NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0068:  Addition of SRTP Ciphersuites

Publication Date
2015.10.13

Protection Profiles
CPP_ND_SBC_EP_V1.0, EP_VVOIP_V1.0, PP_VOIP_V1.3

Other References

Issue Description

Revision as of 20 April 2016: Updated to reflect applicability to VVOIP EP v1.0.

Revision as of 28 December 2015: This TD was originally issued on 13 October 2015 and referenced a draft RFC. It is being revised to reference the published RFC (RFC 7714, AES-GCM for SRTP).

 

The current SRTP requirements mandate AES with 128 bit key size. The requirements currently read:

FCS_SRTP_EXT.1.2 The VoIP client application shall implement SDES-SRTP supporting the following ciphersuites in accordance with RFC 4568: AES_CM_128_HMAC_SHA1_80.

and

FCS_SRTP_EXT.1.2 The TSF shall implement SDES-SRTP supporting the following ciphersuites in accordance with RFC 4568: AES_CM_128_HMAC_SHA1_80.

Larger key sizes should be able to be used and validated.

Resolution

The requirements are revised to include other ciphersuites as follows:

 

For PP_VOIP_V1.3:

FCS_SRTP_EXT.1.2 The VoIP client application shall implement SDES-SRTP supporting the following ciphersuites: AES_CM_128_HMAC_SHA1_80 in accordance with RFC 4568 and [selection: AES_256_CM_HMAC_SHA1_80 in accordance with RFC 6188, AEAD_AES_256_GCM in accordance with RFC 7714, no other].

For EP_VVOIP_V1.0:

FCS_SRTP_EXT.1.2 The TSF shall implement SDES-SRTP supporting the following ciphersuites: AES_CM_128_HMAC_SHA1_80 in accordance with RFC 4568 and [selection: AES_256_CM_HMAC_SHA1_80 in accordance with RFC 6188, AEAD_AES_256_GCM in accordance with RFC 7714, no other].

 

For CPP_ND_SBC_EP_V1.0:

FCS_SRTP_EXT.1.2 The TSF shall implement SDES-SRTP supporting the following ciphersuites: AES_CM_128_HMAC_SHA1_80 in accordance with RFC 4568 and [selection: AES_256_CM_HMAC_SHA1_80 in accordance with RFC 6188, AEAD_AES_256_GCM in accordance with RFC 7714, no other].

 

The verification of the cryptographic primitives in the additional ciphersuites is performed via the applicable FCS_COP requirements, so update to the Assurance Activity for this requirement is not needed.

Justification

Allowance of additional ciphersuites.

 
 
Site Map              Contact Us              Home