Monday, May 20, 2024
Homepage · image
 Popular · Latest · Hot · Upcoming
182
rated 0 times [  189] [ 7]  / answers: 1 / hits: 16666  / 14 Years ago, thu, october 14, 2010, 12:00:00

I have a web based application that requires images to be encrypted before they are sent to server, and decrypted after loaded into the browser from the server, when the correct key was given by a user.



[Edit: The goal is that the original image and the key never leaves the user's computer so that he/she is not required to trust the server.]



My first approach was to encrypt the image pixels using AES and leave the image headers untouched. I had to save the encrypted image in lossless format such as png. Lossy format such as jpg would alter the AES encrypted bits and make them impossible to be decrypted.



Now the encrypted images can be loaded into the browser, with a expected completely scrambled look. Here I have JavaScript code to read in the image data as RGB pixels using Image.canvas.getContext(2d).getImageData(), get the key form the user, decrypt the pixels using AES, redraw the canvas and show the decrypted image to the user.



This approach works but suffers two major problems.



The first problem is that saving the completely scrambled image in lossless format takes a lot of bytes, close to 3 bytes per pixel.



The second problem is that decrypting large images in the browser takes a long time.



This invokes the second approach, which is to encrypt the image headers instead of the actual pixels. But I haven't found any way to read in the image headers in JavaScript in order to decrypt them. The Canvas gives only the already decompressed pixel data. In fact, the browser shows the image with altered header as invalid.



Any suggestions for improving the first approach or making the second approach possible, or providing other approaches are much appreciated.



Sorry for the long post.


More From » image
 Answers
5

Encrypt and Base64 encode the image's raw data when it is saved. (You can only do that on a web browser that supports the HTML5 File API unless you use a Java applet). When the image is downloaded, unencode it, decrypt it, and create a data URI for the browser to use (or again, use a Java applet to display the image).



You cannot, however, remove the need for the user to trust the server because the server can send whatever JavaScript code it wants to to the client, which can send a copy of the image to anyone when it is decrypted. This is a concern some have with encrypted e-mail service Hushmail – that the government could force the company to deliver a malicious Java applet. This isn't an impossible scenario; telecommunications company Etisalat attempted to intercept BlackBerry communications by installing spyware onto the device remotely (http://news.bbc.co.uk/2/hi/technology/8161190.stm).



If your web site is one used by the public, you have no control over your users' software configurations, so their computers could even already be infected with spyware.


[#95329] Monday, October 11, 2010, 14 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
nestorjarettg
Add To Favorites
Follow
Total Points: 451
Total Questions: 108
Total Answers: 108
Location: Rwanda
Member since Thu, Feb 10, 2022
2 Years ago
nestorjarettg questions
Sat, Sep 25, 21, 00:00, 3 Years ago
Wed, Sep 9, 20, 00:00, 4 Years ago
Sun, Feb 16, 20, 00:00, 4 Years ago
Wed, Jan 29, 20, 00:00, 4 Years ago
Mon, Jan 13, 20, 00:00, 4 Years ago
View All
;