User (Old forums)MemberSeptember 20, 2009 at 7:34 pmPost count: 23064
Hi, I hope someone can help me.
I have two components, one that creates a zip file and another that unzips it (both using Xceed.zip for .Net). I need to be able to verify that the zip file was created by my own component (i.e. the one that creates the zip file). Is there a secure way to do that?
I would have thought I could use encryption, but it seems if you give a ZipArchive a DefaultDecryptionPassword property, it will still unzip the contents even if the zipfile was created using WinZip without any encryption.
I need this to protect against someone replacing my zip file with one that has the same name, and same content file NAMES, but not with malicious content.
Imported from legacy forums. Posted by Fritz (had 1376 views)User (Old forums)MemberSeptember 20, 2009 at 7:35 pmPost count: 23064
Sorry, that last sentence should read:
“I need this to protect against someone replacing my zip file with one that has the same name, and same content file NAMES, but NOW WITH malicious content.”
Imported from legacy forums. Posted by Fritz (had 242 views)User (Old forums)MemberSeptember 22, 2009 at 1:41 amPost count: 23064
After doing a crash course in Encryption (mainly by following this article http://www.codeproject.com
/KB/securi ty/Encrypt File.aspx? msg=320654 8#xx320654 8xx), I chose to encrypt the zip file. The encrypted file is then decrypted before unzipping and I do an additional SHA-1 checksum on the decrypted file before unzipping the contents.
Imported from legacy forums. Posted by Fritz (had 422 views)User (Old forums)MemberOctober 7, 2009 at 12:19 amPost count: 23064
There is a method available if you are using the Zip Compression Library (ActiveX) and it is called TestZipFile. You will find the documentation right here:
There is no equivalent to this method with the .NET version of Xceed Zip but there is an example available right here that tells you how to program the same task:
Imported from legacy forums. Posted by Ghislain (had 1022 views)User (Old forums)MemberOctober 7, 2009 at 12:59 amPost count: 23064
I have just realized that you want to prevent alterations to the original zip file, which goes a bit beyond the solution I have suggested above.
I have taken a look at the CodeProject project referenced and, while I can’t take a lot of time to analyze the whole solution, there are some interesting things. I think the only drawback is that you have to use your component to read the encrypted file, particulary if the items list (the filenames) are also encrypted. And this is perhaps not a real drawback. Hiding the filenames within a zip archive certainly makes the zip archive less susceptible of being attacked. Actually, the filenames should ideally always being encrypted but, unfortunately, this was not planned in the original PkWare zip utility.
From you last reply, I understand that you were able to find a way to achieve your original objective. If this is not the case, let us know.
Imported from legacy forums. Posted by Ghislain (had 1476 views)
- You must be logged in to reply to this topic.