Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Adding a password to Zip compression ?

by peterr (Scribe)
on Jan 04, 2004 at 03:43 UTC ( #318595=perlquestion: print w/ replies, xml ) Need Help??
peterr has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have some files on a Linux box that I need to email to certain people. The email part is working okay, using MIME::Lite , however I now need to compress the files and add a password in them, before emailing. The people who receive the files will use something like WinZip, so they need to be in 'Zip" format.

I have looked at the module Archive::Zip , and compressing doesn't seem to be a problem.

Any clues on how to add a password ??

Thanks,

Peter

Comment on Adding a password to Zip compression ?
Re: Adding a password to Zip compression ?
by b10m (Vicar) on Jan 04, 2004 at 03:54 UTC
Re: Adding a password to Zip compression ?
by peterr (Scribe) on Jan 04, 2004 at 04:54 UTC
    Hi b10m,

    This has "recently" been discussed in Password Protected Zip files and Archive::ZIP. Unfortunately, you have to rely on some system call.

    Okay, thanks, I've had a look at that, and can see how to do it. But now after checking out the "man" for using the "zip" utility here , I'm starting to have second throughts about sending the (sensitive) information via email, even though the file would be password protected. The "man" doc suggested that the encryption used in ZIP is "weak".

    Maybe a better way of doing this, is to give the user a login (Apache/.htacess,etc) to a path, where he could view the information. Or use PGP to encrypt the file before emailing it ?

    There is also a HTTPS connection available, if I combined that with the (.htacess) login, would that be a better alternative ?

    Peter

      Do NOT rely on the zip format for encryption purposes. More proof from the writers of gzip and also in the great crypto book, "Applied Cryptography", it is easy to crack. You are right to use PGP or a proven cryptography package like openssl with a good cryptographic algorithm, like DES3.

      Play that funky music white boy..

      Ah, sensitive data. Nope, as sporty said, don't use the zip password thingy!

      You entered a realm of hassle now :) Sending out an e-mail with user/pass combo for a .htaccess protected site doesn't do much good either. The mail can be sniffed on it's way to the user, or the user's mailbox can be read by others (how many people do "lock" their screens when AFK?). The same argument is of course valid with the SSL connection. How does the user get his/her username/password? If you have the option of handing it over in person, go for that, otherwise: good luck :)

      I would opt for GPG/PGP encryption (although I dislike the idea of sending files over SMTP, but that's just my personal believe). A lot of Windows users seem to see PGP/GPG as a burden though, but I even convinced my mom to use it, so I bet everyone can be convinced after some (long) discussions :)

      --
      b10m
        Hi,

        What are my alternatives to use email/PGP ?

        The user needs to see this (sensitive) information, and already has an user/pass for .htaccess paths. I _think_ using .htaccess login though, even though the password is encrypted at 'root' level, sends the username/pwd across the internet as plain text, just like FTP. :(

        I guess I could setup another path/directory, and the user _has_ to use the SSL connection, plus a .htaccess login. Would that make the viewing of the information 'secure' ?

        Sorry this is a bit OT for Perl now, but considering what people have stated, using a zip password is not secure, using PGP/email may be difficult as I haven't used it before, and this user is not very computer literate at all.

        Peter

        Excuse me for butting in here, I've been out of the loop for a while on PGP. Didn't the U. professor sell PGP to someone (Netscape I think?) and there was a lot of concern about PGP being patented and no longer being secure anymore? The news broke out right about when my life took a turn for the worse and I didn't have the time then to track the PGP news.

        When you refer to GPG, I guess you're meaning the project at gnupg.com? I would guess so since a search turns up the gnupg.com site at the top, but they don't seem to refer to themselves as GPG.

        ----
        Thanks for your patience.
        Prove your knowledge @ HLPD

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://318595]
Approved by rlb3
Front-paged by Courage
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (8)
As of 2014-08-29 06:52 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (276 votes), past polls