Authentication and Encryption

jkilheffer
Community Member

I work in the computer security & forensics space, so I have a good grasp of how the non-family version of 1Password works, including through the use of Dropbox, and how the master password key is being employed to make it so that the encrypted dataset can be freely moved from system to system without risking exposure.

What I would like to understand better is how you extend this model to the Family solution. I've read the knowledge base articles, but they don't seem to specifically address the Family/Teams architecture. I am particularly concerned with how you are protecting my data in this architecture such that YOU (or anyone, for that matter) who doesn't directly have the master key cannot decrypt the contents, and further how you extend that functionality to a browser-based capability only.

I really like the strong encryption model the non-Family/Teams version employs and am very interested in the Family/Teams version, but I've seen far too many password keeper solutions that are little more than an "at rest" encryption repository, with the provider also in possession of the key in a separate location -or- requiring the transmission of the key to the server side (potentially allowing its interception, or a rogue actor within your network coming into possession of it), and thus exposing the possibility of both the encrypted vault and the key being in the possession of someone other than myself.

I can't imagine you didn't think that strong encryption model through for the Family/Teams offering, so if you can explain it in detail, I would like to understand it.


Comments

  • hawkmoth
    Community Member

    @jkilheffer - I am not a developer of anything, nor an AgileBits employee. But the key here, as I understand it, is that your master password, which you pick yourself locally, and the account key (for Families/Teams only), which is generated locally only on your own device when you sign up for a Families or Teams account, are never known to or under the control of AgileBits. Neither is ever transmitted to AgileBits. All decryption and encryption is accomplished locally on your own devices, never in the cloud. And since AgileBits doesn't ever see those two security codes, which together control the encryption keys, there isn't any way they, or anyone else, can get access to your data, unless you divulge the credentials to get in.

    This is no different from what you already understand about using Dropbox. You create a strong master password to open your data, but it only exists under your control. It makes no difference what cloud solution you use, because your data is protected by the same encryption scheme you already know about and your strong master password. It exists in the cloud only as an encrypted black box. Families and Teams go a step farther and use an additional Account Key when generating the encryption keys. So, in reality, your data would be just as secure if you posted the encrypted file to a public server or even a social media site. That's true of the previously existing products, as well as the newer ones. Not that I would recommend either!

    I'm sure you will get a more official version of what I have said, but I rather doubt it will differ much in the essentials of how well protected your data are.

  • jkilheffer
    Community Member
    edited March 2016

    The part that stumps me is how, as the account administrator, you can "reset" a forgotten master password for someone. That would imply that there is some way to decrypt the data which doesn't require the original key. While you can certainly have more than one key (essentially encrypting the same "real" key individually with multiple individual keys and using some matching criteria, such as the email address, to determine which one to decrypt), much like an encrypted message to multiple recipients might be handled, this requires someone to know one of the keys -- so, OK, I see how that could work for a "shared" vault as long as one individual still knows their master key, but what about a personal vault where you are the only key holder? Unless the "cloud" somehow has a shadow "master" key -- which would concern me very much, as that becomes the point of attack and provides the ability for someone to get at your passwords.

  • rgruyters
    Community Member

    @jkilheffer, as far as I understand, "reset" doesn't reset a master password but rather sends a message to the user to allow him/her to set a new master password.
    The user still needs to have the account key to be able to set a new master password.

  • dszp
    Community Member
    edited February 2018

    Hi @jkilheffer, I'm not with AgileBits, but they have written a whitepaper that goes into great detail about how the mathematics work for their new Teams/Families product (they're the same except for some additional capabilities in Teams compared to Families).

    Their introductory blog post at https://blog.agilebits.com/2015/11/03/introducing-1password-for-teams/ has a link to a page called Security at https://teams.1password.com/security that appears to have moved since then, but the whitepaper itself is directly available here.

    It's only 63 pages, but it might have enough detail for you regarding the security features :-) There's also a little bit of info on the Recovery Keys and how they work (or at least, why they work in Teams/Families) at https://discussions.agilebits.com/discussion/comment/250204/#Comment_250204 where @dteare mentions why the Recovery Group concept works with their hosted version better than it would for the standalone application. Math is not my forte, but a recovery group does imply that there is a master key controlling access to the data within an account for recovery, but the fact that recovery exists and the people who have control of that key are known is one of the features, not a bug. In a way it's a form of the 1Password Emergency Kit http://productivityist.com/1password-emergency-kit-3/ that's cloud-based and distributed (though you still need the Teams/Families emergency kit since it contains the account key). However, it's something controlled by the account holder (and requiring the account key) only, not something AgileBits obtains.

  • julie-tx
    1Password Alumni

    @jkilheffer -

    Thanks for a great question. The answers you've gotten thus far are fairly close, but some of the finer points of the inner workings of account recovery are a little off the mark.

    The protected information we receive from users is incomprehensible gibberish as far as we're concerned. What we do is make sure that when you request a piece of information -- an encrypted keyset, for example -- we return the correct keyset. We can't tell you what those keys are (with the exception of some public keys we use to encrypt data that we can't decrypt to begin with), because we never have decryption keys.

    The key (pardon the pun) to understanding the 1Password for Teams platform is chained encryption. We send you encrypted things, which you then decrypt and re-encrypt and send back to us. For example, vaults have encryption keys, and those are encrypted. When a user is added to a vault, the encrypted vault encryption key is encrypted with the public key of the user. The White Paper does a much more thorough job of explaining all this than I can in a response.

    Account recovery works much the same way. A user who is able to recover accounts has access to all of the encrypted vault encryption keys. When a recovery is started, the existing team member is forced to create a new Account Key and Master Password. This results in them having a new public key. This public key is then used by the person performing the recovery for them to re-encrypt the various keysets the user needs.

    The result is they have newly-encrypted keysets which, when decrypted with their newly-created keys, are able to decrypt the vault keys on the local devices and then decrypt the items themselves. All of this is done with us never having access to decrypted keys.

    There is some simplification in this response due to the limited space. For more details, the White Paper will explain the encryption in greater detail, as well as many other features of 1Password for Teams.
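The chain described in this thread, as an added, stdlib-only Python model that is not AgileBits' code and not taken from the White Paper: a key-encryption key derived on the device from the master password and the locally generated account key wraps the user's private key; each vault key is encrypted once per member to that member's public key (which also answers the multi-recipient question earlier in the thread: the recovery group is simply one more member holding a wrapped copy); and recovery re-encrypts the vault keys to the user's freshly generated public key while the server only ever stores public keys and ciphertexts. The DH group over the prime 2^255-19, the XOR combination of the two secrets, the HMAC-keystream cipher and every function name (`derive_kek`, `enroll`, `grant`, `recover`, `server_can_see`, ...) are illustrative choices made so the example runs offline, not 1Password's actual primitives or API; the account names and item text are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Demonstration primitives only (stdlib, runs offline). The DH group, the way the two secrets
# are combined, and the HMAC-keystream cipher are illustrative stand-ins, not 1Password's own.
P, G = (1 << 255) - 19, 2   # prime modulus and generator of the toy DH group

def derive_kek(master_password, account_key, salt):
    """KEK from the two device-only secrets: stretched password XOR locally generated account key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000)
    ak_part = hmac.new(account_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, ak_part))

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def sym_encrypt(key, pt):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def pk_encrypt(pub, pt):  # ephemeral DH share, then symmetric encryption under the shared secret
    eph = secrets.randbelow(P - 2) + 1
    k = hashlib.sha256(pow(pub, eph, P).to_bytes(32, "big")).digest()
    return pow(G, eph, P).to_bytes(32, "big") + sym_encrypt(k, pt)

def pk_decrypt(priv, blob):
    shared = pow(int.from_bytes(blob[:32], "big"), priv, P)
    return sym_decrypt(hashlib.sha256(shared.to_bytes(32, "big")).digest(), blob[32:])

# The "server" dict holds exactly what the service would store: public keys and ciphertexts.
def enroll(server, name, master_password):
    """Sign-up on the device: account key and key pair are generated locally; server gets pub + wrapped priv."""
    account_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    priv, pub = keypair()
    kek = derive_kek(master_password, account_key, salt)
    server["users"][name] = {"salt": salt, "pub": pub,
                             "wrapped_priv": sym_encrypt(kek, priv.to_bytes(32, "big"))}
    return account_key  # lives in the user's Emergency Kit, never on the server

def unlock_priv(server, name, master_password, account_key):
    u = server["users"][name]
    kek = derive_kek(master_password, account_key, u["salt"])
    return int.from_bytes(sym_decrypt(kek, u["wrapped_priv"]), "big")  # raises on wrong secrets

def create_vault(server, vault, owner, items):
    vault_key = secrets.token_bytes(32)  # generated on the owner's device
    server["vaults"][vault] = {"members": {owner: pk_encrypt(server["users"][owner]["pub"], vault_key)},
                               "items": [sym_encrypt(vault_key, item) for item in items]}

def grant(server, vault, granter, granter_priv, member):
    """Chained encryption: granter decrypts the vault key locally, re-encrypts it to the member's public key."""
    v = server["vaults"][vault]
    v["members"][member] = pk_encrypt(server["users"][member]["pub"],
                                      pk_decrypt(granter_priv, v["members"][granter]))

def read_items(server, vault, name, priv):
    v = server["vaults"][vault]
    vault_key = pk_decrypt(priv, v["members"][name])
    return [sym_decrypt(vault_key, blob) for blob in v["items"]]

def recover(server, name, new_master_password, recoverer, recoverer_priv):
    """Recovery: user enrolls fresh secrets; a recovery-group member re-wraps each vault key to the new pub."""
    new_account_key = enroll(server, name, new_master_password)  # old wrapped_priv is replaced
    for v in server["vaults"].values():
        if name in v["members"] and recoverer in v["members"]:
            v["members"][name] = pk_encrypt(server["users"][name]["pub"],
                                            pk_decrypt(recoverer_priv, v["members"][recoverer]))
    return new_account_key

def server_can_see(server, secret):
    """True if the plaintext secret appears anywhere in the server's stored data."""
    blobs = [u["wrapped_priv"] for u in server["users"].values()]
    for v in server["vaults"].values():
        blobs += list(v["members"].values()) + v["items"]
    return any(secret in b for b in blobs)

def demo():
    """Constructed walk-through: enroll, share with the recovery group, lose the password, recover, read again."""
    server = {"users": {}, "vaults": {}}
    alice_ak = enroll(server, "alice", "correct horse")
    group_ak = enroll(server, "recovery-group", "group passphrase")
    alice_priv = unlock_priv(server, "alice", "correct horse", alice_ak)
    create_vault(server, "personal", "alice", [b"bank login: hunter2"])
    grant(server, "personal", "alice", alice_priv, "recovery-group")  # recovery group gets a wrapped copy
    group_priv = unlock_priv(server, "recovery-group", "group passphrase", group_ak)
    new_ak = recover(server, "alice", "new passphrase", "recovery-group", group_priv)
    new_priv = unlock_priv(server, "alice", "new passphrase", new_ak)
    return read_items(server, "personal", "alice", new_priv), server_can_see(server, b"hunter2")
```

The point to notice is where each decryption happens: `grant` and `recover` run on a member's device with that member's private key, and what goes back to the server is another ciphertext. A personal vault is recoverable only if the recovery group was granted a wrapped copy of its key beforehand; with no such member, `recover` has nothing to re-wrap, which is exactly why recovery is a feature the account holder configures rather than a shadow key the service holds.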
