Security Analysis of End-to-End Encryption for Zoom Meetings Takanori Isobe1,2,3, Ryoma Ito2 1 University of Hyogo, 2 NICT, 3 JST PRESTO ACISP 2021 December 1-3, 2021

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 2 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowden’s revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Introduction

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 3 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowden’s revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Introduction

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Zoom 4 *https://github.com/zoom/zoom-e2e-whitepaper (the latest version is 3.2 as of November 2021.) Introduction Video conference system n developed by Zoom Video Communications, Inc. n The number of daily active users was about 300 million, as of April 2020 n announced their plan to support E2EE in May 2020; published as a whitepaper* u defines Client Key Management (Phase I), Identity (Phase II), Transparency Tree (Phase III), and Real-Time Security (Phase IV) u Our target: whitepaper version 2.3.1 (November 3, 2020)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Zoom 5 *https://github.com/zoom/zoom-e2e-whitepaper (the latest version is 3.2 as of November 2021.) Introduction Video conference system n developed by Zoom Video Communications, Inc. n The number of daily active users was about 300 million, as of April 2020 n announced their plan to support E2EE in May 2020; published as a whitepaper* u defines Client Key Management (Phase I), Identity (Phase II), Transparency Tree (Phase III), and Real-Time Security (Phase IV) u Our target: whitepaper version 2.3.1 (November 3, 2020)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Our Contributions 6 No. Attack Type* Adversary** Victim** Ref. 1 Impersonation Active L/P L/P This work 2 Impersonation Passive I L/P/O This work 3 Impersonation Active I c.w. L L/P/O This work 4 Impersonation Active O c.w. I, L L/P/O This work 5 Impersonation Active O c.w. L L/P/O Appendix 6 Impersonation Active O c.w. I O Full version 7 Tampering Passive I L/P This work 8 Denial of Service Passive I P Full version *Active-type attack: an adversary can properly send and receive the meeting contents. *Passive-type attack: an adversary cannot properly send and receive the meeting contents. **I: Insider, O: Outsider, P: Participant, L: Leader **c.w.: an abbreviation of “colluding with” Introduction Security analysis of E2EE for Zoom meetings n Several attacks more powerful than those expected by the Zoom security team [Full vresion] T. Isobe and R. Ito, Security Analysis of End-to-End Encryption for Zoom Meetings, IEEE Access, 2021.

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Our Contributions 7 *Active-type attack: an adversary can properly send and receive the meeting contents. *Passive-type attack: an adversary cannot properly send and receive the meeting contents. **I: Insider, O: Outsider, P: Participant, L: Leader **c.w.: an abbreviation of “colluding with” Introduction Security analysis of E2EE for Zoom meetings n Several attacks more powerful than those expected by the Zoom security team [Full vresion] T. Isobe and R. Ito, Security Analysis of End-to-End Encryption for Zoom Meetings, IEEE Access, 2021. No. Attack Type* Adversary** Victim** Ref. 1 Impersonation Active L/P L/P This work 2 Impersonation Passive I L/P/O This work 3 Impersonation Active I c.w. L L/P/O This work 4 Impersonation Active O c.w. I, L L/P/O This work 5 Impersonation Active O c.w. L L/P/O Appendix 6 Impersonation Active O c.w. I O Full version 7 Tampering Passive I L/P This work 8 Denial of Service Passive I P Full version Zoom deems some attacks, including in-meeting impersonation attacks n A malicious but otherwise authorized meeting participant colluding with a malicious server can masquerade as another authorized meeting participant More powerful impersonation attacks n If insiders collude with meeting participants, insiders can impersonate any Zoom user in target meetings (active-type attack). n Even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings, but they cannot decrypt the meeting contents (passive-type attack).

