
1Password and the Crypto Wars - halostatue
http://blog.agilebits.com/2013/09/06/1password-and-the-crypto-wars/
======
revelation
Back in April, there was an attack on 1Password that managed to exploit some
flaws in its crypto scheme to achieve a sizable speedup. [1] To this day, they
have not managed to rollout the new _1Password 4 Cloud Keychain_ that is
supposed to fix these flaws. [2]

Lots of smooth talk, but apparently security is not a blocker.

1: [http://hashcat.net/forum/thread-2238.html](http://hashcat.net/forum/thread-2238.html)

2: [http://discussions.agilebits.com/discussion/14780/which-prod...](http://discussions.agilebits.com/discussion/14780/which-products-use-cloud-keychain-and-which-use-agile-keychain)

~~~
tptacek
Isn't this the attack that reduced the strength of their PBKDF2 scheme by one
(1) bit? Because they were unnecessarily calling PBKDF2 twice, where a normal
system would have called it once and expanded the resulting key, resulting in
exactly the same speed characteristics?

Your snark would sting more if you knew what you were talking about.

The reason nobody's hair lit on fire over this is that it's a stupid issue.
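
Added example (editor's illustration, not part of tptacek's comment and not AgileBits' code): the speed-up being argued about in this subthread comes from a general property of PBKDF2 (RFC 8018). Each hLen-sized output block restarts the iteration loop independently, so a scheme that asks for two blocks pays for both, while a party that only needs the first block pays for one. The code below shows this with Python's `hashlib`, and then the alternative tptacek describes: derive exactly one block and expand it into key and IV with HKDF-Expand (RFC 5869). The password, salt, iteration count and HKDF info string are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample inputs for the demonstration (not values from the thread).
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))
ITERATIONS = 2000  # kept small so the demo is quick; production uses far more


def pbkdf2_block(password, salt, iterations, block_index, hash_name="sha1"):
    """Compute one output block T_i of PBKDF2 (RFC 8018, section 5.2).

    Every block restarts the loop from U_1 = PRF(P, S || INT(i)), so the
    cost of PBKDF2 is (iterations x number of blocks) and block i does not
    depend on any other block.
    """
    u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hash_name).digest()
        for j, byte in enumerate(u):
            t[j] ^= byte
    return bytes(t)


def key_and_iv_from_two_blocks(password, salt, iterations):
    """Scheme A: ask PBKDF2-HMAC-SHA1 for 40 bytes (two 20-byte blocks) and
    split them into key and IV. The defender computes both blocks; anyone
    who only needs the first block does half of that work."""
    out = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=40)
    return out[:20], out[20:40]


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand (RFC 5869, section 2.3): cheap, and every output byte
    depends on the whole pseudorandom key."""
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def key_and_iv_from_one_block(password, salt, iterations):
    """Scheme B: run PBKDF2 once for exactly one block, then expand that block
    with HKDF. There is no second block to skip: learning either the key or
    the IV costs the full iteration count for every password guess."""
    prk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    okm = hkdf_expand(prk, b"demo key and iv", 32 + 16)  # constructed info string
    return okm[:32], okm[32:]


def first_block_is_independent(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    """True when block 1 is identical whether one or two blocks were requested,
    i.e. computing block 1 alone already yields the whole key of scheme A."""
    key, _iv = key_and_iv_from_two_blocks(password, salt, iterations)
    one_block = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)
    return key == one_block == pbkdf2_block(password, salt, iterations, 1)
```

`hkdf_expand` follows the RFC 5869 test vectors, so it can be checked against them; the point of scheme B is not extra iterations but that no output byte can be obtained without finishing the single full-cost PBKDF2 block.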

~~~
revelation
The speedup was apparently 4x, so rather 2 bits, or as the layman would say,
_only 1/4th the work_. But that's not the point. If you can't trust them to
deploy a fix to a stupid issue in half a year, why would you trust them to do
it in a day should a serious issue arise?

But I agree, it's a stupid issue. Snowden tells us endpoint security is the
problem. So maybe the Windows 1Password client should stop

1) checking for updates over HTTP (no s here!)

    Bonus: you can specify the update URL in the response
    Bonus: you can specify parts of the dialogue shown to the user

2) downloading the update over HTTP

3) executing it with _elevated rights_ without verifying it

This was _maybe_ fixed in the last build from 2013-08-07:

    Improved security of automatic updates (using https:// when checking for a new version). Reported by David Thiel, iSEC Partners.

Since they use a CDN to distribute updates, these might still be downloaded
over HTTP and still not be verified prior to running.

-- Update --

You've got to be kidding me. So I upgraded my fake update server with a
self-signed certificate (with a wrong CN, no less) and of course, the
1Password client happily accepts it.

There's some good news, though. They now verify that the downloaded binary is
signed (with their own key)!

But since I can control the update server that tells the client what to
download, I can just supply the client with an old 1Password build that is
still signed but does not implement the strong(isher) scheme in build #333.
The installer doesn't complain and what user keeps track of build numbers
anyway.

~~~
jpgoldberg
[Disclosure: I work for AgileBits, the makers of 1Password.]

The PBKDF2 speed up was 2x, not 4x. Jens was simply wrong about that. The
"disputed" speed up comes from a PBKDF2 optimization that is available to the
defender as it is to the attacker. 1Password makes use of that optimization.
So it gives no advantage to the attacker. It is not a speed up when the
defender makes use (as we do) of the same trick.

What versions of 1Password for Windows are you using? The check for updates is
over HTTPS. The download is still from a CDN, but the binary is signed (by
us). You can examine the trust chain to decide whether it satisfies your
requirements.

However, until not so long ago (a few months, I think) you were correct that
the 1Password for Windows updater was vulnerable to "evilgrade" attacks.

~~~
revelation
As stated, the check for updates is finally over HTTPS in the very latest
build (333), but you do not verify the certificate in any way. So it's
essentially HTTP with obfuscation. This allows a malicious network to
_downgrade_ clients to build 332, where the check for updates is over plain
HTTP and downloaded binaries are not verified.
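
Added example (editor's illustration, not part of revelation's or jpgoldberg's comments and not AgileBits' updater): the three weaknesses this subthread describes are an unauthenticated update check (no certificate verification), a binary fetched from a CDN without being tied to that check, and a rollback to an older build that is still validly signed. The code below shows an update-check policy that closes all three: a TLS context with verification on, a signed manifest that pins build number, URL and binary hash together, and a strictly-newer build rule. The manifest format, the `example.invalid` host, the build numbers and the HMAC "signature" are constructed for the demo; HMAC stands in for a real code-signing signature only because the standard library has no asymmetric primitives.

```python
import hashlib
import hmac
import json
import ssl
from urllib.parse import urlparse

# Constructed demo key standing in for the vendor's code-signing key
# (assumption: HMAC used instead of an asymmetric signature for this demo).
SIGNING_KEY = b"demo-vendor-signing-key"
CURRENT_BUILD = 333  # build number the installed client reports (demo value)


def verifying_tls_context():
    """The TLS configuration the thread says was missing: CA verification and
    hostname checking are both on, so a self-signed certificate or a wrong CN
    is rejected before any manifest is read."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("refusing to check for updates without certificate verification")
    return ctx


def sign_manifest(manifest: dict, key: bytes):
    """Vendor side: canonical JSON plus one tag over the whole manifest, so the
    build number, URL and binary hash are covered by a single signature."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, "sha256").digest()


def evaluate_manifest(body: bytes, tag: bytes, current_build: int, key: bytes):
    """Client side. Returns (accepted, reason). Checks, in order:
    1. the manifest is authentic, so whoever controls the server or the
       network cannot rewrite the update URL or the text shown to the user;
    2. the binary URL is https, so nothing is fetched in plaintext;
    3. the offered build is strictly newer than the installed one, which is
       what stops a rollback to an older but still validly signed build."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        return False, "manifest signature invalid"
    m = json.loads(body)
    if urlparse(m["url"]).scheme != "https":
        return False, "update URL is not https"
    if m["build"] <= current_build:
        return False, f"build {m['build']} is not newer than installed build {current_build}"
    return True, "ok"


def verify_download(blob: bytes, manifest_body: bytes) -> bool:
    """The installer may come from any CDN over any transport: what the client
    trusts is the hash pinned inside the signed manifest, not the download path."""
    expected = json.loads(manifest_body)["sha256"]
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected)


# Constructed sample update: a stand-in "build 334" installer and its manifest.
NEW_BINARY = b"MZ constructed stand-in for an installer image"
MANIFEST = {
    "build": 334,
    "url": "https://cdn.example.invalid/updates/build-334.exe",
    "sha256": hashlib.sha256(NEW_BINARY).hexdigest(),
}
BODY, TAG = sign_manifest(MANIFEST, SIGNING_KEY)
```

The ordering matters: the signature is checked before any field is read, so a manifest that points at an older build is rejected by the build rule even though the vendor really did sign it once. Verifying the installer's own code signature, as the thread says build 333 does, is necessary but not sufficient; without the build-number rule an old signed installer still passes.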

~~~
teamgb
Can you write a blog post about this? Need to get this information out there.
Good job finding this.

------
rdl
I love AgileBits (makers of 1Password).

It's pretty clear that the highest risk is pure-cloud services. There, it's
trivial to get a legal order or technical compromise to steal the data. A
"hostproof", download-on-each-use app, like LastPass, is essentially the same
risk as a cloud app. (this is the hushmail and lavabit vulnerability.)

The safest is some kind of purely-client software, with local data, which
operates online, and is never updated. Ideally open source, with a trustworthy
build process.

In between is software like 1Password. I wouldn't consider 1Password + Dropbox
sync to be safe -- NSA has open-door access to Dropbox if they wish to get a
single user's data (and possibly more). Tricking a user into downloading a
compromised version of 1Password wouldn't be terribly difficult even without
the cooperation of AgileBits.

You can use 1Password more safely (local-only, infrequently updating, some
kind of local-firewalling in the client, etc.). Without the client being open
source, it's really difficult to do more. It's probably a hell of a lot safer
on OSX than it is on iOS, since at least some OSX users are likely to do real
network monitoring, or otherwise be on some kind of debugging enabled system,
or something with just weird bugs, uncover a problem, and then dig into it and
find a backdoor -- on mobile, there's little risk of that.

------
SCdF
In for a penny, in for a pound.

If you care about security enough to use a password safe you might as well
also use an open source solution that has even a remote chance of having its
code looked at by more people than the ones trying to sell it to you.

I mean, I know 1Password is all pretty and animated and things, but things
like KeePass aren't so ugly as to be unusable.

~~~
laurent123456
Unfortunately, the developer of Keepass has made the choice of using .NET for
development, which means it's pretty much Windows only. There are some non-
official clients for Mac OS X and Linux but they don't work great (missing
features like auto-completion or browser integration). I'm still using Keepass
on these platforms though, but I can see how a truly cross-platform solution
like 1Password is appealing.

~~~
lwhalen
Does 1Password have a Linux client? Looking at their page, they appear to only
support Mac, Windows, iOS, and Android.

~~~
shawndumas
They create an HTML file in your Dropbox (when you sync) that you can hit with
any browser.

~~~
jamesgeck0
Just opening the 1PasswordAnywhere html file in Firefox doesn't work.
Something about Firefox's local file access policy. I serve the HTML file with
`python -m SimpleHTTPServer` and visit localhost:8000 to use it.

------
tlrobinson
Until we solve "the password problem", what I'd really like is a small
dedicated hardware password manager. Like Trezor
([http://www.bitcointrezor.com/](http://www.bitcointrezor.com/)) but for
passwords.

But there are a number of problems:

1. How do you authenticate yourself with it? If you lose it you don't want
the thief to be able to extract your passwords. You need to reintroduce the
"something you know" factor (hard to enter passwords in keychain sized
devices), or maybe "something you are" factor (fingerprint? RFID implant? only
half joking, I'd consider it)

2. How do you perform backups without exposing the whole database to your
hosts?

3. How do you interface with mobile devices? Public computers?

~~~
rdl
I'd like it to actually be hardware with tamper evidence (or response, even
better), unlike trezor. That makes it a lot easier to use a weaker password or
biometric to authenticate with it, safely.

The unknown thing is whether it should communicate directly to the computer,
or have all communications mediated by the user. I'd be more comfortable if it
only had one-way communications capability (user enters something on a device-
local keypad, it sends data transmit-cable-only back to the computer), but
that's not going to work with mobile, probably.

~~~
tlrobinson
You could emulate a keyboard, and have the Bluetooth/USB stacks implemented in
dedicated chips, with a 1-way serial connection from the main MCU.

But it's pretty nice to be able to hit a keyboard shortcut and have it figure
out which password to fill rather than scrolling through a list. It would be
pain to enter all the site names without management software too.

As always, convenience vs security.

~~~
rdl
It would cost between 1/30th and 1/15th of a SCAR 17, though.

------
mwfunk
I use 1Password and have been really happy with it. It's not open source, but
(I wasn't aware of this until I read this article) they do document the format
used by their data file, and the encryption algorithms used:

[http://learn.agilebits.com/1Password4/Security/keychain-desi...](http://learn.agilebits.com/1Password4/Security/keychain-design.html)

------
xiaomai
I'm a huge fan of this command-line password manager:
[http://zx2c4.com/projects/password-store/](http://zx2c4.com/projects/password-store/)

It's just a simple wrapper around gpg and (optionally) git. Makes it real easy
to sync passwords between machines and you can be as confident as possible
about the security.

~~~
da_n
For someone who lives more and more on the command line Pass looks really
nice. The only issue I have is that the lastpass importer is not working for
me, tried it with 2 different versions of Ruby but always get a NoMethodError.
Adding 400+ passwords is going to be a huge pita.

------
coldcode
I think if you are building closed crypto products you need to be (1) not a
US company (2) have multiple technical people in various different countries
not likely to be politically compatible. Even better have no connections to
the US at all other than selling products there. Then at least you have a
chance to avoid the pressure to compromise.

------
scrrr
“I would strongly recommend against anyone trusting their private data to a
company with physical ties to the United States.” (Assuming being a Canadian
company counts..)

~~~
clebio
Is that a quote from the article, or do you just use quotes for emphasis of
your own words?

~~~
riobard
It's from the Lavabit mail.

------
ChuckMcM
Nicely done. I appreciate the stand they are taking here.

That said, gag orders are gag orders. You can decide not to play as Lavabit
did but you cannot reasonably tell some non-US employee to blab about your NSL
since you will go to jail anyway and Federal Prison is Federal Prison.

~~~
tzs
What if you put release procedures in place that make it so your foreign
offices will detect if a compromised release goes out?

For instance, require code review from the foreign offices to approve building
a new release, and require that the foreign offices build copies of the new
release from the code they reviewed and that they verify that their builds
match the release candidate binary before the release can go live on the
server?

~~~
rdl
An interesting thing for an open source project might be to put code-signing
keys (for a reviewer) out with pseudonymous people on the Internet -- real
identities unknown to the developers.

I'd be happy to only use releases of 1Password which were signed by both
AgileBits and a few nyms with a long history of being awesome (e.g. Satoshi).
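
Added example (editor's illustration, not part of tzs's or rdl's comments and not any vendor's release tooling): tzs describes a gate where foreign offices rebuild the reviewed source and their builds must match the release candidate, and rdl adds a requirement that independent pseudonymous reviewers sign the same release. The code below combines both into one release check. The party names, their keys and the artifact bytes are constructed for the demo; HMAC tags stand in for real code signatures only because the standard library has no asymmetric signing.

```python
import hashlib
import hmac

# Constructed demo keys for each party (assumption: HMAC stands in for a real
# code signature; in practice each party would hold its own private key).
SIGNER_KEYS = {
    "vendor": b"key-vendor",
    "office-nl": b"key-office-nl",
    "office-uk": b"key-office-uk",
    "nym-a": b"key-nym-a",
    "nym-b": b"key-nym-b",
}


def digest(artifact: bytes) -> bytes:
    return hashlib.sha256(artifact).digest()


def independent_builds_match(candidate: bytes, office_builds: dict) -> dict:
    """tzs's check: each office rebuilds the reviewed source, and the result
    must be byte-identical to the release candidate (reproducible build)."""
    want = digest(candidate)
    return {office: digest(built) == want for office, built in office_builds.items()}


def sign(party: str, artifact: bytes) -> bytes:
    """A party signs the digest of the exact bytes it inspected."""
    return hmac.new(SIGNER_KEYS[party], digest(artifact), "sha256").digest()


def valid_signers(artifact: bytes, signatures: dict) -> set:
    """Parties whose signature really covers this artifact; a signature over
    some other build (for example a previous release) does not count."""
    d = digest(artifact)
    return {
        party for party, sig in signatures.items()
        if party in SIGNER_KEYS
        and hmac.compare_digest(hmac.new(SIGNER_KEYS[party], d, "sha256").digest(), sig)
    }


def release_allowed(candidate: bytes, office_builds: dict, signatures: dict,
                    required=("vendor",), reviewer_pool=("nym-a", "nym-b"),
                    min_reviewers=1):
    """Combined gate: every office build matches, every required party signed,
    and at least min_reviewers independent reviewers signed the same digest.
    Returns (allowed, reasons) so a failing release explains itself."""
    reasons = []
    for office, ok in independent_builds_match(candidate, office_builds).items():
        if not ok:
            reasons.append(f"{office} build does not match candidate")
    signed = valid_signers(candidate, signatures)
    for party in required:
        if party not in signed:
            reasons.append(f"missing signature from {party}")
    reviewers = signed & set(reviewer_pool)
    if len(reviewers) < min_reviewers:
        reasons.append(f"only {len(reviewers)} of {min_reviewers} independent reviewer signatures")
    return (not reasons, reasons)
```

Because every signature is bound to the digest of the candidate, a reviewer's approval of an earlier build cannot be reused for a new one, which is the property that makes a coerced or substituted release detectable by the parties who were not coerced.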

~~~
lawnchair_larry
People would just declare that the nyms are probably NSA. And they would
probably be right in some cases.

~~~
rdl
If the NSA had a long history of auditing and signing good code, in addition
to an unmolested and identifiable developer, and a combination of known and
unknown nyms who also could attest to the security of the specific code I'm
running, I'd be quite happy with their incremental approval.

------
tlrobinson
Notable missing phrase: "open source"

~~~
mwfunk
That's not a notably missing phrase, because it's not open source. Maybe it's
notable because you don't trust closed source security products, but if so,
you didn't say that. :) Not that I disagree with you. I use 1Password, but in
my opinion the fact that it is closed source is definitely a mark against it.
If there was anything built on top of, say, GPG that had remotely similar
functionality, I would totally use that. Maybe there is and I don't know about
it.

~~~
sk5t
You might be interested in STRIP[1] which is built on SQLite and SQLCipher,
the latter being an open-source encryption codec for the former. It's up to
the user to decide whether and how to use Dropbox, Google Drive, etc., for
syncing.

Disclosure: My employer makes STRIP.

[1] [http://getstrip.com/](http://getstrip.com/)

------
logn
AgileBits, if you're not ok, then blink twice.

------
jgalt212
This is sort of funny: Back on June 6, 2013 David Pogue wrote a puff piece on
Dashlane

interesting quote:

_No system is foolproof. But Dashlane notes that it doesn't ever see your
passwords or your credit card information. They're all stored on your own
computer, encoded by the AES-256 encryption method, an open-source standard
approved by the National Security Agency._

[http://www.nytimes.com/2013/06/06/technology/personaltech/to...](http://www.nytimes.com/2013/06/06/technology/personaltech/too-many-passwords-and-no-way-to-remember-them-until-now.html?pagewanted=all&_r=0)

------
q_
req: lastpass's response

~~~
jessedhillon
Could you link to it please?

~~~
Shank
LastPass has not made a direct statement. On their forums, however, a customer
asked where data was hosted and this post was made by the CEO:

_LastPass is "host proof" hosted meaning that your sensitive data is
encrypted with a key we at LastPass NEVER have, removing many of the concerns
PRISM raises with most cloud service providers. LastPass can't be forced to
give the encryption key to your data as it has never hit our servers!_

[https://forums.lastpass.com/viewtopic.php?f=12&t=89195](https://forums.lastpass.com/viewtopic.php?f=12&t=89195)

~~~
riquito
They could release a new binary that does register encryption keys, and you
would never know it. They could even lie (not that I mean they do it, but if
you need security, it can't be from a closed source application).

------
rorrr2
DO NOT USE 1Password.

If you care about security, there's absolutely no reason to use 1Password over
an open source solution like KeePass.

Even if 1Password doesn't have a backdoor now, nothing would stop NSA from
inserting one and keep the owners quiet about it with a gag order.

AgileBits is a US company, and so you cannot trust their security. Thank the
US government for that.

~~~
mannkind
From the linked article, "We have developers in four separate countries:
Canada (__AgileBits is a Canadian company__), the United States, the United
Kingdom, and the Netherlands."

... reading comprehension …

There are good password managers, then there's KeyPass. :/

