• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Store HTTPS file upload on server encrypted?

 
andy armstrong
Ranch Hand
Posts: 154
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I need some opinions on this.

I want to be able to have a file that is uploaded to a server stored
in the encrypted state and not to be decrypted till it is downloaded by another client.
The server would act as a go between the 2 ends of the https clients.

I would need to be able to read the https stream and store it encrypted and
later read that encrypted file and send it to the client in an encrypted state.
Any ideas?
 
Stephen Huey
Ranch Hand
Posts: 618
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That should be fine. Just do a regular file upload, store the file there without doing anything to it, and let the other user download it.

If you need to learn how to do file uploads and downloads, you can search throughout the servlet/JSP forums, and there is Apache Commons FileUpload utility that you can use (there is also tons of sample code all over the web).
 
andy armstrong
Ranch Hand
Posts: 154
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks.
Sorry for being a little slow but ..

Will the file be stored encrypted?
 
James Carman
Ranch Hand
Posts: 580
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No, the file will not be encrypted for you if you do it that way. The file is decrypted for you by the transport layer prior to you receiving it. What you can do is encrypt it yourself using the Java Cryptography Extension (JCE). Now, you'll have to keep track of HOW you encrypted it. Maybe you could dynamically generate a keypair on webapp startup and store it in the ServletContext. Then, you could always use that keypair to encrypt/decrypt the file(s) as they come in and go out.
 
James Carman
Ranch Hand
Posts: 580
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Actually, you could use a symmetric cipher and just use the same key to encrypt/decrypt. DUH! I don't know why I suggested a keypair. Here's a class that uses passphrase-based encryption...



What you would do is create a ServletContextListener for your webapp. Instantiate a PassphraseCrypto object (supply your own passphrase) and add it to your ServletContext. Then, use it later when you want to encrypt/decrypt files. Now, the problem here is that the key is passphrase-based, so if someone knows your passphrase (and what algorithm you use), they can (theoretically) decrypt the files you have stored on disk. You have to decide on the likelihood of that happening. If you're trying to protect the data from people who have no idea how to do that stuff (and haven't seen this post), then you're probably safe.

However, if you can live with it, you COULD use a random passphrase. The problem with that would be that you can't decrypt files which were encrypted using a previous random value (the server went down and you brought it back up).
 
andy armstrong
Ranch Hand
Posts: 154
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Wow that is awesome.
I want to get it from the Transport Layer to storage without
decrypting it and enabling the uploaded encrypted file to be later downloaded via https and decrypted seamlessly with no client side code.

Kind of an interrupted https connection...
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic