Google Cloud Is Looking To Make Open Source Code Safer Than Ever

This is the 3rd whitepaper on how Google uses encryption to protect your information. In this whitepaper, you lot will find more detail on encryption in transit for Google Cloud, including Google Cloud Platform and Google Workspace.

For all Google products, we strive to go on client data highly protected and to be as transparent as possible about how nosotros secure it.

The content contained herein is correct as of Dec 2017. This whitepaper represents the condition quo as of the time it was written. Google Cloud’southward security policies and systems might alter going frontward, as we continually ameliorate protection for our customers.

Google Cloud Encryption in Transit

CIO-level summary

  • Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
  • For the use cases discussed in this whitepaper, Google encrypts and authenticates data in transit at one or more than network layers when information moves outside concrete boundaries non controlled by Google or on behalf of Google. All VM-to-VM traffic inside a VPC network and peered VPC networks is encrypted.
  • Depending on the connection that is being made, Google applies default protections to data in transit. For example, we secure communications between the user and the Google Forepart (GFE) using TLS.
  • Google Deject customers with additional requirements for encryption of data over WAN can choose to implement further protections for information as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
  • Google works actively with the industry to assist bring encryption in transit to everyone, everywhere. We have several open-source projects that encourage the employ of encryption in transit and data security on the Net at large including Certificate Transparency, Chrome APIs, and secure SMTP.
  • Google plans to remain the industry leader in encryption in transit. To this end, we dedicate resources toward the development and improvement of encryption technology. Our piece of work in this surface area includes innovations in the areas of Key Transparency and post-breakthrough cryptography.


Security is frequently a deciding gene when choosing a public cloud provider. At Google, security is of the utmost importance. We work tirelessly to protect your data—whether information technology is traveling over the Internet, moving inside Google’south infrastructure, or stored on our servers.

Central to Google’s security strategy are hallmark, integrity, and encryption, for both data at rest and in transit. This newspaper describes our arroyo to encryption in transit for Google Cloud.

For information at remainder, see Encryption at Residual in Google Cloud Platform. For an overview across all of Google Security, see Google Infrastructure Security Design Overview.

this document is aimed at CISOs and security operations teams using or considering Google Deject.

in addition to this introduction, we assume a basic understanding of encryption and cryptographic primitives.

Authentication, Integrity, and Encryption

Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.

  • Authentication:
    we verify the data source, either a man or a procedure, and destination.
  • Integrity:
    we brand certain information you send arrives at its destination unaltered.
  • Encryption:
    nosotros make your data unintelligible while in transit to keep it private. Encryption is the process through which legible data (plaintext) is made illegible (ciphertext) with the goal of ensuring the plaintext is simply accessible by parties authorized by the owner of the data. The algorithms used in the encryption process are public, but the key required for decrypting the ciphertext is private. Encryption in transit oft uses asymmetric key exchange, such every bit elliptic-curve-based Diffie-Hellman, to establish a shared symmetric key that is used for data encryption. For more information on encryption, see Introduction to Modern Cryptography.

Encryption tin can be used to protect data in three states:

  • Encryption at rest
    protects your data from a organisation compromise or data exfiltration past encrypting data while stored. The Advanced Encryption Standard (AES) is often used to encrypt data at residue.
  • Encryption in transit:
    protects your data if communications are intercepted while data moves between your site and the cloud provider or between two services. This protection is achieved by encrypting the information before transmission; authenticating the endpoints; and decrypting and verifying the information on arrival. For instance, Transport Layer Security (TLS) is often used to encrypt data in transit for transport security, and Secure/Multipurpose Internet Mail service Extensions (S/MIME) is used oftentimes for email bulletin security.
  • Encryption in use:
    protects your data in memory from compromise or data exfiltration by encrypting data while being processed, e.g. Confidential Computing.

Encryption is one component of a broader security strategy. Encryption in transit defends your data, subsequently a connection is established and authenticated, against potential attackers by:

  • Removing the need to trust the lower layers of the network which are commonly provided past 3rd parties
  • Reducing the potential attack surface
  • Preventing attackers from accessing data if communications are intercepted

With adequate authentication, integrity, and encryption, data that travels between users, devices, or processes can be protected in a hostile environment. The remainder of this newspaper explains Google’s approach to the encryption of data in transit and where it is applied.

Google’s Network Infrastructure

Physical boundaries

Google applies different protections to data in transit when it is transmitted outside a physical boundary controlled by or on behalf of Google. A physical purlieus is the barrier to a physical space that is controlled by or on behalf of Google, where we can ensure that rigorous security measures are in place. Physical admission to these locations is restricted and heavily monitored. Just a small percentage of Google employees take access to hardware. Information in transit within these physical boundaries is generally authenticated, but may not exist encrypted by default – you can choose which additional security measures to apply based on your threat model.

Due to the calibration of the global Internet, we cannot put these same concrete security controls in place for the fiber links in our WAN, or anywhere outside of physical boundaries controlled past or on behalf of Google. For this reason, we automatically enforce additional protections outside of our physical trust purlieus. These protections include encryption of information in transit.

