projects techreports press lab location staff
citi top.2 top.3
citi mid.3
bot.1 bot.2 bot.3

Projects : Secure Packet Vault

Detection of and response to a security breach in progress requires special attention to legal, regulatory, policy, and ethical matters so that the needs of security administrators and the forensics requirements of law enforcement are balanced with the privacy rights and expectations of users. These matters will be addressed with the Secure Packet Vault, a tool for rapid response to an intrusion incident or for continuous oversight of a subnet. CITI will also investigate the uses of cryptography to address policy-imposed data handling requirements.

Vault Architecture

The packet vault hardware is composed of two 133 MHz PCI-bus Pentium machines interconnected via a private 100 Mbps Ethernet. One machine (the "listener") is also connected to the network under test, and is used to capture and encrypt the data, which are then sent over the private Ethernet. The listener stores no packet data on magnetic disk. The other machine (the "writer") receives the encrypted captured data and stores them to magnetic disk for subsequent writing to CD-ROM. The two magnetic disks on the writer are attached to a dedicated SCSI bus; a second SCSI bus is dedicated to the CD-ROM recorder (CD-R).

UNIX-derived operating systems were chosen for both platforms because of our familiarity with UNIX and the flexibility it provides. OpenBSD 2.0 was chosen for the listener because of its kernel BPF support; Linux 2.0.0 was chosen for the writer because of the early availability of drivers for the CD-R.

All data are encrypted to allow selective release of conversations, where a conversation is defined as all communications between a pair of IP addresses. Packet IP addresses are obscured by substitution, and packet data are encrypted under a symmetric key unique to each conversation. Material needed to reconstruct all conversations is remembered and encrypted under the public key of a trusted third party.

Project Status

The packet vault project has been completed. We have secured funding from Dartmouth's Institute of Security Technology Studies for a follow-on Advanced Packet Vault project.

Papers and reports

  • "The Packet Vault: Secure Storage of Network Data" (with M. Undy and P. Honeyman), CITI Technical Report 98-5, June 1998. [Updated USENIX version, Proc. USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, April 1999.]


Charles Antonelli    Principal Investigator
Mathhew Undy Graduate Student Research Assistant projects | techreports | press | lab | location | staff Email address
or call +1 734 763 2929
Copyright © 1996-2013
The Regents of the University of Michigan