Version: 2.0
2025-04-11
National Information Assurance Partnership
| Version | Date | Comment |
|---|---|---|
| 1.0 | 2020-10-28 | Initial publication |
| 2.0 | 2025-04-11 | CC:2022 updates, incorporation of TDs |
These Base-PPs are both valid because a VVoIP endpoint is a specific type of network device or software application that carries sensitive data over remote channels and uses protocols to do so that a typical network device or software application does not implement. Therefore, additional security requirements are necessary to ensure that sensitive communications are not subject to unauthorized disclosure to unintended recipients.
Note that the NDcPP defines an optional architecture for a “distributed TOE” that allows for security functionality to be spread across multiple distinct components. However, a TOE that conforms to the NDcPP and this PP-Module will not be a distributed TOE. All security functionality will be contained within a single physical device.
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Direct Rationale | A type of Protection Profile, PP-Module, or Security Target in which the security problem definition (SPD) elements are mapped directly to the SFRs and possibly to the security objectives for the operational environment. There are no security objectives for the TOE. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Basic telephony functions | The basic functions a VVoIP phone must provide – pick up, dial tone, dial, talk. |
Call control | The packets exchanged between devices to establish, maintain, and tear down a telephony call. |
Client | A VVoIP endpoint. |
Enterprise Session Controller (ESC) | A VVoIP call control server for VVoIP devices. |
H.323 | A communications protocol defined by ITU-T that is used for creating, modifying, and terminating multimedia sessions with multiple participants. |
Peer-to-Peer (P2P) | A VVoIP architecture that forces each peer to be a server and client at the same time. |
SDES-SRTP | A method of key negotiation for SRTP. |
Secure Real-Time Transport Protocol (SRTP) | A protocol that is used to provide multimedia (voice/video) streaming services with added security of encryption, message authentication and integrity, and replay protection. |
Sensitive Data | Call control/signal data, media data, and audit/management data that must be protected while in transit to prevent unauthorized disclosure. |
Session Initiation Protocol (SIP) | A communications protocol defined by IETF that is used for creating, modifying, and terminating multimedia sessions with multiple participants. |
Software/firmware update delivery channel | A trusted channel between a client and file server (which may be the same server as the call control server) for secure file download of software/firmware updates. |
State |
A configuration of a VVoIP endpoint based on how the user is currently using or not
using the endpoint. Examples include:
|
Streaming media | The voice/video exchanged between VVoIP endpoints. |
VVoIP Call Control Server | A VVoIP infrastructure device that performs call control functions between a client and other VVoIP endpoints; this may be either a dedicated device such as an ESC or a VVoIP device itself when using P2P. |
This PP-Module specifically addresses a dedicated network device or software application that facilitates the exchange of voice or video communication across an Internet Protocol (IP) network. The endpoint is a client (TOE) that communicates with a VVoIP call control server and may serve as its own call control server when using P2P. The VVoIP endpoint shall be able to secure file download from a file server to update VVoIP endpoint software and configuration, to establish secure communication for call control with the call control server, and to secure streaming media to other devices.
The combination of the NDcPP and this PP-Module is a network device that provides VVoIP endpoint functionality in addition to all of the security functionality expected of a network device as mandated by the NDcPP. The combination of the App PP and this PP-Module is a software application running on a general-purpose operating system that includes VVoIP endpoint capabilities in addition to all of the security functionality expected of a software application as mandated by the App PP.
This PP-Module describes the functional requirements and threats specific to the VVoIP endpoint. The most notable additions are requirements for the call control protocol (SIP, H.323) and streaming media protocol (SRTP, RTP). A conformant TOE is expected to be a standalone device or application; distributed TOE’s are not permitted.
The TOE boundary includes the VVoIP-capable device or application (VVoIP endpoint). A VVoIP-capable device is a dedicated phone whereas a VVoIP endpoint application is just one of many applications that runs on a general-purpose device such as a smartphone, tablet, or PC. Regardless of whether the TOE is a hardware appliance or a client application on an operating system, it will be deployed in the same environment. The figure below shows a typical VVoIP infrastructure from the perspective of the TOE. Many of the environmental components have direct connections between one another, but since these are not visible to the TOE, these connections have not been depicted.
The TOE uses a VVoIP call control server, either by connecting to an ESC or acting as one itself when using P2P, in order to set up connections with other VVoIP endpoint devices or other telephony equipment such as a conference bridge. The call control server also may have the ability to deliver software/firmware updates to the TOE, but this can alternatively be performed by a file server. The TOE must be able to process Internet Protocol version 4 (IPv4) and/or IPv6 packets.
To be able to initiate communications in a client-server architecture, the TOE needs at minimum an IP address, network mask, gateway address, configuration server address, update server address (or may rely on platform for updates if it is a software application configured to do so), and call control server address. The address may be obtained by Dynamic Host Configuration Protocol (DHCP), manually entered on the VVoIP endpoint, or inherited from the device the TOE resides on (if it is a software application); addresses can belong to the same device if it performs multiple functions (such as an ESC which also performs updates). The TOE should allow basic telephony functions. Once the IP addresses are obtained, the TOE downloads any VVoIP application updates, downloads VVoIP endpoint configuration, and connects to the call control server as a VVoIP client. When a call is finished or the line is otherwise not in use, the TOE will ensure that streaming media communication paths/ports are closed while call control remains open.
