Nubeva offers a complete suite of software components to implement SKI-based decryption in any system, for any architecture from monolithic deployments to parallel scale-out and elastic cloud scenarios.
Simple to integrate, the SKI product elements solve TLS decryption challenges across the full range of monitoring and inspection product types:
Offered as source and object code, Nubeva provides endpoint key extraction software to discover and extract symmetric TLS session keys via Nubeva SKI Sensors and the SKI C Library. To enable decryption, Nubeva offers a turnkey decryptor and a C Library decryption option that applies TLS session keys for high-speed, symmetric decryption.
The key discovery and decryption components can be deployed together or independently. Key extraction and decryption components communicate over Nubeva’s innovative FastSKI™ protocol, which provides highly reliable, secure, low-latency key delivery from source to destination.
Get Keys: Nubeva Key Discovery
Nubeva’s Key Discovery technology is optimized to extract TLS session keys from client-side or server-side process memory even before TLS handshakes are complete. The sensors are easy to deploy and simple to manage because they do not require certificates, server private keys, or any PKI infrastructure, and do not require any changes to applications or libraries. Nubeva’s discrete SKI sensors are the answer to simplifying TLS decryption: once you have the session secrets, decryption is simple and efficient.
SKI sensors are available as stand-alone agents or as a C Library. Sensors work across today’s myriad of TLS implementations and a growing list of host platforms to extract TLS session keys from client-side or server-side processes.
SKI Sensor: Nubeva’s standalone SKI sensors are available off-the-shelf. The sensor is lightweight, read-only, signature-based endpoint software, available as an agent and as a container.
SKI C Library: Allows for integration into an existing agent or host application using a well-defined API.
Use Keys: Nubeva Decryption
Nubeva’s Decryption solution components support high-speed decryption of all TLS traffic, delivered either as a turnkey decryptor container or as a C Library added to existing services.
Decryptor C Library: Optimized for high-speed TLS decryption, the C Library matches streamed traffic with the discovered session secrets (or keys from any other source). Embed directly in existing or new inline and passive DPI systems.
Decryptor Container: Delivered in the form of a lightweight Docker container, the decryptor reads packets from an interface and decrypts the traffic using TLS session keys. Decrypted traffic is delivered to security and monitoring tools through an output interface.
The FastKey protocol combines a binary protocol over DTLS and a REST API to send keys to key targets. The REST API uses a JSON object. The protocol supports both TLS 1.2 key messages and TLS 1.3 key messages. TLS 1.2 key messages contain a single ‘master key’. TLS 1.3 key messages contain the five keys required to construct the final session symmetric key. FastKey is secured by TLS, and SKI Sensors do not extract session keys from key-transfer TLS sessions.
The FastKey Buffer maintains a mapping between session secrets and client random values. The FastKey Buffer receives session secrets from SKI Sensors using the FastKey Protocol, and buffers the keys in memory for a configurable amount of time. When session keys expire, their memory is set to 0 and then freed. The Key Server exposes a REST API call to look up keys based on the value of the Client Random created at the beginning of a TLS session or when a TLS session is restarted.
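The buffering behaviour described above (secrets indexed by client random, held for a configurable time, zeroed and then freed on expiry) can be sketched in C as follows. This is an added illustration, not Nubeva's code or API; every name in it (`key_buffer`, `kb_put`, `kb_get`, `kb_expire`) and the fixed slot count are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define CR_LEN 32 /* a TLS client random is 32 bytes */
#define SLOTS 64  /* assumed fixed capacity for this sketch */

typedef struct {
    int used; time_t expires;
    uint8_t client_random[CR_LEN];
    uint8_t *secret; size_t secret_len; /* heap copy, wiped before free */
} key_entry;
typedef struct { key_entry slot[SLOTS]; time_t ttl; } key_buffer;

/* Drop expired entries: zero the secret through a volatile pointer so the
   store cannot be optimized away, then free it. Returns the count removed. */
int kb_expire(key_buffer *kb, time_t now) {
    int removed = 0;
    for (key_entry *e = kb->slot; e < kb->slot + SLOTS; e++) {
        if (!e->used || e->expires > now) continue;
        volatile uint8_t *v = e->secret;
        for (size_t j = 0; j < e->secret_len; j++) v[j] = 0;
        free(e->secret);
        memset(e, 0, sizeof *e);
        removed++;
    }
    return removed;
}

/* Buffer a secret under its client random; 0 on success, -1 if rejected or full. */
int kb_put(key_buffer *kb, const uint8_t *cr, const uint8_t *sec, size_t len, time_t now) {
    if (len == 0) return -1;
    kb_expire(kb, now);
    for (key_entry *e = kb->slot; e < kb->slot + SLOTS; e++) {
        if (e->used) continue;
        if ((e->secret = malloc(len)) == NULL) return -1;
        memcpy(e->secret, sec, len);
        memcpy(e->client_random, cr, CR_LEN);
        e->secret_len = len; e->expires = now + kb->ttl; e->used = 1;
        return 0;
    }
    return -1;
}

/* Look up by client random; an expired secret is never returned. */
const uint8_t *kb_get(key_buffer *kb, const uint8_t *cr, size_t *len, time_t now) {
    kb_expire(kb, now);
    for (key_entry *e = kb->slot; e < kb->slot + SLOTS; e++)
        if (e->used && memcmp(e->client_random, cr, CR_LEN) == 0) { *len = e->secret_len; return e->secret; }
    return NULL;
}
```

Expiry runs on every put and get, so a lookup can never hand back a secret past its deadline even if no background sweep has run.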
Session keys can be stored in any cloud or enterprise database. Nubeva’s SKI sensors support a DynamoDB interface out of the box. Please contact Nubeva for more information about interface extensibility.
Tailored Customer Success
Nubeva complements its software products with white-glove support and maintenance. As Nubeva continues to innovate and cipher suites evolve, those implementing Nubeva’s SKI architecture, or components thereof, will receive ongoing support. Our support package will include Key Extraction Signature updates, software updates, bug fixes, documentation, and consultative support focused on rapid implementation, innovation, knowledge transfer, and continuous delivery of solutions utilizing Nubeva technology.