AES Encryption Information:
Encryption Specification AE-1 and AE-2

Document version: 1.04
Last modified: January 30, 2009

NOTE: WinZip^(R) users do not need to read or understand the information
contained on this page. It is intended for developers of Zip file utilities.

Changes since the original version of this document are summarized in the
Change History section below.

This document describes the file format that WinZip uses to create
AES-encrypted Zip files. The AE-1 encryption specification was introduced in
WinZip 9.0 Beta 1, released in May 2003. The AE-2 encryption specification, a
minor variant of the original AE-1 specification differing only in how the CRC
is handled, was introduced in WinZip 9.0 Beta 3, released in January, 2004.
Note that as of WinZip 11, WinZip itself encrypts most files using the AE-1
format and encrypts others using the AE-2 format.

From time to time we may update the information provided here, for example to
document any changes to the file formats, or to add additional notes or
implementation tips. If you would like to receive e-mail announcements of any
substantive changes we make to this document, you can sign up below for our
Developer Information mailing list.

Without compromising the basic Zip file format, WinZip Computing has extended
the format specification to support AES encryption, and this document fully
describes the format extension. Additionally, we are providing information
about a no-cost third-party source for the actual AES encryption code--the same
code that is used by WinZip. We believe that use of the free encryption code
and of this specification will make it easy for all developers to add
compatible advanced encryption to their Zip file utilities.

This document is not a tutorial on encryption or Zip file structure. While we
have attempted to provide the necessary details of the current WinZip AES
encryption format, developers and other interested third parties will need to
have or obtain an understanding of basic encryption concepts, Zip file format,
etc.

Developers should also review AES Coding Tips page.

WinZip Computing makes no warranties regarding the information provided in this
document. In particular, WinZip Computing does not represent or warrant that
the information provided here is free from errors or is suitable for any
particular use, or that the file formats described here will be supported in
future versions of WinZip. You should test and validate all code and techniques
in accordance with good programming practice.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Contents

 I. Encryption services
II. Zip file format
     A. Base format reference
     B. Compression method and encryption flag
     C. CRC value
     D. AES extra data field
III. Encrypted file storage format
     A. File format
     B. Salt value
     C. Password verification value
     D. Encrypted file data
     E. Authentication code
IV. Changes in WinZip 11
 V. Notes
     A. Non-files and zero-length files
     B. "Mixed" Zip files
     C. Key generation
VI. FAQs
VII. Change history
VIII. Mailing list signup


I. Encryption services

To perform AES encryption and decryption, WinZip uses AES functions written by
Dr. Brian Gladman. The source code for these functions is available in C/C++
and Pentium family assembler for anyone to use under an open source BSD or GPL
license from the AES project page on Dr. Gladman's web site. The AES Coding
Tips page also has some information on the use of these functions. WinZip
Computing thanks Dr. Gladman for making his AES functions available to anyone
under liberal license terms.

Dr. Gladman's encryption functions are portable to a number of operating
systems and can be static linked into your applications, so there are no
operating system version or library dependencies. In particular, the functions
do not require Microsoft's Cryptography API.

General information on the AES standard and the encryption algorithm (also
known as Rijndael) is readily available on the Internet. A good place to start
is http://www.nist.gov/public_affairs/releases/g00-176.htm.

II. Zip file format

 A. Base format reference

    AES-encrypted files are stored within the guidelines of the standard Zip
    file format using only a new "extra data" field, a new compression method
    code, and a value in the CRC field dependant on the encryption version,
    AE-1 or AE-2. The basic Zip file format is otherwise unchanged.

    WinZip sets the version needed to extract and version made by fields in the
    local and central headers to the same values it would use if the file were
    not encrypted.

    The basic Zip file format specification used by WinZip is available via FTP
    from the Info-ZIP group at ftp://ftp.info-zip.org/pub/infozip/doc/
    appnote-iz-latest.zip.

 B. Compression method and encryption flag

    As for any encrypted file, bit 0 of the "general purpose bit flags" field
    must be set to 1 in each AES-encrypted file's local header and central
    directory entry.

    Additionally, the presence of an AES-encrypted file in a Zip file is
    indicated by a new compression method code (decimal 99) in the file's local
    header and central directory entry, used along with the AES extra data
    field described below. There is no change in either the version made by or
    version needed to extract codes.

    The code for the actual compression method is stored in the AES extra data
    field (see below).

 C. CRC value

    For files encrypted using the AE-2 method, the standard Zip CRC value is
    not used, and a 0 must be stored in this field. Corruption of encrypted
    data within a Zip file is instead detected via the authentication code
    field.

