Avast Passwords and Zero Knowledge?

TheIndifferent:
I've seen somewhere on this forum that Passwords is zero-knowledge storage, but I was not able to find any more technical info on the subject.

What I see is, when I install Passwords on a new device, the first step is to create a master password. I type a password that is different from my previous devices, then I turn on synchronization, it downloads my old passwords, and they are immediately seen. I thought that zero-knowledge is based on the master password being the same across all my devices and all my data being encrypted on the client, so synchronization with a different master password should not be possible. To be honest, that does not look like zero-knowledge.

Asyn:

--- Quote from: TheIndifferent on April 13, 2019, 08:47:12 PM ---
I've seen somewhere on this forum that Passwords is zero-knowledge storage, but I was not able to find any more technical info on the subject.

--- End quote ---
-> https://files.avast.com/files/passwords/security-whitepaper.pdf

TheIndifferent:
Thanks, I've seen this one, but it is very concentrated on the initial device. Consider the following:

0. I already have a vault synced to Avast servers, as described by point 5 in the whitepaper.
1. I install Passwords on a new device, and create a new Master Password. It creates a strong Local Key.
2. I log in with my Avast account and enable synchronization.
3. Vault Passwords and Vault Keys are downloaded from Avast servers to this device.
4. ?...
5. Vault Keys now can be unlocked with the key derived from my Local Key, which is unique for the device.

So what happens at step 4? I am clearly missing something here, some shared secret between devices, or the way to establish that shared secret.

Asyn:
That's all I know, but feel free to wait for one of the devs.
