How is my password managed in Tresorit?

Password security is crucial in Tresorit. To keep your password hidden from everybody, including us, we apply the following principles:

  • We use PBKDF2 (RFC 2898) with HMAC (RFC 2104) over SHA-1 (FIPS 180-4) as the key derivation function. The parameters are a 160-bit random salt and 10,000 iterations.
  • We planned to use scrypt because, unlike PBKDF2, scrypt requires a large amount of memory per guess, which makes GPU cracking far more expensive. Scrypt is not yet standardized, however; when it is, we will include it.
  • Because the password is only ever used as input to PBKDF2 and is never stored or compared as a string, any UTF-8 character can be used in your password, and its length is (theoretically) unlimited.
  • For auto-login, the key derived with PBKDF2 is stored only on your computer. That key is used to decrypt your profile locally; the file holding it NEVER leaves your computer.
  • Your encrypted profile contains the private and public keys you use for sharing tresors with others and for authenticating yourself to the server.
  • By default, we use SSL client certificates to authenticate you when you log in to our servers.
  • The first time you log in, you need to download your encrypted profile file, and at that point you do not yet have a client certificate to authenticate with. For this step we use a challenge-response protocol based on a key derived with PBKDF2 as described above, but with a salt that is completely independent of the profile-encryption salt, so the authentication key and the profile-encryption key are unrelated. Only in this scenario does the client talk to the server over SSL without client authentication. We planned to use SRP (RFC 2945) here, but because of implementation problems with TLS-SRP (RFC 5054) we use an application-layer challenge-response protocol instead.
  • A brief description of the protocol is attached.
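The bullets above describe one password feeding two unrelated keys: PBKDF2-HMAC-SHA1 with a 160-bit random salt and 10,000 iterations, run once with the profile-encryption salt (the result stays on the client) and once with an independent salt for first-login authentication. The following is an added example written for this article, not Tresorit's own code, and the challenge-response step in it is a hypothetical HMAC-SHA256 exchange that stands in for the unpublished protocol. Assumptions not stated on the page: the derived keys are 32 bytes long, the salts are public and are returned to a fresh client, and the server stores the derived authentication key itself (an SRP-style verifier would avoid that).

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters as stated on the page: PBKDF2 (RFC 2898) with HMAC-SHA-1, a 160-bit
# random salt and 10,000 iterations. The derived-key length is not given on the
# page; 32 bytes is an assumption made for this example.
PRF = "sha1"
SALT_BYTES = 20          # 160 bits
ITERATIONS = 10_000
KEY_BYTES = 32           # assumption, see above


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 encoding of the password.

    Any Unicode code point is acceptable and there is no length limit: the
    password is only ever hashed, never stored or compared as a string.
    """
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 160 bits")
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_BYTES)


class Client:
    """Client side. Two independent salts give two unrelated keys from one
    password: one to decrypt the profile (kept locally for auto-login), one for
    first-login authentication (the only derived key the server ever learns)."""

    def __init__(self, password: str,
                 profile_salt: Optional[bytes] = None,
                 auth_salt: Optional[bytes] = None):
        self.profile_salt = profile_salt or os.urandom(SALT_BYTES)
        self.auth_salt = auth_salt or os.urandom(SALT_BYTES)
        self.profile_key = derive_key(password, self.profile_salt)   # never sent
        self._auth_key = derive_key(password, self.auth_salt)

    def registration_record(self) -> dict:
        # Only the authentication key and its salt go to the server (assumption).
        return {"auth_salt": self.auth_salt, "auth_key": self._auth_key}

    def respond(self, challenge: bytes) -> bytes:
        # Hypothetical challenge-response step (not Tresorit's actual protocol):
        # prove knowledge of the auth key without sending it or the password.
        return hmac.new(self._auth_key, challenge, "sha256").digest()


class Server:
    """Server side. It never sees the password or the profile key."""

    def __init__(self):
        self.records = {}   # user -> registration record
        self.pending = {}   # user -> outstanding single-use challenge

    def register(self, user: str, record: dict) -> None:
        self.records[user] = record

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(32)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # single use: a replay fails
        record = self.records.get(user)
        if nonce is None or record is None:
            return False
        expected = hmac.new(record["auth_key"], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def first_login(server: Server, user: str, password: str, auth_salt: bytes) -> bool:
    """A fresh machine: re-derive the auth key from the password and the (public)
    auth salt, answer one challenge, and report whether the server accepted it.
    The profile key is not needed and is not derived here."""
    auth_key = derive_key(password, auth_salt)
    nonce = server.challenge(user)
    response = hmac.new(auth_key, nonce, "sha256").digest()
    return server.verify(user, response)


if __name__ == "__main__":
    # Constructed sample: a Unicode password and fixed salts for reproducibility.
    server = Server()
    client = Client("pässwörd ✓ 密码",
                    profile_salt=b"\x01" * SALT_BYTES,
                    auth_salt=b"\x02" * SALT_BYTES)
    server.register("alice", client.registration_record())
    print("keys independent:", client.profile_key != client.registration_record()["auth_key"])
    print("correct password:", first_login(server, "alice", "pässwörd ✓ 密码", client.auth_salt))
    print("wrong password:  ", first_login(server, "alice", "pässwörd ✓ 密碼", client.auth_salt))
```

The two `derive_key` calls differ only in the salt, which is the whole point of the "absolutely independent salt": whoever obtains the server-side authentication key (or cracks it offline) gains nothing about the profile-encryption key, which is never transmitted. The single-use challenge in `Server.verify` is what makes a captured response useless for a replay.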

The password for this site (support.tresorit.com) is completely independent of your Tresorit password. We strongly recommend using a different password on the support site. We are working on integrating the support site with the Tresorit challenge-response protocol and SAML 2.0.


16 Comments

  • Jayant Arora

    I have not been able to figure out how to set up a password for support.

  • Szilveszter

    You can sign up using the following link: https://support.tresorit.com/registration

  • Oooubuntu

    Was the user roaming profile encrypted with AES256 based on the key derived with PBKDF2?

  • Szilveszter

    The user roaming profile is encrypted with AES256 using a key derived with PBKDF2 from your password, but with a different salt from the challenge-response secret.

  • Oooubuntu

    Excellent, thank you. That makes the user roaming profile private and secure.

  • James Goodman

    I would like to change my software password. I cannot find any information as to how to do it. Is it simpler to delete my account and start over?

  • Jeffrey Goldberg

    I think it is very interesting that you are using client certificates for client authentication. I can see that it has some advantages.

    In the PDF slides describing authentication, could someone tell me what "d" and "ep" are in the "Registration" slide?  I assume that "csr" is Certificate Signing Request.

    Also are there any other technical documents describing how Tresorit works?

  • Myke

    Dear Jeffrey,

    Thank you very much for sharing your thoughts with us. Could you please tell us which document you are referring to? Yes, there are some more docs; if you write a mail to "support@tresorit.com" with your request you will have the docs soon.

    Thank you very much for your cooperation, we are glad you like Tresorit.

  • Jeffrey Goldberg

    Hello Myke!

    After posting my question, I found the White Paper at https://tresorit.com/tresoritwhitepaper.pdf It is outstanding.

  • Marjorie

    I don't see this type of knowledgeable information in my life. The users are also providing top essay writing services here. So I like this blog and it impresses me very much. And I am looking forward to seeing more of your best content.

  • Philip

    The OS X app client allows me to log in to the "My Account" website (https://account.tresorit.com/account/ - not the "support" site). It does so by asking me to enter my client app password. There must therefore be some representation of my client app password in that website's database. So some representation of my client app password is stored on a server. But I thought this was not the case. I thought that, like 1Password, the client app password never leaves the client app in any form. Can you clarify this please?

  • Ian Mase

    I've been trying to contact support but my password is not working for some reason. Any ideas?

    Cheers

    Ian

    http://www.binaeraoptioner.org

  • Szilveszter

    Dear Philip,

    The "Account portal" and the "Support Site" are different, that is true. The "Account portal" authenticates the user through the client: this means that the client gets a token proving your identity, then the client opens a web browser with the token. The "Account Portal" will only validate your token and let you in.

    Best Regards,

    Szilveszter Szebeni

    Tresorit

  • Ken Watson

    Quoting:

    "For autologin, the key derived with PBKDFv2 is stored only on your computer. That key is used to decrypt your profile. The content of this file NEVER leaves your computer."

    So what happens when my computer dies and I re-install the OS? Can I still get access to my files?

  • Tom Hardy

    Thanks for Everything Szilveszter, I really appreciate it a lot

    Best,

    Tom

    http://www.opzionibinariegov.com/

  • Myke

    Dear Ken,

    Thank you very much for your question.

    Please let us tell you that if you re-install your OS, you can still access your files: you need to enter your email address and the password first, and then Tresorit will remember the address you used for accessing the files.

    We hope this answer helps you out.
