The web site I'm working on currently provides an option for the user to download their data in an encrypted zip file. Standard zip file encryption is nearly worthless (so I've read), so I'm looking to replace that with something that uses AES encryption but still has a self-extracting format. There are a couple of issues with doing this, which I am sure someone has worked through before:
- I don't know what platform the user is on (Mac or Windows or Linux) so I can't just make a self-extracting .exe file and assume that will work. I suppose I will need to ask. (I am already asking for a password.)
- My web site is running on Linux, and I suspect that most programs that produce self-extracting encrypted .exe files expect to be run (to make the .exe) on a Windows machine. I suppose I could set up a virtual machine running Windows, and have my Linux server send that virtual machine a request (and the data) to make the .exe, but that sounds complicated.
The "ZIP encryption is rubbish" controversy was from a long time ago (see here). The main issue with ZIP encryption is that although it uses a 128-bit AES cipher it still requires a password from the user. Attackers have already determined how the ZIP program generates a key from the password, so when a user-entered password contains low entropy (i.e. a simple password) it becomes very easy to brute-force the key and open the file. If you assign a large, very random password it is considered very secure.
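The answer's point about the key being derived from the password, as an added example that is not the poster's code: the script below generates a high-entropy archive password, bounds the guessing work for a password of a given length, and runs a PBKDF2 derivation of the kind WinZip-style AES zips use (PBKDF2-HMAC-SHA1, 1000 iterations, 16-byte salt for AES-256 are my reading of the WinZip AES spec and are assumptions here; the attacker rate is a constructed figure).

```python
import hashlib
import math
import secrets
import string

# Parameters assumed from the WinZip AES (AE-2) specification as I recall it:
# the AES key comes from PBKDF2-HMAC-SHA1 over the password with a per-entry salt.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 16   # salt length used for AES-256 entries (assumption)
KEY_LEN = 32    # AES-256 key in bytes

# Printable ASCII alphabet (94 symbols) used for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_archive_password(length: int = 32) -> str:
    """Random password from a CSPRNG; this is the 'large very random password' case."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a password chosen uniformly from `alphabet`: len * log2(|alphabet|).
    A dictionary word such as 'password' is far weaker than this bound suggests,
    because it is not chosen uniformly; the bound is only valid for random choice."""
    return len(password) * math.log2(len(alphabet))


def brute_force_seconds(password: str, derivations_per_second: float = 1e9,
                        alphabet: str = ALPHABET) -> float:
    """Worst-case time to try every password of this length, given an attacker who can
    run `derivations_per_second` PBKDF2 derivations (constructed rate, not a measurement)."""
    candidates = len(alphabet) ** len(password)
    return candidates / derivations_per_second


def derive_zip_key(password: str, salt: bytes) -> bytes:
    """Derive the AES-256 key the way a WinZip-style AES entry would (assumed parameters).
    A fresh random salt per entry stops precomputed tables, but does not add
    entropy to a weak password: the attacker simply reruns PBKDF2 per guess."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"expected a {SALT_LEN}-byte salt")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


if __name__ == "__main__":
    weak, strong = "password", generate_archive_password(32)
    for pw in (weak, strong):
        print(f"{len(pw):2d} chars: {password_entropy_bits(pw):6.1f} bits, "
              f"exhaustive search <= {brute_force_seconds(pw):.3g} s at 1e9 guesses/s")
    print("derived key:", derive_zip_key(strong, secrets.token_bytes(SALT_LEN)).hex())
```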