What we've learned with Two-Secret Key Derivation - Jeffrey Goldberg, Julie Haugh

hey thank you and speaking of a talk at Cambridge in December I'm just assuming all of you have either watched that talk or read all the slides so I don't actually have to explain what this to secret key derivation is and I can just talk about how we communicate this to users right yeah sure okay so um 2 of the 3 j's are here yes julie is not here that's me at the end and we are being protected by umbrella bear a bit of an inside joke ok anyway so two secret key derivation we've been struggling with names for this thing but this is the flavor of the week and basically what we're doing is in deriving the keys that

are used for both authenticating with the 1password server now that we've actually started running a service and the keys that are used to that are used to decrypt the key encryption key that's used for encrypting your private key from your personal key set that's way too many keys the so in deriving the keys that you actually need to unlock stuff we take to user secrets a master password and something that we've called an account key and I have no idea of why we call it that so a master password is something that's more or less created by the user it's stored Oh in the users head which makes it difficult to steal I mean tortures one

way but ah but it isn't you know it's created by a human created password they need to remember it they need to type it so it is not so difficult to guess now the count key is created randomly by the client 128 bits it is stored only on the user's device is it is possible to steal because it's stored on the user's on the user's device before they actually get their keys for encrypting their data and it's pretty much impossible to guess now the reason for this is that we don't want to store hashes that if stolen could be used in any kind of offline attack that is the goal of this thing but we store on the server we've said

until recently we never touched any user data whatsoever and we like that and there were reasons for that so we don't want to have anything worth stealing anything that we could work on cracking if we were compelled or just decided to turn evil here now it's not going to happen um anyway so so by blending in this other high entropy user secret this account key then what we're storing server-side is just basically uncrackable now it's not actually a hash it's an it's an srp verifier but the principle still applies okay now I said in Cambridge I talked about the technology the key derivation all of that stuff my concern here is we are presenting a new kind of secret to

users and we kind of hoped that they behave in ways that help their security instead of harm their own interests now so we've got this new kind of secret it's unfamiliar so the questions are how do we get users to treat it properly how can we help users not to lose it because if they lose I if they forget their master password or they lose their account key that's it there is no way to derive those keys that are used as key encryption keys so so now we've added a new way that people can get totally locked out of their data by losing their account key so it's sort of the user is the helping the user or what we attempt

to do that is really the topic of this talk okay so chain of a psycho dog she's really sweet except for when she isn't catches frisbees ball we have no idea of who trained her to do this but anyway so she's going to be our team leader and so what you're going to see is a video that shows a first sign in and a first sign up for one password for teams and so just going to go through a lot of steps here but I think that so we'll see or do lots of things and we okay so here's a video sorry chain of the psycho dog this is Morgan the other member of the

family and yeah she's the sane one okay so although we've got to talk about team she's going to create a family because the control panel and screens are a little simpler for those okay so go through a normal sign of she selects a family name and she has to give her email address and I decided not to expose her real email address and i was too lazy to set up a special account so there we go and so she will be given a URL based on that name and there we go she gets told that you'll get some email there's her email real name and this by the way is me speeding up the video

because i typed really slowly but chaina types even slower okay first presentation of two secrets protect your data and now you are giving your account key now the first part of it is non secret information but the bulk of it is secret you know so there's actually account identifier at the beginning of it and she called so it was selectable you saw a copy operation she saved it someplace ok now bow wow this is going way too fast ok um but as you saw there was actually a dice we're like generator to offer people help in choosing master passwords he practices that oops she typed it in wrong because she thought it was cake instead of cape

is the last word there we go and now we are generating public/private key pairs and a bunch of other stuff and her first task she's given us to say how emergency kit the emergency kit contains all the non secret information her account key and a nice space to actually write in your master password and a QR code that will get to later you're encouraged to write down your master password put this piece of paper in someplace safe okay let's just set up stuff for the count oh well they're dogs you know okay um okay so just so that we have some data to look at China enters create some data rabbits are fast and they look as much as I hate to say it we

may need to cooperate instead of compete yay oops but you save this to her personal vault this is something that should be shared with every member of the family so one petrol does these different vaults with different properties so she's now put that into the shared vault okay so that was a lot that we've seen there because the this first run-through and then also are adding data as a is a bit much but this means that at the moment the only place she has her account keys and that emergency kit that we hope that she saved and in the local storage of the browser that she used for doing this and remember the account key is absolutely

necessary for deriving these keys so what we would like her to do and for other reasons we prefer her to be using a native client instead of the web client because then we don't have to be entirely depending on TLS for the overall security ah so we would like to encourage her to to get this working in one password on under the client so what so the next video we're going to see her set this up in one password for Mac so she's going to go to preferences she's going to select add a new team she's first going to do it the hard way she's going to give up on doing it the hard way she's

