Zoom 5.0 update brings new encryption standard

Zoom has introduced new version of its client called Zoom 5.0, which brings a new encryption standard for video calls. The popular video calling app, announced the release of Zoom 5.0, in which it switched to AES 256-bit GCM encryption. Here are the new features of Zoom 5.0 and the changes made …

Zoom has been the focus of criticism on security and privacy and has grown 20 times in 3 months in terms of usage, reaching 200 million users a day, thus became the most hyped tool for online meetings.

What encryption standard was Zoom using before Zoom 5.0 update?

The software used the AES-256 ECB encryption standard in previous versions. This standard includes a decrypted AES-128 security key to decode packets (or information) transmitted between servers.

However, Alex Stamos, a well known expert who joined Zoom’s recently formed CISO advisory council told that the company is now turned to the AES 256-bit GCM encryption standard, with Zoom 5.0.

What is AES encryption standard?

AES (Advanced Encryption Standard) is the most popular encryption algorithm for block encryption today. It has been accepted as a standard by the US National Institute of Standards and Technology in 2001, replacing the DES and the 3DES at the time.

What does “256-bit” mean?

The size of an AES block is 128-bit, but the encryption key can be 128, 192 or 256-bit. As the bits increase, the strength of the encryption and hence the difficulty of decoding increases.

Difference between AES ECB and GCM encryption standards

Abbreviated as Electronic Code Book, ECB is actually known as the simplest standard for AES. It is generally not recommended, except for one-time use.

As seen in the diagram above, plain text is divided into 128-bit blocks, which are the length of an AES block. Each block is then encrypted with the same key and algorithm.

GCM, which stands for Galois / Counter Mode, carries three important parameters. These are a one-time number (nonce), key, and shared secret. The difference in GCM encryption is that the authentication phase depends on the previous blocks, and a more complex standard is introduced with multiplication applied at different levels.

Will AES 256-bit GCM encryption mode make Zoom more secure?

Yes, strictly according to ECB mode. Although end-to-end encryption has not yet been used, Alex Stamos said that while the company will work with end-to-end encryption by working with renowned cryptographers in the long term, there is no reason for those who are not already using it to trust.

Features that come with Zoom 5.0 update

Speaking about the new version, Zoom CEO Eric S. Yuan said, “I am proud to reach this step in our 90-day plan, but this is just the beginning. We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”

Network:

● AES 256-bit GCM encryption: Zoom is upgrading to the AES 256-bit GCM encryption standard, which offers increased protection of your meeting data in transit and resistance against tampering. This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30.

● Control Data Routing: The account admin may choose which data center regions their account-hosted meetings and webinars use for real-time traffic at the account, group, or user level.

User Experience and Controls:

● Security icon: Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the hosts’ interface.

● Robust host controls: Hosts will be able to “Report a User” to Zoom via the Security icon. They may also disable the ability for participants to rename themselves. For education customers, screen sharing now defaults to the host only.

● Waiting Room default-on: Waiting Room, an existing feature that allows a host to keep participants in individual virtual waiting rooms before they are admitted to a meeting, is now on by default for education, Basic, and single-license Pro accounts. All hosts may now also turn on the Waiting Room while their meeting is already in progress.

● Meeting password complexity and default-on: Meeting passwords, an existing Zoom feature, is now on by default for most customers, including all Basic, single-license Pro, and K-12 customers. For administered accounts, account admins now have the ability to define password complexity (such as length, alphanumeric, and special character requirements). Additionally, Zoom Phone admins may now adjust the length of the pin required for accessing voicemail.

● Cloud recordings passwords: Passwords are now set by default to all those accessing cloud recordings aside from the meeting host and require a complex password. For administered accounts, account admins now have the ability to define password complexity.

● Secure Account Contact Sharing: Zoom 5.0 will support a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.

● Dashboard enhancement: Admins on business, enterprise, and education plans can view how their meetings are connecting to Zoom data centers in their Zoom Dashboard. This includes any data centers connected to HTTP Tunnel servers, as well as Conference Room Connectors and gateways.

● Additional: Users may now opt to have their Zoom Chat notifications not show a snippet of their chat; new non-PMI meetings now have 11-digit IDs for added complexity; and during a meeting, the meeting ID and Invite option have been moved from the main Zoom interface to the Participants menu, making it harder for a user to accidentally share their meeting ID.