Zoom acquires Keybase to improve video conferencing security

8 May 2020

Image: © Andrei/Stock.adobe.com

Zoom has acquired Keybase as part of its 90-day plan to focus on the security of the video conferencing platform.

On Thursday (7 May), Zoom CEO Eric Yuan announced that the company has acquired Keybase, as part of a 90-day plan to improve security on the video conferencing platform.

Keybase’s team of engineers has built a secure messaging and file-sharing service, and Yuan said that he is “excited” to integrate its end-to-end encryption into Zoom.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses,” Yuan added.

Terms of the deal were not disclosed.

Addressing security issues

Keybase was founded in New York in 2014 by Chris Coyne and Maxwell Krohn, who were part of the founding team of OkCupid. The company has 25 employees, who will now join Zoom.

Krohn will now lead Zoom’s security engineering team, reporting directly to Yuan. Prior to the acquisition, Keybase raised just under $11m in funding.

The start-up has been acquired as part of Zoom’s plan to address security issues that have been discovered in recent months, as millions of remote workers have turned to the platform to host video conferences and meetings. Last month, the company announced a 90-day freeze on new features in order to focus on security updates.

Yuan said that the company’s goal is now to provide “the most privacy possible” for every use case, while balancing the needs of users and preventing harmful behaviour on the platform.

Encryption

The company explained that, as it currently stands, audio and video content between Zoom clients is encrypted at each sending client device. It is not decrypted until it reaches the recipients’ devices. With the Zoom 5.0 release last month, it now supports encrypting content using industry-standard AES-GCM with 256-bit keys, which are generated for each meeting by Zoom’s servers.

“Some features that are widely used by Zoom clients, such as support for attendees to call into a phone bridge or use in-room meeting systems offered by other companies, will always require Zoom to keep some encryption keys in the cloud,” Yuan added.

The company said that in the near future, Zoom will offer end-to-end encryption to all paid accounts.

“An ephemeral per-meeting symmetric key will be generated by the meeting host,” Yuan said. “This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees.

“The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.”

He added that encryption keys will be “tightly controlled by the host”, who will admit attendees. “We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300m daily meeting participants.”

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com