NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0488:  Selectable ciphers for FCS_COP.1(5)

Publication Date
2020.01.21

Protection Profiles
EP_VVOIP_V1.0

Other References
FCS_COP.1(5)

Issue Description

FCS_SRTP_EXT.1, as amended by TD0279, makes all SDES-SRTP ciphersuites selectable. However, FCS_COP.1(5) as currently specified in TD0193 does not support all the selections in FCS_SRTP_EXT.1. FCS_COP.1(5) needs to have fully selectable modes and key sizes.

Resolution

TD0193 is archived and replaced with the following:

 

The following outlines the changes to the VVOIP 1.0 EP:

 

Add the following immediately after the section 5.1.1 header of the VVOIP 1.0 EP:

 

FCS_COP.1(1) - This SFR is mandatory in the NDcPP.  The FCS_COP.1(5) in this EP is selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media.  If the ST author selects “SRTP”, then the FCS_COP.1(1) requirement from the NDcPP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST as well.  In order to preserve clarity, separate iterations are used rather than combining the requirements.  It should be noted that “GCM” is a selection in both iterations, so if there is a different key size specified for functions in the NDcPP (e.g., TLS) that use GCM, the TSS should note those instances.

 

Add the following immediately after the section 5.2.1 header of the VVOIP 1.0 EP:

 

FCS_COP.1(1) - This SFR is selection-based in the Application PP.  The FCS_COP.1(5) in this EP is also selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media.  If the ST author selects functions in both the App PP and the VVOIP EP that require AES Encryption/Decryption functionality, then the FCS_COP.1(1) requirement from the App PP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST to support SRTP.  Because bit size requirements are different for the two requirements, separate iterations are used to preserve clarity. It should be noted that “GCM” is a selection in both iterations, so if there is a different key size specified for functions in the App PP (e.g., TLS) that use GCM, the TSS should note those instances.

 

Add the following at the end of Annex B of the VVOIP 1.0 EP:

 

The following SFR shall be included in the ST if SRTP is selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media:

 

FCS_COP.1(5) Cryptographic Operation - Encryption/Decryption for SRTP

 

FCS_COP.1.1(5)  Refinement: The application shall perform encryption/decryption to support SDES-SRTP in accordance with a specified cryptographic algorithm

 

[selection:   AES-CTR (as defined in NIST SP 800-38A) mode; AES-GCM (as defined in NIST SP 800-38D)

  

] and cryptographic key sizes [selection: 128-bit, 256-bit].

 

 

Assurance Activity:

 

AES-CTR Tests:

These tests must be performed as outlined in FCS_COP.1/DataEncryption in cPP_ND_v2.1_SD.

 

AES-GCM Monte Carlo Tests

 

These tests must be performed as outlined in FCS_COP.1/DataEncryption in cPP_ND_v2.1_SD.

Justification

The addition of AES-CTR mode in FCS_COP.1.1 in the Voice/Video over IP Endpoint Extended Package allows the SRTP protocol to be selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media.  The selections for SRTP are as specified in TD0279. FCS_COP.1(5) needed updating to support the selections introduced by TD0279. Also, the wording of TD0193 needed updating to reflect FCS_COP.1(1) in NDcPP v2.1 and App PP 1.3.

 
 
Site Map              Contact Us              Home