Building Generic Scalable Middlebox Services Over Encrypted Protocols

Cong Liu, Tsinghua University, P.R. China
Yong Cui, Tsinghua University, P.R. China
Kun Tan, Microsoft Research Asia, P.R. China
Quan Fan, Tsinghua University, P.R. China
Kui Ren, State University of New York at Buffalo, USA
Jianping Wu, Tsinghua University, P.R. China


The growing number of middleboxes makes the network between endpoints increasingly complex. Today, many middleboxes operate at the application layer and provide important network services by inspecting plain-text traffic, such as firewalling, intrusion detection and application-layer gateways. At the same time, more and more network applications encrypt their data transmission to protect security and privacy. Continuing to provide application-layer middlebox services on an encrypted Internet has become a critical task and an active research topic; however, the state of the art is far from being deployable in real networks. In this paper, we propose a practical architecture, named PlainBox, that enables session key sharing between the communicating client and the middleboxes on the network path. It employs Attribute-Based Encryption (ABE) in the key sharing protocol to support multiple chained middleboxes efficiently and securely. We develop a prototype system and apply it to popular security protocols such as TLS and SSH. We have tested our prototype in a lab testbed as well as against real-world websites. Our results show that PlainBox introduces very little overhead and that its performance is practical for deployment.

