TrueZIP 3.1 has been released
(October 22nd, 2005)
This version provides transparent access to RAES encrypted ZIP files, fixes some bugs and offers performance and memory optimizations. All users are recommended to upgrade.
Encryption
TrueZIP has been extended to provide transparent access to regular ZIP files which have been encrypted according to the Random Access Encryption Specification (RAES).
RAES has been developed because there is a significant need to encrypt ZIP files. However, existing de-facto standards are either patent bombed, such as PKWARE's AES encryption feature, or known to be more or less vulnerable as the article "Attacking and Repairing the WinZip Encryption Scheme" from Tadayoshi Kohno about WinZIP's proprietary AES encryption feature documents. Hence the need for a new format. However, this time the format (RAES) is designed to provide maximum security and flexibility as an extensible open source specification with an open source reference implementation as part of TrueZIP.
RAES is a file wrapping format that has been designed to provide secure, random access to arbitrary encrypted file contents - encrypting ZIP files is just one its applications. RAES features encryption according to the Advanced Encryption Standard (AES) with variable key sizes of 128, 192 and 256 bits. In order to provide maximum security, RAES encrypts the entire ZIP file (the content) and operates AES in Counter Mode (CTR), whereby its parameters are derived from a password according to the Public Key Cryptography Standard # 12 (PKCS #12). For parameter derivation, Message Authentication (MAC) and Pseudo Random Number Generation (PRNG), RAES uses the the Secure Hash Algorithm with 256 bit output (SHA-256). RAES is an extensible format - the next version is intended to provide certificate based encryption and authentication according to PKCS #12.
For more information about RAES, please refer to the class RandomAccessEncryptionSpecification in the package de.schlichtherle.crypto.io. If you would like to use an easy interface for reading and writing RAES files yourself, please check the RAES reference implementation classes RaesReadOnlyFile and RaesOutputStream in the same package.
Please note that some refactorings were necessary to introduce RAES encryption (most notably in the ZipDetector class) and consequently, all code marked as deprecated in previous versions has been removed. However, most applications should not be affected by this.
Bugs fixed
The bugs fixed for version 3.0 include, but are not limited to:
- The interpretation of dot directories (. and ..) is now correct.
- TrueZIP is now aware of some specifics of the file system and J2SE behavior on Mac OS X. In particular, file name comparison is now working correctly.
- Previous versions could deadlock or behave erratically when used in multithreading applications.
- JFileChooser caused a NullPointerException if going up one directory on the Windows Desktop.
- Writability tests have been fixed not to alter the last modification time if a file is already opened on Windows.
- Various other minor fixes.
Bugs fixed for version 3.1:
- A bug in the update strategy could have caused some directory time stamps to be incorrect if an application is accessing corrupted ZIP files.
- The password manager now always resets the password display if prompting for new passwords.
A special thanks to Dr. Simon White for helping me to identify some of the bugs.
Optimizations
The performance and memory optimizations include, but are not limited to:
- A new File.update() strategy offers enhanced performance by reducing I/O.
- The memory footprint of the class ZipEntry has been slightly reduced. This may be important if you use ZIP files with thousands of entries.