[Python-Dev] Support for Encrypted Zip as python scripts

Gregory P. Smith greg at krypto.org
Mon Aug 24 02:59:53 CEST 2009


On Sun, Aug 23, 2009 at 2:24 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:

> >> No doubt this is a useful functionality to have but it would be great to
> >> have some comments on whether
> >> this can be (or even should be) feasibly added as an inbuilt support.
> >
> > MvL already asked for a patch so I suppose that means he thinks it's
> > useful.
>
> I am actually skeptical that it is implementable in a reasonable way;
> if implemented, I'd say: why not?
>
> > Personally I've never encountered an encrypted zipfile, so I
> > just have questions: is there a standard encryption algorithm?
>
> In principle, yes. There are several aspects of encryption described in
>
> http://www.pkware.com/documents/casestudies/APPNOTE.TXT
>
> There are several encryption algorithms defined, such as
> "traditional PKWARE", DES, 3DES, "original RC2", RC4, AES,
> "corrected RC2", "corrected RC2-64", blowfish, twofish.
>
> In the file header general purpose bits, bit 0 indicates "file is
> encrypted" (which means "traditional PKWARE"), bit 6 indicates "strong
> encryption" (an additional header then giving details).
>
> > What is encrypted? The entire file or individual members?
>
> Traditionally, only individual files. With strong encryption (only?),
> the central directory can also be encrypted.
>
> > How are you supposed to give the password?
>
> In pkzip: interactively. In the import support: this remains to be seen
> in the patch. I assume people requesting that feature have a plan.
>
> > Also, I suppose there could be (US) export
> > problems with the code, so it would have to be optional (and we might
> > not be able to build it into binaries we distribute from python.org).
>
> The zipfile module already supports decryption. I forgot whether we
> determined that support for decryption only doesn't fall under the
> export restrictions, or whether we reported the module to the BXA as
> well.
>

I doubt you can even classify the zipfile module's "decryption" support as
encryption.  It is trivially stupid, easily cracked (a 32bit crc based
"cipher").  The zipfile module does not support the various later encryption
schemes that use actual crypto algorithms.

I do not think we should support execution of python scripts or importing of
modules from encrypted zips.  I do not see a valid use case.

-gps
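
An added example, not part of the original message or of the zipfile module: it reads the general purpose bit flags quoted above (bit 0 "file is encrypted", bit 6 "strong encryption") for each member through `ZipInfo.flag_bits`, so an archive can be checked before anything is read or imported from it. The sample archive, its member names and the labels `plain`/`traditional`/`strong` are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001          # bit 0: "file is encrypted"
STRONG_ENCRYPTION = 0x0040  # bit 6: "strong encryption"


def classify(flag_bits):
    """Label a member from its general purpose bit flags (labels are illustrative)."""
    if flag_bits & STRONG_ENCRYPTION:
        return "strong"
    if flag_bits & ENCRYPTED:
        return "traditional"
    return "plain"


def member_encryption(archive_bytes):
    """Return {member name: label}, read from the central directory only."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {i.filename: classify(i.flag_bits) for i in zf.infolist()}


def build_sample():
    """Constructed sample: three stored members with flag bits patched in afterwards.

    Only the central directory is patched; the member data is not really encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.py", "legacy.py", "strong.py"):
            zf.writestr(name, "print('hi')\n")
    data = bytearray(buf.getvalue())
    patch = {b"legacy.py": ENCRYPTED, b"strong.py": ENCRYPTED | STRONG_ENCRYPTION}
    # End-of-central-directory record is the last 22 bytes (no archive comment).
    count, _size, pos = struct.unpack_from("<HII", data, len(data) - 22 + 10)
    for _ in range(count):
        flags, = struct.unpack_from("<H", data, pos + 8)       # flag field
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = bytes(data[pos + 46:pos + 46 + name_len])
        struct.pack_into("<H", data, pos + 8, flags | patch.get(name, 0))
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    for member, label in member_encryption(build_sample()).items():
        print(f"{member}: {label}")
```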