Note that, while not a completely identical version, I made a new paste with slightly different goals.
The biggest differences are around persistence and security.
It can be found here.
Between my first and last project, I took the time to try and make a small pastebin tool.
As always, and once more, my main concern was about lightness. Small'n'easy !
I also had the goal to "securely" store the text that was sent.
After some bumps and fails, I finally managed to make it work!
Why do you talk about this project after the µRL project, that came later?
Tbh, I only finished this pastebin project recently, due to some mistakes I made during the development.
A nice start
My first steps were, like with every project, easy:
- A quick composer init ;
- Adding Siler as a dependency (Lightness~);
- Making the default config;
- Adding the default route:
/.
I wanted a trusted and secure PHP cryptography library, and, obviously, my first thoughts came to the Paragonie Initiative's library, LibSodium.
Since it'll be natively integrated in PHP7.2 (Yay~), it could be a good choice. The only constraint I found was manually compiling and installing the extension.
On my linux servers, I don't say. Windows? Such a pain to use for compilation.
So, after that, I tried and searched a bit more for a composer-dependency-managed, secured library.
I searched and searched, always looking for an up-to-date solution, until I found this one. Clean code, nice reviews, seems to be quite rock solid and a very approached look on security.
Let's try that!
Making the flow~
After choosing the first requirements (of course, for database, I'd go with PostgreSQL, as it's list-ordered entries), I started working on the core workflow: Routes and base logic thinking.
Once the first base / route was setup and running
(not something very hard...), I started thinking in-depth on how I wanted the
upload/storing and download flow to work.
Security?
The two flows (send/retrieve) are described below.
Send flow (aka. Upload)
The send flow has a few "security" steps, to allow retrieval key checking.
- Generating the random UID and Key using a cryptographically-secure random key generation algorithm;
- Using the key to cipher the sent text;
- Calculating the deciphered text's hashsum (using the RipeMD160 hash algorithm);
- Hashing this hashsum using the native
password_hashfunction, only passingPASSWORD_BCRYPTas a restriction (when PHP7.2 will be released, and Argon2I with it, I'll change this line); - Inserting the generated uid, the hashed text hashsum and the ciphered content in database;
- And that's all.
Retrieve flow (aka. Download)
The retrieve flow have a bit less work: only removing the generation part.
- Extracting the first (and technically, only) entry;
- If no result, well... Fuck off ! Else, ...;
- Deciphering the text with the key;
- Generating a hashsum of the deciphered text using the same RipeMD160 algorithm;
- Verifying the two hashes (the checksum and the new one)
using the
password_verifyfunction; - And that's all.
Conclusion
As shown, the workflow is pretty straightforward and identical. No hidden magic, no complicated craft with the data. Only using secure systems and libraries.
Note that the random key generation library was taken and not modified from here as I couldn't use RandomLib.
Now the only thing left is to make some tools to interact with the server!
As I could discover, it's quite easy to make a basic text storing service, even when security's one of the most important concerns!
Something I wanted to make was an upload client tool, like the µClient one, but a bit more able.