Zoom Pioneers Post-Quantum End-to-End Encryption, Bolstering Security in Video Conferencing

Zoom Video Communications, Inc. has introduced post-quantum end-to-end encryption (E2EE) to its Zoom Workplace, making it the first Unified Communications as a Service (UCaaS) provider to offer this advanced security feature. The new encryption is designed to protect against future quantum computers, which could decrypt data that is encrypted today. The feature is now available for Zoom Meetings, with Zoom Phone and Zoom Rooms to follow. Michael Adams, Chief Information Security Officer at Zoom, emphasized the company’s commitment to adapting to evolving security threats and protecting user data.

Zoom Introduces Post-Quantum End-to-End Encryption

Zoom Video Communications, Inc. has announced the global availability of post-quantum end-to-end encryption (E2EE) for Zoom Workplace, specifically Zoom Meetings. This new security enhancement positions Zoom as the first Unified Communications as a Service (UCaaS) company to offer a post-quantum E2EE solution for video conferencing. The company plans to extend this feature to Zoom Phone and Zoom Rooms soon.

The introduction of post-quantum E2EE comes as a response to the increasing sophistication of adversarial threats and the need to protect user data. In some cases, attackers may capture encrypted network traffic with the intention of decrypting it later when quantum computers become more advanced. This scenario, often referred to as “harvest now, decrypt later,” is a potential future threat that Zoom aims to mitigate with its upgraded algorithms.

Michael Adams, Chief Information Security Officer at Zoom, emphasized the company’s commitment to providing a secure platform that meets the unique needs of its customers. The launch of post-quantum E2EE is a significant step in this direction, demonstrating Zoom’s proactive approach to adapting to the evolving security threat landscape.

Understanding Post-Quantum End-to-End Encryption

When users enable E2EE for their meetings, Zoom’s system is designed to provide only the participants with access to the encryption keys used to encrypt the meeting. This applies to both post-quantum E2EE and standard E2EE. As Zoom’s servers do not possess the necessary decryption key, any encrypted data relayed through Zoom’s servers remains indecipherable.

To defend against “harvest now, decrypt later” attacks, Zoom’s post-quantum E2EE employs Kyber 768. This algorithm is being standardized by the National Institute of Standards and Technology (NIST) as the Module Lattice-based Key Encapsulation Mechanism, or ML-KEM, in FIPS 203.

Using End-to-End Encryption in Zoom Meetings

End-to-end encryption (E2EE) provides additional protection for Zoom meetings when enabled in the Zoom web portal. However, E2EE for meetings requires all meeting participants to join from the Zoom desktop app, mobile app, or Zoom Rooms. Meeting hosts on free accounts can also enable and use E2EE, but they will need to verify their phone number via a code sent to them using SMS.

E2EE is recommended for meetings where enhanced privacy and data protection are required. It serves as an extra layer to mitigate risk and protect sensitive meeting content. However, enabling E2EE may limit some Zoom functionality, and individual Zoom users should consider whether they need these features before enabling E2EE in their meetings.

Prerequisites and Limitations of End-to-End Encryption

Post-quantum end-to-end encryption (PQ E2EE) requires all meeting participants to be on Zoom desktop or mobile app version 6.0.10 or higher. If all meeting participants meet these prerequisites, PQ E2EE will automatically be used in the meeting. If some meeting participants do not meet this minimum version requirement, then standard end-to-end encryption will be used instead.
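
The fallback rule above means a single outdated client moves the whole meeting to standard E2EE. The following is an added example, not Zoom's code: a readiness check an administrator could run over a client inventory to see which participants would cause that fallback. The participant names, version strings and the decision to treat an unparseable version as not qualifying are assumptions made for the illustration.

```python
import re

# Minimum desktop/mobile app version the article gives for PQ E2EE.
MIN_PQ_VERSION = (6, 0, 10)


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if the string is unparseable."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def meeting_mode(participant_versions):
    """Predict the E2EE mode: post-quantum only if every client meets the minimum.

    Returns (mode, blockers), where blockers are the participants who would
    force the fallback to standard E2EE. Unparseable versions count as
    blockers (an assumption of this example, chosen to fail closed).
    """
    blockers = []
    for name, raw in participant_versions.items():
        version = parse_version(raw)
        # Tuples compare numerically, so (6, 0, 9) < (6, 0, 10) as intended.
        if version is None or version < MIN_PQ_VERSION:
            blockers.append(name)
    mode = "standard-e2ee" if blockers else "pq-e2ee"
    return mode, sorted(blockers)


# Constructed sample inventory (hypothetical users and version strings).
SAMPLE = {
    "alice": "6.0.10",
    "bob": "6.1.0 (12345)",   # trailing build number is ignored
    "carol": "6.0.9",         # sorts after "6.0.10" as a string, but is older
    "dave": "unknown",
}

if __name__ == "__main__":
    mode, blockers = meeting_mode(SAMPLE)
    print(f"expected mode: {mode}; clients forcing fallback: {blockers}")
```

Comparing the version strings directly would rank "6.0.9" above "6.0.10" and wrongly report that client as ready, which is why the check compares integer tuples.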

There are several limitations to using E2EE for meetings. For instance, users will not be able to join by telephone, SIP/H.323 devices, or on-premise configurations, as these endpoints cannot be encrypted end-to-end. E2EE meetings are also limited to 1000 meeting participants. Furthermore, enabling E2EE will disable several in-meeting features, including AI Companion features, breakout rooms, cloud recording, continuous meeting chat, join before host, live streaming, live transcription, polling and surveys, Zoom Apps, Zoom Notes, and Zoom Whiteboard.

Frequently Asked Questions about End-to-End Encryption for Zoom Meetings

Zoom’s E2EE uses public key cryptography, with the keys for each Zoom meeting generated by participants’ machines, not by Zoom’s servers. This key management strategy is similar to that used by most E2EE messaging platforms today.

While E2EE provides added security, it does limit some Zoom functionality. Individual Zoom users should determine whether they need these features before enabling E2EE in their meetings. Free and paid Zoom accounts joining directly from Zoom’s desktop or mobile app, or from a Zoom Room, can host or join an E2EE meeting if enabled in the Zoom web portal.

Zoom’s post-quantum end-to-end encryption is designed to withstand the threat of an adversary who can capture encrypted network traffic, hoping to acquire a quantum computer in the future and use it to decrypt the captured data. However, it is not designed to defend against potential attacks that would require the current existence of a quantum computer capable of breaking classical cryptography at the time a meeting takes place. Zoom is closely monitoring advancements in this space, and preparing for further protocol updates once this becomes a more concrete threat.
