Google intends to roll the mechanism out gradually; for now it is being tested with a few companies. In this system, encryption and decryption do take place locally, on users' devices, but the keys are managed by Google.
Sending
When a user wishes to send a secure message via Gmail, their browser encrypts the message before sending it, so the operation takes place on the client side. The encryption uses an ephemeral symmetric key generated by a lightweight server called KACL (Key Access Control List), which Google uses to manage encryption keys. When the user clicks the button to enable encryption, the browser connects to the KACL server to obtain this ephemeral key.
In transit
Once encrypted, the message stays encrypted throughout its journey and can only be read by the authorized recipient. It is sent along with a key reference. This reference allows the recipient to retrieve the ephemeral symmetric key needed, this time, to decrypt the message. To do so, the recipient must connect to the same KACL server, on Google's infrastructure.
On reception
The recipient's browser then uses this key to decrypt the message. Once that is done, the key is deleted to avoid any data leak. This process guarantees that the message remains confidential throughout its journey and that only the authorized contact can read it.
Admittedly, the proposed method is much simpler than deploying and managing X.509 certificates. However, it is important to stress that users do not have total control over their messages: since the key server sits at Google, the company could in theory access messages. As Ars Technica points out, this is therefore not end-to-end encryption in the strictest sense of the term.
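The three-step exchange described above, together with the trust caveat, as an added example that is not Google's code or part of the original article. The cipher (HMAC-SHA256 in counter mode with an HMAC tag), the key-reference format and the recipient check performed by the key server are constructed assumptions, since the article names none of them:

```python
import hmac, hashlib, secrets

def _subkeys(key):
    # Derive separate encryption and MAC keys from the ephemeral key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key, nonce, n):
    # Constructed stand-in for the real cipher (unnamed in the article): HMAC in counter mode.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, ref, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, ref.encode() + nonce + ct, hashlib.sha256).digest()
    return {"ref": ref, "nonce": nonce, "ct": ct, "tag": tag}  # only this travels with the mail

def decrypt(key, msg):
    enc_key, mac_key = _subkeys(key)
    tag = hmac.new(mac_key, msg["ref"].encode() + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("message or key reference was altered in transit")
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(enc_key, msg["nonce"], len(msg["ct"]))))

class KACL:
    """Key-server stand-in: mints ephemeral keys, releases them by reference to the authorized recipient, and keeps a copy of each."""
    def __init__(self):
        self._keys = {}
    def issue_key(self, recipient):
        ref, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[ref] = (key, recipient)
        return ref, key
    def fetch_key(self, ref, requester):
        key, recipient = self._keys[ref]
        if requester != recipient:
            raise PermissionError(f"{requester} is not the authorized recipient")
        return key
    def operator_can_read(self, msg):
        # The article's caveat: whoever runs the key server holds every key it issued.
        return decrypt(self._keys[msg["ref"]][0], msg)

def send(kacl, recipient, plaintext):
    ref, key = kacl.issue_key(recipient)      # browser fetches the ephemeral key
    return encrypt(key, ref, plaintext)        # encryption happens on the sender's device

def receive(kacl, requester, msg):
    key = kacl.fetch_key(msg["ref"], requester)  # recipient's browser asks the same KACL
    return decrypt(key, msg)                     # the key is dropped once this returns
```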
Julien Duplant, product manager at Google Workspace, says, however: “The idea is that whatever happens, at no time and in no way does Gmail ever have the real key. Never. And we never have access to decrypted content. Everything happens only on the user’s device.”