Here's a taste:
This design flaw is certainly real, and is one of the many reasons why we have started migrating to a new design. In short, when the Agile Keychain Format was designed (in 2008), we weren't aware of all of the various problems that come from using unauthenticated CBC mode encryption.
I could plead that we were in reasonably good company in making that kind of error, but as I've since learned, research in academic cryptography had been telling people not to use unauthenticated encryption for more than a decade. This is why today we aren't just looking at the kinds of attacks that seem practical, but we are also paying attention to security theorems.
The other factor of two was a known and expected optimization for HMAC that the OCLHashcat developer(s) discovered the hard way. The defenders (1PW's users) may have already been taking advantage of this optimization, so it really doesn't count as an "attack".
The other factor-of-two, i.e., the 1-bit attack, comes from skipping the generation of the CBC mode IV and only generating 1 output block (160 bits) of PBKDF2 output for the key and using a later ciphertext block to check the candidate password. This saves the attacker half of the PBKDF2 work factor.
This is a weakness in PBKDF2 when used to generate key material longer than the underlying hash function output length. RFC 2898 explicitly endorses deriving multiple keys in the manner 1Password used it:
For instance, one might derive a
set of keys with a single application of a key derivation function,
rather than derive each key with a separate application of the
function. The keys in the set would be obtained as substrings of the
output of the key derivation function. This approach might be
employed as part of key establishment in a session-oriented protocol.
(I don't think using CTR mode would have made a lot of sense and am not saying the use of CBC mode is a design weakness; it isn't.)
And I was just on everyone else for conflating CTR mode nonces and CBC mode IVs...
The problem as I understand it is that 1Pw runs PBKDF2-HMAC-SHA1 twice. 1Pw stores encrypted passwords using AES-CBC. It derives a 128 bit AES key from the first run of PBKDF2, and the 128 bit CBC IV from the balance of the first and the first bits of the second. Based on that design, it appears that 1Pw believed that the secrecy of the IV would contribute to the difficulty of cracking the encrypted blob, but of course it doesn't, because the trailing bytes of the blob are known plaintext and an attacker can use the key without knowing the IV to check if their password guess is right.
This is not a great design. But it's bad in a way that wastes cycles for users. The fact that 1Pw does extra PBKDF2 work that doesn't bind on attackers don't make 1Pw meaningfully weaker than any other app that uses PBKDF2, because it was already weird that they were tapping PBKDF2 twice to begin with. A more idiomatic use of PBKDF2 in this situation would be to tap PBKDF2 once, and then expand it (say with SHA2) to 256 bits. That design, which is totally reasonable and would not be the subject of a news story, would be equivalently secure to the "flawed" approach 1Pw took.
There is another problem with the construction 1Pw uses, which is that they chose PBKDF2-HMAC-SHA1. PBKDF2 with SHA hashes are among the easiest KDFs to crack on GPUs††, because SHAx was designed to be fast in hardware. 1Pw would have been much better off with scrypt, or even bcrypt (which is still a pain to implement in GPUs). But PBKDF2 is an industry best practice; to ding someone for using it while the rest of the world still uses "salted hashes" seems unreasonable.
What's happening here, besides the echo-chamber effect, is that the implementation of the brute force cracker for this particular encrypt blob is clever. In a rush to applaud cleverness, Twitter seems to have lept to the conclusion that "clever attack" means "vulnerable target". That's usually a correct assumption, but it isn't in this case.
Corrections more than welcome.
† They deserve some kind of medal for that, by the way, because I have no dog in this fight at all and I can't seem to shut up about the unfairness of it all.
†† It turns out there's a clever way to optimize this on a GPU by precomputing the ipad/opad in HMAC, too, which sped the cracker up.
As I can see, they had various courses of action (don't take this to mean that they were remiss in securing their product, as they used best practices everywhere):
* Use AES-256, maybe deriving the key from a first run of the KDF and the IV from a second one, although that might also make for an attack.
* Use CTR mode. Unless I'm mistaken, the attacker would then need to guess both the key and the nonce to verify the block, which is significantly higher complexity.
