Secret Key Being Transferred Automatically?
I just got a Samsung Galaxy S8 and when i did the first time setup i let google re-download all of my apps automatically. when i went to 1Password it said it had my account as a stored account; i clicked on it and it asked for my master password. Upon giving it the password it unlocked my vault, HOW? i never entered my Secret Key into the S8 and i never used the QR code. When i go into the app and go to account settings it does in-fact have my secret key. Obviously the 'never transferred' secret key got transferred. That completely defeats one of the layers of security this application provides (my favorite layer actually). So where is my Secret Key? is in it my google cloud? is AgileBits actually storing it?
1Password Version: 6.5.2 (Android)
Extension Version: Not Provided
OS Version: Android 7.0
Sync Type: AgileBits Cloud
Comments
-
@KevinUre: First of all, I'm glad to hear you had a backup and could successfully restore from it! Not everyone does, and it often isn't easy to accomplish this between devices. It's awesome that Google has made this so much easier. But on the other hand, with a 1Password.com membership, your encrypted data is always backed up on the server, so there's a failsafe there as well. Helps me sleep better at night, not just for my own data, but for other members as well. :chuffed:
On Android, the technical details differ a bit, but the general principle is the same as what we're doing on iOS. You can find a great discussion on that here.. While we don't have your Secret Key (and therefore the means to transfer it), you did that by backing up your device and restoring it. But that's not a bad thing. Since it is still secured along with the rest of your data, the only way you could do anything with it was by knowing your Master Password. So saying that this is insecure is sort of like making the assertion that it is insecure to lock the key to your house in your house.
If an attacker can get that, they’re already in the house.So if an attacker has full access to 1Password on your device, they can simply grab all of your data without needing to discover your Secret Key. And while that would be a very bad thing, you could still retake control of your account by regenerating the Secret Key on 1Password.com (which the attacker will not have access to without your Master Password). The Secret Key is used to encrypt your data, but it is "expendable": Like the Master Password, it can be easily changed; but unlike the Master Password, you don't have to memorize it. Someone with only one of these will not have full access to your account (which allows to you take steps to secure it).
Anyway, I've rambled on a bit, but hopefully that at least helps paint a clearer picture of the threat model and the ways we can mitigate risk to our 1Password.com accounts. And please let me know if you have any other questions at all! :)
0 -
@brenty, so that discussion you linked makes extra certain to note that encrpypting the secret key with your master password is bad, and yet a direct translation of your allegory suggests you do just that (lock the key inside house that the key unlocks). I assume that's a mistranslation but it does leave me wondering both how the SK is secured within the Android client (or if it is at all, after all the assumption is usually if an attacker can get hands on the physical device it's game over), and what is being used in place of keychain for Android users.
So let me make sure I understand the arguement here. It's one of transitivity. Normally an attacker would have to guess at both my MP and my SK, if they went there route of my Google backup they would need to guess my MP and my Google encryption key, either way it's two factors? I guess maybe I've misunderstood the security that the SK is supposed to provide then. I was under the impression that it's worth as an encryption factor was strengthened by the fact that it was never transferred and thus immune to capture by interception. In the case of my Google backup it's being transferred, although twice encrypted (https' TLS and, I assume, Google encryption over the payload). Was that just considered acceptable risk? Though I guess if they can break TLS we've all got bigger things to worry about right? So really the value proposition of the SK is that compromising AgileBits servers alone can't unlock my vault, right?
0 -
@brenty, so that discussion you linked makes extra certain to note that encrpypting the secret key with your master password is bad, and yet a direct translation of your allegory suggests you do just that (lock the key inside house that the key unlocks).
@KevinUre: Yeah, you're right, it's definitely not a perfect analogy. That's the tough thing with encryption, since it does not translate directly to the physical world; it's a whole 'nother thing. You might be interested in @jpgoldberg 's recent blog post on how all of this fits together, with perhaps a slightly better analogy. :)
I assume that's a mistranslation but it does leave me wondering both how the SK is secured within the Android client (or if it is at all, after all the assumption is usually if an attacker can get hands on the physical device it's game over), and what is being used in place of keychain for Android users.
It's certainly a complex issue, and the need to hide this complexity from the user is both a blessing and a curse. On the one hand, we don't want to shove all of this in people's faces. Okay, so we sort of do sometimes, because we totally get excited about this stuff and are pretty proud of the work we do...but most people just want 1Password to work and to keep their data secure. Just so I don't get any of the details wrong, I've asked a colleague to follow up here to answer your questions about how this is implemented.