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Our Contributions 8 *Active-type attack: an adversary can properly send and receive the meeting contents. *Passive-type attack: an adversary cannot properly send and receive the meeting contents. **I: Insider, O: Outsider, P: Participant, L: Leader **c.w.: an abbreviation of “colluding with” Introduction Security analysis of E2EE for Zoom meetings n Several attacks more powerful than those expected by the Zoom security team [Full vresion] T. Isobe and R. Ito, Security Analysis of End-to-End Encryption for Zoom Meetings, IEEE Access, 2021. No. Attack Type* Adversary** Victim** Ref. 1 Impersonation Active L/P L/P This work 2 Impersonation Passive I L/P/O This work 3 Impersonation Active I c.w. L L/P/O This work 4 Impersonation Active O c.w. I, L L/P/O This work 5 Impersonation Active O c.w. L L/P/O Appendix 6 Impersonation Active O c.w. I O Full version 7 Tampering Passive I L/P This work 8 Denial of Service Passive I P Full version Zoom deems some attacks, including in-meeting impersonation attacks n A malicious but otherwise authorized meeting participant colluding with a malicious server can masquerade as another authorized meeting participant More powerful impersonation attacks n If insiders collude with meeting participants, insiders can impersonate any Zoom user in target meetings (active-type attack). n Even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings, but they cannot decrypt the meeting contents (passive-type attack).

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Adversary Models 9 Insiders Service providers can intercept, read, and modify any meeting contents sent over the network, and have full access to Zoom’s infrastructure. Meeting participants can access a meeting and attempt to break the security of E2EE by maliciously manipulating the protocol. Participants do not have a group key have a group key Preliminaries Any Zoom users who are uninvited to a meeting may monitor, intercept, modify network traffic, and attempt to break the security of E2EE. Outsiders do not have a group key A meeting leader has the responsibility of generating and distributing the shared group key and attempt to break the security of E2EE. Leader has a group key

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Adversary Models 10 Insiders Service providers can intercept, read, and modify any meeting contents sent over the network, and have full access to Zoom’s infrastructure. Meeting participants can access a meeting and attempt to break the security of E2EE by maliciously manipulating the protocol. Participants do not have a group key have a group key Preliminaries Any Zoom users who are uninvited to a meeting may monitor, intercept, modify network traffic, and attempt to break the security of E2EE. Outsiders do not have a group key A meeting leader has the responsibility of generating and distributing the shared group key and attempt to break the security of E2EE. Leader has a group key

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Adversary Models 11 Insiders Service providers can intercept, read, and modify any meeting contents sent over the network, and have full access to Zoom’s infrastructure. Meeting participants can access a meeting and attempt to break the security of E2EE by maliciously manipulating the protocol. Participants do not have a group key have a group key Preliminaries Any Zoom users who are uninvited to a meeting may monitor, intercept, modify network traffic, and attempt to break the security of E2EE. Outsiders do not have a group key A meeting leader has the responsibility of generating and distributing the shared group key and attempt to break the security of E2EE. Leader has a group key

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Adversary Models 12 Insiders Service providers can intercept, read, and modify any meeting contents sent over the network, and have full access to Zoom’s infrastructure. Meeting participants can access a meeting and attempt to break the security of E2EE by maliciously manipulating the protocol. Participants do not have a group key have a group key Preliminaries Any Zoom users who are uninvited to a meeting may monitor, intercept, modify network traffic, and attempt to break the security of E2EE. Outsiders do not have a group key A meeting leader has the responsibility of generating and distributing the shared group key and attempt to break the security of E2EE. Leader has a group key

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 13 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) u When upgrading the user’s Zoom application to the first version that supports E2EE u The Local Key Security mechanism keeps the key pair secure 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi 3. A meeting leader generates the shared group key MK 4. The meeting leader verifies the signature Sigi for the participant i 5. The meeting leader distributes the shared group key to the participant i 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants Preliminaries

