The ProtonDrive Security Model
This article paperwork ProtonDrive’s security mannequin by showing how it uses discontinue-to-discontinue encryption to present protection to your sensitive knowledge. While somewhat of technical, this doc is intended to be accessible to a habitual viewers and attempts to level to how ProtonDrive works in easy language.
ProtonDrive is within the closing phases of development earlier than our beta originate later this 365 days.
ProtonDrive is the latest addition to the Proton encrypted ecosystem. It provides win online storage state for our users’ photos, paperwork, and other files with the same focal level on privacy and security as the opposite Proton products.
ProtonDrive’s construct is in accordance with discontinue-to-discontinue encryption. This mannequin prevents any attacker who features derive admission to to 1 in all our servers from:
- viewing the file construction within the users’ personal storage state
- viewing or changing the contents of their files
- viewing or changing the file names
- adding unique files and attributing them to the actual person
With this in mind, our goal is to clarify that that that the presence of encryption doesn’t hinder the actual person in any blueprint from seamlessly:
- uploading, downloading, and previewing files
- organizing their ProtonDrive recount material into folder hierarchies
- though-provoking, renaming, and deleting files and folders
All recount material in ProtonDrive lives interior a volume, an allotted quantity of storage state, with each and each person having their grasp personal volume. Within the fracture, ProtonDrive will allow directors to construct a volume for his or her organization and to give derive admission to to contributors of the organization.
Every file and folder in ProtonDrive is described by two entities:
- a node — this keeps note of the entry’s metadata (to illustrate, variety, size, creation, and modification time) and its attributes
- a link — this identifies the entry’s state within the folder tree. The link indicates the entry’s state by referencing the guardian entry and by storing the title of the entry.
This mannequin, connected to the Portable Working Machine Interface (POSIX) file system mannequin, facilitates communication and synchronization between ProtonDrive and the file systems to your tool and can toughen the app on desktop and pocket book within the future. Within the case of files, the associated node also references the file recount material, which is split into multiple blocks, each and every with a maximum size of 4 MB.
Having access to a volume is regularly done the usage of a fragment of knowledge identified as a part. A part might presumably be considered as a extra or less derive admission to card that provides an particular particular person with definite permissions and derive admission to to a selected fragment of the folder tree. A part, thus, has three functions:
- It references a link within the tree
- It limits the operations that will presumably be conducted on the recount material (ex: learn-reliable, write-reliable, etc.)
- It carries the cryptographic field topic required to originate the decryption route of of the recount material
Every volume has a default part, equal to the root of its folder tree without any permission restriction.
Multiple users might presumably be contributors of a part, and each and every membership can bear its grasp permissions (admin, learn, or write). This allows sharing recount material between Proton users or between contributors of a corporation. A varied blueprint for sharing recount material with of us without a Proton account is described in a later piece.
Well-known encryption mannequin
In this piece, we picture the blueprint recount material is encrypted in ProtonDrive. While there are a total bunch similarities with the ProtonCalendar encryption mannequin, the variation lies in ProtonDrive’s hierarchical recount material construction, whereby folder bushes can bear varied depths. This fashion the decryption steps are repeated at each and every stage of the tree.
All keys and passphrases are generated on the shopper’s side and reliable transmitted to the server in encrypted construct. Within the same device, file and folder names, to boot to file contents, are reliable sent to the server in encrypted construct, making it no longer doable even for Proton to decrypt any of these entities.
Having access to shares
Proton users with multiple ProtonMail email addresses can bear multiple email addresses connected to their ProtonDrive account. Every address has an associated key that enables the account proprietor to derive admission to a part when they turn out to be a member.
When the part is created, the encryption system generates a 32-byte random part passphrase, alongside with an uneven key (the part key). The part key is locked the usage of the part passphrase, which is encrypted and signed with the particular person’s address key.
Within the case of multiple part contributors, the part passphrase is encrypted with each and every member’s address key.
The PGP encryption blueprint permits the usage of multiple uneven keys or passwords to encrypt a payload. PGP begins the encryption route of by producing a unique symmetric session key, which is a random passphrase of ample length. The session key is used to encrypt the payload, producing the knowledge packet.