* Re-encrypt the last block with the IV. This way, the attacker would have to decrypt with the other 128-bit key, and would need to know both to decrypt the last block.
* Pad the beginning, rather than the end. Or, since the string is of known length, just make it a multiple of the block size, and use no padding.
I'm really a crypto novice, though, so I might be completely mistaken. That said, it's a bit too bad that they didn't spend a bit of time thinking how they would crack their own product, they might have come up with this attack and mitigated it.
At any rate, running the KDF twice isn't a problem, unless you mean that it wastes CPU cycles for no good reason. In that case, I agree.
But it's not a meaningful mistake, for two reasons: (1) they were being naive about how they used PBKDF2 to begin with (again: don't call it a second time to generate a key or a nonce) and the attack on their encrypted blobs still requires a brute force attack on the first output, and (2) we're discussing a minimal improvement on the complexity of an attack on their system, but there are much bigger improvements available to them if they move off PBKDF2.
But, really: deriving keys from PBKDF2 is just fine. If they had just used PBKDF2 (once!) to generate an AES key, and then used /dev/random to generate an IV, nobody would be talking about them right now.
(For what it's worth, a CTR nonce only gives you 64 more bits to play with).
* What do you mean that it requires a brute force attack on the first output? As I understand it, the attacker doesn't need to match all 256 bits of the derived key (only the first 128 bits), so the complexity is reduced by a lot. If those match, you can just run the KDF "properly" on the passphrase you guessed and get the rest of the bits, i.e. the IV. It thus weakens PBKDF2 to only need 2002 rounds of SHA, rather than 8000, and still allows you to decrypt the whole stream.
* If they used a random IV, they'd have to include it in the stream, which wouldn't really do anything more for security. The IV doesn't matter at all now either, but at least now it's secret. This attack doesn't use the key space of AES or the IV, though, so it's a bit moot.
* The CTR nonce would prevent the attacker from taking the 128-bit "shortcut", as they'd need all 256 bits of the derived key to decrypt the last block, which is the improvement I'm referring to.
Please correct me if I'm mistaken, I find crypto very interesting and would like to know where I'm wrong.
Jeffrey got back to me with a way-more-reasonable-than-expected answer:
I'm sorry for not getting back to you earlier. I think I answered your question elsewhere, and so failed to get to the email followup.
The Belenko and Sklyorov analysis of a large number of password managers found that many of them (including 1Password) were vulnerable to a "padding oracle" attack.
We discussed the problem the day that the report came out, and released an update to 1Password for iOS (Mac and Windows versions were not affected) within a few weeks.
The specific vulnerability (that pretty much affected everyone who used the standard cryptographic libraries) is fascinating, and I'm hoping to write more about it some day. But for the moment, please see
which includes some links to the issue and what we did about it. The key paragraph is
"The [New York Times] article cites some of the research behind Elcomsoft’s scathing review (PDF) of password managers on mobile devices, which we wrote about last March. That report did included some issues in 1Password on iOS (which we quickly addressed), but it also shows that there is enormous variation in the quality of password managers. 1Password is clearly among the best."
It is hard to stay ahead of potential threats, and we slipped up in that case so had to play "catch up" instead. Although there was never a practical threat to people's data, as developing a practical tool to exploit the vulnerability would take some time. But the design flaw certainly opened the door for people to create such tools, so we did need to get this fixed quickly.
Still we try to look toward the future in our design and defend against potential threats that don't yet exist. We should have defended against all potential chosen ciphertext attacks (CCAs) no matter how "theoretical" before the padding oracle (a type of CCA attack) was actually discovered.
I hope that helps. Please let me know if you have further questions.
Chief Defender Against the Dark Arts @ AgileBits
Part of the problem stems from the fact that application developers are also (correctly) reluctant to use things that aren't in standard libraries and that don't have standards behind them. Even today, Apple's CommonCrypto offers no authenticated encryption modes, and only documents CBC and ECB. (CTR is available, but not documented as such.) And back to the current issue, we would have moved to scrypt from PBKDF2 already if it were readily available in well-reviewed implementations.
