Zoom brings ‘post-quantum’ end-to-end encryption to video meetings

Zoom is adding “post-quantum” end-to-end encryption to its video and voice meeting software. The aim is to protect communication data sent between its apps once quantum computers are sufficiently powerful to compromise existing encryption methods.

Right now, it’s difficult for current or “classical” computers to break the modern encryption algorithms that protect internet communications — that means anything from text messages to online banking or shopping. But security experts are concerned cybercriminals can collect encrypted data now and decrypt it once quantum computers become sufficiently capable, a strategy referred to as “harvest now, decrypt later.”

To secure communications on its meetings apps in the long term, Zoom on Tuesday said it will enhance existing E2EE capabilities available in its Zoom Workplace apps with “post-quantum cryptography.” It’s the first unified communication software vendor to do so, Zoom claimed in a blog post.

For Zoom, this means the use of Kyber 768, a key encapsulation mechanism (KEM) algorithm that’s being standardized by the National Institute of Standards and Technology (NIST). NIST has been working to identify a set of “post-quantum” algorithms that can withstand attacks from future quantum computers. 

Although quantum computers are adept at solving complex mathematical equations, meaning they could decrypt classical algorithms, existing systems are small scale and plagued with high error rates, said Heather West, research manager for quantum computing at IDC’s Infrastructure Systems, Platforms, and Technology Group.

As a result, modern classical algorithms are not yet at risk; that could change as quantum computing advances, enabling systems that can run Shor’s algorithm — a quantum algorithm that, according to one definition, is able to “efficiently factorize large composite numbers” and therefore reduce the time taken to break classical encryption.

“Due to this advantage, there is concern that some entities — specifically state-sponsored actors — are breaching and stealing data with a long-shelf life value now (think financial, government, DOD, etc.) with the intent of using future quantum systems to decrypt it and use it later,” said West.

Several initiatives are now under way to identify and develop post-quantum cryptographic algorithms organizations can deploy to become quantum-resilient. For example, NIST launched a global initiative in 2016 and is expected to release its final recommendations later this year. In 2022, US President Joseph R. Biden Jr. issued two security memorandums (NSM-8 and NSM-10) to provide government agencies with the guidance and timeframes to begin implementing post-quantum cryptography.

As for Zoom’s post-quantum E2EE feature, West said the amount of information transferred via text messages and in virtual meetings “is a rather unexplored territory for post-quantum cryptography [PQC],” but is an important area of focus. “Compromised information using these technologies could lead to national security breaches, the accidental exposure of company trade secrets, and more,” she said. “Zoom has taken this opportunity to identify a current area of data security weakness and develop an industry disruptive PQC solution.”

Even so, West points to “severe limitations” in Zoom’s approach. For example, to be secure, all meeting participants are required to use the Zoom desktop or mobile app version 6.0.10 or higher. “So there is no guarantee that everyone will be using the most up-to-date version…,” she said.

In addition, using Zoom’s post-quantum encryption means participants lose access to some key features, such as cloud recording. “For PQC to be effective, not only must it be secure against potential quantum cyber security breaches, but it should also allow for the same performance and utility of the applications and infrastructure than if it weren’t being used. This doesn’t seem to be the case with Zoom’s implementation,” West said.

In general, West said all businesses should be considering how to keep encrypted data safe in future.

“Organizations should be taking this risk seriously,” she said. “There seems to be a misconception that if an organization is not investing in quantum computing there isn’t a need to invest in post-quantum cryptography.” 

Cyberattacks using quantum algorithms have the potential to affect all businesses and organizations, she said. Some understand the importance of post-quantum cryptography and are waiting for final standards from NIST to be released, but updating to post-quantum cryptography can be a “laborious process,” so organizations should get started now by inventorying and identifying at-risk data and infrastructure. 

“Partnering with a PQC vendor or consultant can help guide the transition. PQC vendors and consultants can also help to determine what solution is most suitable for the organization,” said West.