Ricoh Aficio MP c4501 Users Manual 121113
Ricoh Aficio MP c4501 Users Manual 121113
Ricoh Aficio MP c4501 Users Manual 121113
Security Target
Revision History
Table of Contents
1 ST Introduction ...................................................................................................................7
1.5 Glossary......................................................................................................................27
1.5.1 Glossary for This ST ................................................................................................. 27
2 Conformance Claim...........................................................................................................31
2.2 PP Claims...................................................................................................................31
4 Security Objectives............................................................................................................39
6 Security Requirements......................................................................................................49
List of Figures
List of Tables
1 ST Introduction
This section describes ST Reference, TOE Reference, TOE Overview and TOE Description.
1.1 ST Reference
This TOE is identified by the following: digital multi function product (hereafter "MFP") and Fax Controller
Unit (hereafter "FCU"), all of which constitute the TOE. The MFP is identified by its product name and
version. Although the MFP product names vary depending on sales areas and/or sales companies, the
components are identical. MFP versions consist of software and hardware versions. The FCU is identified by
its name and version. Table 1 shows the identification information of the TOE.
Names Versions
MFPs
Ricoh Aficio MP C4501, Software
Ricoh Aficio MP C5501, System/Copy 2.02
Ricoh Aficio MP C4501G,
Network Support 10.54
Ricoh Aficio MP C5501G,
Scanner 01.11.1
Gestetner MP C4501,
Gestetner MP C5501, Printer 1.01
Lanier MP C4501, Fax 02.01.00
Lanier MP C5501, RemoteFax 01.00.00
Lanier LD645C, Web Support 1.06
Lanier LD655C, Web Uapl 1.01
Lanier LD645CG,
NetworkDocBox 1.01
Lanier LD655CG,
nashuatec MP C4501, animation 1.00
nashuatec MP C5501, PCL 1.02
Rex-Rotary MP C4501, OptionPCLFont 1.02
Rex-Rotary MP C5501, Engine 1.03:04
Names Versions
infotec MP C4501, OpePanel 1.06
infotec MP C5501, LANG0 1.06
Savin C9145,
LANG1 1.06
Savin C9155,
Data Erase Std 1.01x
Savin C9145G,
Savin C9155G Hardware
Ic Key 01020700
Ic Ctlr 03
Options
FCU name Fax Option Type C5501 GWFCU3-21(WW) 03.00.00
Keywords : Digital MFP, Documents, Copy, Print, Scanner, Network, Office, Fax
This section defines TOE Type, TOE Usage and Major Security Features of TOE.
This TOE is a digital multi function product (hereafter "MFP"), which is an IT device that inputs, stores, and
outputs documents.
The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this
section.
The TOE is used by connecting to the local area network (hereafter "LAN") and telephone lines, as shown in
Figure 1. Users can operate the TOE from the Operation Panel of the TOE or through LAN communications.
Below, explanations are provided for the MFP, which is the TOE itself, and hardware and software other
than the TOE.
MFP
A machinery that is defined as the TOE. The MFP is connected to the office LAN, and users can perform the
following operations from the Operation Panel of the MFP:
- Various settings for the MFP,
- Copy, fax, storage, and network transmission of paper documents,
- Print, fax, network transmission, and deletion of the stored documents.
Also, the TOE receives information via telephone lines and can store it as a document.
LAN
Network used in the TOE environment.
Client computer
Performs as a client of the TOE if it is connected to the LAN, and users can remotely operate the MFP from
the client computer. The possible remote operations from the client computer are as follows:
- Various settings for the MFP using a Web browser installed on the client computer,
- Operation of documents using a Web browser installed on the client computer,
- Storage and printing of documents using the printer driver installed on the client computer,
- Storage and faxing of documents using the fax driver installed on the client computer.
Telephone line
A public line for the TOE to communicate with external faxes.
Firewall
A device to prevent the office environment from network attacks via the Internet.
FTP Server
A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.
SMB Server
A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.
SMTP Server
A server used by the TOE for e-mail transmission of the stored documents in the TOE.
RC Gate
An IT device used for @Remote. The function of RC Gate for @Remote is to relay communications
between the MFP and maintenance centre. A transfer path to other external interface for input information
from the RC Gate via network interface is not implemented in the TOE. The RC Gate products include
Remote Communication Gate A, Remote Communication Gate Type BN1, and Remote Communication
Gate Type BM1.
The TOE stores documents in it, and sends and receives documents to and from the IT devices connected to
the LAN. To ensure provision of confidentiality and integrity for those documents, the TOE has the
following security features:
- Audit Function
- Identification and Authentication Function
- Document Access Control Function
- Use-of-Feature Restriction Function
- Network Protection Function
- Residual Data Overwrite Function
- Stored Data Protection Function
- Security Management Function
- Software Verification Function
- Fax Line Separation Function
This section describes Physical Boundary of TOE, Guidance Documents, Definition of Users, Logical
Boundary of TOE, and Protected Assets.
The physical boundary of the TOE is the MFP, which consists of the following hardware components
(shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, HDD, Ic Ctlr, Network
Unit, USB Port, SD Card Slot, and SD Card.
Controller Board
The Controller Board is a device that contains Processors, RAM, NVRAM, Ic Key, and FlashROM. The
Controller Board sends and receives information to and from the units and devices that constitute the MFP,
and this information is used to control the MFP. The information to control the MFP is processed by the
MFP Control Software on the Controller Board. The following describes the components of the Controller
Board:
- Processor
A semiconductor chip that performs basic arithmetic processing for MFP operations.
- RAM
A volatile memory medium which is used as a working area for image processing such as
compressing/decompressing the image data. It can also be used to temporarily read and write
internal information.
- NVRAM
A non-volatile memory medium in which TSF data for configuring MFP operations is stored.
- Ic Key
A security chip that has the functions of random number generation, cryptographic key generation
and digital signature. It has the memory medium inside, and the signature root key is installed
before the TOE is shipped.
- FlashROM
A non-volatile memory medium in which the following software components are installed:
System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl,
NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, and LANG1. These are part of the
TOE and are included in the MFP Control Software.
Engine Unit
The Engine Unit consists of Scanner Engine that is an input device to read paper documents, Printer Engine
that is an output device to print and eject paper documents, and Engine Control Board. The Engine Control
Software is installed in the Engine Control Board. The Engine Control Software sends status information
about the Scanner Engine and Printer Engine to the Controller Board, and operates the Scanner Engine or
Printer Engine according to instructions from the MFP Control Software. Engine, which is one of the
components that constitute the TOE, is the identifier for the Engine Control Software.
Fax Unit
The Fax Unit is a unit that has a modem function for connection to a telephone line. It also sends and
receives fax data to and from other fax devices using the G3 standard for communication. The Fax Unit
sends and receives control information about the Controller Board and Fax Unit and fax data. FCU, which is
one of the components that constitute the TOE, is the identifier of the Fax Unit.
HDD
The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names
and login passwords of normal users.
Ic Ctlr
The Ic Ctlr is a board that implements data encryption and decryption functions. It is provided with functions
for HDD encryption realisation.