To be able to initiate communications in P2P, the TOE needs at minimum an IP address, network mask, gateway address, and update server address (or may rely on platform for updates if it is a software application configured to do so). The address may be obtained by DHCP, manually entered on the VVoIP endpoint, or inherited from the device the TOE resides on (if it is a software application). The TOE should allow basic telephony functions. Once the IP addresses are obtained, the TOE downloads any VVoIP application updates. The endpoint configuration for P2P TOE of telephony functions is local. When the TOE initiates a call, the TOE connects to the other peer’s call control (which is active) and the TOE is a client. When the TOE receives a call, the other peer acts as a client and connects to the TOE’s call control. When a call is finished or the line is otherwise not in use, the TOE will ensure that streaming media communication paths/ports are closed while call control remains open.
The TOE has three paths for three different functions that need to execute: streaming media path that contains voice, video, and session control (endpoint to endpoint); call control path to control the endpoint (endpoint to VVoIP call control server), and configuration/management path to configure and manage the TOE (software/firmware updates, configuration updates, audit).
This PP-Module defines four potential use cases for the VVoIP TOE, defined below. The first two use cases define the physical embodiment of the TOE, while the latter two define its role in a telecommunications deployment.
Regardless of the physical embodiment of the TOE, the expected functional capabilities are similar. However, when the TOE is deployed in a peer-to-peer architecture, it must perform auditing and call control functions that a client-server TOE does not need to perform because the Enterprise Session Controller provides those functions in that architecture. A client-server TOE may also perform its own auditing, but it is not required.
If this feature is implemented by the TOE, the following requirements must be claimed in the ST:
The security problem is described in terms of the threats that the TOE is expected to address, assumptions about its operational environment, and any organizational security policies that the TOE is expected to enforce.
These assumptions are made on the Operational Environment (OE) in order to be able to ensure that the security functionality specified in the PP-Module can be provided by the TOE. If the TOE is placed in an OE that does not meet these assumptions, the TOE may no longer be able to provide all of its security functionality.
The following assumptions that are defined in this PP-Module extend the assumptions that are defined by the Base-PPs.
This PP defines no Organizational Security Policies beyond those defined in the claimed Base-PP(s).
The following environmental security objectives that are defined in this PP-Module extend the objectives that are defined by the Base-PPs.
| Assumption or OSP | Security Objectives | Rationale |
| A.UPDATE_SOURCE | OE.UPDATE_SOURCE | The objective satisfies the assumption by ensuring that TOE updates are made available in the intended location. |
This SFR is modified to prohibit the selection of distributed TOE options. Any element not mentioned in this section is unchanged from its definition in the Base-PP.
The text of FAU_STG_EXT.1.2 is replaced with:
FAU_STG_EXT.1.2: The TSF shall be able to store generated audit data on the TOE itself.
Application Note: This PP-Module modifies the existing FAU_STG_EXT.1 SFR in the NDcPP to prohibit the selection of any “distributed TOE” behavior in FAU_STG_EXT.1.2. The SFR is otherwise unchanged.
This SFR is selection-based in the NDcPP and remains selection-based in this PP-Module. However, an additional trigger for this SFR’s inclusion is added for the selection of “register the TOE to an ESC…” in FMT_SMF.1/VVoIP if the TOE is a hardware device. This is because any hardware-based VVoIP TOE that can be registered to ESCs is required to use them as NTP servers.
If the TOE is not registered to an ESC, it is not relevant to this PP-Module whether or not NTP is implemented, and in this case this SFR remains selection-based on FPT_STM_EXT.1.2, which is not modified by this PP-Module (i.e. a peer-to-peer TOE does not register to an ESC but may still receive time data from a separate NTP source).
This PP-Module does not modify this SFR as it is defined in the NDcPP. However, note that this PP-Module expects that either the call control server or a separate file server managed by the organization to function as the source of TOE software/firmware updates. The evaluator shall ensure that the test environment is configured appropriately.
Evaluation Activities:
There is no change to the EAs specified for this SFR in the NDcPP Supporting Document. Note however that the following additional configuration steps are necessary in order for this testing to be performed:
This SFR is modified to mandate the inclusion of TLS. Any other protocols may additionally be claimed. Any element that is not included in this section is unchanged from its definition in the Base-PP.
The text of the requirement is replaced with:
FTP_ITC.1.1: The TSF shall be capable of using TLS and [selection: IPsec, SSH, DTLS, HTTPS, no other protocols] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: audit server, streaming media channel, call control channel, software/firmware update delivery channel, [selection: authentication server, [assignment: other capabilities], no other capabilities] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
Application Note: The NDcPP provides the ability for the ST author to specify the protocols used to establish trusted communications in FTP_ITC.1.1. This PP-Module mandates the inclusion of TLS because it is the underlying protocol used to secure communications with the ESC and other VVoIP endpoints. Additional protocols should be selected if they are used for securing other trusted channels. For example, the TSF may communicate with an ESC using TLS for call control functions but some other protocol for remote transmission of audit data. This PP-Module also specifies additional uses for the trusted channel beyond what the NDcPP defines. The remainder of the SFR is unchanged from its definition in the Base-PP.
