PrivRE: Regular Expression Matching for Encrypted Packet Inspection

Published: 01 Jan 2024, Last Modified: 09 Nov 2025 | ICDCS 2024 | CC BY-SA 4.0
Abstract: Encrypted packet inspection (EPI) allows a middlebox to perform deep packet inspection (DPI) over encrypted packets without decrypting them. Existing EPI systems rely on expensive cryptographic operations and are therefore not yet ready for real-world deployment. Furthermore, such solutions only support exact keyword matching and cannot securely support regular expressions, which are the major tool for describing DPI rules because of their powerful and flexible expressiveness. In this paper, we propose PrivRE, the first EPI system that can securely support regular expressions. The main idea of PrivRE is to have the middlebox run regular expressions on a desensitized version of the payload, in which sensitive information has been replaced with dummy characters. We provide a full-fledged implementation of PrivRE. In particular, we override OpenSSL to make PrivRE transparent to the application layer, so that software developers do not need to be aware of its existence. We systematically evaluate PrivRE on a testbed consisting of 3 intercontinental EC2 VMs. Our experimental results show that it introduces at most 0.03% accuracy loss and is only 1.78x to 8.23x slower than SplitTLS (where the middlebox can decrypt the packets).
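As an added illustration of the idea stated in the abstract (not PrivRE's own algorithm or code), the simplified model below replaces substrings the client marks as sensitive with a dummy character, runs a small constructed regex rule set on both the plaintext and the desensitized payload, and measures "accuracy loss" as the fraction of rule verdicts that change. The rules, sample payloads and the substring-based masking scheme are all constructed for this example.

```python
import re

# Constructed DPI rule set: two detection rules and one DLP-style rule.
RULES = {
    "admin_path": re.compile(r"GET\s+/admin/"),
    "path_traversal": re.compile(r"\.\./\.\./"),
    "card_number": re.compile(r"\b\d{16}\b"),
}

DUMMY = "#"  # assumed dummy character used to blank out sensitive bytes


def desensitize(payload: str, secrets) -> str:
    """Replace every occurrence of each sensitive substring with dummy
    characters of the same length, so offsets seen by the middlebox are
    unchanged (a simplifying assumption of this model)."""
    for secret in secrets:
        payload = payload.replace(secret, DUMMY * len(secret))
    return payload


def inspect(payload: str) -> dict:
    """Run every rule and return a verdict per rule, as a middlebox would."""
    return {name: bool(rx.search(payload)) for name, rx in RULES.items()}


def accuracy_loss(samples) -> float:
    """Fraction of (payload, rule) verdicts that differ between inspecting
    the plaintext and inspecting the desensitized payload."""
    total = disagreements = 0
    for payload, secrets in samples:
        plain, masked = inspect(payload), inspect(desensitize(payload, secrets))
        for name in RULES:
            total += 1
            disagreements += plain[name] != masked[name]
    return disagreements / total


# Constructed traffic: (payload, substrings the client considers sensitive).
SAMPLES = [
    ("GET /admin/panel HTTP/1.1\r\nCookie: session=abc123\r\n\r\n", ["abc123"]),
    ("GET /files?name=../../etc/passwd HTTP/1.1\r\n\r\n", []),
    ("POST /pay HTTP/1.1\r\n\r\ncard=4111111111111111&amount=10", ["4111111111111111"]),
]

if __name__ == "__main__":
    # Only the card-number rule depends on masked bytes, so 1 of 9 verdicts flips.
    print(f"accuracy loss: {accuracy_loss(SAMPLES):.4f}")
```

The flipped verdict shows the trade-off behind the abstract's accuracy-loss figure: a rule that needs the sensitive bytes themselves cannot fire on the desensitized payload, while rules over non-sensitive parts of the payload are unaffected.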