AVAILABLE IN VERSION 8.6 AND LATER

The Verint Financial Compliance (VFC) system provides a public key cryptography based encryption and digital signing solution to store recordings in a secure and encrypted format, and to protect the integrity of the recordings from tampering. Key features include:

Windows Certificate Store (WCS) and Azure Key Vault integration for key management
Industry standard crypto technologies such as RSA, AES, SHA
Separate certificates for encryption and signing
Data retention policy based configuration for encryption and/or signing
Support for defining any number of certificates
Support for all storage file formats
Both media and file-based metadata can be encrypted and signed
Seamless playback option over HTTPS
Automatic integrity check by validating the signature during playback
Ability to export recordings in non-encrypted format
Ability to configure certificates without the private key to disable playback in VFC completely
OpenSSL scripts available to decrypt and check signatures on recordings outside of the VFC system

The chapters below provide more details on the subject:

The encryption and digital signing features available prior version 8.6 are not compatible with the new version.

Overview

Encryption

The system allows encrypting recorded media and metadata files. If encryption is configured, the system will encrypt all available files for a recorded conversations:

Audio file
Video file
Screen capture file
IM transcript file
Metadata XML file

Encryption can be turned on by configuring a data retention policy:

Using the Upload and Move policies to encrypt recordings during the execution (before) the upload/move policy
Using the Encryption and Signing policy

Encryption process

The system encrypts the recorded media and metadata file (option) after the recording process is finished or in a configured time based on the data retention policy configuration. The encryption process consists of the following key steps:

The Storage Management Service executes a data retention policy where encryption is configured.
Based on the configuration, the service retrieves the certificate or key configured in System Management.
For each to be encrypted file (media and metadata XML), generates a session-key and saves the session-key with RSA encryption (public key) into the crypto information file.
Encrypts the file stream with AES-256-CTR.

Decryption and playback process when private key is available

Encrypted recordings can be played back on the web-based user interface in a seamless way. The decryption process includes the following steps:

User initiates playback (HTTPS).
The Content Server Service on the Media Repository retrieves the certificate or key used to encrypt the recording.
Decrypts the session-key parameters from the crypto information file with the related certificate/private key.
Decrypts symmetric cipher encrypted media with the session key.
Transcodes media to MP3 and streams it to the player in the browser over HTTPS (only).

Decryption and playback process when private key is not available

The system allows configuring certificates without private keys to disable decryption/playback in the Verba system. In this case, the Verba system is not able to provide any capability which requires access to the encrypted media files including playback, waveform, transcoding, export to not-encrypted media.

User initiates playback (HTTPS).
Media Repository returns encrypted media, metadata XML, crypto info files in a single ZIP file.
User opens the ZIP file in the Verba Offline Player application where the private key is also available.
The Verba Offline Player application decrypts the session-key parameters from crypto information file with the related certificate/private key.
Decrypts symmetric cipher encrypted media with the session key.
Plays media.

Integrity Protection / Digital Signing

The system allows signing recorded media and metadata files. If signing is configured, the system will sign all available files for a recorded conversations:

Audio file
Video file
Screen capture file
IM transcript file
Metadata XML file

Signing can be turned on by configuring a data retention policy:

Using the Upload and Move policies to sign recordings during the execution (before) the upload/move policy
Using the Encryption and Signing policy

Signing process

The Storage Management Service executes a data retention policy where signing is configured.
Based on the configuration, the service retrieves the certificate or key configured in System Management.
For each to be signed file (media and metadata XML), saves hashing algorithm and certificate or key into the crypto information file.
Calculates hash on the content of the file (when encryption is used also, hash calculation is done on the encrypted blocks).
Encrypts final hash with the configured certificate or key and saves the encrypted hash into the crypto information file.

Integrity validation process

The system allows verifying the digital signature through the following process:

User initiates check on the user interface .
The Media Utility Service on the Media Repository retrieves certificate or key configured in System Management.
Calculates hash (when encryption is used also, hash calculation is done on the encrypted blocks).
Decrypts signature with the certification public key/certificate and matches with the final hash.

Key Management

The system allows you to store and manage the certificates used for encryption and signing in local or cloud key management services.

The following integrations are supported:

Windows Certificate Store (WCS)
Azure Key Vault (AKV)

The system stores which conversation was encrypted and/or signed by which certificate. If you use WCS, the system stores the thumbprint of the certificate with the conversations. If you use AKV, Verba generates the Data Encryption Key (DEK), sends the key to AKV for encryption, and stores the encrypted DEK with the conversations.

To configure encryption and signing, you must be logged in using an administrative user account with access to certificates.