This PP-Module does not modify this SFR as it is defined in the App PP. However, note that this PP-Module expects that either the call control server or a separate file server managed by the organization to function as the source of TOE software/firmware updates. A vendor provided source should only be used if a call control server or separate file server cannot be configured.
Evaluation Activities:
There is no change to the EAs specified for this SFR in the App PP. Note however that the following additional configuration steps may be necessary when relying on a call control server or dedicated file server in order for this testing to be performed:
This SFR is modified from its definition in the Base-PP to mandate the inclusion of TLS as a method to protect data and to add support for the use of SRTP to protect data in transit.
The text of the requirement is replaced with:
FTP_DIT_EXT.1.1: The application shall [selection:
Application Note: The App PP provides the ability for the ST author to specify the protocols used to establish trusted communications and the behavior that trusted communications are used to protect. This PP-Module mandates the inclusion of TLS because it is the underlying protocol used to secure communications with a VVoIP call control server and other VVoIP endpoints. Additional protocols may be selected if they are used for securing other channels. For example, the TSF may communicate with an ESC using TLS for call control functions but some other protocol for remote transmission of audit data.
Since the App PP does not define separate SFRs for trusted channel (TOE to trusted third party) and trusted path (administrator to TOE), FTP_DIT_EXT.1 is expected to cover both use cases. The proper protocols should be selected accordingly.
Sensitive data includes at minimum call control/signal data, media data, and audit/management data.
If “SRTP” is selected in FTP_DIT_EXT.1.1, the selection-based SFRs FCS_COP.1/SRTP and FCS_SRTP_EXT.1 must be claimed.
| Requirement | Auditable Events | Additional Audit Record Contents |
|---|---|---|
| FCO_VOC_EXT.1 | ||
| No events specified | N/A | |
| FDP_IFC.1 | ||
| Call Detail Record (CDR) of VVoIP peer communications. |
| |
| FDP_IFF.1 | ||
| No events specified | N/A | |
| FMT_SMF.1/VVoIP | ||
| [selection: Registration of TOE to ESC., None] | [selection: IP address or identifier for the ESC, No additional information] | |
| FTA_SSL.3/MEDIA | ||
| Termination of a call due to inactivity. | Call party dropped time | |
| FTP_ITC.1/CONTROL | ||
| Establishment of connection to VVoIP call control server |
| |
| Termination of connection to VVoIP call control server |
| |
| FTP_ITC.1/MEDIA | ||
| Establishment of connection to VVoIP peer |
| |
| Termination of connection to VVoIP peer |
|
If "acting as a VVoIP call control server when using P2P" is selected, the ST must include the selection-based SFRs FAU_GEN.1/P2PADMIN, FAU_GEN.1/P2PVVOIP, FDP_IFC.1/CALLCONTROL, and FDP_IFF.1/CALLCONTROL.
This SFR defines additional management functions for the TOE beyond what is defined in each of the supported Base-PPs as FMT_SMF.1. The TOE may have all management functionality implemented in the same logical interface; it is not necessary for the Base-PP management functions and the PP-Module’s management functions to be implemented separately.
The audit-related sections are duplicates of those in the NDcPP’s definition of FMT_SMF.1. If the VVoIP audit functionality is configurable separately from the auditing for the device as a whole, the relevant selections should be made or omitted in each iteration as needed.
If "register the TOE to an ESC..." is selected, regardless of Base-PP selection, the ST must include the selection-based SFR FPT_STM_EXT.1/VVoIP.
If the TOE claims conformance to the NDcPP and “register the TOE to an ESC…” is selected, the selection-based NDcPP SFR FCS_NTP_EXT.1 must additionally be claimed since connectivity to an ESC implies that the TSF will use it as an NTP server. In this case, the TOE does not need to implement two distinct time services for different purposes. The same time service defined by FPT_STM_EXT.1 may be used here as well. Note however, for this PP-Module, the TOE must use ESCs to which it is registered as its NTP time sources.
If "act as a VVoIP call control server when using P2P" is selected, the ST must include the selection-based SFRs FAU_GEN.1/P2PADMIN, FAU_GEN.1/P2PVVOIP, FDP_IFC.1/CALLCONTROL, and FDP_IFF.1/CALLCONTROL.
This SFR defines the application layer protocol used to secure voice/video transmissions once a call is established between another VVoIP endpoint or other telephony device such as a call conference device.
If “SRTP” is selected, the selection-based SFRs FCS_COP.1/SRTP and FCS_SRTP_EXT.1 must be claimed.
