Fog Creek Software
Discussion Board




Suggestions/Pointers for Project Issue

Hi All,

I am facing an issue in my project and I want your suggestions on how I can tackle it in the best manner.

Basic aim: To allow transfer of files from user's machine to server.

Flow:
End user will login to Intranet. Now he should be able to upload files or FOLDERS. As you know by default, HTML will not allow me to upload FOLDERS. So the obvious solution is to use ActiveX control. (Yep, I have control over which browser user can use and allowing certain ActiveX control to run)

Now what I want to do is:
Embed ActiveX control on HTML page.
User can select file OR FOLDER to upload.
ActiveX control should now ENCRYPT & ZIP (file or folder) and FTP it to the Server. It should use the logged in person's ID to access the FTP server. Then it should basically do an HTTP GET request to one script and tell what file it has uploaded and where.

My doubts:
1. Does it make sense to encrypt file / zip and then upload?
2. Will encrypting/zipping be very slow inside browser?
3. Are there any places where I can look for ready made encryption API which can encrypt files? [I am aware about zipping of the file]
4. In case of folders, should I encrypt the zipped file, or should I encrypt the individual files in the folder and then zip the folder?

If you have any ideas/suggestions, please share them.
Thanks for your time,
Regards,
JD

JD
Tuesday, June 24, 2003

1, I can understand zipping for lowering traffic volumes, but I take it that once uploaded to server the files will be processed by some server side program. This means it will probably have to be unzipped once reaching the server.

Why not simply use SSL encryption and unencrypted ZIPs?

Why use FTP and not HTTP transfers over SSL?


2, Probably :-)


3, There is an algorithm called AES that is built upon Rijndael encryption, that has sample code and things. I've used it and it is good.

http://csrc.nist.gov/CryptoToolkit/aes/


4, I would suggest encrypting the zip file containing the recursive folder structure. Then again, it depends on what you need to do with the files once they are uploaded.

Patrik
Tuesday, June 24, 2003
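The approach suggested in point 4 above (zip the whole folder tree, then encrypt the single archive), as an added example that is not part of the original thread. It assumes Go's standard library, AES in GCM mode (a mode the thread does not specify) and a key that client and server already share; the function names are hypothetical.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAEAD (hypothetical name, added example) wraps a 16/24/32-byte key in AES-GCM.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFolder zips path->contents, then encrypts the archive: nonce || ciphertext || tag.
func SealFolder(a cipher.AEAD, files map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range files {
		w, err := zw.Create(name)
		if err == nil {
			_, err = w.Write(data)
		}
		if err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize()) // fresh random nonce for every upload
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, buf.Bytes(), nil), nil
}

// OpenFolder (server side) rejects tampered blobs and returns the plaintext ZIP bytes.
func OpenFolder(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob shorter than nonce")
}
```

Because the archive is encrypted as one unit, file names and the folder layout are hidden along with the contents, and compression happens before encryption, while the data is still compressible.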


If you are on an Intranet... what is the purpose of file encryption for an internal FTP transfer?

Joe AA
Tuesday, June 24, 2003

I don't have a say on 'Why we need encryption?'

The decision is by _upper_ management and that is it. I have to implement it somehow.

Patrik, thanks for the AES link! :)

Regards,
JD

JD
Tuesday, June 24, 2003

>The decision is by _upper_ management and that is it.

Oh, this is bad. Every design decision that is not totally obvious as to why it was made should be questioned.

If upper management later decides that their decision was less than brilliant you will be blamed for not recognizing a potential problem yada yada.

Happened to me before.

A lesson learned the hard way, so now I'm the PITA developer that questions every decision that does not make sense to me.

But that's another thread.

Good luck.

Patrik
Tuesday, June 24, 2003

Why not just put a password on the zip file? Doesn't that encrypt the zip file in some manner?

GiorgioG
Tuesday, June 24, 2003

I don't think that giving password to zip file encrypts it!

Regards,
JD

JD
Tuesday, June 24, 2003

http://www.pkzip.com/products/enterprise/securitypre-ggl.html

GiorgioG
Tuesday, June 24, 2003

Why does management want the file encrypted?
I'm sure it's not arbitrary. Maybe it's for some legal requirement.  That determines when you must encrypt it, and if https/ftps would make more sense or encrypting individual files or whatnot.

> Will encrypting/zipping be very slow inside browser?
You just said it's an activeX control, so it is native code.

BTW, if you write your own activex control, make sure you don't add security holes to your user's systems.

mb
Tuesday, June 24, 2003

Maybe I'm mistaken, but if the site runs on an intranet, would you not have access to use scripting code and use the FileSystemObject to iterate over files in a folder and post them one at a time?

Big B
Tuesday, June 24, 2003

Who cares why management wants it encrypted? Just do it and go home! The only things that matter are getting paid and going home. Computers suck.

Fred2000
Tuesday, June 24, 2003

As ActiveX seems to be an option - why not go for WebDAV, which is called Web Folders in Windows? Users then would be able to use Windows Explorer to drag'n drop/copy files to/from a remote server, facilitating SSL etc.

Johnny Bravo
Tuesday, June 24, 2003
