Playing Defense with PBKDF2: Hashcat and the 1Password Agile Keychain from the Defender’S Point of View a (Rough) Day in the Life of a Defender
Total Page:16
File Type:pdf, Size:1020Kb
Background Announcement and reaction PBKDF2 Bug Millions of guesses per second Playing Defense with PBKDF2: hashcat and the 1Password Agile Keychain from the defender’s point of view A (rough) day in the life of a defender Jeffrey Goldberg Chief Defender of the Dark Arts AgileBits Inc. [email protected] Passwords13 Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction PBKDF2 Bug Millions of guesses per second Outline 1 Background AgileBits and 1Password Key derivation 2 Announcement and reaction Announcement Response 3 PBKDF2 Bug 4 Millions of guesses per second PBKDF2 Iterations Other defenses Most promising approaches Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second AgileBits and 1Password 1Password is the flagship product of AgileBits, Inc. In 2005 Dave Teare and Roustem Karimov said, “Wouldn’t it be cool if we could use the OS X Keychain to build a form filler and password manager for ourselves?” 1Password is now extremely popular and runs on OS X, iOS, Windows (and there is an Android reader). Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Relevant Design Principles Sometimes people’s encrypted data will get stolen. (So we started using PBKDF2 before it was cool) We are willing to say “no” to feature requests (E.g., we don’t have an option for a cascade of AES-Twofish-Serpent) Not open-source, but open about security design (Most relevant for this audience, we’ve provided samples and details to those building crackers.) Demonstrate that “usable security” is not an oxymoron. We want non-experts to have top-notch security. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second My history with AgileBits I’d tried a number of password managers, including rolling my own. Once I’d made the switch from Linux on the Desktop to OS X, I was willing to consider a Mac-only solution. Examined a number of options. After peppering Dave and Roustem with questions, eventually settled on 1Passwd. As a customer, I’d been such an enthusiastic advocate and “explainer” of its security that I was offered a job. I may be the one who explains crypto and security to the public, but our developers are way smarter than I am. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second My history with AgileBits I’d tried a number of password managers, including rolling my own. Once I’d made the switch from Linux on the Desktop to OS X, I was willing to consider a Mac-only solution. Examined a number of options. After peppering Dave and Roustem with questions, eventually settled on 1Passwd. As a customer, I’d been such an enthusiastic advocate and “explainer” of its security that I was offered a job. I may be the one who explains crypto and security to the public, but our developers are way smarter than I am. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second 1Password data formats Original version used the OS X keychain. In 2007–2009 transitioned to Agile Keychain Format Currently transitioning to 1Password 4 Cloud Keychain Format For this talk, what is relevant is key derivation in the Agile Keychain Format. Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Key derivation in Agile Keychain Format 1 Master Password taken as UTF8 string is handed to PBKDF2-HMAC-SHA1 to derive 256-bits 2 256-bit split into 128 bit AES key and 128 bit IV for AES-CBC 3 Derived AES key is used to decrypt a 1 kilobyte chunk of data encrypted with AES-CBC with PKCS#7 padding. 4 (Other steps that are not relevant for password cracking.) Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Key derivation in Agile Keychain Format 1 Master Password taken as UTF8 string is handed to PBKDF2-HMAC-SHA1 to derive 256-bits 2 256-bit split into 128 bit AES key and 128 bit IV for AES-CBC 3 Derived AES key is used to decrypt a 1 kilobyte chunk of data encrypted with AES-CBC with PKCS#7 padding. 4 (Other steps that are not relevant for password cracking.) Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Key derivation in Agile Keychain Format 1 Master Password taken as UTF8 string is handed to PBKDF2-HMAC-SHA1 to derive 256-bits 2 256-bit split into 128 bit AES key and 128 bit IV for AES-CBC 3 Derived AES key is used to decrypt a 1 kilobyte chunk of data encrypted with AES-CBC with PKCS#7 padding. 4 (Other steps that are not relevant for password cracking.) Jeffrey Goldberg Playing Defense with PBKDF2 Background Announcement and reaction AgileBits and 1Password PBKDF2 Bug Key derivation Millions of guesses per second Key derivation in Agile Keychain Format 1 Master Password taken as UTF8 string is handed to PBKDF2-HMAC-SHA1 to derive 256-bits 2 256-bit split into 128 bit AES key and 128 bit IV for AES-CBC 3 Derived AES key is used to decrypt a 1 kilobyte chunk of data encrypted with AES-CBC with PKCS#7 padding.