    Files encrypted using the AE-1 method do include the standard Zip CRC
    value. This, along with the fact that the vendor version stored in the AES
    extra data field is 0x0001 for AE-1 and 0x0002 for AE-2, is the only
    difference between the AE-1 and AE-2 formats.

    NOTE: Zip utilities that support the AE-2 format are required to be able to
    read files that were created in the AE-1 format, and during decryption/
    extraction of files in AE-1 format should verify that the file's CRC
    matches the value stored in the CRC field.

 D. AES extra data field
     1. A file encrypted with AES encryption will have a special "extra data"
        field associated with it. This extra data field is stored in both the
        local header and central directory entry for the file.

        Note: see the Zip file format document referenced above for general
        information on the format and use of extra data fields.

     2. The extra data header ID for AES encryption is 0x9901. The fields are
        all stored in Intel low-byte/high-byte order. The extra data field
        currently has a length of 11: seven data bytes plus two bytes for the
        header ID and two bytes for the data size. Therefore, the extra data
        overhead for each file in the archive is 22 bytes (11 bytes in the
        central header plus 11 bytes in the local header).
     3. The format of the data in the AES extra data field is as follows. See
        the notes below for additional information.

        Offset Size(bytes) Content

        0      2           Extra field header ID (0x9901)

        2      2           Data size (currently 7, but subject
                           to possible increase in the future)

        4      2           Integer version number specific to
                           the zip vendor

        6      2           2-character vendor ID

        8      1           Integer mode value indicating AES
                           encryption strength

        9      2           The actual compression method used to
                           compress the file

     4. Notes
          ☆ Data size: this value is currently 7, but because it is possible
            that this specification will be modified in the future to store
            additional data in this extra field, vendors should not assume that
            it will always remain 7.
          ☆ Vendor ID: the vendor ID field should always be set to the two
            ASCII characters "AE".
          ☆ Vendor version: the vendor version for AE-1 is 0x0001. The vendor
            version for AE-2 is 0x0002.

            Zip utilities that support AE-2 must also be able to process files
            that are encrypted in AE-1 format. The handling of the CRC value is
            the only difference between the AE-1 and AE-2 formats.

          ☆ Encryption strength: the mode values (encryption strength) for AE-1
            and AE-2 are:

            Value Strength

            0x01  128-bit encryption key

            0x02  192-bit encryption key

            0x03  256-bit encryption key

            The encryption specification supports only 128-, 192-, and 256-bit
            encryption keys. No other key lengths are permitted.

            (Note: the current version of WinZip does not support encrypting
            files using 192-bit keys. This specification, however, does provide
            for the use of 192-bit keys, and WinZip is able to decrypt such
            files.)

          ☆ Compression method: the compression method is the one that would
            otherwise have been stored in the local and central headers for the
            file. For example, if the file is imploded, this field will contain
            the compression code 6. This is needed because a compression method
            of 99 is used to indicate the presence of an AES-encrypted file
            (see above).

III. Encrypted file storage format

 A. File format

    Additional overhead data required for decryption is stored with the
    encrypted file itself (i.e., not in the headers). The actual format of the
    stored file is as follows; additional information about these fields is
    below. All fields are byte-aligned.

    Size     Content
    (bytes)

    Variable Salt value

    2        Password verification value

    Variable Encrypted file data

    10       Authentication code

    Note that the value in the "compressed size" fields of the local file
    header and the central directory entry is the total size of all the items
    listed above. In other words, it is the total size of the salt value,
    password verification value, encrypted data, and authentication code.

 B. Salt value

    The "salt" or "salt value" is a random or pseudo-random sequence of bytes
    that is combined with the encryption password to create encryption and
    authentication keys. The salt is generated by the encrypting application
    and is stored unencrypted with the file data. The addition of salt values
    to passwords provides a number of security benefits and makes dictionary
    attacks based on precomputed keys much more difficult.

    Good cryptographic practice requires that a different salt value be used
    for each of multiple files encrypted with the same password. If two files
    are encrypted with the same password and salt, they can leak information
    about each other. For example, it is possible to determine whether two
    files encrypted with the same password and salt are identical, and an
    attacker who somehow already knows the contents of one of two files
    encrypted with the same password and salt can determine some or all of the
    contents of the other file. Therefore, you should make every effort to use
    a unique salt value for each file.

