Cryptology ePrint Archive: Report 2015/264

BlindBox: Deep Packet Inspection over Encrypted Traffic

Justine Sherry and Chang Lan and Raluca Ada Popa and Sylvia Ratnasamy

Abstract: Many network middleboxes perform {\it deep packet inspection} (DPI), a set of useful tasks which examine packet payloads. These tasks include intrusion detection (IDS), exfiltration detection, and parental filtering. However, a long-standing issue is that once packets are sent over HTTPS, middleboxes can no longer accomplish their tasks because the payloads are encrypted. Hence, one is faced with the choice of only one of two desirable properties: the functionality of middleboxes and the privacy of encryption. We propose BlindBox, the first system that simultaneously provides {\em both} of these properties. The approach of BlindBox is to perform the deep-packet inspection {\em directly on the encrypted traffic}. BlindBox realizes this approach through a new protocol and new encryption schemes.

We demonstrate that BlindBox enables applications such as IDS, exfiltration detection and parental filtering, and supports real rulesets from both open-source and industrial DPI systems. We implemented BlindBox and showed that it is practical for settings with long-lived HTTPS connections. Moreover, its core encryption scheme is 3-6 orders of magnitude faster than existing relevant cryptographic schemes.

Category / Keywords: implementation, crypto systems, packets

Original Publication (with major differences): ACM SIGCOMM

Date: received 21 Mar 2015, last revised 11 Apr 2016

Contact author: justine at eecs berkeley edu

Available format(s): PDF | BibTeX Citation

Note: Additional experiment and text.

Version: 20160411:194057 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]