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 14 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) u When upgrading the user’s Zoom application to the first version that supports E2EE u The Local Key Security mechanism keeps the key pair secure 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi 3. A meeting leader generates the shared group key MK 4. The meeting leader verifies the signature Sigi for the participant i 5. The meeting leader distributes the shared group key to the participant i 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants (IVKA , ISKA ) (IVKB , ISKB ) IVKA IVKB Preliminaries

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 15 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi u Computes Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) u Computes Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519 3. A meeting leader generates the shared group key MK 4. The meeting leader verifies the signature Sigi for the participant i 5. The meeting leader distributes the shared group key to the participant i 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants Preliminaries (skA , pkA ) BindingA meetingID, meetingUUID pkA , SigA (skB , pkB ) BindingB meetingID, meetingUUID pkB , SigB

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 16 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi 3. A meeting leader generates the shared group key MK u Generates a 32-byte seed using a secure random number generator 4. The meeting leader verifies the signature Sigi for the participant i 5. The meeting leader distributes the shared group key to the participant i 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants Preliminaries MK ← rand()

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 17 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi 3. A meeting leader generates the shared group key MK 4. The meeting leader verifies the signature Sigi for the participant i u Computes Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) u Verifies Sigi : Sign.Verify(IVKi , Sigi , Context ∥ Bindingi ) with EdDSA over Ed25519 5. The meeting leader distributes the shared group key to the participant i 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants Preliminaries IVKB IVKA BindingB BindingA pkB , SigB pkA , SigA

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Protocol Flow 18 1. Each participant i generates a long-term signature key pair (IVKi , ISKi ) 2. Each participant i generates a new ECDH key pair (ski , pki ) and a signature Sigi 3. A meeting leader generates the shared group key MK 4. The meeting leader verifies the signature Sigi for the participant i 5. The meeting leader distributes the shared group key to the participant i u encrypts MK: Ci ← Enc(skL , pki , Meta, MK) with ECDHKE and XChaCha20-Poly1305 u distributes Ci to the participant i via the bulletin board 6. The participants use MK to encrypt all meeting contents with AES-GCM Server Leader A Participant B Bulletin board* *Bulletin board is implemented on TLS tunnels over TCP to post cryptographic message by the meeting participants Preliminaries pkB pkA , (B, CB ) (skA , pkA ) MK (skB , pkB ) (B, CB ) → MK (B, CB )

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Our Contributions 19 No. Attack Type* Adversary** Victim** Ref. 1 Impersonation Active L/P L/P This work 2 Impersonation Passive I L/P/O This work 3 Impersonation Active I c.w. L L/P/O This work 4 Impersonation Active O c.w. I, L L/P/O This work 5 Impersonation Active O c.w. L L/P/O Appendix 6 Impersonation Active O c.w. I O Full version 7 Tampering Passive I L/P This work 8 Denial of Service Passive I P Full version *Active-type attack: an adversary can properly send and receive the meeting contents. *Passive-type attack: an adversary cannot properly send and receive the meeting contents. **I: Insider, O: Outsider, P: Participant, L: Leader **c.w.: an abbreviation of “colluding with” Security analysis of E2EE for Zoom meetings n Several attacks more powerful than those expected by the Zoom security team Security Analysis

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 1: Impersonation Based on No Entity Authentication 20 Impersonation based on Vulnerability 1 (active-type attack) n Adversaries: Participants/Leader n Victims: Any legitimate participants n Attack Procedure 1. An adversary joins the meeting as a legitimate participant and derives MK 2. The adversary encrypts M with MK and broadcasts C with the victim’s metadata (e.g., sender ID) to the other participants Vulnerability 1 (No Entity Authentication) Even if a meeting content is received from a particular meeting participant, the authenticity of the contents is not ensured because there is no entity authentication when using AES-GCM. Security Analysis Participant Victim Bulletin board MK MK Leader MK ① ② ② ① ①