    The size of the salt value depends on the length of the encryption key, as
    follows:

    Key size Salt size

    128 bits 8 bytes

    192 bits 12 bytes

    256 bits 16 bytes

 C. Password verification value

    This two-byte value is produced as part of the process that derives the
    encryption and decryption keys from the password. When encrypting, a
    verification value is derived from the encryption password and stored with
    the encrypted file. Before decrypting, a verification value can be derived
    from the decryption password and compared to the value stored with the
    file, serving as a quick check that will detect most, but not all,
    incorrect passwords. There is a 1 in 65,536 chance that an incorrect
    password will yield a matching verification value; therefore, a matching
    verification value cannot be absolutely relied on to indicate a correct
    password.

    Information on how to obtain the password verification value from Dr.
    Gladman's encryption library can be found on the coding tips page.

    This value is stored unencrypted.

 D. Encrypted file data

    Encryption is applied only to the content of files. It is performed after
    compression, and not to any other associated data. The file data is
    encrypted byte-for-byte using the AES encryption algorithm operating in
    "CTR" mode, which means that the lengths of the compressed data and the
    compressed, encrypted data are the same.

    It is important for implementors to note that, although the data is
    encrypted byte-for-byte, it is presented to the encryption and decryption
    functions in blocks. The block size used for encryption and decryption must
    be the same. To be compatible with the encryption specification, this block
    size must be 16 bytes (although the last block may be smaller).

 E. Authentication code

    Authentication provides a high quality check that the contents of an
    encrypted file have not been inadvertently changed or deliberately tampered
    with since they were first encrypted. In effect, this is a super-CRC check
    on the data in the file after compression and encryption. (Additionally,
    authentication is essential when using CTR mode encryption because this
    mode is vulnerable to several trivial attacks in its absence.)

    The authentication code is derived from the output of the encryption
    process. Dr. Gladman's AES code provides this service, and information
    about how to obtain it is in the coding tips.

    The authentication code is stored unencrypted. It is byte-aligned and
    immediately follows the last byte of encrypted data.

    For more discussion about authentication, see the authentication code FAQ
    below.

IV. Changes in WinZip 11

Beginning with WinZip 11, WinZip makes a change in its use of the AE-1 and AE-2
file formats. The file formats themselves have not changed, and AES-encrypted
files created by WinZip 11 are completely compatible with version 1.02 the
WinZip AES encryption specification, which was published in January 2004.

WinZip 9.0 and WinZip 10.0 stored all AES-encrypted files using the AE-2 file
format, which does not store the encrypted file's CRC. WinZip 11 instead uses
the AE-1 file format, which does store the CRC, for most files. This provides
an extra integrity check against the possibility of hardware or software errors
that occur during the actual process of file compression/encryption or
decryption/decompression. For more information on this point, see the
discussion of the CRC below.

Because for some very small files the CRC can be used to determine the exact
contents of a file, regardless of the encryption method used, WinZip 11
continues to use the AE-2 file format, with no CRC stored, for files with an
uncompressed size of less than 20 bytes. WinZip 11 also uses the AE-2 file
format for files compressed in BZIP2 format, because the BZIP2 format contains
its own integrity checks equivalent to those provided by the Zip format's CRC.

Other vendors who support WinZip's AES encryption specification may want to
consider making a similar change to their own implementations of the
specification, to get the benefit of the extra integrity check that it
provides.

Note that the January 2004 version of the WinZip AE-2 specification, version
1.0.2, already required that all utilities that implemented the AE-2 format
also be able to process files in AE-1 format, and should check on decryption/
extraction of those files that the CRC was correct.

V. Notes

 A. Non-files and zero-length files

    To reduce Zip file size, it is recommended that non-file entries such as
    folder/directory entries not be encrypted. This, however, is only a
    recommendation; it is permissible to encrypt or not encrypt these entries,
    as you prefer.

    On the other hand, it is recommended that you do encrypt zero-length files.
    The presence of both encrypted and unencrypted files in a Zip file may
    trigger user warnings in some Zip file utilities, so the user experience
    may be improved if all files (including zero-length files) are encrypted.

    If zero-length files are encrypted, the encrypted data portion of the file
    storage (see above) will be empty, but the remainder of the encryption
    overhead data must be present, both in the file storage area and in the
    local and central headers.

 B. "Mixed" Zip files

    There is no requirement that all files in a Zip file be encrypted or that
    all files that are encrypted use the same encryption method or the same
    password.

    A Zip file can contain any combination of unencrypted files and files
    encrypted with any of the four currently defined encryption methods (Zip
    2.0, AES-128, AES-192, AES-256). Encrypted files may use the same password
    or different passwords.

 C. Key Generation

    Key derivation, as used by AE-1 and AE-2 and as implemented in Dr.
    Gladman's library, is done according to the PBKDF2 algorithm, which is
    described in the RFC2898 guidelines. An iteration count of 1000 is used. An
    appropriate number of bits from the resulting hash value are used to
    compose three output values: an encryption key, an authentication key, and
    a password verification value. The first n bits become the encryption key,
    the next m bits become the authentication key, and the last 16 bits (two
    bytes) become the password verification value.

