TD0428: FCS_SRTP_EXT.1 Test Activity
A packet capture tool isn't sufficient to perform the test for FCS_SRTP_EXT.1 in VVoIP EP v1.0 if a TLS ciphersuite without forward secrecy is used or if the SIP server's private key is not available.
The Test Assurance Activity for FCS_SRTP_EXT.1 in VVOIP EP v1.0 is replaced with the following:
The evaluator shall follow the procedure for initializing their device so that they are ready to receive and place calls. For each ciphersuite selected in FCS_SRTP_EXT.1.2, the evaluator shall configure the SIP server to only allow that ciphersuite to be used. The evaluator shall then both place and receive a call and determine that the traffic sent and received by the TOE is encrypted using SRTP with that ciphersuite. The evaluator may choose one of the below two options to ensure that the call is being encrypted and to view the ciphersuite being used.
Option 1: The evaluator shall configure the SIP server to report whether SRTP is being used, and if so, print the negotiated SRTP ciphersuite. The evaluator shall confirm that SRTP was used for the calls and that the correct ciphersuite was negotiated.
Option 2: A packet capture tool should be used with the SIP server's private key loaded in. The evaluator shall decrypt the TLS-SIP traffic, view the SDES negotiation, and ensure that the correct ciphersuite was negotiated.
Next, the evaluator shall configure the SIP server to only allow the SRTP NULL ciphersuite. The evaluator shall attempt to both place and receive a call and confirm that both attempts failed.
See issue description.