But also this stuff is hard (fun, but hard). And not every development team is going to have the expertise on board to really follow this stuff. They are just going to go with what's in the most easily accessible libraries, and if we are lucky, they won't use their encryption keys as IVs for CBC.
Lots of people are talking about how to improve the situation. I'm "cautiously optimistic".
Any (more clever) HNers care to offer a interpretation and calcuation?
The dictionary files I have in /usr/share/dict/ have about half a million words. Mean length is 11 characters. And there are about 100 characters easily accessible on my keyboard (letters, numbers and common symbols).
Regular words, trying lower case, UPPER CASE or First Letter Capitalised. 3 * 0.5 million options = Half a second to search.
Same but with a two digit number before or after (e.g. Patio11): 2 * 100 * 3 * 0.5 million options = 100 seconds to search.
Single regular word with up to 4 standard keyboard characters before or after (e.g. Patio3&A@): 2 * 100^4 * 3 * 0.5 million = about 3.1 years to search.
Two regular words, same case options, with or without a space. (3 * 0.5 million)^2 * 2 = 17 days to search.
Single regular word, random capitalisation (e.g. paTIo) rough figure: 2^11 * 0.5 million = 6 minutes to search.
Single regular word, random capitalisation, 4 standard keyboard characters before or after (e.g. PaTio8#`¬): 2 * 100^4 * 2^11 * 0.5 million = 2163 years to search.
Four regular lower case words (e.g. correct battery horse staple): (0.5 million)^4 = 660000000 years to search.
Up to 10 letters or numbers, upper or lower case (e.g. nk7rFG9Ad9): 63^10 combinations = 10403 years to search.
Up to 8 letters or numbers, upper or lower case (e.g. Plfws0aX): 63^8 combinations = 2.6 years to search.
Assuming you could obtain the same 3M hashes/second on an Amazon EC2 cluster GPU instance (this isn't a given as they have nVidia GPUs instead of the ATI chip used in the test reported) 2.6 years of GPU time at the spot price of 35 cents an hour would cost $7976.85
Needless to say, if you had access to a whole load of people's 1password files, probably some of them would be following a weak password selection scheme and you'd break them within seconds. On the other hand, people with strong password selection schemes will still be safe.
However, if you can try all dictionary words in 0.5 seconds, you can try that against 172800 files in a day.
Of course you'd need a security breach that gave you access to multiple files too!
"A user-selected eight-character password with numbers, mixed case, and symbols, reaches an estimated 30-bit strength, according to NIST" 
A completely random 8-character password from a space of 64 characters (upper, lower, number + 2 symbols) is 48 bits:
3^48/(3M attempts/s) ~= 3 years
Multiply by 64^N for longer passwords (so >180 years for a 9 character password)
The reason for the difference is that user-selected passwords are (on average) not as good as random passwords.
But that's just with 2 GPU's! Any larger bitcoin miner has a few hundred (up to many more) of these graphics cards running. 100 GPUs would require only 20 days! Any larger entity could easily setup 1000 GPUs which cuts it down to 2 days, etc.
Probably there will be password cracking pools, similar to altcoin mining pools, which pay for your GPU resources in bitcoins.
This amounts to the loss of almost exactly 1 bit of security. Yes, really.
The first letter of my password is lowercase, not uppercase. There, that's how much it matters. 1 bit.
would still be relatively hard to crack?
> It's nearly identical.
> There are around 170,000 english words (including all the obscure ones you've never heard and have no idea how to spell).
> Number of 4-word combinations:
170,000^4 = 8.35 * 10^20
98^10 = 8.17 * 10^19
> And if they start bruteforcing with the simpler words (which you used in the example), there are only 5,000 - 10,000 of them, the number of your combinations drops dramatically:
5,000^4 = 6.25 * 10^14
10,000^4 = 10^16
For good reason; please check someone's comment history before advising them of this.
