Encryption and integrity protection
AVAILABLE IN VERSION 8.6 AND LATER
The Verint Financial Compliance (VFC) system provides a public key cryptography based encryption and digital signing solution to store recordings in a secure and encrypted format, and to protect the integrity of the recordings from tampering. Key features include:
- Windows Certificate Store (WCS) and Azure Key Vault integration for key management
- Industry standard crypto technologies such as RSA, AES, SHA
- Separate certificates for encryption and signing
- Data retention policy based configuration for encryption and/or signing
- Support for defining any number of certificates
- Support for all storage file formats
- Both media and file-based metadata can be encrypted and signed
- Seamless playback option over HTTPS
- Automatic integrity check by validating the signature during playback
- Ability to export recordings in non-encrypted format
- Ability to configure certificates without the private key to disable playback in VFC completely
- OpenSSL scripts available to decrypt and check signatures on recordings outside of the VFC system
The chapters below provide more details on the subject:
The encryption and digital signing features available prior version 8.6 are not compatible with the new version.
Overview
Encryption
The system allows encrypting recorded media and metadata files. If encryption is configured, the system will encrypt all available files for a recorded conversations:
- Audio file
- Video file
- Screen capture file
- IM transcript file
- Metadata XML file
Encryption can be turned on by configuring a data retention policy:
- Using the Upload and Move policies to encrypt recordings during the execution (before) the upload/move policy
- Using the Encryption and Signing policy
Encryption process
The system encrypts the recorded media and metadata file (option) after the recording process is finished or in a configured time based on the data retention policy configuration. The encryption process consists of the following key steps:
- The Storage Management Service executes a data retention policy where encryption is configured.
- Based on the configuration, the service retrieves the certificate or key configured in System Management.
- For each to be encrypted file (media and metadata XML), generates a session-key and saves the session-key with RSA encryption (public key) into the crypto information file.
- Encrypts the file stream with AES-256-CTR.
Decryption and playback process when private key is available
Encrypted recordings can be played back on the web-based user interface in a seamless way. The decryption process includes the following steps:
- User initiates playback (HTTPS).
- The Content Server Service on the Media Repository retrieves the certificate or key used to encrypt the recording.
- Decrypts the session-key parameters from the crypto information file with the related certificate/private key.
- Decrypts symmetric cipher encrypted media with the session key.
- Transcodes media to MP3 and streams it to the player in the browser over HTTPS (only).
Decryption and playback process when private key is not available
The system allows configuring certificates without private keys to disable decryption/playback in the Verba system. In this case, the Verba system is not able to provide any capability which requires access to the encrypted media files including playback, waveform, transcoding, export to not-encrypted media.
- User initiates playback (HTTPS).
- Media Repository returns encrypted media, metadata XML, crypto info files in a single ZIP file.
- User opens the ZIP file in the Verba Offline Player application where the private key is also available.
- The Verba Offline Player application decrypts the session-key parameters from crypto information file with the related certificate/private key.
- Decrypts symmetric cipher encrypted media with the session key.
- Plays media.
Integrity Protection / Digital Signing
The system allows signing recorded media and metadata files. If signing is configured, the system will sign all available files for a recorded conversations:
- Audio file
- Video file
- Screen capture file
- IM transcript file
- Metadata XML file
Signing can be turned on by configuring a data retention policy:
- Using the Upload and Move policies to sign recordings during the execution (before) the upload/move policy
- Using the Encryption and Signing policy
Signing process
- The Storage Management Service executes a data retention policy where signing is configured.
- Based on the configuration, the service retrieves the certificate or key configured in System Management.
- For each to be signed file (media and metadata XML), saves hashing algorithm and certificate or key into the crypto information file.
- Calculates hash on the content of the file (when encryption is used also, hash calculation is done on the encrypted blocks).
- Encrypts final hash with the configured certificate or key and saves the encrypted hash into the crypto information file.
Integrity validation process
The system allows verifying the digital signature through the following process:
- User initiates check on the user interface .
- The Media Utility Service on the Media Repository retrieves certificate or key configured in System Management.
- Calculates hash (when encryption is used also, hash calculation is done on the encrypted blocks).
- Decrypts signature with the certification public key/certificate and matches with the final hash.
Key Management
The system allows you to store and manage the certificates used for encryption and signing in local or cloud key management services.
The following integrations are supported:
- Windows Certificate Store (WCS)
- Azure Key Vault (AKV)
The system stores which conversation was encrypted and/or signed by which certificate. If you use WCS, the system stores the thumbprint of the certificate with the conversations. If you use AKV, Verba generates the Data Encryption Key (DEK), sends the key to AKV for encryption, and stores the encrypted DEK with the conversations.
To configure encryption and signing, you must be logged in using an administrative user account with access to certificates.
Windows Certificate Store as Key Management Service
If you use WCS as a key management service, the certificates have to meet the following requirements:
- Have authorization for Verba service user account.
- Be available on all Verba servers.
- Have RSA keys (512, 1025, 2048, 4096).
- Be valid, not expired or revoked.
- Certificates for encryption must have a private and a public key (certificates without a private key will also be accepted, but playback will not be available in Verba).
- Strong private key protection must be disabled.
- Certificates for digital signing must have a private and a public key.
- All certificates used at any time (even if expired) must be available to provide decryption and validation for any recording.
Certificates not satisfying the requirements above will not be used and the system will report an error on an encryption/signing/decryption/validation attempt.
It is strongly recommended to use different certificates for encryption and signing.
Renewing a certificate might generate new keys and thumbprint which need to be configured as a new certificate in Verba.
The system uses the Windows service user account for authorization. The following Verba services need access to the certificates:
- Storage Management Service
- Media Streamer and Content Server Service
- Media Utility Service
- Media Transcoder Service
Azure Key Vault as Key Management Service
If you use AKV as a key management service, you need to configure the details of the key vault instance separately from the encryption and signing configuration, under System > Key Management Services.
In Azure, you have to create an App Registration and associate it with your AKV instance. The application must have the following permissions when associated with the AKV instance:
- Key Permissions
- Get
- List
- All permissions under Cryptographic Operations
- Get Rotation Policy
- Secret Permissions
- Get
- List
- Certificate Permissions
- Get
- List
The Application Registration ID and Secret are used to uniquely identify the Verba connection to AKV, and you need to specify those values when configuring the AKV instance in Verba under Key Management Services.
You need to create a Key in AKV and enable it before it can be used in Verba. Multiple versions can exist and be enabled for the key, and you can view the key versions both in AKV, and when opening the corresponding certificate configuration page in Verba under System > Encryption/Signing Certificates.
In Encryption/Signing Certificates, you can configure how often Verba regenerates the DEK. This allows the system to reduce network traffic by only connecting to the AVK when a new DEK needs encrypting, and conversations can be signed and encrypted with the stored DEK without recurring connections.
Configuring Encryption/Signing using the Windows Certificate Store
In order to use a certificate in the WCS, the certificate must be registered/configured in the Verba system. For requesting and assigning certificates to the Verba server see: Requesting and assigning certificates
Follow the steps below to configure certificates:
Step 1 - In the Verba web application, under System, select Encryption/Signing Certificates.
Step 2 - Select Add New Certificate.
Step 3 - Under Key Management, select Windows Certificate Store.
Step 4 - Configure the required parameters and click Save.
Configuring Encryption/Signing using the Azure Key Vault
You can use keys configured in an Azure Key Vault to encrypt and sign files in Verba.
Before you begin:
- Ensure you have an Azure Key Vault configured, with at least one key.
- Ensure an application is assigned to the Key Vault under Access Policies.
Step 1 - In the Verba web application, under System, select Key Management Services.
Step 2 - Select Add New Key Management Service.
Step 3 - Configure the required parameters and click Save.
Step 4 - Under System, select Encryption/Signing Certificates.
Step 5 - Select Add New Certificate.
Step 6 - Under Key Management, select the Key Management Service configured in steps 1-3.
Step 7 - Configure the required parameters and click Save.
Get the certificate thumbprint from Windows Certificate Manager
You can obtain the thumbprint of a certificate from Windows Certificate Manager.
Step 1 - On a server where the certificate is available, open Windows Certificate Manager.
Step 2 - Double click on the certificate you want to use in Verba.
Step 3 - In the Certificate menu, go to the Details tab,
Step 4 - Scroll down to find the Thumbprint field, and select the field.
When the Thumbprint field is selected, the hexadecimal thumbprint value appears in the blank space below the list of fields.
Step 5 - Highlight the hexadecimal values and press Ctrl+C.