going to do it the easy way and then we'll see that she has the vols from her team so so she's joining a team using one password for Mac she can enter it manually which means all of the which means the account key the email address the you are URL and the master password that's not anything that any human or canine should ever have to type so we've got this scanning a QR code here's a handy copy from her emergency kit and boom everything is there except the master password which she types in and now this instance of one password for Mac on this machine has that team data and we see within one password her

secure note about strategy so now this is stored again it's unencrypted but it's stored by the emojis but out the count key is now stored by the client okay we do need to add more people have more dogs to this family we're going to add morgan and that is going to look like this so first chain is going to login because we're switching back and forth between China and Morgan you get one of the dogs shelling who's actually the one doing stuff now or for China uses chrome Morgan uses safari so Serena sends an invite and she gets a list of family members including those pending invites and Morgan gets email rabbit hunters is using one password chaina the psycho dog

wants you to join rabbit hunters she clicked the link she's got she's now given this sign up stuff introduced it to the two keys I didn't see her select that account key even though she pressed I've got it safe okay and she types in she creates a master password and i'll write the which was a wonderful master password of ABC 123 ABC oh look save your emergency kit remind me later hmm okay now there's a little bit of back and forth because because Morgan's keys are generated by Morgan's client when she first signs up for the public key to get to the team administrator anyway China has to go through this step for the user it's just it's just confirming

what it actually is doing is it is encrypting the vault key for the shared key with China's public key anyway now Dana Morgan I'm sorry Morgan can enter in some very precious data that must never ever be lost and as you see she could actually get what's in the shared vault as well because the key to that vault has been encrypted with her public key and and there we go okay so now we were really really scared would we thought of this notion of account key we just thought it's way too easy for people to get themselves locked out but we a jalebi do not want to have the power or responsibility of doing actual

recovery for people who have lost their account keys or forgot my master passwords we shouldn't have the power and we shouldn't have to be sitting there trying to decide whether some request is genuine from the real owner so what we've done instead is we have given the family organizers or team owners that power so every time a vault is created by any user within a team or within a family the the keys to that particular vault get encrypted with the public keys of the organizer but the organizer may not actually have access to the actual encrypted data that's done through normal kind of access control sorts of stuff from our server so they don't have access to the data but they

do the keys for it so China actually has the keys to Morgan's personal vault but China does not have the authority to get the Act the encrypted data that is China's personal vault okay so he would go with recovery Morgan having trashed your Safari installation has lost her account key and thus lost her access to the secret plans in an act of desperation she sends an out-of-band message to China via droid fortunately for our heroes the organizer the team has access to all the vault keys blah blah blah blah blah ok so now so Jane has gotten this out of band message which obviously I'm not showing she goes into the admin council console and she

sees Morgan here

and she clicks on a begin recovery button and that really just sets Morgan's account into a particular state and send email to Morgan about the road to recovery and effectively Morgan is creating a new account but it's with her old email address and identifying informations she gets a new account key and look she saved at this time and she chooses a master password and so now a new public key pair has been generated and created for her but you still can't get in until the team owner confirms our recovery or completes the recovery and this is because it's the completing the recovery in which the new owner sends the appropriate vault keys or encrypts the appropriate vault keys with Morgan's

new public key and so now back in she get some tips to not have to go through this again save your emergency kit write down your master password join things and new clients

you know now so one of these things with these emergency kits and these account keys is it's actually the users responsibility to get the count key from client to client okay but I'm it's not handled by us it's what the QR code is for so they can either manually type it in and so here you'll see her setting it up in within one password on an iphone at a count scan QR code and here when you actually logged in on the web the forget the apps link includes the QR code it really scans fast i did not speed that one up everything but the master password is filled in here she types in a brilliant master password and

the server is unreachable because all this demo construction was done on b5 local comm instead of actually our real server so it was just local host on that thing okay and now it's time for a nap and now all right I tried to show the QR code scanning a little slower okay I'm not really an expert on iMovie in case you didn't notice okay so the questions that we have is will our users understand that the count key is a secret you know they're not going to be reading everything on those pages will they understand that it is their secret so remember when you're given a license code for example when you're given a license code

that's actually a secret that matters to the software vendor it doesn't hurt you if that secret if a license code you're given by the vendor leaks but this is a secret that they need to protect for their interests and is there more that we can do to prevent the risk of catastrophic data loss now we haven't actually counted but so far we're actually doing pretty well from what we get into customer customer support the people who are losing account keys or people who are just testing things out of the free system who don't actually have who don't who actually haven't put data into the system so the overwhelming majority of I'm locked out help me and