The following rationale provides justification for each SFR for the TOE,
showing that the SFRs are suitable to address the specified threats:
| Threat | Addressed by | Rationale |
|---|---|---|
| T.MEDIA_DISCLOSURE | FAU_STG_EXT.1 (refined from NDcPP) | Mitigates the threat by ensuring that audit data is securely stored locally and transmitted to an external entity. |
| FCS_NTP_EXT.1 (from NDcPP) | Mitigates the threat by defining how accurate system time is maintained, which is used to support certain cryptographic functions. | |
| FCS_TLSC_EXT.1 (from Functional Package for Transport Layer Security (TLS), version 2.1) | Mitigates the threat by defining the TLS client implementation used to secure call control and streaming media channels used for VVoIP. | |
| FCS_TLSC_EXT.2 (from Functional Package for Transport Layer Security (TLS), version 2.1) | Mitigates the threat by defining the TOE’s implementation of mutual authentication for its TLS client | |
| FIA_X509_EXT.1 (from Functional Package for X.509, version 1.0) | Mitigates the threat by defining requirements for the use of X.509 certificates that TLS functionality depends on. | |
| FIA_X509_EXT.2 (from Functional Package for X.509, version 1.0) | Mitigates the threat by defining requirements for the use of X.509 certificates that TLS functionality depends on. | |
| FIA_X509_EXT.3 (from Functional Package for X.509, version 1.0) | Mitigates the threat by defining requirements for the use of X.509 certificates that TLS functionality depends on. | |
| FTP_ITC.1 (refined from NDcPP) | Mitigates the threat by defining the trusted communications channel used for VVoIP | |
| FTP_DIT_EXT.1 (refined from App PP) | Mitigates the threat by defining the trusted communications channel used for VVoIP. | |
| FCO_VOC_EXT.1 | Mitigates the threat by defining the use of a fixed-rate vocoder to prevent the exposure of encryption vulnerabilities that are present with variable-rate vocoders. | |
| FPT_TUD_EXT.1 (refined from NDcPP and App PP) | Mitigates the threat by ensuring the cryptographic functions or other TSF can be updated to remain secure. | |
| FTP_ITC.1/CONTROL | Mitigates the threat by defining the application-layer channel used for communications with a VVoIP call control server. | |
| FTP_ITC.1/MEDIA | Mitigates the threat by defining the application-layer channel used for communications of media (voice and video) data. | |
| FAU_STG.1 (optional for software-only TOEs) | Mitigates the threat by ensuring that audit data is securely transmitted to an external entity. | |
| FAU_STG.5 (optional for software-only TOEs) | Mitigates the threat by defining behavior for response to log space overruns. | |
| FCS_COP.1/SRTP (selection-based) | Mitigates the threat by defining the implementation of encryption used for SDES-SRTP, if supported by the TOE. | |
| FCS_SRTP_EXT.1 (selection-based) | Mitigates the threat by defining the implementation of the SRTP protocol, if supported by the TOE. | |
| FDP_IFC.1/CALLCONTROL (selection-based) | Mitigates the threat by defining a policy for protection of call control information in cases where the TOE can act as a VVoIP call control server in a peer-to-peer configuration. | |
| FDP_IFF.1/CALLCONTROL (selection-based) | Mitigates the threat by defining the implementation of the call control policy in cases where the TOE can act as a VVoIP call control server in a peer-to-peer configuration. | |
| FPT_STM_EXT.1/VVoIP (selection-based) | Mitigates the threat by defining how the TSF obtains system time in certain cases, which is then used as an input to other functions that support this objective. | |
| T.UNDETECTED_TRANSMISSION | FDP_IFC.1 | Mitigates the threat by defining the existence of a media transmission policy. |
| FDP_IFF.1 | Mitigates the threat by defining how the media transmission policy is enforced to determine when transmissions should occur. | |
| FTA_SSL.3/MEDIA | Mitigates the threat by requiring the TSF to terminate idle sessions. | |
| FAU_GEN.1/CSADMIN (optional) | Mitigates the threat by optionally allowing a client-server TOE to provide an audit trail of administrative actions, which could diagnose misconfiguration of the TOE that could lead to unattended transmissions. | |
| FAU_GEN.1/CSVVoIP (optional) | Mitigates the threat by optionally allowing a client-server TOE to provide an audit trail of call data, which could diagnose when unattended transmissions may be occurring. | |
| FAU_GEN.1/P2PADMIN (selection-based) | Mitigates the threat by requiring a peer-to-peer TOE to provide an audit trail of administrative actions, which could diagnose misconfiguration of the TOE that could lead to unattended transmissions. | |
| FAU_GEN.1/P2PVVoIP (selection-based) | Mitigates the threat by requiring a peer-to-peer TOE to provide an audit trail of call data, which could diagnose when unattended transmissions may be occurring. | |
| FPT_STM_EXT.1/VVoIP (selection-based) | Mitigates the threat by requiring the TSF to specify how it obtains system time in certain cases, which is then used as an input to other functions that support this objective. | |
| FMT_SMF.1/VVoIP | Mitigates the threat by requiring the TSF to implement certain the management functions specific to VVoIP functionality. |
| PP-Module Threat, Assumption, OSP | Consistency Rationale |
|---|---|
