Secure Uploading of Data !!!

Dushyant Bhardwaj
Greenhorn

Joined: Apr 18, 2004
Posts: 28
Dear All,

I am working on an application where some very secured
data is uploaded by the client using the application UI (developed using
JSP + Servlets + O'Reilly upload).
What are the possibilities that this data can be hacked by
a hacker?
If possible, then what can be a secure way of uploading such
data?
Can a solution of encrypting a file containing the data and then
decrypting the file before inserting into the DB be right?

Any clue will be helpful.

Thanks and Regards
Dushyant Bhardwaj
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8971

Security is an extremely complex issue. The most secure system would be sealed inside a concrete block with no input or output. Most "computer security" problems are actually "social engineering" problems, where some cracker (not "hacker") asks a gullible employee for their user name and password or physical access to their computer. However, in your case, using HTTP to upload a file, you do have a security problem because HTTP will carry the data as plain text across the network. It is fairly trivial to place a network traffic sniffer along the route of the data and recover it. You have a couple of options. You could encrypt the data file before it is sent. If you use a symmetric encryption scheme (the encryption key and decryption key are the same, like DES), then the key on the client may be compromised by a cracker. More secure is public-private key encryption (i.e. Diffie-Hellman) where the client uses a public key which cannot decode the encoded message. In your case, I'd look at using HTTPS if you have a web server that supports it. HTTPS uses public-private key encryption to encode HTTP requests and responses.


Dushyant Bhardwaj
Greenhorn

Joined: Apr 18, 2004
Posts: 28
Dear Joe,
Thanks for your quick response.
Now I have further queries on this:
1. In approach one you mean I'll first encrypt a file
and then upload the file. Since I'm not copying this file
to some physical location on the AppServer (I'm reading the file from
the ServletInputStream line by line and inserting into the DB), does that
mean I have to decrypt my info line by line?
Which I think would be a costly operation.

2. On the second approach: I'm using Oracle 9i appserver and
it does support HTTPS also.
But I would like to use HTTPS for upload only, otherwise my
whole application would unnecessarily suffer.
How can I do the same?

Thanks & Regards
Dushyant Bhardwaj
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8971

Originally posted by Dushyant Bhardwaj:
does that mean I have to decrypt my info line by line. Which I think would be a costly operation.

You can always save and decrypt a temporary file or use buffering to decode a chunk at a time, then work on lines within the chunk. As for how costly these operations are, there's only one way to be sure. Implement, benchmark, repeat.

2. But I would like to use HTTPS for upload only, otherwise my
whole application would unnecessarily suffer.

HTTPS, like HTTP, is a request-response protocol. There's no way I know of to do HTTPS on the upload, then HTTP on the download. I doubt if you would notice the difference between HTTP and HTTPS if you have reasonable hardware.
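
An added example (not part of the thread and not code from either poster) of the buffered approach from the reply above: wrapping the upload stream in a `CipherInputStream` lets `BufferedReader.readLine()` return decrypted lines with no temporary file and no per-line decryption. The AES-GCM layout (12-byte IV, then ciphertext and tag), the class and method names, and the key generated in `main` are assumptions for illustration; key distribution is out of scope here.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class DecryptingLineReader {               // hypothetical class name
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Client side (constructed for the demo): output is IV || ciphertext || tag.
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);          // fresh IV for every upload
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(iv);
        out.write(c.doFinal(plain));
        return out.toByteArray();
    }

    // Server side: 'body' stands in for the servlet request's input stream.
    static List<String> readLines(SecretKey key, InputStream body) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new DataInputStream(body).readFully(iv);   // unbuffered, so 'body' stays positioned
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(
                new CipherInputStream(body, c), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; )
                lines.add(line);                   // a real servlet would insert into the DB here
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();          // demo key; assumed shared with the client
        byte[] upload = encrypt(key, "id,amount\n1,100\n2,250\n".getBytes(StandardCharsets.UTF_8));
        System.out.println(readLines(key, new ByteArrayInputStream(upload)));
        upload[upload.length - 1] ^= 1;            // simulate modification in transit
        try {
            readLines(key, new ByteArrayInputStream(upload));
        } catch (IOException e) {                  // wraps AEADBadTagException
            System.out.println("rejected: " + e.getCause());
        }
    }
}
```

The JDK's GCM implementation holds decrypted data back until the tag has been verified, so a tampered upload is rejected before any line is returned, at the cost of buffering the whole ciphertext in memory. Wrap the row inserts in one transaction so a late failure leaves nothing behind in the table.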
 