![Page 1: Deep Packet Inspection Over Encrypted Trafficnetseminar.stanford.edu/seminars/11_11_15.pdf · BlindBox: Deep Packet Inspection Over Encrypted Traffic! SIGCOMM 2015! Raluca Ada Popa!](https://reader034.vdocuments.mx/reader034/viewer/2022052515/5a7377167f8b9ad22a8b5d99/html5/thumbnails/1.jpg)
BlindBox: Deep Packet Inspection Over Encrypted Traffic
SIGCOMM 2015
Raluca Ada Popa (UC Berkeley)
Joint work with: Justine Sherry, Chang Lan, Sylvia Ratnasamy
Slide 2
Deep Packet Inspection (DPI)
In-network devices which inspect packet payloads to enforce policies.
• Intrusion detection/prevention
• Exfiltration
• Parental filtering
Slide 3
Example: Intrusion prevention
[Diagram: a rule generator supplies rules (e.g. the strings ATTACK and HACKS) to a middlebox sitting between Alice and Bob; when the traffic contains ATTACK, the middlebox detects it.]
Slide 4
Observation: a lot of traffic today is sent over https
Slide 5
Problem: middleboxes cannot inspect traffic over https
[Diagram: the middlebox between Alice and Bob sees only ciphertext ("???") and cannot tell whether it contains ATTACK.]
Slide 6
State-of-the-art: man-in-the-middle attack on SSL
[Diagram: the middlebox presents a fake certificate to Alice ("I am Google") and so sees her SECRET in the clear.]
No privacy! And a lot of other security issues [Jarmoc'12], [Huang et al.'14]
Slide 7
Can we achieve both privacy and payload inspection?
Slide 8
Yes: BlindBox
The first system to enable DPI middleboxes to inspect traffic without seeing the traffic
Slide 9
Approach
[Diagram: the middlebox between Alice and Bob operates on Alice's encrypted SECRET without decrypting it.]
Inspect encrypted traffic without decrypting it!
Slide 10
Technical setup
Slide 11
Model
[Diagram: endpoints Alice and Bob, a middlebox (MB) on the path between them, and a rule generator that supplies rules to the MB.]
Slide 12
Threat model
• Middlebox (MB): runs the detection functionality correctly, but is curious to see traffic content (honest-but-curious/passive)
• Endpoints (Alice, Bob): one endpoint can misbehave, but at least one endpoint behaves correctly; endpoints cannot learn the rules
• Rule generator: generates rules correctly
Slide 13
Goals
1. Strong privacy guarantee: well-studied security guarantees
2. Practical: network rates are incredibly fast! (microseconds)
3. Wide range of functionality: regexp, scripts
Slide 14
Strawmen: fully homomorphic or functional encryption? [Gentry'09, BSW'11]
• Does not fit our threat model
• Prohibitive performance: IDS detection over a single packet requires over 1 day*
* based on our experiments using [Katz, Sahai, Waters'08]
Slide 15
BlindBox's design
Slide 16
System overview
SSL remains unchanged.
BBhttps: enhanced https, run at both endpoints.
• Sender: the message is SSL-encrypted as usual (SSL traffic) and, in parallel, BlindBox-encrypted: split in tokens, encrypt each token (encrypted tokens)
• Middlebox: run detection on the encrypted tokens
• Receiver: SSL decrypt the message; BlindBox verify the encrypted tokens
Slide 17
How do we inspect encrypted traffic efficiently?
Slide 18
Step 1: searchable encryption

| scheme | packet inspection | security |
| --- | --- | --- |
| deterministic schemes | fast: O(log(#rules) * #bytes/packet) | weak |
| randomized schemes [SongWagnerPerrig'00] | slow: O(#rules * #bytes/packet) | high |
| desired: our new searchable encryption scheme & detection algorithm | fast | high |

No satisfying scheme for our setting.
Slide 19
Our new search scheme
Alice (BBhttps) encrypts; the middlebox, holding AES_K(rule), matches.
Example message: "example message"
Tokens (sliding window): "example", "xample", "ample m", "mple me", …
Encrypted token: salt, AES_{AES_K(token)}(salt), i.e. the salt is encrypted under the token's own key AES_K(token)
Middlebox test: AES_{AES_K(rule)}(salt) ?= AES_{AES_K(token)}(salt)
Fast encryption: only AES!
But detection is slow: O(#rules * #tokens)
Slide 20
Desired:
• Avoid combining a salt with each rule
• Build index on rules
Slide 21
Fast detection protocol
Use a salt schedule: the salt of a token is the number of times that token has appeared so far in the stream.
  tokens:           A            B            A            A
  encrypted tokens: Enc_K(1, A)  Enc_K(1, B)  Enc_K(2, A)  Enc_K(3, A)
Rule index: the middlebox precomputes a tree with salt=1: Enc_K(1, rule1), Enc_K(1, rule2), …
For each token, one tree lookup! O(log #rules * #tokens)
On a match, the middlebox inserts the next salt for that rule, e.g. Enc_K(2, rule2): a rare operation!
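As an added example (not code from the talk or from BlindBox itself), the sliding-window tokenization and salted token encryption of slide 19 together with the indexed detection and salt schedule of slide 21, in Python. HMAC-SHA256 stands in for AES as the PRF, a 6-byte window with single-window rules is assumed, and a dict replaces the slide's tree.

```python
import hashlib
import hmac
from collections import defaultdict

WINDOW = 6  # token length (assumed); rules here are exactly one window long (simplification)

def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for AES_key(msg): HMAC-SHA256 as the PRF (assumption, keeps the demo stdlib-only)
    return hmac.new(key, msg, hashlib.sha256).digest()

def rule_key(k: bytes, rule: bytes) -> bytes:
    # AES_K(rule): in BlindBox the middlebox obtains this via garbled circuits + OT (slide 23)
    # without learning K; it is computed directly here for the demo
    return prf(k, rule)

def enc_token(k: bytes, salt: int, token: bytes) -> bytes:
    # Enc_K(salt, token) = AES_{AES_K(token)}(salt): the salt is encrypted under the token's own key
    return prf(prf(k, token), salt.to_bytes(4, "big"))

def encrypt_message(k: bytes, message: bytes):
    # Sliding-window tokens. Salt schedule: the salt is how many times this token has appeared
    # so far, so repeated tokens get different ciphertexts (unlike a deterministic scheme)
    seen, out = defaultdict(int), []
    for i in range(len(message) - WINDOW + 1):
        t = message[i:i + WINDOW]
        seen[t] += 1
        out.append((seen[t], enc_token(k, seen[t], t)))
    return out  # list of (salt, ciphertext), one per token

class Middlebox:
    def __init__(self, rule_keys: dict):
        # rule_keys: {rule_name: AES_K(rule)}. The index maps Enc_K(salt, rule) -> rule for the
        # salt expected next for each rule, starting at salt=1 (the slide's precomputed tree)
        self.rule_keys, self.index = rule_keys, {}
        for name in rule_keys:
            self._insert(name, 1)

    def _insert(self, name: str, salt: int) -> None:
        self.index[prf(self.rule_keys[name], salt.to_bytes(4, "big"))] = name

    def inspect(self, enc_tokens):
        # One index lookup per token: O(#tokens) with a dict, O(log #rules * #tokens) with the tree
        matches = []
        for pos, (salt, ct) in enumerate(enc_tokens):
            name = self.index.get(ct)
            if name is not None:
                matches.append((pos, name))
                self._insert(name, salt + 1)  # rare: re-key the rule for its next occurrence
        return matches  # (byte position, rule) pairs: all the middlebox learns
```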
Slide 22
But how does the middlebox obtain AES_K(rule)?
[Diagram: Alice and Bob share the key K; the middlebox holds the rule and needs AES_K(rule), without learning K and without revealing the rule.]
Slide 23
Step 2: BlindBox's setup phase
Alice has K; the middlebox has the rule and wants AES_K(rule).
1. Alice sends to MB garbled circuits [Yao'86] for AES_K(·)
2. MB runs oblivious transfer [Rabin'81] with Alice to obtain the encoding for rule
3. MB evaluates the garbled circuit and obtains AES_K(rule)
Slide 24
Security guarantee
"Principle of least privilege": the middlebox learns only the byte positions where a rule matches (well-studied guarantee in the searchable encryption literature)
[Diagram: a byte stream containing ATTACK and HACKS is checked against a BLACKLIST; the middlebox sees only "match!" at those positions.]
Slide 25
So far…
Complete system for equality matching: exfiltration, intrusion prevention (IPS), parental filtering
Need support for regular expressions!
Slide 26
How to support regular expressions?
Slide 27
Rules with regular expressions in IPS
Snort rule example: { content: "malicious string", pcre: "/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz/Hi", […] }
• The rule first matches the content string by equality
• The content string must be highly selective
Slide 28
New privacy model: probable cause privacy
If a malicious string matches a packet, the middlebox can decrypt the packet, but not otherwise.
Privacy may be lost only if there is probable cause.
Slide 29
New encryption scheme for probable cause
Alice (holding K) sends Enc'_K(token); the middlebox holds AES_K(rule).
If token = rule, the middlebox obtains K.
Slide 30
Middlebox can run regexp
Rule {content: "malicious string", pcre: "/\r\nHost\…", […] }
Step 1: match the content string on encrypted traffic; on a match, obtain K
Step 2: decrypt the packet and run the regexp on the unencrypted traffic
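An added example (not the paper's own construction) of the probable-cause flow of slides 29 and 30: each token carries an equality tag plus the per-packet key wrapped under a token-derived key, so a content match lets the middlebox decrypt that packet and run the pcre, while packets with no match stay opaque. HMAC-SHA256 stands in for AES, and the packet cipher, window size and key-wrap construction are assumptions made for the demo.

```python
import hashlib
import hmac
import re
from collections import defaultdict

WINDOW = 6  # token length (assumed); rules' content strings are exactly one window long

def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for AES_key(msg): HMAC-SHA256 as the PRF (assumption, stdlib-only)
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(kp: bytes, n: int) -> bytes:
    # Counter-mode keystream under the per-packet key (illustrative cipher, not the paper's)
    return b"".join(prf(kp, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def make_rule(k: bytes, content: bytes, pcre: bytes):
    # (AES_K(content), compiled regexp); AES_K(content) reaches the middlebox via slide 23's setup
    return content, (prf(k, content), re.compile(pcre))

def encrypt_packet(k: bytes, body: bytes, kp: bytes):
    # Body under a fresh per-packet key kp. Each token carries an equality tag plus kp wrapped
    # under a key derived from the token, so only a holder of AES_K(token) can unwrap it
    seen, tokens = defaultdict(int), []
    for i in range(len(body) - WINDOW + 1):
        t = body[i:i + WINDOW]
        seen[t] += 1
        salt = seen[t].to_bytes(4, "big")
        tk = prf(k, t)  # AES_K(token)
        tokens.append((salt, prf(tk, salt), xor(kp, prf(tk, b"wrap" + salt))))
    return xor(body, keystream(kp, len(body))), tokens

class Middlebox:
    def __init__(self, rules):
        self.rules = dict(rules)  # {content: (AES_K(content), pcre)}; K itself is never held

    def inspect(self, body_ct: bytes, tokens):
        # Step 1: match content on encrypted tokens. Step 2: on a match (probable cause) recover
        # kp, decrypt the packet and run the regexp on plaintext. No match: nothing is decrypted
        hits = []
        for salt, tag, wrap in tokens:
            for content, (rk, pcre) in self.rules.items():
                if hmac.compare_digest(tag, prf(rk, salt)):
                    kp = xor(wrap, prf(rk, b"wrap" + salt))
                    body = xor(body_ct, keystream(kp, len(body_ct)))
                    if pcre.search(body):
                        hits.append(content)
        return hits  # content strings whose full rule (content + pcre) fired
```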
Slide 31
More details in our paper!
• Optimizations to reduce bandwidth overhead
• Details on garbled circuits + oblivious transfer
• Support for malicious middlebox
• Rule generation, regular expressions, probable cause decryption…
Slide 32
Implementation
• Endpoints: BBhttps, a C library
• Middlebox: Click framework
Slide 33
Evaluation: functionality, performance
Slide 34
Functionality evaluation

| Dataset | Without probable cause | With probable cause |
| --- | --- | --- |
| Document watermarking | 100% | 100% |
| Parental filtering | 100% | 100% |
| Snort community IDS (HTTP) | 67% | 100% |
| Snort Emerging Threats IDS (HTTP) | 42% | 100% |
| StoneSoft (McAfee) IDS | 40% | 100% |
| LastLine IDS | 29% | 100% |
Slide 35
Performance highlights
Three main performance figures:
• Detection time: competitive with existing IDSes!
  • 186 Mbps with BlindBox (comparable to Snort)
• Transmission time: practical overhead
  • Page load completion time increases by 0.15-1x
• Setup time: not yet competitive
  • 1 min for 3000 rules
  • fine for long-lived connections (cloud-enterprise)
Slide 36
Upcoming work: MBArk, outsourcing middleboxes to the cloud
Support header-based computations over encrypted data: firewall, NAT, IP forwarder, load balancer, VPN, IDS, exfiltration
Slide 37
Conclusion
BlindBox is the first system to enable DPI middleboxes to process traffic without seeing it
• practical for a class of applications
Thanks!