Questions

jeca09
Community Member
edited July 2018 in Business and Teams

Questions about the 1Password whitepaper

  1. When one of the admins of a team deletes his account, does the team vault get automatically deleted? If so, why, as there are other team members in the vault?

  2. How many times can a user get their master password wrong before the account gets blocked?

  3. Does 1Password keep a log of what happens in a team vault? Is it possible to see if team members have copied passwords?

  4. Team admins can make use of recovery groups as explained on page 39, however, is it also possible to revoke power from the recovery group members?

  5. As mentioned on page 53, a user can store the vault key before having access revoked from this vault. However, is it possible to change the vault key in this case? Or is the admin able to see that the vault is being accessed by someone that shouldn’t have access to this vault anymore?

Comments

  • AGAlumB
    1Password Alumni
    edited July 2018

    @jeca09: Thanks for getting in touch! :)

    1) When one of the admins of a team deletes his account, does the team vault get automatically deleted? If so, why, as there are other team members in the vault?

    Deleting an account only deletes that user's Personal/Private vault. All other vaults are not directly associated with specific users; they simply do or do not have permission to access them.

    2) How many times can a user get their master password wrong before the account gets blocked?

    Infinite. 1Password doesn't rely on authentication for its security; rather, the data is protected by encryption. Adding a "lockout" mechanism would only hurt legitimate users, as an attacker can simply copy the database and perform offline attacks against it, circumventing any "lockout" policy.

    3) Does 1Password keep a log of what happens in a team vault? Is it possible to see if team members have copied passwords?

    1Password Business allows admins to run reports with information about user access:

    Create reports in 1Password Business

    4) Team admins can make use of recovery groups as explained on page 39, however, is it also possible to revoke power from the recovery group members?

    An Owner or admin with the appropriate permissions can change groups and permissions to grant or limit these privileges:

    Use custom groups in 1Password Business

    5) As mentioned on page 53, a user can store the vault key before having access revoked from this vault. However, is it possible to change the vault key in this case? Or is the admin able to see that the vault is being accessed by someone that shouldn’t have access to this vault anymore?

    Indeed, if the user is able to capture the vault key before it is revoked and later steal that vault's encrypted data from the server even though their account does not have access to it, they could decrypt whatever is stored in the vault at that time:

    Removing someone from a vault, group, or team is not cryptographically enforced. Cryptographic keys are not changed. A member of a vault has access to the vault key, as a copy of the vault key is encrypted with that member’s public key. When someone is removed from a vault, that copy of the vault key is removed from the server, and the server will not allow that member to get a copy of the vault data.
    If prior to being removed from a vault the person makes a copy of the vault key which they store locally, they will be able to decrypt all future data in that vault if they find a way to obtain the encrypted vault data. This is illustrated in Story 9. Note that this requires that the attacker both plan ahead and somehow acquire updated data.

    Also mentioned on page 53, creating a new vault, which they do not have the keys for, and moving the data there mitigates this:

    If you feel that someone removed from a vault may have a store of their vault keys and will somehow be able to acquire new encrypted vault data despite being denied access by server policy, then it is possible to create a new vault (which will have a new key), and move items from the old vault to the new one. Someone revoked from a vault will not be able to decrypt the data in the new vault no matter what encrypted data they gain access to.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • AlexTaghavi
    Community Member
    edited July 2018

    Hi,

    A few questions regarding the last point.

    -Where does a cached version exist, e.g. the device that is running 1Password or your database?
    -How does one obtain a cached version (the steps to follow to obtain a cached version on, e.g., a MacBook Pro)?
    -What do you mean by vault key, e.g. public key or private key?

    I'm lost on this part:
    "A member of a vault has access to the vault key, as a copy of the vault key is encrypted with that member’s public key. When someone is removed from a vault, that copy of the vault key is removed from the server, and the server will not allow that member to get a copy of the vault data."

    Copy of vault key is removed from the server, but it's not removed from the persons device, correct?
    Are there two instances of the private keys .e.g. one on the server and one on the users device?
    If so, then you're removing the private keys on the server, yet the user still has access to the public key data since the private keys are also stored on the users device, correct?

    Where is all the data/database (from 1password) stored, e.g. passwords, notes etc.?

    -Is every vault a public key, or is it a public key and a private key?
    -And is there a master private key (which the users receives initially when starting with 1password), which can then create public keys and private keys (vaults & private keys access the data on the vault)?

    -A user in a team can access all private keys (or secret keys as you call them) to all vaults that are being shared with that person and can copy/paste them outside of 1Password. The user is then excluded from the vault by the admin, thus the private key (secret key) is deleted from your database, but it is still sitting on the user's device (if the user pasted it there).
    *How is it possible that the user can't access the vault (besides being excluded from that vault)? What is technically happening when a user is excluded from a vault (from a security point of view)?
    *Couldn't the user make a back-up of the data and a backup of the private keys of that vault, before being excluded?

    Look forward to your reply.
    Thanks
    Alex.

    ref: RGC-25571-329

  • Where does a cached version exist, e.g. the device that is running 1Password or your database?

    If you mean where would the person who formerly had access to the vault obtain a new copy of the vault data, they could (theoretically) obtain it from either another authorized user's device or from our server, if they found a way to bypass our server's authentication controls (we are not aware of any way to do this of course).

    How does one obtain a cached version (the steps to follow to obtain a cached version on, e.g., a MacBook Pro)?

    This is not something we care to expound upon. The only supported way to use 1Password is through the native and web apps.

    What do you mean by vault key, e.g. public key or private key?

    Vault keys are symmetric, meaning the same key is used for both encryption and decryption, and thus it is private.

    Copy of vault key is removed from the server, but it's not removed from the persons device, correct?
    Are there two instances of the private keys .e.g. one on the server and one on the users device?
    If so, then you're removing the private keys on the server, yet the user still has access to the public key data since the private keys are also stored on the users device, correct?

    Native 1Password apps (such as 1Password for Mac) can function without Internet access. To do so, they save copies of the keys they need to decrypt the data so they do not have to request that information from 1Password.com. The vault keys a user has will remain on their device indefinitely if they are not connected to the Internet. But if they are removed from a vault, and they unlock 1Password while connected to the Internet, the 1Password app will learn that they have been removed from the vault and will remove the vault keys.

    Where is all the data/database (from 1password) stored, e.g. passwords, notes etc.?

    Native 1Password apps keep their own copies of data for use when the device is offline. 1Password.com is the authoritative source of data, however.

    -Is every vault a public key, or is it a public key and a private key?
    -And is there a master private key (which the users receives initially when starting with 1password), which can then create public keys and private keys (vaults & private keys access the data on the vault)?

    Each vault has its own symmetric key. Vaults do not have public keys. Each user has her own key set, which includes a public/private encryption key pair, among other keys. The encryption key pair is used to give users access to vault keys.

    A user in a team can access all private keys (or secret keys as you call them) to all vaults that are being shared with that person and can copy/paste them outside of 1Password. The user is then excluded from the vault by the admin, thus the private key (secret key) is deleted from your database, but it is still sitting on the user's device (if the user pasted it there).

    You're mixing up a few terms here. Each user has a "Secret Key" that is used to sign in to 1Password, and we do not have or want to have a copy of that key. The "Secret Key" is also not part of the user's key set. The keys in a user's key set are never visible to the user, nor are the vault keys.

    *How is it possible that the user can't access the vault (besides being excluded from that vault)? What is technically happening when a user is excluded from a vault (from a security point of view)?
    *Couldn't the user make a back-up of the data and a backup of the private keys of that vault, before being excluded?

    I'm not sure what you're asking here. The white paper describes all of this in detail, "from a security point of view". Any time a user is granted access to a vault, that user has access to all of the data in the vault. We like to say that you cannot unshare a secret. Once you've shared the secret, the user has it. The user could go offline and copy all of the data out, so they have a permanent record of the secrets. The only thing an admin can do is make the old secrets worthless, e.g. by changing all of the passwords that the user had access to.
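The offline key cache described in the reply above (vault keys kept on the device so the app works without Internet access, and dropped at the next online unlock once the server reports the user was removed), together with the lease-timeout and online-only variants Rick sketches later in the thread, as an added Go example. This is not 1Password's code: the type and function names, the per-vault lease field, the rule that a lease of 0 means online-only, and the zeroing of key bytes on removal are all assumptions made for the example, and the timeline in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example, not 1Password's code. Models a device-side cache of vault keys:
// dropped on the next online sync after removal (as described in the thread), and,
// as an assumed extension, expired under a per-vault lease X (X == 0: online-only).

var errNoKey = errors.New("no usable key for this vault on this device")

type cachedKey struct {
	key      []byte
	lastSync time.Time     // last time the server confirmed this grant
	lease    time.Duration // max time the key may be used without a sync; 0 = online-only
}

type deviceCache struct{ keys map[string]*cachedKey }

func newDeviceCache() *deviceCache { return &deviceCache{keys: map[string]*cachedKey{}} }

// forget zeroes the key bytes before dropping the entry; the cache is the only local copy.
func (d *deviceCache) forget(vault string) {
	if k, ok := d.keys[vault]; ok {
		for i := range k.key { k.key[i] = 0 }
		delete(d.keys, vault)
	}
}

// sync runs on an online unlock. grants is what the server currently allows
// (vault -> key); any cached vault no longer granted is wiped, which is the
// "app learns it was removed from the vault" step.
func (d *deviceCache) sync(now time.Time, grants map[string][]byte, leases map[string]time.Duration) {
	for vault := range d.keys {
		if _, still := grants[vault]; !still { d.forget(vault) }
	}
	for vault, key := range grants {
		d.keys[vault] = &cachedKey{key: append([]byte(nil), key...), lastSync: now, lease: leases[vault]}
	}
}

// get returns the vault key if the device may use it now. An expired lease, or an
// offline request for an online-only vault, wipes the key without server contact.
// Caveat: this is honoured by the app, not enforced by cryptography. A modified
// client, or a copy of the key taken earlier, is outside this protection.
func (d *deviceCache) get(vault string, now time.Time, online bool) ([]byte, error) {
	k, ok := d.keys[vault]
	if !ok { return nil, errNoKey }
	if k.lease == 0 && !online {
		d.forget(vault) // online-only: jettison rather than serve from cache
		return nil, errNoKey
	}
	if k.lease > 0 && now.Sub(k.lastSync) > k.lease {
		d.forget(vault) // lease ran out without a sync
		return nil, errNoKey
	}
	return k.key, nil
}

func main() {
	t0 := time.Date(2018, 7, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	d := newDeviceCache()
	d.sync(t0, map[string][]byte{"shared": []byte("vault-key-1"), "hr": []byte("vault-key-2")},
		map[string]time.Duration{"shared": 24 * time.Hour, "hr": 0})
	_, err := d.get("hr", t0.Add(time.Hour), false) // offline: online-only vault refused and wiped
	fmt.Println("hr offline:", err)
	_, err = d.get("shared", t0.Add(25*time.Hour), false) // offline past the lease: wiped
	fmt.Println("shared after 25h offline:", err)
	d.sync(t0.Add(26*time.Hour), map[string][]byte{}, nil) // online unlock: server says user removed
	fmt.Println("cached vaults after sync:", len(d.keys))
}
```

The trade-off Rick describes is visible in the two `get` branches: a long lease keeps the vault usable on a trip with no connectivity but also keeps it usable for a departed employee until it runs out, and a lease of 0 closes that window at the cost of any offline access. Neither branch changes the vault key, so they limit a stale honest client rather than someone who already copied the key.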

  • AlexTaghavi
    Community Member

    Once you've shared the secret, the user has it. The user could go offline and copy all of the data out, so they have a permanent record of the secrets. The only thing an admin can do is make the old secrets worthless, e.g. by changing all of the passwords that the user had access to.

    -Is there a possibility of sharing secrets without sharing what the secret is?
    E.g. share login of a website, without ever showing the password.

    -When you say copying secrets/copy cached version of database, do you mean manually copying passwords and notes one at a time?

    Native 1Password apps (such as 1Password for Mac) can function without Internet access. To do so, they save copies of the keys they need to decrypt the data so they do not have to request that information from 1Password.com. The vault keys a user has will remain on their device indefinitely if they are not connected to the Internet. But if they are removed from a vault, and they unlock 1Password while connected to the Internet, the 1Password app will learn that they have been removed from the vault and will remove the vault keys.

    -Once a user is connected with their device running 1Password on the internet, the software syncs with your database and realizes the private key to that vault is missing for that user ID and will erase it for that user ID?

    -What happens if the user never connects to the internet? Can they still enter the vault, since the user has the private keys on their (offline) device (assuming the user has been excluded from that vault by the moderator)?

    -How many instances of the private keys are there? From what you described there seems to be multiple (always one on your server).

    Native 1Password apps keep their own copies of data for use when the device is offline. 1Password.com is the authoritative source of data, however.

    -Can we consider 1password.com a server you control which provides certain controls to users?
    -Where is 1Password.com hosted?
    -Since 1Password.com has data from all its users (assuming copies of private keys), are you able to see the data since you also have the private keys to each public key containing data?

    You're mixing up a few terms here. Each user has a "Secret Key" that is used to sign in to 1Password, and we do not have or want to have a copy of that key. The "Secret Key" is also not part of the user's key set. The keys in a user's key set are never visible to the user, nor are the vault keys.

    -Are the user's key set visible to you?
    -Is a public & corresponding private key created, e.g. when a vault is created and what are other instances of creation of public and corresponding private keys?
    -If the keyset is not visible to the user, how come the whitepaper says that an excluded team member could have copied the private key before being excluded from a vault?


    Not to be annoying, but several things are still unclear in terms of security and how things work under the hood.
    I also still don't know which subscription is the right one in my case since certain things are still unclear.
    I've sent an email to business@ last Friday and have had no answer yet.

    I'm hopeful that my remaining questions are answered as we go forward.
    Thank you for your patience and help in the matter.

  • -Is there a possibility of sharing secrets without sharing what the secret is?
    E.g. share login of a website, without ever showing the password.

    1Password Business includes finer grained permissions, which includes the ability to Reveal Passwords. If you give someone read access to the vault but do not give them access to Reveal Passwords then they'll be able to see the other attributes of a login but not the password. They'll even be able to fill the login in a browser (i.e. the app will be willing to give the password to a browser but not the user).

    -Once a user is connected with their device running 1Password on the internet, the software syncs with your database and realizes the private key to that vault is missing for that user ID and will erase it for that user ID?

    Correct.

    -What happens if the user never connects to the internet? Can they still enter the vault, since the user has the private keys on their (offline) device (assuming the user has been excluded from that vault by the moderator)?

    They'll be able to keep the data. This is a tough problem. There are a couple of different ways that it could be solved, and I'd love your thoughts on which would be preferable. The first option is basically a lease timeout. i.e. devices are given the data from the server, but it's leased, and if the device doesn't contact the server for X amount of time the device should delete the data. This is an interesting solution because it allows for offline access. We could allow you to say that the data should be available offline for a day. That's usually enough for someone to do things like travel where they wouldn't be near an internet connection. The problem with this solution is that it's difficult for anyone to choose a value of X that makes sense. A day isn't all that much time if what I'm doing is driving across Canada. But a day is also an eternity if what you're worried about is a disgruntled employee who's leaving with secrets. So from a technical perspective this isn't hard, but so far we haven't been confident that any value of X makes sense.

    The other option is what I like to call Online-Only vaults. Which is a special case of the above scenario where X=0. i.e. A device could refuse to persist keys to certain vaults, and when it detects that it goes offline it could jettison the keys it has in memory for that vault. This way the vault can't be decrypted unless the app is online. This is a really nice solution for vaults that contain extremely sensitive information. But it comes with a pretty big downside: the contents of that vault would be inaccessible when offline, with no exceptions.

    How many instances of the private keys are there? From what you described there seems to be multiple (always one on your server).

    This depends on what exactly you're asking. 1Password is basically a key management system at its most basic form. But let's be clear: Our servers do not have any of your private keys accessible to it. Our server hosts your private keys, encrypted with other keys, of which only you have the keys to decrypt those. If we look at your access to your Team's Shared vault, there are many keys at play:

    • Master Unlock Key, which is derived from your Master Password + Secret Key
    • User Keyset Symmetric Key, which is encrypted with Master Unlock Key
    • User Keyset Private Key, which is encrypted with the Active Keyset Symmetric Key
    • Team Members Group Symmetric Key, which is encrypted with the Active Keyset Private Key
    • Team Members Group Private Key, which is encrypted with the Team Members Group Symmetric Key
    • Shared Vault Symmetric Key, which is encrypted with the Team Members Group Private Key

    (I wrote those from memory, so I hope that I'm correct with the ordering and didn't forget any)

    It's a chain of encrypted keys, and to get access to a resource you need to decrypt all intermediate keys.

    -Can we consider 1password.com a server you control which provides certain controls to users?

    I think that's a fair statement.

    -Where is 1Password.com hosted?

    1Password.com is currently hosted in Amazon's US-East-1 data center. We also have 1Password.ca, which is hosted in Amazon's Montreal data center, and 1Password.eu, which is hosted in Amazon's Frankfurt data center.

    Since 1Password.com has data from all its users (assuming copies of private keys), are you able to see the data since you also have the private keys to each public key containing data?

    As I mentioned earlier, we do not have the private keys in a form that's useful to us. They're always encrypted with data that we don't have and only you have. And so we are unable to see into any of your data. We don't want to see into it, and you don't want us to be able to see into it. We both win with this design.

    -Are the user's key set visible to you?

    Only the public key, which is by definition public and non-sensitive. The rest is an opaque blob to us as it's encrypted with your Master Unlock Key which only ever exists on your systems.

    Is a public & corresponding private key created, e.g. when a vault is created and what are other instances of creation of public and corresponding private keys?

    No. Vaults have symmetric keys, not public/private keys. Creation of a vault involves a client generating a random symmetric key, and encrypting that key with the public keys of the entities it wants to provide access to... most notably the creator of the vault themselves. So what gets sent to the server is a request to create a vault, and that request contains the symmetric key, encrypted with the user's public key.

    The two entities that have public/private keypairs are users and groups. When a user creates their account and chooses their first Master Password, the client generates them a keypair (and symmetric key). It does the encryption dance I mentioned above and uploads the encrypted blob to our server, leaving our server to have the public key accessible. When creating a group a similar process happens as that of the vault. A new keyset (keypair + symmetric key) is created by the client. The client encrypts the private key with the symmetric key, then encrypts the symmetric key with the public key of the person who created the group.

    If the keyset is not visible to the user, how come the whitepaper says that an excluded team member could have copied the private key before being excluded from a vault?

    What Rob meant by "visible to the user" was that the key isn't something you interact with directly. It's not something we make users aware of. There's a ton of keys, and we want to add even more. For example there are signing keypairs used when using the "Send a copy" feature. There are signing keys used when dealing with relationships between items and files. Tons of keys. We love to back features by cryptography. We have all sorts of ideas for how to enhance things even further and that will require even more keys.

    The whitepaper's job is to be as transparent as possible. Just because a user doesn't interact with a key directly doesn't mean it's not there. It's there, and exists unencrypted in memory while using the app. Someone could theoretically extract that key from the app's memory and hold on to it long term some other way.

    Your questions are welcomed. I love talking about this stuff, and I find it really awesome that you care enough to ask these questions. These are all really important ones, and it's great that you're thinking through all of this.

    Have yourself a great weekend.

    Rick
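The key chain Rick lists (Master Unlock Key, keyset symmetric key, keyset private key, vault key), and the revocation caveat quoted from the whitepaper earlier in the thread (a removed member who cached the vault key can still decrypt new items until the data is moved to a vault with a new key), as one added Go example. This is not 1Password's code: the group keyset layer is left out and the vault key is wrapped straight to the user's public key; AES-256-GCM, RSA-OAEP with SHA-256 and a single HMAC standing in for the PBKDF2/HKDF derivation are choices made for the example; the names, the Master Password, the Secret Key and the item strings are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Added example, not 1Password's code. AES-GCM, RSA-OAEP and HMAC-as-KDF are assumed stand-ins.

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}

// aeadSeal/aeadOpen: AES-256-GCM, 12-byte nonce prepended. A wrong key fails authentication.
func aeadSeal(key, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

func aeadOpen(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, fmt.Errorf("ciphertext too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// deriveMUK: the Master Unlock Key depends on BOTH the Master Password and the Secret Key,
// so a stolen server blob cannot be attacked with the password alone. (Real 2SKD: PBKDF2 + HKDF.)
func deriveMUK(masterPassword, secretKey string) []byte {
	m := hmac.New(sha256.New, []byte(secretKey))
	m.Write([]byte(masterPassword))
	return m.Sum(nil)
}

// StoredKeyset is everything the server holds for a user: a public key and opaque blobs.
type StoredKeyset struct {
	Public                *rsa.PublicKey
	EncSymKey, EncPrivKey []byte // symmetric key under the MUK; PKCS#1 private key under the symmetric key
}

func newKeyset(muk []byte) StoredKeyset {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	symKey := random(32)
	return StoredKeyset{&priv.PublicKey, aeadSeal(muk, symKey), aeadSeal(symKey, x509.MarshalPKCS1PrivateKey(priv))}
}

// unlockPrivateKey walks MUK -> keyset symmetric key -> keyset private key.
func unlockPrivateKey(muk []byte, ks StoredKeyset) (*rsa.PrivateKey, error) {
	symKey, err := aeadOpen(muk, ks.EncSymKey)
	if err != nil { return nil, fmt.Errorf("wrong Master Password or Secret Key") }
	der, err := aeadOpen(symKey, ks.EncPrivKey)
	if err != nil { return nil, err }
	return x509.ParsePKCS1PrivateKey(der)
}

// newVault: one random symmetric vault key, a copy wrapped to each member's public key.
// The server stores only the wrapped copies and the items sealed under the vault key.
func newVault(members map[string]*rsa.PublicKey) (wrapped map[string][]byte, vaultKey []byte) {
	vaultKey, wrapped = random(32), map[string][]byte{}
	for name, pub := range members {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, vaultKey, nil)
		if err != nil { panic(err) }
		wrapped[name] = ct
	}
	return
}

// fetchVaultKey is the client path. Removing a member means the server deletes the
// wrapped copy; the vault key itself never changes, so an earlier copy still works.
func fetchVaultKey(wrapped map[string][]byte, member string, priv *rsa.PrivateKey) ([]byte, error) {
	ct, ok := wrapped[member]
	if !ok { return nil, fmt.Errorf("%s: server refuses, no longer a member", member) }
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

func main() {
	muk := deriveMUK("correct horse battery staple", "A3-EXAMPLE-SECRET-KEY") // constructed values
	ks := newKeyset(muk)
	priv, _ := unlockPrivateKey(muk, ks)
	wrapped, vaultKey := newVault(map[string]*rsa.PublicKey{"mallory": ks.Public})
	cached, _ := fetchVaultKey(wrapped, "mallory", priv) // Mallory stashes the key (Story 9)
	delete(wrapped, "mallory")                           // admin removes Mallory; vaultKey unchanged
	_, refused := fetchVaultKey(wrapped, "mallory", priv)
	pt, _ := aeadOpen(cached, aeadSeal(vaultKey, []byte("item added after removal")))
	_, rotated := newVault(nil) // mitigation: new vault, new key, move the items over
	_, blocked := aeadOpen(cached, aeadSeal(rotated, []byte("moved item")))
	fmt.Printf("server: %v\ncached key on new item: %q\ncached key on new vault: %v\n", refused, pt, blocked)
}
```

Everything the server side holds here (`StoredKeyset`, the wrapped-key map, sealed items) is either a public key or ciphertext under a key the server never sees, which is Rick's point about private keys being hosted but not usable. The `main` walk-through shows the whitepaper's caveat and its remedy in order: the server path is refused after removal, the cached key still opens an item added afterwards, and only a fresh vault key makes that cached copy worthless.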

  • -Is there a possibility of sharing secrets without sharing what the secret is?
    E.g. share login of a website, without ever showing the password.

    I just wanted to add on to what Rick said regarding the "Reveal Password" permission that's available in Business accounts. Note that while our apps will not allow the user to see the password, you have still shared the secret with them and they can get around this restriction without too much effort. The purpose of the feature is to prevent accidentally revealing the password. But it is not possible to keep the user from finding out what the password is if you've shared it with them.

This discussion has been closed.