Encryption in Dropbox-like Java application

I'm thinking about encryption in an application. The architecture consists of:

1. Server
2. Desktop client
3. Web client
4. mobile client

The goal is to allow user to store his data on the server, and access it from all clients, but to guarantee data privacy by encrypting data on the client.

Dropbox is an example of such an architecture, but as far as I know they don't do that - they must store plaintext data on their servers, otherwise they wouldn't be able to save on space by storing the same file only once, even if it was stored by multiple users.

How would you implement such an application? I'm thinking about using Java for desktop client; the same encryption code could theoretically be reused in GWT web client (compiled to Javascript) and in Android client. However, that's only in theory.

1. Is there an encryption library that's available on all these platforms?
2. What algorithms to use?
3. What about private keys? I can ask user for the password every time, but how do I ensure that private keys are the same for the same user in all clients?
4. I'd like to avoid multiple passwords; but if I use the same password for both data and authentication, how 开发者_开发问答do I prevent server from giving data to a hacker which supplied the wrong password, or server from being able to decrypt user data because it has user's password?
5. What possible gotchas are there?

---

You actually need a few different pieces of cryto.

First, you want the client to encrypt the file for upload, and upon retrieving the encrypted payload back decrypt it.

Second, you want some method to transmitting the encrypted file for upload in a manner that insures that only the correct user can access his files.

The first problem requires a symmetric encryption algorithm. There are a bunch out there, but your best bet is probably AES. If you take a look at gwt-crypto at they have a wrapper for the java bouncy castle implementation. That takes care of two of three of your platforms. I don't work with android platform, but I'd be surprised if there wasn't an AES implementation floating around. As for the key, you'll probably end up with a hash of a password. Just keep in mind the possibility of rainbow tables and take appropriate measures. The password used to encrypt the file need never go over the wire, as I understand your model all encryption and deception is done on the client. Since you mentioned system administrators as a potential attacker, you really need to look into key loggers, memory dumps and the like, but that's beyond the scope of the specific question you asked.

The second problem is a solved problem using TLS with client and server side certificates. Clients for such are available for all three platforms you are looking at. Whether you want make your users go through the hassle of installing client side certificates, though, is up to you. There are various fallback options but none are as well vetted.