Network Unit
The Network Unit is an external interface to an Ethernet (100BASE-TX/10BASE-T) LAN.
USB Port
The USB Port is an external interface to connect a client computer to the TOE for printing directly from the
client computer. During installation, this interface is disabled.
The following sets of user guidance documents are available for this TOE: [English version-1], [English
version-2], [English version-3], and [English version-4]. Selection of the guidance document sets depends on
the sales area and/or sales company. Guidance document sets will be supplied with individual TOE
component. Details of the document sets are as follows.
[English version-1]
Operating Instructions
Troubleshooting D088-7653A
- Quick Reference Copy Guide D088-7526
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide D088-7886
- App2Me Start Guide D085-7906B
- Notes for Users D088-7608
- Notes for Users D088-7759A
- Notes for Users D572-7010
- Manuals for Users
Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP
C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG
C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9
155A/C9155AG
LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/
LD655C/LD655CG/LD655CA/LD655CAG D089-6906A
- Manuals for Administrators
Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP
C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG
C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9
155A/C9155AG
LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/
LD655C/LD655CG/LD655CA/LD655CAG D089-6907A
- To Users of This Machine D029-7904
- Operating Instructions Notes on Security Functions D088-7706
- Notes for Administrators: Using this Machine in a Network Environment Compliant
with IEEE Std. 2600.1TM-2009 D088-7707
- Help 83NHBUENZ1.20 v116
[English version-2]
Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A
Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG
Operating Instructions
About This Machine D088-7609
- C9130/C9135/C9145/C9145A/C9155/C9155A
C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG
LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA
LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG
Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A
Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG
Operating Instructions
Troubleshooting D088-7657
- Quick Reference Copy Guide D088-7529
- Quick Reference Printer Guide D086-7800
- Quick Reference Scanner Guide D088-7889
- App2Me Start Guide D085-7905B
- Notes for Users D572-7010
- Manuals for Users
Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP
C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG
C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9
155A/C9155AG
LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD
655C/LD655CG/LD655CA/LD655CAG D089-6906A
- Manuals for Administrators
Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP
C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG
C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9
155A/C9155AG
LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD
655C/LD655CG/LD655CA/LD655CAG D089-6907A
- Notes for Users D088-7404
- To Users of This Machine D029-7903
- Operating Instructions Notes on Security Functions D088-7708
- Notes for Administrators: Using this Machine in a Network Environment Compliant
with IEEE Std. 2600.1TM-2009 D088-7709
- Help 83NHBUENZ1.20 v116
[English version-3]
FCU -
[English version-4]
Operating Instructions
About This Machine D088-7605A
- MP C3001/C3501/C4501/C4501A/C5501/C5501A
MP C3001/C3501/C4501/C4501A/C5501/C5501A
Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A
Operating Instructions
Troubleshooting D088-7655A
- Quick Reference Copy Guide D088-7527
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide D088-7887
- Notes for Users D088-7608
- Notes for Users D088-7759A
- App2Me Start Guide D085-7906B
- Manuals for Users
Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A
MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A
D089-6908A
- Manuals for Administrators
Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A
MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A
D089-6909A
- To Users of This Machine D029-7904
- Notes for Users D060-7781
- Operating Instructions Notes on Security Functions D088-7706
- Notes for Administrators: Using this Machine in a Network Environment Compliant
with IEEE Std. 2600.1TM-2009 D088-7707
- Help 83NHBUENZ1.20 v116
This section defines the users related to the TOE. These users include those who routinely use the TOE
(direct users) and those who do not (indirect users). The direct users and indirect users are described as
follows:
The "user" referred to in this ST indicates a direct user. This direct user consists of normal users,
administrators, and RC Gate. The following table (Table 6) shows the definitions of these direct users.
Definition of Explanation
Users
A user who is allowed to use the TOE. A normal user is provided with a login user
Normal user name and can use Copy Function, Fax Function, Scanner Function, Printer Function,
and Document Server Function.
A user who is allowed to manage the TOE. An administrator performs management
Administrator
operations, which include issuing login names to normal users.
An IT device connected to networks. RC Gate performs the @Remote Service Function
of the TOE via RC Gate communication interface. Copy Function, Fax Function,
RC Gate
Scanner Function, Printer Function, Document Server Function, and Management
Function cannot be used.
The administrator means the user registered for TOE management. According to its roles, the administrator
can be classified as the supervisor and the MFP administrator. Up to four MFP administrators can be
registered and selectively authorised to perform user management, machine management, network
management, and file management. Therefore, the different roles of the management privilege can be
allocated to multiple MFP administrators individually. The "MFP administrator" in this ST refers to the MFP
administrator who has all management privileges (Table 7).
Definition of
Management Privileges Explanation
Administrator
Authorised to delete and register the login
Supervisor Supervisor
password of the MFP administrator.
Authorised to manage normal users. This
User management privilege privilege allows configuration of normal user
settings.
Authorised to specify MFP device behaviour
Machine management (network behaviours excluded). This privilege
privilege allows configuration of device settings and
MFP administrator view of the audit log.
Authorised to manage networks and configure
Network management
LAN settings. This privilege allows
privilege
configuration of network settings.
Authorised to manage stored documents. This
File management privilege privilege allows access management of stored
documents.
The responsible manager of MFP is a person who is responsible for selection of the TOE administrators in
the organisation where the TOE is used.
Customer engineer
The customer engineer is a person who belongs to the organisation which maintains TOE operation. The
customer engineer is in charge of installation, setup, and maintenance of the TOE.
Copy Function
The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel.
Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as
a Document Server document.
Printer Function
The Printer Function of TOE is to print or store the documents the TOE receives from the printer driver
installed on the client computer. It also allows users to print and delete the stored documents from the
Operation Panel or a Web browser.
- Receiving documents from the printer driver installed on the client computer.
The TOE receives documents from the printer driver installed on the client computer. Printing
methods for documents is selected by users from the printer driver. The printing methods include
direct print, Document Server storage, locked print, stored print, hold print, and sample print.
For direct print, documents received by the TOE will be printed. The documents will not be stored
in the TOE.
For Document Server storage, the received documents will be stored on the HDD as Document
Server documents.
For locked print, stored print, hold print, and sample print, the received documents will be stored
on the HDD as printer documents. A dedicated password, which is used for locked print, is not
subject to this evaluation.
- Operating from the Operation Panel
The TOE can print or delete printer documents according to the operations by users from the
Operation Panel.
- Operating from a Web browser
The TOE can print or delete printer documents according to the operations by users from a Web
browser.
- Deleting printer documents by the TOE
The deletion of printer documents by the TOE differs depending on printing methods. If locked
print, hold print, or sample print is specified, the TOE deletes printer documents when printing is
complete. If stored print is specified, the TOE does not delete printer documents even when
printing is complete.
According to the guidance document, users first install the specified printer driver on their own client
computers, and then use this function.
Scanner Function
The Scanner Function is to scan paper documents by using the Operation Panel. The scanned documents will
be sent to folders or by e-mail. The documents to be sent to folders or by e-mail will be stored in the TOE, so
that they can be transmitted afterwards. The documents stored in the TOE are called scanner documents.