Windows Certificate Store as Key Management Service

If you use WCS as a key management service, the certificates have to meet the following requirements:

Have authorization for Verba service user account.
Be available on all Verba servers.
Have RSA keys (512, 1025, 2048, 4096).
Be valid, not expired or revoked.
Certificates for encryption must have a private and a public key (certificates without a private key will also be accepted, but playback will not be available in Verba).
Strong private key protection must be disabled.
Certificates for digital signing must have a private and a public key.
All certificates used at any time (even if expired) must be available to provide decryption and validation for any recording.

Certificates not satisfying the requirements above will not be used and the system will report an error on an encryption/signing/decryption/validation attempt.

It is strongly recommended to use different certificates for encryption and signing.

Renewing a certificate might generate new keys and thumbprint which need to be configured as a new certificate in Verba.

The system uses the Windows service user account for authorization. The following Verba services need access to the certificates:

Storage Management Service
Media Streamer and Content Server Service
Media Utility Service
Media Transcoder Service

Azure Key Vault as Key Management Service

If you use AKV as a key management service, you need to configure the details of the key vault instance separately from the encryption and signing configuration, under System > Key Management Services.

In Azure, you have to create an App Registration and associate it with your AKV instance. The application must have the following permissions when associated with the AKV instance:

Key Permissions
- Get
- List
- All permissions under Cryptographic Operations
- Get Rotation Policy
Secret Permissions
- Get
- List
Certificate Permissions
- Get
- List

The Application Registration ID and Secret are used to uniquely identify the Verba connection to AKV, and you need to specify those values when configuring the AKV instance in Verba under Key Management Services.

You need to create a Key in AKV and enable it before it can be used in Verba. Multiple versions can exist and be enabled for the key, and you can view the key versions both in AKV, and when opening the corresponding certificate configuration page in Verba under System > Encryption/Signing Certificates.

In Encryption/Signing Certificates, you can configure how often Verba regenerates the DEK. This allows the system to reduce network traffic by only connecting to the AVK when a new DEK needs encrypting, and conversations can be signed and encrypted with the stored DEK without recurring connections.

Configuring Encryption/Signing using the Windows Certificate Store

In order to use a certificate in the WCS, the certificate must be registered/configured in the Verba system. For requesting and assigning certificates to the Verba server see: Requesting and assigning certificates

Follow the steps below to configure certificates:

Step 1 - In the Verba web application, under System, select Encryption/Signing Certificates.

Step 2 - Select Add New Certificate.

Step 3 - Under Key Management, select Windows Certificate Store.

Step 4 - Configure the required parameters and click Save.

Configuring Encryption/Signing using the Azure Key Vault

You can use keys configured in an Azure Key Vault to encrypt and sign files in Verba.

Before you begin:

Ensure you have an Azure Key Vault configured, with at least one key.
Ensure an application is assigned to the Key Vault under Access Policies.

Step 1 - In the Verba web application, under System, select Key Management Services.

Step 2 - Select Add New Key Management Service.

Step 3 - Configure the required parameters and click Save.

Step 4 - Under System, select Encryption/Signing Certificates.

Step 5 - Select Add New Certificate.

Step 6 - Under Key Management, select the Key Management Service configured in steps 1-3.

Step 7 - Configure the required parameters and click Save.

Get the certificate thumbprint from Windows Certificate Manager

You can obtain the thumbprint of a certificate from Windows Certificate Manager.

Step 1 - On a server where the certificate is available, open Windows Certificate Manager.

Step 2 - Double click on the certificate you want to use in Verba.

Step 3 - In the Certificate menu, go to the Details tab,

Step 4 - Scroll down to find the Thumbprint field, and select the field.

When the Thumbprint field is selected, the hexadecimal thumbprint value appears in the blank space below the list of fields.

Step 5 - Highlight the hexadecimal values and press Ctrl+C.

Encryption/Signing configuration parameters

Field Name	Available for Key Management method	Description	Requirements
ID	Both	Unique identifier for the configured certificate in the Verba system.	Required field
Current Environment	Both	In multi-tenant deployments, the tenant for which the certificate is configured.	Required field
Name	Both	The display name of the certificate used in the Verba system.	Required field Minimum length: 1 Maximum length: 256
Key Management	Both	The type of key management service where the certificates are stored.	Required field
Private Key Accessible	Only Windows Certificate Store	Indicates if the private key is available in the certificate or not. When a private key is not available: the certificate cannot be used for signing when this certificate is used for encryption, the system will not able to decrypt or play back recordings	-
Compromised	Only Windows Certificate Store	Indicates if the certificate is compromised and can no longer be used. The system does not allow selecting or using certificates marked as compromised.	-
Valid From	Only Windows Certificate Store	Start date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates.	-
Valid Until	Only Windows Certificate Store	End date of the validation for the certificate. The system does not allow selecting or using expired, not valid certificates.	-
Thumbprint	Only Windows Certificate Store	The unique thumbprint of the certificate in hex values.	Required field
Key ID	Only Key Management Service	The unique name of the key in Azure Key Vault.	Required field
DEK Rotation Day(s)	Only Key Management Service	The time period when Verba generates a new Data Encryption Key (DEK) to use.	Required field

