Towards Efficient Privacy-Preserving Deep Packet Inspection

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14345)

Abstract

Secure Keyword-based Deep Packet Inspection (KDPI) allows a middlebox and a network sender (or receiver) to collaborate in fighting spam, viruses, and intrusions without fully trusting each other with the secret keyword list and the encrypted traffic. Existing KDPI proposals not only have a heavyweight initialization phase but also require dramatic changes to the encryption methods applied to the original network traffic during the inspection phase. In this work, we propose novel KDPI schemes, CE-DPI and MT-DPI, which offer highly competitive initialization performance and guarantee keyword integrity against a malicious middlebox. Moreover, our methods work readily with AES-based encryption schemes that are already widely deployed and well supported by AES-NI. We show that our KDPI schemes can be integrated with TLS, adding marginal overhead.

References

  1. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: International Workshop on Hardware and Architectural Support for Security and Privacy (2013)

  2. Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: ACM Workshop on Artificial Intelligence and Security (2016)

  3. Anderson, B., Paul, S., McGrew, D.: Deciphering malware’s use of TLS (without decryption). J. Comput. Virol. Hacking Tech. (2018)

  4. Asghar, H.J., Melis, L., Soldani, C., De Cristofaro, E., Kaafar, M.A., Mathy, L.: SplitBox: toward efficient private network function virtualization. In: Workshop on Hot Topics in Middleboxes and Network Function Virtualization (2016)

  5. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Annual International Cryptology Conference (1992)

  6. Blake, A., David, M.: Machine learning for encrypted malware traffic classification: accounting for noisy labels and non-stationarity. In: ACM International Conference on Knowledge Discovery and Data Mining (2017)

  7. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_18

  8. Bouscatié, É., Castagnos, G., Sanders, O.: Public key encryption with flexible pattern matching. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 342–370. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_12

  9. Bujlow, T., Carela-Español, V., Barlet-Ros, P.: Independent comparison of popular DPI tools for traffic classification. Comput. Netw. (2015)

  10. Canard, S., Diop, A., Kheir, N., Paindavoine, M., Sabt, M.: BlindiDS: market-compliant and privacy-friendly intrusion detection system over encrypted traffic. In: AsiaCCS (2017)

  11. de Carné de Carnavalet, X., Mannan, M.: Killed by proxy: analyzing client-end TLS interception software. In: Network and Distributed System Security Symposium (2016)

  12. de Carné de Carnavalet, X., van Oorschot, P.C.: A survey and analysis of TLS interception mechanisms and motivations. arXiv e-prints (2020)

  13. cURL: cURL: command line tool and library for transferring data with URLs (1998). https://curl.se/

  14. Deri, L., Martinelli, M., Bujlow, T., Cardigliano, A.: NDPI: open-source high-speed deep packet inspection. In: International Wireless Communications and Mobile Computing Conference (2014)

  15. Desmoulins, N., Fouque, P.A., Onete, C., Sanders, O.: Pattern matching on encrypted streams. In: International Conference on the Theory and Application of Cryptology and Information Security (2018)

  16. Dierks, T.: The TLS protocol version 1.2 (2008)

  17. Durumeric, Z., et al.: The security impact of HTTPS interception. In: Network and Distributed Systems Symposium (2017)

  18. Evans, D., Kolesnikov, V., Rosulek, M., et al.: A Pragmatic Introduction to Secure Multi-Party Computation. Now Publishers Inc. (2018)

  19. Fan, J., Guan, C., Ren, K., Cui, Y., Qiao, C.: SPABox: safeguarding privacy during deep packet inspection at a middlebox. IEEE/ACM Trans. Network. (2017)

  20. Felt, A., Barnes, R., King, A., Palmer, C., Bentzel, C., Tabriz, P.: Measuring HTTPS adoption on the web. In: USENIX Security (2017)

  21. Goltzsche, D., et al.: EndBox: scalable middlebox functions using client-side trusted execution. In: IEEE/IFIP International Conference on Dependable Systems and Networks (2018)

  22. Google: HTTPS encryption on the web. https://transparencyreport.google.com/https/overview. Accessed 27 June 2021

  23. Grubbs, P., Arun, A., Zhang, Y., Bonneau, J., Walfish, M.: Zero-Knowledge middleboxes. In: USENIX Security (2022)

  24. Han, J., Kim, S., Cho, D., Choi, B., Ha, J., Han, D.: A secure middlebox framework for enabling visibility over multiple encryption protocols. IEEE/ACM Trans. Network. (2020)

  25. Han, J., Kim, S., Ha, J., Han, D.: SGX-Box: enabling visibility on encrypted traffic using a secure middlebox module. In: Asia-Pacific Workshop on Networking (2017)

  26. Hedenskog, P.: Simulate slow network connections on Linux and MAC OS X (2021). https://github.com/sitespeedio/throttle

  27. Hofemeier, G., Chesebrough, R.: Introduction to intel AES-NI and intel secure key instructions. Intel, White Paper (2012)

  28. Jarmoc, J.: SSL/TLS interception proxies and transitive trust. In: Black Hat Europe (2012)

  29. Khalife, J., Hajjar, A., Díaz-Verdejo, J.: Performance of openDPI in identifying sampled network traffic. J. Netw. (2013)

  30. Kim, J., Camtepe, S., Baek, J., Susilo, W., Pieprzyk, J., Nepal, S.: P2DPI: practical and privacy-preserving deep packet inspection. In: AsiaCCS (2021)

  31. Kim, J., Camtepe, S., Baek, J., Susilo, W., Pieprzyk, J., Nepal, S.: P2DPI: practical and privacy-preserving deep packet inspection. IACR Cryptol. ePrint Arch. (2021)

  32. Lai, S., et al.: Practical encrypted network traffic pattern matching for secure middleboxes. IEEE Trans. Dependable Secure Comput. (2021)

  33. Lan, C., Sherry, J., Popa, R.A., Ratnasamy, S., Liu, Z.: Embark: securely outsourcing middleboxes to the cloud. In: NSDI (2016)

  34. Lee, H., et al.: maTLS: how to make TLS middlebox-aware? In: NDSS (2019)

  35. Lee, J., Lee, H., Jeong, J., Kim, D., Kwon, T.: Analyzing spatial differences in the TLS security of delegated web services. In: AsiaCCS (2021)

  36. Li, H., Ren, H., Liu, D., Shen, X.S.: Privacy-enhanced deep packet inspection at outsourced middlebox. In: International Conference on Wireless Communications and Signal Processing (2018)

  37. Li, J., Li, N.: OACerts: oblivious attribute certificates. In: The Conference on Applied Cryptography and Network Security (2005)

  38. Li, J., Chen, R., Su, J., Huang, X., Wang, X.: ME-TLS: middlebox-enhanced TLS for internet-of-things devices. IEEE Internet Things J. (2019)

  39. Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptol. (2009)

  40. Marquis-Boire, M., et al.: Planet blue coat: mapping global censorship and surveillance tools (2013)

  41. McGrew, D., Wing, D., Nir, Y., Gladstone, P.: TLS proxy server extension. https://tools.ietf.org/html/draft-mcgrew-tls-proxy-server-01

  42. Moriarty, K., Morton, A.: Effects of pervasive encryption on operators. Technical report, RFC (2018)

  43. Naylor, D., et al.: The cost of the “s” in HTTPS. In: ACM International Conference on Emerging Networking Experiments and Technologies (2014)

  44. Naylor, D., Li, R., Gkantsidis, C., Karagiannis, T., Steenkiste, P.: And then there were more: secure communication for more than two parties. In: The International Conference on Emerging Networking EXperiments and Technologies (2017)

  45. Naylor, D., et al.: Multi-context TLS (mcTLS): enabling secure in-network functionality in TLS. In: ACM SIGCOMM Computer Communication Review (2015)

  46. Nginx: Nginx (2022). https://www.nginx.com/

  47. Ning, J., et al.: Pine: enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 3–22. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6_1

  48. Ning, J., Poh, G., Loh, J.C., Chia, J., Chang, E.C.: PrivDPI: privacy-preserving encrypted traffic inspection with reusable obfuscated rules. In: ACM Conference on Computer and Communications Security (2019)

  49. Nir, Y.: A method for sharing record protocol keys with a middlebox in TLS (2012). https://tools.ietf.org/id/draft-nir-tls-keyshare-02.html

  50. O’Neill, M., Ruoti, S., Seamons, K., Zappala, D.: TLS proxies: friend or foe? In: The Internet Measurement Conference (2016)

  51. Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Annual International Cryptology Conference (1991)

  52. Poddar, R., Lan, C., Popa, R.A., Ratnasamy, S.: SafeBricks: shielding network functions in the cloud. In: USENIX Security (2018)

  53. Ren, H., Li, H., Liu, D., Xu, G., Cheng, N., Shen, X.S.: Privacy-preserving efficient verifiable deep packet inspection for cloud-assisted middlebox. IEEE Trans. Cloud Comput. (2020)

  54. Reports, V.: Deep packet inspection market size to reach USD 16620 million by 2026 at a CAGR of 25.0 percent valuates reports (2021). https://tinyurl.com/438yktzs

  55. Rescorla, E.: The TLS protocol version 1.3 (2018)

  56. Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: BlindBox: deep packet inspection over encrypted traffic. In: The ACM Conference on Special Interest Group on Data Communication (2015)

  57. Silowash, G.J., Lewellen, T., Costa, D.L., Lewellen, T.B.: Detecting and preventing data exfiltration through encrypted web sessions via traffic inspection (2013)

  58. Singh, R., Dunna, A., Gill, P.: Characterizing the deployment and performance of multi-CDNs. In: Internet Measurement Conference (2018)

  59. Soghoian, C., Stamm, S.: Certified lies: detecting and defeating government interception attacks against SSL. In: ACM Symposium on Operating Systems Principles (2010)

  60. Waked, L., Mannan, M., Youssef, A.: To intercept or not to intercept: analyzing TLS interception in network appliances. In: AsiaCCS (2018)

  61. Winternitz, R.: A secure one-way hash function built from des. In: IEEE Symposium on Security and Privacy (1984)

  62. Yamada, A., Miyake, Y., Takemori, K., Studer, A., Perrig, A.: Intrusion detection for encrypted web accesses. In: International Conference on Advanced Information Networking and Applications Workshops (2007)

  63. Yang, K., Weng, C., Lan, X., Zhang, J., Wang, X.: Ferret: fast extension for correlated OT with small communication. In: the ACM Conference on Computer and Communications Security (2020)

  64. Yao, A.C.C.: How to generate and exchange secrets. In: Annual Symposium on Foundations of Computer Science (1986)

  65. Yuan, X., Wang, X., Lin, J., Wang, C.: Privacy-preserving deep packet inspection in outsourced middleboxes. In: IEEE INFOCOM (2016)

Acknowledgement

This work was supported by the KENTECH Research Grant (KRG202200048A).

Author information

Corresponding author

Correspondence to Ninghui Li.

A Integration with TLS

Since TLS is the most widely used security protocol in practice, we integrate MT-DPI into TLS. We extend the TLS protocol following the extension mechanism described in [16]. In TLS, the two endpoints exchange the extensions they support, with the corresponding extension messages, during the first round-trip of the TLS handshake protocol. Our TLS extension is based on TLS 1.3 [55], where the extension messages from the TLS server are encrypted.

TLS Extension for the DPI Protocols. As TLS is a two-party protocol, it is challenging to introduce MB into the TLS session. To address this challenge, our TLS extension should provide 1) a way for S and R to agree on using a particular MB and 2) a way to negotiate parameters for MT-DPI with MB. To this end, we make S and R execute two different TLS extensions, one with each other and the other with MB, and use the TLS extension messages to negotiate the necessary parameters, resulting in two TLS sessions per entity. We design the TLS handshake for the latter session to be executed within the TLS handshake for the former session; thus, we refer to the former TLS extension as the master TLS extension and the latter as the slave TLS extension. We also consider how to bind the two resulting TLS sessions while designing the two extensions.

Master TLS Extension. The main objective of the master TLS extension protocol is to agree on which MB to use for DPI and to share secrets between S and R. Although S and R can each be either the TLS client or the TLS server in the master TLS extension, we refer to the TLS server as S and the TLS client as R for ease of presentation. During the master handshake, R includes its list of preferred MBs in its extension message. Then, S selects the MB to be used and responds with the name of the MB and the DPI key in its extension message. We also let S send a nonce to bind the master and the slave sessions. Note that the extension message from the TLS server is encrypted in TLS 1.3; thus, the DPI key and the nonce are secret. If there is no DPI key usable with MB, S should perform the initialization protocol with MB before sending its extension message. Then, S and R each execute the slave TLS extension protocol with MB.

Slave TLS Extension. The slave TLS extension protocol aims to authenticate MB, negotiate parameters for MT-DPI between the endpoints and MB, and bind the master and slave sessions. In the slave TLS extension protocol, S and R are the TLS clients and MB is the TLS server. S and R can authenticate MB with the name negotiated in the master extension and the certificate provided by MB according to the TLS handshake protocol. With the extension messages, S and R each exchange parameters with MB, such as the token size or the initial counter value, to be used for the token computation and the token inspection. All the parameters are finally decided by MB, and the values are sent to S and R via MB's extension message.

Binding the Master and the Slave Extensions. To bind the master and the slave sessions, an endpoint can include the nonce from the master TLS extension in its extension message of the slave TLS extension. However, the extension message from the TLS client is not encrypted; thus, the nonce should not be sent as it is. If only the nonce is sent by one party (say, S), a network adversary can learn the nonce and claim to MB to be the other endpoint (say, R). To address this issue, we leverage the random values exchanged between the TLS server and the TLS client in the master TLS protocol. Before the extension messages, in the first round-trip of the TLS protocol, the endpoints exchange two random values in plaintext: a server random and a client random, generated by the TLS server and the TLS client respectively. We let S and R each send MB, in the slave TLS extension, a hash of the nonce and its own random value from the master TLS extension. Then, MB forwards the hash from S (or R) to R (or S). Then, R (or S) verifies the hash and aborts the connections with S (or R) and MB if the hash does not verify. Otherwise, S begins sending the actual data to R in the master TLS session while performing the DPI protocol with MB in the slave TLS session.
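The binding check described above can be sketched as follows. This is an added example, not the authors' OpenSSL code; SHA-256, the nonce-then-random concatenation order, the 32-byte nonce and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

LEN = 32  # TLS randoms are 32 bytes; a 32-byte nonce is an assumption here


@dataclass(frozen=True)
class MasterSession:
    client_random: bytes  # R's random, visible in plaintext
    server_random: bytes  # S's random, visible in plaintext
    nonce: bytes          # sent by S inside its encrypted extension message


def binding_tag(nonce: bytes, own_random: bytes) -> bytes:
    """Value an endpoint puts in its (unencrypted) slave extension message.
    SHA-256 and the nonce||random order are assumptions of this sketch."""
    if len(nonce) != LEN or len(own_random) != LEN:
        raise ValueError("fixed-length inputs expected")
    return hashlib.sha256(nonce + own_random).digest()


def verify_forwarded(nonce: bytes, peer_random: bytes, tag: bytes) -> bool:
    """Endpoint-side check of the tag MB forwarded from the other endpoint."""
    return hmac.compare_digest(binding_tag(nonce, peer_random), tag)


def relay_and_check(ms: MasterSession, tag_from_s: bytes, tag_from_r: bytes) -> dict:
    """MB forwards each tag to the opposite endpoint, which verifies it.
    A False entry means that endpoint aborts its connections."""
    return {
        "R_accepts": verify_forwarded(ms.nonce, ms.server_random, tag_from_s),
        "S_accepts": verify_forwarded(ms.nonce, ms.client_random, tag_from_r),
    }


def honest_run(ms: MasterSession) -> dict:
    return relay_and_check(ms, binding_tag(ms.nonce, ms.server_random),
                           binding_tag(ms.nonce, ms.client_random))


def replayed_tag_run(ms: MasterSession) -> dict:
    """A party without the nonce resends S's observed tag in R's place."""
    tag_s = binding_tag(ms.nonce, ms.server_random)
    return relay_and_check(ms, tag_s, tag_s)


def guessed_nonce_run(ms: MasterSession) -> dict:
    """A party that knows both plaintext randoms but has to guess the nonce."""
    tag_s = binding_tag(ms.nonce, ms.server_random)
    forged = binding_tag(secrets.token_bytes(LEN), ms.client_random)
    return relay_and_check(ms, tag_s, forged)


if __name__ == "__main__":
    ms = MasterSession(*(secrets.token_bytes(LEN) for _ in range(3)))
    for run in (honest_run, replayed_tag_run, guessed_nonce_run):
        print(run.__name__, run(ms))
```

Because each tag covers the sender's own random value, S's tag cannot stand in for R's, and a party that sees only the plaintext randoms cannot compute either tag without the nonce.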

Implementation. To show the feasibility of the TLS extensions with the DPI protocols, we implement the master and the slave TLS extensions in the OpenSSL-1.1.1l library, which we will release in a public repository. We also design our implementation so that it does not require any revision to off-the-shelf applications. That is, all applications can use our protocol immediately by replacing their OpenSSL shared object with our shared object. We show that the protocol is immediately deployable in our testbed, where cURL [13] is used as a TLS client and open-source web servers (Nginx [46] and Apache [13]) are used as TLS servers in the master TLS extension.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Wang, W., Lee, H., Huang, Y., Bertino, E., Li, N. (2024). Towards Efficient Privacy-Preserving Deep Packet Inspection. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_9

  • DOI: https://doi.org/10.1007/978-3-031-51476-0_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51475-3

  • Online ISBN: 978-3-031-51476-0

  • eBook Packages: Computer Science, Computer Science (R0)
