Verifying zip file contents

  • User (Old forums)
    Member
    Post count: 23064
    #20232 |

    Hi, I hope someone can help me.

     I have two components, one that creates a zip file and another that unzips it (both using Xceed.zip for .Net). I need to be able to verify that the zip file was created by my own component (i.e. the one that creates the zip file). Is there a secure way to do that?

     I would have thought I could use encryption, but it seems if you give a ZipArchive a DefaultDecryptionPassword property, it will still unzip the contents even if the zipfile was created using WinZip without any encryption.

    I need this to protect against someone replacing my zip file with one that has the same name, and same content file NAMES, but not with malicious content.

    Imported from legacy forums. Posted by Fritz (had 1376 views)

    User (Old forums)
    Member
    Post count: 23064

    Sorry, that last sentence should read:  

     “I need this to protect against someone replacing my zip file with one that has the same name, and same content file NAMES, but NOW WITH malicious content.”

    Imported from legacy forums. Posted by Fritz (had 242 views)

    User (Old forums)
    Member
    Post count: 23064

    After doing a crash course in Encryption (mainly by following this article http://www.codeproject.com/KB/security/EncryptFile.aspx?msg=3206548#xx3206548xx), I chose to encrypt the zip file. The encrypted file is then decrypted before unzipping and I do an additional SHA-1 checksum on the decrypted file before unzipping the contents.

    Imported from legacy forums. Posted by Fritz (had 422 views)

    User (Old forums)
    Member
    Post count: 23064

    There is a method available if you are using the Zip Compression Library (ActiveX) and it is called TestZipFile.  You will find the documentation right here:

    http://doc.xceedsoft.com/products/XceedZip/TestZipFile_method_and_TestingFile_event_example_for_VB.html

    There is no equivalent to this method with the .NET version of Xceed Zip but there is an example available right here that tells you how to program the same task:

    http://xceed.com/CS/forums/thread/15628.aspx 

    Best regards

    Imported from legacy forums. Posted by Ghislain (had 1022 views)

    User (Old forums)
    Member
    Post count: 23064

    I have just realized that you want to prevent alterations to the original zip file, which goes a bit beyond the solution I have suggested above.

    I have taken a look at the CodeProject project referenced and, while I can’t take a lot of time to analyze the whole solution, there are some interesting things.  I think the only drawback is that you have to use your component to read the encrypted file, particularly if the items list (the filenames) are also encrypted.  And this is perhaps not a real drawback.  Hiding the filenames within a zip archive certainly makes the zip archive less susceptible to being attacked.  Actually, the filenames should ideally always be encrypted but, unfortunately, this was not planned in the original PkWare zip utility.

    From your last reply, I understand that you were able to find a way to achieve your original objective.  If this is not the case, let us know.

    Best regards

    Imported from legacy forums. Posted by Ghislain (had 1476 views)
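
The goal stated in the thread, accepting only archives produced by one's own component, can be met with a keyed MAC over the archive bytes. The following is an added example, not code from any poster or from Xceed: it uses HMAC-SHA256 from `System.Security.Cryptography` (.NET 6 or later) instead of the encrypt-plus-SHA-1 approach described above, and the `ArchiveAuthenticator` class, the tag-appended layout and the shared 32-byte key are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example: authenticate the archive bytes with a keyed MAC before unzipping.
// Assumption: both components share a secret 32-byte key provisioned out of band.
static class ArchiveAuthenticator
{
    const int TagSize = 32; // HMAC-SHA256 output length in bytes

    // Producer side: append HMAC-SHA256(key, zipBytes) to the finished archive.
    public static byte[] Seal(byte[] key, byte[] zipBytes)
    {
        using var hmac = new HMACSHA256(key);
        byte[] tag = hmac.ComputeHash(zipBytes);
        byte[] sealedBytes = new byte[zipBytes.Length + TagSize];
        Buffer.BlockCopy(zipBytes, 0, sealedBytes, 0, zipBytes.Length);
        Buffer.BlockCopy(tag, 0, sealedBytes, zipBytes.Length, TagSize);
        return sealedBytes;
    }

    // Consumer side: return the zip bytes only if the tag verifies; otherwise throw.
    public static byte[] Open(byte[] key, byte[] sealedBytes)
    {
        if (sealedBytes.Length < TagSize)
            throw new CryptographicException("Input too short to contain a tag.");
        int zipLength = sealedBytes.Length - TagSize;
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(sealedBytes, 0, zipLength);
        var actual = new ReadOnlySpan<byte>(sealedBytes, zipLength, TagSize);
        // Constant-time comparison avoids leaking how many tag bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(expected, actual))
            throw new CryptographicException("Archive tag mismatch: not produced by the trusted component.");
        return sealedBytes.AsSpan(0, zipLength).ToArray();
    }
}

static class Program
{
    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        // Constructed sample: a 22-byte empty zip (end-of-central-directory record only).
        byte[] zip = { 0x50, 0x4B, 0x05, 0x06, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
        byte[] sealedBytes = ArchiveAuthenticator.Seal(key, zip);
        Console.WriteLine("Verified bytes: " + ArchiveAuthenticator.Open(key, sealedBytes).Length);
        sealedBytes[4] ^= 0xFF; // simulate a substituted or modified archive
        try { ArchiveAuthenticator.Open(key, sealedBytes); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

A shared key embedded in the unzipping component can be extracted by anyone able to read that component; where that matters, sign the archive with a private key held only by the creating side and verify with the public key.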
