# Paste - Quick'n'easy online pastebin tool

Published on 2017-10-27

> Note that, while not a completely identical version, I made a new paste
> with slightly different goals.
>
> The biggest differences are around persistence and security.
>
> It can be found [here](https://gitlab.com/Artemix/paste).

[defuse]: https://github.com/defuse/php-encryption
[random]: https://stackoverflow.com/questions/6101956/generating-a-random-password-in-php/31284266#31284266

Between my first and last project, I took the time to try and make a small pastebin tool.

As always, and once more, my main concern was about lightness. Small'n'easy!

I also had the goal to "securely" store the text that was sent.

After some bumps and fails, I finally managed to make it work!

> > Why do you talk about this project after the µRL project, that came later?
>
> Tbh, I only finished this pastebin project recently,
> due to some mistakes I made during the development.

## A nice start

My first steps were, like with every project, easy:

- A quick `composer init`;
- Adding Siler as a dependency (Lightness~);
- Making the default config;
- Adding the default route: `/`.

I wanted a trusted and secure PHP cryptography library, and, obviously, my first thoughts went to the Paragonie Initiative's library, LibSodium.

Since it'll be natively integrated in PHP 7.2 (Yay~), it could be a good choice.

The only constraint I found was manually compiling and installing the extension. On my Linux servers, why not. Windows? Such a pain to use for compilation.

So, after that, I searched a bit more for a Composer-managed, secure library.

I searched and searched, always looking for an up-to-date solution, until I found [this one][defuse].

Clean code, nice reviews, seems to be quite rock solid, with a very in-depth look at security. Let's try that!

## Making the flow~

After choosing the first requirements (of course, for the database, I'd go with PostgreSQL, as it's list-ordered entries), I started working on the core workflow: routes and base logic thinking.

Once the first base `/` route was set up and running (not something very hard...), I started thinking in depth about how I wanted the upload/storing and download flow to work.

## Security?

The two flows (send/retrieve) are described below.

### Send flow (aka. Upload)

The send flow has a few "security" steps, to allow retrieval key checking.

- Generating the random UID and Key using a cryptographically-secure random key generation algorithm;
- Using the key to cipher the sent text;
- Calculating the deciphered text's hashsum (using the RIPEMD-160 hash algorithm);
- Hashing this hashsum using the native `password_hash` function, only passing `PASSWORD_BCRYPT` as a restriction (when PHP 7.2 is released, and Argon2i with it, I'll change this line);
- Inserting the generated UID, the hashed text hashsum and the ciphered content into the database;
- And that's all.

### Retrieve flow (aka. Download)

The retrieve flow has a bit less work: only removing the generation part.

- Extracting the first (and technically, only) entry;
- If no result, well... Fuck off! Else, ...;
- Deciphering the text with the key;
- Generating a hashsum of the deciphered text using the same RIPEMD-160 algorithm;
- Verifying the two hashes (the checksum and the new one) using the `password_verify` function;
- And that's all.

### Conclusion

As shown, the workflow is pretty straightforward and identical.

No hidden magic, no complicated craft with the data. Only using secure systems and libraries.

> Note that the random key generation library was taken and not modified
> from [here][random] as I couldn't use RandomLib.

## Now the only thing left is to make some tools to interact with the server!

As I could discover, it's quite easy to make a basic text storing service, even when security's one of the most important concerns! Something I wanted to make was an upload client tool, like the µClient one, but a bit more able.
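
The send and retrieve flows from the "Security?" section, as an added example that is not the project's own code. It assumes defuse/php-encryption v2 installed through Composer, uses the library's own key generator and `random_bytes` instead of the linked random-string helper, and replaces the PostgreSQL table with a hypothetical in-memory array; the function names and the sample text are constructed.

```php
<?php
// Added illustration of the send/retrieve flow, not the project's code.
// Assumes PHP >= 7.1 and: composer require defuse/php-encryption
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\CryptoException;
use Defuse\Crypto\Key;

// Send flow: store ciphertext + checksum, hand uid and key to the uploader.
// $store is a hypothetical in-memory stand-in for the PostgreSQL table.
function send_paste(array &$store, string $text): array
{
    $uid = bin2hex(random_bytes(8));      // CSPRNG-backed identifier
    $key = Key::createNewRandomKey();     // CSPRNG-backed encryption key
    $store[$uid] = [
        'content'  => Crypto::encrypt($text, $key),
        // bcrypt over the RIPEMD-160 hex digest of the plaintext
        'checksum' => password_hash(hash('ripemd160', $text), PASSWORD_BCRYPT),
    ];
    // The key is returned to the caller and never written to the store.
    return ['uid' => $uid, 'key' => $key->saveToAsciiSafeString()];
}

// Retrieve flow: returns the plaintext, or null on any failure.
function retrieve_paste(array $store, string $uid, string $asciiKey): ?string
{
    if (!isset($store[$uid])) {
        return null;                      // unknown uid
    }
    try {
        $key  = Key::loadFromAsciiSafeString($asciiKey);
        // decrypt() authenticates the ciphertext, so a wrong key or a
        // tampered row throws here instead of returning garbage.
        $text = Crypto::decrypt($store[$uid]['content'], $key);
    } catch (CryptoException $e) {
        return null;
    }
    $sum = hash('ripemd160', $text);
    return password_verify($sum, $store[$uid]['checksum']) ? $text : null;
}

// Constructed sample run: right key, wrong key, unknown uid.
$store  = [];
$ticket = send_paste($store, "constructed sample paste\n");
$wrong  = Key::createNewRandomKey()->saveToAsciiSafeString();
var_dump(retrieve_paste($store, $ticket['uid'], $ticket['key']));
var_dump(retrieve_paste($store, $ticket['uid'], $wrong));
var_dump(retrieve_paste($store, 'no-such-uid', $ticket['key']));
```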