jsaccess - private web file sharing using client side crypto
2013, Laurent Ghigonis <laurent@gouloum.fr>

Store files encrypted with symetric key (AES-256) and it will seemlessly be
decrypted in the user web-browser on download.
No htaccess, https, or any server side configuration required, as it will just
serve static pre-encrypted files.

Note:
You should still use https to protect against clients targeted attacks like
mitm on the javascript code or mitm on the encrypted archives.

$ git clone git://git.zx2c4.com/laurent-tools
$ cd laurent-tools/jsaccess/


Local demo
==========

$ firefox jsa/index.html
OR $ google-chrome --allow-file-access-from-files jsa/index.html
# Demo password is 'jsa'
# Click on 'Get files list' to retrieve the files available for this password
# In the demo the only file is 'put_your_encrypted_files_here.txt'
# Click on Download
# You now have the file decrypted :)


Deployment
==========

There are 2 parts:
* The jsa/ directory that contains html / javascript files, for the user to
access files list and download. jsa/files/ is the files store.
* The encrypt.sh script for the web server owner to encrypt files
It is recomanded to run encrypt.sh on your laptop, and then syncronise the
jsa/files/ file store.


Put jsa/ directory on your web server, publicly available.


Share a file
============

1. Add the file you want to share to the file store
On your laptop:
$ ./encrypt.sh myfile
# Then enter the passphase you want to use for encryption.
# It will tell you something like:
jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0
CREATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6
UPDATED jsa/files/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt

2. Syncronise the file store with you online server
On your laptop:
$ rsync jsa/ user@myserver:/var/www/htdocs/
# Upload both CREATED and UPDATED files to your server
# You need to keep the correct full path

3. Direct people to the directory jsa/, e.g. http://myserver.com/jsa/


How it works
============

encrypt.sh creates a directory jsa/files/<rmd160_hash_of_passphrase>/.
It encrypts your file using AES256 with the passphrase and stores the result in
jsa/files/<rmd160_hash_of_passphrase>/<rmd160_hash_of_(passphrase+filename)>.
It also updates the index of available files per directory called index.txt,
that contains real file names. The index is also encrypted using AES256 with the
passphrase.

Web UI generates rmd160 hash from the passphrase and get the list of files
available for this passphrase (jsa/files/<rmd160_hash_of_passphrase>/index.txt),
decrypts it and shows the list of files.
When the user clicks on Download, it fetches the file from the rmd160 name,
decrypts it with the passphrase and stores it with the real name using the
Filesaver JS API.


Dependencies
============

On the host that runs encrypt.sh:
* openssl
* base64

On the web server:
* Serving static files is enough
* optional: https, to protect against clients targeted attacks


Git content
===========

jsa/ - should be on your webserver, can be renamed
jsa/files/<password_hash>/ - directory of files to download for a given password
jsa/files/<password_hash>/index.txt - list of file name available
encrypt.sh - to encrypt your files before uploading them to your web server


TODO
====

* Download progress

* Decrypting progress
Need to modify gibberish-aes

* Make password field appear as full of dots after validation