XML Encryption

S

Seraphic

2[H]4U
Joined
Oct 5, 2007
Messages
2,258
Hi,

I have a large XML file that I use with a flash music player to call locations of mp3 files.
My question is, is there anyway to encrypt the XML file so the path locations are encrypted, but still readable from the flash player?

Also, if someone was to find the path location to the XML file, then tried to save-target-as, using .htaccess, would there be any way to have it redirect and download another blank XLM file but the flash music player would still have access to the "real" XML file?

Thanks
 
Since flash runs on clientside, there isn't much you can do. You can leave the file encrypted on your server, and then have flash decrypt it, but since flash runs on the users machine, they will have the code on their machine to decrypt it if they want.
 
Theoretically, you could have your web server check the client header in the HTTP request, and only allow the flash player access based on that - but any decent power user will be able to spoof an HTTP header with minimal effort. I can't think of a good way to encrypt the XML file and then have flash decrypt it; you might try just XORing it with a key and hard coding the key into the compiled flash file. Still, the decrypted file would be stored in memory and could be accessed by anyone with a decent debugger.
 
Fryguy8 said:
Since flash runs on clientside, there isn't much you can do. You can leave the file encrypted on your server, and then have flash decrypt it, but since flash runs on the users machine, they will have the code on their machine to decrypt it if they want.
Click to expand...

Well, the track list and true path locations are in the XML file, not in the flash player. The flash player should only being displaying the track list that allows the viewer to select the track, the mp3 track streams and does not download. I don't think the XML file is downloaded to the user's system like you suggest, or does it?

Also, I found this page:
http://www.webdeveloper.com/forum/showthread.php?t=125966

Although, from 2006, the idea the second user posted does work. When you enter the url path the XML file it will redirect to the XSL file. I changed it to a redirect to my homepage. However, if you are fast enough, and right click before the redirect, then view source, it will display the true XML code. To fix this you simply direct it to a non-existent XSL file on your sever. Then it will return and error for the XSL file and there will be no source to view! Problem with that, however, is if you all you have to do is go to file tab, save page as, and it will save the true XML file... :(

I think the issue is because the URL bar still shows the .xml location when using a non-existent XSL file. If somehow you get the url to change to the XSL file that would mean there would be no source to view and no file to save.

But even if that worked though, I think a simple making an .html on your desktop, adding of the below code, opening the file and right clicking to save the target, would save the true path anyway.

Code: 
<a href="http://www.domain.com/test.xml">HERE</a>

Once the .xml path is found out, I think the game is over. In my case, I have the .xml path location hidden the in the flash player code itself. The flash file was exported with a password, so I don't think it can be found out. But I was wanted to try and encrypt the .xml file. Again though, not sure how much can be done.
 
Admittedly I know very little about flash, but I will toss in my .02 anyway.

How much actual security do you need for this, do you just want to make it hard for the user to read it? Using an actual cipher system seems like it would be complicated (again I don't know flash). Why not just encode the xml, say something like Base64. Anyone who actually looked at the file would just see a long string of nonsense, another programmer "might" know what he's looking at but as with any security by obscurity plan any one in the same field might be able to figure out the trick your pulling. While you are at it, remove the file extension as well.
 
You must log in or register to reply here.
Back
Top