Zoom Security - Myths and Facts
Zoom End-to-End Encryption
Zoom endpoints and clients carry signed certificates that let them establish secure communication with the certificates on Zoom's servers. This secure channel eliminates the possibility of eavesdropping on Zoom-based communications.
This encryption is similar to HTTPS, where traffic between a web server and the client is encrypted. When a lock appears in front of a URL in your browser, it means the traffic between your browser and the server is encrypted. This is accomplished with public-key cryptography: a browser connects to a web server (website) secured with SSL (https) and asks the server to identify itself. The server sends a copy of its SSL certificate, including the server's public key. If the browser trusts the certificate, it creates a symmetric session key, encrypts it with the server's public key, and sends it back. Any data encrypted with the public key can only be decrypted with the corresponding private key. The server decrypts the symmetric session key with its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session. From then on, server and browser encrypt all transmitted data with the session key. In this case the owner of the server, Zoom, holds the private key and can decrypt any data that flows between the web server and the client.
Zoom currently manages and stores all of the keys involved in user data encryption in its own cloud infrastructure. Because Zoom endpoints establish encrypted connections to the Zoom servers in that cloud infrastructure using public-key cryptography, Zoom retains the ability to decrypt any traffic that flows between its servers and the endpoints. In true E2E encryption, the host generates a symmetric key using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), encrypts it with the public key that the client sends, and sends the encrypted symmetric key back to the client. The traffic generated by clients is encrypted with that symmetric key, so it cannot be decrypted by the owner of the web server. This is clearly not the case with Zoom.
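As an added illustration (not code from the original article or from Zoom), the two key-distribution models described above modelled in Go with RSA-OAEP key transport and AES-256-GCM media encryption: in the server-held model the client encrypts the meeting key to the server's certificate key, so the server operator can recover it and read the media; in the E2E model the host encrypts it to the participant's public key and the relay sees only ciphertext. The party names, key sizes and the sample media frame are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// wrap transports the meeting key to whoever holds the private half of pub (RSA-OAEP).
func wrap(pub *rsa.PublicKey, key []byte) []byte {
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return ct
}

// canRead reports whether the holder of priv can unwrap the key and open the frame;
// a non-matching private key fails OAEP decryption, so the frame stays opaque.
func canRead(priv *rsa.PrivateKey, wrapped, frame []byte) bool {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return false
	}
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256
	gcm, _ := cipher.NewGCM(block)
	_, err = gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], nil)
	return err == nil
}

// Simulate one meeting (constructed scenario). Server-held model: the client wraps the
// key to the relay's certificate key and the relay re-wraps it for the peer. E2E: host wraps it to the peer.
func Simulate(e2e bool) (relayReads, peerReads bool) {
	peer, _ := rsa.GenerateKey(rand.Reader, 2048)
	relay, _ := rsa.GenerateKey(rand.Reader, 2048)
	meetingKey := make([]byte, 32) // host draws the AES-256 key from the CSPRNG
	rand.Read(meetingKey)
	block, _ := aes.NewCipher(meetingKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	frame := gcm.Seal(nonce, nonce, []byte("constructed audio frame"), nil) // media on the wire
	if e2e {
		wrapped := wrap(&peer.PublicKey, meetingKey)
		return canRead(relay, wrapped, frame), canRead(peer, wrapped, frame)
	}
	wrapped := wrap(&relay.PublicKey, meetingKey)
	relayKey, _ := rsa.DecryptOAEP(sha256.New(), nil, relay, wrapped, nil)
	return canRead(relay, wrapped, frame), canRead(peer, wrap(&peer.PublicKey, relayKey), frame)
}
```

Simulate(false) reports that both the relay and the peer can read the frame; Simulate(true) reports that only the peer can.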
Zoom Gov Cloud
Zoom for Government is a FedRAMP Authorized SaaS service operating at the FedRAMP "Moderate" baseline. Zoom for Government has a separate Software Development Lifecycle (SDLC) that is implemented and controlled by US Persons only. No foreign nationals are allowed access to Zoom for Government. It is, however, important to understand the difference between the FedRAMP Moderate and High baseline controls.
Operating at the FedRAMP Moderate baseline means the Cloud Service Offering (CSO) is operated and controlled only by US Persons, including all customer support personnel, sales engineers, and operations personnel. At this baseline, a loss of confidentiality, integrity, or availability (CIA) would have serious adverse effects on an agency's operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or harm to individuals that stops short of loss of life or physical injury.
The FedRAMP High baseline is used mostly for the government's most sensitive unclassified data in cloud computing environments, including data where a compromise could involve loss of life or financial ruin. The FedRAMP High baseline consists of an additional 96 controls compared to the FedRAMP Moderate baseline.
In a recent statement by the Pentagon, the spokesman said the new guidance permits use of Zoom for Government, a paid-tier service hosted in a separate cloud authorized by the Federal Risk and Authorization Management Program, for video conferencing about publicly releasable DOD information not categorized as 'For Official Use Only.'
Recent Security Enhancements
In a statement on April 22, 2020, Zoom announced security enhancements in the upcoming release of Zoom 5.0, which will support AES-256 Galois/Counter Mode (GCM) encryption. This is a significant upgrade from its predecessor, which used a 128-bit AES key. The company also announced a new "data routing control" feature that gives customers the ability to choose which data regions their traffic avoids. Data Routing Control will allow users to opt out of specific Zoom data center locations around the globe, limiting where conference data can be routed.
In another statement, Zoom announced that by the end of 2020 it will offer customers the ability to manage their own private keys by hosting Zoom infrastructure on-premises. This will allow customers to enable end-to-end encryption by running the entire Zoom infrastructure (clients, servers, and connectors) in-house.