←back to thread

Firefox-Passwords-Decryptor: Extracts and decrypts passwords saved in Firefox

(github.com)
95 points thunderbong | 2 comments | 22 Oct 24 04:23 UTC | HN request time: 0.857s | source
Show context
java-man ◴[22 Oct 24 04:34 UTC] No.41911233[source]
Firefox is using TripleDES??
replies(3): >>41911581 #>>41911662 #>>41911814 #
jackjeff ◴[22 Oct 24 06:44 UTC] No.41911814[source]
It uses both AES and TripleDES

If you glance at the code there's a single "key encryption key" in the whole SQLITE file (in the 'metadata' table). That key is decrypted using AES with the PBKDF2 derived secret.

Then each password is in turn encrypted using TripleDES. The "data encryption key" for each these records is in turn encrypted using the aforementioned "key encryption key".

My suspicion is that the TripleDES format must be really old, and when they migrated the crypto layer to use AES they just re-encrypted the top layer (the "key encryption key" later) to use AES. It's much faster (and safer) to just re-encrypt all the TripleDES keys with the new AES than go and mess with "all" the records in the database. It's inelegant and lazy but you effectively get "AES level" of security without having to do all the work, so to speak…

https://github.com/Sohimaster/Firefox-Passwords-Decryptor/bl...

replies(1): >>41911911 #
alexey-salmin ◴[22 Oct 24 07:06 UTC] No.41911911[source]
I don't know about the particular case of TripleDES+AES but I think in a general case you can't claim that A+B encryption is always at least as strong as B alone. The A part can result in e.g. first bytes of input being the same enabling a crib-type attack.
replies(1): >>41912095 #
1. jackjeff ◴[22 Oct 24 07:42 UTC] No.41912095[source]
I'm not defending this choice, and I think you're right in general.

In this case, the only thing encrypted with TripleDES is the password itself, so the practicality of a crib or other known plaintext attacks is debatable in my opinion.

If you use the same (or similar) password everywhere, then you have bigger worries than Firefox use of TripleDES. Password stuffing based with leaks from poorly hashed password DB (cough facebook cough) is likely the most practical attack vector in this case.

If all your passwords are like q@qrG#Z4ARYm^qjeTEMN2Kh45v^p7L# then crib like attacks are impractical.

There are other weird/debatable choices in the Firefox encryption layer:

- Why bother with CBC? Things like AES-GCM or other authenticated* encryption mode would be nicer. Not sure it's a flaw here (google the cryptographic doom principle of Moxie Marlinspike)

- Why not wrap the encryption keys with some kind of "key wrap" mode instead. There are such things as AES-KV for instance.

- Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).

- If there's a password then PBKDF2 is really really shit compared to scrypt or even better one the variant of argon OWASP said you should use.

replies(1): >>41913091 #
2. kuschku ◴[22 Oct 24 11:01 UTC] No.41913091[source]
> - Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).

If you set a master password, firefox uses that master password instead as input to PBKDF2.