I am working on an application where some very secured data is uploaded by Client using Application UI(developed using JSP+Servlets+orielly upload). What are the possibilities that this data can be hacked by a hacker. If possible than what can be a secure way of uploading such data . Can a solution of encrypting a file containing the data and than decrypting the file before inserting into DB be right.
Security is an extremely complex issue. The most secure system would be sealed inside a concrete block with no input or output. Most "computer security" problems are actually "social engineering" problems, where some cracker (not "hacker") asks a gullable employee for their user name and password or physical access to their computer. However, in your case, using HTTP to upload a file, you do have a security problem because HTTP will carry the data as plain text across the network. It is fairly trivial to place a network traffic sniffer along the route of the data and recover it. You have a couple of options. You could encrypt the data file before it is sent. If you use a symmetric encryption scheme (the encryption key and decryption key are the same, like DES), then the key on the client may be compromised by a cracker. More secure is public-private key encryption (i.e. Diffie-Hellman) where the client uses a public key which cannot decode the encoded message. In your case, I'd look at using HTTPS if you have a web server that supports it. HTTPS uses public-private key encryption to encode HTTP requests and responses.
Dear Joe, Thanks for your quick response . Now I have further quries on this - 1. In approach one you mean - I ll first encrypt a file and than upload the file , since I m not copying this file to some physical location on the AppServer(I m reading the file from ServletInput Stream line by line and inserting into DB), does that mean I have to decrypt my info line by line. Which I think would be a costly operation.
2. On the second approach - Since I m using Oracle 9i appserver and it does support https also. But I would like to use Https for Upload only , otherwise my whole application would unnecessary suffer. How can I do the same.
Originally posted by Dushyant Bhardwaj: does that mean I have to decrypt my info line by line. Which I think would be a costly operation.
You can always save and decrypt a temporary file or use buffering to decode a chunk at a time, then work on lines within the chunk. As for how costly these operations are, there's only one way to be sure. Implement, benchmark, repeat.
2. But I would like to use Https for Upload only , otherwise my whole application would unnecessary suffer.
HTTPS, like HTTP, is a request-response protocol. There's no way I know of to do HTTPS on the upload, then HTTP on the download. I doubt if you would notice the difference between HTTP and HTTPS if you have reasonable hardware.