
TECHNOLOGY SPECIAL REPORT

The End of .Zip Compression as We Know It

Software constantly evolves, and change often sparks controversy. Such is the case with Zip, a popular file-compression technology that almost every computer user has run into at one time or another. One reason why the technology, developed back in 1986, has gained such widespread acceptance is that customers have been able to mix and match different vendors’ Zip products without having to worry about file compatibility. Soon, however, that might change.

In adding stronger encryption-security features to their products, Zip suppliers PKWare and WinZip Computing have taken divergent paths. While each company says it wants to promote a common standard, it seems unlikely that will occur in the short term, although customers and third-party vendors might move to forge a common standard eventually.

File-compression utilities originally emerged when PCs had limited memory and most users worked with dial-up connections. As broadband Internet connections became popular and hard drives gained oodles of capacity, the need to squeeze files to save space or bandwidth lessened.

In addition, support for basic reading and extraction of Zip files has been built into recent versions of operating systems like Microsoft’s Windows. As a result, Zip software vendors have had to look for other ways to position their products.

Openness Requires Security Checks

With companies exchanging data with a wider variety of customers, suppliers and partners, security concerns have risen. The new security functions in PKZip and WinZip are intended to ensure enterprise customers continue to rely on the products by emphasizing Zip as a secure way to exchange files, rather than as a simple way to save space on a hard disk or to save bandwidth on a network link.

PKWare, which created and published the Zip standard, released an update in the spring of 2003 that supports RC2, RC4, DES, 3DES and AES encryption algorithms and works with both password and certificate-based (public key) encryption. Traditionally, the company has published any changes to the Zip standard so third parties can use the specification to design compatible, complementary and even competing products.

Phil Katz, the original developer of PKZip who died in 2000, said in 1989, “The Zip file format is given freely into the public domain and can be claimed neither legally nor morally by any individual, entity or company.”

The company took this open road when it recently found a way to increase the maximum size of a Zip file and made that specification public. So far, however, the firm has been unwilling to publish all of the information about its new security and encryption features. The company has published its password encryption scheme, but it has not done that with its public key encryption method.

“Our software runs on a number of different platforms, so we have to make sure that it works on each one before we would publish all of our interfaces,” said Steve Crawford, chief marketing officer at PKWare, which has not ruled out eventually taking the step to make its specification public and open to competing software developers.

Patent Pending

In addition, the company has applied for patents for its security-related extensions and has developed a licensing program for third parties interested in using them. In October, the company announced a free reader that works with the new encryption features to decompress encrypted files.

The company’s stance has put competitors in a bind. If customers download the PKWare reader, then they might have little use for other Zip products. Edwin Siebesma, president of WinZip, found PKWare’s new licensing agreement tighter and more restrictive than previous ones. Another problem is that vendors want to deliver security functions now and do not want to wait for PKWare to publish the public key specification.

As a result, WinZip, the creator of a popular competing Zip utility, announced in May its own version of Zip that supports the 128- and 256-bit Advanced Encryption Standard (AES). The WinZip security extensions are based on encryption keys that are incompatible with PKWare’s format. So while both programs use the basic .Zip file extension to designate both secure and standard files, they do not interoperate.
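Because both schemes share the .zip extension, the only way to tell which one an entry uses is to read the archive's header metadata. The following is an added example, not code from PKWare, WinZip or the original article; the flag bits, method value 99 and extra-field ID 0x9901 are taken from the published Zip and WinZip AES specifications, and the sample entries are constructed.

```python
import struct
import zipfile

ENCRYPTED = 0x0001         # general purpose bit 0: entry is encrypted
STRONG = 0x0040            # general purpose bit 6: PKWare strong encryption
WINZIP_AES_METHOD = 99     # compression method value used by WinZip AES entries
WINZIP_AES_EXTRA = 0x9901  # extra-field header ID carrying the AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}


def extra_fields(extra):
    """Yield (header_id, data) pairs from a Zip extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        yield header_id, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify(info):
    """Name the encryption scheme of one entry from its header metadata."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == WINZIP_AES_METHOD:
        for header_id, data in extra_fields(info.extra):
            if header_id == WINZIP_AES_EXTRA and len(data) >= 7:
                return f"winzip-aes-{AES_BITS.get(data[4], 'unknown')}"
        return "winzip-aes-malformed"
    if info.flag_bits & STRONG:
        return "pkware-strong"
    return "traditional-pkware"


def scan(archive):
    """Map every entry name in a .zip (path or file object) to its scheme."""
    with zipfile.ZipFile(archive) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


def constructed_entry(name, flags, method, extra=b""):
    """Build a ZipInfo by hand: sample metadata, not from a real archive."""
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type, info.extra = flags, method, extra
    return info


# Constructed WinZip AES extra field: version 2, vendor "AE", 256-bit, deflate.
AES256_EXTRA = struct.pack("<HHH2sBH", WINZIP_AES_EXTRA, 7, 2, b"AE", 3, 8)
```

Only header metadata is read; nothing is decrypted or extracted, so `scan` is safe to run on an archive before deciding which tool can open it.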

Two Zips Are Better Than One

Consequently, a user could download a file with one program and be unable to open it with the other. “We would have preferred that every Zip supplier support the same standard, but since PKWare was unwilling to publish its interface, we felt it necessary to develop our own,” Siebesma told TechNewsWorld.

WinZip has published the documentation for its encryption technique to allow authors of other Zip file utilities to adopt it. PKWare’s patents, which have not been formally granted yet, represent another potential area of disagreement. If they were granted, the company could sue WinZip on the grounds that its technology infringes on the patents.

Currently, few programs other than PKZip and WinZip support the new Zip security functions, so the impact of the schism has been minimal so far. Also, users have the option of turning off the encryption functions during transmissions, although some may not feel comfortable taking that step.

It is too early to tell what will happen next in this soap opera. To date, few third parties have licensed PKWare’s encryption technology or incorporated WinZip’s interface into their products, steps that could occur in the coming months. If one of the options gains prominence, a de facto standard could emerge. That standard could be users’ best hope, because it appears unlikely that the two sides will reach a compromise on their own.
