The explosive growth of network traffic is driving the adoption of cloud-based middlebox services. However, because of the enlarged attack surface, redirecting enterprise traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized ruleset access. To address these issues, recent efforts have been made toward enabling middlebox services over encrypted traffic and encrypted middlebox rules. Following this direction, in this article we investigate privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate encrypted header checking as range-based pattern matching, and to carefully craft security designs that enable efficient header inspection in the ciphertext domain. Our first design is tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve checking efficiency. We formally analyze the security strengths of both designs and implement a fully functional system prototype. Extensive experiments over real-world rulesets demonstrate the practicality of our designs.
- Intrusion detection
- Order-revealing encryption (ORE)
- Outsourced middlebox
- Searchable encryption