Fuji Xerox C2265, C2263 User Manual

March 2016
Fuji Xerox
DocuCentre-V C2265/C2263models
with Hard Disk, Data Security, Scan,
and Fax
Version 1.1.7
This document is a translation of the evaluated
and certified security target written in Japanese.
- Table of Contents -
1. ST INTRODUCTION ................................................................................................................ 1
1.1. ST Reference .................................................................................................................................................. 1
1.2. TOE Reference ............................................................................................................................................... 1
1.3. TOE Overview ................................................................................................................................................ 2
1.3.1. TOE Type and Major Security Features ...................................................................................................... 2
1.3.2. Environment Assumptions ............................................................................................................................... 5
1.3.3. Required Non-TOE Hardware and Software ............................................................................................ 6
1.4. TOE Description ............................................................................................................................................ 8
1.4.1. User Assumptions ................................................................................................................................................ 8
1.4.2. Logical Scope and Boundary .......................................................................................................................... 8
1.4.3. Physical Scope and Boundary ..................................................................................................................... 17
1.4.4. Guidance .............................................................................................................................................................. 18
2. CONFORMANCE CLAIM ..................................................................................................... 20
2.1. CC Conformance Claim .......................................................................................................................... 20
2.2. PP claim, Package Claim ........................................................................................................................ 20
2.2.1. PP Claim ............................................................................................................................................................... 20
2.2.2. Package Claim ................................................................................................................................................... 20
2.2.3. Conformance Rationale ................................................................................................................................. 21
3. SECURITY PROBLEM DEFINITION ................................................................................ 23
3.1. Threats .......................................................................................................................................................... 23
3.1.1. Assets Protected by TOE ................................................................................................................................ 23
3.1.2. Threats agents ................................................................................................................................................... 26
3.1.3. Threats .................................................................................................................................................................. 26
3.2. Organizational Security Policies .......................................................................................................... 27
3.3. Assumptions ............................................................................................................................................... 27
4. Security Objectives ................................................................................................................ 28
4.1. Security Objectives for the TOE ........................................................................................................... 28
4.2. Security Objectives for the Environment ......................................................................................... 29
4.3. Security Objectives Rationale .............................................................................................................. 29
5. EXTENDED COMPONENTS DEFINITION .................................................................... 34
5.1. FPT_FDI_EXP Restricted forwarding of data to external interfaces .................................... 34
6. SECURITY REQUIREMENTS .............................................................................................. 36
6.1. Security Functional Requirements ..................................................................................................... 40
6.1.1. Class FAU: Security Audit .............................................................................................................................. 43
6.1.2. Class FCS: Cryptographic Support ............................................................................................................. 50
6.1.3. Class FDP: User Data Protection ................................................................................................................ 51
6.1.4. Class FIA: Identification and Authentication ....................................................................................... 67
6.1.5. Class FMT: Security Management ............................................................................................................ 70
6.1.6. Class FPT: Protection of the TSF ................................................................................................................ 90
6.1.7. Class FTA: TOE Access ..................................................................................................................................... 92
6.1.8. Class FTP: Trusted Path/Channels ............................................................................................................. 92
6.2. Security Assurance Requirements ...................................................................................................... 93
6.3. Security Requirement Rationale ......................................................................................................... 94
6.3.1. Security Functional Requirements Rationale ........................................................................................ 94
6.3.2. Dependencies of Security Functional Requirements ....................................................................... 102
6.3.3. Security Assurance Requirements Rationale ...................................................................................... 107
7. TOE SUMMARY SPECIFICATION ................................................................................. 108
7.1. Security Functions ................................................................................................................................. 108
7.1.1. Hard Disk Data Overwrite (TSF_IOW) ................................................................................................... 110
7.1.2. Hard Disk Data Encryption (TSF_CIPHER) .......................................................................................... 111
7.1.3. User Authentication (TSF_USER_AUTH) ............................................................................................. 111
7.1.4. System Administrator’s Security Management (TSF_FMT) ........................................................ 117
7.1.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT) ........................................................ 119
7.1.6. Security Audit Log (TSF_FAU) ................................................................................................................... 120
7.1.7. Internal Network Data Protection (TSF_NET_PROT) ..................................................................... 122
7.1.8. Information Flow Security (TSF_INF_FLOW) ..................................................................................... 124
