NSA Prism 1Password Security
by Jeffrey Goldberg on
It should come as no surprise that the NSA (United States National Security Agency) has easy access to data that ordinary people store online. Section 215 of the PATRIOT Act (of 2001) and section 702 of FISA (renewed and extended many times over its long history) give the US government the legal authority to gather such data and to keep the fact of gathering that data secret.
What is new is that there are confirmations of the prior suspicions that they are gathering telephony metadata about everyone, even if there is no specific reason to connect those people to a specific investigation, and that they have mechanisms in place to make it quick and easy to obtain data stored with various Internet service providers.
If the US government wants your data stored with Apple or Dropbox, it is easy for them to obtain it with no notification to you that they are doing so. This fact is not news. The laws have long enabled them to do that.
The news is (a) that the NSA and FBI have been collecting data about telephone calls on a large and indiscriminate scale while publicly stating that they weren’t, and (b) that they have mechanisms in place with various service providers, including Apple, to be able to collect data from individuals. The latter, we are now being told, is not indiscriminate; and the actual mechanisms are unclear.
I think this matters for everyone, but here I will focus only on what this specifically means for 1Password. The latest news really changes little. We have gone from a situation where the government could “easily obtain the data” to one where “it’s so easy that they may have already made a copy.” Looking only at implications for 1Password, this is not anything new. The US government can easily obtain data you may store on iCloud and Dropbox. That just isn’t anything new, and so it isn’t anything new for 1Password.
Nonetheless, this does give us an opportunity to talk both about what data we at AgileBits may have about you and about how resistant your 1Password data might be to the NSA.
We’ve never been asked to turn over data about you. Sure, some of that is because we are a Canadian company, but most important is the simple fact that we really don’t have any data to turn over. The easiest way for us to protect your data and data about you is to not have that data in the first place. We can’t reveal or abuse data that we don’t have. You can read the details of the data we do and don’t have.
In summary, we only have information about you that you explicitly provide to us. If you sign up for our Newsletter, we will have your email address. If you purchase from our store directly, then we have the information you provided at time of purchase (though we only retain partial credit card details). If you contact us through support, we have a record of those communications. If you make your purchase of 1Password through Apple’s app stores, we are only given aggregate information (how many people from which countries).
We do not have your 1Password data. We do not know your 1Password Master Password. We don’t even know if you use 1Password. We do not know how many items you have in your data or their type. Our image server (used for Rich Icons in 1Password 4) is set up in a way that we never see the IP addresses of individual requests. That server never gives us information about what is in any individual’s 1Password data.
Quite simply, you don’t have to be concerned about AgileBits gathering information about you. We just don’t have much information in the first place.
Returning to the (unsurprising) fact that the US government can easily obtain your data from cloud services, we can ask about how resistant the 1Password data formats might be to an attack by the NSA.
As we’ve often said, we designed the data format used in 1Password with the knowledge that some people would have their data stolen. It might get stolen because their computer is stolen or it might get stolen because of a data breach at a service like Dropbox. Either way, we’ve assumed that there would be circumstances where an attacker may get hold of your 1Password data, and so we designed the data formats with encryption to keep your secrets secret.
We can only guess (but make reasonable guesses) about the NSA’s capabilities. We can’t rule out that there might be some flaw in the design of our data format that neither we, nor anyone who has studied it, have found but that the NSA is aware of and able to exploit. Finally, there is the potential use the NSA could make of your 1Password data even without decrypting it.
In judging NSA capabilities, we need to keep in mind that they have a history of discouraging the US government from using systems that the NSA could break. If the NSA could break AES-CBC-128, then they would not be advising US government agencies to use it. Interestingly there is a history of the US and UK governments advising foreign governments to use cryptographic systems derived from Enigma, which the US and UK could break at the time. But the NSA has (correctly) operated under the assumption that if they have found a way to break something, others will too.
It’s also reasonable to assume that the gap between the kinds of cryptanalytic techniques that the NSA has, and what the academic community has, is not as large as it was in the past. We did see evidence of the NSA (presumably) using a novel technique in Flame. We know that they are ahead, but as the number of people who publicly study cryptanalysis increases, the gap should narrow significantly. It certainly appears that their skills in designing presentation slides are more than a decade behind readily available and documented public techniques.
From these I comfortably operate on the assumption that the actual building blocks (AES, etc) and the constructions (CBC) we use are not broken.
Of course, one area where the NSA has clear, unmatched power is with computing resources. Our estimations of how long it would take a password cracker to guess a Master Password have been based on the kinds of tools that the public password cracking community has available.
A Master Password with the equivalent of 60 bits of entropy is going to be out of the reach of even the most dedicated civilian password cracker, but may be within reach of the NSA.
There may be non-cryptographic flaws in cryptographic software, including 1Password, that the NSA is able to exploit, and that nobody else knows of. That is, they may know a way to break 1Password’s security without having to break the crypto. Naturally, we work hard to keep 1Password free of such vulnerabilities, but that is no guarantee that there aren’t some which the NSA is aware of and that we are not.
Finally, if they are collecting massive amounts of data, they may be able to make use of the non-encrypted data within our data formats. Our newest format reduces that particular threat, but it is still possible to see when items were created and modified along with how many items a person has in their 1Password data. Also, item categories (whether something is a Secure Note or a Login or a Credit Card) are not encrypted. As discussed in many places, the Agile Keychain format, which we developed in 2007 and began phasing out with 1Password 4 for iOS in December, leaves Title and Location unencrypted, so it’s similar to a browser bookmark file. However, in the case of an investigation by the NSA, that probably tells them little that they didn’t already have access to.
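To make the difference between the two formats concrete, here is an added example (not AgileBits code and not the real on-disk schema) that models which fields stay outside the encrypted blob in each format, as described above, and reports what someone holding the files can read without the Master Password. The field names, the sample items and the placeholder ciphertext are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Fields left outside the encrypted blob, as the article describes each format.
# Field names are hypothetical, not the real on-disk schema.
BASE = {"category", "created", "updated"}
CLEARTEXT_FIELDS = {
    "agile_keychain": BASE | {"title", "location"},
    "newest_format": BASE,
}

# Constructed sample items (timestamps are Unix seconds, UTC).
ITEMS = [
    {"category": "Login", "title": "Example Bank",
     "location": "https://bank.example/login", "password": "constructed-1",
     "created": 1356998400, "updated": 1370044800},
    {"category": "Login", "title": "Example Mail",
     "location": "https://mail.example/", "password": "constructed-2",
     "created": 1356998400, "updated": 1356998400},
    {"category": "Secure Note", "title": "Router notes", "location": "",
     "created": 1356998400, "updated": 1356998400},
]


def store(item, fmt):
    """Model the stored record: cleartext metadata plus an opaque blob."""
    record = {k: v for k, v in item.items() if k in CLEARTEXT_FIELDS[fmt]}
    record["encrypted"] = "<opaque ciphertext>"  # stand-in, no real crypto
    return record


def exposure_report(items, fmt):
    """What a holder of the files learns without the Master Password."""
    records = [store(i, fmt) for i in items]
    newest = max(r["updated"] for r in records)
    return {
        "item_count": len(records),
        "categories": dict(Counter(r["category"] for r in records)),
        "last_modified": datetime.fromtimestamp(newest, timezone.utc)
                                 .date().isoformat(),
        "titles": sorted(r["title"] for r in records if "title" in r),
        "locations": sorted(r["location"] for r in records if r.get("location")),
    }


if __name__ == "__main__":
    for fmt in CLEARTEXT_FIELDS:
        print(fmt, exposure_report(ITEMS, fmt))
```

In both formats the item count, category breakdown and modification dates are visible; only the Agile Keychain model also yields titles and locations.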
Security failures often happen when people don’t use the appropriate tool for the task they are trying to achieve. 1Password is extremely good at what it does. It keeps the secrets (passwords in particular) you store within it safe, and makes it easy for you to use those secrets when you need them. This is an extremely important part of your security, and we are very pleased to provide that.
If, however, your goal is to keep your online activity secret from the government, then 1Password can only be a tiny part of what you need to do. As an analogy (and all security analogies ultimately fail; so don’t take this too far), consider a system, say 1Passlock, as providing a very good lock on your house making it impossible for someone to break into it. 1Passlock, however, would do little to prevent someone from learning the location of your house, so you would also need to find something in addition to 1Passlock to conceal your house’s location.
The point of this terrible analogy is that you need to find the right tools for your particular security goals and try to make sure that those tools work together.
Our approach has been to plan and design for the case where your data can be captured from anywhere, whether it is stored on services like iCloud or Dropbox, or not. However, we have learned that a notable number of people don’t agree with storing their data in the cloud at all. There are 1Password users who reject the idea of storing their 1Password data on any system outside of their control no matter how strongly their 1Password data is encrypted.
We would like you to have as much control over your own data as possible. This way, it doesn’t matter whether you agree with me about the relative risks of capture from local computers. It should be your choice to make. We have provided a (beta, Mac only) USB Syncher, but we are also exploring other approaches that may work out as better solutions for synchronizing your 1Password data without having to rely on services outside of your control. At this point, I can tell you nothing about the kinds of approaches we are exploring, and I do not yet have a timeline to share.
The latest news does not substantially change the security situation for 1Password. It does, however, focus more attention on the relative safety of your 1Password data when using Dropbox or iCloud to store and synchronize said data.
We anticipate that there will be some creative discussion of this, and so have already created a specific place for this in our forums.