Zoom rolls out encryption for all desktop and mobile users

Zoom has kicked off end-to-end encryption for its mobile and desktop apps. Phase one of the encryption rollout doesn't include meetings via a web browser.

Zoom, the big winner from remote working during the COVID-19 pandemic, is rolling out end-to-end encryption for all video meetings on mobile and desktop devices after criticism that it used "substandard" encryption.

On Tuesday, Zoom announced that end-to-end encryption (E2EE) is immediately available for users on Windows, macOS, and Android. The iOS version of the Zoom app is still awaiting approval from Apple's App Store review. It's being rolled out as a "technical preview" for 30 days, during which time Zoom aims to gather customer feedback about their experience with E2EE.

The company flagged its plans to roll out its E2EE capabilities last week. The desktop version with E2EE support is 5.4.0.

Zoom generates individual encryption keys that are used to encrypt voice and video calls between conference participants. The keys are stored on users' devices and are not shared with Zoom servers, meaning the company can't access or intercept the content of meetings.

Zoom's E2EE uses 256-bit AES encryption in Galois/Counter Mode (GCM) to protect online meetings, the company said in a statement. 

"This has been a highly requested feature from our customers, and we're excited to make this a reality," said Zoom CISO Jason Lee. 

"Kudos to our encryption team who joined us from Keybase in May and developed this impressive security feature within just six months."

Zoom nabbed Lee in June from his senior cybersecurity role at Salesforce, where he oversaw IT infrastructure, incident response, threat intel, identity and access management, and offensive security. Prior to that he worked at Microsoft as principal director of security engineering for the Windows and Devices division.

The company acquired encryption firm Keybase in May after it was criticized for claiming it used AES-256 encryption to secure video calls when it was actually using what security researchers labelled a "substandard" AES-128 key in Electronic Codebook (ECB) mode.
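To show concretely why researchers called AES-128 in ECB mode substandard and what AES-256-GCM changes, here is an added Go example (not Zoom's code; it uses only the standard library's crypto/aes and crypto/cipher, and the repeated "silent" audio frame is a constructed sample): it encrypts eight identical 16-byte frames under both modes and counts ciphertext blocks that repeat an earlier one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// repeatedBlocks counts 16-byte ciphertext blocks that repeat an earlier one.
func repeatedBlocks(ct []byte) int {
	seen, dup := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// compareModes encrypts pt under AES-128-ECB and AES-256-GCM with fresh random
// keys and returns how many ciphertext blocks each mode repeats: ECB runs the
// raw cipher per block, so equal frames leak; GCM uses a counter keystream.
func compareModes(pt []byte) (ecbDup, gcmDup int, err error) {
	if len(pt)%aes.BlockSize != 0 {
		return 0, 0, fmt.Errorf("ECB needs a multiple of %d bytes", aes.BlockSize)
	}
	key128, key256 := make([]byte, 16), make([]byte, 32)
	rand.Read(key128)
	rand.Read(key256)
	ecbCipher, _ := aes.NewCipher(key128) // key sizes are fixed, cannot fail
	ecb := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		ecbCipher.Encrypt(ecb[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	gcmCipher, _ := aes.NewCipher(key256)
	aead, _ := cipher.NewGCM(gcmCipher)
	nonce := make([]byte, aead.NonceSize()) // 96-bit nonce; must never repeat under one key
	rand.Read(nonce)
	sealed := aead.Seal(nil, nonce, pt, nil) // ciphertext || 16-byte authentication tag
	return repeatedBlocks(ecb), repeatedBlocks(sealed[:len(pt)]), nil
}

func main() {
	// Constructed sample: one 16-byte "silent" audio frame repeated eight times.
	fmt.Println(compareModes(bytes.Repeat(bytes.Repeat([]byte{0x00, 0x7f}, 8), 8))) // 7 0 <nil>
}
```

Seven of the eight ECB blocks are byte-for-byte copies of the first, so an observer with no key can see where the stream repeats; the GCM output has no repeats because each block is masked with a different keystream block, and the appended tag lets the receiver reject modified packets.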

"In typical meetings, Zoom's cloud meeting server generates encryption keys for every meeting and distributes them to meeting participants using Zoom clients as they join. With Zoom's new E2EE, the meeting's host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants," Zoom explained. 

"Zoom's servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents. Encrypted data relayed through Zoom's servers is indecipherable by Zoom, since Zoom's servers do not have the necessary decryption key."

Zoom notes that enterprise account admins can enable E2EE in the web interface at the account, group, and user level. Additionally, once E2EE is enabled, the host can turn E2EE on or off for any given meeting.

However, phase one of Zoom's roll-out lacks support for E2EE in a browser. Meeting participants need to join from the Zoom desktop client, mobile app, or Zoom Rooms for E2EE-enabled meetings, according to Zoom.