Ransomware Reversal

TLS Decryption for Host-Based Network Security

Nubeva SKI enables HIDS, HIPS, and other agent-based solutions.


PROBLEM: Host-based security technologies are a vital element of multi-layered defense strategies. Modern TLS encryption poses a growing problem for inspecting network traffic, whether through passive or inline methods. Perfect forward secrecy makes passive deep packet inspection obsolete, and man-in-the-middle (MITM) decryption is not widely tolerated because of its administrative and performance overhead. Additionally, MITM cannot inspect TLS sessions authenticated with pinned certificates or sessions that use client certificates for mutual authentication.

BUSINESS IMPLICATIONS: As these product gaps grow, the value proposition of these products declines. Consumers must find other compensating controls or product augmentations to meet their DPI requirements. For the manufacturer, modern TLS reduces your product’s value and market potential and increases sales friction, support, and TCO.

Fact: Modern TLS limits packet inspection capabilities, reducing product value and decelerating sales

Nubeva SKI for Host-Based Inspection Systems

Nubeva’s breakthrough TLS decryption technology is a valuable feature enhancement to your existing host-based system and can be added as a net benefit to your solution. Nubeva’s SKI (Session Key Intercept) technology enables inspection of all TLS network traffic going in and out of a host. Our solution is delivered as a modular set of software components that quickly fills product gaps, improves capability, and ultimately enhances your value proposition.

Inspect More Traffic

(re)Enable Out-of-Band Decryption

Technical Advantage

See Into Any Traffic

TLS 1.3, TLS 1.2 with PFS, and legacy TLS; traffic authenticated with pinned certificates; and mTLS/client-certificate authentication.

No PKI Involvement

SKI decryption does not require CA installs, server keys, or changes to authentication. SKI works entirely independently of PKI.

Extreme Performance

Designed for systems that cannot tolerate delays. Nubeva offers a high throughput service that achieves 80% of wire speed with negligible latency.

Low Resource Requirements

Achieve simple, symmetric bulk decryption with very low resource requirements for breakthrough price/performance.

Deliver More Value to Your Customers

Business Advantages

Expanded Value to Customer

Increased DPI capabilities give customers an expanded solution option and remove the need for separate inline decryption projects and budgets.

Sales Acceleration

With increased functionality and reduced complexity, the selling process is simplified, win rates and deal sizes grow, and customer adoption and value realized dramatically improve.

Reduced Support

Fire-and-forget technology reduces pre- and post-sales engineering requirements and the quantity and complexity of support tickets, leading to a reduced cost of sales and support.


Integrate Nubeva SKI into Your Product Suite

Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles.

The core concept of SKI is to capture session keys from TLS servers and clients and forward them to authorized decryption engines. With session keys available, simple, high-speed, low-cost bulk decryption is possible for any traffic: match each flow to its keys using the session’s client random, then decrypt.
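The client-random match described above, as an added example that is not Nubeva’s code: it assumes the learned secrets arrive in the NSS SSLKEYLOGFILE text format (label, client random, secret), which the page does not specify, parses a TLS ClientHello record to pull out the 32-byte client random, and looks up that session’s secrets. Every key-log value and the ClientHello itself are constructed here.

```python
import struct
# Constructed client randoms for two sessions (not real captures).
CR_A = bytes(range(0x00, 0x20))
CR_B = bytes(range(0x20, 0x40))
# Constructed key-log text in NSS SSLKEYLOGFILE format (assumed transport); secrets are made up.
SAMPLE_KEYLOG = f"""\
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_A.hex()} {'11' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_A.hex()} {'22' * 32}
CLIENT_TRAFFIC_SECRET_0 {CR_A.hex()} {'33' * 32}
SERVER_TRAFFIC_SECRET_0 {CR_A.hex()} {'44' * 32}
CLIENT_RANDOM {CR_B.hex()} {'55' * 48}
"""

def parse_keylog(text):
    """Return {client_random: {label: secret}} from key-log lines; blank and # lines skipped."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, cr_hex, secret_hex = line.split()
        keys.setdefault(bytes.fromhex(cr_hex), {})[label] = bytes.fromhex(secret_hex)
    return keys

def build_client_hello(client_random):
    """Build a minimal TLS record carrying a ClientHello (constructed test input)."""
    body = (b"\x03\x03" + client_random + b"\x00"  # legacy version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00" + b"\x00\x00")           # null compression, empty extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_random_from_record(record):
    """Extract the 32-byte client random, or None if the record is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:           # record type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_len < 2 + 32 or len(hs) - 4 < hs_len:        # truncated or malformed
        return None
    return hs[6:38]                                    # skip 4-byte header + 2-byte version

def keys_for_record(record, keys):
    """Match a captured ClientHello to learned secrets; None means no key for this session."""
    cr = client_random_from_record(record)
    return keys.get(cr) if cr is not None else None
```

A flow whose ClientHello has no matching entry is exactly the case an inspection engine must handle by passing the traffic through undecrypted rather than failing.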

Host-Based Inspection


Decryption can support passive as well as inline implementations. See our NGFW/IPS Inline use case and Passive IDS/NDR use cases for details on each. While these use cases represent external appliances, the same architecture and benefits apply to host-based networking solutions.

Nubeva provides software to get keys and to decrypt using keys. Our comprehensive suite of software components, available in source or binary forms, enables fast and flexible SKI decryption implementation into most product sets. While there are many implementation models and options for HIDS/HIPS inspection systems, here are the basics.

Get Session Keys

Nubeva has perfected learning and exporting keys from application and TLS process memory as they are created during the handshake. Simply deploy our session key learning software on any VM, node, or endpoint. Our software is delivered as a C library and as turnkey agents or containers, in binary or source code form. Key extraction is 100% reliable, transparent and non-disruptive to application code, does not impact applications, and operates with minimal memory and CPU. Additionally, SKI works with a higher level of security than prior methods of decryption. Get keys for:

  • Any TLS version: 1.3, 1.2, and legacy.

  • Any session, north-south or east-west, including pinned-certificate and client-certificate sessions.

  • Traffic to internet, cloud, and other third-party servers and services.

  • Bare metal, VMs, and container hosts in the datacenter or cloud, and/or client endpoints.

  • OS and commercial applications as well as malware communications.


Get Started:

For immediate implementation - use Nubeva’s turnkey agents and containers as a companion software component to acquire keys and pass them to an existing agent.

For deeper integrations - use Nubeva’s key extraction C library and add the ability to get session keys to your own software.

Decrypt with Session Keys

Nubeva complements session key discovery with a suite of decryption support options that enable HIDS/HIPS to receive session keys and decrypt where needed. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:

  • Enhance an existing datapath or add a net-new one.

  • Any traffic and any session.

  • Leverage crypto instruction set acceleration in standard CPUs.

  • Achieve ultra-high throughput, over 25 Gb/s per core.

  • Efficient use of CPU and memory resources.


Get Started:

Already have decryption? Add the ability to receive keys and decrypt by modifying your existing engine or by using Nubeva’s SKI Decrypt TLS C library and reference code.

Don’t have decryption? Nubeva’s Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic on the host.


There are a myriad of implementation options spanning key acquisition, key transport, and handling, as well as decryption.

Nubeva works with our customers to develop the ideal architecture and craft highly customized licensing programs and support services to enable customer success.

Let's discuss how SKI can work with your systems.

Get a Demo
