TLS Decryption for PCAP Stores

Nubeva SKI Enhances DPI Capabilities for Network Forensics


PROBLEM: Capturing and storing pcaps for cybersecurity or application diagnostics is a fundamental forensics function employed by enterprises. However, TLS 1.3 and TLS 1.2 with PFS (perfect forward secrecy) have made obsolete the legacy PCAP forensics that used PKI key pairs to decrypt. With passive decryption antiquated, customers who want to capture decrypted traffic must add costly inline decryption, reduce the TLS employed by their organizations, or lose forensics. None of these are good options for the enterprise.

For manufacturers, such a significant loss of product capability leads to customers inspecting less traffic, and therefore, reducing the use of pcap services. Without a solution to the growing volume of encrypted traffic, the DPI market potential for pcap stores is shrinking, increasing sales friction, and overall, is a significant missed market opportunity.

Fact: PCAP DPI for Forensics and Troubleshooting has Growing Inspection Gaps with Modern Encryption

Nubeva SKI for Passive Inspection Systems

Nubeva’s SKI software-based TLS decryption technology provides a simple add-in to existing forensic systems. SKI delivers high-speed, low-cost decryption of all TLS encrypted traffic, including pcaps, from any standard passive traffic source in any environment. SKI is a complete suite of modular software components that can easily integrate into any system. Our solution is an elegant fit for PCAP forensics systems to expand capability, respond to encryption evolution, increase product value and accelerate sales.

Inspect More Traffic

Fill Decryption Gaps

Technical Advantage 

Decrypt Any Traffic

North-south and east-west traffic; TLS 1.3 and TLS 1.2 with PFS, along with legacy TLS; traffic authenticated with pinned certificates; and mTLS/client-side certificate-based sessions.

Expand Inspection Capabilities 

Decrypt traffic to and from owned and foreign servers, traffic to the internet, and 3rd party servers and services, including cloud platforms - a capability never before possible.

High-Speed, Low Cost

Achieve simple, symmetric bulk decryption with very low resource requirements for breakthrough price-performance.

Ultimate Flexibility

Reduce operational headache with no server keypair management or PKI interaction. SKI offers a lower-risk architecture with an independent and ephemeral key plane separate from the sessions. 

More Value to Your Customers

Business Advantages

Deliver a Complete Solution 

Offer full-coverage deep inspection capabilities by supporting all protocols and ciphers.

Reduce Sales Friction

Increased market opportunity allows sales teams to sell more products, close bigger deals, and create lasting customer success.


Add Nubeva SKI Support into Your Product Suite

Adding Nubeva SKI into your forensics solution suite can be fast and easy, allowing you to get to market quickly with low entry hurdles. 

The core concept of SKI is to capture session keys from TLS servers and clients and forward them to authorized decryption engines for use. Session keys enable simple, high-speed, and low-cost bulk decryption of any traffic. Simply match PCAPs with keys using a session’s client-random value, and decrypt. Decryption can be performed as soon as PCAPs are received, in which case keys could be destroyed right after they are used. PCAPs and keys could also be stored for future on-demand decryption and inspection. Session keys can be saved for further forensics and can be destroyed when they are no longer needed.
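The client-random matching step described above, as an added Python example (not Nubeva's code and not from the original page). It assumes keys arrive in the NSS key log (SSLKEYLOGFILE) text format, which the page does not name; the function names and all sample values are constructed for illustration, and it covers matching only, not decryption.

```python
LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
          "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
          "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

def load_keylog(text):
    """Index key log lines as {client_random: {label: secret}}."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS:
            continue  # comments, blank lines, unknown labels
        try:
            rnd, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue  # corrupted hex
        if len(rnd) == 32:  # a client random is always 32 bytes
            index.setdefault(rnd, {})[parts[0]] = secret
    return index

def client_random(record):
    """Return the 32-byte random of a ClientHello TLS record, or None."""
    # 5-byte record header (0x16 = handshake), 4-byte handshake header
    # (0x01 = ClientHello), 2-byte legacy_version, then the random.
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]

def match_sessions(records, index):
    """Split captured sessions into those with keys and those without."""
    matched, gaps = {}, []
    for rnd in filter(None, map(client_random, records)):
        if rnd in index:
            matched[rnd.hex()] = sorted(index[rnd])
        else:
            gaps.append(rnd.hex())  # captured, but no key: stays opaque
    return matched, gaps

def hello(rnd):  # constructed, minimal ClientHello prefix for the demo
    return b"\x16\x03\x01\x00\x26\x01\x00\x00\x22\x03\x03" + rnd

RND_A, RND_B, RND_C = bytes(range(32)), bytes(range(32, 64)), b"\xaa" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log",
    f"CLIENT_RANDOM {RND_A.hex()} {'11' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {RND_B.hex()} {'22' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RND_B.hex()} {'33' * 32}",
    f"CLIENT_RANDOM {RND_C.hex()[:40]} {'44' * 48}",  # truncated: rejected
])
SAMPLE_RECORDS = [hello(RND_A), hello(RND_B), hello(RND_C), b"\x17\x03\x03\x00\x00"]
```

Calling `match_sessions(SAMPLE_RECORDS, load_keylog(SAMPLE_KEYLOG))` reports the TLS 1.2 and TLS 1.3 sessions as matched and the third session as a gap, which is the list a PCAP store would surface as captured but not decryptable.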

 

Passive P-Cap Stores

 

Nubeva’s comprehensive suite of software components, to get keys and to decrypt using keys, is available in source or binary forms. There are multiple deployment options to support decryption for PCAP stores. Here are the basics.

Get Session Keys

Nubeva has perfected the learning and exporting of keys from application and TLS process memory as they are created during the handshake. Simply deploy our session key learning software on any VM, node, or endpoint. Our software is delivered as a C library or turnkey agents and containers in binary or source code form. Key extraction is 100% reliable, transparent and non-disruptive to application code, does not impact applications, and operates with minute memory and CPU. Additionally, SKI works with a higher level of security than prior methods of decryption. Get keys from:

  • Any TLS version: 1.3, 1.2, and legacy

  • Any session N-S-E-W including pinned and client certificate sessions.

  • Traffic to internet, cloud, and other 3rd party servers and services

  • Metal, VMs, and containers running on a client, in a datacenter, or in the cloud

  • OS and commercial applications as well as malware communications 

 

Get Started: 

Have an agent? - Add the ability to get session keys simply and easily using SKI Sensor C-Library.

No agent today? - Add agents to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers.

Don't want to have an agent? - Resell Nubeva labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.

Decrypt with Session Keys

Nubeva complements session key discovery with a suite of decryption support options enabling forensics and troubleshooting product vendors to add the ability to receive, store, and retrieve session keys, and to decrypt. We offer a variety of implementation options depending on architectural requirements and how the systems are configured. Inspection systems need minor modifications to receive keys and to decrypt using them. Decrypt using keys:

  • Decrypt anytime, anywhere, using PCAPs and keys in real-time or on-demand

  • Any traffic and any session

  • Leverage crypto instruction set acceleration in standard CPUs

  • Achieve ultra high throughputs over 25Gb/s per core

  • Efficient use of CPU and Memory resources

Get Started: 

Already have decryption? – Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva’s SKI Decrypt TLS C library and reference code. 

Don't have decryption? – Nubeva’s Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic onboard.

Don’t want to offer decryption directly? – Simply capture and store keys. Then provide PCAP and the companion keys to enable external decryption using industry-standard formats.


There are a myriad of implementation options spanning key acquisition, key transport, and handling, as well as decryption.

Nubeva works with our customers to develop the ideal architecture and craft highly customized licensing programs and support services to enable customer success.

Let's discuss how SKI can work with your systems.
