Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment

Full description

Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns, since users’ traffic is now known to the enterprises, and third-party middlebox providers offering the inspection services may additionally learn the enterprises’ inspection or attack rules and policies. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019), propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern of users’ traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces the overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to a third-party cloud-based setting, rule privacy should be preserved. Also, both approaches are static in nature, in the sense that the addition of any rules requires a significant amount of preprocessing and re-instantiation of the protocols. In this paper we propose Pine, a new Privacy-preserving inspection of encrypted traffic protocol that (1) simplifies the preprocessing step of PrivDPI, thus further reducing the computation time and communication overhead of establishing the TLS connection between a user and a server; (2) supports rule hiding; and (3) enables dynamic rule addition without the need to re-execute the protocol from scratch. We demonstrate the superior performance of Pine when compared to PrivDPI through extensive experiments. In particular, for a connection from a client to a server with 5,000 tokens and 6,000 rules, Pine is approximately 27% faster and saves approximately 92.3% in communication cost.

Bibliographic Details
Main Authors: NING, Jianting, HUANG, Xinyi, POH, Geong Sen, XU, Shengmin, LOH, Jia-Chng, WENG, Jain, DENG, Robert H.
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2020 (publication date 2020-09-01)
Collection: Research Collection School Of Computing and Information Systems
Subjects: Network privacy; Traffic inspection; Encrypted traffic; Information Security
DOI: 10.1007/978-3-030-58951-6_1
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Online Access: https://ink.library.smu.edu.sg/sis_research/5925
https://ink.library.smu.edu.sg/context/sis_research/article/6928/viewcontent/PineEnablingPrivacy_Preserving_av.pdf
Institution: Singapore Management University
Record: sg-smu-ink.sis_research-6928 (dspace, last updated 2021-05-11T06:48:00Z)
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU