Keka
Encryption method and password length not flagged [BUG]
Configuration
- Keka version: 1.2.53 (4962)
- macOS version: 12.2.1 (Monterey)
Describe the bug
For anybody who cares about security, there are some warnings that should be issued:
- ZipCrypto (i.e., classic Zip encryption) is unsafe.
- AES encryption needs a decently long password depending on key length (e.g., 128-bit => 23 characters). So anything less should issue a warning dialog.
- Oddly, Windows 10 7-Zip won't allow passwords longer than 63 characters apparently, which makes interoperability an issue and should issue a warning.
To Reproduce
Steps to reproduce the behavior:
- Try encrypting with the de facto ZipCrypto
- Try encrypting with a short password for AES
- Try encrypting with a long password for AES
Expected behavior
I expect warning messages that encourage security.
Current behavior
I get a warning recommending away from AES encryption and no issues with password length.
Additional information
On Windows 10, 7-Zip supports AES and it's free.
Very interesting issue.
1. ZipCrypto (i.e., classic Zip encryption) is unsafe.
Most users want the most compatible encrypted file and that's why ZipCrypto is still the default for ZIP and a warning is shown when using AES https://github.com/aonez/Keka/issues/363. Indeed it is not a bad idea to add some warning/tip noting that ZipCrypto is widely supported but a legacy, less safe option so users have the opportunity to read about it.
2. AES encryption needs a decently long password depending on key length (e.g., 128-bit => 23 characters). So anything less should issue a warning dialog.
Was not aware of that one. Can you provide some reference?
3. Oddly, Windows 10 7-Zip won't allow passwords longer than 63 characters apparently, which makes interoperability an issue and should issue a warning.
I'm unable to reproduce this one with 7-Zip in Windows. Tried with 90+ character passwords, both in ZipCrypto and AES, and all worked properly. It does indeed fail with the bundled Windows extraction's limited ZIP support (ZipCrypto only), so you're right, a warning should be issued when using both ZipCrypto and passwords longer than 63 characters.
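The warning policy discussed in the issue and the reply above, as an added example (not Keka's code): a pre-flight check a GUI could run before writing an encrypted ZIP. It flags ZipCrypto as a legacy scheme, flags ZipCrypto passwords over 63 characters because the bundled Windows extractor rejects them (the limit is taken from the reply; the reporter's 7-Zip claim could not be reproduced there), and for AES compares a rough entropy estimate of the password against the key length. The entropy model (length times log2 of the apparent alphabet) and the function names are assumptions made for this example; the reporter's "23 characters for 128-bit" figure corresponds to one particular alphabet size, so the check derives the threshold from the characters actually used instead of hard-coding it.

```python
import math
import string

# Character classes used to estimate how much entropy each password character
# contributes: lowercase only gives log2(26) ~ 4.7 bits per character, all four
# classes together log2(94) ~ 6.6 bits. This is an assumed model, and an
# upper bound: human-chosen passwords are usually much weaker than uniform.
_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)

# Windows' built-in ZIP extraction only supports ZipCrypto and, per the
# discussion in the issue, fails with passwords longer than this.
WINDOWS_BUILTIN_MAX_PASSWORD = 63


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the alphabet the
    password appears to be drawn from). Assumes each character was chosen
    uniformly from the union of the character classes present."""
    if not password:
        return 0.0
    alphabet = 0
    for cls in _CLASSES:
        if any(ch in cls for ch in password):
            alphabet += len(cls)
    # Characters outside the four classes (e.g. non-ASCII) count as their own symbols.
    extras = {ch for ch in password if not any(ch in cls for cls in _CLASSES)}
    alphabet += len(extras)
    return len(password) * math.log2(alphabet)


def encryption_warnings(method: str, password: str, key_bits: int = 256) -> list:
    """Return the warnings a dialog should show before creating an encrypted ZIP.

    method: "ZipCrypto" or "AES"; key_bits: AES key length (128, 192 or 256).
    An empty list means no warning is needed for this combination.
    """
    warnings = []
    if method == "ZipCrypto":
        warnings.append(
            "ZipCrypto is a legacy scheme with known weaknesses; it is widely "
            "supported but should not be relied on to protect sensitive data."
        )
        if len(password) > WINDOWS_BUILTIN_MAX_PASSWORD:
            warnings.append(
                f"Passwords longer than {WINDOWS_BUILTIN_MAX_PASSWORD} characters "
                "cannot be entered in Windows' built-in ZIP extraction."
            )
    elif method == "AES":
        bits = estimated_entropy_bits(password)
        if bits < key_bits:
            warnings.append(
                f"Password provides roughly {bits:.0f} bits of entropy, less than "
                f"the {key_bits}-bit AES key; a longer or more varied password "
                "would be needed to match the key strength."
            )
    else:
        raise ValueError(f"unknown encryption method: {method!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs mirroring the three reproduction steps.
    for method, pw, bits in (
        ("ZipCrypto", "x" * 70, 256),
        ("AES", "short", 128),
        ("AES", "Correct-Horse-Battery-Staple-2024-Secure", 256),
    ):
        print(method, len(pw), encryption_warnings(method, pw, bits))
```

Because the AES check uses the apparent alphabet, a 23-character lowercase-only password is rated at about 108 bits and still warned for AES-128, while a 20-character password mixing all four classes clears the 128-bit bar; that matches the intent of the report better than a fixed character count.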