×
Ransomware Reversal

Product

A Complete Suite of Software to Implement Better, Faster, and Easier TLS Decryption

Learn About SKI
Group

Nubeva offers a complete suite of software components to implement SKI-based decryption to any system, for any architecture from monolithic deployments to parallel scale-out and elastic cloud scenarios.

TURNKEY AGENTS AND CONTAINERS (5)

Simple to integrate, the SKI product elements solve TLS decryption challenges across the full range of monitoring and inspection product types: 

  • For Passive Systems: Add Nubeva SKI to re-enable passive decryption capabilities for PFS-based systems. 

  • For Inline Systems:  Easily fill product visibility gaps created by pinned certificates and latency-sensitive applications. 

  • For Net-New Decryption: Expand your existing product to offer a more complete solution for your customers.

 

Offered as source and object code, Nubeva provides endpoint key extraction software to discover and extract symmetric TLS session keys via Nubeva SKI Sensors and SKI C library. To enable decryption, Nubeva offers a turnkey decryptor and a c-library decryption option that applies TLS session keys for high-speed, symmetric decryption.

The key discovery and decryption components can be deployed together or independently. Key extraction and decryption components communicate over  Nubeva’s innovative FastSKI™ protocol, which provides a highly reliable, secure, low-latency key delivery from source to destination.

Get Keys: Nubeva Key Discovery

SKI Sensor and C Library

Nubeva’s Key Discovery technology is optimized to extract TLS session keys from client-side or server-side process memory even before TLS handshakes are complete. The sensor technology is easy to deploy, simple to manage, because they do not require certificate,  server private keys, or any PKI infrastructure, and do not require any changes to application or libraries. Nubeva’s discrete SKI sensors are the answer to simplifying TLS decryption - once you have the session secrets, decryption is simple and efficient.

SKI sensors are available as stand-alone agents or as a c-library. Sensors work across today’s myriad of TLS implementations and a growing list of host platforms to extract TLS session keys from client-side or server-side processes. 

SKI Sensor: Nubeva’s standalone SKI sensors are available off-the-shelf. The sensor technology is a lightweight, read-only, signature-based, endpoint software available as an agent and container. 

SKI C Library  Allows for integration into an existing agent or host application using a well-defined API. 

 

Product Details:

  • TLS 1.3, TLS 1.2 with PFS, legacy TLS/SSL, pinned and client certificates, third-party services, and MTLS/client-side cert-based sessions
  • Discover TLS symmetric session keys from client or server-side.
  • Operate independently of protocol, cipher, and underlying data path.
  • A vast, growing set of extraction signatures cover 99% of TLS implementations today and is extensible into the future.
  • Write keys to files or forward across the network using Nubeva’s ultrafast and secure FastKey™ protocol.
  • Key capture, export, and delivery in <200mμ (before the first payload packet is encrypted)
  • Supporting a growing list of platforms and OS including containers, Kubernetes DaemonSet, Windows service, or Native Linux Daemon
  • Exclusive Keysense™ technology signals receiving systems if keys are not available for alternate traffic handling
  • Written in GoLang [and C], sensors are available as containers and DaemonsSets as well as native OS system services.

Learn More

Decrypt Use Keys: Nubeva Decryption

Decryptor Containers and
C Library

Nubeva’s Decryption solution components support high-speed decryption of all TLS traffic delivered as a turn-key decryptor container or as a C Library added to existing services. 

Decryptor C Library: Optimized for high-speed TLS decryption, the C Library matches streamed traffic with the discovered session secrets (or keys from any other source).  Embed directly in existing or new inline and passive DPI systems.

Decryptor Container: Delivered in the form of a lightweight Docker container, the decryptor reads packets from an interface and decrypts the traffic using TLS session keys. Decrypted traffic is delivered to security and monitoring tools through an output interface.

