Secret-Sharing Hardware Improves the Privacy of Network Monitoring
Network service providers monitor the data flow to detect anomalies and malicious behavior in their networks. Network monitoring inspects the data flow over time and thus has to store packet data. Storing of data impedes the privacy of users. A radically new approach counteracts such privacy concerns by exploiting threshold cryptography. It encrypts all monitored traffic. The used symmetric keys are made available to monitoring entities only if they collect enough evidence of malicious behavior. This new approach overcomes weaknesses of packet anonymization. It calls for dedicated hardware that is able to encrypt packets and generate key-share information for gigabit networks. This article proves that the application of Shamir’s secret sharing scheme is possible. The presented hardware is able to protect up to 1.8 million packets per second. The creation of such a high-speed hardware required innovations on the algorithmic, the protocol, and on the architectural level. The outcome is a surprisingly small circuit that fits commercially available FPGA cards. It was tested under real-world conditions. It proved to protect the users’ privacy while monitoring gigabit networks.
KeywordsSecret Sharing Threshold Cryptography Hardware Acceleration Field-Programmable Gate Array (FPGA) Gigabit Ethernet
Unable to display preview. Download preview PDF.
- 1.American National Standards Institute (ANSI). AMERICAN NATIONAL STANDARD X9.62-2005. Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm, ECDSA (2005)Google Scholar
- 3.Broadcom. BCM5464SR Quad-Port Gigabit Copper Transceiver with Copper/Fiber Media Interface (2006), http://www.broadcom.com/products/Physical-Layer/Gigabit-Ethernet-PHYs/BCM5464SR
- 4.Broder, A.Z., Mitzenmacher, M.: Network Applications of Bloom Filters: A Survey. Internet Mathematics 1(4) (2003)Google Scholar
- 6.EU Article 29 Data Protection Working Party. Opinion on the Concept of Personal Data (01248/07/EN WP 136) (April 2007)Google Scholar
- 7.Frankel, S., Glenn, R., Kelly, S.: RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec. RFC 3602 (Proposed Standard) (September 2003)Google Scholar
- 9.Hoffman, P.: RFC 3664: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol, IKE (2004)Google Scholar
- 10.Hoffman, P.: RFC 4308: Cryptographic Suites for IPsec. RFC 4308 (Proposed Standard) (December 2005)Google Scholar
- 15.Song, H., Sproull, T.S., Attig, M., Lockwood, J.W.: Snort Offloader: A Reconfigurable Hardware NIDS Filter. In: Rissa, T., Wilton, S.J.E., Leong, P.H.W. (eds.) FPL, pp. 493–498. IEEE, Los Alamitos (2005)Google Scholar
- 16.Stanford University. NetFPGA Project. NetFPGA (2009), http://netfpga.org/
- 17.Wolkerstorfer, J., Szekely, A., Lorünser, T.: IPsec Security Gateway for Gigabit Ethernet. In: Ostermann, T. (ed.) Austrochip 2008 – Proceedings of the 16th Austrian Workshop on Microelectronics (October 2008)Google Scholar
- 18.Xilinx Corporation. Virtex-II Pro and Virtex-II Pro X Platform FPGAs: Complete Data Sheet (2007), http://www.xilinx.com/support/documentation/virtex-ii_pro_data_sheets.htm