1. No category

Rethinking Factors

Rethinking Factors
How to not store user secrets
Jeffrey Goldberg Julie Haugh Jessy Irwin
{jeff,julie,jessy}@agilebits.com
AgileBits, Inc
Passwords15, 8 December 2015
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
1 / 23
.
Who we are
We make candy canes
We make a password manager, 1Password.
Until last month we said:
We never handle, see or know about our
customers’ data in any form whatsoever.
That changed in November 2015 with the
introduction of 1Password for Teams.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
2 / 23
.
Who we are
We make candy canes
We make a password manager, 1Password.
Until last month we said:
We never handle, see or know about our
customers’ data in any form whatsoever.
That changed in November 2015 with the
introduction of 1Password for Teams.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
2 / 23
.
Cowardice
Cowardice is a virtue
“Sleep no more. Scrooge has
murdered sleep!”
If we want to sleep at night, we need to
know that our customers’ data is safe.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
3 / 23
.
Cowardice
Things to fear
1
Customers lose access to their data
2
Data is tampered with
3
Secrets and private information is revealed
to unauthorized entities
“Unauthorized” means not authorized by the
customer.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
4 / 23
.
Cowardice
Things to fear
1
Customers lose access to their data
2
Data is tampered with
3
Secrets and private information is revealed
to unauthorized entities
“Unauthorized” means not authorized by the
customer.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
4 / 23
.
Cowardice
We can sleep better if …
1
We only keep encrypted data
2
We don’t have customer keys
3
We aren’t in a position to acquire those keys
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
5 / 23
.
Cowardice
How a server could acquires keys
During client authentication there are (at least) two ways the server could
acquire keys.
1
Client tells server keys (or secrets from which keys can be derived)
2
Client gives the server something that can be used in a cracking
attempt
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
6 / 23
.
Cowardice
No hash oracles
Even though a cryptographic hash y = H(p) is not reversible
y can be used to verify a guess at p and so is an oracle.
A human usable password is guessable.
If p is (derived from) a usable password, then y us a useful oracle for
guessing the password.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
7 / 23
.
Cowardice
Authentication Desiderata
1
Client proves identity to Server
2
Server proves identity to the Client
3
Doesn’t leak any secrets to an eavesdropper
4
Cannot be replayed
5
Doesn’t reveal any information about the user’s secret to the server.
6
Establishes a new secret that can be used as an encryption key for the
session.
7
Server can’t obtain enough information to launch a password cracking
attack
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
8 / 23
.
Cowardice
Vanilla login
What vanilla password auth does
1 Client proves identity to Server
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
9 / 23
.
Cowardice
PAKE
A PAKE does everthing except
7. Server can’t obtain enough information to launch a password cracking
attack
[T]he low entropy of passwords makes them vulnerable to
dictionary attacks, both off-line and on-line. [Jean Lancrenon,
Passwords15]
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
10 / 23
.
Factors
Multiple Factors
What MFA does
1 Client proves (more strongly) identity to Server
4 Cannot be replayed
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
11 / 23
.
Factors
A problem to solve
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
12 / 23
.
Factors
Adding factors
How to fix this
1
A combination lock
(something you know)
2
A lock with a key
(something you have)
3
A fingerprint scanner
(something you are)
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
13 / 23
.
Factors
Adding factors
How to fix this
1
A combination lock
(something you know)
2
A lock with a key
(something you have)
3
A fingerprint scanner
(something you are)
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
13 / 23
.
Factors
Adding factors
How to fix this
1
A combination lock
(something you know)
2
A lock with a key
(something you have)
3
A fingerprint scanner
(something you are)
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
13 / 23
.
What we do
SRP and a bit more
Secure Remote Password (v6) SRP
Replaced Key Derivation Function from a single SHA1 HMAC with
PBKDF2
And we did something more to prevent cracking against SRP verifier v.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
14 / 23
.
What we do
Account Key
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
15 / 23
.
What we do
Key Derivation
Generating SRP-x
Key Derivation
: p ← Master Password from user
2 : (kA , e, I, sa ) ← Account Key, email address, ID, salt from local storage
3 : p ← trim(p)
1
: p ← normalize(p)
5 : sa ← HKDF(sa , versiona , e, 32)
6 : kx ← PBKDF2(p, sa , 100000)
4
: kA ← HKDF(kA , versiona , I, ∥kx ∥)
8 : kx ← kx ⊕ kA
7
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
16 / 23
.
What we do
Encryption key derivation
Note
The keys needed for data encryption are derived the same way, but with a
distinct (independent) salt, and a different tweak, versione
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
17 / 23
.
What we do
Managing the Account Key
Challenges:
How is the Account Key stored?
How does the user get the AK to a new device?
How do we reduce risk of user losing the AK?�
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
18 / 23
.
What we do
Storing AKs
High entropy
Hard to steal
Master Password
5
3
Account Key
3
5
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
19 / 23
.
What we do
Getting AK to a new device
We cannot move the AK to a new device, only the user can.
We use QR codes.
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
20 / 23
.
What we do
Paper backup
KEEP SAFE - DON'T THROW AWAY - KEEP SAFE - DON'T THROW AWAY - KEEP SAFE - DON'T THROW AWAY
Emergency Kit
Created for Patty on November 3rd, 2015.
Account Key
Print out an Emergency Kit
A3-8MMQJN-MZ64CY-2SDB4-RPX3T-V52Q3-N2C84
Non-secret information
Account Key
Space for Master Password
email address
[email protected]
sign-in url
https://example.1password.com
Master Password
QR code
Use this kit to recover access to your 1Password account if you are ever locked out.
https://1password.com
Print out this document.
Fill in your Master Password above.
Store your Emergency Kit somewhere safe, accessible, and offline.
For questions and support, please contact AgileBits: [email protected].
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
21 / 23
.
What we do
Recovery Group
Recovery group members have vault keys
Recovery group members do not have others’ Master Passwords or
AKs.
Recovery group members do not (generally) have vault data
Recovery group members are set by team administrators.
AgileBits does not have the vault keys
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
22 / 23
.
What we do
Deteriorating slides?
.
J. {Goldberg,Haugh,Irwin} (AgileBits)
Rethinking Factors
.
.
.
.
.
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
Passwords15
.
.
.
.
.
.
.
23 / 23
.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz