Encryption and integrity protection

Owned by Kiss, Mate
Last updated: May 09, 2024 by Zszugyi

AVAILABLE IN VERSION 8.6 AND LATER

The Verba system provides a public key cryptography based encryption and digital signing solution to store recordings in a secure and encrypted format, and to protect the integrity of the recordings from tampering. Key features include:

  • Windows Certificate Store (WCS) integration for key management
  • Azure Key Vault integration
  • Industry standard crypto technologies such as RSA, AES, SHA
  • Separate certificates for encryption and signing
  • Data retention policy based configuration for encryption and/or signing
  • Support for defining any number of certificates
  • Support for all storage file formats
  • Both media and file-based metadata can be encrypted and signed
  • Seamless playback option over HTTPS
  • Automatic integrity check by validating the signature during playback
  • Ability to export recordings in non-encrypted format
  • Ability to configure certificates without the private key to disable playback in Verba completely
  • OpenSSL scripts available to decrypt and check signatures on recordings outside of the Verba system

The chapters below provide more details on the subject:


The encryption and digital signing features available prior version 8.6 are not compatible with the new version.

 

Overview

Encryption

The system allows encrypting recorded media and metadata files. If encryption is configured, the system will encrypt all available files for a recorded conversations:

  • Audio file
  • Video file
  • Screen capture file
  • IM transcript file
  • Metadata XML file

Encryption can be turned on by configuring a data retention policy:

  • Using the Upload and Move policies to encrypt recordings during the execution (before) the upload/move policy
  • Using the Encryption and Signing policy

Encryption process

The system encrypts the recorded media and metadata file (option) after the recording process is finished or in a configured time based on the data retention policy configuration. The encryption process consists of the following key steps:

  1. The Storage Management Service executes a data retention policy where encryption is configured
  2. Based on the configuration, the service retrieves the certificate(s) from the WCS using the configured Windows service user credentials
  3. For each to be encrypted file (media and metadata XML), generates a session-key and saves the session-key with RSA encryption (public key) into the crypto information file
  4. Encrypts the file stream with AES-256-CTR

Decryption and playback process when private key is available

Encrypted recordings can be played back on the web-based user interface in a seamless way. The decryption process includes the following steps:

  1. User initiates playback (HTTPS)
  2. The Content Server Service on the Media Repository retrieves the certificate (the one used to encrypt the recording) from the WCS using the configured Windows service user credentials
  3. Decrypts the session-key parameters from the crypto information file with the related certificate/private key
  4. Decrypts symmetric cipher encrypted media with the session key
  5. Transcodes media to MP3 and streams it to the player in the browser over HTTPS (only)

Decryption and playback process when private key is not available

The system allows configuring certificates without private keys to disable decryption/playback in the Verba system. In this case, the Verba system is not able to provide any capability which requires access to the encrypted media files including playback, waveform, transcoding, export to not-encrypted media.

  1. User initiates playback (HTTPS)
  2. Media Repository returns encrypted media, metadata XML, crypto info files in a single ZIP file
  3. User opens the ZIP file in the Verba Offline Player application where the private key is also available
  4. The Verba Offline Player application decrypts the session-key parameters from crypto information file with the related certificate/private key
  5. Decrypts symmetric cipher encrypted media with the session key
  6. Plays media

Integrity Protection / Digital Signing

The system allows signing recorded media and metadata files. If signing is configured, the system will sign all available files for a recorded conversations:

  • Audio file
  • Video file
  • Screen capture file
  • IM transcript file
  • Metadata XML file

Signing can be turned on by configuring a data retention policy:

  • Using the Upload and Move policies to sign recordings during the execution (before) the upload/move policy
  • Using the Encryption and Signing policy

Signing process

  1. The Storage Management Service executes a data retention policy where signing is configured
  2. Based on the configuration, the service retrieves the certificate(s) from the WCS using the configured Windows service user credentials
  3. For each to be signed file (media and metadata XML), saves hashing algorithm and certificate into the crypto information file
  4. Calculates hash on the content of the file (when encryption is used also, hash calculation is done on the encrypted blocks)
  5. Encrypts final hash with the configured certificate (private key) and saves the encrypted hash into the crypto information file

Integrity validation process

The system allows verifying the digital signature through the following process:

  1. User initiates check on the user interface 
  2. The Media Utility Service on the Media Repository retrieves certificate (the one used for signing the recording) from the WCS using the configured Windows service user credentials
  3. Calculates hash (when encryption is used also, hash calculation is done on the encrypted blocks)
  4. Decrypts signature with the certification public key/cert and matches with the final hash

Key Management / Windows Certificate Store

The system relies on the Windows Certificate Store for storing and managing certificates and keys used for encryption and digital signing. In order to use encryption or signing, the necessary certificates has to be deployed and made accessible on all Verba servers. The system uses the thumbprint of the certificate for identification. The system stores which conversation was encrypted and/or signed by which certificate (thumbprint). Certificate requirements:

  • Authorization for Verba service user account
  • Availability on all Verba servers
  • Certificates must have RSA keys (512, 1025, 2048, 4096)
  • Certificates used for encryption and signing must be valid, not expired or revoked
  • Certificates for encryption must have a private and a public key (certificates without a private key will also be accepted, but playback will not be available in Verba)
  • Strong private key protection must be disabled
  • Certificates for digital signing must have a private and a public key
  • It is strongly recommended to use different certificates for encryption and signing
  • All certificates used at any time (even if expired) must be available to provide decryption and validation for any recording
  • Renewing a certificate might generate new keys and thumbprint which need to be configured as a new certificate in Verba

Certificates not satisfying the requirements above will not be used and the system will report an error on an encryption/signing/decryption/validation attempt.

The system uses the Windows service user account for authorization. The following Verba services need access to the certificates:

  • Storage Management Service
  • Media Streamer and Content Server Service
  • Media Utility Service
  • Media Transcoder Service

Configuring Certificates

In order to use a certificate in the WCS, the certificate must be registered/configured in the Verba system. For requesting and assigning certificates to the Verba server see: Requesting and assigning certificates

Follow the steps below to configure certificates:

Step 1 - Using the web application, navigate to System \ Encryption/Signing Certificates, you must be logged in using an administrative user account with access to certificates

Step 2 - Click on the Add New Certificate link.

Step 3 - Enter a name for the certificate.

Step 4 - Enter the thumbprint of the certificate. The thumbprint of a certificate can be obtained by opening the certificate in the Windows Certificate Manager on the server/computer where the certificate is available. Double click on the certificate and navigate to the Details tab, scroll down to the Thumbprint field and copy the hex values.

Step 5 - Configure the certificate, more information on the fields are available below.

Step 6 - Click on the Save button.

Field NameDescriptionRequirements
NameThe friendly/display name of the certificate used in the Verba system.

Required field

Minimum length: 1

Maximum length: 256

Private Key Accessible

Indicates if the private key is available in the certificate or not. When a private key is not available:

  • the certificate cannot be used for signing
  • when this certificate is used for encryption, the system will not able to decrypt or play back recordings
-
CompromisedIndicates if the certificate is compromised and can no longer be used. The system does not allow selecting or using certificates marked as compromised.-
Valid FromStart date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates.-
Valid UntilEnd date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates.-
ThumbprintThe unique thumbprint of the certificate in hex values.Required field

Configuring Encryption

Follow the steps below to configure encryption:

Step 1 - Using the web application, navigate to the Data \ Data Management Policies page.

Step 2 - Click on the Add New Data Management Policy link.

Step 3 - Set the Action to Upload when files need to be encrypted before uploading them to the storage location or to Encrypt and Sign if the files need to be encrypted in the current storage location.

Step 4 - Select the certificate under the Encrypt Files with Certificate option.

Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.

Please note that encryption policies will skip recordings which are under Retention Period.

Configuring Signing

Follow the steps below to configure signing:

Step 1 - Using the web application, navigate to the Data \ Data Management Policies page.

Step 2 - Click on the Add New Data Management Policy link.

Step 3 - Set the Action to Upload when files need to be signed before uploading them to the storage location or to Encrypt and Sign if the files need to be signed in the current storage location.

Step 4 - Select the certificate under the Sign Files with Certificate option.

Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.

Please note that signing policies will skip recordings which are under Retention Period.

Changing the Keys for Already Encrypted or Signed Recordings

In some cases (for instance when a certificate gets compromised and revoked) the certificates used for encryption and signing needs to be replaced with new ones and recordings already encrypted or signed need to be encrypted and signed again with the new certificates. The Encryption and Signing data retention policy allows changing the certificates for existing, already encrypted or signed recordings using the following process:

  1. Configure an Encryption and Signing policy and filter for one or more specific certificates used (in addition to standard filter options)
  2. The Storage Management Service decrypts then encrypts and signs the files using the new certificate(s)

Follow the steps below to change the certificates for already encrypted or signed recordings:

Step 1 - Using the web application, navigate to the Data \ Data Management Policies page.

Step 2 - Click on the Add New Data Management Policy link.

Step 3 - Set the Action to Encrypt and Sign to run the policy in the current storage location.

Step 4 - Select the certificate under the Encrypt Files with Certificate and the Sign Files with Certificate options.

Step 5 - Under the Data Management Filtering Criteria / Conversation Detail Fields select the Encrypted with Certificate or Signed with Certificate options to filter for one or more recordings encrypted and/or signed with the selected certificate(s).

Step 6 - Configure the data retention policy based on the requirements. For more information see Data management policies.