I ran into a problem while decrypting the cookies stored under encrypted_value in Chrome's sqlite db.
Extracting them from the sqlite database works fine:
// usings needed by this snippet and the decryption code below (Microsoft.Data.Sqlite, Newtonsoft.Json)
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using Microsoft.Data.Sqlite;
using Newtonsoft.Json.Linq;

// filePath = absolute path of the Cookies sqlite file
// query = "SELECT creation_utc, host_key, name, encrypted_value, path, expires_utc from cookies WHERE host_key like \"%<target_site>%\""
using (var connection = new SqliteConnection($"Data Source={filePath}"))
{
    connection.Open();
    var command = connection.CreateCommand();
    command.CommandText = query;
    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            var creationTime = reader.GetString(0);
            var host = reader.GetString(1);
            var name = reader.GetString(2);
            var value = reader.GetString(3); // encrypted_value blob read as text; used below for the "v10" prefix check
            var path = reader.GetString(4);
            var expiryTime = reader.GetString(5);
            /* the decryption code below goes here */
        }
    }
}
However, when decrypting the value I get a mismatch between the computed auth tag and the expected auth tag. I am running this on Windows.
The code below is annotated to show my reasoning:
// get encrypted blob from row (3 = encrypted_value column);
// GetBytes with a null buffer returns the blob length; the buffer allocated here is one byte shorter than that
byte[] encryptedData = new byte[reader.GetBytes(3, 0, null, 0, int.MaxValue) - 1];
reader.GetBytes(3, 0, encryptedData, 0, encryptedData.Length);

// Get encrypted key from local state file:
string encKey = File.ReadAllText(filePath + @"/../../../Local State");
encKey = JObject.Parse(encKey)["os_crypt"]["encrypted_key"].ToString();
// The encrypted key starts with the ASCII encoding of DPAPI (i.e. 0x4450415049) and is Base64 encoded,
// i.e. the key must first be Base64 decoded and the first 5 bytes must be removed.
// Afterwards a decryption with win32crypt.CryptUnprotectData is possible.
var decryptedKey = System.Security.Cryptography.ProtectedData.Unprotect(
    Convert.FromBase64String(encKey).Skip(5).ToArray(),
    null,
    System.Security.Cryptography.DataProtectionScope.LocalMachine);

// try decryption
try
{
    // The encrypted data start with the ASCII encoding of v10 (i.e. 0x763130) ...
    if (value.StartsWith("v10"))
    {
        using (var aes = new System.Security.Cryptography.AesGcm(decryptedKey))
        {
            // ... followed by the 12 bytes nonce,
            var nonce = encryptedData[3..15];
            // the actual ciphertext
            var encData = encryptedData[15..(encryptedData.Length - 16)];
            // and finally the 16 bytes authentication tag.
            var auth_tag = encryptedData[(encryptedData.Length - 16)..(encryptedData.Length)];
            byte[] plaintextBytes = new byte[encData.Length];
            aes.Decrypt(nonce, encData, auth_tag, plaintextBytes);
            value = Encoding.UTF8.GetString(plaintextBytes);
        }
    }
    else
    {
        // TODO
        throw new Exception("[!] Cookie encrypted with DPAPI");
    }
}
catch (Exception e)
{
    Console.WriteLine(e);
    Console.WriteLine($"[*] Could not decode cookie with encrypted value {value}");
}
The exception I get is:
System.Security.Cryptography.CryptographicException: The computed authentication tag did not match the input authentication tag.
at System.Security.Cryptography.AesAEAD.Decrypt(SafeAlgorithmHandle algorithm, SafeKeyHandle keyHandle, ReadOnlySpan`1 nonce, ReadOnlySpan`1 associatedData, ReadOnlySpan`1 ciphertext, ReadOnlySpan`1 tag, Span`1 plaintext, Boolean clearPlaintextOnFailure)
at System.Security.Cryptography.AesGcm.Decrypt(Byte[] nonce, Byte[] ciphertext, Byte[] tag, Byte[] plaintext, Byte[] associatedData)
at <REDACTED>:line 123
I am fairly sure my parsing of the nonce, ciphertext and auth_tag is correct, but apparently it is not? I have no idea where this problem comes from.
Also, this is being run under the same user / same browser that saved the cookie.
Thanks in advance.
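The blob layout the question's comments describe, as an added example that is not the asker's code or Chrome's: it is written in Go with only the standard library so it runs outside Windows, takes the AES key as already DPAPI-unprotected (that Windows-only step is skipped), and uses a constructed key, nonce and cookie value. It also shows what a blob that has lost its final byte does to GCM's tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Chrome "v10" encrypted_value layout on Windows (see the question): "v10" || 12-byte nonce || ciphertext || 16-byte GCM tag.
const v10Prefix, nonceLen, tagLen = "v10", 12, 16

// v10Cipher wraps the already DPAPI-unprotected 32-byte key (that step is Windows-only and not shown) in AES-256-GCM.
func v10Cipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptV10Cookie splits the blob by the layout above and opens it.
func decryptV10Cookie(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, []byte(v10Prefix)) {
		return nil, errors.New("not a v10 blob (older, DPAPI-only cookie)")
	}
	if len(blob) < len(v10Prefix)+nonceLen+tagLen {
		return nil, errors.New("blob too short for v10 layout")
	}
	nonce := blob[len(v10Prefix) : len(v10Prefix)+nonceLen]
	// Open takes ciphertext||tag exactly as Chrome stores it; a wrong key or a
	// missing/altered tag byte surfaces as an authentication error, not garbage.
	return gcm.Open(nil, nonce, blob[len(v10Prefix)+nonceLen:], nil)
}

// encryptV10Cookie builds a blob in the same layout (constructed test data only).
func encryptV10Cookie(gcm cipher.AEAD, nonce, plaintext []byte) []byte {
	return append(append([]byte(v10Prefix), nonce...), gcm.Seal(nil, nonce, plaintext, nil)...)
}

func main() {
	gcm, _ := v10Cipher(bytes.Repeat([]byte{0x42}, 32)) // constructed 256-bit key
	blob := encryptV10Cookie(gcm, []byte("0123456789ab"), []byte("session=abc"))
	pt, err := decryptV10Cookie(gcm, blob)
	fmt.Printf("full blob: %q err=%v\n", pt, err)
	// A buffer sized one byte short of the blob drops the last tag byte.
	_, err = decryptV10Cookie(gcm, blob[:len(blob)-1])
	fmt.Println("truncated blob:", err)
}
```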
1 answer
Found myself having the same problem; here is the solution:
NuGet used:
Update 2019-08-25:
Working example repository
Warning: it is only possible to decrypt cookie files that were created on the same machine and under the same Windows user as the one running this application.
The key for the cookie file is stored under the current user protection scope: ProtectedData.Unprotect(key, null, DataProtectionScope.CurrentUser);
Source: