Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment
Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns since users’ traffi...
Saved in:
Main Authors: | , , , , , , |
---|---|
Format: | text |
Language: | English |
Published: |
Institutional Knowledge at Singapore Management University
2020
|
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/5925 https://ink.library.smu.edu.sg/context/sis_research/article/6928/viewcontent/PineEnablingPrivacy_Preserving_av.pdf |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Institution: | Singapore Management University |
Language: | English |
id |
sg-smu-ink.sis_research-6928 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-69282021-05-11T06:48:00Z Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment NING, Jianting HUANG, Xinyi POH, Geong Sen XU, Shengmin LOH, Jia-Chng WENG, Jain DENG, Robert H. Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns since users’ traffic is now known by the enterprises, and third-party middlebox providers providing the inspection services may additionally learn the inspection or attack rules, policies of the enterprises. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019) propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern of users’ traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces the overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to third-party cloud-based setting, rule privacy should be preserved. Also, both approaches are static in nature in the sense that addition of any rules requires significant amount of preprocessing and re-instantiation of the protocols. In this paper we propose Pine, a new Privacy-preserving inspection of encrypted traffic protocol that (1) simplifies the preprocessing step of PrivDPI thus further reduces the computation time and communication overhead of establishing the TLS connection between a user and a server; (2) supports rule hiding; and (3) enables dynamic rule addition without the need to re-execute the protocol from scratch. We demonstrate the superior performance of Pine when compared to PrivDPI through extensive experimentations. In particular, for a connection from a client to a server with 5,000 tokens and 6,000 rules, Pine is approximately 27% faster and saves approximately 92.3% communication cost. 2020-09-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/5925 info:doi/10.1007/978-3-030-58951-6_1 https://ink.library.smu.edu.sg/context/sis_research/article/6928/viewcontent/PineEnablingPrivacy_Preserving_av.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Network privacy Traffic inspection Encrypted traffic Information Security |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
Network privacy Traffic inspection Encrypted traffic Information Security |
spellingShingle |
Network privacy Traffic inspection Encrypted traffic Information Security NING, Jianting HUANG, Xinyi POH, Geong Sen XU, Shengmin LOH, Jia-Chng WENG, Jain DENG, Robert H. Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
description |
Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns since users’ traffic is now known by the enterprises, and third-party middlebox providers providing the inspection services may additionally learn the inspection or attack rules, policies of the enterprises. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019) propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern of users’ traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces the overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to third-party cloud-based setting, rule privacy should be preserved. Also, both approaches are static in nature in the sense that addition of any rules requires significant amount of preprocessing and re-instantiation of the protocols. In this paper we propose Pine, a new Privacy-preserving inspection of encrypted traffic protocol that (1) simplifies the preprocessing step of PrivDPI thus further reduces the computation time and communication overhead of establishing the TLS connection between a user and a server; (2) supports rule hiding; and (3) enables dynamic rule addition without the need to re-execute the protocol from scratch. We demonstrate the superior performance of Pine when compared to PrivDPI through extensive experimentations. In particular, for a connection from a client to a server with 5,000 tokens and 6,000 rules, Pine is approximately 27% faster and saves approximately 92.3% communication cost. |
format |
text |
author |
NING, Jianting HUANG, Xinyi POH, Geong Sen XU, Shengmin LOH, Jia-Chng WENG, Jain DENG, Robert H. |
author_facet |
NING, Jianting HUANG, Xinyi POH, Geong Sen XU, Shengmin LOH, Jia-Chng WENG, Jain DENG, Robert H. |
author_sort |
NING, Jianting |
title |
Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
title_short |
Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
title_full |
Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
title_fullStr |
Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
title_full_unstemmed |
Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment |
title_sort |
pine: enabling privacy-preserving deep packet inspection on tls with rule-hiding and fast connection establishment |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2020 |
url |
https://ink.library.smu.edu.sg/sis_research/5925 https://ink.library.smu.edu.sg/context/sis_research/article/6928/viewcontent/PineEnablingPrivacy_Preserving_av.pdf |
_version_ |
1770575666799968256 |