| T.MEDIA_DISCLOSURE | The NDcPP defines a threat for untrusted communications channels. The threat of media disclosure through vocoder frames is a type of side channel attack that is unique to the functions of a VVoIP endpoint. However, it is consistent with the overall threat of unintended disclosure of sensitive data. |
| T.UNDETECTED_TRANSMISSION | The NDcPP defines threats for insecure communications and undetected activity. Unauthorized and undetected use of a communications channel is consistent with these threats. |
| A.UPDATE_SOURCE | The NDcPP does not have any assumptions for the source of TOE updates, only that the updates have adequate integrity protections. There is no conflict with this Module assuming that TOE updates will be retrieved from a particular location. |
The objectives for the TOE’s operational environment are consistent with the NDcPP based on the following rationale:
| PP-Module OE Objective | Consistency Rationale |
|---|---|
| OE.UPDATE_SOURCE | The NDcPP requires the TOE to be able to apply software/firmware updates but does not define any specific way that these updates need to be made available. This PP-Module defines an objective that allows for an assumption that TOE updates will be made available in a specific location. A.UPDATE_SOURCE is consistent with the Base-PP objectives for the same reason. |
| PP-Module Requirement | Consistency Rationale |
|---|---|
| Modified SFRs | |
| FAU_STG_EXT.1 | This SFR will need to be revisited when its upstream definitions are finalized. We assume that this SFR is going to be refactored to FAU_STG.1 in the next release of the NDcPP, but it's unclear in what form the distributed TOE selections will be included. This PP-Module modifies this SFR to prohibit the selection of any “distributed TOE” behavior in FAU_STG_EXT.1.2. The SFR is otherwise unchanged. |
| FCS_NTP_EXT.1 | This PP-Module does not modify this SFR; it only modifies the circumstances that trigger its inclusion in the TOE’s logical boundary. |
| FPT_TUD_EXT.1 | This PP-Module does not modify this SFR; it only specifies that the source of TOE software/firmware updates must be a specific type of server. |
| FTP_ITC.1 | This PP-Module restricts the Base-PP SFR to a subset of existing permissible functionality and does not introduce any new behavior. |
| Additional SFRs | |
| This PP-Module does not add any requirements when the NDcPP is the base. | |
| Mandatory SFRs | |
| FCO_VOC_EXT.1 | The use of a fixed-rate vocoder relates to application-layer communications that are not within the scope of the NDcPP. |
| FDP_IFC.1 | This SFR defines a policy for when data will or will not be transmitted by the TSF. The NDcPP defines requirements for how data is transmitted but a policy governing when an external interface may be invoked is beyond its scope. |
| FDP_IFF.1 | This SFR defines the rules for a policy for when data will or will not be transmitted by the TSF. The NDcPP defines requirements for how data is transmitted but a policy governing when an external interface may be invoked is beyond its scope. |
| FMT_SMF.1/VVoIP | This PP-Module defines a new iteration of FMT_SMF.1 to add additional management functions that relate specifically to VVoIP functionality. The addition of these functions does not prevent any of the original functions from being implemented. This iteration does include two duplicates of management functions specified in the Base-PP; this is consistent because it is possible that auditing is handled differently for the VVoIP functionality as it is for the rest of the TOE’s auditing. These functions are also selectable so it is not required that a conformant TOE implement this. |
| FTA_SSL.3/MEDIA | This SFR defines session termination behavior for the TOE’s media channel. This interface is specific to this PP-Module and is not within the scope of the NDcPP. |
| FTP_ITC.1/CONTROL | This SFR defines the trusted communications protocol used by the TOE’s signaling channel, which is specific to the VVoIP technology and does not conflict with the functionality defined in the NDcPP. |
| FTP_ITC.1/MEDIA | This SFR defines the trusted communications protocol used by the TOE’s media channel, which is specific to the VVoIP technology and does not conflict with the functionality defined in the NDcPP. |
| Optional SFRs | |
| FAU_GEN.1/CSADMIN | The NDcPP already defines an audit generation function. This PP-Module adds redundant audit events for administrative actions (with respect to those defined in the NDcPP) to be required for software-only TOEs. A TOE that conforms to the NDcPP satisfies this SFR by default. |
| FAU_GEN.1/CSVVOIP | The NDcPP already defines an audit generation function. This PP-Module adds an iteration of FAU_GEN.1 for the auditable events that relate specifically to VVoIP endpoint behavior that may apply for client-server TOEs. |
| Objective SFRs | |
| This PP-Module does not define any Objective requirements. | |
| Implementation-dependent SFRs | |
| FAU_STG.1 | This SFR is implementation-dependent and is explicitly not claimed when the NDcPP is the Base-PP. Therefore there is no conflict between this SFR and the NDcPP. |
| FAU_STG.5 | This SFR is implementation-dependent and is explicitly not claimed when the NDcPP is the Base-PP. Therefore there is no conflict between this SFR and the NDcPP. |
| Selection-based SFRs | |
| FAU_GEN.1/P2PADMIN | The NDcPP already defines an audit generation function. This PP-Module adds redundant audit events for administrative actions (with respect to those defined in the NDcPP) to be required for software-only TOEs. A TOE that conforms to the NDcPP satisfies this SFR by default. |
| FAU_GEN.1/P2PVVOIP | The NDcPP already defines an audit generation function. This PP-Module adds an iteration of FAU_GEN.1 for the auditable events that relate specifically to VVoIP endpoint behavior that must apply for peer-to-peer TOEs. |
| FCS_COP.1/SRTP | This SFR defines the AES functionality used to support SRTP. This does not conflict with the NDcPP because the TOE can still use FCS_COP.1/DataEncryption to make claims related to all other uses of AES. |
| FCS_SRTP_EXT.1 | This SFR defines support for the SRTP protocol, which is specific to VVoIP technology. The TSF’s implementation of this protocol does not prevent the enforcement of any NDcPP SFRs. |
| FDP_IFC.1/CALLCONTROL | This SFR defines VVoIP call control policy. The TSF’s implementation of this protocol does not prevent the enforcement of any NDcPP SFRs. |
| FDP_IFF.1/CALLCONTROL | This SFR defines VVoIP call control policy. The TSF’s implementation of this protocol does not prevent the enforcement of any NDcPP SFRs. |
| FPT_STM_EXT.1/VVoIP | This SFR defines the TOE’s reliance on ESCs to act as its NTP servers in deployments where the TOE is registered to them. It is duplicative of the FPT_STM_EXT.1 SFR defined in the Base-PP but is refined to identify the use of the ESC as a specific NTP server, which is a restriction not present in the Base-PP. |
| PP-Module Threat, Assumption, OSP | Consistency Rationale |
|---|---|
| T.MEDIA_DISCLOSURE | The App PP defines a threat for network eavesdropping. The threat of media disclosure through vocoder frames is a type of side-channel attack that is unique to the functions of a VVoIP endpoint. However, it is consistent with the overall threat of unintended disclosure of sensitive data. |
| T.UNDETECTED_TRANSMISSION | The App PP defines threats for network attack and network eavesdropping. Unauthorized and undetected use of a communications channel is consistent with these threats. |
| A.UPDATE_SOURCE | The App PP does not have any assumptions for the source of TOE updates, only that the updates have adequate integrity protections. There is no conflict with this Module assuming that TOE updates will be retrieved from a particular location. |
The objectives for the TOE’s operational environment are consistent with the App-PP based on the following rationale:
| PP-Module OE Objective | Consistency Rationale |
|---|---|
| OE.UPDATE_SOURCE | This rationale could be interpreted as vague or conflicting with FPT_TUD_EXT.2, as applications that are not packaged with the OS do have format requirements. There is no defined requirement for update location, since there may be an alternate use case where "the place you get the app from" is different from "the mobile device vendor's app store" because an MDM might have a separate mobile app server that devices enrolled in the MDM must use. Is this still an anticipated use case? If so, the objective may need to be reworded in terms of a generic "trusted source" to make clear that this module is not conflicting with FPT_TUD_EXT.2's requirements. The App PP requires the TOE to be able to apply software/firmware updates but does not define any specific way that these updates need to be made available. This PP-Module defines an objective that allows for an assumption that TOE updates will be made available in a specific location. A.UPDATE_SOURCE is consistent with the Base-PP objectives for the same reason. |
| PP-Module Requirement | Consistency Rationale |
|---|---|
| Modified SFRs | |
| FPT_TUD_EXT.1 | This PP-Module does not modify this SFR; it only specifies that the source of TOE software/firmware updates must be a specific type of server. |
| FTP_DIT_EXT.1 | This PP-Module modifies the App PP SFR by mandating the use of trusted communications to secure transmitted data, mandating support for TLS, and permitting support for SRTP. The first two modifications are derived from selections that are already present in the App PP version of the SFR. The addition of SRTP does not prevent any of the other protocols from being used if supported. |
| Additional SFRs | |
| This PP-Module does not add any requirements when the APP PP is the base. | |
| Mandatory SFRs | |
| FCO_VOC_EXT.1 | The use of a fixed-rate vocoder relates to application-layer communications that are not within the scope of the App PP. |
| FDP_IFC.1 | This SFR defines a policy for when data will or will not be transmitted by the TSF. The App PP defines requirements for how data is transmitted but a policy governing when an external interface may be invoked is beyond its scope. |
| FDP_IFF.1 | This SFR defines the rules for a policy for when data will or will not be transmitted by the TSF. The App PP defines requirements for how data is transmitted but a policy governing when an external interface may be invoked is beyond its scope. |
| FMT_SMF.1/VVoIP | This PP-Module defines a new iteration of FMT_SMF.1 to add additional management functions that relate specifically to VVoIP functionality. The addition of these functions does not prevent any of the original functions from being implemented. This iteration does include two duplicates of management functions specified in the Base-PP; this is consistent because it is possible that auditing is handled differently for the VVoIP functionality as it is for the rest of the TOE’s auditing. These functions are also selectable so it is not required that a conformant TOE implement this. |
