TGOS wrote: > I don't expect any detailed information,
That's part of the problem. Your original request, asking for a one-sentence description of how the key was derived from the master password, was not answered because it had no answer. The request is based on a false premise, that the key is derived from the master password. The key is NOT derived from the master password. The system used to protect mozilla users' passwords is not the simplistic crypto exercise that one might naively imagine it to be. > I know everything I need to know except the encryption method. Dubious. Read on. > I have a string of data, that is > encrypted and I want to convert it back to plain text. And I don't even > have to "crack" anything, I know the master password (after all it's MY > password) and have the encrypted string, that is all I need to decrypt > it... No, it's not. > if I'd know which method to run over it and how to generate the > key from the password. The key is not generated from the master password, and cannot be derived from the master password itself. > Why can't there be a page saying "The key is MD5 checksum of the > password and the encryption is Triple-DES" Because it's nowhere near that simple. There are several levels of indirection that you've not considered. The key generation, storage, and related encryption and decryption is all done inside of a cryptographic "token" (hardware device, or software). The master password is used to authenticate the user to the token, after which the token will do the necessary crypto on behalf of the user. The crypto key is _randomly_ generated by and stored inside of the token. When the token generates the key, the token outputs a key identifier that identifies the key, but does not reveal the key. That key identifier is used, instead of the key, whenever the user asks the token to encrypt or decrypt data. The base64 encoded blob you see contains an ASN.1 DER encoded structure which contains the key identifier; another DER encoded structure which contains the algorithm identifier (the system is not limited to any one encryption algorithm) and the initialization vector (for block ciphers only); and the encrypted data. Even if you have decoded all that data and have the master password, you do not have the key to decrypt the data. You must go back to the token for the decryption because the token holds the keys. > How many years does it take a developer to comment thousands lines of > code with this single sentence that contains all information any As you can see, one sentence cannot describe it. I didn't even begin to describe the ASN.1 structures used, nor the means by which the keys are protected and stored in the tokens. Given that, by default, mozilla uses a software emulation of a hardware token, it is possible to dig into the encrypted databases used for the emulated token's storage and find and extract the keys, with some non-trivial amount of work. It's far easier just to use the token via the same API that mozilla uses. If you want web pages that explain this, start with these: http://lxr.mozilla.org/security/source/security/manager/ssl/src/nsSDR.cpp#158 http://lxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11sdr.c#254 Use the Source, Luke! -- Obi-Wan Disclaimer: I speak for myself, not for Netscape
