Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Aug 2012 00:26:23 -0400
From: Jeffrey Goldberg <>
To: "" <>
Subject: Re: 1Password blog post about Dhiru's new/forthcoming 1Password module

Just a quick clarification. I will try to write more when I get to a real keyboard.

The Elcomsoft report was discussing 1Password for iOS, which uses a different format than the desktop.  The desktop has used PBKDF2 since 2008. We added PBKDF2 to the iOS app after the Elcomsoft report came out. (Our excuse for not doing it sooner is that we still support devices running iOS 3, which doesn't offer PBKDF2 in the Apple SDK. So after Elcomsoft report we ripped an implementation from OpenSSL to get this to work on older iPhones.)

I'll have to dig into various changes to see when the derived AES key is 128 or 256 bits. The answer may lie with when the agilekeychain was created (or had a password change).

Some of the finer details of our format aren't document for reasons other than my laziness. It's because we have made small changes over the years. 



Sent from my iPad

On Aug 4, 2012, at 11:09 PM, Solar Designer <> wrote:

> Hi Jeffrey,
> On Tue, Jul 31, 2012 at 11:45:50AM -0500, Jeffrey Goldberg wrote:
>> I just published a blog post for 1Password users about the new/forthcoming developments in JtR, once again exhorting them to use strong master passwords. It is here
>> If you see any egregious errors, please let me know.
>> And congratulations. I'm pleased that it was the JtR community that got here first. I have a lot of respect for Elcomsoft, and I really thought that they would be the first to publicly release a tool for 1Password cracking/recovery. But I'm glad it was you folk.
> I am impressed by the way you handled this.  Thank you!
> This is not an error in your blog post, but JFYI I think that
> Elcomsoft's speed estimates were "more correct" than what Dhiru obtained
> so far.  Sure, Dhiru's code is what actually exists and works now, but
> that code does not use SIMD yet.  So a speedup on CPUs (maybe 4x) is
> expected when/if someone (on our team or not) implements that.  On the
> other hand, Dhiru's guesstimate of 100x speedup with GPUs was relative
> to one CPU core.
> To get more accurate numbers for PBKDF2-HMAC-SHA-1 speeds with more
> optimal code, you may look at the speeds JtR is getting at MSCash2
> (DCC2).  This is PBKDF2-HMAC-SHA-1 with 10240 iterations (thus 20480
> SHA-1's are computed).  JtR achieves about 5350 c/s at it on FX-8120 CPU
> running an OpenMP-enabled build (or about 1600 c/s on one core in that
> same CPU - higher clock rate due to turbo).  It achieves about 100k c/s
> on HD 7970.  Now you may take these numbers and scale them to your
> desired iteration counts.  However, you may need to halve them if the
> derived keys are wider than 160 bits (there are twice more SHA-1's per
> PBKDF2 iteration then - e.g., 40960 for 10240 iterations then).
> Dhiru's code for 1Password appears to always generate 256-bit AES keys.
> Is this the key size you actually use?  Always?  If not, then there's
> room for a 2x speedup when the AES key is 128 bits (fits in 160).
> Also, per Elcomsoft's slides, some older versions of 1Password did not
> use PBKDF2 yet (but used simple MD5 instead).  Is this true?  Can you
> provide more info on this (what versions, when they were released)?
> Thanks again,
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.