So let me make sure I understand the arguement here. It's one of transitivity. Normally an attacker would have to guess at both my MP and my SK, if they went there route of my Google backup they would need to guess my MP and my Google encryption key, either way it's two factors? I guess maybe I've misunderstood the security that the SK is supposed to provide then. I was under the impression that it's worth as an encryption factor was strengthened by the fact that it was never transferred and thus immune to capture by interception. In the case of my Google backup it's being transferred, although twice encrypted (https' TLS and, I assume, Google encryption over the payload). Was that just considered acceptable risk? Though I guess if they can break TLS we've all got bigger things to worry about right? So really the value proposition of the SK is that compromising AgileBits servers alone can't unlock my vault, right?
Sorry. I should have done a better job of addressing this earlier. I'm sure my colleague will be able to offer more details here as well, but I think it's important to keep in mind the threats we're trying to protect against. Since all of the data in your 1Password.com account is encrypted using your Secret Key and Master Password, an attacker would have to already have these in order to get the same information stored inside your vault (or login to your account).
The sticking point here is the wording though, I think, when we say that the Secret Key and Master Password are not transmitted. What we're talking about here is that they are not sent by 1Password, and are (most importantly) never transmitted to us (this is why we're using SRP — Secure Remote Password — protocol). It may sound like hairsplitting (which I can't afford to do!) but it's a huge distinction. Since we're storing 1Password.com users' encrypted data, it's critical that we never have the keys to it. Otherwise that makes us a target, and attackers could go through us to get your data. So the real issue is that we don't want the encrypted database and the keys to decrypt it to be stored in the same place. The only thing AgileBits ever receives is an encrypted blob, not the keys to decrypt it.
I hope that helps clarify things a bit, and we'll follow up with a bit more information shortly. :)
0 -
Hi @KevinUre! Your account’s Secret Key works as an extra layer of security on top of your Master Password. It is stored in 1Password’s internal database encoded on your Android device and access to it is governed by the Android application sandbox. The only app that can read this database is 1Password.
We use Android’s backup service to store your 1Password account’s sign-in address, email address, and Secret Key. This data is stored with your device backup and cannot work independently to access your 1Password account. The Master Password, which is only known to you, is required to be able to successfully sign-in and decrypt your data.
Your 1Password account is protected by your Master Password and your Secret Key. Both are not known to us and is never transmitted to our servers. Your Secret Key is stored locally on your device after signing in and with your backup if enabled on your device.
I hope that answers your question. Let us know if you have any others!
0 -
You are absolutely correct, @KevinUre, to wonder what we mean when we say that your secrets (Master Password and Secret Key) never leave your devices in light of this new behavior. Quite frankly, we need to update our wording to reflect changes we have made in 1Password for Android (and 1Password for iOS and Mac) in this regard.
What we have now is that your Secret Key never leaves your device or a trusted (by us) end-to-end encrypted backup of your device. (It is slightly broader in the Apple-verse.) For some time, the Android backup service didn't meet our security requirements for storing Secret Keys, but more recent versions of it do. These backups are encrypted with keys derived from your Google Play account secrets.
So in the words of the gallant captain of the Pinafore*, it hardly ever leaves your device, and we need to do a better job of explaining under what conditions it may.
[1] Captain: I'm never known to quail at the fury of a gale, and I'm never never sick at sea
Chorus: What never
Captain: No, never!
Chorus: What never?
Captain: Well ..., hardly ever.
Chorus: He's hardly ever sick at sea. So give three cheers and one cheer more for the hardy captain of the Pinafore.0 -
So really the value proposition of the SK is that compromising AgileBits servers alone can't unlock my vault, right?
That would be an extreme way of putting it, but it does capture our primary concern of AgileBits' servers cannot be used for password cracking. But this doesn't mean that it is ok to put the Secret Key anywhere except on AgileBits servers. The fewer places it lives and can be stolen from the better.
Though I guess if they can break TLS we've all got bigger things to worry about right?
1Password is designed to withstand failures of TLS. We use TLS as an additional layer, but we've built things so that don't rely its secrecy, and only rely on its authenticity checks when using the web-client.
Sight unseen
One of the things that I really love about using the QR codes is that the "network" activity is completely transparent to the user. It is being transmitted from device to device using line of sight and a camera. From an ideal security perspective it would be really nice to keep things that way. And it is great for people like you who understand the importance of not losing your Secret Key.
