The downside to decryption and why you need encrypted traffic intelligence

Tobias Roeder portrait

By Tobias Roeder
Published on: 17.09.2024

If you are a networking or security vendor, you are probably hanging on to a variety of decryption techniques to help you manage the increasing share of encrypted traffic processed every day. Encryption is inevitable. As data usage surges, a lot more sensitive and critical information is being transported over IP networks, creating an expanded attack surface that malicious parties are eager to take advantage of. Encryption protects data flows from any form of interception, as packets are transmitted between user devices, intermediary devices and applications. Encryption also protects data-at-rest. It ensures that threat actors can’t have the cake and eat it, too, metaphorically speaking.

Decrypting encrypted traffic helps network administrators to identify underlying traffic flows. This is extremely useful for:

  • Intelligent traffic steering where different applications are accorded different routing and processing policies.
  • Maintaining network security where it helps to reveal threats that are cleverly disguised as regular encrypted traffic such as encrypted ransomware and encrypted viruses.
  • Managing network performance by decrypting SIPS traffic to diagnose VoIP call issues, for example.
  • Network analytics where detailed application-level insights are used to build better networks and improve resource provision.

Understanding the decryption dilemma

As you might already anticipate, intercepting someone else’s communication pathways is never a good idea. Decryption does exactly that – it intercepts the mailman and inspects the mail. For a quick glimpse of the underlying packets, the destination device or an intermediate proxy converts incoming cypher text into regular text using special keys. While this makes complete sense in managing and analyzing encrypted traffic, it can create a host of issues:

  • Wastage of computing resources: Decryption and encryption both involve complex algorithms (RSA, AES, Triple DES, Blowfish, etc) which require lots of computing power. As traffic volumes multiply, costs of decrypting and re-encrypting packets can become exorbitant.
  • Duplication: The same traffic flows, when routed through different independent network functions, for example secure web gateways, compression tools or routers, are decrypted and re-encrypted multiple times. This impacts network latencies and application performance and can lead to congestion or even wipe out network resources.
  • Regulatory compliance: Sensitive data, such as personally identifiable information (PII), medical records, financial information, passwords and critical business data, are subject to various international and local regulations, such as GDPR (Europe), HIPAA (United States), PIPEDA (Canada) and POPIA (South Africa). In many jurisdictions, decryption of sensitive and critical information would contravene the law. As a result, large chunks of traffic are transported over the network without adequate processing and filtering, leading to various security risks and network suboptimalities.
  • Limited coverage: In some cases of encryption, decryption becomes technically impossible due to the type of encryption protocols that disallow processing by intermediate devices. Examples include end-to-end encryption (E2EE) protocols such as WhatsApp’s messaging protocol and certificate pinning.
  • Issues with centralized decryption: To mitigate multiple decryption rounds, intermediary functions such as load balancers or proxies are used to centrally decrypt traffic before packets are forwarded to their respective destinations. Two challenges arise in this type of architectures. Firstly, compromised proxies provide threat actors with easy access to virtually every flow navigating the network. Secondly, threat actors can tap into the onward communications between the intermediary device and the destination devices, and get hold of the decrypted data.
  • Integrity: Decryption is executed on the premise that anyone managing the decryption engine or tools with built-in decryption capabilities is trustable. Where third-party or cloud‑based tools are used, this assumption presents a serious risk of exposure as these domains are controlled and managed by others.
  • Storage and handling: Transaction logs, packet metadata and other analytics extracted from decrypted data has to be secured at all times especially where such data is retained for future processing or shared across different tools. Poor access and security controls governing servers and devices that host temporary decrypted data can create new vulnerabilities.

What about homomorphic encryption?

Given that mass scale decryption is rarely the solution for environments with growing traffic volumes, new encryption techniques such as homomorphic encryption are being implemented. Homomorphic encryption retains the structure of the data being transported, supporting a number of traffic manipulation processes despite encryption. However, homomorphic encryption is very compute intensive and slow.

Next-gen DPI as an alternative to decryption

With these constraints and challenges, what alternative is there for analyzing encrypted traffic? The answer is next-gen deep packet inspection (DPI). Take ipoque’s next-gen DPI software R&S®PACE 2 and its VPP-native counterpart R&S®vPACE, for example, which come with encrypted traffic intelligence (ETI). The OEM DPI engines combine behavioral, statistical and heuristic analysis with ETI, which leverages machine learning and deep learning algorithms, such as k NN, decision tree learning, CNN, RNN and LSTM, alongside high-dimensional data analysis. In combination, these equip vendors with real-time insights into the underlying applications, including their protocols and service types. Encrypted traffic intelligence is built to address the most stringent encryption protocols, including TLS 1.3, ESNI, QUIC and DoX. If you are struggling with progressive loss of network visibility, ETI not only reinstates insights into encrypted traffic, but also helps you figure out those obfuscated and anonymized flows that often increase blinds spots in your traffic analysis.

How does encrypted traffic intelligence benefit you?

Using next-gen DPI is like using a multipronged tool. R&S®PACE 2 and R&S®vPACE boast superfast processing speeds and a low memory footprint, which means that you can say goodbye to performance and latency issues associated with decrypting large traffic volumes. Analysis from next gen DPI can be embedded anywhere in the network, as it is packaged as a software module that fits into traditional, virtualized and containerized stacks, and can be integrated into any networking or security tool. It provides central intelligence for the entire network and can be used to power multiple tools simultaneously.

Additionally, R&S®PACE 2 and R&S®vPACE’s extensive library boasts thousands of signatures, covering practically every popular and frequently used application. This ensures your monitoring radar captures almost all of your flows.

Why next-gen DPI deserves a gold medal

The most important aspect of next-gen DPI in handling encrypted traffic is that, at no point in its journey is a packet decrypted, except at its destination. This single quality alleviates every security risk that is associated with proxy or device tampering, eavesdropping or even incidental exposure. It also aligns perfectly with increasing data privacy and confidentiality requirements as packets remain encrypted at all times, enabling vendors and network administrators to pass highly sensitive information through the network without complex workarounds. All in all, DPI with encrypted traffic intelligence equips today’s networks with a powerful tool to handle both the best and the worst of encryption, ensuring data remains safe, networks remain high-performing and users remain happy.

Tobias Roeder portrait

Tobias Roeder

Contact me on LinkedIn

Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility