cs.CR · Apr 20, 2021

Passive, Transparent, and Selective TLS Decryption for Network Security Monitoring

arXiv:2104.09828v1 · 9 citations
Originality: Incremental advance
AI Analysis

This addresses the loss of visibility that TLS causes for network security monitoring in enterprise networks by offering a more secure alternative to man-in-the-middle proxies; it is incremental in that it builds on an existing monitoring system (Zeek) rather than introducing a new analysis architecture.

The paper tackles the problem of encrypted traffic hindering network security monitoring by proposing a cooperative approach in which end-hosts selectively hand TLS key material to the monitoring system, so decryption happens passively on the monitor while the user keeps control over which connections are exposed; experimentally, decryption costs about 2.5 times the runtime of cleartext analysis, and buffering traffic at the monitor for at least 40 ms while keys are in transit allows 99.99% of observed TLS connections to be decrypted.

Internet traffic is increasingly encrypted. While this protects the confidentiality and integrity of communication, it prevents network monitoring systems (NMS) and intrusion detection systems (IDSs) from effectively analyzing the now encrypted payloads. Therefore, many enterprise networks have deployed man-in-the-middle (MitM) proxies that intercept TLS connections at the network border to examine packet payloads and thus retain some visibility. However, recent studies have shown that TLS interception often reduces connection security and potentially introduces additional attack vectors to the network. In this paper, we present a cooperative approach in which end-hosts, as the cryptographic endpoints, selectively provide TLS key material to the NMS for decryption. This enables endpoints to control who can decrypt which content and lets users retain privacy for chosen connections. We implement a prototype based on the Zeek NMS that is able to receive key material from hosts, decrypt TLS connections and perform analyses on the cleartext. The patch is freely available and we plan to upstream our changes to Zeek once they are mature enough. In our evaluation, we discuss how our approach conceptually requires significantly less computational resources compared to the commonly deployed MitM proxies. Our experimental results indicate that TLS decryption incurs a runtime overhead of about 2.5 times the original runtime on cleartext. Additionally, we show that the latency for transmitting keys between hosts and the NMS can be effectively addressed by buffering traffic at the NMS for at least 40 ms, allowing successful decryption of 99.99% of all observed TLS connections.
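The mechanics the abstract describes have three moving parts: a host-side policy that decides which connections' secrets leave the host, a key-material format the host and monitor agree on, and a monitor that ties each secret to the right connection and tolerates the delay between seeing the handshake and receiving the key. The example below is added here to make those parts concrete; it is constructed for this page and is not the paper's Zeek patch or any code from the authors. It assumes the widely used NSS key-log line format (`CLIENT_RANDOM <client random hex> <master secret hex>` for TLS 1.2, and the `*_TRAFFIC_SECRET*` labels for TLS 1.3) as the host-to-monitor key format, matches keys to connections by the 32-byte client random from the ClientHello, and models the paper's buffering with a simple rule: a connection is decryptable if its key arrives within `buffer_ms` of the ClientHello. The `export_policy`, `Monitor` and `run_demo` names, the private-hostname suffix list and all sample connections are hypothetical and constructed inline.

```python
"""Constructed model of cooperative TLS key sharing for a passive monitor.

Host side: decide per connection whether to export the key, then emit an
NSS-format key-log line.  Monitor side: parse ClientHellos from the wire,
parse key-log lines from hosts, and decide whether a buffered connection
can be decrypted.  Hypothetical names; not the paper's Zeek implementation.
"""
import struct

# NSS key-log labels: TLS 1.2 uses CLIENT_RANDOM; TLS 1.3 exports per-epoch secrets.
TLS13_LABELS = ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
KNOWN_LABELS = ("CLIENT_RANDOM",) + TLS13_LABELS


# ---- host side: selective export (hypothetical policy) ----------------------
def export_policy(hostname, private_suffixes):
    """Export keys unless the destination matches a user-chosen private domain."""
    return not any(hostname == s or hostname.endswith("." + s) for s in private_suffixes)


def keylog_line(label, client_random, secret):
    """One NSS key-log line the host sends to the monitor."""
    return f"{label} {client_random.hex()} {secret.hex()}"


# ---- wire format helpers ------------------------------------------------------
def build_client_hello(client_random, sni):
    """Constructed minimal ClientHello record (sample input, not a full handshake)."""
    host = sni.encode()
    server_name = struct.pack("!H", len(host) + 3) + b"\x00" + struct.pack("!H", len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(server_name)) + server_name   # server_name ext
    body = (b"\x03\x03" + client_random + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return (client_random, sni_or_None) from a ClientHello record, else None."""
    if len(rec) < 5 or rec[0] != 0x16:
        return None
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    random = body[2:34]
    p = 34
    p += 1 + body[p]                                     # session id
    if p + 2 > len(body):
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher suites
    if p + 1 > len(body):
        return None
    p += 1 + body[p]                                     # compression methods
    sni = None
    if p + 2 <= len(body):
        end = min(p + 2 + struct.unpack("!H", body[p:p + 2])[0], len(body))
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0 and len(data) >= 5:            # server_name: list len, type, name len
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return random, sni


def parse_keylog_line(line):
    """Validate one key-log line; return (label, client_random, secret) or None."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
        return None
    try:
        rand, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return None
    return (parts[0], rand, secret) if len(rand) == 32 else None


# ---- monitor side: key store plus buffering decision ---------------------------
class Monitor:
    def __init__(self, buffer_ms):
        self.buffer_ms = buffer_ms
        self.keys = {}          # client_random -> {label: secret}
        self.key_arrival = {}   # client_random -> ms timestamp of first key

    def receive_key(self, line, t_ms):
        parsed = parse_keylog_line(line)
        if parsed is None:
            return False
        label, rand, secret = parsed
        self.keys.setdefault(rand, {})[label] = secret
        self.key_arrival.setdefault(rand, t_ms)
        return True

    def classify(self, record, t_hello_ms):
        """'decrypt' if a key for this ClientHello arrived within the buffer window."""
        parsed = parse_client_hello(record)
        if parsed is None:
            return "not-tls"
        rand, _sni = parsed
        t_key = self.key_arrival.get(rand)
        if t_key is not None and t_key <= t_hello_ms + self.buffer_ms:
            return "decrypt"
        return "passthrough"     # released undecrypted once the window expires


def run_demo(buffer_ms=40):
    """Constructed scenario: three connections, one kept private by policy."""
    private = ("bank.example",)
    mon = Monitor(buffer_ms)
    conns = [  # (name, client_random, sni, key delivery delay in ms)
        ("a", bytes(range(32)), "www.example.com", 12),
        ("b", bytes(range(32, 64)), "cdn.example.net", 75),
        ("c", bytes(range(64, 96)), "online.bank.example", 5),
    ]
    t0 = 1000
    hellos = {}
    for name, rand, sni, delay in conns:
        hellos[name] = build_client_hello(rand, sni)
        if export_policy(sni, private):
            mon.receive_key(keylog_line("CLIENT_RANDOM", rand, bytes([0x42]) * 48), t0 + delay)
    return {name: mon.classify(rec, t0) for name, rec in hellos.items()}
```

With the default 40 ms window, connection `a` (key after 12 ms) is decryptable, `b` (key after 75 ms) is released undecrypted, and `c` never has a key because the host's policy excluded it; raising `buffer_ms` to 100 recovers `b` but not `c`. That is the trade-off the abstract's 40 ms figure is about: a longer window buys more coverage at the cost of memory and added latency for every buffered connection, and a policy decision on the host is the only thing that keeps a connection private from the monitor.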

Code Implementations: 1 repo