Scanner documents can be sent to folders or by e-mail, or deleted from the Operation Panel or a Web
browser.
Folder transmission can be applied only to the destination folders in a server that the MFP administrator
pre-registers in the TOE and with which secure communication can be ensured. E-mail transmission is
possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE
and with which secure communication can be ensured.
Fax Function
The Fax Function is to send paper documents and documents received from the fax driver installed on the
client computer to external faxes (Fax Transmission Function). Also, this function can be used to receive
documents from external faxes (Fax Reception Function).
Documents to be sent by fax can be stored in the TOE. Those documents stored in the TOE for fax
transmission are called fax documents. Fax documents can be sent by fax, and they also can be printed,
deleted, and sent to folders.
The documents received by fax can be stored in the TOE, printed, deleted from the TOE, and downloaded to
the client computer.
- Fax Transmission Function
A function to send paper documents, documents in the client computer, and fax documents to
external faxes over a telephone line.
Paper documents will be scanned and sent by fax using the Operation Panel. The documents in the
client computer are sent by fax from the fax driver installed on the client computer. Fax documents
are sent by fax from the Operation Panel or a Web browser. Documents can be sent by fax only to
the telephone numbers that are pre-registered in the TOE.
- Fax Data Storage Function
A function to temporarily store paper documents or documents in the client computer for fax
transmission in the TOE. Those documents stored in the TOE are called fax documents. Paper
documents will be scanned and stored using the Operation Panel. The documents in the client
computer are sent to and stored in the TOE by operating the fax driver installed on the client
computer.
- Operation Function for Fax Documents
A function to print or delete fax documents. This function can be used from the Operation Panel or
a Web browser.
- Folder Transmission Function of Fax Data
A function to send fax documents to folders by using the Operation Panel.
The MFP administrator must pre-register the destination server that provides secure
communication with the TOE. Users select the destination server from the servers that the MFP
administrator pre-registers, and send data to the folder.
- Fax Reception Function
A function to receive documents from external faxes via the telephone line and store the received
documents in the TOE. Those stored documents in the TOE are called received fax documents.
- Operation Function for Received Fax Documents
A function to operate the received fax documents from the Operation Panel or a Web browser.
Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted
and downloaded from a Web browser.
According to the guidance document, users first install the specified fax driver on their own client computers,
and then use this function.
Management Function
The Management Function is to control the MFP's overall behaviour. This function can be implemented
using the Operation panel or a Web browser.
Maintenance Function
The Maintenance Function is to perform maintenance service for the MFP if it is malfunctioning. When
analysing causes of the malfunction, a customer engineer performs this function from the Operation Panel.
The customer engineer will implement this function following the procedures that are allowed to customer
engineers only. If the MFP administrator sets the Service Mode Lock Function to "ON", the customer
engineer cannot use this function.
In this ST, the Service Mode Lock Function is set to "ON" for the target of evaluation.
Web Function
A function for the TOE user to remotely control the TOE from the client computer. To control the TOE
remotely, the TOE user needs to install the designated Web browser on the client computer following the
guidance documents and connect the client computer to the TOE via the LAN.
Audit Function
The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, "audit
events"). Also, this function provides the recorded audit log in a legible fashion for users to audit. This
function can be used only by the MFP administrator to view and delete the recorded audit log. To view and
delete the audit log, the Web Function will be used.
transmission function of Scanner Function is used, the protection function can be enabled through encrypted
communication with communication requirements that are specified for each e-mail address. If the LAN-Fax
Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to
specify encrypted communication. When communicating with RC Gate, encrypted communication is used.
Assets to be protected by the TOE are user data, TSF data, and functions.
The user data is classified into two types: document data and function data. Table 8 defines user data
according to these data types.
Type Description
Document Digitised documents, deleted documents, temporary documents and their
data fragments, which are managed by the TOE.
Function Jobs specified by users. In this ST, a "user job" is referred to as a "job".
data
The TSF data is classified into two types: protected data and confidential data. Table 9 defines TSF data
according to these data types.
Type Description
Protected data This data must be protected from changes by unauthorised persons. No security
threat will occur even this data is exposed to the public. In this ST, "protected
data", listed below, is referred to as "TSF protected data".
Login user name, Number of Attempts before Lockout, settings for Lockout
Release Timer, lockout time, date settings (year/month/day), time settings,
Minimum Character No., Password Complexity Setting, S/MIME user
information, destination folder, stored and received document user, document
user list, available function list, and user authentication procedures.
Confidential data This data must be protected from changes by unauthorised persons and reading by
users without viewing permissions. In this ST, "confidential data", listed below, is
referred to as "TSF confidential data".
Login password, audit log, and HDD cryptographic key.
1.4.5.3. Functions
The MFP applications (Copy Function, Document Server Function, Printer Function, Scanner Function, and
Fax Function) that are for management of the document data of user data are classified as protected assets,
whose use is subject to restrictions.
1.5 Glossary
For clear understanding of this ST, Table 10 provides the definitions of specific terms.
Terms Definitions
MFP Control Software A software component installed in the TOE. This component is stored in
FlashROM and SD Card. The components that identify the TOE include
System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web
Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont,
LANG0, LANG1 and Data Erase Std.
Terms Definitions
Login user name An identifier assigned to each normal user, MFP administrator, and supervisor.
The TOE identifies users by this identifier.
Login password A password associated with each login user name.
Lockout A type of behaviour to deny login of particular users.
Auto logout A function for automatic user logout if no access is attempted from the
Operation Panel or Web Function before the predetermined auto logout time
elapses.
Auto logout time for the Operation Panel:
Time specified by the MFP administrator within 60 to 999 seconds.
Auto logout time for the Web Function:
30 minutes (this cannot be changed by users). This auto logout time is also
referred to as "fixed auto logout time".
Minimum Character No. The minimum number of registrable password digits.
Password Complexity The minimum combination of the characters and symbols that can be used as
Setting registrable passwords.
There are four types of characters: uppercase and lower case alphabets, digits
and symbols.
There are Level 1 and Level 2 Password Complexity Settings. Level 1 requires a
password to be a combination of two or more types of characters and symbols
specified above. Level 2 requires a password to be a combination of three or
more types of characters and symbols specified above.
Basic Authentication One of the procedures for identification and authentication of TOE users who
are authorised to use the TOE. The TOE authenticates TOE users by using the
login user names and the login passwords registered on the TOE.
External Authentication One of the procedures for identification and authentication of TOE users who
are authorised to use the TOE. The TOE authenticates TOE users by using the
login user names and the login passwords registered on the external
authentication server connected to the MFP via LAN. External Authentication
implemented in the TOE includes Windows Authentication, LDAP
Authentication, and Integration Server Authentication. Windows Authentication
supports NTLM Authentication and Kerberos Authentication. As for this ST, the
term "External Authentication" refers to Windows Authentication using
Kerberos Authentication method.
HDD An abbreviation of hard disk drive. In this document, unless otherwise specified,
"HDD" indicates the HDD installed on the TOE.