7.1.9. Self Test (TSF_S_TEST) ................................................................................................................................ 125
8. ACRONYMS AND TERMINOLOGY ............................................................................... 126
8.1. Acronyms .................................................................................................................................................. 126
8.2. Terminology ............................................................................................................................................. 127
9. REFERENCES ........................................................................................................................ 131
- List of Figures and Tables -
Figure 1 General Operational Environment ........................................................................................................... 6
Figure 2 MFD Units and TOE Logical Scope .......................................................................................................... 9
Figure 3 Authentication Flow for Private Print and Mailbox ........................................................................ 12
Figure 4 MFD Units and TOE Physical Scope ..................................................................................................... 17
Figure 5 Assets under and not under Protection .............................................................................................. 25
Table 1 Function Types and Functions provided by the TOE .......................................................................... 2
Table 2 User Role Assumptions .................................................................................................................................. 8
Table 3 TOE Basic Functions ..................................................................................................................................... 10
Table 4 Assets for User Data .................................................................................................................................... 23
Table 5 Assets for TSF Data ...................................................................................................................................... 24
Table 6 Other Assets .................................................................................................................................................... 24
Table 7 Threats to User Data and TSF Data ...................................................................................................... 26
Table 8 Organizational Security Policies .............................................................................................................. 27
Table 9 Assumptions .................................................................................................................................................... 27
Table 10 Security Objectives for the TOE ............................................................................................................ 28
Table 11 Security objectives for the environment ........................................................................................... 29
Table 12 Assumptions / Threats / Organizational Security policies and the Corresponding Security Objectives ............ 30
Table 13 Security Objectives Rationale for Security Problem ...................................................................... 30
Table 14 Security functional Requirements ........................................................................................................ 40
Table 15 Auditable Events of TOE and Individually Defined Auditable Events ................................... 43
Table 16 Common Access Control SFP ................................................................................................................. 51
Table 17 SFR Package attributes ............................................................................................................................ 52
Table 18 Function Access Control SFP .................................................................................................................. 53
Table 19 PRT Access Control SFP ............................................................................................................................ 54
Table 20 SCN Access Control SFP ........................................................................................................................... 55
Table 21 CPY Access Control SFP ............................................................................................................................ 55
Table 22 FAX Access Control SFP ............................................................................................................................ 56
Table 23 DSR Access Control SFP ........................................................................................................................... 56
Table 24 D.FUNC Operation List ............................................................................................................................. 57
Table 25 List of Security Functions ........................................................................................................................ 71
Table 26 Security Attributes and Authorized Roles ......................................................................................... 72
Table 27 Security Attributes and Authorized Roles (Function Access) ..................................................... 73
Table 28 Security Attributes and Authorized Roles(PRT) .............................................................................. 74
Table 29 Security Attributes and Authorized Roles (SCN) ............................................................................ 75
Table 30 Security Attributes and Authorized Roles (FAX) ............................................................................. 77
Table 31 Security Attributes and Authorized Roles (DSR) ............................................................................ 78
Table 32 Security Attributes and Authorized Roles (D.FUNC) .................................................................... 79
Table 33 Initialization property .............................................................................................................................. 79
Table 34 Initialization property .............................................................................................................................. 81
Table 35 Initialization property .............................................................................................................................. 84
Table 36 Operation of TSF Data ............................................................................................................................. 84
Table 37 Operation of TSF Data ............................................................................................................................. 86
Table 38 Security Management Functions Provided by TSF ....................................................................... 86
Table 39 Security Assurance Requirements ........................................................................................................ 93
Table 40 Security Functional Requirements and the Corresponding Security Objectives ................ 94
Table 41 Security Objectives to SFR Rationale .................................................................................................. 96
Table 42 Dependencies of Functional Security Requirements ................................................................. 103
Table 43 Security Functional Requirements and the Corresponding TOE Security Functions ..... 108
Table 44 Management of security attributes ................................................................................................. 113
Table 45 Access Control for Basic Functions ................................................................................................... 115
Table 46 Access Control for User Data .............................................................................................................. 115
Table 47 Details of Security Audit Log .............................................................................................................. 120
Fuji Xerox C2265/C2263 Security Target
- 1 - Copyright 2016 by Fuji Xerox Co., Ltd
1. ST INTRODUCTION
This chapter describes Security Target (ST) Reference, TOE Reference, TOE Overview,
and TOE Description.
