FastKey Buffer

The FastKey Buffer maintains a mapping between session secrets and client random values. It receives session secrets from SKI Sensors using the FastKey Protocol and buffers the keys in memory for a configurable amount of time. When session keys expire, their memory is zeroed and then freed. The Key Buffer exposes a REST API call to look up keys by the value of the Client Random, which is established when a new session is created or a session is restarted.

FastKey Buffers can be used in multiple use cases. The figure below depicts a FastKey Buffer receiving keys from multiple SKI Sensors and returning keys to multiple SKI Decryptors.

Note

FastKey Buffer is also referred to as FastKey Server.

../_images/FastkeyServer.png

The following figure shows a FastKey Buffer receiving keys from multiple sensors and returning keys to a SKI Decryption Library.

../_images/FastKeyServerDlib.png

Deploying a FastKey Buffer

To launch a FastKey Buffer run the following command:

docker run --name nubeva-ks -d -p4433:4433 -p4433:4433/udp  \
-v $(pwd)/../certs:/certs nubeva/fastkey \
--cert /certs/yourcert.pem --key /certs/yourkey.pem

Note

You should adjust the mounted directory -v $(pwd)/../certs to match your certs directory, and the yourcert.pem and yourkey.pem file names to match your certificate and key file names.

The instance running the FastKey Buffer must resolve your server DNS to 127.0.0.1 (usually with /etc/hosts).

Command Line Parameters

  • --bind <addr> : Address to bind to. Default: 0.0.0.0
  • --port <port> : Port to use (both TCP and UDP). Default: 4433
  • --cert <file> : Server PEM-encoded X.509 certificate chain file
  • --key <file> : Server PEM-encoded private key file
  • --client-timeout <n> : Timeout in seconds before a client is disconnected. Default: 60
  • --key-timeout <n> : Timeout in seconds before a key is forgotten. Default: 300
  • --max-key-count <n> : Maximum number of keys to keep. Default: 32768
  • --ciphers <str> : Accepted SSL ciphers to use
  • --enable-protocol <p> : Enable one of the following protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 or ALL
  • --disable-protocol <p> : Disable one of the following protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 or ALL

Note

You do not need to launch a FastKey Buffer if you have your own key management solution that implements the FastKey protocol.

API Calls

If you use Nubeva's demo certificate, the FastKey Buffer must resolve to key.nubedge.com. The following API calls are supported:

  • stats: returns buffer statistics
# Call stats
curl https://[buffer DNS or IP]:4433/stats

# Returns
{
"cur_size":175,
"get_req_count":0,
"put_req_count":602,
"put_from_dtls":301,
"unneeded_put_from_dtls":1,
"put_from_tcp":301,
"unneeded_put_from_tcp":299,
"get_success_count":0,
"get_fail_count":0,
"timedout_keys":127,
"ssl_error":0,
"ssl_error_other":1,
"dtls_zero_read":0,
"dtls_invalid_version":0,
"dtls_invalid_len":0,
"dtls_keepalive":2,
"dtls_unknown_type":0,
"dtls_unknown_size":0,
"dtls_client_free":0,
"dtls_client_prepare":2,
"key_timeout_checks":3,
"client_timeout_checks":18,
"client_timeouts":0,
"dtls_packets":306,
"dtls_packet_bytes":172548
}
  • dumpkeys: dumps the contents of the key buffer
# Call dumpkeys
curl https://[buffer DNS or IP]:4433/dumpkeys

# Returns
f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53 (1s): {
"Type":"1.3",
"CR":"f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53",
"CHTS":"ffa69c63527f2a8fe1a9dc974bf0c9c841283ebe28278d27d4a32f888bf91eff2b7d66b490954843b458c386ccac90e6",
"SHTS":"e1fbea741bebc77786bee83b571a463476bd0a0daf0af0f39ca122b0032631a50fe3987ef6b619aba21216c5ad3b2349",
"CTS0":"5f1f76bed96460469b52d31c8c2539030d3f35b41a67f476cc277473787efd35b4598ef515ca777157a18786e59a5d85",
"STS0":"873180754f348e964060fc8b76292118cf4b535880bd9be94fa105b1f1c133f6b0366a2fcd88b666f545e00898af7698",
"XS":"8aab03b0bb908fb829ced89bb233255203995fb03151ede766dd737b298186fa1ed83016e13684473bb6bc5120452be5"
}
faf7ab15ba9c1872dc92ec7d17607e7f13844afb9beed83b28615cd7647f4ccd (1s): {
"Type":"1.3",
"CR":"faf7ab15ba9c1872dc92ec7d17607e7f13844afb9beed83b28615cd7647f4ccd",
"CHTS":"feb0418af64c0c8fc1059389a8e50e10e124092196c2b2781a012274ab9eea5f4625f1037f329bc983c5b30cba1eb6f9",
"SHTS":"d2611d319b2e43523098d9b87339ebca574d5b5d397dab3a74ef3f7f6e21b12472903e88ea364aea75a72b39b276271f",
"CTS0":"41beb5c8ea2c0fa073722e3addd4b39aaaf9599f309f6192df710e03417d198081a54da135d5d2a2c3f454a74619ba8c",
"STS0":"9e75b7418d3877548556e64b2079bba42c11ad1563add1002c551b4d63fb50a6cc3ab7c4f0429904d65fd84071587a7b",
"XS":"50cc7fa146b61476a7a493162b76e95c64d8256cf54a342f34eab983362a8b435870b4bd5fbef33b6bf7edf995e77278"
}
  • flush_keys: clears the key buffer
# Call flush_keys
curl https://[buffer DNS or IP]:4433/flush_keys

# No return value
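As an added example, not code from Nubeva or this documentation, the following Python parses the dumpkeys output format shown above ("<client random> (<n>s): {json}") and turns well-formed TLS 1.3 entries into NSS key-log lines that a decryption tool can consume, dropping entries whose JSON is malformed or whose CR field disagrees with the entry key. The mapping from the CHTS/SHTS/CTS0/STS0/XS fields to key-log labels, the reading of the parenthesised number as the key's age, and the sample entries are assumptions and constructed data, not documented facts.

```python
import json
import re

# Assumed mapping from dumpkeys field names to NSS key-log labels; the page
# does not document these fields, so treat this mapping as an educated guess.
NSS_LABELS = {
    "CHTS": "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SHTS": "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CTS0": "CLIENT_TRAFFIC_SECRET_0",
    "STS0": "SERVER_TRAFFIC_SECRET_0",
    "XS": "EXPORTER_SECRET",
}
# One entry: "<client random hex> (<age>s): {json}"; the JSON may span lines.
ENTRY_RE = re.compile(r"([0-9a-f]{64}) \((\d+)s\): (\{.*?\})", re.S)

def parse_dumpkeys(text):
    """Parse /dumpkeys output into dicts; drop entries with malformed JSON or
    a CR field that disagrees with the entry key (the buffer is keyed by CR)."""
    records = []
    for cr, age, body in ENTRY_RE.findall(text):
        try:
            fields = json.loads(body)
        except json.JSONDecodeError:
            continue
        if fields.get("CR") == cr:
            records.append({"cr": cr, "age_s": int(age), **fields})
    return records

def is_hex(s, sizes=(64, 96)):
    """Accept 32- or 48-byte secrets (SHA-256 / SHA-384 cipher suites)."""
    return len(s) in sizes and all(c in "0123456789abcdef" for c in s)

def to_keylog(records):
    """Emit NSS key-log lines for well-formed TLS 1.3 records only."""
    lines = []
    for r in (r for r in records if r.get("Type") == "1.3"):
        for field, label in NSS_LABELS.items():
            if is_hex(r.get(field, "")):
                lines.append(f"{label} {r['cr']} {r[field]}")
    return lines

def _entry(cr, json_cr, fill):
    """Constructed dumpkeys entry in the page's layout, with fake secrets."""
    body = {"Type": "1.3", "CR": json_cr, **{k: fill * 48 for k in NSS_LABELS}}
    return cr + " (1s): " + json.dumps(body, indent=0) + "\n"

# Constructed sample: two valid entries plus one whose CR field disagrees.
SAMPLE_DUMP = (_entry("ab" * 32, "ab" * 32, "11") + _entry("cd" * 32, "cd" * 32, "22")
               + _entry("ef" * 32, "00" * 32, "33"))
```

Feed the real output of curl https://[buffer DNS or IP]:4433/dumpkeys to parse_dumpkeys instead of SAMPLE_DUMP; the key-log lines it produces contain live session secrets, so write them only to the decryptor that needs them.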