encrypted files on web server

Anon

I am currently looking for a file encryption solution for the following senerio...

I have a company that is posting several documents to their web site for their clients to log in a view.
The documents need to be stored in a encrypted format on the web server for security purposes.
Does anyone have a scheme or idea on how this would work best? (If i encrypt the documents and store the key on the server then encrypting them is pointless.) (Also the encyption needs to be seamless to the web site users)

How can i encrypt these documents and decrypt them when an authenticated web site visitor logs in and requests the document????

How can I make this process automated?

Where do i store the decrypt key?

Any thoughts would be helpful!!

kparker

You have some conflicting requirement there!

Transparent-to-the-user limits your possibilities to one only: the clients need to view the pages via SSL. Anything else is going to require something special on the client end.

As far as needing to be encrypted on the server, if you can't be sure your webserver is secure, you have problems that merely encrypting a few files isn't going to help.

Anon

Not really true... One can never be sure a web server is completely secure.

Microsoft's problems over the past few weeks are a perfect example of that. If you have ANY remote ports open their is a chance of someone accessing your server/network.

Encrypting on the server can just add another layer of security.

jbloom

I don't agree. Encryption of a message is chosen on the assumption that the message will be inspected by unwanted viewers. That could include the Web admin as well as the unwashed 'Net hordes. Just because a document is on my Web server does not mean I have a need to know its contents.

jbloom

What you are looking for is public-key cryptography, where the document can be encrypted using one key (available to the server) but decrypted only using a different key (available to the client).

I'm not sure there is any seamless solution, particularly if by "documents" you mean Web pages. The problem, as always, is that you are constrained by what the client supports, and while there is some crypto support in modern Web browsers, I'm not sure its up to providing what you need.

One possibility worth investigating is crypto packages that include browser plug-ins to handle the decryption transparently. I don't know that any such packages exist, but I wouldn't be a bit surprised if they did since the basic crypto technology is widespread. (Such packages may not be cheap, though.)

If the documents in question are not Web pages (that is they are Excel, Word, PDF, etc files) and if you are willing to trade off a bit of seamlessness, you could use something like PGP (www.pgp.com) or its open-source alternative GnuPG (www.gnupg.org), which will allow users to create and exchange the needed crypto keys and to encrypt and decrypt files using those keys.

Anon

I agree 100%. It is for that reason I have been attempting to implement a valid encryption solution.

kparker

PKI

Indeed, and the things mentioned here (i.e. should the webmaster have access to my documents?) are certainly valid. I was just trying to point out that the requirement that the user not have to do anything special ruled out quite a few options, including most definitely PKI.