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 1: Impersonation Based on No Entity Authentication 21 Impersonation based on Vulnerability 1 (active-type attack) n Adversaries: Participants/Leader n Victims: Any legitimate participants n Attack Procedure 1. An adversary joins the meeting as a legitimate participant and derives MK 2. The adversary encrypts M with MK and broadcasts C with the victim’s metadata (e.g., sender ID) to the other participants Vulnerability 1 (No Entity Authentication) Even if a meeting content is received from a particular meeting participant, the authenticity of the contents is not ensured because there is no entity authentication when using AES-GCM. Security Analysis Participant Victim Bulletin board MK MK Leader MK ① ② ② ① ①

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 1: Impersonation Based on No Entity Authentication 22 Impersonation based on Vulnerability 1 (active-type attack) n Adversaries: Participants/Leader n Victims: Any legitimate participants n Attack Procedure 1. An adversary joins the meeting as a legitimate participant and derives MK 2. The adversary encrypts M with MK and broadcasts C with the victim’s metadata (e.g., sender ID) to the other participants Vulnerability 1 (No Entity Authentication) Even if a meeting content is received from a particular meeting participant, the authenticity of the contents is not ensured because there is no entity authentication when using AES-GCM. Security Analysis Participant Victim Bulletin board MK MK Leader MK ① ② ② ① ①

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 1: Impersonation Based on No Entity Authentication 23 Impersonation based on Vulnerability 1 (active-type attack) n Adversaries: Participants/Leader n Victims: Any legitimate participants n Attack Procedure 1. An adversary joins the meeting as a legitimate participant and derives MK 2. The adversary encrypts M with MK and broadcasts C with the victim’s metadata (e.g., sender ID) to the other participants Vulnerability 1 (No Entity Authentication) Even if a meeting content is received from a particular meeting participant, the authenticity of the contents is not ensured because there is no entity authentication when using AES-GCM. Security Analysis Participant Victim Bulletin board MK MK Leader MK ① ② ② ① ①

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 1: Impersonation Based on No Entity Authentication 24 Impersonation based on Vulnerability 1 (active-type attack) n Adversaries: Participants/Leader n Victims: Any legitimate participants n Attack Procedure 1. An adversary joins the meeting as a legitimate participant and derives MK 2. The adversary encrypts M with MK and broadcasts C with the victim’s metadata (e.g., sender ID) to the other participants Vulnerability 1 (No Entity Authentication) Even if a meeting content is received from a particular meeting participant, the authenticity of the contents is not ensured because there is no entity authentication when using AES-GCM. Security Analysis Participant Victim Bulletin board MK MK Leader MK ① ② ② ① ① Countermeasure: all contents should be signed as entity authentication n It is a challenging task

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attacks 2-4: Impersonation of Any Zoom User 25 Security Analysis Vulnerability 2 (Free Access to the Bulletin Board) Insiders and participants have free access to the bulletin board. Particularly, insiders are free collect and tamper with all values, including the user’s signatures and public keys. Vulnerability 3 (Same Binding as in the Previous Meeting) If the meeting IDs, which are meetingID and meetingUUID, generated by the insiders and the public key pki generated by the participant i are reused, then Bindingi has the same value. n Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) n i, deviceID, and IVKi are always reused in all meetings The signature key pair (IVKi , ISKi ) is used for a long-term period; hence, the same signature Sigi is always generated from the same Bindingi . n Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519 Vulnerability 4 (Leader-generated Group Key) Only the meeting leader is involved in generating a 32-byte seed MK. n may intentionally reuse the shared group key MK used in the previous meeting

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attacks 2-4: Impersonation of Any Zoom User 26 Security Analysis Vulnerability 2 (Free Access to the Bulletin Board) Insiders and participants have free access to the bulletin board. Particularly, insiders are free collect and tamper with all values, including the user’s signatures and public keys. Vulnerability 3 (Same Binding as in the Previous Meeting) If the meeting IDs, which are meetingID and meetingUUID, generated by the insiders and the public key pki generated by the participant i are reused, then Bindingi has the same value. n Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) n i, deviceID, and IVKi are always reused in all meetings The signature key pair (IVKi , ISKi ) is used for a long-term period; hence, the same signature Sigi is always generated from the same Bindingi . n Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519 Vulnerability 4 (Leader-generated Group Key) Only the meeting leader is involved in generating a 32-byte seed MK. n may intentionally reuse the shared group key MK used in the previous meeting

