by dogman144 2266 days ago
"home grown encryption scheme" seems to imply Zoom is rolling its own crypto, which is tremendously foolish.

That isn't exactly the case, per the same article. It's more that Zoom is making a poor choice, among other choices, in implementing AES:

"Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook (ECB) mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,” according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes."

Bad idea but not "rolling own crypto bad"

edit: agree it's bad. This is pointing out inaccuracies in language from tech journalism reporting on security. This continues to be an issue per the miseducation it creates for the general public in infosec concepts, which is already an uphill battle of misconceptions. Since these articles, or AG Barr, are the discussions that actually hit the mainstream, it's an issue that needs to be corrected. Tech journalism, a profession focused on 'getting the facts,' is the direct conduit of this version of miseducation/failure of facts, and should be corrected. See: NY Times Baltimore Ransomware = NSA Tool (false), Bloomberg Supermicro (false, so far), etc.


> Bad idea but not "rolling own crypto bad"

- misusing cryptographic primitives is one way of rolling one’s own crypto

- ECB really is that bad

Even Wikipedia is stating ECB is a very bad choice. How can someone really use it nowadays without fraudulent intentions?

Many of the alternative modes are unsuitable for this case, as it is being used to encrypt UDP packets which may be lost. There are two commonly used modes which support the random access needed here:

- ECB

- CTR

Note that CTR is still recommended for use and is often used for things like hard-disk encryption where random access is required. Furthermore, the only difference between ECB and CTR is that CTR includes an incrementing counter in the input to the encryption algorithm to ensure that each encryption is unique. Do you know what else starts with an incrementing counter? UDP packets intended to form an audio or video stream.

So yes: ECB can be bad, but there's no evidence that Zoom are actually using it incorrectly. Using CTR when you already have a non-repeating data stream would only add overhead and potentially negatively impact the amount of useful data that can be streamed.

Is there a way to use ECB "correctly"?

Is there any non-repeating data apart from noise (if even)?

Yes, as I mentioned, if you include an incrementing counter within each block then the data does not repeat. The data only needs to be non-repeating within a single stream. Different streams will use a different IV and possibly different keys. This is how CTR works.

Including a counter in each UDP packet does not make ECB mode equivalent to CTR mode.

Let's assume the counter is at the start of the packet. An AES block is 16 bytes, so the counter ensures the first 16 bytes of ciphertext are unique across packets. But any patterns in the remainder of the packet are preserved, within and across packets.

Most of Zoom's security problems seem like the kind of things a novice programmer who didn't know any better would do. Which may mean that they hire inexperienced programmers, or may mean that they wanted that as an excuse if they got caught. The former is probably more likely. After all, never attribute to malice what can adequately be explained by incompetence.

Incompetence can enable malice.

ECB is a standard mode on many crypto libraries. Devs don't know better, or are intimidated by IVs.

Using ECB for this is terrible. It's likely that you could quite trivially recover low-fidelity video from the encrypted stream.

It works like that if you're encrypting a bitmap, but a compressed video stream is already fairly randomised. The encryption is broken, but low-res video extraction seems unlikely.

Shipping a statically linked version of OpenSSL 1.0.2o (Q2/18) is not building any trust either.