7.7 Meeting Leader Security Code

If all participants can verify the authenticity of the leader’s public key (IVK), they are safe from MitM attacks. The Zoom client exposes the following “meeting leader security code” in the security tab: Digits(SHA256(SHA256("Zoombase-1-ClientOnly-MAC-SecurityCode")||SHA256(IVK))) Digits extracts a string of 39 decimal digits from a SHA-256 hash, representing just over 129 bits of information. This representation is more human-readable and more internationalizable than the full hexadecimal hash. Crucially, every Zoom client in the meeting independently computes these codes from the IVK used in the handshake protocol. The length of the code is long enough to protect against second pre-image attacks. The leader reads out the meeting leader security code, after which everyone in the meeting in turn does the same thing. If the code does not match, the participant should speak up in the meeting, and the leader should rotate the meeting key by kicking them out; they may be allowed to rejoin and try again. By having the leader go first, participants verify that they all agree both on which of them is the leader, and on their IVK . Both properties are necessary to detect MitM attacks. If deep fake technology15 is a concern, or the participants do not know each other in advance, this verification can also happen over a different out-of-band secure channel. Non-leader participants see a notification prompting them to re-perform the security code checks whenever the meeting leader changes. These additional checks prevent a compromised Zoom server from changing the meeting leader over the course of a meeting without being detected. We considered other approaches to the meeting leader security code, such as mixing more of the handshake data into the displayed code. While more mixins would be more robust to attacks that try to confuse participants by mixing members from different meetings, we see a UX advantage of “one leader, one code.”