Security concern / question - how is the "Recovery Group" created and linked to family vaults

Hello,

I read the white paper and it gave me a lot of usefull informations.
I still have a question about the creation of the "Recovery Group" ("RG" in the reste of the topic) keyset.

The white paper say that the 1password server is "zero knowledge", there is no data unencrypted on it (except some users informations like email, public key, etc...).
That would mean that the private key of the security group is unknown by the server, and have to be created and encrypted on the client side, right ?

When and how is this keyset created and encrypted ?
I think of something like :
1. When the organizer of the family acount creat the acount, the "RG" keyset in generated on his local client, as his own keyset.
2. The private key of the "RG" is localy encrypted with the public key of the organizer.
3. This "RG" encypted private key his send to the server, with the public key.

This would mean that the process of adding someone (Bob) in the "RG" would be somethink like :
1. The organizer local client use his private key to localy uncrypt the RG private key's.
2. The client then encrypt the RG private key with Bob public key's.
3. The client send the encrypted RG private key to the server.

Am I right ?

If yes, is it the same process when creating a new family account and upgrading from a personnal account to a family one (in the second case, the organizer already existe, so does the RG keyset already where existing but not used ? Or it will be created when changing the account to family one ?)

And second question :
How is the RG linked to the family account ?
How to be sure that there is not a "fake" RG linked to my account (bug or hack) and reciving the cipher key of every single vault of the family acount ?

Waiting to read you,
Best regards,


1Password Version: 7.6.785
Extension Version: 4.7.5.90
OS Version: Windows 10
Sync Type: 1password

Comments

  • ag_anaag_ana

    Team Member

    Hi @matthttam! Welcome to the forum!

    I have asked our security team to review this and let you know. They will get back to you as soon as possible :+1:

  • rickfillionrickfillion Junior Member

    Team Member

    Hi @matthttam,

    While I'm not on our security team, I do have a complete understanding of how this stuff works and I'm actually in the process of writing more internal documentation about recovery. This will give me an opportunity to practice conveying the ideas.

    Your original theory about how it works is very very close to how it works, and is probably "close enough" as far as understanding the concept goes. But since you're clearly wanting to know the nitty gritty, let's dive in!

    It's probably easiest to first address the upgrade from an Individual account to a Familes/Teams account. That process creates the Team Members group (and associated keyset) and adds the original user to that group (by encrypting the Team Member's private key with the user's public key). That's really about it besides the billing side, and flipping the account type. From a crypto perspective it's quite simple.

    So now back to account creation and the Recovery group.

    Upon account creation 3 groups are created: Owners, Administrators, Recovery. Each has its own keyset, all generated on the client. The account creator is made a member of each of these groups (by encrypting its private key with the user's public key).

    In 1Password Families, the definition of "Family Organizer" is actually "Owner and Administrator." When you make a user an Organizer the client will add that user to both the Owner and Administrator groups. But not the Recovery group. In fact outside of account creation no user is ever added directly to the Recovery group. This is why the Recovery group isn't visible even in 1Password Teams and Business. Though there is a group behind the scenes, that group is an implementation detail.

    If a Family Organizer is in the Owner and Administrator groups only, how does this user get access to the Recovery keys. This is more easily explained with 1Password Business where more fine grained permissions are exposed. In 1Password Business you can create a custom group and give that group permissions. There are certain permissions like "Recovery" itself or "Manage All Groups" which requires that this group have access to the recovery keys. When you give this new custom group those permissions you're also giving this group access to the recovery keys (by encrypting the recovery private key with the group public key). The original Owner and Administrator groups that are created during account creation have those permissions and are given access to that key.

    This means that to get to the recovery keys, the client has to go down a chain: User's keyset -> Owner/Admin Key -> Recovery key.

    How is the RG linked to the family account ?

    I hope that my explanation explains that.

    How to be sure that there is not a "fake" RG linked to my account (bug or hack) and reciving the cipher key of every single vault of the family acount?

    This is a great question to be asking. The short answer is "you can't." That's not a very satisfying answer. Currently you're in a position where you need to trust our server for that. We would love to have a way that could be used for verification. It's technically not just the recovery group you need to worry about, it's any public key. 1Password isn't unique in this respect: verification of authenticity of public keys is tricky. We could maybe do it by having a trusted third party to help us out (basically a mini-Certificate Authority). Or you can use something out of band to do verification. For example during account creation the client could compute the fingerprints of keys and provide that to the user. Later on when using those keys an option could be provided to the user to compare the fingerprints against the known values. There are pros and cons to both methods.

    I hope this helps shed some light on the recovery keys. Do let us know if you have any more questions.

    Rick

  • Hi,
    @ag_ana, thank you for the welcome :)
    @rickfillion, thank you for this full technical explanations 8-)

    Upon account creation 3 groups are created: Owners, Administrators, Recovery. Each has its own keyset, all generated on the client. The account creator is made a member of each of these groups (by encrypting its private key with the user's public key).

