![Page 1: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/1.jpg)
BlindBox: Deep Packet Inspection Over
Encrypted TrafficJustine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy
UC Berkeley
(Work under submission).
![Page 2: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/2.jpg)
Deep Packet Inspection
(DPI)In-network devices which inspect and modify packet
payloads to enforce security policies.
Intrusion Prevention
Parental Filtering
Exfiltration Detection
Increasingly offered as “network services.” (e.g. NFV, APLOMB)
![Page 3: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/3.jpg)
Alice and Bob
CONNECTIONS BobAliceAlice:Bob ALLOW
BLACKLISTWAREZHACKS%
![Page 4: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/4.jpg)
DPI Usage Today: HTTP
BLACKLISTWAREZHACKS%
CONNECTIONS BobAlice
![Page 5: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/5.jpg)
DPI Usage Today: HTTP
BLACKLISTWAREZHACKS%
CONNECTIONS BobAlice
To: Bob From:AliceHello!
Alice:Bob ALLOW
![Page 6: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/6.jpg)
DPI Usage Today: HTTP
BLACKLISTWAREZHACKS%
CONNECTIONS BobAlice
To: Alice From:BobHello!
Alice:Bob ALLOW
![Page 7: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/7.jpg)
DPI Usage Today: HTTP
BLACKLISTWAREZHACKS%
CONNECTIONS BobAlice
To: Bob From:AliceWant some WAREZ?
Alice:Bob ALLOW
![Page 8: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/8.jpg)
DPI Usage Today: HTTP
BLACKLISTWAREZHACKS%
CONNECTIONS BobAliceAlice:Bob DENY
![Page 9: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/9.jpg)
Many users are switching to HTTPS, specifically to protect their
privacy against eavesdroppers.
![Page 10: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/10.jpg)
DPI Usage Today: HTTPS
BLACKLISTWAREZATTACK
MAD HATTER
CONNECTIONS BobAliceAlice:Bob ALLOW
To: Bob From:Alice0xce869fa98e0g…
?????
State of the art solution: Man in the middle the SSL
connection!
![Page 11: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/11.jpg)
BlindBox: Goal
• Alice and Bob have two very conflicting requirements!
• Privacy.
• In-network functionality.
• Can they have their cake and eat it too?
![Page 12: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/12.jpg)
Short answer: yes!
![Page 13: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/13.jpg)
BlindBox Functionality
• The first system to allow DPI middle boxes like IPS and Parental Filtering to operate over traffic without granting the ability to decrypt the entire payload.
• “Principle of least privilege”: the middle box learns only what it needs to know to detect an attack or match.
![Page 14: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/14.jpg)
Can’t functional encryption solve this?
• Existing schemes don’t fit our needs:
• Wrong security model: all parties learn all of the middlebox rules
• Missing functionality: no approach to address rules which are regular expressions
• Prohibitive performance: Performing IDS detection over a single packet requires over 1 day of computation on our servers!*
*J. Katz, A. Sahai, B. Waters. “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products.” EUROCRYPT 2008.
![Page 15: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/15.jpg)
Threat Model Summary: Actors and Constraints
• Alice and Bob (Clients):
• Users who want to protect their privacy from the MB. Also want protection from each other, ie, that their traffic be scanned by the middlebox.
• Requirement: at least one client must be honest.
• Middlebox (MB):
• “Honest but curious” network operator who provides an inspection service.
• McAffee (“Rule Generator”):
• Trusted by MB and Clients to generate rules.
• Does not have the power to actually observe/manipulate client traffic.
B
![Page 16: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/16.jpg)
Strawman Approach
BLACKLISTWAREZHACKS%
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
Has many security holes, but gets one thing right: searchable encryption.
![Page 17: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/17.jpg)
Strawman Approach
BLACKLISTWAREZHACKS%
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
Rules: WAREZ, HACKS, %
![Page 18: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/18.jpg)
Strawman Approach
BLACKLISTWAREZHACKS%
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
Rules: 0xeaf345, 0x43aa, 0x678ea3 Deterministic AES; no IV, no Salt
![Page 19: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/19.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
Rules: 0xeaf345, 0x43aa, 0x678ea3
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 20: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/20.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:AliceWould you like some CAKE?
0xe90326
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 21: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/21.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:AliceWould you like some CAKE?
0x592aa5
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 22: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/22.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:AliceWould you like some CAKE?
…etc
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 23: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/23.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:AliceWould you like some CAKE?
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 24: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/24.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:Alice0xea453840eaabb90
ccdd9032….
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 25: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/25.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob ALLOW
BB
To: Bob From:AliceWould you like some WAREZ?
0xeaf345
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 26: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/26.jpg)
Strawman Approach
CONNECTIONS BobAliceAlice:Bob DENY
BB
To: Bob From:AliceWould you like some WAREZ?
BLACKLISTWAREZ: 0xeaf345…HACKS: 0x43aa… %: 0x678ea3…
![Page 27: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/27.jpg)
How many bugs did you spot in our Strawman?
Let’s fix it.
