6

Lastpass stores the password databases encrypted on the server. Does it give a database to anyone who asks? If no, then what authentication (i.e. password) is used? I use Lastpass on multiple devices with the same master password and have not configured any other passwords. It sure would be silly if the master password is used to authenticate to the Lastpass servers when a person's password database is being retrieved.

Is there anything special about Lastpass in the sense that most servers, when they do store something in encrypted form, know how to decrypt it, e.g. a court order could compel them to do so?

Celeritas

2 Answers

4

Is the same decryption key used for data on the server as locally with Lastpass?

Yes, the same decryption key is used for data on the server as for local data. Although if you are using a Yubikey, you can set your local password database to be encrypted with the public identifier too.

Does it give a database to anyone who asks?

Not anyone. LastPass will comply with the law, so if a relevant law enforcement agency requests the data with the correct authorisation then LastPass will supply them with the encrypted data.

If no, then what authentication (i.e. password) is used?

Your password is never sent to LastPass themselves. According to Security Now podcast:

when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the whitespace, adds the password, and then it does this hash to it, turning it into a 256-bit blob

(Mandatory Attrition link)

This is the symmetric key used to encrypt your password database before it is sent to LastPass, and to decrypt the password database when it is retrieved from the LastPass servers.

So the key used never leaves your system.

Regarding authentication:

they take that key, the cryptographic key, and they add your password to it, that is, they concatenate your password to your cryptographic key, and they hash that. So they do another one-way function on your crypto key with your password, which they don't know because they never get it. But they get another blob

So this second blob, this second output from the hash, that's your unique ID. That is, the only way to get that is if you take your username and password, hash it, then add the password to that and hash it again. So it absolutely depends upon both of those pieces of information. So then your username and that goes to LastPass to identify you. And because that contains your password twice hashed into it, nobody who doesn't have your password, even if they have your email address, is able to produce that blob. So you have to have your email address and your password run through this hash twice to get that blob.

But notice that your cryptographic key, which is sort of the first byproduct of that because that's the output from the first hash, that goes into the second hash but is lost in the hashing process, thanks to it being mixed with your password. So the LastPass people never get your crypto key. They get a different unique token that identifies you to them so that you're able to log on securely to their facility. And these guys are so paranoid that they don't even save that on their servers. They don't even save that special logon blob, the output from that second hashing process.

Instead they, at the time you create your account, they come up with, they use a random number generator at their headquarters to create a unique 256-bit token which they save with your account. And whenever you're logging in, they take this 256 blob you're sending them that's the result of these two hashing processes. They add that to this unique 256k random number, and they hash that. And that's what they compare to what's stored with your account. Which is to say they never store that logon token. They store the result of hashing that logon token with a unique 256-bit value that they created for you. So they dynamically see if it's the same, but they never save your logon token. They just - they don't want it. They don't need it. So they're able to perform a dynamic check whenever you need to authenticate, but they don't keep it statically.

So to summarise the podcast your encryption key is:

DK = sha256("foo@example.com" + password)

(Note that LastPass state they use PBKDF2 over SHA-256).

Your effective authentication passkey is:

key = sha256(DK + password)

And they store this on their system only in salted hashed form with a 256-bit salt (the "random number").

stored_value = sha256(key + salt)

(assuming it is sha256 once again. This answer states this is PBKDF2 over HMAC-SHA256 with 100,000 rounds.)

they know how to decrypt it e.g. a court order could compel them to do so?

As they don't have the DK they can't decrypt your data. However, bear in mind that many countries have a key disclosure law which could compel you to hand over your LastPass password.

SilverlightFox
  • When you say that they "create a unique 256-bit token which they save with your account", how exactly do they link that token with the account? When my unique ID, how do I know which token is mine? The server probably won't go around adding the unique ID to each token in the database for the dynamic checking, right? – user117913 Nov 01 '18 at 17:54
  • It will just be stored against your email address. – SilverlightFox Nov 01 '18 at 22:40
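The three-step chain summarised in the answer above (DK, login key, salted stored value), as an added example that is not LastPass's own code. It uses the plain SHA-256 variant the podcast describes rather than the PBKDF2 variant the answer notes LastPass actually uses; the email normalisation, the salt length and the hypothetical ServerRecord/enrol/authenticate names are assumptions made here.

```python
import hashlib
import hmac
import os


def normalise_email(email: str) -> str:
    # Podcast: lowercase the email address and remove whitespace before hashing.
    return "".join(email.lower().split())


def derive_dk(email: str, password: str) -> bytes:
    # Client side: DK = sha256(email + password). This is the vault encryption
    # key and never leaves the client.
    return hashlib.sha256((normalise_email(email) + password).encode()).digest()


def derive_login_key(dk: bytes, password: str) -> bytes:
    # Client side: key = sha256(DK + password). Only this value is sent to the
    # server; DK cannot be recovered from it without knowing the password.
    return hashlib.sha256(dk + password.encode()).digest()


def client_login_material(email: str, password: str) -> tuple:
    dk = derive_dk(email, password)
    return dk, derive_login_key(dk, password)


class ServerRecord:
    """What the server keeps per account (hypothetical structure): the random
    256-bit salt and sha256(key + salt), never the login key itself."""

    def __init__(self, login_key: bytes):
        self.salt = os.urandom(32)  # the "unique 256-bit token" from the podcast
        self.stored_value = hashlib.sha256(login_key + self.salt).digest()

    def check(self, login_key: bytes) -> bool:
        # Dynamic check: rehash the presented login key with the stored salt and
        # compare in constant time, so nothing about the key leaks via timing.
        candidate = hashlib.sha256(login_key + self.salt).digest()
        return hmac.compare_digest(candidate, self.stored_value)


def enrol(email: str, password: str) -> ServerRecord:
    # Account creation: the client sends only the login key, never DK.
    _, login_key = client_login_material(email, password)
    return ServerRecord(login_key)


def authenticate(record: ServerRecord, email: str, password: str) -> bool:
    _, login_key = client_login_material(email, password)
    return record.check(login_key)
```

Two enrolments with identical credentials yield different stored values because each account gets its own random salt, so a leaked record neither reveals DK nor matches another account.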
0

Lastpass encrypts and decrypts your data only locally, probably using Javascript, in the browser. Your master password is not sent to the Lastpass servers. Well, it should not be, and up till now I trust them not to do this.

It sends the encrypted database to its servers. When you login on another computer, you enter your email address and password. Then Lastpass downloads your database, it's decrypted locally and there you go.

Now there is one thing that I can't tell you. When somebody enters your email address and a wrong password, will your database download to that computer? As the password is not uploaded to Lastpass, they can't know for sure that it's not you until the database is decrypted locally. My guess is that they send some kind of (encrypted) hash based on your email address and your password to their servers, in such a way that your password cannot be extracted from it in a reasonable time.

If simply entering the email address is enough to download the database, that opens up the possibility of a local brute force attack.

SPRBRN