What encryption method is used by the zip program in macOS?

Question

In order to send a file securely I am going to encrypt/password protect a zip file. (Why I am doing this). I am using macOS Sierra 10.12.6 and through my research I have concluded that encrypting a zip file is done the following way on macOS,

zip -e [newzip].zip [myFile].[extension]

This works perfectly, but I would like to make sure that the algorithm/method used to encrypt the zip is secure. Unfortunately, I can't find any documentation on what algorithm/method the zip command uses to encrypt, whether its AES-256bit, AES-128bit, or something completely different.

The man page of zip is no help:

-e
       --encrypt
              Encrypt the contents of the zip archive using a  password  which
              is  entered  on  the terminal in response to a prompt (this will
              not be echoed; if standard error is not a  tty,  zip  will  exit
              with  an  error).   The  password prompt is repeated to save the
              user from typing errors.

Please include in your answer the algorithm that is used, a possible source for this information, and if it is not AES-256bit/AES-128bit, then how secure the algorithm/method is.

Answer 1

It's using the original PKZIP 2.0 encryption (variously referred to as "traditional" or "legacy" encryption), described in section 6 of the .ZIP file format specification. It's based on using CRC32 to mix the password, a (hopefully) random seed, and the compressed file. It is not considered secure; at the very least, it has serious vulnerabilities to known-plaintext attacks (see this crypto.se answer for a summary).

Update: Michael Stay developed a better attack in order to recover some Bitcoin private keys for a client. Details in Michael's blog post and DEF CON talk, and coverage at Wired and Hacker News.

This is based on: looking at Apple's source code for ZIP. The README.CR says:

The encryption code is a direct transcription of the algorithm from Roger Schlafly, described by Phil Katz in the file appnote.txt. This file is distributed with the PKZIP program (even in the version without encryption capabilities). Note that the encryption will probably resist attacks by amateurs if the password is well chosen and long enough (at least 8 characters) but it will probably not resist attacks by experts. Paul Kocher has made available information concerning a known-plaintext attack for the PKWARE encryption scheme; see http://www.cryptography.com/ for details.) Short passwords consisting of lowercase letters only can be recovered in a few hours on any workstation. But for casual cryptography designed to keep your mother from reading your mail, it's OK.

Note that the file says was last updated in 2008, so when it talks about password recovery "in a few hours on any workstation", it's talking about decade-old hardware. I'm slightly confused about what version of Zip Apple is actually using. README.CR seems to indicate it's v2.31, but WHATSNEW lists new features in Zip v3.0 beta (and says AES is planned for v3.1). In any case, it's pretty old.

As further support, the file crypto.c (while a bit hard to follow) is clearly using CRC32 for the encrypt/decrypt processes, and the only mentions of AES are in several files that say it's planned for a later version.

Oh, and I also tried creating an encrypted file with it, and then looked at a hex dump. It doesn't contain 0x0017, which is the header ID for a "strong encryption header". It does have an extra 12 bytes of seed data (part of the "legacy" format) along with each file. So that matches the source code and README.

Summary: don't use it. I'd look for third-party Zip utilities that support more modern encryption, but I'm not familiar enough with any of them to make recommendations.