PRISM and cloud syncing security

Started by jpgoldberg,

jpgoldberg Agile Customer Care Administrator
edited 7 Jun 2013 in Lounge #1

I'd like to consolidate all of the discussions about the security of using services like Dropbox and iCloud for 1Password data into one discussion thread.

There will be (now is) a blog post on the implications of the NSA's PRISM program on our blog shortly, and discussion of that post will also be directed to this discussion. I don't know when that post will be ready, but please feel free to start the discussion without me.



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits

  • sovanbu
    edited 7 Jun 2013 #2

    I really wish AgileBits would incorporate synching between

    Mega is much faster, 100X more secure (information is encrypted), and more space is offered.

    Mega is supposed to be releasing an API, (or has already released one?).

    I see so many App Developers implement 1Password, usually when @1Password tweets about it. I really wish there were more synching options.

    Any chance they could be added?

  • edited 7 Jun 2013 #3

    Hi all -- I'm sure many of you have watched the news unfold today that Dropbox is the next domino to fall in the ever-advancing march of the PRISM surveillance program by the US NSA.

    So why not add a "sync to your own server" option to 1Password??

    Just sayin'

  • jpgoldberg Agile Customer Care Administrator

    Hi Mike,

    We never (well, hardly ever) promise features until they are delivered. We have "agile" in our name for a reason. We explore approaches and often have to abandon them if they don't work out the way we need. So absolutely no promises.

    With that said, we are acutely aware of the demand for people to be able to synchronize their 1Password data without having to rely on any system beyond their control. How that "acute awareness" may (or may not) turn into actual software is not something I can say anything about at this point.

    I can say that we do not want to be drawn into helping individuals configure their networks, firewalls, VPNs and such. So if we go down the line you are suggesting, it would have to be something limited to advanced users who are familiar with setting up network services and making them available to the portions of the nets they want them to be. On the other hand, we know that providing something like this would give people more control over their own data, and that is always a good thing.

    Anyway, please keep an eye on our blog. I'm writing something up about the implications of PRISM for 1Password users. I don't know when it will be ready, however.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • khad Social Choreographer Administrator
    edited 7 Jun 2013 #5

    @sovanbu, I'm not sure that Mega has the APIs we need, but I'll certainly pass your vote for this along to the developers. Thank you for letting us know you are interested in it.

    That said, syncing your 1Password data via Dropbox is extremely secure.

    From the moment we designed the Agile Keychain data format we ensured that it was able to withstand an attack should your data fall into the wrong hands, either as a result of a Dropbox breach or if someone physically stole your computer. As such, we use AES encryption with PBKDF2 key strengthening to protect your sensitive 1Password data as well as many other mechanisms to stop an attacker from ever accessing your information and we detail this here:

    Security of storing 1Password data in the cloud

    So, as long as you use a secure master password that you don't use elsewhere, your 1Password data is incredibly safe even when stored on a service like Dropbox. If you're not sure about the strength of your master password, please do take a look at our recent blog post on this:

    Toward Better Master Passwords

    I can't think of many better ways to show just how strongly 1Password protects your data than by pitting it against the pre-eminent password cracking tool John the Ripper. We did exactly that:

    1Password is Ready for John the Ripper

    But the choice is yours to make. You can sync via USB if you are cloud averse. :)

    1Password USB Syncing

    If we can be of further assistance, please let us know. We are always here to help!
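
The "PBKDF2 key strengthening" mentioned in the post above, as an added example (not AgileBits' code and not part of the original thread): it writes out PBKDF2-HMAC-SHA1 to show the repeated work every password guess costs, then estimates offline search time against a copied data file. The salt, iteration counts, password-entropy figures and function names are assumptions for the demo, not the Agile Keychain's actual parameters.

```python
import hashlib
import hmac
import math
import time

YEAR = 365.25 * 24 * 3600  # seconds


def pbkdf2_sha1(password, salt, iterations, dklen=20):
    """PBKDF2-HMAC-SHA1 written out (RFC 2898) to show where the work goes."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U1 = HMAC(password, salt || INT(block_index))
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        # U2..Uc: each round consumes the previous round's output, so the
        # rounds cannot be skipped and must be repeated for every guess.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block_index += 1
    return out[:dklen]


def agrees_with_hashlib(password, salt, iterations, dklen):
    """Cross-check the written-out version against the standard library."""
    return pbkdf2_sha1(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha1", password, salt, iterations, dklen)


def seconds_per_guess(iterations, trials=3):
    """Best-of-N wall-clock cost of testing one candidate password."""
    best = math.inf
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha1", b"constructed guess", b"constructed-salt", iterations, 16)
        best = min(best, time.perf_counter() - start)
    return best


def expected_years(entropy_bits, guesses_per_second):
    """Average time to hit a password drawn uniformly from 2**entropy_bits choices."""
    return (2 ** entropy_bits / 2) / guesses_per_second / YEAR


def report(iteration_counts=(1, 1000, 25000), entropy_bits=(28, 40, 56)):
    """Rows of (iterations, guesses/sec on this machine, years per entropy level)."""
    rows = []
    for iterations in iteration_counts:
        rate = 1.0 / seconds_per_guess(iterations)
        rows.append((iterations, rate, [expected_years(b, rate) for b in entropy_bits]))
    return rows


if __name__ == "__main__":
    assert agrees_with_hashlib(b"constructed master password", b"constructed-salt", 500, 32)
    # Absolute numbers depend on hardware; the ratios between rows are the point:
    # iterations scale the cost linearly, each extra bit of password entropy doubles it.
    for iterations, rate, years in report():
        cells = ", ".join(f"{y:.3g} years" for y in years)
        print(f"{iterations:>6} iterations: {rate:>12.0f} guesses/s -> {cells}")
```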

  • jpgoldberg Agile Customer Care Administrator

    Hi @sovanbu,

    I don't want to get into the specifics of Mega's system and security, but I suspect that it will not be a feasible option. There are some technical requirements that we need which I'll quote from an older article (once I find it) ... From Dropbox Terms in 2011:

    I will try to briefly address some of the questions that come up in any discussion of Dropbox and 1Password. These are “Why Dropbox?” and “Have you considered X as an alternative sync solution?”

    Dropbox does two things that no other system (yet) does. It provides the necessary programming tools (APIs) for all of the platforms that we support: OS X, Windows, iOS, Android, and Windows 7 Phone; and it provides syncing to truly native filesystems on the Mac and PC.

    The short answer to “Have you considered X as an alternative sync solution” is “Yes” for every value of X that people have asked about. We have considered them, and have had to reject them for various technical reasons.

    That was from 2011, since then Google's GDrive and Microsoft's SkyDrive have appeared and at least superficially meet our requirements, but we could only know for sure whether they work by actually trying. For those people specifically concerned about PRISM, I'm not sure whether those alternatives would really be satisfying.

    We should note that any system which does deduplication (as all of these do, including Mega Upload) is not providing NSA-proof encryption at their end.

    I think it is reasonable to assume that the NSA is attacking non-US based systems at least as aggressively as US based systems. Note that it now appears that PRISM was done without the knowledge or consent of the actual service providers. Current speculation is that they have broken or got around some aspects of SSL and are intercepting traffic at the level of the ISP.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • jpgoldberg Agile Customer Care Administrator
  • Hello all After reading the newsletter on Prism I really didn't like the fact that

    " it is still possible to see when items were created and modified along with how many items a person has in their 1Password data. Also, item categories (whether something is a Secure Note or a Login or a Credit Card) is not encrypted." I don't want someone to see my categories !!!!!

    We must also assume that the (US) government has a backdoor to the version implemented of the AES algorithm used in Mac OS X operating system. (In your newsletters you always avoid this topic. Instead you tout the great unvulnerability of AES) If AES as implemented in OS X were not back doored then Macs could not be exported from the US as they would be considered munitions and it would be illegal.

    The solution to this problem would be to let the user select among various algorithms such as: Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent Two-Fish-AES etc. just like TrueCrypt.

    I may be wrong so please comment.


  • jpgoldberg Agile Customer Care Administrator

    I'd like to expand a bit on something I put in the blog article:

    We would like you to have as much control over your own data as possible. This way, it doesn’t matter whether you agree with me about the relative risks of capture from local computers. It should be your choice to make. We have provided a (beta, Mac only) USB Syncher, but we are also exploring other approaches that may work out as better solutions for synchronizing your 1Password data without having to rely on services outside of your control. At this point, I can tell you nothing about the kinds of approaches we are exploring, and I do not yet have a timeline to share.

    There are a number of different approaches we could take. I am not committing to any of them (or even saying which ones are or aren't being looked at at this point).

    1. Allow for additional sync services (beyond Dropbox and iCloud)

      It's always useful to have some alternatives to fall back on if some service we use suddenly becomes unacceptable, but as I described a couple comments earlier, GDrive and SkyDrive are going to have the same sorts of issues as Dropbox does if the concern is government snooping.

    2. Develop a data format that will allow synching with a service that does good client side encryption.

      In the past, we've said that 1Password data syncing wouldn't work with something like SpiderOak, Wuala, or SugarSync which perform all of the encryption clientside, so that the service couldn't decrypt even if they wanted to. The difficulty with these is that on your computer the file systems are not local, native filesystems. 1Password's Agile Keychain Format is very filesystem I/O intensive. To simplify syncing, each item is in its own file. 1Password needs the data to be on a fast filesystem to be able to function.

      But with the new Cloud Keychain Format, we may not have this restriction. It too is designed for file based synching, but it uses a smaller number of files and furthermore, we don't have 1Password 4 working directly with Cloud Keychain format. Instead, 1Password 4 translates from the Cloud Keychain (or Agile Keychain as appropriate) into a format that is used locally on that system, typically an SQLite database. This makes 1Password's performance much less dependent on the qualities of the filesystem it's sitting on.

      So something we have ruled out in the past, is something that may be a way forward under some conditions.

    3. Revive WiFi syncing.

      We really had very very good reasons to drop WiFi syncing with 1Password 4 on iOS. But if it turns out that it is still the best way to enable people to synchronize their 1Password data without having to store their data on systems beyond their control, then we wouldn't rule out reviving it. Of course, if that is to become our solution, we need to make sure that it isn't just limited to the Mac and iOS. We would need to extend it to all users.

    4. Enable people to run their own synchronization servers.

      This is a solution that may appeal greatly to a small number of people, but it would have many of the same problems that we ran into with WiFi synching. The ways in which it could fail are likely to be about a person's local network configuration. Getting all of the firewalls, and pinholes, and discovery set up would be tricky for anyone who isn't familiar with managing their own network.

      I run my own authoritative DNS servers in my house, and so have been able to give constant names and IP addresses to things on my private LAN. But I used to work as a network and system administrator. A solution that works for me, isn't one that will work for everyone.

    5. Revive My1Password.

      We've tried a number of ways to deal with data synchronization. There was a (failed) attempt to run our own system many years ago. We just couldn't get it to work reliably enough. Of course any attempt to revive something like that, may still not be a satisfactory solution. The same concerns that people have for Dropbox should be asked about any service we run. So such a system would need to be designed in a way that protects your data from us.

      At the moment we have no information at all about 1Password users (other than those who specifically chose to contact us). We can't be compelled or tricked into revealing data we don't have.

    6. Leave things as they are.

      We've got the USB syncher. It's not a great solution, but it does allow people to sync their 1Password data between Mac and iOS without having to talk to any external (or even internal) network. I haven't really changed my mind about the relative risks of data theft from a home computer versus data theft from the cloud. The question is what sorts of options can we provide to the people who disagree with me on that.

      Note that the new data format that is being rolled out has an improved security design. That is, there may be people who are unwilling to let their Agile Keychain data live in the cloud, but will be happy to let their 1Password 4 Cloud Keychain [we really need a better name for that] data live in the cloud. So "leaving things as they are" still includes rolling out our new data format to more and more platforms.

    I'm not going to rule out anything or suggest that we are leaning in any particular direction. There are difficulties with all of these options. I'm most certainly not trying to list excuses not to pursue these options. Instead, I am trying to answer, preemptively, questions of the form "why can't you simply do X?"



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • My take away from this whole debacle is that all those defending the actions of the US govt - Obama, FSA, politicians, WSJ etc - do so principally on the grounds that their spying is in the interests of Americans. "Foreigners", all 6.8 billion foreigners, are specifically targeted in all of these actions. They are all essentially treated as a priori possible hostiles.

    The very best curtailing of these powers that can be hoped for is that US citizens are not spied on - but the rest of the world will always be fair game for America.

    I'm not American and don't live in America. I was an early adopter of Google, Apple, and Dropbox and many other great American companies' services. But if I had any decent choice in the matter I would dump them all in a heartbeat because these privacy infringements really annoy me. These people are not just indifferent to me and billions of other people. They think they own us.

    No I don't have anything particular to hide. Yes, I do see a difference between posting something on Twitter or Facebook and writing a personal email - so let's not conflate all of those. It's like the difference between having a conversation in a supermarket or having one in bed with one's partner.

    Yes I do see how the US govt might use secret data culled from influential business people, journalists, politicians, lawmakers around the world. It's not just terrorists and "insignificant little people" that are being spied on. I really regret now having introduced a foreign journalist I know to 1password/Dropbox - not all journalists are tech savvy - some of them are in their seventies.

    No I'm not naive. I've written in the past to 1P specifically about my discomfort of putting 1password in Dropbox partly because of US government spying. I also requested that wifi syncing not be phased out. I very recently realised that tags and titles were visible and again wrote to 1P. So I guess now (if they have Prismed Dropbox) the US govt knows the name of every bank I have an account with, every credit card I own, every website I log in to, every FTP site I use, what types of passport, licences and other ID I own - because all this information is in the 1P titles, for what good it'll do them. Incidentally I looked at another person's 1P file - she doesn't keep it as neat as I do - her titles appeared to contain some login information generated automatically (from a browser plugin?) eg etc.

    Unfortunately I see no optimistic solution. This problem will only become worse as time goes by. No government will ever relinquish power, given the choice. Why would they. The EU, France, Germany, UK, Israel, China, you name it, are all as bad as the US and will capture and store any data they can get their hands on too. At present they just don't have quite the access the US does. I hope in time the big US companies will lose foreign customers (the majority of US profits) who don't like being spied on by a government they trusted but was actually treating them as "hostiles" - but there have to be alternatives first! And it's not going to be easy - just look how the US fought Galileo every step of the way.

    Meanwhile, I again humbly request 1P encrypt titles and tags and bring back wifi syncing.

  • Stokkes Junior Member

    I understand the complexities that go into ensuring that our 1Password data is safe. I know the data I have in there and I know I wouldn't want that data to fall into the wrong hands. I trust 1Password with a lot of private data and it's important for me to know that data is safe.

    That being said, I think there is definitely value into looking into this whole "Private Cloud" solution. I truly believe that a portion of the market place will move away from cloud services such as Google, DropBox, etc. and move their data "back" into their own environment.

    I have been eyeing Connected Data, makers of File Transporter ever since their funding campaign. It has all the beauty of Dropbox, but the data is stored within your network. NO data goes through their servers but you have all the simplicity and transparency as Dropbox.

    There is apparently an API available as well that could allow you to integrate 1P syncing with our own personal transporters. I also don't believe you would need to deal with the same complexities as Wifi syncing or "Back to my mac" style syncing.

    I've recently started getting a little weary of any cloud data provider, especially those who offer "free services". As Marco Arment has said on numerous occasions, if you're not paying for the product, you ARE the product. I take this to heart.

    What are the chances of Agile looking into these types of solutions? While I agree Dropbox and iCloud syncing are nice, supporting these new types of solution that allow users such as myself to "take back our data".

  • jpgoldberg Agile Customer Care Administrator

    Hi @Migs,

    I most certainly sympathize with your distrust of the US government in these matters. But I don't agree with your assessment of their capabilities.

    We must also assume that the (US) government has a backdoor to the version implemented of the AES algorithm used in Mac OS X operating system.

    I'm sorry but that doesn't make sense. It would be like saying that someone has tampered with the implementation of the square root function. If it didn't produce the right results, then it really wouldn't work at all. That is, the primitive AES operation is a function (in the mathematical sense of function) in that it takes a key (128-bits, 192-bits, or 256-bits) and a block of data (128-bits) and produces a result. Given the same input, it must always produce the same output. (This AES primitive gets called in different modes so as to not reveal whether multiple blocks of the input are the same, but let me leave that aside.)

    Quite simply, if AES were producing the wrong results on OS X, then we wouldn't be able to process the data on Windows. And we've switched back and forth between using Apple's crypto libraries and the OpenSSL crypto libraries. They all produce the same results. As I said, it would be like tampering with the square root function.

    There are ways to implement AES insecurely but still have it produce the right results. Insecure AES implementations might reveal information about the key by taking different amounts of time to compute its operation depending on facts about the key. So someone able to closely monitor those might gain information. But those attacks do nothing for someone who just has access to the encrypted data. By the way, what I described isn't just theoretical. Early RSA based smartcards could leak information about their embedded keys by taking different amounts of time or consuming variable amounts of power when asked to encrypt specially crafted inputs. These weren't deliberate backdoors, but they do illustrate why extremely careful implementations matter.

    Anyway, that was a long way of saying that tampering with the AES implementation in OS X couldn't be done and still have something that appeared to work.

    If the operating system is tampered with to weaken cryptography, it would most likely be in the random number generation. Again, this is the kind of thing that has been known to happen accidentally. Most spectacularly with many versions of the Debian Linux distribution. It went unnoticed for many years, until someone studied the public keys of a huge number of servers and performed a statistical analysis and discovered far far more collisions than there should have been.

    Such tampering would affect all cryptography. It doesn't matter if you use AES or RC4; if you are getting bad random numbers for your keys, salts, and IVs then you are getting them no matter what algorithm you use.

    More basically, if you can't trust the operating system you are using, then all bets are off. You aren't going to fix that in software running on a malicious OS.

    The solution to this problem would be to let the user select among various algorithms such as: Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent Two-Fish-AES etc. just like TrueCrypt.

    As you've noticed, we don't take the approach that TrueCrypt developers have taken. There are a variety of reasons for this.

    1. It is not safe to assume that a cascade of algorithms is as strong as the strongest algorithms. If the algorithms are flawed then they can work in ways that interact with each other to actually play on each other's weaknesses.

    2. AES has been publicly studied far far more than all of those others combined. It is far more likely that the NSA knows of a secret vulnerability in something less studied than AES.

    3. Cascading and the choice of cryptographic algorithms adds complexity. That complexity adds to the opportunity for error and it makes it much harder to actually evaluate and audit the security of the system.

    On the whole, the academic cryptographic community advises against that kind of complexity and cascading, and we follow that advice. I know that there are plenty of people who like the approach taken in TrueCrypt, and they may argue vehemently for it. TrueCrypt does have a very nice track record (well, at least in one spectacular case). But at best that approach adds only a tiny bit of security at the cost of enormous additional complexity.

    Anyway, I know that we probably still disagree, but I do want to thank you for the terrific question. I loved the chance to expand on why we've taken the approach that we have.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

    PS: Maybe when I've got more time, I'll edit this to put in various links to the stuff that I mentioned. It's fascinating reading. But no promises on that.
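
The random-number point in the post above, as an added example (not code from the thread or from 1Password): when key material comes from a generator with only a handful of possible starting states, keys, salts and IVs repeat across machines whichever algorithm consumes them, and counting duplicates across a population is how the weakness shows up. The 32,768-state seed space, the fleet size, the host names and all function names are assumptions made for the demo; the weak generator is a stand-in, not a model of any specific operating system.

```python
import hashlib
import math
import os
import random
from collections import defaultdict

SEED_SPACE = 2 ** 15  # assumption: the broken generator has only 32,768 possible states
PURPOSES = {"aes-256-key": 32, "rc4-key": 16, "salt": 16, "iv": 16}  # bytes needed


def weak_material(seed, purpose):
    """Stand-in for a broken RNG: the output is fully determined by a tiny seed."""
    digest = hashlib.sha256(purpose.encode() + seed.to_bytes(4, "big")).digest()
    return digest[:PURPOSES[purpose]]


def strong_material(purpose):
    """Healthy case: bytes from the operating system's CSPRNG."""
    return os.urandom(PURPOSES[purpose])


def build_fleet(n_hosts, weak):
    """Return {host: {purpose: bytes}} for a constructed population of machines."""
    picker = random.Random(2013)  # constructed: fixes which tiny seed each host drew
    fleet = {}
    for i in range(n_hosts):
        if weak:
            seed = picker.randrange(SEED_SPACE)
            fleet[f"host-{i:04d}"] = {p: weak_material(seed, p) for p in PURPOSES}
        else:
            fleet[f"host-{i:04d}"] = {p: strong_material(p) for p in PURPOSES}
    return fleet


def duplicate_count(fleet, purpose):
    """How many hosts hold a value that some other host already holds."""
    values = [material[purpose] for material in fleet.values()]
    return len(values) - len(set(values))


def shared_groups(fleet, purpose):
    """Groups of hosts holding identical material: the rekey list for a defender."""
    by_value = defaultdict(list)
    for host, material in fleet.items():
        by_value[material[purpose]].append(host)
    return [hosts for hosts in by_value.values() if len(hosts) > 1]


def expected_duplicates(n, space_bits):
    """Birthday estimate: duplicates among n uniform draws from 2**space_bits values."""
    space = 2.0 ** space_bits
    # -expm1(n * log1p(-1/space)) equals 1 - (1 - 1/space)**n without cancellation
    distinct = space * -math.expm1(n * math.log1p(-1.0 / space))
    return max(0.0, n - distinct)


def audit(fleet, purpose, claimed_bits):
    """Flag a population whose duplicates exceed what the claimed key size allows."""
    observed = duplicate_count(fleet, purpose)
    expected = expected_duplicates(len(fleet), claimed_bits)
    # Crude threshold: for real key sizes 'expected' is ~0, so any repeat is a finding.
    return {"observed": observed, "expected_if_healthy": expected,
            "suspect": observed > expected + 1}


if __name__ == "__main__":
    for label, fleet in (("weak RNG", build_fleet(5000, weak=True)),
                         ("OS CSPRNG", build_fleet(5000, weak=False))):
        for purpose, size in PURPOSES.items():
            result = audit(fleet, purpose, claimed_bits=size * 8)
            print(f"{label:10} {purpose:12} duplicates={result['observed']:4d} "
                  f"suspect={result['suspect']}")
    print("birthday estimate for a 15-bit seed:", round(expected_duplicates(5000, 15), 1))
```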

  • jpgoldberg Agile Customer Care Administrator
    edited 8 Jun 2013 #13

    Hello @Stokkes,

    Thank you very much for your kind words. The idea of a "private cloud" is very definitely on the list of approaches that we have been thinking about.

    What are the chances of Agile looking into these types of solutions?

    The chances are excellent that we are looking into these types of solutions along with the others types of solutions that I listed in an earlier comment. But at this point, I'm not going to reveal any information about which approaches we currently consider to be most promising.

    I'm sorry to be so coy, but we really try to avoid sliding into the vaporware business. We try not to promise things until we are absolutely certain that they can be delivered. That usually means that we don't promise anything before it is delivered.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • spcarr
    edited 8 Jun 2013 #14

    Thanks for the blog and forums posts on this topic. While all these companies are denying involvement, it is much safer to assume that my 1Password data on dropbox is easily obtained by the US government. The vast majority of us are currently just "noise" to institutions like the NSA, but it is still very crucial for us to admit that it will not necessarily always be that way. Therefore we should keep up the good fight of privacy and security. My 1Password data is by far my most sensitive data around, and so it is where I focus first when news like prism hits.

    Pretty sure I'm preaching to the choir when I say that a secure system is one with multiple layers... so while I applaud all efforts to secure the 1Password database itself, that is the last line of defence. The first line is to make sure no one can easily get the data, so I am definitely looking forward to what you guys come up with as a "dropbox" / cloud sync replacement. This could even open up another revenue stream for agile bits...

    I was naive to trust my data to the cloud, so I'm going to begin reclaiming my data from it.

  • adiummy Junior Member

    It's outrageous. I won't trust US cloud services any longer, I've just canceled my Dropbox account. Please integrate a secure and convenient syncing solution quickly!

  • jpgoldberg Agile Customer Care Administrator

    Hi @spcarr,

    There are a number of plausible ways to read the denials from the various companies, but none of those ways would give us reason to doubt that PRISM is real.

    1. The companies are lying.

      There are two reasons why the statements from the companies might be false.

      1. They are lying because they are trying to save themselves embarrassment.

      2. They are lying because the law compels them to lie.

        As we saw in the Verizon case, the court order included a proscription on even acknowledging the receipt of the letter. So-called National Security Letters forbid the recipient from revealing the fact that they've received such a letter. In such a case, the overwhelming majority of people within the company would not know about it. So the people making the announcements would be unaware that they are giving false answers.

    2. The companies are telling the truth, so the data collection is "indirect"

      There are a number of plausible scenarios where the NSA is gathering their data without the cooperation of anyone within the organizations. It would mean being able to capture all the traffic to and from those company servers and exploit weaknesses in SSL/TLS. (It's terrible that the world hasn't moved to TLS 1.2. We know that there are problems with all prior versions.)

    As I said up top, it doesn't immediately matter for our data privacy how we interpret the denials, the US government has largely confirmed PRISM. Personally, I'd prefer for the companies to be lying instead of the NSA being able to gain this sort of access without their cooperation.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • jpgoldberg Agile Customer Care Administrator

    Hi @adiummy,

    I share your outrage, but I'd like to better understand your decisions:

    I won't trust US cloud services any longer, I've just canceled my Dropbox account.

    From what's been published about PRISM, it appears that Dropbox was not (yet) a participant in PRISM. But also it is unclear whether the participants are willing participants.

    If the NSA can gain this access without the cooperation (coerced or otherwise) then it seems perfectly reasonable to assume that they would be more likely to be spying on non-US servers than on US based ones. The NSA's legal mandate is pretty much to spy outside of the US. It seems likely to me that they've been hitting non-US based things harder than US based things.

    The title for a draft of my blog post was "If the NSA wants your 1Password data ..." with the obvious continuation that they can get it. I really don't think that there were people who thought on Wednesday, "Oh, my data on Dropbox is safe from the NSA" but on Saturday said, "Oh, I guess I was wrong; I see now that my data on Dropbox isn't really safe from the NSA".

    So this is why I'm confused by your action. Did you previously (prior to PRISM leak) think your data on Dropbox was safe from capture by the NSA if they really wanted it? If not, what has changed in your willingness to use Dropbox?

    Please integrate a secure and convenient syncing solution quickly!

    I can't promise dates. We've been exploring a number of options for a while (see my earlier post), but it will also help us better understand what we need to do if we gain more insight into your decision.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • jpgoldberg Agile Customer Care Administrator

    This just in. The official statement (PDF) from the Director of National Intelligence.

    I suspect that it is telling the truth in saying that

    "the United States Government does not unilaterally obtain information from the servers of U.S. electronic communication service providers. All such information is obtained with FISA Court approval and with the knowledge of the provider based upon a written directive ... Service providers supply information to the Government when they are lawfully required to do so."

    I wonder if they will somehow release the complying service providers from the gag order that comes with these. That is, the service providers are probably still under the requirement to keep even the existence of those requests secret.

    This also means that there may be some protection by using service providers based outside of the US. I don't actually think that would make much of a difference as the intelligence agencies of different countries engage in "information sharing". But it is something to consider.

    There are statements in that document that I believe to be highly misleading, even where technically true. But in the bit I quoted, I think that they'd have everything to lose by lying.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • alembic Junior Member

    It seems Dropbox is going to be providing access to its servers to this NSA-sponsored surveillance initiative.

    I'm now looking at SugarSync.

  • They've been providing access to RIAA bots since forever, and god knows who else. Once again, thanks 1P team for bringing USB sync.

  • Then again, why would they bother with breaking into your 1password keychain if they can just pull all your documents plain from google docs/icloud/you-name-it :D

  • adiummy Junior Member

    Ok, let me explain. Until now I knew that the NSA could access my data if they somehow get evidence that I might be involved in terrorism. Now I have to assume that US agencies are sucking indiscriminately everything they can get about internet users worldwide and are building a huge database with information about just everyone.

    Therefore I will avoid US services in future which seem to willingly share information about all its users with the NSA. And I will prefer services that are (more) secure by design, e.g. cloud services with client side encryption.

  • BHDicaire
    edited 9 Jun 2013 #23

    Hello Jeff & Adiummy,

    My local data at rest is protected with Apple's FileVault2 and my password using 1Password. Everything else is not encrypted :(

    We need a new tool from you guys: 1Encrypt. Please use a 7zip envelope with AES 256 encryption.

    We need this software to encrypt ad hoc files and then have a mechanism to transmit the password to the destinator of the encrypted file.

    We also need this software to encrypt a local directory, let's say /userA/Dropbox/Secure/ and /userA/Dropbox/Confidential transparently so I don't need to worry about it. Performance might be an issue, you might be using aes 128 or elliptical for one and aes 256 for the second one. Of course, I want my private keys in 1Password using your API :)

    And YES, I will pay for that.

    I understand that you can't promise me too much at this time.

  • Have you thought about integrating the recent OmniPresence technology from the Omni Group as an alternative sync option into 1Password? This would allow users to use their own servers (or at least managed servers in their own country) for syncing. All it needs is a WebDAV service.

  • jpgoldbergjpgoldberg Agile Customer Care Administrator

    Thanks, @adiummy. That does help me understand. Cheers, -j

  • jpgoldbergjpgoldberg Agile Customer Care Administrator

    Hi @BHDicaire,

    It really would be nice to have a general purpose, cross platform, file and folder encryption system with some sort of key management that is simple to use.

    PGP/GPG does all of that except for the "simple to use" part. Slapping a nice user interface on it won't solve that problem either (lots of people have tried). This is because the user needs to understand many subtle concepts of key management in order to use GPG correctly.

    One of the ways that I got my start in this business was trying to teach smart, motivated people how to use PGP correctly. I was postmaster at a post-graduate technical university in the UK. People did want file and email security and I wanted them to have it as well. Even under these ideal circumstances, my attempts were a failure.

    AgileBits is committed to providing outstanding cryptographic tools that people can use without having to have a PhD in engineering. (And some of the PhDs in engineering I worked with still didn't fully understand the distinction between "trust as an introducer" or "trust the identity of" needed for PGP.)

    You mentioned performance decrypting and encrypting a large chunk of data. There are techniques that help deal with this, which you can see in the design of file system encryption (like FileVault and BitLocker). The performance problems really come in trying to transfer or synchronize data. A small change in one of the files might require that a very large chunk of data actually be transferred. And if encryption were done using the kind of structure you suggested, then the tiniest modification to one file would require that the entire thing be reencrypted and transferred as a whole.

    These are not insoluble problems. And we love challenges. But they do involve subtleties that most people aren't aware of.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
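
The sync cost described in the post above, as an added example that is not part of the original thread or AgileBits code: it compares a single encrypted archive with per-file encryption after a one-byte edit. The file names, sizes and the HMAC-SHA256 counter-mode stand-in cipher are assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode. Illustration only."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (block // 32).to_bytes(8, "big"),
                       hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per encryption, as a real scheme requires
    return nonce + xor_stream(key, nonce, data)

def seal_container(key: bytes, files: dict) -> dict:
    """Single-envelope layout: pack every file, then encrypt the archive once."""
    archive = b"".join(
        name.encode() + b"\0" + len(body).to_bytes(8, "big") + body
        for name, body in sorted(files.items()))
    return {"archive.enc": encrypt(key, archive)}

def seal_per_file(key: bytes, files: dict, old_plain=None, old_sealed=None) -> dict:
    """Per-file layout: re-encrypt only the files whose plaintext changed."""
    old_plain, old_sealed = old_plain or {}, old_sealed or {}
    return {name: old_sealed[name] if old_plain.get(name) == body
            else encrypt(key, body)
            for name, body in files.items()}

def bytes_to_upload(before: dict, after: dict) -> int:
    """A file-level sync service re-sends every object whose bytes differ."""
    return sum(len(blob) for name, blob in after.items()
               if before.get(name) != blob)

def compare_layouts() -> tuple:
    key = os.urandom(32)
    v1 = {f"note{i}.txt": bytes([i]) * 4096 for i in range(10)}  # constructed data
    v2 = {**v1, "note3.txt": b"!" + v1["note3.txt"][1:]}         # one byte edited
    c1, c2 = seal_container(key, v1), seal_container(key, v2)
    p1 = seal_per_file(key, v1)
    p2 = seal_per_file(key, v2, old_plain=v1, old_sealed=p1)
    return bytes_to_upload(c1, c2), bytes_to_upload(p1, p2)

if __name__ == "__main__":
    print("container upload: %d bytes, per-file upload: %d bytes" % compare_layouts())
```

Because the archive is re-encrypted under a new nonce, every byte of its ciphertext changes and the whole object is re-sent, while the per-file layout re-sends one file.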

  • jpgoldbergjpgoldberg Agile Customer Care Administrator

    Hi @TheMaJa,

    That is a nice suggestion, but by now you should know that the answer to questions of the form "Have you thought of X?" tends to be "yes".

    So to

    "Have you thought about integrating the recent OmniPresence technology from the Omni Group ...?"

    Yes, we've thought of something like that. This falls under #4 in my list of approaches from my earlier comment.

    "All it needs is a WebDAV service."

    Funny you should mention WebDAV. We've long had our reluctance to promise features before they were delivered, but one exception was when we promised WebDAV/MobileMe synching for 1Password Pro for iOS. At the time we made that promise we were 95% complete with WebDAV support.

    The remaining 5% killed us. It turns out that the speed and reliability of WebDAV file systems weren't up to the demands that were needed for the structure of the Agile Keychain Format. Once we started testing it in practical use, it just failed miserably. We tried to develop our own local caching on top of the WebDAV filesystem; we tried other tricks to lighten the load. In the end, we were dedicating such a huge portion of our time to getting just the "last touches" to work that we had to abandon it and break our promise.

    With that said, it is plausible that the new data format and separation of synching format versus local format will work with WebDAV. But I think you will understand why I won't promise anything like that.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • jpgoldbergjpgoldberg Agile Customer Care Administrator

    Hello @latteine and @alembic!

    I've merged the discussion you were in into the place where we are trying to consolidate this important discussion.

    Cheers, -j

  • Assuming that Dropbox could be compromised, can you characterize the increased level of protection we are getting with the MAS version of 1Password? I am getting about 28,000 PBKDF2 iterations compared to 10K for version 3.8. (I migrated from 3.8, created a new keychain, and did an import)

    Also, does using the latest iOS versions of 1Password reduce the security protection of my keychain? Do you create a copy of the keychain using a different (weaker) protection mechanism for those devices with less CPU capacity?

  • jpgoldbergjpgoldberg Agile Customer Care Administrator
    edited 10 Jun 2013 #30

    That's a great set of questions, @rfc1918.

    PBKDF2 is great and important, but it's just as important to understand what it can't do. There are limited gains in increasing the number of PBKDF2 iterations beyond a certain point. Going from 1 iteration to 10000 iterations is great because it adds (roughly) 13 bits of effective strength. But going from 10000 to 30000 only adds an additional 1.6 bits. Going from 30000 to 50000 iterations would only add 0.7 bits.

    So really, once you have 10000 iterations or so, then you get far far more bang for the buck by increasing the strength of your Master Password. Just adding a single (truly randomly chosen) lowercase letter to the end of your password will increase its effective strength by 4.7 bits without any of the computational costs.

    In geek speak, the strength that comes from PBKDF2 increases linearly with the number of iterations, while the strength that comes from your Master Password increases exponentially with its length (under most conditions).

    So except for those users who have just 1000 iterations (from our original design back in 2007), there really is little gain in increasing the number of PBKDF2 iterations. Improving your Master Password is where the effort should go. Also, with the latest versions of 1Password, doing a password change will perform an automatic PBKDF2 upgrade from 1000 (if you still have that) to a minimum of 10000.

    PS: Given your nym, rfc1918, I would have bet that you were going to advocate hosting of sync services on private networks. Not that you are obligated to, but I'm sure you understand why that was my initial thought.



    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
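
The arithmetic in the post above, as an added example that is not part of the original thread: a hand-written PBKDF2 block that counts its PRF calls (checked against `hashlib.pbkdf2_hmac`) shows that work per guess grows one HMAC per iteration, and the helpers turn that into bits. HMAC-SHA256 as the PRF and the password and salt values are assumptions; the post does not name them.

```python
import hashlib
import hmac
import math

def pbkdf2_block_counted(password: bytes, salt: bytes, iterations: int):
    """First PBKDF2 output block (RFC 8018) and the number of PRF calls made."""
    calls = 0

    def prf(data: bytes) -> bytes:
        nonlocal calls
        calls += 1
        return hmac.new(password, data, hashlib.sha256).digest()

    u = prf(salt + (1).to_bytes(4, "big"))      # U_1 = PRF(P, S || INT(1))
    block = int.from_bytes(u, "big")
    for _ in range(iterations - 1):             # U_i = PRF(P, U_{i-1})
        u = prf(u)
        block ^= int.from_bytes(u, "big")       # T_1 = U_1 xor U_2 xor ... xor U_c
    return block.to_bytes(32, "big"), calls

def iteration_bits(old: int, new: int) -> float:
    """Bits of guessing work gained by raising the iteration count."""
    return math.log2(new / old)

def password_bits(alphabet_size: int, extra_chars: int = 1) -> float:
    """Bits gained by appending uniformly random characters to the password."""
    return extra_chars * math.log2(alphabet_size)

if __name__ == "__main__":
    pw, salt = b"constructed master password", b"constructed-salt"
    key, calls = pbkdf2_block_counted(pw, salt, 10000)
    assert key == hashlib.pbkdf2_hmac("sha256", pw, salt, 10000, dklen=32)
    print("PRF calls per guess at 10000 iterations:", calls)
    for old, new in [(1, 10000), (10000, 30000), (30000, 50000)]:
        print(f"{old} -> {new} iterations: +{iteration_bits(old, new):.1f} bits")
    print(f"one random lowercase letter: +{password_bits(26):.1f} bits")
```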

  • Hi, between my phone, tablet and computers, I have 5 devices where I need 1Password. Because of that, offline syncing is out of the question for me, at least if I want to keep my sanity... However, how about supporting WebDAV? It would allow people to use self-hosted "clouds" like for example.

    Kind regards,