PROBLEM: Host-based security technologies are a vital element of multi-layered defense strategies. Modern TLS encryption poses an increasing problem when inspecting network traffic, whether through passive or inline methods. Perfect forward secrecy renders passive deep packet inspection obsolete, and man-in-the-middle functions are not widely tolerated due to their administrative and performance overhead. Additionally, MITM cannot inspect TLS sessions that are authenticated with pinned certificates or that use client certificates for mutual authentication.
BUSINESS IMPLICATIONS: As these product gaps grow, the value proposition of these products decreases. Consumers must find other compensating controls or product augmentations to meet their DPI requirements. For the manufacturer, modern TLS reduces the product's value and market potential and increases sales friction, support burden, and TCO.
Nubeva's breakthrough TLS decryption technology is a valuable feature enhancement to your existing host-based system and can be easily added as a net benefit to your solution. Nubeva's SKI (Session Key Intercept) technology enables inspection of all TLS network traffic going in and out of a host. Our solution is delivered as a modular set of software components that quickly fills product gaps, improves capability, and ultimately enhances your value proposition.
(re)Enable Out-of-Band Decryption
Decrypt TLS 1.3 and TLS 1.2 with PFS, along with legacy TLS, traffic authenticated with pinned certificates, and mTLS/client certificate authentication.
SKI decryption does not require CA installs, server keys, or changes to authentication. SKI works entirely independently of all PKI.
Designed for systems that cannot tolerate delays. Nubeva offers a high throughput service that achieves 80% of wire speed with negligible latency.
Achieve simple, symmetric bulk decryption with very low resource requirements for breakthrough price performance.
Deliver More Value to Your Customers
Increased DPI capabilities provide an expanded solution option to customers and remove the need for inline decryption projects and budgets.
With increased functionality and reduced complexity, the selling process is simplified, win rates and deal sizes grow, and customer adoption and value realized dramatically improve.
Fire-and-forget technology reduces pre- and post-sales engineering requirements and the quantity and complexity of support tickets, leading to a reduced cost of sales and support.
Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles.
The core concept of SKI is to capture session keys from TLS servers and clients and forward them to authorized decryption engines for use. With session keys available, simple, high-speed, low-cost bulk decryption is possible for any traffic. Simply match traffic with keys using a session's client random, and decrypt.
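The matching step described above, as an added illustration that is not Nubeva's code: exported keys are indexed by client random and looked up from the 32-byte random field of a captured ClientHello. The key-export line format (NSS SSLKEYLOGFILE style, `LABEL <client_random> <secret>`) and the sample ClientHello are assumptions constructed for the example.

```python
"""Match a TLS session to exported session keys by client random (added example)."""
import struct
from collections import defaultdict

# Constructed sample key-log export in NSS SSLKEYLOGFILE format (assumed, not Nubeva's format).
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_KEY_LOG = f"""# constructed sample, not a real capture
CLIENT_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_RANDOM.hex()} {'11' * 48}
SERVER_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_RANDOM.hex()} {'22' * 48}
CLIENT_TRAFFIC_SECRET_0 {SAMPLE_RANDOM.hex()} {'33' * 48}
SERVER_TRAFFIC_SECRET_0 {SAMPLE_RANDOM.hex()} {'44' * 48}
CLIENT_RANDOM {'ff' * 32} {'55' * 48}
"""

def parse_key_log(text):
    """Index key-log lines as client_random_hex -> {label: secret_hex}; skip malformed lines."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, client_random, secret = parts
        keys[client_random.lower()][label] = secret.lower()
    return keys

def client_random_from_record(record):
    """Return the client random (hex) from a TLS record carrying a ClientHello, else None.

    Layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) legacy_version(2) random(32) ...
    """
    if len(record) < 5 + 4 + 2 + 32:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    if record[0] != 0x16 or record[5] != 0x01 or rec_len + 5 > len(record):
        return None  # not handshake content, not a ClientHello, or truncated record
    return record[11:43].hex()

def lookup_session_keys(record, keys):
    """Return the exported secrets for the session that produced this ClientHello, or None."""
    client_random = client_random_from_record(record)
    return keys.get(client_random) if client_random else None

def build_sample_client_hello(random_bytes):
    """Construct a minimal TLS ClientHello record (sample input for the example)."""
    body = (b"\x03\x03" + random_bytes + b"\x00"   # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression methods: null only
            + b"\x00\x00")                        # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```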
Decryption can support passive as well as inline implementations. See our NGFW/IPS Inline use case and Passive IDS/NDR use cases for details on each. While these use cases represent external appliances, the same architecture and benefits apply to host-based networking solutions.
Nubeva provides software to get keys and to decrypt using keys. Our comprehensive suite of software components, available in source or binary forms, enables fast and flexible SKI decryption implementation into most product sets. While there are many implementation models and options for HIDS/HIPS inspection systems, here are the basics.
Nubeva has perfected learning and exporting keys from application and TLS library process memory as they are created during the handshake. Simply deploy our session key learning software on any VM, node, or endpoint. Our software is delivered as a C library and as turnkey agents or containers, in binary or source code form. Key extraction is 100% reliable, transparent, and non-disruptive to application code; it does not impact applications and operates with a minimal memory and CPU footprint. Additionally, SKI works with a higher level of security than prior methods of decryption. Get keys for:
Any TLS 1.3, 1.2, and legacy.
Any session N-S-E-W including pinned and client certificate sessions.
Traffic to internet, cloud, and other third-party servers and services.
Bare metal, VMs, and container hosts in the datacenter or cloud, and/or client endpoints.
OS and commercial applications as well as malware communications.
For immediate implementation - utilize Nubeva's turnkey agents and containers as a companion software component to acquire keys and pass them to an existing agent.
For deeper integrations - use Nubeva's key extraction C library to add the ability to get session keys to your software simply and easily.
Nubeva complements session key discovery with a suite of decryption support options that enable HIDS/HIPS to receive session keys and decrypt if needed. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:
Enhance existing datapath or add net new
Any traffic and any session
Leverage crypto instruction set acceleration in standard CPUs
Achieve ultra-high throughputs of over 25Gb/s per core
Efficient use of CPU and memory resources
Already have Decryption? – Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva’s SKI Decrypt TLS C library and reference code.
Don't have Decryption? Nubeva's Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic onboard.
There are a myriad of implementation options spanning key acquisition, key transport, and handling, as well as decryption.