WinXP + Zip AES = not supported?

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed


ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: WinXP + Zip AES = not supported?

Post by *ghisler(Author) »

Windows XP was released in 2001, and service pack 3 in 2008, according to Wikipedia. The Verisign Class 3 Code Signing 2010 CA certificate is from 2010.

So when you make a fresh install of Windows XP SP3, it's older than that certificate, and my signature cannot be verified. Please follow the instructions by Dalai to update your root certificates.
Author of Total Commander
https://www.ghisler.com
petermad
Power Member
Posts: 14739
Joined: 2003-02-05, 20:24 UTC
Location: Denmark

Re: WinXP + Zip AES = not supported?

Post by *petermad »

I installed my current Windows XP in Dec. 2017, and at that time Windows Update still worked in XP, so that is most likely why AES encryption works for me in my XP.
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1371a
TC 3.50b4 on Android 6 & 13
Try: TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: WinXP + Zip AES = not supported?

Post by *ghisler(Author) »

My installation in Virtualbox is also very old, so it did receive regular updates too...
Author of Total Commander
https://www.ghisler.com
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: WinXP + Zip AES = not supported?

Post by *Dalai »

It's funny that I can create AES-encrypted ZIP archives on my Win2k VM despite it not having the mentioned root CA, thus failing to fully verify the DLL's certificate chain. So I'm not sure if installing the root CA will actually change anything... To be fair, I haven't deleted the root CA from my XP VM, so it's a little bit like comparing apples and oranges.

Another note: Windows has an automatic certificate update mechanism which is independent from the regular Windows updates. XP already has this feature, and also a policy to disable it. This means that even newly installed XP systems should be able to get newer root certificates - if they have internet access.

I'm curious if installing the root CA helps MaxX to fix this.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: WinXP + Zip AES = not supported?

Post by *ghisler(Author) »

That's what the mentioned bugfix from 2016 is about:
28.06.16 Fixed: AES encryption in ZIP not working on Windows NT/2000
I simply disabled the certificate check on Windows NT/2000 because they were no longer getting any updates. Therefore there is a risk that your password gets stolen on these old systems, but they don't get security updates either, which is a much higher risk...

Maybe MaxX didn't connect his VM to the Internet? Or tried this on a freshly installed XP SP3 without waiting?
Author of Total Commander
https://www.ghisler.com
Usher
Power Member
Posts: 1675
Joined: 2011-03-11, 10:11 UTC

Re: WinXP + Zip AES = not supported?

Post by *Usher »

Waiting for automatic update in WinXPSP3 may take more than 24 hours.
Andrzej P. Wozniak
Polish subforum moderator
MaxX
Power Member
Posts: 1024
Joined: 2012-03-23, 18:15 UTC
Location: UA

Re: WinXP + Zip AES = not supported?

Post by *MaxX »

Clear snapshot (disk undo) + disabled WinUpdates.
That's why my VBox XP is clear and has been in freshly installed condition for years, since I made that .vhd (maybe 2010 or 2011)...

I suggest adding a check for when a cert error occurs, giving the user a chance to pack ZIP with AES without the cert check. It would be secure enough for my case.
Ukrainian Total Commander Translator. Feedback and discuss.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: WinXP + Zip AES = not supported?

Post by *ghisler(Author) »

Were you able to install the missing certificate as instructed above? I don't want to reduce the security for others because of a not up to date system, sorry.
Author of Total Commander
https://www.ghisler.com
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: WinXP + Zip AES = not supported?

Post by *Dalai »

MaxX wrote: 2022-06-01, 18:48 UTC
I suggest adding a check for when a cert error occurs, giving the user a chance to pack ZIP with AES without the cert check. It would be secure enough for my case.

After having thought about it for quite a while, I've come to disagree. If TC can't verify the DLL, it can't tell (before loading the DLL) if it's the expected DLL or an arbitrary one, maybe even a malicious one. Imagine this: Someone replaces the DLL without your knowledge and the next time you want to create such an archive, TC would ask whether or not to continue. As soon as you confirm it, TC may execute malicious code, and if the replaced DLL also creates the archive you expect it to create, you might not even notice the things it does behind your back. This is especially problematic where the DLL can be written during runtime, e.g. a portable TC installation.

But it's not just about the malicious code. Even a damaged DLL might create corrupted archives. The user might delete data thinking "the files are in the archive, so I don't need the unpacked ones anymore".

A better way to inform the user that the verification failed instead of just showing "Function not supported" - yes by all means! But I disagree on providing an option to continue despite the failed verification.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
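
The verify-before-load decision discussed in the post above, with a specific failure reason instead of a generic message, as an added PowerShell example. It is not Total Commander's code; the function name and the DLL path are placeholders, and it assumes PowerShell is installed on the system.

```powershell
# Added example, not Total Commander's code. Requires PowerShell, which a
# default Windows XP install does not include.
function Test-DllBeforeLoad {
    param([string]$DllPath)

    $sig = Get-AuthenticodeSignature -FilePath $DllPath
    $reason = $null

    switch ($sig.Status) {
        'Valid'        { }
        'NotSigned'    { $reason = 'file carries no Authenticode signature' }
        'HashMismatch' { $reason = 'file content does not match the signed hash (replaced or damaged)' }
        default {
            $reason = $sig.StatusMessage
            if ($sig.SignerCertificate) {
                # Rebuild the chain to see whether the root is the problem.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the VM may be offline
                [void]$chain.Build($sig.SignerCertificate)
                $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
                if ($flags -contains 'UntrustedRoot' -or $flags -contains 'PartialChain') {
                    $reason = 'signer chain does not end in a root trusted by this machine'
                }
            }
        }
    }

    # Fail closed: any status other than Valid means "do not load".
    New-Object PSObject -Property @{
        Path   = $DllPath
        Load   = ($sig.Status -eq 'Valid')
        Reason = $reason
    }
}

# Placeholder path; the thread does not name the DLL.
$check = Test-DllBeforeLoad -DllPath 'C:\path\to\library.dll'
if (-not $check.Load) {
    Write-Warning "Not loading $($check.Path): $($check.Reason)"
}
```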
MaxX
Power Member
Posts: 1024
Joined: 2012-03-23, 18:15 UTC
Location: UA

Re: WinXP + Zip AES = not supported?

Post by *MaxX »

Ok. No problem there. Security is a good reason.
Total7zip plugin can pack ZIP with AES256 on XP.
Now I just need some way to read ZIP with the plugin, not by TC.
Ukrainian Total Commander Translator. Feedback and discuss.
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: WinXP + Zip AES = not supported?

Post by *Dalai »

Any particular reason why you don't just import the single missing certificate to make it all work? Download VeriSign-Class 3-Public-Primary-Certification-Authority-G5.zip from the TrendMicro site I linked above, extract it and execute the included batch file. That's it.

If you want to completely avoid any downloads, you can also export this certificate from a system that has it in its certificate store and then import it on the XP system. Just make sure to import it into the local machine store, not the user store. The latter would make it work just for one user.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
MaxX
Power Member
Posts: 1024
Joined: 2012-03-23, 18:15 UTC
Location: UA

Re: WinXP + Zip AES = not supported?

Post by *MaxX »

It uses

CERTUTIL -addstore -f -v root "VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem"

but my XP has no CERTUTIL.
Ukrainian Total Commander Translator. Feedback and discuss.
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: WinXP + Zip AES = not supported?

Post by *Dalai »

Oh, you're right. Sorry for missing this detail. My server (with XP) has it because I've added it from a Server 2003 system or setup CD.

However, you can still import the certificate manually. Rename it to *.crt and then double-click on it. It will most probably say that it's not trusted because it isn't in the certificate store yet. Click the "Install certificate" button, select the "Show physical stores" checkbox and then select the "Local Computer" under Trusted Root CA to import the cert into the local machine store instead of the personal/user store.

Double clicking the certificate file again shouldn't show that it isn't trusted anymore. And opening certmgr.msc should show the certificate listed under Trusted Root CAs.

Here's a HowTo going a slightly different way (via the context menu): https://www.s-sols.com/install-root-certificate-in-windows

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
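
The manual import described in the post above, scripted without CERTUTIL, as an added PowerShell example that is not from the thread. It reports whether the certificate is in the machine store or only in the user store before adding it; the function name is hypothetical, and it assumes PowerShell is installed and the prompt has administrator rights.

```powershell
# Added example; run it from an administrator PowerShell prompt.
function Install-RootForAllUsers {
    param([string]$CertFile)

    $path = (Resolve-Path $CertFile).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    # Compare these with the same certificate on a system that already trusts it.
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"

    # Look for the certificate in both root stores.
    $present = @{}
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
        $store.Open('ReadOnly')
        $present[$location] = @($store.Certificates |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
        $store.Close()
    }

    if ($present['CurrentUser'] -and -not $present['LocalMachine']) {
        Write-Warning 'Certificate is only in the user store; it works for this user only.'
    }

    if ($present['LocalMachine']) {
        Write-Host 'Already in the local machine Trusted Root store; nothing to do.'
        return
    }

    # Add to the local machine store so every account trusts it.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    Write-Host 'Added to the local machine Trusted Root store.'
}

# File name as given in the thread.
Install-RootForAllUsers -CertFile 'VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem'
```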
MaxX
Power Member
Posts: 1024
Joined: 2012-03-23, 18:15 UTC
Location: UA

Re: WinXP + Zip AES = not supported?

Post by *MaxX »

That's too much to do on every boot (don't forget my disk undo). It makes no sense.
It would be easier to somehow read ZIP files with total7zip.
Ukrainian Total Commander Translator. Feedback and discuss.
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: WinXP + Zip AES = not supported?

Post by *Dalai »

Then do it once, and save that new state as the one to go back to.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror