8.2.1 Security Properties
The security properties of AEV largely follow from those of the key management layer it is built upon, detailed in Section 3.11. In particular, a malicious insider cannot decrypt any AEV-encrypted voicemail recorded before the compromise began (unless the insider also corrupts one of the recipient's devices to obtain the necessary decryption keys). Key rotation happens as soon as possible whenever the set of devices changes, so revoked devices cannot decrypt future voicemails; a revoked device still holds the keys it received before revocation, however, so we rely on the server to withhold past ciphertexts from it.

We stress that even if Zoom Phone servers delete plaintext voicemails as soon as possible after encryption (and cannot decrypt them afterwards), they have temporary access to the voicemails during recording, so AEV has inherently weaker guarantees than end-to-end encryption. In addition to this confidentiality limitation, recipients cannot independently verify, and therefore rely on Zoom servers for, the integrity of the recording (i.e. that it was not tampered with) and of its metadata, such as the recording time, claimed author, intended recipient and their respective phone numbers. This is unavoidable at least in the PSTN case, since that technology has no native support for encryption. We are considering offering E2EE voicemail between Zoom Phone users in the future. Moreover, the above metadata is not encrypted with per-user keys; it remains available to the server to provide the service even after the audio recording no longer is.

Since Zoom servers perform the encryption and keep track of everyone's keys, fingerprints are not displayed when sending or listening to an AEV voicemail (the user interface does distinguish between messages using standard and AEV encryption). Fingerprint verification is still useful during device approvals, to prevent an attacker (including a recently compromised server) from gaining access to previously encrypted voicemails by getting a rogue device approved.
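To make the rotation and metadata caveats above concrete, the following toy model is added here as an illustration; it is not Zoom's code and it deliberately simplifies the key management layer of Section 3.11 to a single X25519 key pair per epoch handed straight to the approved devices. The hybrid construction (X25519 plus AES-256-GCM with an ad hoc SHA-256 key derivation) is an assumption standing in for whatever AEV actually uses, and the device names, phone numbers and timestamps are constructed for the example. It demonstrates three things the text states: a revoked device is locked out of voicemails recorded after the rotation but can still open older ciphertexts if it obtains them, the remaining device keeps working, and a server-side rewrite of the cleartext metadata is invisible to the recipient because nothing binds that metadata to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device holds the recipient's private voicemail keys by epoch; a device only
// receives keys for epochs in which it was approved (key delivery is abstracted).
type Device map[int]*ecdh.PrivateKey

// Voicemail is the server-side record: cleartext metadata plus encrypted audio.
type Voicemail struct {
	From, To, RecordedAt            string
	Epoch                           int
	EphemeralPub, Nonce, Ciphertext []byte
}

// Server models Zoom Phone: it sees the audio while recording, encrypts it to
// the recipient's current public key, and never holds a private key.
type Server struct {
	epoch int
	pub   *ecdh.PublicKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Rotate starts a new epoch: fresh key pair, private half to every device still
// in the set, public half to the server. Run it whenever the device set changes.
func Rotate(devices map[string]Device, srv *Server) {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	srv.epoch, srv.pub = srv.epoch+1, priv.PublicKey()
	for _, d := range devices {
		d[srv.epoch] = priv
	}
}

// gcmFor runs X25519 and derives AES-256-GCM from the shared secret and both
// public keys (an ad hoc KDF; a production design would use HKDF with context).
func gcmFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, ephPub, recipPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, p := range [][]byte{shared, ephPub, recipPub} {
		h.Write(p)
	}
	return cipher.NewGCM(must(aes.NewCipher(h.Sum(nil))))
}

// Record is the server-side encryption step once recording ends.
func (s *Server) Record(from, to, when string, audio []byte) Voicemail {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	gcm := must(gcmFor(eph, s.pub, eph.PublicKey().Bytes(), s.pub.Bytes()))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return Voicemail{From: from, To: to, RecordedAt: when, Epoch: s.epoch,
		EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce,
		Ciphertext:   gcm.Seal(nil, nonce, audio, nil)} // nil AAD: metadata is not bound
}

// Decrypt needs the key for the voicemail's epoch and an intact ciphertext; it
// has no way to check the cleartext metadata.
func (d Device) Decrypt(vm Voicemail) ([]byte, error) {
	priv, ok := d[vm.Epoch]
	if !ok {
		return nil, fmt.Errorf("no key for epoch %d", vm.Epoch)
	}
	ephPub, err := ecdh.X25519().NewPublicKey(vm.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(priv, ephPub, vm.EphemeralPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, vm.Nonce, vm.Ciphertext, nil)
}

// Reads reports whether a device recovers exactly the expected audio.
func Reads(d Device, vm Voicemail, want string) bool {
	pt, err := d.Decrypt(vm)
	return err == nil && string(pt) == want
}

func main() {
	srv, phone, laptop := &Server{}, Device{}, Device{}
	devices := map[string]Device{"phone": phone, "laptop": laptop}
	Rotate(devices, srv)
	old := srv.Record("+15550100", "+15550200", "2024-03-01T09:00Z", []byte("before revocation"))
	delete(devices, "laptop") // revoke the laptop: it keeps epoch 1 but gets no later key
	Rotate(devices, srv)
	fresh := srv.Record("+15550100", "+15550200", "2024-03-02T09:00Z", []byte("after revocation"))
	fresh.From = "+15559999" // server-side metadata rewrite; the recipient cannot detect it
	fmt.Println(Reads(laptop, old, "before revocation"), Reads(laptop, fresh, "after revocation"),
		Reads(phone, fresh, "after revocation")) // true false true
}
```

The first `true` is why the server must withhold past ciphertexts from a revoked device, the `false` is the guarantee rotation does give, and the last `true` is the integrity caveat: GCM rejects a modified ciphertext, but the caller ID, timestamp and recipient fields are outside the authenticated data and can be rewritten by whoever stores the record.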