How is the access key secured on clients?

Hi,
currently I am a happy 1Password for Families user. It’s a great product for our family. Still, I am always thinking about different risk scenarios in case something goes horribly wrong. Because of that I was just looking at your Security White Paper for Teams, and it convinced me about data protection/encryption at all stages (rest, transit, storage). The only part I am still thinking about is the authentication part, especially the risk that both the Master key (something you know) and the Access key (something you have) could be stolen/captured/retrieved on an endpoint.
E.g. the Master key could be stolen with a keylogger, but what about the Access key? How are you protecting the Access Key on a 1Password Windows client or in a browser? Btw, the section “How We Secure Data on Clients” seems quite empty in the Security Whitepaper….


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    How are you protecting the Access Key on a 1Password Windows client or in a browser?

    @Mikri: The great thing about the Account Key is that it is never transmitted and is rarely used, so this significantly decreases the opportunities for it to be compromised.

    Btw, the section “How We Secure Data on Clients” seems quite empty in the Security Whitepaper….

    You're absolutely right. We need to update the white paper to include that. The methods we use vary widely between platforms, so it's a bit complex. But we're working on adding that information in a readable form, and are happy to answer any questions you have in the meantime as well. :)

  • Hi @brenty, thank you for the answer!
    In my threat analysis I was not worried about transmitting the Access key over the wire, since it’s not happening :) More like when it’s stored in browser storage or native app storage, how is it protected then?
    E.g. a scenario like this: an evil hacker has managed to install a RAT tool on my Windows workstation, and with that he is able to capture my Master password with key logger functionality. Then the next question is: if he has admin-level rights to my workstation, can he find and extract the 1Password Access Key from local storage as well? Either from browser cache/storage or from your 1Password native app storage. So how are you protecting local Access Key storage against a local storage extraction attack?

    Security White paper

    Great. Thank you.

  • brenty

    Team Member

    @Mikri: The white paper does cover this (page 49). While the native clients are able to use OS features (e.g. Keychain on Apple platforms) to store the Account Key locally, browsers do not offer this facility. In either case, the Account Key is obfuscated, but if your device is compromised all bets are off. You should assume that it's only a matter of time before the attacker gets whatever they want, unless you stop using the device and regenerate your Account Key to invalidate the old one. Nothing can protect you once someone else owns your machine since they have the same privilege you did (and perhaps no longer do). 1Password can't protect you from yourself, or a device that's been turned against you, so asking "how" is a bit of a red herring.

  • Hi @brenty ,
    Clear. That was my fear, actually. And that’s why I mentioned my worry about the authentication part in my first article. Therefore it’s urgently needed that you introduce real MFA for the authentication part, to mitigate this risk. Currently, when everything, both encryption and authentication, relies on the fact that the endpoint is secure, the risk is very high. It’s good that the Access Key is used for encryption to have higher entropy, but for the authentication you should offer MFA as an option; then e.g. a mobile phone could be used as a second factor, and then one compromised endpoint would not result in -> total game over! With MFA the user would be on the safe side in that risk scenario, do you agree?

  • brenty

    Team Member

    @Mikri: Not at all. Even with MFA if the endpoint is compromised they'll have access to whatever data you do; no need to authenticate. That's why 1Password is built on encryption: endpoint compromise is, by far, the highest risk; each of us is the weakest link in our own security.

    MFA is something we may add as an option down the road, but again — and I can't stress this enough — endpoint compromise means game over no matter how you spin it. Stronger encryption at least makes it infeasible for them to access data on the device without your help. MFA provides no such benefit...unless you're proposing that you need to enter a one-time password each and every time you unlock your vault, and that's not something almost anyone would be willing to do. Impractical security offers little benefit, as most users won't use it because it's too onerous.

  • @brenty: Hmm. I must say that I don’t fully follow your thoughts here.
    I do agree that good encryption, and a good implementation of it, is needed to achieve a good security solution to protect data at rest. But if not all keys to the data are known by the attacker, and the attacker needs to brute force or find a vulnerability/bad implementation, then the likelihood of success is pretty low, in the case of 1Password. So take a risk scenario where the endpoint (or even your cloud solution..) is compromised so that data is stolen, but without the encryption/access keys. In that risk scenario I am pretty confident that it’s not that easy to decrypt/brute force 1Password vault data or find an implementation flaw to bypass the security layers in 1Password. I hope we can agree on that at least :-)

    Now, if everything that is needed to open the encrypted data is located in one place, I think that is a high risk. I think it would give more security to relocate some of the needed credentials behind another channel, MFA.
    Let’s assume my browser is compromised with some man-in-the-browser attack: everything I type on my 1Password site in a browser is captured (key logger), and if it’s relatively easy to retrieve the access key from the browser as well, then those credentials can be used from wherever in the world to access all my content -> total disaster for me.
    To prevent that, at least second-channel authentication (MFA) should be triggered in that use case -> every time a user introduces a new endpoint, the user is forced to authorize that new endpoint in another channel, a mobile phone authenticator app I suggest. And it would not harm if it were possible for users, like myself, to have the possibility to do an MFA approval on every 1Password vault opening, even on a trusted device. So I am not suggesting that MFA would be mandatory for everybody and in all use cases, but for those individuals, like myself, who consider it another security layer which will introduce more security. MFA is not a silver bullet, but I do think that it will bring more security. And I think I am not the only one who thinks like that.

    For the comment “each of us is the weakest link in our own security.” Yes, but …
    I think it’s a little bit unfair only to blame the poor user as the biggest risk in the IT world. That’s why we have these different security controls or concepts (encryption, MFA, AI or user behavior analytics, tamper-proof apps, signed apps or signed communication channels, trusted source loading, app containers etc..) or whatever technologies/concepts to mitigate the human risk. I mean, so that if a poor user clicks one malicious link (and gets compromised) once in a lifetime, then it should not be game over for him or her. Layered security with multiple security controls should prevent that from happening. So my point is that everything should be done so that the user could not endanger everything accidentally, and that this slogan should not be used as an excuse for not doing something.
    But, sorry for this “explosion” :) I just could not resist commenting on that evergreen song everybody is singing, that the user is the biggest risk.

    I am very pleased to hear that you are considering introducing MFA. I strongly believe that many of your users would really appreciate that.

    Happy New Year 2017!
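The two posts above both lean on the same property: the vault key is derived from a low-entropy Master Password plus a high-entropy device-held Account Key, so an attacker who captures only the password (or only the encrypted data) faces the full key space, while an attacker who owns the endpoint gets both secrets the moment the user unlocks. The following is an added illustration written for this discussion, not 1Password's own code; the derivation (PBKDF2-HMAC-SHA256 for the password, HMAC-SHA256 for the Account Key, XORed together), the iteration count, the 16-byte key length and the "unlock tag" are all constructed assumptions for the example.

```python
"""Two-secret key derivation, illustrated (added example, not 1Password's implementation)."""
import hashlib
import hmac
import secrets

# Constructed parameters for this example, not a real product's values.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def generate_account_key() -> bytes:
    """High-entropy secret created on the device and never sent to the server.
    Constructed: 16 random bytes (128 bits). How a product formats it for
    display does not change its entropy."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Derive a vault key that requires BOTH secrets.

    Assumption for this example: PBKDF2 stretches the guessable password so each
    offline guess is slow; HMAC mixes in the account key, which needs no
    stretching because it is random; XOR combines the two 32-byte outputs so
    that neither half alone reveals anything about the key.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    ak_part = hmac.new(account_key, salt, hashlib.sha256).digest()
    return bytes(p ^ a for p, a in zip(pw_part, ak_part))


def make_unlock_tag(vault_key: bytes) -> bytes:
    """Constructed check value stored next to the vault: lets the client tell a
    correct key from a wrong one without touching the encrypted items."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def try_unlock(master_password: str, account_key: bytes, salt: bytes, unlock_tag: bytes) -> bool:
    """True only when both the password and the account key are the right ones."""
    key = derive_vault_key(master_password, account_key, salt)
    return hmac.compare_digest(make_unlock_tag(key), unlock_tag)


def keyspace_bits(password_bits: float, account_key: bytes, attacker_has_account_key: bool) -> float:
    """Work factor (in bits) an offline guesser faces.

    If the account key was captured along with the data (e.g. pulled from the
    endpoint), only the password's entropy is left to defend the vault; if not,
    the account key's bits are added on top and guessing is infeasible.
    """
    extra = 0 if attacker_has_account_key else len(account_key) * 8
    return password_bits + extra


if __name__ == "__main__":
    salt = b"constructed-salt"            # constructed; a real client would use a random per-account salt
    account_key = generate_account_key()
    tag = make_unlock_tag(derive_vault_key("correct horse battery", account_key, salt))

    # Right password, wrong/unknown account key: the password alone is not enough.
    print("password only:", try_unlock("correct horse battery", bytes(16), salt, tag))
    # Both secrets: unlocks.
    print("both secrets: ", try_unlock("correct horse battery", account_key, salt, tag))
    # Work factor for a 40-bit password with and without the account key captured.
    print("bits, key captured:", keyspace_bits(40, account_key, True))
    print("bits, key safe:    ", keyspace_bits(40, account_key, False))
```

The `keyspace_bits` comparison is the whole argument of the thread in one number: the Account Key turns a 40-bit guessing problem into a 168-bit one when the data leaks without the device, and does nothing extra once the device (and therefore both secrets) is in the attacker's hands, which is the case brenty keeps returning to.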

  • brenty

    Team Member

    Hmm. I must say that I don’t fully follow your thoughts here.

    @Mikri: Haha. Sorry. I don't always get my point across successfully, but I'm happy to keep trying. Thanks for meeting me halfway! :lol:

    I do agree that good encryption, and a good implementation of it, is needed to achieve a good security solution to protect data at rest. But if not all keys to the data are known by the attacker, and the attacker needs to brute force or find a vulnerability/bad implementation, then the likelihood of success is pretty low, in the case of 1Password. So take a risk scenario where the endpoint (or even your cloud solution..) is compromised so that data is stolen, but without the encryption/access keys. In that risk scenario I am pretty confident that it’s not that easy to decrypt/brute force 1Password vault data or find an implementation flaw to bypass the security layers in 1Password. I hope we can agree on that at least :-)

    I agree that brute force is infeasible with a sufficiently strong password. But what I'm saying is that if the attacker has access to your machine just as you do, they don't need to brute force anything if you access your data without brute forcing it, since you're decrypting it for them.

    Now, if everything that is needed to open the encrypted data is located in one place, I think that is a high risk. I think it would give more security to relocate some of the needed credentials behind another channel, MFA.
    Let’s assume my browser is compromised with some man-in-the-browser attack: everything I type on my 1Password site in a browser is captured (key logger), and if it’s relatively easy to retrieve the access key from the browser as well, then those credentials can be used from wherever in the world to access all my content -> total disaster for me.

    What I'm suggesting is that someone malicious in control of your machine could simply intercept the one-time password. This negates the benefit of MFA, and completely avoids the problem of brute forcing.

    I'm not suggesting that MFA doesn't offer any benefit, only that in the scenario you're describing, it doesn't necessarily help. This seems like a next-to-worst-case scenario, wherein the attacker knows how to find and de-obfuscate the Account Key in your browser, but not how to intercept the one-time password, or how to collect your data as you yourself access it. And I think it's important that we design with the worst-case scenario in mind. Again, MFA is useful, but it feels like we're talking about a scenario constructed to justify the need for it, rather than the other way around.

    To prevent that, at least second-channel authentication (MFA) should be triggered in that use case -> every time a user introduces a new endpoint, the user is forced to authorize that new endpoint in another channel, a mobile phone authenticator app I suggest. And it would not harm if it were possible for users, like myself, to have the possibility to do an MFA approval on every 1Password vault opening, even on a trusted device. So I am not suggesting that MFA would be mandatory for everybody and in all use cases, but for those individuals, like myself, who consider it another security layer which will introduce more security. MFA is not a silver bullet, but I do think that it will bring more security. And I think I am not the only one who thinks like that.

    Fair enough. It's certainly an interesting idea, but this would require you to be online at all times. Otherwise there's no way to validate to determine if MFA is required. If there's any way to go offline, an attacker could simply disable the network interface to work around this.

    For the comment “each of us is the weakest link in our own security.” Yes, but …

    I think it’s a little bit unfair only to blame the poor user as the biggest risk in the IT world. That’s why we have these different security controls or concepts (encryption, MFA, AI or user behavior analytics, tamper-proof apps, signed apps or signed communication channels, trusted source loading, app containers etc..) or whatever technologies/concepts to mitigate the human risk. I mean, so that if a poor user clicks one malicious link (and gets compromised) once in a lifetime, then it should not be game over for him or her. Layered security with multiple security controls should prevent that from happening. So my point is that everything should be done so that the user could not endanger everything accidentally, and that this slogan should not be used as an excuse for not doing something.

    You're right that it sounds like blame on the surface, and I'm sorry for that. I don't mean to make excuses. Certainly there are other considerations, but the fact remains that math is more reliable than we are. Only human, after all. That's what I mean. Encryption isn't going to slip up and spill our secrets ringing in the new year, or fall prey to a phishing scam. Often users are frustrated when 1Password doesn't fill their login on a site because the URL doesn't match. We care, but 1Password doesn't. Like the encryption it's built upon, it has a programmed function which it carries out perfectly. That may sound silly since we've all encountered sites where 1Password falls down. But in fact it simply hasn't been programmed in such a way as to accommodate that specific structure.

    Certainly there are bugs too, and in these instances 1Password is decidedly not doing what we'd want or expect, but it is doing what it was programmed to. By people. And much like we can make mistakes in software, we can in practice as well, in ways that compromise our security. This is why we use time-tested, industry-standard encryption based on straightforward (if advanced) mathematics that have been hammered on by academics and security researchers, and hackers across the spectrum of black, white, and grey hat. UI bugs need to be fixed, but are not critical on the same level as fundamental security.

    But, sorry for this “explosion” :) I just could not resist commenting on that evergreen song everybody is singing, that the user is the biggest risk.

    No worries. I hope you'll understand that I don't mean to belittle you or anyone else as a user when I talk about us being the weakest link. I very much include myself in that too. Just like we can use other tools to great effect for our benefit or detriment (cars, for instance...), 1Password and other security tools can be misused in ways that make us less secure — or at the very least provide no real benefit — whether that be having 1Password fill the same password for all websites, or using monkey123 as a Master Password. These are extreme examples, but I think they illustrate this fundamental truth.

    I understand completely what you mean though. It sounds like a cop out. I'm glad you let me know where you're coming from, and I hope this gives you a better idea of where I'm coming from too.

    I am very pleased to hear that you are considering introducing MFA. I strongly believe that many of your users would really appreciate that.

    I think we're in complete agreement about that. I just think it's important to recognize that it isn't a panacea. Ultimately we still need to be vigilant and take responsibility for our own security. 1Password can help, but it's only one weapon in our arsenal for defense of our digital lives. I'm probably preaching to the choir here, as this is something you're well aware of. But we really need to take into consideration users all across the spectrum.

    Happy New Year 2017!

    Likewise, I hope you have a safe and happy new year too! Thanks so much for your time and patience discussing this with me. Always a pleasure. :chuffed:

This discussion has been closed.