we have to say tough have been harmless so far we also find that almost all of them are from people who have only used the web client so we really are I mean there are other reasons as well but we're really trying to push people to use the native apps but we see this new kind of secret that we're asking people to deal with as quite possibly the most as at least one of the most difficult problems or challenges that we face as we've rolled out this one password service as opposed to just the local apps and you know we like to think that we try to make it easier for people to behave securely you know and so usable

security is central to what we do throughout but we face tough questions with so and that's where I'm going to leave it Jeff is an expert at asking questions at passwords come so now I'm hoping there are people in the audience who are questions for Jeff

jeffer would it work if you have a company with 20 or hundred thousand people and that many accounts would this work with them or do you have any experience do you know how that would wanna get I mean it certainly works with 20 it works with hundreds are you interested in a customer new customer with a hundred thousand users that's the question um it's a pretty big license yeah yeah no no no we'd we'd guess yes it'll work just the day his disapproving Justin he really is improving not what are the sales people you know I made the light of course is we're all in sales okay okay so um I don't know what the

largest company we have is but but thousands we know works and it should scale very nicely so it's built to do that hey em I was going to ask if you had any feedback from users who are surprised that they're under this hierarchy so you have a hierarchy of a team owner and then these users who can effectively bean be overridden by whoever's above them yeah we haven't actually said so we haven't actually had reports from users from sort of individual non team owners and managers saying wait I didn't know that my team owner had all this power but just because we haven't had that yet doesn't mean it isn't something that we that were worrying

about it did I don't know if I got the negatives in there it's this is a question that bothers us so is it clear to Morgan that China has these powers now cryptographically chain of a team owner has everything but we also have access control mechanisms so that Shana is not actually seeing the data is not getting the data to decrypt from Morgan's vault obviously we prefer to have all of these assurances done completely cryptographically instead of having to rely on authentication and access control but we do have that but in principle it would be possible for China to let's say get the cached data off of Morgan's computer Shana would have to be digging into because of

course the keys that China has access to aren't actually exposed to her in the UI he'd have to do some digging to get them her client has them that is a line of attack but there is some confusion one of the problems if I may go on a little bit more about this one of the problems we face is when somebody leaves a company is their personal vault there's or is it the company's and each organization has a different view and so we are actually working on trying to we're working on trying to have a way so that if an organization says the stuff in the personal vault is the personal thing that that data can be

transferred to a personal account for somebody who is leaving a team but this is a work in progress but yes these are difficult issues our view was to try to leave it up to the organization's but we really can't we have to enable the organizations to do what makes sense for them yeah I have a question I wanna make sure I understand how you're generating the KEK are you actually using the the account key plus a master keen like a secret sharing scheme or something to get that or are you rather using the account key initially to authenticate and like pinning that somehow okay a secret sharing would be really cool and that was the original goal but mostly

it's just we both are used in deriving it it's not actually secret sharing with it's an it's the details of the KDF or in the white paper it's a little bit messy because we left a hole for where we wanted secret sharing to go in so after you do some key derivation stuff on both they actually get X sword and then some stuff after that so so yes it really is to secret key derivation not one key for one thing in another key for the other okay whoever has the microphone photographers is there a way to have more than one team owner or can I want an a-team be an owner yes and this is something that we encourage is

that is specifically this is if you have more than one team owner you've got more than one person who's capable of doing recoveries if let's say a team owner gets you know hit by boss or loses their account key or forgets their master password so it's actually four teams it's another one of these quests we try to say set up another owner organizer in our beta we actually had a more complicated set of roles so we had what was called the recovery group but we just merged that with owner and organizer because it was confusing people but underlying Lee we actually have the ability to specify a recovery group which is a group of individuals who are who who are the ones

who are getting these vault keys and have the power to initiate recovery so there's more granularity under the hood than is actually exposed to the users so when you sign a new team member is that all done excuse me is that all done on the client computer of the team owner so the invitation the invitation for a new team member is is constructed by the client of the team owner the email the email notification goes through us but the invit but the invitation URL is that is constructed by the client and I suspect I'm not actually answering your actual question

oh sorry so once you confirm somebody who's joined in right so once you've can so when an owner confirm somebody who joins in what they are doing on their client is is encrypting let's say the shared vault key to the public key of the new member repeat the question oh okay so then the follow-up is is have we considered open sourcing that code so that people can actually see that this really is happening client-side considered it yes we haven't done it yet I'm sure we've got all these normal end user License things that say Oh reverse engineering is bad just you know first engineer it check it out okay haha so Jennifer Jeff of course is going to be

around here and there's also just save you a anybody and everybody should say hi to Jesse that's my opinion so once again thank you Jeff and

you