CAREER: End-to-End Encryption for Managed Networks

职业：托管网络的端到端加密

• 批准号: 2236784
• 负责人: Paul Grubbs
• 金额: $ 72.75万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-03-01 至 2028-02-29
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2236784&HistoricalAwards=false
• 关键词: CAREER; End; Encryption; Managed; Networks

Every day, billions of people use encryption to ensure the traffic they send across the public internet remains secure and private. Encryption is rarely used within managed networks administered by a single organization, like a business, a hospital, or a school. This is because current approaches to network management don't work if traffic is encrypted. The project’s novelties are applications of cryptography that enable network management directly on encrypted traffic. The project’s broader significance is that it will allow creating more secure and privacy-respecting managed networks. The project focuses on three critical areas of incompatibility between encryption and network management: policy enforcement, analytics, and network services. In the policy enforcement thrust, the project team uses zero-knowledge proofs to build network middleware that can enforce network policies, such as content filtering, without directly seeing traffic. In the analytics thrust, the project team is designing network analytics systems that do not rely on databases of plaintext traffic logs but verifiably outsource log storage and queries to endpoints. Finally, in the network services thrust, the project team uses cryptography to limit the metadata network services can learn about network traffic.The project’s broader impact will be improving the security of managed networks. Since management infrastructure will no longer need to see plaintext traffic, compromising this infrastructure will give an attacker less information about activity on the network. At the same time, user privacy in the network will also be improved since by using encryption, users can limit what is disclosed to administrators.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

每天，数十亿人使用加密来确保他们通过公共互联网发送的流量保持安全和隐私。加密很少在由单个组织管理的托管网络中使用，例如企业、医院或学校。这是因为如果流量是加密的，则当前的网络管理方法不起作用。该项目的新奇之处在于密码学的应用，可以直接对加密的流量进行网络管理。该项目更广泛的意义在于，它将允许创建更安全、更尊重隐私的受管网络。该项目侧重于加密和网络管理之间不兼容的三个关键领域：策略实施、分析和网络服务。在策略实施方面，项目团队使用零知识证据来构建网络中间件，该中间件可以在不直接看到流量的情况下实施网络策略，如内容过滤。在分析方面，项目团队正在设计网络分析系统，该系统不依赖明文流量日志数据库，但可验证地将日志存储和查询外包给终端。最后，在网络服务方面，项目团队使用密码学来限制网络服务可以了解的网络流量的元数据。该项目的更广泛影响将是提高托管网络的安全性。由于管理基础设施将不再需要查看明文流量，因此危害此基础设施将使攻击者获得更少的有关网络活动的信息。同时，网络中的用户隐私也将得到改善，因为通过使用加密，用户可以限制向管理员披露的内容。这一奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Zombie: Middleboxes that Don't Snoop

• 发表时间: 2023
• 期刊: IACR Cryptol. ePrint Arch.
• 作者: Collin Zhang;Zachary Destefano;Arasu Arun;Joseph Bonneau;Paul Grubbs;Michael Walfish