Dashlane supports three methods of login:
- UKI: Provide a previously-given unique-key-identifier as the "uki" parameter. TODO: How do we get UKIs?
- Token: Provide a (not-completely) one-time token as the "token" parameter. To generate a token, send a request to /6/authentication/sendtoken with login=email.
- OTP: Probably for Google Authenticator.

Obtaining a UKI: POST request to /6/authentification/registeruki with the following params:
- devicename
- login
- platform
- temporary? (seen value: 0)
- token
- uki
To get the "backup" (AKA the vault), you need to do a request to /12/backup/latest which accepts:

Variable Name | Possible values | What it does |
---|---|---|
lock | nolock, an OID | ? |
login | your email | |
needsKey | true, false | Provides RSA public and private key. Use unknown. |
sharedLock | true, false | ? |
sharingCapability | Number | ? |
sharingSkipped | needsKey,webapp | ? |
sharingTimestamp | Number | Probably timestamp since last SHARED KEYS sync. |
timestamp | curr timestamp | Timestamp since last sync. Set to 0 to get full backup. |
token/otp/uki | | Used to login the user without sending the master password. |

Once you have your hands on the full backup, you'll have to have a lot of fun decoding it.
Steps:
- base64decode the vault.
- salt = bytes 0-32
- If bytes 32-36 === 'KWC3', then:
  - aes is bytes 36-end
  - data is compressed
- else:
  - aes is bytes 32-end
  - data is not compressed
- Derive a key from the password and salt using PBKDF2, 10204 iterations, 32 bit key length, 'sha1' hash.
- As if PBKDF2 wasn't enough, derive ANOTHER key using OpenSSL's EVP_BytesToKey, with the PBKDF2 key as data, same salt, SHA algorithm, 1 iteration and 256 bit size.
- If data is compressed:
  - Create an AES256-CBC decipher, using the PBKDF2 key as key and EVP_BytesToKey's IV as IV.
- else:
  - Create an AES256-CBC decipher using EVP_BytesToKey's key and IV.
- Decrypt the data using the decipher.
- If data is compressed:
  - Remove bytes 0-6 and the last byte (Don't ask me...)
  - Raw Inflate the rest of the byte stream.
- You should now have XML data. Documentation about its format coming soon.
Oh damn, I wish github had gist notifications back in 2019. I've written some POC code back when I worked on this at https://github.com/RedImpala/RedImpalaLib-JS/blob/master/dashlane.js#L19. That said, I have no clue if that code still works, or if dashlane changed their system since then.