White paper clarifications
Hello,
I've read through the 1Password for Teams White Paper and I am left with a few questions, due in part to missing information. Notably, I am interested in the How We Secure Data on Clients section, which is completely empty in the version I have (v0.2.3, released 2015-12-04). Are there any plans to release an updated version?
I do have a few things in the other areas that I would also like clarified. I was hoping someone here could help me out with this:
On page 21, the details for the information used in key derivation are unspecific. What are the actual values?
"Account Key, email address, ID, salt from local storage" -- what ID does this refer to?
"HKDF(s, version, e, 32)" and "HKDF(kA, version, I, ||km||)" -- what does version refer to?
What is the hierarchy for the keys that are used? I believe the master password/account key (among other things, including the items to be clarified above) are used to derive the Master Unlock Key. Then the MUK is used to decrypt encSymmetricKey in the Key Set. Then, in turn, the encSymmetricKey is used to decrypt the encPrivateKey. Then, I'm not sure what happens--I presume the encPrivateKey decrypts some sort of vault key and that is able to decrypt individual items? Or maybe the items themselves can be decrypted with the encPrivateKey?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Excellent questions. I will try to clarify these in (slowly) forthcoming versions.
Account Keys and IDs
"Account Key, email address, ID, salt from local storage" -- what ID does this refer to?
Sorry about that. Some of this is the result of our own mixed use of terminology. From the user's point of view, an account key is something like this: A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB. But from a key derivation point of view that is a combination of three things:
- Account Key format: A3
- The account ID: ASWWYB
- Account key secret: 798JRYLJVD423DC86TVMH43EB.
The first two of those are not secret, but the third one is. In key derivation, the term "Account Key" refers to the secret. The ID is the account ID.
Version strings in HKDF
The version in HKDF is a constant, literal, string with the name of our key derivation function. For deriving the SRP-x it is "SRPg-4096" and for deriving the Master Unlock Key, it is "PBES2g-HS256".
From MUK to encrypting data
Vault keys are encrypted with the public key of the personal key set
I believe the master password/account key (among other things, including the items to be clarified above) are used to derive the Master Unlock Key. Then the MUK is used to decrypt encSymmetricKey in the Key Set. Then, in turn, the encSymmetricKey is used to decrypt the encPrivateKey.
That is correct.
Then, I'm not sure what happens--I presume the encPrivateKey decrypts some sort of vault key and that is able to decrypt individual items?
Yes. Vault keys are encrypted with the public part of your personal keyset. These vault keys can be decrypted with the private part of that keyset. Items (other than Documents) within a vault are encrypted with the vault keys themselves. (Each Document has its own key which is encrypted with the vault key).
I'm guessing from how specific your questions are about these details that you are playing with building your own implementation of the key derivation. If so, I can see if I can send you some test vectors.
0 -
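The derivation discussed in the answer above, as an added sketch (not 1Password's code and not part of the original posts): it splits an account key into format, ID and secret, then runs the two quoted HKDF calls with the "PBES2g-HS256" version string. Assumptions: HKDF(x, version, y, n) is mapped onto RFC 5869 as ikm=x, info=version, salt=y; the PBKDF2-HMAC-SHA256 stretch and the XOR combination come from the white paper's two-secret design rather than this thread; without published test vectors the output cannot be checked against a real client.

```python
import hashlib
import hmac

# Example account key quoted in the answer above.
SAMPLE_ACCOUNT_KEY = "A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def parse_account_key(text: str) -> dict:
    """Split 'A3-ASWWYB-...' into format (2 chars), account ID (6 chars), secret."""
    raw = "".join(text.split()).replace("-", "")
    if len(raw) <= 8 or not raw.isalnum():
        raise ValueError("account key too short or contains unexpected characters")
    return {"format": raw[:2], "id": raw[2:8], "secret": raw[8:]}


def derive_muk(password: str, email: str, account_key: str, salt: bytes,
               iterations: int, version: bytes = b"PBES2g-HS256") -> bytes:
    """Combine the password-derived and account-key-derived halves into one key."""
    parts = parse_account_key(account_key)
    # s <- HKDF(s, version, e, 32)   (ASSUMPTION: e is the HKDF salt, version the info)
    s = hkdf_sha256(salt, email.encode(), version, 32)
    # km <- PBKDF2(password, s, iterations)   (white-paper step, not quoted in the thread)
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), s, iterations, dklen=32)
    # kA <- HKDF(kA, version, I, ||km||): only the secret part is keying material,
    # the non-secret account ID is bound in as a second input.
    ka = hkdf_sha256(parts["secret"].encode(), parts["id"].encode(), version, len(km))
    # km <- km XOR kA: an attacker needs both the password and the account key secret.
    return bytes(a ^ b for a, b in zip(km, ka))


if __name__ == "__main__":
    # Constructed inputs: password, email, salt and iteration count are made up.
    key = derive_muk("correct horse", "user@example.com", SAMPLE_ACCOUNT_KEY,
                     bytes(16), 100_000)
    print(key.hex())
```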
Hey jpgoldberg,
Thanks for the fantastic answers! You're right--I am curious about how the key derivation works because I'm working on my own sample implementation. I use 1Password for Teams at work and 1Password for Families at home and I am interested in the specifics of how it secures all my data. I'd maybe even like to have the ability to programmatically access the local data that is cached by the 1Password desktop application.
Some sample test vectors would be invaluable if you're able to get ahold of them!
Thanks so much.
0 -
Hey jpgoldberg--any update on the test vectors?
I also could use a little more help filling in some details on the white paper:
encSymKey, as it exists in the key set, has these parameters. I've noted what I believe their purpose is, please correct me if I'm wrong.
- data -- the encrypted blob
- kid -- the ID of the key used to encrypt the data. for example "mp" would mean the master unlock key.
- enc -- the type of encryption used to encrypt the data
- iv -- the initialization vector used to encrypt the data
- alg -- the algorithm used to derive the encryption key
- p2c -- the number of iterations used when deriving the encryption key
- p2s -- the salt used when deriving the encryption key
In the sample on page 27 of the white paper, alg, p2c, and p2s match up with the values used to derive the MUK. I presume that they are there because deriving the MUK is a part of decrypting this blob, meaning that these values are not used in the decryption of data. Is that correct?
In that same sample, the value of enc is A256GCM. Isn't it necessary to have some sort of auth tag in order to decrypt things using GCM, or am I missing something?
I know that these questions are extremely technical and may not fit in with this forum--please let me know if there's a better forum to ask in or a better way to get in contact with you guys.
0 -
:) :+1:
0 -
Hey guys! Any updates on this?
0 -
Hi @dubokk15! Thanks for checking in. :) I spoke with @jpgoldberg and things are still a bit busy, but we'd like to keep the conversation going. I'll email you and we can take things there for now. Thanks again for the patience.
ref: PSV-32113-711
0 -
All of our test vectors have some personal information of some of our developers in them. I will try to create some others that we can more readily publish.
0