Technical data

Zero trust vs zero-knowledge proof: what’s the difference?

When talking about zero trust with technical colleagues, you may have heard a reference to something called zero knowledge proof.

Although the two terms sound similar, they refer to distinctly different computer security concepts with a slight overlap. Let’s compare the two to understand the difference.

What is Zero Trust?

Companies looking for greater control of communications over a corporate network are considering zero-trust philosophies as a potential solution. Zero Trust is a security framework that requires users and devices to be continuously authenticated, authorized, and validated over time. Each user and device is bound to a set of granular controls that they must adhere to when communicating with other users, devices, and systems within a secure network.

Zero trust principles can be extended to data centers and the cloud. The idea is to place applications and services in logically created secure areas. All traffic entering or leaving a zone must be explicitly authorized before transferring data over. This means that, if a server or application is compromised, the bad actor cannot easily move laterally in the data center to potentially compromise other systems.

What is zero-knowledge proof?

Zero-knowledge proof is a term used in the field of cryptography that has been around since the mid-1980s. This methodology involves one party proving that they have information that they claim to be true and a second party wants to verify that the information in the first part is indeed true. With a zero-knowledge proof system, the proving party does not pass on any secret information that could prove whether what it claims is true.

A zero-knowledge proof requires no real knowledge or secret information to prove the claim. Instead, a scenario must be set up that allows the party of proof to demonstrate that it has particular information without actually revealing it.

Zero-knowledge proofs are used in modern cybersecurity in situations where a system claims to have sensitive data but does not want to pass that data to prove it to another system. Cryptographic algorithms based on zero-knowledge proof can be used to allow the verifying party to test the proof in such a way that it would be mathematically impossible not to be factual.

Where do zero-trust and zero-knowledge proof intersect in business?

Zero-knowledge proofs can be used to protect data confidentiality. This type of cryptography is therefore a great way to authenticate and verify users without having to transmit secrets that should never be known to others.

In most cases, the information that the proving party wants to keep secret is a password. Some types of two-factor authentication (2FA) and multi-factor authentication (MFA) use zero-knowledge proofs, never requiring the proof party to divulge secret information. Of course, authentication – and MFA and 2FA in particular – is an integral part of zero-trust frameworks.

This was last published in May 2022

Deepen data security and privacy