So Wait, How Encrypted Are Zoom Meetings Really?

An analysis of Zoom's encryption scheme, published on Friday by Citizen Lab at the University of Toronto, shows that Zoom does generate and hold all keys itself on key management systems. The report notes that most of Zoom's developers are based in China, and that some of its key management infrastructure is in that country, meaning keys used to encrypt your meetings could be generated there. It's also unclear how Zoom generates keys and whether they're adequately random or might be predictable.


"It would help if Zoom were more clear about how keys are generated and transmitted," Teserakt's Aumasson says.


Citizen Lab's investigation found that every Zoom meeting is encrypted with one key that is distributed to all meeting participants, and it doesn't change until everyone has left the "room." Conceptually, this is a legitimate way to encrypt video calls, but its overall security depends on a number of factors, including what happens in situations where only some people join or leave the meeting after it has started. Citizen Lab found that the key does not change when some participants join and leave, and only refreshes when everyone has left a meeting. Citizen Lab also found that Zoom uses an unexpected configuration for its transport protocol, used in delivering audio and video over the internet. Improvising alternatives in this way is often called "rolling your own" cryptography, typically a red flag given how easy it is to make mistakes that create vulnerabilities.
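The key lifetime described above can be modelled as key possession per participant. This is an added illustration, not Zoom's or Citizen Lab's code; the timeline, the participant names and the rotate-on-every-join/leave policy used for comparison are constructed assumptions.

```python
import secrets

# Constructed timeline; "media" marks one encrypted audio/video segment.
TIMELINE = [
    ("join", "alice"), ("join", "bob"), ("media", None),    # segment 0
    ("join", "carol"), ("media", None),                     # segment 1
    ("leave", "bob"), ("media", None),                      # segment 2
    ("leave", "alice"), ("leave", "carol"),                 # room empties
    ("join", "dave"), ("media", None),                      # segment 3
]

def simulate(timeline, rotate_on_change):
    """Replay the timeline; return (keys held per participant, segments)."""
    present, held, segments, key = set(), {}, [], None
    for event, who in timeline:
        if event == "media":
            segments.append((key, frozenset(present)))
            continue
        was_empty = not present
        if event == "join":
            present.add(who)
        else:
            present.discard(who)
        if not present:
            key = None                      # everyone left: key is retired
        elif was_empty or rotate_on_change:
            key = secrets.token_bytes(32)   # fresh random meeting key
        for p in present:                   # key goes to everyone in the room
            held.setdefault(p, set()).add(key)
    return held, segments

def overexposed(held, segments):
    """Segments whose key a participant holds without having been present."""
    return {p: [i for i, (k, members) in enumerate(segments)
                if k in keys and p not in members]
            for p, keys in sorted(held.items())}

if __name__ == "__main__":
    for label, rotate in (("one key until room empties", False),
                          ("rotate on every join/leave", True)):
        print(label, overexposed(*simulate(TIMELINE, rotate)))
```

The model tracks key possession only; a held key matters to a party that also has the corresponding encrypted media.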


"It sounds like Zoom solved a lot of the hard problems, but didn’t go all the way," says Johns Hopkins University cryptographer Matthew Green.


After reviewing Citizen Lab's findings, all the cryptographers WIRED spoke to ..
