Secure Uploading of Data !!!

Dushyant Bhardwaj
Greenhorn

Joined: Apr 18, 2004
Posts: 28
Dear All,

I am working on an application where some very secured
data is uploaded by the client using the application UI (developed using
JSP + Servlets + O'Reilly upload).
What are the possibilities that this data can be hacked by
a hacker?
If possible, then what can be a secure way of uploading such
data?
Can a solution of encrypting a file containing the data and then
decrypting the file before inserting into the DB be right?

Any clue will be helpful.

Thanks and Regards
Dushyant Bhardwaj
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8836
    

Security is an extremely complex issue. The most secure system would be sealed inside a concrete block with no input or output. Most "computer security" problems are actually "social engineering" problems, where some cracker (not "hacker") asks a gullible employee for their user name and password or physical access to their computer.

However, in your case, using HTTP to upload a file, you do have a security problem because HTTP will carry the data as plain text across the network. It is fairly trivial to place a network traffic sniffer along the route of the data and recover it. You have a couple of options. You could encrypt the data file before it is sent. If you use a symmetric encryption scheme (the encryption key and decryption key are the same, like DES), then the key on the client may be compromised by a cracker. More secure is public-private key encryption (i.e. Diffie-Hellman) where the client uses a public key which cannot decode the encoded message.

In your case, I'd look at using HTTPS if you have a web server that supports it. HTTPS uses public-private key encryption to encode HTTP requests and responses.


"blabbing like a narcissistic fool with a superiority complex" ~ N.A.
Dushyant Bhardwaj
Greenhorn

Joined: Apr 18, 2004
Posts: 28
Dear Joe,
Thanks for your quick response.
Now I have further queries on this -
1. In approach one you mean - I'll first encrypt a file
and then upload the file. Since I'm not copying this file
to some physical location on the AppServer (I'm reading the file from
ServletInputStream line by line and inserting into DB), does that
mean I have to decrypt my info line by line?
Which I think would be a costly operation.

2. On the second approach - since I'm using Oracle 9i appserver and
it does support HTTPS also.
But I would like to use HTTPS for upload only, otherwise my
whole application would unnecessarily suffer.
How can I do the same?

Thanks & Regards
Dushyant Bhardwaj
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8836
    

Originally posted by Dushyant Bhardwaj:
does that mean I have to decrypt my info line by line. Which I think would be a costly operation.

You can always save and decrypt a temporary file or use buffering to decode a chunk at a time, then work on lines within the chunk. As for how costly these operations are, there's only one way to be sure. Implement, benchmark, repeat.

2. But I would like to use HTTPS for upload only, otherwise my
whole application would unnecessarily suffer.

HTTPS, like HTTP, is a request-response protocol. There's no way I know of to do HTTPS on the upload, then HTTP on the download. I doubt if you would notice the difference between HTTP and HTTPS if you have reasonable hardware.
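
The chunk-at-a-time approach from the reply above, as an added example that is not part of the thread or either poster's code. It assumes Java 11+, an AES key already shared between client and server, and a framing invented for this example (class and method names are hypothetical); each chunk is sealed with AES-GCM so the server verifies a chunk before using any line from it.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;

public class ChunkedUpload { // hypothetical class; the framing is constructed for this example
    static final int CHUNK = 16, TAG = 16; // tiny chunk so a line straddles two; ~64 KiB in practice
    // AES-GCM over one chunk; nonce = 8-byte per-upload random prefix + 4-byte chunk counter.
    static byte[] crypt(int mode, SecretKey key, byte[] prefix, int n, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] nonce = ByteBuffer.allocate(12).put(prefix).putInt(n).array();
        c.init(mode, key, new GCMParameterSpec(TAG * 8, nonce));
        return c.doFinal(in);
    }
    // Client: prefix, full chunks, then one final chunk shorter than CHUNK (possibly empty).
    static byte[] seal(byte[] plain, SecretKey key) throws Exception {
        byte[] prefix = new byte[8];
        new SecureRandom().nextBytes(prefix);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(prefix);
        for (int off = 0, n = 0; off <= plain.length; off += CHUNK, n++)
            out.write(crypt(Cipher.ENCRYPT_MODE, key, prefix, n,
                    Arrays.copyOfRange(plain, off, Math.min(off + CHUNK, plain.length))));
        return out.toByteArray();
    }
    // Server: authenticate and decrypt one chunk at a time, carrying an unfinished line over.
    static List<String> openLines(InputStream upload, SecretKey key) throws Exception {
        byte[] prefix = upload.readNBytes(8), ct;
        List<String> lines = new ArrayList<>();
        ByteArrayOutputStream partial = new ByteArrayOutputStream();
        int n = 0;
        do { // ends normally only on an authenticated short chunk, so a truncated upload throws
            ct = upload.readNBytes(CHUNK + TAG);
            for (byte b : crypt(Cipher.DECRYPT_MODE, key, prefix, n++, ct))
                if (b != '\n') partial.write(b);
                else { lines.add(partial.toString("UTF-8")); partial.reset(); }
        } while (ct.length == CHUNK + TAG);
        if (partial.size() > 0) lines.add(partial.toString("UTF-8"));
        return lines;
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // demo key; key exchange not shown
        byte[] body = seal("id,amount\n1017,100\n1042,250\n".getBytes("UTF-8"), key); // constructed sample
        System.out.println(openLines(new ByteArrayInputStream(body), key));
        try { openLines(new ByteArrayInputStream(body, 0, 8 + CHUNK + TAG), key); } // final chunk cut off
        catch (AEADBadTagException e) { System.out.println("truncated upload rejected"); }
    }
}
```

Insert the returned lines into the database only after `openLines` returns, or run the inserts in a transaction that is rolled back when it throws.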
 