Independent security test: ETH Zurich puts Tresorit’s E2EE cloud solution to the test
When you search for “best end-to-end encrypted cloud storage” or “most secure cloud storage”, you’re likely to come across Tresorit — delivering top-tier security for our users is at the core of our mission. But how do we measure up to this bold promise?
We continuously assess our security measures, but we recently got unexpected support for our efforts. A team of cryptography experts from ETH Zurich undertook an in-depth evaluation of our solution as part of their study “End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosystem”. Alongside Tresorit, other well-known providers that claim to offer ultra-secure E2EE solutions, such as Sync, pCloud, Icedrive, and Seafile — serving more than 22 million users in total — were examined carefully.
How was Tresorit’s security tested?
The ETH Zurich research team focused on how well E2EE held up under severe scrutiny. As they put it:
“We analyse the end-to-end encryption of these providers in the natural setting of a compromised server. This is a fair expectation for E2EE cloud storage: security should be preserved even if the attacker has full access to the server and can directly interact with the user”.
The attacks carried out by the team targeted the confidentiality, integrity, and authenticity of data and metadata. In total, they identified ten classes of attacks, which were categorized into four groups:
- Confidentiality breaches:
  - Lack of authentication of user key material: This was about testing whether adversaries were able to manipulate key material so that their own keys were used for encrypting files.
  - Unauthenticated public keys: The aim was to find out whether it was possible to use unauthenticated public keys provided by the server.
  - Protocol downgrade: The test objective was to find out whether adversaries could perform a protocol downgrade attack to facilitate breaking confidentiality.
  - Link sharing pitfalls: As providers often sacrifice security to make link-based sharing work, this attempt was to breach data confidentiality via links.
- Attacks on data integrity:
  - Unauthenticated encryption modes: This relates to the scrutiny of unsafe encryption modes, which allowed adversaries to tamper with files.
  - Unauthenticated chunking: These tests refer to a scenario in which adversaries swap around or remove chunks from files because the file chunking was unauthenticated.
- Attacks on metadata:
  - Tampering with file names and location: This refers to testing whether adversaries are able to modify file names and location.
  - Tampering with file metadata: The focus here was on the manipulation of metadata such as file size, file type, and modification date by adversaries.
- File injection:
  - Injection of folders: In this case, the research team tested whether adversaries were able to make folders appear as if they had been uploaded by the user.
  - Injection of files: In this case, the research team tested whether adversaries were able to make files appear as if they had been uploaded by the user.
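
The unauthenticated-chunking class listed above, as an added example that is not taken from the study or from Tresorit's code: HMAC tags that cover only a chunk's own bytes accept reordered or removed chunks, while tags that also cover a file id, the chunk index and the chunk count reject them. Chunks are left unencrypted to keep the focus on integrity; the function names, the `file-1` id and the sample data are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def mac(key, data, context=b""):
    return hmac.new(key, context + data, hashlib.sha256).digest()


def ctx(file_id, index, total):
    # Fixed-width fields keep the context encoding unambiguous.
    return hashlib.sha256(file_id).digest() + index.to_bytes(8, "big") + total.to_bytes(8, "big")


def seal_naive(key, chunks):
    # Weak form: each tag covers only the chunk's own bytes.
    return [c + mac(key, c) for c in chunks]


def seal_bound(key, file_id, chunks):
    # Hardened form: each tag also covers file id, chunk index and chunk count.
    n = len(chunks)
    return [c + mac(key, c, ctx(file_id, i, n)) for i, c in enumerate(chunks)]


def open_chunks(key, sealed, file_id=None):
    """Verify every chunk and return the file; file_id=None selects the weak form."""
    out = []
    for i, blob in enumerate(sealed):
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        context = b"" if file_id is None else ctx(file_id, i, len(sealed))
        if not hmac.compare_digest(tag, mac(key, body, context)):
            raise ValueError(f"chunk {i}: authentication failed")
        out.append(body)
    return b"".join(out)


if __name__ == "__main__":
    key = bytes(32)  # constructed demo key; real keys come from a CSPRNG
    chunks = [b"keep:report;", b"drop:draft;", b"end"]  # constructed sample data
    weak = seal_naive(key, chunks)
    print(open_chunks(key, [weak[1], weak[0], weak[2]]))  # reordered file is accepted
    strong = seal_bound(key, b"file-1", chunks)
    try:
        open_chunks(key, strong[:2], b"file-1")  # last chunk removed by the server
    except ValueError as err:
        print("rejected:", err)
```

Binding the chunk count means the writer must know it before tagging; a streaming writer would instead mark the final chunk inside the authenticated context.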
How secure is Tresorit? The takeaways of the study
All in all, Tresorit did well. The ETH Zurich team praised Tresorit’s thoughtful design, noting:
“Tresorit’s design is mostly unaffected by our attacks due to a comparably more thoughtful design and an appropriate choice of cryptographic primitives.”
The team attested that “the cryptographic design of Tresorit is remarkably more complex than the other providers’, partially due to the advanced features that it provides, such as password recovery and admin access for user accounts”.
The researchers came to this conclusion by carefully examining various aspects of Tresorit’s system, such as:
- Data encryption and authentication: Tresorit uses a strong data encryption method (AES) to make data unreadable to unauthorized persons: either authenticated encryption (AES-GCM) or an encrypt-then-authenticate construction (with AES-CFB and SHA2-based HMAC) is applied. This also makes it impossible for anyone to tamper with data unnoticed.
- Key encryption: The symmetric key that is needed to decrypt files is also protected by strong asymmetric encryption (RSA). In this case, a large key with a 4096-bit modulus is used, which is difficult for potential adversaries to break.
- Key derivation: As a cryptographic best practice, Tresorit derives new keys for each distinct use of existing keys. Passwords are also made more secure via key derivation (using scrypt and PBKDF2). This way, guessing them would be an extremely laborious task for adversaries.
Tresorit applies further security measures for the protection of user data:
- Profile key generation and encryption: When the user creates their password, a cryptographic key is derived from it. This key is used to encrypt an RSA keypair (a private and public key). The public key is then utilized to encrypt another key, which in turn protects the user profile. This profile contains important information, such as the user’s further keys.
- File organization in tresors: Tresorit stores files in so-called tresors, which serve as shareable folders. Each tresor contains a file called the “group key file” (GKF). This encrypted and authenticated GKF contains the keys necessary to access the files in the tresor. Each member of a tresor is given cryptographic access to the tresor via the GKF.
- Encryption of files and folders: Each folder or file, including its name, is protected with its own encryption key. These keys are additionally used not only to encrypt but also to authenticate the data to ensure they have not been tampered with. File hierarchy is also protected against tampering.
- Protection from tampering by the server: The user profile and the GKF are additionally secured to prevent the server from replacing the user’s or tresor’s keys with its own keys.
- Authentication via certificates: All asymmetric keys used by Tresorit are secured via digital certificates. These certificates are issued by Tresorit’s own certification authority and are validated every time a user requests a key from the server.
- Management by administrators: It is possible for organizational administrators to manage user accounts and access managed accounts’ data. This is achieved by the user profile being extended with one more cryptographic entrance accessible with the admin’s private key. The user, however, must explicitly consent to this — after checking the admin’s cryptographic fingerprint, to prevent impersonation attacks.
Furthermore, the ETH Zurich team examined the option of sharing data via Tresorit. Tresorit offers two ways for sharing data securely: link sharing and permanent sharing.
Link sharing:
- When a file or folder is shared via link, Tresorit generates a random 16-byte client secret in the background. This client secret becomes part of the link. Links can be additionally protected with a password.
- The link’s target file or folder can be decrypted using the client secret or, if a password was set, the cryptographic combination of the client secret and the password.
- The link’s receiver does not need a Tresorit account to access the file or folder behind the link.
Permanent sharing:
- When a tresor is permanently shared with another person, the invitee’s public key is placed into the tresor’s group key file (GKF).
- This GKF is then sent to the Tresorit server, which relays it to the invitee.
- The invitee can use the tresor permanently, since the required information (the private key) is securely stored in their own user profile.
In addition, Tresorit ensures that the shared keys are trustworthy, by wrapping them into a digital certificate issued by Tresorit. This serves as an additional layer to confirm the identity of a public key’s owner, and thus prevent unauthorized individuals from accessing one’s files.
Embracing constructive feedback
Despite the various measures Tresorit takes to fully secure data storage and transfer, the study has also shown room for improvement. The researchers criticized the absence of formal security analyses and the lack of open-source code. Combined with the inherently complex nature of our cryptographic design, these factors present barriers to independent security evaluations.
Such impulses for improvement are fully embraced by Tresorit. Tresorit’s CEO, István Hartung, emphasizes:
“We are delighted with the positive outcome of the research, but also take the room for improvement indicated by the researchers seriously. This is why we value our exchange with academic research: not only does it help us but the entire industry to keep moving in the right direction. We plan to continue our dialogue with the research team and explore the potential for future collaboration.”
A commitment to excellence
At Tresorit, security is not a one-time achievement — it’s an ongoing journey. This independent evaluation by ETH Zurich affirms our commitment to delivering the highest standards of end-to-end encryption while driving innovation for even greater transparency and resilience.
Visit our security page to learn more about Tresorit's security standards and cryptographic design.