Kyocera address book password decryption

I needed to extract the SMB password associated with some address book entries on our Kyocera printers today (Kyocera 4550i’s, specifically) because we’d lost the original password for an account they were using, and we needed to recover it without having to reconfigure every printer in the company. No problem, thinks I, I’ll use KMNet Viewer to dump out the address book to XML from the printer, and just read out the password in the XML.

No such luck. The password’s encrypted in the XML file.

Fortunately, with a little patience and RedGate’s brilliant .NET reflector, I managed to find where the encryption happens, and to extract the relevant keys. The story of how I got this out of the code isn’t particularly exciting, but the final result is that I got the keys to decrypt any password saved in a dump from KMNet viewer. Unfortunately, it’s a fixed key used every time, so you can’t even set your own password to protect your address book dumps – it’s only enough to deter casual snoopers. Not an impressive level of security.

Anyway, without further ado, the relevant information is:-

Passwords are encrypted with DES, in CBC mode, using a key of 41F4A305F38B468F, and an IV of 01820D0B383ECB7C. These are derived from a few variations on the theme of Kyocera’s name via RFC2898; rather than reproduce the original values here, I’ve just included the resulting keys. I found http://des.online-domain-tools.com/ worked fine with these values if you want a quick and dirty online DES decryptor to let you read your address book files.

I hope that’s useful to someone!