Zoom has released a draft design for its much-anticipated end-to-end encryption offering as part of a plan for “major security and privacy upgrades”.
The video conferencing platform published the draft design for end-to-end encryption on its service for peer review on GitHub.
Zoom’s document outlines the implementation of improved encryption on the platform in four phases, with regular consultation with clients, cryptography experts and civil society.
The stronger encryption is intended to protect Zoom users against three classes of adversary, malicious outsiders, malicious meeting participants and Zoom insiders, with the goals of confidentiality, integrity and abuse prevention, the draft design said.
“To achieve these objectives would be an important improvement to Zoom’s overall security and would give Zoom’s users additional assurances that their meetings are secure along the axes they care most about,” it said.
Use of Zoom has skyrocketed in the wake of the global COVID-19 pandemic, with a large share of the world’s workforce working from home.
This increased usage has led to increased scrutiny and criticism of the company’s privacy and security protocols, with Zoom quickly announcing a 90-day plan to improve the situation.
Earlier this year it was revealed that Zoom does not offer end-to-end encryption, despite appearing to claim to do so on its website and white paper. The company later apologised for the “confusion”, saying it did not mean to mislead users.
As part of the 90-day plan, the company has since introduced AES-256-GCM encryption for meeting data in transit. That protects traffic between clients and Zoom’s servers, but it is not end-to-end: the meeting keys are still generated and distributed by Zoom’s servers.
Recently it announced the acquisition of secure messaging and file-sharing service Keybase to assist with the journey towards end-to-end encryption.
Keybase co-founder Max Krohn has joined Zoom as the lead of its security engineering team and helped to develop the new document outlining the path towards end-to-end encryption.
The first phase will see Zoom upgrade its meeting key exchange protocol to use public-key cryptography, so that meeting keys are generated on clients and are never known to Zoom’s servers.
The next three phases will “harden the notion of a user’s identity to help maintain server honesty in the key exchange and to give hosts better information when allowing or disallowing participation in a meeting”.
“At a high level, the approach is simple: use public key cryptography to distribute a session key to a meeting’s participants; and provide increasingly stronger bindings between public keys and user identities,” the document said.
“However, the devil is in the details, as user identity across multiple devices is a challenging problem and has user experience implications. We proposed a phased deployment of end-to-end encryption security, with each successive stage giving stronger protections.”
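The high-level mechanism described above, shown as an added example that is not Zoom’s code or its published design: the meeting leader generates a random 256-bit meeting key on its own client, wraps it once per participant using X25519 key agreement against that participant’s ephemeral public key and AES-256-GCM, and the server relays only public keys and ciphertext. The key-derivation step (SHA-256 over a label and the shared secret), the envelope layout, and every name here are assumptions of this example; a real deployment would use HKDF, authenticate the leader’s public key, and bind keys to identities as the later phases describe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewParticipant makes a per-meeting ephemeral X25519 key pair; the private half never leaves the client.
func NewParticipant() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable
	}
	return priv
}

// KeyEnvelope is everything the server relays for one recipient; none of it
// lets the server recover the meeting key.
type KeyEnvelope struct {
	LeaderPub, RecipientPub []byte
	Wrapped                 []byte // nonce || AES-256-GCM(meeting key), AAD = RecipientPub
}

// kek derives a 256-bit key-encryption key from the X25519 shared secret. SHA-256
// over a label and the secret is this example's assumption; production would use HKDF.
func kek(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append([]byte("example-meeting-kek-v1"), shared...))
	return sum[:], nil
}

// aeadFor returns AES-256-GCM for a 32-byte key; a wrong key length is a bug, not input.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return aead
}
// Seal/Open: AES-256-GCM with a random 96-bit nonce prefixed; used for both the wrapped key and media frames.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad) // fails on a wrong key or any tampering
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// WrapMeetingKey (leader side): seal the meeting key under a KEK only the owner of recipientPub can reproduce.
func WrapMeetingKey(leader *ecdh.PrivateKey, meetingKey, recipientPub []byte) (KeyEnvelope, error) {
	k, err := kek(leader, recipientPub)
	if err != nil {
		return KeyEnvelope{}, err
	}
	w, err := Seal(k, meetingKey, recipientPub) // AAD binds the envelope to its recipient
	return KeyEnvelope{LeaderPub: leader.PublicKey().Bytes(), RecipientPub: recipientPub, Wrapped: w}, err
}

// UnwrapMeetingKey (participant side): rederive the same KEK from the leader's public key and own private key.
func UnwrapMeetingKey(p *ecdh.PrivateKey, env KeyEnvelope) ([]byte, error) {
	if !bytes.Equal(env.RecipientPub, p.PublicKey().Bytes()) {
		return nil, fmt.Errorf("envelope addressed to another participant")
	}
	k, err := kek(p, env.LeaderPub)
	if err != nil {
		return nil, err
	}
	return Open(k, env.Wrapped, env.RecipientPub)
}

func main() {
	host, alice := NewParticipant(), NewParticipant()
	meetingKey := make([]byte, 32) // fresh per meeting, generated only on the leader's client
	rand.Read(meetingKey)
	env, _ := WrapMeetingKey(host, meetingKey, alice.PublicKey().Bytes()) // relayed by the server
	got, err := UnwrapMeetingKey(alice, env)
	fmt.Println("alice recovered the meeting key:", err == nil && bytes.Equal(got, meetingKey))
}
```

The recipient public key in the AAD is what stops a relay from re-addressing an envelope to a different participant, and GCM’s tag is what makes a wrong KEK fail cleanly rather than yield garbage. What this example deliberately does not do is authenticate the leader’s public key: a server that substitutes its own key pair for the leader’s would still be accepted, which is exactly the gap the later phases’ identity binding is meant to close.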
Zoom will be using third-party single sign-on (SSO) and identity providers (IDPs) to independently vouch for the identity of users on the platform as part of the plan.
“Doing so moves the trust away from Zoom and to identity providers that many of Zoom’s enterprise users already trust for sensitive identity operations,” it said. “Where we do rely on SSOs and IDPs, meetings may become vulnerable because of attacks on their infrastructure.”
It will also use signed chains of cryptographic statements about users’ devices and contact lists, and a privacy-preserving “transparency tree” to “tie them tightly together”.
The company has acknowledged that there are “limitations” in its approach. The protocol will not protect against in-meeting impersonation attacks, against metadata leakage and traffic analysis, or against software flaws, the company said.
Zoom also announced a number of new security updates that have been rolled out immediately.
These include temporarily removing the GIPHY integration from the platform in an effort to “ensure strong privacy protections”.
Zoom has not detailed what these security concerns are around GIPHY, and the decision came just days after the gif-sharing service was acquired by Facebook for $US300 million.
“Once additional technical and security measures have been deployed, we will re-enable the feature,” Zoom said in a blog post.
The company has also restricted screen sharing to the host by default, introduced a requirement that a participant consent before a host can unmute them, added an audio alert when someone joins a waiting room, and imposed restrictions on multiple logins.