Pastes from ZeroBin Alpha 0.19 unreadable in PrivateBin 1.3 #551

Open
elyday opened this issue Dec 19, 2019 · 8 comments
Labels: blocked (This depends on other issue/project etc.), breaking change, bug

Comments


elyday commented Dec 19, 2019

Steps to reproduce

  1. Have a ZeroBin Alpha 0.19 Installation with some Pastes
  2. Create a new Paste for testing
  3. Follow https://github.com/PrivateBin/PrivateBin/wiki/Upgrading-from-ZeroBin-0.19-Alpha for upgrade
    3.1. Use the setting zerobincompatibility instead of base64versions
  4. Try to access the paste created in step 2

What happens

I am asked for a password that I have never set and an error appears.
Error: Algorithm: Unrecognized name

What should happen

The originally created pad should be shown to me.

Additional information

Screen: https://img.elyday.net/2019_12/19-12-19-09:31:24.png
Logs:

content-automation.js:98 {quick_capture_github: "false", quick_capture_github_welcome: "false"}
privatebin.js?1.3.1:533 Missing translation for: 'Algorithm: Unrecognized name' in language de
jQuery.PrivateBin.me.translate @ privatebin.js?1.3.1:533
jQuery.PrivateBin.me._ @ privatebin.js?1.3.1:468
handleNotification @ privatebin.js?1.3.1:1576
jQuery.PrivateBin.me.showError @ privatebin.js?1.3.1:1631
Promise.catch (async)
deriveKey @ privatebin.js?1.3.1:924
async function (async)
deriveKey @ privatebin.js?1.3.1:907
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1054
async function (async)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1019
decryptOrPromptPassword @ privatebin.js?1.3.1:4518
decryptPaste @ privatebin.js?1.3.1:4553
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4683
(anonymous) @ privatebin.js?1.3.1:1196
success @ privatebin.js?1.3.1:4005
success @ privatebin.js?1.3.1:4041
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
l @ jquery-3.4.1.js:2
(anonymous) @ jquery-3.4.1.js:2
load (async)
send @ jquery-3.4.1.js:2
ajax @ jquery-3.4.1.js:2
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4052
jQuery.PrivateBin.me.getPasteData @ privatebin.js?1.3.1:1199
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4669
jQuery.PrivateBin.me.showPaste @ privatebin.js?1.3.1:4791
jQuery.PrivateBin.me.init @ privatebin.js?1.3.1:4955
(anonymous) @ privatebin.js?1.3.1:42
e @ jquery-3.4.1.js:2
t @ jquery-3.4.1.js:2
setTimeout (async)
(anonymous) @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
fire @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
ready @ jquery-3.4.1.js:2
B @ jquery-3.4.1.js:2
privatebin.js?1.3.1:1060 TypeError: Failed to execute 'decrypt' on 'SubtleCrypto': parameter 2 is not of type 'CryptoKey'.
    at Object.jQuery.PrivateBin.me.decipher (privatebin.js?1.3.1:1052)
    at async decryptOrPromptPassword (privatebin.js?1.3.1:4518)
    at async decryptPaste (privatebin.js?1.3.1:4553)
    at async Promise.all (/index 0)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1060
async function (async)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1019
decryptOrPromptPassword @ privatebin.js?1.3.1:4518
decryptPaste @ privatebin.js?1.3.1:4553
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4683
(anonymous) @ privatebin.js?1.3.1:1196
success @ privatebin.js?1.3.1:4005
success @ privatebin.js?1.3.1:4041
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
l @ jquery-3.4.1.js:2
(anonymous) @ jquery-3.4.1.js:2
load (async)
send @ jquery-3.4.1.js:2
ajax @ jquery-3.4.1.js:2
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4052
jQuery.PrivateBin.me.getPasteData @ privatebin.js?1.3.1:1199
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4669
jQuery.PrivateBin.me.showPaste @ privatebin.js?1.3.1:4791
jQuery.PrivateBin.me.init @ privatebin.js?1.3.1:4955
(anonymous) @ privatebin.js?1.3.1:42
e @ jquery-3.4.1.js:2
t @ jquery-3.4.1.js:2
setTimeout (async)
(anonymous) @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
fire @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
ready @ jquery-3.4.1.js:2
B @ jquery-3.4.1.js:2
privatebin.js?1.3.1:533 Missing translation for: 'waiting on user to provide a password' in language de
jQuery.PrivateBin.me.translate @ privatebin.js?1.3.1:533
jQuery.PrivateBin.me._ @ privatebin.js?1.3.1:468
handleNotification @ privatebin.js?1.3.1:1576
jQuery.PrivateBin.me.showError @ privatebin.js?1.3.1:1631
(anonymous) @ privatebin.js?1.3.1:4706
Promise.catch (async)
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4703
(anonymous) @ privatebin.js?1.3.1:1196
success @ privatebin.js?1.3.1:4005
success @ privatebin.js?1.3.1:4041
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
l @ jquery-3.4.1.js:2
(anonymous) @ jquery-3.4.1.js:2
load (async)
send @ jquery-3.4.1.js:2
ajax @ jquery-3.4.1.js:2
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4052
jQuery.PrivateBin.me.getPasteData @ privatebin.js?1.3.1:1199
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4669
jQuery.PrivateBin.me.showPaste @ privatebin.js?1.3.1:4791
jQuery.PrivateBin.me.init @ privatebin.js?1.3.1:4955
(anonymous) @ privatebin.js?1.3.1:42
e @ jquery-3.4.1.js:2
t @ jquery-3.4.1.js:2
setTimeout (async)
(anonymous) @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
fire @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
ready @ jquery-3.4.1.js:2
B @ jquery-3.4.1.js:2
privatebin.js?1.3.1:1060 TypeError: Failed to execute 'decrypt' on 'SubtleCrypto': parameter 2 is not of type 'CryptoKey'.
    at Object.jQuery.PrivateBin.me.decipher (privatebin.js?1.3.1:1052)
    at async Promise.all (/index 0)
    at async Promise.all (/index 0)
    at async Promise.all (/index 1)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1060
async function (async)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1019
decryptComments @ privatebin.js?1.3.1:4615
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4687
(anonymous) @ privatebin.js?1.3.1:1196
success @ privatebin.js?1.3.1:4005
success @ privatebin.js?1.3.1:4041
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
l @ jquery-3.4.1.js:2
(anonymous) @ jquery-3.4.1.js:2
load (async)
send @ jquery-3.4.1.js:2
ajax @ jquery-3.4.1.js:2
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4052
jQuery.PrivateBin.me.getPasteData @ privatebin.js?1.3.1:1199
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4669
jQuery.PrivateBin.me.showPaste @ privatebin.js?1.3.1:4791
jQuery.PrivateBin.me.init @ privatebin.js?1.3.1:4955
(anonymous) @ privatebin.js?1.3.1:42
e @ jquery-3.4.1.js:2
t @ jquery-3.4.1.js:2
setTimeout (async)
(anonymous) @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
fire @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
ready @ jquery-3.4.1.js:2
B @ jquery-3.4.1.js:2
privatebin.js?1.3.1:1060 TypeError: Failed to execute 'decrypt' on 'SubtleCrypto': parameter 2 is not of type 'CryptoKey'.
    at Object.jQuery.PrivateBin.me.decipher (privatebin.js?1.3.1:1052)
    at async Promise.all (/index 1)
    at async Promise.all (/index 0)
    at async Promise.all (/index 1)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1060
async function (async)
jQuery.PrivateBin.me.decipher @ privatebin.js?1.3.1:1019
decryptComments @ privatebin.js?1.3.1:4634
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4687
(anonymous) @ privatebin.js?1.3.1:1196
success @ privatebin.js?1.3.1:4005
success @ privatebin.js?1.3.1:4041
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
l @ jquery-3.4.1.js:2
(anonymous) @ jquery-3.4.1.js:2
load (async)
send @ jquery-3.4.1.js:2
ajax @ jquery-3.4.1.js:2
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4052
jQuery.PrivateBin.me.getPasteData @ privatebin.js?1.3.1:1199
jQuery.PrivateBin.me.run @ privatebin.js?1.3.1:4669
jQuery.PrivateBin.me.showPaste @ privatebin.js?1.3.1:4791
jQuery.PrivateBin.me.init @ privatebin.js?1.3.1:4955
(anonymous) @ privatebin.js?1.3.1:42
e @ jquery-3.4.1.js:2
t @ jquery-3.4.1.js:2
setTimeout (async)
(anonymous) @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
fire @ jquery-3.4.1.js:2
c @ jquery-3.4.1.js:2
fireWith @ jquery-3.4.1.js:2
ready @ jquery-3.4.1.js:2
B @ jquery-3.4.1.js:2

Basic information

Server address: Not at this moment

Server OS: Linux

Webserver: Apache2 (PHP 7.1)

Browser: Chrome Version 78.0.3904.97

PrivateBin version: 1.3.1

I can reproduce this issue on https://privatebin.net: No

Contributor

elrido commented Dec 19, 2019

Hello and thank you for providing such a detailed report.

The error "Algorithm: Unrecognized name" is thrown in 1.3.1's use of the webcrypto API to decrypt the message:

name: 'AES-' + spec[6].toUpperCase(), // can be any supported AES algorithm ("AES-CTR", "AES-CBC", "AES-CMAC", "AES-GCM", "AES-CFB", "AES-KW", "ECDH", "DH" or "HMAC")

Looking at the SJCL library's default AES mode used back in 0.19, that is probably AES-CCM. Back in PrivateBin 1.0 (2016) we switched to AES-GCM mode. All our unit tests for ensuring downwards compatibility used AES-GCM flavoured SJCL pastes, but no AES-CCM ones as generated in the original 0.19 release. In the 1.3 release we switched from the SJCL library to the browser integrated webcrypto API. As I realize now, looking at the W3C specs, AES-CCM isn't listed to be implemented.

Long story short: The last version of PrivateBin that uses the SJCL library and therefore supports the ZeroBin 0.19 paste format is version 1.2.1.

I'll update the wiki page accordingly.
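
As an added illustration (not PrivateBin code and not part of the comment above), the following check applies the same name construction as the quoted line, `'AES-' + mode.toUpperCase()`, to SJCL-style paste JSON and reports which pastes the WebCrypto API cannot decrypt. The function names, sample ids and base64 values are constructed; the JSON field names follow SJCL's output format.

```javascript
// AES algorithms for which the W3C Web Cryptography API defines a decrypt
// operation (AES-KW only wraps keys; AES-CCM is not in the specification).
const WEBCRYPTO_AES_DECRYPT = new Set(['AES-CTR', 'AES-CBC', 'AES-GCM']);

// Classify one SJCL-style cipher JSON string.
// Assumption: a missing "mode" or "cipher" field is treated as SJCL's
// defaults ("ccm" and "aes").
function classifyPaste(cipherJson) {
  let meta;
  try {
    meta = JSON.parse(cipherJson);
  } catch (e) {
    return { status: 'invalid', reason: 'not JSON' };
  }
  if (meta === null || typeof meta !== 'object' || typeof meta.ct !== 'string') {
    return { status: 'invalid', reason: 'no ciphertext field' };
  }
  const cipher = String(meta.cipher || 'aes').toUpperCase();
  const mode = String(meta.mode || 'ccm').toUpperCase();
  const name = cipher + '-' + mode; // e.g. "AES-CCM" or "AES-GCM"
  if (WEBCRYPTO_AES_DECRYPT.has(name)) {
    return { status: 'readable', algorithm: name };
  }
  return {
    status: 'unreadable',
    algorithm: name,
    reason: 'WebCrypto has no ' + name + '; an SJCL-based release is needed',
  };
}

// Audit a map of paste id -> cipher JSON and group the ids by outcome.
function auditPastes(pastes) {
  const report = { readable: [], unreadable: [], invalid: [] };
  for (const [id, json] of Object.entries(pastes)) {
    report[classifyPaste(json).status].push(id);
  }
  return report;
}

// Constructed sample data: ids and base64 values are made up.
const samplePastes = {
  'old-0.19': '{"iv":"AAAA","v":1,"iter":1000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"AAAA","ct":"AAAA"}',
  'pb-1.x': '{"iv":"AAAA","v":1,"iter":10000,"ks":256,"ts":128,"mode":"gcm","adata":"","cipher":"aes","salt":"AAAA","ct":"AAAA"}',
  'broken': 'not-json',
};

console.log(auditPastes(samplePastes));
```

Running such an audit over stored pastes before upgrading shows how many would become unreadable, instead of discovering it through a misleading password prompt.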

Author

elyday commented Dec 19, 2019

Oh ok. Then I will never be able to use the newest version, or will an update for backwards compatibility come?

Contributor

elrido commented Dec 19, 2019

Should the spec for the webcrypto API get extended to include AES-CCM mode, browser vendors may consider implementing it. Then it would just start to work with the current codebase on those browser releases with CCM support.

But the thing is that we switched away from CCM mode because there were concerns regarding its security and I assume the W3C didn't consider suggesting it for similar reasons. So unfortunately, at this point it's not very likely that PrivateBin will regain support for those AES-CCM pastes in newer versions, as long as we don't move away from the Webcrypto API.

The key benefit for this project to use that API over the SJCL library or (for example) openssl transpiled to WASM (like we do with the zlib) is that we use a standardized browser feature and don't have to ship a large crypto library alongside the paste. This gives us both huge performance gains (binary executable vs interpreted JS or WASM), as well as security (browsers having integrated update mechanisms, should there be a flaw in their implementation of the crypto).

Author

elyday commented Dec 19, 2019

Hm.. okay.
Sounds to me as if I should give up compatibility with the old pastes. But I don't want that because of the relative popularity of my service and the large use of older created pastes.
I will try it with 1.2.1 and then I will think about it.

Contributor

elrido commented Dec 19, 2019

So far we haven't had any serious flaw reported to us with the 1.2.1 release, but at some point newer releases may include features that may make a breaking upgrade more worthwhile to you.

In 1.3 we mostly focused on the paste format and crypto changes, so 1.2.1 is pretty close to it in terms of features.

Member

rugk commented Dec 20, 2019

As for the simplest change: Could not you re-create the old pastes? I.e. copy the text and paste it into a new paste?

rugk added the bug label Dec 20, 2019

Member

rugk commented Dec 20, 2019

Marking this as blocked now, because we can likely not fix it easily without shipping yet another fallback library…

BTW, switching to GCM all the time back seemed to have been a good decision at least. 😄

rugk added the blocked (This depends on other issue/project etc.) label Dec 20, 2019
rugk changed the title from "Error after Upgrade from ZeroBin Alpha 0.19" to "Pastes from ZeroBin Alpha 0.19 unreadable in PrivateBin 1.3" Dec 20, 2019

Author

elyday commented Feb 6, 2020

> As for the simplest change: Could not you re-create the old pastes? I.e. copy the text and paste it into a new paste?

This is a public authority, which is used by many people.
