Never trust, always verify: your 2023 guide to zero-knowledge encryption
Cybercriminals don’t seem to have taken a summer break last year, at least according to Check Point Research’s newest report, which found that the number of global cyberattacks grew by 28% in the third quarter of 2022 compared to the same period in 2021. On average, there were over 1,130 attacks per organization per week. The good – or cautiously optimistic – news is that despite the increase, the number of attacks has plateaued, in contrast to the sharp rise of the previous year.
This could be a sign that organizations are doubling down on their investments in cybersecurity strategies, researchers argue. These strategies increasingly revolve around no-trust models to fend off security threats from without and within. That’s according to Dell Technologies’ Adrian McDonald, who cites pressure to comply with international regulatory demands as a reason behind the push for adoption, with government agencies and critical infrastructure providers now mandating the switch to zero trust architecture by 2024.
But what does “zero knowledge” mean and how does it work? How is zero-knowledge encryption different from other encryption methods and what are its upsides and downsides for users? Read on to find out.
What is encryption and when do you need it?
Encryption is the method by which information is converted into secret code that hides its true meaning, TechTarget explains. In computing, unencrypted data is called plaintext, while encrypted data is referred to as ciphertext. When the intended recipient opens the message, however, the information is translated back to its original form. This is what we call decryption. The formulas that are used to encode and decode messages are known as encryption algorithms, or ciphers.
To unlock the message contents, both the sender and the recipient must use a so-called encryption key. That is, a random string of numbers generated with algorithms to scramble and unscramble data. Encryption systems that only use a single key to encrypt and decrypt data are called symmetric. Asymmetric encryption systems, in contrast, use two keys: a public one, which is shared among users, to encrypt a message and a private key, which is not shared, to decrypt it.
Encryption is used to keep data safe across states, with the two most important being:
- Data in transit
- Data at rest
Encryption plays a key role in safeguarding data in transit, also referred to as data in motion or data in flight, and data at rest. Encryption in transit is used to protect information if communications are intercepted while data is being transferred via networks. For example, when you’re withdrawing money from an ATM, placing or checking on an order through the Amazon mobile app, uploading photos from your smartphone to your iCloud or sending an email or text.
When your data reaches its destination, it becomes data at rest. Meaning that it will be stored in a data warehouse, file archives, cloud backup, spreadsheet, on a USB flash drive or what have you. This category excludes information that is currently being used, as in being moved across a network or is open to be read or updated, aka data in use. For example, when you open a Word document to edit it or check your transaction history in your mobile banking app.
Ensuring that information is only accessed by authorized users, encryption, at rest or in transit, is critical to bulletproofing any business’s data protection strategy. As per TechTarget, it provides confidentiality by encoding the contents of a message, authentication by verifying its origin, integrity by proving that it has remained unchanged since it was sent, plus nonrepudiation by preventing senders from denying having sent it.
Often touted as the gold standard for securing communication, end-to-end encryption, or E2EE, encodes messages before they’re sent and decodes them only after arriving at a recipient’s device. This means that no one in the middle can read or modify them because they don’t have the private keys that would allow them to do so. When only the safest is safe enough, E2EE is hard to beat. But not impossible.
No end in sight: what is zero-knowledge encryption?
So what if there’s only data but no ends or communication to speak of – like cloud storage? Enter zero-knowledge encryption, a method that makes it impossible even for your service provider to know anything about your encryption key or the data you’re processing or storing on its servers. Everything you have or do there gets encrypted before the data reaches the server without the encryption key ever being revealed to the service provider.
To better grasp the term, let’s go back to how encryption traditionally works for a second. As we’ve previously pointed out, online services should be protected with some sort of encryption. Meaning that when we enter our data on a website or app, our information should be encoded in a way that it can only be accessed by authorized people with a secret key or password. Like door locks, this safeguard can be very basic or very strong.
Now imagine you’re on a business trip. Cheap motels where your key works for multiple guest rooms are out of the question, so you pick a hotel with solid security measures. On arrival, you check in, get ready and leave your camera in the room before locking the door and heading out for a meeting. You do so with peace of mind, knowing that your camera would be right where you left it as you trust both the hotel staff and the lock on your door.
In this example:
- the camera is the private information you upload to the cloud
- the room is your account
- the lock on the door is the encryption system used to protect your data
- the key to open the lock is your password
- the hotel is your service provider
Because of encryption, you're right to trust the lock. But what if instead of trying to pick the lock, a thief, or hacker, snatches the master key? You’ll probably end up in the market for a new camera – and looking at a data breach. Plus, the damage to your revenues and reputation that often comes with it. Using zero-knowledge encryption, your online service provider has no knowledge of your data or password – just like a hotel that holds no extra copies of the key to your suite.
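The flow described in this section can be sketched in a few lines. This is an added example, not code from the original article or from any provider: the password is stretched into a key on the client, the data is sealed with AES-256-GCM before upload, and the provider stores only the salt, nonce, ciphertext and tag. The in-memory `serverStore`, the function names and the sample values are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// Client side: stretch the password into a 256-bit key (scrypt, Node's default cost).
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Client side: encrypt before upload; the return value is all the server ever sees.
function encryptForUpload(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh per encryption, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt after download; final() throws on a wrong key or modified data.
function decryptAfterDownload(password, record) {
  const key = deriveKey(password, record.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.nonce);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
}

// Returns the plaintext, or null when authentication fails.
function tryDecrypt(password, record) {
  try {
    return decryptAfterDownload(password, record);
  } catch {
    return null;
  }
}

// Hypothetical provider: an in-memory map that stores opaque records only.
const serverStore = new Map();
const PASSWORD = "correct horse battery staple"; // constructed sample
const SECRET = "constructed sample: camera roll, day 1"; // constructed sample
serverStore.set("camera", encryptForUpload(PASSWORD, SECRET));

const stored = serverStore.get("camera");
const tampered = { ...stored, ciphertext: Buffer.from(stored.ciphertext) };
tampered.ciphertext[0] ^= 0x01; // one flipped bit, as a storage-side modification would cause

console.log(tryDecrypt(PASSWORD, stored));
console.log(tryDecrypt("wrong guess", stored)); // null
console.log(tryDecrypt(PASSWORD, tampered)); // null
```

Nothing in `serverStore` is enough to recover the key, which is also why a forgotten password cannot be reset by the provider.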
Show don’t tell: what’s zero-knowledge proof and how does it work?
Again, using zero-knowledge protocol means that only you know what goes in and what goes on in your vault. But what does this look like in practice?
When logging into a web server, users must offer proof that they have authorized access by entering their key or password. Now, traditionally, the server already has an encoded version of this key or password, and if it matches, the door opens and you’re in. But here’s the catch: to be able to do that the server must have knowledge of your keys. So the security of your data entirely depends on the server not being compromised.
Back in the 1980s, MIT researchers Shafi Goldwasser, Silvio Micali and Charles Rackoff thought they could do better and created a method for the “prover” to show the “verifier” that they know the answer to a particular mathematical problem, aka the password, without actually revealing it. Today, this process is known as zero-knowledge proof or ZK Protocol. According to Goldwasser, Micali and Rackoff, it must meet the following criteria:
- Completeness: if the prover has the right password, the verifier will be convinced that it’s the right password.
- Soundness: the verifier will be convinced if – and only if – the prover has entered the right password.
- Zero-knowledgeness: the verifier learns no information beyond the fact that the password is right.
So how is it possible to prove that you have the right password without actually telling it to the service administrators? To put it not-so-simply, the “private” password of the prover and the “public” password that the verifier knows are mathematically linked. This way, the verifier can check whether they belong together but can’t figure out the password itself.
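One concrete instance of such a mathematical link, as an added example that is not part of the original article: Schnorr's identification protocol, which is zero-knowledge against an honest verifier, with the private value x and the public value y = g^x mod p. Deriving x from a password with scrypt, the RFC 3526 2048-bit group and all names and sample values are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// Group: RFC 3526 2048-bit prime p = 2q + 1; g = 2 generates the subgroup of prime order q.
const p = BigInt("0x" + crypto.getDiffieHellman("modp14").getPrime("hex"));
const q = (p - 1n) / 2n;
const g = 2n;

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Random scalar in [1, q-1]; 64 surplus bits make the modulo bias negligible.
function randomScalar() {
  return (BigInt("0x" + crypto.randomBytes(264).toString("hex")) % (q - 1n)) + 1n;
}

// Prover only: the private value x, derived from the password (assumed derivation).
function secretFromPassword(password, salt) {
  return (BigInt("0x" + crypto.scryptSync(password, salt, 64).toString("hex")) % (q - 1n)) + 1n;
}

// Registration: the verifier stores the public value y = g^x mod p, never x.
function register(password, salt) {
  return modPow(g, secretFromPassword(password, salt), p);
}

// One run of the protocol, both sides in one function for readability.
function proveAndVerify(password, salt, y) {
  const x = secretFromPassword(password, salt); // stays with the prover
  const r = randomScalar();                     // prover's one-time secret
  const t = modPow(g, r, p);                    // prover -> verifier: commitment
  const c = randomScalar();                     // verifier -> prover: challenge
  const s = (r + c * x) % q;                    // prover -> verifier: response
  // Verifier's check uses only t, c, s and y: g^s == t * y^c (mod p).
  const accepted = modPow(g, s, p) === (t * modPow(y, c, p)) % p;
  return { accepted, transcript: { t, c, s } };
}

const SALT = Buffer.from("constructed-sample-salt"); // constructed sample
const PASSWORD = "correct horse battery staple";     // constructed sample
const Y = register(PASSWORD, SALT);

console.log(proveAndVerify(PASSWORD, SALT, Y).accepted);
console.log(proveAndVerify("wrong guess", SALT, Y).accepted); // false
```

Because x comes from a password here, anyone holding y and the salt can still test password guesses offline, so the strength of the password and of the key-stretching step remains the limiting factor.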
Coming back to our hotel analogy for a second, in Hotel Zero Knowledge, the receptionist wouldn’t give you a key. All they would do is tell you the room number and encourage you to bring a padlock of your choice to secure it. No copies of the keys lying around to steal and no access to your valuables for even the most trusted staff members.
Cloud storage encryption: no risk, all reward
Cloud encryption is the process of using encryption algorithms to transform data from its original plain text format to an unreadable format, such as ciphertext, when it’s transmitted to and from cloud-based applications and storage. A proactive defense against data breaches and cyberattacks, cloud encryption allows businesses to reap the benefits of cloud collaboration services, such as improved regulatory compliance, customer satisfaction and workflows, without putting data at unnecessary risk, TechTarget explains.
What are the benefits of zero-knowledge encryption?
1. No compromise or dependence when it comes to security. Zero-knowledge solution providers know nothing about your data, making it impossible for anyone to access them apart from you.
2. Even if your data is breached, there’s nothing to worry about. Should any of your encrypted information leak, it would still remain unreadable to unauthorized users, including malicious actors.
3. Improved compliance for sectors where data protection is required by law, such as the Health Insurance Portability and Accountability Act, or by professional standards like the Payment Card Industry Data Security Standard.
What are the drawbacks of zero-knowledge encryption?
1. No password, no access. If you lose or forget your password and recovery phrase code, you won't be able to retrieve your data. Nor will your service provider, who has no access to or knowledge of this information.
2. Lacking user experience and speed. Additional security steps can potentially slow down data transfers to and from your cloud storage and leave less room for creating advanced features and intuitive interfaces.
Safety shouldn’t be a matter of trust: zero-knowledge security from Tresorit
Tresorit uses zero-knowledge protocol to keep your data safe. Unlike other services, however, we can also guarantee that your data is protected by zero-access encryption no matter where you decide to access it – even if it’s your browser. It’s virtually impossible for anyone to access your private key and documents. This includes us. Besides the highest level of security in the cloud, our cloud storage and collaboration solution also allows you to:
- Stay in control of what happens to your data: Implement data protection measures while collaborating on files, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without you knowing about it, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.
- Set up and enforce enterprise security policies in one place: Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template and modify these policies at any moment through a single interface.
- Keep access secure and limited: Monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard critical data assets. Manage files and tresors at a granular level, ensuring that they’re only accessible to those who need them, and limit file downloads or revoke access at any time.