Shyam-Sundar-Raju/DreamSpace_3Dmodels

DreamSpace – Secure 3D Asset Marketplace

DreamSpace is a full-stack web application designed for the secure distribution of high-value 3D assets. Unlike traditional file storage platforms, DreamSpace implements a Hybrid Cryptographic Architecture, ensuring that sensitive 3D models are encrypted at rest and can only be decrypted inside the authenticated user's browser session.

Core Security Architecture

The defining feature of DreamSpace is its Secure Handshake & Delivery Protocol. Files are never directly downloaded in plain form; instead, they are streamed in an encrypted state and decrypted client-side.

Secure Handshake (Login Phase)

Client-Side Key Generation

  • Upon successful login and OTP verification, the React frontend generates a fresh RSA-2048 key pair using the Web Crypto API.
  • This key pair is unique to the current session.

Session Binding

  • The public key is sent to the backend server.
  • The private key remains only in the browser’s RAM and is never stored or transmitted.

Encryption at Rest (Upload Phase)

AES-256 File Encryption

  • When a Creator uploads a 3D model, the server generates a unique AES-256 symmetric key for that file.
  • The file is encrypted using this AES key before being stored.

Key Wrapping

  • The AES key is encrypted using the Server’s RSA Public Key.
  • The encrypted AES key is stored in MongoDB alongside the file metadata.

Zero-Trust Storage Model

  • Even if the database or file storage is compromised:

    • Attackers cannot decrypt the files.
    • The AES keys are locked behind the server’s private key, so this guarantee holds only while that key is not exposed along with the data.

Secure Delivery Protocol (Download Phase)

This is the core re-encryption mechanism that makes DreamSpace unique.

Step-by-Step Flow

  1. Request

    • The authenticated user requests a file download.
  2. Server Decryption

    • The server uses its RSA Private Key to decrypt the stored AES file key.
  3. Re-Encryption

    • The AES key is immediately re-encrypted using the User’s Session Public Key.
  4. Secure Transport

    • The server streams:

      • The still-encrypted file
      • The re-encrypted AES key
  5. Client-Side Decryption

    • The browser decrypts the AES key using the session private key.
    • The AES key is used to decrypt the file in memory only.
    • The decrypted file is then offered for download.

Hashing & Integrity

Password Security (Bcrypt)

  • User passwords are never stored in plain text.

  • Passwords are hashed using Bcrypt (salt rounds = 10) during registration.

  • During login, the entered password is hashed with the salt embedded in the stored Bcrypt hash, and the result is compared with that stored hash.

  • This protects against:

    • Rainbow table attacks
    • Database leaks

File Integrity (SHA-256)

  • A SHA-256 hash is computed for each uploaded file.

  • The hash is stored in the database.

  • Upon download, the hash is recomputed and verified to ensure:

    • No tampering
    • No corruption during encryption or storage
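
The upload and download phases described above, together with the per-session key pair from the login handshake and the SHA-256 check, as an added Node.js example that is not DreamSpace's own code. The page does not name the AES mode, the RSA padding, or where the hash is verified, so AES-256-GCM, RSA-OAEP with SHA-256 and a check over the plaintext after client-side decryption are assumptions, as are all function names.

```javascript
// Added illustration, not DreamSpace code. Assumed: AES-256-GCM, RSA-OAEP/SHA-256, hash over plaintext.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const rsaPair = () => nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest("hex");

// Upload phase: fresh per-file AES key, encrypt, wrap the key under the server public key.
function encryptForStorage(plain, serverPublicKey) {
  const fileKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, fileKey);
  return { ciphertext, iv, tag: cipher.getAuthTag(), wrappedKey, sha256: sha256(plain) };
}

// Download phase, server side: unwrap with the server private key, re-wrap for the session.
function rewrapForSession(record, serverPrivateKey, sessionPublicKey) {
  const fileKey = nodeCrypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, record.wrappedKey);
  try {
    return nodeCrypto.publicEncrypt({ key: sessionPublicKey, ...OAEP }, fileKey);
  } finally {
    fileKey.fill(0); // drop the plaintext AES key as soon as it is re-wrapped
  }
}

// Download phase, client side (a browser would use Web Crypto; Node stands in here).
function decryptInSession(record, sessionWrappedKey, sessionPrivateKey) {
  const fileKey = nodeCrypto.privateDecrypt({ key: sessionPrivateKey, ...OAEP }, sessionWrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", fileKey, record.iv);
  decipher.setAuthTag(record.tag);
  const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  if (sha256(plain) !== record.sha256) throw new Error("SHA-256 mismatch");
  return plain;
}

function demo() {
  const server = rsaPair(), session = rsaPair(), otherSession = rsaPair();
  const model = Buffer.from("v 0 0 0\nv 1 0 0\nv 0 1 0\nf 1 2 3\n"); // constructed .obj sample
  const record = encryptForStorage(model, server.publicKey);
  const wrapped = rewrapForSession(record, server.privateKey, session.publicKey);
  const tampered = { ...record, ciphertext: Buffer.from(record.ciphertext) };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored ciphertext
  const rejects = (fn) => { try { fn(); return false; } catch { return true; } };
  return {
    roundTrip: decryptInSession(record, wrapped, session.privateKey).equals(model),
    otherSessionRejected: rejects(() => decryptInSession(record, wrapped, otherSession.privateKey)),
    tamperRejected: rejects(() => decryptInSession(tampered, wrapped, session.privateKey)),
  };
}
```

With GCM the authentication tag already rejects a modified ciphertext before the SHA-256 comparison runs; the stored hash additionally catches a mismatch between what was uploaded and what was encrypted.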

Tech Stack

Frontend

  • React (Vite) – Fast and modern UI framework
  • TypeScript – Strong typing for cryptographic logic
  • Web Crypto API – Native, high-performance browser cryptography
  • Tailwind CSS – Responsive and clean styling
  • Axios – HTTP requests with interceptors

Backend

  • Node.js & Express – RESTful API architecture
  • MongoDB (Mongoose) – Flexible NoSQL metadata storage
  • Node Crypto – Server-side cryptographic operations
  • Multer – Secure multipart file uploads

Security & Authentication

  • Bcrypt – Password hashing
  • JWT – Stateless authentication
  • Nodemailer – OTP-based two-factor authentication

Setup & Installation

Prerequisites

  • Node.js (v18+)
  • MongoDB (Local or Atlas)
  • Git

Clone the Repository

git clone https://github.com/yourusername/dreamspace.git
cd dreamspace

Backend Setup

cd backend
npm install

Environment Configuration

Create a .env file inside the backend folder:

MONGO_URI=mongodb://localhost:27017/dreamspace
JWT_SECRET=your_secret_jwt_key
EMAIL_USER=your_email@gmail.com
EMAIL_PASS=your_app_specific_password

For Gmail, use an App Password, not your normal login password.

Generate Server RSA Keys

node utils/keys.js

Ensure private.pem and public.pem exist in:

backend/keys/

Seed Initial Data

node seed/seedRoles.js

Run the Backend Server

node server.js

Frontend Setup

Open a new terminal:

cd client
npm install
npm run dev

Usage Guide

User Roles

  • User – Browse, search, and securely download models
  • Creator – Upload new 3D models and cover images
  • Admin – Manage users and all uploaded assets

Application Workflow

  1. Register

    • Create an account
    • Receive OTP via email
  2. Verify

    • Enter OTP
    • Secure session and key exchange established
  3. Upload (Creator)

    • Navigate to /upload
    • Upload .obj or .zip files with cover images
    • Files are encrypted immediately
  4. Download (User)

    • Browse models on the Home page
    • Click Secure Download
    • Client-side decryption occurs transparently

📂 Project Structure

dreamspace/
├── backend/
│   ├── controllers/   # Auth & Model logic
│   ├── models/        # Mongoose Schemas (User, Model, RolePerm)
│   ├── routes/        # API endpoints
│   ├── storage/       # Encrypted files
│   └── server.js      # Backend entry point
│
└── client/
    ├── src/
    │   ├── api/       # Axios configuration
    │   ├── components/# UI components
    │   ├── context/   # AuthContext (Session keys in memory)
    │   ├── pages/     # Home, Upload, Login
    │   └── utils/     # Client-side cryptography
    └── main.tsx

About

A web platform for viewing and downloading interactive 3D home furniture models.
