
enterprise white paper ::

Nuance VocalPassword™

Security Overview

Contents

About this Document
Nuance VocalPassword™ Security Overview
Architecture & System Components
System Components
Product infrastructure
Authentication
Web Server Access
Database Access
LDAP Server Access
File System Access
Authorization
System Authorization
Audit
Audit levels
Audit Protection
Audited operations and entities
Log viewer
Administration
Web based administration applications
The Web-based Security Console Application
VPMCLI
SNMP
Data Security
Data manipulation
Data Integrity & Encryption
Custom Encryption Plug-in
Multi-tenancy
Network Security
Interface protection
Inter-Process Communication security
Voice Biometrics Application Security
Mitigating recording threats


About this Document

Nuance VocalPassword™ is an advanced biometric speaker verification system that verifies a speaker’s identity based on voice samples acquired during interaction with voice, Web, or mobile applications.

VocalPassword 7.0 delivers state of the art accuracy as well as exceptional ease of integration and deployment, enabling customers to utilize the biometric power of voice to protect personal self-service applications and provide secure, efficient, and convenient access to contact centers and remote applications.

This document provides an overview of VocalPassword product security. As an authentication product, VocalPassword implements a wide range of security measures to protect its resources against diversified threats. This document is intended for sales engineers and for IT security personnel who evaluate the use of VocalPassword in their protected IT environments.

Nuance VocalPassword™ Security Overview

Nuance VocalPassword is a voice biometrics system which is implemented in security-sensitive environments. As such, it must adhere to strict security requirements and comply with privacy and additional industry-specific regulations. VocalPassword is protected at both the application level and the infrastructure level using the standard “Four A’s” of enterprise security: Administration, Authentication, Authorization, and Audit. VocalPassword’s security design is based on the Common Criteria Protection Profile for biometric speaker verification systems and has successfully passed third-party security audits and penetration attacks performed by customers.

VocalPassword supports integrated Windows security and role-based authorization (RBA). Together with the security mechanisms provided by the system infrastructure, the system can be configured to meet the security requirements of financial services, government agencies, healthcare service providers and other security-sensitive organizations.

The following diagram provides an overview of VocalPassword security architecture and mechanisms.

[Diagram: VocalPassword security architecture. Labels: Voice Platform, File System, IIS, VocalPassword™ Processing Server, Admin Apps, Authorization Manager, Active Directory/ADAM, Authentication/Authorization/Audit, Web Service, SSL, Buffer Overflow & SQL Injection Check, Oracle / SQL Server / Sybase / DB2, Role-Based Authorization, Full System Audit, VocalPassword™ DB, LDAP, NTFS, Hashed Audio File Names.]

Architecture & System Components

VocalPassword includes a set of applications, services and tools that work together in order to provide voice biometrics services.

System Components

The VocalPassword system comprises two main logical components: the Processing Server and the Data Repository Server. These components can reside on a single machine or be distributed among multiple machines. A system can comprise multiple instances of each component.

Processing Server

The Processing Server is the main processing component of the VocalPassword system. Multiple Processing Servers can optionally be used in a redundancy scheme for high availability purposes, or in a load balancing scheme for scalability. The Processing Servers run the VocalPassword application that provides the following functions:

•   Service control – The Processing Server exposes a set of Web Services (SOAP/HTTP) which are used by calling applications as well as by the system’s administration tools and Web-based GUI Applications.
•   Algorithmic processing – This is the core biometric functionality of VocalPassword.

Each Processing Server includes two web applications that run under Microsoft IIS:

•   VocalPassword Web Services – Provides a set of API methods accessed through SOAP and HTTP.
•   VocalPassword Web Applications – These web applications are used by Administrators, IT managers, Security Officers and helpdesk agents.

In addition, the VocalPassword system includes a set of utilities/desktop administration applications. These are typically installed with each Processing Server.

Data Repository Server

The Data Repository Server is the logical name of the component which is responsible for handling and storing persistent data. Each data repository server contains the following components:

•   SQL Database – The Database is used to store audit information, log messages and other information used for reports. VocalPassword supports most of the leading Databases.
•   LDAP Directory – LDAP directory is used to securely store sensitive persistent data related to speakers, groups, voiceprints, and configurations. VocalPassword supports multiple LDAP directories.
•   Audio Files folder – A shared folder used for storing audio files.
•   Persistent Data Replicator (PDR) – Nuance’s replication service, responsible for duplicating database records and audio files between two data repository servers (Optional).
•   Logger Service – This service queues log messages and saves them in the background to the database.

A VocalPassword system must include at least one Data Repository Server. Two Data Repository Servers can be used in an active-active configuration for redundancy.

The following diagram outlines VocalPassword components and architecture.

[Diagram: VocalPassword components and architecture. Labels: Processing Server (N+1) with IIS and the VocalPassword Application Pool; VocalPassword Native Web Service APIs; VXML Gateway; VocalPassword Web Applications (Technical Management, Platform Admin, Voiceprint Helpdesk, Security Console); Algorithmic Engines (Text Dependent, Text Independent, Text Prompted, Utterance Validation, Liveness Detection, Playback Detection, ASR (Optional)); Tools and Services (Logger Service, SNMP Agent, Bit (Quick Test), Authorization Manager, Calibration Wizard, Custom Encryption Hooks, Management Command Line Interface (MCLI)); Data Repository Server (1+1) with PDR - Nuance Data Replicator (DB/Audio Sync), File system (Hashed Audio Files), LDAP Directory (User, Group, Voiceprint, Speakers, Configuration, Roles, Scopes; Microsoft AD, IBM Tivoli TDS) and Database (Audit, Reports, Logs; Oracle, SQL Server, DB2, MySQL, Sybase, Informix).]

Product infrastructure

Operating System

VocalPassword is based on .NET Framework 4.0 and as such it can run only on Windows machines. Currently the product supports the following operating systems:

•  Windows XP
•  Windows 2003 Server
•  Windows 2008 Server
•  Windows 7

Database

A Database is used to store audit information and log messages. The database may be installed on the same machine as the Data Repository or on a remote machine. VocalPassword utilizes common ADO.NET infrastructure to access the database.

VocalPassword supports the following databases:

•  Microsoft SQL Server 2005
•  Microsoft SQL Server 2000
•  Oracle 10g with RAC support
•  Oracle 11g with RAC support
•  DB2
•  MySQL 5.5
•  SQL Express

LDAP Directory

LDAP is an application protocol for reading and editing directories over an IP network. The LDAP Directory is used to securely store the application’s persistent data entities such as speakers, voiceprints, and configuration. The supported LDAP Directories are:

•   ADAM – Active Directory Application Mode – This lightweight version of Microsoft Active Directory runs as a service on the data repository server. This is the default directory for installations on Windows XP and Win2003 Server operating systems.

•   AD LDS – Active Directory Lightweight Directory Services – This lightweight version of Microsoft Active Directory runs as a service on the data repository server. This is the default directory for installations on Windows 7 and Win2008 Server operating systems.

•   Active Directory – Microsoft’s Directory Services product – The domain’s active directory can be used as the LDAP directory. When used, an extension of the Active Directory Schema is required in order to support VocalPassword entities.

• TDS – IBM Tivoli Directory Server.

Web Server

The VocalPassword system uses IIS (Internet Information Services) as its web server and is based on the IIS ASP.NET 4.0 extension. VocalPassword 7.x offers enhanced, open, and flexible Web service APIs, ensuring smooth, platform-independent integration using any programming environment. In addition, the VocalPassword Web Applications enable easy access to tools and information needed for successful deployment.

VocalPassword utilizes IIS web server security mechanisms; for example, application session timeout and limiting access to specific IPs are supported.

Authentication

Web Server Access

VocalPassword authenticates users based on Windows Integrated Security. This ensures that system policies regarding passwords are handled according to the local domain policies (enforced by the Domain Controller). VocalPassword does not store passwords in its database or in any other application’s data store. Users accessing the system, whether by programmatically calling the system’s web service API, by using one of the administration applications, or by accessing a web page, are authenticated by the IIS using the Domain Controller. By setting a designated configuration parameter, the system can ensure exclusive log-in to the web applications.

Note: Authentication policies supported by Microsoft IIS, such as certificates and passports, are also supported by VocalPassword. The VocalPassword Web Applications can be configured to enable Single Sign On, which eliminates the need to re-enter user name and password when accessing the application.

Database Access

Credentials to the system’s database are provided as part of the connection string used by VocalPassword. By default, VocalPassword uses Windows integrated security as the database authentication method. This means that the application’s identity is used when accessing the database. Another alternative is to specify a username and a password in the connection string. When this is done, this identity is used by all components accessing the database and must be managed manually. When this option is used, the password is saved encrypted in the system’s configuration file.

LDAP Server Access

The applications access the LDAP Server using Windows Integrated Security. Note that the application’s identity is used when accessing the LDAP Server.

File System Access

File system access is controlled by the operating system. Every access to the file system by the VocalPassword application will be performed under the credentials of the application user.

Authorization

System Authorization

Role-based Authorization (RBA)

VocalPassword utilizes Microsoft Authorization Manager (AZMAN) for managing roles and operations. AZMAN is a general-purpose role-based security architecture for Windows. Using roles, the operating system determines whether a process or a user is privileged to perform an operation.

Roles are defined in the Authorization Store of VocalPassword’s LDAP Directory. Each role can be granted permission to perform operations (an operation is a basic activity unit that the system performs). Every API method has a corresponding operation. Windows users and groups can be assigned a role, and be authorized to perform operations according to the role’s definition. The system is installed with the following predefined roles. These roles can be customized and additional roles can be defined.

•  ClientApplication
•  HelpDesk
•  PlatformAdmin
•  MainScope
•  Security

Every access to the Database, the LDAP Server, or the file system by the VocalPassword application is performed using the credentials of the application user. Once the application has validated that the network user is permitted to perform a certain operation, the application user serves as a delegate for the network user. This means that in order to allow an application user to perform an operation that will, for example, delete a file from the file system, it is not required to add write privileges to the network user.

Audit

VocalPassword Audit is composed of the following elements:

•   Every API method is logged in the system’s database.

•   Other standard system infrastructure components (such as the OS, IIS, DB) have their own auditing tools and capabilities that need to be enabled.

•   Audio files used for Enrollment/Verification may be saved for Audit purposes.

Audit levels

VocalPassword allows the system administrator to control the level of audit info detail that will be saved by the system. There are three audit levels:

•   Alg Debug – Specifies whether to audit detailed algorithmic outputs (mainly used for algorithmic troubleshooting).

•   Operational – Specifies whether to save operation level audit information (such as Enroll/Verify/Identify/Fraudsters detection etc.). There are three options for saving operational level audit information:
    – Always – the system saves all audit information.
    – Conditional – the system saves audit information only for delete operations and in case of an error in other operations.
    – Never – the system does not save operational-level audit information.

•   System – Specifies whether to save system level audit information. There are three options for saving system level audit information:
    – Always – the system saves all system level audit information.
    – Conditional – the system saves audit information only for system level write operations and in case of an error in read operations.

In addition, a configuration parameter named “log level” enables selecting the desired log level, enabling the system to keep different levels of log messages for different applications, services or scopes.

Audit Protection

VocalPassword audit information is stored securely in the system’s database. Besides the system-specific audit trail, the logs of the VocalPassword system infrastructure (IIS, LDAP Directory, Database) are protected by the various standard mechanisms of those components.

Audited operations and entities

Auditing Audio Files

VocalPassword supports auditing audio files used in the system using two configuration parameters:

•   SaveEnrollAudio – Specifies whether to save enrollment audio.
    – Always – Enrollment audio is always saved.
    – UntilTrained – Enrollment audio is saved temporarily and deleted as soon as the voiceprint is trained.
    – Never – Enrollment audio is never saved.

•   SaveOperationalAudio – Specifies whether to save operational audio (the audio associated with Verify, Identify, and Fraudsters Detection operations).

LDAP Server Audit

LDAP Server supports audit capabilities and enables flexible audit configuration. For more information see http://technet.microsoft.com/en-us/library/cc779161(WS.10).aspx

API Audit

Every call to an API method is logged in the system’s database. The API record includes the following details:

•   Request ID – A 64-bit unique identifier assigned to each API call. This ID is unique across all the system’s servers and can be used to reference other details stored in the database about the request such as verification score, or failure details.
•   Method Name – The API method name.
•   Input Parameters – The values of the API method parameters.
•   Finish Status – An error or success code.
•   Timestamp – The exact time of the request execution.
•   Server name – The name of the processing server that handled the request.
•   Client ID – The IP address of the client.
•   User name – The Windows username of the client.
•   Data repository server name – The name of the data repository server on which the data was originally stored.
•   Session ID – A token which is received from the StartSession command that launched the current session.
•   Scope – The scope which is the context of the current API operation.

Log viewer

VocalPassword saves log messages in the database based on the LogLevel parameter in the system configuration. Log messages can be accessed using the Log Viewer, which enables online or offline viewing of an application’s log messages. The Log Viewer is available as a Windows application or as a web page in the Technical management application.

Use the Log functionality to troubleshoot the system or analyze past system activity. The log section is divided into two views:

•   History Log View, which enables auditing past system activities. Log information retrieval can be controlled by dates and log level. Once retrieved, log information can be sorted, filtered or saved to a file.

•   Online Log View, which is used to monitor system activities in real time. The Online Log View displays system-wide log messages as they are recorded in the VocalPassword database, enabling faults to be isolated and communicated to the vendor. Log messages can be saved to a file.

Administration

Web based administration applications

VocalPassword provides a set of web-based administration applications allowing management of all system aspects. The following applications are provided out-of-the-box:

•   Security Console
•   Voiceprint Helpdesk
•   Platform Admin
•   Technical Management

Access to these applications is controlled by Windows Integrated Security and VocalPassword’s role-based authorization.

VocalPassword Technical Management Application enables technical personnel, who are in charge of the system’s health, to monitor the status of VocalPassword system components, audit system-wide logs, schedule administrative tasks such as audio purging, upload and view system licenses, and more.

VocalPassword Platform Admin is a web based Application that provides a variety of tools for properly setting up the system and its biometric functionality as well as managing speakers, voiceprints and groups. Use this application to configure VocalPassword, perform queries and reports, and monitor the system usage.

VocalPassword Voiceprint Helpdesk provides a set of tools enabling auditing and reviewing a speaker’s interactions with the system. Use the Helpdesk functions to audit verification results and decisions, edit speaker information, delete a speaker, edit a voiceprint and more.

The VocalPassword Security Console Application enables security personnel to audit VocalPassword operation and analyze specific verification and identification processes. The application provides tools for managing fraudsters voiceprints and groups. In addition, the security console collects and presents diversified security alerts.


The Web-based Security Console Application

The VocalPassword Security Console Application enables security personnel to audit VocalPassword operation and analyze specific verification and identification processes. The application provides tools for managing voiceprints as well as all aspects of user authorization. The Security Console Application is divided into four functionalities: Authorization Manager, Voiceprint Helpdesk, Configuration, Log. The following screenshot presents these functionalities.

1.   Authorization Manager Functionality – allows managing all aspects of User Authorization. Using roles, the system can make determinations, such as whether a process is privileged to perform an action. VocalPassword utilizes Microsoft’s Authorization Manager Infrastructure to manage user authorization in the system. Authorization Manager functionality is divided into three sections:

  a.   Scope management – used for adding scopes (tenancies) in a multi-tenant system

  b.   User management – used for assigning roles to users and groups

  c.   Role management – used for defining, creating and customizing roles

The following screenshots depict the User Management page and the role customization functionality of the Security Console.


2.   Voiceprint Helpdesk functionality – provides a set of tools enabling auditing and reviewing a speaker’s interactions with the system, editing voiceprint audio and adapting voiceprints with audio used for verification. Voiceprint Helpdesk is divided into two sections:

  a.   Audit Speaker Interactions – used for reviewing a specific speaker’s interactions with the system. Information available includes session info as well as information regarding each and every operation within the session (i.e. Enrolment, Verification etc.). Verification statistics and scores are displayed including decision reasons and extended scoring information. Speaker audit information can be filtered, sorted and grouped for better analysis. Audit information also includes the speaker’s audio. This audio can be played back and / or downloaded assuming the system audit configuration is set to store it and the proper security privileges are set.

  b.   Review Voiceprint – enables reviewing of a speaker’s voiceprint/s. Use this page to listen to audio used for enrollment, and edit it if necessary, removing unrelated or faulty audio. The Edit Voiceprint page enables removing and adding audio segments from / to a speaker’s voiceprint and adapting it with verification audio segments if available. Use the Edit Voiceprint page to fix problematic voiceprints that deliver high false rejection rate as well as to enhance the quality of existing voiceprints via manual adaptation.

3.   Configuration Functionality – enables the system administrator to control and manipulate the system configuration and operation. VocalPassword system supports multiple concurrent configurations that are used to control the system’s diversified functionality and multi-engine infrastructure. Use the configuration functionality to comply with diversified requirements (i.e. Security, Audit), optimize the system performance, and adjust its functionality to accommodate for a specific call / verification flow. Configuration is divided into two sections:

a. Edit Configuration Sets – enables creating, editing, uploading, downloading, and comparing Configuration Sets. A Configuration Set is a set of parameters and their corresponding values that controls the operation of VocalPassword in a specific context which can be an application or a specific operation. Configuration Sets inherit parameters’ values from the system’s “Default” configuration set and enable the user to overwrite specific ones as necessary.

b. Configuration Audit – used to track all of the system’s configuration changes. Use this page to review configuration changes and filter them by dates, parameter category, and more. Information retrieved includes parameters values, timestamp, change initiator, IP and host name. Configuration Audit page can be used by the system administrator as well as by Nuance support to isolate system problems caused by configuration errors.

VPMCLI

VocalPassword includes a command line utility that enables an administrator to perform various administration tasks, such as retraining voiceprints or deleting history records from the database. A system administrator using the VPMCLI must have the proper credentials and authorization to use the various functionality provided by this utility.

SNMP

VocalPassword’s SNMP agent receives SNMP requests and sends SNMP traps to standard network monitoring consoles complying with SNMPv2 standard. Each Processing Server has an SNMP agent service that handles SNMP Get/Set requests and sends SNMP traps when important system events occur. VocalPassword monitoring can be easily added to standard SNMP-based consoles.

Data Security

Data manipulation

VocalPassword checks every input for data manipulation such as SQL injection, LDAP injection, buffer overflow and Cross-Site Scripting (XSS).

Data Integrity & Encryption

Voiceprints are stored in a proprietary format in the system’s LDAP directory and cannot be reverse engineered. Voiceprints are signed with the speaker ID and the customer ID (system ID) which is a unique key assigned to each installation. This signing protects the system voiceprints from being manipulated by authorized users. Voiceprints cannot be used outside the specific system, including in other VocalPassword systems.

Customer related information (Speaker IDs, Group IDs) is encrypted by VocalPassword by default using a 128-bit encryption mechanism (Rijndael). Customer-specific encryption mechanisms are supported.

Audio Files stored in the file system can be encrypted using standard OS encryption mechanisms. The names of the saved audio files are hashed so that they cannot be associated directly with a specific speaker.

LDAP Directory store – The LDAP Directory store used by VocalPassword (provided by Microsoft/IBM) is encrypted by default using proprietary encryption mechanisms.

Database – The databases used by VocalPassword can be configured to encrypt stored information.
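The binding properties described above for voiceprints and audio file names can be illustrated with a keyed MAC. This is an added example, not Nuance code and not the proprietary VocalPassword format: HMAC-SHA256, the separate per-installation key, the field framing, the use of the request ID in the file name and the .wav extension are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def _frame(*fields: bytes) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") never
    # produce the same MAC input.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def sign_voiceprint(system_key: bytes, system_id: str, speaker_id: str,
                    voiceprint: bytes) -> bytes:
    """Tag that binds the voiceprint bytes to one speaker and one installation."""
    msg = _frame(b"voiceprint", system_id.encode(), speaker_id.encode(), voiceprint)
    return hmac.new(system_key, msg, hashlib.sha256).digest()


def verify_voiceprint(system_key: bytes, system_id: str, speaker_id: str,
                      voiceprint: bytes, tag: bytes) -> bool:
    expected = sign_voiceprint(system_key, system_id, speaker_id, voiceprint)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def audio_file_name(system_key: bytes, speaker_id: str, request_id: int) -> str:
    """Opaque name for a stored recording.

    The hash is keyed because speaker IDs are guessable: an unkeyed hash of a
    speaker ID can be recomputed by anyone who can list the audio folder.
    """
    msg = _frame(b"audio-name", speaker_id.encode(), struct.pack(">Q", request_id))
    return hmac.new(system_key, msg, hashlib.sha256).hexdigest()[:32] + ".wav"


def run_checks() -> dict:
    """Exercise the bindings on constructed sample data."""
    key_a = secrets.token_bytes(32)   # installation A (constructed)
    key_b = secrets.token_bytes(32)   # installation B (constructed)
    vp = b"\x01\x02constructed-voiceprint-bytes"
    tag = sign_voiceprint(key_a, "SYSTEM-A", "speaker-1001", vp)
    return {
        # Same system, same speaker, same bytes: accepted.
        "genuine": verify_voiceprint(key_a, "SYSTEM-A", "speaker-1001", vp, tag),
        # Voiceprint copied onto another speaker's entry: rejected.
        "other_speaker": verify_voiceprint(key_a, "SYSTEM-A", "speaker-1002", vp, tag),
        # Voiceprint copied to another installation: rejected.
        "other_system": verify_voiceprint(key_b, "SYSTEM-B", "speaker-1001", vp, tag),
        # Voiceprint bytes edited in the directory: rejected.
        "modified": verify_voiceprint(key_a, "SYSTEM-A", "speaker-1001",
                                      vp[:-1] + b"X", tag),
        "file_name": audio_file_name(key_a, "speaker-1001", 1),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

When reviewing a deployment, the property to confirm is the one the checks exercise: a voiceprint or file name is only meaningful together with the installation's key, so directory or file-share access alone does not allow entries to be swapped or attributed.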

Custom Encryption Plug-in

Nuance supplies a built-in encryption mechanism which uses Rijndael symmetric encryption (AES) with a 128-bit key. If the customer wishes to control the system’s encryption method, he may do so through the encryption plug-in. The encryption plug-in enables customized encryption, giving the customer full control over the encryption algorithm and key. A configuration parameter which points to the encryption software must be set to enable custom encryption.

Multi-tenancy

Multi-Tenancy enables logical partitioning of the entire system in an effortless manner through the use of scopes. This allows a clear cut separation of the system’s data, configuration, audit, roles, etc. within an organization, enabling a single enterprise to use VocalPassword for multiple/distinct applications in different business units. Multi-Tenancy is ideal for a hosted solution, enabling a service provider to offer VocalPassword as a service to multiple enterprises. The benefits are both from a practical aspect and from a security aspect.

Regardless of what system tool is used or what API method is called, everything is performed in the context of a specific scope. Scopes are assigned to users by the system security administrator. Each session is associated with a certain scope; the configuration set specified when calling an API method is used to determine the desired scope.

Network Security

Interface protection

VocalPassword web service interface access is controlled using IIS6 or IIS7 security supporting SSL encryption. All authentication schemes are supported: Integrated, Basic, Digest, and Certificates.

Inter-Process Communication security

VocalPassword processes

The different components which compose the VocalPassword system communicate with each other over TCP using WCF (Windows Communication Foundation), the technology used for inter-process communication between different components of VocalPassword. More information regarding WCF can be found at http://msdn.microsoft.com/en-us/netframework/aa663324. All ports used for inter-process communication are configurable. This allows System Administrators to specify which ports will be used in their specific site. The component used for inter-process communications is NET.TCP. This standard component secures TCP communications in various ways.

Processing Server – LDAP Directory communication security

VocalPassword communicates with the LDAP directory via a .Net component (Microsoft Directory Entry) which is part of Microsoft Directory Services, itself part of the .Net Framework. The component supports LDAPS for secure LDAP communication.

Processing Server – SQL Database communication security

VocalPassword communicates with the SQL Server using a database-specific ADO.Net provider. The provider communication security is proprietary and database-specific.

Voice Biometrics Application Security

Mitigating recording threats

Recording threats are the threat of fraudsters using voice recordings of legitimate speakers. VocalPassword provides the following three methods for diminishing these threats:

•   Liveness detection (Intra-session voice variation) – This unique and patented method significantly reduces recording threats. Following text-dependent verification, this method uses text-independent voice biometrics technology to compare the voice sample captured during the text-dependent verification process, with an additional sample captured by prompting the speaker to repeat a random or semi-random sentence. By combining the obtained biometric scores and validating that the speaker indeed repeated the requested utterance (using VocalPassword’s Utterance Validation engine or ASR), a liveness detection score is extracted.

•   Prompted passwords verification – Prompted verification requires the user to repeat a random phrase that is a subset of speech atoms (digits/words) trained during enrollment. Prompted verification provides protection against interception and playback attacks, as each session uses a different subset of the trained speech atoms.

•   Playback detection – VocalPassword’s patented playback detection algorithm runs as part of the verification process and identifies audio segments that unnaturally match audio segments that were previously used for verification/enrollment.
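The challenge side of prompted verification can be sketched as follows. This is an added example, not VocalPassword code: the class and method names are hypothetical, and the time limit, the per-speaker history of recent phrases and the single-use rule are assumptions about how a calling application might issue and check prompts. The recognized atoms are assumed to come from an utterance validation or ASR step.

```python
import math
import secrets
import time
from collections import deque


def replay_match_probability(trained_atoms: int, phrase_length: int) -> float:
    """Chance that one recorded session happens to match a fresh random prompt."""
    return 1.0 / math.perm(trained_atoms, phrase_length)


class PromptedChallenges:
    """Issues one-time random prompts drawn from a speaker's trained atoms."""

    def __init__(self, ttl_seconds=30.0, history=20, clock=time.monotonic):
        self._rng = secrets.SystemRandom()   # OS CSPRNG, not the default PRNG
        self._ttl = ttl_seconds
        self._history = history
        self._clock = clock
        self._pending = {}   # session_id -> (speaker_id, phrase, expiry)
        self._recent = {}    # speaker_id -> recently issued phrases

    def issue(self, session_id, speaker_id, trained_atoms, length):
        atoms = sorted(set(trained_atoms))
        if length < 1 or length > len(atoms):
            raise ValueError("phrase length must be between 1 and the atom count")
        # Refuse a prompt space so small that recent phrases would exhaust it.
        if math.perm(len(atoms), length) <= self._history:
            raise ValueError("too few trained atoms for this phrase length")
        recent = self._recent.setdefault(speaker_id, deque(maxlen=self._history))
        while True:
            phrase = tuple(self._rng.sample(atoms, length))
            if phrase not in recent:         # never repeat a recent prompt
                break
        recent.append(phrase)
        self._pending[session_id] = (speaker_id, phrase, self._clock() + self._ttl)
        return phrase

    def check(self, session_id, speaker_id, recognized_atoms):
        """Validate what was said; the biometric score is checked separately."""
        # pop(): a prompt is consumed by its first attempt, right or wrong.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "no-challenge"
        owner, phrase, expiry = entry
        if owner != speaker_id:
            return "wrong-speaker"
        if self._clock() > expiry:
            return "expired"
        if tuple(recognized_atoms) != phrase:
            return "wrong-phrase"
        return "ok"


if __name__ == "__main__":
    digits = [str(d) for d in range(10)]     # constructed: atoms trained at enrollment
    challenges = PromptedChallenges()
    prompt = challenges.issue("session-1", "speaker-1001", digits, 4)
    print("prompt:", " ".join(prompt))
    print("first attempt:", challenges.check("session-1", "speaker-1001", prompt))
    print("replayed attempt:", challenges.check("session-1", "speaker-1001", prompt))
    print("replay match probability:", replay_match_probability(10, 4))
```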

About Nuance Communications, Inc.

Nuance is a leading provider of speech and imaging solutions for businesses and consumers around the world. Its technologies, applications and services make the user experience more compelling by transforming the way people interact with information and how they create, share and use documents. Every day, millions of users and thousands of businesses experience Nuance’s proven applications and professional services. For more information, please visit: www.nuance.com.

©2011 Nuance Communications, Inc. All rights reserved. Nuance, the Nuance logo, The experience speaks for itself, SpeakFreely, and VocalPassword are trademarks and/or  registered trademarks of Nuance Communications, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are the properties of their  respective owners.  WP  041511  NUCC1061
