Zero-knowledge service: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
add Tarsnap; alphabetize list en passant
rm vendor list / per WP:NOT
 
(15 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{distinguish|Zero-knowledge proof}}
{{distinguish|Zero-knowledge proof}}


In [[cloud computing]], the term '''zero-knowledge''' (or occasionally '''no-knowledge''' or '''zero access''') refers to software services that [[Data at rest|store]], [[Data in transit|transfer]] or [[Data in use|manipulate]] [[Data (computing)|data]] such that it is only accessible to its owner, not to the service provider. This is accomplished by [[encryption|encrypting]] the [[Plaintext|raw data]] at the [[client-side encryption|client side]] or [[End-to-end encryption|end-to-end]] (in case of one or more clients, respectively), without disclosing the [[password]] to the service provider. This means neither the service provider, nor any third party that might [[Sniffing attack|intercept the data]], can ever decrypt and access the data on their own, allowing the client a higher degree of [[Internet privacy|privacy]] than would otherwise be possible. In addition, zero-knowledge services usually aspire to hold as little [[metadata]] as possible, so as not to jeopardize clients' privacy by holding data beyond what is functionally needed by the service.
In [[cloud computing]], the term '''zero-knowledge''' (or occasionally '''no-knowledge''' or '''zero access''') refers to an [[Web service|online service]] that [[Data at rest|stores]], [[Data in transit|transfers]] or [[Data in use|manipulates]] [[Data (computing)|data]] in a way that maintains a high level of [[Information security#Confidentiality|confidentiality]], where the data is only accessible to the data's owner (the [[Client–server model|client]]), and not to the service provider. This is achieved by [[encryption|encrypting]] the [[Plaintext|raw data]] at the [[client-side encryption|client's side]] or [[End-to-end encryption|end-to-end]] (in case there is more than one client), without disclosing the [[password]] to the service provider. This means that neither the service provider, nor any third party that might [[Sniffing attack|intercept the data]], can decrypt and access the data without prior permission, allowing the client a higher degree of [[Internet privacy|privacy]] than would otherwise be possible. In addition, zero-knowledge services often strive to hold as little [[metadata]] as possible, holding only that data that is functionally needed by the service.
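Review bot: the rewritten lead's "can decrypt and access the data without prior permission" is weaker than the old "can ever decrypt and access the data on their own". A zero-knowledge provider holds neither the password nor the key, so consent alone does not let it decrypt anything; only key material supplied by the client does. Suggest "cannot decrypt the data unless the client supplies the key" or restoring "on their own", which also matches the "Disadvantages" section below, where the provider is said to be unable to furnish access even when asked.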


The term "zero-knowledge" was popularized by [[online backup|backup]] service [[SpiderOak]], which later switched to using the term "no knowledge" to avoid confusion with the [[computer science]] concept of [[zero-knowledge proof]].
The term "zero-knowledge" was popularized by [[online backup|backup]] service [[SpiderOak]], which later switched to using the term "no knowledge" to avoid confusion with the [[computer science]] concept of [[zero-knowledge proof]].

Providers of zero-knowledge services include:
* Cubbit<ref>{{Cite web |title=What is Zero Knowledge Encryption and why you need it from the services you use |url=https://blog.cubbit.io/blog-posts/what-is-zero-knowledge-encryption |access-date=2021-05-29 |website=Cubbit blog |language=en}}</ref>
* [[LucidLink]]<ref>{{Cite web |title=No Knowledge |url=https://lucidlink.com/security/ |access-date=2022-05-13 |website=LucidLink |language=en-US}}</ref>
* [[NordPass]]<ref>{{Cite web |title=Zero-Knowledge Encryption: Extra Password Safety |url=https://nordpass.com/features/zero-knowledge-architecture/ |access-date=2021-05-29 |website=NordPass |language=en}}</ref>
* [[ProtonMail]]<ref>{{Cite web |date=2018-05-23 |title=What is zero access encryption? |url=https://protonmail.com/blog/zero-access-encryption/ |access-date=2021-05-29 |website=ProtonMail Blog |language=en-US}}</ref>
* [[Signal (software)|Signal]]<ref>{{Cite web |title=Technology preview: Private contact discovery for Signal |url=https://signal.org/blog/private-contact-discovery/ |access-date=2021-05-29 |website=Signal Messenger |language=en}}</ref>
* [[SpiderOak]]<ref>{{Cite web |title=No Knowledge |url=https://spideroak.com/no-knowledge/ |access-date=2021-05-29 |website=SpiderOak |language=en-US}}</ref>
* Sync.com<ref>{{Cite web |title=Zero knowledge: The smartest option |url=https://www.sync.com/blog/zero-knowledge/ |access-date=2021-05-29 |website=Sync.com |language=en}}</ref>
* [[Tresorit]]<ref>{{Cite web |date=2016-05-20 |title=What is Zero-Knowledge Encryption? |url=https://tresorit.com/blog/zero-knowledge-encryption/ |access-date=2021-05-29 |website=Tresorit Blog |language=en}}</ref>
* [[Tarsnap]]<ref>{{Cite web | title=Tarsnap | url=https://www.tarsnap.com/ | access-date=2022-06-04 |website=Tarsnap |language=en-US}}</ref>


== Disadvantages ==
== Disadvantages ==
Most{{cn|date=December 2021}} [[cloud storage]] services keep a copy of the client's password on their servers, allowing clients who have lost their passwords to retrieve and decrypt their data using alternative means of [[Authentication#Authentication factors|authentication]]; but since zero-knowledge services ''do not'' store copies of clients' passwords,<ref>{{Cite journal |last=Kiefer |first=Franziskus |last2=Manulis |first2=Mark |title=Zero-Knowledge Password Policy Checks and Verifier-Based PAKE |url=https://eprint.iacr.org/2014/242.pdf |journal=Lecture Notes in Computer Science |volume=8713 |pages=295-312}}</ref> if a client loses their password then their data cannot be decrypted, making it practically unrecoverable.
Most{{cn|date=December 2021}} [[cloud storage]] services keep a copy of the client's password on their servers, allowing clients who have lost their passwords to retrieve and decrypt their data using alternative means of [[Authentication#Authentication factors|authentication]]; but since zero-knowledge services ''do not'' store copies of clients' passwords,<ref>{{Cite book |last1=Kiefer |first1=Franziskus |last2=Manulis |first2=Mark |title=Computer Security - ESORICS 2014 |chapter=Zero-Knowledge Password Policy Checks and Verifier-Based PAKE |series=Lecture Notes in Computer Science |chapter-url=https://eprint.iacr.org/2014/242.pdf |year=2014 |volume=8713 |pages=295–312|doi=10.1007/978-3-319-11212-1_17 |isbn=978-3-319-11211-4 }}</ref> if a client loses their password then their data cannot be decrypted, making it practically unrecoverable.


Most{{cn|date=December 2021}} [[cloud storage]] services are also able to furnish [[search warrant|access requests]] from [[law enforcement]] agencies for similar reasons; zero-knowledge services, however, are unable to do so, since their systems are designed to make clients' data inaccessible without the client's explicit cooperation.
Most{{cn|date=December 2021}} [[cloud storage]] services are also able to furnish [[search warrant|access requests]] from [[law enforcement]] agencies for similar reasons; zero-knowledge services, however, are unable to do so, since their systems are designed to make clients' data inaccessible without the client's explicit cooperation.

Latest revision as of 13:21, 23 November 2023

In cloud computing, the term zero-knowledge (or occasionally no-knowledge or zero access) refers to an online service that stores, transfers or manipulates data in a way that maintains a high level of confidentiality, where the data is only accessible to the data's owner (the client), and not to the service provider. This is achieved by encrypting the raw data at the client's side or end-to-end (when more than one client is involved), without disclosing the password to the service provider. This means that neither the service provider, nor any third party that might intercept the data, can decrypt and access the data without prior permission, allowing the client a higher degree of privacy than would otherwise be possible. In addition, zero-knowledge services often strive to hold as little metadata as possible, keeping only the data the service functionally needs.

The term "zero-knowledge" was popularized by backup service SpiderOak, which later switched to using the term "no knowledge" to avoid confusion with the computer science concept of zero-knowledge proof.

Disadvantages

Most[citation needed] cloud storage services keep a copy of the client's password on their servers, allowing clients who have lost their passwords to retrieve and decrypt their data using alternative means of authentication; but since zero-knowledge services do not store copies of clients' passwords,[1] if a client loses their password then their data cannot be decrypted, making it practically unrecoverable.

Most[citation needed] cloud storage services are also able to furnish access requests from law enforcement agencies for similar reasons; zero-knowledge services, however, are unable to do so, since their systems are designed to make clients' data inaccessible without the client's explicit cooperation.
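The client-side scheme the article describes, as an added Go example that is not part of the Wikipedia article or of any provider's code: the key is derived from the password on the client, only the ciphertext plus non-secret salt and nonce are uploaded, the provider can neither decrypt nor hand the data over, and a forgotten password leaves the data unrecoverable. The PBKDF2 routine, the Blob layout, the iteration count and the sample inputs are assumptions made for this demonstration; a real service would prefer a memory-hard KDF such as scrypt or Argon2.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Blob is all the provider ever stores: salt, nonce and ciphertext, never the password or key.
type Blob struct{ Salt, Nonce, Ciphertext []byte }
const kdfIters = 100000 // demo value; a real service would prefer a memory-hard KDF

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block.
func pbkdf2(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	u := append(append([]byte{}, salt...), 0, 0, 0, 1) // input to U_1: S || INT(1)
	var out [32]byte
	for i := 0; i < iters; i++ {
		mac.Reset() // back to the keyed state: U_i = PRF(P, U_{i-1})
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out[:]
}

// aeadFor derives the key locally and wraps it in AES-256-GCM.
func aeadFor(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2(password, salt, kdfIters)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                              // AES block size: cannot fail
	return aead
}

// ClientEncrypt runs on the client before upload; the provider only ever sees the Blob.
func ClientEncrypt(password, plaintext []byte) (Blob, error) {
	r := make([]byte, 28) // fresh 16-byte salt + 12-byte GCM nonce per upload
	if _, err := rand.Read(r); err != nil {
		return Blob{}, err
	}
	ct := aeadFor(password, r[:16]).Seal(nil, r[16:], plaintext, nil)
	return Blob{Salt: r[:16], Nonce: r[16:], Ciphertext: ct}, nil
}

// ClientDecrypt re-derives the key; a wrong or forgotten password fails GCM authentication.
func ClientDecrypt(password []byte, b Blob) ([]byte, error) {
	return aeadFor(password, b.Salt).Open(nil, b.Nonce, b.Ciphertext, nil)
}
```

Because the stored Blob carries no password or key, a provider answering an access request can only hand over the same opaque bytes it holds, which is the behaviour the section above describes.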

References

1. Kiefer, Franziskus; Manulis, Mark (2014). "Zero-Knowledge Password Policy Checks and Verifier-Based PAKE" (PDF). Computer Security - ESORICS 2014. Lecture Notes in Computer Science. Vol. 8713. pp. 295–312. doi:10.1007/978-3-319-11212-1_17. ISBN 978-3-319-11211-4.
2. Kiss, Jemima (2014-07-17). "Snowden: Dropbox is hostile to privacy, unlike 'zero knowledge' Spideroak". The Guardian. Retrieved 2021-05-29.
3. O'Sullivan, Fergus (2015-08-25). "What Exactly is Zero-Knowledge in The Cloud and How Does it Work?". Cloudwards. Retrieved 2021-05-29.
4. Farivar, Cyrus (2016-10-04). "FBI demands Signal user data, but there's not much to hand over". Ars Technica. Retrieved 2021-05-29.