0

Say that I have an application that stores user resources in amazon s3. Let's say that this data is sensitive. I have a table in the database which has resource rows, each containing a url to the resource and a user_id that owns it.

If I am returning the url directly to the user, how can I guarantee that only that user will be able to access it from that session?

A similar question had an answer that used expiring urls, although if someone else also had the link within the expiry period, they could access it as well.

Is there a way that I can facilitate a direct cryptographic exchange between the client and the cloud storage provider where the resource exists? I want to be able to pass the client a link to the cloud resource and have only them be able to decrypt it in their browser at that moment only.

Community
  • 1
  • 1

1 Answers1

0

Why not?

If you can securely pass a private cryptographic key to your client OR you know a public key to his private key, you can always encrypt a file on your end and then user's browser will decrypt that file at his end.

Take a look at a couple of readily available JavaScript libraries:

  1. https://code.google.com/archive/p/crypto-js/
  2. http://www.fourmilab.ch/javascrypt/
  3. Also, a huge list here: https://gist.github.com/jo/8619441

If you have to give access to different people (say, to User1 today, to User2 and User3 tomorrow), the best approach will be not encrypting the file itself every time, but encrypt it once, then encrypt the private key to decrypt the file with keys of those users.

Sergey Kovalev
  • 9,110
  • 2
  • 28
  • 32