The instructions lead to non-existent password in KeyChain #1
BTW - is this tool also suitable for encrypting the file back after modifying it? |
Hi there,
It is because the value you extracted from keychain is "base64 encoded".
Instead, it has to be "hexadecimal".
If you convert the base64 encoded text to hexadecimal, you obtain
this: 4f0555f2cff69c48171d1d5e709399c3 (and it should be the right key to
decrypt the file).
Anyway, I will add support for base64 encoded password!
For your second question, the tool cannot (yet) encrypt the file back, but
it's only because I don't need it. Maybe I will add the option later.
|
First off — THANK YOU for the quick and helpful reply.
Next, I wonder - what one-way use is there? Somehow I only see the use-case of being able to edit / clear junk off Safari’s form values, which are terribly annoying when they become Safari’s first suggestion, which is typed wrong, or otherwise broken.
Would you say there’s a case for writing a “Form value editor” native application, that will automatically do the decryption/encryption and provide UI for easy editing, plus reading the password from KeyChain (provided the key to unlock the chain of course) ?
I was wondering if it is something easily done in Obj-C or Swift… as I said, I’m not a Java developer. What 3rd-party tools/SDKs/Libraries are being employed?
Thanks again!
Motti Shneor
|
For me, the only use case when I needed it was for forensic analysis, so I only needed to decrypt the file.
I am not a Mac user, but if you have no other way to remove entries directly inside the browser, it could be interesting to write a program for this purpose. But if you can remove entries from the browser, I don't see why a user would like to insert/edit entries since the entries would be inserted once typed.
It is definitely feasible and can be done in Obj-C and Swift. For instance with the following libraries:
First, you have to generate the AES-KEY from the password in the Keychain:

```swift
let keychain = XXX                                      // placeholder from the original post
let password: Array<UInt8> = /* get keychain entry */   // bytes of the Keychain password
let salt: Array<UInt8> = Array("someSalt".utf8)
// keyLength: 16 tells PBKDF2 that the output has to be 128 bits long.
let key = try PKCS5.PBKDF2(password: password, salt: salt, iterations: 1000, keyLength: 16, variant: .sha256).calculate()
let cipher: Array<UInt8> = /* content of the file */
let aes = try AES(key: key, blockMode: CBC(iv: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]), padding: .pkcs5)
let plaintext = try aes.decrypt(cipher)
// Edit the binary plist file (producing editedPlaintext)
let newCipher = try aes.encrypt(editedPlaintext)
// Save the file
```

N.B: the code is untested and is likely not to work (I am not a Swift developer), I just wanted to give you an idea of how to do it. |
I found a minute to try again.

Unfortunately, this value I get from KeyChain seems not to be a base64 encoded thing. All base64 decoders I tried, yield a strange looking half-chinese text looking like this: "O�U⏶숗��^p㙃" and not a 32 digit hexadecimal - what am I doing wrong here? Also, I had all kind of permissions issues - even when I try to run the code as root - so I copied the "Form Values" file out to my desktop, so the code can access it.

I then experimented with the hexadecimal you've put in your answer (knowing it should fail on decrypting - since it's incorrect) but the code fails on the input file?
The Keychain entry I'm using is named "Safari Forms AutoFill Encryption Key" in the keychain, and is an "Application Password". Is it the correct one? Is there another thing I forgot there? |
Hi there :) The value is base64 encoded. The reason you get those weird characters is because the non-encoded value is binary and not ASCII. So if you want to convert from base64 to hexadecimal, you have to use a "direct" base64 to hex converter (like this one: https://conv.darkbyte.ru/). For the exception, it seems that the program can not open the file: Could you try to copy the file to another place on your system (like on the Desktop) and manually chmod it to 777? |
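The base64-to-hex conversion discussed above, done locally, as an added example that is not part of the original thread or of the tool's code. The function names are illustrative, and the 16-byte key length is an assumption taken from the 32-hex-digit value quoted in the thread.

```python
import base64
import string

KEY_BYTES = 16  # assumption: 128-bit key, i.e. the 32 hex digits quoted in the thread


def normalize_key(value: str) -> str:
    """Return the key as 32 lowercase hex digits, accepting hex or base64 input."""
    text = "".join(value.split())  # drop spaces/newlines picked up by copy-paste
    # Test for hex first: 32 hex digits are also syntactically valid base64
    # (they would decode to 24 unrelated bytes), so the order matters.
    if len(text) == 2 * KEY_BYTES and all(c in string.hexdigits for c in text):
        return text.lower()
    try:
        # validate=True rejects stray characters instead of silently skipping them
        raw = base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("value is neither 32 hex digits nor valid base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"decoded key is {len(raw)} bytes, expected {KEY_BYTES}")
    return raw.hex()


def decodes_as_text(raw: bytes) -> bool:
    """True if the bytes are valid UTF-8; raw key material normally is not."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


if __name__ == "__main__":
    sample = "TwVV8s/2nEgXHR1ecJOZww=="  # value quoted in the issue text
    print(normalize_key(sample))
    # The decoded bytes are binary, which is why text-oriented decoders
    # display replacement characters instead of a hex string.
    print(decodes_as_text(base64.b64decode(sample)))
```
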
Hmmm, the stack trace changed on your message. Could you send me the Form Values file please so I can take a look? |
I edited the issue - because I solved the permission thing. refresh my message... |
Hmm.... may contain some private data... but I don't think anything too important. How to send you? this is very public discussion... |
I just sent you an email, you can reply with your file attached. |
Ok, so after some analysis, it seems to me that either:
Can you tell me what is the exact size (in bytes) of your Form Values file in the original folder? |
File size (~/Library/Safari/Form Values) - 17,436 bytes. |
What is really weird is that the file you sent me shows as 16,744 bytes long (but maybe the file was modified since). I will analyze the file you sent me when I have some time (I think I will have some time to look by the end of next week). |
Yes, the copy I tried to decipher was copied from the original at my first attempts, days ago, and the "Date Modified" of the original file is different than the one I sent you. I don't mind resending the older one as well - so you may test with it too. |
Hi there,
So, just a quick update. I had a look at the file you sent me and it
appears that the encryption process has changed.
Unfortunately I will not be able to look at it in the near future...
|
Hi. I'm not a Java developer, but was able to follow and build (hopefully correctly) your utility.
However, the "PASSWORD" parameter should be provided as a "32 byte hexa number" taken from my keychain.
However, in my keychain there's but one password that seems appropriate --- its name is "Safari Forms AutoFill Encryption Key" and when I unlock it, the value is NOT hexadecimal: more like "TwVV8s/2nEgXHR1ecJOZww==" (I've made some char changes to keep my password safe).
And now the tool fails with this error: