If you count on online services and providers to keep your sensitive private and financial information secure, you are taking a huge risk. Instead of going after users themselves for their passwords, hackers today go after the provider, well aware that many don't adequately protect their users' data, including usernames and passwords. The answer to this is zero-knowledge password protection.
In this article, we are going to explore what zero-knowledge encryption is, why it might be better than regular passwords, what its advantages are, and we'll throw in a zero-knowledge authentication example or two for good measure.
What is Zero-Knowledge Password Protection?
So, what is zero-knowledge encryption?
Simply put, a zero-knowledge proof (ZKP) is a method that allows one party (let's call it "the prover") to prove to another party (we'll call that one "the verifier") that they know some piece of information (like a password) without revealing it.
In other words, the prover is the only one with access to the confidential information (the password); no one else, including the verifier or the service provider, has access to it or can recover it.
This isn't a new concept, although it has gained momentum with the advent of crypto and encryption services. The idea dates back to the 1980s, when a group of researchers from MIT, Silvio Micali, Charles Rackoff and Shafi Goldwasser, set out to find a way to prove knowledge of the answer to a problem without revealing the actual answer.
According to Micali, Rackoff and Goldwasser, ZKP should meet these three criteria:
- Zero-knowledge: The verifier cannot learn the password, regardless of whether they behave honestly or try to extract information about it.
- Completeness: If the prover really knows the correct information, an honest verifier will be convinced that it is correct.
- Soundness: The verifier will be satisfied only if the prover actually knows the right password.
Zero-knowledge protocols can fall into two categories:
- Interactive, where the verifier interrogates the prover in real time, and
- Non-interactive, where there is no direct communication between the two and the verifier can only check the proof after the fact.
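One concrete instance of both categories, added here as an illustration and not code from the article: Schnorr's identification protocol in Python, where a password-derived secret x is proven via y = g^x mod p without x ever being sent. The toy group parameters and the sample salt are constructed for the demo; the interactive variant has the verifier choose each challenge live, while the non-interactive (Fiat-Shamir) variant derives the challenge from a hash so the proof can be checked later.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p is a safe prime (p = 2q + 1) and
# g = 2^2 mod p generates the subgroup of prime order q. Real deployments use a
# 2048-bit-plus group or an elliptic curve; these values are NOT secure.
P, Q, G = 1019, 509, 4

def derive_secret(password: bytes, salt: bytes) -> int:
    """Prover's secret exponent x in [1, q-1]; it never leaves the client.
    (A real system would use a slow KDF such as Argon2 instead of plain SHA-256.)"""
    return int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % (Q - 1) + 1

def register(password: bytes, salt: bytes) -> int:
    """All the provider stores: y = g^x mod p, from which x cannot be read off."""
    return pow(G, derive_secret(password, salt), P)

def prover_commit():
    r = secrets.randbelow(Q - 1) + 1   # fresh nonce per proof; reusing r leaks x
    return r, pow(G, r, P)             # keep r, send t = g^r

def prover_respond(x: int, r: int, c: int) -> int:
    return (r + c * x) % Q             # s = r + c*x; the random r masks x

def verifier_check(y: int, t: int, c: int, s: int) -> bool:
    return pow(G, s, P) == (t * pow(y, c, P)) % P   # g^s == g^r * (g^x)^c

def interactive_login(x: int, y: int, rounds: int = 8) -> bool:
    """Interactive variant: the verifier picks each challenge live, after seeing t."""
    for _ in range(rounds):
        r, t = prover_commit()
        c = secrets.randbelow(Q)
        if not verifier_check(y, t, c, prover_respond(x, r, c)):
            return False
    return True

def fiat_shamir_challenge(y: int, t: int) -> int:
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def noninteractive_proof(x: int, y: int):
    """Non-interactive variant: the challenge is a hash of the commitment, so the
    proof (t, s) can be checked after the fact without talking to the prover."""
    r, t = prover_commit()
    return t, prover_respond(x, r, fiat_shamir_challenge(y, t))

def verify_noninteractive(y: int, t: int, s: int) -> bool:
    return verifier_check(y, t, fiat_shamir_challenge(y, t), s)
```

To run it, derive `x` and `y` from the same password and salt, then call `interactive_login(x, y)` or verify `noninteractive_proof(x, y)` with `verify_noninteractive`; a prover holding the wrong `x` fails, and a provider breach yields only `y`.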
How Does Zero-Knowledge Proof Work?
To understand how ZKP works, let's take a look at a zero-knowledge authentication example or two.
Imagine two people. One of them is color-blind. The other is holding two balls, one red and one blue.
The person holding the balls doesn't believe that the other really can't see colors and wants proof, so they put the balls behind their back and then ask the color-blind friend whether they switched the balls or not. If that person is indeed color-blind, they would only be able to tell that the balls were switched by accident or by a lucky guess. If the person with the balls repeats this a number of times, let's say 20, they will have their proof.
Here's another example. You are staying in a nice hotel and want to leave some valuables in the room while you go out and have a nice dinner in town. So, as a matter of well-advised precaution, you lock the door and take the key to the room with you. That key is your password.
Now, imagine that the hotel reception also has a copy of the key to your room (or a master key for all their guests' rooms) and a thief comes to rob your room. Yes, they can always break in without the key (remember that not all doors are 100% secure, even when it comes to encryption services), but it's much easier for them to just go to the front desk and grab the copy of the key.
This is how data breaches work in the first place. It doesn't matter how secure your password is if the hacker can simply breach a database and steal your username and password along with thousands of others.
Data breaches happen all the time. Popular video conferencing app Zoom was breached in April 2020 and hackers had 500,000 Zoom passwords for sale on the dark web (here's how Liverado over Tor makes your email more secure).
Also in April, Nintendo announced that 160,000 accounts had been breached in a credential stuffing attack; hackers were able to see users' sensitive data, including their email addresses and birth dates, and to make purchases.
These are just some examples of how hackers were able to get at users' sensitive information, like passwords, without taking the password from the users themselves, instead going after the service and its data.
Zero-knowledge encryption offers a way to prevent this from happening. It's like a hotel that, instead of giving each guest a key and keeping a spare at the front desk that a thief can nick, lets guests bring their own padlocks or use their own keys. In that case the receptionist, who in this analogy is the verifier, doesn't need to see the guest's key at all; they only need the guest to prove they have it in their possession.
Why isn't Zero-Knowledge Password Protection More Often Used?
So why isn't zero-knowledge password protection more commonly used outside of cryptography and encryption email services?
One reason may be that it demands a great deal of computational power and is therefore more expensive to run.
Of course, this argument loses its weight once we consider that ZKP can enhance data security by replacing other, less effective verification and authentication methods.
Think about it. If all a hacker has to do to get your sensitive information is not to crack your password but to break into a provider's unsecured data store holding your account, is it really a good idea to keep your password or key with that provider?
At Liverado, we know that you trust us with keeping your emails private and the last thing we want is to break that trust. This is why we use zero-knowledge password protection technology to make sure that no one else has access to your encrypted data, including us.
Ready to take back your privacy? Sign up today for a free Liverado account.