All posts
3 min readglizzykingdreko

Akamai v3 Sensor Data: Deep Dive into Encryption, Decryption, and Bypass Tools

Understanding and bypassing Akamai’s bot protection can feel a real pain due to its complexity. This deep dive provides a clear understanding of v3’s…

Akamai v3 Sensor Data: Deep Dive into Encryption, Decryption, and Bypass Tools

Understanding and bypassing Akamai’s bot protection can feel a real pain due to its complexity. This deep dive provides a clear understanding of v3’s encryption and decryption processes, practical tools to get you started, as well as some tips.

Detailed Breakdown of v3 Encryption & Decryption

Encryption Process

Akamai’s v3 encryption involves a sophisticated two-step algorithm:

  1. Element Shuffling:
  • The JSON payload data is first converted into a colon-delimited string.
  • Elements within this string are shuffled using a pseudo-random number generator (PRNG), initialized with a unique file hash extracted from Akamai’s JavaScript.

2. Character Substitution:

  • After shuffling, each character in the string is substituted with another character. This substitution uses another PRNG seeded with a cookie-derived hash, typically from the bm_sz cookie.

Decryption Process

To reverse this encryption:

  • Reverse Character Substitution: Reinitialize the PRNG using the same cookie-derived hash, then reverse character substitutions.
  • Reverse Element Shuffling: Using the original script-derived file hash, the elements of the string are shuffled back into their original order.

The necessity of both script content and cookie hash for successful encryption and decryption significantly increases the complexity of bypassing Akamai’s v3.

Hashing in Akamai v3

Cookie Hashing

Initially, the first sensor_data request uses a default cookie hash of 8888888. Once this initial request returns a valid bm_sz cookie, future payloads use a cookie-derived hash extracted from the returned cookie. This integration ensures each sensor payload remains unique per session, increasing the difficulty of replay attacks.

File Hashing

Akamai utilizes dynamic JavaScript files for generating sensor data. Each script file includes complex and dynamic concatenations of functions, arrays, and hashing operations to compute the actual file hash. This file hash is then used as the seed for the element shuffling phase of encryption. For detailed extraction logic, you can explore the AST-based implementation in my npm GitHub repository let me know if a deep-dive into it would be appreciated.
So in order to decrypt the sensor_data, his script source code is going to be required.

Major Changes from v2 to v3

Significant upgrades and changes from Akamai’s sensor data v2 include:

  • Cookie Integration: v3 explicitly uses cookie data for encryption, enhancing the security and uniqueness of each payload.
  • Script-Dependent Hashing: Unlike v2, v3 encryption relies heavily on real-time JavaScript file hashes, complicating static reverse-engineering efforts.
  • Complexity and Security: Overall encryption complexity has substantially increased, providing stronger protection against automated attacks.

For historical reference and comparison, check the v2 repository.

Practical Usage of the Akamai v3 Helper Module

My open-source Akamai v3 helper (GitHub) simplifies dealing with sensor data encryption and decryption:

Installation

npm install akamai-v3-sensor-data-helper

Decryption Example

const akamaiHelper = require('akamai-v3-sensor-data-helper');
const fs = require('fs');

const scriptContent = fs.readFileSync('akamai_script.js', 'utf-8');
const encryptedSensorData = '{"sensor_data":"3;0;1;0;3753014;..."}';
const decryptedData = akamaiHelper.decrypt(encryptedSensorData, scriptContent);
if (decryptedData.success) {
    console.log(decryptedData.parsedData);
} else {
    console.error("Decryption failed:", decryptedData.message);
}

Web App: Visualizing Akamai Sensor Data

I developed the Akamai Tools Web App, an intuitive interface designed to streamline sensor data handling:

  • Decrypt Payload Tool: Convert encrypted sensor_data to readable JSON quickly.

  • Encrypt Payload Tool: Effortlessly create valid sensor_data from structured JSON inputs.

  • Cookie Hash Extractor: Quickly extract the hash from bm_sz cookies for use in encryption processes.

Need help with antibots?

Check out my antibot bypass api company TakionAPI. We provide APIs for most of the antibot/captchas, as well as custom web scraping solutions for specific projects.

Follow & Contact Me

Enjoyed this article? Consider supporting me via BuyMeACoffee.

anti-botakamaiabckencryptionsensordata

Skip the reverse-engineering.

Takion returns fresh cookies, headers, and tokens for every major antibot wall. One POST, no browser, first call within the hour.