Page 1 of 81 Aficio MP 4001/5001 series with Fax Option Type 5001 Security Target Author: RICOH COMPANY, LTD., Yasushi FUNAKI Date: 2010-06-17 Version: 1.00 Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.
Page 2 of 81 Revision History Version 1.00, Date 2010-06-17, Author Yasushi FUNAKI, Details: Released version.
Page 3 of 81 Table of Contents
1 ST Introduction 7
1.1 ST Reference 7
1.2 TOE Reference
Page 4 of 81
4 Security Objectives 28
4.1 Security Objectives for TOE 28
4.2 Security Objectives of Operational Environment 29
4.
Page 5 of 81
7.1.2.4
7.1.3 SF.DOC_ACC Document Data Access Control Function 69
7.1.3.1 General User Operations on Document Data 69
7.1.3.2 File Administrator Operations on Document Data 70
7.1.4 SF.SEC_MNG Security Management Function 70
7.1.4.1 Management of Document Data ACL 70
7.1.4.
Page 6 of 81 List of Figures
Figure 1: Example TOE environment 9
Figure 2: Hardware configuration of TOE 11
Figure 3: Logical boundaries of TOE
Page 7 of 81 1 ST Introduction This section describes the ST reference, TOE reference, TOE overview, and TOE description. 1.1 ST Reference The following is the identification information of this ST. ST Title: Aficio MP 4001/5001 series with Fax Option Type 5001 Security Target; ST Version: 1.00; Date: 2010-06-17; Author: RICOH COMPANY, LTD.
Page 8 of 81 FCU Version: GWFCU3-19(WW) 01.00.00; Keywords: Digital MFP, Documents, Copy, Print, Scanner, Fax, Network, Office. 1.3 TOE Overview This section defines the TOE type, TOE usage and major security features of the TOE, the environment for the TOE usage and non-TOE configuration items. 1.3.1 TOE Type The TOE is a digital MFP, which is an IT device that provides the functions of a copier, scanner, printer, and fax (optional).
Page 9 of 81 Figure 1: Example TOE environment The following describes the non-TOE configuration: Internal Network The internal network connects the TOE with various types of servers (FTP, SMB, and SMTP servers) and client computers. It is connected to the Internet via a firewall. IPv4 is the protocol of the internal network. Client Computer A Web browser on a client computer that is connected to the internal network allows users to access and operate the TOE, and permits data communications.
Page 10 of 81 SMB Server SMB server is used for the TOE to send the document data stored in the TOE to folders in SMB server. SMTP Server SMTP server is used for the TOE to send the document data stored in the TOE to a client computer by e-mail. Telephone Line A telephone line is a line used to send and receive fax data from an external fax when the optional fax is installed.
Page 11 of 81 Figure 2: Hardware configuration of TOE Operation Panel Unit (hereafter "Operation Panel") The Operation Panel is an interface device that is installed on the TOE for use by users. It features key switches, LED indicators, an LCD touch screen, and the Operation Panel Control Board. The Operation Panel Control Software is installed in the Operation Panel Control Board.
Page 12 of 81 Controller Board The Controller Board contains Processors, FlashROM, RAM, NVRAM, and Ic Key. It is connected to the Operation Panel Unit, Engine Unit, Fax Unit, Network Unit, USB Port, SD Card Slot, and Ic Hdd. The Ic Hdd is also connected to the HDD. The following are descriptions of these components: [Processor] A semiconductor chip that carries out the basic arithmetic processing of the MFP operation. [FlashROM] A memory medium in which the MFP Control Software is installed.
Page 13 of 81 1.4.2 Guidance Documents The following sets of user guidance documents are available for this TOE: [English version-1], [English version-2], [English version-3], [English version-4]. Selection of the guidance document sets depends on characteristics of sales area and/or companies.
Page 14 of 81
- Quick Reference Printer Guide
- Quick Reference Scanner Guide
- Manuals for This Machine
- Safety Information for Aficio MP 4001/Aficio MP 5001
- Notes for Users
- App2Me Start Guide
- Manuals for Users MP 4001/5001 Aficio MP 4001/5001 A
- Manuals for Administrators Security Reference MP 4001/5001 Aficio MP 4001/5001
- Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001/5001 LD140/LD150 Aficio MP 4001/5001
- Notes for Administrators: Using this Machi
Page 15 of 81
- Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001/5001 LD140/LD150 Aficio MP 4001/5001
- Notes for Administrators: Using this Machine in a CC-Certified Environment
- VM Card Manuals
[English version-4]
- MP 4001/MP 5001 MP 4001/MP 5001 Aficio MP 4001/5001 Operating Instructions About This Machine
- MP 4001/MP 5001 MP 4001/MP 5001 Aficio MP 4001/5001 Operating Instructions Troubleshooting
- Quick Reference Copy Guide
- Quick Reference Fax Guide
- Quick
Page 16 of 81 1.4.3 User Roles This section describes the roles involved in this TOE operation. 1.4.3.1 Responsible Manager of MFP The "responsible manager" of the MFP is a person who belongs to the organisation that uses the TOE, and has the role of selecting the TOE administrators and TOE supervisor. The responsible manager of the MFP selects up to four administrators and one supervisor.
Page 17 of 81 1.4.3.5 Customer Engineer A customer engineer (hereafter "CE") is an expert in maintenance of the TOE and is employed by manufacturers, technical support service companies, and sales companies. 1.4.4 Logical Boundaries of TOE The logical boundaries of the TOE comprise the functions provided by the TOE. This section describes the "Basic Functions", which are the services provided by the TOE to users, and the "Security Functions", which counter threats to the TOE.
Page 18 of 81 Copy Function This function is for scanning originals and printing the scanned image according to the Print Settings specified by the user. Print Settings include the number of copies, magnification, and custom settings (e.g. printing multiple pages onto a single sheet). In addition, the scanned original images can be stored in the D-BOX.
Page 19 of 81 Function. When document data is printed, the Print Setting information for the stored document data will be updated according to the user's settings. Management Function This function is for setting the following information: information for configuring operation of the machine, information for connecting the TOE to networks, user information, and information on restriction of use of document data.
Page 20 of 81 Audit Function This function is for checking the operational status of the TOE, and for recording events in the audit log, which is necessary for the detection of security breaches. Only the machine administrator is able to read and delete the recorded audit logs. The machine administrator can read the audit logs using the Web Service Function, and delete the audit logs using both the Operation Panel and the Web Service Function.
Page 21 of 81 Table 2: Correspondence between operations authorised by permissions to process document data and operations possible on document data
Operation permission: operations possible on document data (reading document data / deleting document data)
Read-only: reading
Edit: reading
Edit/delete: reading, deleting
Full control: reading, deleting
The operation permissions for each document data can be specified for each general user.
Page 22 of 81 1. Management of document data ACL Allows only specified users to modify the document data ACL. Modifying the document data ACL includes changing document file owners, registering new document file users for the document data ACL, deleting document file users previously registered for the document data ACL, and changing operation permissions specified in document data. Only file administrators can change the document file owners.
Page 23 of 81 MFP Control Software Verification Function This function verifies the integrity of the MFP Control Software by checking the integrity of an executable code installed in the FlashROM. 1.4.5 Protected Assets This section describes the protected assets of this TOE (document data and print data). 1.4.5.1 Document Data Document data is imported from outside the TOE by various methods, and can be either stored in the TOE or output by it. Document data stored in the TOE can be deleted.
Page 24 of 81 a client computer to the TOE through the internal network, print data is protected from leakage, and tampered data can be detected.
Page 25 of 81 2 Conformance Claims This section describes the conformance claim. 2.1 CC Conformance Claim The CC conformance claim of this ST and TOE is as follows: - CC version for which this ST claims conformance Part 1: Introduction and general model September 2006 Version 3.1 Revision 1 (Japanese translation ver.1.2) CCMB-2006-09-002 Part 2: Security functional components September 2007 Version 3.1 Revision 2 (Japanese translation ver.2.
Page 26 of 81 3 Security Problem Definitions This section provides details of threats, organisational security policies, and assumptions. 3.1 Threats Defined and described below are the assumed threats related to the use and environment of this TOE. The threats defined in this section are attacks by unauthorised persons with knowledge of published information about TOE operations and such attackers are capable of potential security attacks. T.
Page 27 of 81 P.SOFTWARE (Software integrity checking) Measures shall be provided for verifying the integrity of MFP Control Software, which is installed in the FlashROM of the TOE. 3.3 Assumptions Defined and described below are the assumptions related to the use and environment of this TOE: A.ADMIN (Assumption for administrators) Administrators shall have sufficient knowledge to operate the TOE securely in the roles assigned to them and will instruct general users to operate the TOE securely also.
Page 28 of 81 4 Security Objectives This section describes the security objectives of the TOE and its security objectives of the operational environment and their rationale. 4.1 Security Objectives for TOE The following define the security objectives of the TOE. O.
Page 29 of 81 O.LINE_PROTECT (Prevention of intrusion from telephone line) The TOE shall prevent unauthorised access to the TOE from a telephone line connected to the Fax Unit. 4.2 Security Objectives of Operational Environment The following describes the security objectives of the operational environment. OE.ADMIN (Trusted administrator) The responsible manager of the MFP shall select trusted persons as administrators and instruct them on their administrator roles.
Page 30 of 81 [Security objectives rationale table (section 4.3): rows are the TOE security environment items T.ILLEGAL_USE, T.UNAUTH_ACCESS, T.ABUSE_SEC_MNG, T.SALVAGE, T.TRANSIT, T.FAX_LINE, P.SOFTWARE, A.ADMIN, A.NETWORK and A. (truncated); columns are the security objectives O.AUDIT, O.I&A, O.DOC_ACC, O.MANAGE, O.MEM.PROTECT, O.NET.PROTECT, O.GENUINE, O.LINE_PROTECT, OE.ADMIN, OE.SUPERVISOR, OE.NETWORK; the "v" marks cannot be recovered from the extracted layout.] 4.3.2
Page 31 of 81 A.NETWORK (Assumptions for network connections) As specified by A.NETWORK, when the network that the TOE is connected to (the internal network) is connected to an external network such as the Internet, the internal network shall be protected from unauthorised communications originating from the external network. As specified by OE.
Page 32 of 81 T.TRANSIT (Data interception and tampering with communication path) To counter this threat, the TOE protects document data and Print Data on communication path from leakage, and detects tampering. In addition, the performance of O.NET.PROTECT is recorded as audit logs by O.AUDIT, and the function to read audit logs is only provided to the machine administrator so that the machine administrator verifies afterwards whether or not O.NET.PROTECT was performed. Therefore, the TOE can counter T.
Page 33 of 81 5 Extended Components Definition In this ST and TOE, there are no extended components, i.e., no security functional requirements or security assurance requirements beyond those described in the CC to which conformance is claimed in "2.1 CC Conformance Claim".
Page 34 of 81 6 Security Requirements This section describes the security functional requirements, security assurance requirements, and security requirements rationale. 6.1 Security Functional Requirements This section describes the TOE security functional requirements for fulfilling the security objectives defined in "4.1 Security Objectives for TOE". The security functional requirements are quoted from the requirements defined in CC Part 2.
Page 35 of 81 Functional requirements Actions which should be auditable Auditable events of TOE object value(s) excluding any sensitive information (e.g. secret or private keys). generation (Outcome: Success/Failure) FCS_COP.1 a) Minimal: Success/failure, and type of cryptographic operation. b) Basic: Any applicable cryptographic mode(s) of operation, subject and object attributes. 1. Storage of document data successful 2.
Page 36 of 81 Functional requirements Actions which should be auditable Auditable events of TOE (Outcome: Success/Failure) 3. Changing administrator authentication information (Outcome: Success/Failure) 4. Changing supervisor authentication information (Outcome: Success/Failure) FIA_UAU.2 Minimal: Unsuccessful use of the authentication mechanism; Basic: All use of the authentication mechanism. Basic 1. Login (Outcome: Success/Failure) FIA_UAU.7 None FIA_UID.
Page 37 of 81 Functional requirements Actions which should be auditable Auditable events of TOE Authentication information. 6. Changing time and date of system clock. 7. Deleting entire audit logs. FMT_SMF.1 a) Minimal: Use of the Management Functions. 1. Adding and deleting administrator roles. 2. Lockout release by the unlocking administrator. 3. Changing time and date of system clock. FMT_SMR.
Page 38 of 81 b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: communication IP address, IDs of persons whose authentication information is created/changed/deleted, Locking out users, release of user Lockout, method of Lockout release, IDs of object document data]. FAU_SAR.1 Audit review Hierarchical to: No other components. Dependencies: FAU_GEN.1 Audit data generation. FAU_SAR.1.
Page 39 of 81 FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction. FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm shown in Table 5] and specified cryptographic key size [assignment: cryptographic key size shown in Table 5] that meet the following: [assignment: standards shown in Table 5].
Page 40 of 81 Table 7: List of subjects, objects, and operations among subjects and objects
Administrator process; Document data; Deleting document data
General user process; Document data; Storing document data, Reading document data, Deleting document data
FDP_ACF.1 Security attribute based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation. FDP_ACF.1.
Page 41 of 81 Deleting document data A general user process has permission to delete document data if the general user ID associated with the general user process matches either the document file owner ID or a document file user ID in the document data ACL associated with the document data, and if the matched ID has permission for editing/deleting or full control permission. FDP_ACF.1.
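The access rules of Table 2 and FDP_ACF.1 written out as a single decision function. This is an added example, not the TOE's code: the class and function names are assumed, and the file administrator branch follows Table 7 and sections 7.1.3.2 and 7.1.4.1 of this ST (an administrator process only deletes document data, and the file administrator may modify every document data ACL).

```python
"""Access decision for document data as this ST states it:
Table 2 maps the four operation permissions to the operations they
authorise, FDP_ACF.1 gives the matching rule for a general user process,
Table 7 restricts an administrator process to deleting, and 7.1.4.1 names
who may modify a document data ACL. Added example; names are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class Perm(Enum):
    READ_ONLY = "read-only"
    EDIT = "edit"
    EDIT_DELETE = "edit/delete"
    FULL_CONTROL = "full control"


# Table 2: operations on document data authorised by each permission
# (reading at every level; deleting only for edit/delete and full control).
OPS_BY_PERM = {
    Perm.READ_ONLY: frozenset({"read"}),
    Perm.EDIT: frozenset({"read"}),
    Perm.EDIT_DELETE: frozenset({"read", "delete"}),
    Perm.FULL_CONTROL: frozenset({"read", "delete"}),
}


@dataclass
class DocumentData:
    owner_id: str                                        # document file owner ID
    # document data ACL: owner ID and document file user IDs -> permission
    acl: dict[str, Perm] = field(default_factory=dict)


def decide(role: str, user_id: str, op: str, doc: DocumentData) -> bool:
    """Return True if a process acting for `user_id` may perform `op`
    ('read', 'delete' or 'modify_acl') on `doc`."""
    if role == "file administrator":
        # Table 7 / 7.1.3.2: an administrator process deletes document data
        # but does not read it; 7.1.4.1: it may modify any document data ACL.
        return op in ("delete", "modify_acl")
    if role != "general user":
        return False                  # no other role operates on document data
    perm = doc.acl.get(user_id)
    if perm is None:
        return False                  # FDP_ACF.1: ID is neither owner nor file user
    if op == "modify_acl":
        # 7.1.4.1: the document file owner, or a general user holding full
        # control for this document data
        return user_id == doc.owner_id or perm is Perm.FULL_CONTROL
    return op in OPS_BY_PERM[perm]
```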
Page 42 of 81 following types of subject and information security attributes: [assignment: subjects or information and their corresponding security attributes shown in Table 12].
Page 43 of 81 User authentication using TOE from client computer Web browser User authentication when printing from client computer User authentication when faxing from client computer FIA_AFL.1.2 When defined number of unsuccessful authentication attempts has been [selection: met], the TSF shall [assignment: Lockout the user, who has failed the authentication attempts, until one of the Lockout release actions, shown in Table 14, is taken].
Page 44 of 81 Numbers: [0-9] (10 digits) Symbols: SP (spaces) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols) (2) Registerable password length: For general users No fewer than the Minimum Password Length specified by the user administrator (8-32 characters) and no more than 128 characters. For administrators and a supervisor No fewer than the Minimum Password Length specified by the user administrator (8-32 characters) and no more than 32 characters.
Page 45 of 81 administrator IDs, administrator roles and supervisor ID]. FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes listed in Table 15].
Page 46 of 81 Security attributes Operations User roles Query - General users Newly create - Administrators Query, change - Administrators who own the administrator IDs Query - Supervisor Administrator roles Query, add, delete - Administrators who are assigned these administrator roles Supervisor ID Query, change - Supervisor Document data ACL Query, modify - File administrator - Document file owner - General users who have full control operation permissions for the relevant document data
Page 47 of 81 Hierarchical to: No other components. Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: register, change, entirely delete, newly create]] the [assignment: list of TSF data management in Table 18] to [assignment: roles in Table 18].
Page 48 of 81 TSF data Operations User roles Query General users, User administrator, Network administrator, File administrator, Supervisor Lockout Flag for general users Query, modify User administrator Lockout Flag for administrators Query, modify Supervisor Lockout Flag for supervisor Query, modify Machine administrator S/MIME User Information (a data item of general user information) Query, newly create, delete, change User administrator Applicable general users of S/MIME user informatio
Page 49 of 81 Functional requirements Management requirements Management items FDP_ACF.1 a) Managing the attributes used to make explicit access or denial based decisions. a) Management of the file administrator from administrator roles. FDP_IFC.1 None - FDP_IFF.1 a) Managing the attributes used to make explicit access based decisions. None: Attributes (data type) used to make explicit access-based decisions are fixed and there are no interfaces to change. FIA_AFL.
Page 50 of 81 Functional requirements Management requirements Management items - Security Management Function (management of supervisor information): management of supervisor authentication information by supervisor. FIA_UAU.7 None - FIA_UID.2 a) Management of the user identities. - Security Management Function (management of general user information): management of general user IDs by the user administrator.
Page 51 of 81 Functional requirements Management requirements Management items FMT_MTD.1 a) Managing the group of roles that can interact with the TSF data. None: No groups of roles can interact with TSF data. FMT_SMF.1 None - FMT_SMR.1 a) Managing the group of users that are part of a role. Management of administrator roles by administrators. FPT_STM.1 a) Management of the time.
Page 52 of 81 Dependencies: No dependencies. FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up] to demonstrate the correct operation of [selection: [assignment: encryption function of the Ic Hdd]]. FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of the [selection: [assignment: HDD cryptographic key]]. FPT_TST.1.
Page 53 of 81 Table 20: Services requiring trusted paths
Related persons for communication: services that require a trusted path
TSF: E-mail service to client computer from TOE (S/MIME)
Remote users: Initial user authentication (SSL); TOE web service from client PC (SSL); Printing service from client PC (SSL); Fax service from client PC (SSL)
Page 54 of 81 6.2 Security Assurance Requirements The evaluation assurance level of this TOE is EAL3. Table 21 lists the assurance components of the TOE. These components meet evaluation assurance level 3 (EAL3). Other requirements are not included. Table 21: TOE security assurance requirements (EAL3) Assurance classes ADV: Development AGD: Guidance documents ALC: Life-cycle support ASE: Security Target evaluation ATE: Tests AVA: Vulnerability assessment Assurance components ADV_ARC.
Page 55 of 81 6.3 Security Requirements Rationale This section describes the rationale behind the security requirements. If all security functional requirements are satisfied as below, the security objectives defined in "4.1 Security Objectives for TOE" are fulfilled. Tracing Table 22 shows the relationship between the TOE security functional requirements and TOE security objectives. The "v" in the table indicates that the TOE security functional requirement fulfils the TOE security objective.
Page 56 of 81 [Table 22 (continued): tracing of the TOE security functional requirements FIA_USB.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FPT_TST.1, FTP_ITC.1 and FTP_TRP.1 against the objectives O.AUDIT, O.I&A, O.DOC_ACC, O.MANAGE, O.MEM.PROTECT, O.NET.PROTECT, O.GENUINE and O.LINE_PROTECT; the "v" marks cannot be recovered from the extracted layout.] 6.3.2 Justification of Traceability This section describes how the TOE security objectives are fulfilled by the TOE security functional requirements corresponding to the TOE security objectives shown in Table 22. O.
Page 57 of 81 d) Reliable record of time of event To fulfil O.AUDIT, a reliable record of the times when events occurred should be available, as this will help identify security breaches. For this, FPT_STM.1 provides a trusted time stamp. O.I&A User identification and authentication Following are the rationale behind the functional requirements corresponding to O.I&A in Table 22, and these requirements are included to fulfil the O.I&A specification.
Page 58 of 81 FDP_ACC.1 and FDP_ACF.1 allow the general user to perform operations on document data. The operations that are permitted follow the operation permissions specified in the document data for each general user ID in the document data ACL. O.MANAGE Security management Following are the rationale behind the functional requirements corresponding to O.MANAGE in Table 22, and these requirements are included to fulfil the O.MANAGE specification. a) Management of security attributes. To fulfil O.
Page 59 of 81 performed. For this, FMT_SMF.1 specifies the required Security Management Functions for the Security Function requirements. d) Authorised use of Security Management Functions. To fulfil O.MANAGE, authorised users shall be associated with the security management roles, and operation permissions for the Security Management Functions shall be maintained, since the use of the Security Management Functions depends on the authorised user roles. FMT_SMR.
Page 60 of 81 O.GENUINE Protection of MFP Control Software integrity Following are the rationale behind the functional requirements corresponding to O.GENUINE in Table 22, and these requirements are included to fulfil the O.GENUINE specification. a) Check the integrity of the MFP Control Software. To fulfil O.GENUINE, the integrity of the MFP Control Software, which is installed in FlashROM, shall be verified. For this, FPT_TST.
Page 61 of 81 TOE security functional requirement / Dependencies claimed by CC / Dependencies satisfied in ST / Dependencies not satisfied in ST
FDP_IFC.1 / FDP_IFF.1 / FDP_IFF.1 / None
FDP_IFF.1 / FDP_IFC.1, FMT_MSA.3 / FDP_IFC.1, FMT_MSA.3 / None
FIA_AFL.1 / FIA_UAU.1 / FIA_UAU.2 / FIA_UAU.1
FIA_ATD.1 / None / None / None
FIA_SOS.1 / None / None / None
FIA_UAU.2 / FIA_UID.1 / FIA_UID.2 / FIA_UID.1
FIA_UAU.7 / FIA_UAU.1 / FIA_UAU.2 / FIA_UAU.1
FIA_UID.2 / None / None / None
FIA_USB.1 / FIA_ATD.1 / FIA_ATD.1 / None
FMT_MSA.
Page 62 of 81 Rationale for Removing Dependencies on FIA_UID.1 Since this TOE employs FIA_UID.2, which is hierarchical to FIA_UID.1, the dependency of FIA_UAU.2 and FMT_SMR.1 on FIA_UID.1 is satisfied. 6.3.4 Security Assurance Requirements Rationale This TOE is a commercially available product. It is assumed that it will be used in general offices, and that the possibility of basic security attacks on this TOE exists. Architectural design (ADV_TDS.
Page 63 of 81 7 TOE Summary Specification This section provides a specification summary of the Security Functions of this TOE. 7.1 TOE Security Function The TOE provides the following TOE Security Functions to satisfy the security functional requirements described in section "6.1":
SF.AUDIT Audit Function
SF.I&A User Identification and Authentication Function
SF.DOC_ACC Document Data Access Control Function
SF.SEC_MNG Security Management Function
SF.CE_OPE_LOCK Service Mode Lock Function
SF.
Page 64 of 81 [Table (section 7.1, continued): correspondence of the security functional requirements FDP_IFC.1, FDP_IFF.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_USB.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FPT_TST.1, FTP_ITC.1 and FTP_TRP.1 to the TOE Security Functions SF.AUDIT, SF.I&A, SF.DOC_ACC, SF.SEC_MNG, SF.CE_OPE_LOCK, SF.CIPHER, SF.NET_PROT, SF.FAX_LINE and SF.GENUINE; the "v" marks cannot be recovered from the extracted layout.] Following are the security functional requirements that correspond to these TOE Security Functions. 7.1.1 SF.
Page 65 of 81 recorded when any kind of auditable event occurs. Expanded audit information is data recorded for the generation of auditable events that require additional information for audit. Table 25 shows the audit information for each auditable event. If there is insufficient space in the audit log files to append new audit logs, older audit logs (identifiable by their time and date details) are overwritten with newer audit logs.
Page 66 of 81 *1: The starting of Audit Function is substituted with the event of the TOE startup. This TOE does not record the ending of Audit Function. The starting and ending of Audit Function audit the state of inactivity of Audit Function. Since Audit Function works as long as the TOE works and it is not necessary to audit the state of inactivity of Audit Function, it is appropriate not to record the ending of Audit Function.
Page 67 of 81 7.1.2.1 User Identification and Authentication The TOE displays a login window when users attempt to use the TOE Security Functions from the Operation Panel or the Web Service Function. This window requires the user to enter their ID and password, and then identifies and authenticates the user based on the entered user ID and password.
Page 68 of 81 When either of the following two Lockout release actions, (1) or (2), is performed by a user whose Lockout Flag is set to "Active", the TOE resets the Lockout Flag for that user to "Inactive" and releases the Lockout. (1) Auto Lockout Release If the user fails to authenticate after making the number of attempts specified to initiate lockout, and the lockout time has elapsed, then lockout will be released upon the first successful identification and authentication by the locked-out user.
Page 69 of 81 Numbers: [0-9] (10 digits) Symbols: SP (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols) (2) Registerable password length: General users No fewer than the Minimum Password Length specified by the user administrator (8-32 characters) and no more than 128 characters. Administrators and supervisor No fewer than the Minimum Password Length specified by the user administrator (8-32 characters) and no more than 32 characters.
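The registerable-password rules on this page and the Lockout behaviour of 7.1.2.2 (consecutive failures with one user ID, Lockout Flag "Active"/"Inactive", auto release after the lockout time on the first successful login, release by the unlocking administrator per the Lockout Flag rows of Table 18) combined into one model. This is an added example, not Ricoh code: the class and function names are assumed, and upper- and lower-case letters are assumed to be registerable characters because the page's list starts at "Numbers".

```python
"""Model of SF.I&A as this ST states it: registerable password characters
and lengths (FIA_SOS.1 / 7.1.2.3), Lockout after consecutive failures
with auto release or administrator release (FIA_AFL.1 / 7.1.2.2, Table 18).
Added example, not Ricoh code; all names below are assumed."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Digits and the 33 symbols (space plus the 32 ASCII punctuation marks) are
# quoted on the page; letters are an assumption (the page's list starts at
# "Numbers").
USABLE = set(string.digits) | set(" " + string.punctuation) | set(string.ascii_letters)
# Registerable length: the upper bound depends on the kind of user.
MAX_LEN = {"general user": 128, "administrator": 32, "supervisor": 32}
# Table 18: who may modify the Lockout Flag of which kind of user.
UNLOCKER = {"general user": "user administrator",
            "administrator": "supervisor",
            "supervisor": "machine administrator"}


def check_registerable(password: str, role: str, min_length: int):
    """Return (ok, reason). min_length is the Minimum Password Length set by
    the user administrator, which the ST restricts to 8-32."""
    if not 8 <= min_length <= 32:
        raise ValueError("Minimum Password Length must be 8-32")
    bad = sorted({c for c in password if c not in USABLE})
    if bad:
        return False, "unusable characters: " + "".join(bad)
    if len(password) < min_length:
        return False, f"shorter than Minimum Password Length {min_length}"
    if len(password) > MAX_LEN[role]:
        return False, f"longer than {MAX_LEN[role]} characters for {role}"
    return True, "ok"


@dataclass
class UserRecord:
    role: str
    salt: bytes
    digest: bytes
    failures: int = 0              # consecutive failures with this user ID
    lockout_flag: str = "Inactive"
    locked_at: float = 0.0


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Authenticator:
    def __init__(self, attempts_before_lockout: int, lockout_time: float):
        self.n = attempts_before_lockout      # Number of Attempts before Lockout
        self.lockout_time = lockout_time      # seconds
        self.users: dict[str, UserRecord] = {}

    def register(self, user_id: str, role: str, password: str, min_length: int):
        ok, reason = check_registerable(password, role, min_length)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(role, salt, _digest(password, salt))

    def login(self, user_id: str, password: str, now: float) -> bool:
        """Identify and authenticate; `now` is a monotonic clock in seconds."""
        rec = self.users.get(user_id)
        if rec is None:
            return False
        good = hmac.compare_digest(_digest(password, rec.salt), rec.digest)
        if rec.lockout_flag == "Active":
            # (1) Auto Lockout Release: only once the lockout time has elapsed,
            # and only on the first successful I&A by the locked-out user.
            if now - rec.locked_at < self.lockout_time or not good:
                return False
            self._release(rec)
            return True
        if good:
            rec.failures = 0
            return True
        rec.failures += 1
        if rec.failures >= self.n:
            rec.lockout_flag, rec.locked_at = "Active", now
        return False

    def release_by_administrator(self, releaser_role: str, user_id: str) -> bool:
        """(2) Release by the unlocking administrator for that kind of user."""
        rec = self.users[user_id]
        if UNLOCKER[rec.role] != releaser_role:
            return False
        self._release(rec)
        return True

    @staticmethod
    def _release(rec: UserRecord) -> None:
        rec.lockout_flag, rec.failures, rec.locked_at = "Inactive", 0, 0.0
```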
Page 70 of 81 By the above, FDP_ACC.1 (Subset access control) and FDP_ACF.1 (Security attribute based access control) are satisfied. 7.1.3.2 File Administrator Operations on Document Data If the logged-in user from the Operation Panel or Web Service Function is a file administrator, the TOE allows that user to display a list of document data and to delete the document data in the list individually or all at once. By the above, FDP_ACC.1 (Subset access control) and FDP_ACF.
Page 71 of 81 - General users with full control authorisation If the logged-in user is a file administrator, the TOE allows that user to perform operations on all document data ACLs, including changing document file owners and their access rights, and newly registering and deleting document file users and changing their access rights. If the logged-in user is a general user, the TOE allows that user to perform operations only on document data ACLs for which the user has full control authorisation.
Page 72 of 81 FMT_MTD.1 (Management of TSF data), FMT_SMF.1 (Specification of management functions) and FMT_SMR.1 (Security roles) are satisfied. 7.1.4.3 Management of Supervisor Information Management of supervisor information allows only the supervisor to query and change the supervisor ID, and to change supervisor authentication information from the Operation Panel or Web Service Function.
Page 73 of 81 be reading document data and modifying the document data ACL. By the above, FMT_MSA.1 (Management of security attributes), FMT_MTD.1 (Management of TSF data), FMT_SMF.1 (Specification of management functions), and FMT_SMR.1 (Security roles) are satisfied. 7.1.4.5 Management of Machine Control Data Management of machine control data allows setting of machine control data by specified users only.
Page 74 of 81 7.1.5 SF.CE_OPE_LOCK Service Mode Lock Function The Service Mode Lock Function restricts use of the Maintenance Functions to CEs only, based on the Service Mode Lock Function setting specified by the machine administrator. The TOE allows the machine administrator to set the Service Mode Lock Function from the Operation Panel, and allows all authorised users to view the value of the setting.
Page 75 of 81 By the above, FCS_CKM.1 (Cryptographic key generation), FCS_COP.1 (Cryptographic operation), FMT_MTD.1 (Management of TSF data), and FPT_TST.1 (TSF testing) are satisfied. 7.1.7 SF.NET_PROT Network Communication Data Protection Function This protects document data and print data in transit on internal networks from leakage, and also detects attempts at tampering. Following are explanations of each functional item in "SF.
Page 76 of 81 7.1.9 SF.GENUINE MFP Control Software Verification Function At every TOE start-up, the MFP Control Software Verification Function verifies the integrity of the MFP Control Software that is installed in the FlashROM. The TOE verifies the integrity of the executable code of the MFP Control Software each time the TOE starts up. The TOE becomes available for users only if the integrity of the control software can be verified.
Page 77 of 81 8 Appendix 8.1 Definitions of Terminology For ease of reader understanding, Table 34 provides definitions of the terms used in this ST. Table 34: Specific terms used in this ST Terms Definitions D-BOX A storage area for document data on the HDD. FTP server A server for sending files to a client computer and receiving files from a client computer using File Transfer Protocol. HDD An abbreviation of "Hard Disk Drive". Refers to the HDD installed in the TOE.
Page 78 of 81 Terms Definitions SMTP server A server for sending e-mail using Simple Mail Transfer Protocol. Address Book A database containing general user information for each general user. Back Up/Restore Address Book A function for backing up the Address Book to SD cards and restoring the TOE Address Book from backups made on SD cards.
Page 79 of 81 Terms Definitions Number of Attempts before Lockout The number of consecutive failed authentication attempts that can be made using the same user ID before the user is locked out. Lockout A function that prohibits access to the TOE to the specific user IDs. Lockout Flag An item of data that is assigned to each authorised user. The Lockout Flag for a locked-out user is set to "Active", and the Lockout Flag for a Lockout-released user is set to "Inactive".
Page 80 of 81 Terms Definitions Administrator role Management Functions given to administrators. There are four types of administrator role: user administration, machine administration, network administration, and file administration. Each administrator role is assigned to a registered administrator. Machine administration An administrator role that assigns responsibility for machine management and performing audits. The machine administrator is a person who has the machine management role. 8.2
Page 81 of 81
- CC Version 3.1 Revision 2 Evaluation Criteria:
"English version" Common Criteria for Information Technology Security Evaluation Version 3.1
Part 1: Introduction and general model Revision 1 (CCMB-2006-09-001)
Part 2: Security functional components Revision 2 (CCMB-2007-09-002)
Part 3: Security assurance components Revision 2 (CCMB-2007-09-003)
"Japanese-translated version" Common Criteria for Information Technology Security Evaluation Version 3.