setComments() in ZipEntry- how safe to put critical data in encryptedformat..

[volkswak]

How safe to carry some encrypted password as a Comment in a
programmatically created Zip file?
i.e. using ZipEntry.setComment(encPasswordString)

Intention is to use this password while processing this Zip file
programmatically (like Unzip,etc). The contents inside the Zip are
already encrypted.

Is it possible to remove such Comments in the original Zip file?
Are there any security holes in putting such sensitive but encrypted
data in the Comments field of Zip file(rather overload the use of this
field).

 

[Roedy Green]

How safe to carry some encrypted password as a Comment in a
programmatically created Zip file?

The original PkZip format was just designed to keep your mother from
snooping.

The AES variant should keep pretty well anyone out but the government.

winZip supports AES. see http://mindprod.com/jgloss/winzip.html

For a pure Java solution, you could use GZIP to compress, then a JCE
encryption, then pack in a Zip.

You must always compress before encryption or you won't get any
compression.

 

[volkswak]

For a pure Java solution, you could use GZIP to compress, then a JCE
encryption, then pack in aZip.

This is already taken care.

But,
How safe it is to carry some encrypted data as the Comment in a
programmatically created Zip file in a pure Java solution?
i.e. using ZipEntry.setComment(encryptedData)

So that, I could use ZipEntry.getComment() to extract this encrypted
data while unzipping/etc, say on another box.
Just curious to see any negative consequences in carrying sensitive
info in the Comment field of Zip.

 

[Tris Orendorff]

Actually if it uses AES it should also keep the government out. At
least it will make using a rubber hose to get the information more
attractive than trying to break the file encryption.

(Note, a key logger or other technology could also be used)

Up your nose, with a rubber hose. Don't forget about waterboarding.