A guessing technique that leverages a design flaw in the popular 1Password password manager tool has sparked widespread discussion about potential security consequences and appropriate approaches to encryption implementation. Cryptography experts have suggested that the actual danger is minimal but that the incident underscores the need for careful code review and better hashing functions.
The issue first surfaced on Tuesday, April 16, when the developer of password cracking tool oclHashcat-plus, Jens “atom” Steube, posted on the Hashcat forums that he had reduced the number of calls required to crack passwords to a quarter of what would normally be required, Ars Technica reported. As a result, Steube was able to carry out 3 million guesses per second.
Assessing the design issues
The company that makes 1Password, AgileBits, strengthens its encryption by using the PBKDF2 key derivation function, which runs the password through a hash-based pseudo-random function such as SHA1 or MD5 hundreds or thousands of times. As a result, it can take billions of additional guesses – adding up to many additional years – to crack a password, Ars Technica explained. The latest versions of 1Password run the master password through anywhere from 10,000 to 45,000 iterations, but earlier versions only ran 1,000 iterations due to processing constraints on older equipment.
As explained on the AgileBits blog, a pseudo-random function transforms the data during each iteration. Different hash functions produce outputs of different sizes; the one AgileBits uses, HMAC-SHA1, returns 20 bytes. The company’s key derivation step asks for 32 bytes, however. To get them, the 20-byte output is truncated to 16 bytes and the number of hash function iterations is doubled, producing two 16-byte pieces of output. The first 16 bytes become the derived AES key and the second 16 bytes the initialization vector. An attacker testing a guess only needs the first 16 bytes, the AES key. Steube’s method exploits this by deriving only the 16-byte half that yields the AES key rather than the full 32-byte output.
“For the end user, it means that an attacker only needs to perform 50 percent of the SHA1 calls that the 1Password software needs (maybe only 25 percent, depending on how optimized the 1Password code is),” software security blogger Adam Caudill wrote in a post analyzing the flaw. “When it comes to password cracking, that certainly seems less secure than what was intended. As flaws go it could be far worse, but it’s likely less secure than intended.”
According to AgileBits’ Jeffrey Goldberg, the company should be able to prevent the problem by switching to a different hash function, such as SHA512, which delivers a 64-byte output that does not need to be split into halves. Making that change may take time, however, because compatibility with existing data has to be preserved. He also suggested that the real improvement needed may be a successor to PBKDF2.
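As an added illustration (not code from the article, AgileBits or Hashcat), the following Python implements PBKDF2 as specified in RFC 2898 with a counter of pseudo-random function calls, reproduces the 32-byte key-plus-IV split described above, and measures how much of the defender’s work is needed to reach only the AES key: with HMAC-SHA1 the key lies entirely in the first of two blocks, so half the calls suffice, while with HMAC-SHA512 the whole 32 bytes fit in one block and the shortcut disappears. The password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import struct

def pbkdf2(prf_name, password, salt, iterations, dklen):
    """RFC 2898 PBKDF2 over HMAC-<prf_name>; returns (derived_key, prf_calls).
    Output block i depends only on password, salt and i, so a prefix of the
    output can be computed without deriving the blocks after it."""
    hlen = hashlib.new(prf_name).digest_size
    nblocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    calls, out = 0, b""
    for i in range(1, nblocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), prf_name).digest()
        t, calls = u, calls + 1
        for _ in range(iterations - 1):
            u = hmac.new(password, u, prf_name).digest()
            t, calls = bytes(a ^ b for a, b in zip(t, u)), calls + 1
        out += t
    return out[:dklen], calls

def matches_stdlib(prf_name, password, salt, iterations, dklen):
    """Cross-check the implementation above against hashlib.pbkdf2_hmac."""
    ours = pbkdf2(prf_name, password, salt, iterations, dklen)[0]
    return ours == hashlib.pbkdf2_hmac(prf_name, password, salt, iterations, dklen)

def derive_key_iv(prf_name, password, salt, iterations):
    """The split the article describes: 32 bytes out, key = first 16, IV = last 16."""
    dk, calls = pbkdf2(prf_name, password, salt, iterations, 32)
    return dk[:16], dk[16:], calls

def guess_cost_ratio(prf_name, password, salt, iterations):
    """PRF calls needed to reach only the AES key, as a fraction of the calls the
    defender spends on the full 32 bytes; the IV is not needed to test a guess."""
    key, _iv, full_calls = derive_key_iv(prf_name, password, salt, iterations)
    key_only, key_calls = pbkdf2(prf_name, password, salt, iterations, 16)
    assert key_only == key  # identical key, fewer blocks computed
    return key_calls / full_calls

# Constructed sample inputs, not values from the article.
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(8))
ITERATIONS = 1000  # the count the article gives for older 1Password data

if __name__ == "__main__":
    # HMAC-SHA1: 20-byte blocks, so 32 bytes takes two blocks but the key needs one.
    print("sha1   guess/defender cost:", guess_cost_ratio("sha1", PASSWORD, SALT, ITERATIONS))
    # HMAC-SHA512: one 64-byte block covers all 32 bytes, so the shortcut is gone.
    print("sha512 guess/defender cost:", guess_cost_ratio("sha512", PASSWORD, SALT, ITERATIONS))
```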
While the issue does suggest that 1Password is not as secure as believed, it does not represent a major security lapse, according to experts. Johns Hopkins University professor Matthew Green told Ars Technica that the system’s security still meets user needs – it just is not as strong as initially intended. Caudill suggested that the so-called flaw only costs the equivalent of 1 or 2 bits of entropy. The problem stems from the difficulty of combining several cryptographic building blocks, he explained, and it underscores the fact that even experts can be tripped up by the details of how multiple algorithms behave when used together.
“This should serve as a great example of why any new crypto implementation needs to be expert reviewed to make sure that it’s right,” he wrote. “Nobody gets it right every time, every code base needs to be reviewed, this could (but doesn’t have to) happen to you.”
Developers can catch such errors through code review by experts, as well as by using tools such as static analysis software. By taking these precautions, vendors can find design flaws that arise when they combine multiple algorithms for encryption or other purposes before the flaws reach users.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.