The Zoom Encryption Debate

In April 2020, over 4 billion people are under a form of shelter-in-place or stay-home orders worldwide due to the coronavirus pandemic.[1] With work-from-home as the new normal, videoconferencing application Zoom has become the preferred platform — experiencing a spike from an average of 10 million to 200 million daily users in March[2]. This is no coincidence; the overall user experience of Zoom is fantastic. It is easy to use, and just works (at least, in the subjective opinion of the authors).

With great ubiquity comes great risk, however. As co-workers openly share documents, presentations, and company strategies, the rich bevy of confidential information at hand has made Zoom an especially attractive target.

With Zoom’s growing popularity comes greater scrutiny, both from cybersecurity professionals, as well as from criminals and mischievous students. A new term, called “zoombombing,” is where unauthorized participants show up uninvited. The result of such an attack can range from stealing company secrets to presenting inappropriate material.

Zoom itself has acknowledged its privacy and security issues,[3] including passing along unnecessary information to Facebook and LinkedIn, issues with Zoom for Mac, UNC link issues, and a widely publicized controversy around Zoom’s encryption practices.

This article will explore the Zoom encryption practices in order to help clarify what the issues are.

Confusion (and even anger) began with Zoom stating that their platform used “end-to-end encryption,” a statement the company later acknowledged was misconstrued based on “a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”[4]

True end-to-end encryption means that Zoom calls are encrypted at all points in the data creation, transfer, and reception lifecycle — and that Zoom itself is unable to access that critical data. End-to-end encryption is the gold standard, and it means that keys are generated and managed on endpoints, and are never accessible by Zoom’s servers.

In practice, Zoom encrypts meetings unless one of the following conditions is met:

  • At least one participant phones in (and is therefore not using a Zoom application — i.e. is not connected via the desktop or mobile app)
  • The call is being recorded.

It certainly makes sense that encryption is not used in the first case since a regular phone line would not be able to decrypt the communication (it is using a different infrastructure without access to the keys). In the second case, this could be solved, but would introduce quite significant key management difficulties in the case that the recording is uploaded to the cloud. However, it is unclear why encryption is not used when the recording is stored locally by the host.

However, regardless of whether or not the call is encrypted, cryptographers criticize Zoom’s use of the term “end-to-end” (E2E) encryption for a simple reason: the encryption is simply not end-to-end. That is, Zoom’s servers have access to the encryption keys, and may decrypt the traffic at their discretion.[5]

Note that Zoom’s servers do not decrypt the traffic (according to their reports), but the mere fact that they can means that end-to-end encryption is not being used. On the positive side, the infrastructure set up by Zoom whereby their servers do not need to decrypt the traffic means that they should be able to roll out true end-to-end encryption without too much difficulty. This is a far better situation than a vendor who needs to decrypt on the server in order to mix the different streams together. If Zoom were to work in that way, they would need to completely change their infrastructure in order to deploy end-to-end encryption.

This is good news: it shows that the basic infrastructure design used by Zoom is good, and gives us hope that they will be able to roll out end-to-end encryption soon.

ECB Encryption — What is that and why should we care?

Symmetric encryption, as used to protect the actual data being sent in Zoom, is a combination of a block cipher and a specific mode of operation. A block cipher is a cryptographic function that takes a fixed-size block of data and scrambles it under a secret key, in a way that cannot be reversed without that key.

When building secure encryption, one of the main questions is how to apply the block cipher, and this method is called a “mode of operation”. Zoom uses the simplest mode of operation, called Electronic Codebook (ECB) mode. In ECB mode, data is divided into blocks, and each block is encrypted separately by simply passing it through the block cipher, as shown in the diagram below.

[Figure: diagram of ECB mode, each plaintext block passed independently through the block cipher]

Unfortunately, ECB is not a secure way of encrypting, and using ECB mode is a rookie’s mistake. In order to see why, notice that identical plaintext blocks are always mapped to identical ciphertext blocks. This can leak a lot of information, as shown in the encryption of the famous Linux penguin below:

[Figure: the Linux penguin (Tux) bitmap, original and encrypted in ECB mode, the outline still visible]

The penguin encrypted in ECB mode still looks like a penguin since all of the white blocks are mapped to the same color, all of the yellow blocks to the same color, and so on. This should not happen in secure encryption, and indeed other modes of operation do not suffer from this weakness.
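To make the penguin effect concrete, here is an added example (not code from the original article, and not Zoom’s code) that encrypts a constructed eight-row, two-colour “image” with AES in ECB mode and in CBC mode, then counts the distinct ciphertext blocks. The key, IV and pixel rows are constructed demo values; `looksLikeECB` is the check a defender can run over captured ciphertext to spot ECB by its repeated blocks, which no properly randomized mode produces. Go’s standard library deliberately provides no ECB helper, so the ECB loop is written out, which is exactly what ECB is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// blockSize is the AES block size (16 bytes).
const blockSize = aes.BlockSize

// ecbEncrypt encrypts pt in ECB mode: each block goes through the cipher on
// its own, so equal plaintext blocks always give equal ciphertext blocks.
// pt must be a whole number of blocks (no padding is applied here).
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), blockSize)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct, nil
}

// cbcEncrypt encrypts the same plaintext in CBC mode: each block is XORed with
// the previous ciphertext block (or the IV) before encryption, so equal
// plaintext blocks no longer produce equal ciphertext blocks.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), blockSize)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// distinctBlocks counts how many different block values appear in ct.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		seen[string(ct[i:i+blockSize])] = true
	}
	return len(seen)
}

// looksLikeECB is the defender's check: any repeated block in a multi-block
// ciphertext is, with overwhelming probability, ECB over repetitive plaintext.
func looksLikeECB(ct []byte) bool {
	return distinctBlocks(ct) < len(ct)/blockSize
}

// penguinPlaintext builds a tiny "image" of 8 rows, each one AES block wide,
// using only two pixel values (constructed sample data standing in for Tux).
func penguinPlaintext() []byte {
	white := bytes.Repeat([]byte{0xff}, blockSize)
	black := bytes.Repeat([]byte{0x00}, blockSize)
	rows := [][]byte{white, white, black, black, black, black, white, white}
	return bytes.Join(rows, nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key
	iv := []byte("fedcba9876543210")  // constructed IV; real use needs a fresh random IV per message
	pt := penguinPlaintext()
	ecb, _ := ecbEncrypt(key, pt)
	cbc, _ := cbcEncrypt(key, iv, pt)
	fmt.Printf("ECB distinct blocks: %d of %d, repeated blocks: %v\n", distinctBlocks(ecb), len(ecb)/blockSize, looksLikeECB(ecb))
	fmt.Printf("CBC distinct blocks: %d of %d, repeated blocks: %v\n", distinctBlocks(cbc), len(cbc)/blockSize, looksLikeECB(cbc))
	// Print the first bytes of every row: ECB rows repeat exactly where the image does.
	for i := 0; i < len(ecb); i += blockSize {
		fmt.Printf("row %d  ecb=%s...  cbc=%s...\n", i/blockSize,
			hex.EncodeToString(ecb[i:i+4]), hex.EncodeToString(cbc[i:i+4]))
	}
}
```

Under ECB the two pixel values yield exactly two ciphertext blocks, so the row pattern of the image survives encryption; under CBC all eight rows differ. The same `looksLikeECB` test applied to a real capture flags ECB-protected media or file data without needing the key.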

Cryptographers have been debating whether ECB mode in the context of Zoom conference calls really does or does not leak actual information. However, this really isn’t the point. The problem is that ECB is known to not be secure by anyone who has even the most basic knowledge of cryptography and encryption. Thus, the use of ECB by Zoom just looks very bad, and gives the impression that no one at Zoom has even basic expertise.

Having said that, this is extremely easy to fix, and so we can hope to see this being updated very soon.

Summary

With Zoom’s explosive popularity has come great scrutiny regarding its security, as well as a slew of attacks. The interesting question is not how well Zoom did in the past, but how well they do in fixing the problems now uncovered.

The good news is that Zoom’s basic infrastructure is well designed and can support strong end-to-end encryption. The bad news is that some of their mistakes show a lack of basic understanding of cryptography and security.

Fortunately, these can be fixed, and if Zoom does so and shows that it is now taking security seriously, we will all benefit from the result.

[1] “C.D.C. Recommends Wearing Masks in Public; Trump Says, ‘I’m Choosing Not to Do It’.” The New York Times, The New York Times, 3 Apr. 2020, www.nytimes.com/2020/04/03/world/coronavirus-news-updates.html#link-290c3c8.

[2] Miller, Maggie. “Zoom CEO Says Company Reached 200 Million Daily Users in March.” TheHill, The Hill, 2 Apr. 2020, thehill.com/policy/cybersecurity/490794-zoom-ceo-says-company-reached-200-million-daily-users-in-march.

[3] “A Message to Our Users.” Zoom Blog, 2 Apr. 2020, blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.

[4] “The Facts Around Zoom and Encryption for Meetings/Webinars.” Zoom Blog, 2 Apr. 2020, blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/.

[5] Newman, Lily Hay. “So Wait, How Encrypted Are Zoom Meetings Really?” Wired, Conde Nast, 3 Apr. 2020, www.wired.com/story/zoom-security-encryption/.

Originally published at https://www.unboundtech.com on April 7, 2020.

Translated from: https://medium.com/key-insights/the-zoom-encryption-debate-c58bbff56f06
