Security: Re-encrypting entire vault contents

khad Social Choreographer

Team Member
edited January 2016 in Lounge
This discussion was created from comments split from: How safe is my data when I sync via Dropbox?.

Comments

  • Was wondering if someone could elaborate on this from the 1Password is Ready for John the Ripper link posted above by @JasperP:

    There is one other place that the distinction between encryption password and authentication password matters for users of 1Password. I will be writing about it more later, but in summary: it means that once you have a good 1Password Master Password, you should keep it for life. You gain no security by changing an encryption password frequently (indeed, it can hurt). So you should only change your 1Password Master Password if there is something wrong with your current one. I’ll talk more about changing passwords (when you should and when you shouldn’t) in a future article.

    Why would it hurt by changing an encryption/master password frequently? If someone were to change their master password for some reason, how would it "hurt?"

    Thank you for any info! :)

  • Jasper

    Team Member

    Hi @ScarySulley‌,

    Changing your master password does not change the underlying encryption keys. So if an attacker gets a hold of your old encryption keys, they could decrypt the key (and your current 1Password data) using the old master password.

  • @JasperP‌ So, is there going to be a simple way to re-build the keychain with new keys?

  • khad Social Choreographer

    Team Member
    edited July 2014

    Very good questions, @ScarySulley‌ and @RichardPayne‌!

    Background

    The solution we recommend is that people pick a good Master Password to begin with and then never change it. But of course there are cases where people do need to change a Master Password:

    • If your Master Password is weak, a strong one should be used.

    • If your Master Password is reused, a unique one should be used.

    What seemed like a good Master Password in 2008 may not pass muster today, and your Master Password should never be used anywhere else.

    As @JasperP mentioned, there is a marginal case in which changing your Master Password weakens your security. When your keychain is created a truly random encryption key is generated, and that key is used to encrypt your data. Let's call it your master key. The master key does not change when you change your Master Password. Your Master Password is used to encrypt your master key, and your master key is used to encrypt your data.

    So if an attacker can get hold of an "old" copy of your encrypted master key, they can attack that by going after the old Master Password. If they get hold of a new copy of your encrypted master key, they can attack that by going after your new Master Password. So depending on what an attacker has access to, a Master Password change can increase the attack surface.

    1Password is like other high security tools such as SSH and PGP/GPG in this regard. The actual key doesn't change with a password change, only how that key is encrypted.

    Since your Master Password protects a secret key that never actually changes, old copies of your key files (1password.keys, .1password.keys and encryptionKeys.js) will remain protected only by your old Master Password. Because your more recent data are encrypted with the same decryption key, then even those can be gotten at by cracking an old Master Password.

    How to re-encrypt

    You can export all your 1Password data to a 1Password Interchange File (1PIF) (File > Export). Be sure to export all items and choose the 1PIF option. Then move your old data aside and create a fresh 1Password data file (which 1Password will prompt about if it doesn't find a data file where it expects one). That new, empty, data file will have a new random key encrypted with your (new) Master Password. Then import from the 1PIF file. All the data will now be encrypted with the new random key.

    Note that, as the warning states when you create the 1PIF, the 1PIF is not encrypted; treat it very carefully.

    Be sure that your import works and that you have everything you need before wiping your old 1Password data. On a Mac you can securely erase the 1PIF using Secure Empty Trash or srm from the command line.

    Caveats

    • The modified time actually comes from the modified time on the file itself instead of from information within the file.

    • Old data will still be available on Dropbox if you have been syncing with Dropbox. To delete files from Dropbox backups, see their guide on this here:

      https://www.dropbox.com/help/40

      That process will remove the file and all of the previous versions from Dropbox. Also be aware that 1Password makes backups of your data on your computer. See Preferences > Backups > Show Files in 1Password to see where those are kept.

    Why this hasn't changed (yet)

    One thing to keep in mind is that our design "solves" a number of security problems that might not be obvious. Here are a few:

    1. There is a limited amount of data that should be encrypted under the same key.

      Now 1Password databases aren't getting that big (yet), but when you have a structure that allows people to add an unlimited amount of data, you need to use multiple keys.

    2. To get the full strength of 128-bit (or 256-bit) keys, those keys should be generated completely at random.

    3. To have a system where only the minimum amount of data necessary is decrypted at any single time requires separate keys for each item.

    4. Changing the Master Password should not be a process that takes many minutes during which a power failure or computer crash might leave data unusable.

    But this does leave the problem that a Master Password change does not have the effect that it might seem.

    For us the real problem is how to have something that is simple and straightforward to use, without people needing to study the details, that works in a way so that it makes it easy for people to behave securely and hard to behave insecurely. This really is the overriding goal of what we do here. As a consequence, 1Password presents itself to people as much much simpler than it really is. In nearly all cases that is a very good thing. But there are still those small number of cases where what is presented to people by 1Password can be misleading in a way that can lead them astray.

    And there is another problem. The problem is that sometimes we do have to make tradeoffs of defending against one kind of threat versus another. Although I acknowledge the downside of the choice that we've made here, it was not a tough decision. The security benefits of our design choice are overwhelming.

    We'd love to have a system that did everything, including conforming to intuitions about changing Master Passwords. Perhaps the next time you need to change your Master Password we will have a smoother process. (Though neither SSH nor PGP/GPG seem to have come up with anything better when faced with an analogous problem.) We'll keep exploring ideas, but we require that any such system do more good than harm.
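
The key hierarchy described in the post above, as an added example (not part of the original post and not AgileBits code): a random master key is wrapped under a password-derived key, a password change only re-wraps it, and a re-key replaces it. The `Vault` class, the 16-byte salt layout, the iteration count and the HMAC-based stand-in cipher are all assumptions chosen so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: low so the demo runs fast, not 1Password's setting

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC under `key` with a fresh random nonce."""
    nonce = os.urandom(16)
    pad = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, pad))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted data")
    pad = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

class Vault:
    def __init__(self, password):
        self.master_key = os.urandom(32)  # random, never derived from the password
        self.items = {}
        self._wrap(password)

    def _wrap(self, password):
        salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.keys_file = salt + seal(kek, self.master_key)

    def change_password(self, new_password):
        self._wrap(new_password)  # re-wraps the same master key; items untouched

    def add(self, name, secret):
        self.items[name] = seal(self.master_key, secret.encode())

    def rekey(self, new_password):
        # What export / fresh vault / import achieves: new key, all items re-encrypted.
        plain = {n: unseal(self.master_key, c) for n, c in self.items.items()}
        self.master_key = os.urandom(32)
        self.items = {n: seal(self.master_key, p) for n, p in plain.items()}
        self._wrap(new_password)

def open_item(keys_file, password, item_blob):
    salt, wrapped = keys_file[:16], keys_file[16:]
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return unseal(unseal(kek, wrapped), item_blob).decode()

def demo():
    vault = Vault("old master password")
    stale_keys = vault.keys_file  # old copy left in a backup or sync history
    vault.change_password("new master password")
    vault.add("bank", "item added after the change")
    via_old = open_item(stale_keys, "old master password", vault.items["bank"])
    vault.rekey("new master password")
    try:
        open_item(stale_keys, "old master password", vault.items["bank"])
        old_still_works = True
    except ValueError:
        old_still_works = False
    via_new = open_item(vault.keys_file, "new master password", vault.items["bank"])
    return via_old, old_still_works, via_new
```

`demo()` shows the stale keys file plus the old password opening an item created after the password change, and failing once the vault has been re-keyed.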

  • @khad‌,

    Wow, not gonna lie. That was over my head lol. I'll have questions to clear up some things as I continue to re-read it. But I do have some right now:

    It seems like to truly start over (new master key and new master password) you'd have to export your data as a 1PIF file and import that data into a new vault? And of course securely delete the old vault to remove all traces of it.

    The modified time actually comes from the modified time on the file itself instead of from information within the file.

    Can you please elaborate on this more? Does this refer to the created/modified time for each entry? What do you mean by modified time on the file itself instead of information within the file? Does starting over with a new vault/master key/password change what time/date shows when it's modified?

    Sorry for all the questions there! :)

  • @khad‌
    While the export/import method you mentioned would indeed work, it is neither simple to do, nor obvious. It also involves having large amounts of decrypted data hanging about.

    Can I suggest/request a File menu item to re-key the keychain? It would consist of the following steps:

    1) Backup the current keychain
    2) Rename the current keychain
    3) Create a new keychain with the original name (this would obviously generate all new keys)
    4) Prompt the user for their master password to encrypt the new masters.
    5) Iterate the renamed original keychain, decrypting each item and then write it out to the new keychain.
    6) When done, delete the renamed keychain (there is still the backup in case of problems).

    Basically, it should be a couple of button presses and an entry of the MP, not all of the faff that you outlined.

    @ScarySulley‌

    Does this refer to the created/modified time for each entry?

    I think it means that the new keychain will have modified dates all set to the date that you imported the 1pif files rather than the original edit date.
    @khad file modified dates can be changed I believe. In both my scheme (outlined above) or the export/import of 1pif files you should record the original modified date and update the new file to match.

  • khad Social Choreographer

    Team Member

    @ScarySulley‌ wrote:

    It seems like to truly start over (new master key and new master password) you'd have to export your data as a 1PIF file and import that data into a new vault? And of course securely delete the old vault to remove all traces of it.

    Exactly. That is the current process. It sounds like you understand it better than you think. :)

    The modified time actually comes from the modified time on the file itself instead of from information within the file.

    Can you please elaborate on this more? Does this refer to the created/modified time for each entry? What do you mean by modified time on the file itself instead of information within the file? Does starting over with a new vault/master key/password change what time/date shows when it's modified?

    The modified time on the 1PIF file will determine the modified time of the items in 1Password when you import them, so it could affect Watchtower results and any Smart Folders you have which are based on item dates, for example.

    @RichardPayne‌ wrote:

    While the export/import method you mentioned would indeed work, it is neither simple to do, nor obvious. It also involves having large amounts of decrypted data hanging about.

    Indeed, and I've made sure the suggestion(s) you outlined made it to the team for review. Thank you!

  • ScarySulley
    edited July 2014

    Exactly. That is the current process. It sounds like you understand it better than you think. :)

    Thanks! @khad

    So in essence, creating a new vault creates a new master key...you just need to get your data back in either via a backup 1PIF file or manually reentering them. Interesting to see how it all works behind the scenes.

    The modified time on the 1PIF file will determine the modified time of the items in 1Password when you import them, so it could affect Watchtower results and any Smart Folders you have which are based on item dates, for example.

    So if the modified time on an entry was 10:00am and the 1PIF file was 12:00pm, the modified time will now be 12:00pm? I assume the time would change to the new modified time as soon as you modified the entry?

    Getting nitpicky here, but how about the created time? How would that be affected?

    So if an attacker can get hold of an "old" copy of your encrypted master key, they can attack that by going after the old Master Password. If they get hold of a new copy of your encrypted master key, they can attack that by going after your new Master Password. So depending on what an attacker has access to, a Master Password change can increase the attack surface.

    This is going to sound like a stupid/obvious question, so bear with me...

    So if I copy my vault file to another location and change the master password for the original vault, the old vault can still be opened with the old master password (but not the new) since it is still associated with it? Likewise the new vault can only be opened with the new master password (but not the old). So same data/vault but two different master passwords/master keys?

    If I understand that properly, that does make sense and I could see how that could do 'harm.' Not to the actual data/vault, but to the security of the data/vault. There are basically two vaults with the same info, that each have their own master passwords/keys (two master passwords/keys that can access the same, but separate, vault). Although securely deleting the old vault (with the old master password/master key) would eliminate that 'harm' of having the same data able to be unlocked with two different master passwords/master keys. The old vault would be eliminated and you only have one vault and master password/key.

    Am I right or did I totally get that wrong? :D @-)

    I know I made that more complicated than what it is. lol

    Thanks though, I really do appreciate your assistance. Nice to see AgileBits has good ways for their customers to get information about such a secure type of product.

  • khad Social Choreographer

    Team Member

    We're delighted to be able to help. It's great that you are thinking about these things. :)

    With that said, you can forget most of this thread (which has surprisingly centered around that one caveat). Modified and created date are retained on import. In the past they were not, but they are now. I apologize for any confusion.

    Regarding old vaults, yes, they are not modified when changing Master Password. A backup can be opened using the Master Password it had when the backup was created. It would be nearly impossible to track down all your backups (some of which could be on external drives inaccessible to 1Password) to update the Master Password in them. (This is one of the differences between an encryption password and an authentication password.)

    This is actually a great help if someone forgets their new Master Password. They can restore the most recent backup prior to the Master Password change and only be missing data created since that backup rather than all of it. There are circumstances under which one might wish to delete backups using the previous Master Password, but it is a safety net that can come in handy. We suggest keeping that in mind when making such a decision.

    I hope that helps. Please let me know.

  • @khad
    Am I correct in saying that if an attacker has two cipher texts which are the same plain text encrypted with two different keys then this can present an opportunity to reduce the crack time over that which would be required to crack either of them individually?

  • jpgoldberg Agile Customer Care

    Team Member

    @RichardPayne‌ asked:

    Am I correct in saying that if an attacker has two cipher texts which are the same plain text encrypted with two different keys then this can present an opportunity to reduce the crack time over that which would be required to crack either of them individually?

    You are not correct.

    If m is encrypted using password p1 in one place, and is encrypted with p2 in another place, and if an attacker has both encryptions, the attacker will break the one with the weaker password first (on average).

    If m then can be used to decrypt a lot of other data, then that other data is made slightly more vulnerable by the fact that there are two different passwords that can get at it.

  • Thanks @jpgoldberg‌. Wonder what I read that gave me that impression.

  • jpgoldberg Agile Customer Care

    Team Member

    If you have distinct (but related) plaintexts encrypted under the same stream cipher key then you've got a problem. Note that "related" can simply be something like "both in ASCII" or "both in the same human language".

    Stream ciphers work by XORing the cipher text with a pseudo random sequence of bits. The "problem" comes from the (generally very useful) fact that XOR is commutative and associative.

    So the ciphertext of message 1 will be c1 = "stream XOR m1" and the ciphertext of message 2 will be c2 = "stream XOR m2". If the same stream is used for both encryptions, then

    c1 XOR c2 == m1 XOR m2

    During the 1940s, the Soviets made the mistake of using a "one time pad" (a truly random stream) multiple times. XORing multiple messages with the same stream led to messages being broken.

    Perfect, but brittle cryptography

    One of the interesting things about one time pads is that when done properly they offer true, absolute and completely unbreakable encryption. But one time pads are extremely brittle. Even the slightest deviation from the protocol can be catastrophic. It is extremely easy to go from perfect secrecy to virtually no secrecy. This is why people really should not try to build one time pad systems.

    CBC versus CTR mode

    We have a somewhat less dramatic case of this in the choice of block cipher encryption modes. You should never reuse the same key/IV pair for encrypting something. But the consequences are different depending on encryption mode. Making that mistake with CBC mode is bad. Making that mistake with CTR mode is catastrophic.

    So although there are some good reasons to prefer CTR to CBC, I tend to recommend that people stick to CBC because it holds up a bit better under the common sorts of mistakes that people make. (Our choice of CBC over CTR had to do with availability in CommonCrypto at the time. Also, the advantages of CTR over CBC are moot once you use authenticated encryption.)
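
The identity c1 XOR c2 == m1 XOR m2 from the post above, worked through as an added example (not part of the original post), together with a small guard that enforces the "never reuse a key/IV pair" rule. The two messages are constructed samples and `KeyIVGuard` is a hypothetical helper, not an API of any library.

```python
import hashlib
import os


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_demo():
    # Constructed sample messages of equal length.
    m1 = b"invoice 1041 approved by ops"
    m2 = b"wire 52,300 EUR on the 14th."
    stream = os.urandom(len(m1))      # a truly random pad ...
    c1 = xor(stream, m1)
    c2 = xor(stream, m2)              # ... used a second time: the mistake
    combined = xor(c1, c2)            # computed from the two ciphertexts alone
    return {
        # The stream has cancelled out completely.
        "stream_cancels": combined == xor(m1, m2),
        # "Related" plaintexts leak: two ASCII texts never set the top bit.
        "ascii_visible": all(b < 0x80 for b in combined),
        # Whoever already knows m1 reads m2 without ever learning the pad.
        "m2_from_m1": xor(combined, m1),
    }


class KeyIVGuard:
    """Refuses to release the same (key, IV) pair for encryption twice."""

    def __init__(self):
        self._used = set()

    def claim(self, key, iv):
        # Length-prefix the key so the key/IV boundary cannot be confused,
        # and store only a digest rather than the raw key.
        mark = hashlib.sha256(len(key).to_bytes(2, "big") + key + iv).digest()
        if mark in self._used:
            raise RuntimeError("key/IV pair already used; generate a fresh IV")
        self._used.add(mark)
        return iv
```

The guard only remembers pairs seen by the current process, so it complements generating a fresh random IV for every encryption rather than replacing it.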

  • edited July 2014

    Hi All,

    I used the hint in this thread to regenerate my master key by using local storage sync and not the pif file. I deleted my Dropbox sync and reestablished a new one after reimport. Afterwards I erased my data on the iOS devices and reestablished Dropbox sync.

    Question:

    • Does the Dropbox sync have its own master, overview and item keys (keys)?
    • Do the devices all have their own keys?

    Comment:
    Even as a technically savvy user I'm still not sure what effort is necessary to change keys. And I don't want to do more than necessary.
    There are circumstances where it is necessary to change master passwords.

    In my case I thought I had a good way to generate master passwords (Unix tools pwgen/mkpasswd), but after I checked the entropy I was sure Diceware is a far better choice.

    Conclusion:

    There should be an option in 1Password to rebuild all the keys and make sure that this is done across all devices automagically.
    Sure, that should not happen every time you change the master password.

    regards

    Random

  • Thanks @jpgoldberg‌, interesting as ever.

  • khad Social Choreographer

    Team Member

    @random_31731ec7aea‌, the keys are in the data file (vault) itself. They are synced across all your devices (but the Master Password used to decrypt them is never synced).

    I mentioned reasons above why changing the Master Password doesn't generate new encryption keys, but it could be a helpful option to have under some circumstances. Thank you for letting us know you are interested in this. I'll make sure the devs know you would like to see such an option. I myself have advocated for such an option in the past. I think I've changed my perspective over time a bit, but there will always be those edge cases where it would be helpful. And the export/import dance can be cumbersome in those cases.

  • prime

    I am so glad I read this, I want to change my master password because I feel it's not that good sometimes.

  • prime
    edited September 2014

    Ok, now I exported, deleted, but it didn't have me start over. I even deleted 1Password from my computer and when I reloaded it, it still asked me for my master password. Now while it was empty, I changed my master password, and then imported the file that I exported.

    I didn't know how to restart it like a new 1Password, so if this won't do it, I can do it over. My only issue is that I'm not sure how to start over.

    @khad‌, any suggestions?

  • I got it figured out. It seems with Mountain Lion that the Library folder is almost hidden or something. Anyways, all fixed!

  • After reading all this really helpful advice about the master password, I'm now also in the situation of changing my master password. How will the process work on iOS? There is no export/import.
    Thanks for some hints.

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @MichaelKaras‌,

    If you are not synching your 1Password data and keep it only on iOS, then the risk of data capture (particularly of old data capture) is really very small. So I don't think that you have much to gain by trying to do an export and a re-import.

    If, however, you really wanted to, both 1Password for Mac and 1Password for Windows are available as a free trial. So you could synchronize with one of those and then do the export business from there. While I would recommend that you sync to a desktop for other reasons (1Password is great on the desktop, and you will get more reliable backups), I think that going through this just to perform a rekeying and re-encryption of all of your data is just making things harder for yourself than they really ought to be.

  • jpgoldberg Agile Customer Care

    Team Member

    Hi @prime,

    I'm sorry that it has taken so long to get back to you. Yes, the actual data directories, particularly if you are using the Mac App Store version, are hard to find. I realize that this information would have been more use to you a few days ago, but we do have a guide which does show how to find all of these things. 1Password Knowledge Base: Starting Over

  • @jpgoldberg‌ I found that link and it was very helpful. Thanks!

  • Megan 1Password Alumni

    Hi @prime,

    I'm glad to hear that @jpgoldberg‌ was able to help. :)

  • As I was in the process of changing a password for an account, my efforts led me to consider also changing my master password (which by 1Password's standards is "Good", but I'd rather have "Excellent"). I should point out that I've used this master password from the start (roughly a couple of months, if that means anything).

    That effort led me to this forum where I found a reference to an Agilebits blog post: Toward Better Master Passwords. In this post, this comment was made: "But it is not a good idea with 1Password master passwords", meaning, not to change the password regularly, I think.

    So to clarify, is it not recommended to change the master password because:

    1) doing so puts you at risk of forgetting something so new, thus losing access to your protected information?

    Or is it because...

    2) there is some issue with the change not turning out right, meaning that there is the potential to have your devices not sync up right, for example?

  • DBrown 1Password Alumni
    edited September 2014

    I'll let @jpgoldberg‌ (the author of that blog post) reply here, as I'm sure his answer will be more comprehensive.

  • Thanks, DBrown.

  • jpgoldberg Agile Customer Care

    Team Member

    Hello @phoenixrizing‌!

    I'm sorry that it has taken me so long to get back to you.

    Your guesses are good, but the actual basis for the advice is more subtle. Suppose that you change your Master Password on Monday and add a new item on Tuesday. If an attacker gets a hold of the right combination of old and new data, they may be able to decrypt your new item (created Tuesday) with the old (prior to Monday) Master Password.

    This is discussed in far more detail in the discussion thread "Security: Changing Master Passwords". (I will try to actually merge your query into that discussion.)

This discussion has been closed.