In My website my server will reply raw data(a Jpeg image encrypted using a password) , when the browser receives it can i decrypt(Using the same password) the data into a image and show them as image using JavaScript.
What is the point?
Image will be 'protected' only during transmision from server to the client. Also, to decrypt it as described, password will be saved somewhere on the client side (in javascript). So every one can see the password and algorithm.
If you want to protect data during transmision just access it via https.
First please think over your design and make sure that this is really the way you want to go for. Maybe a ordinary login system with https or htaccess protection would be more suitable.
If you really want to do it the way you described, I would do it the following way:
convert the images to base64 format (wikipedia article), because handling binary data with JavaScript is nasty.
then encrypt your images with AES and a strong key
save the result in your database
when a client wants to access the images you should
send the encrypted images over HTTPS
let him enter the key (or a passphrase which will be hashed,e.g. with SHA512, to the key) in a HTML input field and read it with JavaScript
decrypt the images using a JavaScript AES library, e.g. http://point-at-infinity.org/jsaes/
change the src attribute of your img tag to the decrypted base64 stream.
Related
I'm developing a small project in android which is using php webservices' call.
I want my webservices to be protected, however by using GET/POST request methods I don't think its much protected. After googling I got RSA implementation in "phpseclib", Its having good documentation as well. But I'm confused so much, so thought post this here.
Basically what I need is:
from Android I'l call a url with "encrypted parameters merged in one string".
(I'l first encode parameters in json and then I'l encrypt).
those parameters I'l extract in php, and process accordingly.
json string: {user_id:xyz#gmail.com, passwd: Password!}
encrypted to: XsjkhkjwehrkanmNXmnskjawrhjlljahdhuw
eg. http://my.domain.com/webservices/call.php?params=Xsjkhkjwehrkanm,NXmnskjawrhjlljahdhuw
In php, I'l extract userID and Password, from that $_GET['params"']
This is possible in base64_encode(), base64_decode(), but base64 encoder will just obfuscate the string, it won't encrypt actually.
I need public/private key mechanism.
However I've tried this: (https://launchkey.com/docs/api/encryption/php/phpseclib)
<?
function rsa_encrypt($key, $message) {
$rsa = new Crypt_RSA();
$rsa->loadKey($key);
$encrypted = base64_encode($rsa->encrypt($message));
return $encrypted;
}
?>
Its not returning any $encrypted string.
Any help would be really appreciated.
Thanks..! :)
If you're new to encryption, you should go the simple route and just go with HTTPS, as suggested in comments.
Also, as suggested in comments, don't send the passwords via GET from a web page because that shows in the address bar and passers by can read that off the screen.
HTTPS (SSL/TLS) provides end to end encryption of the entire connection between the web server and the client. This allows you to send all your data in clear text and not worry about it because it's being encrypted at a lower level.
Since it's not a web browser calling your web server, you don't even need to pay for an SSL certificate. You can create a self-signed certificate. Just ensure you verify the signature on every connection to prevent man in the middle attacks. This is a bit trickier though, so again, if you're new to this, just pay for the SSL certificate and let Android take care of the certificate verification for you.
In response to your direct question:
Encoding is not encryption, as you may have discovered. Base64 is encoding and provides no security.
You cannot simply generate an RSA public/private key pair, encrypt data with the private key, and send it to your server. You have to first share your public key with the server. Well, anyone who sniffs the public key off the wire can decrypt it.
You could potentially have the client generate a random symmetric key and encrypt it with the server's public key. The server would then decrypt it with the private key, and have a shared secret key to use to encrypt data and send it to you.
The problem with that is an attacker could simply replay all your data to a server to see the same output. These random things need to be generated by the server to ensure they're actually random, so you're stuck with the server generating the key, but if the server simply encrypts with the private key, anyone with the public key could decrypt it.
So, you'd need some method of securely deriving a shared secret key, some complicated mathematical way of sharing some data that both the server and the client could use to calculate the same shared key.
You could do this yourself, but you'll be calling complicated procedures and functions, when you could just use SSL, which does the same thing for you.
I think you can use POST web service to make it more secure and if possible then please don't encrypt parameter just encrypt value of parameter and then also if you face issue then try to retrive value using
$_REQUEST['parameter_name']
I am trying to get basic encryption on my database for my app and i am having trouble with decrypting it in my app.
I have managed to get specific data to be encrypted with AES.
AES_ENCRYPT(data, '9027382883960882');
This returns me data like this: ÷çôpFx4Ûk`©ùþ§ß-ð?±AGXxPkoË
The data from the database then gets put on a page as JSON data.
We then get the data through a XMLHTTP request on the app.
We then have the encrypted data on the app but then i need to deccrypt it.
I dont know how we can do this in a good way because when we use a plug-in like Aes-js.