How traffic gets routed

To fully understand how encryption in transit works at Google, it is too necessary to explain how traffic gets routed through the Net. This section describes how requests get from an end user to the appropriate Google Cloud service or client application, and how traffic is routed between services.

Google Deject service
is a modular deject service that we offer to our customers. These services include computing, data storage, data analytics and machine learning. For example, Google Cloud Storage and Gmail are both Google Deject services. A
customer application
is an application hosted on Google Deject that you, as a Google customer, can build and deploy using Google Cloud services. Client applications or partner solutions that are hosted on Google Deject are not considered Google Deject servicesone. For example, an application yous build using Google App Engine, Google Kubernetes Engine, or a VM in Google Compute Engine is a customer application.

The five kinds of routing requests discussed below are shown in Figure 1. This figure shows the interactions between the various network components and the security in place for each connectedness.

End user (Internet) to a Google Deject Service

Google Cloud services accept requests from effectually the globe using a globally distributed system called the Google Front end End (GFE). GFE terminates traffic for incoming HTTP(Due south), TCP and TLS proxy traffic, provides DDoS attack countermeasures, and routes and load balances traffic to the Google Deject services themselves. There are GFE points of presence effectually the globe with routes advertised via unicast or Anycast.

GFEs proxy traffic to Google Deject services. GFEs route the user’s asking over our network courage to a Google Cloud service. This connection is authenticated and encrypted from GFE to the forepart-terminate of the Google Cloud service or customer awarding, when those communications leave a concrete purlieus controlled past Google or on behalf of Google. Figure 1 shows this interaction (labelled connection A).

Cease user (Internet) to a customer awarding hosted on Google Deject

There are several ways traffic from the Internet can exist routed to a customer awarding yous host on Google Cloud. The way your traffic is routed depends on your configuration, every bit explained beneath. Figure 1 shows this interaction (labelled connexion B).

Using a Google Cloud HTTP(South) or TCP/SSL proxy Load Balancer external load balancer

Encryption in all Google Cloud regions

All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted. This includes VM-to-VM traffic inside physical boundaries (that is, intra-cluster traffic).

Encryption between proxy load balancers and backends

For some proxy load balancers (see table ane), Google automatically encrypts traffic to the backends that reside within Google Cloud VPC networks. This is called
automatic network-level encryption. In addition, Google Cloud provides secure protocol options to encrypt communication with the backend service.

Some Google Deject load balancers apply Google Front end Ends (GFEs) as the customer to the backends. Others use the open source Envoy proxy. In all cases, the load balancer supports the nix suites listed in RFC 8446, section ix.1.

The following tabular array provides a summary.

Table 1.
Communcations betwixt load balancers and backends
Proxy load balancer Client to the backend Automatic network-level encryption Backend service secure protocol options
Global external HTTP(S) load balancer GFE (with Envoy software for advanced routing features) HTTPS and HTTP/2
Global external HTTP(S) load balancer (classic) GFE HTTPS and HTTP/2
Regional external HTTP(S) load balancer Envoy proxy HTTPS and HTTP/2
TCP proxy load balancer GFE Due north/A. If y’all want to use a secure protocol, use the SSL proxy load balancer.
SSL proxy load balancer GFE SSL
Internal HTTP(S) load balancer Envoy proxy HTTPS and HTTP/two
Traffic Managing director Customer-side proxy HTTPS and HTTP/2

Secure backend protocol utilize cases

A secure protocol to connect to backend instances is recommended in the post-obit cases:

  • When you require an auditable, encrypted connection from the load balancer (or Traffic Managing director) to the backend instances.

  • When the load balancer connects to a backend instance that is outside of Google Cloud (with an internet NEG). Communication to an internet NEG backend might transit the public cyberspace. When the load balancer connects to an internet NEG, the public CA-signed document must meet the validation requirements.

Secure backend protocol considerations

When using a secure backend service protocol, keep the following in mind:

  • Your load balancer’s backend instances or endpoints must serve using the same protocol as the backend service. For example, if the backend service protocol is HTTPS, the backends must be HTTPS servers.

  • If the backend service protocol is HTTP/2, your backends must use TLS. For configuration instructions, see the documentation for the software running on your backend instances or endpoints.

  • You must install private keys and certificates on your backend instances or endpoints in order for them to function as HTTPS or SSL servers. These certificates don’t need to match the load balancer’southward frontend SSL certificates. For installation instructions, see the documentation for the software running on your backend instances or endpoints.

  • With the exception of HTTPS load balancers with Cyberspace NEG backends, GFEs don’t utilize the Server Name Indication (SNI) extension for connections to the backend.

  • When a GFE connects to backends that are within Google Deject, the GFE accepts any certificate your backends present. GFEs exercise non perform certificate validation. For example, the certificate is treated as valid even in the following circumstances:

    • The certificate is self-signed.
    • The certificate is signed past an unknown document authority (CA).
    • The certificate has expired or is not nonetheless valid.
    • The
      attributes don’t match a
      header or DNS PTR record.
Popular:   The Intel Arc Alchemist Range Might Disappoint Pc Gamers

Secure frontend protocols

When you use a target HTTPS or target SSL proxy every bit part of your configuration, Google Deject uses a secure frontend protocol.

