jsaccess - private web file sharing using client side crypto 2013, Laurent Ghigonis Store files encrypted with symetric key (AES-256) and it will seemlessly be decrypted in the user web-browser on download. Files list cannot be accessed without the correct passphrase. It's possible to store files but not encrypt them with jsaccess, for example for files already PGP encrypted. No htaccess, https, or any server side configuration required, as it will just serve static pre-encrypted files. Note: You should still use https to protect against clients targeted attacks like mitm on the javascript code or mitm on the encrypted archives. $ git clone git://git.zx2c4.com/laurent-tools $ cd laurent-tools/jsaccess/ Local demo ========== $ firefox jsa/index.html OR $ google-chrome --allow-file-access-from-files jsa/index.html # Demo password is 'jsa' # Click on 'Get files list' to retrieve the files available for this password # In the demo the only file is 'put_your_encrypted_files_here.txt' # Click on Download # You now have the file decrypted :) Deployment ========== There are 2 parts: * The jsa/ directory that contains html / javascript files, for the user to access files list and download. jsa/store/ is the files store. * The jstore script for the web server owner to manage file store. It is recomanded to run jstore on your laptop, and then syncronise the jsa/store/ with your server. Put jsa/ directory on your web server, publicly available. $ scp -r jsa/ user@myserver:/var/www/htdocs/ Share a file ============ 1. Add the file you want to share to the file store On your laptop: $ jstore add myfile # Then enter the passphase you want to use for encryption. # It will tell you something like: jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0 CREATED file jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/065e18a7f246b800242a778a6e8dd07a3321dac6 UPDATED file jsa/store/af022cd820fdad6cbcac8e15ac565c639a47dab0/index.txt 2. Syncronise the file store with you online server On your laptop: # Set the rsync url (only once) jstore rset user@myserver:/var/www/htdocs/jsa/store/ # push the file store jstore push 3. Direct people to the directory jsa/, e.g. http://myserver.com/jsa/ How it works ============ jstore creates a directory jsa/store//. It encrypts your file using AES256 with the passphrase and stores the result in jsa/store//. It also updates the index of available files per directory called index.txt, that contains real file names. The index is also encrypted using AES256 with the passphrase. Web UI generates rmd160 hash from the passphrase and get the list of files available for this passphrase (jsa/store//index.txt), decrypts it and shows the list of files. When the user clicks on Download, it fetches the file from the rmd160 name, decrypts it with the passphrase and stores it with the real name using the Filesaver JS API. Dependencies / Compatibility ============================ On the host that runs jstore: * openssl * base64 * optional: rsync, if you with to use ./store push to deploy your file store On the web server: * Serving static files is enough * optional: https, to protect against clients targeted attacks On the web user machine: * Tested with Firefox 21 and Chrome 27 Banner ====== You can set your own banner image / link / text without modifying html. See jsa/banner/README.txt Git content =========== jsa/ - should be on your webserver, can be renamed jsa/store// - directory of files to download for a given password jsa/store//index.txt - list of file name available jstore - to encrypt the files that will be available for download TODO ==== * store non encrypted files option in jstore special mark in index, to show it in web ui * web: download progress * web: decrypting progress Need to modify gibberish-aes * web: make password field appear as full of dots after validation