Need the salt from 1password

baumduke

Hi everybody,



I have to do a thorough security validation/analysis of 1password at my company for the bosses to decide if they want to allow 1password within the company or not.



To start with this task I need to find out the value of the salt that 1password uses together with my master password to generate the encryption key with PBKDF2. Google didn't help my on the search for finding the salt value and I didn't find it here in the forums either.



Just to be sure I have the correct values for PBKDF2:



Used Algo: PBKDF2_HMAC_SHA1

rounds: 1000

key length: 128 bits



Thanks for any help.

baumduke

I just need to know the location where my users salt for creating the salt+pw hash is stored

so that I can verify the security of 1password.



Is there nobody around who can tell me where the salt of my user is stored?

DBrown

Welcome to the forum, baumduke!



I've asked the developer for the details, and I hope we'll hear from him soon. I'm sorry that I don't know the answer myself, but it's simply never come up.



Thanks for your patience!

baumduke

Thanks for relaying my question to the developers.



I'm going to check this topic out later, to see what the developers can say.

Stefan von Dutch

We pre-pend every encrypted item with a new, random salt. There is no such thing as a "salt-per-user", and the salt isn't stored anywhere else. It is pre-pended to the encrypted material.

baumduke

I'm not sure if I understand this correctly. So you mean that every encrypted item has the salt prependend?

Like the first x bytes are the salt and the rest is the encrypted item itself?



I just need to be able to reproduce what 1password does so that 1password will be allowed for in-company use.



Thanks for you answer.

jpgoldberg

Hi baumduke,



It looks like you are asking two separate questions. One is about how the master password is encrypted and the other is how each item is encrypted.



Your master password is is used to encrypt a random 128 bit "decryption key" which in turn is used to encrypt and decrypt your data. Please take a look at articles listed in the "Architecture, Design and Security" section of our [url="http://help.agilebits.com/1Password3/knowledgebase.html"]knowledge base[/url] to get the picture of how these are split up.



Because the decryption key is fully random there is no need to salt that key derivation. There simply is no scope for an attacker to use pre-cooked tables or look for collisions. (I am tempted here to digress into talking about the Birthday Paradox, but I'll refrain from doing so). Even though salting is unnecessary here, we use eight bytes of random salt.



When your data is encrypted with a your decryption key (where salting does matter), then the salt is also eight bytes of cryptographically appropriate random data.



Earlier versions of 1Password used the OpenSSL crypto libraries and as we've moved to CommonCrypto on the Mac and iOS and other standard libraries on Windows, we've kept with the "openssl enc" standard practice of prepending the salt with "Salted__", leading to 16 bytes of salt, eight of which are random.



Again, I'm not entirely certain what you are asking about, but I hope that this answered your question.



Cheers,



-j

baumduke

Hi JBGoldberg



you are right, I am asking two questions cause I need to know in detail how the whole process works so that I can reproduce it and verify that 1password works as it should in terms of security.



So therefore I first need to know how exactly the encryption key is created and then how it is used to encrypt the data.



I think the link to the knowledge database you provided me is for Mac Only. Can you please provide me with the Windows link?

I will have to reproduce it on a Windows host as I don't use MacOS.



Thanks

Stefan von Dutch

[quote name='baumduke' timestamp='1320827148' post='53834']

I think the link to the knowledge database you provided me is for Mac Only. Can you please provide me with the Windows link?

[/quote]



The architecture, design and security of our database is identical for both Mac and Windows. It is a cross-platform product.

jasimop

I would like to reactivate this discussion as I have similar requirements and need some extra information.

I need to be able to write new passwords to a central 1Password keychain.

For nearly all fields it should be simple, as I could just put a textfile with 1password extension and JSON data into the datafolder.

But I have some problems when it comes to the used encryption/decryption strategy.



The basic settings are already mentioned in this thread and I had a look at the javascript implementation in the

1Password.html, but some things are not clear to me.



In the encryptionKeys.js what are the entries named SL5 and SL3? Are these the encryption keys for the data, encrypted with

my password? What does data then contain?



Could you please provide info on how to encrypt, decrypt the data?

And how is checking for the right password done? Is SL3 the encrypted password?

I already tried to implement my guess on how this works (with [color=#282828][font=helvetica, arial, sans-serif]PBKDF2, 1000 rounds etc.)[/font][/color][color=#282828][font=helvetica, arial, sans-serif]but can't decrypt anything meaningfull or create the same encrypted value for my password.[/font][/color]

[color=#282828][font=helvetica, arial, sans-serif]Any help is greatly appreciated.[/font][/color]



[color=#282828][font=helvetica, arial, sans-serif]jasimop[/font][/color]

jpgoldberg

Hi jasimop! Welcome to the forums.



I would need to do some digging to be able to describe exactly how the SL3 and SL5 keys are derived from the 1024 byte chunk of data. (It is hashed in various ways, but I'd need to go poking around to specify this to a sufficient degree.)



Can you give me some sense of the urgency of your project, and whether you will be moving to our newest data format (the Cloud Keychain format) which will be replacing the Agile Keychain format. (It already does for iCloud syncing among 1Password4 for iOS, and will be rolled out to other platforms).



I'm really hoping that you will want to work with the new format, because I actually have all of the details documented for key derivation and data formats for that.



Cheers,



-j