[jira] [Commented] (FILEUPLOAD-119) The encryption & decryption of uploaded file

2018-05-16 Thread David Carboni (JIRA) 

[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477974#comment-16477974
 ] 

David Carboni commented on FILEUPLOAD-119:
--

To close this off, I've released at 2.1.0 version of encrypted-file-upload as a 
companion to FileUpload:
 * Github: [https://github.com/davidcarboni/encrypted-file-upload]
 * Maven Central: 
[https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.github.davidcarboni%22%20AND%20a%3A%22encrypted-file-upload%22]
 

David

> The encryption & decryption of uploaded file
> 
>
> Key: FILEUPLOAD-119
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-119
> Project: Commons FileUpload
>  Issue Type: New Feature
> Environment: Windows/Linux
>Reporter: inderjeet
>Priority: Critical
>
> Hi,
> Can we upload the file in the encypted format and later decrypt it to show 
> the file so that noone can directly open the file from the disk space (hard 
> disk) where i have uploaded the file usinf fileUpload functionality. This is 
> the major concern for our project ?
> Is there any external library which can do this for us even just after we 
> upload the file through this API ?
> Thanks & Regards
> Inderjeet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (FILEUPLOAD-119) The encryption & decryption of uploaded file

2018-05-15 Thread David Carboni (JIRA) 

[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16475943#comment-16475943
 ] 

David Carboni commented on FILEUPLOAD-119:
--

Thanks for the reply Jochen,

I respect your view on what should be in or out of the library. I've 
occasionally had to make calls on what should be in or out of libraries I've 
built, even when I've had willing contribution offers, (in my case from 
colleagues I could talk things through with).

I believe a clear understanding of intent and scope is key to the integrity of 
a library and support that.

Thanks for the offer to support the ability for an encrypted implementation to 
work with FileUpload. Having built a range of options (specifically 
implementing FileItem) the current implementation of FileUpload enables this to 
be done without breaking the interface.

I'll update the release of my original companion library above. Is there a way 
to offer this as an option for people who do want the additional capability?

Thanks

David

> The encryption & decryption of uploaded file
> 
>
> Key: FILEUPLOAD-119
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-119
> Project: Commons FileUpload
>  Issue Type: New Feature
> Environment: Windows/Linux
>Reporter: inderjeet
>Priority: Critical
>
> Hi,
> Can we upload the file in the encypted format and later decrypt it to show 
> the file so that noone can directly open the file from the disk space (hard 
> disk) where i have uploaded the file usinf fileUpload functionality. This is 
> the major concern for our project ?
> Is there any external library which can do this for us even just after we 
> upload the file through this API ?
> Thanks & Regards
> Inderjeet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (FILEUPLOAD-119) The encryption & decryption of uploaded file

2018-05-14 Thread David Carboni (JIRA) 

[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16474046#comment-16474046
 ] 

David Carboni commented on FILEUPLOAD-119:
--

Hi Jochen, thanks for the comment. 

Strictly speaking I agree. The focus of fileupload is parsing multipart 
uploads. The content being handled is the user's (i.e the server-side 
application's) responsibility. From this perspective it's clear-cut that 
encryption is not a FileUpload feature.

I've set out my thinking below, based on the progress of encryption on the Web, 
and on parallels that have emerged since this feature was first raised. I hope 
this provides a clear, thoughtful picture and I'd welcome your thoughts.

This thinking is what prompted me to create an "implicit encryption" 
implementation, which I used in delivering the public-facing service of a 
medium-sized UK government organisation dealing in market-moving economic data, 
where I (understandably) needed to satisfy demanding security constraints.

Here's where I think there are areas worth considering:
 * FileUpload is accepting and processing data "on behalf of" a consuming 
application and processing uploads internally. Uploads ** might be written to 
disk, for an indefinite period, and could be accessible to other user accounts 
on the machine. The caller needs to go to some length to manage this (setting a 
repository location with appropriate OS permissions, setting a 
FileCleaningTracker, or explicitly deleting uploads). For the duration that 
FileUpload accepts and holds data, it would seem there's a "duty of care" 
towards the caller, especially where the caller may not be fully aware of these 
settings (and may not have access to the underlying OS). 
 * As a parallel, I'm thinking of AWS EBS or S3. It's not _strictly_ the 
storage provider's responsibility to encrypt content - users really should 
encrypt data themselves. However the feature is beneficial and facilitates 
solutions with reduced security risk that minimise the effort required on the 
part of the user. 

