1Password and the Crypto Wars
by Jeffrey Goldberg on
Of all of the revelations about the NSA that began in June 2013 the one that has shocked me the most is the fact that the United States National Security Agency has been deliberately inserting weaknesses into security products and even into NIST standards. In light of this, it is fit and proper for anyone who relies on 1Password for their security and privacy to ask whether 1Password has been, or could be, tampered with to deliberately weaken it.
Not without substantial risk that such attempt would become public.
Those questions are the easy ones to answer. The harder question is why you should believe those answers.
It is impossible to absolutely prove that our answers to the easy questions above are truthful. But what I can do is provide a number of more verifiable claims, each of which makes it harder for us to lie about any of this. In combination, these should be enough to persuade you that there is no backdoor (deliberate weakness) in 1Password and that it would be very unlikely for one to be introduced.
We have developers in four separate countries: Canada (AgileBits is a Canadian company), the United States, the United Kingdom, and the Netherlands. The gag orders that accompany National Security Letters in the US would not bind non-US citizens outside of the US. Likewise the Canadian, British, or Dutch analogues to National Security Letters wouldn’t bind US citizens. To compel all of us to betray our customers and principles, they would need to coordinate that legal compulsion in four jurisdictions.
This doesn’t entirely rule out the possibility of such a set of gag orders, but it does make such compelled silence much harder to achieve. This also doesn’t rule out other avenues of attack. In particular, could just one or two people within AgileBits sneak in a backdoor? We’ll talk about that below, but note that the inability to gag so many of us means that a backdoor would have to remain unknown to most of us.
Your 1Password data is under your control. Out of the box, 1Password creates a local data file (your “vault”) and sync is disabled. We never have the opportunity to see your Master Password or even your encrypted 1Password data. 1Password not only gives you “end-to-end” encryption, but our overall design means that we are never in a position to turn over or intercept your data. We simply never see it in any form whatsoever.
Furthermore, we never see how you use 1Password. We don’t know what sites you log into, we don’t know how many 1Password items you have. Indeed, we don’t even know whether you use 1Password or not. We offer a soon-to-be-incremented number of data synchronization methods, none of which involve us ever having the opportunity to intercept your data. When 1Password 4 for Mac arrives soon, Wi-Fi sync will allow you to sync locally, meaning your data never has to leave your local network.
You can monitor 1Password network activity for yourself to confirm that your data, even encrypted, is never sent to us. All of this dramatically reduces where a backdoor could be inserted. Indeed, it eliminates the otherwise easiest to insert and most difficult to detect backdoors. So an entire range of attacks is already off the table.
As always, this doesn’t rule out all kinds of mischief, but it substantially limits the scope and opportunity for an attack.
We have been very open about providing the details of the encryption and data format that 1Password uses. Anyone can verify that 1Password does produce the files we say it does. They can also examine whether that overall design is strong.
This doesn’t rule out every kind of sabotage that could be done, but it does rule out a broad range of the easiest lines of attack. Because this limits where a weakness could be introduced, it’s harder for a deliberate weakness to be introduced that isn’t noticed by others who can access the source code.
As a consequence of this, everyone with access to the source code knows where to look for possible tampering. This makes it harder for a backdoor to be introduced without it being noticed by many of us. As pointed out above, they can’t gag us all.
One company, Lavabit, has shut itself down rather than comply with betraying their customers. This increases the risk of discovery to those trying to compel developers to introduce weaknesses.
It is impossible to predict how we would react in absence of having the full details of such compulsion in front of us; there are just too many unknowns and too many forms of compulsion. But the very real possibility that we would shut ourselves down (which would be public) rather than sabotage what we do and love should act as some deterrent to those who might wish to compel us to introduce a backdoor.
From the most recent revelations, the targets appear to be communication tools and protocols. 1Password is not such a tool. This doesn’t mean that the NSA couldn’t change their focus, but from what we know so far, 1Password is not the kind of thing they are after.
Even if you don’t find any of the individual reasons listed above to be persuasive, they interact powerfully. In combination, they make it much harder to get a weakness into 1Password without taking on large risks of getting caught and failing. Any attacker, including the NSA, will avoid high risk, high cost attacks if there are safer and easier alternatives. I’m therefore confident that the NSA would rather go around 1Password than through it.
In the 1990s, there was a series of debates, pressure, civil disobedience, and cryptographic developments that have come to be known as “The Crypto Wars”. At the heart of this was the US and other governments’ efforts to prevent people from having access to cryptographic tools which those governments couldn’t break. In the end, governments (seemingly) surrendered, in large part because the tools they wished to use to enforce those restrictions (export restrictions, the Clipper Chip) just weren’t going to work.