The next step is to encrypt the session key, in flip, with each and every uneven key and each and every password equipped by the actual person, resulting in multiple key packets. Every uneven key or password can decrypt its corresponding key packet and employ the session key within to then decrypt the knowledge packet. (Demand figure 5)
Allowing a unique key (i.e., a unique particular person) to decrypt the payload is a easy operation that doesn’t alter the knowledge packet — reliable the session key needs to be encrypted again with the unique key, producing a unique key packet.
Recordsdata and folders are organized in a tree construction. Therefore, there is a routine sample the build a file or folder’s uneven key is locked with a passphrase, which in flip is encrypted with the uneven key of their guardian folder. All passphrases are signed with the address key of the actual person, without which a malicious server might presumably well forge the contents of the tree.
For each and every node within the tree, whether a file or a folder, an uneven key and passphrase are also generated — the node key and passphrase. The node passphrase is encrypted with the guardian folder’s node key (if the latest node is no longer a volume root) or with a part key, if the latest node represents a part root.
The file or folder title will doubtless be encrypted with the guardian folder’s node key. As mentioned earlier, files are saved in blocks, the build each and every block is at most 4 MB in size and is encrypted with the file’s node key. The blocks’ recount material hashes that disguise the fresh recount material by encryption are linked in succession and the resulting string is signed with the address key of the uploader. This mechanism protects against a malicious or compromised server forging the contents of files.
The clarification to this level covers the main functions of the safety mannequin: encrypting and verifying saved recount material and sharing recount material between Proton users.
Sharing by URL
Our users might presumably well favor to part a file located in a ProtonDrive volume with somebody who doesn’t bear a Proton account. This would presumably well also be done in a learn-reliable formula by a mechanism that stops Proton from gaining access to the shared recount material.
The blueprint we developed is in accordance with the fetch client producing win URLs, which allow derive admission to to the contents of specific files. The URLs are password-excellent, and having each and every the URL and the password provides derive admission to to the shared recount material. While the Proton server will know the URL, it could presumably well no longer ever receive the password.
When developing a unique shareable URL for a file, the fetch client will first confirm that a part directing to the file exists. The passphrase of this part need to then be encrypted with the unique password connected to the URL. This unique password is either randomly generated by the ProtonDrive client, or is specified by the actual person.
Within the case of randomly generated passwords, the actual person can capture whether they favor to incorporate it at the tip of the URL, equal to sharing the recount material publicly. This piece of the URL isn’t shared with Proton servers, making the password and the recount material inaccessible to Proton. Alternatively, the actual person can capture to part the password individually.
Within the case of particular person-defined passwords, this option isn’t on hand and the password need to regularly be communicated individually.
As a closing step, the shopper makes a demand to the server to construct a unique shareable URL, offering the unique encrypted key packet of the part passphrase. The server stores the encrypted key packet and returns to the shopper a clear random URL for gaining access to the shared recount material.
When the URL is accessed, the server will return the encrypted payload desired to derive admission to the shared recount material. Most animated by brilliant the URL password can the payload be decrypted and the shared file be accessed.
Here’s a simplified description which captures the central precept of the construct. The specific implementation involves mechanisms to prevent the repeated abusive derive admission to of the URLs. It also provides the means to state an expiration time for the URLs or to restrict the number of times the URLs might presumably be accessed.
In this text we described the safety mannequin of ProtonDrive, which is designed to present protection to users’ knowledge from malicious actors whereas offering the same ease of employ as a non-discontinue-to-discontinue encrypted cloud storage provider. As regularly, comments and suggestions are welcome, and security researchers can reach us at email@example.com with comments or questions.
The Proton Team
This post used to be authored by ProtonDrive technical lead Radu Popescu.
Attracted to constructing products like this? Join us.
You doubtlessly can derive a free win email account from ProtonMail here.
We also provide a free VPN provider to present protection to your privacy.
ProtonMail and ProtonVPN are funded by group contributions. Within the occasion you would shield to toughen our development efforts, you might presumably well presumably pork up to a paid notion or donate. Thank you on your toughen.