Standard for encryption

Why "zero-knowledge" should become the new encryption standard. A guest article by Istvan Lam.


The revelations about the extent of surveillance by the NSA have led to a major rethink in the use of digital media in recent years. In the meantime, 92 percent of Germans are concerned about the privacy of their online data. With the advancing digitalization of companies, more and more sensitive business information is stored on the servers of cloud providers. In the event of a data breach, there is a risk of legal action by customers, severe contractual penalties and industrial espionage. Nevertheless, so far only 42 percent of companies encrypt their cloud data, although the majority consider data encryption to be important. One reason for the reticence in practical implementation could be uncertainty about which type of encryption actually offers appropriate protection. The keywords "end-to-end encryption" and "zero-knowledge" come up more and more frequently in this context - but what is behind these terms?

Industry increasingly relies on encryption
There are hardly any transparent figures on the frequency of government data queries and hacker attacks. Depending on the legal situation in each country, users do not necessarily have to be notified of hacks. And government interventions may not always be communicated to the affected users. Services such as Twitter and Microsoft sued the U.S. government over the issue. The IT industry is now responding to the complicated legal situation with end-to-end encryption, most recently even WhatsApp and soon Facebook. This is a step in the right direction, but further thought is needed to ensure optimum data protection.

The Zero Knowledge Method
End-to-end encryption ensures that files or messages are encrypted on one's own computer or smartphone and reach the server only in encrypted form. If a strong algorithm such as AES-256 is used, such encryption cannot be cracked with the computing capacities available today. At the same time, however, many providers store a copy of the encryption password on the same servers. This makes it easier for the provider to maintain the service, but it can come at the expense of security. The situation is comparable to investing in elaborate security locks in a hotel where a spare key is nevertheless always available to employees at the reception desk. This is where zero-knowledge comes into play. If the end-to-end process is consistently thought through to the end according to the zero-knowledge standard, there is no key copy; only the hotel guest, or the user, can open the lock. In this way, the provider can ensure that employee errors are ruled out and that theft cannot jeopardize the customer's privacy.

The difficulty for online services is to transfer this simple practical example to much more complex IT systems and thus ensure zero knowledge. The customer must be able to log into the system without the verifying provider knowing the password. To do this, the customer's "private" password is mathematically linked to the verifier's "public" password. The public password can easily be generated from the private password, but not vice versa. In this way, the service provider does not know the user's private password and can still verify usage authorization. The service provider thus has "zero knowledge" of the private password, which also makes it enormously difficult for third parties to gain access to confidential information.
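To make the "private password / public password" relationship above concrete, here is an added illustration (not code from the article or from Tresorit) of a login in which the server stores only v = g^x and the client proves knowledge of x with a Schnorr-style zero-knowledge exchange; the group parameters, salt and function names are assumptions chosen for the demo.

```python
import hashlib
import secrets

# Toy parameters for illustration (assumption): a real deployment would use a
# vetted group (e.g. an RFC 3526 MODP group) or a standardized PAKE such as SRP
# or OPAQUE rather than hand-rolled arithmetic.
P = 2**127 - 1     # Mersenne prime, so every g in Z_P* satisfies g^(P-1) = 1
G = 5
ORDER = P - 1      # exponents are reduced modulo P-1 (Fermat's little theorem)

def private_password(password: str, salt: bytes) -> int:
    """The "private password" x: derived on the client from the user's secret."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(digest, "big") % ORDER

def public_password(x: int) -> int:
    """The "public password" v = g^x: easy to compute from x, infeasible to invert."""
    return pow(G, x, P)

def client_commit() -> tuple[int, int]:
    """Step 1 (client): pick a fresh random r, send t = g^r, keep r secret."""
    r = secrets.randbelow(ORDER)
    return r, pow(G, r, P)

def server_challenge() -> int:
    """Step 2 (server): send a random challenge c."""
    return secrets.randbelow(ORDER)

def client_respond(x: int, r: int, c: int) -> int:
    """Step 3 (client): s = r + c*x; r masks x, so s reveals nothing about x."""
    return (r + c * x) % ORDER

def server_verify(v: int, t: int, c: int, s: int) -> bool:
    """Step 4 (server): holding only v, check g^s == t * v^c (mod P)."""
    return pow(G, s, P) == (t * pow(v, c, P)) % P

def login(password: str, salt: bytes, stored_v: int) -> bool:
    """Run the whole exchange; the password and x never reach the server side."""
    x = private_password(password, salt)
    r, t = client_commit()
    c = server_challenge()
    s = client_respond(x, r, c)
    return server_verify(stored_v, t, c, s)
```

A breach of the server's database yields only v and the salt, from which x (and hence the password) cannot be recovered without solving a discrete logarithm.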

Double holds better
Such a cumbersome zero-knowledge process is especially important for industries that cannot afford to make mistakes because of their sensitive data. For example, healthcare and financial service providers, lawyers, journalists and human rights organizations bear great responsibility for highly confidential information. And home users also need to manage their own data securely. Zero-knowledge protects data as soon as it leaves the end device for the cloud, but users still need to additionally secure their password and the device. Similar to cars, where airbags and seat belts are necessary in addition to the ABS system, virus protection programs, strong passwords, two-step verification and hard disk encryption should be a matter of course for every user.

Conclusion

In the age of Big Data, users have little control over their own data. In addition to advertisers and researchers, hackers and mass surveillance are also drawing on this huge pool of data. Despite Privacy Shield and progress with the EU General Data Protection Regulation, an internationally uniform and user-oriented data protection law is hardly foreseeable at present. Encryption is therefore the best way to get a technical handle on the complicated situation right now and return data sovereignty to the user. Zero-knowledge is the most consistent way to implement this. The growing demand for zero-knowledge solutions therefore holds great potential for the future of digital privacy.

Text: Istvan Lam, CEO Tresorit