| FTA_SSL.3/MEDIA | This SFR defines session termination behavior for the TOE’s media channel. This interface is specific to this PP-Module and is not within the scope of the App PP. |
| FTP_ITC.1/CONTROL | This SFR defines the trusted communications protocol used by the TOE’s signaling channel, which is specific to the VVoIP technology and does not conflict with the functionality defined in the App PP. |
| FTP_ITC.1/MEDIA | This SFR defines the trusted communications protocol used by the TOE’s media channel, which is specific to the VVoIP technology and does not conflict with the functionality defined in the App PP. |
| Optional SFRs | |
| FAU_GEN.1/CSADMIN | This PP-Module specifies an iteration of FAU_GEN.1 for the auditable events that relate specifically to the administration of the VVoIP endpoint. The App PP does not mandate that the TOE include an audit function but it is not prohibited by the PP. |
| FAU_GEN.1/CSVVOIP | This PP-Module specifies an iteration of FAU_GEN.1 for the auditable events that relate specifically to VVoIP endpoint behavior. The App PP does not mandate that the TOE include an audit function but it is not prohibited by the PP. |
| Objective SFRs | |
| This PP-Module does not define any Objective requirements. | |
| Implementation-dependent SFRs | |
| FAU_STG.1 | This SFR defines the ability of the TOE to protect, store, and transmit audit data to a remote server using a secure channel. The App PP does not define its own requirements for auditing but it does not prohibit audit functionality, so this PP-Module’s inclusion of an audit function does not conflict with the PP. |
| FAU_STG.5 | This SFR defines the ability of the TOE to handle log space overruns in a defined manner. The App PP does not define its own requirements for auditing but it does not prohibit audit functionality, so this PP-Module’s inclusion of an audit function does not conflict with the PP. |
| Selection-based SFRs | |
| FAU_GEN.1/P2PADMIN | This PP-Module specifies an iteration of FAU_GEN.1 for the auditable events that relate specifically to the administration of the VVoIP endpoint. The App PP does not mandate that the TOE include an audit function but it is not prohibited by the PP. |
| FAU_GEN.1/P2PVVOIP | This PP-Module specifies an iteration of FAU_GEN.1 for the auditable events that relate specifically to VVoIP endpoint behavior. The App PP does not mandate that the TOE include an audit function but it is not prohibited by the PP. |
| FCS_COP.1/SRTP | This SFR defines the AES functionality used to support SRTP. This does not conflict with the App PP because the TOE can still use FCS_COP.1/DataEncryption to make claims related to all other uses of AES. |
| FCS_SRTP_EXT.1 | This SFR defines support for the SRTP protocol, which is specific to VVoIP technology. The TSF’s implementation of this protocol does not prevent the enforcement of any App PP SFRs. |
| FDP_IFC.1/CALLCONTROL | This SFR defines VVoIP call control policy. The TSF’s implementation of this protocol does not prevent the enforcement of any App PP SFRs. |
| FDP_IFF.1/CALLCONTROL | This SFR defines VVoIP call control policy. The TSF’s implementation of this protocol does not prevent the enforcement of any App PP SFRs. |
| FPT_STM_EXT.1/VVoIP | This SFR defines the TOE’s reliance on ESCs to act as its NTP servers in deployments where the TOE is registered to them. The App PP does not define a specific method for how a conformant TOE is expected to receive time data so there is no contradiction here. |
This SFR defines the same auditable events as FAU_GEN.1/P2PADMIN in Appendix B below. It is defined as a separate iteration because when the TOE is deployed in a client-server architecture, the Enterprise Session Controller is expected to be responsible for the relevant auditing, so this capability is optional when the TOE is not peer-to-peer.
If the TOE claims this SFR and conforms to the App PP, the implementation-dependent SFRs FAU_STG.1 and FAU_STG.5 must also be claimed. This does not need to be claimed when the TOE conforms to the NDcPP because that PP already defines FAU_STG.1 as a mandatory requirement.
This SFR defines the same auditable events as FAU_GEN.1/P2P-VVoIP in Appendix B below. It is defined as a separate iteration because when the TOE is deployed in a client-server architecture, the Enterprise Session Controller is expected to be responsible for the relevant auditing, so this capability is optional when the TOE is not peer-to-peer.
If the TOE claims this SFR and conforms to the App PP, the implementation-dependent SFRs FAU_STG.1 and FAU_STG.5 must also be claimed. This does not need to be claimed when the TOE conforms to the NDcPP because that PP already defines FAU_STG.1 as a mandatory requirement.
This PP-Module does not define any Objective SFRs.
| Functional Class | Functional Components |
|---|---|
| Communications (FCO) | FCO_VOC_EXT Fixed-Rate Vocoder |
| Cryptographic Support (FCS) | FCS_SRTP_EXT Secure Real-Time Transport Protocol |
FCO_VOC_EXT.1, Fixed-Rate Vocoder, requires the TSF to use a constant bit rate vocoder as opposed to a variable one.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
| Hierarchical to: | No other components. |
| Dependencies to: | No dependencies. |
FCS_SRTP_EXT.1, Secure Real-Time Transport Protocol, requires the TSF to implement SRTP and defines conditions on its use.
No specific management functions are identified.