    As part of the process outlined in RFC 2898 a pseudo-random function must
    be called; AE-2 uses the HMAC-SHA1 function, since it is a well-respected
    algorithm that has been in wide use for this purpose for several years.

    Note that, when used in connection with 192- or 256-bit AES encryption, the
    fact that HMAC-SHA1 produces a 160-bit result means that, regardless of the
    password that you specify, the search space for the encryption key is
    unlikely to reach the theoretical 192- or 256-bit maximum, and cannot be
    guaranteed to exceed 160 bits. This is discussed in section B.1.1 of the
    RFC2898 specification.

VI. FAQs

  • Why is the compression method field used to indicate AES encryption?

    As opposed to using new version made by and version needed to extract
    values to signal AES encryption for a file, the new compression method is
    more likely to be handled gracefully by older versions of existing Zip file
    utilities. Zip file utilities typically do not attempt to extract files
    compressed with unknown methods, presumably notifying the user with an
    appropriate message.

  • How can I guarantee that the salt value is unique?

    In principle, the value of the salt should be different whenever the same
    password is used more than once, for the reasons described above, but this
    is difficult to guarantee.

    In practice, the number of bytes in the salt (as specified by AE-1 and
    AE-2) is such that using a pseudo-random value will ensure that the
    probability of duplicated salt values is very low and can be safely
    ignored.

    There is one exception to this: With the 8-byte salt values used with
    WinZip's 128-bit encryption it is likely that, if approximately 4 billion
    files are encrypted with the same password, two of the files will have the
    same salt, so it is advisable to stay well below this limit. Because of
    this, when using the same password to encrypt very large numbers of files
    in WinZip's AES encryption format (that is, files totalling in the
    millions, for example 2000 Zip files, each containing 1000 encrypted
    files), we recommend the use of 192-bit or 256-bit AES keys, with their 12-
    and 16-byte salt values, rather than 128-bit AES keys, with their 8-byte
    salt values.

    Although salt values do not need to be truly random, it is important that
    they be generated in a way that the probability of duplicated salt values
    is not significantly higher than that which would be expected if truly
    random values were being used.

    One technique for generating salt values is presented in the coding tips
    page.

  • Why is there an authentication code?

    The purpose of the authentication code is to insure that, once a file's
    data has been compressed and encrypted, any accidental corruption of the
    encrypted data, and any deliberate attempts to modify the encrypted data by
    an attacker who does not know the password, can be detected.

    The current consensus in the cryptographic community is that associating a
    message authentication code (or MAC) with encrypted data has strong
    security value because it makes a number of attacks more difficult to
    engineer. For AES CTR mode encryption in particular, a MAC is especially
    important because a number of trivial attacks are possible in its absence.
    The MAC used with WinZip's AES encryption is based on HMAC-SHA1-80, a
    mature and widely respected authentication algorithm.

    The MAC is calculated after the file data has been compressed and
    encrypted. This order of calculation is referred to as Encrypt-then-MAC,
    and is preferred by many cryptographers to the alternative order of
    MAC-then-Encrypt because Encrypt-then-MAC is immune to some known attacks
    on MAC-then-Encrypt.

  • What is the role of the CRC in WinZip 11?

    Within the Zip format, the primary use of the CRC value is to detect
    accidental corruption of data that has been stored in the Zip file. With
    files encrypted according to the Zip 2.0 encryption specification, it also
    functions to some extent as a method of detecting deliberate attempts to
    modify the encrypted data, but not one that can be considered
    cryptographically strong. The CRC is not needed for these purposes with the
    WinZip AES encryption specification, where the HMAC-SHA1-based
    authentication code instead serves these roles.

    The CRC has a drawback in that for very small files, such as files with
    four or fewer bytes, the CRC can be used, independent of the encryption
    algorithm, to determine the unencrypted contents of the file. And, in
    general, it is preferable to store as little information as possible about
    the encrypted file in the unencrypted Zip headers.

    The CRC does serve one purpose that the authentication code does not. The
    CRC is computed based on the original uncompressed, unencrypted contents of
    the file, and it is checked after the file has been decrypted and
    decompressed. In contrast, the authentication code used with WinZip AES
    encryption is computed after compression/encryption and it is checked
    before decryption/decompression. In the very rare event of a hardware or
    software error that corrupts data during compression and encryption, or
    during decryption and decompression, the CRC will catch the error, but the
    authentication code will not.

