Table 27: Management of security attributes ...................................................... 75
Table 28: Access Control .................................................................................. 76
Table 29: Details of Security Audit Log Data ....................................................... 80
Dell C7765dn Security Target
1. ST INTRODUCTION
This chapter describes Security Target (ST) Reference, TOE Reference, TOE Overview, and TOE
Description.
1.1. ST Reference
This section provides information needed to identify this ST.
ST Title: Dell C7765dn Color Multifunction Printer Security Target
ST Version: V 1.1.3
Publication Date: September 8, 2014
Author: Fuji Xerox Co., Ltd.
1.2. TOE Reference
This section provides information needed to identify this TOE.
The TOE is C7765dn Color Multifunction Printer.
The TOE is identified by the following TOE name and ROM versions.
TOE Identification: Dell C7765dn Color Multifunction Printer
Version: Controller ROM Ver. 2.205.5, IOT ROM Ver. 41.1.0, ADF ROM Ver. 12.5.0
Manufacturer: Fuji Xerox Co., Ltd.
1.3.1. TOE Overview
1.3.1. TOE Type and Major Security Features
1.3.1.1. TOE Type
This TOE, categorized as an IT product, is the Dell C7765dn Color Multifunction Printer (hereinafter
referred to as “MFD”) which has the copy, print, scan, and fax functions.
The TOE is the product which controls the whole MFD and protects the following assets against threats:
the document data stored on the internal HDD, the used document data, the security audit log data,
the document data that exist on the internal network between the TOE and remote clients or servers, and the
TOE setting data.
1.3.1.2. Function Types
Table 1 shows the function types and functions provided by the TOE.
Table 1: Function Types and Functions Provided by the TOE
Function types / Functions provided by the TOE
Basic Function:
- Control Panel
- Copy
- Print
- Scan
- Network Scan
- Fax
- Direct Fax (with local authentication only)
- Internet Fax
- Remote Configuration
Security Function:
- Hard Disk Data Overwrite
- Hard Disk Data Encryption
- User Authentication
- Administrator’s Security Management
- Customer Engineer Operation Restriction
- Security Audit Log
- Internal Network Data Protection
- Fax Flow Security
- Self Test
・The optional Fax board (outside the TOE boundary) is required to use the Fax, Direct Fax, Internet Fax,
and Fax Flow Security functions.
・To use the print, scan, and Direct Fax functions, the printer driver, Network Scan Utility, and fax
driver must be installed on the external clients for the general user and for the system administrator.
・There are two types of user authentication, local authentication and remote authentication, and
the TOE operates with one of the two depending on its setting.
In this ST, the difference in TOE behavior is described wherever the TOE behaves differently
depending on the type of authentication in use. Unless specified otherwise, the behavior of the TOE
is the same for both authentication types.
There are two types of remote authentication: LDAP authentication and Kerberos
authentication. To assign the SA (system administrator privilege) user role under Kerberos
authentication, an LDAP server is also necessary.
・For Kerberos authentication, a Smart Card (CAC/PIV) can also be used instead of entering an ID
and password from the control panel. The user information and certificates on the Smart Card and
an OCSP server are used for authentication.
As with the other authentication types, an LDAP server is required for setting SA. For
Smart Card authentication, an optional card reader (not included in the TOE) needs to be
connected.
1.3.1.3. Usage and Major Security Features of TOE
The TOE is mainly used to perform the following functions:
・The Copy function together with the Control Panel function reads the original data from the IIT and prints
them out from the IOT according to the general user’s instruction from the control panel. When more
than one copy of an original is ordered, the data read from the IIT are first stored on the MFD
internal HDD. The stored data are then read out from the internal HDD the required number of
times so that the required number of copies can be made.
・The Print function decomposes and prints out the print data transmitted from a general user client.
・The Configuration Web Tool retrieves from Mailbox the document data scanned by the MFD.
It also enables a system administrator to refer to and rewrite TOE setting data via Web
browser.
・The Scan function together with the Control Panel function reads the original data from the IIT and stores
them into Mailbox on the MFD internal HDD according to the general user’s instruction from
the control panel.
The stored document data can be retrieved via a standard Web browser using the Configuration
Web Tool, or via the Network Scan Utility (with local authentication only).
・The Network Scan function together with the Control Panel function reads the original data from the IIT and
transmits the document data to an FTP server, SMB server, or Mail server according to the
information set in the MFD. This function is operated according to the general user’s
instruction from the control panel.
・The Fax function together with the Control Panel function sends and receives fax data. According to the
general user’s instruction from the control panel to send a fax, the original data are read from
the IIT and sent to the destination via the public telephone line. Received document data arrive
from the sender’s machine via the public telephone line and are printed out from the recipient’s
IOT or stored in Mailbox.
・The Internet Fax function together with the Control Panel function sends and receives fax data via the
Internet rather than the public telephone line.
・The Direct Fax function sends data from a user client to the destination via the public
telephone line (with local authentication only). The data are first sent to the MFD as a print job
and then to the destination without being printed out.
The TOE provides the following security features:
(1) Hard Disk Data Overwrite
To completely delete the used document data in the internal HDD, the data are overwritten with
new data after any job of copy, print, scan, etc. is completed.
(2) Hard Disk Data Encryption
The document data and the security audit log data are encrypted before being stored into the
internal HDD when using any function of copy, print, scan, etc. or configuring various security
function settings.
(3) User Authentication
Access to the TOE functions is restricted to authorized users; this function identifies and
authenticates users. A user needs to enter his/her ID and password from the fax driver, Network
Scan Utility, or Web browser of the general user client, or from the MFD control panel.
A user can also use Smart Card authentication (CAC/PIV) for identification and authentication.
(4) System Administrator’s Security Management
This function allows only the system administrator identified and authorized from the control
panel or system administrator client to refer to and change the TOE security function settings.
(5) Customer Engineer Operation Restriction
A system administrator can prohibit CE from referring to and changing the TOE security
function settings.
(6) Security Audit Log
The important events of TOE such as device failure, configuration change, and user operation
are traced and recorded based on when and who used what function.
(7) Internal Network Data Protection
This function protects the communication data on the internal network, such as document data,
security audit log data, and TOE setting data. (The following general encrypted communication
protocols are supported: SSL/TLS, IPSec, SNMP v3, and S/MIME.)
(8) Fax Flow Security
This function prevents unauthorized access to the TOE or the internal network via Fax board
from public telephone line.
(9) Self Test
This function verifies the integrity of TSF executable code and TSF data.
1.3.2. Environment Assumptions
This TOE is assumed to be used as an IT product at general office and to be connected to public
telephone line, user clients, and the internal network protected from threats on the external network by
firewall etc.
Figure 1 shows the general environment for TOE operation.
[Figure: the TOE (MFD) sits on the internal network, which a firewall separates from the external network. Network-attached elements: general user client (printer driver, fax driver, Network Scan Utility, Web browser), system administrator client (Web browser), Mail server, FTP server, SMB server, LDAP server, Kerberos server, OCSP server. Locally attached via USB: a general user client (printer driver, fax driver), USB media, card reader, and the Fax board, which connects to the public telephone line. Users shown: general user, system administrator, CE.]
Figure 1: General Operational Environment
1.3.3. Required Non-TOE Hardware and Software
In the operational environment shown in Figure 1, the TOE (MFD) and the following non-TOE
hardware/software exist.
(1) General user client:
The hardware is a general-purpose PC. When a client is connected to the MFD via the internal
network and when the printer driver, Network Scan Utility, and fax driver are installed to the
client, the general user can request the MFD to print, fax, and retrieve the document data.
The user can also request the MFD to retrieve the scanned document data via Web browser by
using scan function of the MFD. Additionally, the general user can change the settings which
he/she registered to the MFD: Mailbox name, password, access control, and automatic deletion of
document.
When the client is connected to the MFD directly via USB and printer/fax driver is installed to the
client, the user can request the MFD to print/fax the document data.
(2) System administrator client:
The hardware is a general-purpose PC. A system administrator can refer to and change TOE
setting data via Web browser.
(3) Mail server:
The hardware/OS is a general-purpose PC or server. The MFD sends/receives document data
to/from Mail server via mail protocol.
(4) FTP server:
The hardware/OS is a general-purpose PC or server. The MFD sends document data to FTP server
via FTP.
(5) SMB server:
The hardware/OS is a general-purpose PC or server. The MFD sends document data to SMB
server via SMB.
(6) LDAP server
The hardware/OS is a general-purpose PC or server. The MFD acquires identification and
authentication information from LDAP server via LDAP. In addition, it acquires SA information
of user role assumptions.
(7) Kerberos server
The hardware/OS is a general-purpose PC or server. The MFD acquires identification and
authentication information from Kerberos server via Kerberos.
(8) OCSP Server
The hardware/OS is a general-purpose PC or server.
The MFD retrieves information on revocation status of certificates other than self-signed
certificates from an OCSP server, if the certificate revocation retrieval setting is enabled.
(9) Fax board:
The Fax board is connected to external public telephone line and supports G3 protocols. The
Fax board is connected to the MFD via USB interface to enable sending and receiving of fax.
(10) Card Reader
A card reading device supporting PKI (certificate-based) authentication with a Smart Card (CAC/PIV).
(11) USB Media
The USB Media is used for printing data stored in the USB Media and for storing scanned data.
The OS of the (1) general user client and (2) system administrator client is assumed to be Windows XP,
Windows Vista, or Windows 7.
The (6) LDAP server, (7) Kerberos server, and (8) OCSP server are assumed to be provided by Windows Active
Directory.
The (10) Card Reader is assumed to be an SCR331 or SCR3310 v2.0.
1.4. TOE Description
This section describes user assumptions and logical/physical scope of this TOE.
1.4.1. User Assumptions
Table 2 specifies the roles of TOE users assumed in this ST.
Table 2: User Role Assumptions
User Role / Description
Administrator of the organization: An administrator or responsible official of the organization which
owns and uses the TOE.
General user: A user of TOE functions such as copy, print, and fax.
System administrator (Key operator + System Administrator Privilege [SA]): A user who is authorized
to manage the device using the system administrator mode. A system administrator can refer to and
rewrite the TOE settings for device operation and for security functions via the TOE control panel
and Web browser.
Customer engineer (CE): A user who can configure the TOE operational settings using the
interface for CE.
1.4.2. Logical Scope and Boundary
The logical scope of this TOE consists of each function of the programs.
Figure 2 shows the logical architecture of the MFD.
[Figure: logical architecture of the MFD. Inside the TOE logical scope (Controller ROM): the basic functions Control Panel, Copy, Print (Decompose), Scan / Network Scan, Fax / Direct Fax / Internet Fax, and Remote Configuration, and the security functions User Authentication, System Administrator’s Security Management, Security Audit Log, Fax Flow Security, Hard Disk Data Encryption, Hard Disk Data Overwrite, Self Test, Internal Network Data Protection, and Customer Engineer Operation Restriction. The internal HDD holds document data, used document data, and audit log data; NVRAM/SEEPROM holds TOE setting data and other setting data. Outside the TOE: general user, system administrator, customer engineer, card reader, LDAP server, Kerberos server, OCSP server, Fax board (public telephone line), system administrator client (Web browser), general user client (printer driver, fax driver, Network Scan Utility, Web browser), FTP server, SMB server, Mail server, and USB media.]
Figure 2: MFD Units and TOE Logical Scope
1.4.2.1. Basic Functions
As shown in Table 3, the TOE provides the functions of control panel, copy, print, scan, network scan,
fax, Internet Fax, Direct Fax (with local authentication only), and Remote Configuration to the general
user.
Table 3: TOE Basic Functions
Function / Description
Control Panel Function: Control panel function is a user interface function for the general user, CE, and
system administrator to operate MFD functions.
Copy Function: Copy function is to read the original data from IIT and print them out from IOT
according to the general user’s instruction from the control panel. When more than one copy of an
original is ordered, the data read from IIT are first stored into the MFD internal HDD. Then, the
stored data are read out from the internal HDD for the required number of times so that the required
number of copies can be made.
Print Function: Print function is to print out the data according to the instruction from a general
user client. The print data created via printer driver are sent to the MFD to be analyzed, decomposed,
and printed out from IOT. The print function is of two types: the normal print, in which the data are
printed out from IOT directly after being decomposed, and the Store Print, in which the bitmap data
are temporarily stored in the internal HDD and then printed out from IOT according to the general
user’s instruction from the control panel. There is also a function to print data stored in an external
USB Media by designating the data from the control panel.
Scan Function, Network Scan Function: Scan function is to read the original data from IIT and then
store them into the internal HDD or an external USB Media according to the general user’s instruction
from the control panel. A general user can retrieve the stored document data from a general user
client via Configuration Web Tool or Network Scan Utility (with local authentication only).
Network scan function is to read the original data from IIT and automatically transmit them to a
general user client, FTP server, Mail server, or SMB server according to the information set in the
MFD. A general user can request this function from the control panel.
Fax Function: Fax function is to send and receive fax data. According to the general user’s
instruction from the control panel to send a fax, the original data are read from IIT and sent to the
destination via public telephone line. The document data are received from the sender’s machine via
public telephone line.
Direct Fax (with local authentication only) Function, Internet Fax Function: Direct Fax function is to
directly fax document data to the destination. According to the instruction from a general user client
to send a fax, the print data created via fax driver are sent to the MFD, analyzed, and decomposed.
Then, the data are converted to the format for fax sending and sent to the destination via public
telephone line. Internet Fax function is to send and receive fax data as in the normal Fax function.
According to the general user’s instruction from the control panel to send a fax, the original data are
read from IIT and sent to the destination via the Internet. The document data are received from the
sender’s machine via the Internet and printed out from the recipient’s IOT.
Remote Configuration Function: Remote Configuration Function enables System Administrator’s
Security Management, by which a system administrator can access and rewrite TOE setting data. For
this, a system administrator must be authenticated by his/her ID and password entered from the Web
browser of a system administrator client. In addition, the Remote Configuration function is used to
retrieve the scanned document data and the received fax data stored in the internal HDD according
to the instruction from the Web browser of a general user client.
1.4.2.2. Security Functions
The security functions provided by the TOE are the following.
(1) Hard Disk Data Overwrite
To completely delete the used document data in the internal HDD, the data are overwritten with
new data after each job (copy, print, scan, Network Scan, Fax, Internet Fax, or Direct Fax) is
completed. Without this function, the used document data remain and only the management data
are deleted.
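The difference between deleting only the management data and overwriting the used document data, shown as an added illustration that is not part of the ST or of the product’s code. The spool model (fixed 512-byte sectors, a per-job allocation table standing in for the management data, and a single zero-fill pass) is an assumption made here; the ST does not describe the TOE’s actual HDD layout or overwrite pattern, and the sample document is constructed.

```python
"""Added illustration of why Hard Disk Data Overwrite matters (not product code).

A toy spool area models the internal HDD. The allocation table plays the role
of the 'management data' that the ST says is all that gets deleted when the
overwrite function is off; the document bytes themselves stay on the media.
"""

SECTOR = 512        # assumed sector size
DISK_SECTORS = 64   # assumed spool size (32 KiB)


class SpoolDisk:
    def __init__(self):
        self.media = bytearray(DISK_SECTORS * SECTOR)  # raw media contents
        self.alloc = {}                                # job_id -> sectors (management data)
        self.free = list(range(DISK_SECTORS))

    def store_job(self, job_id, document: bytes):
        """Spool a document for a copy/print/scan/fax job."""
        count = -(-len(document) // SECTOR)            # ceiling division
        if count > len(self.free):
            raise RuntimeError("spool full")
        sectors = [self.free.pop(0) for _ in range(count)]
        for i, s in enumerate(sectors):
            chunk = document[i * SECTOR:(i + 1) * SECTOR]
            self.media[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.alloc[job_id] = sectors

    def complete_job(self, job_id, overwrite: bool):
        """Job finished: release its sectors. Without overwrite only the
        allocation entry disappears and the content remains readable."""
        sectors = self.alloc.pop(job_id)
        if overwrite:
            for s in sectors:
                # one zero-fill pass (assumed pattern; the ST only says 'new data')
                self.media[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
        self.free.extend(sectors)

    def residue_contains(self, needle: bytes) -> bool:
        """Forensic read of the raw media that ignores the allocation table."""
        return needle in bytes(self.media)


def residual_after_job(document: bytes, overwrite: bool) -> bool:
    """True if the start of the document is still on the media after the job."""
    disk = SpoolDisk()
    disk.store_job("job-1", document)
    disk.complete_job("job-1", overwrite)
    return disk.residue_contains(document[:32])


# Constructed sample document (not real data): 1280 bytes, three sectors
SAMPLE = b"CONFIDENTIAL payroll summary Q3 " * 40

if __name__ == "__main__":
    print("residue without overwrite:", residual_after_job(SAMPLE, overwrite=False))
    print("residue with overwrite:   ", residual_after_job(SAMPLE, overwrite=True))
```

Overwriting logical sectors is only meaningful on media that rewrite in place; on flash or SSD storage with wear levelling the controller may remap the sector instead, which is one reason the ST pairs overwrite with Hard Disk Data Encryption rather than relying on either alone.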
(2) Hard Disk Data Encryption
Some data such as the security audit log data and the document data in Mailbox remain in the
internal HDD even if the machine is powered off. To solve this problem, the document data and
security audit log data are encrypted before being stored into the internal HDD when operating
any function of copy, print, scan, network scan, fax, Internet Fax, and Direct Fax (with local
authentication only), or configuring various security function settings.
(3) User Authentication
Access to the TOE functions is restricted to authorized users.
A user needs to enter his/her ID and password from the fax driver, Network Scan Utility, or Web
browser of the general user client, or from the MFD control panel.
A user can also use Smart Card authentication on the control panel.
Only the identified and authenticated user can use the following functions:
a) Functions controlled by the MFD control panel:
Copy, fax (send), Internet Fax (send), scan, network scan, Mailbox, and print (This print function
requires the Accounting System preset from printer driver. A user must be authenticated from the
control panel for print job.)
b) Functions controlled by Network Scan Utility of a user client (with local authentication only):
Function to retrieve document data from Mailbox
c) Functions controlled by Configuration Web Tool:
Display of device condition, display of job status and its log, function to retrieve document data
from Mailbox, and print function by file designation
Among the above functions which require user authentication, some particularly act as security
functions. The following are the security functions which prevent the unauthorized reading of
document data in the internal HDD by an attacker who is impersonating an authorized user:
・The Store Print function (Private Print function) and the Mailbox function, which require user
authentication from the control panel or Smart Card.
・The function to retrieve document data from Mailbox (Mailbox function) which requires user
authentication by using Configuration Web Tool or Network Scan Utility (with local
authentication only), and the Store Print function (Private Print function) by file designation
using Configuration Web Tool.
Figure 3 shows the authentication flow of the above functions.
[Figure: a user client (printer driver, Web browser, and Network Scan Utility (with local authentication only)) sends print jobs and retrieval requests to the TOE. The TOE classifies print jobs into the Private Print area and scanned data into Mailbox; printing the Private Print data and retrieving Mailbox data require authentication from the control panel or Smart Card, or authentication of the client request.]
Figure 3: Authentication Flow for Private Print and Mailbox
Store Print Function (Private Print Function)
When the MFD is set to “Save as Private Charge Print,” and a user sends a print request from the
printer driver in which the Accounting System is preset, the print data are decomposed into
bitmap data, classified according to the user ID, and temporarily stored in the corresponding
Private Print area within the internal HDD.
In the same way, when a user is authenticated by entering his/her ID and password from
Configuration Web Tool for authentication, and the user sends a print request by designating the
files within a user client, the print data are temporarily stored in Private Print area according to
the user ID.
To refer to the stored print data, a user needs to enter his/her ID and password from the control
panel or to use Smart Card (CAC/PIV). When the user is authenticated, the data on the waiting
list corresponding to the user ID are displayed. The user can request printing or deletion of the
data on the list.
Mailbox Function
The scanned data and received fax data can be stored into Mailbox from IIT and Fax board which
are not shown in Figure 3.
To store the scanned data into Mailbox, a user needs to enter his/her ID and password from the
control panel or to use Smart Card (CAC/PIV). When the user is authenticated, the document data
can be scanned from IIT and stored into the internal HDD according to the user’s instruction from
the control panel.
To store the received fax data into Mailbox, user authentication is not required. Among the
received fax data transmitted over public telephone line, the following data are automatically
classified and stored into each corresponding Mailbox: the received fax data whose corresponding
Mailbox is specified by the sender, the received fax data from a particular sender (the data are
classified according to the sender’s telephone number), and the received fax data from an
unknown sender.
To retrieve, print, or delete the stored data in the Personal Mailbox corresponding to each
registered user’s ID, user authentication is required; the MFD compares the user ID and password
preset in the device against those entered by a user from the control panel, Configuration Web
Tool, or Network Scan Utility (with local authentication only). For user authentication, Smart
Card authentication is also available on the control panel.
(4) System Administrator’s Security Management
To grant a privilege to a specific user, this TOE allows only the authenticated system
administrator to access the System Administrator mode which enables him/her to refer to and set
the following security functions from the control panel:
・ Refer to and set Hard Disk Data Overwrite;
・ Refer to and set Hard Disk Data Encryption;
・ Set the cryptographic seed key for Hard Disk Data Encryption;
・ Refer to and set the functions that use password entered from MFD control panel in user
authentication;
・ Set the ID and password of key operator (only a key operator is privileged);
・ Refer to and set the ID of SA / general user, and set the password (with local authentication
only);
・ Refer to and set the access denial when system administrator’s authentication fails;
・ Refer to and set the limit of user password length (for general user and SA) (with local
authentication only);
・ Refer to and set the SSL/TLS communication;
・ Refer to and set the IPSec communication;
・ Refer to and set the S/MIME communication;
・ Refer to and set the User Authentication;
・ Refer to and set the Store Print;
・ Refer to and set the date and time;
・ Refer to and set the Self Test;
Additionally, this TOE allows only the system administrator, who is authenticated from the
system administrator client via Web browser using Configuration Web Tool, to refer to and set the
following security functions via Configuration Web Tool:
・ Set the ID and the password of key operator (only a key operator is privileged);
・ Refer to and set the ID of SA / general user, and set the password (with local authentication
only);
・ Refer to and set the access denial when system administrator’s authentication fails;
・ Refer to and set the limit of user password length (for general user and SA, with local
authentication only);
・ Refer to and set Audit Log;
・ Refer to and set the SSL/TLS communication;
・ Refer to and set the IPSec communication;
・ Refer to and set the SNMPv3 communication;
・ Refer to and set the SNMPv3 authentication password.
・ Refer to and set the S/MIME communication;
・ Create/upload/download an X.509 certificate;
・ Refer to and set the User Authentication;
(5) Customer Engineer Operation Restriction
This TOE allows only the authenticated system administrator to refer to or enable/disable the
Customer Engineer Operation Restriction setting from the control panel and Configuration Web
Tool. When it is enabled, the CE cannot refer to or change the setting of any function described in (4) System
Administrator’s Security Management.
(6) Security Audit Log
The important events of TOE such as device failure, configuration change, and user operation are
traced and recorded based on when and who operated what function. Only a system administrator
can supervise or analyze the log data by downloading them in the form of tab-delimited text file
via Web browser using Configuration Web Tool. To download the log data, SSL/TLS
communication needs to be enabled.
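The log is only reviewable once it has been downloaded, so the review has to happen off the device. As an added example (not the ST’s or the product’s own code), the following triage reads a tab-delimited export and flags two things this section makes reviewable: bursts of failed logins reaching the administrator lockout threshold of five, and changes that move a security setting away from its evaluated value. The column names and the log lines are constructed for the illustration; the TOE’s real fields are those in Table 29 of the ST, not these.

```python
import csv
import io
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in tab-delimited form. Column layout is an assumption of
# this example, not the TOE's format.
SAMPLE_LOG = """\
Date\tTime\tUser\tInterface\tEvent\tResult
2014-09-08\t08:55:02\tkeyop\tPanel\tLogin\tSuccess
2014-09-08\t08:57:40\tkeyop\tPanel\tSetting changed: Hard Disk Data Overwrite=Enabled\tSuccess
2014-09-08\t09:01:10\tkeyop\tWeb\tLogin\tFailed
2014-09-08\t09:01:31\tkeyop\tWeb\tLogin\tFailed
2014-09-08\t09:01:55\tkeyop\tWeb\tLogin\tFailed
2014-09-08\t09:02:20\tkeyop\tWeb\tLogin\tFailed
2014-09-08\t09:02:44\tkeyop\tWeb\tLogin\tFailed
2014-09-08\t09:03:05\tkeyop\tWeb\tLogin\tDenied
2014-09-08\t09:30:00\talice\tPanel\tLogin\tFailed
2014-09-08\t09:31:12\talice\tPanel\tLogin\tSuccess
2014-09-08\t11:45:09\tkeyop\tWeb\tSetting changed: Audit Log=Disabled\tSuccess
"""

# Settings from 1.4.2.3 whose value the triage watches
WATCHED = ("Hard Disk Data Overwrite", "Hard Disk Data Encryption", "Audit Log",
           "User Authentication", "SSL/TLS", "IPSec", "S/MIME", "Self Test")


def parse_audit_log(text):
    """Parse the tab-delimited export into dicts with a combined timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rec["ts"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def login_failure_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold failed logins inside a sliding window.
    threshold=5 mirrors the administrator access-denial setting."""
    recent, flagged = {}, set()
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["Event"] != "Login" or r["Result"] != "Failed":
            continue
        q = recent.setdefault(r["User"], deque())
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(r["User"])
    return flagged


def security_setting_changes(rows):
    """(timestamp, user, setting, new value) for every change to a watched setting."""
    out = []
    prefix = "Setting changed: "
    for r in rows:
        if r["Event"].startswith(prefix):
            name, _, value = r["Event"][len(prefix):].partition("=")
            if name in WATCHED:
                out.append((r["ts"].isoformat(), r["User"], name, value))
    return out


def downgrades(rows):
    """Changes that switch a watched setting off; each one leaves the evaluated configuration."""
    return [c for c in security_setting_changes(rows) if c[3] == "Disabled"]


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_LOG)
    print("failure bursts:", login_failure_bursts(rows))
    print("downgrades:", downgrades(rows))
```

A change of Audit Log to Disabled is the last event such a log will ever show, so the triage treats it as a finding in its own right rather than waiting for something to follow it.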
(7) Internal Network Data Protection
The communication data on the internal network such as document data, security audit log data,
and TOE setting data are protected by the following general encryption communication-protocols:
・ SSL/TLS
・ IPSec
・ SNMP v3
・ S/MIME
(8) Fax Flow Security
A Fax board is an option and is connected to TOE controller board via USB interface. An attacker
cannot access the TOE or the internal network from public telephone line via the Fax board.
(9) Self Test
The TOE can execute the self test function to verify the integrity of TSF executable code and TSF
data.
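One way a self test of this kind can be built, covering both the overview in 1.3.1.3 (9) and the description above. This is an added example, not the TOE’s implementation: the ST says only that the self test verifies the integrity of TSF executable code and TSF data, so the hash-manifest design, the item names, and the stand-in ROM and setting contents are all assumptions made here.

```python
import hashlib
import hmac

# Constructed stand-ins for TSF executable code and TSF data (not product images).
TSF_ITEMS = {
    "controller_rom": bytes(range(256)) * 16,                    # pretend firmware image
    "iot_rom": b"IOT-ROM-image" * 100,
    "tsf_settings": b"hdd_overwrite=1;hdd_encrypt=1;min_pw_len=9;",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict) -> dict:
    """Reference values, computed when the trusted image is installed."""
    return {name: digest(blob) for name, blob in items.items()}


def self_test(items: dict, manifest: dict):
    """Return (passed, failed_names).

    Every manifest entry must be present and match, and every item present
    must be covered by the manifest, so neither a modified image nor an
    added one passes. compare_digest keeps the comparison constant-time."""
    failed = []
    for name in sorted(set(items) | set(manifest)):
        if name not in items or name not in manifest:
            failed.append(name)
            continue
        if not hmac.compare_digest(digest(items[name]), manifest[name]):
            failed.append(name)
    return (not failed, failed)


def tampered(items: dict, name: str, offset: int) -> dict:
    """Copy of items with one bit flipped in one item (simulated modification)."""
    copy = dict(items)
    blob = bytearray(copy[name])
    blob[offset] ^= 0x01
    copy[name] = bytes(blob)
    return copy


MANIFEST = build_manifest(TSF_ITEMS)

if __name__ == "__main__":
    print("clean:   ", self_test(TSF_ITEMS, MANIFEST))
    print("tampered:", self_test(tampered(TSF_ITEMS, "tsf_settings", 10), MANIFEST))
```

A hash manifest only helps if the manifest itself cannot be rewritten by whoever rewrites the code; in practice the reference values are signed or kept in write-protected storage, and a failed check has to stop the device from entering its operational state rather than just log the failure. The ST does not say how this TOE protects its reference values, so that part is not shown here.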
1.4.2.3. Settings for the Secure Operation
The system administrator shall set the following to enable the security functions described in 1.4.2.2.
・Hard Disk Data Overwrite
Set to [Enabled].
・Hard Disk Data Encryption
Set to [Enabled].
・Passcode Entry for Control Panel
Set to [Enabled].
・Access denial when system administrator’s authentication fails
Default [5] Times.
・User Passcode Minimum Length (for general user and SA)
Set to [9] characters
・SSL/TLS
Set to [Enabled]
・IPSec
Set to [Enabled]
・S/MIME
Set to [Enabled]
・User Authentication
Set to [Local Authentication] or [Remote Authentication]
・Store Print
Set to [Save As Private Charge Print]
・Audit Log
Set to [Enabled]
・SNMPv3
Set to [Enabled]
・Customer Engineer Operation Restriction
Set to [Enabled]
・Self Test
Set to [Enabled]
1.4.3. Physical Scope and Boundary
The physical scope of this TOE is the MFD. Figure 4 shows configuration of each unit and TOE
physical scope.
[Figure: MFD units. The controller board (Controller ROM, CPU, DRAM, NVRAM, SEEPROM, internal HDD, with Ethernet, USB device, and USB host interfaces) runs Copy, Scan / Network Scan, Print (decompose), Fax / Direct Fax / Internet Fax, Remote Configuration, Hard Disk Data Overwrite, Hard Disk Data Encryption, Fax Flow Security, System Administrator’s Security Management, Self Test, Customer Engineer Operation Restriction, Security Audit Log, User Authentication, and Internal Network Data Protection. Also shown: the control panel (buttons, lamps, touch screen panel), the IIT (IIT board), the IOT (IOT board, IOT ROM), and the ADF (ADF board, ADF ROM). Outside the TOE: system administrator, general user, CE, system administrator client, general user clients (network-attached and USB-attached), Mail, FTP, SMB, LDAP, Kerberos, and OCSP servers, card reader, USB media, and the Fax board (public telephone line). The TOE boundary encloses the whole MFD.]
Figure 4: MFD Units and TOE Physical Scope
The MFD consists of the PWB units of the controller board and control panel, the IIT, the IOT, and the ADF.
The controller board is connected to the control panel via the internal interfaces which transmit
control data, and the controller board is connected to the Fax board, the IIT board, and IOT board via
the internal interfaces which transmit document data and control data.
The controller board is a PWB which controls MFD functions of copy, print, scan, and fax. The board
has a network interface (Ethernet) and local interfaces (USB) and is connected to the IIT board and
IOT board.
The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to use and
configure MFD functions of copy, print, scan, and fax.
The IIT (Image Input Terminal) is a device to scan an original and send its data to the controller board
for copy, scan, and fax functions.
The IOT (Image Output Terminal) is a device to output image data which was sent from the controller
board.
The ADF (Auto Document Feeder) is a device to automatically transfer original documents to IIT.
1.4.4. Guidance
The following are the guidance documents for this TOE.
・Dell C7765dn Color Multifunction Printer User’s Guide; KB3206EN0-5
This ST and TOE conform to the following evaluation standards for information security (CC):
Common Criteria for Information Technology Security Evaluation
Part 1: Introduction and general model, Version 3.1 Revision 4 Japanese Version 1.0
Part 2: Security functional components, Version 3.1 Revision 4 Japanese Version 1.0
Part 3: Security assurance components, Version 3.1 Revision 4 Japanese Version 1.0
The security functional requirements of this ST conform to CC Part 2.
The security assurance requirements of this ST conform to CC Part 3.
2.2. PP Claims, Package Claims
2.2.1. PP Claims
There is no applicable Protection Profile.
2.2.2. Package Claims
This ST conforms to EAL3.
2.2.3. Conformance Rationale
There is no applicable PP rationale since this ST does not conform to PP.
3. SECURITY PROBLEM DEFINITION
This chapter describes the threats, organizational security policies, and the assumptions for the use of
this TOE.
3.1. Threats
3.1.1. Assets Protected by TOE
This TOE protects the following assets (Figure 5):
(1) Right to use MFD functions
The general user’s right to use each function of the TOE is assumed as an asset to be protected.
(2) Document data stored for job processing
When a general user uses MFD functions of copy, print, fax, and scan, the document data are
temporarily stored in the internal HDD for image processing, transmission, and Store Print. The
user can retrieve the stored document data in the MFD from a general user client by
Configuration Web Tool and Network Scan Utility (with local authentication only). The stored
data include general user’s confidential information and are assumed as assets to be protected.
(3) Used document data
When a general user uses MFD functions of copy, print, fax, and scan, the document data are
temporarily stored in the internal HDD for image processing, transmission, and Store Print. When
the jobs are completed or canceled, only the management information is deleted but the data itself
remains. The residual data include general user’s confidential information and are assumed as
assets to be protected.
(4) Security audit log data
In the function of Security Audit Log, the important events such as device failure, configuration
change and user operation are recorded based on when and who operated what function. For
preventive maintenance and response to the events and detection of unauthorized access, only a
system administrator can retrieve the log data stored in MFD by Configuration Web Tool.
The log data are assumed as assets to be protected.
(5) TOE setting data
A system administrator can set TOE security functions from the MFD control panel or system
administrator client by the function of System Administrator’s Security Management. The setting
data stored in the TOE (see Table 4) can be a threat to other assets if used without authorization
and are assumed as assets to be protected.
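Assets (2) and (3) above share one mechanism: a completed or canceled job removes only the management information, so the document data stay on the HDD until overwritten, which is what T.RECOVER, P.OVERWRITE, O.CIPHER and O.RESIDUAL later in this chapter address. The following Python model is an added illustration and is not Fuji Xerox or Dell code; the block layout, the management index, the sample document, the toy keystream (a SHA-256 counter stream that is not a real disk-encryption scheme) and the "commercial tool" raw scan are all constructed for this example and do not describe the real C7765dn controller.

```python
"""Toy model of an MFD HDD: a flat byte array plus a management index.
Illustrates why "used document data" survive job completion, how a raw
read of the removed HDD recovers them (T.RECOVER), and what HDD overwrite
(P.OVERWRITE / O.RESIDUAL) and HDD encryption (O.CIPHER) change.
Everything here is constructed for illustration; it is not the product's code."""
from hashlib import sha256

BLOCK_SIZE = 64  # constructed toy geometry, not the MFD's real HDD layout


class ToyHdd:
    def __init__(self, blocks, key=None):
        self.disk = bytearray(blocks * BLOCK_SIZE)
        self.index = {}          # job_id -> (offset, length): the "management information"
        self.next_block = 0
        self.key = key           # None models "Hard Disk Data Encryption" switched off

    def _keystream(self, offset, length):
        # Toy stream cipher: SHA-256(key || block number). Deterministic per
        # block so reads decrypt, but NOT a real disk-encryption scheme
        # (no per-write tweak or IV, no integrity protection).
        out = bytearray()
        block = offset // BLOCK_SIZE
        while len(out) < length:
            out += sha256(self.key + block.to_bytes(8, "big")).digest()
            block += 1
        return bytes(out[:length])

    def _xor(self, data, offset):
        return bytes(a ^ b for a, b in zip(data, self._keystream(offset, len(data))))

    def store_job(self, job_id, document):
        """Temporarily store document data for image processing (asset (2))."""
        offset = self.next_block * BLOCK_SIZE
        if self.key is not None:
            document = self._xor(document, offset)
        self.disk[offset:offset + len(document)] = document
        self.index[job_id] = (offset, len(document))
        self.next_block += -(-len(document) // BLOCK_SIZE)   # ceiling division

    def retrieve_job(self, job_id):
        offset, length = self.index[job_id]
        data = bytes(self.disk[offset:offset + length])
        return self._xor(data, offset) if self.key is not None else data

    def complete_job(self, job_id):
        """Job completed or canceled: only the management information is deleted."""
        del self.index[job_id]

    def overwrite_job(self, job_id, passes=(b"\x00", b"\xff", b"\x00")):
        """HDD overwrite: scrub the data area with fixed patterns before dropping the index."""
        offset, length = self.index[job_id]
        for pattern in passes:
            self.disk[offset:offset + length] = pattern * length
        del self.index[job_id]

    def raw_scan(self, marker):
        """T.RECOVER: the removed HDD read by a commercial tool, ignoring the index."""
        return marker in self.disk


def residual_after(method, encrypted):
    """True if the constructed confidential marker is still readable by a raw scan
    after a job is ended with `method` ("delete-index" or "overwrite")."""
    key = sha256(b"constructed-demo-key").digest() if encrypted else None
    hdd = ToyHdd(blocks=16, key=key)
    secret = b"CONFIDENTIAL salary table Q3"     # constructed sample document
    hdd.store_job("job-1", secret)
    assert hdd.retrieve_job("job-1") == secret   # normal retrieval still works
    if method == "delete-index":
        hdd.complete_job("job-1")
    elif method == "overwrite":
        hdd.overwrite_job("job-1")
    else:
        raise ValueError(method)
    return hdd.raw_scan(b"CONFIDENTIAL")


if __name__ == "__main__":
    for method in ("delete-index", "overwrite"):
        for encrypted in (False, True):
            print(f"{method:12s} encrypted={encrypted!s:5s} recoverable={residual_after(method, encrypted)}")
```

Deleting only the index leaves the plaintext recoverable by a raw scan; either overwriting the data area or storing it encrypted removes the plaintext from the scan, which is why the ST pairs an overwrite objective with an encryption objective rather than relying on one of them.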
Figure 5: Assets under and not under Protection
(The figure shows the TOE on the internal network, separated from the external network by a firewall and connected to the public telephone line, with the general user client (Printer Driver, Fax Driver, Web Browser, Network Scan Utility), the system administrator client, and the LDAP, Kerberos and OCSP servers on the internal network. Assets under protection: the document data, used document data, security audit log data and TOE setting data stored in the TOE; the document data, security audit log data and TOE setting data transmitted between the TOE and the general user client; and the TOE setting data transmitted between the TOE and the system administrator client. Assets not under protection: other setting data stored in the TOE, the data stored in general clients and servers, and general data on the internal network. The path from the public telephone line to the internal network is marked inaccessible.)
Note) The data stored in general clients and servers within the internal network and the general data on
the internal network are not assumed as assets to be protected, because TOE functions prevent access to
the internal network from the public telephone line, so that path cannot be a threat.
Table 4 categorizes the TOE setting data recorded on the NVRAM and SEEPROM of the controller
board.
Table 4: Categories of TOE Setting Data (Note)
- Data on Hard Disk Data Overwrite
- Data on Hard Disk Data Encryption
- Data on use of password entered from MFD control panel in user authentication
- Data on minimum password length of user password
- Data on ID and password of key operator
- Data on ID and password of SA/General user
- Data on access denial due to authentication failures of system administrator
- Data on Customer Engineer Operation Restriction
- Data on Internal Network Data Protection
- Data on Security Audit Log
- Data on Mailbox
- Data on User Authentication
- Data on Store Print
- Data on date and time *
- Data on Self Test
Note: Setting data other than the TOE setting data are also stored on the NVRAM and SEEPROM. Those
setting data, however, are not assumed as assets to be protected because they do not engage in TOE
security functions.
* Only the time zone / summer time information is saved in NVRAM as the data on date and time.
3.1.2. Threats
Table 5 identifies the threats addressed by the TOE. An attacker is assumed to possess publicly
disclosed information on TOE operations and to have a low-level attack capability.
Table 5: Threats Addressed by the TOE
T.RECOVER: An attacker may remove the internal HDD and connect it to commercial tools so that he/she can read out and leak the document data, used document data, and security audit log data from the HDD without authorization.
T.CONFDATA: An attacker may access, read, or alter, from the control panel or a system administrator client, the TOE setting data which only a system administrator is allowed to access.
T.DATA_SEC: An attacker may read document data and security audit log data from the control panel or a Web browser without authorization.
T.COMM_TAP: An attacker may intercept or alter document data, security audit log data, and TOE setting data on the internal network.
T.CONSUME: An attacker may access the TOE and use TOE functions without authorization.
3.2. Organizational Security Policies
Table 6 below describes the organizational security policies the TOE must comply with.
Table 6: Organizational Security Policies
P.FAX_OPT: The TOE shall ensure that the internal network cannot be accessed via the public telephone line.
P.VERIFY: The TOE shall execute a self-test to verify the integrity of TSF executable code and TSF data.
P.OVERWRITE: The TOE shall execute HDD overwrite to delete the used document data in the internal HDD.
3.3. Assumptions
Table 7 shows the assumptions for the operation and use of this TOE.
Table 7: Assumptions
Personnel Confidence
A.ADMIN: A system administrator shall have the necessary knowledge of TOE security functions to perform the given role of managing the TOE and shall not operate the TOE with malicious intent.
A.USER: TOE users shall be trained and have competence about the TOE operation and precautions according to the policies of their organization and the product guidance.
Protection Mode
A.SECMODE: A system administrator shall configure and set the TOE properly according to the security policy of the organization and the product guidance document to manage the TOE and its external environment.
A.ACCESS: The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
4. SECURITY OBJECTIVES
This chapter describes the security objectives for the TOE and for the environment and the rationale.
4.1. Security Objectives for the TOE
Table 8 defines the security objectives to be accomplished by the TOE.
Table 8: Security Objectives for the TOE
O.AUDITS: The TOE must provide the Security Audit Log function and its log data, which are necessary to monitor unauthorized access.
O.CIPHER: The TOE must encrypt the document data, used document data, and security audit log data to be stored on the HDD so that they cannot be analyzed even if retrieved.
O.COMM_SEC: The TOE must provide an encrypted communication function to protect the document data, security audit log data, and TOE setting data on the internal network between the TOE and the remote from interception and alteration.
O.FAX_SEC: The TOE must prevent unauthorized access to the internal network via the Fax modem from the public telephone line.
O.MANAGE: The TOE must inhibit a general user from accessing the TOE setting data. The TOE allows only the authenticated system administrator to access the system administrator mode, which enables him/her to configure the security functions.
O.RESIDUAL: The TOE must provide an overwrite function to delete the used document data in the internal HDD.
O.USER: The TOE must provide the function to identify TOE users and allow only the authorized user to retrieve and delete the document data and to change the password.
O.RESTRICT: The TOE must inhibit an unauthorized user from using the TOE functions.
O.VERIFY: The TOE must provide a self-test function to verify the integrity of TSF executable code and TSF data.
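O.VERIFY (and P.VERIFY in Table 6) require a self-test over TSF executable code and TSF data, which in practice means comparing what is present at start-up against reference values that the attacker cannot rewrite along with the data. The following Python program is an added illustration of such a check and is not the C7765dn's actual self-test: the in-memory "firmware image", the file names, the manifest format, and the assumption that the HMAC key lives in storage the attacker cannot modify (for this TOE that would be controller-board storage; the example does not know where) are all constructed for the example.

```python
"""Added illustration of an integrity self-test (O.VERIFY / P.VERIFY).
Not the product's mechanism: the image, names and key are constructed."""
import hashlib
import hmac

# Constructed stand-in for TSF executable code and TSF data. A real device
# would read these from ROM / NVRAM; here they are bytes in memory.
TSF_IMAGE = {
    "controller.bin": b"\x7fELF controller firmware (constructed)",
    "iot.bin": b"IOT firmware (constructed)",
    "tsf_settings.dat": b"overwrite=on;encryption=on;minpwlen=9",
}

# Assumed to be held in storage the attacker cannot alter (constructed value).
MAC_KEY = b"constructed-demo-key-in-protected-storage"


def _canonical(digests):
    # Fixed ordering so the MAC does not depend on dict insertion order.
    return "\n".join(f"{n} {d}" for n, d in sorted(digests.items())).encode()


def build_manifest(image, mac_key):
    """Reference digests computed at release time, sealed with an HMAC so an
    attacker who can alter code or data cannot also rewrite the expected hashes."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in image.items()}
    mac = hmac.new(mac_key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def self_test(image, manifest, mac_key):
    """Return (passed, failures). Any failure means the TSF must refuse to start."""
    digests = manifest["digests"]
    expected_mac = hmac.new(mac_key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, ["manifest"]          # reference values themselves are untrusted
    failures = []
    for name, expected in digests.items():
        actual = hashlib.sha256(image.get(name, b"")).hexdigest()
        if name not in image or not hmac.compare_digest(actual, expected):
            failures.append(name)           # missing or modified code/data
    failures += sorted(set(image) - set(digests))   # unlisted extra files also fail
    return not failures, failures


MANIFEST = build_manifest(TSF_IMAGE, MAC_KEY)


def demo():
    """Clean image passes; a flipped TSF setting is caught by name."""
    ok_clean, _ = self_test(TSF_IMAGE, MANIFEST, MAC_KEY)
    tampered = dict(TSF_IMAGE, **{"tsf_settings.dat": b"overwrite=off;encryption=on;minpwlen=9"})
    ok_tampered, failed = self_test(tampered, MANIFEST, MAC_KEY)
    return ok_clean, ok_tampered, failed


if __name__ == "__main__":
    print(demo())
```

The check covers both halves of the objective: executable code and setting data are hashed alike, and the manifest is bound to a key so that altering a setting and recomputing its digest is not enough to pass.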
4.2. Security Objectives for the Environment
Table 9 defines the security objectives for the TOE environment.
Table 9: Security Objectives for the Environment
OE.ADMIN: A system administrator shall be assigned by the organization's administrator as an appropriate and reliable person to manage this TOE, and shall receive the training necessary to manage the TOE.
OE.USER: The system administrator shall ensure that users have competence by training them in the TOE operation and precautions according to the policies of their organization and the product guidance.
OE.SEC: A system administrator shall configure and set the TOE properly according to the security policy of the organization and the product guidance document to manage the TOE. In addition, a system administrator shall manage the external IT environment according to the security policy of the organization and the product guidance document.
OE.PHYSICAL: The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
4.3. Security Objectives Rationale
The security objectives are established to correspond to the assumptions specified in Security Problem
Definition, to counter the threats, or to realize the organizational security policies. Table 10 shows
assumptions / threats / organizational security policies and the corresponding security objectives.
Moreover, Table 11 shows that each defined security problem is covered by the security objectives.
Table 10: Assumptions / Threats / Organizational Security Policies and the Corresponding Security Objectives
Security Problems: A.ADMIN, A.USER, A.SECMODE, A.ACCESS, T.RECOVER, T.CONFDATA, T.COMM_TAP, T.DATA_SEC, T.CONSUME, P.FAX_OPT, P.VERIFY, P.OVERWRITE
Security Objectives: O.AUDITS, O.CIPHER, O.COMM_SEC, ...