What we've learned with Two-Secret Key Derivation

Presented at BSidesLV 2016, Aug. 2, 2016, 3 p.m. (50 minutes)

Slides and videos from the talk: Slides (PDF, 1.2MB) Video 1 "Chena creates team, signs up, save Emergency Kit" (MP4,  119.1MB) Video 2 "Chena adds account to 1Password Mac" (MP4, 56.2MB) Video 3 "Morgan joins the Team" (MP4, 51.4MB Video 4 "Morgan gets data recovered" (MP4, 165.1MB) Submited Abstract: To ensure that AgileBits does not hold data that can be used for password cracking, we introduced Two-Secret Key Derivation (2SKD) into our client-side KDF. The two secrets are user's Master Password and a high entropy Account Key. As described in our Passwords15 (Cambridge) talk, we introduced what we are now calling "Two-Secret Key Derivation" (2SKD) in our client side KDF which derives both an authentication secret and a key encryption key. Our 2SKD combines the user's Master Password (MP) with an high entropy "Account Key" (AK) to derive the keys (or key encryption keys) needed for authentication and encryption. The goal is so that nothing stored on our servers or off of the users machine could be used in a password cracking attack. The AK is a high entropy (128-bit) secret generated by the client when the user first enrolls, and it is stored on the users local device. At the time we designed this, we had a number of concerns about how well this would work for our users and the additional risks to data availability it creates. The additional risk to data availability comes from the fact that if they either lose their AK _or_ they forget their MP, there is no way for anyone that they have not already shared their data with to be able to decrypt it. We address this risk through a combination of nudging the user toward certain behaviors and through a user data recovery mechanism that gives team Owners (but not us) copies of certain data encryption keys. These mechanisms appear to be largely, but not entirely, successful. Additional responsibility is placed on the user to provide the AK when enrolling a new client and so to transport the AK from client device to client device securely. We provide a UI that is designed to alleviate that burden. These will also be described. At this point, it appears that the largest problem users face with 2SKD is confusion. They do not understand what the AK is for and what it does and doesn't protect them from. This is reflected in the most common complaint that "it isn't really 2FA", a perfectly true statement but is nothing to complain about.

Presenters:

• Julie Haugh - Red Shirt Superhero - AgileBits, Inc
  I wear a red cape and protect people from the forces of evil.
• Jeffrey Goldberg - Chief Defender Against the Dark Arts - AgileBits
  Jeffery Goldberg is the Chief Defender Against the Dark Arts at AgileBits, creators of the password manager 1Password.

Links:

• https://bsideslv2016.sched.com/event/7YOG/what-weve-learned-with-two-secret-key-derivation

Similar Presentations:

• REcon 2023 / Dissecting the Modern Android Data Encryption Scheme
• Still Hacking Anyway (SHA2017) / Olmogo - because it's your data!: A cryptographically secure social network platform
• Texas Cyber Summit 2019 / BT-1050 Shining a Light on Shadow IT in the Cloud