HTTP(S) Load Balancing and SSL Proxy Load Balancing use Google’southward BoringCrypto library. For FIPS 140-2 details, see NIST Cryptographic Module Validation Program Certificate #3678.

Internal HTTP(Southward) Load Balancing uses Google’southward BoringSSL library. For FIPS 140-2 details, encounter the Envoy documentation. Google builds Envoy proxies for Internal HTTP(S) Load Balancing in FIPS compliant mode.

Traffic Director supports Envoy proxies that are built in FIPS-compliant fashion.

Using a connectedness direct to a VM using an external IP or network load balancer IP

If you are connecting via the VM’s external IP, or via a network-load-counterbalanced IP, the connexion does not go through the GFE. This connexion is not encrypted by default and its security is provided at the user’s discretion.

Using Cloud VPN

If you are connecting from a host on your bounds to a Google Cloud VM via a Cloud VPN, the connection goes from/to your on-bounds host, to the on-bounds VPN, to the Cloud VPN, to the Google Cloud VM. The connectedness is protected from the on-premises VPN to the Deject VPN with IPSec. The connexion from the Deject VPN to the Google Cloud VM is authenticated and encrypted by Google.

Using Cloud Dedicated Interconnect

If you are connecting via Dedicated Interconnect, the connexion goes from/to your on-premises host directly and the connection does not get through the GFE. This connectedness is not encrypted by default and its security is provided at the user’s discretion. Yous can utilise the Transport Layer Security (TLS) Layer vii cryptographic protocol to encrypt application traffic over Dedicated Interconnect.

Virtual Machine to Virtual Motorcar

VM-to-VM connections inside VPC networks and peered VPC networks inside of Google’due south product network are authenticated and encrypted. This includes connections between client VMs and between client and Google-managed VMs such equally Cloud SQL. Figure 1 shows this interaction (labelled connectedness C).

Connectivity to Google APIs and services

Traffic handling differs depending on the location of the Google Cloud service:

  • Well-nigh Google APIs and services are hosted on Google Front Ends (GFEs); withal, some services are hosted on Google-managed instances. For example, individual services admission and GKE masters for private clusters are hosted on Google-managed instances.

    With Private Google Admission, VMs that don’t have external IP addresses can admission supported Google APIs and services, including customer applications hosted on App Engine. For more than information about access to Google APIs and services, see Individual access options for services.

  • If a Compute Engine VM instance connects to the external IP accost of another Compute Engine VM case, traffic remains in Google’due south product network. Systems that are outside of Google’south production network that connect to an external IP address of a Compute Engine VM case have traffic routed over the internet.

    Figure 1 shows an external path (labeled connection D). Typical cases of this kind of routing request are:

    • From a Compute Engine VM to Google Cloud Storage
    • From a Compute Engine VM to a Machine Learning API

From the VM to the GFE, Google Cloud services support protecting these connections with TLS past defaulttwo. The connection is authenticated from the GFE to the service and encrypted if the connection leaves a physical boundary.

Google Cloud service to Google Cloud service

Routing from one production service to another takes identify on our network backbone and may require routing traffic exterior of physical boundaries controlled past or on behalf of Google. Effigy 1 shows this interaction (labelled connection East). An example of this kind of traffic is a Google Deject Storage event triggering Google Deject Functions. Connections between product services are encrypted if they leave a concrete boundary, and authenticated within the physical boundary.

The user is routed to Google Cloud services across physical boundaries using ALTS encryption.

Figure 1: Protection by default and options overlaid on a VPC network

Encryption in Transit by Default

Google uses various methods of encryption, both default and user configurable, for information in transit. The type of encryption used depends on the OSI layer, the blazon of service, and the concrete component of the infrastructure. Figures 2 and 3 below illustrate the optional and default protections Google Cloud has in identify for layers 3, 4, and 7.

Encryption options for layers 3 and 4 include data traffic to the VM and across boundaries.

Figure 2: Protection past Default and Options at Layers three and 4 beyond Google Deject

Encryption options for layer 7 include those for data in transit between VMs and to the Google Front End.

Figure 3: Protection past Default and Options at Layer vii beyond Google Cloudiii

The rest of this department describes the default protections that Google uses to protect data in transit.

User to Google Front End encryption

Today, many systems use HTTPS to communicate over the Internet. HTTPS provides security by using a TLS connexion, which ensures the actuality, integrity, and privacy of requests and responses. To accept HTTPS requests, the receiver requires a public–private key pair and an X.509 certificate for server authentication from a Document Authorisation (CA). The key pair and certificate help protect a user’southward requests at the application layer (layer 7) by proving that the receiver owns the domain proper name for which requests are intended. The following subsections discuss the components of user to GFE encryption, namely: TLS, BoringSSL, and Google’due south Certificate Authority. Recollect that not all customer paths road via the GFE; notably, the GFE is used for traffic from a user to a Google Cloud service, and from a user to a customer application hosted on Google Cloud that uses Google Deject Load Balancing.

