Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements

Video conferencing apps like Zoom have hundreds of millions of daily users, making them a high-value target for surveillance and subversion. While such apps claim to achieve some form of end-to-end encryption, they usually assume an incorruptible server that identifies and authenticates all the parties in a meeting. Concretely, even when the "end-to-end encrypted" setting is used, a malicious Zoom server could eavesdrop on or impersonate members of arbitrary groups. In this work, we show how security against malicious servers can be improved by changing the way such protocols use passwords (known as passcodes in Zoom) and integrating a password-authenticated key exchange (PAKE) protocol. To formally prove that our approach achieves its goals, we formalize a class of cryptographic protocols suited to this setting and define a basic security notion for them, under which group security holds if the server is trusted to correctly authorize the group members. We prove that Zoom meets this notion. We then propose a stronger security notion that provides security against malicious servers, together with a transformation that achieves it. We show how to apply our transformation to Zoom to provably achieve stronger security against malicious servers, notably without introducing new security elements.
