Security of the Secret Key

This discussion was created from comments split from: Yubico 5Ci not working on website.

Comments

  • rbondi
    Community Member

    Regarding the plain text of the secret key: then why does the same dialog show the mp obfuscated? If the assumption is that anyone with access to my system (defined as macOS, my operating system) has access to the secret key, and also that they do not have access to the mp, that seems inconsistent.

    First, another part of the 1P UX doesn't appear to assume it either, and second, that doesn't seem like a good assumption to me.

    1. When I launch macOS 1P and don't give the mp, I can do command-, to load the Preferences panel. In that panel, I can click the security icon, but I can't see the whole Secret Key, and I can't click to copy it. So clearly the assumption is that even with access to my macOS, an attacker shall not have access to my Secret Key unless they also have my mp.

    2. A reasonable attack vector is:

    • I've just set up U2F on Chrome, but I haven't yet attempted to log in to macOS 1P (this thread's scenario)
    • me leaving my laptop open somewhere accidentally while not logged into macOS 1P, e.g. in a coffee shop or whatever
    • Eve walks up to my laptop, and quits and launches my macOS 1P.

    With the steps above, Eve will very quickly have my Secret Key: she can photograph it with her phone, quit and relaunch 1P, and then walk away. Now Eve just has to get my mp, which she might get by filming me type it in. I've always accepted the filming danger because I take care to keep my Secret Key secure. But with the current setup/bug, it's not as secure as I thought.

  • Lars
    1Password Alumni
    edited February 2020

    @rbondi - thanks for your thorough documentation and pursuit of this issue. :) On your own device, it is your Master Password that keeps you secure, not your Secret Key. The important security issues in the scenario you've hypothesized above are:

    1. Leaving your laptop unlocked in a public place, and
    2. Entering your Master Password in a hostile environment that could be captured by "shoulder surfing" or cameras. (this is part of why the Master Password uses Secure Input on your Mac -- to prevent recording of the screen and casual shoulder surfing; someone would have to record video of your fingers, because they're not getting your Master Password by filming your screen).

    That's not an attempt to blame you -- remember, this is hypothetical anyway, no actual data was harmed in the making of this imaginary scenario, let alone any blame placed. ;)

    But on your local device, it is your Master Password -- not your Secret Key -- that protects your data, as outlined on page 55 of our 1password.com security white paper ("Locally exposed Secret Keys"). If someone has direct access to your computer with your macOS account open, and you're already envisioning them being able to successfully film you entering your Master Password, then they could just as easily insert a USB flash drive and copy the contents of your 1Password Data folder that's inside your ~/Library folder over to the drive (only a few MB, nearly instantaneous), and then use the video you imagine them having been able to take of you entering your Master Password to decrypt that data locally on their own device at their leisure.

    The point here is that - as we often say on this forum - security is a process and not a product. 1Password can serve quite ably as a reliable centerpiece of your digital security strategy, but there is no substitute for active user participation in their own security. More importantly, there is no single product - not even 1Password - that can reliably secure users' data and protect them against any and all security threats (even self-created ones like accidentally leaking your Master Password or leaving your computer unlocked in public) 100% of the time. If there were such a product, this game would already be over: everyone would own this product and hackers would have to get jobs as baristas. But there isn't. Instead, 1Password provides you a multi-layered set of defenses against various threats to your data:

    • Your Secret Key (and to a lesser extent, your Master Password) keeps you safe if your encrypted 1Password data is stolen from our servers.
    • Your Master Password is what defends you if your encrypted data is stolen from your device.
    • SRP protects the authentication process and sessions from an attacker who has control of the network.
    • 1Password's MFA protects you in case an attacker has your Secret Key and Master Password but does not have your encrypted data.

    In practice, this works out to pretty robust security for your data under virtually all conditions...but as already mentioned, if an attacker has both access to your physical Mac with your user account unlocked and open and also has managed to use real-world (non-digital) means such as video to record you entering your Master Password, that's not something 1Password can protect you against: anyone with a copy of your data and your Master Password will be able to decrypt the data.
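An added illustration of the first two bullets above (this is example code written for this thread, not 1Password's own implementation): a toy two-secret key derivation in which the vault key is PBKDF2 of the Master Password XORed with an HMAC of the Secret Key, so the three cases Lars describes can be checked directly. The salt, sample secrets, the HMAC stand-in for HKDF and the XOR stream cipher are all constructed assumptions, not 1Password's real parameters.

```python
import hashlib
import hmac
import os


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Toy two-secret derivation: the vault key needs BOTH inputs.
    A wrong Master Password or a wrong Secret Key yields a different key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key, hashlib.sha256).digest()  # stand-in for HKDF
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC for short messages (<= 32 bytes); not a real AEAD."""
    if len(plaintext) > 32:
        raise ValueError("toy keystream only covers 32 bytes")
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def threat_matrix() -> dict:
    """Outcome for each case in the thread. All secrets here are constructed."""
    salt = b"constructed-salt"
    mp, sk = "correct horse battery staple", b"A3-EXAMPLE-SECRETKEY-0000"
    blob = seal(derive_key(mp, sk, salt), b"vault item: hunter2")
    wrong_sk, wrong_mp = b"B4-ATTACKER-GUESS-000000", "letmein"
    return {
        # copy stolen from the server, Master Password filmed, but no Secret Key
        "server copy + filmed MP, no Secret Key": unseal(derive_key(mp, wrong_sk, salt), blob) is not None,
        # copy stolen from the Mac, Secret Key sits on disk, Master Password unknown
        "device copy + Secret Key, no MP": unseal(derive_key(wrong_mp, sk, salt), blob) is not None,
        # copy stolen from the Mac, Secret Key on disk, Master Password filmed
        "device copy + Secret Key + filmed MP": unseal(derive_key(mp, sk, salt), blob) is not None,
    }
```

Only the last case decrypts, which is the point of the thread: on the local device the Secret Key is already present, so the Master Password is the remaining defence.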

This discussion has been closed.