein said encrypting includes encrypting said data file using symmetric encryption having a key length of at least 128 bits; and
placing said encrypted data in a data container using said application, wherein said data container is constructed in accordance with a .Zip file format, wherein said data container includes an indication of the encryption method employed in encrypting said data file.
26. The method of claim 25 wherein said compressing employs a Lempel-Ziv (LZ)-type data compression algorithm.
27. The method of claim 25 wherein said compressing employs a Deflate-type data compression algorithm.
28. The method of claim 25 wherein said compressing employs a Burrows-Wheeler Transform (BWT)-type data compression algorithm.
29. The method of claim 25 wherein said data file has not been previously compressed.
30. The method of claim 25 wherein said key length is at least 192 bits.
31. The method of claim 25 wherein said key length is at least 256 bits.
32. The method of claim 25 further including:
generating symmetric key data during said encrypting of said data file.
33. The method of claim 32 further including:
placing said symmetric key data in said data container.
34. A .Zip file format data container stored on a computer-readable medium, said data container including:
an encrypted data file,
wherein said encrypted data file has been encrypted by an application using symmetric encryption having a key length of at least 128 bits,
wherein said encrypted data file has been compressed by said application before encryption,
wherein said data container is constructed by said application in accordance with a .Zip file format,
wherein said data container includes an indication of the encryption method employed in encrypting said data file.
35. The .Zip file format data container of claim 34 wherein said encrypted data has been compressed before encryption using a Lempel-Ziv (LZ)-type data compression algorithm.
36. The .Zip file format data container of claim 34 wherein said encrypted data has been compressed before encryption using a Deflate-type data compression algorithm.
37. The .Zip file format data container of claim 34 wherein said encrypted data has been compressed before encryption using a Burrows-Wheeler Transform (BWT)-type data compression algorithm.
38. The Zip file format data container of claim 34 wherein said encrypted data has not been compressed before encryption.
39. The .Zip file format data container of claim 34 wherein said key length is at least 192 bits.
40. The .Zip file format data container of claim 34 wherein said key length is at least 256 bits.
41. The Zip file format data container of claim 34 further including:
symmetric key data,
wherein said symmetric key data is generated during said encrypting of said encrypted data.
42. A method of placing data in a data container, said method including:
receiving a data file at an application;
compressing said data file using said application before encrypting said data file;
encrypting said data file to form encrypted data using said application, wherein said encrypting includes encrypting said data file using symmetric encryption having a key length of at least 128 bits; and
placing said encrypted data in a data container using said application, wherein said data container is designed for containing compressed files,
wherein said data container includes an indication of the encryption method employed in encrypting said data file.
43. The method of claim 42 wherein said compressing employs a Lempel-Ziv (LZ)-type data compression algorithm.
44. The method of claim 42 wherein said compressing employs a Deflate-type data compression algorithm.
45. The method of claim 42 wherein said compressing employs a Burrows-Wheeler Transform (BWT)-type data compression algorithm.
46. The method of claim 42 wherein said data file has not been previously compressed.
47. The method of claim 424 wherein said key length is at least 192 bits.
48. The method of claim 42 wherein said key length is at least 256 bits.
49. The method of claim 42 further including:
generating symmetric key data during said encrypting of said data file.
50. The method of claim 49 further including:
placing said symmetric key data in said data container.
51. The method of claim 42 wherein said data container is constructed in accordance with a .Zip file format.
52. A data container stored on a computer-readable medium, said data container including:
an encrypted data file,
wherein said encrypted data file has been encrypted by an application using symmetric encryption having a key length of at least 128 bits,
wherein said encrypted data has been compressed by said application before encryption,
wherein said data container is designed by said application for containing compressed files,
wherein said data container includes an indication of the encryption method employed in encrypting said data file.
53. The data container of claim 52 wherein said encrypted data has been compressed before encryption using a Lempel-Ziv (LZ)-type data compression algorithm.
54. The data container of claim 52 wherein said encrypted data has been compressed before encryption using a Deflate-type data compression algorithm.
55. The data container of claim 52 wherein said encrypted data has been compressed before encryption using a Burrows-Wheeler Transform (BWT)-type data compression algorithm.
56. The data container of claim 52 wherein said encrypted data has not been compressed before encryption.
57. The data container of claim 52 wherein said key length is at least 192 bits.
58. The data container of claim 52 wherein said key length is at least 256 bits.
59. The data container of claim 52 further including:
symmetric key data,
wherein said symmetric key data is generated during said encrypting of said encrypted data.
60. The data container of claim 52 wherein said data container is constructed in accordance with a .Zip file format.
Description
    CROSS REFERENCE TO RELATED APPLICATIONS
  • [0001]
    This application is a continuation of Ser. No. 10/620,960, filed Jul. 16, 2003 entitled “METHOD FOR STRONGLY ENCRYPTING ZIP FILES”.
  • BACKGROUND OF THE INVENTION
  • [0002]
    The present invention relates generally to a method of using standard .ZIP files and strong encryption technology to securely store files, and more particularly to a method of integrating existing strong encryption methods into the processing of .ZIP files to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established and widely used .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing an efficient, highly secure and flexible digital container for electronically storing and transferring confidential data.
  • [0003]
    Compression of computer files has been available for many years. Compressing files can save large amounts of disk space, and can reduce transfer time when downloading files from the Internet or transferring files through email. Almost any file one downloads from the Internet is compressed in some way. A standard compressed file or folder as it is sometimes called contains one or more files that were compressed into a single file or folder. Many different compression formats have been developed over the years. The .ZIP format, created by the assignee of the present invention, is perhaps the most common compressed file format for the personal computer. Any file with a “.zip” extension most likely contains one or more files of data archived, that is, each either compressed or stored, in the .ZIP format. “Zipping” a file has become a commonly used term meaning to compress the file into the .ZIP format archive so that it occupies less disk space, and similarly, “unzipping” a file means decompressing a compressed file in the .ZIP format.
  • [0004]
    A .ZIP file is generally recognized as a data compression and archiving format invented by PKWARE, Inc. The .ZIP format is a file format designed for combining data compression technology with file archiving techniques. Many commercially available software products are available for compressing or “zipping” files or other data into the .ZIP format. These .ZIP files can then be used to reconstruct the original data through the “unzipping” process. Data compression converts the contents of a file into an encoded format requiring less computer storage space or in the case of transmission less network bandwidth than the original uncompressed file.
  • [0005]
    Archiving, in the context of a .ZIP file, is a method of storing information about the characteristics of a file in a catalogue of files, known as the Central Directory, inside the .ZIP file, allowing each file to be retrieved individually by its characteristics. This capability is widely used. These characteristics include, but are not limited to, file name, file size, and file creation date and time.
  • [0006]
    Software programs such as PKZIP® written by PKWARE, Inc. are used to process files in the .ZIP format. Such programs allow one or more files of any type to be compressed and archived into a file of the .ZIP format type for efficient file storage and transmission over computer and communication networks. This format and the software programs that process .ZIP files have become ubiquitous.
  • [0007]
    Data encryption is used by many software programs to provide data privacy. Data encryption is a method of encoding data so that it cannot be reproduced in its original form unless an associated key is provided. Decryption uses this key to convert the encrypted data back into its original state. The key is known only to the person encrypting the data or by those other people with whom the person encrypting the data chooses to share the key. The key is used to “unlock” the data so that it can again be used in its original form.
  • [0008]
    Keys are uniquely generated using data known to the person encrypting a file or other data associated with recipients and users of the file. This data can be a user-defined password or other random data. Several methods are commonly used for processing the keys used for data encryption. Encryption using a key generated from a password is an example of symmetric encryption. Encryption using a public/private key pair is an example of asymmetric encryption. An example of one method for processing encryption keys supported by this invention uses a public/private key pair commonly associated with digital certificates as defined by the document Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459). A digital certificate is a unique digital identifier associating a public and private key pair to an assigned individual, a group, or an organization. When used for encrypting data, the public key of an individual is used to process an encryption key which only the individual in possession of the corresponding private key can use for decryption. A digital certificate is issued to an individual, a group, or an organization for a fixed period of time and can only be used during this time period. After the time period has elapsed, the digital certificate will be considered to have expired and must be reissued for a new time period.
  • [0009]
    The strength of a data encryption method is determined at least in part by its key size in bits. The larger the key size a data encryption method uses, the more resistant it is to cryptanalysis. Cryptanalysis, or popularly “cracking”, is the unauthorized access to encrypted data. Strong encryption is a type of data encryption that uses key sizes of 128 bits or more. A number of encryption encoding methods are known today. Examples supported by the present invention include but are not limited to Advanced Encryption Standard (AES), Data Encryption Standard (DES), 2DES, 3DES, and others. A number of key sizes are commonly used today. Examples supported by the present invention include but are not limited to 128 bits, 192 bits, and 256 bits.
  • [0010]
    Many software programs available today that process .ZIP files use data encryption to encrypt files after compression as they are written to the .ZIP file. The data encryption method used by these software programs uses a key size of 96 bits or less and is considered weak or moderate encryption by today's standards. These software programs use keys generated using user-defined password data. Weak data encryption may not provide sufficient security to computer users that store and transfer their confidential data files using the .ZIP format.
  • [0011]
    Password-based key generation has been a commonly used method of applying data encryption; however, known vulnerabilities to cracking methods such as “brute force password cracking” make this method of encryption insufficient to meet today's more advanced security needs. Another known limitation of password-based security is the lack of non-repudiation. Non-repudiation is the ability to be certain that the person or program that created an encrypted .ZIP file cannot deny that fact and that their identity is bound to the .ZIP file they created. This cannot be achieved with symmetric encryption methods. Today, non-repudiation is an important aspect of security related to the implementation of digital certificates and digital signatures. It is critically important to be able to prove that a creator or sender of an encrypted file did in fact create the file, i.e. not repudiate his/her action.
  • [0012]
    Therefore, a need exists to extend the options for levels of security available to programs that process .ZIP files. This extended security capability makes use of the encryption technologies available today or others that may gain acceptance in the future.
  • SUMMARY OF THE INVENTION
  • [0013]
    The present invention provides a method of integrating multiple strong encryption methods into the processing of .ZIP files to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing a highly secure and flexible digital container for storing and transferring confidential electronic data.
  • [0014]
    The present invention provides a method of integrating multiple strong encryption methods into the processing of .ZIP files to provide a highly secure data container which provides flexibility in the use of encryption technology. The present invention supports existing weak encryption methods available in .ZIP software programs used today to ensure backward compatibility with existing software programs that use the .ZIP file format. Strong encryption methods are made available to computer users as configurable options to select when compressing and encrypting their files or other data into a .ZIP file.
  • [0015]
    The method of the present invention provides the capability of using strong encryption when creating .ZIP files. It is flexible in that it provides that different encryption methods can be applied to a single .ZIP file to meet the security needs of a given computer user or application. Strong encryption algorithms are preferably used in conjunction with either password (symmetric) or any form of public/private key (asymmetric) encryption methods. The symmetric method preferably includes a password defined by the user, while the asymmetric method preferably includes a public/private key associated with digital certificates to process encryption keys. The invention allows one or more passwords and one or more public keys to be used individually, or in combination at the same time when archiving any file of any type of data into a secure .ZIP file. This capability is useful since secure .ZIP files are frequently distributed, or otherwise made accessible, to multiple recipients for decryption. Some of those recipients may require password access while others may require certificate access.
  • [0016]
    The method of the present invention also supports the four basic security functions to be associated with encrypted files: confidentiality, message authentication, sender or creator authentication, and non-repudiation.
  • [0017]
    Specifically, the present invention supports non-repudiation to uniquely bind a .ZIP file with the identity of its creator, and prevent that creator from denying the creation of that .ZIP file. One method of non-repudiation used by this invention is the identity support available with digital signatures that can be generated using public/private key technology. The non-repudiation function provided by the present invention also preferably supports time-stamping methods for fixing the creation of a digital signature in time, as well as time-stamped audit trails providing transaction history.
  • [0018]
    As indicated, the method of the present invention also supports message authentication. Message authentication ensures the data has not been altered since being encrypted. The present invention supports message authentication techniques that employ public/private key forms of message authentication, as well as other methods of message authentication that do not require the use of public/private keys. One example of an alternative method that does not use a public/private key is a cryptographic checksum.
  • [0019]
    The method of the present invention further supports the encryption of file characteristics for each file inside a .ZIP file. Current .ZIP software programs encrypt only the contents of the files in a .ZIP file. The additional characteristics for each file, such as its name, size, etc., remain unencrypted. To remove the possibility that this unencrypted data for a file could be made available to an unauthorized user, this information may preferably also be encrypted as an option. This additional encryption further increases the level of security available to .ZIP file users.
  • [0020]
    Public keys such as those associated with digital certificates used for encrypting .ZIP file data preferably reside on a user's local computer in a file or a database, on an external device such as a Smart Card or other removable device, or in a shared data repository such as a directory service served by an LDAP server.
  • [0021]
    The present invention also provides multiple methods of checking whether a digital certificate is valid for use. These methods preferably include, but are not limited to standard methods of certificate validation, such as searching certificate revocation lists (CRL), certificate trust lists (CTL), and online checking via the internet using Online Certificate Status Protocol (OCSP) or Simple Certificate Validation Protocol (SCVP).
  • [0022]
    The method of the present invention also preferably defines data storage locations within the established .ZIP file format specification for storing information on the encryption parameters used when a file was encrypted and on the keys needed when a file is to be decrypted. One such example of these data storage locations includes a field to identify that a new strong encryption method has been applied to a file in the .ZIP file. The strong encryption record will be defined within a Central Directory storage area for each encrypted file. The Central Directory is a storage location defined in the .ZIP file format which serves as a table of contents for the entire .ZIP file. An entry is made into the Central Directory for each file added to a .ZIP file. A decryption record will be defined for storing the information needed to initialize and start the decryption process. This decryption record will be placed immediately ahead of the encrypted data for each file in a .ZIP file. This example is not the only method of storing this data as other storage methods can be defined.
  • [0023]
    The present invention provides many advantages or benefits over the prior art. One benefit is the ability to use multiple encryption methods instead of supporting only a single encryption method. A second benefit is the ability to use a mixture of symmetric and asymmetric encryption in a single, secure .ZIP file. A third benefit is that the encryption of individual files using advanced public/private keys provides a significantly higher level of security to computer users. A fourth benefit is that encryption of .ZIP file data can be implemented using a range of commonly available cryptographic toolkits. A fifth benefit is that the present invention supports using packaged or readily available encryption algorithms to provide state-of-the-art security. A sixth benefit is the availability of non-repudiation using digital signatures through the use of public/private key technology. A seventh benefit is that the invention ensures a high degree of interoperability and backward compatibility by extending the current .ZIP file format.
  • [0024]
    Various other features, objects, and advantages of the invention will be made apparent to those skilled in the art from the following detailed description, claims, and accompanying drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0025]
    FIG. 1 is a record layout of a prior art .ZIP file prior to the present invention.
  • [0026]
    FIG. 2 is a record layout of a .ZIP file in accordance with the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • [0027]
    Referring now to the drawings, FIG. 1 shows the file format for the standard .ZIP file, in existence prior to the present invention. FIG. 2 illustrates the preferred general record layout of a ZIP file in accordance with the present invention.
  • [0028]
    The newly modified ZIP file format specification according to the present invention, as published by PKWARE, Inc., is described in a document entitled APPNOTE.TXT, which is attached hereto and incorporated herein by reference. The new version of the .ZIP file format provides an implementation of the use of strong encryption based on a key generated using a password. This implementation constitutes one example of a structure and layout of the records and fields suitable for processing secure .ZIP files as defined by the present invention. The complete description of the conventional or standard .ZIP file format will not be included here since this information is generally well known. Only the portions pertaining to the new records and fields defined by the new format, capable of storing data using strong encryption, will be discussed in detail.
  • [0029]
    The present invention extends the original .ZIP file format with the addition of new storage records to support the use of strong encryption methods including, as described above, both public/private key, or asymmetric, methods, and password-based, or symmetric, methods, and the capability to use a mixture of symmetric and asymmetric methods.
  • [0030]
    An example of implementing a new strong encryption method is discussed below. This example identifies several new records and fields that must be defined within the .ZIP file format.
      • A new General Purpose Bit Flag having a hexadecimal value of 0x0040 to be set in both the Local and Central Record Headers when strongly encrypting a file.
      • A new Decryption Header to be located immediately ahead of and adjacent to the compressed data stored for each file.
      • A new Extra Field record definition with an ID having a hexadecimal value of 0x0017 to be inserted into the Central Record Header for each file.
  • [0034]
    When using these new fields for strongly encrypting files, the following actions are indicated.
  • [0035]
    1. If the General Purpose Bit Flag value of 0x0040 is set to indicate strong encryption was applied to a file, the General Purpose Bit Flag value of 0x0001 will also generally be set.
  • [0036]
    2. Files having a size of zero bytes (an empty file) should not generally be encrypted. As indicated, however, the file characteristics of the archived files may be encrypted, even if the file is of zero length and is not itself encrypted.
  • [0037]
    3. The contents of the field labeled Version Needed to Extract in both the Local and Central Record Headers should preferably be set to the decimal value of 50 or greater. If the AES encryption method is used, the contents of the field labeled Version Needed to Extract in both the Local and Central Record Headers should preferably be set to the decimal value 51 or greater.
  • [0038]
    4. Data encryption should preferably be applied after a file is compressed, but encryption can be applied to a file if compression is not used. If compression is not applied to a file, it is considered to be stored in the .ZIP file.
  • [0039]
    5. If encryption is applied using digital certificates, a list of intended recipients will be constructed. Each entry in the recipient list identifies a person whose public key has been used in the encryption process for a file and who is allowed to decrypt the file contents using their private key.
  • [0040]
    Record Definitions:
    New Decryption Header (NDH)

    | Value | Size (bytes) | Description |
    |---|---|---|
    | IV size | 2 | Size of custom initialization vector/salt, if 0 then CRC32 + 64-bit File Size should be used to decrypt data. |
    | IV | variable | Initialization vector/salt (file specific) which should be used in place of CRC32 + 64-bit File Size |
    | Original Size | 4 | Original (uncompressed) size of the following data |
    | Decryption Info. | variable | Decryption Information |
  • [0041]
    Decryption Information (details)

    | Value | Size (bytes) | Description |
    |---|---|---|
    | Version (3) | 2 | Version/Format of decryption information. |
    | AlgID | 2 | Encryption Algorithm ID |
    | BitLen | 2 | Bit length of the key |
    | Flags | 2 | Processing flags |
    | ERD size | 2 | Size of Encrypted Random Data (ERD) |
    | ERD | variable | Encrypted Random Data |
    | Recipient Count | 4 | Number of Recipients |
    | Hash Algorithm | 2 | Hash algorithm to be used to calculate Public Key hash (absent for password based encryption) |
    | Hash Size | 2 | Size of Public Key hash (absent for password based encryption) |
    | Recipient List Element | variable | Recipient List Element (absent for password based encryption) |
    | Password Validation Data size | 2 | Size of random password validation data (Includes CRC32 of PVD; >4) MUST be multiple of encryption block sizes |
    | Password Validation Data | variable | Password Validation Data (PVD) |
    | CRC32 of PVD | 4 | CRC32 of PVD, used for password verification when decrypting data |
  • [0042]
    Encryption Algorithm ID (AlgID) identifies which of several possible strong encryption algorithms was used for encrypting a file in the .ZIP file. The strong encryption algorithms that can be used include but are not limited to AES, 3DES, 2DES, DES, RC2 and RC4. The use of other unspecified strong algorithms for encryption is supported by the present invention.
  • [0043]
    Hash Algorithm identifies which of several possible hash algorithms was used for the encryption process for a file in the .ZIP file. The algorithms that can be used include but are not limited to MD5, SHA1-SHA512. The use of other unspecified algorithms for hashing is supported by the present invention.
  • [0044]
    Flags
  • [0045]
    The following values are defined for the processing Flags.
    | Name | Value | Description |
    |---|---|---|
    | PASSWORD_KEY | 0x0001 | Password is used |
    | CERTIFICATE_KEY | 0x0002 | Recipient List is used |
    | COMBO_KEY | 0x0003 | Either a password or a Recipient List can be used to decrypt a file |
    | DOUBLE_SEED_KEY | 0x0007 | Both password and Recipient List are required to decrypt a file. ERD is encrypted twice by 2 separate keys. |
    | DOUBLE_DATA_KEY | 0x000f | Both a password and a Recipient List are required to decrypt a file. File data is encrypted twice using 2 separate keys. |
    | MASTER_KEY_3DES | 0x4000 | Specifies 3DES algorithm is used for MSK |
  • [0046]
    Recipient List Element

    | Value | Size (bytes) | Description |
    |---|---|---|
    | Recipient Element size | 2 | Combined size of Hash of Public Key and Simple Key Blob |
    | Hash | Hash Size | Hash of Public Key |
    | Simple key Blob | variable | Simple Key Blob |
  • [0047]
    New Decryption Central Record Extra Field (NDCEF)

    | Value | Size (bytes) | Description |
    |---|---|---|
    | 0x0017 | 2 | Signature of NDCEF |
    | Data Size | 2 | Size of the following data (at least 12 bytes) |
    | Version (2) | 2 | Version/Format of this extra field. |
    | AlgID | 2 | Encryption Algorithm ID. |
    | BitLen | 2 | Bit length of the key |
    | Flags | 2 | Processing flags |
    | Recipient Count | 4 | Number of Recipients |
    | Hash Algorithm | 2 | Hash algorithm to be used to calculate Public Key hash (absent for password based encryption) |
    | Hash Size | 2 | Size of Public Key hash (absent for password based encryption) |
    | Simplified Recipient List Element | variable | Simplified Recipient List Element (absent for password based encryption) |
  • [0048]
    Simplified Recipient List Element

    | Value | Size (bytes) | Description |
    |---|---|---|
    | Hash | Hash Size | Hash of Public Key |
  • [0049]
    A simplified recipient list element is defined as a subset of a recipient list element and is stored to provide redundancy of the recipient list data for the purposes of data recovery.
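The NDCEF layout at [0047], the Flags values at [0045] and the header rules at [0035] and [0037] can be checked mechanically when inspecting an archive's Central Directory. The Python sketch below is an added example, not code from the patent or from PKWARE: it parses a 0x0017 extra field and lists inconsistencies, using the 128-bit threshold from [0009]. Assumptions: fields are little-endian as in the rest of the .ZIP format, the key mode is the low four bits of Flags, the hash fields are absent only for PASSWORD_KEY, and all function names, sample bytes and the placeholder AlgID/hash IDs (0x1234, 0x5678) are constructed for illustration.

```python
import struct

GPBF_ENCRYPTED = 0x0001   # General Purpose Bit Flag: file is encrypted
GPBF_STRONG = 0x0040      # General Purpose Bit Flag: strong encryption applied
NDCEF_ID = 0x0017         # extra field ID of the NDCEF record
MASTER_KEY_3DES = 0x4000  # Flags bit: 3DES is used for the MSK
KEY_MODES = {             # Flags values from the table at [0045]
    0x0001: "PASSWORD_KEY",
    0x0002: "CERTIFICATE_KEY",
    0x0003: "COMBO_KEY",
    0x0007: "DOUBLE_SEED_KEY",
    0x000F: "DOUBLE_DATA_KEY",
}


def find_extra_field(extra, wanted_id):
    """Return the data of the first extra-field record with wanted_id, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if len(data) != size:
            raise ValueError("extra field record runs past the end of the block")
        if field_id == wanted_id:
            return data
        pos += 4 + size
    return None


def parse_ndcef(data):
    """Decode the NDCEF data (the bytes after the ID and Data Size fields)."""
    if len(data) < 12:
        raise ValueError("NDCEF data is shorter than the 12-byte minimum")
    version, alg_id, bit_len, flags, count = struct.unpack_from("<HHHHI", data, 0)
    mode = flags & 0x000F  # assumption: the key mode is the low four bits
    rec = {
        "version": version, "alg_id": alg_id, "bit_len": bit_len,
        "key_mode": KEY_MODES.get(mode, "UNKNOWN"),
        "master_key_3des": bool(flags & MASTER_KEY_3DES),
        "recipient_count": count, "hash_alg": None, "recipient_hashes": [],
    }
    if rec["key_mode"] == "PASSWORD_KEY":
        return rec  # hash fields and recipient list are absent
    if len(data) < 16:
        raise ValueError("NDCEF is missing Hash Algorithm / Hash Size")
    rec["hash_alg"], hash_size = struct.unpack_from("<HH", data, 12)
    # Check the declared sizes before slicing: both come from the file.
    if hash_size == 0 or count * hash_size > len(data) - 16:
        raise ValueError("recipient list does not fit in the NDCEF data")
    rec["recipient_hashes"] = [
        data[16 + i * hash_size:16 + (i + 1) * hash_size] for i in range(count)
    ]
    return rec


def audit_entry(gp_flags, version_needed, extra):
    """List inconsistencies between one Central Record Header and its NDCEF."""
    findings = []
    strong = bool(gp_flags & GPBF_STRONG)
    data = find_extra_field(extra, NDCEF_ID)
    if strong and not gp_flags & GPBF_ENCRYPTED:
        findings.append("0x0040 set without 0x0001")
    if strong and version_needed < 50:
        findings.append("Version Needed to Extract below 50")
    if strong and data is None:
        findings.append("0x0040 set but no 0x0017 extra field")
    if data is not None:
        rec = parse_ndcef(data)
        if not strong:
            findings.append("0x0017 extra field present but 0x0040 not set")
        if rec["bit_len"] < 128:
            findings.append("key length %d is below 128 bits" % rec["bit_len"])
        if rec["key_mode"] == "UNKNOWN":
            findings.append("Flags value not in the defined set")
    return findings


def build_ndcef(alg_id, bit_len, flags, hashes=(), hash_alg=0, version=2):
    """Build a constructed NDCEF record (ID + Data Size + data) for the samples."""
    data = struct.pack("<HHHHI", version, alg_id, bit_len, flags, len(hashes))
    if hashes:
        data += struct.pack("<HH", hash_alg, len(hashes[0])) + b"".join(hashes)
    return struct.pack("<HH", NDCEF_ID, len(data)) + data


# Constructed samples: (General Purpose Bit Flag, Version Needed, extra field).
GOOD = (0x0041, 51, build_ndcef(0x1234, 256, 0x0001))
BAD = (0x0040, 20, build_ndcef(0x1234, 56, 0x0001))
CERT = (0x0041, 51,
        build_ndcef(0x1234, 128, 0x0002, [b"\xaa" * 20, b"\xbb" * 20], 0x5678))

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD), ("CERT", CERT)):
        print(name, audit_entry(*entry) or "consistent")
```

The size checks in `parse_ndcef` matter because Recipient Count and Hash Size are read from the archive itself; a reader that trusts them without comparing against Data Size will read past the record.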
  • [0050]
    Process Flow:
  • [0051]
    The following is a description of the most preferred encryption/decryption process for a single file using the storage format defined by this example. Any programs, software or other processes available to suitably perform the encryption/decryption process may be used.
  • [0052]
    Encryption:
  • [0053]
    1. Validate public/private key
  • [0054]
    2. Calculate file digital signature and time-stamp
  • [0055]
    3. Compress or Store uncompressed file data
  • [0056]
    4. Generate a File Session Key (FSK) (see below)
  • [0057]
    5. Calculate Decryption Information size
  • [0058]
    6. Adjust Compressed Size to accommodate Decryption Information and padding
  • [0059]
    7. Save Decryption Information to .ZIP file
  • [0060]
    8. Encrypt Compressed or Stored File Data
  • [0061]
    9. Encrypt file characteristics
  • [0062]
    Decryption:
  • [0063]
    1. Decrypt file characteristics
  • [0064]
    2. Read Decryption Information from .ZIP file
  • [0065]
    3. Generate FSK (see below)
  • [0066]
    4. Verify Decryption Information (see below)
  • [0067]
    5. If Decryption Information is valid, then decrypt Compressed or Stored File Data
  • [0068]
    6. Decompress compressed data
  • [0069]
    7. Validate file time-stamp and digital signature
  • [0070]
    Generating Master Session Key (MSK)
  • [0071]
    1. If MASTER_KEY_3DES is set, use 3-key 3DES as the MSK algorithm; otherwise use the specified algorithm.
  • [0072]
    2. If encrypting or decrypting with a password.
  • [0073]
    2.1.1. Prompt user for password
  • [0074]
    2.1.2. Calculate hash of the password
  • [0075]
    2.1.3. Pass calculated hash as argument into a cryptographic key derivation function or its equivalent.
  • [0076]
    3. When encrypting using a public key(s).
  • [0077]
    3.1.1. Call a cryptographic key generation function or its equivalent to generate random key
  • [0078]
    4. When decrypting using a private key(s).
  • [0079]
    4.1. Using Recipient List information, locate private key, which corresponds to one of the public keys used to encrypt MSK.
  • [0080]
    4.2. Decrypt MSK
  • [0081]
    Salt and/or Initialization Vector (IV)
  • [0082]
    1. For algorithms that use both Salt and IV, Salt=IV
  • [0083]
    2. IV can be completely random data and placed in front of Decryption Information
  • [0084]
    3. Otherwise IV=CRC32+64-bit File Size
  • [0085]
    Adjusting Keys
  • [0086]
    1. Determine the Salt and/or Initialization Vector size of the key for the encryption algorithm specified. Usually the salt is the complement to 128 bits, so for a 40-bit key the Salt size will be 11 bytes. The Initialization Vector is usually used by block algorithms, and its size corresponds to the block size.
  • [0087]
    2. If the Salt size is >0 or the Initialization Vector size is >0, then set the IV¹ to be used by the specified encryption algorithm.
    ¹ When adjusting MSK, if the IV is smaller than the required Initialization Vector (or Salt) size, it is padded with 0; if it is larger, it is truncated. For all other operations the IV is used as is, without any modifications.
  • [0088]
    Generating File Session Key (FSK)
  • [0089]
    1. FSK←SHA1(MSK(IV)). Adjust MSK with IV, and decrypt ERD (Encrypted Random Data). Calculate hash of IV+Random Data. Pass calculated hash as argument into a cryptographic key derivation function or its equivalent to obtain FSK.
  • [0090]
    Verifying Decryption Information
  • [0091]
    1. Decryption Information contains variable length Password Validation Data (PVD).
  • [0092]
    2. The first (Password Validation Data Size − 4) bytes are random data, and the last 4 bytes are the CRC32 of that random data. This allows verification that the correct key is used and deters plaintext attacks.
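
    The IV, key-adjustment and Password Validation Data rules above, worked through as an added example that is not code from the patent or from PKWARE. Function names are hypothetical, and little-endian packing of the CRC32 and file size is an assumption, since the text gives no byte order.

```python
import os
import struct
import zlib


def salt_size_bytes(key_bits: int) -> int:
    """Salt complements the key to 128 bits (40-bit key -> 11 bytes)."""
    return max(0, 128 - key_bits) // 8


def derive_iv(file_crc32: int, file_size: int) -> bytes:
    """Non-random IV: CRC32 followed by the 64-bit file size, 12 bytes in all."""
    return struct.pack("<IQ", file_crc32 & 0xFFFFFFFF, file_size)


def adjust_iv(iv: bytes, required: int) -> bytes:
    """MSK adjustment only: pad a short IV with 0 bytes, truncate a long one."""
    return iv[:required].ljust(required, b"\x00")


def make_pvd(size: int) -> bytes:
    """Build PVD: (size - 4) random bytes followed by their CRC32."""
    if size <= 4:
        raise ValueError("PVD must carry random data before the CRC32")
    rnd = os.urandom(size - 4)
    return rnd + struct.pack("<I", zlib.crc32(rnd))


def pvd_is_valid(pvd: bytes) -> bool:
    """Check decrypted PVD; False means a wrong key or damaged data."""
    if len(pvd) <= 4:
        return False
    rnd, stored = pvd[:-4], struct.unpack("<I", pvd[-4:])[0]
    return zlib.crc32(rnd) == stored
```

    The derived IV is 12 bytes, so adjusting it for a 16-byte block pads it with four zero bytes, while an 8-byte block such as 3DES keeps only the CRC32 and the low half of the file size. A wrong key still passes the CRC32 check with probability about 2^-32, and the check says nothing about the integrity of the file data, which the process covers separately in the time-stamp and digital signature step.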
  • [0093]
    The following modifications are used for encrypting and decrypting multiple files.
  • [0094]
    Multi-File Encryption:
  • [0095]
    1. Generate MSK.
  • [0096]
    2. For each file follow Encryption steps.
  • [0097]
    Multi-File Decryption:
  • [0098]
    1. Generate MSK from the file Decryption Information
  • [0099]
    2. For each file follow Decryption steps
  • [0100]
    3. If Decryption Information verification fails go to step 1
  • [0101]
    Alternate storage formats can be defined for implementing the flexible security support within ZIP files. One such alternative is to use other fields, either existing or newly defined to denote that a strong encryption method was applied to a .ZIP archive. Another alternative could be to use additional storage fields in addition to those defined in the above example, or to use the fields as defined, but ordered differently within each record. Still other implementations may use fewer, or more, records or fields than are defined by the above example or the records and fields may be placed in other physical locations within the .ZIP file.
  • [0102]
    Alternate processing methods can also be defined for implementing the flexible security support within .ZIP files. One such alternative is to implement the encryption process for each file using another public/private key technology such as that defined by the OpenPGP Message Format as documented in RFC 2440. Another alternative could be to use a more direct form of encryption key generation where the file session key is directly used for encrypting each file. This method would not use the indirect form described in the above example where the file session key is derived from a master key.
  • [0103]
    While the invention has been described with reference to preferred embodiments, it is to be understood that the invention is not intended to be limited to the specific embodiments set forth above. Thus, it is recognized that those skilled in the art will appreciate that certain substitutions, alterations, modifications, and omissions may be made without departing from the spirit or intent of the invention. Accordingly, the foregoing description is meant to be exemplary only, the invention is to be taken as including all reasonable equivalents to the subject matter of the invention, and should not limit the scope of the invention set forth in the following claims.
Classifications
U.S. Classification: 713/193
International Classification: H04L9/30, H04L9/32, H03M7/30, G06F12/14, H04L9/06, H04L9/00, G06F7/00, G06F21/00, H03M7/40, H04L9/28, H04K1/00, G06F11/30
Cooperative Classification: G06F17/30153, G06F21/6209, H04L9/088, G06F2221/2107, G06F2221/2153, G06F21/6218, H04L2209/30
European Classification: G06F21/62B, H04L9/00
Legal Events
Date | Code | Event | Description
Sep 12, 2007 | AS | Assignment
Owner name: PKWARE, INC., WISCONSIN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PETERSON, JAMES C.;REEL/FRAME:019818/0587
Effective date: 20070907
Aug 18, 2009 | AS | Assignment
Owner name: MARANON CAPITAL, L.P., AS AGENT, ILLINOIS
Free format text: SECURITY AGREEMENT;ASSIGNOR:PKWARE, INC.;REEL/FRAME:023107/0510
Effective date: 20090817
Aug 19, 2009 | AS | Assignment
Owner name: MARANON CAPITAL, L.P., AS AGENT, ILLINOIS
Free format text: SECURITY AGREEMENT;ASSIGNOR:PKWARE, INC.;REEL/FRAME:023107/0952
Effective date: 20090817
Dec 23, 2010 | AS | Assignment
Owner name: PKWARE, INC., WISCONSIN
Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MARANON CAPITAL, L.P., AS AGENT;REEL/FRAME:025525/0223
Effective date: 20101217
Owner name: PKWARE, INC., WISCONSIN
Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MARANON CAPITAL, L.P., AS AGENT;REEL/FRAME:025525/0230
Effective date: 20101217