 

 

Product Details:

  • Enables TLS 1.3+ decryption for inline security and monitoring manufacturers, passive systems, and Tier 1 telco for 5G monitoring
  • High-speed decryption in >12Gbps per core scales to 100Gbps or more
  • Comprehensive cipher support (see the list here)
  • Parses and decrypts TLS encapsulations in TCP payloads.
  • Lost frame recovery attempts to continue decrypting a TLS session when TCP packets containing TLS record fragments are lost.
  • Includes companion key buffer to receive and serve keys from SKI Sensors
  • Decryptor Container uses the SKI Decryption Library - Packets are processed by commercial and open-source tools (such as Arkime (Moloch), Bro, ntop, Suricata, Wireshark

Enabling Technologies

FastKeyTM  Protocol

FastKey protocol combines a binary protocol over DTLS and a REST API to send keys to key targets. The rest API uses a JSON object. The protocol supports both TLS 1.2 key messages and TLS 1.3 key messages. TLS 1.2 key messages contain a single ‘master key’. TLS 1.3 key messages contain the five keys required to construct the final session symmetric key.  Fastkey is secured by TLS and SKI Sensors do not extract session keys from key-transfer TLS sessions. 

 

FastKeyTM  Buffer

The FastKey Buffer maintains a mapping between session secrets and client random values. The FastKey Buffer receives session secrets from SKI Sensors using the FastKey Protocol, and buffers the keys in memory for a configurable amount of time. When session keys expire, their memory is set to 0 and then freed. The Key Server exposes a REST API call to lookup keys based on the value of the Client Random created at the beginning of a TLS session or when a TLS session is restarted.

 

KeySenseTM

In the rare event that an application uses TLS code that requires a custom signature from Nubeva, the SKI Sensor sends a KeySense indication to the decryption system, telling the system not to expect a key for this application. This indication is sent as soon as a TCP handshake is detected before TLS handshakes begin. KeySense indicates whether a key can or cannot be extracted, providing the process ID, source TCP address, source port, destination TCP address, and destination port. The information allows the traffic inspection logic to select an alternate decryption mechanism.
 

 

Database Interfaces

Session keys can be stored in any cloud or enterprise database. Nubeva’s SKI sensors support a DynamoDB interface out of the box. Please contact Nubeva for more information about interface extensibility.  

Group 922

Tailored Customer Success 

Maintence and Support

Nubeva complements its software products with white-glove support and maintenance. As Nubeva continues to innovate and ciphers suites evolve, those implementing Nubeva’s SKI architecture, or components thereof, will receive ongoing support. Our support package will include Key Extraction Signature updates, software updates, bug fixes, documentation, and consultative support focused on rapid implementation, innovation, knowledge transfer, and continuous delivery of solutions utilizing Nubeva technology.

Explore Nubeva For Any System

Group 1044
SWG and
SASE
Nubeva SKI for Secure Web Gateway and Secure Access Service Edge Systems
Learn More
Group 745
IDS and
NDR
Nubeva SKI for IDS and NDR Systems
Learn More
Group 1045
APM
Systems
Nubeva SKI for Passive Application Monitoring Systems
Learn More
Group 1047
NGFW and
IPS
Nubeva SKI for Next-Generation Firewalls and Intrusion Prevention Systems
Learn More
Group 1043
5G Monitoring
Systems
Nubeva SKI for 5G Monitoring Systems
Learn More
inspection
HIDS and
HIPS
Nubeva SKI enables HIDS, HIPS, and other agent-based solutions to Provide Evolved TLS Inspection
Learn More
sandbox
Sandbox and
APT
Nubeva SKI for Sandbox and Advanced Persistent Threat Detection
Learn More
host-based
Network Packet Broker
Nubeva SKI for Network Packet Brokers and other Dedicated Decryption Systems
Learn More
sanbox-apt
PCAP
Stores
Nubeva SKI for PCAP Stores, Network Forensics and Troubleshooting
Learn More

Unlock TLS Visibility

We deliver tailored and highly customized solutions to fit into almost
any technology and business model.

 

Contact Us