What encription method is used in logins.json?'

Discussion of features in Mozilla Firefox
Locked
User avatar
Olhanzilla
Posts: 146
Joined: February 10th, 2005, 8:29 pm

What encription method is used in logins.json?'

Post by Olhanzilla »

What is the encryption method used for the encrypted user name and password in the logins.json file?

Given that there is no replacement for the Password Export extension (apparently because extensions cannot yet get at passwords in 57) I want to write a standalone program to export and import passwords.

Apparently the master password is in key3.db and the saved passwords are in logins.json. It appears that if you do not set a master password, a blank password is used to encrypt the logins.json user name and password fields

The format of the logins.json file is quite simple but I need to know the encryption method used to retrieve the user name and password and the format and encryption used in the key3.db file.

Does anyone know what encryption method is used and, perhaps, can point me at code that would decrypt the fields?

I also need the format of the date fields in the logoins.json file - how are they formatted? Here's an example: 1466569273228

FYI - here's the format of an entry in the logins.json file, the encrypted fields have been mangled:

Code: Select all

"id":1,
"hostname":"http://www.example.com/",
"httpRealm":null,
"formSubmitURL":"http://downloads.example.com/",
"usernameField":"userName",
"passwordField":"password",
"encryptedUsername":"MDoEEPgAA98utyfAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECAcg3+WDArAeBBCukYFxEhYj3iE8UUV1LN+/",
"encryptedPassword":"MEIEEPgAAAtfiojljAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFaqHMkFMc8YBBi2Ay0JInEnnVkmw10auloMCk6s/WbOtEQ=",
"guid":"{8be5cdad-b01d-490f-b003-c7fcdedd1e0b}",
"encType":1,
"timeCreated":1466569273228,
"timeLastUsed":1466569273228,
"timePasswordChanged":1466569273228,
"timesUsed":1
Another FYI - there is an online converter - https://json-csv.com/ - which will convert .json files to .csv files. Use of the page is fairly intuitive.
User avatar
DanRaisch
Moderator
Posts: 127187
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: What encription method is used in logins.json?'

Post by DanRaisch »

User avatar
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: What encription method is used in logins.json?'

Post by therube »

Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
User avatar
Olhanzilla
Posts: 146
Joined: February 10th, 2005, 8:29 pm

Re: What encription method is used in logins.json?'

Post by Olhanzilla »

DanRaisch wrote:See this thread -- https://support.mozilla.org/en-US/questions/824120
I read the page you refereed to, it says:

When using a master password, the data is encrypted using Triple DES Encryption in CBC mode.

The text "Triple DES Encryption in CBC mode" is a link but it produces a 404, not found error.

I did some searching on Triple Des Encryption and found some material including https://code.google.com/archive/p/crypto-js/ I also found some C code.

I can quickly toss together some JavaScript to text the logarithm. I'll come back and post the results - in a couple days.
User avatar
Olhanzilla
Posts: 146
Joined: February 10th, 2005, 8:29 pm

Re: What encription method is used in logins.json?'

Post by Olhanzilla »

Thanks for the reply.

See my reply to DanRaisch.
User avatar
maniac42
Posts: 69
Joined: September 28th, 2004, 3:52 pm

Re: What encription method is used in logins.json?'

Post by maniac42 »

Olhanzilla wrote:
The text "Triple DES Encryption in CBC mode" is a link but it produces a 404, not found error.
The Internet Archive's Wayback Machine has an archived version of the page at https://web.archive.org/web/20110222210 ... /des3.html
Hopelessly lost, but making good time.
User avatar
LIMPET235
Moderator
Posts: 39936
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Re: What encription method is used in logins.json?'

Post by LIMPET235 »

Thank you but just a tad late.

Locking due to old age.
[Ancient Amateur Astronomer.]
Win-10-H/64 bit/500G SSD/16 Gig Ram/450Watt PSU/350WattUPS/Firefox-115.0.2/T-bird-115.3.2./SnagIt-v10.0.1/MWP-7.12.125.

(Always choose the "Custom" Install.)
Locked