
I'm dealing with a website that loads a JavaScript file which eventually sets an AES hash/value (whatever it's called) as a cookie. The file is heavily obfuscated, making it hard to understand certain things within it. Anyway, I have reversed enough of the file to understand that they are using cipher block chaining mode (CBC) to generate this value. I also believe I have found the AES key needed to decrypt. However, I'm wondering how I could go about decrypting an example cookie (set by the browser) using AES without knowing the IV.

If it helps, I know for a fact that the AES value (cookie) is always a 48-int array in bytes. The key, from what I can see, ranges from 128-bit to 192-bit.

In summary, I have the encrypted AES value and I believe I have the key. How can I go about decrypting this so that I can in turn generate my own values? Thank you

Joe
  • I would be skeptical that you have the key if the size is variable - it's quite uncommon for someone to vary the key size... – Serpent27 Sep 27 '20 at 22:29
  • Now you go to find the IV. If the application really uses AES in JavaScript with cookies (seems a bit odd), in addition to the encrypted content and the key, it will also use the IV. – Ángel Sep 27 '20 at 23:54
  • The IV is random. This is irrelevant to my question though. I asked how I can go about decrypting to find the necessary bytes @Ángel – Joe Sep 28 '20 at 00:06
  • Are you sure the IV isn't included with the encrypted bytes (maybe prepending the encrypted text)? – Ángel Sep 28 '20 at 00:11
  • It could be. There is a part in the code that might be appending rather than prepending it, but I've tried both and when comparing two different cookies, the decrypted value is different. What might be causing this? – Joe Sep 28 '20 at 00:13
  • Hint; in [CBC mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)), what's the standard [decryption method](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#/media/File:CBC_decryption.svg)? If the IV changes, what changes in the decrypted plaintext? – fgrieu Sep 28 '20 at 06:49
  • If it's being decrypted in JS it should be easy enough to find the code doing the encrypting or decrypting. I'd imagine it's something along the lines of `AES.encrypt_cbc(cookie_data, key)`; you could simply open your browser's JS web console (via inspect element) and try `AES.decrypt_cbc(cookie_encrypted, key)`. No cryptanalysis needed. – Serpent27 Sep 28 '20 at 22:18

0 Answers