1.1. ST Reference
This section provides information needed to identify this ST.
ST Title:
Fuji Xerox DocuCentre-V C2265/C2263 models
with Hard Disk, Data Security, Scan, and Fax
Security Target
ST Version: V 1.1.7
Publication Date: March 18, 2016
Author: Fuji Xerox Co., Ltd.
1.2. TOE Reference
This section provides information needed to identify this TOE.
The TOE is DocuCentre-V C2265 and DocuCentre-V C2263.
The TOE name is integrated as below.
TOE Identification:
Fuji Xerox DocuCentre-V C2265/C2263 models
with Hard Disk, Data Security, Scan, and Fax
Version:
Controller ROM Ver. 1.0.13
FAX ROM Ver. 2.0.8
Developer: Fuji Xerox Co., Ltd.
NOTE: When a Fuji Xerox DocuCentre-V C2265/C2263 is not equipped with one or more of the
following functions: Hard Disk, Data Security, Scan, and Fax, the corresponding kits listed
below shall be installed.
Function Extension Kit (Hard Disk): EC103136 (For Japan and for overseas)
Fax Kit: QC100164 (For Japan), EC103127 (For overseas)
Data Security Kit: EC103105 (For Japan)
Scan Kit: EC103096 (For Japan), EC103123 (For overseas)
The following are the target products.
(1) For Japan and for overseas
DocuCentre-V C2263: Controller ROM Ver. 1.0.1
FAX ROM Ver. 2.0.8
(2) For overseas
DocuCentre-V C2265: Controller ROM Ver. 1.0.1
FAX ROM Ver. 2.0.8
1.3. TOE Overview
1.3.1. TOE Type and Major Security Features
1.3.1.1. TOE Type
This TOE, categorized as an IT product, is the Fuji Xerox DocuCentre-V C2265/C2263
(hereinafter referred to as “MFD”), which has the copy, print, scan, and fax functions.
The TOE is the product which controls the whole MFD and protects the data that are
transmitted over encrypted communication protocols.
These protocols protect the TOE setting data, Mailbox, the security audit log data, and the
document data on the internal network between the TOE and remote clients and servers.
The TOE also prevents the document data and the used document data in the internal HDD
from being disclosed by an unauthorized person.
1.3.1.2. Function Types
Table 1 shows the Function types and functions provided by the TOE.
Table 1 Function Types and Functions provided by the TOE
Function types Functions provided by the TOE
Basic Function
- Control Panel
- Copy
- Print
- Scan
- Network Scan
- Fax
- Internet Fax Send
- CWIS
Security Function
- Hard Disk Data Overwrite
- Hard Disk Data Encryption System
- User Authentication
- Administrator’s Security Management
- Customer Engineer Operation Restriction
- Security Audit Log
- Internal Network Data Protection
- Information Flow Security
- Self Test
As the TOE uses the Hard Disk Data Overwrite and Hard Disk Data Encryption functions, a
model to be used as the TOE shall be equipped with the internal HDD. Therefore, when the
model to be used is not equipped with the internal HDD, the internal HDD shall be
purchased and installed.
When a model to be used as the TOE does not have the Data Security function, the Data
Security Kit shall be purchased and installed. (The target products intended for Japan do
not have the Data Security function.)
