On The Security of Password Manager Database Formats

Hi AgileBits,

Are you aware of the following PDF document that compares various Password Manager Database Formats?
https://www.cs.ox.ac.uk/files/6487/pwvault.pdf

I'm not sure when the document was published but it makes for interesting reading, especially where 1Password is concerned:

Format Description.
1Password stores its database in multiple files. Each file contains a database entry, stored in JavaScript Object Notation (JSON). Entries are listed in an index file called “content.js”. 1Password allows users to select a different “security level” for each record [3].

The lowest security level corresponds to unencrypted entries, while the highest level means that sensitive fields, such as username and password, are encrypted with a key derived from the user’s master password. Regardless of the security level, some fields, e.g., the title of an entry, are never encrypted. We analyze the protection offered by the highest security level.

The encryption scheme used is AES-128 in CBC mode. Neither the records nor the index file are integrity protected. As a result, database corruption is only detected when the JSON parser fails to process the database.

Security Analysis.
1Password’s database format is affected by vulnerabilities that give adversaries a non-negligible advantage in both the IND-CDBA and
MAL-CDBA games. Advr can win IND-CDBA with probability 1 as follows: Advr builds two samesize record-sets RS0, RS1 such that there exist two records r0, r1 from RS0 and RS1 respectively, which differ in at least one of the following fields: title, location, locationKey, createdAt, updatedAt or typeName. These fields correspond to: the title of the record, the record URL, the URL used by the browser plugin to perform auto-complete, the time of creation and last update and the type of record (e.g., web form, protected note, credit card information). Since these fields are never encrypted, Advr can trivially determine bit b by testing which record belongs to DBb. In practice this means that an adversary with access to a 1Password database can read these fields and thus gather sensitive information about the user’s browsing habits.

Advrw can win the MAL-CDBA game with probability 1 as follows. Advrw selects an arbitrary record-set RS and receives the corresponding database DB. Then, Advrw can (1) alter any of the fields listed above, and/or (2) remove any entry by deleting the corresponding database file and altering the “content.js” index file correspondingly. In general, as long as the database is still composed of a set of correct JSON strings, 1Password will not show any warning. In practice, this means that an adversary can mount phishing attacks by replacing a legitimate URL with one pointing to an adversary-controlled website.

Additionally, if Advrw outputs at least two record-sets, say RS 6= RS0 and receives the corresponding databases DB, DB0 in the MAL-CDBA game, it can construct DB00 selecting records from both DB and DB0. This allows an adversary, among other things, to replace individual records in a database with older versions.

From reading this, it sounds like plain-text URLs are the issue - Is there any way you guys can encrypt URLs?

Being a software developer by trade, I know you've probably left those as plain-text to facilitate lookups from the browser when you're on a specific page. However, is there no way you could encrypt those URLs on save and decrypt/cache them for lookups? Surely that would negate the assumptions made above and provide better overall security for 1Password?

Regards,
Graham

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided