Page 1 of 83 imagio MP 2550/3350 series, Aficio MP 2550/3350 series Security Target
Authors: RICOH COMPANY, LTD., Yoshihiko KAMEKURA, Yasushi FUNAKI, Fumi TAKITA
Date: 2010-02-08
Version: 1.05
Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.
Page 2 of 83 Update History
Version 1.05; Date 2010-02-08; Authors Yoshihiko KAMEKURA, Yasushi FUNAKI, Fumi TAKITA; Details: Released documents.
Page 3 of 83 Table of Contents: 1 ST Introduction (p. 8); 1.1 ST Reference (p. 8); 1.2 TOE Reference (p. 8); 1.3 TOE Overview
Page 4 of 83 3.3 Assumptions (p. 29); 4 Security Objectives (p. 30); 4.1 Security Objectives for TOE (p. 30); 4.2 Security Objectives for Operational Environment
Page 5 of 83 7.1.2.3 Password Feedback Area Protection (p. 70); 7.1.2.4 Password Registration (p. 70); 7.1.3 SF.DOC_ACC Document Data Access Control Function (p. 71); 7.1.3.1 Operations on Document Data by General Users (p. 71); 7.1.3.2 Operations on Document Data by File Administrator
Page 6 of 83 List of Figures: Figure 1: Environment for Usage of TOE (p. 11); Figure 2: Hardware Configuration of TOE (p. 13); Figure 3: Logical Scope of TOE
Page 7 of 83 Table 33: List of Administrator for Machine Control Data (p. 75); Table 34: List of Encryption Operation on Stored Data on HDD (p. 77); Table 35: Specific Terms Used in this ST (p. 79)
Page 8 of 83 1 ST Introduction This chapter describes the ST Reference, TOE Reference, TOE Overview and TOE Description. 1.1 ST Reference The following is the identification information for this ST. ST Title: imagio MP 2550/3350 series, Aficio MP 2550/3350 series Security Target. ST Version: 1.05. Date: 2010-02-08. Authors: RICOH COMPANY, LTD., Yoshihiko KAMEKURA, Yasushi FUNAKI, Fumi TAKITA. 1.2 TOE Reference The following is the identification information for this TOE.
Page 9 of 83 Table 1: List of TOE
Series Name: Ricoh imagio MP 2550/3350 series. Series Details: Ricoh imagio MP 2550SP, Ricoh imagio MP 2550SPF, Ricoh imagio MP 3350SP, Ricoh imagio MP 3350SPF.
Series Name: Ricoh Aficio MP 2550/3350 series. Series Details: Ricoh Aficio MP 2550, Ricoh Aficio MP 2550SP, Ricoh Aficio MP 2550SPF, Ricoh Aficio MP 3350, Ricoh Aficio MP 3350SP, Ricoh Aficio MP 3350SPF, Savin 9025, Savin 9025SP, Savin 9025SPF, Savin 9033, Savin 9033SP, Savin 9033SPF, Lanier LD425, Lanier LD425SP, Lanier LD425SPF, Lanier LD433, Lanier LD433SP, La
Page 10 of 83 1.3 TOE Overview This chapter describes the TOE Type, TOE Usage and Major Security Features, and Environment for TOE Usage and Non-TOE Configuration Items. 1.3.1 TOE Type The TOE is a digital MFP, which is an IT product that provides the functions of copier, scanner, printer and fax (optional). Those functions digitise paper documents, manage the resulting document files and print them. 1.3.
Page 11 of 83 Internal Networks, or USB-connected client PCs. Figure 1 shows and describes an assumed environment for the usage of the TOE. Figure 1: Environment for Usage of TOE The following describes the non-TOE configuration items. Internal Network The Internal Network connects the TOE with various types of servers (FTP server, SMB server and SMTP server) and client PCs. It is connected to the Internet via firewall. IPv4 is used for the Internal Networks.
Page 12 of 83 SMB Server An SMB server is used to deliver the Document Data, which is stored in the TOE, to folders in an SMB server. SMTP Server An SMTP server is used to send the Document Data to a client PC by e-mail. Telephone Line A telephone line is a line used to send and receive the fax data from the external fax when the optional fax is equipped.
Page 13 of 83 Figure 2: Hardware Configuration of TOE Operation Panel Unit (hereafter called Operation Panel) The Operation Panel is an interface device that is equipped on the TOE and is used by TOE users for TOE operation. It is configured with key switches, LED indicators, touch screen LCD, and the Operation Panel Control Board. Operation Panel Control Software is installed in the Operation Panel Control Board.
Page 14 of 83 information about the status of fax communication and controls the fax communication according to the instruction from the MFP Control Software. Controller Board The Controller Board contains processors, FlashROM, RAM, NVRAM, and Ic Key. It is connected to the Operation Panel Unit, Engine Unit, Fax Unit, Network Unit, USB Port, SD CARD Slot and Ic Hdd. Ic Hdd is also connected with HDD.
Page 15 of 83 When installing the TOE, the CE inserts an SD Card containing information to activate the Stored Data Protection Function into this SD CARD Slot to enable the Stored Data Protection Function. 1.4.2 Guidance Documents The following are the guidance documents attached with this TOE. One of the guidance documents, [Japanese version.], [English version.1], [English version.2] or [English version.
Page 16 of 83 - Manuals for Administrators Security Reference 9025/9033/9025b /9033b MP 2550/3350/2550B/3350B LD425/LD433/LD425B /LD433B Aficio MP 2550/3350/2550B/3350B - Manuals for Administrators Security Reference Supplement 9025/9025b/9033/9033b MP 2550/MP 2550B/MP 3350/MP 3350B LD425/LD425B/LD433/LD433B Aficio MP 2550/2550B/3350/3350B - Notes for Users Back Up/Restore Address Book - Notes for Administrators: Using this Machine in a CC-Certified Environment [English version.
Page 17 of 83 Aficio MP 2550/2550B/3350/3350B MP 2550/MP 2550B/MP 3350/MP 3350B Operating Instructions About This Machine 1.4.
Page 18 of 83 1.4.3.2 Administrator An Administrator is a user who is registered on the TOE as an Administrator. There are one to four Administrators registered for the TOE. Administrator Roles for Administrators include User Administration, Machine Administration, Network Administration and File Administration. Administrators may have concurrent Administrator Roles, and Administrator Roles shall be assigned to one or more Administrators.
Page 19 of 83 Figure 3: Logical Scope of TOE 1.4.4.1 Basic Functions Basic functions include Copy Function, Printer Function, Fax Function, Scanner Function, Document Server Function, Management Function and Web Service Function. This chapter describes these basic functions. Basic functions can be operated from the Operation Panel or web browser of client PC. When operating from the Operation Panel, users select functions from the Operation Panel shown in Figure 4.
Page 20 of 83 Figure 4: Operation Panel (for North America) In addition, General Users, Administrators, and a Supervisor can use the functions corresponding to each user role by accessing the Web Service Function of the TOE from the web browser of a client PC. The following describes the outlines of the basic functions. Copy Function The Copy Function is used to scan the original and print out the scanned image data in accordance with the Print Settings specified by the user.
Page 21 of 83 is operated from a client PC. Document Data stored in D-BOX for faxing can be printed and deleted using the "Document Server Function", which is also one of the basic functions and described later. Although the MFP provides IP-Fax Function and Internet Fax Function as a part of Fax Function, this evaluation does not cover these functions.
Page 22 of 83 1.4.4.2 3. Delete the stored Document Data in D-BOX. 4. Download the stored Document Data in D-BOX. The Document Data stored using Scanner Function or Fax Function can be downloaded. 5. Subset of Management Functions. 6. Check the TOE status.
Page 23 of 83 Document Data Access Control Function The Document Data Access Control Function is used to allow only the specific users to perform the operations on the Document Data stored in D-BOX. The operations on Document Data include the reading operation and deleting operation. Each of these operations is as follows: Reading Document Data: Read Document Data stored in D-BOX. Deleting Document Data: Delete Document Data stored in D-BOX.
Page 24 of 83 And the Network Administrator decides the communication protocol to use according to the environment where the TOE is placed and the intended purpose of the TOE. 1. Download Document Data using the Web Service Function from a client PC: SSL protocol. 2. Print or fax from a client PC: SSL protocol. 3. Deliver Document Data to an FTP server or SMB server from the TOE: IPSec protocol. 4. Send Document Data attached to e-mail to a client PC from the TOE: S/MIME.
Page 25 of 83 Information. General Users are allowed to change their own General User Information that is registered for Address Book, with the exception of their user IDs even if it is their own General User Information. 4. Management of Supervisor Information The Supervisor is allowed to change his/her Supervisor ID and password. 5.
Page 26 of 83 2. Import from Networks/USB Convert Print Data that the TOE receives from networks or USB into a format that the TOE can handle, and generate Document Data. Storing Document Data Document Data stored in the TOE is stored in D-BOX. Document Data stored in D-BOX is protected from unauthorised access and leakage. Outputting Document Data Document Data can be output by the following five operations: 1. Send Document Data to a client PC (to the e-mail address) 2.
Page 27 of 83 2 Conformance Claims This chapter describes the conformance claim. 2.1 CC Conformance Claim The CC conformance claim of this ST and TOE as follows: - CC Version for which this ST claims the conformance Part 1: Introduction and general model September 2006 Version 3.1 Revision 1 (Japanese translation Ver.1.2) CCMB-2006-09-002 Part 2: Security functional components September 2007 Version 3.1 Revision 2 (Japanese translation Ver.2.
Page 28 of 83 3 Security Problem Definition This chapter describes the Threats, Organisational Security Policies and Assumptions. 3.1 Threats The assumed threats related to the use and environment of this TOE are identified and described below. The threats described in this chapter are the attacks by persons who have the knowledge of disclosed information about the TOE operation, and the attackers will have the basic level of attack potential. T.
Page 29 of 83 P.SOFTWARE (Checking Integrity of Software) Measures are provided for verifying the integrity of MFP Control Software, which is installed in FlashROM in the TOE. 3.3 Assumptions The assumptions related to the environment and use of this TOE are identified and described below. A.ADMIN (Assumption for Administrators) The Administrators will have adequate knowledge to operate the TOE securely in the roles assigned to them, and guide General Users to operate the TOE securely.
Page 30 of 83 4 Security Objectives This chapter describes the Security Objectives for TOE, Security Objectives for Operational Environment and Security Objectives Rationale. 4.1 Security Objectives for TOE This chapter describes the security objectives for the TOE. O.
Page 31 of 83 O.LINE_PROTECT (Prevention of Intrusion from Telephone Line) The TOE shall prevent unauthorised access to the TOE from a telephone line connected to the Fax Unit. 4.2 Security Objectives for Operational Environment This chapter describes the security objectives for the operational environment. OE.
Page 32 of 83 organisational security policies and assumptions. And the security objectives do not correspond to the assumptions (as the shaded region in Table 4 shows). [Table 4 (tracing of security objectives to the TOE security environment) was flattened in extraction; only its headers are recoverable. TOE Security Environment columns: T.ILLEGAL_USE, T.ABUSE_SEC_MNG, T.SALVAGE, T.TRANSIT, T.FAX_LINE, P.SOFTWARE, A.ADMIN, A.SUPERVISOR, A.NETWORK. Security Objectives rows: O.AUDIT, O.I&A, O.DOC_ACC, O.MANAGE, O.MEM.PROTECT, O.NET.PROTECT, O.GENUINE, O.LINE_PROTECT, OE.ADMIN, OE.SUPERVISOR, OE.NETWORK. The individual marks are not recoverable.] 4.3.2
Page 33 of 83 A.SUPERVISOR (Supervisor's Assumption) A.SUPERVISOR presupposes that the Supervisor has adequate knowledge to operate the TOE securely in the role assigned to him/her, and does not carry out any malicious acts using Supervisor permissions. By OE.SUPERVISOR, Responsible Manager for MFP selects a trusted person as the Supervisor and provides the Supervisor with the education programmes according to the role of Supervisor. Therefore, A.SUPERVISOR is accomplished. A.
Page 34 of 83 T.SALVAGE (Salvaging Memory) To counter this threat, the TOE converts the format of Document Data by O.MEM.PROTECT that makes it difficult to read and decode if the HDD is installed in IT products other than the TOE. In addition, the performance of O.MEM.PROTECT is recorded as audit logs by O.AUDIT, and the function to read audit logs is only provided to the Machine Administrator so that the Machine Administrator detects afterwards whether or not O.MEM.PROTECT was successfully performed.
Page 35 of 83 5 Extended Components Definition This ST and TOE define no extended components, i.e., no security functional requirements or security assurance requirements beyond those defined in the CC version to which conformance is claimed in "2.1 CC Conformance Claim".
Page 36 of 83 6 Security Requirements This chapter describes the Security Functional Requirements, Security Assurance Requirements, and Security Requirements Rationale. 6.1 Security Functional Requirements This chapter describes the TOE security functional requirements to accomplish the security objectives defined in "4.1 Security Objectives for TOE". The security functional requirements are quoted from the ones defined in the CC Part 2.
Page 37 of 83 Functional Requirements / Actions which should be auditable / Auditable events of TOE of the activity. b) Basic: The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys). 1. HDD cryptographic key generation (Outcome: Success/Failure) FCS_COP.1 a) Minimal: Success and failure, and the type of cryptographic operation. b) Basic: Any applicable cryptographic mode(s) of operation, subject attributes and object attributes.
Page 38 of 83 Functional Requirements Actions which should be auditable Auditable events of TOE FIA_SOS.1 a) Minimal: Rejection by the TSF of any tested secret; b) Basic: Rejection or acceptance by the TSF of any tested secret; c) Detailed: Identification of any changes to the defined quality metrics. b) Basic 1. Newly creating authentication information of General Users (Outcome: Success/Failure) 2. Changing authentication information of General Users (Outcome: Success/Failure) 3.
Page 39 of 83 Functional Requirements / Actions which should be auditable / Auditable events of TOE 3. Deleting authentication information of General Users. 4. Changing Administrator Authentication Information. 5. Changing Supervisor Authentication Information. 6. Changing time and date of system clock. 7. Deleting the entire audit logs. FMT_SMF.1 a) Minimal: Use of the Management Functions. 1. Adding and deleting Administrator Roles. 2.
Page 40 of 83 FAU_GEN.1.
Page 41 of 83 6.1.2 Class FCS: Cryptographic support FCS_CKM.1 Cryptographic key generation Hierarchical to: No other components. Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction. FCS_CKM.1.
Page 42 of 83 6.1.3 Class FDP: User data protection FDP_ACC.1 Subset access control Hierarchical to: No other components. Dependencies: FDP_ACF.1 Security attribute based access control. FDP_ACC.1.1 The TSF shall enforce the [assignment: MFP access control SFP] on [assignment: List of Subjects, Objects, and Operation among Subjects and Objects in Table 8].
Page 43 of 83 Table 10: Rules Governing Access Subject General User process Operations on objects Rules governing access Storing Document Data General Users can store the Document Data. The Document Data Default ACL associated with General User process is copied to the Document Data ACL associated with the storing Document Data when storing the Document Data.
Page 44 of 83 Hierarchical to: No other components. Dependencies: FDP_IFF.1 Simple security attributes. FDP_IFC.1.1 The TSF shall enforce the [assignment: telephone line information flow SFP] on [assignment: subjects, information, and an operation listed in Table 12].
Page 45 of 83 FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: no rules, based on security attributes, that explicitly deny information flows]. 6.1.4 Class FIA: Identification and authentication FIA_AFL.1 Authentication failure handling Hierarchical to: No other components. Dependencies: FIA_UAU.1 Timing of authentication. FIA_AFL.1.1
Page 46 of 83 Manual Lockout Release: Regardless of the value set for the Lockout release time by the Machine Administrator, the Unlocking Administrators who are set for each User Role of the Locked out Users can release Locked out Users. FMT_MTD.1 defines the relation between the Locked out Users and Unlocking Administrator. FIA_ATD.1 FIA_ATD.1.1
Page 47 of 83 Dependencies: FIA_UID.1 Timing of identification. FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. FIA_UAU.7 Protected authentication feedback Hierarchical to: No other components. Dependencies: FIA_UAU.1 Timing of authentication. FIA_UAU.7.
Page 48 of 83 associated with subjects acting on the behalf of users: [assignment: Administrators can add their own assigned Administrator Roles to other Administrators, and can delete their own Administrator Roles. However, if deleting the Administrator Role would leave no Administrator covering that Administrator Role, deleting it is not allowed]. 6.1.5 Class FMT: Security management FMT_MSA.1 Management of security attributes Hierarchical to: No other components.
Page 49 of 83 Security attributes / Operations / User roles: General User Information) Document Data FMT_MSA.3 Static attribute initialisation Hierarchical to: No other components. Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles. FMT_MSA.3.1 The TSF shall enforce the [assignment: MFP access control SFP] to provide default values [selection: specified as shown in Table 18] for security attributes that are used to enforce the SFP. FMT_MSA.3.
Page 50 of 83 TSF data / Operations / User roles
(Authentication Information of General Users, continued): Change; Applicable General Users of General User Information
Supervisor Authentication Information: Change; Supervisor
Administrator Authentication Information: Change; Supervisor, Applicable Administrator of Administrator Authentication Information
Number of Attempts before Lockout: Query, modify; Machine Administrator
Setting for Lockout Release Timer: Query, modify; Machine Administrator
Lockout time: Query, modify; Machine Administrator
Date and tim
Page 51 of 83 TSF data / Operations / User roles: S/MIME User Information (a data item of General User Information) Query, newly create, delete, change: User Administrator; Query: Applicable General User of S/MIME User Information. Destination Information for Deliver to Folder Query: General User; Query: User Administrator, General Users. FMT_SMF.1 Specification of Management Function Hierarchical to: No other components. Dependencies: No dependencies. FMT_SMF.1.
Page 52 of 83 Functional requirements Management requirements Management items Administrator. b) Management of the Unlocking Administrators and Lockout release operations for the Locked out Users. FIA_ATD.1 a) If so indicated in the assignment, the authorised Administrator might be able to define additional security attributes for users. None: No functions to define additional security attributes for users. FIA_SOS.1 a) Management of the metric used to verify the secrets.
Page 53 of 83 Functional requirements Management requirements Management items (Management of Administrator Information): management of own Administrator IDs by Administrators. Security Management Function (Management of Administrator Information): new registration of Administrators by Administrators. Security Management Function (Management of Supervisor Information): management of Supervisor ID by Supervisor. FIA_USB.1 a) An authorised Administrator can define default subject security attributes.
Page 54 of 83 Functional requirements Management requirements Management items and second). FPT_TST.1 a) Management of the conditions under which TSF self testing occurs, such as during initial start-up, regular interval, or under specified conditions; b) Management of the time interval if appropriate. a) None: The condition under which the TSF self testing occurs is fixed. b) None: No management of the time interval. FTP_ITC.1 a) Configuring the actions that require trusted channel, if supported.
Page 55 of 83 6.1.7 Class FTP: Trusted path/channels FTP_ITC.1 Inter-TSF trusted channel Hierarchical to: No other components. Dependencies: No dependencies. FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.
Page 56 of 83 6.2 Security Assurance Requirements The evaluation assurance level of this TOE is EAL3. The assurance components of the TOE are shown in Table 22. These are a set of components defined by the evaluation assurance level, EAL3 and other requirements are not added.
Page 57 of 83 6.3 Security Requirements Rationale This chapter describes the rationale for the security requirements. As described below, if all security functional requirements are satisfied, the security objectives defined in "4.1 Security Objectives for TOE" are achieved. 6.3.1 Tracing Table 23 shows the relation between the TOE security functional requirements and TOE security objectives.
Page 58 of 83 [Remainder of Table 23 (tracing of TOE security functional requirements to TOE security objectives) was flattened in extraction; rows FIA_UID.2, FIA_USB.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FPT_TST.1, FTP_ITC.1 and FTP_TRP.1 each carry marks that are not recoverable.] 6.3.2 Tracing Validity This chapter describes how the TOE security objectives are accomplished by the TOE security functional requirements corresponding to the TOE security objectives in Table 23. O.AUDIT Audit The following are the rationale for the functional requirements that correspond to O.
Page 59 of 83 manage security intrusions. For this, FPT_STM.1 provides the trusted time stamp. O.I&A User Identification and Authentication The following are the rationale for the functional requirements that correspond to O.I&A in Table 23 being appropriate to satisfy O.I&A. a) Identify and authenticate users before users use the TOE. To accomplish O.I&A, identification and authentication shall be performed prior to the use of the TOE security functions by users. For this, FIA_UID.
Page 60 of 83 Document Data ACL of each Document Data, then FDP_ACC.1 and FDP_ACF.1 allow the General User process to perform operations on Document Data. The permitted operations follow the operation permission on Document Data set for each General User ID in the Document Data ACL. O. MANAGE Security Management The following are the rationale for the functional requirements that correspond to O.MANAGE in Table 23 being appropriate to satisfy O.MANAGE. a) Management of security attributes.
Page 61 of 83 - The User Administrator and General Users to query S/MIME User Information and destination information for Deliver to Folder, - Supervisor to query and set Lockout Flag for Administrators, and set Supervisor Authentication Information, and - Supervisor and the applicable Administrators to change Administrator Authentication Information. c) Specify management functions. To accomplish O.MANAGE, the Security Management Functions for the implemented TSF shall be performed.
Page 62 of 83 FTP_TRP.1 also protects Document Data on networks from leakage and detects the tampering by using a trusted path, which is described later, between the TOE and the remote users. For sending by e-mail from the TOE to client PC, Document Data or Print Data on network is protected from leakage and tampering is detected by using S/MIME in the mailing service.
Page 63 of 83 TOE Security Functional Requirements / Dependencies claimed by CC / Dependencies satisfied in ST / Dependencies not satisfied in ST
(continuation of the FCS_CKM.1 row from the previous page: ... FCS_COP.1] FCS_CKM.4)
FCS_COP.1: claimed [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1] FCS_CKM.4; satisfied FCS_CKM.1; not satisfied FCS_CKM.4
FDP_ACC.1: claimed FDP_ACF.1; satisfied FDP_ACF.1; not satisfied None
FDP_ACF.1: claimed FDP_ACC.1 FMT_MSA.3; satisfied FDP_ACC.1 FMT_MSA.3; not satisfied None
FDP_IFC.1: claimed FDP_IFF.1; satisfied FDP_IFF.1; not satisfied None
FDP_IFF.1: claimed FDP_IFC.1 FMT_MSA.3; satisfied FDP_IFC.1 FMT_MSA.3; not satisfied None
FIA_AFL.1: claimed FIA_UAU.1; satisfied FIA_UAU.2; not satisfied FIA_UAU.1
FIA_ATD.
Page 64 of 83 In this TOE, HDD encryption keys are stored in an area that cannot be accessed from outside Ic Hdd. In addition, after the Administrators generate encryption keys at the start of the TOE operation, encryption keys are never deleted; the only operation is overwriting them with new encryption keys. Therefore, the functional requirement for encryption key destruction using standard measures is not required. Rationale for removing the dependencies for FIA_UAU.
Page 65 of 83 7 TOE Summary Specification This chapter describes the summary specification of the security functions of this TOE. 7.1 TOE Security Function The TOE provides the following TOE security functions to satisfy the Security Functional Requirements described in Chapter "6.1". SF.AUDIT Audit Function SF.I&A User Identification and Authentication Function SF.DOC_ACC Document Data Access Control Function SF.SEC_MNG Security Management Function SF.CE_OPE_LOCK Service Mode Lock Function SF.
[The table relating TOE security functional requirements to TOE security functions, which continues on Page 66 of 83, was flattened in extraction. Rows: FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_USB.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FPT_TST.1, FTP_ITC.1, FTP_TRP. Columns: SF.AUDIT, SF.I&A, SF.DOC_ACC, SF.SEC_MNG, SF.CE_OPE_LOCK, SF.CIPHER, SF.NET_PROT, SF.FAX_LINE, SF.GENUINE. The individual marks are not recoverable.]
Page 67 of 83 7.1.1.1 Audit logs generation The TOE generates the audit logs when auditable events occur, and appends them to the audit log files. Audit logs consist of Basic Audit Information and Expanded Audit Information. The Basic Audit Information is a data item recorded for the occurrence of any kinds of auditable events, and the Expanded Audit Information is a data item recorded for generating auditable events that require additional information for audit.
Page 68 of 83 Communication with trusted IT product Communication IP address Communication with remote user - Deleting the entire audit log -: No applicable Expanded Audit Information *1: The starting of Audit Function is substituted with the event of the TOE startup. This TOE does not record the ending of Audit Function. The starting and ending of Audit Function audit the state of inactivity of Audit Function.
Page 69 of 83 7.1.2 SF.I&A User Identification and Authentication Function The TOE identifies and authenticates users prior to the use of the TOE security functions to allow the authorised users to operate the TOE according to their roles and authorisation. The following are the explanations of each functional item in "SF.I&A User Identification and Authentication Function" and their corresponding security functional requirements. 7.1.2.
Page 70 of 83 meets the Number of Attempts before Lockout, the TOE locks out the user and the Lockout Flag for that user is set to "Active". The Number of Attempts before Lockout is set by the Machine Administrator to a value between 1 and 5. In addition, when successfully authenticated with the Identification and Authentication described in "7.1.2.
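The lockout behaviour described here (consecutive failures counted per user ID, a lockout threshold of 1 to 5 set by the Machine Administrator, the Lockout Flag set to "Active", and release either by the Lockout Release Timer or manually by an Unlocking Administrator as described under Manual Lockout Release) can be modelled as a small state machine. The following is an added example and not Ricoh's code; the user IDs, the `now` clock argument, the single set of unlocking administrators (the ST sets them per User Role) and the helper names are assumptions.

```python
"""Authentication failure handling with lockout and release (FIA_AFL.1 model).

Added illustration, not Ricoh's code. Consecutive failures are counted per
user ID; when the count reaches the Number of Attempts before Lockout (1 to 5,
set by the Machine Administrator) the user's Lockout Flag becomes "Active".
The lock ends when the Lockout Release Timer expires or when an Unlocking
Administrator releases it manually. User IDs, the clock argument and all
helper names are assumptions.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    password: str                    # constructed sample secret; a real TOE stores a verifier
    failures: int = 0                # consecutive failed attempts
    lockout_flag: str = "Inactive"   # "Active" while Locked out
    locked_at: Optional[float] = None


class LockoutPolicy:
    def __init__(self, attempts_before_lockout: int, release_seconds: int,
                 unlocking_admins):
        # Range taken from the ST: Number of Attempts before Lockout is 1..5
        if not 1 <= attempts_before_lockout <= 5:
            raise ValueError("Number of Attempts before Lockout must be 1..5")
        self.threshold = attempts_before_lockout
        self.release_seconds = release_seconds           # Lockout Release Timer
        self.unlocking_admins = set(unlocking_admins)    # simplification: one set for all roles
        self.accounts = {}

    def register(self, user_id: str, password: str) -> None:
        self.accounts[user_id] = Account(password)

    def _auto_release(self, acct: Account, now: float) -> None:
        # Timer-based release: the flag returns to "Inactive" once the timer has run out
        if (acct.lockout_flag == "Active" and acct.locked_at is not None
                and now - acct.locked_at >= self.release_seconds):
            acct.lockout_flag = "Inactive"
            acct.locked_at = None
            acct.failures = 0

    def authenticate(self, user_id: str, password: str,
                     now: Optional[float] = None) -> str:
        """Return "success", "failure" or "locked"."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None:
            return "failure"          # unknown ID: same answer as a wrong password
        self._auto_release(acct, now)
        if acct.lockout_flag == "Active":
            return "locked"           # even a correct password is refused while locked
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0         # assumption: a success resets the consecutive count
            return "success"
        acct.failures += 1
        if acct.failures >= self.threshold:
            acct.lockout_flag = "Active"
            acct.locked_at = now
            return "locked"
        return "failure"

    def release(self, admin_id: str, user_id: str) -> bool:
        """Manual release by an Unlocking Administrator, independent of the timer."""
        acct = self.accounts.get(user_id)
        if admin_id not in self.unlocking_admins or acct is None:
            return False
        acct.lockout_flag = "Inactive"
        acct.locked_at = None
        acct.failures = 0
        return True


if __name__ == "__main__":
    policy = LockoutPolicy(3, 60, {"machine_admin"})
    policy.register("user01", "Secret#123")
    for attempt in range(3):
        print(policy.authenticate("user01", "wrong", now=attempt))
    print(policy.release("machine_admin", "user01"))
```

Two details matter for an evaluator reading FIA_AFL.1: a correct password presented while the flag is "Active" is still refused, and an unknown user ID yields the same "failure" answer as a wrong password so that the lockout path does not reveal which IDs exist.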
Page 71 of 83 password meets those conditions, it registers the password. If the password does not meet those conditions, it does not register the password but displays an error screen. (1) Usable characters and character types: Upper-case letters: [A-Z] (26 letters); Lower-case letters: [a-z] (26 letters); Numbers: [0-9] (10 digits); Symbols: SP (space) ! " # $ % & ' ( ) * + , - .
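The password registration check above (usable character types, a minimum length and a Password Complexity Setting of Level 1 or Level 2 set by the User Administrator, rejection with an error when the conditions are not met) is shown below as an added example; it is not Ricoh's code. Two assumptions are made because the page's symbol list is cut off and the meaning of the two levels is not on the page: the symbol set is taken as space plus ASCII punctuation, and Level 1 / Level 2 are mapped to "at least two" / "at least three" character types. The function name is also an assumption.

```python
"""Password registration check (model of the ST's password conditions).

Added illustration, not Ricoh's code. Character types follow the ST: upper-case
letters, lower-case letters, digits and symbols. Assumptions: the full symbol set
is space plus ASCII punctuation, and Level 1 / Level 2 require at least two /
three character types.
"""
import string

UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
SYMBOLS = frozenset(" " + string.punctuation)   # assumption, see lead-in
USABLE = UPPER | LOWER | DIGITS | SYMBOLS
REQUIRED_TYPES = {1: 2, 2: 3}                    # assumption: Level -> character types


def check_password(password: str, min_length: int, complexity_level: int):
    """Return (accepted, reason). The reason strings are constructed for this example."""
    if complexity_level not in REQUIRED_TYPES:
        raise ValueError("Password Complexity Setting must be Level 1 or Level 2")
    # Any character outside the usable set is rejected before anything else
    if any(ch not in USABLE for ch in password):
        return False, "unusable character"
    if len(password) < min_length:
        return False, "shorter than the minimum length"
    # Count how many of the four character types appear at least once
    present = sum(1 for cls in (UPPER, LOWER, DIGITS, SYMBOLS)
                  if any(ch in cls for ch in password))
    if present < REQUIRED_TYPES[complexity_level]:
        return False, "too few character types for the complexity level"
    return True, "registered"


if __name__ == "__main__":
    for candidate in ("Abc12345", "abcdefgh", "Abc 1234", "Ab1"):
        print(candidate, check_password(candidate, 8, 2))
```

The check is deliberately strict about characters first: a password containing a non-usable character is rejected even if it would otherwise satisfy length and complexity, which mirrors the ST's "does not register the password but displays an error screen" for any unmet condition.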
Page 72 of 83 Document Data. Table 29 shows the value of the Document Data ACL when storing Document Data. Table 29: Initial Value for Document Data ACL Type of Document Data Document Data stored by General User Initial value for Document Data ACL Document Data Default ACL From the above, FDP_ACC.1 (Subset access control) and FDP_ACF.1 (Security attribute based access control) are accomplished. 7.1.3.
Page 73 of 83 - Document File Owners - General Users with full control authorisation Delete the Document File Users - File Administrator - Document File Owners - General Users with full control authorisation Change the operation permission on Document Data of Document File Users - File Administrator - Document File Owners - General Users with full control authorisation If the login user is the File Administrator, the TOE allows the File Administrator to perform the operations on all Document Data ACLs i
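The access-control rules spread over the preceding pages (the Document Data Default ACL copied into the document's own Document Data ACL at store time, read and delete as the operations on Document Data, delete and permission change reserved for the File Administrator, Document File Owners and General Users with full control authorisation) can be exercised as a small model. This is an added example, not Ricoh's code; the permission labels `read` and `full_control`, the user IDs and the class and method names are assumptions, and the File Administrator is given the operations the page lists for that role (delete and change permission).

```python
"""Document Data ACL model (FDP_ACC.1 / FDP_ACF.1 behaviour from the ST).

Added illustration, not Ricoh's code. When a General User stores Document Data,
the Document Data Default ACL from that user's General User Information is
copied into the new document's Document Data ACL; later operations are decided
from that ACL, the Document File Owner and the File Administrator role. The
labels, IDs and names below are assumptions.
"""
from dataclasses import dataclass, field

READ, DELETE, CHANGE_PERMISSION = "read", "delete", "change_permission"  # operations
FULL_CONTROL = "full_control"   # assumed label for "full control authorisation"


@dataclass
class Document:
    doc_id: str
    owner: str                                  # Document File Owner
    acl: dict = field(default_factory=dict)     # user ID -> set of permissions


class DocumentBox:
    """D-BOX with access control; default_acls maps user ID -> Document Data Default ACL."""

    def __init__(self, file_administrators, default_acls):
        self.file_admins = set(file_administrators)
        self.default_acls = default_acls
        self.docs = {}

    def store(self, user_id: str, doc_id: str) -> Document:
        # Copy the Default ACL so that later ACL edits affect this document only
        acl = {uid: set(p) for uid, p in self.default_acls.get(user_id, {}).items()}
        doc = Document(doc_id, user_id, acl)
        self.docs[doc_id] = doc
        return doc

    def allowed(self, user_id: str, operation: str, doc_id: str) -> bool:
        doc = self.docs[doc_id]
        perms = doc.acl.get(user_id, set())
        if user_id in self.file_admins:
            # The page lists delete and permission change for the File Administrator
            return operation in (DELETE, CHANGE_PERMISSION)
        if operation == READ:
            # assumption: the owner and full-control users may read, as may "read" holders
            return doc.owner == user_id or READ in perms or FULL_CONTROL in perms
        if operation in (DELETE, CHANGE_PERMISSION):
            return doc.owner == user_id or FULL_CONTROL in perms
        return False

    def change_permission(self, actor: str, doc_id: str, target: str, permission: str) -> bool:
        if not self.allowed(actor, CHANGE_PERMISSION, doc_id):
            return False
        self.docs[doc_id].acl.setdefault(target, set()).add(permission)
        return True

    def delete(self, actor: str, doc_id: str) -> bool:
        if not self.allowed(actor, DELETE, doc_id):
            return False
        del self.docs[doc_id]
        return True


if __name__ == "__main__":
    # Constructed sample: alice's Default ACL lets bob read and gives carol full control
    box = DocumentBox({"file_admin"}, {"alice": {"bob": {READ}, "carol": {FULL_CONTROL}}})
    box.store("alice", "d1")
    print(box.allowed("bob", READ, "d1"), box.allowed("bob", DELETE, "d1"))
```

The copy in `store` is the point worth checking in a real implementation: because the ACL is copied rather than referenced, a later change to a user's Document Data Default ACL affects only documents stored afterwards, which is what "copied ... when storing the Document Data" in Table 10 requires.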
Page 74 of 83 Operations on Administrator Information Authorised operators Authentication Information Add and query Administrator Roles The Administrators who are already assigned that Administrator Role Delete Administrator Roles The Administrators who are already assigned that Administrator Role However, the operation cannot be performed if no other Administrators have the Administrator Role.
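The role rule in this table (an Administrator can add a role it holds to another Administrator and delete its own role, but not when no other Administrator would still have that role) is simple to get wrong, so the following added example enforces it in code. It is not Ricoh's code; the four role names and the "one to four Administrators" bound come from the ST, while the class and method names and the administrator IDs are assumptions.

```python
"""Administrator Role management (model of the rule in the ST's FMT text).

Added illustration, not Ricoh's code. An Administrator may add a role it holds
to another Administrator and may delete its own role, but a deletion that would
leave no Administrator covering that role is refused. Names and IDs below other
than the role names are assumptions.
"""
ROLES = frozenset({"User Administration", "Machine Administration",
                   "Network Administration", "File Administration"})


class AdministratorRoles:
    def __init__(self, assignments):
        # assignments: administrator ID -> set of Administrator Roles
        self.assignments = {admin: set(roles) for admin, roles in assignments.items()}
        if not 1 <= len(self.assignments) <= 4:
            raise ValueError("one to four Administrators are registered")
        covered = set().union(*self.assignments.values())
        if not ROLES <= covered:
            raise ValueError("every Administrator Role must be assigned to at least one Administrator")

    def holders(self, role: str) -> set:
        return {admin for admin, roles in self.assignments.items() if role in roles}

    def add_role(self, actor: str, target: str, role: str) -> bool:
        # Only a role the actor itself holds may be given to another Administrator
        if role not in self.assignments.get(actor, set()) or target not in self.assignments:
            return False
        self.assignments[target].add(role)
        return True

    def delete_own_role(self, actor: str, role: str) -> bool:
        if role not in self.assignments.get(actor, set()):
            return False
        if not (self.holders(role) - {actor}):
            return False            # refused: no other Administrator covers the role
        self.assignments[actor].discard(role)
        return True


if __name__ == "__main__":
    roles = AdministratorRoles({"admin1": ROLES, "admin2": {"Network Administration"}})
    print(roles.delete_own_role("admin1", "File Administration"))   # refused
    print(roles.add_role("admin1", "admin2", "File Administration"))
    print(roles.delete_own_role("admin1", "File Administration"))   # now allowed
```

The invariant the constructor and `delete_own_role` protect together is that every role always has at least one holder; an implementation that checks only the actor's own roles, and not the remaining holders, would let the last File Administrator remove itself and leave Document Data ACLs with no administrator able to manage them.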
Page 75 of 83 Operations on General User Information Authorised operators Data Default ACL, S/MIME User Information) Query General User Information registered for Address Book (General User ID, Document Data Default ACL, S/MIME User Information) User Administrator The General User themselves Query General User Information registered for Address Book (General User ID, S/MIME User Information) General User Delete General User Information registered for Address Book (General User ID, authentication infor
Page 76 of 83 Machine control data items Range of values Operations Authorised setter Operation interfaces Length (digits) modify Password Complexity Setting Level 1 or Level 2 Query, modify User Administrator Operation Panel Date and time system clock Date, time (hour, minute, second) Query, modify Machine Administrator Query General Users, User Administrator, Network Administrator, File Administrator, Supervisor Operation Panel Web Service Function of Panel Lockout Flag General Users
Page 77 of 83 The HDD encryption keys are generated by the Machine Administrator. If the login user is the Machine Administrator, the TOE provides the screen to generate the HDD encryption keys from the Operation Panel.
Page 78 of 83 7.1.7.3 Sending by E-mail from TOE When sending Document Data by e-mail from the TOE to a client PC, the TOE attaches the Document Data to the e-mail and sends the e-mail with S/MIME. The destination information for S/MIME is managed as the S/MIME User Information of General User Information, and users send e-mail only to this managed destination information. From the above, FTP_TRP.1 (Trusted path) is accomplished. 7.1.7.
Page 79 of 83 8 Appendix 8.1 Terminology Description Table 35 shows the definitions of specific terms for clearly understanding of this ST. Table 35: Specific Terms Used in this ST Terms Definitions D-BOX A storage area for Document Data on the HDD. FTP Server A server for sending files to client PC and receiving files from client PC using File Transfer Protocol. HDD An abbreviation for Hard Disk Drive. Indicates the HDD installed in the TOE.
Page 80 of 83 Terms / Definitions: Back Up/Restore Address Book To back up the Address Book to SD cards or to restore the backup copy of the Address Book from SD cards to the TOE. Internet Fax A function that reads the fax original, then converts the scanned document images to e-mail format and transmits the data over the Internet to the machine that has an e-mail address.
Page 81 of 83 Terms Definitions Lockout A function that prohibits the access for the specific user IDs to the TOE. Lockout Flag A data that is assigned to each authorised user. The Lockout Flag for the Locked out User is set to "Active", and the one for the released Locked out User is set to "Inactive". The Administrators or Supervisor who are allowed to operate the Lockout Flag can release the Lockout for the Locked out Users by setting the Lockout Flag for the Locked out Users to "Inactive".
Page 82 of 83 Terms Definitions Machine Administration One of the Administrator Roles that manages machines and plays the role of performing the audit. The Machine Administrator is a person who has the machine management role. Machine Control Data MFP Control Data that is related to security functions and security behaviour. Operation Panel A display-input device that consists of a touch screen LCD, keyswitches, and LED indicators, and is used for MFP operation by users. Operation Panel Unit.
Page 83 of 83 - CC Version 3.1 Revision 2 Evaluation Criteria: "English version" Common Criteria for Information Technology Security Evaluation Version 3.1 Part 1: Introduction and general model Revision 1 (CCMB-2006-09-001) Part 2: Security functional components Revision 2 (CCMB-2007-09-002) Part 3: Security assurance components Revision 2 (CCMB-2007-09-003) "Translated version" Common Criteria for Information Technology Security Evaluation Version 3.