Disclosure: I work for 1Password and had a hand to play in the design of exactly what you are asking about.
What you are after is described in more detail in the 1Password Security Design document. I will leave out some details here so that I can focus on the essential part of the question.
1Password works with the notion of vaults, and vaults are what people share. A vault will have a number of items in it. Each vault has its own randomly generated vault key that is created by the user's client when the vault is created.
Let's suppose that Alice has created a vault $V$, and the vault key for it is $V_k$. For synching and sharing, the encrypted items in the vault are sent to our server. Note that we never have the vault key, so we can't decrypt the items in the vault (or even the name of the vault).
Each individual has a public/private key pair as part of what we call their "personal keyset". So Alice has a public/private key pair which we will call $A_p$ for the public key and $A_s$ for her private key which she keeps secret. Bob will have his public/secret key pair $B_p$ and $B_s$.
The magic of public key encryption is that anyone can use Bob's public key to encrypt something to him, but only Bob, with his access to his secret key, can decrypt it. Alice's and Bob's key pairs are generated by the 1Password client running on their own machines when they first set things up so that we never see their private keys. (Their private keys are encrypted with keys derived from the Master Password.)
When Alice shares a vault, say vault $V$, with Bob, she encrypts the vault key $V_k$ for that vault with Bob's public key, $B_p$. Let's call the result of that encryption the message, $m$:
$$
m = E_{B_p}(V_k)
$$
Alice's 1Password program running on her machine will then send $m$ up to the server. We can't decrypt $m$ because we don't have Bob's private key, $B_s$. But we can deliver $m$ to Bob the next time his 1Password client connects to the server. We can also allow for Bob to receive the encrypted items of that vault.
Now Bob can use his private key to decrypt $m$:
$$
V_k = D_{B_s}(m)
$$
Bob can then decrypt the items in the vault using the vault key, $V_k$. All of the encryption and decryption is happening in Bob's and Alice's 1Password apps running on their machines, and all the server does is pass encrypted objects between them that it, the server, cannot decrypt.
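
Added example (not part of the original answer and not 1Password's code): the sharing flow above in Node.js, with the server modelled as an object that only ever holds ciphertext. RSA-OAEP for the key pairs and AES-256-GCM for the vault key are assumptions made for the illustration, and all function names are hypothetical.

```javascript
// Added illustration, not 1Password's code. Algorithms and names are assumptions.
const crypto = require("node:crypto");

// Each user's key pair is generated on their own device; the private half stays there.
function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Items are encrypted under the vault key V_k with an authenticated cipher.
function encryptItem(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", vaultKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptItem(vaultKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", vaultKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" });

// m = E_{B_p}(V_k): anyone holding Bob's public key can produce m.
const wrapVaultKey = (publicKey, vaultKey) => crypto.publicEncrypt(oaep(publicKey), vaultKey);

// V_k = D_{B_s}(m): only the holder of Bob's private key can recover V_k.
const unwrapVaultKey = (privateKey, m) => crypto.privateDecrypt(oaep(privateKey), m);

function shareDemo() {
  const bob = newKeyPair();
  const vaultKey = crypto.randomBytes(32); // V_k, created by Alice's client
  // What the server stores and relays: ciphertext only (constructed sample item).
  const server = {
    item: encryptItem(vaultKey, "constructed sample: login for example.com"),
    m: wrapVaultKey(bob.publicKey, vaultKey),
  };
  // Bob's client: unwrap V_k, then decrypt the item.
  const bobVaultKey = unwrapVaultKey(bob.privateKey, server.m);
  const item = decryptItem(bobVaultKey, server.item);
  // A party without B_s (a fresh key pair stands in for it) cannot unwrap m.
  let outsiderFailed = false;
  try { unwrapVaultKey(newKeyPair().privateKey, server.m); } catch { outsiderFailed = true; }
  return { item, keysMatch: bobVaultKey.equals(vaultKey), outsiderFailed };
}

console.log(shareDemo());
```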