Unpacking this thinking, whilst a user "could" implement encryption, there are 
reasons why a user won't, or shouldn't have to:
 * What happens behind the FileItem interface, whilst data sit inside the 
implementation, ideally shouldn't concern the user (or worry their security 
assurance team).
 * User convenience (e.g. transparent encryption, as with AWS or https) 
dramatically reduces friction / barrier to (good) implementation and enables 
solutions to be more secure "by default".
 * Creating a Cipher[Input|Output]Stream requires significantly more work than 
wrapping an existing stream (as with say Buffered[Input|Output]Stream). It 
requires acquiring an encryption key (of the right type and length), acquiring 
and initialising a Cipher (of the right algorithm and mode, and introducing a 
suitable initialisation vector) before the stream class can be instantiated. 
Using a cipher stream classes means handling half a dozen checked exceptions 
(NoSuchAlgorithmException, NoSuchPaddingException, 
InvalidAlgorithmParameterException, InvalidKeyException, 
IllegalBlockSizeException, BadPaddingException). This makes for heavy-going 
code to handle a file upload.
 * Most developers know implementing an encryption algorithm is unacceptable, 
but even correct use of encryption primitives from a trusted library is 
non-trivial (and using JCE adds complication on top of this). The variety of 
primitives, algorithms, modes, key lengths, right down to the need for key 
management and secure random number generation, means "good" encryption remains 
hard for most - and few will be allowed the time to get it right (in my case I 
got lucky!).
 * Encryption that doesn't require user action (or behaviour change) and uses 
ephemeral keys (so avoiding key management) provides a very low barrier to use. 

The Web has come a long way since 2006 and encryption is now the norm online 
(I'm thinking of advances like Letsencrypt, Chrome frowning on non-https sites, 
and increased business awareness data breaches). I've had to deal with an 
enterprise security team who weren't happy to accept data not encrypted at 
rest, even where underlying storage was encrypted, because they weren't happy 
to accept the risk of administrative accounts on the machine.

I hope this is constructive and would be interested to hear what you think.

> The encryption & decryption of uploaded file
> 
>
> Key: FILEUPLOAD-119
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-119
> Project: Commons FileUpload
>  Issue Type: New Feature
> Environment: Windows/Linux
>Reporter: inderjeet
>Priority: Critical
>
> Hi,
> Can we upload the file in the encypted format and later decrypt it to show 
> the file so that noone can directly open

[jira] [Commented] (FILEUPLOAD-119) The encryption & decryption of uploaded file

2018-05-12 Thread David Carboni (JIRA) 

[ 
https://issues.apache.org/jira/browse/FILEUPLOAD-119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16473157#comment-16473157
 ] 

David Carboni commented on FILEUPLOAD-119:
--

Hi there,

Appreciate I'm late to this party, but, for the benefit of Googlers and as an 
offer to the maintainers if helpful, this is something I have implemented, 
using a few different options.

In terms of core FileUpload functionality, it would seem useful feature 
(security risk reduction) to provide "transparent encryption" so that no data 
are ever written to disk in the clear - encryption at rest.

If, at the same time, users do not need to take any action to benefit from 
encryption and encryption does not affect their implementation, this would be 
ideal (like https, it "just happens").

I've been using the JCE for encryption for some time 
([https://github.com/davidcarboni/cryptolite-java]) so I've worked out four 
approaches to providing encryption, all of which respect the FileItem interface.

1. As a *stand-alone library* 
([https://github.com/davidcarboni/encrypted-file-upload]):

 
{code:java}

  com.github.davidcarboni
  encrypted-file-upload
  1.0.2
{code}
 

2-4. As a fork of Commons Fileupload with different approaches on different 
branches ([https://github.com/davidcarboni/commons-fileupload]):
 * *Implement FileItem*, using a copy of DiskFileItem as a starting point 
(branch: _encrypted-file-item-implementation branch_)
 * *Extend DiskFileItem* to modify writes and reads (branch: 
_encrypted-file-item-extends_)
 * *Modify DiskFileItem* itself. In this case I needed to reduce the visibility 
of getStoreLocation() (which is not part of the FileItem API) because the 
returned file is encrypted and therefore meaningless (_branch: 
encrypted-file-item-default_)

All of these allow you to use a [corresponding] FileItemFactory. Modifying 
FileItem itself has the advantage that encryption becomes the default, however 
users of the DiskFileItem method getStoreLocation will be affected because 
there's no way to recover the key used to encrypt data written to disk.

It's an API-neutral change with respect to FileItem and, based on the unit 
tests, does not affect the behaviour of DiskFileItem.

Many thanks

David

> The encryption & decryption of uploaded file
> 
>
> Key: FILEUPLOAD-119
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-119
> Project: Commons FileUpload
>  Issue Type: New Feature
> Environment: Windows/Linux
>Reporter: inderjeet
>Priority: Critical
>
> Hi,
> Can we upload the file in the encypted format and later decrypt it to show 
> the file so that noone can directly open the file from the disk space (hard 
> disk) where i have uploaded the file usinf fileUpload functionality. This is 
> the major concern for our project ?
> Is there any external library which can do this for us even just after we 
> upload the file through this API ?
> Thanks & Regards
> Inderjeet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)