Building E2EE and User Identity

Note: Presentation times are in Pacific Standard Time (PST).

Wednesday, February 03, 2021 - 8:35 am9:05 am

Merry Ember Mou, Zoom Video Communications


In a remote-first world, end-to-end encrypted (E2EE) communications will become more common. The Zoom team published in May 2020 an incrementally deployable proposal for E2EE in their video conferencing product that describes not only moving user key generation to clients but also building a strongly-trusted and user-friendly concept of long-term identity. After all, E2EE is only as secure as the ends: if Alice thinks she is talking to her coworkers, but instead her competitors are participating in the meeting, encryption is not sufficient to protect her. This talk will go over and highlight some of the objectives and challenges of our multi-phased, multi-pronged approach to E2EE that has strong identity confirmation protocols, and minimal server-trust.

Integrating an E2EE implementation into an existing system like Zoom, which supports hundreds of millions of meeting participants every day, has required particular consideration of existing architectural constraints, existing user trust models, and user expectations in the UI/UX. Designing with these priorities becomes even more significant in subsequent phases of the E2EE plan, where we aim to establish a consistent and auditable identity designed to tie each user to their Zoom account/organization and their many devices' long-term keys. These user identities will be enforced by several mechanisms to minimize the reliance on server-side security, with the eventual goal of making server compromise of user identities detectable by external auditors. With each phase, we improve the properties of a user's displayed identity in a meeting and aim to make verifying the security of a Zoom meeting as intuitive for the user as possible.

Merry Ember Mou, Zoom Video Communications

Merry Ember Mou is a software engineer at Zoom working on end-to-end encryption. Their previous experience includes working on Keybase, building backend systems at a network security startup, and developing online community platform research. They hold a master's degree in computer science from MIT.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {264132,
author = {Merry Ember Mou},
title = {Building {E2EE} and User Identity},
year = {2021},
publisher = {USENIX Association},
month = feb

Presentation Video