Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
ozzthegod
Forum Newbie
Posts: 2
Joined: Thu Mar 27, 2008 9:17 am

Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by ozzthegod »

Hi,
I am banging my head against the wall for last 5 days. I CANT find any way to encrypt uploaded files (any extension txt,pdf,mp3,exe...etc).

I am working on a data management system and it needs to have encryption so the files people are storing with it can be accessed only from the app.
app was created in Flex and it uses PHP to handle file upload.
the biggest problem is that i have no idea on which server it will be hosted so the encryption i implement needs to be multi-platform(so no shell_exec unfortunately).

i have tryed anything i could think of, i even tryed to pull data from the file, encrypt it and then write it back into the file but that doesnt work properly with anything that is not txt. so that rules out mcrypt, crypt...

does anyone have any experience with this kind of problem if nothing else point me to the right direction.

TNX A MILLION with a cheery on top and cream and sugar and plasma TV....
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by Mordred »

ozzthegod wrote:...so the files people are storing with it can be accessed only from the app.
Simply store them in a folder which is unaccessible from the web.
Two ways:
1. (better) Outside the web tree (any sensible hosting should provide this)
2. In a protected folder in the web tree (using the proper .htaccess directives)
ozzthegod
Forum Newbie
Posts: 2
Joined: Thu Mar 27, 2008 9:17 am

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by ozzthegod »

i wish it was that easy,
ppl that i am developing this for REALLY REALLY REALLY want files to be encrypted :(
very sensitive data and... you can guess...

tnx for the idea :)
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by Mordred »

ozzthegod wrote:ppl that i am developing this for REALLY REALLY REALLY want files to be encrypted :(
Well, tell us what do you know of encryption and keys and stuff, and what have you considered so far?

I hear that choosing a simple encryption scheme and applying it multiple times increases the security considerably. Take something basic which PHP supports natively - the best I can think of is the xor operator (be careful to use the bitwise ^, not the logical xor) and go from it - xor the data multiple times with a long random key. Do it many times - 4 or 8 times for best results. It is guaranteed to work on every PHP system, so it looks perfect for you.
rufio1717
Forum Newbie
Posts: 13
Joined: Fri Feb 12, 2010 3:56 pm

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by rufio1717 »

Don't bang you head against the wall. Take the easy approach and store the files the database! I know that everyone hates this, but in your situation is the best solution.

Code: Select all

CREATE TABLE `files`(
id INT NOT NULL AUTO_INCREMENT,
user_id INT NOT NULL,
file_name VARCHAR(40) NOT NULL,
file LONGBLOB,
PRIMARY KEY('id')
) ;

$key = "Large Random String"

Then just insert into the DB
$sql = "INSERT INTO `files` ('user_id','file_name') VALUES(intval($user_id),mysql_real_escape_string($file_name), AES_ENCRYPT($file,$key)); "
Now here is the real problem... AES_ENCRYPT SUCKS!!! If you can find a better solutions let me know! In fact anyone know a better alternative to AES_ENCRYPT?
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by kaisellgren »

rufio1717 wrote:Now here is the real problem... AES_ENCRYPT SUCKS!!! If you can find a better solutions let me know! In fact anyone know a better alternative to AES_ENCRYPT?
Why not just PHP's encryption functionalities, and doing the encryption in PHP instead of revealing the key on the SQL-query, which is likely going to end up in some logs.
User avatar
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by yacahuma »

Why AES_ENCRYPT sucks?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Uploaded file encryption PLEASE HELP!!!!!!!!!!!!!!!!!!

Post by Mordred »

Wow, thread necromancy.

If you guys still think the built-in encryption functions suck, I still stand by my idea (above) of XOR-ing the data 4 times (or 8 times for even better security). Or you can use a one-time pad, it's proven to be 100% unbreakable. Or, if you're really really paranoid, you can combine the two - use a one time pad, but XOR it 4 times for the most benefit.
Post Reply