Schedule Demo

TLS Decryption for APM Solutions

Nubeva SKI for Passive Monitoring Systems 

Inline Datacenter-Cloud - white

PROBLEM: The broad adoption of PFS (perfect-forward-secrecy) in TLS 1.3 and 1.2, and the increasing use of third-party applications and services, are rendering traditional passive-intercept application performance monitoring (APM) system's decryption obsolete. Without decryption, detailed application behaviors such as API call sequences, service response times, or service delays cannot be monitored or analyzed. The alternatives are to implement inline decryption systems at significant cost and complexity and with serious performance consideration, to acquire and inspect clear text outside of the TLS connection but without vital associated network telemetry, or to skip DPI services altogether. 

BUSINESS IMPLICATIONS: These technical realities lead to business implications for solution providers who offer passive decryption.  Facing end-of-life features, sales must either de-focus on selling DPI capabilities or push the problem onto the customer to address, and thereby, reduce service value and insert secondary and interdependent projects (and their budgets) into the sales process. Resulting in lower value to customers, reduced opportunity and deal size, and longer uncontrolled sales cycles.  It also increases pre and post-sales engineering and support costs.

Fact: Traditional passive decryption is becoming obsolete with modern TLS - affecting the value of APM products, potential sales reach, and expanding support requirements. 

Nubeva SKI for Passive Inspection Systems: 

The Nubeva SKI solution represents a breakthrough solution to modern TLS Decryption for the application monitoring and assurance industry.   SKI can passively decrypt PFS-based traffic as well as traffic to external servers and services and thus re-establishes the out-of-band decryption option for the industry.  SKI delivers high-speed, low-cost decryption of all TLS encrypted traffic from any standard passive traffic source (taps, mirrors, SPANs, PCAP files) in any environment (physical, virtual, on-prem, or cloud).   SKI is delivered as a modular and comprehensive suite of software components that can be quickly and easily integrated into any system.  Add SKI to solve the decryption challenge for customers and sales teams, and to (re)enable high-value deep packet inspection features and functionality for more effective security solutions.

SKI for TLS/SSL Traffic
Inspect More Traffic

(re)Enable Passive Decryption

Technical Advantage 

Decrypt PFS Traffic

Without inline devices, decrypt TLS 1.3, 1.2 with PFS along with any legacy TLS.

High-Speed, Low Cost 

Achieve simple, symmetric bulk decryption for breakthrough price performance with very low resource requirements.

Decrypt 3rd Party Traffic

Traffic to the internet and 3rd party servers and services, including cloud platforms - capability never before possible.

Decrypt Pinned and Client Cert Traffic

See into pinned traffic such as MS365, G-Suite, Dropbox, and most Mobile, and other pinned traffic as well as MTLS/client-side cert-based sessions.

Easier Operations and Security

Reduce operational headache with no server keypair management or PKI interaction  SKI offers a lower-risk architecture with an independent and ephemeral key plane. 

Deliver More Value to Your Customers

Business Advantages

More Value to Customer

With expanded DPI capabilities, provide an expanded solution option to customers and remove the need for inline decryption projects and budgets.

Reduce Sales Friction

Increase market opportunity allows sales teams to sell more value, leading to more products, close bigger deals and lasting customer success.

Lower Support Complexities

Empower your sales engineers and support teams, simplifying pre-sales engineering and post-sales implementation and reducing ticket count and complexity.


Integrate Nubeva SKI into Your Product Suite

Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles.

The core concept of Nubeva SKI is to capture session keys from TLS servers or clients and forward them securely to authorized decryption engines. With session keys available, low-cost bulk decryption of any traffic is simple and high speed. Decryption is trivial, simply match traffic with keys using a TLS session’s client-random value, and decrypt.

Passive Inspection

Nubeva provides software to get keys and to decrypt using keys. Our comprehensive suite of software components, available in source or binary forms, enables fast and flexible SKI decryption implementation into most product sets. While there are many implementation models and options for inline inspection systems, here are the basics.

Get Session Keys

Nubeva has perfected the learning and exporting keys from application and TLS process memory as they are created during the TLS handshake. Simply deploy our session key learning software on any VM, node, or endpoint. 

Key learning software is delivered as a C library or turnkey agents and containers in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure,  transparent, and non-disruptive to application code, does not impact applications, and operates with minute memory and CPU requirements. 


Get Keys for:

  • Any TLS 1.3, 1.2, and legacy. 

  • Any session N-S-E-W including pinned and client certificate sessions.

  • Traffic to internet, cloud, and other 3rd party servers and services

  • For metal, VM's, container hosts in datacenter or cloud and/or client endpoints.

  • From OS and commercial applications as well as malware communications 


  • Have an agent? - Add the ability to get session keys simply and easily using the SKI Sensor C Library

  • No agent? - Add to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers 

  • Don't want to have an agent? - Resell Nubeva labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.

Decrypt with Session Keys

Nubeva complements session key discovery with a suite of decryption support options enabling IDS, NDR, and other passive vendors to add the ability to receive session keys and decrypt. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them.

Decrypt Using Keys: 

  • Enhance existing datapath or add net new

  • Any traffic and any session

  • Leverage crypto instruction set acceleration in standard CPUs

  • Achieve ultra high throughputs over 25Gb/s per core

  • Miniscule CPU and memory resource requirements 

Implementation Options

  • Already have Decryption? – Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva’s SKI Decrypt TLS C library and reference code.

  • Don't have Decryption?  Nubeva’s Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic onboard

There are a myriad of implementation options spanning key acquisition, key transport, and handling, as well as decryption.

Nubeva works with our customers to develop the ideal architecture and craft highly customized licensing programs and support services to enable customer success.

Let's discuss how SKI can work with your systems.

Get a Demo


Read the full text here. “Ransomware attacks are really not a one-off situation. We’re at a point now where we just have to accept that they are going to happen.” In this paper, Ryan Cote, former U.S....
Discussing Ransomware and an Innovative Approach to Ridding Us of this Blight Security Bytes is a podcast from the Tech Talks stable (Nash Squared). Jim Tiller, Group CISO, talks to leading figures in...