File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Java in General and the fly likes Store HTTPS file upload on server encrypted? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Java in General
Bookmark "Store HTTPS file upload on server encrypted?" Watch "Store HTTPS file upload on server encrypted?" New topic
Author

Store HTTPS file upload on server encrypted?

andy armstrong
Ranch Hand

Joined: May 14, 2002
Posts: 154
I need some opinions on this.

I want to be able to have a file that is uploaded to a server stored
in the encrypted state and not to be decrypted till it is downloaded by another client.
The server would act as a go between the 2 ends of the https clients.

I would need to be able to read the https stream and store it encrypted and
later read that encrypted file and send it to the client in an encrypted state.
Any ideas?


Certifications: <br />scp2, scea, scwcd, WL7.0, CISSP, XML
Stephen Huey
Ranch Hand

Joined: Jul 15, 2003
Posts: 618
That should be fine. Just do a regular file upload, store the file there without doing anything to it, and let the other user download it.

If you need to learn how to do file uploads and downloads, you can search throughout the servlet/JSP forums, and there is Apache Commons FileUpload utility that you can use (there is also tons of sample code all over the web).
andy armstrong
Ranch Hand

Joined: May 14, 2002
Posts: 154
Thanks.
Sorry for being a little slow but ..

Will the file be stored encrypted?
James Carman
Ranch Hand

Joined: Feb 20, 2001
Posts: 580
No, the file will not be encrypted for you if you do it that way. The file is decrypted for you by the transport layer prior to you receiving it. What you can do is encrypt it yourself using the Java Cryptography Extension (JCE). Now, you'll have to keep track of HOW you encrypted it. Maybe you could dynamically generate a keypair on webapp startup and store it in the ServletContext. Then, you could always use that keypair to encrypt/decrypt the file(s) as they come in and go out.


James Carman, President<br />Carman Consulting, Inc.
James Carman
Ranch Hand

Joined: Feb 20, 2001
Posts: 580
Actually, you could use a symmetric cipher and just use the same key to encrypt/decrypt. DUH! I don't know why I suggested a keypair. Here's a class that uses passphrase-based encryption...



What you would do is create a ServletContextListener for your webapp. Instantiate a PassphraseCrypto object (supply your own passphrase) and add it to your ServletContext. Then, use it later when you want to encrypt/decrypt files. Now, the problem here is that the key is passphrase-based, so if someone knows your passphrase (and what algorithm you use), they can (theoretically) decrypt the files you have stored on disk. You have to decide on the likelihood of that happening. If you're trying to protect the data from people who have no idea how to do that stuff (and haven't seen this post), then you're probably safe.

However, if you can live with it, you COULD use a random passphrase. The problem with that would be that you can't decrypt files which were encrypted using a previous random value (the server went down and you brought it back up).
andy armstrong
Ranch Hand

Joined: May 14, 2002
Posts: 154
Wow that is awesome.
I want to get it from the Transport Layer to storage without
decrypting it and enabling the uploaded encrypted file to be later downloaded via https and decrypted seamlessly with no client side code.

Kind of an interrupted https connection...
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Store HTTPS file upload on server encrypted?