(Theoretical) leakage of master password while using PBKDF2

Hi all,

There‘s currently a surge of questions/posts on this forum in regards to iteration count blabla or adoption of Scrypt and Argon2.
While reading some of them, I had a strange idea:

Bitwarden uses 100‘001 iterations on the client side and adds 100‘000 on the server side for a total of 200‘001 iterations (by default). Now, I want to increase my iteration count to 500‘000.
Wouldn‘t that give Bitwarden (or whoever controls the server) give immediate access to my encryption key because they‘re currently storing the hash value of the 200‘001st iteration. Someone would just need to rehash that value another 500‘000 times to then have exactly the key which encrypt the „account encryption key“ (or whatever it‘s called).

Is that assumption correct or did I forget something?

Kind regards!

I don’t think the encryption key can be derived from the hash that BW store. The encryption key is derived from a different process to the hash.

Someone who has followed the security whitepaper will be along soon with a better answer to your concern.

No, you’ve misunderstood how this works.

From the security whitepaper (with minor modifications by me):

Bitwarden uses PBKDF2-SHA256 with user-definable number of KDF iterations to scramble and stretch your Master Password, and then additionally stretches it to a 512-bit hash using HKDF. The resulting “Stretched Master Key” is the key used for encrypting/decrypting the main account encryption key (“Generated Symmetric Key”). The encrypted version of the Generated Symmetric Key is known as the the “Protected Symmetric Key”, and this protected key is stored with your vault on Bitwarden’s servers. Everything else (hashing, stretching, ley generation, key encryption/decryption) is done entirely on the Bitwarden client (on your device); Bitwarden servers are only used for safekeeping and syncing of the Protected Symmetric Key.

When you increase the number of iterations, your Bitwarden client (on your device) takes your master password and creates a new Stretched Master Key based on the desired number of iterations. The Bitwarden client (on your device) then takes the naked account encryption key stored in memory (on your device) and encrypts it using the new Stretched Master Key as the key, resulting in an updated version of the Protected Symmetric Key; the Protected Symmetric Key is then transmitted to Bitwarden’s servers.

The important part is that your Master Password or Stretched Master Key is never stored on or transmitted to Bitwarden servers. Without these, the account encryption key cannot be extracted from the Protected Symmetric Key.

1 Like

Thanks you very much!

1 Like