Agilebits 1Password support and Design Flaw?
(04-16-2013, 05:28 PM)jpgoldberg Wrote: This design flaw is certainly real, [...]

I don't want to quibble about the meaning of the word "flaw", so I'll try to summarize the key points in my own terms to see if I have it right.

First, you have sped up PBKDF2 with the optimization of decomposing the HMAC calls, so that you don't calculate SHA1(opad XOR key) and SHA1(ipad XOR key) separately for each round. Instead you calculate those only once.

If that is what you mean by cutting the hash calls in quarter, then it should be noted that this is a general PBKDF2 optimization and nothing specific to 1Password. Also unless you have specific reason to believe that our use of PBKDF2 doesn't make use of that optimization, then this is a bit of a wash. This optimization is available to defenders as well as attackers. (Although, I don't actually know whether we make use of this optimization on all platforms, as it depends on the innards of the crypto libraries we use.)

The second point is that you've found that by checking the padding, you can avoid having to do the full CBC decryption on the data. That is, you can use one AES operation instead of one per each block + IV. I believe that this is a fairly standard optimization. And any system that has a "verify if this decrypted correctly" is going to give attackers a fairly quick test once they have a candidate derived key. Again, I'm not familiar with hashcat or how these things are done, but I wouldn't have assumed that this was all "standard practice."

In the new format that I mentioned, we actually make this last bit easier for you (by design). Because we use an Encrypt-then-MAC construction, you can check a derived hmac key from your candidate password to just check the HMAC tag, without having to perform any AES operations.

There are definitely flaws with using unauthenticated CBC mode as we do. But I'm not sure that the optimizations you point out reflect what I might call a "flaw". Have I misunderstood the nature of what you are doing?



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
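The PBKDF2 optimization discussed in the post above (hashing the ipad- and opad-padded key once and reusing those two hash states for every iteration) is shown below as an added example; it is not code from the thread or from AgileBits. It uses only the Python standard library, and the `matches_stdlib` check confirms that the result is identical to `hashlib.pbkdf2_hmac`, which is the defender-side point: the derived key is unchanged, so a library that applies the optimization gets the same speed-up an attacker does. The function names and the sample password/salt are constructed for this example.

```python
import hashlib
import hmac
import struct


def precompute_hmac_states(key: bytes, hash_name: str = "sha1"):
    """Return the two partially-hashed states (ipad, opad) for an HMAC key.

    Standard HMAC pads the key to the hash block size, XORs it with 0x36 / 0x5C
    and hashes each padded block at the start of the inner and outer hash. Those
    two compressions depend only on the key, so they are computed here once.
    """
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:                      # long keys are hashed first (RFC 2104)
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key))
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in key))
    return inner, outer


def hmac_from_states(inner, outer, msg: bytes) -> bytes:
    """Finish an HMAC from precomputed states; only the message bytes are hashed."""
    i = inner.copy()
    i.update(msg)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def pbkdf2_precomputed(password: bytes, salt: bytes, iterations: int,
                       dklen: int, hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898) with the ipad/opad states of HMAC(password) reused."""
    inner, outer = precompute_hmac_states(password, hash_name)
    hlen = inner.digest_size
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(password, salt || INT(i)); T_i = U_1 XOR U_2 XOR ... XOR U_c
        u = hmac_from_states(inner, outer, salt + struct.pack(">I", block_index))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_from_states(inner, outer, u)
            for j in range(hlen):
                t[j] ^= u[j]
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """True when the optimized derivation equals hashlib's PBKDF2-HMAC-SHA1."""
    reference = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return hmac.compare_digest(pbkdf2_precomputed(password, salt, iterations, dklen), reference)


if __name__ == "__main__":
    # Constructed sample input; the RFC 6070 test vector for c=1 is also checked.
    print(pbkdf2_precomputed(b"password", b"salt", 1, 20).hex())
    print("matches hashlib:", matches_stdlib(b"password", b"salt", 1000, 20))
```

With SHA-1 and a 20-byte message, a naive HMAC costs four compression-function calls per iteration (two key-padded blocks plus two message blocks); reusing the precomputed states drops that to two, which is the saving the post refers to. Nothing about the derived key changes, so this is purely an implementation-speed matter for whoever runs the KDF.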
