End-to-end encrypted file sharing and sync service Tresorit has revealed the results of a third-party review of its security architecture, conducted by the EY (formerly branded as Ernst & Young) Advanced Security Center. This approach was chosen to test independently whether the Zürich-based company's claims regarding zero-knowledge and encryption are legitimate.
Tresorit underwent the security evaluation in August and September of this year, through multiple penetration tests and a review of both the source code and the cryptography implementation. Of this endeavor, Tresorit CEO István Lám had this to say:
“The external security assessment makes Tresorit the most thoroughly publicly reviewed file sync and sharing solution available on the market today. Opening up our product for rigorous evaluation represents our commitment to a proactive and transparent approach to security and plays a great role in reaffirming our customers’ sense of security.”
In terms of the first category, black-box testing was conducted on Tresorit Web, its mobile applications on iOS and Android, and the Windows, macOS, and Linux desktop clients. The results of this testing, together with the source code review and the analysis of the cryptography method via NIST statistical tests, confirmed that what the file sharing company states regarding its approach to data privacy is correct.
A target of interest during testing was the end-to-end encryption claim, which states that data is encrypted on the client side, meaning that no employee has access to either the data itself or the encryption keys. This was in fact validated, so the only ones with access to whatever is uploaded to the service are the user who uploaded the data and those whom that user has authorized to access it. On the subject of encryption testing, Cybersecurity, Technology Risk and Technology Consulting Leader at EY, Mihály Zala, stated:
“We paid specific attention to Tresorit’s claim regarding end-to-end encryption and to identify potential security deficiencies during the security review. Our assessment concluded that Tresorit ensures high confidentiality by encrypting data on the client side and in a way that Tresorit servers and employees never receive cleartext data or the encryption keys.”
The company uses AES256 encryption, and as such, a random 256-bit symmetric key is generated client-side. Furthermore, for each different file version, a randomly chosen 128-bit IV (initialization vector) is used to ensure "semantic security". Both individual files and directories will have their encryption keys changed periodically via a "lazy re-encryption" scheme, used to also protect existing files in case of changes to the group of members allowed to access a given file. In other words, if somebody leaves this group, they won't be able to decrypt information they did not have access to prior to leaving.
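The key handling described above can be modelled in a few lines. This is an added example, not Tresorit's code and not taken from the review. Assumptions: AES-256-GCM as the mode (the article names only AES-256 and a 128-bit IV), "lazy" meaning a file moves to the new key on its next write, and the hypothetical `SharedFolder` class with constructed member names and file contents.

```javascript
const crypto = require("node:crypto");

// Hypothetical client-side model of one shared folder (not Tresorit's API).
class SharedFolder {
  constructor(members) {
    this.keys = [crypto.randomBytes(32)];                  // random 256-bit key
    this.keyrings = new Map(members.map((m) => [m, [0]])); // key versions each member holds
    this.files = new Map();                                // name -> latest encrypted version
  }

  // Membership change: rotate the key for future writes only. Existing
  // ciphertext is left alone until it is next written (the "lazy" part).
  removeMember(member) {
    this.keys.push(crypto.randomBytes(32));
    const newest = this.keys.length - 1;
    for (const [m, ring] of this.keyrings) if (m !== member) ring.push(newest);
  }

  write(name, plaintext) {
    const keyVersion = this.keys.length - 1;
    const iv = crypto.randomBytes(16);                     // fresh 128-bit IV per file version
    const c = crypto.createCipheriv("aes-256-gcm", this.keys[keyVersion], iv); // mode is an assumption
    const data = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
    this.files.set(name, { keyVersion, iv, data, tag: c.getAuthTag() });
  }

  // Returns the plaintext, or null when the member never received that key version.
  read(member, name) {
    const f = this.files.get(name);
    if (!this.keyrings.get(member).includes(f.keyVersion)) return null;
    const d = crypto.createDecipheriv("aes-256-gcm", this.keys[f.keyVersion], f.iv);
    d.setAuthTag(f.tag);
    return Buffer.concat([d.update(f.data), d.final()]).toString("utf8");
  }
}

// Constructed scenario: bob leaves, then one of the two files is modified.
function demo() {
  const folder = new SharedFolder(["alice", "bob"]);
  folder.write("notes.txt", "old notes");
  folder.write("plan.txt", "v1 draft");
  folder.removeMember("bob");
  folder.write("plan.txt", "v2 final");
  return {
    bobOld: folder.read("bob", "notes.txt"),   // seen before leaving, still under the old key
    bobNew: folder.read("bob", "plan.txt"),    // written after leaving, under the new key
    aliceOld: folder.read("alice", "notes.txt"),
    aliceNew: folder.read("alice", "plan.txt"),
  };
}
console.log(demo());
```

The removed member keeps only what was already readable before leaving; anything written afterwards is under a key version that was never handed over.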
This is the latest in the company's repeated championing of user privacy, which includes support for the General Data Protection Regulation (GDPR), calls for better protections under the California Consumer Privacy Act (CCPA), and the release of its very own transparency report.
More information about resources and pricing can be found on the official portal.