But there are a sizable portion of people who do not understand the importance of not losing the Secret Key. All of the explanations during signup and all of our encouragement for people to save a copy of their emergency kit just isn't up to the job. I don't blame users for failing to fully understand the implications of the SK. Most people are told for every single site and service they create a password for that they must not lose that password; yet only a few of those services really leave data unrecoverable if credentials are forgotten or lost. On top of that, nobody has encountered anything like our Secret Key before. No matter what we say and what explanations we provide, some people are going to treat it as a license key or some other thing that they don't need to take large efforts to preserving.
Of course this means that we should continue to find ways to help people treat their SK's appropriately. This is an on-going effort, and we make refinements here and there. But it also means that we have to help people not lose their SKs. And so when an operating system offers an end-to-end encrypted backup mechanism for application configuration information, we will try to get the
SK onto those backups.So we are taking a two pronged approach to lose of the secret key.
- Improve our encouragement Emergency Kits or user-made backups of it.
- Finding safe (end-to-end) places to automatically back it up that are still far from us.
0 -
First off thank you all for the quick responses.
On the one hand, we don't want to shove all of this in people's faces. Okay, so we sort of do sometimes, because we totally get excited about this stuff and are pretty proud of the work we do...but most people just want 1Password to work and to keep their data secure.
I'm decently versed in cryptography and actually read your entire whitepaper prior to signing up, so don't be afraid to get a bit more technical if it would add clarity.
It is stored in 1Password’s internal database encoded on your Android device and access to it is governed by the Android application sandbox.
So my SK is in Android's crypto-vault, sure. my new phone was able to read data from my old phone's crypto-vault though, which means that either they share some common way of deriving the decryption key, which i would like to know what is if you happen to know; or the vault was stored in my backup without at-rest encryption, right? would the answer to the former be the Google Play account secrets that @jpgoldberg eluded to? Any additional readings you have on the subject would be appreciated.
But there are a sizable portion of people who do not understand the importance of not losing the Secret Key. All of the explanations during signup and all of our encouragement for people to save a copy of their emergency kit just isn't up to the job. I don't blame users for failing to fully understand the implications of the SK. Most people are told for every single site and service they create a password for that they must not lose that password; yet only a few of those services really leave data unrecoverable if credentials are forgotten or lost. On top of that, nobody has encountered anything like our Secret Key before. No matter what we say and what explanations we provide, some people are going to treat it as a license key or some other thing that they don't need to take large efforts to preserving.
Yeah i understand the struggle of user-friendliness vs security here, its why i manage my family's account and personally have a copy of everyone's recovery kit in my fireproof safe.
My initial inquiry can be broken down into two parts i think. the first part is how exactly did this situation transpire, which you all have done a great job of explaining :) . The second part is how this effects my security, or maybe how i should shift my perception of how 1Password protects me. I understand that the SK needs to be stored on each device somewhere and that Android's crypto-vault is the obvious answer; I've no further questions on the at-rest encryption on the device. Where I'm still a bit uneasy/uneducated is what having it in my backup means for security. From @saad 's post it makes it sound like you guys monitor how Google is doing their security pretty closely so hopefully you can help me understand. I would guess that Google encrypts my backups with a derivative of my account password (and maybe a google held salt thats unique to me or something). Is having my google password the only thing needed to rummage through my backups? I guess the real underlying question here though is if an attacker targeting my 1Password vault gets one of my backups in the format that Google stores it, does that grant them any advantage? why or why not.
0 -
So my SK is in Android's crypto-vault, sure. my new phone was able to read data from my old phone's crypto-vault though, which means that either they share some common way of deriving the decryption key, which i would like to know what is if you happen to know; or the vault was stored in my backup without at-rest encryption, right? would the answer to the former be the Google Play account secrets that @jpgoldberg eluded to? Any additional readings you have on the subject would be appreciated.
@KevinUre: Exactly. I'm having trouble finding good public available documentation on this, but the summary is that there are a few layers of security here:
- 1Password's app data is encrypted with unique keys generated for the app itself (so that others cannot access it)
- 1Password user data (the things you store in it yourself) are encrypted using keys derived from your Master Password (and Secret Key, in the case of a 1Password.com account)
- Anything backed up through Google is encrypted using your account's keys
The tricky thing is that the Secret Key is probably both (1) and (2) here, if you have your 1Password.com account credentials saved in your vault (2) as well as the being stored expressly for recovery purposes (1), as in your original question.
I think it helps to take a step back and look at things from a wider perspective and break things down. Let's take "traditional" 1Password (the standalone version with local vaults) for an example:
- 1Password's app data is encrypted with unique keys generated for the app itself (so that others cannot access it)
- 1Password user data (the things you store in it yourself) are encrypted using keys derived from your Master Password
- Anything backed up through Google is encrypted using your account's keys
= Your Master Password is required to access the decrypted data, either on the original device, or after syncing the data to a new device; the "keys" to decrypt it are not stored with the data, (even if you store the data "in the cloud").