User job A sequence of operations of each TOE function (Copy Function, Document
Server Function, Scanner Function, Printer Function and Fax Function) from
beginning to end. A user job may be suspended or cancelled by users during
operation. If a user job is cancelled, the job will be terminated.
Documents General term for paper documents and electronic documents used in the TOE.
Document data Attributes of document data, such as +PRT, +SCN, +CPY, +FAXOUT,
attributes +FAXIN, and +DSR.
+PRT One of the document data attributes. Documents printed from the client
computer, or documents stored in the TOE by locked print, hold print, and
sample print using the client computer.
Terms Definitions
+SCN One of the document data attributes. Documents sent to IT devices by e-mail or
sent to folders, or downloaded on the client computer from the MFP. For these
operations the Scanner Function is used.
+CPY One of the document data attributes. Documents copied by using Printer
Function.
+FAXOUT One of the document data attributes. Documents sent by fax or to folders by
using Fax Function.
+FAXIN One of the document data attributes. Documents received from the telephone
line. Documents stored in the TOE after the reception are also included.
+DSR One of the document data attributes. Document stored in the TOE by using Copy
Function, Scanner Function, Document Server Function, and Fax Data Storage
Function. Documents stored in the TOE after being printed with Document
Server printing or stored print from the client computer,
Document user list One of the security attributes of document data.
A list of the login user names of the normal users whose access to documents is
authorised, and it can be set for each document data. This list does not include
the login user names of MFP administrators whose access to the document data
is possible for administration.
Stored documents Documents stored in the TOE so that they can be used with Document Server
Function, Printer Function, Scanner Function, and Fax Function.
Stored document type Classification of stored documents according to their purpose of use. This
includes Document Server documents, printer documents, scanner documents,
fax documents, and received fax documents.
Document Server One of the stored document types. Documents stored in the TOE when
documents Document Server storage is selected as the printing method for Copy Function,
Document Server Function, and Printer Function.
Printer documents One of the stored document types. Documents stored in the TOE when any one
of locked print, hold printing, and sample print is selected as the printing method
for Printer Function.
Scanner documents One of the stored document types. Documents stored in the TOE using Scanner
Function.
Fax documents One of the stored document types. Documents scanned and stored using Fax
Function, and those stored using the LAN Fax.
Received fax documents One of the stored document types. Documents received by fax and stored. These
documents are externally received and whose "users cannot be identified".
MFP application A general term for each function the TOE provides: Copy Function, Document
Server Function, Scanner Function, Printer Function, and Fax Function.
Available function list A list of the functions (Copy Function, Printer Function, Scanner Function,
Document Server Function, and Fax Function) that normal users are authorised
to access. This list is assigned as an attribute of each normal user.
Operation Panel Consists of a touch screen LCD and key switches. The Operation Panel is used
by users to operate the TOE.
Terms Definitions
Users for stored and A list of the normal users who are authorised to read and delete received fax
received documents documents.
Folder transmission A function that sends documents from the MFP via networks to a shared folder
in an SMB Server by using SMB protocol or that sends documents to a shared
folder in an FTP Server by using FTP protocol. The following documents can be
delivered to folders: scanned documents using Scanner Function and Fax
Function, and scanned and stored documents using Scanner Function and Fax
Function.
IPSec protects the communication for realising this function.
Destination folder Destination information for the "folder transmission" function. The destination
folder includes the path information to the destination server, the folder in the
server, and identification and authentication information for user access. The
destination folder is registered and managed by the MFP administrator.
E-mail transmission A function to send documents by e-mail from the MFP via networks to the
SMTP Server. The documents that can be delivered using this function include:
scanned documents using Scanner Function, and scanned and stored document
data using Scanner Function.
S/MIME protects the communication for realising this function.
S/MIME user This information is required for e-mail transmission using S/MIME. Also, this
information information consists of e-mail address, user certificate, and encryption setting
(S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user
information is registered and managed by the MFP administrator.
LAN Fax One of Fax Functions. A function that transmits fax data and stores the
documents using the fax driver on client computer. Sometimes referred to as
"PC FAX".
@Remote General term for remote diagnosis maintenance services for the TOE. Also
called @Remote Service.
Maintenance centre The facility where the centre server of @Remote is located.
Repair Request A function for users to request a repair to the maintenance centre via RC Gate
Notification from the TOE.
The TOE displays the Repair Request Notification screen on the Operation Panel
if paper jams frequently occur, or if the door or cover of the TOE is left open for
a certain period of time while jammed paper is not removed.
2 Conformance Claim
This section describes Conformance Claim.
2.2 PP Claims
2600.1-SMI conformant
The targeted product type by the PP is the Hardcopy devices (hereafter, HCDs). The HCDs consist of the
scanner device and print device, and have the interface to connect telephone line. The HCDs combine these
devices and equip one or more functions of Copy Function, Scanner Function, Printer Function or Fax
Function. The Document Server Function is also available when installing the non-volatile memory medium,
such as hard disk drive, as additional equipments.
The MFP is the type of this TOE. The MFP has the devices the HCDs have, and equips the functions that
HCDs equip including the additional equipments. Therefore, this TOE type is consistent with the TOE type
in the PP.
For those points mentioned above, the security problems and security objectives in this ST are consistent
with those in the PP.
The SFRs for this TOE consist of the Common Security Functional Requirements, 2600.1-PRT, 2600.1-SCN,
2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI.
The Common Security Functional Requirements are the indispensable SFR specified by the PP. 2600.1-PRT,
2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI are selected from the SFR Package
specified by the PP.
2600.1-NVS is not selected because this TOE does not have any non-volatile memory medium that is
detachable.
Although the security requirements of this ST were partly augmented and instantiated over the security
requirements of the PP, they are still consistent with the PP. Described below are the parts augmented and
instantiated with the reasons for their consistency with the PP.
The TOE allows the MFP administrator to delete document data and user jobs (document access control SFP,
FDP_ACC.1(a) and FDP_ACF.1(a)), and as a result, the TSF restrictively allows the MFP administrator to
access the TOE functions. Therefore, the requirements described in FDP_ACF.1.3(b) in the PP are satisfied
at the same time. The fax reception process, which is accessed when receiving from a telephone line, is
regarded as a user with administrator privileges.
Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
3.1 Threats
Defined and described below are the assumed threats related to the use and environment of this TOE. The
threats defined in this section are unauthorised persons with knowledge of published information about the
TOE operations and such attackers are capable of Basic attack potential.
3.3 Assumptions
The assumptions related to this TOE usage environment are identified and described.
4 Security Objectives
This section describes Security Objectives for TOE, Security Objectives of Operational Environment and
Security Objectives Rationale.
4.2.1 IT Environment
This section describes the rationale for security objectives. The security objectives are for upholding the
assumptions, countering the threats, and enforcing the organisational security policies that are defined.
Table 11 describes the correspondence between the assumptions, threats and organisational security policies,
and each security objective.
