Are there extra measures taken by 1Password and KeePass, that make them more secure than an AES-256 encrypted text file? The database formats they use seem needlessly complex for my own purposes.
4 Answers
Which is faster, a Fiat 500 or a V12 Ferrari engine ? The Fiat 500 sure is a rather minimal car... but at least it has wheels. The Ferrari engine, however magnificent it may be, is still "just an engine"; put it down on a road and it will be no more mobile than a boulder. Therefore, the question does not really make sense.
And so is yours. AES is a block cipher, a mathematical object which alone does not achieve any kind of security. Products like 1Password and KeePass use AES and other algorithms into elaborate constructions which try to ensure confidentiality and integrity of the database of passwords. In that sense, they can be compared with "AES" no more than a Fiat 500 is comparable to a lone engine.
Encrypting even a simple file of passwords, with a master password, requires some care. The master password must be converted into an encryption key; this is the realm of password hashing and it is not simple. Then, the AES should be used with a mode of operation, which has its own rules (IV selection, padding...). Preferably, some sort of MAC is needed, and combining symmetric encryption and a MAC is a subtle matter. Last but not least, when you encrypt and/or decrypt a file, you tend to produce temporary files which will be written on the harddisk, with the clear file contents in them. Deleting files is not sufficient to ensure data destruction. Decrypting the file "in memory" and never letting the data go to the disk can be tricky, especially in the presence of virtual memory.
All of this amounts to this conclusion: while a file full of passwords, encrypted with AES, can be handy, there are a lot of details to take care of, and that's hard work. Most of existing products is about doing such work. You can do it yourself, but it won't be as immediate as slapping together a few OpenSSL-based scripts.
Then products like KeePass also provide some extra features which are not to be despised; see the list.
[Disclosure: I work for AgileBits, the makers of 1Password]
Think of AES as a very strong and well designed brick that everyone can use. But a house made out of such bricks could still be very weak and fragile if the architecture isn't done right. There are lots of ways a home grown password management system could go wrong. Here are some:
Encrypting a single large file means that when it is decrypted, all of the decrypted data is resident in memory (and may be swapped, dumped, etc). (1Password, in contract, decrypts only a single item at a time as it is needed.)
What kind of defenses does a roll-your-own system provide against automated password crackers? Will an attacker be able to test tens of millions of passwords per second or just thousands? Key derivation functions used for this purpose are subtle and tricky things. (I recently gave a presentation at PasswordsCon about a flaw in PBKDF2.)
Source of randomness. Various keys, IVs, salts, nonces have requirements for cryptographically appropriate random numbers. Can you get this in a "roll-your-own" system?
The system needs to be robust against data loss. A single, large, encrypted file is very fragile with respect to data corruption.
Even if you make the right choice with respect to encryption modes, key derivation, memory management etc today, can you keep up with research and developments in how such systems might be broken? Again, with respect to 1Password, we pay very close attention both to the cryptographic literature and to the work being done in the password cracking community.
It is great that everyone and every developer has AES and other strong cryptographic primitives at their finger tips. But unfortunately that isn't enough to design strong system. These things are substantially harder than one might initially imagine, and it is easy to make mistakes.
Ideally, a developer shouldn't have to have a deep understanding of cryptography to develop secure systems. The cryptographic libraries, APIs should be enough. But we aren't there yet. It is still easier to use the tools in those libraries badly than properly.
I don't want to discourage anyone from trying and learning. Just understand that there are reasons for the "overly complex" data formats that are used. Just don't think that you can avoid those complexities until you know why they are there.
- 5,839
- 13
- 18
-
Can you please link to your presentation if it's available? It sounds interesting. +1 however for pointing out the database formats are not *needlessly* complex. Also out of curiosity, how does 1Password handle entropy? A brief look at the website doesn't appear to give any info on that, unless I missed something. Cheers – rath Aug 24 '13 at 21:54
-
3@rath I don't think that my "reputation" here is sufficient to provide all of the links, but here goes: 1. PasswordsCon Presentation: Playing Defense with PBKDF2 [video](http://www.youtube.com/watch?v=oqFwQIOucwo&feature=share&list=UUVt2kWTMj6et10GCXdePdsA), [slides](http://blog.agilebits.com/?attachment_id=1671959173) 2. [Crypto details](http://learn.agilebits.com/1Password4/Security/keychain-design.html) (including CSPRNG info) for 1Password data format. – Jeffrey Goldberg Aug 25 '13 at 01:40
Mostly organization and usability. AES is still the underlying encryption in both, but you can't do things like copy a password temporarily in to memory without having it ever displayed with a simple text file that is encrypted.
The point of software like KeePass and 1Password are to help with organization and usability and provide a secure storage implementation based on the kind of thing you are thinking about.
There isn't any reason you "need" one of them, but they make life far simpler without sacrificing security.
- 41,816
- 5
- 63
- 110
I think you can try this link for more info: http://help.agilebits.com/1Password3/security.html
The slightly longer answer is that your data is encrypted using AES, the same state-of-the-art encryption algorithm used as the national standard in the United States. 1Password uses 128-bit keys for encryption, which means that it would take millions of years for a criminal to decrypt your data using a brute force attack.
For more info: http://help.agilebits.com/1Password3/agile_keychain_design.html
About KeePass:
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information. The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too. SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms. In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
More info: keepass.info/features.html
- 121
- 1