PROBLEM: Capturing and storing pcaps for cybersecurity or application diagnostics is a fundamental forensics function employed by enterprises. However, TLS 1.3 and TLS 1.2 with PFS (perfect forward secrecy) have made obsolete the legacy PCAP forensics that used PKI pairs to decrypt. With passive decryption antiquated, customers who want to capture decrypted traffic must add costly inline decryption, reduce the TLS employed by their organizations, or lose forensics, none of which are good options for the enterprise.
For manufacturers, such a significant loss of product capability leads to customers inspecting less traffic and therefore reducing their use of pcap services. Without a solution to the growing volume of encrypted traffic, the DPI market potential for pcap stores is shrinking and sales friction is increasing; overall, this is a significant missed market opportunity.
Nubeva’s SKI software-based TLS decryption technology provides a simple add-in to existing forensic systems that delivers high-speed, low-cost decryption of pcaps. SKI delivers high-speed, low-cost decryption of all TLS encrypted traffic from any standard passive traffic source in any environment. SKI is a complete suite of modular software components that can easily integrate into any system. Our solution is an elegant fit for PCAP forensics systems to expand capability, respond to encryption evolution, increase product value and accelerate sales.
Fill Decryption Gaps
North-south-east-west traffic, TLS 1.3, 1.2 with PFS along with legacy TLS, traffic authenticated with pinned certificates, as well as MTLS/client-side cert-based sessions.
Decrypt traffic to and from owned and foreign servers, traffic to the internet, and 3rd party servers and services, including cloud platforms - a capability never before possible.
Achieve simple, symmetric bulk decryption with very low resource requirements for breakthrough price-performance.
Reduce operational headache with no server keypair management or PKI interaction. SKI offers a lower-risk architecture with an independent and ephemeral key plane separate from the sessions.
More Value to Your Customers
Offer full-coverage deep inspection capabilities by supporting all protocols and ciphers.
Increase market opportunity, allowing sales teams to sell more products, close bigger deals, and create lasting customer success.
Adding Nubeva SKI into your forensics solution suite can be fast and easy, allowing you to get to market quickly with low entry hurdles.
The core concept of SKI is to capture session keys from TLS servers and clients and forward them to authorized decryption engines for use. Session keys enable simple, high-speed, and low-cost bulk decryption of any traffic. Simply match PCAPs with keys using a session’s client-random value, and decrypt. Decryption can be performed as soon as PCAPs are received, in which case keys could be destroyed right after they are used. PCAPs and keys could also be stored for future on-demand decryption and inspection. Session keys can be saved for further forensics and can be destroyed when they are no longer needed.
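The client-random matching step described above, as an added example that is not Nubeva's code: it assumes keys arrive in the NSS key log format that Wireshark reads (the page does not name a format) and flags captured sessions for which no key was delivered. Function names, ClientHello records and secrets are constructed for illustration.

```python
import struct

# Assumption: keys arrive as NSS key log lines "<label> <client_random> <secret>".
# CLIENT_RANDOM carries a TLS 1.2 master secret; *_TRAFFIC_SECRET_* are TLS 1.3.
def parse_keylog(text):
    """Index key log lines as {client_random: {label: secret}}."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue  # blank, comment or malformed line: skip rather than guess
        try:
            rnd, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue
        if len(rnd) == 32:
            keys.setdefault(rnd, {})[parts[0]] = secret
    return keys

def client_random(record):
    """Return the 32-byte random of a TLS record holding a ClientHello, else None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    # 5-byte record header + 4-byte handshake header + 2-byte client_version
    return record[11:43]

def match_sessions(records, keys):
    """Split captured sessions into decryptable ones and ones with no key."""
    matched, missing = {}, []
    for rec in records:
        rnd = client_random(rec)
        if rnd is None:
            continue  # not a ClientHello, nothing to match on
        if rnd in keys:
            matched[rnd.hex()] = sorted(keys[rnd])
        else:
            missing.append(rnd.hex())  # captured, but cannot be decrypted
    return matched, missing

def make_hello(rnd):
    """Build a constructed, minimal ClientHello record for the demo."""
    body = b"\x03\x03" + rnd + b"\x00"  # version, random, empty session id
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

R1, R2, R3 = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32  # constructed
KEYLOG = (f"# constructed sample\nCLIENT_RANDOM {R1.hex()} {'aa' * 48}\n"
          f"CLIENT_TRAFFIC_SECRET_0 {R2.hex()} {'bb' * 32}\n"
          f"SERVER_TRAFFIC_SECRET_0 {R2.hex()} {'cc' * 32}\n")
MATCHED, MISSING = match_sessions([make_hello(r) for r in (R1, R2, R3)],
                                  parse_keylog(KEYLOG))
```

`MISSING` is the list a pcap store would track: sessions that were captured but whose keys never arrived or have already been destroyed.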
Nubeva’s comprehensive suite of software components to get keys and to decrypt using keys is available in source or binary forms. There are multiple deployment options to support decryption for PCAP stores. Here are the basics.
Nubeva has perfected learning and exporting keys from application and TLS process memory as they are created during the handshake. Simply deploy our session key learning software on any VM, node, or endpoint. Our software is delivered as a C library or as turnkey agents and containers, in binary or source code form. Key extraction is 100% reliable, transparent and non-disruptive to application code, does not impact applications, and operates with minute memory and CPU. Additionally, SKI works with a higher level of security than prior methods of decryption. Get Keys from:
Any TLS 1.3, 1.2, and legacy.
Any session N-S-E-W including pinned and client certificate sessions.
Traffic to internet, cloud, and other 3rd party servers and services.
Metal, VMs, and containers running on a client, in a datacenter, or in the cloud.
OS and commercial applications as well as malware communications.
Have an agent? - Add the ability to get session keys simply and easily using SKI Sensor C-Library.
No agent today? - Add agents to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers.
Don't want to have an agent? - Resell Nubeva labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.
Nubeva complements session key discovery with a suite of decryption support options that enable forensics and troubleshooting product vendors to add the ability to receive, store, and retrieve session keys, and to decrypt. We offer a variety of implementation options depending on architectural requirements and how the systems are configured. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:
Leverage crypto instruction set acceleration in standard CPUs
Achieve ultra high throughputs over 25Gb/s per core
Efficient use of CPU and Memory resources
Already have decryption? – Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva’s SKI Decrypt TLS C library and reference code.
Don't have decryption? Nubeva’s Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic onboard.
Don’t want to offer decryption directly? Simply capture and store keys. Then provide PCAP and the companion keys to enable external decryption using industry-standard formats.
There are a myriad of implementation options spanning key acquisition, key transport, and handling, as well as decryption.