How SKI Works

A Better Way For Modern TLS Decryption

Table of Contents
  • Gets Session Keys
  • Use Session Keys to Decrypt

How SKI Gets Session Keys

Nubeva’s patented SKI Sensors intercept keys directly from TLS processes in the memory of the server or client, in real time, as the keys are created during the handshake’s key exchange. SKI Sensors employ highly efficient key signatures that “understand” how TLS code lays out its state in memory, so that keys can be traced and extracted.

SKI Sensors are a small piece of software installed on the server or the client. The software is available as C libraries to be embedded into applications and agents, or delivered as standalone agents or containers for a broad and growing range of operating systems and platforms.

  • Reliable - 100% capture rates
  • Transparent - read-only system service which requires no changes to code or applications
  • Fast - session keys are extracted and exported before the handshake completes
  • Low resource - requires minimal memory and CPU
  • Stable - read-only architecture for crash-free, no-reboot operation
  • Secure - SKI introduces a highly secure, reduced-risk option for decryption, both in its technology architecture and deployment and in capability, by enabling broader traffic and network monitoring and inspection


Use Session Keys to Decrypt

The use of session keys requires two functions: key handling, and decryption itself.

Key Handling:

Once session keys are intercepted, SKI Sensors export the keys. Options for key handling include writing keys to file, piping to other local applications and processes, or securely forwarding them across networks to authorized receivers.

  • Keys can be sent directly to authorized decryption systems
  • Keys can be sent to a keystore database or file
  • Keys can be sent to key servers, memory functions, or containers that temporarily hold keys and serve them to requesting decryptors, and that can filter, replicate, and push keys to targets

Once decryption is complete, keys are typically destroyed (e.g., inside 5 seconds) but can also be archived for forensics purposes.

Decrypt Using Keys:

Using session keys, high-throughput, low-latency, and low-cost decryption can be achieved without modifications to authentication, handshakes, or production traffic, and without any server keypairs or PKI. Decryption using commodity CPU instruction sets can far exceed the performance specs of exotic crypto cards and chips.

Option 1: Simple Decrypt using keylog files on any enabled system.

Option 2: Make minor modifications to an existing decrypt engine to receive keys.

Option 3: Add SKI-based decryption support using Nubeva’s Decrypt C Library or turnkey Decrypt Container.

Once decryption is completed, keys can be destroyed (typically seconds after creation and use), and perfect forward secrecy is maintained. Optionally and with proper security considerations, keys can be archived for forensic purposes.
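Option 1 above consumes a key log file, and every decryptor (Option 2 or 3) has to turn an exported session secret into per-record keys before it can decrypt anything. The following is an added example, not Nubeva’s code, that shows both halves for TLS 1.3 with a SHA-256 cipher suite: it parses the widely used NSS `SSLKEYLOGFILE` line format (`<LABEL> <client_random hex> <secret hex>`), indexes entries by client random so a decryptor can match a captured ClientHello to its secrets, and derives the AES-GCM record key, IV and per-record nonce with HKDF-Expand-Label as defined in RFC 8446. The key log contents, client randoms and secrets are constructed sample values; the function names are this example’s own. AES-GCM decryption of the record payload itself is left to whatever crypto library the decrypt engine already uses.

```python
"""Parse an NSS-format TLS key log and derive TLS 1.3 record keys from it.

Added example (not Nubeva SKI code). All key log values are constructed.
"""
import hashlib
import hmac
import struct

# Constructed sample values: a 32-byte client random and 32-byte secrets,
# hex-encoded as they appear in a key log file. Nothing here is real key material.
CLIENT_RANDOM_A = "0011223344556677" * 4
CLIENT_RANDOM_B = "ffeeddccbbaa9988" * 4
SAMPLE_KEYLOG = f"""\
# Constructed key log; comment lines and blank lines are ignored by parsers.
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM_A} {"a1b2c3d4e5f60718" * 4}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM_A} {"0f1e2d3c4b5a6978" * 4}
CLIENT_TRAFFIC_SECRET_0 {CLIENT_RANDOM_A} {"1234567890abcdef" * 4}
SERVER_TRAFFIC_SECRET_0 {CLIENT_RANDOM_A} {"fedcba0987654321" * 4}

CLIENT_TRAFFIC_SECRET_0 {CLIENT_RANDOM_B} {"0badf00d0badf00d" * 4}
"""


def parse_keylog(text):
    """Index key log lines as {client_random_hex: {label: secret_bytes}}.

    Malformed lines raise rather than being skipped, so a decryptor notices a
    truncated or corrupted export instead of silently failing to decrypt.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes of hex")
        entries.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return entries


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """RFC 5869 HKDF-Expand built on hmac only (no third-party dependency)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(length, label, context):
    """Serialize the RFC 8446 HkdfLabel struct: uint16 length, "tls13 " + label, context."""
    full_label = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret, label, context, length):
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


def derive_record_keys(traffic_secret, key_len=16, iv_len=12):
    """RFC 8446 section 7.3: write_key and write_iv for AES-128-GCM from a traffic secret."""
    key = hkdf_expand_label(traffic_secret, b"key", b"", key_len)
    iv = hkdf_expand_label(traffic_secret, b"iv", b"", iv_len)
    return key, iv


def record_nonce(iv, sequence_number):
    """Per-record AEAD nonce: the 64-bit record sequence number, left-padded, XORed into the IV."""
    padded = sequence_number.to_bytes(len(iv), "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def keys_for_connection(keylog_entries, client_random_hex, label="CLIENT_TRAFFIC_SECRET_0"):
    """Look up the secret for a captured ClientHello's random and derive its record keys.

    Returns None when the key log has no entry for that flow, which is the
    signal for a decryptor to forward the traffic undecrypted rather than guess.
    """
    secrets = keylog_entries.get(client_random_hex.lower())
    if secrets is None or label not in secrets:
        return None
    return derive_record_keys(secrets[label])


if __name__ == "__main__":
    entries = parse_keylog(SAMPLE_KEYLOG)
    key, iv = keys_for_connection(entries, CLIENT_RANDOM_A)
    print("connections indexed:", len(entries))
    print("client write key:", key.hex())
    print("nonce for record #3:", record_nonce(iv, 3).hex())
```

The lookup by client random mirrors what a passive decryptor does: it sees the ClientHello on the wire, takes the 32-byte random from it, and asks the key store for the matching secrets. Keeping the "no entry" case explicit (returning `None`) matters operationally, because a monitoring system should report which flows it could not decrypt instead of dropping them quietly, and that count is the first thing to check when a sensor's capture rate is in question.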


System Exploration

  • SWG and SASE - Nubeva SKI for Secure Web Gateway and Secure Access Service Edge Systems
  • APM Systems - Nubeva SKI for Passive Application Monitoring Systems
  • NGFW and IPS - Nubeva SKI for Next-Generation Firewalls and Intrusion Prevention Systems
  • IDS and NDR - Nubeva SKI for IDS and NDR Systems
  • HIDS and HIPS - Nubeva SKI enables HIDS, HIPS, and other agent-based solutions to provide evolved TLS inspection
  • Sandbox and APT - Nubeva SKI for Sandbox and Advanced Persistent Threat Detection
  • Network Packet Broker - Nubeva SKI for Network Packet Brokers and other Dedicated Decryption Systems
  • PCAP Stores - Nubeva SKI for PCAP Stores, Network Forensics and Troubleshooting
  • 5G Monitoring Systems - Nubeva SKI for 5G Monitoring Systems

Nubeva Commercialized the SKI Concept with a Universal and Flexible Product Suite

Our solution is available as a combination of source code and object code for flexibility and speed. Nubeva is built with leading-edge technology to solve problems.
