Archived
TD0193: Selection-Based FCS_COP.1 Added to VVoip EP to include AES-CTR Mode
Publication Date
2017.04.20
Protection Profiles
EP_VVOIP_V1.0
Other References
FCS_COP.1
Issue Description
In order to allow SRTP as a selection in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media, a new Selection-based FCS_COP.1 requirement has been added in Annex B of the VVOIP v1.0 EP to include AES-CTR mode (as defined in NIST SP800-38A). As a result of this, additional guidance will be needed in Sections 5.1 and 5.2 of the VVOIP EP as well. Resolution
The following outlines the changes to the VVOIP 1.0 EP:
Add the following immediately after the section 5.1.1 header of the VVOIP 1.0 EP:
FCS_COP.1(1) - This SFR is mandatory in the NDcPP. The FCS_COP.1(5) in this EP is selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media. If the ST author selects “SRTP”, then the FCS_COP.1(1) requirement from the NDcPP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST as well. In order to preserve clarity, separate iterations are used rather than combining the requirements. It should be noted that “GCM” is a selection in both iterations, and in FCS_COP.1(5) GCM is only allowed for 256-bit keys, so if there is a different key size specified for functions in the NDcPP (e.g., TLS) that use GCM, the TSS should note those instances.
Add the following immediately after the section 5.2.1 header of the VVOIP 1.0 EP:
FCS_COP.1(1) - This SFR is selection-based in the Application PP. In the App PP, 256-bit AES is required (and 128-bit AES is optional), and this applies to functions defined in the App PP that use AES cryptography, which include TLS. So, in general, if the ST author selects any functions for VVOIP that are specified in the App PP that require FCS_COP.1(1) to be selected (such as TLS), then support for 256-bit AES in the modes appropriate for those functions is mandatory. The FCS_COP.1(5) in this EP is also selection-based, and is included when the ST Author selects “SRTP” in either FTP_DIT_EXT.1 or FTP_ITC.1/Media. If the ST author selects functions in both the App PP and the VVOIP EP that require AES Encryption/Decryption functionality, then the FCS_COP.1(1) requirement from the App PP is included in the ST with the modes and bit-sizes appropriate for those functions, and FCS_COP.1(5) from this EP is included in the ST to support SRTP. Because bit size requirements are different for the two requirements, separate iterations are used to preserve clarity. It should be noted that “GCM” is a selection in both iterations, and in FCS_COP.1(5) GCM is only allowed for 256-bit keys, so if there is a different key size specified for functions in the App PP (e.g., TLS) that use GCM, the TSS should note those instances.
Add the following at the end of Annex B of the VVOIP 1.0 EP:
The following SFR shall be included in the ST if SRTP is selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media:
FCS_COP.1(5) Cryptographic Operation - Encryption/Decryption for SRTP
FCS_COP.1.1(5) Refinement: The application shall perform encryption/decryption to support SDES-SRTP in accordance with a specified cryptographic algorithm
· AES-CTR (as defined in NIST SP 800-38A) mode;
and [selection:
AES-GCM (as defined in NIST SP 800-38D),
no other modes
] and cryptographic key sizes 128-bit and [selection: 256-bit, no other key sizes].
Application Note : The ST author selects “AES-GCM” in the first selection if the AEAD_AES_256_GCM ciphersuite (via TD #68) is selected in FCS_SRTP_EXT.1.2; otherwise, “no other modes is selected”. Similarly, the ST author selects “256-bit” in the second selection if AES_256_CM_HMAC_SHA1_80 or AEAD_AES_256_GCM (again via TD #68) are selected in FCS_SRTP_EXT.1.2.
Assurance Activity:
AES-CTR Tests:
AES-GCM Monte Carlo Tests
The evaluator shall test the authenticated encrypt functionality of AES-GCM for each combination of the following input parameter lengths with 256-bit keys:
· Two plaintext lengths. One of the plaintext lengths shall be a non-zero integer multiple of 128 bits, if supported. The other plaintext length shall not be an integer multiple of 128 bits, if supported.
· Three AAD lengths. One AAD length shall be 0, if supported. One AAD length shall be a non-zero integer multiple of 128 bits, if supported. One AAD length shall not be an integer multiple of 128 bits, if supported.
· Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of the two IV lengths tested.
The evaluator shall test the encrypt functionality using a set of 10 key, plaintext, AAD, and IV tuples for each combination of parameter lengths above and obtain the ciphertext value and tag that results from AES-GCM authenticated encrypt. Each supported tag length shall be tested at least once per set of 10. The IV value may be supplied by the evaluator or the implementation being tested, as long as it is known.
The evaluator shall test the decrypt functionality using a set of 10 key, ciphertext, tag, AAD, and IV 5-tuples for each combination of parameter lengths above and obtain a Pass/Fail result on authentication and the decrypted plaintext if Pass. The set shall include five tuples that Pass and five that Fail.
The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.
Justification
The addition of AES-CTR mode in FCS_COP.1.1 in the Voice/Video over IP Endpoint Extended Package allows the SRTP protocol to be selected in FTP_DIT_EXT.1 and/or FPT_ITC.1/Media. When SRTP is selected, it is mandatory to support the AES_CM_128_HMAC_SHA1_80 ciphersuite from RFC 4568. This requires support for AES in CTR mode. |