
5 Reasons Why SKI Decryption Is More Secure than the Alternatives

March 4, 2021

Nubeva SKI finds TLS session secrets in client or server memory and sends the keys over encrypted channels to user-authorized destinations, where the keys are paired with mirrored traffic for decryption and analysis. Nubeva’s SKI architecture is more secure than traditional TLS decryption implementations such as forward-proxy/MITM, reverse-proxy/session termination and out-of-band/passive decryption, and here is why:

1) True End-to-End TLS Integrity - SKI assures that session integrity is maintained and never modified, while delivering the highest levels of security, privacy and compliance of any TLS inspection method. SKI does not participate in the TLS handshake and does not depend on server public/private key pairs for authentication. With SKI, endpoints need not be configured to trust certificate authorities from MITM devices. SKI addresses the vulnerabilities created when inspection is bypassed for third-party applications and for applications using pinned certificates, client-side certificates or mutual TLS. Not only does SKI reduce the complexity and vulnerabilities of session and certificate management, its method of learning session secrets at the endpoints of a TLS session is simple, secure and applies to all TLS sessions.

2) Key Learning and Forwarding Are 100% Customer Controlled - For SKI sensors to work, they must be provisioned by the user to read process memory. Users have full control over where sensors are deployed and what access rights they have. As such, sensor deployment is just as secure as the deployment of any other commercial software and can use whichever automated deployment method you prefer. Customers define the destinations for discovered keys. Keys are sent over secured, encrypted tunnels to the customer’s destinations for inspection. Keys are kept separate from session traffic until they are required for decryption. Only the customer’s decryption services can use the session secrets SKI provides to unlock their encrypted sessions. Customers can set the TTL of session keys to a few seconds or a few minutes, so keys can be discarded as soon as they are used.

3) Ephemeral Session Keys Are Lower Risk than Server Key Pairs - SKI does not inspect or transfer asymmetric public/private key pairs. Therefore SKI has no bearing on the security of your public key infrastructure (PKI) or key management services (e.g. AWS KMS). SKI only discovers ephemeral session secrets which, unlike public/private keys, apply to a single TLS session between one client and one server, after which that session key is never used again.

4) Decryption Without Exposing Clear Text - Traditional approaches either decrypt once and distribute clear text (decrypt once, inspect many, or DOIM), or decrypt multiple times at an increased performance penalty. SKI’s architecture decouples keys from traffic; keys are not derived from traffic. SKI’s FastKey™ securely sends session secrets to a customer’s decryption services before the data arrives. SKI decryption is fast and affordable, exceeding 10 Gbps on a single core. This architecture enables decryption to be done wherever it is needed without ever sending clear text to decryption services.

5) A Time-Tested Approach Made Safer - Logging session secrets has been available in browsers and load balancers for years and is widely accepted in limited use cases. But those solutions are typically disruptive, requiring debug mode, shims or architectural changes. Such methods may also leave keys in unsecured files, creating further cascading complications. Finally, these are point solutions that are not built to be automated, manageable or scalable. Nubeva SKI has perfected the use of these techniques for scale, performance and security, adding orchestration, logging and monitoring integration options, all of which are non-disruptive to existing infrastructure. SKI has been thoroughly tested by top cybersecurity companies that use our technology.
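As an added example (not Nubeva’s code; it assumes the NSS key log format that browsers and some load balancers write, constructed sample lines, and a hypothetical SessionKeyStore class), this shows points 2 and 5 in working form: parsing logged session secrets, pairing them with a session by its client random, and discarding each secret after one use or a short TTL instead of leaving it in a file:

```python
import time
# Labels from the NSS key log format: TLS 1.2 master secret and TLS 1.3 traffic secrets.
KEYLOG_LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                 "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                 "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

def parse_keylog_line(line):
    """Return (label, client_random_hex, secret_hex), or None for comments/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3 or parts[0] not in KEYLOG_LABELS or len(parts[1]) != 64:
        return None
    try:
        bytes.fromhex(parts[1]); bytes.fromhex(parts[2])  # both fields must be hex
    except ValueError:
        return None
    return parts[0], parts[1].lower(), parts[2].lower()

class SessionKeyStore:
    """Hypothetical store: secrets per session (keyed by client random), kept for ttl seconds, handed out once."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock   # clock is injectable for tests
        self._entries = {}  # client_random -> (expires_at, {label: secret})
    def add(self, line):
        parsed = parse_keylog_line(line)
        if parsed is None:
            return False
        label, client_random, secret = parsed
        labels = self._entries.get(client_random, (0, {}))[1]
        labels[label] = secret
        self._entries[client_random] = (self.clock() + self.ttl, labels)  # TTL restarts per secret
        return True
    def purge(self):
        """Drop expired sessions; return how many remain."""
        now = self.clock()
        for cr in [cr for cr, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[cr]
        return len(self._entries)
    def take(self, client_random):
        """Pair secrets with a session's mirrored traffic: return them once, then discard."""
        self.purge()
        entry = self._entries.pop(client_random.lower(), None)
        return entry[1] if entry else None

# Constructed sample lines: two TLS 1.3 secrets for one session and one malformed line.
SAMPLE = ["CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "22" * 48,
          "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "33" * 48, "not a keylog line"]
```

The store never writes secrets to disk, and a decryption service that calls take() once per session cannot retrieve the same secret again, which is the short-TTL, use-once property described above.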

SKI Use Cases:

With SKI adoption, it is clear that SKI is safer and simpler to use than the traditional approaches. The following table shows SKI’s operational and security benefits in the context of common decryption use cases:

SKI Use Case: Passive monitoring, used in IDS, NDR, APA and APM systems.
SKI Benefits: Restores visibility. Can inspect TLS 1.3, TLS 1.2 with PFS and legacy TLS protocols without server key pairs, including traffic to third-party-controlled servers. Safer and easier to operate.

SKI Use Case: Outbound (forward proxy), used in secure web gateways, NG firewalls, IPS, DLP and CASB.
SKI Benefits: Significant boost in performance and in inspection coverage of traffic using pinned and client certificates. Certificates are not required, simplifying configuration and management.

SKI Use Case: Inbound (reverse proxy), used in NG firewalls, IPS and ALB/NLB.
SKI Benefits: Maintains end-to-end encryption and session integrity. Traffic is encrypted all the way to the endpoint. Certificates are not required, simplifying configuration and management.

SKI Use Case: Host-based inspection, used in endpoint firewalls and localized IPS, IDS and APM systems.
SKI Benefits: Maintains end-to-end encryption and session integrity. Eliminating session management improves performance. Certificates are not required, simplifying configuration.

SKI Use Case: Service mesh, used in 5G packet core, compute delivery platforms and other microservice application infrastructures.
SKI Benefits: TLS session key overlay with a minimal footprint (one sensor per node); does not require modifications to sidecar or application software.

In conclusion, Session Key Intercept is a tried and tested approach to decryption, and Nubeva has commercialized it for enterprise use at scale. SKI checks all the boxes:

  1. Operates at the endpoints, not in the middle
  2. Provides complete TLS coverage, including mutual TLS and pinned certificates, so everything that should be inspected is inspected
  3. Avoids certificate management complexity
  4. Maintains full session integrity and exposes no clear text
  5. Non-disruptive: no shims, no need for debug mode or architectural changes
  6. Universal across use cases, regardless of how many services
  7. Customer controlled at all times

On top of the secure nature of modern TLS, the ability to inspect all this traffic securely and without management overhead is an unmatched security benefit that only SKI provides. Interested in learning more? Schedule a technical discussion at www.nubeva.com/contact
