
Providing self-extracting encrypted downloads from a web site

The web site I'm working on currently provides an option for the user to download their data in an encrypted zip file. Standard zip file encryption is nearly worthless (so I've read), so I'm looking to replace that with something that uses AES encryption but still has a self-extracting format. There are a couple of issues with doing this, which I am sure someone has worked through before:

  1. I don't know what platform the user is on (Mac or Windows or Linux) so I can't just make a self-extracting .exe file and assume that will work. I suppose I will need to ask. (I am already asking for a password.)
  2. My web site is running on Linux, and I suspect that most programs that produce self-extracting encrypted .exe files expect to be run (to make the .exe) on a Windows machine. I suppose I could set up a virtual machine running Windows, and have my Linux server send that virtual machine a request (and the data) to make the .exe, but that sounds complicated.


The "ZIP encryption being rubbish" controversy was from a long time ago (see here). The main issue with ZIP encryption is that although it uses a 128-bit AES cypher, it still requires a password from the user. Attackers have already determined how the ZIP program generates a key from the password, so when a user-entered password contains low entropy (i.e. a simple password), it becomes very easy to brute force the key and open the file. If you assign a large, very random password, it is considered very secure.
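
The point made in the answer above, as an added example that is not part of the original post: the password-to-key step is public and deterministic, so the strength of the archive comes from the entropy of the password, which the server can generate itself. The KDF parameters (PBKDF2-HMAC-SHA1, 1000 iterations, 16-byte key) and the guess rate are assumptions modelled on the published WinZip AES format, and all function names are hypothetical.

```python
import hashlib
import math
import secrets
import string

# Assumed parameters (not from the page), modelled on the WinZip AES format.
KDF_ITERATIONS = 1000
KEY_BYTES = 16                                    # AES-128 key length
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
ASSUMED_GUESSES_PER_SECOND = 1e9                  # illustrative attacker rate


def derive_key(password: str, salt: bytes) -> bytes:
    """Public, deterministic password-to-key step; anyone can recompute it."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_BYTES)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(min_bits: int = 128) -> str:
    """Random password with at least min_bits of entropy, from the OS CSPRNG."""
    length = math.ceil(min_bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def expected_years_to_guess(bits: float,
                            rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average search time: half the password space at the assumed rate."""
    return (2 ** (bits - 1)) / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = secrets.token_bytes(8)                 # constructed sample salt
    strong = generate_password()
    print("generated password:", strong)
    print("derived key:", derive_key(strong, salt).hex())
    # A user-chosen 8-letter lowercase password, best case (truly random):
    weak_bits = entropy_bits(8, 26)
    print(f"8 lowercase letters: {weak_bits:.1f} bits, "
          f"{expected_years_to_guess(weak_bits):.2e} years")
    strong_bits = entropy_bits(len(strong))
    print(f"generated: {strong_bits:.1f} bits, "
          f"{expected_years_to_guess(strong_bits):.2e} years")
```
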
