Ignorance is something we generally think is a bad thing, although there are people who say “ignorance is bliss” too! Regardless of how you feel about the word, in a security context ignorance is actually a very important concept.
When you want to control the exposure and vulnerability of information, it’s better to compartmentalize that information. This is what organizations like the CIA refer to as the “need to know”. This means that you always have to ask the question “does this entity need to know this?”. If someone doesn’t need to know something in order to perform their function then they won’t know it. This radically cuts down on information leaks and makes extortion of information impossible.
In the world of computer security, there’s a similar concept known as “zero-knowledge”. In general, zero knowledge is something that you as a user will want. However, many of the internet services we use wouldn’t work well (or at all) in a zero-knowledge setup. Before we dig into that core problem, let’s talk about what zero-knowledge means in the first place.
The Meaning of Zero-knowledge
The proper, academic, denotative meaning of "zero-knowledge" refers to a situation where the "prover" can show to the "verifier" that a given statement is true, without actually giving away more information than that.
In real life, there aren't many examples of true zero-knowledge systems, but the term is also used in a more colloquial sense.
When someone is said to provide a "zero-knowledge" service, it generally means that they are insulated from your information. The only people who can know the content of your information are those you want to know. In practice, and in a cryptographic context, this usually means that only you are the keeper of the keys to your information.
Let's look at a few examples of use cases that use the zero-knowledge approach.
One of the most important processes in encryption is authentication. While encryption prevents third-parties from understanding your messages, it doesn't mean much if you aren't talking to who you think you are.
That's the role of authentication, where the two entities at each end of the encrypted line can be sure both are really who they say they are.
A classic encryption attack is known as the "man-in-the-middle" attack. Here someone slips between the two legitimate communicators and just passes the information along. They get to decrypt the information without anyone figuring out something is wrong.
This problem has largely been solved by public key encryption technology. Where a trusted key authority helps authenticate that everyone is on the level.
For some, this still poses a problem since the key authority has access to everything. We have to trust that they will do the right thing and have security measures that are good enough.
While it isn't quite possible in a practical form yet, researchers have been working on zero-knowledge proofs for use in authentication. There is, however, a sub-class of zero-knowledge application that has seen some use. This is known as a zero-knowledge password proof. It allows one party (the prover) to show that they know the password to the other party, without actually having to send the password itself to them. Instead, information derived from the password is sent to the verifier, who can then say with confidence that proof has been provided, without ever seeing the password.
Zero-Knowledge in the Cloud
We're all pretty spoilt for choice when it comes to online cloud storage. Services like DropBox and Google Drive have revolutionized the way we work and share information.
There's one catch, however. The companies who provide these services have full access to your data. There's nothing stopping them from indexing everything you upload. Analyzing it for insights into your behavior or to simply steal info. That's not the same thing as saying these companies actually do these things, just that they could if they wanted to.
So if you aren't comfortable with a service provider having complete access to your files, you need to use a zero-knowledge alternative. That is a cloud storage service that will store your information for you but doesn't hold the keys that open up the information in the first place.
There are some downsides to this of course. If the service can't look in your files you lose the ability to do contextual searches, among other things.
There are a few zero-knowledge cloud services out there already, but you can use a tool like BoxCrypter to convert your existing cloud storage account to a zero-knowledge one.
VPNs are internet services that provide users with unparalleled privacy and security. When you use a good VPN (e.g. ExpressVPN) your entire internet connection is secured against outside spying. The VPN service can, however, see exactly what you are doing.
What a VPN service does with this ability is of major concern to users. By definition, a VPN can't really be zero-knowledge since the VPN server has to be in the middle to encrypt and decrypt traffic for you.
Which means you still have to place trust in the VPN provider that they won't capture and share your activity. Nonetheless, some VPN providers have designed their systems in such a way that no information is ever captured or stored. So even if someone hacked them or ordered them to hand over user data, they simply don't have it. Given that you believe the VPN provider, this is what you should look for in any VPN provider. The so-called "no-logs" VPN.
The final example we'll look at here is zero-knowledge messaging. The proper name for this type of messaging is end-to-end encrypted messaging. Keys are generated at the client end and the provider itself has no idea what they are. This has become ever more important as governments start to feel irritated at the fact that people are moving away from telephony and onto over-the-top services. You can't "phone tap" these apps when they use end-to-end encryption. In fact, it's pretty much impossible.
Counting Our Words
Yes, it's true that the term "zero-knowledge" is being used a little improperly by the mainstream world, but this casual meaning is still very important to be aware of. The principle that has received this label is still worth seeking out. For once, ignorance really is bliss.