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attacks 2-4: Impersonation of Any Zoom User 27 Security Analysis Vulnerability 2 (Free Access to the Bulletin Board) Insiders and participants have free access to the bulletin board. Particularly, insiders are free collect and tamper with all values, including the user’s signatures and public keys. Vulnerability 3 (Same Binding as in the Previous Meeting) If the meeting IDs, which are meetingID and meetingUUID, generated by the insiders and the public key pki generated by the participant i are reused, then Bindingi has the same value. n Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) n i, deviceID, and IVKi are always reused in all meetings The signature key pair (IVKi , ISKi ) is used for a long-term period; hence, the same signature Sigi is always generated from the same Bindingi . n Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519 Vulnerability 4 (Leader-generated Group Key) Only the meeting leader is involved in generating a 32-byte seed MK. n may intentionally reuse the shared group key MK used in the previous meeting

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 2: Impersonation of Any Zoom User 28 Impersonation Based on Vulnerabilities 2 and 3 (passive-type attack) n Adversaries: Insiders n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting u A leader can successfully verify SigA with IVKA u The adversary does not know skA corresponding to pkA ; hence, he cannot derive MK. ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 2: Impersonation of Any Zoom User 29 Impersonation Based on Vulnerabilities 2 and 3 (passive-type attack) n Adversaries: Insiders n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting u A leader can successfully verify SigA with IVKA u The adversary does not know skA corresponding to pkA ; hence, he cannot derive MK. ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 2: Impersonation of Any Zoom User 30 Impersonation Based on Vulnerabilities 2 and 3 (passive-type attack) n Adversaries: Insiders n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting u A leader can successfully verify SigA with IVKA u The adversary does not know skA corresponding to pkA ; hence, he cannot derive MK. ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 2: Impersonation of Any Zoom User 31 Impersonation Based on Vulnerabilities 2 and 3 (passive-type attack) n Adversaries: Insiders n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting u A leader can successfully verify SigA with IVKA u The adversary does not know skA corresponding to pkA ; hence, he cannot derive MK. ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 2: Impersonation of Any Zoom User 32 Impersonation Based on Vulnerabilities 2 and 3 (passive-type attack) n Adversaries: Insiders n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting u A leader can successfully verify SigA with IVKA u The adversary does not know skA corresponding to pkA ; hence, he cannot derive MK. ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 3: Impersonation of Any Zoom User 33 Impersonation Based on Vulnerabilities 1, 2 and 3 (active-type attack) n Adversaries: Insiders colluding with participants/leader n Victims: Any legitimate user A uninvited to the target meeting n Attack Procedures: 1. An adversary stores (SigA , pkA ) in the previous meeting 2. The adversary reuse (meetingID, meetingUUID) used in the previous meeting 3. The adversary posts (SigA , pkA ) to the bulletin board in the target meeting 4. The adversary obtains MK from a malicious participant/leader u completely impersonate victim user A ① pkA , SigA ③ ③ pkA , SigA ② BindingA BindingA Bulletin board Victim A Bulletin board Participant Leader The target meeting The previous meeting Insiders Security Analysis meetingID meetingUUID ④ ④ MK

