Fuji Xerox DocuCentre-II C4300/C3300/C2200 Series Security Kit for Asia Pacific
Security Target
27 October 2006
Version: V1.01
This document is a translation of the evaluated and certified security target written in Japanese.
Fuji Xerox Co., Ltd.
Revision History
No.  Date              Version  Description
1    October 17, 2006  V1.00    First draft.
2    October 27, 2006  V1.01    Changed the name of Documents, etc.
-Contents-
1. ST Introduction ... 5
1.1. ST Identification ... 5
1.2. ST Overview ...
1.3. 1.4. 1.5. 1.6. 1.7. 1.8. 1.9. 2.
5.1.3. Class FIA: Identification and Authentication ... 24
5.1.4. Class FMT: Security Management ... 25
5.1.5. Class FPT: TSF Protection ...
8.3.1. Rationale for Function Summary Specification ... 47
8.3.2. Assurance Measures Rationale ... 49
8.4. PP Claims Rationale ...
Fuji Xerox ApeosPort-II C4300(AP)Series Security Kit for Asia Pacific Security Target V1.01
1.3. Evaluation Assurance Level
Evaluation Assurance Level of TOE: EAL2
Reason: TOE is to be used in facilities of organizations such as SOHO, general offices, government and municipal offices, and universities. The users are limited to those who are related to the organization.
1.4. Applicable PP
There is no applicable Protection Profile.
1.5. Related ST
There is no related Security Target.
1.6.
One who manages MFP.
Customer Engineer: Fuji Xerox’s engineer who maintains and repairs MFP.
Attacker: One who uses TOE with malicious intention.
Control Panel: Panel on which the buttons, lamps, and touch panel display that are necessary for operating MFP are arranged.
User’s Client: Client that is used by general user.
Printer Control Function: Function to control the equipment to realize printer function.
Storage Print: Print method in printer function. In this method, bitmap data created by decomposing print data is once stored on the internal hard disk drive of MFP, and printed according to the general-user’s instruction from the control panel or when the designated time comes.
Method used in printer function, in which decomposing is performed while print data sent from user’s client is being received. In this method, print data from multiple user’s-clients cannot be received simultaneously.
Original: Texts, pictures, photographs, and others that are scanned in IIT in copy function.
- Print data sent from user’s client and bitmap data created by decomposing the data, when using printer function.
- Bitmap data that is stored on the internal hard disk drive when using scanner function.
- Bitmap data that is sent to a connected remote-machine and bitmap data that is received from a connected remote-machine and printed in IOT, when using facsimile function.
1.9. Reference
The following are references for this ST:
[CC Part 1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 2.3, August 2005, CCMB-2005-08-001
[CC Part 2] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 2.
[CC Part 3]
[CEM]
[PDTR15446]
2.2. Usage Environment of TOE
TOE is assumed to be used in the condition where the machine is connected to internal network, public telephone line network, and user’s clients. Assumed usage environment of TOE is shown in Figure 1.
firewall.
2.3. Purpose of Using TOE
To protect the used document data that is stored on the internal hard disk drive of MFP from being disclosed illicitly.
2.4. Configuration of TOE
2.4.1. Physical Configuration
Each unit in MFP and physical boundaries within TOE are shown in Figure 2. MFP consists of three board-units: controller board, control panel, and facsimile card.
In printer functions, there are two types of decomposing methods. One is the spool method, in which the print data sent from user’s client is temporarily received in a memory (internal memory or internal hard disk drive of MFP) and then decomposed. The other is the non-spool method, in which decomposing is performed while print data sent from user’s client is being received in an internal memory of MFP.
TOE provides the following security functions for this used document data stored on the hard disk drive:
Overwrites and erases used document data stored on the hard disk drive after the operation of copy, printer, scanner, and facsimile functions.
In “setting for HDD overwriting function for residual data,” the number of overwriting and erasing used document data recorded on the hard disk drive can be set to one of those described below:
- Not perform: Does not overwrite nor erase. Set when security functions of TOE are not used. Lowering of process speed of copy and printer functions, which occurs due to overwriting and erasing, can be avoided.
due to the encryption can be avoided.
- Perform: Encryption makes the parsing of document data difficult. Protects used document data by being set in combination with the setting for HDD overwriting function for residual data.
Cryptographic seed key for data stored on the hard disk drive becomes valid when the “setting for HDD data encryption function” is “Perform.”
2.6. Assets protected by TOE
Assets protected by TOE are the used document data stored on the hard disk drive of MFP and the TOE setting data stored on NVRAM and SEEPROM. There are two types of document data; one is bitmap data stored by copy function, and the other is print data that is sent from user’s client and stored.
R.CONFDATA (TOE setting data)
Types of used document data when using facsimile function:
- Bitmap data of which use is finished when sending of the stored document data is finished in sending a facsimile.
- Bitmap data of which use is finished when printing of the stored document data is finished in receiving a facsimile.
2.7.2. Non-Security Function of TOE
TOE provides the following non-security functions.
Function classification: Description
Copy control function: Function to control copy operation of MFP. Document data scanned in IIT is converted to image data such as through digital filter and printed out by IOT.
Printer control function:
Decomposing function:
Scanner control function:
Facsimile control function:
CWIS:
2.8.
hard disk drive that is built into MFP as described in Table 4. Security functions of TOE operate for this stored used document data according to the key-operator’s setting, without the general user being aware of it. Flows of control data and document data between respective units in each function of MFP are described in Table 4.
3. TOE Security Environment
3.1. Assumptions
Assumptions related to the operation and use of this TOE are described in Table 5.
Table 5: Assumptions
Assumption: A.SECMODE, A.ADMIN, A.NET
3.2.
4. Security Objectives
4.1. Security Objectives for the TOE
Security objectives for the TOE are described in Table 7.
Table 7: Security Objectives for the TOE
Objective: Description
O.RESIDUAL: TOE must make the recovery of used document data stored on the hard disk drive impossible by overwriting.
O.DECIPHER:
O.MANAGE:
4.2.
5. IT Security Requirements
5.1. TOE Security Functional Requirements
Specifies security functional requirements provided by TOE.
5.1.1. Class FCS: Cryptographic Support
FCS_CKM.1 Cryptographic Key Generation
Hierarchical to: No other components.
FCS_CKM.1.
[assignment: list of cryptographic operations]: Encryption of document data stored on the hard disk drive; Decryption of document data stored on the hard disk drive
Dependencies: [FDP_ITC.1 Import of user data without security attributes or FCS_CKM.1 Cryptographic key generation], FCS_CKM.4 Cryptographic key destruction, FMT_MSA.2 Secure security attributes
5.1.2. Class FDP: User Data Protection
FDP_RIP.
Transition to the authentication-denial status. There is no function to cancel the authentication-denial status.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UID.2 User Identification before Any Action
Hierarchical to: FIA_UID.1
FIA_UID.2.1 The TSF shall require [Refinement: key operator] to identify itself before allowing any other TSF-mediated actions on behalf of the [Refinement: key operator].
Enable
[assignment: the authorized identified roles]: Key operator
Dependencies: FMT_SMF.1 Specification of management function, FMT_SMR.1 Security roles
FMT_MOF.1 (2) Management of security functions behaviour (2)
Hierarchical to: No other components.
FMT_MOF.1.
Hierarchical to: No other components.
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorized identified roles].
[assignment: the authorized identified roles]: Key operator
Dependencies: FMT_SMF.1 Specification of management function, FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [assignment: list of security management functions to be provided by the TSF].
operator.)
As for FMT_MOF.1, FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), and FMT_SMR.1, only the key operator who is authenticated by key-operator’s password is managed, and management of group is not performed.
Dependencies: None
FMT_SMR.1 Security roles
Hierarchical to: No other components.
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorized identified roles].
Vulnerability assessment
ATE_IND.2 Independent testing - sample (dependencies: ADV_FSP.1, ADV_ADM.1, AGD_USR.1, ATE_FUN.1)
AVA_SOF.1 Evaluation of TOE security function strength (dependencies: ADV_FSP.1, ADV_HLD.1)
AVA_VLA.1 Developer vulnerability analysis (dependencies: ADV_FSP.1, ADV_HLD.1, AGD_ADM.1, AGD_USR.1)
5.3. Security Functional Requirement for IT Environment
There is no security functional requirement provided by IT environment of TOE.
5.4.
6. TOE Summary Specification
6.1. TOE Security Functions
This TOE has the following security functions to satisfy TOE security functional requirements:
- HDD overwriting function for residual data (SF.OVERWRITE)
- HDD data encryption function (SF.ENCRYPTION)
- Key-operator authentication function (SF.MANAGE)
- Customer-engineer operation restriction function (SF.
This function is configured to certainly operate because it is realized by unique software that does not have bypass measures.
Table 12: Control of Overwriting
Number of overwritings: Data to overwrite with
One time: 0
Three times: First time: random number; Second time: random number; Third time: 0
6.1.2. HDD Data Encryption Function (SF.
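The overwrite control of Table 12, together with the re-overwrite at the next power-on that section 8.2 relies on for non-bypassability, modelled as an added Python example; this is not code from the ST or from Fuji Xerox. The `Hdd` class, its in-memory sector array and the `pending` set standing in for however the MFP persists an unfinished overwrite job are all assumptions made for the example.

```python
import os

# Overwrite passes for each value of "setting for HDD overwriting function for
# residual data" (Table 12): "one time" writes 0 once; "three times" writes a
# random number, a random number, then 0. "Not perform" writes nothing.
ZEROS = lambda n: bytes(n)
PASSES = {
    "not_perform": [],
    "one_time": [ZEROS],
    "three_times": [os.urandom, os.urandom, ZEROS],
}


class Hdd:
    """Constructed in-memory stand-in for the MFP's internal hard disk drive.

    `pending` records sectors whose overwrite started but did not complete; it
    stands in for the persisted state that lets an interrupted overwrite be
    re-run at the next power-on (an assumption about how that is tracked).
    """

    def __init__(self, sectors, sector_size=16):
        self.sectors = [bytearray(sector_size) for _ in range(sectors)]
        self.pending = set()

    def store(self, sector, data):
        """Write document data (bitmap or print data) into a sector."""
        self.sectors[sector][:] = data.ljust(len(self.sectors[sector]), b"\0")

    def read(self, sector):
        return bytes(self.sectors[sector])

    def is_zeroed(self, sector):
        """True when nothing of the used document data remains in the sector."""
        return not any(self.sectors[sector])

    def finish_job(self, sector, setting, fail_after_pass=None):
        """Overwrite the sector once the copy/print/scan/fax job is finished.

        `fail_after_pass` simulates a power shutdown just before that pass.
        """
        passes = PASSES[setting]
        if not passes:
            return  # "Not perform": data stays on disk, nothing is journaled
        self.pending.add(sector)  # persisted before the first pass starts
        size = len(self.sectors[sector])
        for i, make_pattern in enumerate(passes):
            if fail_after_pass is not None and i == fail_after_pass:
                raise RuntimeError("power shutdown during overwrite")
            self.sectors[sector][:] = make_pattern(size)
        self.pending.discard(sector)  # cleared only after the last pass

    def power_on(self, setting):
        """Re-run every overwrite that was interrupted (non-bypassability)."""
        for sector in sorted(self.pending):
            self.finish_job(sector, setting)
        return len(self.pending)


def interrupted_then_resumed(setting="three_times"):
    """Constructed scenario: shutdown after the first pass, then power-on.

    Returns (pending after shutdown, zeroed after shutdown, zeroed after boot).
    """
    hdd = Hdd(sectors=1)
    hdd.store(0, b"CONFIDENTIAL FAX")  # constructed 16-byte sample
    try:
        hdd.finish_job(0, setting, fail_after_pass=1)
    except RuntimeError:
        pass  # the first random pass ran; the job is still marked pending
    pending, zeroed_before = 0 in hdd.pending, hdd.is_zeroed(0)
    hdd.power_on(setting)
    return pending, zeroed_before, hdd.is_zeroed(0)
```

A "one time" pass leaves the sector all zero, "not perform" leaves the document data readable, and the interrupted "three times" job is only cleared from `pending` after the re-run at power-on completes all three passes.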
key operator succeeds, this function allows the operation of TOE setting data. When either of the “key-operator’s user ID” or “key-operator’s password” entered at the control panel or through the Web browser of key-operator’s client is incorrect and the identification/authentication of key operator fails, this function displays identification/authentication error.
Description”:
- Function and usage of configuration management system
- Naming rule for the unique identification of TOE
- Configuration items that are included in TOE
- Unique identifier of each configuration item
- How to track the changing history of TOE configuration items
Corresponding security assurance requirement: ACM_CAP.2
6.2.2. DocuCentre-II C4300(AP) Series TOE Configuration List (AS.
above-described external interfaces
- Complete description of TOE security functions
Corresponding security assurance requirement: ADV_FSP.1
6.2.5. DocuCentre-II C4300(AP) Series High-Level Design Specification (AS.
6.2.8. DocuCentre-II C4300(AP) Series Test Plan and Report (AS.
functions’ operation-conditions are described in the manual
Corresponding security assurance requirement: AVA_SOF.1 AVA_VLA.
7. PP Claims
7.1. PP Reference
There is no referred PP.
7.2. PP Tailoring
There is no refinement to PP.
7.3. PP Additions
There is no addition to PP.
8. Rationale
8.1. Security Objectives Rationale
Correspondences between security objectives and threats/assumptions are described in Table 13.
(1) Necessity
Rationale for the necessity of security objectives is described below. As described in Table 13, all the security objectives correspond to one or more threats/assumptions.
Table 13: Correspondences between Security Objectives and Threats/Assumptions
A.ADMIN A.
T.CONFDATA A.SECMODE A.ADMIN A.NET
Print data is included in the used document data that is stored on the hard disk drive when using printer function. This print data is sometimes described in text format and is relatively easy to parse.
8.2. Security Requirements Rationale
8.2.1. Security Functional Requirements Rationale
(1) Necessity
Relations between security functional requirements and security objectives are described in Table 15. Each TOE security functional requirement corresponds to at least one security objective. Incorrect subject does not exist in TOE.
FPT_RVM.1
O.MANAGE: FIA_AFL.1, FIA_UID.2, FIA_UAU.2, FIA_UAU.7, FMT_MOF.1 (1), FMT_MOF.1 (2), FMT_MOF.1 (3), FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_SMF.1, FMT_SMR.1, FPT_RVM.1
document data stored on the hard disk drive difficult can be realized by encryption:
- FCS_CKM.1: By FCS_CKM.1, the cryptographic key of the specified cryptographic key size is generated.
- FCS_COP.1: By FCS_COP.
Attack capability of the attackers assumed for this TOE is low level. Therefore, “SOF-basic” being the minimum function strength level is appropriate. The security function strength necessary for TOE is satisfied because all the probabilistic and permutational mechanisms in FIA_AFL.1 and FIA_UAU.2 are SOF-basic.
FMT_MOF.1 (1), FMT_MOF.1 (2), FMT_MOF.1 (3), FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3): FMT_SMF.1, FMT_SMR.1
FMT_SMF.1: None
FMT_SMR.1: FIA_UID.2
FPT_RVM.1: None
The dependency on FIA_UID.1 is satisfied because FIA_UID.2 is the security functional requirement that is an upper hierarchy of FIA_UID.1.
interrupted such as by power shutdown, re-overwriting and re-erasing is performed at the next power-on. Therefore, non-bypassability is ensured.
The TOE security function (FIA_AFL.1) is configured by unique software that does not have bypass measures, and cannot be replaced with another module. The function to cancel authentication-denial status does not exist. Therefore, non-bypassability is ensured.
8.3. TOE Summary Specification Rationale
8.3.1. Rationale for Function Summary Specification
(1) Necessity
Correspondences between security functional requirements and TOE security functions are described in Table 19. TOE security functions correspond to security functional requirements. All TOE security functions are necessary to realize the security functional requirements.
FCS_COP.1 FDP_RIP.1 FIA_AFL.1 FIA_UID.2 FIA_UAU.2 FIA_UAU.7 FMT_MOF.1 (1) FMT_MOF.1 (2) FMT_MOF.1 (3)
By the following security function, FCS_COP.1, the cryptographic operation, can be assured:
- SF.ENCRYPTION: By SF.ENCRYPTION, TOE encrypts document data stored on the hard disk drive using the automatically-generated cryptographic key.
By the following security function, FDP_RIP.
FMT_MTD.1(1) FMT_MTD.1(2) FMT_MTD.1(3) FMT_SMF.1 FMT_SMR.1 FPT_RVM.1
- SF.MANAGE: By SF.MANAGE, TOE allows the authenticated key-operator to define and change the key-operator’s password related to the determination of the behavior of the TOE security function “key-operator authentication function.”
By the following security function, FMT_MTD.
Assurance measures (columns): AS.VULNERABILITY, AS.TEST, AS.GUIDANCE, AS.REPRESENT, AS.HIGHLDESIGN, AS.FUNCSPEC, AS.DELIVERY, AS.CONFIGURATIONLIST, AS.CONFIGURATION
ACM_CAP.2: O O
ADO_DEL.1: O O
ADO_IGS.1: O O
ADV_FSP.1: O
ADV_HLD.1: O
ADV_RCR.1: O
AGD_ADM.1: O
AGD_USR.1: O
ATE_COV.1: O
ATE_FUN.1: O
ATE_IND.2: O
AVA_SOF.1: O
AVA_VLA.1: O
O: Shows that it is the assurance measure that satisfies the security assurance requirement.
User Guide” (AS.GUIDANCE)
3. ADO_IGS.1 Installation, Generation, and Start-up Procedures
[Corresponding assurance measure] The following documents are provided. By these documents, the requirements such as procedure / checking method for TOE installation/activation and how to deal with exceptional event can be satisfied:
- “C4300(AP) Series Delivery, Introduction, and Operation Procedure Description” (AS.
- “ApeosPort-II C4300/C3300/C2200 DocuCentre-II C4300/C3300/C2200 Security Kit Supplementary Guide, ApeosPort-II C4300/C3300/C2200 DocuCentre-II C4300/C3300/C2200 User Guide” (AS.GUIDANCE)
8. AGD_USR.1 User Guidance
[Corresponding assurance measure] The following documents are provided.
[Corresponding assurance measure] The following document is provided. By this document, the requirement for checking that the identified vulnerability of TOE is not illicitly used in an assumed environment can be satisfied:
- “DocuCentre-II C4300(AP) Series Vulnerability Analysis” (AS.VULNERABILITY)
8.4. PP Claims Rationale
There is no applicable PP.