Zoom To Add End-To-End Encryption With Keybase Acquisition
Zoom has acquired secure messaging and identity management firm Keybase as it looks to shore up security capabilities on its platform with end-to-end encryption.
The acquisition will give Zoom access to Keybase’s encryption technology, used to secure online identities, as well as its team of engineers. Launched in 2014, Keybase lets users encrypt social media messages and shared files with public key encryption to ensure that communications stay private.
Zoom said in a blog post that the aim of the acquisition is to move to end-to-end encryption:
Today, audio and video content flowing between Zoom clients (e.g., Zoom Rooms, laptop computers, and smartphones running the Zoom app) is encrypted at each sending client device. It is not decrypted until it reaches the recipients’ devices. With the recent Zoom 5.0 release, Zoom clients now support encrypting content using industry-standard AES-GCM with 256-bit keys.
However, the encryption keys for each meeting are generated by Zoom’s servers […] For hosts who seek to prioritize privacy over compatibility, we will create a new solution.
Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees.
The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.
Choosing to use end-to-end encryption will, however, mean that some functionality will be lost. These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems.
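The key distribution Zoom describes (a host-generated per-meeting key, enveloped to each attendee's public key and rotated when the attendee list changes), as an added Go example that is not Zoom's or Keybase's code. RSA-OAEP, the epoch label and the names `Rekey`, `Open` and `NewIdentity` are assumptions, since the post does not name the asymmetric scheme; the envelopes here are not signed by the host.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// label binds an envelope to one key epoch so an old envelope cannot pass as a new one.
func label(epoch int) []byte { return []byte(fmt.Sprintf("meeting-key/epoch-%d", epoch)) }

// Rekey draws a fresh 256-bit meeting key and envelopes it to every attendee on the roster.
func Rekey(roster map[string]*rsa.PublicKey, epoch int) ([]byte, map[string][]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	envs := make(map[string][]byte, len(roster))
	for name, pub := range roster {
		env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label(epoch))
		if err != nil {
			return nil, nil, err
		}
		envs[name] = env
	}
	return key, envs, nil
}

// Open unwraps an envelope on the attendee's device; it fails for a wrong key or epoch.
func Open(priv *rsa.PrivateKey, env []byte, epoch int) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env, label(epoch))
}

// NewIdentity creates an attendee keypair; the public half is what a repository would store.
func NewIdentity() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	alice, _ := NewIdentity() // constructed sample attendees
	bob, _ := NewIdentity()
	roster := map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey}
	_, envs, _ := Rekey(roster, 1)
	delete(roster, "bob") // bob leaves, so the host rotates without him
	key2, envs2, _ := Rekey(roster, 2)
	got, _ := Open(alice, envs2["alice"], 2)
	_, stale := Open(bob, envs["bob"], 2) // bob's epoch-1 envelope fails the epoch-2 label check
	fmt.Println(string(got) == string(key2), len(envs2), stale != nil)
}
```

Because the second `Rekey` call only iterates the current roster, the departed attendee holds no envelope for the new key, which is the property the rotation is meant to provide.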