Deploying SKI Decryptors

SKI Decryptors decrypt TLS records with session secrets extracted by SKI Sensors. SKI Decryptors pull keys from key depots: AWS DynamoDB, MongoDB or Nubeva’s Key Server. Keys are looked up in a key depot based on client-random values extracted from client-hello handshake messages. This approach assures that decryptors decrypt TLS sessions and TLS resumed sessions in the same manner. Packets are decrypted and delivered out of the virtual interface to be inspected, monitored, or forwarded.


Note

  • Delivered as Linux containers; supported on Linux kernel 4.4 or above, Kubernetes 1.13 or above, and OpenShift 4.x.
  • TLS 1.3, TLS 1.2 PFS and legacy ciphers.
  • 2Gbps throughput.
  • Decrypted packets can be processed by commercial and open source tools such as Arkime (Moloch), Bro, ntop, Suricata and Wireshark.

Decryptors read VXLAN traffic from the NIC and use session secrets received from SKI Sensors to decrypt traffic. Output is sent to an interface called nurx0. Encrypted packets are forwarded to port 443. Decrypted packets are forwarded to port 80.

Tip

If you are running a customized network stack (e.g. DPDK), require 10Gbps or higher decryption throughput, or have other specialized decryption configuration requirements, please review the SKI Decryption Library section.

Decryptor Configuration Files

SKI Decryptors require three configuration files: rx_login, rx_create and rx_get. The contents of the files are listed below.

  • rx_login: login request. The Key Server returns the following JSON object (note there is no trailing comma after the last field; the object must be valid JSON):
{
        "status": "success",
        "response": {
                "user_id": "default",
                "token": "default",
                "expires": 31536000
        }
}
  • rx_create: the SKI Decryptor sends its metadata. The Key Server returns the following JSON object:
{
        "status": "success",
        "response": {
                "rxid": "01234567890",
                "account_id": "default",
                "plan_id": "default"
        }
}
  • rx_get: decryptor configuration request. The Key Server returns a minimal configuration in JSON format:
{
        "response": {
                "Mtu": 65535,
                "SslCredObj": "eyJ0eXBlIjoiZHRscyIsImRvbWFpbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwicmVnaW9uIjoidGVzdCIsImFrIjoidXNlciIsInNrIjoicGFzc3dvcmQifQo="
        },
        "status": "success"
}

Decryptor Command Line Parameters

Highlighted parameters indicate parameters used in the command lines provided in this guide.

  • accept_eula: adding this flag indicates that you accept Nubeva’s EULA
  • baseurl: (string) Base URL for requests, include final slash ‘file:///host/<local path>/’
  • both-traffic: send both encrypted and decrypted traffic to interface (default true)
  • debug: value [ all | none | main | nutap | nuagentclient | argparser | metrics ] default:none
  • dint: interface to send decrypted traffic to (default is “nurx0”)
  • disable: value [ all | none | client | cwlogs | panicwrapper | metrics ] default:none
  • noautoupdate: disables automatic updating of the binary
  • nutoken: (string) Nubeva token for authenticating to the API
  • sslcredobj: (string) defines the key store authentication parameters:

Note

Make sure you use an sslcredobj value whose type field is set to kdb.

--sslcredobj eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwiYWsiOiJ1c2VyIiwic2siOiJwYXNzd29yZCJ9

This string is a base64-encoded JSON object. It can be generated with the following command on Linux (GNU coreutils): printf avoids the trailing newline that echo would append to the JSON, and base64 -w 0 keeps the output on a single line (GNU base64 otherwise wraps at 76 characters, which would split the value across two lines):

printf '%s' '{"type":"kdb","domain":"key.nubedge.com:4433","region":"test","ak":"user","sk":"password"}' | base64 -w 0

Type kdb instructs the SKI Decryptor to use a REST API to retrieve session secrets. ‘domain’ is the destination host name (with port), region should be set to “test”, and the user (ak) and password (sk) fields can be left unchanged: they are not used, but they are required. You can change the domain to any host, however you MUST have a valid certificate for it. This Docker container contains a valid cert for key.nubedge.com.
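The helper below is an added example, not part of Nubeva’s documentation or tooling. It builds an sslcredobj value without the newline and line-wrapping pitfalls of echo | base64, decodes one back, and checks it the way the Note above requires (type must be kdb, all five fields present). Run against the sample value printed on this page, it also reports that the sample’s domain and region fields are the reverse of the JSON shown in the generation command.

```python
import base64
import json

# The --sslcredobj sample value copied from this page (used as input for the checks).
PAGE_SSLCREDOBJ = ("eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdl"
                   "LmNvbTo0NDMzIiwiYWsiOiJ1c2VyIiwic2siOiJwYXNzd29yZCJ9")
REQUIRED = ("type", "domain", "region", "ak", "sk")


def encode_sslcredobj(domain, region="test", ak="user", sk="password", type_="kdb"):
    """Build a --sslcredobj value: compact JSON, base64, one line, no trailing newline."""
    obj = {"type": type_, "domain": domain, "region": region, "ak": ak, "sk": sk}
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_sslcredobj(value):
    """Decode a --sslcredobj value back to a dict.

    Tolerates line wrapping from 'base64' without -w 0, stripped '=' padding and a
    trailing newline inside the JSON (as produced by 'echo' without -n). Raises
    ValueError on anything that is not base64-encoded JSON."""
    compact = "".join(value.split())          # remove wrapping / whitespace
    compact += "=" * (-len(compact) % 4)      # restore padding if it was stripped
    return json.loads(base64.b64decode(compact, validate=True))


def check_sslcredobj(value):
    """Return a list of problems with the value; an empty list means it looks usable."""
    problems = []
    try:
        obj = decode_sslcredobj(value)
    except ValueError as exc:                 # binascii.Error and JSONDecodeError are ValueErrors
        return [f"not a base64-encoded JSON object: {exc}"]
    if not isinstance(obj, dict):
        return ["decoded JSON is not an object"]
    for key in REQUIRED:
        if key not in obj:
            problems.append(f"missing required field '{key}'")
    if obj.get("type") != "kdb":              # the Note above: type must be kdb
        problems.append(f"type is {obj.get('type')!r}, expected 'kdb'")
    if ":" in str(obj.get("region", "")):     # a host:port in region suggests swapped fields
        problems.append("region looks like a host:port; domain and region may be swapped")
    return problems


if __name__ == "__main__":
    print(decode_sslcredobj(PAGE_SSLCREDOBJ))
    print(check_sslcredobj(PAGE_SSLCREDOBJ))
```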

To launch a SKI Decryptor run the following command. Be aware that it mounts the host root filesystem (-v /:/host, needed for the file:///host/ baseurl) and the Docker socket into the container and grants it NET_ADMIN, so the container is effectively host-privileged:

docker run -v /:/host -v /var/run/docker.sock:/var/run/docker.sock \
--cap-add NET_ADMIN \
--name nubeva-rx -d --restart=on-failure \
--net=host nubeva/nurx --accept-eula \
--disable metrics --noautoupdate \
--nutoken {YOUR_NUTOKEN} \
--sslcredobj eyJ0eXBlIjoia2RiIiwiZG9tYWluIjoidGVzdCIsInJlZ2lvbiI6ImtleS5udWJlZGdlLmNvbTo0NDMzIiwiYWsiOiJ1c2VyIiwic2siOiJwYXNzd29yZCJ9 \
--baseurl file:///host/<path>/