
Zero knowledge vs. a malicious server: A look at ETH Zurich’s research

by Jacob DePriest

February 16, 2026 - 4 min



Today, researchers from the Applied Cryptography Group at ETH Zurich published a paper examining how different password managers uphold their “zero-knowledge” architecture when faced with a fully malicious server. We conducted a thorough review of the paper and confirmed that it doesn’t introduce any new attack vectors affecting 1Password beyond the architectural limitations already documented in our Security Design White Paper. We appreciated the opportunity to speak with the team about their research and value the work they’ve contributed to this area. Open scrutiny and thoughtful analysis ultimately make everyone’s products stronger, and that’s a win for customers everywhere.

Attack context

Zero-knowledge architectures are designed so services cannot read or access customer data. This isn’t achieved by tightening permissions or limiting administrative access; it’s accomplished by ensuring that only the customer holds the keys needed to decrypt their data. Access isn’t restricted by policy; it’s protected by peer-reviewed cryptographic designs. The research presented by ETH assumes a fully compromised, malicious server and explores the types of attacks that could be attempted against password managers.

End-to-end encryption remains intact

1Password is designed as an end-to-end encrypted system. As our Security Design White Paper states: “Data is only encrypted or decrypted locally on the users’ devices with keys that only the end users possess.”

Decrypting vault data requires three elements:

  • Your account password

  • Your Secret Key

  • Your encrypted vault data

We designed our solution so that secrets are never transmitted to our server in a form that a malicious party could use to compromise your account. The Secret Key resides only on the client, and authentication uses Secure Remote Password (SRP), so password-derived secrets are never sent over the wire; the server stores only a verifier. Even if 1Password’s server-side login data were captured, it would not be susceptible to offline brute-force attack, because that data depends on the randomly generated, high-entropy (128-bit) Secret Key as well as on the account password.

The research does not demonstrate any bypass of these protections.

Public key authentication and vault key substitution

The paper discusses both the lack of robust public-key authentication and a vault-key-substitution scenario under a malicious-server model. These are not separate classes of weakness in our view, but manifestations of the same architectural consideration: server-mediated key distribution without strong key provenance guarantees.

Our Security Design White Paper (Appendix C: Verifying public keys) explicitly documents this limitation:

“At present, there’s no robust method for a user to verify that the public key they’re encrypting data to belongs to their intended recipient. As a consequence, it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user and run a successful attack.”

Addressing this class of issue requires broader structural work, including:

  • A mechanism for public key verification

  • A group encryption and management model that separates trust in long-term vault data from trust in user-owned keys that may rotate over time
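The Appendix C limitation and the public-key-verification item above, as an added example that is not 1Password’s code: a directory-style server that hands out public keys, a malicious variant that answers lookups with its own key and then re-wraps the vault key to the real recipient so that neither side notices, and the out-of-band fingerprint comparison that stops it. Public-key wrapping is modelled here as ephemeral-static Diffie-Hellman over RFC 5054’s 1024-bit group with an HMAC-derived keystream (the white paper describes RSA-based public-key encryption for this step); `Server`, `share_vault`, `scenario`, the users and the fingerprint book are all constructed for this demo.

```python
"""Public-key substitution by a malicious server, and the out-of-band
fingerprint check that catches it (added example, not 1Password's code)."""
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group, used here only as a Diffie-Hellman group for the demo.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA231459C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NBYTES = (N.bit_length() + 7) // 8


def keygen() -> tuple[int, int]:
    priv = secrets.randbelow(N - 2) + 1
    return priv, pow(G, priv, N)


def fingerprint(pub: int) -> str:
    """What two users compare out of band (in person, a call, a trusted channel)."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def _keystream(shared: int) -> bytes:
    return hmac.new(shared.to_bytes(NBYTES, "big"), b"vault-key-wrap", hashlib.sha256).digest()


def wrap_key(vault_key: bytes, recipient_pub: int) -> tuple[int, bytes]:
    """Encrypt a 32-byte vault key to a public key: ephemeral DH + HMAC keystream."""
    eph_priv, eph_pub = keygen()
    ks = _keystream(pow(recipient_pub, eph_priv, N))
    return eph_pub, bytes(a ^ b for a, b in zip(vault_key, ks))


def unwrap_key(wrapped: tuple[int, bytes], priv: int) -> bytes:
    eph_pub, ct = wrapped
    ks = _keystream(pow(eph_pub, priv, N))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Server:
    """Directory of public keys plus storage for wrapped vault keys (constructed
    for the demo). The malicious variant answers lookups with its own key, reads
    the wrapped vault key, then re-wraps it to the real recipient so that
    nothing looks wrong to either user."""

    def __init__(self, malicious: bool = False):
        self.malicious = malicious
        self.pubkeys: dict[str, int] = {}
        self.wrapped: dict[str, tuple[int, bytes]] = {}
        self.stolen: dict[str, bytes] = {}
        self._att_priv, self._att_pub = keygen()

    def register(self, user: str, pub: int) -> None:
        self.pubkeys[user] = pub

    def lookup(self, user: str) -> int:
        return self._att_pub if self.malicious else self.pubkeys[user]

    def store(self, user: str, wrapped: tuple[int, bytes]) -> None:
        if self.malicious:
            vk = unwrap_key(wrapped, self._att_priv)
            self.stolen[user] = vk
            wrapped = wrap_key(vk, self.pubkeys[user])   # re-wrap to the real key
        self.wrapped[user] = wrapped


def share_vault(server: Server, fp_book: dict[str, str], recipient: str,
                vault_key: bytes, verify: bool) -> None:
    """Sender side. fp_book holds fingerprints obtained out of band; with
    verify=False the sender trusts whatever key the server returns."""
    pub = server.lookup(recipient)
    if verify and fingerprint(pub) != fp_book[recipient]:
        raise ValueError(f"key for {recipient} does not match verified fingerprint")
    server.store(recipient, wrap_key(vault_key, pub))


def scenario(malicious: bool, verify: bool) -> dict[str, bool]:
    """Alice shares a vault key with Bob through the server; report who holds it."""
    vault_key = secrets.token_bytes(32)
    server = Server(malicious)
    bob_priv, bob_pub = keygen()
    server.register("bob", bob_pub)
    fp_book = {"bob": fingerprint(bob_pub)}      # Alice verified this out of band
    try:
        share_vault(server, fp_book, "bob", vault_key, verify)
    except ValueError:
        return {"rejected": True, "bob_has_key": False, "server_has_key": False}
    return {
        "rejected": False,
        "bob_has_key": unwrap_key(server.wrapped["bob"], bob_priv) == vault_key,
        "server_has_key": server.stolen.get("bob") == vault_key,
    }
```

`scenario(malicious=True, verify=False)` is the Appendix C case: Bob can still open the vault, so nobody notices, yet the server now holds the vault key. `scenario(malicious=True, verify=True)` rejects the substituted key before anything is encrypted to it. The fingerprint book is the piece that has to exist outside the server’s control, which is exactly the structural work the list above describes.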

This set of architectural concerns is notoriously difficult to address, and it reflects industry-wide challenges in end-to-end encrypted systems rather than something specific to 1Password. We have publicly discussed improvements in key verification mechanisms in our automated provisioning and account governance capabilities. We remain committed to continually strengthening our security architecture, evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on.

Conclusion

To reiterate, we did not identify any new attack vectors impacting 1Password. The limitations discussed in the paper are already disclosed in our public Security Design White Paper, and we continue to harden our architecture to address these complex, industry-wide challenges. We greatly appreciate the work of the ETH Zurich team, as this research raises the security bar to protect users' most sensitive data: their passwords.  

We encourage researchers to contribute to our bug bounty program so we can reward security researchers for helping fortify our defenses and protect our customers against evolving threats.