All right, so welcome to the talk about creating a 1Password client. We'll be going through what the format that they use is, and how I went about implementing it on my own, you know, for fun and profit. And we'll see a bit about interesting details about what they actually did.

So I'm Carlos. My day job is at GitHub; I run the work and the team that runs the Git infrastructure. And for the last few years almost anything I touch ends up having to implement some encryption. So this time I said, well, let's do something for fun instead of just for work. And, disclaimer: I'm not your crypto expert. I think the steps they've taken here at 1Password are interesting, and it can be useful to learn from them, but, you know, consult your own crypto and security expert in your organization before doing stuff.

So I expect most of you are gonna know, but just to go a bit over what 1Password is, right? So this is a password manager. What they do is they keep track of all your secrets, so that you don't have to keep around, like, a big ledger full of your passwords and all the old passwords, and then you can't find anything. And then, you know, the alternative is to always just use the one password, which isn't good, because then, you know, Equifax gets popped and now your Gmail is also popped, which means everything is now popped. And really the big advantage of a password manager is when they have a nice browser integration, because then it's easier to create a secure password and just store it and forget about it, and just use that one instead of trying to come up with a clever password, which is probably not gonna be as secure as what the random number generator in your kernel is gonna give them.

Of course, sometimes websites think they're smart, so they have interesting password requirements. So you have to try a few times, and that's definitely not fun. But, you know, you complain
to them rather than the password managers.

So this is about the 1Password vault format, called OPVault. This is the import/export format. This isn't exactly what they use in the application; they use something inside a SQLite database, but it's essentially the same. This is just the serialized version, as it were. This is what goes to the backup, but essentially it's what you dump out to Dropbox or iCloud or rsync, which is how I synced things this morning, or, you know, whatever synchronization you have. And then it will look in that directory and import if any changes happened on other machines.

1Password itself, except for new developments where they're trying to actually get your data in the cloud, is a local password manager. That means all the data is just in your file system, and then you are the one who decides exactly how you distribute these exported backups in case you do want to use multiple machines, right? This is all under your control. They even have a very neat local network synchronization, so you can actually synchronize with your phone without having to go out through the internet. It's pretty cool.

So this is the URL where they actually document their format publicly, because the old format was secret, and it wasn't as secure as it could have been. So after that they decided: OK, well, let's just make this new one open, one that's actually secure, and then let everyone know how it is, because that's how sure we are about our format.

So this is a directory. They have a bunch of files, so you can see here the .attachment ones are attachments to items; we'll see later how these all go together. Essentially you have a bunch of secrets, and then you can attach, like, a picture or whatever is necessary.
I think the export went a bit bad. So, yeah, you have 16 bands. That's just a bunch of JavaScript files with JSON in them, to reduce the amount of churn that any particular file has, because this is for, you know, Dropbox to have, and Dropbox isn't necessarily updating all of the files on both machines, and then you get, like, a weird thing, which you've probably seen if you ever tried to sync Git repositories over Dropbox, which we keep getting comments about. So then you have a profile, which is where all the, essentially, meta information lives, and then a directory of folders to organize things.

And basically almost all of the data here is encrypted. So how do we actually get to encryption? So, you know, we have a key, right, that we need to encrypt the things. But then where do we put that key? We can't put it as plain text on the file system, because that defeats the whole point. But we can also encrypt that one, which only solves the problem slightly, because now we have another key that we need to store somewhere. However, this other key is something that we can create out of the user's master password. So the password you use when the program starts, you type it in and then it unlocks everything, right? That password is the thing that encrypts the real encryption key that decrypts your secrets.

Now, your password, you know, that you type, right? That's not a secure enough key.
So what we have is a function called PBKDF2, which I can never type directly unless I actually mouth out what it means. Right, so it stands for Password-Based Key Derivation Function 2, so the one wasn't good enough. This is somewhat similar to scrypt or bcrypt, which you might know from storing user passwords in your database, except that, instead of trying to create a hash so that we can compare to see if it matches, the output of this is a key: some hexadecimal, or some bytes of a particular length, that's better suited as a key for performing encryption.

As I mentioned, it's similar to scrypt and bcrypt: it has a salt, but it also has a number of rounds or iterations that you can configure. So the idea being that it should be slow to calculate one. It doesn't matter too much when you type in the correct password; maybe it takes half a second, one second to actually create the key. But it does definitely hurt someone who's trying to brute-force their way into your secret vault.

And we don't use the key that we get out of your password directly, because that also means that we can encrypt the real master key with this other password, and then we only have to update one particular field in this one particular file instead of trying to re-encrypt absolutely everything. So it means that we don't need to re-encrypt all of the files, and then all of them just stay together. And then you can automatically increase the iteration number, which means, as computers get faster, you can ship an update that just says: well, for the next updates, instead of doing 50,000 iterations you do 80,000 iterations. And that means that increasing the iterations, sorry, re-encrypting the data out of the password to make it more secure, is no different from doing a normal export.

Yeah, so I already went through this bit. So one of the things that they
also do is a thing called authenticated encryption. Now, this isn't always 100% relevant to an offline client, because it often requires you to have a conversation. But essentially, the way that you might want to do the checksumming of data that you encrypt is: you decrypt it, and then you compare the checksum of the decrypted data against some checksum that you've recovered from somewhere. Which is fine, except for a kind of attack called a chosen-ciphertext attack, in which you can mangle the ciphertext a bit even if you don't know what it contains. And then, if you can actually establish a conversation and have the tool tell you whether the decrypted text gets mangled in a particular way, you can slowly figure out the plaintext without ever figuring out what the key is, or without knowing in advance what the key is.

This isn't 100% relevant for an offline tool, because it would just be: well, sorry, I can't load your vault now. But it does protect against any kind of chosen-ciphertext attack. So even if someone comes up and figures out a way to sort of stay in your machine for a while and keep twiddling the bits in your vault, they're still not gonna be able to get it, because the first thing we do here is we check the checksum of the encrypted text, and then we decrypt it.

This requires specific cryptographic primitives or functions, but those luckily also exist in almost any cryptographic library you will have on your system. So the one I'm using from a library is just OpenSSL, but you also have them with CommonCrypto, which is the one on macOS. And this is the one that they use in their app itself, which is primarily a Mac thing.

So now we know how to create a key out of our password, right? That gives us a 512-bit key. Now that is split into two: one is the encryption key and one is the MAC key.
The master key is, however, actually two keys, master and overview, but we'll see that in a sec. We're using AES-256, so we only need half of this key, but we still don't want to do this PBKDF2 multiple times.

So now, say we have the password. Now we have this other key, and with that we decrypt what's called the master key and the overview key. The master key is the one used for the encryption. The overview key is the one used for encrypting the metadata, or the sort of high-level details of your items or your secrets. So for example, this lets you have the URL for the website or its title listed in your list of items, so you can look for them without actually having to decrypt the actual password, so that it's less likely that, you know, someone doing a memory dump will actually find your password somewhere in your file or in your unencrypted swap, if you have that.

So this is what the profile.js file looks like. The keys are pretty long, so I've sort of elided this; the stuff like the password hint, rounds, that kind of thing was sort of elided here. Now, this does look like it's being loaded into a JavaScript engine, because it's being assigned to a variable.
This isn't necessarily the most... I mean, it looks a bit suspect that it looks like you're trying to load it into some JavaScript when you're not supposed to actually trust the inputs, because this is some file from somewhere. I'm not saying that this is actually vulnerable to anything, but it does look a bit weird.

So you can see here the iterations are about 50,000. I looked this morning, and on my current export it's about 83,000, so they do continually update this data. So this profile comes from the test data that they show on the web page, so you can actually test, if you want to implement something, without having to use your own vault, which means you're less likely to actually print out all of your passwords into the terminal for debugging.

So let's go back to the kinds of keys. We started with the password. We made that into two keys, and with that we decrypted these other two keys, which are actually two each, but I generally treat them as just the one because they both go together. Each time you get the key, you split it into two: the first half gives you the encryption key and the other one is the verification key. So I use the second half to verify that the encrypted text hasn't been tampered with, and then you can decrypt. And then you can know that at least the right person encrypted the text, even if you don't necessarily know what's inside.

And then we can now start opening all of the items. We can read those band, you know, A, B, C files, and then we can load, and finally we can display to the user what the list of items is. So an item is just what this thing calls each entry in the database, each secret that it's storing. Almost all of the data is encrypted; there's a few things which aren't, like the category, whether it's a favorite, the folder that contains it. Normally this is because that way you can actually figure out if something is a favorite. So
if the user says, oh, show me all of the favorites, you don't even need to bother decrypting the overview to see if it's a favorite. However, the first thing the app does when you input the password is to show you all items from all vaults. So I'm not sure whether this was an idea that they had, oh, maybe some integration will actually want to do this, because the app definitely doesn't seem to be taking advantage of this, and the first thing it'll do is just decrypt everything. Well, all of the overviews, right?

So the overview will consist of, essentially, the date when this was done, some text, and some auxiliary information. Like, sometimes it will say, well, you created this password on this date, or this is a credit card for this bank and this person. They have a lot of somewhat specific kinds of items: like, an outdoors license is one specific one, you have credit cards, and they have, like, a type for each credit card. But most of the time you're just gonna have generic passwords.

Now, each item itself also has its own keys. Not for the overview; that one is sort of less secure, or is less sensitive. But once you have your master key for encryption, you can then decrypt this other key pair for each item. That way you can now get to the detail, which is actually the password, or the credit card number, or your SSN or whatever. So, because they're American, they also have this thing.

And that means that there's only very little actual content that gets encrypted under each particular key, which doesn't necessarily protect against any known attack. But generally, the less that you use any particular key, the less likely it is that you've misused it in some way and thus you've exposed some data. So the less actual secrets that you store under each key... The hardest answer is that, even if an attack becomes possible, it's less likely that it's gonna hurt you. They do
however... Well, one of the other things that the app, that AgileBits provides in 1Password: it also just forgets your password if you wait too long without, you know, going into it, or if you close your laptop and it goes to sleep, it also just forgets. This also reduces, you know, the chance that someone will manage to go and get it. But it also means that it evacuates the memory more often. I mean, this overview information isn't considered to be as sensitive, so it's OK if someone sees it a little bit. But, you know, it's still gonna be easier to find that in a memory dump or unencrypted swap, like I mentioned, than, you know, the keys themselves, which are also gonna be in memory. So it's sort of trying to be secure whilst also, you know, not asking you for your password for every single thing. So it's kept in memory, but only some of the keys. It's trying to play around with this, trying to figure out what the recommendation is of spending time, you know, on behalf of the users, just storing keys versus not.

So one of the interesting things here is when trying to perform a checksum. Most of the time you run this authenticated encryption, in which you have a chunk of data. However, because some of the data inside an item is unencrypted, like the fave, the category, we can't run the same process. So they came up with this other process where you essentially do the same thing, but you grab all of the data and you store the HMAC, which includes, you know, all of the encrypted data plus all of the unencrypted one, except obviously for the HMAC entry in the field. Now, this is a JSON object.
So it's all a bunch of strings and, you know, numbers and booleans, but primarily strings. And also, because this is JSON, there is no canonical representation for any of this, so you can't just hash the output, because multiple implementations could just produce anything. So what they do is, you have the key and the value. So you have the key, you hash that, and then you put the value as a string, and then you hash that.

However, probably because the code is in Objective-C, and that doesn't actually have booleans but only integers, they have a single optional boolean in the items, which is whether it's been sent to the trash. And it took me a while to figure out, because I could never verify this one object until I realized that, oh, right, I'm in Rust, so I actually have booleans. I'm gonna say, print me this to string as a bool, but because of the generic dictionary that they're using in the 1Password implementation, it turns out that it's trying to print a one instead of a boolean true. So that took way too long to figure out, that, you know, it turns out booleans aren't always booleans. I don't know if this is just a side effect of them storing things in a SQLite database, where types aren't necessarily a real thing. But, yeah, it took a while. It's not as clear as it could be, but it's, you know, fine. I managed to read it in the end.

Attachments: there's not much to them.
Each attachment specifies what item they go to. They also have an overview and a detail, you know, where you can say, oh, this is my credit card, or this is my ID, and then the actual detail is just... very often it would just be an image.

Folders: they also have a name and a UUID. This UUID is what the items refer to, to say, I'm in this folder. They do have this particular kind of folder called a smart folder, which, for example, in the test data, they say, oh, show me all of the items that contain attachments. Now this, I assumed, oh, this is probably like some JavaScript or some Lua in some sandboxy thing that runs the code. But it turns out it's something in binary that they don't promise is ever gonna stay stable anyway. And it turns out the base64-encoded string isn't even a properly encoded string in the test data. At least I think there's, like, a null somewhere, or half a byte is missing, or something strange. So, I mean, I don't use them, so I didn't bother too much, but they're there. It's an interesting feature, but I guess you'll have to reverse-engineer this binary format if you want to write something that reads these smart folders and you're actually using them.

So, putting all of this data into a library, right? So I figured, hey, I should try out something in Rust, you know, because it's the one language
I don't usually get to use at work. So I figured, well, OK, you know, I should do this. It's public, and I've muddled through by using my phone as the other 1Password client and then just copying it around, because luckily most of the time I work I can just use my U2F key to go into sudo mode instead of having to set my password 20 times a day. So it was fine, but then I got a bit tired. And of course the official solution from AgileBits is, oh, you should just run Wine, you know, and run the Windows implementation from them on your Debian. Just like, OK, cool, but no, I don't want to do that. I'm sure it works fine, but that's, you know, not the point. So, you know, let's try to do it. It was, like, a year ago, roughly.

So I mentioned that we have this overview key plus the master key, and that's what you use for the items, and what you use for the attachments, to seal their overview versus the details. So I was gonna say, OK, well, I'm a C programmer generally, so I'll just add pointers everywhere. It turns out, you know, Rust says, oh, but you have to prove to me that you're not gonna free, you know, the vault that actually contains all of this data while you're using the other thing. And then I'm like, no, but it's fine, I've been writing C for a decade. You know, I rarely segfault. But, you know, so in the end I sort of took the coward's way and added a reference counter around it. It was fine, but, you know, I still want to go back in and actually fix it more, now that the compiler has better error messages, so it's not shouting at me as much.

Yeah, and also a shout-out to Serde, the serialization/deserialization library. It's very versatile.
It lets me specify almost completely what I do in code, and sort of statically at compile time, and it'll generate all the code I want. It's pretty cool.

So now we know how to decode the actual encrypted data, and now we have a bunch of JSON blobs that aren't actually documented, because that's application data. But at least, you know, JSON's self-documenting or something, so at least we can actually see what the keys and values are and just build up a bunch of structs and, you know, just do it. All right, just have Serde, have the deserialization library do it for me.

However, there are some things that aren't quite clear, whether it's just the way the app... someone wrote it and then forgot about it, or whatever. But for when you have a login or something you submitted through a web form and it gets stored, you know, from your browser integration, right? They have a type for a field that's password. But then I noticed that half of my passwords were just printed in plain text in the UI that I was writing. Well, what's going on here? Turns out a password is a password when it has a password type, or when it's a normal text type and its name or its designation are also password. So the app knows it's a password; it just doesn't store it as a password. I'm not sure why that is, right? So this is, like, a bit of the code I have there, where I'm saying, OK, well, is this a password, or does it look like a password? This is what you call duck typing or something.

There was also an interesting... so when you have the more specific ones, like the outdoor license, whatever, it actually has some very specific fields. Most of them are actually strings, but they all have different kinds. Now, in Serde, I started doing it with each having their own struct, because I want to be proper and, you know, have types and safety and whatever, right?
But then it turns out that they all are just ten that are the same and two that have a difference. So at the end of the day... this is where my second shout-out to Serde goes. So here we can see K, and so this is the key, the name, the value, and then some attributes. The value can be a number, a string, or this whole other structure, just address, and this is all optional. And Serde lets me just say, hey, there's this value field, it can be one of these three things, just try them all. And it will just write the code for me that tries to figure out: hey, is this a number? Oh, this matches the number. Is this a string? OK. Or is it another object that has all of these fields? Oh, then I'm going to pack it into this address field, which is another very specific thing that they have, where otherwise it's mostly strings.

And on this specific versus non-specificity that they have in a few places: they seem to have this form of gettext by default. So earlier you see the name or the designation for this field is password. Now, for a bunch of these things, they have a designation... so they have a name, which is the field name in the browser. But they also have a thing, for example, expiry date, game, whatever. So game is for the outdoor license, because apparently they have one very specific field for what kind of animals you're allowed to kill. None of these just have the English or, you know, human name of this; they have something that presumably you take to gettext. Which is actually cool, because most of the time you're stuck with the English definitions of things, whereas here, you know, you sort of default to, well, this is just something, and then we're gonna update the app as things happen.

So this is the source code. The first one is the library; the second one is the GUI. You shouldn't use the GUI right now, because, for debugging purposes, it will actually print everything into the command line if
you're running it. So it's just gonna print out all of your passwords. So, you know, don't use that without commenting that out. And thanks.
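
Added example, not part of the talk and not code from the speaker's library: a Python sketch of two steps described above, stretching the master password into a 512-bit key that is split into an encryption half and a MAC half, and MACing an item's keys and stringified values, where the boolean has to be rendered as `1` to verify. It assumes PBKDF2-HMAC-SHA512, HMAC-SHA256, sorted key order and a base64 `hmac` field, none of which the talk names; the field names and sample item are constructed, and keying the item MAC directly with the derived MAC half is a simplification.

```python
import base64
import binascii
import hashlib
import hmac


def derive_keys(password: bytes, salt: bytes, iterations: int) -> tuple:
    """Stretch the master password into 512 bits and split it in half."""
    # Assumption: SHA-512 as the PBKDF2 hash (the talk does not name it).
    derived = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)
    return derived[:32], derived[32:]  # (AES-256 key, MAC key)


def value_as_string(value, bool_as_int: bool = True) -> str:
    """Render a JSON value as the string that goes into the MAC."""
    if isinstance(value, bool):  # check bool first: bool is a subclass of int
        if bool_as_int:
            return "1" if value else "0"  # what an integer-backed boolean prints
        return "true" if value else "false"  # what a typed language prints
    return str(value)


def item_mac(item: dict, mac_key: bytes, bool_as_int: bool = True) -> bytes:
    """MAC every key and stringified value of the item except the MAC itself."""
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    for key in sorted(item):  # assumption: a fixed, sorted key order
        if key == "hmac":
            continue
        mac.update(key.encode("utf-8"))
        mac.update(value_as_string(item[key], bool_as_int).encode("utf-8"))
    return mac.digest()


def verify_item(item: dict, mac_key: bytes, bool_as_int: bool = True) -> bool:
    """Check the stored MAC before anything in the item is decrypted."""
    try:
        stored = base64.b64decode(item.get("hmac", ""), validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False  # a malformed MAC field is treated as tampering
    return hmac.compare_digest(item_mac(item, mac_key, bool_as_int), stored)


def build_sample():
    """Constructed sample data: not taken from any real vault."""
    _enc_key, mac_key = derive_keys(b"constructed password", b"constructed-salt", 50_000)
    item = {
        "category": "001",                           # stored unencrypted
        "folder": "constructed-folder-id",           # stored unencrypted
        "trashed": True,                             # the one optional boolean
        "overview": "b3ZlcnZpZXcgY2lwaGVydGV4dA==",  # stand-in ciphertext
        "details": "ZGV0YWlsIGNpcGhlcnRleHQ=",       # stand-in ciphertext
    }
    item["hmac"] = base64.b64encode(item_mac(item, mac_key)).decode("ascii")
    return item, mac_key


if __name__ == "__main__":
    item, key = build_sample()
    print("boolean as 1:   ", verify_item(item, key))
    print("boolean as true:", verify_item(item, key, bool_as_int=False))
    print("category edited:", verify_item(dict(item, category="002"), key))
```

Because the unencrypted fields are inside the MAC, editing `category` or `trashed` on disk fails verification just as flipping ciphertext bits does.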