technical questions about opvault design

blimpyboy2
Community Member
edited January 2017 in Mac

Hello,

I've been and continue to be a very satisfied user of 1Password since 2008. I use the licensed version rather than the SaaS/subscription model. I have a couple of technical questions about the opvault design I'm hoping someone could kindly answer:

question 1
Is there a way to generate new master/overview encryption + MAC keys for an existing opvault?

Rationale is I may have an old backup of my vault floating around where I had a weak master password (since updated and strengthened). When the weak master password was used, the data in the then-current vault wasn't particularly sensitive. Since strengthening my master password, I've added sensitive data to my vault. Although someone who cracks my older, weak master password to decrypt my older opvault won't gain access to any particularly sensitive data (by virtue of what I had stored in there), I want to protect myself against such a user obtaining the master (and to a lesser extent overview) encryption keys from the old vault to decrypt my current data in my current vault.

question 2
I use 1Password on one iOS device and one Mac device via Dropbox. Hence opvault data plus 2 x local data formats (SQLite) are in play. Would all 3 have exactly the same master/overview (and item) encryption + MAC keys, or would each have different set of keys? Maybe I am mistaken, but in understanding the opvault design, you could design this either way? Said differently, when I install 1Password on a new device for the first time and ask it to sync with an existing vault, do you generate new master/overview encryption + MAC keys for the newly created local data or do you re-use the keys from the sync source?

question 3
My understanding of the opvault design is that the first 80 bits of secure notes are protected with the overview key, i.e. potentially the first 80 bits of plaintext are in the application memory for a period of time that extends well beyond the period of time that note is actually being viewed in the application. What are the first 80 bits of a secure note? Would that be the first 10 characters of the secure note title, and if less than 10, the first characters in the note body?

Thank you kindly

Comments

  • Hi @blimpyboy2,

    Those are some fantastic questions. Let me try to answer them...

    Question 1 : Is there a way to generate new master/overview encryption + MAC keys for an existing opvault?

    Not really. The recommendation here would be to create a new OPVault instead which should just be a matter of disconnecting sync, deleting the old OPVault, then creating a new one.

    Question 2 : Would all devices have exactly the same master/overview (and item) encryption + MAC keys, or would each have different set of keys?

    The 3 of them would have different keys. I wrote a blog post a while ago that talks about how we manage those keys in order to do Master Password "syncing" across devices. I think it'll help explain a bit of that.

    Question 3 : What's in the overview bits for the secure note?

    If we're saying 80 bits anywhere, let me know as that's not technically accurate. It's 80 bytes, not 80 bits. What's getting stored in the overview for secure notes is: the first 80 bytes of the text, or the first line of text, whichever is smaller. Interestingly, this is why it's only possible to do searching on the "first line" of secure notes (assuming I'm remembering the technical bits correctly).

    I hope this explains what you're looking for. I'm happy to answer any other questions you have.

    Rick
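The two security-relevant points in Rick's reply (a password change re-wraps the same vault keys, so an old backup protected by a weak password still yields the keys for current data; and only the first line or first 80 bytes of a secure note sits in the overview) are modelled in the added example below. It is not 1Password's code. It keeps the real format's shape (PBKDF2-HMAC-SHA512 derived key, random master and overview keys stored only in wrapped form, separate overview and detail blobs per item) but the real AES-256-CBC + HMAC-SHA256 construction is replaced by an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag so that the block runs on the Python standard library alone; the 64-byte key layout, the iteration count, the field names and the sample note text are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 64-byte derived key (32 bytes encryption || 32 bytes MAC).
    Iteration count is deliberately small here so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, 64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; a stand-in for AES so that nothing
    outside the standard library is needed (assumption, not the real format)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 32-byte HMAC-SHA256 tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is rejected, not garbled."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_vault(password: str, iterations: int = 1000) -> dict:
    """Master and overview keys are random, generated once per vault, and kept
    only in wrapped form under the password-derived key."""
    salt = os.urandom(16)
    derived = derive_key(password, salt, iterations)
    master_key, overview_key = os.urandom(64), os.urandom(64)
    return {"salt": salt, "iterations": iterations,
            "masterKey": seal(derived, master_key),
            "overviewKey": seal(derived, overview_key),
            "items": []}


def unlock(vault: dict, password: str) -> tuple:
    derived = derive_key(password, vault["salt"], vault["iterations"])
    return open_(derived, vault["masterKey"]), open_(derived, vault["overviewKey"])


def change_password(vault: dict, old: str, new: str) -> None:
    """Re-wraps the *same* master/overview keys under the new password; the
    keys themselves are not rotated, which is the point of question 1."""
    master_key, overview_key = unlock(vault, old)
    new_derived = derive_key(new, vault["salt"], vault["iterations"])
    vault["masterKey"] = seal(new_derived, master_key)
    vault["overviewKey"] = seal(new_derived, overview_key)


def overview_snippet(note_text: str, limit: int = 80) -> bytes:
    """The part of a secure note protected only by the overview key:
    the first line or the first 80 bytes, whichever is shorter."""
    return note_text.split("\n", 1)[0].encode()[:limit]


def add_note(vault: dict, text: str, password: str) -> None:
    master_key, overview_key = unlock(vault, password)
    vault["items"].append({"o": seal(overview_key, overview_snippet(text)),
                           "d": seal(master_key, text.encode())})


def demo() -> dict:
    weak, strong = "password1", "correct horse battery staple"   # constructed sample passwords
    vault = create_vault(weak)
    backup = {**vault, "items": list(vault["items"])}   # old profile copy left in a backup
    change_password(vault, weak, strong)
    add_note(vault, "bank PIN 4321\nfull details follow", strong)   # constructed sample note

    old_master, _ = unlock(backup, weak)                   # attacker cracks the weak password
    leaked = open_(old_master, vault["items"][0]["d"])     # ...and reads the *current* item
    fresh = create_vault(strong)                           # a new vault gets new random keys
    return {"same_master_key": old_master == unlock(vault, strong)[0],
            "leaked_detail": leaked.decode(),
            "fresh_vault_differs": unlock(fresh, strong)[0] != old_master,
            "snippet": overview_snippet("bank PIN 4321\nfull details follow")}


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows why Rick's advice is to create a new vault rather than change the password: `same_master_key` is true and `leaked_detail` is the note added after the password change, while the freshly created vault's master key is unrelated. `overview_snippet` returns the first line because it is shorter than 80 bytes; a one-line note longer than 80 bytes would be cut at 80 bytes instead.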

  • blimpyboy2
    Community Member
    edited January 2017

    Thanks @rickfillion . This is very helpful. Apologies, I'm writing this on my phone and so cannot respond inline.

    1. Got it. I didn't find an option to delete my primary vault, but going into the help menu and resetting all data did the trick. I then imported my original vault and copied items over to the newly created vault. It was a simple process outside of re-creating my folder structure. The copy function didn't preserve folders.

    2. That's a nifty trick!

    3. My bad, it is indeed 80 bytes.

  • Drew_AG
    1Password Alumni

    I'm glad Rick's information was helpful for you! If you have more questions or need help with 1Password, please don't hesitate to let us know. Have a great weekend! :)