When we compare that to 1Password.com, we see that the security model is very similar:
- 1Password's app data is encrypted with unique keys generated for the app itself (so that others cannot access it)
- 1Password user data (the things you store in it yourself) are encrypted using keys derived from your Master Password and Secret Key
- Anything backed up through Google is encrypted using your account's keys
= Your Master Password alone is required to access the decrypted data when the Secret Key is already available locally, either on the original device, or after syncing the data to a new device; the "keys" to decrypt it are not stored with the data, which is always on the 1Password.com server...
But with one important difference: The Secret Key provides an extra layer of security for the data itself, and is only not required when you've already authorized the app/browser (because it is already stored locally). This additional layer is really overkill at the device level, and this is why the Secret Key isn't required each time you unlock 1Password on your phone.
My initial inquiry can be broken down into two parts i think. the first part is how exactly did this situation transpire, which you all have done a great job of explaining :) .
Indeed. This has a very simply answer: Despite our best (ongoing) efforts in the apps themselves and our documentation, a lot of people lose their Secret Keys (or simply never saved them anywhere in the first place). :(
The second part is how this effects my security, or maybe how i should shift my perception of how 1Password protects me. I understand that the SK needs to be stored on each device somewhere and that Android's crypto-vault is the obvious answer; I've no further questions on the at-rest encryption on the device. Where I'm still a bit uneasy/uneducated is what having it in my backup means for security. From @saad 's post it makes it sound like you guys monitor how Google is doing their security pretty closely so hopefully you can help me understand. I would guess that Google encrypts my backups with a derivative of my account password (and maybe a google held salt thats unique to me or something). Is having my google password the only thing needed to rummage through my backups?
No. More on that in a bit.
I guess the real underlying question here though is if an attacker targeting my 1Password vault gets one of my backups in the format that Google stores it, does that grant them any advantage?
Arguably, but not a helpful advantage. If you're using a strong Master Password, it's the difference between being able to brute force your data potentially before the heat death of the universe, rather than after it.
If they're able to gain access to your encrypted data and Secret Key, then they "only" need to guess your Master Password correctly to decrypt. But then we're back to the "traditional 1Password" level of security, which isn't by any stretch of the imagination obsolete or in sufficient. More on that later.
why or why not.
Fantastic questions! Hopefully my illustrations above helped to make things clearer already, but I'll reiterate here because it's so important: No matter what, the data you store in 1Password is never in a position to be compromised with an attack on an account/service/server.
In this case we're talking specifically about Google, if your data and/or Secret Key is backed up there. Someone compromising your Google Account will still only be able to access encrypted data: they'll need your Master Password to decrypt it. This applies equally to Dropbox, 1Password.com, or anything else 1Password users might utilize for convenience to access their secure data.
So getting back to Google again, someone accessing your account would still need to get past the app-level encryption (to get your actual 1Password data, still encrypted), the Secret Key, and also successfully guess your Master Password. That's not only more trouble than it's worth, the encryption on its own is sufficient to protect your data. So regardless of the 1Password setup you use, an attacker will need to get the Master Password from you before they can decrypt your data.
Perhaps the key here (pun not intended) is that the purpose of the Secret Key is to ensure that, in the event of 1Password.com being breached, the attacker will not be able to perform a brute force attack against people's Master Passwords to access any of our customers' data. Put another way, a long, strong, unique Master Password protects you; the Secret Key protects us from being used to get our customers' most important, sensitive data.
Apple gets some laughs and criticism when they talk about "courage", but they do take some risks when it comes to aggressively pushing things forward, if only in the sense that they end up alienating people sometimes. That's the business they're in. Conversely, we're in the security business — it's actually the only business we're in — and are rather cowardly when it comes to protecting our customers' data (and our own!) as well as our reputation. The Secret Key is a testament to that, and its saving grace is that we've found a way to have it both protect 1Password users' data and also not be a horrendous usability problem. Otherwise 1Password.com might not exist today. Cheers! :)
0 -
- 1Password's app data is encrypted with unique keys generated for the app itself (so that others cannot access it)
- 1Password user data (the things you store in it yourself) are encrypted using keys derived from your Master Password (and Secret Key, in the case of a 1Password.com account)
I'm going to reference the above quote several times because it makes a very important distinction.
