Session Key Intercept

A Better Way For Modern TLS Decryption


Nubeva SKI (Session Key Intercept) is an approach to decrypting modern TLS in today’s compute and network environments that avoids the drawbacks of traditional man-in-the-middle, proxy-termination, and passive techniques. Providing complete deep packet inspection services does not need to be so hard.

Simple. Yet Powerful.


What is Session Key Intercept? (SKI Defined)

The core concept of SKI is to capture the individual, ephemeral session secrets (hereafter called “session keys”) from clients and/or servers. The captured keys can then either be re-used to unlock and inspect traffic on trusted systems, or stored in vaults for later inspection, forensics, and lawful-intercept applications.

How Does SKI Work?

There are three discrete steps to the SKI method of decryption: Key Extraction, Key Transport, and Decryption.


Key Extraction

In SKI, there is no involvement in handshakes, server key pairs, certificates, CAs, PKI, etc. The asymmetric part of TLS (the handshake) is detected but not modified. Instead, it is monitored, waiting for the completion of the key exchange and the creation of the session’s final secrets (or interim secrets in the case of TLS 1.3). As soon as session secrets are created, they are learned and copied. Keys can be captured for standard sessions, pinned certificates, client-certificate operations, client-side or server-side connections, and more. By capturing session keys, SKI provides universal decryption capabilities.


Key Transport

The next step of the SKI method is the fast and secure export of the session keys to trusted systems for decryption use. For SKI to be broadly useful, keys must be exported extremely fast, in this case in under 200 microseconds, before the first packet is encrypted, thus enabling inline use cases as well as passive/out-of-band ones.


Decryption

Finally, SKI involves the decryption of encrypted sessions using the discovered session keys. With session keys available, inspection and monitoring systems have an easy, low-cost, high-performance, hardware-accelerated bulk decryption option. Using the session’s “Client Random” as an index, session keys can be matched to the encrypted traffic flows or PCAPs and decrypted independently of where the keys were acquired.
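The Client Random lookup described in the three steps above, as an added example that is not Nubeva’s code: it assumes the widely used NSS key log format (the SSLKEYLOGFILE format written by browsers and OpenSSL) as the key export format, indexes the logged secrets by client random, and pulls the matching random out of a constructed ClientHello record so the secrets for that flow can be found.

```python
from typing import Dict

# Constructed sample in the NSS key log format (an assumption; a key sensor
# may export keys differently). The hex values are made up, not real secrets.
CR13 = bytes(range(32)).hex()        # client random of a constructed TLS 1.3 flow
SAMPLE_KEYLOG = (
    "# comment lines are ignored\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13} {'aa' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13} {'bb' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {CR13} {'cc' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {CR13} {'dd' * 32}\n"
    f"CLIENT_RANDOM {'11' * 32} {'ee' * 48}\n"   # a TLS 1.2 master secret
)

KeyIndex = Dict[bytes, Dict[str, bytes]]   # client random -> label -> secret

def parse_keylog(text: str) -> KeyIndex:
    """Index key-log lines by the 32-byte client random they belong to."""
    index: KeyIndex = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue                                 # comment or malformed line
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue                                 # bad hex: skip, never crash
        if len(rand) == 32:
            index.setdefault(rand, {})[label] = secret
    return index

def client_random_from_record(record: bytes) -> bytes:
    """Pull the 32-byte random out of a TLS record carrying a ClientHello."""
    # 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    if int.from_bytes(record[3:5], "big") != len(record) - 5:
        raise ValueError("record length field does not match payload")
    return record[11:43]

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal ClientHello record (one cipher suite, no extensions)."""
    body = b"\x03\x03" + random32 + b"\x00\x00\x02\x13\x01\x01\x00\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def secrets_for_flow(record: bytes, index: KeyIndex) -> Dict[str, bytes]:
    """Secrets a decryptor would hand to its TLS engine for this flow ({} if unknown)."""
    return index.get(client_random_from_record(record), {})
```

A real decryptor would feed the returned secrets into its TLS record layer; what the example shows is that matching keys to traffic needs only the ClientHello random, not the handshake or the server’s private key.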

Nubeva Commercialized the SKI Concept with a Universal and Flexible Product Suite

Our solution is available as a combination of source code and object code for flexibility and speed.
Nubeva is built with leading-edge technology to solve these problems.


Nubeva SKI has commercialized the SKI concept

This idea of capturing and re-using session keys is not new. Keys are often logged from browsers and applications in debug mode. Load balancers, SSL offload appliances, and even newer service-mesh proxy sidecars that terminate sessions can also log keys. But in these legacy models, key logging has significant secondary consequences, including modifications to production architectures, the problem of key transport, and the security and scale penalties of running production systems in debug or logging mode.


Non-disruptive, signature-based key discovery and extraction

Modern endpoint agent code allows targeted extraction algorithms with low system resource utilization and extremely high-speed key learning. It is extensible to new TLS libraries, applications, and protocols. There is no need for changes to applications or libraries, or for debug mode.


Secure, Safe Key Transport

Nubeva has pioneered the security, reliability, and scalability of key handling and transport with its FastSKI™ protocol that works across legacy and modern architectures.


TLS 1.3 Decryption

Nubeva offers off-the-shelf solutions for TLS 1.3 (and 1.2) decryption in the form of a turnkey scale-out container or a high-speed decryption C library capable of >10 Gb/s per thread. Both are built to work with session keys from Nubeva sensors or any other key source.


What are the Advantages of SKI?

The technical advantages of SKI versus the alternatives:

Capability

With the ability to capture the session secrets, decryption is simple and straightforward: unlock any encrypted session regardless of protocol, pinning, certificates, CA, or other variants.

Performance

Extract and land keys on the designated system in under 200 microseconds to achieve line-rate deep packet inspection with commodity hardware and eliminate costly latency.

Simplicity

TLS inspection becomes an instant-on, easy option with no certificates and server keys to manage, no CA issues, and no bypasses and exceptions around unsupported applications and protocols.

Universal

Works the same for any application, inbound and outbound, east-west, inline or passive, real-time or historical, making it easier to plan and build more into architectures and environments.

Extensible

SKI works by finding keys in memory. It is extensible to any protocol that uses the same base constructs, including QUIC, DTLS, DoT/DoH, SSH, IPsec, and more.

A More Secure Solution

Our solution is truly different. SKI is not the decryption of the past, with master server keys or certificate re-signing. SKI keeps the keys separate from the packets and preserves session integrity for end-to-end encryption.

Nubeva SKI is for:

Outbound Access Inspection

Outbound inspection on secure web gateways, web proxies, SD-WANs, firewalls, and IPS and DLP systems.


Inline Datacenter/Cloud

Inline inbound and east-west traffic inspection in firewalls, IPS, APT, and SSL visibility systems.

Passive Monitoring

Passive inspection of PFS traffic (TLS 1.3 and 1.2) on IDS, NDR, application monitoring systems, and more.

Host-Based Systems

Localized decryption on clients or servers for firewall, intrusion detection and prevention, and application monitoring.

5G and Service Mesh

Inspect container-to-container and inter-node/cluster traffic for 5G packet cores, service meshes, and Kubernetes.

Ready to Reimagine TLS Visibility?

Schedule a quick technical briefing today and discover how we can unlock visibility for your systems and customers.
