Zoom Bolsters Security with Keybase Technology
At this point, Zoom’s security issues have been well documented, as has the company’s response, which has included measures such as a feature freeze and a 90-day improvement plan. Today, Zoom has taken a step further in addressing these concerns by acquiring Keybase, a secure messaging and file-sharing service, and outlining its plan to provide end-to-end encryption.
While Zoom 5.0, announced on April 23, includes support for AES-GCM with 256-bit keys, the encryption keys are generated by Zoom servers, Zoom said. With the Keybase technology, Zoom will be able to offer an end-to-end encrypted meeting mode. In this mode, meeting hosts will be able to decide which devices can receive meeting keys and then be allowed to join the meeting, Zoom said. While Zoom Rooms and Zoom Phone participants will have end-to-end encryption support, cloud recording, non-Zoom conference room systems, and those that use a phone bridge to call in will not be supported, according to Zoom.
With end-to-end encryption, logged-in users will generate a public cryptographic identity that will be used to establish trust relationships between meeting attendees. Zoom will store this identity. Meanwhile, the meeting host will generate an “ephemeral per-meeting symmetric key,” as Zoom CEO Eric Yuan described in a blog post announcing the acquisition. This key will be sent between clients with asymmetric keypairs, rotating when significant changes to the attendee list occur, he said. Zoom is also researching mechanisms that allow enterprise users to have additional levels of authentication.
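The key flow described above, sketched as an added example; this is not Zoom's or Keybase's code or design. It assumes X25519 device keypairs, HKDF-SHA256 and AES-256-GCM for wrapping the meeting key, rotation on every change to the admitted list (a simplification), and hypothetical names (`Meeting`, `sealFor`, `openWith`).

```javascript
const crypto = require('node:crypto');

// Each device holds a long-term X25519 keypair (assumed primitive).
const newDevice = () => crypto.generateKeyPairSync('x25519');

// Derive an AES-256 wrapping key from an X25519 shared secret via HKDF-SHA256.
function wrapKey(ourPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: ourPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'meeting-key-wrap', 32));
}

// Host side: encrypt the meeting key to one admitted device's public key.
function sealFor(meetingKey, devicePublic) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh keypair per box
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', wrapKey(eph.privateKey, devicePublic), iv);
  const ct = Buffer.concat([c.update(meetingKey), c.final()]);
  return { ephPublic: eph.publicKey, iv, ct, tag: c.getAuthTag() };
}

// Device side: recover the meeting key; throws if the box was sealed for another device.
function openWith(box, devicePrivate) {
  const d = crypto.createDecipheriv('aes-256-gcm', wrapKey(devicePrivate, box.ephPublic), box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Host state: the server relaying `boxes` never sees `key` in the clear.
class Meeting {
  constructor() { this.admitted = new Map(); this.epoch = 0; this.rotate(); }
  // Pick a fresh random meeting key and re-seal it for every admitted device.
  rotate() {
    this.key = crypto.randomBytes(32);
    this.epoch += 1;
    this.boxes = new Map();
    for (const [name, pub] of this.admitted) this.boxes.set(name, sealFor(this.key, pub));
  }
  admit(name, pub) { this.admitted.set(name, pub); this.rotate(); }
  // A removed device gets no box for the new key, so later traffic is unreadable to it.
  remove(name) { this.admitted.delete(name); this.rotate(); }
}
```

The boxes in this sketch are not signed by the host, so a receiving device cannot tell who sealed them; binding them to the host's identity key is left out to keep the example short.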
In the post, Yuan also made several statements concerning Zoom’s commitment to privacy and security. He promised, for example, that Zoom won't build any cryptographic backdoors allowing staff to enter meetings or mechanisms to decrypt live meetings for lawful intercept purposes, and that it will continue to work on an enhanced report to root out unwanted and disruptive attendees.
Zoom will release a detailed draft cryptographic design on May 22 and will solicit feedback from cryptographic experts and customers, Yuan said. The feedback will then be integrated into the final design, before being deployed to Zoom users.