ByteSync version 2022.3 was released a few weeks ago and it includes two major new features:
- Session Profiles, which allow you to launch sessions from predefined templates
- Trusted Clients, which allow the identity of already known clients to be recognized, increasing the security provided by End-to-End Encryption.
It is now possible to save the runtime settings of a Cloud Session or Local Session and quickly launch sessions based on those settings.
Session Profiles are suitable for recurring synchronization and backup tasks, as they save the user from setting up the session and waiting during the Data Inventory phase, and then setting up and running the Data Synchronization.
Saved Session Profiles can be launched from the ByteSync Home page with three different execution modes:
- The Synchronization mode loads the Session Settings, launches the Data Inventory, loads the Synchronization Rules and then launches the Data Synchronization.
- The Inventory mode loads the Session Settings, starts the Data Inventory and loads the Synchronization Rules.
- The operation of the Details mode depends on the type of profile.
In the case of a Local Session Profile, a pre-configured Local Session is opened. The user will be able to change the settings and then run the Data Inventory manually.
In the case of a Cloud Session Profile, a page similar to a Cloud Session Lobby is displayed to show the profile settings, but the Cloud Session is not automatically launched.
Other differences between the profile types are presented below.
Local Session Profiles
ByteSync’s management of Local Session Profiles is similar to what other data synchronization software usually offers. Once the Local Session settings are set correctly, the user saves the profile to a file on the machine.
Cloud Session Profiles
Managing Cloud Session Profiles has more constraints, as it is necessary to coordinate Session Members when registering and executing the profile, while ensuring data security and privacy.
Registration of a Cloud Session Profile is done only at the request of the First Member of the Session. Following this request, the profile is saved on that member's machine and then transmitted, in encrypted form, to the other Members of the Session. Each of them can accept or refuse the registration of the profile on their machine. Every Session Member must agree to save the profile file on their machine for this Cloud Session Profile to be launched properly thereafter.
The file containing the profile data is encrypted on each of the machines with a symmetric encryption key specific to the profile. This key, stored only on the server, will be provided to clients who join a Cloud Session Lobby after the server checks the credentials provided. The server only holds control data on the profiles.
When a user launches a Cloud Session Profile, he or she joins a Cloud Session Lobby, dedicated to that profile, to wait until all expected clients have joined the lobby. When all Lobby Members are ready, security checks are performed between all clients to ensure that they are all Trusted Clients and that they have the appropriate credentials for that profile. Once these checks are complete, the Cloud Session is launched and each Lobby Member will join in turn.
The order of Session Members is recorded in the Cloud Session Profile. The First Member of the Session shall also be the First Member of the Lobby. It will determine how the session is executed.
Since the initial release of the software, ByteSync’s End-to-End Encryption of synchronization sessions has used the following principle:
- When a client wants to join a Cloud Session, an RSA public key exchange between the Session’s First Member and the candidate client allows the Password to be exchanged and validated using RSA encryption.
- If the Password provided by the candidate client is valid, the candidate client becomes a Member of the Session. The First Session Member provides the symmetric AES-256 key, again using RSA encryption. This AES-256 key, known only to the Session Members and unknown to the server, is used to encrypt all data exchanged during the Cloud Session.
This implementation suffered from two potential security risks:
- It did not prevent Man-in-the-Middle (MITM) attacks, which are possible during the initial exchange of RSA public keys if the identity of the parties is not verified.
- The arrival of Session Profiles allows Cloud Sessions to be launched automatically, without the Password being used as a means of controlling the users/clients seeking to join the session. In order to increase the security level of the application, it became necessary to guarantee the identity of the parties as much as possible.
To address these two issues, we have introduced the concept of Trusted Clients.
A Trusted Client is a ByteSync client whose identity has been recognized through a simple and secure registration process. Each client:
- Is identifiable by its Client ID and by the Public Key of its Asymmetric Key Pair.
- Contains a list of all Trusted Clients whose identity it recognizes.
When a client requests to join a Cloud Session, if it does not recognize one of the Session Members as a Trusted Client or if one of the Session Members does not recognize it as a Trusted Client, a Trusted Client registration process is started. The purpose of this process is for each of the two clients to recognize and validate the Client ID and Public Key of the other client.
To make this operation as easy as possible, ByteSync uses a system similar to the Safety Number of the WhatsApp or Signal messaging applications. This is a unique list of English words, called Security Words, that must be checked by the users of both clients. This list is based on the Client IDs and Public Keys of both clients and cannot be corrupted. To validate that each client is the expected client, simply read the Security Words and make sure they are identical on both clients. The use of Security Words avoids the tedious cross-comparison of Client IDs and Public Keys, which are long, hard-to-read strings.
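The following is an added sketch, not ByteSync's own algorithm (which this post does not detail), of how such a word list can be derived so that both clients compute the same words and a public key substituted in transit makes the two lists differ. The word list, hash construction and sample identities are constructed for illustration.

```python
import hashlib

# Constructed 16-word list (4 bits per word), not ByteSync's own list.
WORDS = ["apple", "bridge", "candle", "desert", "ember", "forest", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "needle",
         "orchard", "pebble"]


def encode_identity(client_id: str, public_key: bytes) -> bytes:
    """Length-prefix both fields so ("ab", b"c") and ("a", b"bc") differ."""
    cid = client_id.encode("utf-8")
    return (len(cid).to_bytes(4, "big") + cid
            + len(public_key).to_bytes(4, "big") + public_key)


def security_words(id_a, key_a, id_b, key_b, count=8):
    """Derive the same word list on both clients from both identities."""
    # Sorting makes the result independent of who is "local" and who is "remote".
    first, second = sorted([encode_identity(id_a, key_a),
                            encode_identity(id_b, key_b)])
    digest = hashlib.sha256(b"security-words-example\x00" + first + second).digest()
    # Split each digest byte into two 4-bit indexes into WORDS.
    nibbles = [n for byte in digest for n in (byte >> 4, byte & 0x0F)]
    # 8 words x 4 bits = 32 bits: enough to illustrate, too short for real use.
    return [WORDS[n] for n in nibbles[:count]]


def demo():
    # Constructed sample identities; the keys stand in for encoded public keys.
    a_id, a_key = "client-A", b"PUBLIC-KEY-OF-A"
    b_id, b_key = "client-B", b"PUBLIC-KEY-OF-B"
    relay_key = b"PUBLIC-KEY-OF-RELAY"  # key substituted in transit

    honest_a = security_words(a_id, a_key, b_id, b_key)   # computed on A
    honest_b = security_words(b_id, b_key, a_id, a_key)   # computed on B
    # With a substituted key, A and B each hash a different key pair.
    tampered_a = security_words(a_id, a_key, b_id, relay_key)
    tampered_b = security_words(b_id, b_key, a_id, relay_key)
    return honest_a == honest_b, tampered_a == tampered_b


if __name__ == "__main__":
    print(" ".join(security_words("client-A", b"PUBLIC-KEY-OF-A",
                                  "client-B", b"PUBLIC-KEY-OF-B")))
    print("honest match: %s, tampered match: %s" % demo())
```

The comparison only protects the exchange if the users read the words over a channel the relay does not control, such as in person or by phone.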
During the connection phase of a Cloud Session and during the security checks phase of the Cloud Session Lobby, each client verifies the identity of its Trusted Clients by means of a digital signature, which each client produces with the private key that it alone holds.
These two important features help improve the ease of use and security of ByteSync. This is another major step towards a fully usable production version of the software.
If you haven’t already done so, you can discover ByteSync in Beta version by joining the Open Beta!
If you would like more information or to find out about other changes in version 2022.3, you can read the release notes.