![Page 28: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/28.jpg)
What was good about the Strawman?
The IDS only learns the decrypted value of the text iff there exists a rule for that text.
Hence, only text which is “suspicious” can be read by the IDS. The rest remains encrypted.
![Page 29: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/29.jpg)
Fixing Bug #1
• What if there are duplicate substrings in the flow? Won’t deterministic encryption leak that there are multiple matches, even for substrings that aren’t in the ruleset?
Solution: Just add Salt!
Challenge: How to do so with fast
MB data structures?
![Page 30: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/30.jpg)
Fixing Bug #2• If Alice knows what all the rules are, doesn’t she
know how to evade detection now?*
• Also, many IDS rules are trade secrets that they are unwilling to share with users/vendors.
• Solution: Yao’s Garbled Circuits + Oblivious Transfer
*V. Paxson. “Bro: A System for Detecting Network Intruders in Real Time.” Computer Networks 1999.
![Page 31: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/31.jpg)
Fixing Bug #2• Result:
• Middlebox learns the encrypted value of the rules, without learning Alice’s key.
• Alice doesn’t learn what the rules are.
• Operation only works if Middlebox’s rules have been signed by the rule generator.
![Page 32: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/32.jpg)
Fixing Bug #3• Some rules are regular expressions (or even in some
cases, scripts), not exact matches.
• Solution: “Probable Cause Encryption”, a new form of attribute based encryption (ABE).
• Key Idea: A second protocol by which MB gains the ability to decrypt the payload only if a set of exact matches have already been detected.
![Page 33: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/33.jpg)
More details in our paper!• Optimizations to reduce bandwidth overhead.
• Details on GC + OH Transfer.
• How to do fast matching at the middlebox, despite random salts.
• Rule generation, regular expressions, probable cause decryption…
![Page 34: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/34.jpg)
Evaluation Highlights• Three main performance figures:
• Detection Time: competitive with existing IDSes
• 186Mbps with BB (Snort Achieves 85Mbps)
• Transmission Time: practical overhead
• Page load completion time increases by 0.15-1x
• Setup Time: not yet competitive
• 414s for 3000 rules.Enterprise
Cloud Provider
External Site(Internet)
APLOMB
1
UnencryptedTunneled
6
2 3 5
4
Fine for NFV & APLOMB where connections are persistent.
![Page 35: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/35.jpg)
Conclusion• BlindBox is the first system to allow network
appliances to perform deep packet inspection over traffic without needing to decrypt the entire stream.
• Alice and Bob can “have their cake and eat it too”, keeping the communications private, while receiving the benefits of network services like IDS.
![Page 36: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/36.jpg)
Old/Backup Slides
![Page 37: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/37.jpg)
BlindBox Wishlist & Future Work
• Faster setup time (<1second) setup time.
• “All or nothing property”: leaks only whether or not a complete rule matched (not substrings)
• “Maliciously” -> “Maliciou” + “iciously”
• General regular expression support.
![Page 38: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/38.jpg)
Generalizing to More Middleboxes
• Follow-on work looks at cloud case in general and more middle boxes — including firewalls, NATs, proxies, etc.
• C. Lan, J. Sherry, R. A. Popa, S. Ratnasamy. “Securely Outsourcing Middleboxes to the Cloud.”
![Page 39: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/39.jpg)
Non-Usage Scenario• Charlie is a political dissident in a country
which deploys DPI devices for censorship.• Charlie is afraid of political repercussions
for the things that he reads and writes on the web.
• Charlie should not opt-in to BlindBox.• Even if he trusts his Rule Generator, there
is no guarantee that the Rule Generator has not been co-opted by the government!
• Charlie should use a strong encryption scheme instead.
Charlie
![Page 40: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/40.jpg)
Alice
Usage Scenario #1• Alice is a university student connecting her
laptop to the campus network.• Campus policy requires that all traffic be
monitored by an IDS to prevent botnet and malware activity from spreading at the university.
• Alice likes the idea of having her laptop protected by these mechanisms, but she is worried by the idea of someone being able to read her traffic and private Facebook messages.
![Page 41: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/41.jpg)
Usage Scenario #2• Bob is a father with two small children at
home.• His ISP offers a parental filtering service to
block access to pornography.• Bob would like to opt-in to this service. • However, Bob read a news article about
ISPs selling user data to marketers, and does not want to allow his ISP read all his traffic and sell it to marketers.
Bob
![Page 42: BlindBox: Deep Packet Inspection Over Encrypted Trafficjustine/blindbox-2015-4-10.pdf · Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want](https://reader033.vdocuments.mx/reader033/viewer/2022053001/5f05c3a57e708231d41496f9/html5/thumbnails/42.jpg)
0
0.2
0.4
0.6
0.8
1
0 5 10 15 20
CD
F
Tokenization Overhead Ratio
Delim Tokenization : PlaintextWindow Tokenization : Plaintext
Delim Tokenization : gzipWindow Tokenization : gzip
Bandwidth Overhead from Tokens
Many pages are gzipped; encrypted data cannot be compressed.