When talking about zero trust with technical colleagues, you may have heard a reference to something called zero-knowledge proof.
Despite the two terms sounding similar, they refer to distinctly different IT security concepts with a slight overlap. Let’s compare the two to understand the difference.
What is zero trust?
Businesses seeking greater control over communications on an enterprise network are looking at zero-trust philosophies as a potential solution. Zero trust is a security framework that requires users and devices to be authenticated, authorized and continuously validated over time. Each user and device is tied to a set of granular controls it must adhere to when communicating with other users, devices and systems within a secure network.
Zero-trust principles can be extended to data centers and the cloud. The idea is to place applications and services into logically created secure zones. All traffic entering or exiting a zone must be explicitly permitted prior to forwarding the data on. This means that, if a server or application becomes compromised, the bad actor cannot easily move laterally throughout the data center to potentially compromise other systems.
What is zero-knowledge proof?
Zero-knowledge proof is a term from the field of cryptography that has been around since the mid-1980s. It involves two parties: a prover, which claims to hold some information, and a verifier, which wants to confirm that the claim is true. In a zero-knowledge proof system, the prover transmits none of the secret information that would itself substantiate the claim.
A zero-knowledge proof never hands the verifier the secret itself. Instead, the exchange must be set up so that the proving party can demonstrate it holds particular information without actually revealing it.
Zero-knowledge proofs are used in modern cybersecurity when one system needs to show it possesses sensitive data but does not want to transmit that data to prove it to another system. Cryptographic protocols built on zero-knowledge proofs let the verifying party check the proof in such a way that, mathematically, a false claim can pass the check only with negligible probability.
Where do zero trust and zero-knowledge proof intersect in the enterprise?
Zero-knowledge proofs can be used to protect the privacy of data. This type of cryptography, therefore, is a great way to authenticate and verify users without having to transmit secrets that should never be known by others.
In most cases, the information the proving party wants to keep secret is a password. Certain types of two-factor authentication (2FA) and multifactor authentication (MFA) use zero-knowledge proofs, never requiring the proving party to give up the secret itself. Of course, authentication — and MFA and 2FA especially — is an integral part of zero-trust frameworks.
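As an added illustration (not code from the article), here is a Schnorr-style identification protocol in Python: the prover shows it knows the exponent x behind a stored public value y = g^x without ever sending x, and a simulator shows that an accepting transcript can be produced from y alone, which is what makes the proof zero-knowledge. The group parameters and password are constructed toy values, far too small for real use.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: P is a safe prime, Q = (P-1)/2 and
# G = 4 generates the order-Q subgroup. Real systems use 2048-bit+ groups or
# elliptic curves; values this small are trivially brute-forced.
P, Q, G = 2039, 1019, 4

def derive_secret(password: str) -> int:
    """Map a password to a private exponent x in [1, Q-1] (a real system would
    use a salted, slow password KDF here)."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def public_value(x: int) -> int:
    """y = g^x mod p, the only thing the verifier ever stores."""
    return pow(G, x, P)

def prover_commit():
    """Round 1: fresh random r, send t = g^r; r never leaves the prover."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge() -> int:
    """Round 2: random non-zero challenge c."""
    return secrets.randbelow(Q - 1) + 1

def prover_respond(x: int, r: int, c: int) -> int:
    """Round 3: s = r + c*x mod q; r blinds x, so s reveals nothing about x."""
    return (r + c * x) % Q

def verifier_check(y: int, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p), true exactly when s was built from
    the x behind y. x itself is never transmitted."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def authenticate(x: int, y: int) -> bool:
    """One full exchange: the prover holds x, the verifier holds only y."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, r, c))

def simulate_transcript(y: int):
    """Why it is zero-knowledge: from y alone, pick c and s first and solve
    t = g^s * y^(-c). The result passes verifier_check yet was made without x,
    so a genuine transcript cannot leak anything a forger could not produce."""
    c, s = verifier_challenge(), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s
```

The verifier stores only y, so a breach of its database exposes no password-equivalent value that could be replayed, and a prover holding the wrong x is rejected on every run.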
This was last published in May 2022
Related Q&A from Andrew Froehlich