jsaccess - download and decrypt files in the browser
2013, Laurent Ghigonis <laurent@gouloum.fr>

Provide protected access to files on a web server without htaccess or https.
The files are stored AES256 encrypted on the server, and decrypted on download
in the web browser.

You should still use https to protect against attacks that target the client,
such as a MITM on the JavaScript code or a MITM on the encrypted archives.

$ git clone git://git.zx2c4.com/laurent-tools
$ cd laurent-tools/jsaccess/
$ firefox jsa/index.html
demo password is 'jsa'


Deployment
==========

First, put the jsa/ directory on your web server, publicly available.

To add a file for others to download:

1. $ ./encrypt.sh myfile
Then enter the passphrase you want to use for encryption.
It will tell you something like:
jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0
CREATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6
UPDATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt

2. Upload both the CREATED and UPDATED files to your server.
You need to keep the correct full path:
$ rsync jsa/ user@_host:/var/www/htdocs/

3. Direct people to the directory jsa/, e.g. http://myserver.com/jsa/


Example adding a new file
=========================

$ ./encrypt.sh README.txt 
Enter passphrase used to encrypt: jsa
jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0
CREATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6
UPDATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt

$ rsync jsa/ user@_host:/var/www/htdocs/


Example downloading a file
==========================

firefox jsa/index.html
# enter 'jsa' as password
# click on 'Get files list'
# select 'README.txt'
# click on Download
# you now have the file decrypted :)


How it works
============

encrypt.sh creates a directory jsa/files/<rmd160_hash_of_passphrase>.
It encrypts your file using AES256 with the passphrase and moves the encrypted
version to
jsa/files/<rmd160_hash_of_passphrase>/<rmd160_hash_of_(passphrase+filename)>.
It also updates the per-directory index of available files, called index.txt,
which contains the real file names. The index is also encrypted using AES256
with the passphrase.

The web UI generates the rmd160 hash of the passphrase and gets the list of
files available for this passphrase
(jsa/files/<rmd160_hash_of_passphrase>/index.txt), decrypts it and shows the
list of files.
When the user clicks on Download, it fetches the file by its rmd160 name,
decrypts it with the passphrase and stores it with the real name using the
Filesaver JS API.
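
Added example (not part of jsaccess): a pre-upload check that a local
jsa/files tree contains only the layout described above, so a plaintext file
copied in by mistake is caught before rsync. The function names are
hypothetical, and it assumes hash names are 40 lowercase hex characters, as in
the sample output.

```sh
#!/bin/sh
# Added example, not jsaccess code. Layout assumed from "How it works":
#   files/<rmd160 hex>/index.txt
#   files/<rmd160 hex>/<rmd160 hex>

# is_rmd160_hex NAME: succeeds if NAME is exactly 40 lowercase hex characters
# (assumption: lowercase, as printed in the README's sample output).
is_rmd160_hex() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# jsa_audit_tree FILES_DIR
# Prints one line per problem; returns 0 if the tree is clean, 1 otherwise.
jsa_audit_tree() {
    files_dir=$1
    problems=0
    [ -d "$files_dir" ] || { echo "MISSING $files_dir"; return 1; }
    for dir in "$files_dir"/* "$files_dir"/.[!.]*; do
        [ -e "$dir" ] || continue            # unmatched glob stays literal
        if [ ! -d "$dir" ] || ! is_rmd160_hex "${dir##*/}"; then
            echo "UNEXPECTED $dir"
            problems=$((problems + 1))
            continue
        fi
        # every passphrase directory needs its (encrypted) index
        [ -f "$dir/index.txt" ] || { echo "NOINDEX $dir"; problems=$((problems + 1)); }
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$f" ] || continue
            fname=${f##*/}
            [ "$fname" = index.txt ] && continue
            # anything not named like a hash is likely an unencrypted original
            if [ ! -f "$f" ] || ! is_rmd160_hex "$fname"; then
                echo "UNEXPECTED $f"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Run as: sh audit.sh jsa/files   (the script name is a placeholder)
if [ "$#" -gt 0 ]; then jsa_audit_tree "$1"; fi
```

The check only looks at names and file types; it does not verify that the
contents are actually encrypted.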


Directory content
=================

jsa/ - should be on your webserver, can be renamed
jsa/files/<password_hash>/ - directory of files to download for a given password
jsa/files/<password_hash>/index.txt - list of available file names
encrypt.sh - to encrypt your files before uploading them to your web server


TODO
====

* dynamically get files list from jsa/files/list_<password_hash>
(server directory listing should be disabled)

* MIME types on download