Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements

Cas Cremers*, Eyal Ronen, Mang Zhao

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Video conferencing apps like Zoom have hundreds of millions of daily users, making them a high-value target for surveillance and subversion. While such apps claim to achieve some forms of end-to-end encryption, they usually assume an incorruptible server that is able to identify and authenticate all the parties in a meeting. Concretely this means that, e.g., even when using the "end-to-end encrypted"setting, malicious Zoom servers could eavesdrop or impersonate in arbitrary groups.In this work, we show how security against malicious servers can be improved by changing the way in which such protocols use passwords (known as passcodes in Zoom) and integrating a password-authenticated key exchange (PAKE) protocol.To formally prove that our approach achieves its goals, we formalize a class of cryptographic protocols suitable for this setting, and define a basic security notion for them, in which group security can be achieved assuming the server is trusted to correctly authorize the group members. We prove that Zoom indeed meets this notion. We then propose a stronger security notion that can provide security against malicious servers, and propose a transformation that can achieve this notion. We show how we can apply our transformation to Zoom to provably achieve stronger security against malicious servers, notably without introducing new security elements.

Original languageEnglish
Title of host publicationProceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages2686-2704
Number of pages19
ISBN (Electronic)9798350331301
DOIs
StatePublished - 2024
Event45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States
Duration: 20 May 202423 May 2024

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011

Conference

Conference45th IEEE Symposium on Security and Privacy, SP 2024
Country/TerritoryUnited States
CitySan Francisco
Period20/05/2423/05/24

Fingerprint

Dive into the research topics of 'Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements'. Together they form a unique fingerprint.

Cite this