Zoom has acquired Keybase, a key directory that maps social media identities to encryption keys and offers end-to-end encrypted chat (Keybase Chat) and a cloud storage system (Keybase Filesystem), the companies announced yesterday. The acquisition is meant to help Zoom implement end-to-end encryption and scale it to Zoom’s current usage levels, with the service seeing more than 300 million daily meeting participants. The company will publish a detailed draft cryptographic design on May 22 for public review.
There aren’t any specific plans for a Keybase app yet, but “ultimately Keybase’s future is in Zoom’s hands, and we’ll see where that takes us”, Keybase said.
Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Here’s how it will work:
Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed to clients, enveloped (encrypted) using the attendees’ asymmetric keypairs, and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide which devices are allowed to receive meeting keys, and thereby join the meeting.
The company warned that meetings will not be end-to-end encrypted when participants dial in by phone, join through in-room meeting systems offered by other companies, or when cloud recording is used. Since the encryption keys are controlled by the host, who admits the attendees, Zoom Rooms and Zoom Phone participants will be able to attend only if the host explicitly allows it.
Right now, Zoom offers some level of encryption for audio and video content: the audio and video between Zoom app clients on any device is encrypted on the sending client device and decrypted on the receiving client device. Unlike end-to-end encryption, however, where the keys for encryption and decryption are generated on the device itself, here they are generated by the Zoom servers.
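The design sketch above (host-generated ephemeral meeting key, enveloped to each attendee’s asymmetric identity key, rotated when the attendee list changes, with the host’s client deciding who receives it) and the contrast with server-generated keys can be illustrated in a short simulation. The following is an added example written for this article; it is not Zoom’s or Keybase’s code, and Zoom’s actual design is not public until the May 22 draft. It assumes X25519 identity keys, an HMAC-based key-wrapping derivation, a toy encrypt-then-MAC envelope standing in for a real AEAD, and the names `Host`, `Device`, `seal`, `open_` and `wrap_key`, all of which are constructed here. X25519 is implemented inline (RFC 7748 Montgomery ladder) only so that the file runs offline; a production client would use a vetted library.

```python
"""Added example, not Zoom's or Keybase's code: host-controlled distribution of an
ephemeral meeting key enveloped to each admitted device's X25519 identity key and
rotated whenever the attendee set changes. X25519 is implemented inline so this runs
offline; the envelope 'AEAD' is a toy HMAC encrypt-then-MAC. All names are assumed."""
import hashlib
import hmac
import os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")          # X25519 base point u = 9

def x25519(scalar, point):
    """RFC 7748 X25519: scalar multiplication on Curve25519 (Montgomery ladder)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64        # clamp the scalar
    k = int.from_bytes(k, "little")
    u = bytearray(point); u[31] &= 127            # mask the top bit of u
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:                            # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def wrap_key(my_priv, their_pub):
    """Per-pair key-wrapping key derived from the X25519 shared secret (assumed KDF)."""
    return hmac.new(x25519(my_priv, their_pub), b"meeting-key-wrap", hashlib.sha256).digest()

def seal(key, nonce, plaintext):
    """Toy AEAD for <=32-byte messages: HMAC keystream XOR plaintext, then an HMAC tag."""
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None                               # wrong key or tampered envelope
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

class Device:
    """An attendee's client: holds the identity keypair, never sees other keys."""
    def __init__(self, name):
        self.name, (self.priv, self.pub) = name, keygen()
    def unwrap(self, bundle):
        env = bundle["envelopes"].get(self.name)   # absent -> not admitted this epoch
        return None if env is None else open_(wrap_key(self.priv, bundle["host_pub"]), env)

class Host:
    """The host's client decides which devices receive the meeting key."""
    def __init__(self):
        self.priv, self.pub = keygen()
        self.admitted, self.epoch, self.meeting_key = {}, 0, None
    def rotate(self):
        """New epoch, new random key, enveloped only to currently admitted devices."""
        self.epoch, self.meeting_key = self.epoch + 1, os.urandom(32)
        envs = {n: seal(wrap_key(self.priv, pub), os.urandom(16), self.meeting_key)
                for n, pub in self.admitted.items()}
        return {"epoch": self.epoch, "host_pub": self.pub, "envelopes": envs}
    def admit(self, dev_name, dev_pub):
        self.admitted[dev_name] = dev_pub
        return self.rotate()                      # attendee list changed: rotate
    def remove(self, dev_name):
        self.admitted.pop(dev_name)
        return self.rotate()

def demo():
    """Constructed scenario: alice and bob join, bob leaves; a relay sees only bundles."""
    host, alice, bob = Host(), Device("alice"), Device("bob")
    host.admit("alice", alice.pub)
    bundle = host.admit("bob", bob.pub)           # what Zoom's servers would relay
    k2 = host.meeting_key
    relay_priv, _ = keygen()                      # a relay holding no attendee key
    after_leave = host.remove("bob")
    return {
        "both_share_key": alice.unwrap(bundle) == bob.unwrap(bundle) == k2,
        "relay_cannot_open": open_(wrap_key(relay_priv, host.pub), bundle["envelopes"]["bob"]) is None,
        "rotated_on_leave": after_leave["epoch"] == 3 and host.meeting_key != k2,
        "bob_locked_out": bob.unwrap(after_leave) is None,
        "alice_follows": alice.unwrap(after_leave) == host.meeting_key,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the simulation is the difference the article draws in the previous paragraph: the meeting key is generated on the host’s device and every copy that crosses the network is enveloped to a specific attendee’s public key, so a server that relays the bundles (or anyone else without an admitted device’s private key) cannot recover it, and a device removed from the admitted set cannot open the next epoch’s envelope. In the current scheme, where the servers generate the key, the server necessarily holds it.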
This is part of Zoom’s 90-day plan (announced on April 1) to improve its security after numerous lapses, Zoombombing being the most notable among them. Under the 90-day plan, it first announced a six-month feature-update freeze, following which it created a Chief Information Security Officers Council (CISO Council) with CISOs from HSBC, NTT Data and others. A subset of this council, with security experts from Netflix, VMware and Uber, will personally advise Zoom CEO Eric S. It had also hired cybersecurity expert and Facebook’s former chief security officer Alex Stamos of Stanford University as an external advisor.