As you seek a cloud storage service to safeguard your sensitive files, you may come across terms such as "Zero-Knowledge Encryption," "Zero-Knowledge Proof (ZKP)", or "Zero-Access Encryption". Well, you probably wonder what does it exactly mean when your cloud storage claims it has a zero-knowledge policy? Does it really mean your data is completely protected from any security risk?
What Is Encryption?
In order to understand what "Zero-Knowledge Encryption" means, we need first to understand what is encryption. Encrypting data is a crucial method for safeguarding sensitive information from unauthorized access by converting it into an unreadable format (ciphertext) using complex mathematical algorithms. The protected data can be turned back into its original form by using the keys provided by the encryption system (it can be the same key that was used for encryption when using symmetric encryption methods such as "Caesar Cipher" and "AES", or another key when using asymmetric encryption methods like "public-key cryptography").
Encryption Standards and Protocols:
In the world of communication, there are several encryption standards and protocols that cloud storage providers are using to protect your data:
- Encryption in transit - A type of encryption used to safeguard the data during the transmission process - while the user is uploading the data to the server. It protects the information from being intercepted by unauthorized individuals performing a man-in-the-middle (MITM) attack by securing the communications between the client and cloud server (using the TLS protocol, for example). However, the sensitive data is still at risk, because at the end of the transfer process, once the data have finally reached his destination, the server will store the data in an unprotected manner, which opens the possibility of stealing the data in the event of a breach to the server.
- Encryption in rest - Encryption in rest refers to encrypting data while it is in "rest", meaning while it's stored on the server storage and is not being used by the client. Usually, cloud servers use symmetric encryption methods to encrypt the data such as AES128 or AES256. However, this security measure has limitations since the server will eventually need to decrypt the data when it's requested by the user.
- End-to-End Encryption (E2EE) - End-to-End Encryption is an encryption method developed to ensure private communications between sender and recipient by implementing asymmetric cryptography. It guarantees that the information exchanged between sender and recipient remains unreadable to anyone else, as only the communicating users hold the key to decrypt it.
What is asymmetric cryptography?
Asymmetric cryptography, also known as public-key cryptography, works by encrypting data at its source prior to sending it to the intended destination, and then decrypting it solely upon arrival. Each party generates his own pair of a private key and a public key, with the private key being securely kept at the source end, while the public key can be freely shared with others. Every message that is encrypted with the public key can be decrypted only by the private key. This way, sensitive information can be never decrypted by a middleman, such as a server that transfers data between the sender and recipient, because it doesn't hold the private key for decryption. Instead, decryption only takes place on either the sender's or recipient's device.
End-to-End Encryption vs. Zero-Knowledge encryption
As previously stated, the E2EE mechanism guarantees that communication between two parties (sender and recipient) remains completely private, ensuring that only they can understand the information being exchanged. The end-to-end encryption (E2EE) mechanism proves to be highly efficient in strengthening the security of networks and real-time communication apps (such as WhatsApp) or email services. However, if the data is stored locally (in our case on the cloud service provider's side), it makes it harder to implement this mechanism.
Moreover, some cloud storage providers that claim to provide end-to-end encryption, don't really provide real end-to-end encryption. Instead, they provide a combination of "encryption in transit" and "encryption in rest" (explained earlier), which does not provide complete protection to the data.
This is due to the fact that these cloud storage providers keep the decryption keys at the storage environment, instead of placing them only in the hands of the clients (in some cases, it can be even worse, as some cloud servers keep the entire data stored unencrypted). When the keys for decryption are on the cloud server side, the data will be vulnerable to anyone that can gain access to the server, like authorized server staff or even hackers. You eventually require trusting your cloud storage provider's ability to securely protect your data effectively.
This is where zero-knowledge encryption comes in, where end-to-end encryption is mostly used in network and communication apps, zero-knowledge encryption is the way to implement this mechanism in cloud servers. Just like EE2E, zero-knowledge architecture ensures that your data is protected from unauthorized access, and the keys are kept securely on your end, ensuring that only you have the ability to access your data, with no access even for the staff of the service provider.
How Zero-Knowledge encryption works?
Zero-Knowledge encryption is a security model that made possible by encrypting your data before it reach the cloud server (usually by implementing a client-side encryption by the browser) and keeping the master cryptographic key for decrypting the data in the client's hands only (during the entire communication process, your password remains unknown to the cloud server). When you wish to access your data, the cloud server will prompt you for your password. Once you have successfully entered the correct password, a decryption process starts, and only you can access the data as long as you remain logged in. However, zero-knowledge encryption has a downside because if you lose the master key, you lose the data too.
If the user needs to share data with another user on the same cloud server while preventing the server from accessing the data, this can be easily achieved using asymmetric encryption, which makes use of public and private keys. When Bob needs to share his files with David, David will provide Bob with his public key. Bob will then use David's public key to encrypt the data before sending it securely back to David. David will then decrypt the encrypted data using his private key.
Does Zero-Knowledge encryption provide complete protection?
It is important to note that while encrypting your data provides a significant level of protection, it does not guarantee absolute security. Hackers can potentially conduct brute force attacks to crack the encryption. However, if a strong encryption method is utilized it will take them millions or trillions of years to break it with today's hardware capabilities. One concern is the rapid development of quantum computers, which are likely to be available in decades. If that happens, all current encryption methods will become obsolete and would be breakable in less than a day, or even in a few hours.