New security concept for Zoom groups

Zoom is one of the most popular software products for video conferencing in the world. Every day, it is used by millions of users, trusting that their data is secure and that their conversations cannot be intercepted. So far, this depends on the Zoom servers, which also control group access: They verify if all group members are in possession of the meeting password. Now, there is another way of doing this: CISPA-Faculty Professor Dr. Cas Cremers, his postdoc Mang Zhao, and Dr. Eyal Ronen, have developed a new method for access control where the Zoom servers do not know the password.

Since the coronavirus pandemic, video conferencing software such as Zoom has found its way into the private and professional lives of many people. Users usually require a password if they want to take part in a group conversation via Zoom. “At the moment, the password is shared with the server to determine who is allowed to participate”, explains CISPA-Faculty Cas Cremers. This, however, is a situation that Cremers does not agree with. Being in possession of the password, Zoom is theoretically able to interfere with the group’s members and add new members at will.

“We’re hoping, of course, that Zoom will say: ‘No, no, that is something that we’ll never do.’ But we don’t have a technical guarantee for this. We can only hope and trust that they won’t do that”, Cremers says. To him, it is important that security is not based solely on trust: “I want technology that is designed in such a way that we can convince ourselves that our connection is secure and that Zoom cannot eavesdrop. This is the guarantee I want to have.” The challenge for him was to develop a solution that did not require a complete redesign of Zoom. “In theory, you could come up with a system completely that is different to the one Zoom is currently using. But nobody would accept that”, Cremers continues.

Password exchange between users, not with the Zoom server

Cremers and his colleagues were faced with the task of designing a solution in which the Zoom server neither knows all the passwords nor uses them to control access. “Our idea was to no longer share the password with the server, but only with the participants”, Cremers explains. “They have to be able to establish a secure connection with each other without ever having to share the password outside the group.” To achieve this, Cremers and his colleagues have developed a modified key exchange protocol that is only performed between Zoom users, and does not involve Zoom’s servers. The process only takes place within the software, without the users having to actively do anything.

“We use a basic building block called PAKE (Password-based Key Exchange), which we integrate into the Zoom protocol. We use PAKE to enable groups to perform access control themselves, without relying on the Zoom server”, Cremers explains. Zoom does not publicly share its source code, so Cremers had to find another way to test his application: “We took the description of Zoom’s software from their whitepaper.” This is a technical description of the software published by the company itself, which describes the design of the software, but does not include all details. “So we can’t be 100 percent sure what Zoom actually uses. But from the developer’s perspective, the solution seems to work”, Cremers says.

A clear goal in mind: Showing what is possible

Cremers has not yet been in contact with Zoom Video Communications, although he would be open to it. In theory, the security mechanism he developed with his co-authors could be applied to other video conferencing software as well. Its practical implementation, however, is not something he focuses on so much. “In a sense, part of our work is about showing the community what options are available”, he says. “We demonstrate that more privacy and better security guarantees are not just a fantasy, but that there is a way to actually achieve them.” You also could say that Cremers’ research is holding up a mirror to the application-oriented IT industry, showing them what is, and is not, possible using the tools of foundational research. But Cremers also has another, more socio-political goal in mind: “We humans want to communicate in such a way that safeguards our privacy and prevents others from eavesdropping on our communications. This should even include the companies that provide the infrastructure for our communications.” His research ultimately aims to establish this wider societal goal.

Originalpublikation:

Cremers, Cas and Ronen, Eyal and Zhao, Mang (2024) “Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements.” In: IEEE Symposium on Security and Privacy.

https://publications.cispa.saarland/id/eprint/4014

The paper will be presented at the IEEE Symposium on Security and Privacy (S&P) in May 2024.

https://www.cispa.de/