From c22c6c301eb10c0b34bb694e01f773c02813ae37 Mon Sep 17 00:00:00 2001
From: Michal Charemza <michal@charemza.name>
Date: Fri, 5 Jan 2024 10:42:24 +0000
Subject: [PATCH] docs: be more specific about the limitation of AE-2

This gives more specific limitations about AE-2, rather than just depending on
external links.

This is to allow people to make more informed decisions on whether to use it or
not. I am maybe torn on whether to refer to AE-2's "flaws" or "limitations",
but opting to use the word "flaws" since it's stronger and from the point of
view of people's expectations of encryption, more accurate.

This is done in repsonse to the request/discussion at
https://github.com/uktrade/stream-zip/issues/93
---
 docs/advanced-usage.md | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md
index 1be1495..d4851de 100644
--- a/docs/advanced-usage.md
+++ b/docs/advanced-usage.md
@@ -54,10 +54,20 @@ password = secrets.token_urlsafe(32)
 encrypted_zipped_chunks = stream_zip(member_files(), password=password)
 ```
 
-Notes:
-
-1. This encrypts the data with AES-256, adhering to the [WinZip AE-2 specification](https://www.winzip.com/en/support/aes-encryption/).
-
-2. This is seen as more secure than ZipCrypto, the original mechanism of password protecting ZIP files, but fewer clients can open such ZIP files.
-
-3. While a step forward from ZipCrypto, it has flaws that you should be aware of before using it. See ["Attacking and Repairing the WinZip Encryption Scheme" by Tadayoshi Kohno](https://homes.cs.washington.edu/~yoshi/papers/WinZip/winzip.pdf) and [fgrieu's answer to a question about WinZip's AE-1 and AE-2 on Crytography Stack Exchange](https://crypto.stackexchange.com/a/109269/113464).
+You should make sure to use a long and random password, for example one generated by the [Python secrets module](https://docs.python.org/3/library/secrets.html).
+
+This encrypts the data with AES-256, adhering to the [WinZip AE-2 specification](https://www.winzip.com/en/support/aes-encryption/).
+
+> ### Warnings
+>
+> AE-2 is seen as more secure than ZipCrypto, the original mechanism of password protecting ZIP files, but fewer clients support AE-2 than ZipCrypto.
+>
+> Also, AE-2 has flaws. These include:
+>
+> - Not encrypting metadata, for example member file names, modification times, permissions, and sizes.
+>
+> - Not including sufficient mechanisms to alert recipients if data or metadata has been intercepted and changed. This can itself lead to leakage of information about the original data.
+>
+> - A higher risk of data leakage when there's a higher number of member files in the ZIP when they're encrypted with the same password, as stream-zip does.
+>
+> See ["Attacking and Repairing the WinZip Encryption Scheme" by Tadayoshi Kohno](https://homes.cs.washington.edu/~yoshi/papers/WinZip/winzip.pdf) and [fgrieu's answer to a question about WinZip's AE-1 and AE-2 on Crytography Stack Exchange](https://crypto.stackexchange.com/a/109269/113464) for more information.