## What is a user certificate?

In general, a user certificate is an electronic document that binds the public key of a person to their identity, using the digital signature of the certificate issuer. When you sign up for Tresorit, our server issues a certificate for the user. This is true even if the user already has a certificate signed by another issuer, as, for maximum security, Tresorit does not fully trust any other certificate issuer. The certificate issued by Tresorit follows the X.509 certificate format, but is useful only for Tresorit. If the user deletes their Tresorit account, the corresponding certificate gets revoked.

## What are public and private keys?

Public key and private key are concepts within public-key cryptography, where users have a public key and a private key which are mathematically linked. From this key pair, the public key is published and can be used by anyone who wants to send encrypted messages to the owner of the key pair. The private key, on the other hand, is kept secret by the owner and used to decrypt messages that were encrypted with the public key. It’s important to note that it is effectively impossible to derive the private key based only on the knowledge of the public key. Besides encryption, the public-private key pair can also be used for creating and checking digital signatures and performing user authentication. The public-private key pair is shipped with a certificate.

## What is a symmetric key?

Symmetric key is a concept in symmetric-key cryptography, where the user has only a symmetric key that is used for both encryption and decryption. In fact, the key used for decryption might be different from the key used for encryption, but, as opposed to public-private key pairs, the transformation between the former two is simple. Therefore, the symmetric key has to be kept secret. Compared to public-private key pairs, encryption with symmetric keys is computationally faster while providing the same level of security. However, performing secret communication using symmetric keys is more problematic, since sharing the symmetric key between the communicating parties before the communication can be troublesome. In Tresorit, we apply symmetric keys and the AES-256 encryption algorithm to encrypt data uploaded to the cloud.

## What is AES-256?

AES-256 is a symmetric-key block encryption algorithm. The abbreviation stands for Advanced Encryption Standard with a key length of 256 bits. AES was standardized by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES applies the substitution-permutation network design principle, according to which the plaintext bytes are first combined with a so called round key (i.e., a derivative of the encryption key), then substituted by other bytes, finally the order of the resulting bytes is permuted. The latter three steps constitute one cycle of operation, and AES-256 repeats such a cycle 14 times. After the 14 repetitions, the output bytes constitute the ciphertext. The plaintext can be recovered from the ciphertext by applying the inverse substitutions and permutations with the round keys fed in the opposite order. In June 2003, the U.S. Government announced that AES-256 can be used to protect information classified Top Secret. As of 2021, all known attacks against AES-256 are computationally infeasible.

## What are encryption and decryption?

Encryption is a mathematical operation that involves applying an encryption key to a so called plaintext using an encryption algorithm. Encryption turns the plaintext into a ciphertext, which, for those who do not know the decryption key, appears to be as a collection of random bytes. In other words, without the knowledge of the decryption key, the plaintext cannot be effectively recovered from the ciphertext. Decryption is the inverse operation of encryption. During decryption, the decryption key is applied to the ciphertext and the result is the plaintext. The two types of encryption and decryption involve symmetric keys or public-private key pairs. Algorithms applied by Tresorit are AES-256 for symmetric-key encryption and RSA for public-key encryption.

## What is RSA?

RSA is a public-key encryption and signature generation algorithm. The abbreviation stands for Rivest-Shamir-Adleman, the inventors of RSA. It is standardized in RSA Laboratories’ PKCS#1, ANSI X9.31 and IEEE 1363. The security of RSA is based on the presumed difficulty of factoring large integers. RSA is used for encryption by taking the public key (which consists in a modulus n and an exponent e) and calculating, simply put, the nth power of the plaintext modulo n. Decryption is done in the same way by using the decryption key (which is an exponent d) and calculating the dth power of the ciphertext modulo n. RSA is also used for generating digital signatures, in that case, the decryption key is applied by the signer to calculate the dth power of the hash of the plaintext that is verifiable by anyone with the corresponding public key. As of 2021, the best known attack against RSA is solving the factoring problem for 768 bits long numbers. Tresorit applies RSA with 4096 bit long keys.

## What is a digital signature?

A digital signature, similarly to the aim of everyday signatures, is a method to enforce authenticity. A message or document being digitally signed means that a signature is attached to it that is created by applying the private key to the hash of the message. A signature’s validity can be checked by applying the public key to the signature and comparing the result to the hash of the message. As the private key is considered to be secret, only the owner of that can produce a signature that is valid according to the corresponding public key. Therefore, a valid signature proves the identity of the sender. On top of this, signatures can be applied to integrity checking: if a message gets altered in transit, its signature will no longer be valid. Tresorit applies digital signatures in both ways extensively, using the RSA algorithms.

## What is hashing?

Hashing, more precisely cryptographic hashing, is a mathematical operation that creates a fixed-length footprint of an input of arbitrary length. This footprint is called hash. Hashing is one-way operation, i.e. it is practically impossible to recover the input from the hash, but creating a hash from an input is easy. Moreover, even though the length of the hash is significantly smaller than that of the input, different inputs will result in different hash values with high probability. Hashing is often used for the purposes of integrity checking and compression, the latter for example in case of digital signatures. Tresorit applies SHA-256, SHA-384 and SHA-512 algorithms.

## What are SHA-256, SHA-384 and SHA-512?

SHA-256, SHA-384 and SHA-512 are hash algorithms from the SHA-2 algorithm family with output length of 256, 384 and 512 bits, respectively. SHA stands for Secure Hash Algorithm; it was standardized by U.S. National Institute of Standards and Technology (NIST) in FIPS PUB 180-2 in 2002. SHA-2 family hash algorithms apply compression function in order to reduce the size of the input. Compression functions consist in a series of bitwise rotation, addition, multiplication, negation, XOR and shift operations. SHA-256 applies 64, SHA-384 and SHA-512 apply 80 successive rounds of compressing. The output of the last compression round is the hash value. As of 2021, the best known attack against SHA-2 family hashes can recover the pre-image (i.e., the input for hash calculation) for 52 out of 64 rounds of SHA-256, and 57 out of 80 rounds of SHA-512.

## What is the X.509 certificate format?

X.509 is an ITU-T standard for specifying the format of public key certificates and certificate revocation lists, among others. For the detailed specification of X.509, visit the X.509 Recommendation website: www.itu.int/rec/T-REC-X.509/en.

## Who is the certificate issuer?

A certificate issuer, or certificate authority (CA), is an entity who certifies the ownership of a public key by the subject of the certificate. Certification is done by issuing a certificate with the digital signature of the issuer. A certificate can be trusted as long as the issuer is considered trustworthy, or the issuer’s certificate is signed by a trustworthy issuer, and so on. When using Tresorit, our server issues a certificate to you that is trusted within Tresorit.

## What is certificate revokation?

Certificates have an expiration date beyond which they have to be revoked. The same has to happen to a certificate if its corresponding private key gets compromised. Revocation basically means that the expired certificate gets included in the revocation list containing certificates that must not be relied upon anymore. In order to ensure authenticity, certificate revocation lists are digitally signed by the issuing certificate authority.