In order to allow SRTP as a selection in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media, a new Selection-based FCS_COP.1 requirement has been added in Annex B of the VVOIP v1.0 EP to include AES-CTR mode (as defined in NIST SP800-38A).  As a result of this, additional guidance will be needed in Sections 5.1 and 5.2 of the VVOIP EP as well. 

The following outlines the changes to the VVOIP 1.0 EP:

Add the following immediately after the section 5.1.1 header of the VVOIP 1.0 EP:

FCS_COP.1(1) - This SFR is mandatory in the NDcPP.  The FCS_COP.1(5) in this EP is selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media.  If the ST author selects “SRTP”, then the FCS_COP.1(1) requirement from the NDcPP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST as well.  In order to preserve clarity, separate iterations are used rather than combining the requirements.  It should be noted that “GCM” is a selection in both iterations, and in FCS_COP.1(5) GCM is only allowed for 256-bit keys, so if there is a different key size specified for functions in the NDcPP (e.g., TLS) that use GCM, the TSS should note those instances.

Add the following immediately after the section 5.2.1 header of the VVOIP 1.0 EP:

FCS_COP.1(1) - This SFR is selection-based in the Application PP. In the App PP, 256-bit AES is required (and 128-bit AES is optional), and this applies to functions defined in the App PP that use AES cryptography, which include TLS.  So, in general, if the ST author selects any functions for VVOIP that are specified in the App PP that require FCS_COP.1(1) to be selected (such as TLS), then support for 256-bit AES in the modes appropriate for those functions is mandatory.  The FCS_COP.1(5) in this EP is also selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media.  If the ST author selects functions in both the App PP and the VVOIP EP that require AES Encryption/Decryption functionality, then the FCS_COP.1(1) requirement from the App PP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST to support SRTP.  Because bit size requirements are different for the two requirements, separate iterations are used to preserve clarity. It should be noted that “GCM” is a selection in both iterations, and in FCS_COP.1(5) GCM is only allowed for 256-bit keys, so if there is a different key size specified for functions in the App PP (e.g., TLS) that use GCM, the TSS should note those instances.

Add the following at the end of Annex B of the VVOIP 1.0 EP:

The following SFR shall be included in the ST if SRTP is selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media:

FCS_COP.1(5) Cryptographic Operation - Encryption/Decryption for SRTP

FCS_COP.1.1(5)  Refinement: The application shall perform encryption/decryption to support SDES-SRTP in accordance with a specified cryptographic algorithm

·         AES-CTR (as defined in NIST SP 800-38A) mode;

and [selection:

AES-GCM (as defined in NIST SP 800-38D),

no other modes

] and cryptographic key sizes 128-bit and [selection: 256-bit, no other key sizes].

Application Note : The ST author selects “AES-GCM” in the first selection if the AEAD_AES_256_GCM ciphersuite (via TD #68) is selected in FCS_SRTP_EXT.1.2; otherwise, “no other modes is selected”.  Similarly, the ST author selects “256-bit” in the second selection if AES_256_CM_HMAC_SHA1_80 or AEAD_AES_256_GCM (again via TD #68) are selected in FCS_SRTP_EXT.1.2.

Assurance Activity:

AES-CTR Tests:

• Test 1: Known Answer Tests (KATs) 
  There are four Known Answer Tests (KATs) described below. For all KATs, the plaintext, IV, and ciphertext values shall be 128-bit blocks. The results from each test may either be obtained by the validator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation. 
  
  To test the encrypt functionality, the evaluator shall supply a set of 10 plaintext values and obtain the ciphertext value that results from encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 128-bit all zeros key, and the other five shall be encrypted with a 256-bit all zeros key. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input. 
  
  To test the encrypt functionality, the evaluator shall supply a set of 10 key values and obtain the ciphertext value that results from encryption of an all zeros plaintext using the given key value and an IV of all zeros. Five of the key values shall be 128-bit keys, and the other five shall be 256-bit keys. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using an all zero ciphertext value as input. 
  
  To test the encrypt functionality, the evaluator shall supply the two sets of key values described below and obtain the ciphertext values that result from AES encryption of an all zeros plaintext using the given key values an an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second shall have 256 256-bit keys. Key_i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1, N]. To test the decrypt functionality, the evaluator shall supply the two sets of key and ciphertext value pairs described below and obtain the plaintext value that results from decryption of the given ciphertext using the given key values and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit pairs. Key_i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros for i in [1, N]. The ciphertext value in each pair shall be the value that results in an all zeros plaintext when decrypted with its corresponding key. 
  
  To test the encrypt functionality, the evaluator shall supply the set of 128 plaintext values described below and obtain the two ciphertext values that result from encryption of the given plaintext using a 128-bit key value of all zeros and using a 256 bit key value of all zeros, respectively, and an IV of all zeros. Plaintext value i in each set shall have the leftmost bits be ones and the rightmost 128-i bits be zeros, for i in [1, 128]. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input.
• Test 2: Multi-Block Message Test 
  The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 less-than i less-than-or-equal to 10. For each i the evaluator shall choose a key, IV, and plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation. The evaluator shall also test the decrypt functionality by decrypting an i-block message where 1 less-than i less-than-or-equal to 10. For each i the evaluator shall choose a key and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key. The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key using a known good implementation.
• Test 3: Monte-Carlo Test 
  For AES-CTR mode perform the Monte Carlo Test for ECB Mode on the encryption engine of the counter mode implementation. There is no need to test the decryption engine. 
  
  The evaluator shall test the encrypt functionality using 200 plaintext/key pairs. 100 of these shall use 128 bit keys, and 100 of these shall use 256 bit keys. The plaintext values shall be 128-bit blocks. For each pair, 1000 iterations shall be run as follows: 
  
  For AES-ECB mode
  # Input: PT, Key
  for i = 1 to 1000:
  CT[i] = AES-ECB-Encrypt(Key, PT)
  PT = CT[i] 
  The ciphertext computed in the 1000th iteration is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation.

AES-GCM Monte Carlo Tests

The evaluator shall test the authenticated encrypt functionality of AES-GCM for each combination of the following input parameter lengths with 256-bit keys:

·         Two plaintext lengths. One of the plaintext lengths shall be a non-zero integer multiple of 128 bits, if supported. The other plaintext length shall not be an integer multiple of 128 bits, if supported.

·         Three AAD lengths. One AAD length shall be 0, if supported. One AAD length shall be a non-zero integer multiple of 128 bits, if supported. One AAD length shall not be an integer multiple of 128 bits, if supported.

·         Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of the two IV lengths tested.

The evaluator shall test the encrypt functionality using a set of 10 key, plaintext, AAD, and IV tuples for each combination of parameter lengths above and obtain the ciphertext value and tag that results from AES-GCM authenticated encrypt. Each supported tag length shall be tested at least once per set of 10. The IV value may be supplied by the evaluator or the implementation being tested, as long as it is known.

The evaluator shall test the decrypt functionality using a set of 10 key, ciphertext, tag, AAD, and IV 5-tuples for each combination of parameter lengths above and obtain a Pass/Fail result on authentication and the decrypted plaintext if Pass. The set shall include five tuples that Pass and five that Fail.

The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.

The addition of AES-CTR mode in FCS_COP.1.1 in the Voice/Video over IP Endpoint Extended Package allows the SRTP protocol to be selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media.  When SRTP is selected, it is mandatory to support the AES_CM_128_HMAC_SHA1_80 ciphersuite from RFC 4568.  This requires support for AES in CTR mode.