Ransomware Reversal

Session Key

Technology Overview 

 placeholder image

TLS Decryption is Vital, but Hard and Getting Harder

The ability to fully inspect network packets for cybersecurity and application assurance is vital for enterprises and service providers. Over recent years, traditional decryption methods have seen growing capability gaps and operational complexities. For technologies with DPI services, these issues reduce product capability, raise operating costs, slow sales velocity, and increase support requirements.  The industry needs an answer. Nubeva SKI offers a new simple approach to enable solution providers and the enterprises they support.


What is SKI (Session Key Intercept)? 

Nubeva SKI is a powerful, new approach to decrypt modern TLS (SSL) traffic. With the advancements in today’s application, computing, and networking environments, SKI delivers a leap forward in capability and performance to quickly enable cybersecurity and application monitoring systems. SKI is employed both as an augmentation to legacy forward and reverse-proxy engines or as a fix to passive intercept systems due to pending obsolescence from Perfect Forward Secrecy.

Nubeva SKI Delivers: 

The Decryption of Any TLS for Passive and Inline systems
  • TLS 1.3, 1.2 with PFS, and legacy 1.2, 1.1, 1.0

  • TLS 1.3 handshakes

  • Pinned Certificates

  • MTLS/Client Certificates

  • Traffic to foreign/3rd Parties internet and cloud services

  • Encrypted SNI (eSNI) and TLS 1.3 Handshakes

For Any Environment and Traffic Flow

  • Metal, VM’s, Containers, Kubernetes, and microservice architectures (including Services Mesh Architectures)

  • Datacenter, Cloud, Hybrid

  • Servers, Clients, IOT

  • Inbound, outbound, and east-west sessions

How Does Session Key Intercept (SKI) Work? 

SKI provides the ability to GET SESSION KEYS from TLS clients and servers in real-time and to USE SESSION KEYS to decrypt TLS on authorized systems to enable deep packet inspection. 



With session keys available, one can decrypt any session with simple and efficient bulk decryption. As such, SKI is universal to all traffic flows and use cases and applications: inbound, outbound, east-west, clients, servers, data center, cloud.  Since TLS session keys are symmetric (shared by both endpoints), keys only need to be obtained from one side of a connection and therefore can apply to client connections to foreign servers and services.

The idea of getting and using keys is not a completely new concept. Keylogging, typically used by DevOps/SecOps and in some commercial systems has been widely used for a long time but is not a viable solution for scaled and secure mission-critical use.   With SKI, Nubeva has taken the basic idea of keylogging and delivered an enterprise-grade, complete solution for modern TLS visibility.  

Unlike legacy man-in-the-middle/forward proxy, session pre-termination/reverse proxy, and RSA Passive Intercept, SKI does not involve certificates or server keys, nor does it manipulate or change traffic, connections, authentication, or PKI.  Instead, it simply works with the individual TLS session encryption keys (aka, ephemeral, symmetric, or bulk encryption keys) that are developed during the handshake, shared by the TLS client and servers, used for the bulk encryption/decryption of the communication, then discarded.

Getting Session Keys:

Nubeva’s patented SKI Sensors intercept keys directly from TLS processes in the memory of the server or client as they are created during the handshake’s key exchange in real-time. SKI Sensors employ highly efficient key signatures that “understand” how TLS code works in memory so that keys can be traced and extracted.

SKI Sensors are a small piece of software implemented on the server or the client. The software is available as c libraries to be embedded into applications and agents, or delivered as standalone agents or containers available for a broad and growing range of operating systems and platforms. 

  • Reliable - 100% capture rates

  • Transparent - read-only system service which requires no changes to code, applications, configurations, libraries, protocols, or authentication and PKI.

  • Fast - Session keys are extracted and exported before the handshake completes, in under 200 usec, enabling real-time decryption

  • Low resource - requires minute memory and CPU

  • Stable - read-only architecture for crash-gree and no-reboot operations

  • Secure - SKI introduces a highly secure, reduced risk option for decryption both in technology architecture and deployment and as well as capability by enabling broader traffic and network monitoring and inspection. 

Using Session Keys: 

The use of session keys requires two functions, key handing, and decryption itself. 

Key Handling:

Once session keys are intercepted, SKI Sensors export the keys. Options for key handling include writing keys to file, piping to other local applications and processes, or securely forwarding them across networks to authorized receivers.

  • Keys can be sent directly to authorized decryption systems 

  • Sent to Keystore database or file

  • Sent to Key Servers, memory functions, or containers that can temporarily hold keys and serve them to requesting decryptors and that can filter, replicate, and push keys to targets.  

Once decryption is complete, keys are typically destroyed (e.g., inside 5 seconds) but can also be archived for forensics purposes.

Decrypt Using Keys: Using Session keys, high-throughput, low latency, and low-cost decryption can be easily achieved without modifications to authentication, handshakes, or production traffic and without any server keypairs or PKI. Decryption can far exceed the performance specs of exotic crypto cards and chips using commodity CPU instruction sets.

Option 1: 

Simple Decrypt using keylog files on any enabled system.

Option 2: 

Make minor modifications to an existing decrypt engine to receive keys.

Option 3: 

Add SKI-based decryption support using Nubeva’s Decrypt C Library or turnkey Decrypt Container.


Once decryption is completed, keys can be destroyed (typically seconds after creation and use), and perfect forward secrecy is maintained.  Optionally and with proper security considerations, keys can be archived for forensic purposes.

Explore Nubeva for Any System 

SWG and
Nubeva SKI for Secure Web Gateway and Secure Access Service Edge Systems
Group 1047
Nubeva SKI for Passive Application Monitoring Systems
Group 1047
NGFW and
Nubeva SKI for Next-Generation Firewalls and Intrusion Prevention Systems
5G Monitoring
5G Monitoring
Nubeva SKI for 5G Monitoring Systems
HIDS and
Nubeva SKI for Host-Based Inspection and Prevention Systems
Sandbox and
Nubeva SKI for Sandbox and Advanced Persistent Threat Detection
Network Packet Broker
Nubeva SKI for Network Packet Brokers and other Dedicated Decryption Systems
Passive inspection of PFS traffic (TLS 1.3 and 1.2) on IDS’s, NDR’s, Application Monitoring systems, and more
Group 745
IDS and
Nubeva SKI for IDS and NDR Systems

Nubeva Commercialized the SKI Concept with a Universal and Flexible Product Suite

Our solution is available as a combination of source-code and object-code for flexibility and speed.
Nubeva is built with leading-edge technology to solve problems.

Schedule a Meeting
The Definitive Guide to Modern Network Decryption

Nubeva Solution Guide 

A Definitive Guide to Modern Network Decryption

A Case for Nubeva SKI in a TLS 1.3 World and Beyond


Ready to Reimagine
TLS Visibility?

Schedule a quick technical briefing today and discover how we can unlock visibility for your systems and customers.

Schedule a Meeting

Relevant Materials

In this video, Erik Freeland, Head of Customer Engineering, demonstrates the Nubeva Sensor capturing keys from a variety of applications including Windows Browsers, DropBox, and Microsoft Office 365. ...
Tech Brownbag - Nubeva's Key Discovery is Evolving. First TLS. Now, Ransomware. Nubeva develops and licenses enterprise-class software for decryption to enable world-class application monitoring and n...
In this comprehensive paper entitled A Definitive Guide to Modern Network Decryption: A Case for Nubeva SKI in a TLS 1.3 World and Beyond we cover the following:  Part 1: The State of the Visibility o...