1 is the data that 1Password keeps for its own internal operation, SK included (as it is part of the process of creating the decryption key). 2 is anything i chose to put in the vault that my MP and SK (and some other factors) are needed to decrypt. 2 is secured through the methods devised by AgileBits and is more or less the product/service purchased. 1 however is just a feature of the Android operating system right? since it apparently gets transferred between devices the key to get in there the key to access it must be something shared across all installs of 1Password such as a hard-coded GUID. I'll refer to such a key as the app secret from now on...In this case we're talking specifically about Google, if your data and/or Secret Key is backed up there. Someone compromising your Google Account will still only be able to access encrypted data: they'll need your Master Password to decrypt it. This applies equally to Dropbox, 1Password.com, or anything else 1Password users might utilize for convenience to access their secure data.
So getting back to Google again, someone accessing your account would still need to get past the app-level encryption (to get your actual 1Password data, still encrypted), the Secret Key, and also successfully guess your Master Password. That's not only more trouble than it's worth, the encryption on its own is sufficient to protect your data. So regardless of the 1Password setup you use, an attacker will need to get the Master Password from you before they can decrypt your data.So its not my Vault (2 from above) that I'm worried about someone getting from my backups, its the app settings (1 from above). For that they would not need my MP to get to my SK, they would however need to both beat Google's encryption on the backup and guess your app secret to access the SK from app settings (1), correct? Provided I'm not misunderstanding anything up to this point that actually sounds more difficult than just breaking into the Vault (2) itself. That's reassuring...
If nothing stated above is wrong then i think my initial question/worry has been put to rest. Thanks for all of your responses :)
Two side notes:
it's the difference between being able to brute force your data potentially before the heat death of the universe, rather than after it.
That was hilarious.
and secondly: i had a thought during our exchange. you mentioned that people put their SK and MP inside their vault (2) itself, and i was wondering if that weakens security. Its obviously the key inside the locked house analogy from above but it brings to mind the way the vigenere cipher is solved. Does encrypting your MP and SK with a key made form them leave any telltale mathematical evidence, or does the salting of them cover that flank?
0 -
@KevinUre: Thanks! I fear I may have misunderstood part of your original question — perhaps not what you asked exactly, but the thing you were trying to understand. When your Android device is backed up to Google, the data you stored is not part of that. Since 1Password.com has all your data to be accessed on demand, this simply isn't necessary: everything's backed up — encrypted — on our server. So this affords us two things: your Secret Key is not backed up in the same place as the data encrypted using it (and your Master Password), which is probably the part you care about; but it also means that the server doesn't suddenly get a bunch of old data dumped on it when you restore, so we avoid having to try to reconcile this, which could cause sync conflicts. I apologize if I muddled that earlier. There are just a lot of different "backups" involved in all of this. :)
Getting back to the Secret Key though, I did want to clarify that what your device has, and what is backed up to Google in your device backup (if enabled), is the Secret Key itself. "At rest" this is protected by Android app sandboxing and device encryption, and "in transit" it's protected by Google's backup service and account security. But since we don't have strict control over these ourselves, we treat this roughly the same as we do in any other authorized device or (especially) browser: we should assume that an attacker with unrestricted access to the device/browser can get it if they want to. More on why we don't encrypt this using your Master Password below.
Two side notes:
it's the difference between being able to brute force your data potentially before the heat death of the universe, rather than after it.
That was hilarious.
lol thank you. A bit fanciful, but I figured you'd get the idea. ;)
and secondly: i had a thought during our exchange. you mentioned that people put their SK and MP inside their vault (2) itself, and i was wondering if that weakens security. Its obviously the key inside the locked house analogy from above but it brings to mind the way the vigenere cipher is solved. Does encrypting your MP and SK with a key made form them leave any telltale mathematical evidence, or does the salting of them cover that flank?
Your Secret Key is not encrypted using your Master Password. It doesn't sound like that's what you're asking, but this applies indirectly and is really important because if someone captured a Master-Password-encrypted Secret Key, they could run a brute force attack on that to try to discover the Master Password. If they do, they will then have both. That is, the encrypted Secret Key would provide a "test" for whether a Master Password guess is correct. You're on the right track. The derivation process which uses both your Secret Key and Master Password to encrypt the encryption keys used to encrypt each vault means that we can't mathematically discover one without the other, different from trying to discover the Master Password used by itself to encrypt the Secret Key (as described above).
Anyway, I hope this helps tie things together a bit better, but with all of this in mind, and since you mentioned it already, it might be worth taking another look at the security white paper, since it really offers a comprehensive view of how all of this fits together. We're happy to answer any questions you have here (and frankly, it's a lot of fun!), but the scope is more limited due to the medium. Cheers! :)
0