Make aes-encrypted zip file in ruby?

--
Dave Aronson, freelance software developer (details @ www.Codosaur.us);
see also www.PullRequestRoulette.com, Blog.Codosaur.us, www.Dare2XL.com

On Thu, Jun 19, 2014 at 8:04 AM, Dave Aronson < ruby-talk.list.2.TRex@codosaur.us> wrote:

For a client project, I am trying to create an AES-256 encrypted zip
file in Ruby, and having trouble finding applicable tools (mainly
gems). I have looked at these:

- RubyZip, we are currently using for other purposes. However, this
does not support encryption at all.

- jphastings' fork of RubyZip might do it, I see mention of AES in
some pull requests, but the docs haven't been updated to reflect any
crypto support, and I haven't slogged through the code to see how
complete (let alone correct and robust) the AES support is.

- Archive::Zip looked plausible, if we write a custom encryption
codec. Maybe someone's already done one that supports AES-256? Not
that I could find. Anyway, the project is dormant, and only claims
v0.0.0 so it doesn't seem mature and reliable.

- ZipRuby claims to do crypto, but only "legacy" crypto, the kind most
compression utilities have had built in for ages, which is much weaker
than AES. Also, it apparently doesn't even do that, according to a
fairly old unaddressed bug. No hint, at a quick glance, of being able
to plug in alternate crypto.

- Chilkat's library seems suitable at a quick glance, but we'd much
prefer something free and open source. Not so much for the cost, but
just the sheer hassles, especially since Chilkat's license is tied to
specific named developers... and I'm a contractor.

Other details:

- I *think* it needs to be openable by 7zip, which means it should
either use the same mode and initialization vector, or let me set
them. (I *think* I can find out what those are set to.)

- I *think* the deployment will be on Linux, but development and a lot
of the testers are on Macs, so if one of the standard command-line
utilities common to both environments will do it, I will happily just
use a system call. However, Mac's standard zip only supports the weak
"password protect" crypto.

- If someone is thinking "why not just use RubyZip to compress and
OpenSSL to encrypt": no, an "encrypted zip file" doesn't mean "take a
zip file and encrypt it", it has to be in standard zip format so an
unzipper knows how to extract entries, which are what is encrypted.

- I'm open to other approaches, if anybody's got suggestions! I have
reached out to the folks consuming the file to see if maybe they don't
really need an AES-256 encrypted zip file specifically openable by
7zip -- the files are probably small to begin with, so maybe we can
skip compression....

Thanks,
Dave

--
Dave Aronson, freelance software developer (details @ www.Codosaur.us);
see also www.PullRequestRoulette.com, Blog.Codosaur.us, www.Dare2XL.com

On 06/19/2014 10:04 AM, Dave Aronson wrote:

On 6/19/2014 12:48, Andrew Kelley wrote:

please unsubscribe me

Andrew CP Kelley

Founder & CEO | CallRed

(t) 401.300.0034

www.CallRed.com <http://www.CallRed.com>

On Thu, Jun 19, 2014 at 8:04 AM, Dave Aronson > <ruby-talk.list.2.TRex@codosaur.us > <mailto:ruby-talk.list.2.TRex@codosaur.us>> wrote:

For a client project, I am trying to create an AES-256 encrypted
zip file in Ruby, and having trouble finding applicable tools
(mainly gems). I have looked at these:

- RubyZip, we are currently using for other purposes. However,
this does not support encryption at all.

- jphastings' fork of RubyZip might do it, I see mention of AES in
some pull requests, but the docs haven't been updated to reflect
any crypto support, and I haven't slogged through the code to see
how complete (let alone correct and robust) the AES support is.

- Archive::Zip looked plausible, if we write a custom encryption
codec. Maybe someone's already done one that supports AES-256?
Not that I could find. Anyway, the project is dormant, and only
claims v0.0.0 so it doesn't seem mature and reliable.

- ZipRuby claims to do crypto, but only "legacy" crypto, the kind
most compression utilities have had built in for ages, which is
much weaker than AES. Also, it apparently doesn't even do that,
according to a fairly old unaddressed bug. No hint, at a quick
glance, of being able to plug in alternate crypto.

- Chilkat's library seems suitable at a quick glance, but we'd
much prefer something free and open source. Not so much for the
cost, but just the sheer hassles, especially since Chilkat's
license is tied to specific named developers... and I'm a
contractor.

Other details:

- I *think* it needs to be openable by 7zip, which means it should
either use the same mode and initialization vector, or let me set
them. (I *think* I can find out what those are set to.)

- I *think* the deployment will be on Linux, but development and a
lot of the testers are on Macs, so if one of the standard
command-line utilities common to both environments will do it, I
will happily just use a system call. However, Mac's standard zip
only supports the weak "password protect" crypto.

- If someone is thinking "why not just use RubyZip to compress and
OpenSSL to encrypt": no, an "encrypted zip file" doesn't mean "take
a zip file and encrypt it", it has to be in standard zip format so
an unzipper knows how to extract entries, which are what is
encrypted.

- I'm open to other approaches, if anybody's got suggestions! I
have reached out to the folks consuming the file to see if maybe
they don't really need an AES-256 encrypted zip file specifically
openable by 7zip -- the files are probably small to begin with, so
maybe we can skip compression....

Thanks, Dave

-- Dave Aronson, freelance software developer (details @
www.Codosaur.us <http://www.Codosaur.us>); see also
www.PullRequestRoulette.com <http://www.PullRequestRoulette.com>,
Blog.Codosaur.us <http://Blog.Codosaur.us>, www.Dare2XL.com
<http://www.Dare2XL.com>

- --
Rylee Fowler
rylee@rylee.me