14 Transport security
We designed 1Password with the understanding that data traveling over a network can be read and tampered with unless otherwise protected. Here we discuss the multiple layers of protections we have in place. Roughly speaking, there are three layers of protection.
- 1Password’s at-rest encryption, as described in “How vault items are secured,” also applies to data when it’s in transit.
Your items are always encrypted with vault keys, which in turn are encrypted by keys held by you and not by the server. They remain encrypted this way in transit.
- TLS with best practices (encryption, data integrity, authenticity of server).
TLS, the successor to SSL, puts the “S” in “HTTPS.” It encrypts data in transit and authenticates the server so the client knows to whom it’s talking.
- SRP authentication and encryption
The login process provides mutual authentication. Not only does your client prove who it is to the server, but the server proves who it is to the client. This is in addition to the server authentication provided by TLS. During login, a session key will be agreed upon between client and server, and communication will be encrypted using Advanced Encryption Standard (AES) in Galois Counter Mode (GCM).
The protocol provides a layer of authentication and encryption that’s independent of TLS.
When discussing transport security, it’s useful to distinguish different security notions: integrity, authenticity, and confidentiality.[29] “Confidentiality” means the data remains secret, “authenticity” means the parties in the data exchange are talking to whom they believe they’re talking to, and data “integrity” means the data transmitted can’t be tampered with. Tampering includes not only changing the contents of a particular message, but also preventing a message from getting to the recipient or injecting a message into the conversation the authorized sender never sent.
Because parts of systems can fail, it’s useful to design the overall system so a failure in one part doesn’t result in total failure. This approach is often called defense in depth.
As summarized in Table 14.1, each encryption layer is independent of the others. If one fails, the others remain in place (though see A.1 for an exception). The at-rest encryption described in “How vault items are secured” is not part of a communication protocol, and so authentication is not applicable to it. TLS, as it’s typically used, authenticates the server but doesn’t authenticate the client.
| | SRP+GCM | TLS | AT-REST ENCRYPTION |
|---|---|---|---|
| Confidentiality | ✓ | ✓ | ✓ |
| Data integrity | ✓ | ✓ | ✓ |
| Server authenticity | ✓ | ✓ | ✕ |
| Client authenticity | ✓ | ✕ | ✕ |
One limitation of SRP+GCM is that each message is encrypted individually. An attacker who can get in the middle of that connection could replay messages sent over SRP+GCM, and the server will accept them. We’d like to expand the security goals of this transport encryption such that messages cannot be replayed in the future.
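The replay limitation above, shown as an added example that is not 1Password's code: the same AES-GCM message is delivered twice, first with no binding between messages and then with a per-session message counter authenticated as associated data. The function names, the all-zero key, and the counter scheme are assumptions of this example; the page does not say which anti-replay design will be adopted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// seal returns nonce||ciphertext||tag under AES-GCM. aad is authenticated but
// not transmitted; nil models "each message is encrypted individually".
func seal(a cipher.AEAD, aad, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, pt, aad)
}

// open verifies the tag over ciphertext and aad, then decrypts.
func open(a cipher.AEAD, aad, msg []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message shorter than nonce")
	}
	return a.Open(nil, msg[:n], msg[n:], aad)
}

// counter encodes a message number as AAD (this example's assumption).
func counter(n uint64) []byte { return binary.BigEndian.AppendUint64(nil, n) }

// replayAccepted sends one message, delivers it twice, and reports whether the
// second delivery is accepted. The all-zero key is constructed for the demo.
func replayAccepted(bindCounter bool) bool {
	block, _ := aes.NewCipher(make([]byte, 32))
	a, _ := cipher.NewGCM(block)
	var sent, first, second []byte // AAD at send, first and second delivery
	if bindCounter {
		sent, first, second = counter(0), counter(0), counter(1)
	}
	msg := seal(a, sent, []byte("constructed request"))
	if _, err := open(a, first, msg); err != nil {
		panic(err) // the original delivery must always succeed
	}
	_, err := open(a, second, msg) // same bytes again; receiver expects counter 1
	return err == nil
}

func main() { fmt.Println(replayAccepted(false), replayAccepted(true)) }
```

With the counter bound, a dropped or reordered message fails the same tag check, which covers the other forms of tampering listed in the integrity definition earlier in this section.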
14.1 Data at rest
Your 1Password data is always encrypted when it’s stored anywhere,[30] whether on your computer or on our servers, and it’s encrypted with keys that are encrypted with keys derived from your account password and Secret Key. Even if there were no other mechanisms to provide data confidentiality and integrity for the data that reaches the recipient, 1Password’s at-rest encryption sufficiently provides both.
Because it’s designed for stored data, this layer of data encryption doesn’t ensure messages can’t go missing or older data is not replayed. It also doesn’t authenticate the communication channel.
14.2 TLS
TLS puts the “S” in “HTTPS”. It provides encryption, data integrity, and authenticity of the server.
Our TLS configuration includes HTTP Strict Transport Security (HSTS), in which the server instructs the client that insecure HTTP is never to be used when talking to the server, and a restricted set of cipher suites to avoid downgrade attacks. Precise policies and choices will change more rapidly than the document you’re reading will be updated.
Neither certificate pinning nor DNSSEC has been implemented. Given the mutual authentication described in “A modern approach to authentication,” the marginal gain in security provided by such measures isn’t something we consider to be worth the risk of availability loss should those extra measures fail in some way. Following research[31] and analysis[32] of the value of certain security indicators and extended validation certificates in particular, we’re no longer using extended validation certificates.
14.3 Our transport security
Our use of Secure Remote Password (SRP) authentication between the client and server provides mutual authentication. SRP is a method for both a client and server to authenticate each other without either revealing any secrets. In the process, they also agree on an encryption key to be used for the current session. We’re using Version 6 with a modified key derivation function. Both the server and client will know they’re talking to exactly who they think they’re talking to.
This is in addition to the server authentication provided by TLS. Thus, if TLS fails in some instances to provide proper authentication, SRP still provides authentication.
Not only does the client prove its identity to the server, but the server proves its identity to the client.
14.3.1 Client delivery
This section has focused on the transport security between 1Password clients and server. For discussion of delivery of the client itself see A.1 in “Beware of the leopard.”
14.3.2 Passkey and single sign-on unlock caveats
You can use a passkey or SSO to unlock a 1Password account, as described in @ref(#passkeySSO). A passkey is a credential with which you authenticate to a server. Unlike a password, the passkey isn’t sent to the server to authenticate. Instead, the passkey signs a challenge the server provides to your device. This process is also known as WebAuthn or FIDO2 authentication. With SSO, in the setting of a company or another organization, you are provided with a single set of username, password, or other authentication factors to log in to services that company or organization provides for you. It’s one of the methods that can be used to sign in to 1Password. When you sign in with a passkey, that sign-in with the 1Password server is only protected by TLS. When you sign in with your SSO provider, they’re responsible for protecting your sign-in information on the network. Single sign-on providers generally only protect the confidentiality of login information using TLS.
After completing authentication with either method, a client will fetch an encrypted credential bundle from the server. The credential bundle contains a randomly generated SRP-𝑥 and Account Unlock Key (AUK), used to sign in to 1Password when signing in with single sign-on (SSO). It’s encrypted by the device key and stored on 1Password servers. A client can only use SRP after fetching this bundle. If an attacker can break the security of TLS, they can obtain an encrypted copy of the credential bundle.
[29] When discussing information security, the acronym “CIA” is often used to refer to confidentiality, integrity, and availability. But when considering data transport security, integrity and authenticity play a major role. In neither case should the abbreviation be confused with the well-known institution, the Culinary Institute of America.
[30] Decrypted Documents may be written to your device’s disk temporarily after you open them.