1Password cryptographic library


That might not be the right place to ask but...
Is there a way to know the list of cryptographic libraries used by the software (For example, I noticed that you use sjcl for the web) ?
You also mention BigNum libraries, is it possible to know which one you are using?
I am doing a comparison between different password management solutions, and I want to list the libraries that are used, if they are open or if it has been developed internally.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • cohixcohix

    Team Member

    Well I can't speak for all of the teams, but for the CLI at least we use the libraries built in to the Go language, around which we've built thin wrappers. Even we avoid rolling our own crypto whenever possible :)

    I can ask around if you'd like and see if there are any special cases, but for the most part the given language's builtin crypto is used.

  • thanks @cohix, it would be great if you could ask what is the BigInteger library used for the web client?
    Webpack is heavily minifying the libraries and it's quite hard to get figure out which one is used by looking at the minified code.
    I have seen there are different projects created by independent developers to decrypt the vaults files, I may try to implement another one.

  • I ended up finding which one is used https://github.com/andyperlitch/jsbn

  • rickfillionrickfillion Junior Member

    Team Member

    jsbn does appear to be what's used in our webapp.


  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited December 2017

    Hi @deeeed!

    I know I'm jumping in here late, but yes, the choice of the JSBN library for the web-client was to pick something that is as cryptographically appropriate as possible for the environment. In particular, it does offer constant time exponentiation.

    On the whole, I'm not aware of what sorts of timing/energy attacks are available within a browser. I would not be surprised if someone developed a browser extension that was able to detect just how much computation was happening within a tab, but I'm not specifically aware of any.

    For the CLI, we have published the source for what we do with SRP, which is where big integers come into play: https://github.com/agilebits/srp

    The (overly verbose) documentation can be viewed on GoDoc.org. https://godoc.org/github.com/agilebits/srp

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file