Security

Scuba629
Community Member
edited March 2016 in Families

Maybe a random or odd question, but can someone using a program like Wireshark get my master password? My guess would be yes, but not the account key? Unless they were using the program when my account key was generated? I created my account at work and worry now that some of my data might be available to them.

http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

edit: Sorry, I forgot to add I'm using the latest version of Chrome


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • tommyent
    Community Member

    @Scuba629 no, your password is never sent over wifi. Also, your key is generated locally, so there is no way to capture it when it was generated. That being said, if it was a public machine or work computer, there are other ways to get the info.

  • jpgoldberg
    1Password Alumni

    Hi @Scuba629, @tommyent is correct.

    First of all the attacker would need to be able to get past the TLS security layer, which isn't going to be easy. But let's suppose that the attacker can get past that.

    Magic

    Your Master Password is never transmitted, nor is your account key. There is even a bit of mathematical magic which means that during a login to your Families site, no secrets are transmitted.

    1Password calculates a number, x, from your Account Key and your Master Password (and from some non-secret stuff as well). And when you first sign up, it also calculates a related number from x called v (for "verifier"). When you first sign up, v gets sent to the server, so the server will know v only.

    Proving you know a secret without revealing it

    Now the really cool part is that because of the way that v is created from x it is possible for 1Password on your machine to be able to prove to the server that it knows x but without revealing any secrets whatsoever in the process. Furthermore, it is possible for the server to prove to 1Password on your machine that it knows v, again without revealing any secrets. So someone listening in to that communication (even if they get past TLS) will learn nothing. Furthermore, they won't even be able to "replay" what they recorded from that session because the way that the server and 1Password prove to each other that they know v and x is different each time. (The math is the same, but random numbers are used for each session.)

    Key exchange

    To make things even cooler (ok, perhaps the kinds of things that I think are cool aren't what everyone thinks is cool), during the process of 1Password and the server proving to each other that they know x and v, they also create a session key that is used for another layer of encryption for the rest of the session. Again, this is done in a way that even someone listening in on the whole conversation will not be able to figure out what the key is.

    The buzzwords

    The jargon is that 1Password uses a PAKE known as SRP which is based on Diffie-Hellman Key Exchange.
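The exchange described in the comment above (x derived on the client, only v handed to the server, mutual proof with fresh random numbers each session, and a session key produced along the way), as an added example that is not 1Password's code: a minimal SRP-6a run in Python over the RFC 5054 1024-bit group with SHA-256. The `derive_x` step is a hypothetical stand-in, since the thread does not say how 1Password derives x from the Account Key and Master Password, and a real deployment would use a slow KDF there.

```python
import hashlib
import secrets

# RFC 5054 1024-bit SRP group (assumed copied correctly from the RFC; the
# group and KDF 1Password actually uses are not given in the thread above).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def derive_x(salt: bytes, account_key: str, master_password: str) -> int:
    # Hypothetical stand-in for "x from Account Key and Master Password".
    return H(salt, f"{account_key}:{master_password}".encode())

def enroll(account_key: str, master_password: str):
    # Sign-up: the server receives (salt, v) only; x never leaves the client.
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(salt, account_key, master_password), N)

def login(record, account_key: str, master_password: str):
    # Returns (session key or None, the values an eavesdropper sees on the wire).
    salt, v = record
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1  # fresh per session
    A = pow(g, a, N)                      # client -> server
    B = (k * v + pow(g, b, N)) % N        # server -> client
    if A % N == 0 or B % N == 0:          # each side must refuse a degenerate value
        return None, ()
    u = H(pad(A), pad(B))
    x = derive_x(salt, account_key, master_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)   # equal to S_client only if x matches v
    K_client = hashlib.sha256(pad(S_client)).digest()
    K_server = hashlib.sha256(pad(S_server)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()   # client -> server
    if M1 != hashlib.sha256(pad(A) + pad(B) + K_server).digest():
        return None, (A, B, M1)            # server rejects: client does not know x
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()       # server -> client
    ok = M2 == hashlib.sha256(pad(A) + M1 + K_client).digest()  # client checks server knows v
    return (K_client if ok else None), (A, B, M1, M2)
```

Nothing on the wire (A, B, M1, M2) is x, v or the password, and because a and b are regenerated every run, two logins with the same credentials produce different transcripts and different session keys.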
