Hi,

I am currently developing a password manager application in Java and I
would like to add a feature to import passwords from an existing
Firefox or Thunderbird installation. I have been looking mostly at
Firefox to understand how things are done.

I looked at the following sources:
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsSDR.cpp
http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11sdr.c
and I had more info on
http://infond.blogspot.com/2010/04/firefox-passwords-management-leaks.html.
Unfortunately it's not easy to understand the code through mxr and I
didn't take the time to build a debug version of Firefox to understand
it...

When I do some tests to see how the encrypted passwords are built, here
is what I get:
1) first I save a pass whose value is "test" and the encrypted text
becomes ->
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGK6FOQUs2y7BAhXW4E7UCasFw==
2) then I change the pass to "test2" and the encrypted text becomes ->
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFiBAIUavQHYBAhFxHcF+ZMgdA==
3) finally I change it back to "test" and the encrypted text is ->
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFCmjr19KuBbBAhtYUHm/gqn+g==

Here we can see that 1) and 3) have two different encrypted texts for
the same password, which means there is some kind of salt added when
the encryption is done. I haven't been able to understand it from the
source, and what I don't get is how Firefox can decrypt the pass
without knowing the salt used for generation.

For this test, I didn't use a master password so the default key
should have been used for encryption:
static unsigned char keyID[] = {
  0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
};

Could you explain how the encrypted string is different every time?
(What kind of salt is used, and how can the decryption find the same
password for different encrypted texts?)
How to explain the similar pattern of text in all the encrypted
passwords? (I guess it's from using the same key but I don't know the
details.)

Thanks for the help ;)
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
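
The three values quoted in the message are base64-encoded DER, and splitting them into fields shows which bytes are shared and which change on every save. The parser below is an added example, not code from the post or from NSS; the function names and the dictionary keys (key_id, alg_oid, params, data) are labels chosen here, and it handles only the short-form DER lengths these values use.

```python
import base64

# The three encrypted values quoted in the message (cases 1, 2 and 3).
BLOBS = [
    "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGK6FOQUs2y7BAhXW4E7UCasFw==",
    "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFiBAIUavQHYBAhFxHcF+ZMgdA==",
    "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFCmjr19KuBbBAhtYUHm/gqn+g==",
]

def read_tlv(buf, pos, tag):
    """Read one DER element (short-form length only); return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    end = pos + 2 + length
    if length & 0x80 or end > len(buf):
        raise ValueError("long-form or truncated length")
    return buf[pos + 2:end], end

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation (first arc 0 or 1)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_sdr(b64):
    """Split one value into key ID, algorithm OID, parameters and ciphertext."""
    der = base64.b64decode(b64)
    outer, end = read_tlv(der, 0, 0x30)          # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    key_id, pos = read_tlv(outer, 0, 0x04)       # OCTET STRING: key ID
    alg, pos = read_tlv(outer, pos, 0x30)        # SEQUENCE: algorithm + params
    data, _ = read_tlv(outer, pos, 0x04)         # OCTET STRING: ciphertext
    oid, apos = read_tlv(alg, 0, 0x06)           # OBJECT IDENTIFIER
    params, _ = read_tlv(alg, apos, 0x04)        # OCTET STRING: CBC IV
    return {"key_id": key_id.hex(), "alg_oid": decode_oid(oid),
            "params": params.hex(), "data": data.hex()}

if __name__ == "__main__":
    for n, blob in enumerate(BLOBS, 1):
        print(n, parse_sdr(blob))
```

All three values carry the same 16-byte key ID (the keyID[] array quoted in the message) and the OID 1.2.840.113549.3.7 (DES-EDE3-CBC), which accounts for the shared prefix; the 8-byte parameter field is the CBC initialization vector, stored in the clear inside the value and different on each save.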