Weird behavior of API #6

Open
Ziqi-Yang opened this issue Jun 16, 2023 · 3 comments
@Ziqi-Yang

  1. Cannot create a new paste using the same initVector
     If you run the command below, you will encounter an error like {"message":"Internal Error"}. But if you change the initVector variable, a new paste can be created without problems.
curl -H "Content-Type: application/json" -X POST -d '{"content": "Ciallo~(∠・ω< )⌒★", "config": {"language": "plaintext", "encrypted": true, "expiresAfter": 3600, "burnAfterRead": false}, "passwordProtected": false, "initVector": "27DIWK00yDiGx003"}' https://bin.sohamsen.me/api/paste
  2. Meaning of encrypted and passwordProtected
     It seems like on the API side, encrypted and passwordProtected have no effect on enhancing data security, because it always returns the full information of a paste.
curl "https://bin.sohamsen.me/api/paste?key=121o2"
# {"success":true,"data":{"key":"121o2","content":"Ciallo~(∠・ω< )⌒★","encrypted":true,"passwordProtected":true,"initVector":"27DIWK00yDiGx004","language":"plaintext"}}
@Yureien
Owner

Yureien commented Jun 17, 2023

  1. Cannot create a new paste using the same initVector

That is intentional. https://crypto.stackexchange.com/a/28980 states that the initVector can be public, but must be unique. There's a check on the server side that only allows for unique initVectors.

However, it should not return Internal Error. I will fix the error message.

  2. Meaning of encrypted and passwordProtected
     It seems like on the API side, encrypted and passwordProtected have no effect on enhancing data security, because it always returns the full information of a paste.

encrypted and passwordProtected are just for indicating to the server that the data is encrypted with AES-256-GCM (and passwordProtected with SHA-512-PBKDF2 + 310,000 iterations). It is returning plaintext since you sent the data to the server in plaintext, and I do not want any sort of encryption to happen on the server side (since this might potentially allow someone to decode your message by storing the keys on the server). If you send encrypted: true, it is your job to encrypt the data and then send it.

To deal with this, I am making a simple CLI client (#5), using Python. I will also improve the API documentation.
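
The client-side flow the maintainer describes, as an added example (not the project's own code or its CLI client): the client generates a fresh random initVector, derives an AES-256 key from the password with PBKDF2-HMAC-SHA512 at 310,000 iterations, encrypts with AES-256-GCM, and only then builds the POST body; on read, it decrypts the object that GET /api/paste returns. Field names follow the curl exchanges in the issue. Everything else is an assumption made for the example: the initVector is 12 random bytes base64url-encoded (which yields the 16 characters seen in the thread), its decoded bytes double as the PBKDF2 salt because the API shown carries no separate salt field, ciphertext is sent base64-encoded, an encrypted paste without a password uses a random key the caller must keep, and AES-GCM comes from the `cryptography` package.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

try:
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    HAVE_AESGCM = True
except ImportError:  # without `cryptography`, key derivation and IV generation still work
    HAVE_AESGCM = False

PBKDF2_ITERATIONS = 310_000  # iteration count stated by the maintainer
NONCE_BYTES = 12             # 96-bit GCM nonce; base64 of 12 bytes is 16 chars (assumption)
KEY_BYTES = 32               # AES-256


def new_init_vector() -> str:
    """Fresh random nonce. With os.urandom a repeat is negligible, so the
    server's uniqueness check is a safety net the client should never trip."""
    return base64.urlsafe_b64encode(os.urandom(NONCE_BYTES)).decode("ascii")


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512 -> AES-256 key. Salt = decoded initVector (assumption)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def build_paste(content: str, password: Optional[str] = None, *, encrypt: bool = False,
                language: str = "plaintext", expires_after: int = 3600,
                burn_after_read: bool = False) -> Tuple[dict, Optional[bytes]]:
    """Build the body for POST /api/paste. Returns (payload, key): key is None for a
    plaintext paste, the PBKDF2-derived key for a password-protected one, and a
    random key the caller must keep (e.g. in a URL fragment) for encrypt=True
    without a password (assumed convention)."""
    iv = new_init_vector()
    key = None
    body = content
    if password is not None or encrypt:
        nonce = base64.urlsafe_b64decode(iv)
        key = derive_key(password, nonce) if password is not None else os.urandom(KEY_BYTES)
        # Encryption happens here, on the client; the server sees neither key nor plaintext.
        ciphertext = AESGCM(key).encrypt(nonce, content.encode("utf-8"), None)
        body = base64.b64encode(ciphertext).decode("ascii")
    payload = {
        "content": body,
        "config": {
            "language": language,
            "encrypted": key is not None,
            "expiresAfter": expires_after,
            "burnAfterRead": burn_after_read,
        },
        "passwordProtected": password is not None,
        "initVector": iv,
    }
    return payload, key


def read_paste(data: dict, password: Optional[str] = None, key: Optional[bytes] = None) -> str:
    """Decrypt the `data` object from GET /api/paste?key=... (fields as in the issue).
    The server returns exactly what was stored; the flags only pick the client path."""
    if not data["encrypted"]:
        return data["content"]
    nonce = base64.urlsafe_b64decode(data["initVector"])
    if data["passwordProtected"]:
        if password is None:
            raise ValueError("paste is password protected; a password is required")
        key = derive_key(password, nonce)
    elif key is None:
        raise ValueError("paste is encrypted; the key is required")
    try:
        plaintext = AESGCM(key).decrypt(nonce, base64.b64decode(data["content"]), None)
    except InvalidTag:
        # GCM's tag check fails both for a wrong password/key and for modified ciphertext.
        raise ValueError("wrong password/key, or the paste was tampered with") from None
    return plaintext.decode("utf-8")


if __name__ == "__main__":
    payload, _ = build_paste("Ciallo~(∠・ω< )⌒★", password="correct horse")
    # Constructed stand-in for the server's GET response (shape taken from the issue).
    response_data = {"key": "121o2", "language": "plaintext", "encrypted": True,
                     "passwordProtected": True, "content": payload["content"],
                     "initVector": payload["initVector"]}
    print(read_paste(response_data, password="correct horse"))
```

Note the trade-off the maintainer points at: because nothing is encrypted server-side, a paste posted with encrypted: true but plaintext content is stored and served as plaintext, exactly as the issue observed; the flags are metadata for clients, not a server-side control.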

@ashmit-coder
Contributor

  1. Cannot create a new paste using the same initVector

That is intentional. https://crypto.stackexchange.com/a/28980 states that the initVector can be public, but must be unique. There's a check on the server side that only allows for unique initVectors.

However, it should not return Internal Error. I will fix the error message.

What is the expected error message over here? I may resolve it @Yureien

@ashmit-coder
Contributor

Will "Not unique Initvector" work?
