Abstract
Network service providers monitor the data flow to detect anomalies and malicious behavior in their networks. Network monitoring inspects the data flow over time and thus has to store packet data. Storing of data impedes the privacy of users. A radically new approach counteracts such privacy concerns by exploiting threshold cryptography. It encrypts all monitored traffic. The used symmetric keys are made available to monitoring entities only if they collect enough evidence of malicious behavior. This new approach overcomes weaknesses of packet anonymization. It calls for dedicated hardware that is able to encrypt packets and generate key-share information for gigabit networks. This article proves that the application of Shamir’s secret sharing scheme is possible. The presented hardware is able to protect up to 1.8 million packets per second. The creation of such a high-speed hardware required innovations on the algorithmic, the protocol, and on the architectural level. The outcome is a surprisingly small circuit that fits commercially available FPGA cards. It was tested under real-world conditions. It proved to protect the users’ privacy while monitoring gigabit networks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
American National Standards Institute (ANSI). AMERICAN NATIONAL STANDARD X9.62-2005. Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm, ECDSA (2005)
Bianchi, G., Teofili, S., Pomposini, M.: New Directions in Privacy-Preserving Anomaly Detection for Network Traffic. In: Antonatos, S., Bezzi, M., Boschi, E., Trammell, B., Yurcik, W. (eds.) NDA, pp. 11–18. ACM, New York (2008)
Broadcom. BCM5464SR Quad-Port Gigabit Copper Transceiver with Copper/Fiber Media Interface (2006), http://www.broadcom.com/products/Physical-Layer/Gigabit-Ethernet-PHYs/BCM5464SR
Broder, A.Z., Mitzenmacher, M.: Network Applications of Bloom Filters: A Survey. Internet Mathematics 1(4) (2003)
Burkhart, M., Schatzmann, D., Trammell, B., Boschi, E., Plattner, B.: The Role of Network Trace Anonymization Under Attack. SIGCOMM Comput. Commun. Rev. 40(1), 5–11 (2010)
EU Article 29 Data Protection Working Party. Opinion on the Concept of Personal Data (01248/07/EN WP 136) (April 2007)
Frankel, S., Glenn, R., Kelly, S.: RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec. RFC 3602 (Proposed Standard) (September 2003)
Harn, L., Lin, C.: Detection and Identification of Cheaters in (t, n) Secret Sharing Scheme. Designs, Codes and Cryptography 52, 15–24 (2009), doi:10.1007/s10623-008-9265-8
Hoffman, P.: RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol, IKE (2004)
Hoffman, P.: RFC 4308: Cryptographic Suites for IPsec. RFC 4308 (Proposed Standard) (December 2005)
Lemsitzer, S., Wolkerstorfer, J., Felber, N., Braendli, M.: Multi-gigabit GCM-AES Architecture Optimized for FPGAs. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 227–238. Springer, Heidelberg (2007)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. Series on Discrete Mathematics and its Applications. CRC Press, Boca Raton (1997) ISBN 0-8493-8523-7, http://www.cacr.math.uwaterloo.ca/hac/
Pang, R., Allman, M., Paxson, V., Lee, J.: The Devil and Packet Trace Anonymization. SIGCOMM Comput. Commun. Rev. 36(1), 29–38 (2006)
Shamir, A.: How to Share a Secret. Communications of the ACM 22(11), 612–613 (1979)
Song, H., Sproull, T.S., Attig, M., Lockwood, J.W.: Snort Offloader: A Reconfigurable Hardware NIDS Filter. In: Rissa, T., Wilton, S.J.E., Leong, P.H.W. (eds.) FPL, pp. 493–498. IEEE, Los Alamitos (2005)
Stanford University. NetFPGA Project. NetFPGA (2009), http://netfpga.org/
Wolkerstorfer, J., Szekely, A., Lorünser, T.: IPsec Security Gateway for Gigabit Ethernet. In: Ostermann, T. (ed.) Austrochip 2008 – Proceedings of the 16th Austrian Workshop on Microelectronics (October 2008)
Xilinx Corporation. Virtex-II Pro and Virtex-II Pro X Platform FPGAs: Complete Data Sheet (2007), http://www.xilinx.com/support/documentation/virtex-ii_pro_data_sheets.htm
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wolkerstorfer, J. (2011). Secret-Sharing Hardware Improves the Privacy of Network Monitoring. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cavalli, A., Leneutre, J. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2010 2010. Lecture Notes in Computer Science, vol 6514. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19348-4_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-19348-4_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19347-7
Online ISBN: 978-3-642-19348-4
eBook Packages: Computer ScienceComputer Science (R0)