Archived
TD0068: Addition of SRTP Ciphersuites
Publication Date
2015.10.13
Protection Profiles
CPP_ND_SBC_EP_V1.0, EP_VVOIP_V1.0, PP_VOIP_V1.3
Other References
Issue Description
Revision as of 20 April 2016: Updated to reflect applicability to VVOIP EP v1.0. Revision as of 28 December 2015: This TD was originally issued on 13 October 2015 and referenced a draft RFC. It is being revised to reference the published RFC (RFC 7714, AES-GCM for SRTP).
The current SRTP requirements mandate AES with a 128-bit key size. The requirements currently read:
FCS_SRTP_EXT.1.2 The VoIP client application shall implement SDES-SRTP supporting the following ciphersuites in accordance with RFC 4568: AES_CM_128_HMAC_SHA1_80.
and
FCS_SRTP_EXT.1.2 The TSF shall implement SDES-SRTP supporting the following ciphersuites in accordance with RFC 4568: AES_CM_128_HMAC_SHA1_80.
Larger key sizes should be able to be used and validated.
Resolution
The requirements are revised to include other ciphersuites as follows:
For PP_VOIP_V1.3:
FCS_SRTP_EXT.1.2 The VoIP client application shall implement SDES-SRTP supporting the following ciphersuites: AES_CM_128_HMAC_SHA1_80 in accordance with RFC 4568 and [selection: AES_256_CM_HMAC_SHA1_80 in accordance with RFC 6188, AEAD_AES_256_GCM in accordance with RFC 7714, no other].
For EP_VVOIP_V1.0:
For CPP_ND_SBC_EP_V1.0:
FCS_SRTP_EXT.1.2 The TSF shall implement SDES-SRTP supporting the following ciphersuites: AES_CM_128_HMAC_SHA1_80 in accordance with RFC 4568 and [selection: AES_256_CM_HMAC_SHA1_80 in accordance with RFC 6188, AEAD_AES_256_GCM in accordance with RFC 7714, no other].
The verification of the cryptographic primitives in the additional ciphersuites is performed via the applicable FCS_COP requirements, so an update to the Assurance Activity for this requirement is not needed.
Justification
Allowance of additional ciphersuites.
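
As an added illustration (not part of this Technical Decision or of any Protection Profile), the following Python check parses the SDES `a=crypto` attributes of an SDP body and reports any suite outside the revised FCS_SRTP_EXT.1.2 selection, or any inline key whose length does not match its suite. The names `check_sdp_crypto` and `sample_key`, the constructed sample offers, and the rule that every offer must list the mandatory suite are assumptions of this example.

```python
import base64
import re

# Suites named in the revised FCS_SRTP_EXT.1.2, mapped to the length in bytes
# of the inline master key || master salt each one carries
# (RFC 4568: 16+14, RFC 6188: 32+14, RFC 7714: 32+12).
MANDATORY = "AES_CM_128_HMAC_SHA1_80"
ALLOWED = {MANDATORY: 30, "AES_256_CM_HMAC_SHA1_80": 46, "AEAD_AES_256_GCM": 44}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) +(\S+) +inline:([A-Za-z0-9+/=]+)")

def check_sdp_crypto(sdp):
    """Return a list of findings for the a=crypto lines of one SDP body."""
    findings, seen = [], set()
    for line in (raw.strip() for raw in sdp.splitlines()):
        if not line.startswith("a=crypto:"):
            continue
        m = CRYPTO_RE.match(line)
        if not m:
            findings.append("unparseable crypto attribute")
            continue
        tag, suite, key_b64 = m.groups()
        if suite not in ALLOWED:
            findings.append(f"tag {tag}: {suite} is not in the selection")
            continue
        seen.add(suite)
        try:
            key_len = len(base64.b64decode(key_b64, validate=True))
        except ValueError:  # binascii.Error is a subclass of ValueError
            findings.append(f"tag {tag}: key material is not valid base64")
            continue
        if key_len != ALLOWED[suite]:
            findings.append(
                f"tag {tag}: {suite} needs {ALLOWED[suite]} key bytes, got {key_len}")
    # Assumption of this example: every offer must list the mandatory suite.
    if MANDATORY not in seen:
        findings.append(f"{MANDATORY} is not offered")
    return findings

def sample_key(n):
    """Constructed, non-secret key material of n bytes for the samples."""
    return base64.b64encode(bytes(range(n))).decode()

# Constructed sample offers (not captured traffic).
GOOD_OFFER = (f"a=crypto:1 AEAD_AES_256_GCM inline:{sample_key(44)}\r\n"
              f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{sample_key(30)}|2^20|1:4\r\n")
BAD_OFFER = (f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{sample_key(30)}\r\n"
             f"a=crypto:2 AES_256_CM_HMAC_SHA1_80 inline:{sample_key(30)}\r\n")
```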