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 4: Impersonation of Any Zoom User 34 Impersonation Based on Vulnerabilities 1 - 4 (active-type attack) n Adversaries: Outsiders colluding with insiders and leader n Victims: Any legitimate user B uninvited to the target meeting n Attack Procedures: 1. A malicious leader stores (SigB , pkB ) in the previous meeting 2. A malicious Insiders reuse (meetingID, meetingUUID) used in the previous meeting 3. The malicious leader reuses MK or provide it to an adversary 4. The adversary posts (SigB , pkB ) to the bulletin board in the target meeting u successfully verify SigB with IVKB and completely impersonate victim user B Security Analysis The target meeting The previous meeting ① pkB , SigB Leader ①③ ② ④ ④ pkB , SigB BindingB BindingB MK Bulletin board Victim B Bulletin board Participant Insiders meetingID meetingUUID Outsiders

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 4: Impersonation of Any Zoom User 35 Impersonation Based on Vulnerabilities 1 - 4 (active-type attack) n Adversaries: Outsiders colluding with insiders and leader n Victims: Any legitimate user B uninvited to the target meeting n Attack Procedures: 1. A malicious leader stores (SigB , pkB ) in the previous meeting 2. A malicious Insiders reuse (meetingID, meetingUUID) used in the previous meeting 3. The malicious leader reuses MK or provide it to an adversary 4. The adversary posts (SigB , pkB ) to the bulletin board in the target meeting u successfully verify SigB with IVKB and completely impersonate victim user B Security Analysis The target meeting The previous meeting ① pkB , SigB Leader ①③ ② ④ ④ pkB , SigB BindingB BindingB MK Bulletin board Victim B Bulletin board Participant Insiders meetingID meetingUUID Outsiders

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 4: Impersonation of Any Zoom User 36 Impersonation Based on Vulnerabilities 1 - 4 (active-type attack) n Adversaries: Outsiders colluding with insiders and leader n Victims: Any legitimate user B uninvited to the target meeting n Attack Procedures: 1. A malicious leader stores (SigB , pkB ) in the previous meeting 2. A malicious Insiders reuse (meetingID, meetingUUID) used in the previous meeting 3. The malicious leader reuses MK or provide it to an adversary 4. The adversary posts (SigB , pkB ) to the bulletin board in the target meeting u successfully verify SigB with IVKB and completely impersonate victim user B Security Analysis The target meeting The previous meeting ① pkB , SigB Leader ①③ ② ④ ④ pkB , SigB BindingB BindingB MK Bulletin board Victim B Bulletin board Participant Insiders meetingID meetingUUID Outsiders

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 4: Impersonation of Any Zoom User 37 Impersonation Based on Vulnerabilities 1 - 4 (active-type attack) n Adversaries: Outsiders colluding with insiders and leader n Victims: Any legitimate user B uninvited to the target meeting n Attack Procedures: 1. A malicious leader stores (SigB , pkB ) in the previous meeting 2. A malicious Insiders reuse (meetingID, meetingUUID) used in the previous meeting 3. The malicious leader reuses MK or provide it to an adversary 4. The adversary posts (SigB , pkB ) to the bulletin board in the target meeting u successfully verify SigB with IVKB and completely impersonate victim user B Security Analysis The target meeting The previous meeting ① pkB , SigB Leader ①③ ② ④ ④ pkB , SigB BindingB BindingB MK Bulletin board Victim B Bulletin board Participant Insiders meetingID meetingUUID Outsiders

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 4: Impersonation of Any Zoom User 38 Impersonation Based on Vulnerabilities 1 - 4 (active-type attack) n Adversaries: Outsiders colluding with insiders and leader n Victims: Any legitimate user B uninvited to the target meeting n Attack Procedures: 1. A malicious leader stores (SigB , pkB ) in the previous meeting 2. A malicious Insiders reuse (meetingID, meetingUUID) used in the previous meeting 3. The malicious leader reuses MK or provide it to an adversary 4. The adversary posts (SigB , pkB ) to the bulletin board in the target meeting u successfully verify SigB with IVKB and completely impersonate victim user B Security Analysis The target meeting The previous meeting ① pkB , SigB Outsiders Leader ①③ ② ④ ④ pkB , SigB BindingB BindingB MK Bulletin board Victim B Bulletin board Participant Insiders meetingID meetingUUID

