Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software
March 1999 • Technical Note
Daniel Plakosh, Scott Hissam, Kurt C. Wallnau
This 1999 report describes what we did to gain insight into Netscape's Communicator databases, the internal formats of the databases, and the password and encryption schemes used in the key3.db database.
Software Engineering Institute
CMU/SEI Report Number
We were recently involved with a project that faced an interesting and not uncommon dilemma. The project needed to programmatically extract private keys and digital certificates from the Netscape Communicator v4.5 database. Netscape documentation was inadequate for us to figure out how to do this. As it turns out, this inadequacy was intentional-Netscape was concerned that releasing this information might possibly violate export control laws concerning encryption technology. Since our interest was in building a system and not exporting cryptographic technology, we decided to further investigate how to achieve our objectives even without support from Netscape. We restricted ourselves to the use of Netscape-provided code and documentation, and to information available on the Web. Our objective was to build our system, and to provide feedback to Netscape on how to engineer their product to provide the capability that we (and others) need, while not making the product vulnerable or expose the vendor to violations of export control laws. This paper describes our experiences peering "into the black box."