We didn't explicitly call PBKJDF2 twice. We called it once, but asked for 256 bits of data, while giving it SHA1 to work with. In these circumstances, PBKDF2 acts as if we'd called it twice.
Anyway, there is a blog post about this here: http://blog.agilebits.com/2013/04/16/1password-hashcat-stron... The final part of it contains my analysis of what did and didn't go wrong.
Please take care and pick a strong master phassphrase!
There should be some iOS-specific system with a key in protected keystore/keybag on the phone, combined with your encrypted password db potentially living in dropbox/icloud/etc., and then a user passphrase or biometric or whatever to unlock the file. Then you at least are protected against brute force once someone steals the encrypted keyfile from dropbox or some other service.
I've suggested this to them ~10 times. A keyfile format that doesn't rely on the crazy Apple resource forks and works with a user-self-hostable sync server would also be nice.
An emoji password like happyface heart pizza devil hospital trafficlight cow moon is probably going to be more secure than any word/number combination that could be dictionary attacked.
This obviously assumes the site properly encodes Unicode, but also somewhat limits use for most people to devices with the keyboard.
I don't know how you get to the emoji keyboard on iOS. It would also be a little annoying having to do this on multiple platforms (I have considered using 1p on Windows at some point; no real argument that a well configured win 7 or 8 is worse than OSX, now).
It's obnoxious to have to enter it on an iPhone keyboard with one hand while trying to drive or whatever on every login to anything. Particularly bad since I'm on a platform with a secure element, protected by tamper-resistant hardware, and relatively decent OS provided APIs to handle this exact problem.
There are good rumors that iOS 7/iPhone 5++ is going to have at least a fingerprint sensor, too, which would then automatically give biometric protection to the keybag as well.
> with one hand while trying to drive
When I asked them to allow me to use a key along with my passphrase they said it would confuse their users, and then acknowledge their users aren't going to pick good passwords and would be at risk:
> A master password constructed with diceware of three or four words should be both strong and memorable, but I have to acknowledge that most users aren't going to use diceware to construct a master password. So I suppose that your point stands.
Denial of hardware attacks is built in.
I think initially some miners used FPGAs: these are reprogrammable and offer similar performance, but they're much more expensive.
I do believe seeing that (the mythical) Butterfly Labs intends on releasing software for all sorts of other parallel high-performance applications (or some kind of driver/API type of thing), but I could be hallucinating.
I know what you mean, but I think you should be more specific in your statement. Bitcoin mining ASICs might be re-purposable. Not all ASICs.
If you want it to, you would have to produce new wafers with a modified chip logic.
I'm not sure how this is "least charitable", it seems to be pretty much the only interpretation. Either way, I'm not seeing the significance at all. I look forward to a reply from atom to penultimate post in that thread (#24) in which guinndupont explicitly asks for the real-world significance.
And I agree with Thomas and miles, that the vendor response is wonderfully direct, informative, reasonable, helpful, non-weaselly, etc. Props to him.
There really isn't a good way for anyone except Apple to make a great password manager on iOS, though, without getting every single app vendor to write to a password manager's API. But 1Password on iOS is pretty good. (what doesn't work so well is that you have to manually cut and paste passwords into browser or other apps; I'm not comfortable running a browser inside 1password)
The problem I have (which isn't THAT MUCH of an outlier) is that I have an MBA, a MBP17-desktop, an iPad, and an iPhone. I want to be able to use all of my normal/boring/personal/medium-sec passwords from all of my devices, want to be able to add new services from any of those devices, and I want to be able to do password updates from any of those devices. Ideally without ever connecting cables -- my iPhone/iPad get plugged into a charger in the car or by the bed, but not connected to either of the Macs.
All of their sync seems to be built around one Mac, one or two iOS devices; the USB, the older wifi, etc. Dropbox is the only solution they offer which is many-to-many.
I'm also essentially terrified of corruption or losing the data file, so any but the most cautious and transparent sync scares me.
I keep a recently updated (every few weeks or after I enter something especially important) copy on a flash drive. Worse comes to worse and something gets corrupted I can always use that version.