1Password cryptographic library

deeeed
Community Member

Hi,

That might not be the right place to ask but...
Is there a way to know the list of cryptographic libraries used by the software (for example, I noticed that you use sjcl for the web)?
You also mention BigNum libraries; is it possible to know which one you are using?
I am doing a comparison between different password management solutions, and I want to list the libraries that are used and whether they are open or have been developed internally.

Thanks



Comments

  • cohix
    1Password Alumni

    Well, I can't speak for all of the teams, but for the CLI at least we use the libraries built into the Go language, around which we've built thin wrappers. Even we avoid rolling our own crypto whenever possible :)

    I can ask around if you'd like and see if there are any special cases, but for the most part the given language's builtin crypto is used.

  • deeeed
    Community Member

    Thanks @cohix, it would be great if you could ask which BigInteger library is used for the web client.
    Webpack is heavily minifying the libraries and it's quite hard to figure out which one is used by looking at the minified code.
    I have seen there are different projects created by independent developers to decrypt the vault files; I may try to implement another one.

  • deeeed
    Community Member

    I ended up finding which one is used: https://github.com/andyperlitch/jsbn

  • jsbn does appear to be what's used in our webapp.

    Rick

  • jpgoldberg
    1Password Alumni
    edited December 2017

    Hi @deeeed!

    I know I'm jumping in here late, but yes, the choice of the JSBN library for the web-client was to pick something that is as cryptographically appropriate as possible for the environment. In particular, it does offer constant time exponentiation.

    On the whole, I'm not aware of what sorts of timing/energy attacks are available within a browser. I would not be surprised if someone developed a browser extension that was able to detect just how much computation was happening within a tab, but I'm not specifically aware of any.

    For the CLI, we have published the source for what we do with SRP, which is where big integers come into play: https://github.com/agilebits/srp

    The (overly verbose) documentation can be viewed on GoDoc.org: https://godoc.org/github.com/agilebits/srp

This discussion has been closed.