White Paper: My Feedback
Hello,
I'm currently reading your White Paper and I enjoyed it. You did fabulous work designing the software and documenting the design, at least from my point of view. I'm just a guy who is interested in security and cryptography, but I'm not an expert. :-)
I'm just giving you my thoughts. Maybe it sometimes sounds like I know everything (because of language issues), but they are always meant as positive criticism, and I'm aware there is always more than one way to do it. :-)
I may post more feedback on this thread.
It would be nice to get honest feedback on whether my feedback really helps you or if it is just time consuming and you have already thought about it.
You can send me a private message about this. It would just save you and me time. :-)
I want your 1password4team to be a great success, because 1password already delivered great value to my life and 1password4team is promising even more value.
A. Account_Key
On page 46 you state that you store the account_key obfuscated. What would happen if you stored it encrypted with a key derived from the Master Password with an extra salt? Then your web client would simply need to use the derived key to decrypt the account_key. I don't know if this adds a weakness to the Master Password if you use it too often to derive keys from it. And surely local malware could get around these limitations anyway, so I don't know if there is value in doing it. But IMHO it is important to give feedback to you, even if I believe your team has already thought about it, because you are the experts :-)
B. DesignPattern
You should read https://www.boxcryptor.com/en/technical-overview since they did quite a similar design to yours.
They explain their way of doing it in a structured way which is easy to follow for non-experts.
I like their definitions because they make most things really clear.
C. Principles
I like your principles and especially Privacy by Design. But I would like you to apply this principle to me as a user. I'm the admin and owner of the team (whole company) and I don't want to have access to any vault that doesn't belong to me. So it is bad that I'm able to
For companies, all of your principles apply across organizational units (OU). Why should the server team trust the admin of the 1password Team account?
D. User vs. Admin
Since I used my normal and only e-mail address to sign in, I have all the admin and owner power. I would like you to give me the option to have a second Master Password to use to gain admin/owner or recovery power.
Or you should state at team creation that one should use a different admin e-mail address to make segregation of duties possible.
E. Ease of use and Recovery Group
Your Recovery Group approach is easy to use, but then all recovery members are a weak point. So as in the point above they should have an additional Master Password to get the power. Or, as Boxcryptor does, just have a company key (recovery key) which is not automatically in place. It wouldn't be so easy to use (so it should be an option the admin chooses). The company key needs an extra password and you don't need to store the encrypted private key in the client.
See company: https://www.boxcryptor.com/en/technical-overview#anc06
F. Group and Access - Role and Right Design
F.1 Definitions
Information Owner:
Person who owns the information (the vault owner).
The Info Owner has the power to create a vault and add a user or a group to a vault.
The vault key will be encrypted with the public key of the group/user.
Group Owner:
Person who has the power to create a group and add a person to it. When a group is created the group owner creates the group key. And if a user is added, the group key is encrypted with the user's public key.
Since all group members have access to the group key (group private key) they can add group members by themselves; there should be a server policy as an option which enforces that only the group owner can add group members.
The Information Owner will be a Group Owner too.
F.2 Rules
The Information Owner can decide if he trusts a group owner, or create groups himself. With this flexibility it is possible to customize your system to comply with organizational rules.
F.3 Workflow
You could apply a workflow: if a user wants to have access to a vault, he could ask for access via the web client, and the information owner will see this request and can decide whether to grant it.
The user can also ask to be added to a group.
Surely an info owner or group owner can do the same without waiting for a user request.
F.4 Dashboard
Information owners should have a dashboard to see if new users were added who have access to vaults, and why/who granted access.
The dashboard should also show really easily which users have access.
F.5 Asym. vs. Sym. Encryption for Groups
Boxcryptor Website says:
In order to speed up the sign in process, the membership key will be additionally AES encrypted with the user's group key on the first occasion - e.g. the next user's sign in. When the membership key is also available in AES encrypted form, subsequent sign ins can use AES decryption over RSA decryption which is a lot faster.
I think this is a good way to do it.
G. Item Key vs. Vault Key
Maybe it could be useful to use a key per item, especially for the Document category (like Boxcryptor is doing). So you can have bigger files.
H. Vaultkey and Vaultoverviewkey
I guess you differentiate between vault key and vault overview key, but I didn't find it clearly expressed in your white paper.
I. Pricing
Once again: see Boxcryptor pricing. My company and I personally have no problem paying these fees. I also like the differentiation between personal, business and company plans.
J. Flexibility (Complex) vs. Easy to use
It would be good if you stick with your principle of ease of use. But I would like to have the option to enable an expert mode so I have more flexibility and get more out of your service than you had imagined in the first place. Since this will lead to a bit of complexity, the expert user has to understand how it works and that he could mess up things otherwise.
K. Secure Client Administration
I'm using a cryptocurrency, ournem.com. I like how they differentiate the client and the server code.
They have a web client available (NCC) which you can download and check that it is really from the developer. This web client is called locally and connects to a server (NIS).
So you don't need to implement all your admin stuff in all native apps but still deliver a secure client. And your own server environment can be set up the same way.
If you are interested in details, look at ournem.com. Or we could Skype and I could explain it in more detail.
If it would be possible to get your
Would be cool if you could make sure that the Server is delivering always the
Still 9 pages to read ...
Random
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Wow! Thank you for the incredibly detailed feedback, @random_31731ec7aea! It really is an awesome feeling knowing that people like yourself are taking the time to read our White Paper. As you can imagine, it took us a very long time to write, so I'm very grateful knowing it was worth the effort :)
As for whether or not your feedback is helpful, it absolutely is! Even just hearing your perspective is awesome.
While Jeff Goldberg and Roustem Karimov are the true experts, I've been in enough meetings with them to be able to answer most of your questions :)
Now, let me address your points in turn:
A. Account Key
As you say we chose to obfuscate the Account Key instead of securing it with your Master Password. One reason for this is we didn't want to give attackers another vector for brute forcing your Master Password. There are ways around this I suppose (i.e. we could have performed X PBKDF2 iterations to derive the decryption key, and X+1 for another key to protect the Account Key) but that brings us to the second issue.
The second issue is Master Password changes. Ideally you would only need to change your Master Password once on a single device, and then be able to use the new Master Password on any other device that is connected to the internet. If we encrypted the Account Key using your (old) Master Password, we wouldn't be able to do this.
B. DesignPattern
Thanks for pointing out what you enjoyed about the BoxCryptor documentation. I like how they start out with the definition of terms as well. We played with that a bit and decided a gentle introduction that started with simplified concepts and slowly grew to cover all aspects worked better. Combined with the Glossary I think it works pretty well, but a small part of me still wishes we had some definitions earlier on.
C. Principles
I see where you are coming from when you say you do not want to access vaults that "don't belong to you", but as the owner, all vaults belong to you. That is why we give you the power to restore access to them.
With that said, it would be relatively easy for us to allow you to remove this feature from your team. The hard part was designing things in a way that made it possible to securely restore access to locked out accounts. By comparison, having a preference that allows you to disable this would be relatively easy :)
One of the biggest problems with allowing this to be disabled, however, is there is no easy way back. Once you delete the (encrypted) keys for everyone's vaults, you won't be able to get them back. For this reason, we do not have this preference at this time and honestly it will shoot so many people in the foot that I'm hesitant to add it.
D. User vs. Admin
This is an interesting idea. While having a separate Master Password would be a huge pain, I like the idea of having a separate user account dedicated to administration. This is something you can do today with the current features.
E. Ease of use and Recovery Group
You're absolutely right that in many ways the Recovery Group is the biggest target as they have a lot of power. When we designed 1Password for Teams we wanted to make sure that the team could continue to operate even if one of the team members got run over by a bus. For this reason we really want the Recovery Group to be enabled automatically.
It sounds like you would prefer to live with this risk and instead turn off Recovery Groups on your team, like we discussed in C. Principles.
F. Group and Access - Role and Right Design
I'm not sure where you were going with this section. Are you proposing an entirely new model for sharing data within an organization?
G. Item Key vs. Vault Key
There is a lot of history here :)
We used to have a key per item in our other keychain formats and in many ways they were a pain in the ass. They didn't add enough value to justify the additional complexity they added, so in the latest design we decided to choose the simpler path. Simple is good.
H. Vaultkey and Vaultoverviewkey
We use the same key for the item overview and the item details. I'm 90% certain we did the same for vault keys, but now that you mention it, we didn't make the distinction very clear here. I'll take this feedback to Jeff and see if we can make things more obvious.
I. Pricing
We're planning on having separate tiers and feature differentiation as well. We simply don't have all the answers at the moment as we're focused on getting feedback on the beta and polishing things for everyone. Once we get closer to final release we'll give this more thought.
J. Flexibility (Complex) vs. Easy to use
How do you see Expert Mode working?
K. Secure Client Administration
This is an interesting idea. We've been playing with a few similar technologies to accomplish what you're asking for here. I guess this would be part of your Expert Mode?
Thanks again for all your feedback, Random! It's awesome to know you're reading our White Paper so closely :)
Cheers!
++dave;
0 -
Hi Dave,
D.
Yeah, an additional user would be the best choice. Since the web client is aware of different accounts automatically, it would be cool if you were able to select the account manually without the need to type it into the field.
C. E. and F.
You've got me a bit wrong. I don't want to lose the ability of the Recovery Group.
- Team creator should automatically be Owner, Admin and Recovery.
- Team Owner should be forced by server policy to have the same access rights an Admin or Recovery Group member has. ^1
- Admin should not automatically be a Recovery Member.
- Admin should only be allowed to create and delete vaults.
- Admin may select other Admins.
- Admin shouldn't have read/write access to vaults he didn't create, except if he is allowed to delete all vaults.
- The Owner should be the only one who is assigning Recovery Members.
1) Sure, the Owner can create an additional user and grant access to a vault by enabling Recovery, but this power will be logged.
We would split duties: one company account which is Owner, at least one additional Recovery account as backup, and then normal accounts, some of which are Admins.
Later on, if you split rights/permissions for Admin into vault owner and user management ...
- A Vault Owner permission (right) should be the same as Admin but without the ability for user administration and deleting vaults he doesn't own.
- A User Manager would just have the permission to manage users.
- Admin would still be available, but.
I'm not saying you should do it the exact way I describe, but I hope you get the point that a role/permissions concept which allows segregation of duties is really good for enforcing principles in a company.
J.
Let me explain it the other way around.
You make things configurable, with defaults.
The easy mode wouldn't have the ability to change defaults but the Expert Mode would. For example you could make a finer permission set available and choose to make the default like you currently did. But since permissions are configurable in Expert Mode, I simply could apply the role and permissions scheme I described in C., E. and F.
But since I could mess up things and lose Recovery Mode, it's the Expert Mode. Maybe some customers want to remove Recovery intentionally. So that's what I mean by flexibility/complex.
AgileBits did a good job selecting good defaults, but sometimes customers want to achieve other things. So the value for the customer could be extended beyond what you imagined. BTW I would only allow Expert Mode in premium plans. So you earn more money if a customer gets more value.
K.
No, this wouldn't be the Expert Mode. It would be the overall design to separate business logic (server) and web GUI from each other.
And the web GUI can run remotely (on your server) for most people. And those who are concerned about security will download the web GUI client and run it locally.
0 -
Hello again Random :)
D.
Being able to select different Accounts automatically would indeed be cool. And you're right, since it's all stored locally we can do this in a secure manner.
Another idea Roustem and I had on our walk today was perhaps we could enable 2FA for accessing the Admin Console? I think that could work perfectly for what you're looking for.
C. E. and F.
Thanks for elaborating on this. I understand better now how you see the segregation of duties taking place.
J.
Ah, I understand better now. Thanks.
I must admit I don't like the idea of an Expert Mode that could allow users to shoot themselves in the foot, but I do understand your desire for more customization here.
K.
Something like Electron could work well here I think.
++dave;
0 -
Hi,
L. Revoking Permission / Automatic Key Changing
If you revoke permission for a vault, or for being Admin or Recovery, it would be good if there were several steps to ensure that the user doesn't get access to what he shouldn't anymore. Steps:
1. Revoke permissions
2. Put a server policy in place so that you cannot access the vaults anymore
3. Tell the client to remove the vaults and all secrets
4. Remove the public key of the user from any key he has access to
5. Apply a key rolling process, at the beginning with both old and new key in place (maybe inform all other users to log in/sync once; after all users have downloaded the new key, one client should re-encrypt all vaults and items with the new key)....
M. Free Apps in App Store and to download
I mentioned this on another thread before. 1Password4Teams should be available for free, and if you log in to at least one team you can use it. Pro features should be bound to the subscription plan and team.
0 -
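The RSA-then-AES sign-in shortcut quoted under F.5 in the first post and the revocation and key-rolling steps (4 and 5) in section L. above rest on the same key-wrapping machinery, so here is one added Go example covering both. It is my own illustration, not AgileBits' or Boxcryptor's code, and not a description of 1Password's actual implementation: `Member`, `Vault`, `Grant`, `OpenVaultKey`, `Revoke`, the choice of RSA-OAEP and AES-256-GCM and the 2048-bit key size are all assumptions made for the example, and a real client would derive `userKey` from the Master Password rather than generating it at random.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// must panics on error: acceptable in an example, not in library code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal and open are AES-256-GCM; the random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Member: RSA key pair for receiving vault keys, a symmetric user key (constructed here;
// a real client derives it from the Master Password) and the F.5 cache.
type Member struct {
	priv    *rsa.PrivateKey
	userKey []byte
	cache   map[string][]byte // RSA-wrapped blob -> same vault key re-wrapped under userKey
}

func NewMember() *Member {
	return &Member{priv: must(rsa.GenerateKey(rand.Reader, 2048)), userKey: randomBytes(32), cache: map[string][]byte{}}
}

// Vault as a key-holding client sees it: items encrypted under the vault key, and that
// key wrapped once per member with the member's RSA public key (F.1).
type Vault struct {
	key     []byte
	Wrapped map[*Member][]byte
	Items   [][]byte
}

func NewVault() *Vault { return &Vault{key: randomBytes(32), Wrapped: map[*Member][]byte{}} }

func (v *Vault) Grant(m *Member) {
	v.Wrapped[m] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &m.priv.PublicKey, v.key, nil))
}

func (v *Vault) AddItem(plaintext []byte) { v.Items = append(v.Items, seal(v.key, plaintext)) }

// OpenVaultKey (F.5): the first sign-in pays for an RSA-OAEP decryption and caches the
// key under the user key; later sign-ins only do an AES-GCM decryption.
func (m *Member) OpenVaultKey(v *Vault) ([]byte, error) {
	wrapped, ok := v.Wrapped[m]
	if !ok {
		return nil, fmt.Errorf("member has no wrapped copy of the vault key")
	}
	if cached, ok := m.cache[string(wrapped)]; ok {
		return open(m.userKey, cached)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, wrapped, nil)
	if err == nil {
		m.cache[string(wrapped)] = seal(m.userKey, key)
	}
	return key, err
}

// Revoke (L. steps 4 and 5): drop the member's wrapped copy, then roll the vault key and
// re-encrypt every item, since the revoked client may still hold the old key.
func (v *Vault) Revoke(revoked *Member, remaining []*Member) {
	delete(v.Wrapped, revoked)
	old := v.key
	v.key = randomBytes(32)
	for _, m := range remaining {
		v.Grant(m) // fresh OAEP ciphertexts, so every remaining member's cache misses once
	}
	for i, ct := range v.Items {
		v.Items[i] = seal(v.key, must(open(old, ct))) // old key still needed here (step 5)
	}
}

func main() {
	alice, eve, v := NewMember(), NewMember(), NewVault()
	v.Grant(alice)
	v.Grant(eve)
	v.AddItem([]byte("constructed secret"))
	stale := must(eve.OpenVaultKey(v)) // eve's client may keep this key after revocation
	v.Revoke(eve, []*Member{alice})
	_, err := open(stale, v.Items[0])
	fmt.Println("revoked member's old key on the rolled item:", err)
}
```

A member's first `OpenVaultKey` call does the RSA decryption and stores the vault key re-wrapped under the member's symmetric key; the cache is indexed by the RSA-wrapped blob, so after `Revoke` re-wraps the key for the remaining members every client goes through RSA once more, and a revoked client, whose blob is gone, gets an error instead of a key. Removing the wrapped copy alone (step 4) is not enough, because the revoked client may already hold the vault key in memory or on disk; that is why `Revoke` also generates a new vault key and re-encrypts the items, and why the old key must remain available to the one client doing that re-encryption, the "both old and new key in place" phase from step 5.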
M. Free Apps
I'm such a long-term user that I didn't realize that 1password in the iOS App Store is already freely available. My colleagues told me today. So M. is obsolete.
0 -
Hi @dteare,
When you add a vault without the "Add Administrators" option set, only the creator is able to see that vault and not the other Admins. So the C., E. and F. topics are possible for us as a workaround. I decided the vault owners are Admins and they create their own vaults. But it would be cool to get full role and access management in the near future.
Just one caveat left. If you don't add the other Admins, the other Admins aren't even aware of the vault. But it would be cool if the other Admins could see the vault in the Admin Console (important: only in the Admin Console) and could delete it. Otherwise there is a split-brain situation where you always have to communicate which vaults are created. My workaround till then: a vault for all Admins where we put a list of vaults as a Secure Note and maybe a changelog.
BTW
We are now fully productive on the 1P4T Beta. :-) Do we need a manual backup procedure or do you make backups at the moment? Cu
Random
0 -
Random -
Thanks again for the detailed feedback! It's great having users like you who take the time to read through our white paper and analyze all the nitty-gritty details. I'm a member of the security team and it's very rewarding knowing that our users are putting so much thought into reading it and seeing how it works for your organization.
We have been discussing the issues you've raised within the team, and your latest feedback will be part of that discussion as we continue building 1Password for Teams.
0 -
Random,
The server keeps backup copies of your encrypted data.
0