“While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
That is truly an ominous statement. It is especially daunting because it came from Zoom, the audio and video conferencing service that has rapidly gained fame during the COVID-19 crisis. Their stock has risen, their user base has grown, and they’ve become a household name as citizens of the world shelter in place. Our kids are using it as schools patchwork together distance learning, our seniors are using it to consult with doctors and seek to remain connected to family, and our expanded work-from-home economy is using it to replace team meetings and water cooler conversations. The increase has come hand-in-hand with reports of unauthorized use. Hackers are entering virtual classrooms and joining meetings, with intentions of disruption at minimum and malice in some cases. A recent anecdote from a colleague relayed that a high school teacher simply truncated a study session when they were unable to convince the intruder to leave and lacked the ability to expel the offending user from the group.
These all-too-common demonstrations of vulnerability yielded a closer look at Zoom’s technological underpinnings and a scathing report from the University of Toronto researchers. Despite many security insiders praising Zoom’s responsiveness and willingness to address the findings, key issues such as incongruity between public documentation and marketing claims and their actual technology in use are very troubling. For example, researchers highlight that “a single AES-128 key is used in ECB mode by all participants” instead of the promised AES-256, let alone the common-sense usage of unique keys for each participant or avoidance of the less favored ECB mode. They also expose troubling protocols for keys being generated and delivered via servers in China for users worldwide.
Don’t get me wrong - each of these technological choices are defendable. Implementing AES-128-ECB is even an available option within a FIPS 140-2 validated encryption module, the U.S. federal government’s mandated benchmark and certification program for cryptography. Leveraging engineering teams and resources offshore are commonplace, even for products approved for use in the Public Sector, although China is generally frowned upon.
However, it is very concerning that Zoom was certified for FedRAMP, the U.S. Federal Risk And Management Program, which authorizes Cloud-based technology solutions for use across government agencies, in April 2019 without requiring FIPS 140-2 validation. Encryption modules are voluntarily tested by a network of independently accredited laboratories against the FIPS 140 standard and reports are sent to the aptly-named Cryptographic Module Validation Program (CMVP), operated jointly by the United States National Institute of Standards and Technology (NIST) and their Canadian counterpart, to be validated and certified. FIPS 140 and the CMVP are not perfect, but their explicit and singular role is to confirm which encryption modules have been approved for use in government. It is the official position of NIST that any cryptography that has not been validated for conformance to FIPS 140-2 (scheduled to be replaced by FIPS 140-3) should be considered to be no better than plaintext. It is that increased level of scrutiny on cryptographic implementations that gives us all assurance and confidence that a solution is safe for all use cases from sensitive government discussions to just calling your grandparents.
If you’d like to advance the idea that the FIPS standards should be tightened to exclude AES-128, or the EBC mode, or keys generated in China; or that they should be expanded to include an audit of a vendor’s marketing materials to ensure they reflected the implementation, for example, you could make an argument. But ultimately, without FIPS 140-2 validation, Zoom should not have been granted authorization by FedRAMP, should not have been deployed in seven different U.S. agencies, including, ironically, the Centers for Disease Control and Prevention, and should not have been the tool of choice for schools around the country and worldwide. Each U.S. government compliance program has an obligation to use NIST guidance as a building block, not a nuisance to be ignored and avoided.
Whether or not you believe Zoom’s cryptographic choices were justified, or their public response was appropriate, or their allegiance to the Chinese government is overblown, the FIPS 140-2 standard applies here and should have been enforced.