Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software

The use of commercial off-the-shelf (COTS) software products can reduce the time and cost of developing software, assuming that developers know how to make full use of the product. COTS product vendors often supply only user-level documentation. In most cases, this level of documentation is adequate, but in some instances the developer may need information about the internal operation of a product, its performance characteristics, and perhaps internal data formats. COTS software vendors are often reluctant to release such information because it may have proprietary value. Nevertheless, it is sometimes necessary for the developer to probe into a COTS product to obtain needed functionality or understanding in order to effectively use the product.

Such was the case in one of our projects. We needed to programmatically extract private keys and certificates from the Netscape Communicator (version 4.5) internal databases. The Netscape certificate database (cert7.db) and key database (key3.db) contain certificates and private keys that are ultimately used to provide authentication and secure communication. Netscape does not, however, make the format of their key database (key3.db) and certificate database (cert7.db) publicly available because releasing this information could possibly violate the International Trade and Export Regulations (ITAR) regarding key management in cryptographic systems.

This report describes what we did to gain insight into Netscape’s Communicator databases, the internal formats of the databases, and the password and encryption schemes used in the key3.db database. Note that we did not disassemble any Netscape software products. We limited ourselves to documentation and other resources provided by Netscape and to resources that we could obtain from the Web. The results of our work can not be used in any manner to subvert or crack the standard encryption algorithms used by Netscape Corporation in the protection of certificate and key material stored in the Communicator’s databases.

The rest of this report is organized of as follows: In Section 2, we describe the database used by Netscape. Section 3 describes the record formats of the certificate database. In Section 4 we describe the key database record formats and the encryption algorithm used to encrypt private keys. Finally, we present our summary in Section 5.

[abstract] [chapter 1] [chapter 2] [chapter 3] [chapter 4] [chapter 5] [references] [DTIC] [PDF]