14 Transport security
We designed 1Password with the understanding that data traveling over a network can be read and tampered with unless otherwise protected. Here we discuss the multiple layers of protections we have in place. Roughly speaking, there are three layers of protection.
- 1Password’s at-rest encryption, as described in “How vault items are secured,” also applies to data when it’s in transit.
Your items are always encrypted with vault keys, which in turn are encrypted by keys held by you and not by the server. They remain encrypted this way in transit.
- TLS with best practices (encryption, data integrity, authenticity of server).
TLS, the successor of SSL, puts the “S” in “HTTPS.” It encrypts data in transit and authenticates the server so the client knows to whom it’s talking.
- SRP authentication and encryption.
The login process provides mutual authentication. Not only does your client prove who it is to the server, but the server proves who it is to the client. This is in addition to the server authentication provided by TLS. During login, a session key will be agreed upon between client and server, and communication will be encrypted using Advanced Encryption Standard (AES) in Galois Counter Mode (GCM).
The protocol provides a layer of authentication and encryption that’s independent of TLS.
When discussing transport security, it’s useful to distinguish different security notions: integrity, authenticity, and confidentiality.[29] “Confidentiality” means the data remains secret, “authenticity” means the parties in the data exchange are talking to whom they believe they’re talking to, and data “integrity” means the data transmitted can’t be tampered with. Tampering includes not only changing the contents of a particular message, but also preventing a message from getting to the recipient or injecting a message into the conversation the authorized sender never sent.
Because parts of systems can fail, it’s useful to design the overall system so a failure in one part doesn’t result in total failure. This approach is often called defense in depth.
As summarized in Table 14.1, each encryption layer is independent of the others. If one fails, the others remain in place (though see A.1 for an exception). The at-rest encryption described in “How vault items are secured” is not part of a communication protocol, and so authentication is not applicable to it. TLS, as it’s typically used, authenticates the server but doesn’t authenticate the client.
| | SRP+GCM | TLS | AT-REST ENCRYPTION |
|---|---|---|---|
| Confidentiality | ✓ | ✓ | ✓ |
| Data integrity | ✓ | ✓ | ✓ |
| Server authenticity | ✓ | ✓ | ✕ |
| Client authenticity | ✓ | ✕ | ✕ |
One limitation of SRP+GCM is that each message is encrypted individually. An attacker who can get in the middle of that connection could replay messages sent over SRP+GCM, and the server will accept them. We’d like to expand the security goals of this transport encryption such that messages cannot be replayed in the future.
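The replay limitation and one common countermeasure, as an added example (not 1Password's code or wire format): AES-GCM under a session key accepts the same ciphertext twice, while authenticating a per-message counter as associated data makes the second delivery fail. The all-zero key, the message, and all function names are constructed for illustration, and the counter scheme is an assumption, not a mitigation the page says 1Password has chosen.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// seal encrypts msg under a fresh random nonce and returns nonce||ciphertext||tag.
func seal(a cipher.AEAD, msg, aad []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, msg, aad)
}

// open verifies the GCM tag over the ciphertext and aad, then decrypts.
func open(a cipher.AEAD, wire, aad []byte) ([]byte, error) {
	if len(wire) < a.NonceSize() {
		return nil, fmt.Errorf("message shorter than nonce")
	}
	return a.Open(nil, wire[:a.NonceSize()], wire[a.NonceSize():], aad)
}

// counter encodes a sequence number as associated data; nil models the
// per-message mode, where nothing ties a ciphertext to its position.
func counter(seq uint64, bind bool) []byte {
	if !bind {
		return nil
	}
	return binary.BigEndian.AppendUint64(nil, seq)
}

// ReplayAccepted delivers one message twice and reports whether the second,
// replayed delivery still authenticates at the receiver.
func ReplayAccepted(bind bool) bool {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed key; 32 bytes is always valid
	a, _ := cipher.NewGCM(block)
	wire := seal(a, []byte("constructed request"), counter(0, bind))
	if _, err := open(a, wire, counter(0, bind)); err != nil {
		panic(err) // the first delivery must succeed in both modes
	}
	_, err := open(a, wire, counter(1, bind)) // receiver now expects message 1
	return err == nil
}

func main() { fmt.Println(ReplayAccepted(false), ReplayAccepted(true)) }
```

A real receiver would also have to decide how to handle lost or reordered messages, since a strict counter rejects those as well.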
14.1 Data at rest
Your 1Password data is always encrypted when it’s stored anywhere,[30] whether on your computer or on our servers, and it’s encrypted with keys that are encrypted with keys derived from your account password and Secret Key. Even if there were no other mechanisms to provide data confidentiality and integrity for the data that reaches the recipient, 1Password’s at-rest encryption sufficiently provides both.
Because it’s designed for stored data, this layer of data encryption doesn’t ensure messages can’t go missing or older data is not replayed. It also doesn’t authenticate the communication channel.
14.2 TLS
TLS puts the “S” in “HTTPS”. It provides encryption, data integrity, and authenticity of the server.
Our TLS configuration includes HTTP Strict Transport Security (HSTS) and a restricted set of cipher suites to avoid downgrade attacks. Precise policies and choices will change more rapidly than the document you’re reading will be updated.
Neither certificate pinning nor DNSSEC has been implemented. Given the mutual authentication described in “A modern approach to authentication,” the marginal gain in security provided by such measures isn’t something we consider to be worth the risk of availability loss should those extra measures fail in some way. Following research[31] and analysis[32] of the value of certain security indicators and extended validation certificates in particular, we’re no longer using extended validation certificates.
14.3 Our transport security
Our use of Secure Remote Password (SRP) authentication between the client and server provides mutual authentication. Both the server and client will know they’re talking to exactly who they think they’re talking to.
This is in addition to the server authentication provided by TLS. Thus, if TLS fails in some instances to provide proper authentication, SRP still provides authentication.
Not only does the client prove its identity to the server, but the server proves its identity to the client.
14.3.1 Client delivery
This section has focused on the transport security between 1Password clients and server. For discussion of delivery of the client itself see A.1 in “Beware of the leopard.”
14.3.2 Passkey and single sign-on unlock caveats
You can use a passkey or SSO to unlock a 1Password account, as described in @ref(#passkeySSO). When you sign in with a passkey, that sign-in with the 1Password server is only protected by TLS. When you sign in with your SSO provider, they’re responsible for protecting your sign-in information on the network. Single sign-on providers generally only protect the confidentiality of login information using TLS.
After completing authentication with either method, a client will fetch an encrypted credential bundle from the server. A client can only use SRP after fetching this bundle. If an attacker can break the security of TLS, they can obtain an encrypted copy of the credential bundle.
[29] When discussing information security, the acronym “CIA” is often used to refer to confidentiality, integrity, and availability. But when considering data transport security, integrity and authenticity play a major role. In neither case should the abbreviation be confused with the well-known institution, the Culinary Institute of America.
[30] Decrypted Documents may be written to your device’s disk temporarily after you open them.