Master password, OTP and data security

Have questions about LastPass, or having problems using it? Ask for help here!

Moderators: admin, Israel, anatoly_LP, chantie, robyn, JoeSiegrist

Master password, OTP and data security

Postby texnic » Sat Dec 12, 2009 9:36 pm

I think I am missing something, but I also could not find any information in this forum, although the users seem to be concerned about this. May be you could create a somewhat more "technical" explanation of the OTP-related issues and add it to the FAQ...

I don't understand the following, could you please comment:

1. I have tried the password recovery using locally stored one-time password. After logging into the system, I was able to read all the secure notes, including those, for which "require password reprompt" was enabled. For a password with this option enabled, this doesn't work, it requires password reprompt indeed. Is it a bug with the notes?

2. On the other hand, if I am using the normal OTPs, in an internet cafe, I don't want to enter my master password. Should I enter another OTP when reprompted?

3. If my information is encrypted with my master password, how can it be that one-time passwords allow to decrypt it? This forum makes me think that you take the master password, split it into two parts, store one locally and another on your server. Is this correct?

4. Don't you think it makes sense to switch the OTP recovery off by default? I understand why you have created this function and find it rather useful, at least for "normal" users. I should also agree that the implementation, as far as I understand it, is smart indeed. But AES-256 is not the level of encryption for the normal users, it is a military grade algorithm. Therefore the rest of the system should be as robust. Encryption with a strong password with AES-256 is unbreakable. I don't think my email is as secure. Neither can I be sure my laptop won't be stolen. Then this OTP-based recovery becomes a typical backdoor! And false safety in action!

5. Finally, since the OTPs are 128 bit long, I think you are just saving 128 bits of the master password hash value on your servers and 128 bits locally. Right? If yes, then: Of course, it is impossible to do brute-force attack on your 128 bit since this would require impossible number of connections to your servers. BUT: if your own storage would be compromised, Eve would get my encrypted database and 50% of my master password. 128 bit encryption with AES is still very strong, but it is not AES-256 any more. Taking this into account, wouldn't it be more proper to make OTPs be 256 bit long?
texnic
 
Posts: 21
Joined: Sat Dec 12, 2009 8:49 pm

Re: Master password, OTP and data security

Postby JoeSiegrist » Sat Dec 12, 2009 10:48 pm

texnic wrote:1. I have tried the password recovery using locally stored one-time password. After logging into the system, I was able to read all the secure notes, including those, for which "require password reprompt" was enabled. For a password with this option enabled, this doesn't work, it requires password reprompt indeed. Is it a bug with the notes?


Upon using your password recovery you can now change the password, we kill the reprompt for that and so the password reprompt doesn't really make sense here.

2. On the other hand, if I am using the normal OTPs, in an internet cafe, I don't want to enter my master password. Should I enter another OTP when reprompted?


I think the right thing to do here is not reprompting after a OTP has been used; this point could be argued either way but the reprompt itself is more of a 'casual protection', especially on the website.

3. If my information is encrypted with my master password, how can it be that one-time passwords allow to decrypt it? This forum makes me think that you take the master password, split it into two parts, store one locally and another on your server. Is this correct?


That's a layman's way to explain it -- we do something far more safe, which I'll detail below.

4. Don't you think it makes sense to switch the OTP recovery off by default? I understand why you have created this function and find it rather useful, at least for "normal" users. I should also agree that the implementation, as far as I understand it, is smart indeed. But AES-256 is not the level of encryption for the normal users, it is a military grade algorithm. Therefore the rest of the system should be as robust. Encryption with a strong password with AES-256 is unbreakable. I don't think my email is as secure. Neither can I be sure my laptop won't be stolen. Then this OTP-based recovery becomes a typical backdoor! And false safety in action!

We have to choose the lesser of two issues here -- we scrambled to come up with a password recovery mechanism that exposed nothing to us as an option since a truly shocking number of people forget their master passwords. Given that you can choose to disable the feature entirely, and that the people who will not be remembering their password are far less likely to look at any options I think it's the right choice.

