PKZip Must Open Up
By Brian Livingston


Imagine that you've just bought a bag of fresh, tasty walnuts from a local farmer and that you're looking forward to sitting in the cool shade of a leafy tree, cracking open the walnuts and chowing down their crunchy contents.

To your dismay, you find that you can't open the shells. A farmhand passing by calls out, "Your nutcracker is incompatible, you idiot."

This is a future we face if we lose the interoperability of password-protected Zip files. Two of the most widely deployed zip/unzip tools, PKZip and WinZip, have started using different methods of encrypting their output. The upshot? Even with the correct password, your users may no longer be able to open encrypted Zip files they receive from other people—and your help desk will get the calls.

This situation has been simmering for a while, and now it's coming to a boil.

The latest rumblings impelled me to investigate. We hardly need yet another schism such as DVD-R versus DVD+R to drive us nuts. PKZip, a product of PKWare, added a feature last year that creates Zip files with stronger encryption. But on July 16, the company applied for a patent and suggested it intends to charge other developers license fees to process such Zip files.

WinZip has added its own version of strong encryption, but it can't read PKZip's encrypted files. Edwin Siebesma, president of WinZip Computing, says competing developers can't easily do so because PKWare hasn't fully documented its use of PKI (public-key infrastructure). "They published the specs for their password encryption but not for the PKI encryption," Siebesma said in an interview.

The implementations by both PKZip and WinZip rely upon the well-tested and royalty-free AES (Advanced Encryption Standard) algorithm. Both methods, therefore, produce solid encryption. But the fact that PKZip's AES-encrypted Zip files can't be read by other unzipping software—and the AES-encrypted files of other unzipping software can't be read by PKZip—should concern enterprise managers everywhere.

It would be easy to gloss over this incompatibility. You might think that, thanks to widespread broadband connections, Zip files aren't much needed since we can exchange big files as e-mail attachments. But if we allow the Zip standard to splinter today, it encourages vendors to splinter other formats tomorrow.

We need security measures to become more interoperable, not less. With viruses and worms spreading faster than you can say Blaster, enterprises need a reliable way for users to accept files securely. If you receive an e-mail with an encrypted Zip file attached and the file accepts an obscure password that you and a trusted colleague previously agreed to use, you can be sure the attachment isn't from some worm that used a forged "from" line. This is a procedure that even a marketing vice president can understand.

PKWare executives declined to be interviewed for this column. But the company has made plenty of statements that have long been on the record. Phil Katz, the original developer of PKZip, announced in 1989, "The ZIP file format is given freely into the public domain and can be claimed neither legally nor morally by any individual, entity or company." Katz passed away in 2000, and others now direct PKWare. But PKZip 6.0—the current version—still states in its user manual the exact same principle: "Because PKWARE has dedicated the .ZIP file format to the public domain, it is possible for other people to write programs which can read .ZIP files."

Because of this openness, numerous companies now sell unzip utilities. Basic Zip support is even built into Windows XP. To permit compatibility, WinZip has responsibly disclosed its new encryption method for all to see, although PKWare has yet to implement support for it.

PKWare's approach to PKZip is technologically and commercially stupid. Until all Zip files it produces are readable by all unzip programs, enterprises should simply stop buying PKZip.

Brian Livingston is editor of BriansBuzz.com and co-author of "Windows Me Secrets" and nine other books. His column appears every other week in eWEEK. Send your comments to eWEEK@ziffdavis.com.

     