Monday, April 8, 2013

Integrating ELC into your community

Introduction


This article explains how you can integrate the ELC system into your community using MegaDownloader 0.8.
For an overall view of the ELC system, please refer to the article "Understanding mega:// links", section "ELC links".
Required knowledge: this article assumes you have some knowledge of cryptography, hashing, databases, and the HTTP protocol.

Server validation

ELC requires a server to perform two actions:
- Validate users, so only users of your community will be able to download the files.
- Encode or decode the internal password that will allow users to download the files.

Two pages are required:
- One page to show the users of your community HOW to configure their MegaDownloader/MegaUploader ELC account.
- One page to validate the data and perform the password encode/decode.

User validation

Each user will have two unique codes that identify them to your system. You have to provide these codes to your users on the first page.
The first code is the "Username", a public code that identifies which user wants to download the files.
The second code is the "API-Key", a private code that validates the user as a valid member of your community.
Apart from that, you should also show the user the URL of the second page (the one that validates the data).

This API-Key should NOT be the user's password. Using the user's password represents a security issue, because if you don't use SSL, the data will travel unencrypted.
The API-Key should be a code that validates the user for the ELC usage, and nothing else. If a third person gets the user's API-Key, he shouldn't be able to modify the user's account, or anything like that. An API-Key should also be regenerated when the user changes his password.

A good API-Key would be, for example, the hash generated by concatenating the username and the hashed password stored in your system (normally you store a hash, not the user's plain password). If the user changes his password, the API-Key changes too, because the hashed password has changed.
If you also add a random salt when generating the hash, then security is increased.
Normally communities use a CMS or forum, with their own tables where user data is stored.

For example, if your community DB has a table called "user", with two columns "username" and "password", you could do something like:
1) Get the value of the username and his (hashed) password.
2) Concatenate a random salt string to the username and the (hashed) password (optional but recommended).
3) Generate a hash (preferably a SHA256 or SHA512, it's longer but also more secure than MD5).

This final hash could be the API-Key.
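
The three steps above as an added Python example (not part of MegaDownloader or of the PHP example mentioned later). The per-user elc_salt column, the USERS table stand-in and the function names are assumptions; each field is length-prefixed before hashing so that different username/password pairs can never produce the same hash input, and the key is compared in constant time.

```python
import hashlib
import hmac
import secrets


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") hash differently."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def make_api_key(username: str, password_hash: str, salt: str) -> str:
    """Steps 1-3: SHA-256 over the salt, the username and the stored hash."""
    material = _field(salt) + _field(username) + _field(password_hash)
    return hashlib.sha256(material).hexdigest()


def check_api_key(presented: str, username: str, users: dict) -> bool:
    """Recompute the key from the user's row and compare in constant time."""
    row = users.get(username)
    if row is None:
        return False
    expected = make_api_key(username, row["password"], row["elc_salt"])
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed stand-in for the "user" table. The password values are
# placeholders for whatever hash your CMS or forum already stores, and
# elc_salt is a hypothetical extra column holding the random salt.
USERS = {
    "alice": {"password": "stored-hash-of-alice-password",
              "elc_salt": secrets.token_hex(16)},
    "bob": {"password": "stored-hash-of-bob-password",
            "elc_salt": secrets.token_hex(16)},
}

if __name__ == "__main__":
    alice = USERS["alice"]
    key = make_api_key("alice", alice["password"], alice["elc_salt"])
    print("API-Key shown on the first page:", key)
    print("accepted by the second page:", check_api_key(key, "alice", USERS))
```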

Data process

So, in your first page, the one that displays the user's data to configure his ELC account, you should generate and display the API-Key. The page should also display the Username and the URL of the second page.

The second page will be used internally by MegaDownloader. You can find here a PHP example of this page.
Of course, if your system doesn't use PHP but another language (Java, .NET, etc) you should adapt the example to that language.
This page will receive HTTP POST requests, so it should not allow GET requests: if a user puts this URL in his browser, an error should be displayed, because this page is designed to be accessed with a POST request.

Input
MegaDownloader and MegaUploader will send 4 POST parameters when generating an ELC or when reading an ELC:

- Parameter "USER": Will contain the user's code.
- Parameter "APIKEY": Will contain the user's API-Key.
- Parameter "OPERATION_TYPE": Two possible values: E or C.
- Parameter "DATA": a string containing the data to process.

The first two parameters are used for validating the user; the other two parameters are used for processing the data.


Output
The page will return, in all cases, a JSON response.

If there is an error (invalid user access, invalid data, etc), the page will return this structure:

{"e": "ERROR DESCRIPTION", "d": ""}

If there is no error, the page will return this structure:

{"e": "", "d": "PROCESSED DATA"}

As you can see, only two parameters are returned: e (error) and d (data). One must be empty and the other filled.





The page will perform two different actions:

- First, it will validate the user by using the data contained in the "USER" and "APIKEY" parameters. If the user is not validated, then an error will be returned and the page won't continue with the second action.

- Once the user has been validated, the page will process the data (by using the other two parameters, "OPERATION_TYPE" and "DATA").

"OPERATION_TYPE" parameter will contain E or C (any other value will cause an error to be returned). E means Encrypt, and D means Decrypt. So basically, you will take the data contained in the "DATA" parameter, and will encrypt it or decrypt it depending on the value of "OPERATION_TYPE".
It's very important to emphasise that the encryption process must be symmetric: when the output of an E operation is used as the input of a D operation, the output of that D operation must be equal to the original input of the E operation!

The way to implement the encryption/decryption process is up to you. But if you just want "something that works", then you can use the example provided previously.

The example page doesn't contain a "good" implementation of the first action: it just compares the USER and APIKEY values with a constant text. This is because depending on how your community works, you can make one implementation or another; the general idea of how it should work was provided in the previous paragraphs.

However, the second action is fully implemented. In the example, the data provided is encrypted with AES. You can use this example "as is", just changing the password at the beginning of the code.
If you prefer, you can implement the process in another way. You can store the input data in your DB and return the numeric ID of the inserted row. The decrypt process will receive the numeric ID, and you will retrieve the original information. It's perfectly valid; just take into account that this requires DB access, which is more resource-consuming than performing an AES "on the fly".
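
An added Python sketch of the second page's logic (not the PHP example the article refers to), using the store-and-return-ID alternative just described with an in-memory SQLite table. VALID_KEYS, handle_elc, new_store and the elc table are hypothetical names; because the text gives the decrypt value as both C and D, the sketch accepts either.

```python
import hmac
import json
import sqlite3

VALID_KEYS = {"alice": "constructed-api-key-for-alice"}  # constructed sample
DECODE_OPS = {"C", "D"}  # assumption: the text gives both letters for decrypt


def reply(error: str = "", data: str = "") -> str:
    """Every path answers with the two-field JSON structure, never HTML."""
    return json.dumps({"e": error, "d": data})


def new_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE elc (id INTEGER PRIMARY KEY, payload TEXT NOT NULL)")
    return db


def handle_elc(method: str, post: dict, db: sqlite3.Connection) -> str:
    if method != "POST":
        return reply(error="POST required")
    # First action: validate the user before looking at the data.
    expected = VALID_KEYS.get(post.get("USER", ""), "")
    presented = post.get("APIKEY", "")
    if not expected or not hmac.compare_digest(presented.encode(), expected.encode()):
        return reply(error="Invalid user or API-Key")
    # Second action: store the data on E, look it up by ID on C/D.
    op, data = post.get("OPERATION_TYPE", ""), post.get("DATA", "")
    if not data:
        return reply(error="Empty DATA")
    try:
        if op == "E":
            cur = db.execute("INSERT INTO elc (payload) VALUES (?)", (data,))
            db.commit()
            return reply(data=str(cur.lastrowid))
        if op in DECODE_OPS:
            row = db.execute("SELECT payload FROM elc WHERE id = ?", (int(data),)).fetchone()
            return reply(data=row[0]) if row else reply(error="Unknown DATA")
    except (ValueError, OverflowError, sqlite3.Error):
        return reply(error="Invalid DATA")
    return reply(error="Invalid OPERATION_TYPE")


if __name__ == "__main__":
    store = new_store()
    base = {"USER": "alice", "APIKEY": VALID_KEYS["alice"]}
    row_id = json.loads(handle_elc("POST", {**base, "OPERATION_TYPE": "E", "DATA": "internal-password"}, store))["d"]
    print(handle_elc("POST", {**base, "OPERATION_TYPE": "D", "DATA": row_id}, store))
```

Since the numeric IDs are sequential, any validated member can decode any stored row, so the user check in the first action is the only access control here.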

How can you test this page?
The simplest way is by using Firefox + an extension called "POSTER". You can also create a basic HTML form that POSTs the data to that URL, and open it with a browser. It's up to you.

Easy ELC configuration - Just click!

For users with little knowledge about computers, configuring the ELC can be confusing/difficult. For that reason, a "click once configuration" method has been created.

The idea is that the user clicks on a link, and MegaDownloader automatically configures the ELC account for the first time. That's all! The user has to do nothing else :D

In the page where you show the ELC information to the user, you should implement a mega:// link to do that. This mega:// link should be like this (copying the link also works if MegaDownloader is configured to detect links from clipboard):
mega://configelc?http%3A%2F%2Ftest.com%2Felc%3Fa%3D1%26b%3D2:User%20Name:Api%20Key:Account%20Alias

As you can see, it's a mega:// link with the "configelc?" code. After that, there should be 4 parameters, each one separated with a ":" character:
- Parameter 1: The ELC URL of your site, URI encoded (you can do it with Javascript using encodeURIComponent). In this example, the URL is "http://test.com/elc?a=1&b=2" (note you can use & or ? if you need it)
- Parameter 2: The user name of the user, URI encoded. In this example "User name" (note it supports spaces and other strange characters).
- Parameter 3: The API-Key of the user, URI encoded. In this example "Api key" (note it supports spaces and other strange characters).
- Parameter 4: This is an optional parameter, you can specify the Alias of the ELC account, URI encoded - in this example "Account alias".

When the user clicks on the link, MegaDownloader will ask the user if he wants to create/update the ELC account. If he says "Yes", then the ELC account configuration will be imported - and he has to enter no data at all!
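
An added Python example (not MegaDownloader's own code) that builds the configuration link from its four parameters and parses it back, which shows why every field must be encoded: a ":" inside a user name or API-Key would otherwise be read as a separator. The function names are hypothetical, and parse_config_link follows the format description above, not the client's actual parser.

```python
from urllib.parse import quote, unquote

PREFIX = "mega://configelc?"


def build_config_link(elc_url: str, username: str, api_key: str, alias: str = "") -> str:
    """Percent-encode every field so ':' only ever appears as a separator.

    quote(..., safe="") escapes everything encodeURIComponent escapes (and a
    few extra characters), so both decode to the same values.
    """
    fields = [elc_url, username, api_key]
    if alias:  # parameter 4 is optional
        fields.append(alias)
    return PREFIX + ":".join(quote(field, safe="") for field in fields)


def parse_config_link(link: str) -> dict:
    """Inverse of build_config_link, to check what a link would import."""
    if not link.startswith(PREFIX):
        raise ValueError("not a configelc link")
    parts = [unquote(part) for part in link[len(PREFIX):].split(":")]
    if len(parts) not in (3, 4):
        raise ValueError("expected 3 or 4 ':'-separated parameters")
    return dict(zip(("url", "username", "api_key", "alias"), parts))


if __name__ == "__main__":
    # The article's own example values.
    link = build_config_link("http://test.com/elc?a=1&b=2", "User Name",
                             "Api Key", "Account Alias")
    print(link)
    # Constructed values containing the separator character.
    tricky = build_config_link("https://forum.example/elc", "user:name", "key:with:colons")
    print(parse_config_link(tricky))
```

The link carries the API-Key, so render it only on a page served to the logged-in user it belongs to.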

Conclusion

For users, adding an ELC account should be easy - just clicking on a link.
For developers, creating the ELC pages should also be easy - the ciphering method is provided in the example, and only a user validation system has to be implemented.

ELC is a solid and robust system to protect your MEGA links so they can't be reported, and people outside your community can't download them.

30 comments:

  1. Is not constant, but sometimes, a file that has not finished downloading is given as complete, even not downloaded or 1MB file. It would be nice if it had a button in the context to reset or restart a complete download.

    1. Also, on windows xp folders are not deleted, only the files inside.

    2. I will try to get a XP to test, thanks!
      Can you provide me a link that has this problem in order to check it? Thanks!

  2. Test MegaDownloader BETA v0.8
    http://youtu.be/PCrsgCJVWV0

  3. Hello dude,
    How can I find download link of a file in a folder like this one?

    mega.co.nz/#F!pRMnkBxL!QTbrTTp9DZo64urlaXDUNQ

    thanks

  4. I lost my download list when the computer restarted because of an error.

    This is the second time it happens, you know how to solve this?

    1. I faced the same problem.
      Apparently, it saves the list of downloads constantly and continuously, it becomes sensitive to the forced closure.
      My temporary solution was to use a batch to perform the backup also constantly.

      http://pastebin.com/a85TPTnP

  5. hey,
    this is great downloader
    how to delete my download list when is complete or cancel?

    http://img32.imageshack.us/img32/842/tl0.PNG

  6. Hi,
    I have been getting errors in files and after the applications automatically retries, the status of the file is shown as download complete whereas it is not.
    I am unable to resume the download.
    kindly help asap
    thanks

  7. http://imagizer.imageshack.us/v2/800x600q90/593/vten.jpg

  8. When I encode MEGA links with this program and copy the generated link, MiPony detects it and also shows me the original link, meaning MiPony decrypts the link. Is there any solution? This way my files posted on my forum get stolen and deleted.

    1. Hi, try implementing ELC as explained here. This system relies on your forum letting you control the users; for that reason it is not possible to break the encoding with MiPony (since the password is not always the same: your forum will have the one you choose, and so the security lies in your system, not in MegaDownloader!).

    2. Hi, the thing is I don't know how to implement this ELC; it's a bit complicated and there is no tutorial on how to do it, and on top of that it's in English. Sorry for my ignorance, regards.

  9. Hi, can you tell me how to modify the script to add the database connection? I have tried several ways but I can't get it to work.

    1. How did you manage it? T_T I'm trying to contact you on your site but I don't have an invitation. I hope you can help me, ty, thanks in advance.

  12. I get this error when encoding with ELC

    Error: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