    WinZip 9.0 and WinZip 10.0 used AE-2 for all files that they created, and
    did not store the CRC. As of WinZip 11, WinZip instead uses AE-1 for most
    files, storing the CRC as an additional integrity check against hardware or
    software errors occurring during the actual compression/encryption or
    decryption/decompression processes. WinZip 11 will continue to use AE-2,
    with no CRC, for very small files of less than 20 bytes. It will also use
    AE-2 for files compressed in BZIP2 format, because this format has internal
    integrity checks equivalent to a CRC check built in.

    Note that the AES-encrypted files created by WinZip 11 are fully compatible
    with January 2004's version 1.0.2 of the WinZip AES encryption
    specification, in which both the AE-1 and AE-2 variants of the file format
    were already defined.

VII. Change history

Changes made in document version 1.04, January, 2009: Minor clarification
regarding the algorithm used to generate the authentication code.

Changes made in document version 1.03, November, 2006: Minor editorial and
clarifying changes have been made throughout the document. The following
substantive technical changes have been made:

 A. WinZip 11 Usage of AE-1 and AE-2

    WinZip's AES encryption specification defines two formats, known as AE-1
    and AE-2, which differ in whether the CRC of the encrypted file is stored
    in the Zip headers. While the file formats themselves remain unchanged,
    WinZip's usage of them is changing. Beginning with WinZip 11, WinZip uses
    the AE-1 format, which includes the CRC of the encrypted file, for many
    encrypted files, in order to provide an additional integrity check against
    hardware or software errors occurring during the compression/encryption or
    decryption/decompression processes. Note that AES-encrypted files created
    by WinZip 11 are completely compatible with the previous version of the
    WinZip encryption specification, January 2004's version 1.0.2.

 B. The discussion of salt values mentions a limitation that applies to the
    uniqueness of salt values when very large numbers of files are encrypted
    with 128-bit encryption.
 C. Older versions of this specification suggested that other vendors might
    want to use their own vendor IDs to create their own unique encryption
    formats. We no longer suggest that vendor-specific alternative encryption
    methods be created in this way.

Changes made in document version 1.02, January, 2004: The introductory text at
the start of the document has been rewritten, and minor editorial and
clarifying changes have been made throughout the document. Two substantive
technical changes have been made:

 A. AE-2 Specification

    Standard Zip files store the CRC of each file's unencrypted data. This
    value is used to help detect damage or other alterations to Zip files.
    However, storing the CRC value has a drawback in that, for a very small
    file, such as a file of four or fewer bytes, the CRC value can be used,
    independent of the encryption algorithm, to help determine the unencrypted
    contents of the file.

    Because of this, files encrypted with the new AE-2 method store a 0 in the
    CRC field of the Zip header, and use the authentication code instead of the
    CRC value to verify that encrypted data within the Zip file has not been
    corrupted.

    The only differences between the AE-1 and AE-2 methods are the storage in
    AE-2 of 0 instead of the CRC in the Zip file header,and the use in the AES
    extra data field of 0x0002 for AE-2 instead of 0x0001 for AE-1 as the
    vendor version.

    Zip utilities that support the AE-2 format are required to be able to read
    files that were created in the AE-1 format, and during decryption/
    extraction of files in AE-1 format should verify that the file's CRC
    matches the value stored in the CRC field.

 B. Key Generation and HMAC-SHA1

    The description of the key generation mechanism has been updated to point
    out a limitation arising from its use of HMAC-SHA1 as the pseudo-random
    function: When used in connection with 192- or 256-bit AES encryption, the
    fact that HMAC-SHA1 produces a 160-bit result means that, regardless of the
    password that you specify, the search space for the encryption key is
    unlikely to reach the theoretical 192- or 256-bit maximum, and cannot be
    guaranteed to exceed 160 bits. This is discussed in section B.1.1 of the
    RFC2898 specification.

VII. Developer Information Mailing List Signup

We plan to use this mailing list to notify subscribers of any substantive
changes made to the Developer Information pages on the WinZip web site.



   If you enter your e-mail address above, you will receive a message
   asking you to confirm your wish to be added to the mailing list. If you
   don't reply to the confirmation message, you will not be added to the
   list.

   By subscribing to this complimentary mailing list service, you
   acknowledge and agree that WinZip Computing makes no representations
   regarding the completeness or accuracy of the information provided
   through the service, and that this service may be discontinued, in whole
   or in part, with respect to any or all subscribers at any time.
   * E-mail Address:
     [                    ]   [Submit to Support] [Clear Form]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Document version: 1.04
Last modified: January 30, 2009

Copyright(C) 2003-2015 WinZip International LLC.
All Rights Reserved
