
Zoom adopts post-quantum encryption: protect yourself today to avoid data theft tomorrow


Zoom meeting security will be even higher thanks to the implementation of post-quantum end-to-end encryption (E2EE).

Communications on Zoom, already protected today with standard end-to-end encryption, will become even more secure because all data traveling between its servers and our clients during video conferences will be indecipherable even by the most advanced quantum computers.

“As adversary threats become more sophisticated, the need to protect user data also grows,” the company said in a statement. “With the launch of post-quantum E2EE, we are strengthening security and providing cutting-edge features to help users protect their data.”

The update is already available globally for Zoom Workplace, specifically for Zoom Meetings, and will soon also arrive on Zoom Phone and Zoom Rooms.

The update, in fact, makes Zoom the first UCaaS (Unified Communication as a Service, i.e. a system that combines cloud-based telephony services and instant messaging apps) company to offer a post-quantum E2EE (end-to-end encryption) solution for video conferencing.

“Zoom's announcement on May 21st that it will adopt the Kyber 768 encryption algorithm is interesting and indicates that companies are moving towards implementing post-quantum (i.e. resistant to quantum computers) encryption”, points out Giorgio Sbaraglia, cyber security business consultant and member of the Clusit Steering Committee.

How post-quantum encryption works on Zoom

For post-quantum E2EE, Zoom uses CRYSTALS-Kyber768, one of the top four cryptographic algorithms chosen by the US Department of Commerce's National Institute of Standards and Technology (NIST) in July 2022 as a quantum computer-resistant cryptographic algorithm for general encryption.

“It is a public key cryptography algorithm with a key encapsulation mechanism (KEM) whose security is based on the difficulty of solving the problem called “learning-with-errors” (LWE)”, specifies engineer Sbaraglia.

“It is available with three different sets of parameters that target different levels of security: Kyber-768 has security approximately equivalent to AES-192 and is the one that Crystal recommends using, because – according to their prudential analysis – it guarantees over 128 bits against all known classical and quantum attacks. They also recommend using Kyber-768 in a so-called “hybrid” mode, i.e. in combination with an established “pre-quantum” security, for example in combination with elliptic curve Diffie-Hellman”, continues the Clusit expert.

However, for post-quantum E2EE to be enabled by default, all meeting participants must be using version 6.0.10 or later of the Zoom desktop or mobile app.

In the event that some participants do not meet this minimum version requirement, standard E2EE encryption will be used.
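The fallback rule above can be checked against a client inventory before a sensitive meeting. The following is an added example, not Zoom's code: it assumes version strings of the form `major.minor.patch` with an optional build suffix, and the function names and sample inventory are constructed for illustration.

```python
import re

# Minimum client version for post-quantum E2EE, as stated in the article.
PQ_MIN_VERSION = (6, 0, 10)

# Assumed format: "major.minor.patch", optionally followed by a build suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if unparseable.

    Comparing ints avoids the string-comparison trap where
    "6.0.2" sorts after "6.0.10".
    """
    match = _VERSION_RE.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def supports_pq(version_text):
    """Unknown or malformed versions are treated as unsupported."""
    version = parse_version(version_text)
    return version is not None and version >= PQ_MIN_VERSION


def meeting_mode(participants):
    """participants: dict of name -> client version string.

    Returns (mode, blockers): the E2EE mode the meeting would get and
    the participants whose clients force the fallback.
    """
    blockers = sorted(n for n, v in participants.items() if not supports_pq(v))
    mode = "standard E2EE" if blockers else "post-quantum E2EE"
    return mode, blockers


# Constructed inventory (hypothetical names and build numbers).
SAMPLE = {
    "alice": "6.0.10 (1234)",
    "bob": "6.1.0",
    "carol": "6.0.2",   # older than 6.0.10, although it sorts later as text
    "dave": "unknown",  # unparseable: counted as a blocker
}

if __name__ == "__main__":
    print(meeting_mode(SAMPLE))
```

A single outdated or unidentifiable client is enough to move the whole meeting back to standard E2EE, so the list of blockers is the part worth acting on.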

“When users enable end-to-end encryption for their meetings, Zoom's system is designed to provide only participants with access to the encryption keys used to encrypt the meeting; this applies to both post-quantum E2EE and standard E2EE,” Zoom's announcement reads. “Because Zoom's servers do not possess the necessary decryption key, encrypted data passing through Zoom's servers is undecipherable.”

Protect yourself today to avoid data theft tomorrow

“This Zoom update is important”, underlines Giorgio Sbaraglia, “because it demonstrates a proactive approach and that the path towards post-quantum cryptography has finally started. However, in this announcement I also see a strong commercial value to increase the credibility of the product.”

The engineer Sbaraglia recalls, in fact, that “in 2020, with the explosion of Covid-19, Zoom recorded a huge increase in users, but it was highly criticized (and there was no shortage of accidents) because it still did not have E2EE encryption, which was implemented shortly afterwards in 2020. Now, evidently, Zoom wants to “get ahead of the times”, following the same path as Tuta Mail, Google Chrome, Signal and Apple iMessage. In particular, Signal already announced in September 2023 that it had adopted PQXDH (Post-Quantum Extended Diffie-Hellman) encryption for its messaging app, while iMessage has implemented the PQ3 post-quantum cryptographic protocol”.

However, it is important to remember that quantum computers are still in the experimental stage, but it is also true that the sector is progressing constantly and rapidly: according to experts, it is only a matter of time before sufficiently powerful quantum computers will be able to make all current conventional encryption schemes obsolete.

The risk of “harvest now, decrypt later” attacks

The main threat posed by quantum computers lies in their ability to solve complex mathematical problems much faster, making cryptanalysis much easier.

But, above all, the aggravating factor is represented by “harvest now, decrypt later” (HNDL) attacks during which sophisticated malicious actors steal and store encrypted network traffic with the intention of decrypting it in the future, when quantum computers will be more advanced.

Post-quantum encryption is designed precisely to counteract these risks and it is no coincidence that other companies, including Amazon Web Services (AWS), Apple, Cloudflare, Google, HP and Signal, have also begun to integrate the new standard into their products.

Post-quantum encryption: better be prepared

“However”, adds Giorgio Sbaraglia, “today these post-quantum cryptographies would not yet be necessary, because if on the one hand we are aware that quantum computers will be able to break the asymmetric (public key) cryptography on which all secure communication systems are based, on the other hand quantum computers with the power necessary to do so have not yet been created, as theoretically demonstrated by Shor's algorithm in 1995”.

“It is expected that Q-Day, the day on which a sufficiently powerful quantum computer equipped with a high number of Qubits will be created and usable on the market, will be at the beginning of the next decade, therefore from 2030 onwards”, concludes the Clusit expert, “but it is good to prepare now, as Zoom is doing, because although post-quantum algorithms already exist, the complete implementation of the same in all encrypted communication tools (basically everything that travels on the internet) will be long and complex.”

More information about Zoom Workplace versions and platforms that support end-to-end post-quantum encryption can be found on Zoom's official page.
