Zoom Introduces End-to-End Post-Quantum Encryption For Video Conferencing – Computer World


To protect users when quantum computers are able to decode encrypted data, Zoom intends to be the first video conferencing software provider to use post-quantum cryptography.

After much criticism of its security practices, Zoom has announced that it has equipped its video and voice meeting software with end-to-end “post-quantum” encryption. The goal is to protect communication data sent between its applications once quantum computers become powerful enough to compromise existing encryption methods. Current, or “classical,” computers do not have sufficient capabilities to break the modern encryption algorithms that protect communications passing through the Internet, be it text messages, banking services, or online shopping. But security experts worry that cybercriminals have already started collecting encrypted data in order to decrypt it when quantum computers are powerful enough, a retrospective decryption strategy called “harvest now, decrypt later.”

To secure communication in its meeting apps in the long term, Zoom announced Tuesday that it is expanding the existing E2EE capabilities available in its Workplace apps to include “post-quantum cryptography.” “We are the first unified communications software vendor to do this,” Zoom said in a blog post. To do this, the company will use Kyber 768, a Key Encapsulation Mechanism (KEM) algorithm currently being standardized by the National Institute of Standards and Technology (NIST). NIST is working to identify a set of “post-quantum” algorithms that can withstand attacks from future quantum computers. “Although quantum computers are unable to solve complex mathematical equations, they could decipher classical algorithms on existing systems, given their small scale and high error rate,” said Heather West, quantum computing research leader in IDC’s Infrastructure Systems, Platforms and Technology group.

Save for later deciphering

Therefore, modern classical algorithms are not yet threatened, but this could change with advances in quantum computing that allow systems to run Shor’s algorithm. This quantum algorithm would be able to “efficiently factorize large composite numbers,” reducing the time needed to break classical encryption. “Because of this advantage, there is concern that some entities, especially state-backed actors, may hack and steal long-term data (finance, government, defense, etc.) with the intention of using future quantum systems to decrypt it and use it later,” Ms. West added. Several initiatives are underway to identify and develop post-quantum cryptographic algorithms that companies can deploy to resist attacks from quantum computers. For example, in 2016 NIST launched a global initiative and is expected to issue its final recommendations later this year. In 2022, President Biden issued two security memoranda (NSM-8 and NSM-10) to provide guidance and timelines for government agencies to begin implementing post-quantum cryptography.

Regarding Zoom’s post-quantum E2EE feature, West said that the amount of information transmitted via text messages and virtual meetings “remains uncharted territory for Post-Quantum Cryptography (PQC)” but that it is an important area to focus on. “Information compromised using these technologies could lead to breaches of national security, accidental disclosure of company trade secrets, and more,” she said. “Zoom took this opportunity to identify a currently fragile area in data security and develop an industry-disruptive post-quantum cryptography solution.”

Restrictions on Use

However, Ms. West highlights “serious limitations” to Zoom’s approach. For example, to ensure security, all meeting participants must be using version 6.0.10 or higher of the Zoom desktop or mobile app. “However, there is no guarantee that everyone is using the latest version…” she warned. In addition, Zoom’s use of post-quantum encryption means that participants will lose access to some key features, such as cloud recording. “To be effective, PQC must not only protect against potential quantum cybersecurity breaches, but also enable the same performance and utility of applications and infrastructure as if they were not in use. This does not appear to be the case with the Zoom implementation,” Ms. West said.

In general, IDC’s head of quantum computing research believes that all companies should be thinking about how to ensure the security of their encrypted data in the future. “They should take this risk seriously,” she insisted. “Many seem to mistakenly believe that if a company does not invest in quantum computers, there is no need to invest in post-quantum cryptography. Cyberattacks using quantum algorithms have the potential to affect all businesses and organizations. Some understand the importance of post-quantum cryptography and are waiting for NIST’s final standards to be released, but updating to post-quantum cryptography is likely to be a ‘laborious process.’” That’s why she recommends that companies start inventorying and identifying risky data and infrastructure now. “Partnering with a PQC supplier or consultant can support them in the transition. Post-quantum cryptography vendors and consultants can also help determine the best solution for business.”


