Looking ahead in security

Security is a process, not a product — Bruce Schneier

If you build a tough lock on a door, it is easy to imagine that you have now secured that door and don’t need to think about it anymore. But in the security business life is rarely that simple. Both the “threat landscape” and our understanding of the locks we’ve built earlier change. The renowned security expert Bruce Schneier is famous for (among other things) saying more than a decade ago that security is a process, not a product.

1Password works so well because it isn’t just a security product, but it changes the way we deal with website logins. That is, we do things more securely and more easily when 1Password is around. This is one illustration of what is meant by “process” instead of “product”.

Just as security should be a process for you, it must also be a process for us. We can’t just rest on our laurels, but must respond to and anticipate all threats as well as take advantage of every opportunity. For an example of an opportunity, iOS 4 allowed us to put additional security measures into how syncing credentials are stored by 1Password for iPhone and iPad, anticipating potential threats by password crackers going against iTunes backups.

In other cases, we have locked down things as old threats became more serious. When weaknesses in the Domain Name System (DNS) became more apparent, we improved the security of our updater (which uses digital signatures to verify that a downloaded update is indeed from us) and even in our preview/icon fetcher to make sure that it visits the same sites you did. With those last two improvements (along with several others not discussed here), I would particularly like to thank Aaron Sigel (AKA @diretraversal) for reporting these.

There are countless little changes that we implemented that have improved security of 1Password such as: the error checking in the automated backups in 1Password for Mac, the handling of input in the Chrome extension, and the management of privileges in the 1Password for Windows installer. We never think that our job is done. Instead we are always looking for how we can make things easier and more secure for you.

The Ghosts in the Machine

We don’t normally announce features until they are delivered, but questions about cloud security require that we talk about upcoming changes to our data format.

Data Format of 1Password Past

The first versions of 1Password stored data in the OS X keychain. This was great because we could just use tools completely built in to OS X. However, there were several disadvantages to this including syncing issues with MobileMe.

Data Format of 1Password Present

There were great advantages to moving to our current data format, the Agile Keychain format. It is far more scalable than what preceded it, and syncing is far easier and more reliable. It also encrypts everything except what is needed for indexing and sorting items and finding potential matches for websites. It was in this move to the Agile Format that we moved from using 3DES to the more modern AES-128 for our encryption. More importantly, this is when we protected your master password with PBKDF2, which makes it much harder for automated password guessing systems to discover your master password. A full explanation of this is in our document on cloud storage security. It has also been much discussed in our forums.

When we introduced Dropbox syncing for iOS and 1Password for Windows, it was so awesome that everyone wanted to use it. It was then that we renewed our discussion of what we can do to give your data more privacy protection.

Data Format of 1Password Future

As I said, we like to be agile and never (well…, hardly ever) announce features before they are delivered. There are two aspects of our next data format that we are willing to announce. It will have even more of your data fully encrypted, with the remainder well obfuscated.

Another security enhancement that I’m ready to reveal is that the new data format will have an increased number of PBKDF2 iterations used when processing your master password. This will make it even harder for anyone to try to run software that would automatically guess master passwords.
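
As an added illustration (not code from 1Password or from the original post), the Python sketch below shows why raising the PBKDF2 iteration count slows automated guessing: the cost of every guess scales linearly with the count, while the legitimate user pays it once per unlock. The hash (SHA-256), the iteration counts, the password entropy and the attacker's HMAC rate are assumptions chosen for illustration; the post does not state the values 1Password uses.

```python
import hashlib
import os
import time

def derive_key(master_password: str, salt: bytes, iterations: int,
               dklen: int = 32, hash_name: str = "sha256") -> bytes:
    """Stretch a master password into a dklen-byte key (32 bytes fits AES-256)."""
    return hashlib.pbkdf2_hmac(hash_name, master_password.encode("utf-8"),
                               salt, iterations, dklen)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("constructed-sample-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Pick an iteration count so one unlock costs about target_seconds here."""
    per_iteration = seconds_per_guess(probe) / probe
    return max(probe, int(target_seconds / per_iteration))

def expected_search_years(entropy_bits: float, iterations: int,
                          hmac_per_second: float) -> float:
    """Average offline search time for a password of the given entropy.

    Each guess costs `iterations` HMAC evaluations, and on average half of
    the password space is tried before the right one is found.
    """
    guesses = 2 ** entropy_bits / 2
    seconds = guesses * iterations / hmac_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed values: two iteration counts, a 40-bit password, and an
    # assumed cracking rig doing 1e9 HMACs per second.
    for count in (1_000, 10_000):
        years = expected_search_years(40, count, 1e9)
        print(f"{count:>6} iterations: {seconds_per_guess(count) * 1000:.2f} ms "
              f"per unlock here, about {years:.3f} years to search offline")
    print("iterations for a 0.25 s unlock:", calibrate_iterations(0.25))
```
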

1Password has always been designed with the security feature of only decrypting the smallest amount of information needed at any one time. That has meant that decryption happens frequently instead of just decrypting all of the data when you enter your master password. With improvements in computer processing power over the past few years, we will now be able to switch from AES-128 to AES-256 without having to compromise on performance.

I certainly won’t promise a date for this, but we’ve been working very hard on this. I can tell you that we plan to have this available in 1Password 3. Of course, there will be lots of other things coming with the new data format, but we will keep those under our hats at the moment.

These enhancements, along with others, will make your 1Password data even better suited to life in the cloud. We are looking forward to introducing them to you in full as we continue with the process of making security easy and convenient for you.

9 replies
  1. Doug Hogg says:

    I appreciate the updates and the attention to detail with regards to security. With the many passwords that I have to deal with, 1Password is a life saver. Thanks.

  2. Valentin Starke says:

    I really look forward to the improvements. AES-128 is good enough, I know. But AES-256 “feels” safer. The weakest point however is not the database and password encryption. I believe the weak point is the other ways of accessing the data, such as the export to text or encrypted webpage and 1Password.html. Can you explain how well the data is protected when a user accesses the data via the 1Password.html version of the front end or via encrypted webpage?

    Best regards

    Valentin.

    • Jeff says:

      These are great questions and observations, Valentin!

      You are absolutely correct that 128 bits AES was already the strongest part of the system, so moving to 256-bits doesn’t have much practical importance in real security. But as long as there is no reason not to use 256-bits, we should do so. Changes in the hardware environment mean that we can make this move without negative side effects.

      1PasswordAnywhere (that is, 1Password.html in your 1Password data) uses the same data that 1Password uses, so it is encrypted the same way. The only security concern with 1PasswordAnywhere is that we can’t force the JavaScript in the browser to “forget” your master password after you have entered it. So it is probably a good idea to quit the browser after using 1PasswordAnywhere if you are on a computer that others have access to.

      The encrypted HTML exports from 1Password for Mac do not (yet) use PBKDF2, so it is important to treat those files with care and to use very good passwords for them. This is one of the several places where we need to adjust for more modern hardware. And again here, to be extra safe it is probably wise to quit the browser after using it.

      Cheers,

      -j

      • Curbed says:

        What would be nice is something similar to what LastPass does, which prompts a user for their master password before performing a full export, for example.

        • Jeff says:

          Hi Curbed,

          1Password won’t be able to export at all if your 1Password data are locked. Were you looking for an additional check on export beyond the requirement that 1Password be unlocked?

          Thanks!

          -j

          • Curbed says:

            Yes, that’s right Jeff. Just in case, for example, you leave your PC unattended for some time and someone attempted to export the database. If there was an additional password prompt, they wouldn’t be able to, and could only scramble and write down as much as they could. Granted, leaving a machine unlocked is a no-no, but it’s not unheard of if there’s an emergency or phone call or…..etc.

            LastPass has an option to prompt for passwords when doing certain actions, even if you are logged in.

            Regards,

  3. Carlos Cordero says:

    I am pleased to read that the number of PBKDF2 iterations will be increased and that we are already moving to AES264.

    I am still concerned about the use of Dropbox after reading Christopher Soghoian’s submission to the FTC
    [see http://www.wired.com/images_blogs/threatlevel/2011/05/dropbox-ftc-complaint-final.pdf ].

    Some of those concerns have been addressed in the “Security of storing 1Password data in the Cloud” section of the blog, but recent changes in what Dropbox has published in their documentation (see Soghoian’s submission points 28, 29, and 30) render that information old.

    At the end of the day, from a point of view of the architecture, Dropbox has the data and the keys/passwords (even if they store them in different places, they have both and their staff can access both). Alternatives such as Spideroak and Wuala hold the data (already encrypted) but the user retains the keys/password (all encryption happens on the user’s computer). Wuala is using a new encryption management model (Cryptree) which reads – reads, I have no evidence it is better than anything else – interesting. What I like about Wuala is that it is based in Europe and privacy protection there is much more stringent than in North America.

    Moving forward, some questions:
    – Is it possible to use a different cloud storage service to sync 1Password data?
    – If the answer to the previous question is “No”, would you consider enabling this feature?
    – Is Dropbox, in the immediate future (next 30 to 60 days), intending to change their architecture in order to retain the data (encrypted) and have the user handle the encryption locally and retain the keys/passwords? If not in the future, at any point in time? Is there a timeline?
    – Is there a reason to prefer Dropbox’s model to the one Wuala and Spideroak have?

    It is clear to us, 1Password users, that security is a process and that the architectural choices made by the Agile team strike an excellent balance between security and ease of use. I wonder if these facts that have come to light recently should not compel a revision of that balance and a slight shift towards the former, in order to safeguard privacy.

    • Jeff
      Jeff says:

      Hi Carlos,

      You ask some great questions. I won’t be able to address them all as fully as they merit here, and would like to encourage you to participate in our forums where some of these have already been discussed in a very interesting thread on this topic. Your contributions to the topic there would be very welcome, both by us and by other people participating in this discussion.

      The short answer is that we are not in the position to switch to a different sync service at a moment’s notice. So if we had to abandon Dropbox today, there would be some scrambling before we could have an alternative in place. But to the question of whether we are willing to explore alternatives, that is an emphatic “yes”. We most certainly are investigating a variety of options.

      Thanks for your insights and suggestions on this. We do continue to recommend Dropbox syncing, but we also don’t want to be caught without an alternative should we ever need to revise that recommendation.

      Cheers,

      -j

      • Carlos Cordero says:

        Thank you, Jeff!

        I am comfortable with Dropbox. It works really well synchronising my 2 Win and 1 Mac computers. At this point in the debate, I trust you guys and both your reply and the information you have disclosed give me confidence. I am trusting Dropbox a little bit less lately – with regards to that I can discriminate what I upload there and use my own common sense.

        I am testing Wuala currently, from NZ where broadband is NOT that hot. It seems to be working nicely. Getting upload speeds between 35Kb/s to 76 Kb/s.
