Encrypted ZIP shows contents structure #592

Closed
artincube opened this issue Jul 21, 2020 · 7 comments

Possible Security Issue

Configuration
Keka version: Version 1.1.30 (3477)
macOS version: macOS 10.14.6 (18G6020)

Describe the bug
Create a zip with a password and 256 encryption. I upload these to Google Drive (web interface) and without password I can see the content of one of the zips, in Google Drive. I repeated with that folder, same result. This is quite a security issue if I don't miss a step.

To Reproduce
Steps to reproduce the behavior:

  1. Set Keka with ZIP 256bits encryption
  2. Drop several folders to zip them individually, then upload these to Google Drive.
  3. Then I noticed I didn't set up encryption on the first one, so deleted it from Google Drive, re-zipped it locally with encryption and uploaded again. I could see content in Google Drive!
  4. I then tried again changing the name of the folder before zipping it, thinking to avoid potential issues with that (upload delete reupload same name file). But same again, content accessible. Wow
@artincube artincube added the bug label Jul 21, 2020
@aonez aonez changed the title [BUG] [BUG] Encrypted ZIP shows contents structure Jul 21, 2020
@aonez aonez added zip and removed bug labels Jul 21, 2020
@aonez aonez modified the milestones: 1.0.16, How-to Jul 21, 2020
@aonez aonez added the question label Jul 21, 2020
Owner

aonez commented Jul 21, 2020

@artincube encrypted ZIP files have the contents structure (filenames) unencrypted by design. That's why you can see the structure of the file without needing the password. You can't extract them without the password in any case.

If you want to also encrypt the filenames I suggest you use 7Z with the "Encrypt filenames" option enabled.

Hope this helps :)
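
The behaviour described in this answer can be checked locally before an archive is uploaded. This is an added example, not part of the original thread or Keka's code: it builds a constructed ZIP whose entries carry the encrypted flag (the file names and the random bytes standing in for ciphertext are assumptions, not real AES entries) and reads it with Python's standard `zipfile` module without a password.

```python
import io, os, struct, zipfile, zlib

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry data is encrypted
UTF8_NAMES = 0x0800  # general-purpose flag bit 11: names are UTF-8

def build_sample_zip(names):
    """Constructed sample: entries flagged as encrypted, with random bytes
    standing in for ciphertext. Names go into the headers in clear text."""
    body = central = b""
    flags = ENCRYPTED | UTF8_NAMES
    for name in names:
        raw, data = name.encode("utf-8"), os.urandom(32)
        crc, offset = zlib.crc32(data), len(body)
        # Local file header, then name, then the (placeholder) encrypted data.
        body += struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(raw), 0) + raw + data
        # Central directory record: the listing every archive tool reads.
        central += struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, 0,
                               0, 0x21, crc, len(data), len(data), len(raw),
                               0, 0, 0, 0, 0, offset) + raw
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(names), len(names),
                       len(central), len(body), 0)
    return body + central + eocd

def list_without_password(blob):
    """Return (name, size, encrypted?) per entry; no password is supplied."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & ENCRYPTED))
                for i in zf.infolist()]

def content_needs_password(blob, name):
    """True if reading the entry's data is refused without a password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            zf.read(name)
        except RuntimeError:  # zipfile's error for an encrypted entry, no pwd
            return True
    return False

if __name__ == "__main__":
    sample = build_sample_zip(["taxes-2019/return.pdf", "taxes-2019/id-scan.jpg"])
    for name, size, enc in list_without_password(sample):
        print(f"{name}  {size} bytes  encrypted={enc}")
    print(content_needs_password(sample, "taxes-2019/return.pdf"))
```

Running `list_without_password` on a real password-protected ZIP shows exactly which names and sizes a storage provider or anyone holding the file can read.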

@aonez aonez added the wont fix label Jul 21, 2020

stale bot commented Aug 15, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


wkhan69 commented Jun 1, 2021

Can this be a feature request for Keka? I think it would greatly add to the security of protecting an archive.

Owner

aonez commented Jun 1, 2021

@wkhan69 this is something that must be implemented in the ZIP standard, not directly in Keka, otherwise it will break compatibility. I strongly recommend you use 7Z instead when that level of encryption is required. It is more and more supported natively (Mac and Linux).


wkhan69 commented Jun 1, 2021

This sounds great, but upon looking at the 7-Zip SourceForge discussion, I see that Keka is a 7-Zip port to Mac (with a GUI) (made by yourself - great job!!!!). So, if Keka is a 7-Zip macOS port, is this filename encryption a feature of 7-Zip that cannot or will not be part of Keka?

Owner

aonez commented Jun 1, 2021

I think we are missing something here 😅

  • You can encrypt the filenames using the 7Z format in Keka. Note that 7Z format in Keka always uses 256AES encryption, thus no checkbox for that option:

Screenshot 2021-06-01 at 10 14 30

  • You can create ZIP files with 256AES encryption but you can't encrypt filenames using the ZIP format (the format does not support that feature):

Screenshot 2021-06-01 at 10 14 55

So that 7-Zip feature is also available in Keka but is a feature for the 7Z format, not for the ZIP format. See the difference?


wkhan69 commented Jun 1, 2021

Hi - you are indeed correct. When I save the archive as .7z and click "Encrypt filenames", it indeed works fine, i.e. I cannot look at the file names on Windows or Mac using any archive extractor without entering the password. Thanks for clarifying!
Will

@aonez aonez changed the title [BUG] Encrypted ZIP shows contents structure Encrypted ZIP shows contents structure Nov 12, 2021