Questions? syncbiz@getsync.com • 303 2nd Street, Suite S200, San Francisco, CA 94107
Introduction
Sync IT uses cryptographic security built on industry standards. The implementation uses the OpenSSL cryptographic libraries on Windows, Mac and Linux, as well as the cryptographic APIs provided by the operating system (Windows and OS X).
The Sync IT security model consists of:
• Mutual authentication and authorization of clients and servers
• Generation of one-time session encryption keys between clients
• Encryption of data in transit
• Data integrity validation
Key features
• Works inside your private infrastructure
• Uses industry standard crypto algorithms: AES 128-bit (AES 256-bit), SHA1 (SHA2)
• Uses SRP for session establishment, which gives forward secrecy
• Data integrity is based on SHA1 hashes and the Ed25519 signature algorithm
• Endpoint authentication and authorization over TLS
Session Encryption
Each Sync IT client receives a 160-bit (20-byte) private folder key from the Management Server. The key determines whether the client has read-write (RW key) or read-only (RO key) access to the folder, and a client must hold a folder key before it can open a session with other clients for that folder.
The client uses SRP with the folder key (RW or RO) to mutually authenticate the peers and to derive a session key for traffic encryption. The session key is unique to each client, folder and session. Because the SRP session key depends on ephemeral values chosen by both sides for that session, later compromise of a folder key does not reveal the keys of recorded sessions (forward secrecy).
Possession of the folder key is the authorization: any peer holding the RO key (or the RW key from which it is derived) can complete the SRP handshake for that folder, so folder keys should only ever be distributed through the Management Server.
Technical Review: Sync IT Security
Cross-Platform Support
Sync Clients:
• Mac OS X 10.8 or later
• Windows XP (SP2) or later (32/64-bit)
• Linux i386 (glibc 2.3)
• Linux x64 (glibc 2.3)
Management Server:
• Windows XP (SP2) or later (32/64-bit)
• Linux x64 (glibc 2.3)
Diagram: session key establishment. Bob's PC (RO key) and Jack's PC (RW key) run SRP using the Folder_ID and the RO key. The resulting 40 bytes of session key material are split into two 20-byte halves, and each half consists of a 16-byte AES-128 CTR session key and a 4-byte initial counter.
Data Integrity
A Sync IT client that holds the RW key can change the content of the folder. When it detects that a file has changed, it splits the file into blocks (32 KB or larger) and calculates a hash (SHA1 or SHA2) of each block as well as a hash over all of the file's blocks. The receiver uses the per-block hashes to verify that each block arrived without corruption, and the hash over all blocks to verify that the file was delivered completely. Only damaged blocks need to be retransmitted; the entire file is never resent.
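The block-hash scheme described above, as an added example that is not the product's own code: a file is cut into 32 KB blocks, each block is hashed with SHA1, the concatenated block hashes are hashed again as the whole-file digest, and the receiver compares hashes to find exactly which blocks to ask for again. The block size and the "hash of all block hashes" construction are assumptions about details the page does not spell out; the sample data is constructed.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
)

// BlockSize is the page's minimum block size (32 KB); larger sizes also work.
const BlockSize = 32 * 1024

// BlockHashes splits data into fixed-size blocks, hashes each block with SHA1
// and hashes the concatenation of the block hashes as the whole-file digest.
// ASSUMPTION: the page says "a hash of all of the file's blocks" without
// saying how; hashing the list of block hashes is one common way to do it.
func BlockHashes(data []byte, blockSize int) (blocks [][]byte, fileHash []byte) {
	all := sha1.New()
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		h := sha1.Sum(data[off:end])
		blocks = append(blocks, h[:])
		all.Write(h[:])
	}
	return blocks, all.Sum(nil)
}

// DamagedBlocks returns the indices of blocks in received whose SHA1 does not
// match the sender's list. Missing blocks (a truncated transfer) are also
// reported. Only these indices need to be retransmitted.
func DamagedBlocks(received []byte, expected [][]byte, blockSize int) []int {
	got, _ := BlockHashes(received, blockSize)
	var bad []int
	n := len(expected)
	if len(got) > n {
		n = len(got)
	}
	for i := 0; i < n; i++ {
		if i >= len(got) || i >= len(expected) || !bytes.Equal(got[i], expected[i]) {
			bad = append(bad, i)
		}
	}
	return bad
}

// FileComplete reports whether the whole-file digest of what was received
// matches the sender's, i.e. every block is present and intact.
func FileComplete(received []byte, expectedFileHash []byte, blockSize int) bool {
	_, fh := BlockHashes(received, blockSize)
	return bytes.Equal(fh, expectedFileHash)
}

func main() {
	// Constructed ~76 KB "file": three blocks, the last one partial.
	data := bytes.Repeat([]byte("sync-it-block-data-"), 4000)
	hashes, fileHash := BlockHashes(data, BlockSize)
	received := append([]byte(nil), data...)
	received[BlockSize+100] ^= 0xFF // flip one bit inside block 1
	fmt.Println("blocks:", len(hashes),
		"damaged:", DamagedBlocks(received, hashes, BlockSize),
		"complete:", FileComplete(received, fileHash, BlockSize))
}
```

The per-block hashes are what make partial retransmission possible; the whole-file digest is a cheap final check that nothing was skipped. Note that SHA1 here protects against corruption, not against a peer who deliberately sends wrong data: authenticity of the block list comes from the signed metadata described next.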
Directory information is carried as part of the folder metadata. Every piece of metadata is signed, and the signature is verified by all clients during synchronization.
The RO key is derived from the RW key using the Ed25519 key generation algorithm: the RW key seeds the Ed25519 key pair, and the RO key is derived from the resulting public key. The RW key is used to sign and to verify metadata; the RO key can only be used to verify it.
Sync IT clients that hold the RW key can modify folder metadata (add or change files) and sign the changes. This guarantees that changes to the folder can only be made by clients that have the RW key: a client with only the RO key can detect and reject unsigned or altered metadata but cannot produce a valid signature itself.
Data Is Encrypted In Transit
Sync IT clients use SRP to mutually authenticate and to derive 128-bit session keys for data transfer.
The Sync IT client uses AES-128 in CTR mode to encrypt all communication between clients, including the exchange of folder metadata, file data and control messages. CTR mode provides confidentiality only; the integrity of file data and metadata comes from the block hashes and Ed25519 signatures described above.
Encrypted packets are carried over persistent TCP or UDP connections.
The session keys are discarded when the connection between clients is terminated.
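The key split from the session-key diagram and the AES-128-CTR transport described in this section, as an added example that is not the product's own code. The SRP exchange itself is not shown; its 40-byte output is replaced by constructed bytes. Which 20-byte half is the send key and which the receive key, the byte order of the 4-byte initial counter, and how that counter is placed in the 16-byte AES counter block are all assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DirKey is one direction's key material: 16-byte AES-128 key + 4-byte
// initial counter, exactly the 20-byte split shown on the page's diagram.
type DirKey struct {
	Key     [16]byte
	Counter uint32
}

// SessionKeys holds both directions of one client-to-client session.
type SessionKeys struct {
	Send, Recv DirKey
}

func splitDirKey(b []byte) DirKey {
	var d DirKey
	copy(d.Key[:], b[:16])
	d.Counter = binary.BigEndian.Uint32(b[16:20]) // ASSUMPTION: big-endian counter
	return d
}

// SplitSessionKeys carves the 40 bytes of SRP session key into the two
// per-direction keys. ASSUMPTION: the initiator sends with the first half and
// receives with the second; the responder mirrors that, so the two peers
// never encrypt in both directions under the same key and counter.
func SplitSessionKeys(srpKey []byte, initiator bool) (SessionKeys, error) {
	if len(srpKey) != 40 {
		return SessionKeys{}, fmt.Errorf("need 40 bytes of session key material, got %d", len(srpKey))
	}
	a, b := splitDirKey(srpKey[:20]), splitDirKey(srpKey[20:])
	if initiator {
		return SessionKeys{Send: a, Recv: b}, nil
	}
	return SessionKeys{Send: b, Recv: a}, nil
}

// NewCTRStream builds an AES-128-CTR keystream starting at the initial
// counter. ASSUMPTION: the 4-byte counter occupies the low-order bytes of the
// 16-byte counter block and the remaining bytes are zero.
func NewCTRStream(d DirKey) (cipher.Stream, error) {
	blk, err := aes.NewCipher(d.Key[:])
	if err != nil {
		return nil, err
	}
	var iv [aes.BlockSize]byte
	binary.BigEndian.PutUint32(iv[12:], d.Counter)
	return cipher.NewCTR(blk, iv[:]), nil
}

// Session is one persistent connection. The streams live as long as the
// connection does and are discarded with it, as the page describes.
type Session struct {
	enc, dec cipher.Stream
}

func NewSession(k SessionKeys) (*Session, error) {
	enc, err := NewCTRStream(k.Send)
	if err != nil {
		return nil, err
	}
	dec, err := NewCTRStream(k.Recv)
	if err != nil {
		return nil, err
	}
	return &Session{enc: enc, dec: dec}, nil
}

// Encrypt consumes keystream, so consecutive messages never reuse counter
// values. Building a fresh stream per message would repeat the keystream,
// which in CTR mode leaks the XOR of the plaintexts.
func (s *Session) Encrypt(plain []byte) []byte {
	out := make([]byte, len(plain))
	s.enc.XORKeyStream(out, plain)
	return out
}

// Decrypt is the same XOR on the receive stream. CTR gives no integrity:
// a flipped ciphertext bit flips the same plaintext bit undetected here.
func (s *Session) Decrypt(ct []byte) []byte {
	out := make([]byte, len(ct))
	s.dec.XORKeyStream(out, ct)
	return out
}

func main() {
	srp := make([]byte, 40) // constructed stand-in for the SRP output
	for i := range srp {
		srp[i] = byte(0xA5 ^ i*13)
	}
	ik, _ := SplitSessionKeys(srp, true)
	rk, _ := SplitSessionKeys(srp, false)
	a, _ := NewSession(ik)
	b, _ := NewSession(rk)
	ct := a.Encrypt([]byte("meta: /docs/a.txt 32768 bytes"))
	fmt.Println("ciphertext:", hex.EncodeToString(ct))
	fmt.Println("decrypted: ", string(b.Decrypt(ct)))
}
```

The two things worth taking from this are the mirrored direction keys (each side sends under one half and receives under the other) and the single long-lived stream per direction; both are what stop CTR mode from reusing a counter, which is its one fatal failure mode.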
Client Authentication
Sync IT clients communicate with the Management Server over TLS, so all client-server traffic is encrypted with industry standard encryption.
A client must authenticate to the Management Server before it can connect and communicate with it. This is done by bootstrapping the client with a 20-byte bootstrap token that has a limited time to live. The bootstrap token is generated by the server, which can change or revoke it at any time, and every new Sync client must present a valid bootstrap token to establish its first connection to the server. The bootstrap token is supplied to the client through its configuration file during installation, so that file must be protected like any other credential.
Once the client has authenticated with a valid bootstrap token, the server issues it a unique 20-byte client token, which the client presents on subsequent connections to the server. The client validates the server's identity by checking the server certificate fingerprint during the TLS handshake; the expected fingerprint is part of the client configuration.
Sync IT clients mutually authenticate before any data is sent, and data transfers only happen between clients that the server has authorized to do so.
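The server-side half of the check described above, the client pinning the Management Server's certificate fingerprint from its configuration, as an added example that is not the product's own code. The page does not name the hash used for the fingerprint, so SHA-256 over the DER certificate is assumed; the self-signed certificate is generated only so the check can be exercised offline, and the TLS 1.2 floor is a hardening choice of this example rather than the page's stated setting (the page says TLS 1.0-1.2).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint is SHA-256 over the DER-encoded certificate, hex encoded.
// ASSUMPTION: the page says "certificate fingerprint" without naming the hash.
func Fingerprint(der []byte) string {
	s := sha256.Sum256(der)
	return hex.EncodeToString(s[:])
}

// normalize accepts "AB:CD:..." or "abcd..." as typically found in config files.
func normalize(fp string) string {
	return strings.ToLower(strings.ReplaceAll(fp, ":", ""))
}

// VerifyPinned returns the VerifyPeerCertificate callback: it compares the
// leaf certificate the server presented with the pinned fingerprint.
func VerifyPinned(pinned string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	want := normalize(pinned)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("server presented no certificate")
		}
		got := Fingerprint(rawCerts[0])
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			return fmt.Errorf("server certificate fingerprint %s does not match pinned %s", got, want)
		}
		return nil
	}
}

// PinnedTLSConfig skips chain building against the system roots (the
// management server's certificate is pinned, not issued by a public CA) but
// keeps verification: InsecureSkipVerify without VerifyPeerCertificate would
// accept any certificate at all, which is the classic pinning mistake.
func PinnedTLSConfig(pinned string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12, // example's hardening floor, not the page's setting
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: VerifyPinned(pinned),
	}
}

// SelfSignedDER makes a throwaway certificate so the check can run offline.
// A real deployment pins the management server's actual certificate.
func SelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedDER("sync-management-server")
	if err != nil {
		panic(err)
	}
	cfg := PinnedTLSConfig(Fingerprint(der)) // in practice: the fingerprint from client config
	fmt.Println("pinned cert accepted:", cfg.VerifyPeerCertificate([][]byte{der}, nil) == nil)
	other, _ := SelfSignedDER("sync-management-server")
	fmt.Println("other cert accepted: ", cfg.VerifyPeerCertificate([][]byte{other}, nil) == nil)
}
```

In a client, `cfg` would be passed to `tls.Dial("tcp", server+":8444", cfg)`; the callback runs during the handshake and aborts it on mismatch, before the bootstrap or client token is ever sent. Note that the second certificate has the same CommonName and is rejected anyway: pinning binds to the exact certificate, not to the name.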
Public & Private Keys
Diagram: key derivation. The RW key is the seed for Ed25519 key generation; the RO key is SHA1 of the resulting Ed25519 public key; the Folder_ID is SHA1 of the RO key.
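The key hierarchy in the diagram and the signing rules from the Data Integrity section, as an added example that is not the product's own code. Two details are assumptions because the page does not state them: how the 20-byte RW key is stretched to the 32-byte seed Ed25519 requires (SHA-256 is used here), and that a writer ships its Ed25519 public key alongside the signed metadata so that a read-only peer, which holds only SHA1 of that key, can check it. The RW key value is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// FolderKeys is everything a peer can derive from the 20-byte RW key.
type FolderKeys struct {
	RW       []byte // 160-bit read-write key: the root secret for the folder
	Priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	RO       []byte // SHA1(Ed25519 public key), 20 bytes
	FolderID []byte // SHA1(RO key), 20 bytes
}

// seedFromRW expands the 20-byte RW key into the 32-byte seed Ed25519 needs.
// ASSUMPTION: the page only says "Seed = RW Key" and does not say how a
// 160-bit key becomes a 256-bit seed; SHA-256 is used here for illustration.
func seedFromRW(rw []byte) []byte {
	s := sha256.Sum256(rw)
	return s[:]
}

// DeriveFolderKeys walks the hierarchy shown in the diagram:
// RW key -> Ed25519 key pair -> RO key = SHA1(pub) -> Folder_ID = SHA1(RO).
func DeriveFolderKeys(rw []byte) (*FolderKeys, error) {
	if len(rw) != 20 {
		return nil, fmt.Errorf("RW key must be 20 bytes, got %d", len(rw))
	}
	priv := ed25519.NewKeyFromSeed(seedFromRW(rw))
	pub := priv.Public().(ed25519.PublicKey)
	ro := sha1.Sum(pub)
	fid := sha1.Sum(ro[:])
	return &FolderKeys{RW: rw, Priv: priv, Pub: pub, RO: ro[:], FolderID: fid[:]}, nil
}

// SignedMeta is one piece of folder metadata as a writer publishes it.
// ASSUMPTION: the writer's public key travels with the metadata, since a
// read-only peer holds only SHA1(pub) and needs the key itself to verify.
type SignedMeta struct {
	Meta []byte
	Pub  ed25519.PublicKey
	Sig  []byte
}

// SignMeta is what an RW-key holder does before announcing a change.
func SignMeta(k *FolderKeys, meta []byte) SignedMeta {
	return SignedMeta{Meta: meta, Pub: k.Pub, Sig: ed25519.Sign(k.Priv, meta)}
}

// VerifyMeta is what an RO-key holder does: first check that the shipped
// public key is the one its RO key commits to, then check the signature.
// Without the first check any key pair could sign "valid" metadata.
func VerifyMeta(roKey []byte, m SignedMeta) bool {
	if len(m.Pub) != ed25519.PublicKeySize {
		return false
	}
	h := sha1.Sum(m.Pub)
	if !bytes.Equal(h[:], roKey) {
		return false
	}
	return ed25519.Verify(m.Pub, m.Meta, m.Sig)
}

func main() {
	rw := []byte("0123456789abcdefghij") // constructed 20-byte RW key, not a real one
	k, err := DeriveFolderKeys(rw)
	if err != nil {
		panic(err)
	}
	fmt.Println("RO key:   ", hex.EncodeToString(k.RO))
	fmt.Println("Folder_ID:", hex.EncodeToString(k.FolderID))
	m := SignMeta(k, []byte("dir=/docs;file=a.txt;size=32768"))
	fmt.Println("verified by RO holder:", VerifyMeta(k.RO, m))
	m.Meta = []byte("dir=/docs;file=a.txt;size=1")
	fmt.Println("tampered metadata accepted:", VerifyMeta(k.RO, m))
}
```

The derivation is one-way at each step: an RO holder can compute the Folder_ID (needed to find peers) but not the RW key, and the Folder_ID alone reveals neither key. That is what lets the Folder_ID be sent to a tracker while the RO key stays the read authorization and the RW key stays the write authorization.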
Networking
The Sync client performs the following network activities:
• Communication between clients over TCP and UDP
• Communication with the tracker over TCP and UDP
• Search for local peers using multicast UDP packets
• Communication with the management server over TCP
Client listening sockets:
• A TCP socket for incoming TCP connections on a random port in the range 10000-65535, or another value set in the configuration. It is bound to all network interfaces.
• A UDP socket for incoming and outgoing UDP communication, bound to all network interfaces. It uses the same port number as the TCP socket.
• A UDP socket on every network interface, bound to the local-scope multicast address 239.192.0.0 on port 3838, to listen for LAN discovery packets.
Server listening sockets:
• A TCP socket for the management UI over HTTPS (default 8443)
• A TCP socket for managing Sync clients (default 8444)
• A TCP socket for receiving audit and debug logs from clients (default 8445)
For communication with the tracker the Sync client uses both TCP and UDP. If both connections succeed, Sync prefers UDP, because a UDP connection lets the tracker see the actual outgoing UDP port used for communication; that port is reported to other peers and used for NAT traversal. Sync clients connect to the tracker on start-up and keep a persistent connection. When a new client comes online, the tracker notifies the already connected clients of the new client's address.
To search the LAN for other clients with the same folder, Sync sends UDP packets to the multicast address 239.192.0.0:3838. Other clients on the LAN that have the same folder reply to the sender of the multicast packets.
Every Sync client keeps a list of the clients that have the same folder and maintains persistent connections to each of them. When a change occurs on any client, it notifies all other connected clients, which triggers synchronization. For communication between clients Sync uses both TCP and UDP, preferring TCP for LAN connections and UDP for WAN connections. The custom TCP-like protocol over UDP allows congestion control to be adjusted to network conditions and allows connections to be established to clients behind NAT.
For communication with the management server Sync clients use TLS 1.0-1.2 (depending on what the client supports) over TCP. Every Sync client keeps a persistent connection to the management port (default 8444), which is used to fetch configuration and report status. A client may also open a connection on demand to the log upload port (default 8445) to send audit or debug logs to the server.
Private Infrastructure
Sync IT can run completely within private infrastructure. It does not require any external web services or other resources to deploy policies or to transfer data between clients. Sync IT clients use multicast to find other clients that have the same folder, and a private tracker can be deployed on-prem to enable client discovery across networks where multicast is blocked or unavailable.
The private tracker keeps information about all clients that share the same folder. Each Sync IT client reports the list of folders it has to the tracker and receives a list of the other peers that have the same folders. This way peers can find each other and establish connections without using multicast.
Client Security
The Sync IT client is a single binary with no dependencies on external libraries or frameworks. This significantly simplifies client installation and gives an easy upgrade path for endpoint systems.
The Sync IT client uses a limited number of ports for all communication with other machines and the management server, which keeps firewall rule configuration simple for all devices inside your network.
The Sync IT client does not require administrative privileges to run. It can run in a sandboxed environment or under a user with limited permissions.
Security Review
The Sync IT security design and implementation were reviewed by a third-party security auditor.
Introduction
Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations, and it excels when that data needs to be moved across unreliable or high-latency networks. Built on the same peer-to-peer (P2P) protocol powering Sync, Sync IT is designed to power high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files.
The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance. Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1 Gbit/s over WAN or LAN. On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.
Product Datasheet
Key Features
Performance
• The peer-to-peer protocol allows each client to act as a file server for the others, giving shared access to files without a central server. This reduces costs, saves time and bandwidth, and improves reliability.
• Clients do not need a whole file to participate in transmission: a single 4K block is sufficient.
• The unique Micro Transport Protocol (μTP2) overcomes the bottlenecks of conventional synchronization tools such as rsync. rsync defaults to quite large block sizes when the files being transferred are large, which tends to result in inefficient data transfer. Sync and μTP2 scale for maximum replication speed.
Security
• Managed and automated file workflows with encrypted transfers
• Files move directly between clients; no data lives in the cloud
• Sync IT is an on-premise solution: data stays only on your devices, so all data remains private
• There are no passwords to be compromised: all security is cryptographic
• AES 128-bit encryption, forward secrecy, SSL certificates
Central Management
• Distribute and manage data significantly faster and more securely than with FTP or HTTP
• The central management console allows complete control of all Sync instances in the environment
• The dashboard monitors the deployments and the status of clients and devices
• Set up individual or group-policy-based synchronizations
• The scheduler allows data to be moved at times of low load
• Uni-directional transfers to client machines are initiated without client intervention (headless clients)
Scalability
• Sync IT is optimized and scalable to thousands of clients, 1M+ files, and 1 Gbit/s over WAN and LAN networks
• Smart logic behind the peer-to-peer network eliminates the need to control every link between clients
• Simply assign clients to groups in order to create an effective data-distribution system inside your organization (optimized for scalability and performance, while requiring minimal effort to support and manage)
Network Management
• Works seamlessly across networks, VPNs, and firewalls
• Clients make a portion of their resources, such as processing power, disk storage or network bandwidth, directly available to other clients, without the need for central coordination by servers or stable hosts
• The decentralized nature of P2P networks increases robustness because it removes the single point of failure that is inherent in a client-server system
• Ability to schedule transfers and throttle network usage
System Requirements
Management Server:
• Windows 7 or later (32/64-bit)
• Linux i386 (glibc 2.3), Linux x64 (glibc 2.3)
Sync Clients:
• Mac OS X 10.8 or later
• Windows XP SP3 or later (32/64-bit)
• Linux i386 (glibc 2.3), Linux x64 (glibc 2.3)
Sync IT Overview
Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations and across unreliable or high-latency networks. Built on the same peer-to-peer (P2P) protocol powering BitTorrent Sync, Sync IT is designed to power high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files.
The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance.
• Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1 Gbit/s over WAN or LAN.
• On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.
Technical Review: WAN Optimization
WAN Optimization Technology
The μTP2 protocol architecture is based on a bulk transfer strategy: the sender transmits packets periodically with a fixed inter-packet delay, so that packets are distributed uniformly in time, and uses a congestion control algorithm to calculate the ideal send rate. There is no acknowledgment for every packet; instead the protocol uses an interval acknowledgment for a group of packets, carrying additional information about which packets were lost. These acknowledgments, combined with periodic RTT (round-trip time) probing, give the congestion control algorithm the information it needs to calculate the new sending rate. The protocol uses a delayed retransmission strategy: a lost packet is retransmitted once per RTT, which avoids unnecessary retransmissions.
Use Cases
• Easily deploy the Management Server and headless clients across multiple sites, and over any infrastructure
• Manage file distribution from a dedicated source to remote headless clients over LAN or WAN, using a centralized management console
• Manage data replication between multiple groups of servers, across multiple sites
• Back up data from remote sites to a single or multiple backup destinations
• Automate file replication workflows and remotely manage and schedule client activity and overall bandwidth consumption
Max. up/down rate: up to 1 Gbit/s
Security
Sync IT uses industry standard security
approaches:
• AES 128-bit encryption
• Forward secrecy
• SSL certificates
All algorithms and code were reviewed
by a 3rd party security auditor.
Max. speeds over WAN: regardless of distance and at up to 5% packet loss.
Diagram: direct peer-to-peer connection between sender and receiver. The sender does not wait for a confirmation of every packet before sending the next one; a confirmation is returned only for groups of packets, with additional information about the specific lost packets that need to be retransmitted.
Client-Server Networking Has Limitations
Many data transfer protocols are built on a client-server model. The most popular is FTP (File Transfer Protocol), in which a server holds files and authenticates the client or end-user accessing them. The first FTP client applications were developed as command-line programs before modern user interfaces existed, and they are still shipped with most Windows, Linux, and Unix operating systems. There are thousands of applications built on top of FTP for data transfer. FTP set the standard for data transmission for many years, but it was not designed for the file sizes or infrastructure needs of the modern internet.
The client-server model requires all data to be transferred directly from server to client, which is inefficient from a bandwidth perspective and problematic from an availability and reliability standpoint.
Peer-to-Peer Architecture Has Advantages
In contrast, peer-to-peer (P2P) networking is a distributed application architecture that connects distributed peers (also referred to as clients or endpoints) together. Peers share a portion of their resources (bandwidth, storage, or processing power) with the other participants in the network without the need for central coordination or administration.
Files being transferred are broken into smaller segments called pieces, and each peer is able to transfer pieces to another peer. In this way, much of the network load of sharing the data is offloaded to the peers. The distributed P2P model has significant advantages in terms of resource allocation, especially when it comes to handling large amounts of data. P2P transfer saves time, cost and bandwidth and improves resilience and reliability.
Technical Review: P2P Technology
Side notes
• BitTorrent is a protocol for P2P file sharing that was invented by Bram Cohen in 2001
• The protocol is open source and is one of the most common technical protocols for transferring large files
• Blizzard Entertainment distributes large game updates using the P2P protocol
• Facebook and Twitter use the P2P protocol to distribute software updates to their servers across the world
Diagram: client-server model versus peer-to-peer model. In the client-server model, workstations (RO) upload and download all data through a central server (RW). In the peer-to-peer model, servers and workstations holding RW or RO keys exchange data directly with each other.
The BitTorrent Protocol
The protocol was built to reduce the network impact of distributing large files.
Rather than downloading a file from a central server, the protocol allows a group of clients to upload and/or download data from each other simultaneously. As each client receives a piece of the file, it becomes a source of that piece for other clients. This approach is especially beneficial in low-bandwidth scenarios or to prevent spikes in bandwidth usage. A 'tracker' server can be used to coordinate connections between clients, or the management layer can itself be distributed. The tracker server never receives any data: all transfer is direct from device to device.
The protocol was also designed to recover easily from network or endpoint failures. Data transmission resumes from the point of failure, and all data is verified on receipt to prevent data corruption.
BitTorrent, Inc. builds solutions on top of the protocol to address problems where scalability, speed, cost, and data control are paramount. BitTorrent Sync has all the advantages of P2P and is used to manage and automate file workflows with secure, encrypted replication to thousands of endpoints.
Sync Builds on the BitTorrent Protocol
BitTorrent Sync introduces substantial improvements over the standard BitTorrent protocol. The primary BitTorrent P2P use case is downloading from multiple clients to one client over the WAN. Sync added support for one-to-one and one-to-many distribution scenarios. In addition, the code was optimized for faster transfer speeds over LAN and over WAN connections with high latency and some packet loss. With these enhancements, Sync is able to reach speeds of over 1 Gbit/s over LAN or WAN.
Deployment Example: Managing File Transfers Across Remote Sites (using Sync IT)
In the following deployment example Sync IT is used to replicate and transfer two large folders to 98 clients and 7 servers in 3 remote sites. Clients in each group have different permissions, and file-transfer activity is configured independently per group. The WAN optimization feature is enabled only for certain sites, to address latency and packet loss.
Diagram legend: direct peer-to-peer connections over WAN (WAN optimized over a fat pipe); direct peer-to-peer connections over LAN; status and policy messages to and from the Management Server (NY).
Group name: SF office
• Clients: 2 servers & 18 laptops
• Has 'read only' access to "Resources"
• Profile: Custom (WAN optimization enabled)
Group name: Milano office
• Clients: 5 servers & 75 laptops
• Has 'read only' access to "Data" & "Resources"
• Profile: Custom (WAN optimization enabled)
• Activity Scheduler: Every day, 7PM-8AM
Group name: Greenland office
• Clients: 5 laptops
• Has 'read & write' access to "Data" & "Resources"
• Profile: Custom (Relay turned on)
• Activity Scheduler: Every day, 9PM-6AM
File Transfers using P2P Architecture
To move data, Sync establishes a direct connection between clients. By default, Sync tries to find other clients using LAN multicast search and by querying the tracker server; you can deploy your own tracker on private infrastructure. Once the clients of a folder learn the IP addresses of the other clients from the LAN search or the tracker, they contact them directly to establish a connection.
If a direct connection between clients fails, the relay server is used. From the data we have collected, Sync is very successful at establishing direct connections: more than 97% of all data transferred moves directly from client to client. Sync leverages the full performance of a local network and does not require any cloud upload or data movement to a central server.
Sync's P2P architecture makes it ideal for moving data to distributed endpoints where connectivity or processing power may be an issue. Sync recovers when connections are dropped or interrupted, and P2P allows the network channels between endpoints to share the overall load. P2P is also ideal for transmitting data across unreliable WANs.
Sync's architecture is lightweight and built on optimized C++ code designed for low CPU and memory usage. Improvements were made to the underlying BitTorrent P2P protocol to scale to millions of files and thousands of clients.
Peer Connection Diagram: Bob's PC, Jack's PC and Abigail's PC connect to each other, P2P over WAN or over LAN, through one of four options: Option 1, NAT traversal; Option 2, UPnP via the modem or router; Option 3, a relay server; Option 4, a direct connection.

 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocol
 
MTCNA Show.pptx
MTCNA Show.pptxMTCNA Show.pptx
MTCNA Show.pptx
 
Byte Ordering - Unit 2.pptx
Byte Ordering - Unit 2.pptxByte Ordering - Unit 2.pptx
Byte Ordering - Unit 2.pptx
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Protocols in computer network
Protocols in computer network   Protocols in computer network
Protocols in computer network
 
Remote access service
Remote access serviceRemote access service
Remote access service
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 9
 

Enterprise Sync IT Data Sheets

1. Technical Review: Sync IT Security
Questions? syncbiz@getsync.com • 303 2nd Street, Suite S200, San Francisco, CA 94107

Introduction
Sync IT uses cryptographic security that is built on industry standards. The implementation leverages OpenSSL cryptographic libraries on Windows, Mac and Linux, as well as OS-provided cryptographic APIs (Windows and OS X).

The Sync IT security model consists of:
• Mutual authentication and authorization of clients and servers
• Generation of one-time session encryption keys between clients
• Data in transit encryption
• Data integrity validation

Key features
• Works inside your private infrastructure
• Uses industry standard crypto algorithms: AES 128-bit (AES 256-bit), SHA1 (SHA2)
• Incorporates SRP for session establishment and forward secrecy
• Data integrity is based on the SHA1 and ED25519 signature algorithm
• Endpoint authentication and authorization over TLS

Cross-Platform Support
Sync Clients:
• Mac OS X 10.8 Lion or later
• Windows XP (SP2) or later (32/64-bit)
• Linux i386 & i386 (glibc 2.3)
• Linux x64 & x64 (glibc 2.3)
Management Server:
• Windows XP (SP2) or later (32/64-bit)
• Linux x64 & x64 (glibc 2.3)

Session Encryption
The Sync IT clients receive a 160-bit (20-byte) private folder key from the Management Server. The private key indicates whether the client has read-write (RW key) or read-only (RO key) access to a folder. The client must have a folder private key before it can initiate a session with other clients.

The Sync IT client uses SRP with the folder private key (RW key or RO key) to mutually authenticate clients and to generate a session key for traffic encryption. The transfer key is unique to each client, folder and session. The use of SRP for session key generation ensures perfect forward secrecy.

[Figure: session key establishment between Bob’s PC (RO Key) and Jack’s PC (RW Key). SRP runs over Folder_ID & RO Key (40 bytes: 20 bytes + 20 bytes) and yields a 20-byte Session Key for AES CTR (128), split into 16 bytes: Session Key and 4 bytes: Initial Counter.]
2. Data Integrity
The Sync IT client that has the RW key can change the content of the folder. It detects when the content of a file is changed, then splits the file into blocks (32KB or more) and calculates the hash (SHA1 or SHA2) of each block as well as a hash of all of the file’s blocks. This information is used to verify that a received block has arrived without corruption. The receiver can also verify that the file is fully delivered by calculating the hash of all of the file’s blocks. Only the damaged blocks need to be retransmitted, without resending the entire file.

Information about the directory is passed as part of the folder meta information. Every piece of metadata is signed, and the signature is verified by all clients during synchronization. The RO key is derived from the RW key using the ED25519 key generation algorithm. The RW key is used to sign and to verify meta information; the RO key can be used only to verify meta information. Sync IT clients that have the RW key can modify folder meta information (add/change files) and sign the changes. This guarantees that changes to the folder can only be made by clients that have the RW key.

Data Is Encrypted In Transit
Sync IT clients use SRP to mutually authenticate clients and to generate 128-bit session keys for data transfer. The Sync IT client uses AES 128-bit in CTR mode to encrypt all communication between clients. This includes the exchange of folder meta information, actual file data and control messages. The Sync IT client uses persistent connections over TCP or UDP to transfer the encrypted packets. The session keys are discarded when the connection between clients is terminated.

Client Authentication
Sync IT clients use TLS to communicate with the server, so all client-server communication is encrypted using industry standard encryption. The Sync IT client must be authenticated against the Management Server to connect and communicate with it. This is achieved by bootstrapping a Sync client with a bootstrap token (20 bytes) with a limited time to live. The bootstrap token is generated by the server, and the server can change or revoke it at any time. Each new Sync client must provide a valid bootstrap token to establish a connection to the server. The bootstrap token is supplied to the Sync client through the client configuration file during installation. Once the client is authenticated with a valid bootstrap token, the server issues a unique client token (20 bytes) that the client must provide when connecting to the server.

The client validates the server’s authenticity by checking the server certificate fingerprint during the TLS handshake. The server certificate fingerprint is part of the client configuration. Sync IT clients mutually authenticate before any data is sent. Data transfers only happen between clients that were authorized by the server to do so.

[Figure: Public & Private Keys. Labels: RW Key; ED25519 (Seed = RW Key); SHA1 (Public Key) → RO Key; SHA1 (RO Key) → Folder_ID.]
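The RW/RO key hierarchy, signed folder metadata and per-block hashing described on this slide, as an added example in Go that is not part of the data sheet or of the Sync IT product. The Ed25519 seed expansion (SHA-256 of the 20-byte RW key), the arrow direction read off the diagram (RO = SHA1(public key), Folder_ID = SHA1(RO)), the flat metadata layout and the sample file are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

const BlockSize = 32 * 1024 // 32KB blocks, as on the data sheet

// FolderKeys is the hierarchy read off the "Public & Private Keys" diagram (arrow
// direction assumed): RW key -> Ed25519 seed -> public key; RO = SHA1(pub); Folder_ID = SHA1(RO).
type FolderKeys struct {
	Priv         ed25519.PrivateKey // only RW-key holders have this
	Pub          ed25519.PublicKey
	RO, FolderID []byte // 20 bytes each
}
// DeriveKeys builds the hierarchy from a 20-byte RW key. Ed25519 needs a 32-byte seed and
// the sheet does not say how the key is expanded, so SHA-256(RW key) is an ASSUMPTION here.
func DeriveKeys(rwKey []byte) (*FolderKeys, error) {
	if len(rwKey) != 20 {
		return nil, fmt.Errorf("RW key must be 20 bytes, got %d", len(rwKey))
	}
	seed := sha256.Sum256(rwKey)
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	ro := sha1.Sum(pub)
	fid := sha1.Sum(ro[:])
	return &FolderKeys{Priv: priv, Pub: pub, RO: ro[:], FolderID: fid[:]}, nil
}
// BlockHashes splits a file into BlockSize blocks and returns each block's SHA1.
func BlockHashes(data []byte) (blocks [][20]byte) {
	for off := 0; off < len(data); off += BlockSize {
		end := off + BlockSize
		if end > len(data) {
			end = len(data)
		}
		blocks = append(blocks, sha1.Sum(data[off:end]))
	}
	return blocks
}
// Meta flattens the block-hash list: a constructed stand-in for the sheet's folder
// meta information (real layout not given). SHA1(Meta) is the whole-file hash.
func Meta(blocks [][20]byte) []byte {
	var m []byte
	for _, b := range blocks {
		m = append(m, b[:]...)
	}
	return m
}
// SignMeta: only a holder of the RW key (hence the private key) can sign.
func SignMeta(k *FolderKeys, meta []byte) []byte { return ed25519.Sign(k.Priv, meta) }
// VerifyMeta is the RO-key holder's check: the public key it received must hash
// to its RO key, and the RW holder's signature over meta must be valid.
func VerifyMeta(roKey []byte, pub ed25519.PublicKey, meta, sig []byte) bool {
	roCheck := sha1.Sum(pub)
	if !bytes.Equal(roCheck[:], roKey) {
		return false // public key does not belong to this folder
	}
	return ed25519.Verify(pub, meta, sig)
}
// DamagedBlocks compares received data with the signed per-block hashes and
// returns the indices to retransmit (only those blocks, not the whole file).
func DamagedBlocks(received []byte, expected [][20]byte) []int {
	got := BlockHashes(received)
	var bad []int
	for i := range expected {
		if i >= len(got) || got[i] != expected[i] {
			bad = append(bad, i)
		}
	}
	return bad
}
func main() {
	keys, _ := DeriveKeys(bytes.Repeat([]byte{0x42}, 20)) // constructed RW key
	file := bytes.Repeat([]byte("sync-it-block-"), 5000)   // ~70KB -> 3 blocks
	blocks := BlockHashes(file)
	sig := SignMeta(keys, Meta(blocks))
	file[BlockSize+7] ^= 0xff // corrupt one byte inside block 1 in transit
	fmt.Printf("Folder_ID=%x signed-meta-ok=%v retransmit=%v\n", keys.FolderID,
		VerifyMeta(keys.RO, keys.Pub, Meta(blocks), sig), DamagedBlocks(file, blocks)) // ... true [1]
}
```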
3. Networking
The Sync client performs the following network activities:
• Communication between clients over TCP and UDP
• Communication with the tracker over TCP and UDP
• Search for local peers using multicast UDP packets
• Communication with the management server over TCP

Client listening sockets:
• TCP socket for incoming TCP connections on a random port in the range 10000-65536, or another value set in the configuration. It is bound to all network interfaces.
• UDP socket for incoming and outgoing UDP communication, bound to all network interfaces. It uses the same port as the TCP socket.
• UDP socket for every network interface, bound to the local-scope multicast address 239.192.0.0 on port 3838 to listen for LAN discovery packets.

Server listening sockets:
• TCP socket for the management UI over https (default is 8443)
• TCP socket for managing Sync clients (default is 8444)
• TCP socket for receiving audit and debug logs from clients (default is 8445)

For communication with the tracker the Sync client uses TCP and UDP. If both connections succeed, Sync prefers UDP. The UDP connection allows the tracker to see the actual outgoing UDP port used for communication. This port is reported to other peers and used for NAT traversal. Sync clients connect to the tracker on start and keep a persistent connection. When a new client comes online, the tracker sends a notification with the address of the new client to the clients already connected.

To search the LAN for other clients with the same folder, Sync sends UDP packets to the multicast address 239.192.0.0:3838. If there are other clients on the LAN with the same folder, they reply to the sender of the multicast packets.

Every Sync client has a list of clients having the same folder. Sync keeps persistent connections to every client from this list. When any change occurs on any client, it notifies all other connected clients, and this triggers synchronization.

For communication between clients Sync uses both TCP and UDP. Sync prefers TCP for LAN connections and UDP for WAN connections. Using a custom TCP-like protocol over UDP allows congestion control to be adjusted to network conditions and allows connections to be established to other clients behind NAT.

For communication with the management server Sync clients use TLS 1.0 - 1.2 (depending on what the client supports) over TCP. Every Sync client keeps a persistent connection to the management port (default is 8444), which is used to get configuration and report status. The client may also open a connection on demand to the log uploading port (default 8445) to send audit or debug logs to the server.

Private Infrastructure
Sync IT provides the ability to run completely within private infrastructure. It doesn’t require any external web services or other resources to deploy policies and transfer data between clients. Sync IT clients use multicast to find other clients that have the same folder. In addition, a private tracker is deployed on-prem to enable client discovery over networks where multicast is blocked or not available. The private tracker keeps information about all the clients that share the same folder. The Sync IT client reports to the tracker the list of folders that it has and receives a list of other peers that have the same folders. This way peers can find each other and establish connections without using multicast.
4. Client Security
The Sync IT client is a single binary that has no dependencies on external libraries and frameworks. This significantly simplifies client installation and gives an easy upgrade path for endpoint systems.

The Sync IT client uses a limited number of ports for all communication with other machines and the management server. This makes firewall rule configuration extremely easy for all devices inside your network.

The Sync IT client doesn’t require any administrative privileges to run. It can run in a sandboxed environment or under a user with limited permissions.

Security Review
The Sync IT security design and implementation was reviewed by a 3rd party security auditor.
5. Product Datasheet
Introduction
Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations, and it excels when that data needs to be moved across unreliable or high latency networks. Built on the same peer-to-peer (P2P) protocol powering Sync, Sync IT is designed to empower high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files. The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance. Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1 Gbit/s over WAN or LAN. On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.

Key Features
Performance
• Peer-to-Peer protocol allows each client to act as a file server for others, allowing shared access to files without a central server. This reduces costs, saves time and bandwidth and improves reliability
• Clients don’t need a whole file to participate in transmission: a single 4K block is sufficient
• The unique Micro Transport Protocol (μTP2) overcomes the bottlenecks of conventional synchronization tools like rsync. rsync defaults to quite large block sizes if the data files being transferred are large, which tends to result in inefficient data transfer. Sync and μTP2 scale for maximum replication speed.

Security
• Managed and automated file workflows with encrypted transfers
• Files move directly between clients: no data lives in the cloud
• Sync IT is an on-premise solution: data stays only on your devices, so all data remains private
• There are no passwords to be compromised: all security is cryptographic
• AES 128-bit encryption, Forward secrecy, SSL certificates
6. Central Management
• Distribute & manage data, significantly faster and more securely than FTP or HTTP
• Central management console allows for complete control of all Sync instances in the environment
• Dashboard monitors the deployments and status of clients and devices
• Set up individual or group policy based synchronizations
• Scheduler allows moving data at times of low load
• Uni-directional transfers to client machines initiated without client intervention (headless clients)

Scalability
• Sync IT is optimized and scalable to thousands of clients, 1M+ files, 1 Gbit/s over WAN and LAN networks
• Smart logic behind peer to peer networks, eliminating the need to control every link between clients
• Simply assign clients to groups in order to create an effective data-distribution system inside your organization (optimized for scalability and performance, while requiring minimum effort to support and manage it)

Network Management
• Works seamlessly across networks, VPNs, and firewalls
• Clients make a portion of their resources, such as processing power, disk storage or network bandwidth, directly available to other clients, without the need for central coordination by servers or stable hosts
• The decentralized nature of P2P networks increases robustness because it removes the single point of failure that can be inherent in a client-server based system
• Ability to schedule transfers and throttle network usage

System Requirements
Management Server:
• Windows 7 or later (32/64-bit)
• Linux i386 & i386 (glibc 2.3), Linux x64 & x64 (glibc 2.3)
Sync Clients:
• Mac OS X 10.8 Lion or later
• Windows XP SP3 or later (32/64-bit)
• Linux i386 & i386 (glibc 2.3), Linux x64 & x64 (glibc 2.3)
7. Technical Review: WAN Optimization
Sync IT Overview
Sync IT is a decentralized Managed File Transfer (MFT) solution capable of moving large amounts of data to many locations and across unreliable or high latency networks. Built on the same Peer-to-Peer (P2P) protocol powering BitTorrent Sync, Sync IT is designed to empower high-performance managed file transfer applications, scaling to thousands of nodes, TBs of data, and millions of individual files. The decentralized architecture of Sync IT provides substantial benefits over existing centralized tools that have a single point of failure or require clustering for performance.
• Using our unique Micro Transport Protocol (μTP2), Sync IT offers WAN-optimized transfers and can reach speeds of 1Gbit/sec over WAN or LAN.
• On top of the engine is a browser-based management tool that offers the ability to schedule and automate transfers, logging, and more.

WAN Optimization Technology
Our μTP2 protocol architecture is based on a bulk transfer strategy, where the sender sends packets periodically with a fixed packet delay to create a uniform packet distribution in time and uses a congestion control algorithm to calculate the ideal send rate. There is no acknowledgment for every packet; instead, the protocol uses interval acknowledgment for a group of packets with additional information about lost packets. This acknowledgment, combined with periodic RTT (Round Trip Time) probing, provides the information the congestion control algorithm needs to calculate the new sending rate. The protocol uses a delayed retransmission strategy: lost packets are retransmitted once per RTT to decrease unnecessary retransmissions.

Use Cases
• Easily deploy the Management Server and headless clients across multiple sites, and over any infrastructure
• Manage file distribution from a dedicated source to remote headless clients over LAN or WAN, using a centralized management console
• Manage data replication between multiple groups of servers, across multiple sites
• Back up data from remote sites to a single or multiple backup destinations
• Automate file replication workflows and remotely manage and schedule clients’ activity and overall bandwidth consumption

Security
Sync IT uses industry standard security approaches:
• AES 128-bit encryption
• Forward secrecy
• SSL certificates
All algorithms and code were reviewed by a 3rd party security auditor.

[Figure: Sender → Receiver over a Direct Peer-to-Peer connection. Max. Up/Down Rate: up to 1Gbit/s. Max. Speeds over WAN: regardless of distance and at up to 5% packet loss rate. The sender does not wait for a confirmation for every packet before sending the next one; instead, a confirmation is retrieved only for groups of packets, with additional information about the specific lost packets that need to be retransmitted.]
8. Technical Review: P2P Technology
Client-Server Networking Has Limitations
Many data transfer protocols are built on a client-server model. The most popular is FTP (File Transfer Protocol), in which a server holds files and performs authentication of a client or end-user who is accessing the files. The first FTP client applications were developed as command-line programs before modern user interfaces existed, and they are still shipped with most Windows, Linux, and Unix operating systems. There are thousands of applications built on top of FTP for data transfer. FTP set the standard for data transmission for many years, but it was not designed for the file sizes or infrastructure needs of the modern internet. The client-server model requires all data to be transferred directly from server to client, which is inefficient from a bandwidth perspective and problematic from an availability and reliability standpoint.

Peer-to-Peer Architecture Has Advantages
In contrast, peer-to-peer (P2P) networking is a distributed application architecture that connects distributed peers (also referred to as clients or endpoints) together. Peers share a portion of their resources (bandwidth, storage, or processing power) with the other participants in the network without the need for central coordination or administration. Files being transferred are broken into smaller segments called pieces, and each peer is able to transfer pieces to another peer. In this way, much of the network usage of sharing the data is offloaded to the peers. The distributed P2P model has significant advantages in terms of resource allocation, especially when it comes to handling large amounts of data. P2P transfer saves time, cost and bandwidth and improves resilience and reliability.

Security
Sync IT uses industry standard security approaches:
• AES 128-bit encryption
• Forward secrecy
• SSL certificates
All algorithms and code were reviewed by a 3rd party security auditor.

Side notes
• BitTorrent is a protocol for P2P file sharing that was invented by Bram Cohen in 2001
• The protocol is open source and is one of the most common technical protocols for transferring large files
• Blizzard Entertainment distributes large game updates using the P2P protocol
• Facebook and Twitter use the P2P protocol to distribute software updates to their servers across the world

[Figure: Client-Server Model vs. Peer-to-Peer Model. Nodes labelled Server (RW), Workstation (RW) and Workstation (RO); arrows labelled Upload & Download Data.]
9. The BitTorrent Protocol
The protocol was built to reduce the network impact of distributing large files. Rather than downloading a file from a central server, the protocol allows a group of clients to upload and/or download data from each other simultaneously. As each client receives a piece of the file, it becomes a source of that piece for other clients. This approach is especially beneficial in low bandwidth scenarios or to prevent spikes in bandwidth usage. A ‘tracker’ server can be used to coordinate connections between clients, or the management layer can also be distributed. The tracker server never receives any data: all transfer is direct from device to device. The protocol was also designed to easily recover from network failures or endpoint failures. Data transmission is resumed from the point of failure, and all data is verified upon receipt to prevent data corruption. BitTorrent, Inc. builds solutions on top of the protocol to address issues where scalability, speed, cost, and data control are paramount. BitTorrent Sync has all the advantages of P2P and is used to manage and automate file workflows with secure, encrypted replication to thousands of endpoints.

Sync Builds on the BitTorrent Protocol
BitTorrent Sync introduces substantial improvements over the standard BitTorrent protocol. The primary BitTorrent P2P use case is downloading from multiple clients to one client over the WAN. With Sync, support was added for one-to-one and one-to-many distribution scenarios. In addition, the code was optimized to handle faster transfer speeds over LAN and WAN connections with high latency and some packet loss. With these enhancements, Sync is able to reach a speed of over 1 Gbit/s over LAN or WAN.

Deployment Example: Managing File-Transfers Across Remote Sites (using Sync IT)
In the following deployment example Sync IT is used to replicate and transfer 2 (huge) folders to 98 clients and 7 servers in 3 remote sites. In this example, clients in each group have different permissions, and file-transfer activity is configured independently, per group. Also, the WAN optimization feature is enabled only for certain sites, to solve latency and packet loss issues.

Group name: SF office
• Clients: 2 servers & 18 laptops
• Has ‘read only’ access to “Resources”
• Profile: Custom (WAN optimization enabled)

Group name: Milano office
• Clients: 5 servers & 75 laptops
• Has ‘read only’ access to “Data” & “Resources”
• Profile: Custom (WAN optimization enabled)
• Activity Scheduler: Every day, 7PM-8AM

Group name: Greenland office
• Clients: 5 laptops
• Has ‘read & write’ access to “Data” & “Resources”
• Profile: Custom (Relay turned on)
• Activity Scheduler: Every day, 9PM-6AM

[Figure legend: Management Server (NY); direct Peer-to-Peer connection over WAN (WAN optimized over fat pipe); direct Peer-to-Peer connection over LAN; status & policy messages to/from the Management Server.]
10. File-Transfers using P2P Architecture
To move data, Sync establishes a direct connection between clients. By default, Sync will try to find other clients using LAN multicast search and by querying the tracker server. You can deploy your own tracker on private infrastructure. Once the clients of each folder learn the IP addresses of the other clients from the LAN search or the tracker, they contact them directly to establish a connection. If the direct connection between clients fails, the relay server is used. From the data we have collected, Sync is very successful at establishing a direct connection, with more than 97% of all data transferred moving directly from client to client.

Sync will leverage the full performance of a local network and doesn’t require any cloud upload or data movement to a central server. Sync’s P2P architecture makes it ideal for moving data to distributed endpoints where connectivity or processing power may be an issue. Sync can recover when connections are dropped or interrupted, and P2P allows network channels between endpoints to reduce overall load. P2P is also ideal for transmission of data across unreliable WANs.

Sync’s architecture is lightweight and built on optimized C++ code designed for low CPU and memory usage. Improvements were made to the underlying BitTorrent P2P protocol to scale to millions of files and thousands of clients.

[Peer Connection Diagram: Bob’s PC, Jack’s PC and Abigail’s PC connect P2P over LAN and P2P over WAN through a Modem/Router. Option 1: NAT Traversal; Option 2: UPnP; Option 3: Relay Server; Option 4: Direct Connection.]