Transport Layer Security (TLS)

When a user sends a request to a Google Deject service, nosotros secure the information in transit; providing hallmark, integrity, and encryption, using HTTPS with a certificate from a web (public) certificate authority. Any data the user sends to the GFE is encrypted in transit with Transport Layer Security (TLS) or QUIC. GFE negotiates a particular encryption protocol with the client depending on what the client is able to support. GFE negotiates more than modern encryption protocols when possible.

GFE’south scaled TLS encryption applies not but to stop-user interactions with Google, it likewise facilitates API interactions with Google over TLS, including Google Cloud. Additionally, our TLS encryption is used in Gmail to commutation email with external mail servers (more detail in Require TLS in Gmail).

Google is an industry leader in both the adoption of TLS and the strengthening of its implementation. To this terminate, nosotros accept enabled, by default, many of the security features of TLS. For example, since 2011 nosotros take been using forwards secrecy in our TLS implementation. Forwards secrecy makes certain the key that protects a connection is not persisted, so an attacker that intercepts and reads one message cannot read previous messages.


BoringSSL is a Google-maintained, open-source implementation of the TLS protocol, forked from OpenSSL, that is mostly interface-compatible with OpenSSL. Google forked BoringSSL from OpenSSL to simplify OpenSSL, both for internal use and to improve back up the Chromium and Android Open up Source Projects. BoringCrypto, the cadre of BoringSSL, has been validated to FIPS 140-two level one.

TLS in the GFE is implemented with BoringSSL. Table 1 shows the encryption protocols that GFE supports when communicating with clients.

Protocols Authentication Key commutation Encryption Hash Functions
TLS i.threefour RSA 2048 Curve25519 AES-128-GCM SHA384
TLS i.two ECDSA P-256 P-256 (NIST secp256r1) AES-256-GCM SHA256
TLS ane.1 AES-128-CBC SHA18
TLS ane.0v AES-256-CBC MD59
QUIC6 ChaCha20-Poly1305

Table one: Encryption Implemented in the Google Forepart Cease for Google Deject Services and Implemented in the BoringSSL Cryptographic Library

As office of TLS, a server must show its identity to the user when it receives a connection request. This identity verification is achieved in the TLS protocol by having the server nowadays a certificate containing its claimed identity. The certificate contains both the server’south DNS hostname and its public key. Once presented, the document is signed by an issuing Certificate Authority (CA) that is trusted past the user requesting the connectednessten. As a effect, users who request connections to the server only need to trust the root CA. If the server wants to be accessed ubiquitously, the root CA needs to be known to the client devices worldwide. Today, virtually browsers, and other TLS client implementations, each accept their ain ready of root CAs that are configured as trusted in their “root shop”.

Historically, Google operated its own issuing CA, which nosotros used to sign certificates for Google domains. Nosotros did not, nonetheless, operate our own root CA. Today, our CA certificates are cantankerous-signed past multiple root CAs which are ubiquitously distributed, including Symantec (“GeoTrust”) and roots previously operated by GlobalSign (“GS Root R2” and “GS Root R4”).

In June 2017, we announced a transition to using Google-owned root CAs. Over time, we plan to operate a ubiquitously distributed root CA which volition upshot certificates for Google domains and for our customers.

Root key migration and key rotation

Root CA keys are not changed oftentimes, as migrating to a new root CA requires all browsers and devices to embed trust of that certificate, which takes a long time. As a result, even though Google now operates its ain root CAs, nosotros volition go on to rely on multiple 3rd-party root CAs for a transitional period to account for legacy devices while we drift to our own.

Creating a new root CA requires a key ceremony. At Google, the anniversary mandates that a minimum 3 of the 6 possible authorized individuals physically assemble to use hardware keys that are stored in a safe. These individuals meet in a dedicated room, shielded from electromagnetic interference, with an air-gapped Hardware Security Module (HSM), to generate a set of keys and certificates. The defended room is in a secure location in Google data centers. Boosted controls, such as physical security measures, cameras, and other human observers, ensure that the procedure goes as planned. If the anniversary is successful the generated certificate is identical to a sample document, except for the issuer name, public key and signature. The resulting root CA certificate is then submitted to browser and device root programs for inclusion. This process is designed to ensure that the privacy and security of the associated private keys are well understood so the keys can be relied upon for a decade or more than.

Every bit described earlier, CAs employ their individual keys to sign certificates, and these certificates verify identities when initiating a TLS handshake as part of a user session. Server certificates are signed with intermediate CAs, the creation of which is like to the cosmos of a root CA. The intermediate CA’due south certificates are distributed equally office of the TLS session then information technology’southward easier to drift to a new intermediate CA. This method of distribution besides enables the CA operator to go on the root CA fundamental material in an offline country.

The security of a TLS session is dependent on how well the server’southward key is protected. To further mitigate the risk of cardinal compromise, Google’s TLS certificate lifetimes are express to approximately three months and the certificates are rotated approximately every 2 weeks.