Key Management Service configuration parameters

Field Name	Description	Requirements
ID	Unique identifier for the configured key management service in the Verba system.	Required field
Current Environment	In multi-tenant Verba deployments, the tenant for which the certificate is configured.	Required field
Name	The display name of the key management service.	Required field
Type	The type of key management service used. Only supports Azure Key Vault.	Required field
URL	The Vault URI in Azure.	Required field
App Registration ID	The unique ID of the application describing the Verba system, that is configured in Azure to be used with the Key Vault.	Required field
Secret	The secret of the application describing the Verba system, that is configured in Azure to be used with the Key Vault.	Required field
Tenant ID	The Directory ID or Tenant ID of the Vault in Azure.	Required field
Proxy address	If using a proxy, the Fully Qualified Domain Name (FQDN), hostname, or IP address of the proxy.	-
Proxy port	If using a proxy, the port of the proxy.	-
Proxy user	If using a proxy, the user name used to connect to the proxy.	-
Proxy password	If using a proxy, the password used to connect to the proxy.	-

If proxy details are not specified in the Key Management Service configuration, the proxy details configured in the server configuration are used if they exist.

Configuring Encryption

Follow the steps below to configure encryption:

Step 1 - In the web application, under Data, go to Data Management Policies.

Step 2 - Select Add New Data Management Policy.

Step 3 - Set the Action to Upload when files need to be encrypted before uploading them to the storage location, or to Encrypt and Sign if the files need to be encrypted in the current storage location.

Step 4 - Select a certificate or key for Encrypt Files with Certificate.

Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.

Please note that encryption policies will skip recordings which are under Retention Period.

Configuring Signing

Follow the steps below to configure signing:

Step 1 - In the web application, under Data, go to Data Management Policies.

Step 2 - Select Add New Data Management Policy.

Step 3 - Set the Action to Upload when files need to be signed before uploading them to the storage location, or to Encrypt and Sign if the files need to be signed in the current storage location.

Step 4 - Select a certificate or key for Sign Files with Certificate.

Step 5 - Configure the data retention policy based on the requirements. For more information see Data management policies.

Please note that signing policies will skip recordings which are under Retention Period.

Changing the Keys for Already Encrypted or Signed Recordings

In some cases (for instance when a certificate or key gets compromised and revoked) the certificates used for encryption and signing needs to be replaced with new ones and recordings already encrypted or signed need to be encrypted and signed again with the new certificates. The Encryption and Signing data retention policy allows changing the certificates for existing, already encrypted or signed recordings using the following process:

Configure an Encryption and Signing policy and filter for one or more specific certificates used (in addition to standard filter options)
The Storage Management Service decrypts then encrypts and signs the files using the new certificates

Follow the steps below to change the certificates or keys for already encrypted or signed recordings:

Step 1 - In the web application, under Data, go to Data Management Policies.

Step 2 - Select Add New Data Management Policy.

Step 3 - Set the Action to Encrypt and Sign to run the policy in the current storage location.

Step 4 - Select the certificate or key for Encrypt Files with Certificate and Sign Files with Certificate.

Step 5 - Under the Data Management Filtering Criteria / Conversation Detail Fields select the Encrypted with Certificate or Signed with Certificate options to filter for one or more recordings encrypted and/or signed with the selected certificates.

Step 6 - Configure the data retention policy based on the requirements. For more information see Data management policies.

VFC Capture (Verba) 9.9

Encryption and integrity protection

Overview

Encryption

Encryption process

Decryption and playback process when private key is available

Decryption and playback process when private key is not available

Integrity Protection / Digital Signing

Signing process

Integrity validation process

Key Management

Windows Certificate Store as Key Management Service

Azure Key Vault as Key Management Service

Configuring Encryption/Signing using the Windows Certificate Store

Configuring Encryption/Signing using the Azure Key Vault

Get the certificate thumbprint from Windows Certificate Manager

Encryption/Signing configuration parameters

Key Management Service configuration parameters

Configuring Encryption

Configuring Signing

Changing the Keys for Already Encrypted or Signed Recordings

Related content