If you do choose to do it, yes your email might not be 100% safe and you rely on the combination of that plus your physical security but it's automatic which is a big requirement on our side. We've thought about expanding this to allow registration of your telephone number and doing an IVR call to it for authorization, especially for people who want to use a random password for their email account.

5. Finally, since the OTPs are 128 bit long, I think you are just saving 128 bits of the master password hash value on your servers and 128 bits locally. Right? If yes, then: Of course, it is impossible to do brute-force attack on your 128 bit since this would require impossible number of connections to your servers. BUT: if your own storage would be compromised, Eve would get my encrypted database and 50% of my master password. 128 bit encryption with AES is still very strong, but it is not AES-256 any more. Taking this into account, wouldn't it be more proper to make OTPs be 256 bit long?


No, that's not how it works at all, and would radically reduce your security with each OTP you made if that was the case. We used 128 bits because that's about the longest reasonable length for people typing in OTPs -- 128bits / 8 bit characters = 16 characters but they could be high ascii so we use 'hex' so 2 hex digits per character = 32 hex digits to type in. That's a stretch already, doing 64 hex digits just seems unreasonable to me.

What we actually do is far more complicated:
- Create a completely random 128-bit number
- Make the random key out of the username and the random password as a hash
- Make a random hash from your username and random password, send this to the server, this will be how we can tell you entered the right 32 digits of hex to allow you to download your encrypted data later
- Encrypt your actual key with the new random_key, so we can retrieve it when random password is entered later, send this to the server

Basically we recursed our entire process using a 128-bit key that's randomly created.

The safety of this is very high, especially if you turn over your OTPs -- a full 128-bit key to encrypted data which gets wiped once you use it.

There is one minor regret here, but it came about because we needed to implement it on a time-line: we're using the same 128-bit OTP process for the stored password recovery hash -- there's no reason that couldn't be 256 bit (or even longer) since you're not typing it in. We'll hopefully get around to fixing this at some point, but 128-bit AES is still exceptionally strong and it would be the end of the universe before it's brute forced .... time is on our side here.
JoeSiegrist
 
Posts: 4132
Joined: Wed Aug 20, 2008 10:40 am

Re: Master password, OTP and data security

Postby texnic » Mon Dec 28, 2009 11:12 am

Joe, thanks very much for fast and extensive response. I hope I understand it now. I'll just repeat for clarity:

In simplified words (in terms of what data is sent and what is used locally), when I ask for an OTP,
- Random OTP is created locally
- temp_key = hash(username + OTP)
- Username + hash(OTP) is sent to the server
- encrypt(master_password, temp_key) is sent to the server

Thus, neither my master password nor OTP nor temp_key is ever sent to the server.

When I am using the OTP,
- I enter my username and OTP
- Username + hash(OTP) is sent to the server for authorization
- You then send me the encrypted database and the temp_key-encrypted master_password
- temp_key is recreated locally from username and OTP
- Master password is locally decrypted
- Database is locally decrypted
- You delete the used Username + hash(OTP) value so that this OTP cannot be used for authorization any more.

So basically we are dealing with OTP-encrypted master password.

Is this correct?

Then I don't understand how an OTP can be revoked. If you have sent me the OTP-encrypted master_password, and I have entered the OTP locally, someone key-logging on the local machine can save both values and decrypt the master_password later? You will not allow second authorization with the same OTP, but the person has already obtained the master password! Where am I wrong?
texnic
 
Posts: 21
Joined: Sat Dec 12, 2009 8:49 pm

Re: Master password, OTP and data security

Postby JoeSiegrist » Mon Dec 28, 2009 9:21 pm

texnic wrote:Is this correct?

Then I don't understand how an OTP can be revoked. If you have sent me the OTP-encrypted master_password, and I have entered the OTP locally, someone key-logging on the local machine can save both values and decrypt the master_password later? You will not allow second authorization with the same OTP, but the person has already obtained the master password! Where am I wrong?


