Paul Grubbs earns NSF CAREER Award to build more secure, private networks

His cryptographic techniques will help managed networks like those in schools and companies enforce network policies without the need to access user information.
Prof. Paul Grubbs

Paul Grubbs, assistant professor of computer science at the University of Michigan, has received a National Science Foundation (NSF) CAREER Award to design more secure and privacy-protecting managed networks. The project is titled “End-to-End Encryption for Managed Networks.”

Every day, billions of people use encryption to ensure the traffic they send across the public internet remains secure and private. However, encryption is rarely used within managed networks administered by a single organization, such as a business, a hospital, or a school, because current approaches to network management depend on inspecting plaintext and stop working once traffic is encrypted. In settings like K-12 schools, for instance, networks are expected to filter out obscene content, while classified settings need protection against data loss, intrusions, and exfiltration of sensitive information.

In his CAREER research, Grubbs will devise novel ways to carry out network management directly on encrypted traffic. His goal is to allow the creation of more secure and privacy-respecting managed networks.

Grubbs’ project focuses on three critical areas of incompatibility between encryption and network management: policy enforcement, analytics, and network services. 

To enable encrypted policy enforcement, Grubbs and his collaborators will make use of a technique called a zero-knowledge proof to build network middleware that can enforce network policies without directly seeing traffic. A zero-knowledge proof lets a prover convince a verifier that a secret satisfies a stated requirement without revealing anything about the secret beyond that one fact. Grubbs argues that this paradigm can be applied to payloads like network traffic, which can be tested for compliance with a policy without divulging their contents.
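To make the paradigm concrete, here is an added, self-contained illustration (not code from the project or from Grubbs's group): a sender commits to a destination category and proves to a middlebox that the committed category is on an allow-list, while the middlebox learns nothing about which entry it is. The construction is the textbook sigma-protocol "OR-proof" over a Pedersen commitment, made non-interactive with Fiat-Shamir; the group (a 62-bit safe prime found at import time), the generators `G` and `H`, the category codes in `ALLOWED`, and every function name are constructed for this example. A real middlebox would need proofs over actual packet contents and a properly sized group; the point here is only that verification succeeds without the secret and fails when the policy or the proof is tampered with.

```python
"""Toy zero-knowledge allow-list check: a sigma-protocol OR-proof over a
Pedersen commitment, made non-interactive with Fiat-Shamir. Added
illustration, not the project's own construction; the group, generators
and category codes are constructed for the demo (62-bit group: toy size)."""
import hashlib
import random

_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic with these bases for n < 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> tuple[int, int]:
    """First (p, q) with p = 2q + 1 both prime and q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(1 << 61)   # toy group: the order-Q subgroup of Z_P*
G = 4                             # a square, hence of order Q
H = pow(int.from_bytes(hashlib.sha256(b"nothing-up-my-sleeve").digest(), "big") % P, 2, P)
assert H not in (0, 1, G)

def inv(x: int) -> int:
    return pow(x, P - 2, P)

def commit(m: int, r: int) -> int:
    """Pedersen commitment C = G^m * H^r: hides m, binds the sender to it."""
    return pow(G, m, P) * pow(H, r, P) % P

def challenge(*vals: int) -> int:
    """Fiat-Shamir challenge bound to commitment, allow-list and first messages."""
    data = b"".join(v.to_bytes(32, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_membership(m, r, allowed, seed=None):
    """Prove commit(m, r) opens to SOME value in `allowed`, hiding which one."""
    rng = random.Random(seed)     # demo only; use `secrets` for real randomness
    C = commit(m, r)
    idx = allowed.index(m)        # ValueError: a blocked category has no proof
    n = len(allowed)
    cs, zs, As = [0] * n, [0] * n, [0] * n
    for j in range(n):            # simulate every branch except the true one
        if j == idx:
            continue
        cs[j], zs[j] = rng.randrange(Q), rng.randrange(Q)
        Yj = C * inv(pow(G, allowed[j], P)) % P   # equals H^r only if m == allowed[j]
        As[j] = pow(H, zs[j], P) * inv(pow(Yj, cs[j], P)) % P
    w = rng.randrange(Q)          # honest Schnorr-style first message
    As[idx] = pow(H, w, P)
    c = challenge(C, *allowed, *As)
    cs[idx] = (c - sum(cs)) % Q   # the one challenge the prover cannot pick
    zs[idx] = (w + cs[idx] * r) % Q
    return C, cs, zs

def verify_membership(C, allowed, cs, zs) -> bool:
    """Middlebox check: learns only that C opens to an allowed value."""
    n = len(allowed)
    if not (len(cs) == len(zs) == n):
        return False
    As = []
    for j in range(n):
        Yj = C * inv(pow(G, allowed[j], P)) % P
        As.append(pow(H, zs[j], P) * inv(pow(Yj, cs[j], P)) % P)
    return sum(cs) % Q == challenge(C, *allowed, *As)

# Constructed policy: destination categories, with code 3 deliberately absent.
ALLOWED = [1, 2, 4, 5]

def demo(seed: int = 7) -> tuple[bool, bool, bool]:
    """Honest proof verifies; a different policy list and a tampered response do not."""
    m, r = 4, 123456789           # sender's real category and blinding factor
    C, cs, zs = prove_membership(m, r, ALLOWED, seed)
    ok = verify_membership(C, ALLOWED, cs, zs)
    wrong_list = verify_membership(C, [1, 2, 5, 6], cs, zs)
    zs_bad = zs[:]
    zs_bad[0] = (zs_bad[0] + 1) % Q
    tampered = verify_membership(C, ALLOWED, cs, zs_bad)
    return ok, wrong_list, tampered   # demo() returns (True, False, False)
```

The verifier sees `C`, the challenge shares `cs` and the responses `zs`; every `cs[j]` is uniformly distributed whether or not `j` is the true branch, which is what keeps the chosen category hidden, while the Fiat-Shamir hash over the allow-list means a proof made against one policy cannot be replayed against another.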

In the analytics thrust, the team will design network analytics systems that do not rely on databases of plaintext traffic logs, but instead outsource log storage and query execution in a way that lets the network verify the results it gets back. Finally, in the network services thrust, the team will use cryptography to limit the metadata that network services can learn about network traffic.

Grubbs’ broader goal is to improve the security of managed networks. At the same time, user privacy in the network will also be improved through the use of encryption, enabling users to limit what is seen by administrators.

“Since management infrastructure will no longer need to see plaintext traffic,” he explains, “compromising this infrastructure will give an attacker less information about activity on the network.”