How does tresor sharing work?

HOW DOES TRESOR SHARING WORK?

1. TRESOR DATA ENCRYPTION

For encrypting all the data (uploaded files and folders) in your tresors, Tresorit uses a symmetric key encryption algorithm, more specifically AES-256, in OpenPGP CFB mode described in RFC2440. All files have different, independent and freshly generated 256-bit keys encryption key. Each version of a file has a random IV, so even if you change one bit in a large file, the encrypted form totally changes, which ensures that we and others do not have any information about your changes. Folders, including file names are encrypted the same way, so as tresors, which are actually special folders (see 1.2 Group Info). Integrity of all ciphertext is protected with HMAC-SHA-512.

1.1. Agreement keys

It is a common technique in cryptography to protect the symmetric keys with asymmetric encryption, such as RSA. Tresorit also employs this scheme by encrypting the AES-256 tresor encryption key with RSA-4096 algorithm using the public key (called the agreement public key) of the tresor members. The encryption key is is encrypted as many times as many members are in the tresor, using the personal agreement public key of each member.

This way all the tresor members are able to decrypt the encryption key needed to access tresor contents using their own agreement private key, but they don't employ any kind of common secret, only standard asymmetric encryption methods. The agreement keys (both private and public) are stored securely in the *roaming profile* of the users. To understand how user profiles are handled, please see the related FAQ article. Every user has many agreement keys (public/private pairs) belonging to their different tresors, so even if one of them gets compromised somehow, other tresors still remain protected.

1.2. Group info

Each tresor contains a special file in the cloud called the group info, which contains the aforementioned encryption key encrypted with each member's agreement public key and the link to the (encrypted) root folder of the tresor contents. This file serves as the starting point when accessing a tresor. If a member would like to download the contents of a tresor, her/his Tresorit client application first downloads the group info, decrypts the encyption key with his own agreement private key and uses it to decrypt the root folder and other folders and files in the tresor.

The location (URI) of the group info in the cloud is generally known only to the tresor members and our servers won't allow other users to download it, but please note that even if other users has access to the group info, they still won't be able to access tresor contents, because they don't have the RSA private key to decrypt the tresor encryption key. This is a good example of how Tresorit employs multiple layers of protection around your valuable data, always backed up by strong cryptographic routines.

2. TRESOR SHARING

Sharing a tresor with other users basically works with the manipulation of the encrypted encryption keys stored in the group info.

As mentioned before, there is an additional level of protection built in our servers which only allow tresor members to access any encrypted content belonging to a tresor. These access control privileges are also manipulated when sharing a tresor or revoking access to it. This access control protection is similar to what you would receive from other cloud providers, like Dropbox - server checks an access control table before each file operation request.

2.1. Inviting a user to a tresor

When you invite someone to a tresor, a so called cryptographic handshake is performed. It consists of a series of message exchanges between the inviter and the invitee, and has two main purposes:

- Both the inviter and the invitee make sure that the other party is the one she/he claims to be, eg. she/he is a real Tresorit user with the given email address.
- They exchange metadata (tresor name, invitation message) and the credentials needed to access the tresor.

During the cryptographic handshake, the invitee sends her/his agreement public key embedded in a X.509 certificate to the inviter. The inviter then uses this public key to encrypt the tresor's encryption key yet again, appends it to the group info and then uploads the group info to the cloud. At the same time she/he notifies the Tresorit servers to grant access privilege to the new member. The inviter then sends the URI of the group info to the invitee who can now download it and use it to access the contents of the tresor as described above.

Note, that your personal data (e.g. your name) are included in your certificate. Because we also protect your privacy, this certificate is sent to the inviter once you accept an invitation. This guarantees, that someone just inviting you will not automatically receive your personal data. Also please note that your agreement private key never gets transferred to any other user, this secret always remains under your control (stored in your roaming profile).

2.2. Firing a user from a tresor

When you fire a member from a tresor, a new AES-256 tresor encryption key is generated and from now on, this key will be used to encrypt tresor contents. Then the group info is regenerated by encrypting this new encryption key with the agreement public keys of the remaining members, the fired member will be left out. The new group info is uploaded then, and parallel to that, our servers are notified that the access permission of the fired user should be revoked for the given tresor.

This way the fired user will not be able to access the tresor contents with the old encryption key, nor will he be able to obtain the new encryption key from the group info because she/he won't be able to download it and even if she/he would, she/he wouldn't be able to decrypt the file/folder encryption key from it.