OE.AUDIT_ACCESS_AUTHORIZED
OE.AUDIT_STORAGE.PROTCTED
O.RCGATE.COMM.PROTECT
OE.INTERFACE.MANAGED
OE.PHYSICAL.MANAGED
O.INTERFACE.MANAGED
O.STORAGE.ENCRYPTED
O.SOFTWARE.VERIFIED
OE.USER.AUTHORIZED
O.USER.AUTHORIZED
OE.AUDIT.REVIEWED
OE.ADMIN.TRUSTED
OE.ADMIN.TRAINED
OE.USER.TRAINED
O.AUDIT.LOGGED
O.FUNC.NO_ALT
O.CONF.NO_ALT
O.PROT.NO_ALT
O.CONF.NO_DIS
O.DOC.NO_ALT
O.DOC.NO_DIS
T.DOC.DIS X X X
T.DOC.ALT X X X
T.FUNC.ALT X X X
T.PROT.ALT X X X
T.CONF.DIS X X X
T.CONF.ALT X X X
P.USER.AUTHORIZATION X X
P.SOFTWARE.VERIFICATION X
P.AUDIT.LOGGING X X X X
P.INTERFACE.MANAGEMENT X X
P.STORAGE.ENCRYPTION X
P.RCGATE.COMM.PROTECT X
A.ACCESS.MANAGED X
A.ADMIN.TRAINING X
A.ADMIN.TRUST X
A.USER.TRAINING X
The following describes the rationale for each security objective being appropriate to satisfy the threats,
assumptions and organisational security policies.
T.DOC.DIS
T.DOC.DIS is countered by O.DOC.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.DOC.NO_DIS, the TOE protects the documents from
unauthorised disclosure by persons without a login user name, or by persons with a login user name but
without an access permission to those documents.
T.DOC.DIS is countered by these objectives.
T.DOC.ALT
T.DOC.ALT is countered by O.DOC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.DOC.NO_ALT, the TOE protects the documents from
unauthorised alteration by persons without a login user name, or by persons with a login user name but
without an access permission to the document.
T.DOC.ALT is countered by these objectives.
T.FUNC.ALT
T.FUNC.ALT is countered by O.FUNC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.FUNC.NO_ALT, the TOE protects the user jobs from
unauthorised alteration by persons without a login user name, or by persons with a login user name but
without an access permission to the user job.
T.FUNC.ALT is countered by these objectives.
T.PROT.ALT
T.PROT.ALT is countered by O.PROT.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
data from unauthorised alteration by persons without a login user name, or by persons with a login user name
but without an access permission to the TSF protected data.
T.PROT.ALT is countered by these objectives.
T.CONF.DIS
T.CONF.DIS is countered by O.CONF.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.CONF.NO_DIS, the TOE protects the TSF confidential
data from unauthorised disclosure by persons without a login user name, or by persons with a login user
name but without an access permission to the TSF confidential data.
T.CONF.DIS is countered by these objectives.
T.CONF.ALT
T.CONF.ALT is countered by O.CONF.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE. By O.CONF.NO_ALT, the TOE protects the TSF confidential
data from unauthorised alteration by persons without a login user name, or by persons with a login user name
but without an access permission to the TSF confidential data.
T.CONF.ALT is countered by these objectives.
P.USER.AUTHORIZATION
P.USER.AUTHORIZATION is enforced by O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users
who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE
requires identification and authentication of users, and users are authorised in accordance with the security
policies before being allowed to use the TOE.
P.USER.AUTHORIZATION is enforced by these objectives.
P. SOFTWARE.VERIFICATION
P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED.
By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the
TSF.
P.SOFTWARE.VERIFICATION is enforced by this objective.
P. AUDIT.LOGGING
P . AU D I T . L O G G I N G i s e n f o r c e d b y O . A U D I T . L O G G E D , O E . A U D I T . R E V I E W E D ,
OE.AUDIT_STORAGE.PROTECTED and OE.AUDIT_ACCESS.AUTHORIZED.
By O.AUDIT.LOGGED, the TOE creates and maintains a log of TOE use and security-relevant events in the
MFP and prevents its unauthorised disclosure or alteration.
By OE.AUDIT.REVIEWED, the responsible manager of MFP reviews audit logs at appropriate intervals for
security violations or unusual patterns of activity according to the guidance document.
By OE.AUDIT_STORAGE.PROTECTED, if audit records are exported from the TOE to another trusted IT
product, the responsible manager of MFP protects those records from unauthorised access, deletion and
alteration. By OE.AUDIT_ACCESS.AUTHORIZED, the responsible manager of MFP ensures that those
records can be accessed in order to detect potential security violations, and only by authorised persons.
P.AUDIT.LOGGING is enforced by these objectives.
P.INTERFACE.MANAGEMENT
P.INTERFACE.MANAGEMENT is enforced by O.INTERFACE.MANAGED and OE.INTERFACE.MANAGED.
By O.INTERFACE.MANAGED, the TOE manages the operation of the external interfaces in accordance
with the security policies. By OE.INTERFACE.MANAGED, the TOE constructs the IT environment that
prevents unmanaged access to TOE external interfaces.
P.INTERFACE.MANAGEMENT is enforced by these objectives.
P.STORAGE.ENCRYPTION
P.STORAGE.ENCRYPTION is enforced by O.STORAGE.ENCRYPTED.
By O.STORAGE.ENCRYPTED, the TOE shall encrypt the data to be written on the HDD, and written on
the HDD shall be those encrypted data.
P.STORAGE.ENCRYPTION is enforced by this objective.
P.RCGATE.COMM.PROTECT
P.RCGATE.COMM.PROTECT is enforced by O.RCGATE.COMM.PROTECT.
By O.RCGATE.COMM.PROTECT, the TOE shall conceal the communication data on the communication
path between itself and RC Gate, and detect any tampering with those communication data.
P.RCGATE.COMM.PROTECT is enforced by this objective.
A.ACCESS.MANAGED
A.ACCESS.MANAGED is upheld by OE.PHYSICAL.MANAGED.
By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to
the guidance documents and is protected from the physical access by the unauthorised persons.
A.ACCESS.MANAGED is upheld by this objective.
A.ADMIN.TRAINING
A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
By OE.ADMIN.TRAINED, the responsible manager of MFP ensures that the administrators are aware of the
security policies and procedures of their organisation. For this, the administrators have the training,
competence, and time to follow the guidance documents, and correctly configure and operate the TOE in
accordance with those policies and procedures.
A.ADMIN.TRAINING is upheld by this objective.
A.ADMIN.TRUST
A.ADMIN.TRUST is upheld by OE.ADMIN.TRUSTED.
By OE.ADMIN.TRUSTED, the responsible manager of MFP selects the administrators and they will not
abuse their privileges in accordance with the guidance documents.
A.ADMIN.TRUST is upheld by this objective.
A.USER.TRAINING
A.USER.TRAINING is upheld by OE.USER.TRAINED.
By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the
guidance documents to make them aware of the security policies and procedures of their organisation, and
the users follow those policies and procedures.
OE.USER.TRAINED is upheld by this objective.
Family behaviour
This family defines requirements for the TSF to restrict direct forwarding of information from one external
interface to another external interface.
Many products receive information on specific external interfaces and are intended to transform and process
this information before it is transmitted on another external interface. However, some products may provide
the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are
connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between
different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The
family FPT_FDI_EXP has been defined to specify this kind of functionality.
Component levelling:
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to require
TSF controlled processing of data received over defined external interfaces before these data are sent out on
another external interface. Direct forwarding of data from one external interface to another one requires
explicit allowance by an authorized administrative role.
Management: FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) Definition of the role(s) that are allowed to perform the management activities
b) Management of the conditions under which direct forwarding can be allowed by an administrative role
c) Revocation of such an allowance
Audit: FPT_FDI_EXP.1
There are no auditable events foreseen.
Rationale:
Quite often, a TOE is supposed to perform specific checks and process data received on one external
interface before such (processed) data are allowed to be transferred to another external interface. Examples
are firewall systems but also other systems that require a specific work flow for the incoming data before it
can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different
external interfaces is therefore a function that—if allowed at all—can only be allowed by an authorized role.
It has been viewed as useful to have this functionality as a single component that allows specifying the
property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a
function that is quite common for a number of products, it has been viewed as useful to define an extended
component.
The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this
Protection Profile, the authors needed to express the control of both user data and TSF data flow using
administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for
this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too
unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended
component to address this functionality.
This extended component protects both user data and TSF data, and it could therefore be placed in either the
FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was
most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class,
and this led the authors to define a new family with just one member.
6 Security Requirements
This section describes Security Functional Requirements, Security Assurance Requirements and Security
Requirements Rationale.
This section describes the TOE security functional requirements for fulfilling the security objectives defined
in section 4.1. The security functional requirements are quoted from the requirement defined in the CC Part2.
The security functional requirements that are not defined in CC Part2 are quoted from the extended security
functional requirements defined in the PP (IEEE Standard for a Protection Profile in Operational
Environment A (IEEE Std 2600.1-2009)).
The part with assignment and selection defined in the [CC] is identified with [bold face and brackets].
The part with refinement is identified with (refinement:).
specified cryptographic key sizes [assignment: cryptographic key sizes in Table 13] that
meet the following: [assignment: standards in Table 13].
Table 15 : List of Subjects, Objects, and Operations among Subjects and Objects (a)
Table 16 : List of Subjects, Objects, and Operations among Subjects and Objects (b)
FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled
subjects and controlled objects is allowed: [assignment: rules to control operations among
subjects and objects shown in Table 18].
Table 18 : Rules to Control Operations on Document Data and User Jobs (a)
Document +CPY Read Normal user Not allowed. However, it is allowed for
data process normal user process that created the
document data.
Document +DSR Delete Normal user Not allowed. However, it is allowed for
data process normal user process with login user
name of normal user registered on
document user list for document data.
Document +DSR Read Normal user Not allowed. However, it is allowed for
data process normal user process with login user
name of normal user registered on
document user list for document data.
User jobs No setting of Delete Normal user Not allowed. However, it is allowed for
document data process normal user process with login user
attribute name of normal user, which is the
security attribute of user jobs.
FDP_ACF.1.3(a) The TSF shall explicitly authorise access of subjects to objects based on the following
additional rules: [assignment: rules to control operations among subjects and objects
shown in Table 19].
Table 19 : Additional Rules to Control Operations on Document Data and User Jobs (a)
FDP_ACF.1.4(a) The TSF shall explicitly deny access of subjects to objects based on the following additional
rules: [assignment: deny the operations on the document data and user jobs in case of
supervisor process or RC Gate process].
FDP_ACF.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to objects based
on the following: [assignment: subjects or objects, and their corresponding security
attributes shown in Table 20].
FDP_ACF.1.2(b) The TSF shall enforce the following rules to determine if an operation among controlled
subjects and controlled objects is allowed: [assignment: rule to control operations among
objects and subjects shown in Table 21].
Authentication Events
User authentication using the Operation Panel
User authentication using the TOE from client computer Web
browser
User authentication when printing from the client computer
User authentication when using LAN Fax from client computer
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met],
the TSF shall [assignment: perform actions shown in Table 23].
Table 24 : List of Security Attributes for Each User That Shall Be Maintained
FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other
TSF-mediated actions on behalf of that user.
of fax reception, and repair request notification] on behalf of the user to be performed before
the user is identified (refinement: authentication of MFP administrator and supervisor with
Basic Authentication, and identification of normal user with external authentication server).
FIA_UID.1.2(b) The TSF shall require each user to be successfully identified before allowing other
TSF-mediated actions on behalf of that user.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 28] to
specify alternative initial values to override the default values when an object or information is
created.
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly
create]] the [assignment: list of TSF data in Table 29] to [assignment: the user roles in
Table 29].
Management Functions
New creation, query, modification, and deletion of the login user name of normal user by MFP administrator
when the Basic Authentication is used
Query of own login user name by normal user when the Basic Authentication is used
New creation, query, modification, and deletion of the login user name of normal user by MFP administrator
when External Authentication is used
Query and modification of login user name of supervisor by supervisor
New creation of login user name of MFP administrator by MFP administrator
Query and modification of own login user name by MFP administrator
Query of login user name of MFP administrator by supervisor
New creation and modification of login password of normal user by MFP administrator when the Basic
Authentication is used
Modification of own login password by normal user when the Basic Authentication is used
Modification of login password of supervisor by supervisor
Modification of login password of MFP administrator by supervisor
New creation of login password of MFP administrator by MFP administrator
Modification of own login password by MFP administrator
Query of minimum character number by MFP administrator when the Basic Authentication is used
Query of Password Complexity by MFP administrator when the Basic Authentication is used
Query of Number of Attempts before Lockout by MFP administrator when the Basic Authentication is used
Query of Lockout Release Timer Setting by MFP administrator when the Basic Authentication is used
Query of lockout time by MFP administrator when the Basic Authentication is used
Query and modification of document user list by MFP administrator
Query and modification of document user list by the normal user who stored the document
Query and modification of available function list by MFP administrator
Query of own available function list by normal user when the Basic Authentication is used
The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 31 lists the assurance components
of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3
(EAL3).
6.3.1 Tracing
Table 32 shows the relationship between the TOE security functional requirements and TOE security
objectives. Table 32 shows that each TOE security functional requirement fulfils at least one TOE security
objective.
