Luca Melis
Emiliano De Cristofaro
ABSTRACT
Aiming to reduce the cost and complexity of maintaining networking infrastructures, organizations are increasingly outsourcing their network functions (e.g., firewalls, traffic shapers and intrusion detection systems) to the cloud, and a number of industrial players have started to offer network function virtualization (NFV)-based solutions. Alas, outsourcing network functions in its current setting implies that sensitive network policies, such as firewall rules, are revealed to the cloud provider. In this paper, we investigate the use of cryptographic primitives for processing outsourced network functions, so that the provider does not learn any sensitive information. More specifically, we present a cryptographic treatment of privacy-preserving outsourcing of network functions, introducing security definitions as well as an abstract model of generic network functions, and then propose a few instantiations using partial homomorphic encryption and public-key encryption with keyword search. We include a proof-of-concept implementation of our constructions and show that network functions can be privately processed by an untrusted cloud provider in a few milliseconds.
- D. F. Aranha and C. P. L. Gouvêa. RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic.Google Scholar
- B. H. Bloom. Space/time trade-offs in hash coding with allowable errors. Communications of the ACM, 13(7):422--426, 1970. Google ScholarDigital Library
- D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In Eurocrypt '04, pages 506--522, 2004.Google ScholarCross Ref
- D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF Formulas on Ciphertexts. In TCC '05, pages 325--341, 2005. Google ScholarDigital Library
- J. H. Cheon, K. Han, C. Lee, H. Ryu, and D. Stehle. Cryptanalysis of the Multilinear Map over the Integers. In Eurocrypt '15, pages 3--12, 2015.Google ScholarCross Ref
- J.-S. Coron, T. Lepoint, and M. Tibouchi. Practical Multilinear Maps over the Integers. In CRYPTO '13, pages 476--493, 2013.Google ScholarCross Ref
- M. G. Gouda and A. X. Liu. Structured Firewall Design. Comput. Netw., 51(4):1106--1120, 2007. Google ScholarDigital Library
- A. R. Khakpour and A. X. Liu. First Step Toward Cloud-Based Firewalling. In SRDS '12, pages 41--50, 2012. Google ScholarDigital Library
- G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an OS Kernel. In SOSP '09, pages 207--220, 2009. Google ScholarDigital Library
- M. Luby and C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17(2):373--386, Apr. 1988. Google ScholarDigital Library
- N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. OpenFlow: Enabling Innovation in Campus Networks. SIGCOMM Comput. Commun. Rev., 38(2):69--74, 2008. Google ScholarDigital Library
- M. Naehrig, K. Lauter, and V. Vaikuntanathan. Can homomorphic encryption be practical? In CCSW '11, pages 113--124, 2011. Google ScholarDigital Library
- T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds. In CCS '09, pages 199--212, 2009. Google ScholarDigital Library
- K. Searl. Top 26 Companies in the Global NFV Market. http://www.technavio.com/blog/top-26-companies-in-the-global-nfv-market, 2014.Google Scholar
- J. Sherry, S. Hasan, C. Scott, A. Krishnamurthy, S. Ratnasamy, and V. Sekar. Making Middleboxes Someone Else's Problem: Network Processing as a Cloud Service. In SIGCOMM '12, pages 13--24, 2012. Google ScholarDigital Library
- J. Sherry, C. Lan, R. A. Popa, and S. Ratnasamy. BlindBox: Deep Packet Inspection over Encrypted Traffic. In SIGCOMM '15, pages 213--226, 2015. Google ScholarDigital Library
- J. Shi, Y. Zhang, and S. Zhong. Privacy-preserving Network Functionality Outsourcing. http://arxiv.org/abs/1502.00389, 2015.Google Scholar
- Z. Wang and X. Jiang. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In IEEE S&P '10, pages 380--395, 2010. Google ScholarDigital Library
- F. Zhang, J. Chen, H. Chen, and B. Zang. CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In SOSP '11, pages 203--216, 2011. Google ScholarDigital Library
- Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-VM Side Channels and Their Use to Extract Private Keys. In CCS, pages 305--316, 2012. Google ScholarDigital Library
Index Terms
- Private Processing of Outsourced Network Functions: Feasibility and Constructions
Recommendations
A Generic Construction of Integrated Secure-Channel Free PEKS and PKE and its Application to EMRs in Cloud Storage
To provide a search functionality for encrypted data, public key encryption with keyword search (PEKS) has been widely recognized. In actual usage, a PEKS scheme should be employed with a PKE scheme since PEKS itself does not support the decryption of ...
New verifiable outsourced computation scheme for an arbitrary function
We study the construction of efficient verifiable outsourced computation for arbitrary functions. We improve previous verifiable outsourced computation schemes for arbitrary functions by using hybrid encryption based on fully homomorphic encryption and ...
A secure biometric authentication based on PEKS
Biometrics refers to metrics related to human characteristics and traits such as finger prints. How to use biometric to replace an encryption key or an identity certificate efficiently and securely is a hot topic in this big data era. In this field, ...
Comments