#cryptography #security #engineering #pattern

idea

In contexts where data is stored on a third part service, the only way to ensure the service provider does not have access to the data is by using a secret that they don't have.

Passwords don't provide a sufficient level of entropy for long term security, one way to add entropy is to add other factors ; and derive a key from all these factors.

Key derivation as presented by 1password provides such an algorithm, where the client stores a certificate locally, which means that each client needs to propagate the certificate to the next rather than relying on the central service to do so. This is increasing security at the expense of complexity.

The actual encoding is done via AES (symmetric), using one key per document, which is making the cost of decrypting the documents themselves prohibitive (since finding one key does giving access to only one doc).

The AES keys are encrypted by an asymmetric encryption algorithm (RSA or ECC^[1]), using a derived key composed of a local secret + a master password.

links

[1]: ECC is a secured asymmetric encryption algorithm

references

1password's whitepaper^ref is describing in great details how this works for them