O.RCGATE.COMM.PROTECT
O.INTERFACE.MANAGED
O.STORAGE.ENCRYPTED
O.SOFTWARE.VERIFIED
O.USER.AUTHORIZED
O.AUDIT.LOGGED
O.FUNC.NO_ALT
O.CONF.NO_ALT
O.PROT.NO_ALT
O.CONF.NO_DIS
O.DOC.NO_ALT
O.DOC.NO_DIS
FAU_GEN.1 X
FAU_GEN.2 X
FAU_STG.1 X
FAU_STG.4 X
FAU_SAR.1 X
FAU_SAR.2 X
FCS_CKM.1 X
FCS_COP.1 X
FDP_ACC.1(a) X X X
FDP_ACC.1(b) X
FDP_ACF.1(a) X X X
FDP_ACF.1(b) X
FDP_RIP.1 X X
FIA_AFL.1 X
FIA_ATD.1 X
FIA_SOS.1 X
FIA_UAU.1(a) X X
FIA_UAU.1(b) X X
FIA_UAU.2 X X
FIA_UAU.7 X
FIA_UID.1(a) X X
FIA_UID.1(b) X X
FIA_UID.2 X X
FIA_USB.1 X
FPT_FDI_EXP.1 X
FMT_MSA.1(a) X X X
FMT_MSA.1(b) X
FMT_MSA.3(a) X X X
O.RCGATE.COMM.PROTECT
O.INTERFACE.MANAGED
O.STORAGE.ENCRYPTED
O.SOFTWARE.VERIFIED
O.USER.AUTHORIZED
O.AUDIT.LOGGED
O.FUNC.NO_ALT
O.CONF.NO_ALT
O.PROT.NO_ALT
O.CONF.NO_DIS
O.DOC.NO_ALT
O.DOC.NO_DIS
FMT_MSA.3(b) X
FMT_MTD.1 X X X X
FMT_SMF.1 X X X X
FMT_SMR.1 X X X X
FPT_STM.1 X
FPT_TST.1 X
FTA_SSL.3 X X
FTP_ITC.1 X X X X X X X
This section describes below how the TOE security objectives are fulfilled by the TOE security functional
requirements corresponding to the TOE security objectives.
Table 33 shows the result of dependency analysis in this ST for the TOE security functional requirements.
FCS_CKM.4
FCS_COP.1 [FDP_ITC.1 or FCS_CKM.1 FCS_CKM.4
FDP_ITC.2 or
FCS_CKM.1]
FCS_CKM.4
FDP_ACC.1(a) FDP_ACF.1(a) FDP_ACF.1(a) None
FDP_ACC.1(b) FDP_ACF.1(b) FDP_ACF.1(b) None
FDP_ACF.1(a) FDP_ACC.1(a) FDP_ACC.1(a) None
FMT_MSA.3(a) FMT_MSA.3(a)
FDP_ACF.1(b) FDP_ACC.1(b) FDP_ACC.1(b) None
FMT_MSA.3(b) FMT_MSA.3(b)
FDP_RIP.1 None None None
FIA_AFL.1 FIA_UAU.1(a) FIA_UAU.1(a) None
FIA_ATD.1 None None None
FIA_SOS.1 None None None
FIA_UAU.1(a) FIA_UID.1(a) FIA_UID.1(a) None
FIA_UAU.1(b) FIA_UID.1(b) FIA_UID.1(b) None
FIA_UAU.2 FIA_UID.1 FIA_UID.2 None
FIA_UAU.7 FIA_UAU.1 FIA_UAU.1 None
FIA_UID.1(a) None None None
FIA_UID.1(b) None None None
FIA_UID.2 None None None
FIA_USB.1 FIA_ATD.1 FIA_ATD.1 None
FPT_FDI_EXP.1 FMT_SMF.1 FMT_SMF.1 None
FMT_SMR.1 FMT_SMR.1
FMT_MSA.1(a) [FDP_ACC.1(a) or FDP_ACC.1(a) None
FDP_IFC.1] FMT_SMR.1
FMT_SMR.1 FMT_SMF.1
FMT_SMF.1
FMT_MSA.1(b) [FDP_ACC.1(b) FDP_ACC.1(b) None
or FDP_IFC.1] FMT_SMR.1
FMT_SMR.1 FMT_SMF.1
FMT_SMF.1
FMT_MSA.3(a) FMT_MSA.1(a) FMT_MSA.1(a) None
FMT_SMR.1 FMT_SMR.1
FMT_MSA.3(b) FMT_MSA.1(b) FMT_MSA.1(b) None
FMT_SMR.1 FMT_SMR.1
FMT_MTD.1 FMT_SMR.1 FMT_SMR.1 None
FMT_SMF.1 FMT_SMF.1
FMT_SMF.1 None None None
The following explains the rationale for acceptability in all cases where a dependency is not satisfied:
This TOE is software for the MFP, which is a commercially available product. The MFP is assumed that it
will be used in a general office and this TOE does not assume the attackers with the possibility of moderate
or greater level attacks.
Architectural design (ADV_TDS.2) is adequate to show the validity of commercially available products. A
high attack potential is required for the attacks that circumvent or tamper with the TSF, which is not covered
in this evaluation. The vulnerability analysis (AVA_VAN.2) is therefore adequate for general needs.
However, protection of the secrecy of relevant information is required to make security attacks more difficult,
and it is important to ensure a secure development environment. Development security (ALC_DVS.1) is
therefore important also.
In order to securely operate the TOE continuously, it is important to appropriately remediate the flaw
discovered after the start of TOE operation according to flow reporting procedure (ALC_FLR.2).
Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is
appropriate for this TOE.
The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, "audit
events"). This function provides the recorded audit log in a legible fashion for users to audit (audit log
review). The recorded audit log can be viewed and deleted only by the MFP administrator.
FPT_STM.1
The date (year/month/day) and time (hour/minute/second) the TOE records for the audit log are derived from
the system clock of the TOE.
FAU_STG.4
The TOE writes the newest audit log over the oldest audit log when there is insufficient space in the audit log
files to append the newest audit log.
Audit Events
Start-up of the Audit Function (*1)
Shutdown of the Audit Function (*1)
Success and failure of login operations (*2)
Success and failure of login operations from RC Gate communication interface
Table 30 Record of Management Function
Date settings (year/month/day), time settings (hour/minute)
Audit Log Items Setting Values of Audit Log Audit Events to record
Items Audit Logs
Starting date/time of an Values of the TOE system clock at - All auditable events shown
event an event occurrence in Table 34
Basic Log Items
Gate
Communicating IP address Communicating IP address - Web Function
communication
- Folder transmission
- Printing via networks
- LAN Fax via networks
- Communication with RC
Gate
The Identification and Authentication Function is to verify whether persons who intend to use the TOE are
authorised users (MFP administrator, supervisor, normal users, and RC Gate) by referring to the
identification and authentication information obtained from the users, so that only persons who are
confirmed as authorised users are allowed to use the TOE. Verification methods for normal users include
those by Basic Authentication and External Authentication. Either Basic Authentication or External
Authentication will be selected when the TOE is installed.
When the sent login user name and login password are identified and authenticated, the user is allowed to use
the TOE according to the identified user role.
FTA_SSL.3
The automatic logout function the TOE provides is activated if the auto logout time (60 - 999 seconds)
specified by the MFP administrator elapses after the final operation from the Operation Panel by the user
who logs on to the TOE from the Operation Panel.
The automatic logout function the TOE provides is activated if the fixed auto logout time (30 minutes by
default) elapses after the final operation from a Web browser by the user who logs on to the TOE from a
Web browser.
The TOE logs out immediately after receiving the print data from the printer driver.
The TOE logs out immediately after receiving the transmission information from the fax driver.
The TOE terminates a session with RC Gate immediately after the communication with RC Gate is
complete.
FIA_UAU.7
Regarding login passwords entered by a person who intends to use the TOE from the Operation Panel or a
Web browser, the TOE does not display the entered login password but it displays a sequence of dummy
characters whose length is the same as that of the entered password.
