WinZip AE-2 for small files and AE-1 for larger – how small/how large for each? [closed]
I'm adding password protection/encryption support to a Python package that makes ZIP files (https://github.com/uktrade/stream-zip). I'm opting to not add ZipCrypto support, but instead add WinZip-style AES
From https://www.winzip.com/en/support/aes-encryption/ WinZip has two versions of this, AE-1 and AE-2, and it looks like WinZip changes the version used depending on the size of the file.
As of WinZip 11, WinZip instead uses AE-1 for most files, storing the CRC as an additional integrity check against hardware or software errors occurring during the actual compression/encryption or decryption/decompression processes. WinZip 11 will continue to use AE-2, with no CRC, for very small files of less than 20 bytes.
I need to decide what the Python package does in terms of using AE-1 and AE-2. So far, I've made it create ZIP files that use AE-2 for everything. That is, not including the CRC in the ZIP file.
But in terms of next steps:
a) Should I make it use AE-1 for larger files like the WinZip specification suggests
b) Or should I continue to use AE-2 for everything
or c) Something else?
And if a), then is the 20 byte minimum limit for AE-1 of the compressed data or uncompressed data? The encryption happens after compression, so there is a choice here as well (albeit it's maybe slightly awkward to code up if it's 20 bytes after compression due to the streaming nature of stream-zip - avoiding loading all plain/cipher text in memory at once)