Popular:   A New Compass App Offers A Feature That Can Improve Maps In Ios 16

A client that has previously connected to a server can apply a private ticket key11
to resume a prior session with an abbreviated TLS handshake, making these tickets very valuable to an attacker. Google rotates ticket keys at least in one case a day and expires the keys across all properties every three days. To learn more about session key ticket rotation, meet Measuring the Security Harm of TLS Crypto Shortcuts.

Google Front to Application Front Ends

In some cases, as discussed in How traffic gets routed, the user connects to a GFE inside of a different physical boundary than the desired service and the associated Application Front Cease. When this occurs, the user’s request and any other layer 7 protocol, such equally HTTP, is either protected past TLS, or encapsulated in an RPC which is protected using Application Layer Transport Security (ALTS), discussed in Service-to-service hallmark, integrity, and encryption. These RPCs are authenticated and encrypted.

For Google Cloud services, RPCs are protected using ALTS by default. For client applications hosted on Google Cloud, if traffic is routed via the Google Front end End, for example if they are using the Google Cloud Load Balancer, traffic to the VM is protected using Google Cloud’s virtual network encryption, described in the next department.

Google Cloud’s virtual network encryption and hallmark

Encryption of private IP traffic within the aforementioned VPC or across peered VPC networks inside Google Cloud’s virtual network is performed at the network layer.

We use the Avant-garde Encryption Standard (AES) in Galois/Counter Fashion (GCM) with a 128-fleck fundamental (AES-128-GCM) to implement encryption at the network layer. Each pair of communicating hosts establishes a session key via a control channel protected by ALTS for authenticated and encrypted communications. The session key is used to encrypt all VM-to-VM advice between those hosts, and session keys are rotated periodically.

At the network layer (layer 3), Google Cloud’southward virtual network authenticates all traffic between VMs. This authentication, achieved via security tokens, protects a compromised host from spoofing packets on the network.

During authentication, security tokens are encapsulated in a tunnel header which contains hallmark data about the sender and receiver. The control aeroplane12
on the sending side sets the token, and the receiving host validates the token. Security tokens are pre-generated for every flow, and consist of a token key (containing the sender’south information) and the host hole-and-corner. Ane hole-and-corner exists for every source-receiver pair of concrete boundaries controlled by or on behalf of Google.

Effigy 4 shows how token keys, host secrets, and security tokens are created.

The component parts of a security token can include a token key and a host secret, along with their dependencies.

Figure four: Security Tokens

The concrete boundary secret is a 128-bit pseudorandom number, from which host secrets are derived by taking an HMAC-SHA1. The physical boundary hole-and-corner is negotiated by a handshake between the network control planes of a pair of physical boundaries and renegotiated every few hours. The security tokens used for private VM-to-VM authentication, derived from these and other inputs, are HMACs, negotiated for a given sender and receiver pair.

Service-to-service authentication, integrity, and encryption

Within Google’southward infrastructure, at the awarding layer (layer 7), we use our Awarding Layer Transport Security (ALTS) for the authentication, integrity, and encryption of Google RPC calls from the GFE to a service, and from service to service.

ALTS uses service accounts for authentication. Each service that runs in Google’due south infrastructure runs equally a service account identity with associated cryptographic credentials. When making or receiving RPCs from other services, a service uses its credentials to authenticate. ALTS verifies these credentials using an internal certificate authority.

Within a physical boundary controlled past or on behalf of Google, ALTS provides both hallmark and integrity for RPCs in “authentication and integrity” style. For traffic over the WAN outside of physical boundaries controlled by or on behalf of Google, ALTS enforces encryption for infrastructure RPC traffic automatically in “authentication, integrity, and privacy” mode. Currently, all traffic to Google services, including Google Cloud services, benefits from these aforementioned protections.

ALTS is also used to encapsulate other layer vii protocols, such every bit HTTP, in infrastructure RPC mechanisms for traffic moving from the Google Front end to the Application Front Terminate. This protection isolates the application layer and removes whatever dependency on the network path’due south security.

Services can be configured to accept and send ALTS communications but in “hallmark, integrity and privacy” style, fifty-fifty within concrete boundaries controlled by or on behalf of Google. 1 example is Google’s internal central direction service, which stores and manages the encryption keys used to protect data stored at balance in Google’s infrastructure.

ALTS Protocol

ALTS has a secure handshake protocol similar to mutual TLS. Two services wishing to communicate using ALTS employ this handshake protocol to authenticate and negotiate communication parameters before sending any sensitive information. The protocol is a ii-step process:

  • Step 1:Handshake
    The client initiates an elliptic curve-Diffie Hellman (ECDH) handshake with the server using Curve25519. The client and server each have certified ECDH public parameters as part of their certificate, which is used during a Diffie Hellman cardinal substitution. The handshake results in a common traffic cardinal that is bachelor on the client and the server. The peer identities from the certificates are surfaced to the application layer to use in authorisation decisions.
  • Footstep 2: Record encryption
    Using the common traffic key from Step i, data is transmitted from the customer to the server securely. Encryption in ALTS is implemented using BoringSSL and other encryption libraries. Encryption is most unremarkably AES-128-GCM while integrity is provided by AES-GCM’s GMAC.

