FastKey Buffer

The FastKey Buffer maintains a mapping between session secrets and client random values. The FastKey Server receives session secrets from SKI Sensors over the FastKey Protocol and buffers them in memory for a configurable amount of time. When a session key expires, its memory is overwritten with zeros and then freed. The server exposes a REST API call that looks up a key by the value of the Client Random, which is the lookup performed when a new session is created or a session is restarted.
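
The buffering behaviour described above (lookup by Client Random, expiry after a key timeout, a hard cap on the number of keys, zeroisation before release), written out as an added Python example. This is not Nubeva's code: the class and method names, the stats counters, and the choice to evict the oldest entry when the cap is reached are assumptions made for illustration.

```python
import time
from collections import OrderedDict
from typing import Callable, Optional


class KeyBuffer:
    """In-memory Client Random -> session-secret buffer with TTL expiry,
    a hard size limit and zeroisation of entries before they are dropped.
    Illustrative only; names and eviction policy are assumptions."""

    def __init__(self, key_timeout: float = 300.0, max_key_count: int = 32768,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._key_timeout = key_timeout      # seconds, like --key-timeout
        self._max_key_count = max_key_count  # like --max-key-count
        self._clock = clock                  # injectable for deterministic tests
        # insertion-ordered, so the oldest entry is always first
        self._keys: "OrderedDict[bytes, tuple[float, bytearray]]" = OrderedDict()
        self.stats = {"put_req_count": 0, "unneeded_put": 0, "get_success_count": 0,
                      "get_fail_count": 0, "timedout_keys": 0, "evicted_keys": 0}

    def put(self, client_random: bytes, secret: bytes) -> bool:
        """Buffer a secret. Returns False for a duplicate Client Random (a sensor
        may deliver the same key twice, e.g. once over DTLS and once over TCP).
        A bytearray passed in is kept, not copied, so there is one copy to wipe."""
        self.stats["put_req_count"] += 1
        self.expire()
        if client_random in self._keys:
            self.stats["unneeded_put"] += 1
            return False
        if len(self._keys) >= self._max_key_count:
            _, (_, oldest) = self._keys.popitem(last=False)  # assumed: drop oldest
            self._wipe(oldest)
            self.stats["evicted_keys"] += 1
        buf = secret if isinstance(secret, bytearray) else bytearray(secret)
        self._keys[client_random] = (self._clock(), buf)
        return True

    def get(self, client_random: bytes) -> Optional[bytes]:
        """Look up a secret by Client Random (the lookup a decryptor performs)."""
        self.expire()
        entry = self._keys.get(client_random)
        if entry is None:
            self.stats["get_fail_count"] += 1
            return None
        self.stats["get_success_count"] += 1
        return bytes(entry[1])

    def expire(self) -> int:
        """Drop every entry older than key_timeout, zeroing it first."""
        now = self._clock()
        dropped = 0
        while self._keys:
            cr, (inserted_at, secret) = next(iter(self._keys.items()))
            if now - inserted_at < self._key_timeout:
                break                        # entries are ordered oldest-first
            del self._keys[cr]
            self._wipe(secret)
            dropped += 1
        self.stats["timedout_keys"] += dropped
        return dropped

    def flush(self) -> int:
        """Zero and drop every entry (what a flush_keys call would do)."""
        n = len(self._keys)
        for _, secret in self._keys.values():
            self._wipe(secret)
        self._keys.clear()
        return n

    def size(self) -> int:
        return len(self._keys)

    @staticmethod
    def _wipe(secret: bytearray) -> None:
        # Overwrite in place: bytearray is mutable, so this clears the actual
        # buffer. Immutable bytes objects could not be wiped this way.
        for i in range(len(secret)):
            secret[i] = 0
```

Secrets are stored as bytearray so the wipe really overwrites the buffer that held them; note that a garbage-collected language cannot promise no other copy exists (the `bytes` returned by `get` is one), which is why a production server does this in C and frees only after zeroing.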

A FastKey Server can be used in several deployment patterns. The figure below shows a FastKey Server receiving keys from multiple SKI Sensors and returning keys to multiple SKI Decryptors.

../_images/FastkeyServer.png

The following figure shows a FastKey Server receiving keys from multiple sensors and returning keys to a SKI Decryption Library.

../_images/FastKeyServerDlib.png

Deploying a FastKey Buffer

To launch a FastKey Buffer run the following command:

docker run --name nubeva-ks -d -p4433:4433 -p4433:4433/udp  \
-v $(pwd)/../certs:/certs nubeva/fastkey \
--cert /certs/yourcert.pem --key /certs/yourkey.pem

Note

You should adjust the mounted directory -v $(pwd)/../certs to match your certs directory, and change yourcert.pem and yourkey.pem to match your certificate and key file names.

The host running the FastKey Server must resolve your server's DNS name to 127.0.0.1 (usually with an /etc/hosts entry).

Command Line Parameters

  • --bind <addr> : Address to bind to. Default 0.0.0.0
  • --port <port> : Port to use (both TCP and UDP). Default 4433
  • --cert <file> : Server PEM-encoded X.509 certificate chain file
  • --key <file> : Server PEM-encoded private key file
  • --client-timeout <n> : Timeout in seconds before an idle client is disconnected. Default 60
  • --key-timeout <n> : Timeout in seconds before a key is forgotten (zeroed and freed). Default 300
  • --max-key-count <n> : Maximum number of keys to keep. Default 32768
  • --ciphers <str> : Accepted SSL cipher list
  • --enable-protocol <p> : Enable one of the following protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 or ALL
  • --disable-protocol <p> : Disable one of the following protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 or ALL

SSLv3, TLSv1 and TLSv1.1 are deprecated protocol versions; do not enable them on the key server.

Note

You do not need to launch a FastKey server if you have your own key management solution that implements the FastKey protocol.

API Calls

If you use Nubeva's demo certificate, the FastKey Server must resolve to key.nubedge.com. The calls below are plain HTTPS GETs; as shown here they carry no credentials, and dumpkeys returns every buffered secret in the clear, so limit which hosts can reach port 4433. The following API calls are supported:

  • stats: returns server statistics
# Call stats
curl https://[server DNS or IP]:4433/stats

# Returns
{
"cur_size":175,
"get_req_count":0,
"put_req_count":602,
"put_from_dtls":301,
"unneeded_put_from_dtls":1,
"put_from_tcp":301,
"unneeded_put_from_tcp":299,
"get_success_count":0,
"get_fail_count":0,
"timedout_keys":127,
"ssl_error":0,
"ssl_error_other":1,
"dtls_zero_read":0,
"dtls_invalid_version":0,
"dtls_invalid_len":0,
"dtls_keepalive":2,
"dtls_unknown_type":0,
"dtls_unknown_size":0,
"dtls_client_free":0,
"dtls_client_prepare":2,
"key_timeout_checks":3,
"client_timeout_checks":18,
"client_timeouts":0,
"dtls_packets":306,
"dtls_packet_bytes":172548
}
  • dumpkeys: dumps the contents of the key buffer, one entry per buffered Client Random, with all of its secrets in the clear
# Call dumpkeys

curl https://[server DNS or IP]:4433/dumpkeys

# Returns
f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53 (1s): {
"Type":"1.3",
"CR":"f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53",
"CHTS":"ffa69c63527f2a8fe1a9dc974bf0c9c841283ebe28278d27d4a32f888bf91eff2b7d66b490954843b458c386ccac90e6",
"SHTS":"e1fbea741bebc77786bee83b571a463476bd0a0daf0af0f39ca122b0032631a50fe3987ef6b619aba21216c5ad3b2349",
"CTS0":"5f1f76bed96460469b52d31c8c2539030d3f35b41a67f476cc277473787efd35b4598ef515ca777157a18786e59a5d85",
"STS0":"873180754f348e964060fc8b76292118cf4b535880bd9be94fa105b1f1c133f6b0366a2fcd88b666f545e00898af7698",
"XS":"8aab03b0bb908fb829ced89bb233255203995fb03151ede766dd737b298186fa1ed83016e13684473bb6bc5120452be5"
}
faf7ab15ba9c1872dc92ec7d17607e7f13844afb9beed83b28615cd7647f4ccd (1s): {
"Type":"1.3",
"CR":"faf7ab15ba9c1872dc92ec7d17607e7f13844afb9beed83b28615cd7647f4ccd",
"CHTS":"feb0418af64c0c8fc1059389a8e50e10e124092196c2b2781a012274ab9eea5f4625f1037f329bc983c5b30cba1eb6f9",
"SHTS":"d2611d319b2e43523098d9b87339ebca574d5b5d397dab3a74ef3f7f6e21b12472903e88ea364aea75a72b39b276271f",
"CTS0":"41beb5c8ea2c0fa073722e3addd4b39aaaf9599f309f6192df710e03417d198081a54da135d5d2a2c3f454a74619ba8c",
"STS0":"9e75b7418d3877548556e64b2079bba42c11ad1563add1002c551b4d63fb50a6cc3ab7c4f0429904d65fd84071587a7b",
"XS":"50cc7fa146b61476a7a493162b76e95c64d8256cf54a342f34eab983362a8b435870b4bd5fbef33b6bf7edf995e77278"
}
  • flush_keys: clears the key buffer
# Call flush_keys
curl https://[server DNS or IP]:4433/flush_keys

# No return value
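
An added Python example (not part of the Nubeva documentation or code) that consumes the output of the stats and dumpkeys calls above: it parses the dumpkeys text into records, checks each secret is well-formed hex of a plausible length, turns TLS 1.3 entries into NSS key-log lines that Wireshark or tshark can load, and runs a few sanity checks over the stats JSON. The sample record is the first entry shown on this page. Assumptions: the number in parentheses after the Client Random is the entry's age in seconds, the field names CHTS, SHTS, CTS0, STS0 and XS abbreviate the standard TLS 1.3 handshake, application and exporter secrets, and the warning thresholds are illustrative.

```python
import json
import re
import ssl
import urllib.request

# One record per buffered key: "<client random hex> (<n>s): { ...json... }"
RECORD_RE = re.compile(r"^([0-9a-f]{64}) \((\d+)s\): (\{.*?\})", re.S | re.M)
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Assumed mapping of the dumpkeys field names to NSS key-log labels.
TLS13_LABELS = {
    "CHTS": "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SHTS": "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CTS0": "CLIENT_TRAFFIC_SECRET_0",
    "STS0": "SERVER_TRAFFIC_SECRET_0",
    "XS": "EXPORTER_SECRET",
}

# Sample input: the first dumpkeys entry shown on this page.
SAMPLE_DUMP = """f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53 (1s): {
"Type":"1.3",
"CR":"f98cde0d83171d5cb6e53a1d3894b49d3757687a0b7e0aacffdc236d26229c53",
"CHTS":"ffa69c63527f2a8fe1a9dc974bf0c9c841283ebe28278d27d4a32f888bf91eff2b7d66b490954843b458c386ccac90e6",
"SHTS":"e1fbea741bebc77786bee83b571a463476bd0a0daf0af0f39ca122b0032631a50fe3987ef6b619aba21216c5ad3b2349",
"CTS0":"5f1f76bed96460469b52d31c8c2539030d3f35b41a67f476cc277473787efd35b4598ef515ca777157a18786e59a5d85",
"STS0":"873180754f348e964060fc8b76292118cf4b535880bd9be94fa105b1f1c133f6b0366a2fcd88b666f545e00898af7698",
"XS":"8aab03b0bb908fb829ced89bb233255203995fb03151ede766dd737b298186fa1ed83016e13684473bb6bc5120452be5"
}
"""


def parse_dumpkeys(text: str) -> list:
    """Parse dumpkeys output into records. Malformed input raises, so a
    truncated or corrupt dump is noticed instead of yielding bad keys."""
    records = []
    for cr, age, body in RECORD_RE.findall(text):
        rec = json.loads(body)
        if rec.get("CR") != cr:
            raise ValueError(f"header/body Client Random mismatch for {cr}")
        secrets = {}
        if rec.get("Type") == "1.3":   # only the 1.3 layout is shown on the page
            for field, label in TLS13_LABELS.items():
                val = rec.get(field, "")
                # 32-byte (SHA-256 suites) or 48-byte (SHA-384 suites) secrets
                if not HEX_RE.match(val) or len(val) not in (64, 96):
                    raise ValueError(f"bad {field} for {cr}")
                secrets[label] = val
        records.append({"cr": cr, "age_s": int(age), "type": rec.get("Type"),
                        "secrets": secrets})
    return records


def to_keylog(records: list) -> list:
    """Emit NSS key-log lines (SSLKEYLOGFILE format): '<label> <CR> <secret>'."""
    return [f"{label} {rec['cr']} {val}"
            for rec in records for label, val in rec["secrets"].items()]


def stats_warnings(stats: dict, max_key_count: int = 32768) -> list:
    """Health checks over the stats JSON; the thresholds are assumptions."""
    warn = []
    if stats.get("get_fail_count", 0):
        warn.append("lookups missed the buffer: keys expired or never arrived")
    if stats.get("cur_size", 0) >= 0.9 * max_key_count:
        warn.append("buffer near max-key-count: oldest keys will be dropped early")
    if stats.get("ssl_error", 0) or stats.get("ssl_error_other", 0):
        warn.append("TLS/DTLS errors seen from sensors")
    return warn


def fetch(url: str, cafile: str) -> str:
    """GET an API path, verifying the server certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for line in to_keylog(parse_dumpkeys(SAMPLE_DUMP)):
        print(line)
```

To use it against a live server, replace SAMPLE_DUMP with `fetch("https://key.example:4433/dumpkeys", "/certs/ca.pem")` and write the returned lines to a file that Wireshark's TLS preference "(Pre)-Master-Secret log filename" points at; the file then contains live session secrets and deserves the same handling as the key buffer itself.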