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attacks 2-4: Impersonation of Any Zoom User 39 Countermeasures n The following procedures should be added to overcome Vulnerability 3: 1. Add time information (e.g., the date and time when meeting starts) to Bindingi : Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ∥ time) 2. Add a procedure to verify the time information when verifying the signature n The adversary can be prevented from exploiting Vulnerability 3 u successfully prevent the impersonation attacks (Attacks 2-4) Security Analysis Vulnerability 3 (Same Binding as in the Previous Meeting) If the meeting IDs, which are meetingID and meetingUUID, generated by the insiders the public key pki generated by the participant i are reused, then Bindingi has the same value. n Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) n i, deviceID, and IVKi are always reused in all meetings The signature key pair (IVKi , ISKi ) is used for a long-term period; hence, the same signature Sigi is always generated from the same Bindingi . n Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attacks 2-4: Impersonation of Any Zoom User 40 Countermeasures n The following procedures should be added to overcome Vulnerability 3: 1. Add time information (e.g., the date and time when meeting starts) to Bindingi : Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ∥ time) 2. Add a procedure to verify the time information when verifying the signature n The adversary can be prevented from exploiting Vulnerability 3 u successfully prevent the impersonation attacks (Attacks 2-4) Security Analysis Vulnerability 3 (Same Binding as in the Previous Meeting) If the meeting IDs, which are meetingID and meetingUUID, generated by the insiders the public key pki generated by the participant i are reused, then Bindingi has the same value. n Bindingi ← (meetingID ∥ meetingUUID ∥ i ∥ deviceID ∥ IVKi ∥ pki ) n i, deviceID, and IVKi are always reused in all meetings The signature key pair (IVKi , ISKi ) is used for a long-term period; hence, the same signature Sigi is always generated from the same Bindingi . n Sigi ← Sign.Sign(ISKi , Context ∥ Bindingi ) with EdDSA over Ed25519

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 41 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 42 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 43 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 44 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 45 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Attack 7: Security against Tampering with Meeting Contents 46 Tampering based on Vulnerabilities 1 and 5 (passive-type attack) n Adversaries: Insiders n Victims: participants/leader n Attack Procedures 1. An adversary embeds a vulnerability that allows participants to reuse the same nonce 2. The adversary intercepts the contents sent over the network 3. The adversary derives the authentication key from the encrypted contents u No tampering with the meaningful contents u successfully verified as message authentication Vulnerability 5 (Misuse of Nonce) All meeting contents are encrypted with AES-GCM. If nonce is misused during a meeting, the authentication key of AES-GCM can be exposed to insiders and outsiders. Security Analysis Participant Insiders Participant ① ① ② ③ Countermeasure n Adopt a misuse-resistant AE (MRAE)

Takanori Isobe, Ryoma Ito ACISP 2021, December 1-3, 2021. Security Analysis of End-to-End Encryption for Zoom Meetings Summary 47 No. Attack Type* Adversary** Victim** Ref. 1 Impersonation Active L/P L/P This work 2 Impersonation Passive I L/P/O This work 3 Impersonation Active I c.w. L L/P/O This work 4 Impersonation Active O c.w. I, L L/P/O This work 5 Impersonation Active O c.w. L L/P/O Appendix 6 Impersonation Active O c.w. I O Full version 7 Tampering Passive I L/P This work 8 Denial of Service Passive I P Full version Conclusion Security analysis of E2EE for Zoom meetings n Several attacks more powerful than those expected by the Zoom security team [Full vresion] T. Isobe and R. Ito, Security Analysis of End-to-End Encryption for Zoom Meetings, IEEE Access, 2021. Communication with Zoom security team n They acknowledged our findings and quickly revised its specification n Whitepaper version 2.3.1 (November 3, 2020) → version 3 (December 15, 2021)