We first have to change the encrypted data to Hexdecimal or Bytes and that is not possible because the data has random signs in it.
Do you guys have any idea how we can do this or maybe a push in the right direction.
Client vs server imagen process.
We got a big system which runs on JSF(primefaces) EJB3 and sometimes JavaScript logic (like for using firebase and stuff).
So we run onto this problem, we have a servlet to serve some images. Backend take a query, then extract some blob img from DB, make that BLOB into array of bytes, send it to browser session memory and servlet take it to serve it in ulr-OurSite/image/idImage. Front end calls it by <img>(url/image/id)</img> and works fine so far.
Then we are using a new direct way to show img, we send BLOB/RAW data to frontend and there we just convert them into Base64.imageReturn. and pass it to html.
Base64 codec = new Base64();
String encoded = codec.encodeBase64String(listEvidenciaDev.get(i).getImgReturns());
Both work, for almost all cases.
Note: We didn't try this before because we couldn't pass the RAW data through our layers of serialized objects and RMI. Now we can of course.
So now there are two ways.
Either we send data to servlet and put it on some url, which means the backend does all the job and frontend just calls url
or we send data to frontend which is going to make some magic and transform it to img.
This brings 2 questions.
If we send to frontend RawObject or make them call URL to show his image content, final user download the same amount of data? This is important because we have some remote branch offices with poor internet connection
Is worth pass the hard work to frontend (convert data) or backend (convert and publish)?
EDIT:
My questions is not about BLOB (the one i call RAW data) being bigger than base64
It is; passing the data as object and transform it to a readable picture is more heavy to internet bandwidth than passing a url from our servlet with the actual IMG and load it on html ?
I did choose to close this answer because we did some test and it was the same bandwidth usage on front end.
Anyway we make use of both solutions
If we dont want to charge frontend making a lot of encode we set a servlet for that images (that comes with more code and more server load). We look for the best optimization on specific cases.
I am making an application that will store a Azure SQL server DB user information, including profile photo downloaded from Facebook. On the server side, ASP.NET MVC4'll have a controller that will receive the information and send it to the database.
The client side is Javascript and thought to give the image in json (once converted to base64). Is it a good option? Is it better to directly send the jpg? What are the advantages of sending information in json?
In SQL Server image field would be stored as a nvarchar (max)
Are you going to return the image as a binary stream content type image/jpeg or as a text stream encoded base64? Is far more likely that you're going to do the former, so there is little reason to go through an intermediate base64 encoded transfer. And of course, store them as VARBINARY(MAX). Even if you would choose to store them as base64, choosing an Unicode data type for base64 text is really wasteful, (double the storage cost for no reason...), base64 can fit very well in VARCHAR(max).
But, specially in a SQL Azure environemnt, you should consider storing media in Azure BLOB storage and store only the Blob path in your database.
In my opinion, it's better sending the image directly in .jpg using Multipart Forms or something like that.
Sending information in Json is useful when you transfer explicit data, like collections or objects that you will be able to query or de-serialize later.
The client side is Javascript and thought to give the image in json (once converted to base64). Is it a good option?
As Pasrus pointed out, you are not going to manipulate the image data. So JSON does not seems to be a good choice here.
One option is, you can add the base64 data into src attribute in html tag and send it.
What are the advantages of sending information in json?
Please check this answers and there are so many:
Advantages of using application/json over text/plain?
In SQL Server image field would be stored as a nvarchar (max)
Please refer this link:
Storing images in SQL Server?
I'm building an ASPX website that should allow the user to download a CSV/Excel file (including the 'Save To' dialog). The CSV contains encrypted data - the decryption key is available at user side and should be kept secret against the webservice.
So decryption actually should be performed within the browser, a javascript implementation (sjcl) has proofed to work fine.
But how can the incoming datastream during a file download be influenced? Something like a browser hosted proxy performing the javascript decryption?
#closure: thanks a lot! Ajax is no problem, and the idea
<a href='data:application/csv;base64,aGVsbG87d29ybGQNCg=='>click</a>
is really cool, but it has two problems: it seems not work with IE and it is not the right approach for really huge tables. The solution should be able to handle many thousands of records, therefore we need some sort of download stream encoder/decrypter.
Here are the steps to achieve this:
Instead of downloading the CSV directly to the client machine, fetch it via ajax
Once the data is received in via Ajax, parse the CSV via many available functions on internet. Let me know, if you need help on this. This function will convert the CSV to native Javascript Arrays.
Walk through the Array and covert the encrypted data to unencrypted data. Do it natively in the same Array.
Convert the array to CSV (Again there are functions in public domain)
Make a link (a element) and set the href to local data like data:text/csv;charset=utf-8, + encodeURIComponent(csv)
Present this link to the user and ask him to click on it to save the file locally.