Why only 2048 bits for account private keys?

@OutboundRadiographer:

Yes but they won’t need to break that encryption, right? To get the contents of a vault they just need to break the encryption around the vault key which is encrypted with the public key using 2048-bit RSA. If they can use a brute force search to guess the private key then none of the master password, secret key, derived keys or AES wrapping would matter, right?

Brute forcing is always an attack option that is available to you, so in this sense yes, you could just ignore everything else and just try every possible key combination. If you decide to go that way though, the question at this point becomes the feasibility of such an attack. I am not aware of a way to brute force RSA 2048 with current computing power, in the near future. Even the NIST guidelines currently recommend at least 2048 bits [1].

Should you be aware of ways to make such a brute force attack feasible against RSA 2048 with current computing power though, I would love to read more about it. Factorization is a very difficult mathematical problem: there are typically (much) easier ways to get into a system than a brute force attack against RSA.

If that encrypted blob is taken from 1Password servers, though, AgileBits wouldn’t be able to upgrade the level of encryption on that copy after the fact, right?

Correct. The copy that is now outside of our server cannot be upgraded.

If I’m looking at this correctly then:

• Breaking a 2048-bit cipher is all that is needed to get at the vault contents

You make this sound easy :P

• And if 2048-bit becomes crackable within the next 5–10 years
• Then someone that managed to steal my encrypted blob off the server today could access the contents of my vault in 5–10 years and there’s no way AgileBits nor I could stop them (once they have that particular copy)
  Does that sound right?

Correct. May I ask what the specific threat model you have in mind is though? I would argue that, due to the nature of data stored inside 1Password, a lot of the Login items and Passwords inside it might be outdated in 10 years, and so the bigger threat would be someone getting that data and managing to decrypt it now.

Also, in case you become aware of a threat such as this, you could also argue that you have 10 years to update your passwords and make the stolen copy of the data useless at that point.

[1] - NIST Special Publication (SP) 800-57 Part 3, Rev. 1 - Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance

@XIII:

Ideally we would notice and send out a notification to the user's registered email address.

@OutboundRadiographer:

I’m thinking about organized crime using cybercrime-as-a-service, botnet computing resources and criminal-built clouds. Criminals with the ability to rent large amounts of computing power and hacking skill.

I think we have hit the nail on the head here. Certainly this is a possible scenario, but would switching to RSA-3072 cancel this threat for you? Surely you could then just say that the criminals will need just some more power, and we will be back at square one (I am playing devil's advocate here).

My problem with this is that if we do that switch now, there will be another user in a few weeks commenting about the same thing, and about why we are not using RSA 4096 instead. We could certainly just keep increasing this, but I don't think we should do it just for the sake of doing it, and only offer a perceived security benefit.

We definitely will have to do the switch one day or another (computing power will keep increasing after all), so please don't take this as "we don't want to do this". Indeed, as I mentioned some posts ago, we built 1Password so that changes such as these will be possible without a crazy amount of effort. I just think that if a cybercriminal organization is targeting you, and has ability to rent large amounts of computing power as you said, it will just rent some more. Remember, this is someone who really, really wants your secrets, not just valuable information in general.

I would also like to offer a different perspective on the calculations though. So far we have exclusively focused on time needed, but I would like to take a look at the cost involved in such an attack, which (especially in your scenario where the attacker is organized crime) is often more important than the time variable. The cost for such an attack can easily be in the millions of dollars (we ran a password-cracking competition last year, so while this is not strictly related to this, it offers some interesting calculations [1] [2]). Unless you are a high-value target, or if someone is targeting you specifically, you need to ask yourself whether your data is actually worth the money and effort put in by the attackers. Especially if they don't target you specifically, but are just on the lookout for useful stuff.

I’m thinking about the data breaches that happen every year affecting companies like Target, Yahoo and Equifax. In particular, breaches like the one LinkedIn suffered where it was 4 years before they discovered 100 million accounts had been disclosed.

Hang on though: those breaches hardly ever (or at least not that I know of) attacked the encryption of these services. Those breaches happened because data was not encrypted in the first place, or a machine was not properly secured and segregated, or an employee made a mistake, or because of social engineering, or malware etc. Encryption is usually the strongest link of the chain, it is much easier to attempt to break things in other ways.

[1] https://discussions.agilebits.com/discussion/comment/469944/#Comment_469944
[2] https://discussions.agilebits.com/discussion/comment/470503/#Comment_470503

Thank you all for your support. There will be times when accidents of history and the pragmatics of how software does get developed mean that some aspects of design, while providing the security and privacy we want to provide, can be a bit messy. Our view is that if we are going to offer a security product to people then we have to be open and transparent about design and implementation decisions, even when they reveal some messiness.

I think that it also helps to make it clear that we understand the choices we make, whether we make them implicitly or explicitly. Misaligned security levels is a cryptographic hygiene issue. And its something that we've been wanted to clean up. 256 bit EC key pairs (giving us a 128 bit security level) will go a long way to doing so, but there are things that we need to do first, and these things take time.

Common code base to make all-client changes easier

One of the things we have been working on for well over a year is to provide a common code base for 1Password clients. Because of how 1Password works, pretty much all of the cryptography is in the software running on your local machines. For the most part, our server only sees encrypted blobs. So any change has to work in 1Password for iOS, 1Password for Mac, 1Password for Windows, 1Password for Android, 1Password X, 1Password web-app, the 1Password Command Line Utility, and the 1Password SCIM bridge. (The first two share a great deal of code with each other and so do the last two).

With more common code, we will be able to roll out features and improvements to all clients more quickly. This, as I like to say internally, also allows us to put all our bugs in one place¹. Thus making them easier to prevent, spot, and fix. But this also posses some difficult choices with respect to cryptography. On the whole, it is best to use the cryptographic libraries that come with the platform native software development kits. For iOS and Mac, this means that for the underlying cryptographic primitives we should be using Apple's Security Framework and CommonCrypto while for Windows it means that we should be using Microsoft's Cryptographic API: Next Generation, and so on for different systems.

So we have to do some work to make some of the cryptographic functions in our common code actually be system dependent. On the the other hand, as cryptographic packages for Rust improve, we help might not have to rely so heavily OS native APIs. But we get some portions of FIPS-2² compliance for free by using the OS provided SDKs. So all of this helps illustrate the messiness of these kinds of choices. And many of the choices will be heavily influenced by what is practically and usably available at the time.

Anyway, this post all started out as a simple "thank you". But I kind of got carried away.

Me too. I love when Jeff expounds on 1Password's security model. :+1:

Ben