Chrome on Windows has used AES to encrypt browser cookies since v80.
(Chrome on Linux and macOS is not covered here. "Cookie" below always means a cookie of Chrome for Windows.)
Previously, cookies were encrypted with the Windows DPAPI API (CryptUnprotectData in crypt32.dll). Cookies encrypted with the new method cannot be decrypted with the old method.
Apps that read the contents of Windows Chrome cookie files directly to log in to web services are affected by this change. (Example: Nico Live Comment Viewer)
The decryption procedure for AES-encrypted cookies is outlined below.
The cookie file location is unchanged; by default it is
%userprofile%\appdata\local\google\chrome\user data\default\cookies
(It changes if you move the profile, reinstall Windows, switch the Google account, etc.)
An encrypted cookie value beginning with the bytes 0x01 0x00 0x00 0x00 was encrypted with DPAPI.
An encrypted cookie value beginning with the ASCII string "v10" was encrypted with AES.
Decryption requires not only a key but also a value called a nonce.
The nonce is the 12 bytes that immediately follow the 3-byte prefix 'v10' in each encrypted cookie value (bytes 4 through 15); it is used as-is.
By default, the key is encoded, encrypted and stored in the Local State file below.
%userprofile%\appdata\local\google\chrome\user data\local state
Local State is a JSON file. The encrypted key is stored under ["os_crypt"]["encrypted_key"].
3.1 Base64-decode encrypted_key and remove the 5-byte prefix 'DPAPI' from the decoded data.
3.2 Decrypt the data obtained in 3.1 with DPAPI.
DPAPI decryption uses CryptUnprotectData from crypt32.dll, the same call as the old method. The resulting key must be 256 bits (32 bytes) long.
You have now decrypted the key needed to decrypt the cookie.
The remainder of the encrypted cookie value after the first 15 bytes ('v10' + 12-byte nonce) is decrypted with 256-bit AES-GCM using the nonce and key obtained above.
The last 16 bytes of the decrypted output are then discarded; they are the GCM authentication tag, not cookie data.
Implementation: https://github.com/taizan-hokuto/chrome_cookie
I use the cryptography library for AES-GCM.
If cryptography is not installed, run pip install cryptography.
Python 3.7.4
Chrome version: Confirmed to work with 80.0.3987.87 (Official Build) (64-bit).
browsercookiejar (regen100): https://github.com/regen100/browsercookiejar
AES GCM example in Python and Go (sumanmukherjee03): https://gist.github.com/sumanmukherjee03/dd16d6c732a1055b6af97daba484809d
A little tool to play with Windows security (gentilkiwi): https://github.com/gentilkiwi/mimikatz