DocumentCode
539885
Title
Feasibility of wire-speed hardware-based conditional per-flow encryption for on-the-fly protection of monitored traffic
Author
Bianchi, G. ; Wolkerstorfer, J. ; Teofili, S. ; Gojmerac, I. ; Jung, O.
Author_Institution
CNIT, Univ. di Roma Tor Vergata, Rome, Italy
fYear
2010
fDate
16-18 June 2010
Firstpage
1
Lastpage
9
Abstract
The indiscriminate collection and processing of all traffic carried via high speed networks poses a serious threat to the privacy of network users. In early results of the PRISM project, we have proposed an approach for cryptographically protecting, directly on the network monitoring probe, captured traffic on a per-flow basis, and permitting decryption only for the specific flows for which an anomalous behavior is suspected. This new work shows the viability of such an approach, by documenting a gigabit-speed hardware implementation of the underlying cryptographic techniques. In addition to ordinary symmetric encryption, these include i) dynamic and stateless generation of per-flow encryption keys, and ii) delivery of decryption keys in the form of Shamir's secret shares computed over on-the-fly generated Shamir's per-flow polynomials. To the best of our knowledge, this is the first work which applies a Shamir secret sharing scheme at such high throughput rates.
Keywords
cryptography; data privacy; telecommunication network management; Shamir secret share; anomalous behavior; cryptographic protection; decryption key; monitored traffic; network monitoring probe; network user privacy; on-the-fly protection; per-flow encryption key; wire-speed hardware-based conditional per-flow encryption; Hardware Implementation; Privacy Protection; Shamir Secret Sharing; Traffic Monitoring;
fLanguage
English
Publisher
ieee
Conference_Titel
Future Network and Mobile Summit, 2010
Conference_Location
Florence
Print_ISBN
978-1-905824-16-8
Type
conf
Filename
5722354