In general, a user certificate is an electronic document that binds the public key of a person to his/her identity, using the digital signature of the certificate issuer. Upon registration with Tresorit, the registration server issues a certificate for the user. This is true even if the user already has a certificate signed by another issuer, as, for maximum security, Tresorit does not fully trust any other certificate issuer. The certificate issued by Tresorit follows the X.509 certificate format, but is useful only for Tresorit. If the user deletes his/her Tresorit account, the corresponding certificate gets revoked.

**WHAT IS A PUBLIC KEY AND WHAT IS A PRIVATE KEY?**

Public key and private key are concepts within public-key cryptography, where each user has a public key and a private key that are mathematically linked. Of this key pair, the public key is published and can be used by anyone who wants to send encrypted messages to the owner of the key pair. The private key, on the other hand, is kept secret by the owner and used to decrypt messages that were encrypted with the public key. It is important to note that it is effectively impossible to derive the private key based only on the knowledge of the public key. Besides encryption, the public-private key pair can also be used for creating and checking digital signatures and performing user authentication. The public-private key pair is shipped with a certificate.

A symmetric key is a concept in symmetric-key cryptography, where the user has only a single symmetric key that is used for both encryption and decryption. In fact, the key used for decryption might be different from the key used for encryption, but, as opposed to public-private key pairs, the transformation between the two is simple. Therefore, the symmetric key has to be kept secret. Compared to public-private key pairs, encryption with symmetric keys is computationally faster while providing the same level of security, but secret communication using symmetric keys is more problematic, as sharing the symmetric key between the communicating parties in advance of the communication can be troublesome. In Tresorit, we apply symmetric keys and the AES-256 encryption algorithm to encrypt data uploaded to the cloud.

AES-256 is a symmetric-key block encryption algorithm. The abbreviation stands for Advanced Encryption Standard with a key length of 256 bits. AES was standardized by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES applies the substitution-permutation network design principle, according to which the plaintext bytes are first combined with a so-called round key (i.e., a derivative of the encryption key), then substituted by other bytes, and finally the order of the resulting bytes is permuted. These three steps constitute one cycle of operation, and AES-256 repeats such a cycle 14 times. After the 14 repetitions, the output bytes constitute the ciphertext. The plaintext can be recovered from the ciphertext by applying the inverse substitutions and permutations with the round keys fed in the opposite order. In June 2003, the U.S. Government announced that AES-256 can be used to protect information classified Top Secret. As of October 2012, all known attacks against AES-256 are computationally infeasible.

**WHAT ARE ENCRYPTION AND DECRYPTION?**

Encryption is a mathematical operation that involves applying an encryption key to a so-called plaintext using an encryption algorithm. Encryption turns the plaintext into a ciphertext, which, to those who do not know the decryption key, appears to be a collection of random bytes. In other words, without the knowledge of the decryption key, the plaintext cannot be effectively recovered from the ciphertext. Decryption is the inverse operation of encryption. During decryption, the decryption key is applied to the ciphertext and the result is the plaintext. The two types of encryption and decryption involve symmetric keys or public-private key pairs. Algorithms applied by Tresorit are AES-256 for symmetric-key encryption and RSA for public-key encryption.

RSA is a public-key encryption and signature generation algorithm. The abbreviation stands for Rivest-Shamir-Adleman, the inventors of RSA. It is standardized in RSA Laboratories’ PKCS#1, ANSI X9.31 and IEEE 1363. The security of RSA is based on the presumed difficulty of factoring large integers. RSA is used for encryption by taking the public key (which consists of a modulus n and an exponent e) and calculating, simply put, the eth power of the plaintext modulo n. Decryption is done in the same way by using the decryption key (which is an exponent d) and calculating the dth power of the ciphertext modulo n. RSA is also used for generating digital signatures. In that case, the decryption key is applied by the signer to calculate the dth power of the hash of the plaintext, and the result is verifiable by anyone with the corresponding public key. As of October 2012, the best known attack against RSA is solving the factoring problem for 768-bit numbers. Tresorit applies RSA with 4092 bit long keys.

A digital signature, similarly to an everyday signature, is a method to enforce authenticity. A message or document being digitally signed means that a signature is attached to it that is created by applying the private key to the hash of the message. A signature’s validity can be checked by applying the public key to the signature and comparing the result to the hash of the message. As the private key is considered to be secret, only its owner can produce a signature that is valid according to the corresponding public key. Therefore, a valid signature proves the identity of the sender. On top of this, signatures can be applied to integrity checking: if a message gets altered in transit, its signature will no longer be valid. Tresorit applies digital signatures in both ways extensively, using the RSA algorithms.
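The RSA arithmetic and the sign-then-verify flow described above, as an added example (not Tresorit's code). It is textbook RSA without the PKCS#1 padding that real use requires, and the primes, messages and function names are constructed for illustration.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes. They are public
# knowledge, so this key protects nothing; it only makes the math reproducible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # modulus n (public)
E = 65537                            # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d, kept secret


def encrypt(m: int) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    return pow(c, D, N)


def digest_as_int(message: bytes) -> int:
    """SHA-256 hash of the message, read as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer applies the private exponent to the hash of the message."""
    return pow(digest_as_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone applies the public exponent and compares with the hash."""
    return pow(signature, E, N) == digest_as_int(message)


def demo():
    """Run both uses of the key pair on constructed sample data."""
    secret = int.from_bytes(b"sample symmetric key", "big")
    message = b"invite bob to tresor 'reports'"
    tampered = b"invite eve to tresor 'reports'"
    signature = sign(message)
    return (
        decrypt(encrypt(secret)) == secret,   # encryption round trip
        verify(message, signature),           # authentic message accepted
        verify(tampered, signature),          # altered message rejected
    )


if __name__ == "__main__":
    print(demo())
```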

Hashing, or more precisely cryptographic hashing, is a mathematical operation that creates a fixed-length footprint of an input of arbitrary length. This footprint is called a hash. Hashing is a one-way operation, i.e. it is practically impossible to recover the input from the hash, but creating a hash from an input is easy. Moreover, even though the length of the hash is significantly smaller than that of the input, different inputs will result in different hash values with high probability. Hashing is often used for the purposes of integrity checking and compression, the latter for example in the case of digital signatures. Tresorit applies the SHA-256, SHA-384 and SHA-512 algorithms.

**WHAT ARE SHA-256, SHA-384 AND SHA-512?**

SHA-256, SHA-384 and SHA-512 are hash algorithms from the SHA-2 algorithm family with output lengths of 256, 384 and 512 bits, respectively. SHA stands for Secure Hash Algorithm; it was standardized by the U.S. National Institute of Standards and Technology (NIST) in FIPS PUB 180-2 in 2002. SHA-2 family hash algorithms apply a compression function in order to reduce the size of the input. Compression functions consist of a series of bitwise rotation, addition, multiplication, negation, XOR and shift operations. SHA-256 applies 64 successive rounds of compression, while SHA-384 and SHA-512 apply 80. The output of the last compression round is the hash value. As of October 2012, the best known attack against SHA-2 family hashes can recover the pre-image (i.e., the input for hash calculation) for 41 out of 64 rounds of SHA-256, and 46 out of 80 rounds of SHA-512.

**WHAT IS THE X.509 CERTIFICATE FORMAT?**

X.509 is an ITU-T standard for specifying the format of public key certificates and certificate revocation lists, among others. For the detailed specification of X.509, we refer you to the X.509 Recommendation website: www.itu.int/rec/T-REC-X.509/en.

**WHO IS THE CERTIFICATE ISSUER?**

A certificate issuer, or certificate authority (CA), is an entity that certifies the ownership of a public key by the subject of the certificate. Certification is done by issuing a certificate with the digital signature of the issuer. A certificate can be trusted as long as the issuer is considered trustworthy, or the issuer’s certificate is signed by a trustworthy issuer, and so on. When using Tresorit, the registration server issues a certificate to you that is trusted within Tresorit.

**WHAT IS CERTIFICATE REVOCATION?**

Certificates have an expiration date beyond which they have to be revoked. The same has to happen to a certificate if its corresponding private key gets compromised. Revocation basically means that the expired certificate is placed on a revocation list containing certificates that must not be relied upon anymore. In order to ensure authenticity, certificate revocation lists are digitally signed by the issuing certificate authority.

A trusted user is someone with whom you have already shared a tresor. Such a user, say user U, earns the attribute ‘trusted’ because the two of you already executed the ICE protocol when you invited U to a tresor of yours. Having performed ICE guarantees that U was authenticated by you and that you share a long-term symmetric key with U, which can serve as the basis of secure and authenticated communication between you and U.

ICE is the abbreviation of Invitation and Certificate Exchange Protocol. ICE is used when a new user is invited to share a tresor with an existing user. ICE provides an authenticated way of exchanging your public-key agreement certificate and that of the invitee when no trusted certificate source is available. In addition, with the execution of ICE, you and the invitee will establish a long-term symmetric key that is later used to secure the communication between the two of you.

The share password provides an extra, out-of-band authentication of the invitee in order to make sure that the email address to which the invitation is sent really belongs to him/her. This is an extra layer of protection, specifically against man-in-the-middle attacks. The share password is made up by the inviter, and both inviter and invitee have to enter it into the appropriate field during the invitation process. The share password should not be communicated to the invitee via email, but e.g. over the phone or in person, in order to make it really out-of-band.

**WHAT IS A MAN-IN-THE-MIDDLE ATTACK?**

A man-in-the-middle attack is an active attack during which the attacker intercepts the communication between the two communicating parties, say Alice and Bob, and impersonates each one towards the other while both Alice and Bob think that they are talking to each other directly. In reality, both Alice and Bob communicate with the attacker, who can relay their messages, but can also read, delete or alter them, or insert new messages. With the concrete example of sharing a tresor, if a man-in-the-middle attack happens during the invitation process, you might share your tresor with someone you did not intend to share it with (i.e., the attacker).