
Encryption method and password length not flagged [BUG]

Open • dcblack opened this issue 2 years ago • 1 comment

Configuration

  • Keka version: 1.2.53 (4962)
  • macOS version: 12.2.1 (Monterey)

Describe the bug

For anybody who cares about security, there are some warnings that should be issued:

  1. ZipCrypto (i.e., classic Zip encryption) is unsafe.
  2. AES encryption needs a decently long password depending on key length (e.g., 128-bit => 23 characters). So anything less should issue a warning dialog.
  3. Oddly, Windows 10 7-Zip won't allow passwords longer than 63 characters apparently, which makes interoperability an issue and should issue a warning.

To Reproduce

Steps to reproduce the behavior:

  1. Try encrypting with the de facto ZipCrypto
  2. Try encrypting with a short password for AES
  3. Try encrypting with a long password for AES

Expected behavior

I expect warning messages that encourage security.

Current behavior

I get a warning recommending away from AES encryption and no issues with password length.

Additional information

On Windows 10, 7-Zip supports AES and it's free.

dcblack • Mar 31 '22 15:03

Very interesting issue.

  1. ZipCrypto (i.e., classic Zip encryption) is unsafe.

Most users want the most compatible encrypted file, and that's why ZipCrypto is still the default for ZIP and a warning is shown when using AES (https://github.com/aonez/Keka/issues/363). Indeed, it is not a bad idea to add some warning/tip noting that ZipCrypto is widely supported but a legacy, less safe option, so users have the opportunity to read about it.

  2. AES encryption needs a decently long password depending on key length (e.g., 128-bit => 23 characters). So anything less should issue a warning dialog.

Was not aware of that one. Can you provide some reference?

  3. Oddly, Windows 10 7-Zip won't allow passwords longer than 63 characters apparently, which makes interoperability an issue and should issue a warning.

I'm unable to reproduce this one with 7-Zip in Windows. Tried with 90+ character passwords, both in ZipCrypto and AES, and all worked properly. It does indeed fail with the bundled Windows extraction's limited support of ZIP (ZipCrypto only), so you're right, a warning should be issued when using both ZipCrypto and passwords longer than 63 characters.

aonez • Apr 01 '22 10:04
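As an added example, not Keka's code and not written by either poster: the two warnings the thread converges on (a legacy notice for ZipCrypto, an interoperability notice for ZipCrypto with passwords over 63 characters) together with the entropy check behind point 2, which compares a password's estimated entropy with the AES key size. The character-class pool sizes and the reading of the issue's "128-bit => 23 characters" figure as a pool of about 48 symbols are assumptions of this example.

```python
import math
import string

# Character classes used to estimate a password's effective alphabet. The pool
# sizes are the usual entropy-estimation convention, an assumption of this
# example rather than a rule Keka implements.
CHAR_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
)

# Length above which the thread reports the built-in Windows ZIP extractor
# (ZipCrypto only) fails to open the archive.
ZIPCRYPTO_INTEROP_MAX_LEN = 63


def estimate_entropy_bits(password: str) -> float:
    """len(password) * log2(pool), pool = union of character classes present."""
    pool = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in password))
    # Characters outside the four classes (space, non-ASCII) each add one symbol.
    pool += len({c for c in password if not any(c in chars for chars, _ in CHAR_CLASSES)})
    return len(password) * math.log2(pool) if pool else 0.0


def min_length_for_key(key_bits: int, pool_size: int) -> int:
    """Shortest uniformly random password from pool_size symbols whose entropy
    reaches key_bits; the issue's 128-bit -> 23 chars matches a pool of ~48."""
    return math.ceil(key_bits / math.log2(pool_size))


def password_warnings(method: str, password: str, key_bits: int) -> list:
    """Warnings a compressor could show for the chosen method and password."""
    warnings = []
    if method == "ZipCrypto":
        warnings.append("ZipCrypto is a legacy scheme: widely supported but unsafe.")
        if len(password) > ZIPCRYPTO_INTEROP_MAX_LEN:
            warnings.append(f"Passwords over {ZIPCRYPTO_INTEROP_MAX_LEN} characters "
                            "cannot be opened by the built-in Windows ZIP extractor.")
    elif method == "AES":
        bits = estimate_entropy_bits(password)
        if bits < key_bits:
            warnings.append(f"Password supplies about {bits:.0f} bits of entropy, below "
                            f"the {key_bits}-bit key; the password is the weak point.")
    return warnings
```

Run `password_warnings("AES", "Tr0ub4dor&3", 128)` to see the short-password warning, and `min_length_for_key(128, 95)` for the length a full printable-ASCII password needs to match a 128-bit key.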