What is zero-knowledge encryption and why should I choose it?


Protecting your important data is an essential part of modern life, and encryption plays an important role in that. Zero-knowledge encryption, if done correctly, is about the best security method you can choose.

The basics of encryption

Encryption is a security process that alters readable data to make it unreadable. It takes plaintext, human-readable data, and turns it into ciphertext, which is meaningless to any person or program that does not hold the key. Only someone with the correct decryption key can convert the data back to plaintext and display it in its unscrambled form. Anyone else who manages to intercept the data sees only gibberish.

There are several encryption methods available, each used to provide data security in different situations. The most widely used encryption algorithm is the Advanced Encryption Standard (AES). AES comes in three key lengths of increasing strength: AES-128, AES-192, and AES-256. All of these are very secure, but AES-256 is the one usually described as military-grade encryption.

You probably use encrypted services several times a day, even if you don’t realize it. But encryption is only as strong as the password or key used to secure it. So just because something is encrypted doesn’t mean it’s completely safe. This is where zero-knowledge encryption comes in. But what is zero-knowledge encryption, how does it work, and why should you choose it?

What is zero-knowledge encryption?

Zero-knowledge encryption is a way of applying encryption rather than a specific algorithm such as AES-256. The term most often describes a setup in which your data is encrypted at all times, and only you hold the key or password needed to access and decrypt it.

For a service to be truly zero-knowledge, your data must be encrypted before it leaves your device, while it is being transferred, and while it is stored on a server. These three stages are respectively called client-side encryption, encryption in transit, and encryption at rest. In practice this means several mechanisms are combined, typically TLS for the connection and AES (or an alternative cipher) for the data itself, to keep the data encrypted end to end.

Zero-knowledge encryption also requires that your password, which is the key to decrypting the data, is never stored anywhere a third party could access it. Because only you have the password needed to decrypt the data, neither the service provider nor anyone who breaks into the service can read it at any time. Hence the name: the provider has zero knowledge of your data.
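To make the three stages and the "password never leaves you" rule concrete, here is a minimal client-side vault in Go. It is an added example, not code from the original article or from any product it names: the password is stretched with PBKDF2 and split into an encryption key that stays on the device and a separate login verifier, and the data is sealed with AES-256-GCM before upload, so the server only ever holds the salt, nonce, ciphertext and verifier. The iteration count, the key labels and the inline PBKDF2 routine are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

func hmacSha256(key, msg []byte) []byte { m := hmac.New(sha256.New, key); m.Write(msg); return m.Sum(nil) }
// One 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018), written out here so the
// example needs only the standard library; real clients use a vetted library.
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	u := hmacSha256(password, append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		u = hmacSha256(password, u)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}
// deriveKeys stretches the password once and splits the result into an encryption key
// that never leaves the device and a login verifier the server may store. The verifier
// is a one-way function of the master key, so holding or stealing it gives no way back to encKey.
func deriveKeys(password string, salt []byte) (encKey, authVerifier []byte) {
	master := pbkdf2Sha256([]byte(password), salt, 100000) // iteration count kept low for the demo
	return hmacSha256(master, []byte("enc")), hmacSha256(master, []byte("auth-verifier"))
}
// Vault is the complete set of bytes the server ever receives.
type Vault struct{ Salt, Nonce, Ciphertext, AuthVerifier []byte }
func aes256gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256; fixed length, so no error
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// sealVault encrypts on the client before anything is uploaded (client-side encryption).
func sealVault(password string, plaintext []byte) Vault {
	v := Vault{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(v.Salt); rand.Read(v.Nonce) // fresh salt and nonce per vault
	encKey, verifier := deriveKeys(password, v.Salt)
	v.AuthVerifier = verifier
	v.Ciphertext = aes256gcm(encKey).Seal(nil, v.Nonce, plaintext, nil)
	return v
}
// openVault re-derives the key; with a wrong password the GCM tag check fails.
func openVault(password string, v Vault) ([]byte, error) {
	encKey, _ := deriveKeys(password, v.Salt)
	return aes256gcm(encKey).Open(nil, v.Nonce, v.Ciphertext, nil)
}
```

Nothing the server stores (Vault) lets it derive encKey, which is the property the article calls zero knowledge.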

But how can your password be verified by a service provider if only you know it? This is where the zero-knowledge proof comes in.

What is zero-knowledge proof?

Zero-knowledge encryption and zero-knowledge proof are different concepts. Although zero-knowledge proof is often part of a service that promises zero-knowledge encryption, this is not always the case.

Zero-knowledge proof is a method of cryptographic authentication between two or more parties. During a standard authentication process, a password can be provided as proof of the holder’s right to access the data. The problem is that the password must be known to both parties to be verified. This obviously makes it less secure.

In zero-knowledge proof authentication, you only need to prove that you know the password, so the password itself is never revealed. The proof of knowledge is performed by the prover (you) responding to a series of interactive or non-interactive challenges from the verifier (the service provider).

A rough real-world comparison is being asked for the 3rd, 5th, and 9th letters of your password to log in to a banking app. Only someone who knows the full password would know which letters to provide, yet the full password is not revealed.

In most situations, such as logging into a password manager app, you won’t actually need to answer any questions or challenges to verify yourself. You will only have to enter your password. The zero-knowledge proof part of the process will be handled behind the scenes by complex mathematical algorithms.
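The challenge-response idea that those "complex mathematical algorithms" implement can be shown concretely. The following Go example is added here and is not part of the original article: it implements the Schnorr identification protocol over a tiny constructed group (p = 1019, q = 509, g = 4, chosen only so the numbers are readable). The prover convinces the verifier that it knows the secret exponent x behind y = g^x without ever sending x, and Simulate shows why the exchange leaks nothing, since anyone can fabricate a transcript that verifies.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// Toy group parameters, constructed for this example: p = 2q+1 with q prime and
// g = 4 generating the order-q subgroup. Real systems use 2048-bit or elliptic-curve groups.
var p, q, g = big.NewInt(1019), big.NewInt(509), big.NewInt(4)
// Transcript is everything the verifier ever sees: the prover's commitment,
// the verifier's own challenge, and the response. The secret x appears nowhere.
type Transcript struct{ T, C, S *big.Int }
func randBelow(n *big.Int) *big.Int {
	r, err := rand.Int(rand.Reader, n)
	if err != nil { panic(err) }
	return r
}

// PublicKey is y = g^x mod p: the value a server stores instead of x.
func PublicKey(x *big.Int) *big.Int { return new(big.Int).Exp(g, x, p) }

// Prove runs the prover's side; challenge is the verifier, called with the commitment.
func Prove(x *big.Int, challenge func(t *big.Int) *big.Int) Transcript {
	r := randBelow(q)
	t := new(big.Int).Exp(g, r, p)
	c := challenge(t)
	s := new(big.Int).Mul(c, x) // s = r + c*x mod q; the random r masks x, so s alone reveals nothing
	s.Add(s, r).Mod(s, q)
	return Transcript{t, c, s}
}

// Verify checks g^s == t * y^c (mod p); for a random challenge this holds only if the
// response was built from the x behind y (a blind guess succeeds with probability 1/q).
func Verify(y *big.Int, tr Transcript) bool {
	lhs := new(big.Int).Exp(g, tr.S, p)
	rhs := new(big.Int).Exp(y, tr.C, p)
	rhs.Mul(rhs, tr.T).Mod(rhs, p)
	return lhs.Cmp(rhs) == 0
}

// Simulate builds an accepting transcript for y without x by picking the
// challenge and response first and solving for the commitment. Since anyone can
// produce such transcripts, seeing a real one teaches the verifier nothing about x.
func Simulate(y *big.Int) Transcript {
	c, s := randBelow(q), randBelow(q)
	t := new(big.Int).Exp(g, s, p)
	t.Mul(t, new(big.Int).ModInverse(new(big.Int).Exp(y, c, p), p)).Mod(t, p)
	return Transcript{t, c, s}
}
```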

Where Zero-Knowledge Encryption is Used

Zero-knowledge encryption has been around for a while, but its use has increased in recent years. This is especially true for consumer data storage services.

Any digital service that locks data behind a password login could use zero-knowledge encryption. The two most common services that offer zero-knowledge encryption are cloud storage services and password manager apps.

In fact, zero-knowledge encryption is increasingly being used to secure cloud storage. As mentioned earlier, this encryption method only works properly if the data is encrypted before it leaves your computer, during transit, and while in the storage vault. This means that true zero-knowledge cloud storage will be accessed through an app or desktop client, rather than through a browser interface.

Password manager apps are another place where zero-knowledge encryption comes into its own. When you entrust all your passwords to a single app or service, knowing that even the service provider can’t access them unencrypted is very helpful. The best password managers will encrypt your passwords before they’re even stored in the app or client, not just when they’re stored in the cloud.

Problems with Zero-Knowledge Encryption

Although it is one of the most secure ways to protect your data, zero-knowledge encryption is not without its drawbacks.

Being locked out

The most obvious potential problem is that you often cannot recover your password if you lose or forget it. Your data will be lost, stuck behind an impenetrable barrier. Some services that use zero-knowledge encryption let you create a recovery key, which allows you to reset your password once. However, this only moves the problem one step along: if you lose the recovery key, you are back in the same situation.

Loss of speed

Zero-knowledge encryption may result in slower service than you would get with other security measures in place. The extra encryption steps involved can mean that something like cloud storage isn't as fast as it would be without zero-knowledge encryption. For most people the loss in speed will be outweighed by the added security, but it's still worth considering.

Fewer features

Services that use zero-knowledge encryption may also lack some of the features offered by similar services that do not. For example, you may not be able to preview images or videos stored in a backup vault as this would require data decryption. In this case, you need to decide if convenience is more important to you than security.

Should I choose Zero-Knowledge encryption?

Many big names in cloud storage offer zero-knowledge services. These include Sync.com, MEGA, pCloud, IDrive, and Icedrive. Similarly, some of the best password managers, such as NordPass and LastPass, protect your data with this type of encryption. As we spend more and more time in the cloud, entrusting the security of our data to others, we can only hope that more services will ship with zero-knowledge encryption.

Despite these few potential drawbacks, zero-knowledge encryption is the best choice if you care about the security of your data. By taking full control of who can access and view your data, whether it's in a password manager, cloud storage, or another service, you're removing the only realistic way to compromise it.

Donald E. Patel