End-to-end encryption with identity verification for Webex meetings
Compare Webex End-to-End Encryption and Zero-Trust End-to-End Encryption
The Webex Suite offers two types of end-to-end encryption (E2EE):
- Webex End-to-End Encryption — Default security for user-generated content shared in standard meetings and Webex Messaging.
- Zero-Trust End-to-End Encryption — Enhanced security for media and user-generated content in Webex end-to-end encrypted meetings. This article focuses mainly on Zero-Trust End-to-End Encryption.
Both types of end-to-end encryption provide an extra layer of encryption that safeguards data from interception attacks, but they differ in the levels of confidentiality that they offer.
Webex End-to-End Encryption
Webex End-to-End Encryption uses the Webex Key Management System* (KMS) to generate and manage encryption keys. These Webex KMS keys are used to encrypt chat messages, files, whiteboards and annotations created by Webex apps and Cisco video devices. Originally used with Webex Messaging, Webex End-to-End Encryption is now also used to encrypt user-generated content in standard Webex Meetings on the Webex Suite meeting platform. With Webex End-to-End Encryption:
- Data is encrypted in transit and at rest.
- Webex apps and Cisco devices encrypt all user-generated content, such as messages, files, annotations, and whiteboards, before transmitting them over encrypted TLS.
- This encrypted content is stored on encrypted content servers in the Webex cloud.
This additional layer of security protects user data in transit from TLS interception attacks, and stored user data from potential bad actors in the Webex cloud.
* By default, our cloud-based KMS generates and distributes encryption keys. You also have an option with Webex Hybrid Data Security (HDS) to manage your own, on-premises version of the key management system.
The Webex cloud can access and use KMS encryption keys, but only to decrypt data as required for core services such as:
- Message indexing for search functions
- Data loss prevention
- File transcoding
- eDiscovery
- Data archival
For more information on Webex KMS-based End-to-End Encryption, see the Webex Messaging Security Technical Paper.
Zero-Trust End-to-End Encryption
Webex uses Zero-Trust End-to-End Encryption to offer higher levels of security and confidentiality for media and user-generated content (chat, files, whiteboards, and annotations) in Webex End-to-End Encrypted meetings.
Zero-Trust End-to-End Encryption uses the Messaging Layer Security (MLS) protocol to exchange information so that participants in a Webex Meeting can create a common meeting encryption key.
The meeting encryption key is only accessible to the participants in the meeting. The Webex service can't access the meeting key—hence "Zero-Trust."
Scope of Zero-Trust security for Webex Meetings
Zero-Trust end-to-end encrypted Webex meetings support the following:
- Standards-based protocols (MLS, SFrame) with formally verified cryptography.
- Webex desktop apps for Windows, macOS, and Linux.
- Webex mobile apps for iOS and Android.
- Cisco video devices (Room Series, Desk Series, and Webex Board).
- End-to-end encryption (E2EE) in Personal Room meetings.
- End-to-end encryption (E2EE) for scheduled meetings.
- A security icon which lets all meeting participants know at a glance that their meeting is secure, and when end-to-end encryption is enabled for the meeting.
- Verbal verification of meeting attendees using a new Security Verification Code.
- Up to 1000 participants.
- Local recording.
- In-meeting chat, file transfer, whiteboarding, and annotation.
- Remote Desktop Control.
- In Webex App, you can join the meeting using your computer audio only (PSTN-based Call me/Call is not supported).
Zero-Trust security does not support the following in meetings:
- Older Webex devices, such as the SX, DX, and MX Series.
- Web browser-based Webex App (web.webex.com).
- Saving meeting chat, files, whiteboards, and annotations.
- Saving session data, transcripts, and meeting notes to the cloud.
- Features provided by Cisco cloud services that require access to decrypted media, including:
  - Network-Based Recording (NBR)
  - Transcoding media
  - In-meeting Webex AI Assistant
  - Automated closed captioning
  - Transcription, etc.
- Calls to and from the Public Switched Telephone Network (PSTN)
- Calls to and from SIP devices
This section is for customers with Full-Featured Meetings.
To join an E2EE meeting from your Webex Board, Room, or Desk device, tap Join Webex and enter the meeting number that is listed in the Webex Meetings invite. Then, tap Join to join the meeting.
In the meeting, you can check whether the meeting is end-to-end encrypted by looking at the shield icon in the header.
- The meeting is end-to-end encrypted.
- The connection between your Webex desktop app and the Webex server is secure, but the meeting is not end-to-end encrypted.
A security code is provided to allow participants to verify that their connection is secure.
Tap the icon to see the security code and other security information for the meeting. The security code changes each time a participant enters the meeting.
All the meeting participants should see the same security code. If one person sees a different security code, their connection is not secure.
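The sketch below is an added illustration, not Webex's code, of why comparing codes aloud detects a participant whose client holds a different view of the meeting. This article does not describe how Webex derives the code, so the derivation here (a truncated SHA-256 over an epoch counter and every participant's credential fingerprint) is an assumption, and all function names and fingerprints are hypothetical.

```python
import hashlib
from collections import Counter

def security_code(epoch: int, fingerprints: list[str], digits: int = 10) -> str:
    """Derive a short, speakable code from one client's view of the group.

    Assumed scheme for illustration: SHA-256 over the epoch counter and the
    sorted, length-prefixed credential fingerprints of every participant.
    """
    h = hashlib.sha256()
    h.update(epoch.to_bytes(8, "big"))
    for fp in sorted(fingerprints):
        data = fp.encode()
        h.update(len(data).to_bytes(2, "big"))  # length prefix: unambiguous encoding
        h.update(data)
    n = int.from_bytes(h.digest()[:8], "big") % 10**digits
    code = str(n).zfill(digits)
    return "-".join(code[i:i + 5] for i in range(0, digits, 5))

def mismatched_participants(codes_read_aloud: dict[str, str]) -> list[str]:
    """Return the participants whose code differs from the most common one."""
    majority, _ = Counter(codes_read_aloud.values()).most_common(1)[0]
    return sorted(p for p, c in codes_read_aloud.items() if c != majority)

# Constructed sample fingerprints (not real certificate hashes).
ALICE, BOB, CAROL = "fp-alice-11aa", "fp-bob-22bb", "fp-carol-33cc"
SUBSTITUTED = "fp-unknown-99ff"  # credential Bob's client was shown in place of Alice's

def verbal_check() -> list[str]:
    """Epoch 2, three participants; Bob's client holds a different roster."""
    return mismatched_participants({
        "alice": security_code(2, [ALICE, BOB, CAROL]),
        "bob": security_code(2, [SUBSTITUTED, BOB, CAROL]),
        "carol": security_code(2, [CAROL, ALICE, BOB]),
    })

if __name__ == "__main__":
    print("before join:", security_code(1, [ALICE, BOB]))
    print("after join: ", security_code(2, [ALICE, BOB, CAROL]))
    print("codes that differ:", verbal_check())
```

Because the code is bound to the full roster and the epoch, it changes when someone joins, and a single substituted credential is enough to make one participant's code disagree with everyone else's.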
In the participants list, you can see information about the authentication status of each participant: verified or unverified.
- Participant's identity has been verified externally by a Webex Partner Certificate Authority (CA). This requires configuring an external certificate on your personal device.
- Participant's identity has been verified internally by Webex CA.
- Participant's identity is unverified.
More detailed information about the certificate provider is available by tapping a participant’s name and selecting Show Certificate.