The following diagram shows the ALTS handshake in detail. In newer implementations, a procedure helper does the handshake; there are all the same some cases where this is done directly past the applications.

Client app interacts with a handshake service through a process helper, and with the server app through a key exchange.

Figure 5: ALTS handshake

As described at the kickoff of section Service-to-service authentication, integrity, and encryption, ALTS uses service accounts for authentication, with each service that runs on Google’s infrastructure running as a service identity with associated cryptographic credentials. During the ALTS handshake, the process helper accesses the private keys and corresponding certificates that each client-server pair uses in their communications. The private cardinal and corresponding document (signed protocol buffer) have been provisioned for the service account identity of the service.

ALTS Certificates
At that place are multiple kinds of ALTS certificate:

  • Machine certificates:
    provide an identity to core services on a specific car. These are rotated approximately every vi hours.
  • User certificates:
    provide an cease user identity for a Google engineer developing code. These are rotated approximately every 20 hours.
  • Borg job certificates:
    provide an identity to jobs running within Google’s infrastructure. These are rotated approximately every 48 hours.

The root certification signing key is stored in Google’s internal document authority (CA), which is unrelated and independent of our external CA.

Encryption in ALTS

Encryption in ALTS can be implemented using a variety of algorithms, depending on the machines that are used. For example, most services use AES-128-GCM13. More information on ALTS encryption tin be establish in Table 2.

Machines Message encryption used
Most common AES-128-GCM
Sandy Span or older AES-128-VCM Uses a VMAC instead of a GMAC and is slightly more than efficient on these older machines.

Tabular array 2: Encryption in ALTS

Most Google services utilise ALTS, or RPC encapsulation that uses ALTS. In cases where ALTS is not used, other protections are employed. For example:

  • Some depression-level machine direction and bootstrapping services employ SSH
  • Some depression-level infrastructure logging services TLS or Datagram TLS (DTLS)14
  • Some services that use non-TCP transports utilise other cryptographic protocols or network level protections when within physical boundaries controlled by or on behalf of Google

Communications between VMs and Google Cloud Platform services use TLS to communicate with the Google Front end Finish, not ALTS. We describe these communications in Virtual car to Google Front End encryption.

Virtual auto to Google Front encryption

VM to GFE traffic uses external IPs to reach Google services, but you can configure Private Google Admission feature to use Google-but IP addresses for the requests.

Every bit with requests from an external user to Google, nosotros support TLS traffic by default from a VM to the GFE. The connection happens in the aforementioned way every bit whatsoever other external connectedness. For more information on TLS, run into Transport Layer Security (TLS).

User-configurable options for encryption in transit

Encryption in Transit described the default protections that Google has in place for information in transit. This section describes the configurations our users tin can make to these default protections.

On-bounds data center to Google Deject

TLS using GCLB external load balancers

If your cloud service uses a Google HTTPS or SSL Proxy external load balancer, then GFE terminates the TLS connections from your users using SSL certificates that you provision and control. More than information on customizing your certificate tin can be found in our SSL Certificates documentation.

IPSec tunnel using Cloud VPN

As a Google Cloud customer, you can employ Google Cloud VPN to securely connect your on-bounds network to your Google Cloud VPC network through an IPSec VPN connection (layer 3). Traffic traveling betwixt the two networks is encrypted by one VPN gateway and decrypted by the other VPN gateway. This protects your data over the Internet. In add-on, you lot can fix multiple, load-balanced tunnels through multiple VPN gateways. The Google Cloud VPN protects your data in the following ways:

  • Packets
    from your VMs to the Cloud VPN gateway
    remain within the VPC network. These packets are authenticated and encrypted by Google Cloud’s virtual network.
  • Packets
    from the Deject VPN to your on-premises VPN
    are authenticated and encrypted using an IPSec tunnel.
  • Packets
    from your on-premises VPN to your on-bounds hosts
    are protected by whatever controls y’all accept in place on your network.

To set up a VPN, create a Cloud VPN gateway and tunnel on the hosted service’s VPC network, then permit traffic betwixt the networks. You also accept the option of setting up a VPN between two VPC networks.

You can further customize your network by specifying the Internet Key Substitution15
(IKE) version for your VPN tunnel. There are 2 versions of IKE to cull from, IKEv1 and IKEv2, each of which supports different ciphers. If you specify IKEv1, Google encrypts the packets using AES-128-CBC and provides integrity through SHA-1 HMAC16. For IKEv2, a variety of ciphers are available and supported. In all cases, Google Cloud VPN will negotiate the almost secure common protocol the peer devices support. Full instructions on setting upwardly a VPN can be constitute in our documentation Choosing a VPN Routing Choice.

An alternative to a Deject VPN (IPSec) tunnel is Google Cloud Dedicated Interconnect. Dedicated Interconnect provides straight physical connections and private IP communication between your on-bounds network and your VPC network. The data traveling over Defended or Partner interconnect is NOT encrypted by default and should exist secured at the application layer, using TLS for example. MACsec (layer two protection) is not currently supported.

