The Basics of Encryption
Encryption is a security process that alters readable data to make it unreadable. It takes plaintext, data readable by humans, and transforms it into ciphertext, which is unreadable by humans or machines. Only someone with the correct decryption key can convert the data back into plaintext and view it in its unscrambled form. Anyone else, who perhaps managed to intercept the data, would see only gibberish.
There are several different types of encryption methods available, each used for keeping data safe in different situations. The most common encryption type or protocol is Advanced Encryption Standard (AES). AES comes in three increasing security strengths, AES-128, AES-192, and AES-256. All of these are very secure, but AES-256 is considered military-grade encryption.
You likely use encrypted services several times a day, even if you don’t realize it. But encryption is only as strong as the password or key used to secure it. So, just because something is encrypted, that doesn’t mean it is completely safe. This is where zero-knowledge encryption comes into play. But what is zero-knowledge encryption, how does it work, and why should you choose it?
What Is Zero-Knowledge Encryption?
Zero-knowledge encryption is a method of encryption, rather than an encryption protocol such as AES-256. The term most often describes an encryption process where your data is secured at all times, with only you having the key or password needed to access and decrypt it.
For a service to be truly zero-knowledge, your data should be encrypted before it leaves your device, during transfer, and when it is stored on a server. These three stages are known as client-side encryption, encryption in transit, and encryption at rest, respectively. This will normally mean different encryption methods, including TLS and AES or an alternative, are used in combination to provide overall encryption.
Zero-knowledge encryption also requires that your password, which is the key to being able to decrypt the data, is never stored anywhere it could be accessed by a third party. Because only you have the password needed to decrypt the data, neither the service provider nor anyone who infiltrates the service can read it at any stage. Hence, zero-knowledge.
But how can your password be verified as being correct by a service provider if only you know it? That is where zero-knowledge proof comes in.
What Is Zero-Knowledge Proof?
Zero-knowledge encryption and zero-knowledge proof are different concepts. Although zero-knowledge proof is often part of a service that promises zero-knowledge encryption, that isn’t always the case.
Zero-knowledge proof is a cryptographic authentication method between two or more parties. During a standard authentication process, a password might be given as proof of the holder’s right to access data. The trouble is that the password needs to be known by both parties for it to be verified. This obviously makes it less secure.
In zero-knowledge proof authentication, only proof of knowledge of the password is needed, so the actual password is never revealed. Proving knowledge is achieved by the prover (you) answering a series of interactive or non-interactive challenges from the verifier (the service provider).
A real-world comparison is when you are asked to supply the 3rd, 5th, and 9th letters of your password to verify login to a banking app. Only someone who knows the full password would know which letters to provide, yet the actual password is not revealed.
In most situations, such as logging in to a password manager app, you won’t actually need to answer questions or challenges to verify yourself. You will just need to enter your password. The zero-knowledge proof part of the process will be handled in the background by complex mathematical algorithms.
Where Zero-Knowledge Encryption Is Used
Zero-knowledge encryption has been around for a while, but its use has increased in the last few years. This is particularly true for consumer data storage services.
Any digital service that locks data behind a password login could use zero-knowledge encryption. The two most common services that offer zero-knowledge encryption are cloud storage services and password manager apps.
In fact, zero-knowledge encryption is increasingly being used to secure cloud storage. As mentioned earlier, this encryption method only works properly if the data is encrypted before leaving your computer, during transit, and when in the storage vault. That means true zero-knowledge cloud storage will be accessed through an app or desktop client, rather than through a browser interface.
Password manager apps are another place where zero-knowledge encryption makes perfect sense. When trusting all of your passwords to a single app or service, knowing that not even the service provider can access them unencrypted goes a long way. The best password managers will encrypt your passwords before they are even stored in the app or client, not just when they are stored in the cloud.
Problems With Zero-Knowledge Encryption
Although it is one of the most secure ways to protect your data, zero-knowledge encryption isn’t without its downsides.
Getting Locked Out
The most obvious potential problem is that there is often no way for you to retrieve your password if you lose or forget it. Your data will be lost, stuck behind an impenetrable barrier. Some services that use zero-knowledge encryption let you create a recovery key, which will allow you to reset your password once. However, this just moves the problem back one step, and if you lose the recovery key you will be in the same situation.
Loss of Speed
Zero-knowledge encryption can result in a service being slower than it might be with other security measures in place. The extra security and encryption steps needed can mean that something like cloud storage isn’t as fast as it would be without zero knowledge being used. The loss of speed will probably be, for most people, outweighed by the extra security, but it is still worth considering.
Fewer Features
Services that use zero-knowledge encryption might also lack some of the features offered by similar services that don’t use it. For example, you might be unable to preview images or videos stored in a backup vault because that would require the data to be decrypted. In this case, you have to decide if convenience is more important to you than security.
Should I Choose Zero-Knowledge Encryption?
Many big names in cloud storage offer zero-knowledge services. These include Sync.com, MEGA, pCloud, IDrive, and icedrive. Likewise, some of the best password manager services protect your data with this type of encryption, from NordPass to LastPass. As we spend more and more time in the cloud, entrusting our data security to others, we can only hope that more services get on board with zero-knowledge encryption.
Because, despite the few potential downsides, zero-knowledge encryption is the best choice if you care about the security of your data. By taking complete control of who can access and view your data, be it in a password manager, cloud storage, or another service, you remove the only realistic way it can be compromised.