FIA_AFL.1
When Basic Authentication is applied, the TOE counts the number of identification and authentication
attempts that consecutively result in failure using the login user name of a normal user, MFP administrator,
or supervisor. When External Authentication is applied, the TOE counts the number of identification and
authentication attempts that consecutively result in failure using the login user name of an MFP administrator
or supervisor. The TOE locks out the login user name if the number of consecutive login failures exceeds the
number of attempts before lockout.
If a user name is locked out, the user with that user name is not allowed to log in unless the lockout time set
in advance elapses or an "unlocking administrator" shown in Table 36 and specified for each user role
releases the lockout.
FIA_SOS.1
Login passwords for users can be registered only if these passwords meet the following conditions:
(1) Usable characters and types:
Upper-case letters: [A-Z] (26 letters)
Lower-case letters: [a-z] (26 letters)
Numbers: [0-9] (ten digits)
Symbols: SP (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols)
(2) Registrable password length:
- For normal users
No less than the minimum character number for password (8-32 characters) specified by the MFP
administrator and no more than 128 characters.
- For MFP administrators and a supervisor
No less than the minimum character number for password (8-32 characters) specified by the MFP
administrator and no more than 32 characters.
(3) Combination of character types:
The number of combined character types specified by the MFP administrators (two types or more, or
three types or more).
FPT_FDI_EXP.1
The TOE inputs information after the TSF reliably identifies and authenticates the input information from the
Operation Panel or the client computer via LAN interface. Therefore, the input information cannot be
forwarded unless the TSF is not involved in information identification and authentication.
The Document Access Control Function is to allow authorised TOE users to operate document data and user
jobs in accordance with the provided user role privilege or user privilege.
The Use-of-Feature Restriction Function is to authorise TOE users to use Copy Function, Printer Function,
Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified
and authenticated TOE users and user privileges set for each user.
The Network Protection Function is to provide network monitoring to prevent information leakage when
LAN is used and to detect data tampering.
FTP_ITC.1
The encrypted communications provided by the TOE differ depending on communicating devices. Table 38
shows the encrypted communications provided by the TOE.
The Residual Data Overwrite Function is to overwrite specific patterns on the HDD and disable the reusing
of the residual data included in the deleted documents, temporary documents and their fragments on the
HDD.
FDP_RIP.1
Methods to delete the HDD area through overwriting include sequential overwriting and batch overwriting.
For sequential overwriting, the TOE constantly monitors the information on a residual data area, and
overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE
applies the method specified by the MFP administrator and overwrites the area on the HDD where the digital
image data of the document data is stored. Also, when a user job is complete, the TOE applies the method
specified by the MFP administrator and overwrites the area on the HDD where temporary documents that are
created while a user job is executed or the fragments of those temporary documents are stored.
For batch overwriting, the TOE collectively overwrites the HDD with the method specified by the MFP
administrator.
Overwriting methods include NSA method, DoD method, and random number method. An overwriting
method is specified by the MEP administrator when the TOE is installed. NSA method overwrites twice by
random numbers and once by Null(0). The DoD method overwrites once by fixed value, once by its
complement, and further by random numbers to be verified afterwards. Random number method overwrites
for three to nine times by random numbers. The MFP administrator specifies the number of times to
overwrite when the TOE is installed.
The Stored Data Protection Function is to encrypt the data on the HDD and protect the data so that data
leakage can be prevented.
Following operations by the MFP administrator, the TOE generates a cryptographic key. If a login user is the
MFP administrator, the screen to generate an HDD cryptographic key is provided from the Operation Panel.
If the MFP administrator gives instructions to generate an HDD cryptographic key from the Operation Panel,
the TOE uses a genuine random number generator and generates random numbers that conform to the
standard BSI-AIS31.
The Security Management Function consists of functions to 1) control operations for TSF data, 2) maintain
user roles assigned to normal users, MFP administrator, or supervisor to operate the Security Management
Function, and 3) set appropriate default values to security attributes, all of which accord with user role
privileges or user privileges that are assigned to normal users, MFP administrator, or supervisor.
No operation No operations
Function types -
interfaces available allowed
No operation No operations -
User roles
interfaces available allowed
Newly create,
Login passwords of normal users MFP administrator
Operation Panel, modify
when Basic Authentication is
Web browser Modify Applicable normal
applied
user
Operation Panel, Modify Supervisor
Login password of supervisor
Web browser
Modify Supervisor
Login password of MFP Operation Panel, Newly create MFP administrator
administrator Web browser Modify Applicable MFP
administrator
Number of Attempts before
Operation Panel,
Lockout when Basic Authentication Query MFP administrator
Web browser
is applied
Settings for Lockout Release Timer
when Basic Authentication is Web browser Query MFP administrator
applied
Lockout time for Basic
Web browser Query MFP administrator
Authentication
Query,
MFP administrator
Operation Panel, modify
Date settings (year/month/day)
Web browser Query Supervisor,
normal user
Query,
MFP administrator
Operation Panel, modify
Time
Web browser Supervisor,
Query
normal user
Minimum character number of
Operation panel Query MFP administrator
password for Basic Authentication
Password complexity setting for
Operation panel Query MFP administrator
Basic Authentication
Query,
Audit log Web browser MFP administrator
delete
HDD cryptographic key Operation panel Newly create MFP administrator
Newly create,
Operation Panel, modify,
S/MIME user information MFP administrator
Web browser query,
delete
Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP
Each MFP application Function type The values specified for each function type is
(Copy Function, Printer as follows:
Function, Scanner For Copy Function, values to identify Copy
Function, Document Function.
Server Function and Fax For Document Server Function, values to
Function) identify Document Server Function.
For Printer Function, values to identify Printer
Function.
For Scanner Function, values to identify
Scanner Function.
For Fax Function, values to identify Fax
Function.
The Software Verification Function is to verify the integrity of the executable codes of the MFP Control
Software and FCU Control Software and confirm that these codes can be trusted.
FPT_TST.1
The TOE verifies software at the TOE start-up.
The TOE verifies the integrity of the MFP Control Software first by using the hash and then by checking the
certificate. If the hash does not match its original value or the certificate verification fails, the TOE displays
the error message and becomes unavailable. If the hash matches its original value and the certificate is
verified, the TOE becomes available. The TOE also verifies the integrity of the audit log data files.
The TOE outputs the information used for integrity verification so that the integrity of the FCU Control
Software can be verified. To check the integrity of the FCU Control Software, the information the TOE
outputs will be compared with the information described in the guidance documents, so that the integrity of
the FCU Control Software can be verified.
The Fax Line Separation Function is to receive only faxes as input information from telephone lines so that
unauthorised intrusion from telephone lines can be prevented. This function also can be used to prohibit
transmissions of received faxes so that unauthorised intrusion from telephone lines to the LAN can be
prevented.
FPT_FDI_EXP.1
The TOE receives fax data only as input information from telephone lines. If any communication that does
not comply with the fax protocol is performed, the line is disconnected. Since the TOE is set to prohibit
forwarding of received fax data during installation, received fax data will not be forwarded.