Zoom will make its end-to-end encryption (E2EE) mode for video conferences publicly available as a technical preview starting next week, after first flagging the security enhancement in March this year.
The E2EE feature has to be enabled by desktop and mobile app users, and it is built around public-key cryptography utilising the popular Galois/Counter Mode (GCM) stream cipher operation, which is considered high-performance and secure.
Enabling E2EE means audio and video streams between Zoom apps will be encrypted with keys that are generated by the meeting host, and distributed to other participants.
This means only meeting participants have access to the encryption/decryption keys, and nobody else, not even Zoom, can intercept the traffic.
A green shield graphic with a padlock will appear when E2EE is enabled, and Zoom call participants can see the host’s security code, comprising eight five-digit groups of security numbers for verification.
Currently, Zoom encrypts audio, video and application sharing for meetings and webinars with 256-bit Advanced Encryption Standard (AES) GCM using keys generated on the company’s cloud servers.
In the technical preview of E2EE, some meeting features will be disabled when the security feature is switched on.
Join before host, cloud recording, streaming, live transcription, breakout rooms, polling, one-on-one private chats and meeting reactions all stop working with E2EE enabled.
Single sign-on (SSO) integration with E2EE is tentatively on Zoom’s roadmap for 2021 as well.
Zoom will require additional information from users wanting to enable E2EE, such as verification of their phone numbers through text messages.
This is done to reduce the mass creation of abusive accounts, said Max Krohn, Zoom’s head of security engineering.
The company, which claims to have 300 million daily users, has been criticised for poor security in the past, including the use of weak encryption keys that were distributed from servers in China where authorities could demand access to them from Zoom.
Zoom’s E2EE announcement follows this week’s statement from the Western Five-Eyes intelligence sharing alliance, and Japan and India, which demands that tech companies introduce backdoors in encrypted communications for lawful interception.