User to Google Front End

Managed SSL certificates: Free and automatic certificates

When building an application on Google Cloud, you tin leverage GFE’s support of TLS by configuring the SSL certificate you use. For instance, you lot can have the TLS session terminate in your application. This termination is different to the TLS termination described in TLS using GCLB external load balancers.

Popular:   The Worlds First Risc V Laptop Could Arrive Sooner Than You Think

Google also provides free and automatic SSL certificates in both the Firebase Hosting and Google App Engine custom domains. These certificates are merely available for Google-hosted backdrop. With Google App Engine custom domains, you lot tin also provide your ain SSL certificates and use an HTTP Strict Transport Security (HSTS) header.

Once your domain is pointed at Google’due south infrastructure, we request and obtain a certificate for that domain to allow secure communications. We manage the TLS server individual keys, which are either 2048-fleck RSA or secp256r1 ECC, and renew certificates on behalf of our customers.

Require TLS in Gmail

As discussed in Ship Layer Security, Gmail uses TLS by default. Gmail records and displays whether the final hop an email made was over a TLS session17. When a Gmail user exchanges an email with some other Gmail user, the emails are protected past TLS, or in some cases, sent directly within the application. In these cases, the RPCs used past the Gmail application are protected with ALTS as described in Service-to-service hallmark, integrity, and encryption. For incoming messages from other email providers, Gmail does not enforce TLS. Gmail administrators can configure Gmail to require a secure TLS connectedness for all incoming and approachable emails.

Gmail S/MIME

Secure/Multipurpose Internet Post Extensions (South/MIME) is an electronic mail security standard that provides authentication, integrity, and encryption. The implementation of the S/MIME standard mandates that certificates associated with users sending emails are hosted in a public CA.

As an administrator, y’all can configure Gmail to enable S/MIME for outgoing emails, set up policies for content and attachment compliance, and create routing rules for incoming and outgoing emails. Once configured, yous must upload users’ public certificates to Gmail using the Gmail API. For users external to Gmail, an initial S/MIME-signed message must be exchanged to set S/MIME as the default.

Service-to-service and VM-to-VM encryption

Istio is an open-source service mesh developed by Google, IBM, Lyft, and others, to simplify service discovery and connectivity. Istio authentication provides automated encryption of data in transit between services, and management of associated keys and certificates. Istio can exist used in Google Kubernetes Engine and Google Compute Engine.

If you desire to implement mutual hallmark and encryption for workloads, you lot can utilize istio auth. Specifically, for a workload in Kubernetes, Istio auth allows a cluster-level CA to generate and distribute certificates, which are and then used for pod-to-pod mutual Transport Layer Security (mTLS).

How Google helps the Internet encrypt data in transit

Encryption in Transit by Default and User-configurable options for encryption in transit explained the default and customizable protections Google Cloud has in identify for customer data in transit. In addition, Google has several open-source projects and other efforts that encourage the use of encryption in transit and information security on the Internet at large.

Certificate Transparency

As discussed in User to Google Front end encryption, to offering HTTPS, a site must use get-go for a document from a trusted web (public) Certificate Authorization (CA). The Certificate Dominance is responsible for verifying that the bidder is authorized by the domain holder, as well as ensuring that any other information included in the document is authentic.This certificate is then presented to the browser to cosign the site the user is trying to admission. In order to ensure HTTPS is properly authenticated, information technology’s important to ensure that CAs only issue certificates that the domain holder has authorized.

Document Transparency (CT) is an endeavour that Google launched in March 2013 to provide a fashion for site operators and domain holders to detect if a CA has issued any unauthorized or incorrect certificates. Information technology works by providing a mechanism for domain holders, CAs, and the public to log the trusted certificates they meet or, in the case of CAs, the certificates they outcome, to publicly verifiable, append-only, tamper-proof logs. The certificates in these logs tin be examined past anyone to ensure the data is correct, authentic, and authorized.

The kickoff version of Certificate Transparency was specified in an IETF experimental RFC, RFC 6962. During the development of Document Transparency, Google open up-sourced a number of tools, including an open-source log server that can record certificates, as well equally tools to create Certificate Transparency logs. In addition, Google Chrome requires that some certificates must exist publicly disclosed, such as for Extended Validation (EV) certificates or certificates issued from CAs that have improperly issued certificates in the past. From 2022, Chrome will require that all new publicly trusted certificates be disclosed.

As a site operator, y’all tin use Certificate Transparency to notice if unauthorized certificates accept been issued for your website. A number of costless tools exist to make this easy to practise, such as Google’s Document Transparency Report, Certificate Search, or tools from Facebook. Even if you don’t utilize Certificate Transparency, a number of browsers at present examine Certificate Transparency regularly to ensure that the CAs your users trust to access your website are adhering to industry requirements and all-time practices, reducing the gamble of fraudulent certificates existence issued.

