Enterprise Sync IT Data Sheets


Upload: marcus-grimaldo

Post on 15-Jan-2017


Page 1: Enterprise Sync IT Data Sheets

Questions? [email protected] • 303 2nd Street, Suite S200, San Francisco, CA 94107

Introduction

Sync IT uses cryptographic security that is built on industry standards. The implementation leverages the OpenSSL cryptographic libraries on Windows, Mac and Linux, as well as OS-provided cryptographic APIs (Windows and OS X).

The Sync IT security model consists of:

• Mutual authentication and authorization of clients and servers

• Generation of one-time session encryption keys between clients

• Data in transit encryption

• Data integrity validation

Key features

• Works inside your private infrastructure

• Uses industry standard crypto algorithms: AES 128-bit (AES 256-bit), SHA1 (SHA2)

• Incorporates SRP for session establishment and forward secrecy

• Data integrity is based on SHA1 hashes and the ED25519 signature algorithm

• Endpoint authentication and authorization over TLS

Session Encryption

The Sync IT clients receive a 160-bit (20-byte) private folder key from the Management Server. The private key indicates that the client has either read-write (RW key) or read-only (RO key) access to a folder. The client must have a folder private key before it can initiate a session with other clients.

The Sync IT client uses SRP with the folder private key (RW key or RO key) to mutually authenticate clients and to generate a session key for traffic encryption. This transfer key is unique to each client, folder and session. The use of SRP for session key generation ensures perfect forward secrecy.

Technical Review: Sync IT Security

Cross-Platform Support

Sync Clients:

• Mac OS X 10.8 Lion or later

• Windows XP (SP2) or later (32/64-bit)

• Linux i386 (glibc 2.3)

• Linux x64 (glibc 2.3)

Management Server:

• Windows XP (SP2) or later (32/64-bit)

• Linux x64 (glibc 2.3)

Figure: Session Encryption. Bob’s PC (RO key) and Jack’s PC (RW key) run SRP over the Folder_ID and RO key to produce a 40-byte session key. The 40 bytes are split into two 20-byte parts, each consisting of a 16-byte AES CTR (128) session key and a 4-byte initial counter.

Page 2

Data Integrity

The Sync IT client that has the RW key can change the content of the folder. It detects when the content of a file is changed, then it splits the file into blocks (32KB or more) and calculates the hash (SHA1 or SHA2) of each block as well as a hash of all of the file’s blocks. This information is used to verify that a received block has arrived without corruption. The receiver can also verify that the file is fully delivered by calculating the hash of all of the file’s blocks. Only the damaged blocks need to be retransmitted, without the need to resend the entire file.
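The block-level integrity scheme just described, as an added example that is not code from the datasheet or from Sync IT itself: it uses Go's standard SHA1 to build a per-block hash list plus a whole-file hash, then shows how a receiver pinpoints a corrupted block and confirms completeness after only that block is resent. The 32 KB block size follows the text; hashing the concatenated block hashes to form the file hash, the manifest layout, the function names and the sample data are assumptions made for the example.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// blockSize is the 32 KB block size the datasheet gives as the minimum.
const blockSize = 32 * 1024

// Manifest is the integrity information a RW client publishes for one file:
// a SHA1 per block and a SHA1 over the list of block hashes (the file hash).
// ASSUMPTION: the datasheet does not define this layout; it is constructed here.
type Manifest struct {
	BlockHashes [][sha1.Size]byte
	FileHash    [sha1.Size]byte
}

// buildManifest splits data into blocks, hashes each block, and hashes the
// concatenated block hashes to obtain the whole-file hash.
func buildManifest(data []byte) Manifest {
	var m Manifest
	all := sha1.New()
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		bh := sha1.Sum(data[off:end])
		m.BlockHashes = append(m.BlockHashes, bh)
		all.Write(bh[:])
	}
	copy(m.FileHash[:], all.Sum(nil))
	return m
}

// damagedBlocks compares a received copy against the manifest and returns the
// indexes of blocks that are missing or whose SHA1 does not match; only these
// need to be retransmitted.
func damagedBlocks(m Manifest, received []byte) []int {
	var bad []int
	for i, want := range m.BlockHashes {
		off := i * blockSize
		if off >= len(received) {
			bad = append(bad, i)
			continue
		}
		end := off + blockSize
		if end > len(received) {
			end = len(received)
		}
		if sha1.Sum(received[off:end]) != want {
			bad = append(bad, i)
		}
	}
	return bad
}

// fileComplete reports whether received reproduces the manifest's file hash,
// i.e. every block is present, in order and intact (extra data also fails).
func fileComplete(m Manifest, received []byte) bool {
	return buildManifest(received).FileHash == m.FileHash
}

func main() {
	// Constructed sample file: 100 KB + 17 bytes of a repeating pattern.
	data := make([]byte, 100*1024+17)
	for i := range data {
		data[i] = byte(i * 7)
	}
	m := buildManifest(data)
	received := append([]byte(nil), data...)
	received[2*blockSize+5] ^= 0xff // simulate corruption inside block 2
	fmt.Println("blocks:", len(m.BlockHashes), "damaged:", damagedBlocks(m, received), "complete:", fileComplete(m, received))
	copy(received[2*blockSize:3*blockSize], data[2*blockSize:3*blockSize]) // resend only block 2
	fmt.Println("after retransmit, damaged:", damagedBlocks(m, received), "complete:", fileComplete(m, received))
}
```

The whole-file hash is computed over the block hash list rather than over the raw bytes, so a receiver that has already verified each block can confirm the complete file without a second pass over the data.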

Information about the directory is passed as a part of the folder meta information. Every piece of metadata is signed, and the signature is verified by all clients during synchronization.

The RO key is derived from the RW key using the ED25519 key generation algorithm. The RW key is used to sign and to verify meta information; the RO key can be used only to verify meta information.

Sync IT clients that have the RW key can modify folder meta information (add/change files) and sign the changes. This guarantees that changes to the folder can only be made by clients that have the RW key.

Data Is Encrypted In Transit

Sync IT clients use SRP to mutually authenticate clients and to generate 128-bit session keys for data transfer.

The Sync IT client uses AES 128-bit in CTR mode to encrypt all communication between clients. This includes the exchange of folder meta information, actual file data and control messages.

The Sync IT client uses persistent connections over TCP or UDP protocols to transfer the encrypted packets.

The session keys are discarded when the connection between clients is terminated.
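An added example (not the datasheet's or Sync IT's code) of how the 40-byte session key from the Session Encryption figure is carved into per-direction AES-128-CTR keys and 4-byte initial counters, and then applied to consecutive messages on one persistent connection. The split into one 20-byte part per direction, the placement of the 4-byte counter in the low-order bytes of the CTR counter block, the function names and the constructed session key are assumptions; the datasheet specifies only the sizes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// dirKey is one direction's share of the session key from the diagram:
// a 16-byte AES-128 key and a 4-byte initial counter.
type dirKey struct {
	key     [16]byte
	counter uint32
}

// splitSessionKey carves the 40-byte SRP session key into two 20-byte parts.
// ASSUMPTION: one part per direction; the datasheet shows only the sizes.
func splitSessionKey(session []byte) (send, recv dirKey, err error) {
	if len(session) != 40 {
		return send, recv, errors.New("session key must be 40 bytes")
	}
	copy(send.key[:], session[0:16])
	send.counter = binary.BigEndian.Uint32(session[16:20])
	copy(recv.key[:], session[20:36])
	recv.counter = binary.BigEndian.Uint32(session[36:40])
	return send, recv, nil
}

// newCTR builds the AES-128-CTR keystream for one direction.
// ASSUMPTION: the 4-byte initial counter occupies the low-order bytes of an
// otherwise zero 16-byte counter block; the datasheet does not give the layout.
func newCTR(d dirKey) (cipher.Stream, error) {
	block, err := aes.NewCipher(d.key[:])
	if err != nil {
		return nil, err
	}
	var iv [aes.BlockSize]byte
	binary.BigEndian.PutUint32(iv[12:], d.counter)
	return cipher.NewCTR(block, iv[:]), nil
}

// applyCTR encrypts (or, run over ciphertexts, decrypts) consecutive messages
// of one connection with a single keystream. The stream position advances
// across messages, so no counter block is reused within the session.
func applyCTR(d dirKey, msgs [][]byte) ([][]byte, error) {
	stream, err := newCTR(d)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, len(msgs))
	for i, m := range msgs {
		out[i] = make([]byte, len(m))
		stream.XORKeyStream(out[i], m)
	}
	return out, nil
}

func main() {
	// Constructed 40-byte value standing in for the SRP session key.
	session := []byte("0123456789abcdef0123fedcba9876543210fedc")
	send, recv, err := splitSessionKey(session)
	if err != nil {
		panic(err)
	}
	msgs := [][]byte{[]byte("folder meta"), []byte("file data block"), []byte("control msg")}
	ct, _ := applyCTR(send, msgs)
	pt, _ := applyCTR(send, ct) // same keystream, so this decrypts
	for i := range msgs {
		fmt.Printf("%x -> %q\n", ct[i], pt[i])
	}
	other, _ := applyCTR(recv, msgs)
	fmt.Println("other direction yields a different ciphertext:", !bytes.Equal(ct[0], other[0]))
}
```

CTR mode gives confidentiality only; in this design integrity comes from the SHA1 block hashes and the signed metadata described in Data Integrity. The keystream must never be reused, which is why each direction gets its own key and counter and why the stream position is carried across packets instead of restarting at the initial counter for every message.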

Client Authentication

Sync IT clients use TLS to communicate with the server. This way all communication is encrypted using industry standard encryption.

The Sync IT client must be authenticated against the Management Server to connect and communicate with it. This is achieved by bootstrapping a Sync client with a bootstrap token (20 bytes) with a limited time to live. The bootstrap token is generated by the server, and the server can change or revoke it at any time. Each new Sync client must provide a valid bootstrap token to establish a connection to the server. The bootstrap token is supplied to the Sync client through the client configuration file during installation.

Once the client is authenticated with a valid bootstrap token, the server issues a unique client token (20 bytes) that the client needs to provide when connecting to the server. The client validates the server’s authenticity by checking the server certificate fingerprint during the TLS handshake. The server certificate fingerprint is part of the client configuration.

Sync IT clients mutually authenticate before any data is sent. Data transfers only happen between clients that were authorized by the server to do so.
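An added example, not code from the datasheet or from Sync IT, of the two checks this section describes: the client pinning the Management Server's certificate fingerprint inside the TLS handshake (Go's VerifyPeerCertificate hook, with CA chain verification disabled because trust comes from the configured fingerprint), and the server validating a 20-byte bootstrap token against its time to live. The self-signed certificate, the SHA-256 fingerprint format, the loopback listener used to run a real handshake and all names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert makes a throwaway self-signed certificate standing in for
// the Management Server's certificate (constructed for this example).
func newServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sync-management.example"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fingerprint is the value written into the client configuration file:
// the hex SHA-256 of the server's DER certificate (format assumed here).
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// verifyPinned returns the TLS hook that accepts the server only when its
// leaf certificate matches the configured fingerprint.
func verifyPinned(pinned string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		if got := fingerprint(rawCerts[0]); subtle.ConstantTimeCompare([]byte(got), []byte(pinned)) != 1 {
			return fmt.Errorf("certificate fingerprint mismatch: got %s", got)
		}
		return nil
	}
}

// handshake runs a TLS handshake over loopback between a server holding
// serverCert and a client pinned to the given fingerprint; it returns the
// client's error. InsecureSkipVerify only turns off CA validation; the
// fingerprint hook is what authenticates the server.
func handshake(serverCert tls.Certificate, pinned string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	cfg := &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: verifyPinned(pinned)}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// validBootstrapToken is the server-side check of the 20-byte bootstrap
// token: constant-time comparison plus the token's time to live.
func validBootstrapToken(presented, issued []byte, expires, now time.Time) bool {
	if len(issued) != 20 || now.After(expires) {
		return false
	}
	return subtle.ConstantTimeCompare(presented, issued) == 1
}

func main() {
	cert, err := newServerCert()
	if err != nil {
		panic(err)
	}
	fp := fingerprint(cert.Certificate[0])
	fmt.Println("pinned:", fp)
	fmt.Println("handshake with the configured pin:", handshake(cert, fp))
	fmt.Println("handshake with a wrong pin:", handshake(cert, fingerprint([]byte("some other certificate"))))
	token := []byte("constructed-20-byte!") // constructed; the real token comes from the server
	fmt.Println("token accepted:", validBootstrapToken(token, token, time.Now().Add(time.Hour), time.Now()))
}
```

Pinning the fingerprint means a rotated server certificate must be pushed to every client configuration before the server switches to it; a client whose pin is stale fails closed rather than silently accepting whatever certificate is presented.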

Public & Private Keys

Figure: key derivation. The RW key is the seed for ED25519 key generation; the RO key is SHA1 (Public Key); the Folder_ID is SHA1 (RO Key).
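The derivation chain in the figure and the metadata-signing rule from the Data Integrity section, as an added example in Go that is neither the datasheet's nor Sync IT's code. Two points in it are assumptions: Go's ed25519 needs a 32-byte seed and the datasheet does not say how the 20-byte RW key is expanded, so the key is stretched with SHA-256; and because the RO key is only a hash of the public key, the example bundles the public key with each signed metadata record so that an RO holder can check it against the RO key before verifying the signature. The sample keys and metadata are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keys is the folder key material from the datasheet's diagram.
type Keys struct {
	RW       []byte            // 20-byte read-write folder key, the signing seed
	Pub      ed25519.PublicKey // Ed25519 public key derived from RW
	priv     ed25519.PrivateKey
	RO       [sha1.Size]byte // read-only key = SHA1(public key)
	FolderID [sha1.Size]byte // Folder_ID = SHA1(RO key)
}

// deriveKeys walks the chain RW -> Ed25519 key pair -> RO -> Folder_ID.
func deriveKeys(rw []byte) Keys {
	// ASSUMPTION: Go's ed25519 needs a 32-byte seed and the datasheet does not
	// say how its 20-byte RW key is expanded, so the key is stretched with SHA-256.
	seed := sha256.Sum256(rw)
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	ro := sha1.Sum(pub)
	return Keys{RW: rw, Pub: pub, priv: priv, RO: ro, FolderID: sha1.Sum(ro[:])}
}

// roOnly is what a read-only client holds: it can verify but cannot sign.
func roOnly(k Keys) Keys { return Keys{RO: k.RO, FolderID: k.FolderID} }

// SignedMeta is the folder metadata a RW client publishes, with its signature
// and the public key that RO clients need in order to check it (ASSUMPTION).
type SignedMeta struct {
	Meta []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

func signMeta(k Keys, meta []byte) (SignedMeta, error) {
	if k.priv == nil {
		return SignedMeta{}, errors.New("only a RW key holder can sign metadata")
	}
	return SignedMeta{Meta: meta, Sig: ed25519.Sign(k.priv, meta), Pub: k.Pub}, nil
}

// verifyMeta is the check a client holding only the RO key performs. Because
// RO = SHA1(public key), the client first confirms the bundled public key is
// the folder's key (otherwise anyone could attach their own key and a valid
// signature under it), and only then verifies the signature itself.
func verifyMeta(ro [sha1.Size]byte, sm SignedMeta) error {
	if len(sm.Pub) != ed25519.PublicKeySize || sha1.Sum(sm.Pub) != ro {
		return errors.New("public key does not match the folder's RO key")
	}
	if !ed25519.Verify(sm.Pub, sm.Meta, sm.Sig) {
		return errors.New("bad signature on folder metadata")
	}
	return nil
}

func main() {
	rw := []byte("constructed-20-byte!") // constructed sample RW key, 20 bytes
	k := deriveKeys(rw)
	sm, _ := signMeta(k, []byte(`{"file":"report.pdf","size":1024}`))
	fmt.Println("Folder_ID:", hex.EncodeToString(k.FolderID[:]))
	fmt.Println("RO client verifies:", verifyMeta(roOnly(k).RO, sm))
	_, err := signMeta(roOnly(k), []byte("x"))
	fmt.Println("RO client signing:", err)
}
```

The Folder_ID can be shared freely (it is two hashes away from the RW key), the RO key grants verification only, and the RW key is the one secret that must be confined to clients allowed to change the folder.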

Page 3

Networking

The Sync client does the following network activities:

• Communication between clients over TCP and UDP

• Communication with the tracker over TCP and UDP

• Search for local peers using multicast UDP packets

• Communication with the management server over TCP

Client listening sockets:

• TCP socket for incoming TCP connections on a random port in the range 10000-65536, or another value set in the configuration. It is bound to all network interfaces.

• UDP socket for incoming and outgoing UDP communication, bound to all network interfaces. It uses the same port as the TCP socket.

• UDP socket for every network interface, bound to the local-scope multicast address 239.192.0.0 on port 3838, to listen for LAN discovery packets.

Server listening sockets:

• TCP socket for the management UI over HTTPS (default is 8443)

• TCP socket for managing Sync clients (default is 8444)

• TCP socket for getting audit and debug logs from clients (default is 8445)

For communication with the tracker the Sync client uses TCP and UDP. If both connections succeed, Sync prefers UDP. A UDP connection allows the tracker to see the actual outgoing UDP port used for communication. This port is reported to other peers and used for NAT traversal. Sync clients connect to the tracker on start and keep a persistent connection. When a new client comes online, the tracker sends a notification with the address of the new client to the clients that are already connected.

To search the LAN for other clients with the same folder, Sync sends UDP packets to the multicast address 239.192.0.0:3838. If there are other clients on the LAN with the same folder, they reply to the sender of the multicast packets.

Every Sync client has a list of clients that have the same folder. Sync keeps persistent connections to every client on this list. When any change occurs on any client, it notifies all other connected clients and triggers synchronization. For communication between clients Sync uses both TCP and UDP. Sync prefers TCP for LAN connections and UDP for WAN connections. Using a custom TCP-like protocol over UDP allows congestion control to be adjusted to network conditions. It also allows connections to be established to other clients behind NAT.

For communication with the management server Sync clients use TLS 1.0 - 1.2 (depending on what the client supports) over TCP. Every Sync client keeps a persistent connection to the management port (default is 8444), which is used to get configuration and report status. A client may also open a connection on demand to the log uploading port (default 8445) to send audit or debug logs to the server.

Private Infrastructure

Sync IT provides the ability to run completely within private infrastructure. It doesn’t require any external web services or other resources to deploy policies and transfer data between clients. Sync IT clients use multicast to find other clients that have the same folder. In addition, a private tracker is deployed on-prem to enable client discovery over networks where multicast is blocked or not available.

The private tracker keeps information about all the clients that share the same folder. The Sync IT client reports to the tracker the list of folders that it has and receives a list of other peers that have the same folders. This way peers can find each other and establish connections without using multicast.

Page 4

Client Security

The Sync IT client is a single binary that has no dependencies on external libraries and frameworks. This significantly simplifies client installation and gives an easy upgrade path for the endpoint systems.

The Sync IT client uses a limited number of ports for all communications with other machines and the management server. This makes firewall rule configuration extremely easy for all devices inside your network.

The Sync IT client doesn’t require any administrative privileges to run. It can run in a sandboxed environment or under a user with limited permissions.

Security Review

The Sync IT security design and implementation was reviewed by a 3rd-party security auditor.

Page 5

Introduction

Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations, and excels when that data needs to be moved across unreliable or high-latency networks. Built on the same peer-to-peer (P2P) protocol powering Sync, Sync IT is designed to empower high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files.

The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance. Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1 Gbit/s over WAN or LAN. On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.

Product Datasheet

Key Features

Performance

• Peer-to-Peer protocol allows each client to act as a file server for others, allowing shared access to files without a central server. This reduces costs, saves time and bandwidth and improves reliability

• Clients don’t need a whole file to participate in transmission: a single 4K block is sufficient

• The unique Micro Transport Protocol (μTP2) overcomes the bottlenecks of conventional synchronization tools like rsync. rsync defaults to quite large block sizes when the files being transferred are large, which tends to result in inefficient data transfer. Sync and μTP2 scale for maximum replication speed.

Security

• Managed and automated file workflows with encrypted transfers

• Files move directly between clients: no data lives in the cloud

• Sync IT is an on-premise solution – data stays only on your devices, so all data remains private

• There are no passwords to be compromised – all security is cryptographic

• AES 128-bit encryption, forward secrecy, SSL certificates

Page 6

Central Management

• Distribute & manage data significantly faster and more securely than with FTP or HTTP

• Central management console allows for complete control of all Sync instances in the environment

• Dashboard monitors the deployments and status of clients and devices

• Set up individual or group-policy-based synchronizations

• Scheduler allows moving data at times of low load

• Uni-directional transfers to client machines initiated without client intervention (headless clients)

Scalability

• Sync IT is optimized and scalable to thousands of clients, 1M+ files, 1 Gbit/s over WAN and LAN networks

• Smart logic behind peer-to-peer networks, eliminating the need to control every link between clients

• Simply assign clients to groups in order to create an effective data-distribution system inside your organization (optimized for scalability and performance, while requiring minimum effort to support and manage it)

Network Management

• Works seamlessly across networks, VPNs, and firewalls

• Clients make a portion of their resources, such as processing power, disk storage or network bandwidth, directly available to other clients, without the need for central coordination by servers or stable hosts

• The decentralized nature of P2P networks increases robustness because it removes the single point of failure that can be inherent in a client-server based system

• Ability to schedule transfers and throttle network usage

System Requirements

Management Server:

• Windows 7 or later (32/64-bit)

• Linux i386 (glibc 2.3), Linux x64 (glibc 2.3)

Sync Clients:

• Mac OS X 10.8 Lion or later

• Windows XP SP3 or later (32/64-bit)

• Linux i386 (glibc 2.3), Linux x64 (glibc 2.3)

Page 7

Sync IT Overview

Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations and across unreliable or high-latency networks. Built on the same Peer-to-Peer (P2P) protocol powering BitTorrent Sync, Sync IT is designed to empower high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files.

The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance.

• Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1 Gbit/s over WAN or LAN.

• On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.

Technical Review: WAN Optimization

WAN Optimization Technology

Our μTP2 protocol architecture is based on a bulk transfer strategy, where the sender sends packets periodically with a fixed packet delay to create a uniform packet distribution in time and uses a congestion control algorithm to calculate the ideal send rate. There is no acknowledgment for every packet; instead the protocol uses an interval acknowledgment for a group of packets with additional information about lost packets. This acknowledgment, combined with periodic RTT (Round Trip Time) probing, provides the information for the congestion control algorithm to calculate the new sending rate. The protocol uses a delayed retransmission strategy: lost packets are retransmitted once per RTT to decrease unnecessary retransmissions.

Use Cases

• Easily deploy the Management Server and headless clients across multiple sites, and over any infrastructure

• Manage file distribution from a dedicated source to remote headless clients over LAN or WAN, using a centralized management console

• Manage data replication between multiple groups of servers, across multiple sites

• Backup data from remote sites to a single or multiple backup destinations

• Automate file replication workflows and remotely manage and schedule client’s activity and overall bandwidth consumption

Max. Up/Down Rate: Up to 1 Gbit/s

Max. Speeds over WAN: Regardless of distance and at up to 5% packet loss rate.

Security

Sync IT uses industry standard security approaches:

• AES 128-bit encryption

• Forward secrecy

• SSL certificates

All algorithms and code were reviewed by a 3rd-party security auditor.

Figure: direct peer-to-peer connection between Sender and Receiver. The sender does not wait for a confirmation for every packet before sending the next one. Instead, a confirmation is retrieved only for groups of packets, with additional information about the specific lost packets that need to be retransmitted.

Page 8

Client-Server Networking Has Limitations

Many data transfer protocols are built on a client-server model. The most popular is FTP (File Transfer Protocol), in which a server holds files and performs authentication on a client or end-user who is accessing the files. The first FTP client applications were developed as command-line programs before modern user interfaces existed, and are still shipped with most Windows, Linux, and Unix operating systems. There are thousands of applications built on top of FTP for data transfer. FTP set the standard for data transmission for many years, but was not designed for the file sizes or infrastructure needs of the modern internet.

The client-server model requires all data to be transferred directly from server to client, which is inefficient from a bandwidth perspective and problematic from an availability and reliability standpoint.

Peer-to-Peer Architecture Has Advantages

In contrast, peer-to-peer (P2P) networking is a distributed application architecture that connects distributed peers (also referred to as clients or endpoints) together. Peers share a portion of their resources (bandwidth, storage, or processing power) with the other participants in the network without the need for central coordination or administration. Files being transferred are broken into smaller segments called pieces, and each peer is able to transfer pieces to another peer. In this way, much of the network usage of sharing the data is offloaded to the peers. The distributed P2P model has significant advantages in terms of resource allocation, especially when it comes to handling large amounts of data. P2P transfer saves time, cost and bandwidth and improves resilience and reliability.

Technical Review: P2P Technology

Side notes

• BitTorrent is a protocol for P2P file sharing that was invented by Bram Cohen in 2001

• The protocol is open source and is one of the most common technical protocols for transferring large files

• Blizzard Entertainment distributes large game updates using the P2P protocol

• Facebook and Twitter use the P2P protocol to distribute software updates to their servers across the world

Figure: Client-Server Model versus Peer-to-Peer Model. Both show a Server (RW) and Workstations (RW and RO); in the client-server model all upload and download data passes through the server, while in the peer-to-peer model the workstations also exchange data with each other.

Page 9

The BitTorrent Protocol

The protocol was built to reduce the network impact of distributing large files. Rather than downloading a file from a central server, the protocol allows a group of clients to upload and/or download data from each other simultaneously. As each client receives a piece of the file, it becomes a source of that piece for other clients. This approach is especially beneficial in low-bandwidth scenarios or to prevent spikes in bandwidth usage. A ‘tracker’ server can be used to coordinate connections between clients, or the management layer can also be distributed. The tracker server never receives any data: all transfer is direct from device to device.

The protocol was also designed to recover easily from network failures or endpoint failures. Data transmission is resumed from the point of failure, and all data is verified upon receipt to prevent data corruption.

BitTorrent, Inc. builds solutions on top of the protocol to address issues where scalability, speed, cost, and data control are paramount. BitTorrent Sync has all the advantages of P2P and is used to manage and automate file workflows with secure, encrypted replication to thousands of endpoints.

Sync Builds on the BitTorrent Protocol

BitTorrent Sync introduces substantial improvements over the standard BitTorrent protocol. The primary BitTorrent P2P use case is downloading from multiple clients to one client over the WAN. With Sync, support was added for one-to-one and one-to-many distribution scenarios. In addition, the code was optimized to handle faster transfer speeds over LAN and WAN connections with high latency and some packet loss. With these enhancements, Sync is able to reach a speed of over 1 Gbit/s over LAN or WAN.

Deployment Example: Managing File-Transfers Across Remote Sites (using Sync IT)

In the following deployment example Sync IT is used to replicate and transfer 2 (huge) folders to 98 clients and 7 servers in 3 remote sites. In this example, clients in each group have different permissions, and file-transfer activity is configured independently, per group. Also, the WAN optimization feature is enabled only for certain sites, to solve latency and packet loss issues.

Figure: deployment diagram. Direct peer-to-peer connections over WAN (WAN optimized over a fat pipe) and over LAN; status & policy messages to/from the Management Server (NY).

Group name: SF office

• Clients: 2 servers & 18 laptops

• Has ‘read only’ access to “Resources”

• Profile: Custom (WAN optimization enabled)

Group name: Milano office

• Clients: 5 servers & 75 laptops

• Has ‘read only’ access to “Data” & “Resources”

• Profile: Custom (WAN optimization enabled)

• Activity Scheduler: Every day, 7PM-8AM

Group name: Greenland office

• Clients: 5 laptops

• Has ‘read & write’ access to “Data” & “Resources”

• Profile: Custom (Relay turned on)

• Activity Scheduler: Every day, 9PM-6AM

Page 10

File-Transfers using P2P Architecture

To move data, Sync establishes a direct connection between clients. By default, Sync will try to find other clients using LAN multicast search and by querying the tracker server. You can deploy your own tracker on private infrastructure. Once the clients of each folder learn the IP addresses of the other clients from the LAN search or the tracker, they contact them directly to establish a connection.

If that direct connection between clients fails, the relay server is used. From the data we have collected, Sync is very successful at establishing a direct connection, with more than 97% of all data transferred moving directly from client to client. Sync will leverage the full performance of a local network and doesn’t require any cloud upload or data movement to a central server.

Sync’s P2P architecture makes it ideal for moving data to distributed endpoints where connectivity or processing power may be an issue. Sync can recover when connections are dropped or interrupted, and P2P allows network channels between endpoints to reduce overall load. P2P is also ideal for transmission of data across unreliable WANs.

Sync’s architecture is lightweight and built on optimized C++ code designed for low CPU and memory usage. Improvements were made to the underlying BitTorrent P2P protocol to scale to millions of files and thousands of clients.

Peer Connection Diagram:

Figure: peer connections between Bob’s PC, Jack’s PC and Abigail’s PC, with four options shown. Option 1: P2P over LAN (direct connection). Option 2: NAT traversal via UPnP on the modem or router. Option 3: relay server. Option 4: direct connection, P2P over WAN.