Not entirely -- to try to put it in a simple way the OTP creates a hash, which that hash then verifies if the OTP is still valid on the server and if so allows download of random data that can then be combined with the OTP locally (remember the OTP wasn't sent to the server just the hash) to create your key.

Yes if your OTP is valid on the server and is used it's too late -- your key is now local too -- but if you say lose your OTP list you can run to the server and invalidate them all before the person has a chance to use them.
JoeSiegrist
 
Posts: 4132
Joined: Wed Aug 20, 2008 10:40 am

Re: Master password, OTP and data security

Postby texnic » Thu Dec 31, 2009 8:26 am

JoeSiegrist wrote:Yes if your OTP is valid on the server and is used it's too late -- your key is now local too.

Then, I should rather not use LastPass in the places that I don't trust (internet cafes etc.), right?

Or, if I have to, I should then change all my passwords ASAP. My account is not compromised, so it is still safe to use it, but all the passwords could have been read.
texnic
 
Posts: 21
Joined: Sat Dec 12, 2009 8:49 pm

Re: Master password, OTP and data security

Postby texnic » Thu Dec 31, 2009 8:55 am

Joe, I actually found your answer to some related post.
It's never a good idea to use a computer where you're concerned about what software is running on it, though the general risk of LastPass accounts being specifically targeted right now are quite low, it could grow in the future... Bring your laptop, use your smart phone...

I think, this answers my last question. I would only join other people suggesting that you add to your wonderful demo videos collection an explanation of how OTP stuff works, or rather update the available one: currently it says:
After OTP has been used once, it can never be reused again.

which gives the wrong impression of using OTP's being not safer but just safe. It is actually not, since the "unsafe" computer/operating system can provide its owner with all user's information, including the master password and full content of the user's LastPass database.

LastPass is, in general, so secure, that it is important for all users to realize what are the insecure ways of using it. For security-concerned people such straightforward explanation would also make LastPass more attractive. And I believe it's also the LastPass' mission to make people more aware of secure/insecure ways of using the internet.

Thanks for your explanations, LastPass, and happy and successful New Year!
texnic
 
Posts: 21
Joined: Sat Dec 12, 2009 8:49 pm

Re: Master password, OTP and data security

Postby JoeSiegrist » Sat Jan 02, 2010 12:38 am

texnic wrote:Then, I should rather not use LastPass in the places that I don't trust (internet cafes etc.), right?


I personally don't, and wouldn't recommend it to others. Since at this time LastPass is small, the risk is likely also quite small though.
JoeSiegrist
 
Posts: 4132
Joined: Wed Aug 20, 2008 10:40 am

Re: Master password, OTP and data security

Postby v783 » Fri Dec 06, 2013 5:52 pm

Hi, after this long time, are the OTP methods identical to what can be read here?

I'm interested especially in the last 3 posts.
Could you be so kind and explain it to me with other words? It can be that I am a little stupid on this, so please be patient with me ;)

The text says somehow, that on whatever computer I use lastpass (irrelevant if I enter masterpass or OT password), my lastpass data somehow gets to that computer and can be read? HOw is that?
Under which circumstances can it be read?

I guess under this:
a) When I did use my masterpassword and someone did keylog, they can use that directly with the locally stored database and have it all (IF the get access to that local database, or to the one on the LP servers)
b) When I did use a OTP, or a non-keylogged masterpassword, the local LP database can only be accessed when they do a hack of the 256bit encoded database (which might only be possible in military dimensions)

So is this correct? If yes, why would it be bad to use a computer in the internet cafe with a OTP? Why do you say that all the data "lies open to the owner of the computer"? How can that be?

thx for help.
v783
 
Posts: 20
Joined: Sun Nov 24, 2013 6:13 pm


Return to General Support & Troubleshooting

Who is online

Users browsing this forum: austin445, Google Feedfetcher, JoeSiegrist and 25 guests