Increasing the use of HTTPS

As described in User to Google Forepart encryption, nosotros work hard to make certain that our sites and services provide modern HTTPS by default. Our goal is to achieve 100% encryption across our products and services. To this end, we publish an annual HTTPS Transparency Report that tracks our progress towards our goal for all backdrop, including Google Deject. Nosotros continue to work through the technical barriers that go far difficult to back up encryption in some of our products, such every bit solutions for browsers or other clients that practice not back up HTTP Strict Transport Security (HSTS)18. We use HSTS for some of our sites, including the homepage, to allow users to connect to a server just over HTTPS.

We know that the remainder of the Net is working on moving to HTTPS. Nosotros effort to facilitate this move in the following ways:

  • Nosotros provide developers with advice on why HTTPS matters, how to enable HTTPS, and all-time practices when implementing HTTPS
  • We accept created tools in Chrome similar the Security panel in DevTools to assistance developers assess the HTTPS condition of their site(s)
  • We financially support the Permit’south Encrypt initiative that allows anyone to obtain a free certificate for their website. Google representatives sit down on the technical advisory board of Let’s Encrypt’s parent organization, Internet Security Research Group

In 2016, nosotros began publishing metrics on “HTTPS usage on the Cyberspace” for the Pinnacle 100 non-Google sites on the Internet. With these metrics, we aim to increase awareness and help make the Internet a safer identify for all users. In Oct 2017, Chrome formally renewed its financial support of Allow’south Encrypt as a Platinum sponsor.

Increasing the use of secure SMTP: Gmail indicators

Nigh email is exchanged using the Simple Mail Transfer Protocol (SMTP) which, past default, sends email without using encryption. To encrypt an email, the mail service provider must implement security controls similar TLS.

As discussed in User to Google Front End encryption, Gmail uses TLS by default. In addition, Require TLS in Gmail describes how Gmail administrators can enforce the apply of TLS protection for incoming and outgoing emails. Like Google’s efforts with HTTPS transparency, Gmail provides data on TLS use for incoming emails to Gmail. This data is presented in our Safer Email Transparency Written report.

Google, in partnership with the IETF and other manufacture key players, is leading the development of SMTP STS. SMTP STS is like HSTS for HTTPS, forcing the use of SMTP over only encrypted channels.

Chrome APIs

In February 2015, Chrome announced that powerful new features will be available only to secure origins19. Such features include the handling of private information and access to sensors on a user’due south device. Starting with geolocation in Chrome 50, nosotros began deprecating these features for insecure origins.

Ongoing Innovation in Encryption in Transit

Chrome Security User Experience

Google Chrome is an manufacture leader in leveraging its UI to display security data in ways that allow users to quickly sympathize the safety of their connection to a site. With this information, users can make informed decisions about when and how they share their information. Chrome conducts extensive user research, the results of which are shared in peer-reviewed papers.

To help further protect its users, Chrome has announced that past the end of 2017, information technology will mark all HTTP connections as non-secure. Starting with Chrome 56, by default, users volition run across a alarm if an HTTP page includes a form with password or credit card fields. With Chrome 62, a warning will be shown when a user enters in information on an HTTP page, and for all HTTP pages visited in Incognito manner. Eventually, Chrome will show a alarm for all pages that are served over HTTP.

To see how particular configurations are displayed to users in Chrome, you can use the BadSSL tool.

Key Transparency

A significant deterrent to the widespread adoption of bulletin encryption is the difficulty of public key exchange: how tin can I reliably find the public key for a new user with which I am communicating? To help solve this event, in January 2017, Google appear Key Transparency. This is an open framework that provides a generic, secure, and auditable means to distribute public keys. The framework removes the need for users to perform transmission primal verification. Fundamental Transparency is primarily targeted at the distribution of users’ public keys in communications, for example, E2E and OpenPGP email encryption. Key Transparency’southward design is a new approach to key recovery and distribution and is based on insights gained from Document Transparency and CONIKS.

Fundamental Transparency’s development is open-source and information technology is implemented using a large-calibration Merkle tree. Key Transparency Verification allows business relationship owners to run across what keys take been associated with their accounts and how long an business relationship has been active and stable. The long-term goal of Google’due south Fundamental Transparency work is to enable anyone to run a Key Transparency server and make information technology easy to integrate into any number of applications.

Post-quantum cryptography

Google plans to remain the manufacture leader in encryption in transit. To this end, we accept started work in the surface area of mail service-quantum cryptography. This type of cryptography allows u.s. to replace existing crypto primitives, that are vulnerable to efficient breakthrough attacks, with post-quantum candidates that are believed to be more robust. In July 2016 we announced that we had conducted an experiment on the feasibility of deploying such an algorithm by using the New Hope post-quantum crypto algorithm in the programmer version of Chrome. In add-on to this work, researchers at Google accept published papers on other practical post-quantum key-exchange protocols.


Read more almost Google Cloud Security, including our Infrastructure Security Pattern Overview; besides equally Google Deject compliance, including the public SOC 3 inspect report.

Google Cloud Is Looking To Make Open Source Code Safer Than Ever