Thank you for doing this. Super into analyzing this for security. 1Password is my preferred single-client solution, but not having a good Team solution has been a serious drawback.
Is there a reason why you're using RSA over Curve25519? RSA is old and rusty at this point and there's no good reason that I know of to be using it in new cryptosystems. To a much lesser extent I also have the same question about using AES-GCM over Poly1305/ChaCha20.
Yep. There is very definitely a reason. You might not like it, but there is. For the moment we need a client that runs reasonable well in web browsers.
As libraries become more available or the nature of our clients change, we can switch. We certainly look forward to having the smaller keys that ECC will give us.
We are aware of tweet-nacl, but we are trying to avoid the number of external JS libraries we would need. This is why the Teams web app is limited to browsers that most fully support WebCrypto.(Of course our own browser extension for Desktop 1Password runs in more browsers as it does not rely on any crypto itself.)
I admit it is kind of weird using GCM where a stream cipher would be faster, lighter, cheaper. And so we definitely are looking forward to moving to something like that for our transport layer encryption. There aren't any security problems with our current ciphersuites, but we should be able to
improve performance by using things like what you recommend.
Thanks for the answer! WebCrypto is obviously a disaster, it is very unfortunate that new systems are being stuck with legacy crypto if they use it instead of non-native libraries.
I think that there are three issues with WebCrypto that people often conflate. But they need to be looked at separately when judging the security of any particular things.
1. Limited algorithms. This is what has use using GCM instead of a stream cipher for our transport layer.
2. It allows developers to shoot themselves in the foot by not enforcing best practices.
3. It encourages crypto delivered over the web.
If (3) is your concern, then it doesn't matter how good, modern, up to date, the methods are. This objection applies to tweet-nacl just as well.
If (1) is your concern, keep in mind that there is nothing wrong with the algorithms and modes we are using. Sure we had to forego some slicker alternatives, but this is a performance hit.
If (2) is your concern then what is true about WebCrypto is true of almost every crypto library out there. Whether we use libcrypto, CommonCrypto, MS CAPI, etc, we have just as great a chance of "using it wrong" as we do with WebCrypto. WebCrypto isn't worse than most of the alternatives, it is just new enough that we all hoped it would be better than the alternatives in this regard.
So given these three general concerns with WebCrypto, you need to make a judgement about how these play out when evaluating 1Password for Teams.
https://teams.1password.com/white-paper/1Password%20for%20Te...
Let us know if you have any questions after giving that a read.
Kyle
AgileBits