The continuing evolution of security in 1Password 4

Security is a process, not a product.
— Bruce Schneier

In 1Password 4, we have built upon the security features of previous versions while also looking further in the future to anticipate new threats and take advantage of new technology. Security is a a never-ending process, and because 1Password 4 is a major redesign, we’ve had the opportunity to make a number of substantial changes. In this article describes both the changes and also some of what has remained the same.

What hasn’t changed in security for 1Password 4?

  1. We maintain our goal of making it easy for people to behave securely.
  2. 1Password continues to use well trusted standard library implementations of cryptographic functions
  3. 1Password continues to use PBKDF2 to slow down automated Master Password guessing systems
  4. 1Password continues to do all of its encryption on your local device
  5. 1Password never writes decrypted data to disk nor transmits your data
  6. We have no information about you or about your 1Password data. We have neither the means nor the desire to violate your privacy.
  7. Data design allows for single items to be decrypted as needed.
  8. We continue to be open about the security design within 1Password

What’s New

Data integrity checks

The new Cloud Keychain format is tamper resistant. A Message Authentication Code or MAC derived from your master password is used to check that your data hasn’t been modified, either by accident or maliciously. This defends against what are called Chosen Ciphertext Attacks (CCA) and also against other mischief that can be done through tampering with your data.

For those who love details, all encryption is now authenticated encryption using an Encrypt-then-MAC construction with HMAC-SHA256. Most associated data is also subject to integrity checks using HMAC-SHA256.

It’s all encrypted

As promised, the Cloud Keychain format encrypts pretty much every bit of information about an item. Exceptions are things like modify time and creation date. We have been moving toward this goal for some time, and we’re delighted that we have found a way to do this while still allowing you to efficiently list and locate items in your 1Password data. This has been achieved while still only fully decrypting a single item at a time as needed.

With the release of 1Password 4 for iOS, we now have three data formats that encrypt everything using AES with 256-bit keys. These are the new Cloud Keychain format, the SQLite data format used directly on iOS, and the SQLite data formats used by our browser extensions for 1Password for Mac and 1Password for Windows.

Less reliance on the iOS keychain

1Password now uses the same Master Password across devices. This, along with our modular sync process, simplifies automatic synchronization on mobile platforms.

In 1Password 3, synchronization required decrypting the changed item using the Master Password for the system where the changes were made (source) and then re-encrypting with the Master Password on the system that is being updated (destination). As a consequence, 1Password 3 for iOS needed to store your desktop (source) Master Password in the iOS keychain for automatic synchronization. With 1Password 4 for iOS, that storage is no longer necessary.

And we can be truer to our name with just one password.

One security level to rule them all

Instead of high and low security levels for items in 1Password 3, everything is now high security in 1Password 4. This change is only noticeable in 1Password 3 for iPhone, which is the only app in which security levels were used.

There had been a fair amount of confusion about how security levels worked within previous versions of 1Password, and some of that confusion led to people using 1Password in some insecure ways. When a substantial number of people use it wrong, it tells us that there is a problem with our design. Furthermore, because 1Password now protects the things like Title and URL, the list of items cannot be displayed without some decryption.

256-bit encryption keys

1Password 4’s new Cloud Keychain and the current SQLite formats use 256-bit encryption keys. Faster hardware and cleverer software mean that we can now add this much requested feature.

128-bit symmetrical keys remain more than sufficient for security against brute force attacks against the key, but as the machines we use able to perform AES encryption extremely efficiently, there is now no longer any reason not to move to 256-bit keys.

We are aware that there are design problems with the AES key schedule for 256-bit keys and that progress is being made on exploited those design problems to create related key attacks.

When applications are designed correctly, there should be no opportunity to use a related key attack; and so, these concerns about AES with 256-bit keys have no security implications for 1Password. All encryption keys are created using a cryptographically-appropriate random number generator.

Even more cracker resistant

We’ve always taken the lead on building data formats that are designed to resist automated Master Password guessing software with our early adoption of PBKDF2 in the Agile Keychain format. In 1Password 4, we use SHA512 within PBKDF2 which will further slow down attempts to crack passwords using GPUs.

Modular sync architecture

There are radical, under-the-hood, changes to how data synchronization is approached. The new design allows for synching to be quick and efficient, while making the the synchronization process even more secure.

The tasks of translating the data from the sync storage format to the format used locally on your computer and device is now separated from the task of actually transferring the encrypted data from one place to another. This means that the data transfer can happen safely occur with only the sync service credentials. While the data translation, between the format used for synching and efficient database used directly by 1Password on your computer or device, can happen quickly once you have unlocked 1Password with your Master Password that is stored only in your head.

By separating these processes 1Password can perform the “slow” part of the operation without needing access to your encryption keys. But once you unlock 1Password, the data translation can take place swiftly.

In some cases these two processes are still combined, such as when WiFi or USB synching is used. With these you have complete control over when, where, and how your encrypted data travels among devices.

Quick Unlock in 1Password 4 for iOS

We have redesigned Quick Unlock from the ground up. The goal is to allow people to be able to use 1Password without having to enter their Master Password too frequently.

The Quick Unlock Code does not encrypt or decrypt your 1Password data. Instead it is to grant you access to the 1Password app itself. This allows you to have a strong Master Password for your data (that you may not wish to type as often) but still have your 1Password data unavailable if you hand your phone or iPad to someone.

1Password is remembering your Master Password (well, actually the keys derived from it) when you switch away from the app and then allowing you to reopen the app with a four-digit Quick Unlock Code. Settings for the Quick Unlock Code and Master Password are configurable in Settings > Security in the iOS app.

We have some great tips and full details of how to tune your auto-lock settings to work best for you.

If you (or anyone) enters the Quick Unlock Code incorrectly just once, 1Password will immediately lock your data, requiring your full Master Password to be entered.

Finer clipboard control (iOS)

When you copy any data in 1Password to paste it elsewhere, 1Password will automatically clear it from the clipboard for you by default. You can set this in Settings > Security.

(Almost) no cryptography in Javascript (Mac and Windows browser extensions)

1Password 4 shifts much of the work that had been done in the 1Password 3 browser extension (JSE3) to the 1Password Mini. 1Password 4 browser extension (JSE4) does not need to handle an encrypted database, unlocking, item decryption, or searching.

With 1Password 4, we can avoid some of the challenges that come with doing cryptography in JavaScript, including (among others) limited performance, limited memory management, and operating within the potentially more hostile environment of a web browser. Moving cryptography to 1Password Mini also reduces the number of copies of your encrypted data stored on your local machine, as the browser extensions no longer need to maintain their own database.

Do security improvements in 1Password 4 mean that 1Password 3 is unsafe?

1Password 3 for iOS/Mac and 1Password for Windows remain safe in the same way that a third generation iPad remains a great device even after Apple released a newer model. We have always worked to design systems that defend against future threats, and so the security enhancements in 1Password 4 are looking toward the future.

Who gets to use the new data format?

Everyone using 1Password 4 for any platform is already using the new data design for their data stored locally. This began with 1Password 4 for iOS in December, 2012 and continued with 1Password 4 for Mac in October, 2013. This will continue to be rolled out to other platforms.

To ensure that data synchronization continues to work for everyone, the rollout of the 1Password 4 Cloud Keychain Format as a replacement for the Agile Keychain format is more cautious. Details and updates can be found in our 1Password 4 Cloud Keychain Format [rollout document].

Copyright © 2014 AgileBits Inc.