It occurred to me sometime after I’d finished my talk that I should have a single post that pulls all the elements together. So here’s a complete walkthrough from Master Password all the way to decrypted Vault Item.
If you’ve missed the first parts of the series, here’s a good starting point.
General Process
First, let’s review the overall sequence of events. It’s a little complicated at the beginning, depending on which client we’re using.
Slides from my BSidesDE talk, November 9, 2018. A detailed description of how 1Password client unlocking and shared vault encryption works.
Thanks for reading! I hope you’ve enjoyed this deep dive into how 1Password works.
We’ve covered a lot:
- Why I even went down this path
- Unlocking macOS clients and the 2SKD process
- Unlocking Windows clients
- Decrypting data in the cloud-based vault system
- Unlocking and decrypting local vaults
But there’s actually quite a bit I haven’t touched upon.
Password Strength
One thing I totally skipped over was the strength of the master password. There are actually several different password derivation steps in use by 1Password, all using PBKDF2:
To conclude (for now) this extensive look at 1Password, we’ll go back a little to see how local private vaults work. Initially, local vaults were all you had (though they could be synced over Dropbox and other methods). These are documented separately from the cloud-based “Teams” system. Now, local vaults are basically being discouraged in favor of the cloud system.
But you can still have a mix of local and cloud vaults. So it’s worth seeing how those affect the way data is stored in 1Password.
We’re back with part three of a close look at how 1Password works. So far we’ve seen how the Two-Secret Key Derivation (2SKD) process is used to unlock macOS clients, and how the Encrypted Master Key (EMK) does the same under Windows. In both cases, we end up with a decrypted master key, the “sym key” in the account’s first keyset. As I’ve said in both prior segments, this key then lets us descend into the vault and decrypt everything else.