Aficio MP C4501/C5501 series Security Target
Author: RICOH COMPANY, LTD.
Date: 2011-07-18
Version: 1.00
Portions of Aficio MP C4501/C5501 series Security Target are reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, Copyright © 2009 IEEE. All rights reserved. This document is a translation of the evaluated and certified security target written in Japanese.
Page 1 of 93
Revision History
Version 1.00, Date 2011-07-18, Author RICOH COMPANY, LTD., Detail: Publication version.
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Table of Contents
1 ST Introduction 7
1.1 ST Reference 7
1.2 TOE Reference 7
1.3 TOE Overview
3.1 Threats 36
3.2 Organisational Security Policies 37
3.3 Assumptions 37
4 Security Objectives
7.3 Document Access Control Function 84
7.4 Use-of-Feature Restriction Function 86
7.5 Network Protection Function 87
7.6 Residual Data Overwrite Function 87
7.
List of Figures
Figure 1 : Example of TOE Environment 9
Figure 2 : Hardware Configuration of the TOE 12
Figure 3 : Logical Scope of the TOE
Table 36 : Unlocking Administrators for Each User Role 83
Table 37 : Stored Documents Access Control Rules for Normal Users 85
Table 38 : Encrypted Communications Provided by the TOE 87
Table 39 : List of Cryptographic Operations for Stored Data Protection
1 ST Introduction
This section describes ST Reference, TOE Reference, TOE Overview and TOE Description.
1.1 ST Reference
The following is the identification information of this ST.
Title : Aficio MP C4501/C5501 series Security Target
Version : 1.00
Date : 2011-07-18
Author : RICOH COMPANY, LTD.
1.2 TOE Reference
This TOE is identified by the following: digital multi function product (hereafter "MFP") and Fax Controller Unit (hereafter "FCU"), all of which constitute the TOE.
Names (continued): infotec MP C4501, infotec MP C5501, Savin C9145, Savin C9155, Savin C9145G, Savin C9155G
Versions (software): OpePanel 1.06, LANG0 1.06, LANG1 1.06, Data Erase Std 1.01x
Hardware: Ic Key 01020700, Ic Ctlr 03
Options: FCU name Fax Option Type C5501, GWFCU3-21(WW) 03.00.00
Keywords : Digital MFP, Documents, Copy, Print, Scanner, Network, Office, Fax
1.3 TOE Overview
This section defines TOE Type, TOE Usage and Major Security Features of TOE.
1.3.
Figure 1 : Example of TOE Environment
The TOE is used by connecting to the local area network (hereafter "LAN") and telephone lines, as shown in Figure 1. Users can operate the TOE from the Operation Panel of the TOE or through LAN communications. Below, explanations are provided for the MFP, which is the TOE itself, and for the hardware and software other than the TOE.
MFP: the machine that is defined as the TOE.
Client computer: acts as a client of the TOE when connected to the LAN; users can remotely operate the MFP from the client computer.
- Audit Function
- Identification and Authentication Function
- Document Access Control Function
- Use-of-Feature Restriction Function
- Network Protection Function
- Residual Data Overwrite Function
- Stored Data Protection Function
- Security Management Function
- Software Verification Function
- Fax Line Separation Function
1.
Figure 2 : Hardware Configuration of the TOE
Controller Board
The Controller Board is a device that contains Processors, RAM, NVRAM, Ic Key, and FlashROM. The Controller Board sends and receives information to and from the units and devices that constitute the MFP, and this information is used to control the MFP. The information to control the MFP is processed by the MFP Control Software on the Controller Board.
and digital signature. It has the memory medium inside, and the signature root key is installed before the TOE is shipped.
- FlashROM
A non-volatile memory medium in which the following software components are installed: System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, and LANG1. These are part of the TOE and are included in the MFP Control Software.
Ic Ctlr
The Ic Ctlr is a board that implements data encryption and decryption functions. It provides the functions used to realise HDD encryption.
Network Unit
The Network Unit is an external interface to an Ethernet (100BASE-TX/10BASE-T) LAN.
USB Port
The USB Port is an external interface to connect a client computer to the TOE for printing directly from the client computer. During installation, this interface is disabled.
- Operating Instructions Troubleshooting D088-7653A
- Quick Reference Copy Guide D088-7526
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide
- App2Me Start Guide D088-7886 D085-7906B
- Notes for Users D088-7608
- Notes for Users D088-7759A
- Notes for Users D572-7010
- Manuals for Users Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C914
Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions About This Machine D088-7609 - C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions Troubleshooting D088-7657 - Quick Refer
Table 4 : Guidance for English Version-3
TOE Components: MFP
Guidance Documents for Product:
- Safety Information for MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A/Aficio MP C3001/Aficio MP C3501/Aficio MP C4501/Aficio MP C4501A/Aficio MP C5501/Aficio MP C5501A
- Quick Reference Copy Guide D088-7525
- Quick Reference Fax Guide D545-8505
- Quick Reference Printer Guide D088-7804
- Quick Reference Scanner Guide
- App2Me Start Guide D088-7400A D088-7885 D085-7904B
- Manuals f
- Operating Instructions About This Machine D088-7605A
- MP C3001/C3501/C4501/C4501A/C5501/C5501A MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Operating Instructions Troubleshooting D088-7655A
- Quick Reference Copy Guide D088-7527
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide D088-7887
- Notes for Users D088-7608
- Notes for Users D088-7759A
- App2Me Start Guide D085-7906B
- Manuals for Users Aficio MP C3001/M
Table 6 : Definition of Users
Normal user: A user who is allowed to use the TOE. A normal user is provided with a login user name and can use Copy Function, Fax Function, Scanner Function, Printer Function, and Document Server Function.
Administrator: A user who is allowed to manage the TOE. An administrator performs management operations, which include issuing login names to normal users.
RC Gate: An IT device connected to networks.
The responsible manager of MFP is a person who is responsible for selection of the TOE administrators in the organisation where the TOE is used.
Customer engineer: The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE.
1.4.4 Logical Boundary of TOE
The Basic Functions and Security Functions are described as follows:
Figure 3 : Logical Scope of the TOE
1.4.4.1. Basic Functions
The overview of the Basic Functions is described as follows:
Copy Function
The Copy Function scans paper documents and prints the scanned image data, operated from the Operation Panel. Magnification and other editing can be applied to the copy image. The scanned image can also be stored on the HDD as a Document Server document.
Printer Function
The Printer Function prints or stores the documents the TOE receives from the printer driver installed on the client computer. It also allows users to print and delete the stored documents from the Operation Panel or a Web browser.
- Receiving documents from the printer driver installed on the client computer. The TOE receives documents from the printer driver installed on the client computer.
Fax Function
The Fax Function sends paper documents, and documents received from the fax driver installed on the client computer, to external faxes (Fax Transmission Function). This function can also be used to receive documents from external faxes (Fax Reception Function). Documents to be sent by fax can be stored in the TOE. Those documents stored in the TOE for fax transmission are called fax documents.
Document Server Function
The Document Server Function operates on documents stored in the TOE by using the Operation Panel and a Web browser. From the Operation Panel, users can store, print and delete Document Server documents, and can print and delete fax documents. From a Web browser, users can print and delete Document Server documents, and can fax, print, download and delete fax documents. Users can also send scanner documents to folders or by e-mail, and download and delete them.
Identification and Authentication Function
The Identification and Authentication Function verifies persons before they use the TOE. Persons are allowed to use the TOE only when confirmed as an authorised user. Users can use the TOE from the Operation Panel or via the network. Over the network, users can use the TOE from a Web browser, a printer/fax driver, and RC Gate.
transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication with communication requirements that are specified for each e-mail address. If the LAN-Fax Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to specify encrypted communication. When communicating with RC Gate, encrypted communication is used.
data
1.4.5.2. TSF Data
The TSF data is classified into two types: protected data and confidential data. Table 9 defines TSF data according to these data types.
Table 9 : Definition of TSF Data
Protected data: This data must be protected from changes by unauthorised persons. No security threat will occur even if this data is exposed to the public. In this ST, the "protected data" listed below is referred to as "TSF protected data".
Terms and Definitions
Login user name: An identifier assigned to each normal user, MFP administrator, and supervisor. The TOE identifies users by this identifier.
Login password: A password associated with each login user name.
Lockout: A type of behaviour to deny login of particular users.
Auto logout: A function for automatic user logout if no access is attempted from the Operation Panel or Web Function before the predetermined auto logout time elapses.
Terms and Definitions
+SCN: One of the document data attributes. Documents sent to IT devices by e-mail or sent to folders, or downloaded to the client computer from the MFP. For these operations the Scanner Function is used.
+CPY: One of the document data attributes. Documents copied by using Copy Function.
+FAXOUT: One of the document data attributes. Documents sent by fax or to folders by using Fax Function.
+FAXIN: One of the document data attributes.
Terms and Definitions
Users for stored and received documents: A list of the normal users who are authorised to read and delete received fax documents.
Folder transmission: A function that sends documents from the MFP via networks to a shared folder on an SMB Server by using the SMB protocol, or to a shared folder on an FTP Server by using the FTP protocol.
2 Conformance Claim
This section describes Conformance Claim.
2.1 CC Conformance Claim
The CC conformance claim of this ST and TOE is as follows:
- CC version for which this ST and TOE claim conformance:
Part 1: Introduction and general model, July 2009, Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final), CCMB-2009-07-001
Part 2: Security functional components, July 2009, Version 3.1 Revision 3 Final (Japanese translation ver.1.
2600.1-SMI conformant
2.4 Conformance Claim Rationale
2.4.1 Consistency Claim with TOE Type in PP
The product type targeted by the PP is hardcopy devices (hereafter HCDs). HCDs consist of a scanner device and a print device, and have an interface to connect to a telephone line. HCDs combine these devices and provide one or more of the Copy Function, Scanner Function, Printer Function and Fax Function.
For the points mentioned above, the security problems and security objectives in this ST are consistent with those in the PP.
2.4.3 Consistency Claim with Security Requirements in PP
The SFRs for this TOE consist of the Common Security Functional Requirements, 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI. The Common Security Functional Requirements are the indispensable SFRs specified by the PP. 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.
Ownership of Received Fax Documents
For the ownership of received fax documents, the TOE has the characteristic that ownership of the document is assigned to the intended user. This is according to PP APPLICATION NOTE 93.
Augmentation of FCS_CKM.1 and FCS_COP.1
This TOE claims O.STORAGE.ENCRYPTED as the security objective for the data protection applied to non-volatile memory media that the administrator is neither allowed to attach nor to remove.
The TOE allows the MFP administrator to delete document data and user jobs (document access control SFP, FDP_ACC.1(a) and FDP_ACF.1(a)), and as a result, the TSF restrictively allows the MFP administrator to access the TOE functions. Therefore, the requirements described in FDP_ACF.1.3(b) in the PP are satisfied at the same time. The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.
3 Security Problem Definitions
This section describes Threats, Organisational Security Policies and Assumptions.
3.1 Threats
Defined and described below are the assumed threats related to the use and environment of this TOE. The threat agents considered in this section are unauthorised persons with knowledge of published information about TOE operation; such attackers are assumed to have Basic attack potential.
T.DOC.
3.2 Organisational Security Policies
The following organisational security policies are taken:
P.USER.AUTHORIZATION User identification and authentication
Only users with operation permission of the TOE shall be authorised to use the TOE.
P.SOFTWARE.VERIFICATION Software verification
Procedures shall exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING Management of audit log records
The TOE shall create and maintain a log of TOE use and security-relevant events.
A.ADMIN.TRAINING Administrator training
Administrators are aware of the security policies and procedures of their organisation, and are competent to correctly configure and operate the TOE in accordance with the guidance document, following those policies and procedures.
A.ADMIN.TRUST Trusted administrator
The responsible manager of MFP selects, according to the guidance document, administrators who do not use their privileged access rights for malicious purposes.
4 Security Objectives
This section describes Security Objectives for TOE, Security Objectives of Operational Environment and Security Objectives Rationale.
4.1 Security Objectives for TOE
This section describes the security objectives for the TOE.
O.DOC.NO_DIS Protection of document disclosure
The TOE shall protect documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the document.
O.DOC.
O.USER.AUTHORIZED User identification and authentication
The TOE shall require identification and authentication of users and shall ensure that users are authorised in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED Management of external interfaces by TOE
The TOE shall manage the operation of external interfaces in accordance with the security policies.
O.SOFTWARE.
OE.INTERFACE.MANAGED Management of external interfaces in IT environment
The IT environment shall take countermeasures to prevent unmanaged access to TOE external interfaces.
4.2.2 Non-IT Environment
OE.PHYSICAL.MANAGED Physical management
According to the guidance document, the TOE shall be placed in a secure or monitored area that provides protection from physical access to the TOE by unauthorised persons.
OE.USER.
4.3 Security Objectives Rationale
This section describes the rationale for security objectives. The security objectives are for upholding the assumptions, countering the threats, and enforcing the organisational security policies that are defined.
4.3.1 Correspondence Table of Security Objectives
Table 11 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective.
P.USER.AUTHORIZATION P.SOFTWARE.VERIFICATION P.AUDIT.
4.3.2 Security Objectives Descriptions
The following describes the rationale for each security objective being appropriate to satisfy the threats, assumptions and organisational security policies.
T.DOC.DIS
T.DOC.DIS is countered by O.DOC.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.
data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF protected data. T.PROT.ALT is countered by these objectives.
T.CONF.DIS
T.CONF.DIS is countered by O.CONF.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.
P.AUDIT.LOGGING
P.AUDIT.LOGGING is enforced by O.AUDIT.LOGGED, OE.AUDIT.REVIEWED, OE.AUDIT_STORAGE.PROTECTED and OE.AUDIT_ACCESS.AUTHORIZED. By O.AUDIT.LOGGED, the TOE creates and maintains a log of TOE use and security-relevant events in the MFP and prevents its unauthorised disclosure or alteration. By OE.AUDIT.
By OE.ADMIN.TRAINED, the responsible manager of MFP ensures that the administrators are aware of the security policies and procedures of their organisation. For this, the administrators have the training, competence, and time to follow the guidance documents, and correctly configure and operate the TOE in accordance with those policies and procedures. A.ADMIN.TRAINING is upheld by this objective.
A.ADMIN.TRUST
A.ADMIN.TRUST is upheld by OE.ADMIN.TRUSTED. By OE.ADMIN.
5 Extended Components Definition
This section describes Extended Components Definition.
5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP)
Family behaviour
This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.
are firewall systems but also other systems that require a specific work flow for the incoming data before it can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different external interfaces is therefore a function that, if allowed at all, can only be allowed by an authorized role.
6 Security Requirements
This section describes Security Functional Requirements, Security Assurance Requirements and Security Requirements Rationale.
6.1 Security Functional Requirements
This section describes the TOE security functional requirements for fulfilling the security objectives defined in section 4.1. The security functional requirements are quoted from the requirements defined in CC Part 2.
perform an operation on an object covered by the SFP.
b) Basic: All requests to perform an operation on an object covered by the SFP.
c) Detailed: The specific security attributes used in making an access check.
- Start and end operation of storing document data.
- Start and end operation of printing document data.
- Start and end operation of downloading document data.
- Start and end operation of faxing document data.
- Start and end operation of sending document data by e-mail.
authentication mechanism;
b) Basic: All use of the authentication mechanism.
login operation
FIA_UID.1(a)
a) Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided;
b) Basic: All use of the user identification mechanism, including the user identity provided.
b) Basic: Success and failure of login operation. Also includes the user identification that is required by the PP as the additional information.
FIA_UID.
Dependencies: FAU_GEN.1 Audit data generation, FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.
specified cryptographic key sizes [assignment: cryptographic key sizes in Table 13] that meet the following: [assignment: standards in Table 13].
Table 13 : List of Cryptographic Key Generation
Key Type | Standard | Cryptographic Key Generation Algorithm | Cryptographic Key Size
HDD cryptographic key | BSI-AIS31 | TRNG | 256 bits
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.
Table 15 : List of Subjects, Objects, and Operations among Subjects and Objects (a)
Subjects: Normal user process; MFP administrator process; Supervisor process; RC Gate process
Objects: Document data; User jobs
Operations: Read; Delete
FDP_ACC.1(b) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.
Subject: Supervisor process - User role
Subject: RC Gate process - User role
Object: Document data - Document data attribute; Document user list
Object: User job - Login user name of normal user
FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules to control operations among subjects and objects shown in Table 18].
Object | Attribute | Operation | Subject | Rule
Document data | +CPY | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +DSR | Delete | Normal user process | Not allowed. However, it is allowed for a normal user process whose login user name is registered on the document user list of the document data.
Document data | +DSR | Read | Normal user process | Not allowed.
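The Table 18 rows quoted above, together with the MFP administrator's delete permission noted in section 2.4.3, can be checked mechanically. The following Python model is an added example, not code from this Security Target or from Ricoh. Subjects carry a user role and, for normal users, a login user name (Table 17); document data carry a document data attribute and a document user list. Only the rules visible on this page are encoded; every other (subject, operation, object) combination is denied, which is an assumption of the model, as is the handling of the cut-off +DSR Read row (treated like +DSR Delete, i.e. allowed for users on the document user list). The `creator` field is how the model records "the normal user process that created the document data".

```python
"""Model of the document access control SFP (FDP_ACC.1(a), FDP_ACF.1(a)).

Added example, not code from the Security Target or from Ricoh.
Encodes the Table 18 rows quoted on this page plus the MFP administrator's
delete permission (section 2.4.3); everything else is denied by assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

NORMAL = "normal user"
MFP_ADMIN = "MFP administrator"
SUPERVISOR = "supervisor"
RC_GATE = "RC Gate"


@dataclass(frozen=True)
class Subject:
    """A process acting on behalf of a user; security attributes per Table 17."""
    user_role: str
    login_user_name: Optional[str] = None   # only normal users carry one here


@dataclass(frozen=True)
class DocumentData:
    """Document data object with its Table 17 security attributes."""
    attribute: str                          # "+CPY", "+DSR", "+PRT", "+SCN", "+FAXOUT", "+FAXIN"
    creator: Optional[str]                  # login user name of the creating normal user (model field)
    document_user_list: FrozenSet[str] = frozenset()


def is_allowed(subject: Subject, operation: str, doc: DocumentData) -> bool:
    """Return True if the document access control SFP permits the operation."""
    if subject.user_role == MFP_ADMIN:
        # Section 2.4.3: the MFP administrator may delete document data.
        # No read permission for the administrator is stated on the page.
        return operation == "delete"
    if subject.user_role != NORMAL:
        # Supervisor and RC Gate processes: no rule on the page grants access.
        return False
    if doc.attribute == "+CPY" and operation == "read":
        # Table 18: not allowed, except for the normal user process that created it.
        return subject.login_user_name == doc.creator
    if doc.attribute == "+DSR" and operation in ("read", "delete"):
        # Table 18: not allowed, except for a normal user whose login user name is
        # on the document user list. (The Read row is cut off on the page; the
        # model assumes the same user-list rule as Delete.)
        return subject.login_user_name in doc.document_user_list
    return False   # default deny (model assumption)


def filter_visible(subject: Subject, docs: Iterable[DocumentData]) -> List[DocumentData]:
    """Documents the subject may read, e.g. when building a stored-document list."""
    return [d for d in docs if is_allowed(subject, "read", d)]
```

Note that the evaluator is keyed on the security attributes only; a subject with the right role but a login user name missing from the document user list is denied, which is the behaviour the "Not allowed. However ..." wording of Table 18 describes.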
FDP_ACF.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to objects based on the following: [assignment: subjects or objects, and their corresponding security attributes shown in Table 20].
6.1.4 Class FIA: Identification and authentication
FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: an administrator configurable positive integer within [assignment: 1 to 5]] unsuccessful authentication attempts occur related to [assignment: the authentication events of Basic Authentication shown in Table 22].
Table 24 : List of Security Attributes for Each User That Shall Be Maintained
Normal user: Login user name of normal user; User role; Available function list
Supervisor: User role
MFP administrator: Login user name of MFP administrator; User role
RC Gate: User role
FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.
FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.1(b) Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.
of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: authentication of MFP administrator and supervisor with Basic Authentication, and identification of normal user with external authentication server).
FIA_UID.1.2(b) The TSF shall require each user to be successfully identified before allowing other TSF-mediated actions on behalf of that user.
FIA_UID.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(a) The TSF shall enforce the [assignment: document access control SFP] to restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the security attributes [assignment: security attributes in Table 26] to [assignment: the user roles with operation permission in Table 26].
FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control], FMT_SMR.1 Security roles, FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 28] to specify alternative initial values to override the default values when an object or information is created.
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 29] to [assignment: the user roles in Table 29].
TSF Data | Operations | User Roles
Users for stored and received documents | Query, modify | MFP administrator
User authentication method | Query | MFP administrator
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: management functions shown in Table 30].
- Query and modification of date and time by MFP administrator
- Query of date and time by supervisor
- Query of date and time by normal user
- Query and deletion of audit logs by MFP administrator
- New creation of HDD encryption key by MFP administrator
- New creation, modification, query and deletion of S/MIME user information by MFP administrator
- Query of S/MIME user information by normal user
- New creation, modification, query and deletion of destination information for folder transmission by MFP admi
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions, FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
6.1.7 Class FTA: TOE access
FTA_SSL.
Table 31 : TOE Security Assurance Requirements (EAL3+ALC_FLR.2)
Assurance Classes | Assurance Components
ADV: Development | ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.
(Remaining classes listed in the table: ASE: Security Target evaluation; ATE: Tests; AVA: Vulnerability assessment.)
6.3
Table 32 : Correspondence between security objectives and SFRs (the column positions of the "X" marks were lost in extraction; the rows and columns are listed here, and the per-objective SFR lists are restated in the rationale text of 6.3.2)
Columns (security objectives): O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.STORAGE.ENCRYPTED, O.RCGATE.COMM.PROTECT
Rows (SFRs): FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2, FCS_CKM.1, FCS_COP.1, FDP_ACC.1(a), FDP_ACC.1(b), FDP_ACF.1(a), FDP_ACF.1(b), FDP_RIP.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.1(a), FIA_UAU.1(b), FIA_UAU.2, FIA_UAU.7, FIA_UID.1(a), FIA_UID.1(b), FIA_UID.2, FIA_USB.1, FPT_FDI_EXP.1, FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.3(a), FMT_MSA.3(b), FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_TST.1, FTA_SSL.3, FTP_ITC.1, FPT_STM.1
6.3.2
is thus restricted to perform each operation. FMT_MSA.3(a) surely sets the restrictive value to the security attributes of document data (object) when document data are generated. By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_DIS is fulfilled.
O.DOC.NO_ALT Protection of document alteration
O.DOC.
(3) Management of the security attributes. FMT_MSA.1(a) restricts each available operation (newly create, query, modify and delete) for the login user name to specified users only. FMT_MSA.3(a) sets the restrictive value to the security attributes of user jobs (object) when the user jobs are generated. By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.FUNC.NO_ALT is fulfilled.
O.PROT.
Page 74 of 93
O.CONF.NO_ALT Protection of TSF confidential data alteration
O.CONF.NO_ALT is the security objective that allows only users who can maintain security to alter the TSF confidential data. To fulfil this security objective, the following countermeasures must be implemented.
(1) Management of the TSF confidential data. FMT_MTD.1 allows the MFP administrator and the applicable normal user to operate on the login password of a normal user.
Page 75 of 93
(3) Make the login password difficult to recover. FIA_UAU.7 displays dummy letters as authentication feedback on the Operation Panel so that the login password is not disclosed. FIA_SOS.1 accepts only passwords that satisfy the minimum number of characters and the character-type combination specified for Basic Authentication by the MFP administrator, which makes the password difficult to guess. For External Authentication, this depends on the settings for the External Authentication.
Page 76 of 93
(3) Restricted forwarding of data to external interfaces. FPT_FDI_EXP.1 prevents data received from the Operation Panel, the LAN interface and the telephone line from being transmitted over the LAN or the telephone line without further processing by the TSF. By satisfying FIA_UID.1(a), FIA_UID.1(b), FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.2, FIA_UAU.2, FTA_SSL.3 and FPT_FDI_EXP.1, which are the security functional requirements for these countermeasures, O.INTERFACE.MANAGED is fulfilled.

O.SOFTWARE.
Page 77 of 93
(1) Generate appropriate cryptographic keys. FCS_CKM.1 generates the cryptographic key used for encryption.
(2) Perform cryptographic operation. FCS_COP.1 encrypts the data to be stored on the HDD and decrypts the data read from the HDD.
(3) Manage the TSF data. FMT_MTD.1 allows only the MFP administrator to manage the cryptographic keys.
(4) Specification of Management Functions. FMT_SMF.1 provides the Management Functions required by the Security Functions.
(5) Specification of the roles. FMT_SMR.
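The five countermeasures above (key generation, encrypt-on-store and decrypt-on-read, administrator-only key management) can be shown end to end in a small program. The following is an added example written for this page; it is not code from the Ricoh TOE, and AES-256 in GCM mode, the on-disk record layout (nonce || ciphertext || tag) and the role string "MFP administrator" are assumptions of the example, since the page does not state the algorithm, key length or interface the TOE uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// GenerateKey is the FCS_CKM.1 step of the list above: produce a fresh random
// key for the storage cipher. A 256-bit AES key is an assumption of this
// example; the page does not state the algorithm or key length the TOE uses.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, fmt.Errorf("key generation: %w", err)
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the "encrypt before writing to the HDD" direction of FCS_COP.1.
// A fresh nonce is drawn per record and stored in front of the ciphertext,
// so the stored layout is nonce || ciphertext || authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the "decrypt after reading from the HDD" direction. Because GCM
// authenticates the ciphertext, a record altered on the disk is rejected
// rather than decrypted into garbage.
func Open(key, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < ns+aead.Overhead() {
		return nil, errors.New("stored record too short")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], nil)
}

// KeyManager gates key replacement on the MFP administrator role, which is
// the FMT_MTD.1 / FMT_SMR.1 part of the list. The role string is assumed.
type KeyManager struct{ key []byte }

// Rotate installs a newly generated key; any role other than the MFP
// administrator is refused.
func (m *KeyManager) Rotate(role string) error {
	if role != "MFP administrator" {
		return errors.New("only the MFP administrator may manage the cryptographic key")
	}
	k, err := GenerateKey()
	if err != nil {
		return err
	}
	m.key = k
	return nil
}

// Key returns the currently installed storage key.
func (m *KeyManager) Key() []byte { return m.key }

func main() {
	var km KeyManager
	if err := km.Rotate("MFP administrator"); err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: scanned page image") // constructed input
	stored, _ := Seal(km.Key(), sample)
	back, err := Open(km.Key(), stored)
	fmt.Printf("round trip ok: %v, err: %v\n", string(back) == string(sample), err)
}
```

The authenticated mode matters for the O.DOC.NO_ALT side of the rationale as well as O.DOC.NO_DIS: with a plain block mode, altered HDD contents would decrypt to modified image data without any error, whereas here Open fails closed.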
Page 78 of 93
SFR | Dependencies required | Dependencies satisfied | Dependencies not satisfied
(row continued from the previous page) FCS_CKM.4
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4
FDP_ACC.1(a) | FDP_ACF.1(a) | FDP_ACF.1(a) | None
FDP_ACC.1(b) | FDP_ACF.1(b) | FDP_ACF.1(b) | None
FDP_ACF.1(a) | FDP_ACC.1(a), FMT_MSA.3(a) | FDP_ACC.1(a), FMT_MSA.3(a) | None
FDP_ACF.1(b) | FDP_ACC.1(b), FMT_MSA.3(b) | FDP_ACC.1(b), FMT_MSA.3(b) | None
FDP_RIP.1 | None | None | None
FIA_AFL.1 | FIA_UAU.1(a) | FIA_UAU.1(a) | None
FIA_ATD.1 | None | None | None
FIA_SOS.1 | None | None | None
FIA_UAU.1(a) | FIA_UID.
Page 79 of 93
FMT_SMR.1 | FIA_UID.1 | FIA_UID.1 | None
FPT_STM.1 | None | None | None
FPT_TST.1 | None | None | None
FTA_SSL.3 | None | None | None
FTP_ITC.1 | None | None | None

The following explains the rationale for acceptability in all cases where a dependency is not satisfied:

Rationale for Removing Dependencies on FCS_CKM.
Page 80 of 93
7 TOE Summary Specification
This section describes the TOE summary specification for each security function. The security functions are described against each corresponding security functional requirement.

7.1 Audit Function
The Audit Function generates the audit log of TOE use and security-relevant events (hereafter, "audit events"). It also provides the recorded audit log in a legible form so that users can audit it (audit log review).
Page 81 of 93
Termination of session by auto logout
Web Function communication
Folder transmission
E-mail transmission
Printing via networks
LAN Fax via networks
Storing document data
Reading document data (print, download, fax transmission, e-mail transmission, and folder transmission)
Deleting document data
Success and failure of creation, modification, and deletion of S/MIME user information
Success and failure of creation, modification, and deletion of destination folders
Communication with RC Gate (*1)
Page 82 of 93 Communicating e-mail address 7.
Page 83 of 93
When the sent login user name and login password are identified and authenticated, the user is allowed to use the TOE according to the identified user role.

FIA_USB.1, FIA_ATD.1, and FMT_SMR.1
If a user is identified and authenticated as a result of the checks of FIA_UAU.1(a), FIA_UID.1(a), FIA_UAU.1(b), and FIA_UID.1(b), the user is allowed to use the TOE in the identified user role (normal user, MFP administrator, or supervisor).
Page 84 of 93
Supervisor MFP administrator MFP administrator Supervisor

FIA_SOS.1
Login passwords for users can be registered only if these passwords meet the following conditions:
(1) Usable characters and types:
Upper-case letters: [A-Z] (26 letters)
Lower-case letters: [a-z] (26 letters)
Numbers: [0-9] (ten digits)
Symbols: SP (space) ! " # $ % & ' ( ) * + , - .
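The FIA_SOS.1 conditions above (usable character classes, minimum length, required combination of character types) and the FIA_UAU.7 dummy-letter feedback from the rationale on page 75 are easy to misimplement, so here is an added example of such a check. It is not code from the TOE or from Ricoh. The page does not give the minimum length or the number of character types the MFP administrator sets, so 8 and 2 are assumed values, and the symbol list is taken only as far as the page shows it (it is cut off after "."); the rest of the symbol set is treated as unknown and therefore rejected here.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy holds the two FIA_SOS.1 parameters named on the page: the minimum
// number of characters and the required combination of character types.
// The TOE takes these from the MFP administrator; 8 and 2 in main below are
// assumptions for this example, not values taken from the ST.
type Policy struct {
	MinLength int
	MinTypes  int
}

// symbols is the symbol list as far as the page shows it. The page's list is
// cut off after ".", so anything beyond that is unknown and not accepted.
const symbols = " !\"#$%&'()*+,-."

// classOf returns which of the four character classes r belongs to, or
// ok=false when r lies outside the usable character set.
func classOf(r rune) (class string, ok bool) {
	switch {
	case r >= 'A' && r <= 'Z':
		return "upper", true
	case r >= 'a' && r <= 'z':
		return "lower", true
	case r >= '0' && r <= '9':
		return "digit", true
	case strings.ContainsRune(symbols, r):
		return "symbol", true
	}
	return "", false
}

// Check accepts a candidate login password only if every character is
// usable, the length meets MinLength and at least MinTypes distinct
// character classes are present. It returns nil for an acceptable password.
func (p Policy) Check(pw string) error {
	classes := map[string]bool{}
	count := 0
	for _, r := range pw {
		c, ok := classOf(r)
		if !ok {
			return fmt.Errorf("character %q is not in the usable character set", r)
		}
		classes[c] = true
		count++
	}
	if count < p.MinLength {
		return fmt.Errorf("password has %d characters, minimum is %d", count, p.MinLength)
	}
	if len(classes) < p.MinTypes {
		return fmt.Errorf("password uses %d character types, minimum is %d", len(classes), p.MinTypes)
	}
	return nil
}

// Mask is the FIA_UAU.7 behaviour: the feedback shown on the Operation Panel
// is one dummy character per typed character, never the password itself.
func Mask(pw string) string {
	return strings.Repeat("*", len([]rune(pw)))
}

func main() {
	p := Policy{MinLength: 8, MinTypes: 2} // assumed administrator settings
	// Constructed candidates: acceptable, one class only, too short, non-usable character.
	for _, c := range []string{"Abcdefg1", "abcdefgh", "Ab1", "Abcdefg1é"} {
		fmt.Printf("%-12s -> %v\n", Mask(c), p.Check(c))
	}
}
```

Counting runes rather than bytes keeps the length check honest for any multi-byte input, and rejecting unknown characters before counting means a non-usable character can never satisfy the length or class rules.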
Page 85 of 93
(1) Access control rule on document data
The TOE provides users with the interface for stored documents to be printed, downloaded to client computers, sent by fax, sent by e-mail, sent to folders, and deleted. The interface also enables users to delete all the stored documents. The users authorised to operate stored documents are the MFP administrator and normal users. The supervisor and RC Gate are not allowed to operate stored documents.
Page 86 of 93
Web browser | Document Server Function | Document Server documents | Print, Delete
Web browser | Document Server Function | Scanner documents | E-mail transmission, Folder transmission, Download, Delete (Operations above are authorised only if normal users are privileged to use Scanner Function)
Web browser | Document Server Function | Fax transmission documents | Fax transmission, Download, Print, Delete (Operations above are authorised only if normal users are privileged to use Fax Function)
Web browser
Page 87 of 93
FDP_ACC.1(b) and FDP_ACF.1(b)
The TOE verifies the role of an authorised TOE user who attempts to start operating the Copy Function, Printer Function, Scanner Function, Document Server Function, or Fax Function. If the role is normal user, the user can operate only the functions included in the available function list set for that normal user. If the role is MFP administrator, the user can operate the Fax Reception Function, which corresponds to MFP management.
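The two access control SFPs described on pages 85 to 87 (operations on stored documents under FDP_ACC.1(a)/FDP_ACF.1(a), and use of MFP functions under FDP_ACC.1(b)/FDP_ACF.1(b)) combine into one decision procedure, shown here as an added example that is not the TOE's own code. The document kinds, operations and the Scanner/Fax privilege conditions come from the table on page 86 and the text above; two points are assumptions because the page does not show them: that Document Server documents require the Document Server Function privilege, and that the MFP administrator's operation on stored documents is limited to Delete (drawn from the sentence that the interface enables deleting all stored documents).

```go
package main

import "fmt"

// Role is the TOE user role the TSF settles on after identification and
// authentication (normal user, MFP administrator, supervisor, RC Gate).
type Role int

const (
	NormalUser Role = iota
	MFPAdministrator
	Supervisor
	RCGate
)

// User carries the subject attributes used by both SFPs: the role, and for
// normal users the available function list of FDP_ACC.1(b).
type User struct {
	Role               Role
	AvailableFunctions map[string]bool
}

// docRule is one row of the page's table: which MFP function a normal user
// must be privileged for, and which operations the document kind admits.
type docRule struct {
	RequiredFunction string
	Operations       map[string]bool
}

func ops(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

// documentRules follows the rows visible on the page. The Scanner and Fax
// privilege conditions are stated there; that Document Server documents
// require the Document Server Function is an assumption of this example.
var documentRules = map[string]docRule{
	"Document Server documents":  {"Document Server Function", ops("Print", "Delete")},
	"Scanner documents":          {"Scanner Function", ops("E-mail transmission", "Folder transmission", "Download", "Delete")},
	"Fax transmission documents": {"Fax Function", ops("Fax transmission", "Download", "Print", "Delete")},
}

// CanUseFunction is the FDP_ACC.1(b)/FDP_ACF.1(b) decision: a normal user
// may start only functions on the available function list; the MFP
// administrator may operate the Fax Reception Function; no other role may
// start an MFP application.
func CanUseFunction(u User, function string) bool {
	switch u.Role {
	case NormalUser:
		return u.AvailableFunctions[function]
	case MFPAdministrator:
		return function == "Fax Reception Function"
	}
	return false
}

// CanOperateDocument is the FDP_ACC.1(a)/FDP_ACF.1(a) decision for a stored
// document. Supervisor and RC Gate are refused outright, as the page states.
// Allowing the MFP administrator only Delete is an assumption (see lead-in).
func CanOperateDocument(u User, docKind, operation string) (bool, string) {
	rule, known := documentRules[docKind]
	if !known {
		return false, fmt.Sprintf("unknown document kind %q", docKind)
	}
	switch u.Role {
	case Supervisor, RCGate:
		return false, "role is not allowed to operate stored documents"
	case MFPAdministrator:
		if operation == "Delete" {
			return true, ""
		}
		return false, "MFP administrator may only delete stored documents (assumption)"
	case NormalUser:
		if !u.AvailableFunctions[rule.RequiredFunction] {
			return false, "user is not privileged to use " + rule.RequiredFunction
		}
		if !rule.Operations[operation] {
			return false, fmt.Sprintf("%s is not an operation on %s", operation, docKind)
		}
		return true, ""
	}
	return false, "unknown role"
}

func main() {
	// Constructed subject: a normal user whose list contains only the Scanner Function.
	scanUser := User{Role: NormalUser, AvailableFunctions: map[string]bool{"Scanner Function": true}}
	fmt.Println(CanOperateDocument(scanUser, "Scanner documents", "Download"))
	fmt.Println(CanOperateDocument(scanUser, "Fax transmission documents", "Fax transmission"))
	fmt.Println(CanOperateDocument(User{Role: Supervisor}, "Scanner documents", "Delete"))
}
```

The rule table is deliberately closed: an operation or document kind that is not listed is refused, which is the behaviour the ST's restrictive default values (Table 41) call for.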
Page 88 of 93
applies the overwrite method specified by the MFP administrator and overwrites the area of the HDD where the digital image data of the document data is stored. Also, when a user job completes, the TOE applies the method specified by the MFP administrator and overwrites the area of the HDD where temporary documents created while the user job was executed, or fragments of those temporary documents, are stored.
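The residual data overwrite described above, as an added example that is not the TOE's own code: a file standing in for the HDD area is rewritten pass by pass, each pass flushed to the device before the next, and only then unlinked. The page does not list which overwrite methods the MFP administrator can select, so the pass sequence used in main (one fixed pass followed by one random pass) and the 64 KiB chunk size are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// Pass is one overwrite pass: a repeating byte pattern, or random bytes when
// Random is true. Which passes an "overwrite method" consists of is chosen by
// the MFP administrator in the TOE; the passes used in main are assumptions.
type Pass struct {
	Pattern []byte
	Random  bool
}

// Overwrite rewrites every byte of the file at path once per pass and forces
// the data to the device after each pass. It does not unlink the file, so a
// caller can verify the result; OverwriteAndDelete adds the unlink.
func Overwrite(path string, passes []Pass) error {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	size := info.Size()
	buf := make([]byte, 64*1024) // assumed chunk size
	for i, p := range passes {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for off := int64(0); off < size; {
			n := int64(len(buf))
			if size-off < n {
				n = size - off
			}
			if p.Random {
				if _, err := io.ReadFull(rand.Reader, buf[:n]); err != nil {
					return err
				}
			} else {
				fill(buf[:n], p.Pattern, off)
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return fmt.Errorf("pass %d at offset %d: %w", i+1, off, err)
			}
			off += n
		}
		if err := f.Sync(); err != nil {
			return fmt.Errorf("pass %d: sync: %w", i+1, err)
		}
	}
	return nil
}

// fill writes pattern into dst, keeping the pattern phase relative to the
// absolute file offset so multi-byte patterns stay aligned across chunks.
func fill(dst, pattern []byte, off int64) {
	if len(pattern) == 0 {
		pattern = []byte{0x00}
	}
	for i := range dst {
		dst[i] = pattern[(off+int64(i))%int64(len(pattern))]
	}
}

// OverwriteAndDelete is the "delete document data" path: overwrite the area
// that held the image data, then remove the file.
func OverwriteAndDelete(path string, passes []Pass) error {
	if err := Overwrite(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	f, err := os.CreateTemp("", "tempdoc-*.img")
	if err != nil {
		panic(err)
	}
	f.WriteString("constructed sample: temporary document fragment") // constructed input
	f.Close()
	// Assumed method: one fixed pass, then one random pass.
	err = OverwriteAndDelete(f.Name(), []Pass{{Pattern: []byte{0x00}}, {Random: true}})
	fmt.Println("overwritten and removed:", err == nil)
}
```

One caveat a practitioner should keep in mind: overwriting through a filesystem only reaches the blocks the filesystem currently maps to the file. On flash media with wear levelling, or on journaling and copy-on-write filesystems, earlier copies of the data can survive elsewhere, which is why the ST describes the overwrite as acting on the HDD area the TOE itself controls rather than as a general-purpose file shredder.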
Page 89 of 93
FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.3(a), FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1
The TOE allows operations on TSF data according to the rules described in Table 40.
Page 90 of 93 Function types No operation interfaces available No operations allowed User roles No operation interfaces available No operations allowed Login passwords of normal users when Basic Authentication is applied Operation Panel, Web browser Login password of supervisor Operation Panel, Web browser Newly create, modify - MFP administrator Modify Applicable normal user Modify Supervisor Modify Supervisor Newly create MFP administrator Modify Applicable MFP administrator Login p
Page 91 of 93 Query, (Query operation for a user certificate is unavailable for External Authentication) Operation Panel, Web browser Destination folder Normal user Newly create, modify, query, delete MFP administrator Query Normal user Users for stored and received documents Operation Panel, Web browser Query, modify MFP administrator User authentication procedures Operation Panel, Web browser Query MFP administrator -: No user roles whose operations are allowed by the TOE (*1): The login u
Page 92 of 93
Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP
Objects/Subjects | Security attributes | Default values
Document data | Document data attribute |
    +PRT: Documents printed from the client computer with direct print, locked print, hold print, and sample print.
    +SCN: Documents sent by e-mail or to folders from the MFP.
    +CPY: Documents copied using the MFP.
    +FAXOUT: Documents sent by fax from the MFP or client computer.
Page 93 of 93
Each MFP application (Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function)
7.9
Function type
The values specified for each function type are as follows:
For Copy Function, values to identify Copy Function.
For Document Server Function, values to identify Document Server Function.
For Printer Function, values to identify Printer Function.
For Scanner Function, values to identify Scanner Function.
For Fax Function, values to identify Fax Function.