Password protected archive

Backland
9th August 2007 17:04 UTC

Password protected archive
Hey all,

I'm looking for a way to provide a password protected archive with an installed (zip, rar, tarball, archive format doesnt really matter).

I've looked at the Nsisunz, UnTGZ and ZipDLL plugins, but none of them support encrypted archives.

Any ideas would be appreciated!

Red Wine
9th August 2007 17:45 UTC

Did you check the stand alone command line 7za.exe?
It might support such feature.

Backland
10th August 2007 10:18 UTC

I think thats a viable solution since 7z is redistributable, but my concern would be that it would be very easy to get the archive password by simply replacing 7za.exe with a dummy file, so some validation checks on the 7za.exe file would be needed.

Afrow UK
10th August 2007 12:14 UTC

Why? 7za.exe is the only way to enter the password to open the archive itself.

Stu

Anders
10th August 2007 12:29 UTC

If you pass the password as a parameter to 7za.exe, someone could just use process explorer to check the full command line it was launched with. In the end, no protection is 100%, your only hope is to stop people with limited knowledge

Afrow UK
10th August 2007 12:59 UTC

That is a problem. How about calling the dll instead then with the System plug-in?

Stu

Backland
11th August 2007 04:59 UTC

Yea, I was referring to the command line issue. Thanks for the pointer Stu, I completely overlooked the dll option, will go over the details for the library today.

Backland
11th August 2007 07:33 UTC

I've looked through the 7zip SDK, but there doesnt seem to be anything about using the compiled dll binary at runtime to extract an archive.

Zlib looks good, but doesnt support password protection.

ClayDowling
12th August 2007 11:40 UTC

Why does the archive have to be password protected? If you're extracting the contents during the install there isn't any great benefit.

If you're worried about somebody getting the contents by decompiling your installer check out the encryption plugins. You can encrypt the archives before putting them in the installer, then decrypt them before extraction.

If you'd like the decryption and extraction to occur after the software is installed OpenSSL has a lot of functions that can do this for you. The documentation on that package is not quite as clear as you might desire, but Linux Journal has articles on how to use it, and it works the same on Linux and Windows.

Backland
12th August 2007 15:17 UTC

Yeah, the point is to protect the files UNLESS they're extracted through the installer itself.

I'll look into the crypto plugin option, DcryptDll looks good.

sag47
12th August 2007 20:45 UTC

Re: Password protected archive

Originally posted by Backland
Hey all,

I'm looking for a way to provide a password protected archive with an installed (zip, rar, tarball, archive format doesnt really matter).

I've looked at the Nsisunz, UnTGZ and ZipDLL plugins, but none of them support encrypted archives.

Any ideas would be appreciated!

Se this thread:
Click Here

As far as cryptic details of the password protected archive; I don't know what encryption standards (AES, Twofish, Serpent) or hash algorythms (SSH1, SSH2, Whirlpool) are used in UHARC. Depending on how mission critical your files are it may be better to get a command line encryptor from http://www.sf.net and then use NSIS to automatically decrypt it (just search for encryption or something). You can use the same method that is used in automatically extracting UHARC archives as you can with extracting any command line based archive, whether it be encrypted, compressed, or both. However if all you need is simple password protection and not U.S. Government standard encryption then UHARC is good for you.

Here is a link to UHARC files:
ftp://ftp.elf.stuba.sk/pub/pc/pack/uharc06b.zip

You could also try bcrypt which uses blowfish (448-bit) encryption. They also provide the source code so there is not limit on implementation. Here is a link:
bcrypt Homepage on Source Forge

Here is one more link to help you get started:
Cryptography on SourceForge.net

If you have need for it I can suggest programs that use extremely strong encryption that are free.
SAM

sag47
12th August 2007 21:28 UTC

Originally posted by Backland
I think thats a viable solution since 7z is redistributable, but my concern would be that it would be very easy to get the archive password by simply replacing 7za.exe with a dummy file, so some validation checks on the 7za.exe file would be needed.

That is not a viable concern. You cannot simply replace the Zza.exe file with just a simple file that does nothing but extract archives. The same goes with all the popular compressors (RaR, UHARC, etc...)

Those archives create a hash and encrypt the archive that can only be decrypted with a key (in this case the key is the password). So if you replace a file with just a dummy file that does nothing but extract archives then it will see the archive as being corrupt or not in the format it should be and then throw an error saying something is wrong with the archive. So basically without the password it is just a file of random data that can't be accessed until that password is cracked. So depending on how complicated your password will be the security of your archive.
SAM

Edit: I believe I misunderstood your concern when I was replying. Do you mean a dummy file that does nothing but take the arguments given to it and store them in a text file? Because I could see where that would be a concern if you don't ask the user for the password for the archive. In that case I could see where the use of md5deep could be used that creates a hash of your file.

sag47
12th August 2007 23:44 UTC

Originally posted by Backland
I think thats a viable solution since 7z is redistributable, but my concern would be that it would be very easy to get the archive password by simply replacing 7za.exe with a dummy file, so some validation checks on the 7za.exe file would be needed.

I've changed the documentation to the Crypto Plug-in
http://nsis.sourceforge.net/Crypto_plug-in#File_Hash

Documentation now tells you how to do do a validation check on a file.

sag47
13th August 2007 00:31 UTC

Re: Re: Password protected archive

Originally posted by sag47
Se this thread:
Click Here

As far as cryptic details of the password protected archive; I don't know what encryption standards (AES, Twofish, Serpent) or hash algorythms (SSH1, SSH2, Whirlpool) are used in UHARC. Depending on how mission critical your files are it may be better to get a command line encryptor from http://www.sf.net and then use NSIS to automatically decrypt it (just search for encryption or something). You can use the same method that is used in automatically extracting UHARC archives as you can with extracting any command line based archive, whether it be encrypted, compressed, or both. However if all you need is simple password protection and not U.S. Government standard encryption then UHARC is good for you.

Here is a link to UHARC files:
ftp://ftp.elf.stuba.sk/pub/pc/pack/uharc06b.zip

You could also try bcrypt which uses blowfish (448-bit) encryption. They also provide the source code so there is not limit on implementation. Here is a link:
bcrypt Homepage on Source Forge

Here is one more link to help you get started:
Cryptography on SourceForge.net

If you have need for it I can suggest programs that use extremely strong encryption that are free.
SAM

I meant to say SHA-1 and MD5 not SSH1 and SSH2. Hehe, I was thinking diff thoughts when typing that :rolleyes:
SAM

Red Wine
13th August 2007 05:31 UTC

Originally posted by Backland
I'll look into the crypto plugin option, DcryptDll looks good.

DcryptDll is good enough for the job, after all you know that there's not 100% protection out there.

Backland
13th August 2007 09:30 UTC

Yeah that seems like a great option... and in this case (which needs some less complex protection), the files can be stored in a passworded archive, and the installer checks the integrity of the extraction module (such as 7z.exe) with a hash as suggested by sag47.