Version 5.1 adds support for the following:

    AES 128 bit, 192 bit, and 256 bit

Version 6.1 introduces encryption data changes to support 
interoperability with SmartCard and USB Token certificate storage 
methods which do not support the OAEP strengthening standard.

Version 6.2 introduces support for encrypting metadata by compressing 
and encrypting the central directory data structure to reduce information 
leakage.  Information leakage can occur in legacy ZIP applications 
through exposure of information about a file even though that file is 
stored encrypted.  The information exposed consists of file 
characteristics stored within the records and fields defined by this 
specification.  This includes data such as a file's name, its original 
size, timestamp and CRC32 value.

Central Directory Encryption provides greater protection against 
information leakage by encrypting the Central Directory structure and 
by masking key values that are replicated in the unencrypted Local 
Header.  ZIP compatible programs that cannot interpret an encrypted 
Central Directory structure cannot rely on the data in the corresponding 
Local Header for decompression information.

Extra Field records that may contain information about a file that should 
not be exposed should not be stored in the Local Header and should only 
be written to the Central Directory where they can be encrypted.  This 
design currently does not support streaming.  Information in the End of 
Central Directory record, the ZIP64 End of Central Directory Locator, 
and the ZIP64 End of Central Directory record is not encrypted.  Access 
to view data on files within a ZIP file with an encrypted Central Directory
requires the appropriate password or private key for decryption prior to 
viewing any files, or any information about the files, in the archive.  
Older ZIP compatible programs not familiar with the Central Directory 
Encryption feature will no longer be able to recognize the Central 
Directory and may assume the ZIP file is corrupt.  Programs that 
attempt streaming access using Local Headers will see invalid 
information for each file.  Central Directory Encryption need not be 
used for every ZIP file.  Its use is recommended for greater security.  
ZIP files not using Central Directory Encryption should operate as 
in the past.

The details of the strong encryption specification for certificates 
remain under development as design and testing issues are worked out 
for the range of algorithms, encryption methods, certificate processing 
and cross-platform support necessary to meet the advanced security needs 
of .ZIP file users today and in the future.

This feature specification is intended to support basic encryption needs 
of today, such as password support.  However, this specification is also 
designed to lay the foundation for future advanced security needs.

Encryption provides data confidentiality and privacy.  It is 
recommended that you combine X.509 digital signing with encryption 
to add authentication and non-repudiation.

Single Password Symmetric Encryption Method:
-------------------------------------------

The Single Password Symmetric Encryption Method using strong 
encryption algorithms operates similarly to the traditional 
PKWARE encryption defined in this format.  Additional data 
structures are added to support the processing needs of the 
strong algorithms.

The Strong Encryption data structures are:

1. General Purpose Bits - Bits 0 and 6 of the General Purpose bit 
flag in both local and central header records.  Both bits set 
indicates strong encryption.  Bit 13, when set, indicates the Central
Directory is encrypted and that selected fields in the Local Header
are masked to hide their actual value.
2. Extra Field 0x0017 in central header only.
     Fields to consider in this record are:
     Format - the data format identifier for this record.  The only
     value allowed at this time is the integer value 2.
     AlgId - integer identifier of the encryption algorithm from the
     following range
         0x6601 - DES
         0x6602 - RC2 (version needed to extract < 5.2)
         0x6603 - 3DES 168
         0x6609 - 3DES 112
         0x660E - AES 128 
         0x660F - AES 192 
         0x6610 - AES 256 
         0x6702 - RC2 (version needed to extract >= 5.2)
         0x6801 - RC4
         0xFFFF - Unknown algorithm
     Bitlen - Explicit bit length of key
          40
          56
          64
         112
         128
         168
         192
         256
     Flags - Processing flags needed for decryption
         0x0001 - Password is required to decrypt
         0x0002 - Certificates only
         0x0003 - Password or certificate required to decrypt
         Values > 0x0003 reserved for certificate processing
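
The following is an added example, not part of the specification text: a Python reader that interprets general purpose bits 0, 6 and 13 and decodes an Extra Field 0x0017 record, checking Format, AlgId, Bitlen and Flags against the values listed above. The function names and the sample bytes are constructed here; the byte layout (tag and size framing, four 2-byte little-endian fields) is an assumption not stated in this section.

```python
import struct

# AlgId, Bitlen and Flags values as listed for Extra Field 0x0017 above.
ALG_IDS = {0x6601: "DES", 0x6602: "RC2 (< 5.2)", 0x6603: "3DES 168",
           0x6609: "3DES 112", 0x660E: "AES 128", 0x660F: "AES 192",
           0x6610: "AES 256", 0x6702: "RC2 (>= 5.2)", 0x6801: "RC4",
           0xFFFF: "Unknown algorithm"}
BITLENS = {40, 56, 64, 112, 128, 168, 192, 256}
FLAGS = {0x0001: "password", 0x0002: "certificates only",
         0x0003: "password or certificate"}

def describe_gp_flags(gp):
    """Interpret general purpose bits 0, 6 and 13 as described above."""
    return {"strong_encryption": (gp & 0x0001) != 0 and (gp & 0x0040) != 0,
            "central_directory_encrypted": (gp & 0x2000) != 0}

def parse_strong_encryption_extra(extra):
    """Walk central-header extra data; return the decoded 0x0017 record or None.

    Assumed layout (not stated in this section): each extra record is
    tag(2) size(2) data, and the 0x0017 data begins with Format, AlgId,
    Bitlen and Flags as 2-byte little-endian integers.
    """
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if len(body) < size:
            raise ValueError("extra record 0x%04X overruns the extra field" % tag)
        if tag == 0x0017:
            if size < 8:
                raise ValueError("0x0017 record too short for its fixed fields")
            fmt, alg, bitlen, flags = struct.unpack_from("<HHHH", body)
            problems = []
            if fmt != 2:
                problems.append("Format %d is not 2" % fmt)
            if alg not in ALG_IDS:
                problems.append("AlgId 0x%04X is not a listed value" % alg)
            if bitlen not in BITLENS:
                problems.append("Bitlen %d is not a listed key length" % bitlen)
            if flags not in FLAGS:
                problems.append("Flags 0x%04X is outside 0x0001-0x0003" % flags)
            return {"algorithm": ALG_IDS.get(alg), "bitlen": bitlen,
                    "unlock": FLAGS.get(flags), "problems": problems}
        pos += 4 + size
    return None

# Constructed sample: an unrelated record (made-up tag 0xCAFE), then 0x0017 for AES 256 with password.
SAMPLE = (struct.pack("<HHI", 0xCAFE, 4, 0) +
          struct.pack("<HHHHHH", 0x0017, 8, 2, 0x6610, 256, 0x0001))
```

A non-empty "problems" list means the record carries values outside those this section allows, which an archive-handling tool can treat as a reason to reject or quarantine the file.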



 
                