04-16-2013, 05:28 PM
[Disclosure: I work for AgileBits, the makers of 1Password]
This design flaw is certainly real, and is one of the many reasons why we have started migrating to a new design. In short, when the Agile Keychain Format was designed (in 2008), we weren't aware of all of the various problems that come from using unauthenticated CBC mode encryption.
I could plead that we were in reasonably good company in making that kind of error, but as I've since learned, research in academic cryptography had been telling people not to use unauthenticated encryption for more than a decade. This is why today we aren't just looking at the kinds of attacks that seem practical, but we are also paying attention to security theorems.
The new data format which we are tentatively calling the 1Password4 Cloud Keychain Format (until we can come up with a better name) was introduced in December 2012 for 1Password 4 on iOS and it will be rolled out to all platforms in the not so distant future.
We still use CBC in the new format, but padding is random (the length of the pad is stored outside of the ciphertext), and we use an Encrypt-then-MAC construction for authenticated encryption with additional data. Key derivation now involves PBKDF2-HMAC-SHA512.
You can read the full details of the encryption and key derivation in
http://learn.agilebits.com/1Password4/Se...esign.html
Although our source isn't open, we've tried to document this well enough that people can develop their own tools for decrypting the data. Indeed, several have done so.
And thanks for posting your results. We need to be able to advise 1Password users on their selection of Master Passwords, and your crack rates play a central role is devising that advice.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
This design flaw is certainly real, and is one of the many reasons why we have started migrating to a new design. In short, when the Agile Keychain Format was designed (in 2008), we weren't aware of all of the various problems that come from using unauthenticated CBC mode encryption.
I could plead that we were in reasonably good company in making that kind of error, but as I've since learned, research in academic cryptography had been telling people not to use unauthenticated encryption for more than a decade. This is why today we aren't just looking at the kinds of attacks that seem practical, but we are also paying attention to security theorems.
The new data format which we are tentatively calling the 1Password4 Cloud Keychain Format (until we can come up with a better name) was introduced in December 2012 for 1Password 4 on iOS and it will be rolled out to all platforms in the not so distant future.
We still use CBC in the new format, but padding is random (the length of the pad is stored outside of the ciphertext), and we use an Encrypt-then-MAC construction for authenticated encryption with additional data. Key derivation now involves PBKDF2-HMAC-SHA512.
You can read the full details of the encryption and key derivation in
http://learn.agilebits.com/1Password4/Se...esign.html
Although our source isn't open, we've tried to document this well enough that people can develop their own tools for decrypting the data. Indeed, several have done so.
And thanks for posting your results. We need to be able to advise 1Password users on their selection of Master Passwords, and your crack rates play a central role is devising that advice.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com