There are no auditable events foreseen.
| Hierarchical to: | No other components. |
| Dependencies to: | FCS_COP.1 Cryptographic Operation |
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.3 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. However, these requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
| Requirement | Rationale for Satisfaction |
| FAU_GEN.2 – User identity association | The iterations of FAU_GEN.1.2 explicitly requires that the OS record any user account associated with each event; therefore, it is duplicative to include a separate requirement to associate a user account with each event. If the TOE claims conformance to the NDcPP, the dependency is explicitly met through FAU_GEN.2. |
| FIA_UID.1 – Timing of Identification |
For the purpose of logging and processing VVoIP telephony functions, the TOE is identified solely by underlying system or configuration characteristics (e.g., IP address, phone number) independent of the identity of the user interacting with the TOE. When the TOE is a software application, neither this PP-Module nor the Base-PP (App PP) define a separate identification and authentication mechanism for the software application to interact with its management interface. The software application assumes that accessing the OS platform itself is sufficient to grant access to the application. For accountability purposes, the user of the TOE is identified as the user that logged in to the OS platform and subsequently interacted with the TSF. |
| FMT_MSA.1 – Management of Security Attributes |
This SFR defines the TOE security attributes that can be managed and what management role can administer them. Specifically, this is indirectly dependent on FDP_IFF.1. The PP-Module defines two iterations of FDP_IFF.1. Each of these iterations define explicit rules that determine when the TSF transmits call control and media data. The relevant attributes are either directly under the control of an ordinary user, such that no specific security authorization is needed, or they are entirely under the control of the TSF and cannot be influenced by the user regardless of privilege. An example of the first case in that in FDP_IFF.1.2, whether or not the TOE is in the off-hook state or the mute state is controllable by a user with physical access to the TOE and does not require the assumption of an administrative role. An example of the second case is in FDP_IFF.1.2/CallControl, where the TSF will determine if the other end of the connection is a valid VVoIP endpoint, which is something the user has no ability to configure or influence. |
| FMT_MSA.3 – Static Attribute Initialization |
This SFR is a dependency on FDP_IFF.1. The PP-Module defines two iterations of FDP_IFF.1. Each of these iterations define explicit rules that determine when the TSF transmits call control and media data. FMT_MSA.3 has not been specified because the default state of the attributes used to determine if data flow is authorized is not relevant to enforcement of the rules. For example, FDP_IFF.1.2 states that the TSF will not transmit media data within a call if the TOE is in the mute state. Whether the call starts with the mute state active or inactive does not affect the enforcement of the rule, and requiring the ST to state this information does not affect the security of the TSF. |
| FMT_SMR.1 – Security Roles |
When the TOE is a software application, neither this PP-Module nor the Base-PP (App PP) define security roles that are authorized to perform management functionality on the TSF. For user access, the TOE does not require separate authentication to the TSF because authentication to the OS platform on which the TOE is installed is sufficient user access control; a user logged in to the OS platform is assumed to be a valid user of the TOE. If the TOE is registered to an ESC, the ESC may be able to issue management commands to the TOE. No separate ‘user role’ is needed to define this because the ESC is not a ‘user’ and so FMT_SMR.1.2 is not applicable in this context. The ESC’s authorization to manage the TSF is implicitly granted through the user registering the TOE to the ESC. |
| FPT_STM.1 – Reliable time stamps |
The iterations of FAU_GEN.1.2 explicitly requires that the software application TSF associate timestamps with audit records; therefore it is duplicative to include a separate timestamp requirement. Additionally, the App PP has an assumption of relying upon a trustworthy computing platform with a reliable time clock for its execution, so the dependency is also met through the assumption. Alternatively, if the TOE is registered to an ESC, the selection-based requirement FPT_STM_EXT.1/VVoIP must be claimed, which is sufficient to address the dependency as the TSF will receive time data from the operational environment that is assumed to be reliable. If the TOE claims conformance to the NDcPP, the dependency is also explicitly met through FPT_STM_EXT.1, regardless of whether the TOE is deployed in a client-server configuration (with registration to an ESC) or peer-to-peer configuration (with no ESC involved). |
The TOE does not require any additional supplementary information to describe its entropy sources beyond the requirements outlined in the Base-PPs. As with other Base-PP requirements, the only additional requirement is that the entropy documentation also applies to the specific VVoIP capabilities of the TOE that require random data, in addition to any functionality required by the claimed Base-PP.
| Acronym | Meaning |
|---|---|
| Base-PP | Base Protection Profile |
| CC | Common Criteria |
| CEM | Common Evaluation Methodology |
| cPP | Collaborative Protection Profile |
| DHCP | Dynamic Host Configuration Protocol |
| ESC | Enterprise Session Controller |
| FP | Functional Package |
| IETF | Internet Engineering Task Force |
| IP | Internet Protocol |
| ITU-T | International Telegraph Union – Telecommunication Standardization Sector |
| NTP | Network Time Protocol |
| OE | Operational Environment |
| P2P | Peer-to-Peer |
| PP | Protection Profile |
| PP-Configuration | Protection Profile Configuration |
| PP-Module | Protection Profile Module |
| SAR | Security Assurance Requirement |
| SFR | Security Functional Requirement |
| SIP | Session Initiation Protocol |
| SRTP | Secure Real-Time Transport Protocol |
| ST | Security Target |
| TCP | Transmission Control Protocol |
| TFTP | Trivial File Transfer Protocol |
| TOE | Target of Evaluation |
| TSF | TOE Security Functionality |
| TSFI | TSF Interface |
| TSS | TOE Summary Specification |
| UDP | User Datagram Protocol |
| VVoIP | Voice/Video over IP |
| Identifier | Title |
|---|---|
| [CC] | Common Criteria for Information Technology Security Evaluation -
|
| [CEM] | Common Methodology for Information Technology Security Evaluation -
|
