TLS/SSL Decryption and Encryption

Secure your network with complete visibility into all your encrypted traffic

Already own this product? Visit Technical Support

Keysight's Active SSL

As most traffic becomes encrypted and with ephemeral key on its way to becoming the dominant technology, organizations need a way to retain the benefits of Transport Layer Security (TLS) 1.3, while being able to inspect traffic for threats and malware to protect their networks and users.

Keysight's Active Secure Sockets Layer (SSL) capability, an addition to the SecureStack feature set, enables organizations to see inside traffic that uses ephemeral key cryptography through its visibility platform. Keysight's Active SSL can be used both inline and out-of-band, for outbound and inbound traffic, and it can be used simultaneously with NetStack, PacketStack and AppStack capabilities. The Active SSL capability is available via a high-performance application module that is compatible with Vision ONE™, a turnkey network packet broker that provides high-performance, lossless visibility. With a dedicated cryptographic processor, Active SSL provides the best throughput integrated with a visibility solution. Moreover, it includes built-in policy management, Uniform Resource Locator (URL) categorization, support for all leading ciphers, and reporting.

A Security Dilemma

Organizations encrypt internet exchanges to protect themselves and their users — in particular, to protect sensitive information such as credit card numbers, social security numbers, etc. As of 201, both Firefox and Google have shown that over 75% of sites visited via their browsers encrypt traffic. This encryption helps prevent identity theft, security breaches, and data leaks. However, much like a Trojan horse, encryption can also be the way malware and other threats are inserted into networks. Gartner predicts that by 2020, more than 60% of organizations will fail to decrypt Hypertext Transfer Protocol Secure (HTTPS) efficiently, "missing most targeted web malware". Moreover, hackers are becoming more clever and some forms of encryption are becoming more vulnerable.

The solution to this dilemma is two-fold:

  • Use encryption technology that is harder to compromise
  • Inspect all encrypted traffic for threats as part organizations' security and monitoring policies

Why Ephemeral Key

Secure Sockets Layer (SSL) and Transport Layer Security (TLS), both of which are commonly referred to as "SSL", are technologies in which data is scrambled or "encoded" to protect communications over a computer network. As pictured to the right, the technology basically works by exchanging information that is coded via a public key (provided by the server) and sent over the internet. The receiving party (server) is able to decode the data because it has the other half of the equation, the private key.

The dominant encryption technology had been Rivest-Shamir-Adleman (RSA), which uses static keys. This means that a server has a given key for its communications. Now, if this key is somehow compromised, any communication from that server is exposed. To address this concern, many organizations and regulatory bodies are shifting to using and mandating ephemeral key encryption, most commonly Elliptic curve Diffie–Hellman ephemeral (ECDHE), in which a new key is generated for each exchange.

Perfect Forward Secrecy And TLS 1.3

Let us consider static keys to be like physical keys — if one is stolen or copied, the person with the key can access all communications locked by that key. In contrast, ephemeral key is like a number generated by a mobile app for a specific exchange. If the number is stolen, it can only be used to unlock that one exchange. All other exchanges are still protected. This perfect forward secrecy is what makes ephemeral key compelling.

Tech industry leaders including Google, Facebook, Mozilla, and more are announcing their shift to using ephemeral key for encryption in order to provide greater security for users. TLS 1.3, the latest TLS protocol standard by the Internet Engineering Task Force (IETF), favors ephemeral key exchange.

Supports Leading Ciphers

Active SSL already supports many leading ciphers indicated in TLS 1.3 and additional ciphers are continuously being added.

SUPPORTED CIPHERS   KX AU ENC MAC
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES128-SHA SSLv3 ECDH ECDSA AES(128) SHA1
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH ECDSA AES(256) SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(128) AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH RSA AESGCM(128) AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(128) AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH ECDSA AES(128) SHA256
ECDHE-RSA-AES128-SHA SSLv3 ECDH RSA AES(128) SHA1
DHE-RSA-AES256-SHA SSLv3 DH RSA AES(256) SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 ECDH RSA 3DES(168) SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 ECDH ECDSA 3DES(168) SHA1
AES128-GCM-SHA256 TLSv1.2 RSA RSA AESGCM(128) AEAD
AES256-GCM-SHA384 TLSv1.2 RSA RSA AESGCM(256) AEAD
AES128-SHA256 TLSv1.2 RSA RSA AESGCM(128) SHA256
AES256-SHA256 TLSv1.2 RSA RSA AES(256) SHA256
AES128-SHA SSLv3 RSA RSA AES(128) SHA1
AES256-SHA SSLv3 RSA RSA AES(256) SHA1
ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 ECDH ECDSA AES(256) SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 DH RSA AES(128) SHA256
DHE-RSA-AES128-SHA SSLv3 DH RSA AES(128) SHA1
DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 ECDH ECDSA CHACHA20/POLY1305(256) AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH RSA CHACHA20/POLY1305(256) AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 DH RSA CHACHA20/POLY1305(256) AEAD
CAMELLIA128-SHA256 TLSv1.2 RSA RSA CAMELLIA(128) SHA256
CAMELLIA256-SHA256 TLSv1.2 RSA RSA CAMELLIA(256) SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 DH RSA CAMELLIA(128) SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 DH RSA CAMELLIA(256) SHA256

Available On Vision One

Inline Security With Active SSL

Active SSL seamlessly integrates into Keysight's fail-safe security architecture for inline deployments. Combined with Keysight's threat intelligence gateway, ThreatARMOR™ , Active SSL creates an even more robust inline architecture that can block bad Internet Protocols (IPs), handle encrypted traffic, and protect your network with active-active high availability configurations that ensure continuous traffic inspection and near-instant recovery.

Related Information

Want help or have questions?