Scribd
Upload
3 views9 pages

2025 CE FinalProject-GoogleCSE

Google Client-Side Encryption (CSE) is a security feature of Google Workspace that allows users to encrypt data locally before uploading it to Google servers, ensuring that even if attackers access the server, they cannot decrypt the data since Google does not store the encryption keys. The process involves client-side encryption using AES-GCM, key management through services like Google Cloud KMS, and user authorization via OAuth 2.0. While CSE provides advantages such as compliance with regulations and enhanced data protection, it also has limitations, including increased complexity and the organization's responsibility for key management.

Uploaded by

kellyhsu051614
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
3 views9 pages

2025 CE FinalProject-GoogleCSE

Google Client-Side Encryption (CSE) is a security feature of Google Workspace that allows users to encrypt data locally before uploading it to Google servers, ensuring that even if attackers access the server, they cannot decrypt the data since Google does not store the encryption keys. The process involves client-side encryption using AES-GCM, key management through services like Google Cloud KMS, and user authorization via OAuth 2.0. While CSE provides advantages such as compliance with regulations and enhanced data protection, it also has limitations, including increased complexity and the organization's responsibility for key management.

Uploaded by

kellyhsu051614
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

2025 Cryptography Engineering

Google Client-Side Encryption


Final Project Topic
11 April, 2025
Outline
1. What is Google CSE

2. Critical Mechanism in Google CSE

3. Procedure of Google CSE

4. Advantage of Google CSE

5. Limitations of Google CSE

6. CSE v.s. E2E

7. Final Project’s Topics


1. What is Google CSE

Google CSE is a security function offered by Google Workspace, which make user can
encrypt their data in local before uploading it to the Google server(cloud side).

Under CSE, the attacker cannot decrypt the data when he/she gets access to the server’s DB
because “Google doesn’t stores the KEY”.
2. Critical Mechanism in Google CSE
a. Client-Side Encryption
AES-GCM (data protection)
RSA or EC (key protection)
e.g. When user upload a document to Google drive, Google drive will store the encrypt version rather than
the raw data.
b. Key Management Service
Google Cloud KMS or third-party KMS(AWS KMS\Microsoft Azure Key Vault)
Only authorized user can access the “KEY”, Google service can’t access it
e.g. A company used a key to encrypt the document and store the document in Google drive. But the key
is stored in AWS KMS.
c. Client-Side Decryption
User authorization(OAuth 2.0)
Zero trust access
e.g. Use OAuth 2.0 with Zero trust policy to management the user’s access right.
3. Procedure of Google CSE

Upload(encryption) Download(descryption)
1. User choose a file to upload 1. User request to download the encrypted data
2. Browser or local app use AES-GCM to encrypt 2. Google send the encrypted data to user without
data with its private key decrypt method
3. Encrypt the private key with the “KMS public key” 3. User’s browser or local app send request to KMS
4. Upload the encrypted data and encrypted for “KMS secret key”
private to Google server(cloud) 4. If user is authorized, KMS will send the secret key.
5. Browser or app decrypt the data after decrypt
the private with “KMS secret key”
4. Advantage of Google CSE

Compliance Requirements Flexible Key Management Private Protection

GDRR Support third-party KMS Google or cloud operator can’t


HIPAA Management key by users access data
FIPS Attacker can’t get data from
server directly
5. Limitations of Google CSE

Complexity
User need more steps to do KMS
operation or encryption
Key Management
The organization is responsible for
managing the keys. If the keys are
Functions Limitations lost, the data cannot be recovered.
Some Google service(search,
suggestion) may not work under
encryption data.
6. CSE v.s. E2E
Properties CSE E2E

Encrypt at UE UE

Key Management Third-party (KMS) User

Cloud Decryption No No

Applicable Scenarios Company or Organization Self-communication


7. Final Project’s Topics (include but not limit)
Cipher Game(local encryption)
AES-GCM Application
AES+(DIY)

Cipher Game Plus


WebCrypto API with KMS
Communication with PKI and KMS
Cipher Game Pro
Simulation CSE
File System’s Authority Management with PKI
2FA
Cipher Game Pro Max
Simulation CSE(included multi-nodes \ WebCrypto API \ >3 users \ KMS)

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy