Encrypted File Transfer

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi all,

the following problem occured to me and I hope somebody can
help me :

I need to implement an encrypted File download with
a PHP script on the server side and a c# client application.

I know there is a way to symmetrically encrypt files
with the php mcrypt routines and already did implement a
protocol based on xml for querying files from the

So the problem is, I need to generate and exchange a
random key for each transfer. This is possible,
for example, with the Diffie-Hellman Key Exchange
Procedure. Because I found nothing about this
procedure in the php function list, I began
to implement it myself.

The problem in this case is that I need arithmetic
support for Big Numbers (>=1024 Bits). The bc* functions
are too slow and do not work in this case. An alternative
would be the GMP Library, which is not supported by the
ISP where the script will be running.

Setting up my own Server with GMP support is no alternative either in
this case.

So perhaps anybody knows how I could achieve an encrypted
file download with different keys for every "Download Session" in
php. Is it possible over an ssl / https connection ? Or what am I
missing here ?

I would be very grateful for any hints, tips, sugesstions, points
to existing code...

Many thanks in advance,


Re: Encrypted File Transfer

Quoted text here. Click to load it

Can't rely on a shared secret?

Re: Encrypted File Transfer

Chung Leong schrieb:
Quoted text here. Click to load it

Many thanks for your Reply !

But if you mean that Server and Client should agree
upon a key once and each store that key to be used
for every download session they will ever do, that
is not what I want.

A new Key for every Download is what I would appreciate !

Re: Encrypted File Transfer

In essence, yes. Although you can use the the shared secret to encrypt
a new key each time, which is used to encrypt the actual data.
What I was really asking is whether your system employs passwords.

Re: Encrypted File Transfer

Quoted text here. Click to load it

The encryption doesn't have to be strong if you use SSL for the actual
transer. A weak onetime keypair has to be strong enough to allow the
transfer to complete before you can reasonably assume someone had the
processor time to crack it.

But is the openssl module (http://nl3.php.net/openssl ) available on the
target server?

Quoted text here. Click to load it

What is the quest? Should the file to download be encrypted during
transfer or should an encrypted file be downloaded to a client?

In the first case SSL is good enough but you could use DH key exchange
for authtication for additional security. I don't see the practical
point of the latter case.

Re: Encrypted File Transfer

Daniel Tryba schrieb:
Quoted text here. Click to load it

First of all, many thanks for your reply !

Well yes, the Provider has installed the OpenSSL module
on the Server, great !

To be more specifically, this is what I want to Achive :

1) Client and Server agree upon a one-time-key.
2) The Client POSTs an Xml String to the Server
    in which he tells what file he wants to Download
    and some additional Information :

    <query filetodownload="abc.def" package="packageoffile">

     This POST should also be encrypted with the previously
     agreed key.

3)  Someone has Stored the file "abc.def" in unencrypted
     form in a specific Directory (Protected by an .htaccess file)
     on the Server before.

4)  The Server Opens the file, encrypts the Data with the
     key Exchanged in 1) and sends it to the Client.

5)  The Client Decrypts the Data and stores it in a specific

There were two thougts came in my mind while I was reading your answer :

First, the Download of a file may take up to 30 minutes, for this
short time a smaller key of 128 Bit perhaps could not be cracked
I suppose. So I am going to test, if the bcmath functions
work with this.

Secondly, perhaps the whole Session (Step 1-5) could be
(semi-)transparently encrypted with ssl.
So I would like to know how this could be done, if possible !

Or if it would just be possible to exchange the key over ssl this would
be great! How can this be done ?

Perhaps something like this :

Server & Client establish HTTPS Connection.
Client POSTs a number of randomly generated
bytes to the Server.
The Server Replies with another number of
randomly generated bytes.
Both Quit the HTTPS Connection and
Calculate a Key with the Exchanged Bytes, perhaps
with a simple XOR or something like that.

Would this make sense ? How could it be done ?

Many thanks in advance for any help, suggestions, hints !

Re: Encrypted File Transfer

Quoted text here. Click to load it

The data itself should offcourse be strongly encrypted.

Quoted text here. Click to load it

Ehhh, step 1 thru 5 are essentially SSL.

Quoted text here. Click to load it

https (http over ssl) is transparant, your PHP script and C# client
communicate just like any other http client/server. The client does a
for example a POST, the C# http/crypto libs will setup a secure
connection (I'd guess they use DH for that) to the webserver, which
invokes PHP. All data send from PHP will be over the already encrypted
socket back to the client. A typical encryption would be something like
AES-256 (which is symmetric)

Quoted text here. Click to load it

If you can use SSL this doesn't make any sense (way to complicated :).
SSL does the encryption (transparant), so all you have to do is
authenticate the client:

1-server/client establish https connection
2-client authenticates somehow (could be plaintext challenge/response)
3-server pushes file over existing socket

step 1 is handled by the actual webserver and the cryptolibraries on the
step 2 could be anything you want, from simple text passwords to RSA
step 3 could be a simple readfile() in PHP in response to a successfull
       step 2

Alternatively (depending on how the client program get distributed) you
could do authentication with SSL by using self generated client certificates
(some kind of activation after install).

Re: Encrypted File Transfer

Daniel Tryba schrieb:
Quoted text here. Click to load it

   You are right, weak encryption is not what i should do to
   minimize programming effort :-)

Quoted text here. Click to load it

Yes, I suppose the best solution is to use SSL, why reinvent the wheel ?
I think the client-certificate seems to be a great way for
authentication, so I am now going to read a lot about OpenSSL and
certificates to see how this technique best fits into my
project! Google will help me find the Tutorials/Code samples I need
(hope so).

I am very grateful for your answer ! Thank you alot !

Re: Encrypted File Transfer

Quoted text here. Click to load it


It does, but I bookmarked this last time I needed to generate a
seflsigned CA and client certificates with openssl (not for/in PHP
though): http://linsec.net/info/ssl-cert.html

Site Timeline