Why does 1Password use RSA with 2048-bit keys?
After reading the 1Password white paper, it seems that, in case of a security breach in which encrypted vaults and unencrypted user public keys are stolen, the best way for the attacker to access information in stolen vaults is NOT by trying to guess the 128-bit Secret Key and the user master password. Instead, since a vault key is encrypted with the RSA public key of a user who has access to the vault, it is better for the attacker to directly attempt to break the RSA encryption by recovering the private key from the unencrypted public key. 1Password uses RSA with 2048-bit keys, which, according to NIST (see Table 2 on page 54), provides only 112-bit security protection (whereas a strong 80-bit user master password, combined with the 128-bit Secret Key, provides more than 200 bits of security). To get at least the same protection as provided by the 128-bit Secret Key, the size of RSA keys should be at least 3072 bits, which provides 128-bit security according to NIST.
I understand that increasing the size of the RSA keys will slow down decryption, which is done frequently in the current design. However, the encryption of the vault key with a user's public RSA key is only performed to securely share the vault key with only that user. The RSA decryption should really be done only once per user's client (the first time the user's client attempts to access a vault that has been shared with her). After the first successful RSA decryption of an encrypted vault key on the client, the client should cache an encryption of the vault key using AES-256 and the "Account Unlock Key" (AUK), which is derived from the Secret Key and the user master password (note that this type of caching is already routinely done by clients to save time by avoiding regenerating the secret for authentication, "SRP-𝑥"). Thus, the cost of decrypting an RSA-encrypted vault key on a client would be paid only once [1], which means that 1Password could certainly afford much larger RSA keys.
My question is then: why not increase the size of RSA keys to at least 3072 bits to provide, in case of a security breach, at least the 128-bit security that 1Password advertises (due to the 128-bit Secret Key)? (IMHO, it should be increased to at least 4096 bits.)
Best regards
[1] Note: RSA decryption might also be needed for rare account recovery operations.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
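The arithmetic behind the key-size comparison in the question above, as an added example that is not part of the original thread or 1Password's code: it evaluates the GNFS-based strength estimate that NIST gives in FIPS 140-2 Implementation Guidance 7.5 for an RSA modulus, and sets it against the question's figures of a 128-bit Secret Key and an 80-bit master password. The function names and the additive model of the two secrets are assumptions made for illustration.

```python
import math

def gnfs_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength estimate for an RSA modulus of the given size.

    GNFS-based formula as given in FIPS 140-2 IG 7.5:
      x = (1.923 * cbrt(L ln 2) * cbrt((ln(L ln 2))^2) - 4.69) / ln 2
    """
    if modulus_bits < 512:
        raise ValueError("estimate is not meaningful for very small moduli")
    n = modulus_bits * math.log(2)  # natural log of an L-bit number
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)       # convert the exponent from nats to bits

def smallest_modulus(target_bits: float, step: int = 256, limit: int = 16384) -> int:
    """Smallest modulus size (multiple of `step`) whose estimate reaches target_bits."""
    for size in range(step, limit + 1, step):
        if size >= 512 and gnfs_strength_bits(size) >= target_bits:
            return size
    raise ValueError("target not reachable below limit")

def cheapest_path(modulus_bits: int, secret_key_bits: int = 128,
                  password_bits: int = 80) -> tuple:
    """Model from the question: the attacker either factors the modulus or
    guesses both secrets. Defaults are the figures quoted in the question."""
    rsa = gnfs_strength_bits(modulus_bits)
    secrets = float(secret_key_bits + password_bits)
    return ("rsa", rsa) if rsa < secrets else ("secrets", secrets)

if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        path, bits = cheapest_path(size)
        meets = gnfs_strength_bits(size) >= 128
        print(f"RSA-{size}: ~{gnfs_strength_bits(size):.1f} bits, "
              f"cheapest path: {path} (~{bits:.0f} bits), "
              f"reaches 128-bit target: {meets}")
    print("smallest modulus for 128 bits (step 256):", smallest_modulus(128))
```

The formula gives a continuous estimate, so its value for 2048 bits falls slightly below the 112-bit category that the NIST table assigns to that key size.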
Comments
-
Hello @afokoue! 👋
Thank you for the questions. Our security team has posted about this in the past and these two previous posts should address your questions:
- https://1password.community/discussion/comment/541951#Comment_541951
- https://1password.community/discussion/comment/542179/#Comment_542179
The TL;DR: there isn't any way to brute force RSA 2048 using the computing power currently available and RSA 2048 meets the recommendations of cybersecurity bodies such as the National Institute of Standards and Technology (NIST). There is always an opportunity to improve things as clients and browsers become more capable and our security team is staying on top of the latest developments. Any moves to change how 1Password's cryptography works in the future will need to be carefully considered and be compatible with all supported clients.
-Dave
0 -
Thanks, @Dave_1P, for your response!
The second post in particular (https://1password.community/discussion/comment/542179/#Comment_542179) explains well the current situation.
0 -
Thanks again for the questions. I'm happy to hear that the links provide some useful information about the subject. 🙂
-Dave
0