The present invention relates generally to a method of using standard .ZIP files and strong encryption technology to securely store files, and more particularly to a method of integrating existing strong encryption methods into the processing of .ZIP files to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well established and widely used .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing an efficient, highly secure and flexible digital container for electronically storing and transferring confidential data.
Compression of computer files has been available for many years. Compressing files can save large amounts of disk space, and can reduce transfer time when downloading files from the Internet or transferring files through email. Almost any file one downloads from the Internet is compressed in some way. A standard compressed file or folder as it is sometimes called contains one or more files that were compressed into a single file or folder. Many different compression formats have been developed over the years. The .ZIP format, created by the assignee of the present invention, is perhaps the most common compressed file format for the personal computer. Any file with a “.zip” extension most likely contains one or more files of data archived, that is, each either compressed or stored, in the .ZIP format. “Zipping” a file has become a commonly used term meaning to compress the file into the .ZIP format archive so that it occupies less disk space, and similarly, “unzipping” a file means decompressing a compressed file in the .ZIP format.
A .ZIP file is generally recognized as a data compression and archiving format invented by PKWARE, Inc. The .ZIP format is a file format designed for combining data compression technology with file archiving techniques. Many commercially available software products are available for compressing or “zipping” files or other data into the .ZIP format. These .ZIP files can then be used to reconstruct the original data through the “unzipping” process. Data compression converts the contents of a file into an encoded format requiring less computer storage space or in the case of transmission less network bandwidth than the original uncompressed file.
Archiving, in the context of a .ZIP file, is a method of storing information about the characteristics of a file in a catalogue of files, known as the Central Directory, inside the .ZIP file, allowing each file to be retrieved individually by its characteristics. This capability is widely used. These characteristics include, but are not limited to, file name, file size, and file creation date and time.
Software programs such as PKZIP® written by PKWARE, Inc. are used to process files in the .ZIP format. Such programs allow one or more files of any type to be compressed and archived into a file of the .ZIP format type for efficient file storage and transmission over computer and communication networks. This format and the software programs that process .ZIP files have become ubiquitous.
Data encryption is used by many software programs to provide data privacy. Data encryption is a method of encoding data so that it cannot be reproduced in its original form unless an associated key is provided. Decryption uses this key to convert the encrypted data back into its original state. The key is known only to the person encrypting the data or by those other people with whom the person encrypting the data chooses to share the key. The key is used to “unlock” the data so that it can again be used in its original form.
Keys are uniquely generated using data known to the person encrypting a file or other data associated with recipients and users of the file. This data can be a user-defined password or other random data. Several methods are commonly used for processing the keys used for data encryption. Encryption using a key generated from a password is an example of symmetric encryption. Encryption using a public/private key pair is an example of asymmetric encryption. An example of one method for processing encryption keys supported by this invention uses a public/private key pair commonly associated with digital certificates as defined by the document Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459). A digital certificate is a unique digital identifier associating a public and private key pair to an assigned individual, a group, or an organization. When used for encrypting data, the public key of an individual is used to process an encryption key which only the individual in possession of the corresponding private key can use for decryption. A digital certificate is issued to an individual, a group, or an organization for a fixed period of time and can only be used during this time period. After the time period has elapsed, the digital certificate will be considered to have expired and must be reissued for a new time period.
The strength of a data encryption method is determined at least in part by its key size in bits. The larger the key size a data encryption method uses, the more resistant it is to cryptanalysis. Cryptanalysis, or popularly “cracking”, is the unauthorized access to encrypted data. Strong encryption is a type of data encryption that uses key sizes of 128 bits or more. A number of encryption encoding methods are known today. Examples supported by the present invention include but are not limited to Advanced Encryption Standard (AES), Data Encryption Standard (DES), 2DES, 3DES, and others. A number of key sizes are commonly used today. Examples supported by the present invention include but are not limited to 128 bits, 192 bits, and 256 bits.
Many software programs available today that process .ZIP files use data encryption to encrypt files after compression as they are written to the .ZIP file. The data encryption method used by these software programs uses a key size of 96 bits or less and is considered weak or moderate encryption by today's standards. These software programs use keys generated using user-defined password data. Weak data encryption may not provide sufficient security to computer users that store and transfer their confidential data files using the .ZIP format.
Password-based key generation has been a commonly used method of applying data encryption, however, known vulnerabilities to cracking methods such as “brute force password cracking” make this method of encryption insufficient to meet today's more advanced security needs. Another known limitation of password-based security is the lack of non-repudiation. Non-repudiation is the ability to be certain that the person or program that created an encrypted .ZIP file cannot deny that fact and that their identity is bound to the .ZIP file they created. This cannot be achieved with symmetric encryption methods. Today, non-repudiation is an important aspect of security related to the implementation of digital certificates and digital signatures. It is critically important to be able to prove that a creator or sender of an encrypted file did in fact create the file, i.e. not repudiate his/her action.
Therefore, a need exists to extend the options for levels of security available to programs that process .ZIP files. This extended of security capability makes use of the encryption technologies available today or others that may gain acceptance in the future.