    In 1Password Families, the definition of "Family Organizer" is actually "Owner and Administrator." When you make a user an Organizer the client will add that user to both the Owner and Administrator groups.

    Does it mean that even for family acount, all 3 groups are created ?
    And the "Organizer" group is juste a sort of "binding" of Owner et Administrator unvisible for the user ?

    The original Owner and Administrator groups that are created during account creation have those permissions and are given access to that key.

    This part explain how users have access to the "Recovery group" (and if I anderstand well, they do not have access to this group directly, but througt the "Organizer" group, wich is a "binding" of "Administror" and "Owner" groups, wich has access to the private key of the "Recovery Group".

    But I still not have well understand where a vault find the public key of the "Recovery group".
    I think it is the same as sharing vault with somone, I have to trust the 1password server to send me the good public key of the good acount I want to share data with.
    But in the case of Family and recovery, the encryption of every cipher key vault using the "Recovery group" public key is automatic.
    So is this something like :
    1. When creating a Family acount, an UID is created to this "family group"
    2. The public key of the "Recovery group" is linked to this UID, as are all user and vaults created insinde this "Family group"
    3. When a new vault is created, it chek wich is the UID of the "Family group" and ask the 1password server to send the public key of the assiociated "Recovery group" to encrypt it with ?

    Thank you again for your time,
    This feature (not only recovry but also sharing) kind freak me out... :p
    Beacause I'm used to "KeePass like" encryption, where the cipher key is based on my Master Password only, and not using RSA keys (and with system like that, there is no share or recovery possibility, but also not the risk of having the wrong public key use and leting somone uncrypt my data without the need of knowing my Master password.

    Have a nice day ;)
    Best regards,

  • rickfillionrickfillion Junior Member

    Team Member

    Does it mean that even for family acount, all 3 groups are created ?
    And the "Organizer" group is juste a sort of "binding" of Owner et Administrator unvisible for the user ?

    Exactly right.

    if I anderstand well, they do not have access to this group directly, but througt the "Organizer" group, wich is a "binding" of "Administror" and "Owner" groups, wich has access to the private key of the "Recovery Group".

    Correct

    But I still not have well understand where a vault find the public key of the "Recovery group".
    I think it is the same as sharing vault with somone, I have to trust the 1password server to send me the good public key of the good acount I want to share data with.

    Right. When a client creates a vault, it's responsible for fetching the public keys for the entities that should get access to it. For a user-created vault in a 1Password Families account that would mean the Owners group, the Admin Group and the Recovery group. The Owners and Admin groups get given the keys with the permission to Manage the vault. The Recovery group gets given the keys with permission to Recover the vault key.

    This feature (not only recovry but also sharing) kind freak me out...

    Understandably. :)

    Cheers.

    Rick

  • Hi,
    Understood ;)
    Thank you @rickfillion

  • rickfillionrickfillion Junior Member

    Team Member

    Happy to help.

    Rick

  • I have two related questions, and given the technical depth of this thread it seems appropriate to add them here -
    1) it seems that based on this recovery model, private vaults are in fact accessible (from a security perspective) to any family organizer. It seems that the things preventing family organizers from accessing private vaults are essentially software control over what vaults are synced. Is this correct or is there some nuance I'm missing?
    2) I've seen some older posts covering estate and emergency planning and access (or not) to private vaults. From a security model perspective, w.r.t. #1 this appears to be technically feasible. Is configuration of a family organizer sufficient for this, if private vaults needed to be accessed in an emergency? The opposite question also arises - if there is some content that should NOT be accessed for estate planning (one example I saw was work-type HIPPA info or access), is there a way to go about that outside of a separate, completely individual account?

    Thanks,
    Aaron

  • rickfillionrickfillion Junior Member

    Team Member
    edited November 25

    Hi @ad27163,

    1. Correct. Policy dictates that the server won't give the contents of the vault to a user without Read access to the vault. But due to Recovery, the server makes the keys for the vaults accessible to those with Recovery permission.

    2a. "Is configuration of a family organizer sufficient?" Not quite. Not unless the person with the Recovery keys (the Family Organizer) also has control of the email address of the person whose vault they're trying to gain access to. In my personal case it's sufficient as my wife has the information she would need to gain control of my email address should she ever need it in an emergency. But the converse isn't true. I don't have the information to gain control of my wife's email address in an emergency. I should probably get that resolved, thanks for making me think through this.

    2b. "if there is some content that should NOT be accessed for estate planning, is there a way to go about that outside a completely individual account?" No. It's a problem we find interesting though. Truly secure in that respect means another Family Organizer can't recover it. If it's not recoverable, it means it'd need to be vulnerable to be lost should the original creator lose access. Considering how often people forget their Master Passwords and need to be recovered, this seems like a dangerous proposition. It'd be easy for us to say "Well we can make the user understand that before they create the unrecoverable vault." Sadly at the time of vault creation a user is very unlikely to think that one day they may forget their Master Password or lose their Secret Key. I don't think most users would understand why part of their data could be recovered but not all of it should that ever happen.

    Rick

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file