1. ROAMING PROFILE
Your roaming profile contains your SSL/TLS client certificate and the associated private key required to communicate with Tresorit’s servers, as well as the agreement certificates and private keys needed to securely access and decrypt the contents of your tresors. This makes the roaming profile one of the most sensitive pieces of information in Tresorit, which is why it is protected with your password, and your password never leaves your computer in any unencrypted or reversible form.
1.1. Sign up
When you sign up for an account, a random 256-bit master salt is generated. It is used together with your password to derive your 256-bit master key using the PBKDFv2 (RFC 2898) algorithm with HMAC (RFC 2104) and SHA-512 (RFC 6234) at 20000 iterations. Your roaming profile is then encrypted using AES-256 (FIPS-197) and integrity-protected using HMAC-SHA-512 with the resulting master key before it is uploaded to the cloud during registration. The roaming profile is also stored on your computer.
At the same time, a separate 160-bit authentication salt is generated, and a derived authentication key is calculated from it and your password using the same PBKDFv2 algorithm with HMAC and SHA-1 (FIPS 180-4) at 10000 iterations. This derived authentication key is also sent to Tresorit’s servers during registration, where it is used to authenticate you the first time you log in (see below).
1.2. Normal login
When you log in to your account with your roaming profile available on your computer, we use the same process to produce your master key from the master salt stored in the roaming profile (the only part of your roaming profile that is stored unencrypted) and the password you enter. The roaming profile is then decrypted with the master key, giving you access to our servers and your tresors.
1.3. Autologin
When you enable the auto-login feature, the derived master key is stored on your computer, and the Tresorit client application uses it to decrypt your roaming profile and log you in.
Remember, this master key never leaves your computer, and your original password cannot be recovered from the master key because of the one-way PBKDFv2 algorithm used to calculate it. Furthermore, the stored master key is itself encrypted using platform-specific local encryption services provided by the operating system.
1.4. First-time login
When you log in to your Tresorit account for the first time on a device (or, for example, after you have reinstalled your operating system), the situation is a bit different because you do not have the roaming profile on your computer and have to obtain it from Tresorit’s servers. In this case you also do not have your SSL client certificate, so you have to authenticate yourself to our servers using a proprietary challenge-response protocol based on the authentication salt and authentication key established during sign-up. It is a PBKDFv2- and HMAC-based challenge-response protocol, similar to CRAM-MD5 (RFC 2195), but it uses SHA-1, and PBKDFv2 with HMAC-SHA-1 for password derivation as recommended in NIST SP 800-132.
During the authentication process, the server generates a 160-bit random nonce and sends it back along with the authentication salt as a challenge. The client assembles a response value which contains the authentication salt received from the server and a newly generated 160-bit client-side temporary salt. It then recalculates your authentication key from your password and the authentication salt provided by the server, uses it to derive the actual response using the PBKDFv2 algorithm with SHA-1 and 1 iteration, and sends the response back to the server.
Since the server can calculate the same response value from the stored authentication key using the PBKDFv2 algorithm, authentication succeeds if the two values match.
Please note that your password never leaves your computer, and the Tresorit client application still communicates with the server over an SSL/TLS connection; only in this scenario does it do so without client certificate authentication.
After you have downloaded your encrypted roaming profile, the login process follows the steps described for the normal login above.
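The first-time login exchange above, as an added example in Python (not Tresorit’s own code) using only the parameters the text gives: the server stores just the authentication salt and the PBKDFv2-HMAC-SHA-1 authentication key, issues a 160-bit nonce, and the client proves knowledge of the password without ever sending it. How the nonce, the two salts and the key are laid out inside the final 1-iteration PBKDFv2 call is not stated on the page and is an assumption here.

```python
import hashlib
import hmac
import os

AUTH_ITERATIONS = 10000      # PBKDFv2-HMAC-SHA-1 iterations for the authentication key
RESPONSE_ITERATIONS = 1      # iterations for the challenge response, as stated in the text

def derive_auth_key(password: str, auth_salt: bytes) -> bytes:
    """Authentication key: the only password-derived value the server ever stores."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), auth_salt, AUTH_ITERATIONS)

def sign_up(password: str) -> tuple[bytes, bytes]:
    auth_salt = os.urandom(20)                 # fresh 160-bit authentication salt
    return auth_salt, derive_auth_key(password, auth_salt)

def compute_response(auth_key: bytes, nonce: bytes, auth_salt: bytes, client_salt: bytes) -> bytes:
    """One-iteration PBKDFv2-HMAC-SHA-1 over the challenge. ASSUMPTION: the page does not
    give the field layout; here auth_key is the PBKDF2 password, nonce||auth_salt||client_salt the salt."""
    return hashlib.pbkdf2_hmac("sha1", auth_key, nonce + auth_salt + client_salt, RESPONSE_ITERATIONS)

class Server:
    """Server side: knows (auth_salt, auth_key) per user, never the password."""
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.pending: dict[str, bytes] = {}    # outstanding nonce per user

    def register(self, user: str, auth_salt: bytes, auth_key: bytes) -> None:
        self.users[user] = (auth_salt, auth_key)

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        nonce = os.urandom(20)                 # 160-bit random nonce, single use
        self.pending[user] = nonce
        return nonce, self.users[user][0]      # challenge = nonce + authentication salt

    def verify(self, user: str, client_salt: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # consumed here, so a replayed response fails
        if nonce is None:
            return False
        auth_salt, auth_key = self.users[user]
        expected = compute_response(auth_key, nonce, auth_salt, client_salt)
        return hmac.compare_digest(expected, response)

def client_login(server: Server, user: str, password: str) -> bool:
    """Client side: recompute the authentication key locally and answer the challenge."""
    nonce, auth_salt = server.challenge(user)
    client_salt = os.urandom(20)               # 160-bit client-side temporary salt
    auth_key = derive_auth_key(password, auth_salt)
    response = compute_response(auth_key, nonce, auth_salt, client_salt)
    return server.verify(user, client_salt, response)
```

A wrong password yields a different authentication key and therefore a different response, and because the server discards the nonce after one check, a captured response cannot be replayed.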
1.5. Password change
Because your password (to be more precise, the master key and the authentication key, both irreversibly derived from it) is used both to encrypt your roaming profile and to authenticate you to Tresorit’s servers, changing your password is more involved.
First, a new master salt and a new authentication salt are generated, and the new master key and authentication key are calculated from your new password using the sign-up process described above.
Your roaming profile is re-encrypted locally using the new master key. The client then runs the same challenge-response protocol as in the first-time login process using your old password, but this time also with your SSL/TLS client certificate for increased security. Along with the response, the client sends the newly encrypted roaming profile and the new authentication salt and authentication key, which concludes the password change.
Please note that your old password is also required for the password change. Not only the Tresorit client application but also the Tresorit servers require it, to prevent an attacker from changing your password in the unfortunate case that you leave your device unattended, unlocked and with the Tresorit client logged in. Also note that since the password change involves the complete re-encryption of your roaming profile, and that re-encryption requires both the old and the new password, password recovery is impossible by design. If you ever forget your password, you will never be able to access your Tresorit account again! All you can do is delete the account and register again.
2. LOCAL PROFILE
Your local profile contains all the information required to map your tresors to folders on your device. Because of this, the local profile is only relevant to one specific device of yours and, unlike your roaming profile, it never gets uploaded to the cloud. However, the local profile is encrypted with the same AES-256 algorithm and integrity-protected in the same way as the roaming profile. Its encryption key is derived from a local profile key contained in your roaming profile and a randomly generated 256-bit local salt using the aforementioned PBKDFv2 algorithm with HMAC and SHA-512 at 1 iteration. As with your roaming profile, the local salt is the only thing stored unencrypted in the local profile.