What the 5 September, 2013 revelations show is that the US government has taken a different tack. The Crypto Wars may never have ended. Instead of explicitly and openly trying to limit the power of the cryptographic tools allowed to the public, they are now surreptitiously sabotaging the tools that we all use. As before, this will be fought on the political front—people telling their representatives that they don’t want hobbled security tools—and on the technological front—building better, stronger, more robust and verifiable systems.
Our role in this as a company is to be transparent about our approach to security while keeping your 1Password data protected.
Many details described above have changed over the past five years, but the overall point remains the same. We build 1Password in such a way that would make it difficult for us to surreptitiously deliver a malicious 1Password client. There is a high probability that any such attempt would be detected.
Let’s look at some of the things that have changed
Under the section titled, “they can’t gag all of us”, I pointed at that
We have developers in four separate countries: Canada (AgileBits is a Canadian company), the United States, the United Kingdom, and the Netherlands.
Well that has changed. We have many more developers from a much wider range of countries now. I’m not going to list the current ones now because I don’t happen to know off of the top of my head. And we are continuing to grow, so what I say now would shortly be out of date. The number of people that a malicious action would have to be hidden from internally has grown enormously.
We never have the opportunity to see your Master Password or even your encrypted 1Password data. 1Password not only gives you “end-to-end” encryption, but our overall design means that we are never in a position to turn over or intercept your data. We simply never see it in any form whatsoever.
That has changed. We do hold on to your encrypted data, and thus we can be compelled to turn that over. But what hasn’t changed is our desire to not hold on to anything that would be of value to an attacker. This is why we developed Two-Secret Key Derivation (2SKD). The data that we hold is not only protected by your Master Password (which we never see), but also by your Secret Key (which, again, we never see). This means that data captured from our services can’t be cracked through password guessing.
We offer a soon-to-be-incremented number of data synchronization methods, none of which involve us ever having the opportunity to intercept your data.
Well that did seem like a good idea at the time. And it made sense given that we didn’t ever have your encrypted data. In retrospect, the more synchronization methods we offered the easier it became for people to get these set up wrong (often setting up with different methods for different 1Password clients). This led to data loss (people thought that data was being synchronized that wasn’t), and huge difficulties in just getting sync to work for a substantial number of people.
Furthermore, none of those third-party methods were actually designed with 1Password data and security in mind. We’ve been able to design a transport security system which doesn’t rely on the secrecy of TLS and whose authentication process doesn’t transmit any secrets.
Furthermore, we never see how you use 1Password. We don’t know what sites you log into, we don’t know how many 1Password items you have. Indeed, we don’t even know whether you use 1Password or not.
The first part of that remains the case today. We do not know what sites you log into. If you have a login for
ISecretlyLoveNickelback.org, you don’t want us to know about it and we don’t want to know about it, either. We’ve gone to substantial effort to ensure that we cannot acquire such information. But now we do know if you use 1Password, and we can find out how many items you have in your vaults.
In the 1990s, there was a series of debates, pressure, civil disobedience, and cryptographic developments that have come to be known as “The Crypto Wars”. At the heart of this was the US and other governments’ efforts to prevent people from having access to cryptographic tools which those governments couldn’t break. … What the 5 September, 2013 revelations show is that the US government has taken a different tack. The Crypto Wars may never have ended. Instead of explicitly and openly trying to limit the power of the cryptographic tools allowed to the public, they are now surreptitiously sabotaging the tools that we all use.
The response over the past five years has been fantastic. There was an enormous bug hunt to try to rout out the kinds of vulnerabilities that were being exploited. In the months and years immediately following September 2013, there was a series of revelations of long-standing security bugs in many of the systems we all rely upon. Those bugs were fixed and alternative systems were also developed. Those revelations may have looked bad, but they were a consequence of renewed and improved scrutiny of the systems that we counted on.
There has also been a fantastic growth in end-to-end encryption for consumer products. End-to-end encryption is now an expected feature of most messaging systems. And new products ranging from personal journals to calendar and scheduling systems build in end-to-end encryption from the start.
I believe that it is because of success in these areas over the past five years that we are seeing the Crypto Wars return to its original form. Governments are having a harder time exploiting or surreptitiously inserting weaknesses into security tools, so instead they are trying to legislate for weaknesses. While many of us may not like the kinds of legislation being enacted and promoted these days, the return of the Crypto Wars on this far more open and public front is a good thing. These are important questions of public policy, and so the public sphere is the right place for this battle.