Zoom Brings End-to-End ‘Post-Quantum’ Encryption to Video Meetings – Computerworld

Zoom is adding “post-quantum” end-to-end encryption to its video and voice meeting software. The goal is to protect communications data sent between applications once quantum computers have enough power to breach existing encryption methods.

Today's conventional, or “classic,” computers have a hard time breaking the encryption algorithms that protect Internet communications, which cover everything from text messaging to online banking and shopping. But security experts fear that cybercriminals could collect encrypted data now and decrypt it once quantum computers become sufficiently capable, a strategy known as “collect now, decrypt later.”

To secure communications in its meeting apps for the long term, Zoom on Tuesday said it would enhance existing E2EE capabilities available in Zoom Workplace apps with “post-quantum cryptography.” “This is the first unified communications software vendor to do this,” Zoom said in a blog post.

In Zoom’s case, this means using Kyber 768, a key encapsulation mechanism (KEM) algorithm that is standardized by the National Institute of Standards and Technology (NIST). NIST has been working to identify a set of “post-quantum” algorithms that can withstand attacks from future quantum computers.

While quantum computers are adept at solving complex mathematical equations, which means they can decode classical algorithms, existing systems are small in scale and have high error rates, said Heather West, quantum computing research manager at IDC Infrastructure Systems, Platforms, and Technology Group.

As a result, modern classical algorithms are not yet at risk; this may change as quantum computing advances, enabling systems that support Shor’s algorithm – a quantum algorithm that, by one definition, is able to “efficiently factorize large complex numbers” and thus reduce the time it takes to break classical encryption.

“Due to this advantage, there are concerns that some entities – particularly state-sponsored entities – are currently compromising and stealing long-lived data (e.g. finance, governments, Department of Defense, etc.) with the intention of exploiting quantum data in the future . systems to decrypt them and use them later,” West said.

Several initiatives are currently underway to identify and develop post-quantum cryptographic algorithms that organizations can implement to achieve quantum resilience. For example, NIST launched a global initiative in 2016 and is expected to release its final recommendations later this year. In 2022, US President Joseph R. Biden Jr. issued two security memorandums (NSM-8 and NSM-10) to provide government agencies with guidance and a time frame to begin implementing post-quantum cryptography.


Regarding Zoom’s post-quantum E2EE feature, West said the amount of information transferred via text messages and virtual meetings “is rather uncharted territory for post-quantum cryptography (PQC),” but is an important area of interest. “Confiscated information using these technologies could lead to national security breaches, accidental disclosure of company trade secrets, and more,” she said. “Zoom used this opportunity to identify a current area of data security vulnerabilities and develop an industry-changing PQC solution.”

Still, West points to “serious limitations” of Zoom’s approach. For example, for security purposes, all meeting participants must be using the Zoom desktop or mobile app version 6.0.10 or higher. “So there is no guarantee that everyone will use the most up-to-date version…” she said.

Additionally, Zoom’s use of post-quantum encryption means participants lose access to some key features, such as cloud recording. “For PQC to be effective, it must not only be secure against potential quantum cybersecurity breaches, but it should also provide the same performance and usability of applications and infrastructure as if it were not in use. This does not appear to be the case with the Zoom rollout,” West said.

Overall, West said all companies should consider how to keep encrypted data safe in the future.

“Organizations should take this risk seriously,” she said. “There seems to be a misconception that if an organization is not investing in quantum computing, there is no need to invest in post-quantum cryptography.”

According to her, cyberattacks using quantum algorithms could affect all companies and organizations. Some understand the importance of post-quantum cryptography and are waiting for NIST to release the final standards, but upgrading to post-quantum cryptography can be a “labor-intensive process,” so organizations should start now by inventorying and identifying at-risk data and infrastructure.


“Working with a supplier or PQC consultant can help you navigate the transition. PQC vendors and consultants can also help determine which solution is most appropriate for your organization,” West said.