I would like to hear advice from the more experienced developers. The project is now in the design stage. It’s mobile application and a simple web application. Content is pictures, comments, personal correspondence.
Pictures can be quite personal. Need a very serious attitude to security.
The question is simple: where to store photos and how to secure it?
I think it’s will be in the following way:
1. User make some photo. Via SSL the application sends photo to the server.
2. The server recieve photo, encrypt it and store somewhere.
Also, via app the user can see all own photos.
1. Request to server for photos.
2. Server decrypt stored photos and send via SSL to client.
I need some technical advices: where to save images, I know that database is quite slow for this case, which algorithms use for encrypt/decrypt, what about cache. It will be highload project and performance is very important.
Mobile application is planned on cross-platform framework like phoneGap, Titanium. On the server is .NET. But it is planned. I also consider full stack frameworks for javascript.
4
I would recommend using Amazon S3.
They have a pretty decent API for .net and I use it for all my image storage.
You can set privacy on an image “bucket” which means without accessing with the user/password or token they will be perfectly secure.
Also of course, you get all the cloud rednundancy and location based hosted services, also would be great if you are going to be using it with mobile and web, as you won’t be restricted by having your images stuck on a web server.
http://aws.amazon.com/s3/faqs/
2
where to save images
Like you realised, saving images onto a database isn’t worthwhile for your purpose. The usual approach is to –
- Save the uploaded image into any directory on the server.
- And then save the path to the image in the database.
Since you are encrypting the images too, it shouldn’t matter if somebody figures out where the images are on the server. (Ofcourse, you need to make sure your crypto keys are safe but that’s another topic.)
In project I’m working currently on I had to solve same problem.
My solution is :
- Store resources on HDD as files (HDD is made for this task so this is the best solution imho).
- Store in database id’s of resources with path’s and additional ‘meta data’.
- To provide client (iPad in this case) with secured photos we are using Spring MVC with Basic Authentication and REST interface.
Basic auth over HTTPS satisfies authentication requirement. You can easily implement it with Spring. Spring also provides you with REST interface for HTTP requests. Files should be stored on hard disk. Additional meta data can be stored in database to provide fast searching (f.e upload date or upload user).
It can be easily implemented with tools I’ve mentioned. That’s why I think it’s good solution. There are also many content repositories which can be installed on server where webapp will be deployed. I considered using Jackrabbit but solution I’ve provdied satisfied our needs.
2
That won’t be a long answer but maybe it helps.
How about storing it on Azure, AWS, Google or Manta. Then you encrypt the data with a secure algorithm by using the device IMEI.
As storage I would prefere Azure, I use it on my own atm and is very nice for .net and node.js.
As algortihm how about Rijndael or RSA.
A bit more explanation, the IMEI is unique and so nobody else can decrypt it, without access to the device. The other stuff, the cloud is the only option for global access.
4
It may be not a good idea to use javascript to decrypt, if so, every one that have access to your site, will have a copy of the decryptor,
the solution I can suggest is to keep photos encrypted at database. decryption must be on the server side when a secure request come through an ssl connection.
I don’t sure but maybe blocking direct links to photos is also useful, your links must be come through a secure routing
3