Encryption/Signing configuration parameters
| Field Name | Available for Key Management method | Description | Requirements |
|---|---|---|---|
| ID | Both | Unique identifier for the configured certificate in the Verba system. | Required field |
| Current Environment | Both | In multi-tenant deployments, the tenant for which the certificate is configured. | Required field |
| Name | Both | The display name of the certificate used in the Verba system. | Required field Minimum length: 1 Maximum length: 256 |
| Key Management | Both | The type of key management service where the certificates are stored. | Required field |
| Private Key Accessible | Only Windows Certificate Store | Indicates if the private key is available in the certificate or not. When a private key is not available:
| - |
| Compromised | Only Windows Certificate Store | Indicates if the certificate is compromised and can no longer be used. The system does not allow selecting or using certificates marked as compromised. | - |
| Valid From | Only Windows Certificate Store | Start date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates. | - |
| Valid Until | Only Windows Certificate Store | End date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates. | - |
| Thumbprint | Only Windows Certificate Store | The unique thumbprint of the certificate in hex values. | Required field |
| Key ID | Only Key Management Service | The unique name of the key in Azure Key Vault. | Required field |
| DEK Rotation Day(s) | Only Key Management Service | The time period when Verba generates a new Data Encryption Key (DEK) to use. | Required field |
Key Management Service configuration parameters
| Field Name | Description | Requirements |
|---|---|---|
| ID | Unique identifier for the configured key management service in the Verba system. | Required field |
| Current Environment | In multi-tenant Verba deployments, the tenant for which the certificate is configured. | Required field |
| Name | The display name of the key management service. | Required field |
| Type | The type of key management service used. Only supports Azure Key Vault. | Required field |
| URL | The Vault URI in Azure. | Required field |
| App Registration ID | The unique ID of the application describing the Verba system, that is configured in Azure to be used with the Key Vault. | Required field |
| Secret | The secret of the application describing the Verba system, that is configured in Azure to be used with the Key Vault. | Required field |
| Tenant ID | The Directory ID or Tenant ID of the Vault in Azure. | Required field |
| Proxy address | If using a proxy, the Fully Qualified Domain Name (FQDN), hostname, or IP address of the proxy. | - |
| Proxy port | If using a proxy, the port of the proxy. | - |
| Proxy user | If using a proxy, the user name used to connect to the proxy. | - |
| Proxy password | If using a proxy, the password used to connect to the proxy. | - |
If proxy details are not specified in the Key Management Service configuration, the proxy details configured in the server configuration are used if they exist.
Configuring Encryption
Follow the steps below to configure encryption:
Step 1 - In the web application, under Data, go to Data Management Policies.
Step 2 - Select Add New Data Management Policy.
Step 3 - Set the Action to Upload when files need to be encrypted before uploading them to the storage location, or to Encrypt and Sign if the files need to be encrypted in the current storage location.
Step 4 - Select a certificate or key for Encrypt Files with Certificate.
Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.
Please note that encryption policies will skip recordings which are under Retention Period.
Configuring Signing
Follow the steps below to configure signing:
Step 1 - In the web application, under Data, go to Data Management Policies.
Step 2 - Select Add New Data Management Policy.
Step 3 - Set the Action to Upload when files need to be signed before uploading them to the storage location, or to Encrypt and Sign if the files need to be signed in the current storage location.
Step 4 - Select a certificate or key for Sign Files with Certificate.
Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.
Please note that signing policies will skip recordings which are under Retention Period.
Changing the Keys for Already Encrypted or Signed Recordings
In some cases (for instance when a certificate or key gets compromised and revoked) the certificates used for encryption and signing needs to be replaced with new ones and recordings already encrypted or signed need to be encrypted and signed again with the new certificates. The Encryption and Signing data retention policy allows changing the certificates for existing, already encrypted or signed recordings using the following process:
- Configure an Encryption and Signing policy and filter for one or more specific certificates used (in addition to standard filter options)
- The Storage Management Service decrypts then encrypts and signs the files using the new certificates
Follow the steps below to change the certificates or keys for already encrypted or signed recordings:
Step 1 - In the web application, under Data, go to Data Management Policies.
Step 2 - Select Add New Data Management Policy.
Step 3 - Set the Action to Encrypt and Sign to run the policy in the current storage location.
Step 4 - Select the certificate or key for Encrypt Files with Certificate and Sign Files with Certificate.
Step 5 - Under the Data Management Filtering Criteria / Conversation Detail Fields select the Encrypted with Certificate or Signed with Certificate options to filter for one or more recordings encrypted and/or signed with the selected certificates.
Step 6 - Configure the data retention policy based on the requirements. For more information see Data management policies.