Zoom acquires encryption startup Keybase

Video communications company Zoom is buying Keybase, makers of an end-to-end encrypted messaging and cloud storage system. The acquisition is the first purchase in Zoom's history.

With Keybase, Zoom users will have the ability to add end-to-end encryption to video calls -- a significant development on Zoom's 90-day security push. 

Zoom came under fire earlier this year for saying that its platform used end-to-end encryption when in fact it did not. Zoom's marketing practices suggested that the company used the AES-256 encryption standard to keep video calls secure, but instead, a substandard AES-128 key in ECB mode was actually in use. 

Encryption has remained a focal point for Zoom over the last several weeks and is at the forefront of the company's 90-day plan to improve the security and privacy capabilities of its platform. In a blog post Thursday, Zoom CEO Eric Yuan said the Keybase acquisition will allow Zoom to offer an end-to-end encrypted meeting mode to all paid accounts.

Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom's network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host's client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.

These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. Zoom Rooms and Zoom Phone participants will be able to attend if explicitly allowed by the host. Encryption keys will be tightly controlled by the host, who will admit attendees. We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300 million daily meeting participants, including those at some of the world's largest enterprises. 

Zoom was an early beneficiary of the videoconferencing boom spurred by the novel coronavirus pandemic, but the platform's weaknesses were quickly exposed after experts found security flaws in the app's code and privacy issues with user data management. Facing mounting criticism, Yuan announced on April 1 that the company would stop development on all new app features and focus entirely on security. 

A week later, the company hired former Facebook security chief Alex Stamos as an outside security consultant. The came Zoom's 5.0 update, which added data center routing capabilities for account administrators. The feature was meant to allay fears that Zoom chats and encryption keys were being sent to Chinese servers, where the data could be hijacked by Chinese intelligence.

Looking ahead, Zoom said it will publish a draft cryptographic design on May 22 and then solicit feedback from crypto experts and customers before settling on a final design and pushing it out to Zoom users. Zoom has also promised that it will not build a mechanism to decrypt live meetings for lawful interception, nor will it build any cryptographic backdoors that would allow the company to secretly insert people into meetings.