It occurred to me sometime after I’d finished my talk that I should have a single post that pulls all the elements together. So here’s a complete walkthrough from Master Password all the way to decrypted Vault Item.
If you’ve missed the first parts of the series, here’s a good starting point.
General Process

First, let’s review the overall sequence of events. It’s a little complicated at the beginning, depending on which client we’re using.
Thanks to BSides Delaware for the chance to go super-geeky about how 1Password works. Here are the slides from my talk, which give a basic introduction to how it all works. See this extended series for super-detailed technical information and examples.
Click on the link above to download a copy of the slides.
Thanks for reading! I hope you’ve enjoyed this deep dive into how 1Password works.
We’ve covered a lot:
Why I even went down this path
Unlocking macOS clients and the 2SKD process
Unlocking Windows clients
Decrypting data in the cloud-based vault system
Unlocking and decrypting local vaults

But there’s actually quite a bit I haven’t touched upon.
Password Strength

One thing I totally skipped over was the strength of the master password.
To conclude (for now) this extensive look at 1Password, we’ll go back a little to see how local private vaults work. Initially, local vaults were all you had (though they could be synced over Dropbox and other methods). These are documented separately from the cloud-based “Teams” system. Now, local vaults are basically being discouraged in favor of the cloud system.
But you can still have a mix of local and cloud vaults.
We’re back with part three of a close look at how 1Password works. So far we’ve seen how the Two-Secret Key Derivation (2SKD) process is used to unlock macOS clients, and how the Encrypted Master Key (EMK) does the same under Windows. In both cases, we end up with a decrypted master key, the “sym key” in the account’s first keyset. As I’ve said in both prior segments, this key then lets us descend into the vault and decrypt everything else.