As the TOE uses the following functions: fax, the Internet fax send, scan, and network scan,
when a model to be used as the TOE does not have one or more of the said functions, the
Fax Kit and/or Scan Kit shall be purchased and installed.
To use the print function, the printer driver shall be installed on the general user client
and on the system administrator client.
There are two types of user authentication, local authentication and remote
authentication, and the TOE behaves with either one of the authentication types
depending on the setting.
In this ST, the difference of the TOE behavior is described if the TOE behaves differently
depending on the type of authentication being used. Unless specified, the behavior of the
TOE is the same for both authentication types.
There are two types of remote authentication, LDAP authentication and Kerberos
authentication. To assign the SA (system administrator privilege) user role under Kerberos
authentication, an LDAP server is also necessary.
Note:
The Japanese model does not have the Remote Authentication function or the S/MIME function.
The Remote Authentication, S/MIME, E-mail, and Internet Fax Send functions described in the
following sections are subject to evaluation for the overseas model only.
The TOE’s optional functions to print from USB and store to USB are not included in the
target of evaluation.
Therefore, the [Store to USB] and [Media Print] buttons do not appear on the control panel.
1.3.1.3. Usage and Major Security Features of TOE
The TOE is mainly used to perform the following functions:
Copy function and Control Panel function are to read the original data from IIT and print
them out from IOT according to the general user’s instruction from the control panel.
When more than one copy of original data are ordered, the data read from IIT are first
stored into the MFD internal HDD. Then, the stored data are read out from the internal
HDD for the required number of times so that the required number of copies can be made.
Print function is to decompose and print out the print data transmitted by a general user
client.
CWIS (CentreWare Internet Services) is to retrieve the document data scanned by MFD
from Mailbox.
It also enables a system administrator to refer to and rewrite TOE setting data via Web
browser.
Scan function and Control Panel function are to read the original data from IIT and store
them into Mailbox within the MFD internal HDD, according to the general user’s instruction
from the control panel.
The stored document data can be retrieved via standard Web browser by using CWIS.
Network Scan function and Control Panel function are to read the original data from IIT
and transmit the document data to FTP server, or Mail server, according to the information
set in the MFD. This function is operated according to the general user’s instruction from
the control panel.
Fax function and Control Panel function are to send and receive fax data. According to the
general user’s instruction from the control panel to send a fax, the original data are read
from IIT and then sent to the destination via public telephone line. The document data are
received from the sender’s machine via public telephone line and then stored in Mailbox.
The Internet Fax Send function and Control Panel function are to send and receive fax data
via the Internet, not public telephone line.
The TOE provides the following security features:
(1) Hard Disk Data Overwrite
To completely delete the used document data in the internal HDD, the data are overwritten
with new data after any job of copy, print, scan, etc. is completed.
(2) Hard Disk Data Encryption
The document data are encrypted before being stored into the internal HDD when using any
function of copy, print, scan, etc. or configuring various security function settings.
(3) User Authentication
Access to the TOE functions is restricted to the authorized user and this function identifies
and authenticates users. A user needs to enter his/her ID and password from the MFD
control panel, or general user client by using CWIS.
(4) System Administrator’s Security Management
This function allows only the system administrator identified and authorized from the
control panel or system administrator client to refer to and change the TOE security function
settings.
(5) Customer Engineer Operation Restriction
A system administrator can prohibit CE from referring to, and changing the TOE security
function settings.
(6) Security Audit Log
The important events of TOE such as device failure, configuration change, and user
operation are traced and recorded based on when and who used what function.
(7) Internal Network Data Protection
This function protects the communication data on the internal network such as document
data, security audit log data, Mailbox and TOE setting data.
The following general encrypted communication protocols are supported: SSL/TLS, IPSec,
and S/MIME.
(8) Information Flow Security
This function restricts the unpermitted communication between external interfaces and
internal network.
(9) Self Test
This function verifies the integrity of TSF executable code and TSF data.
1.3.2. Environment Assumptions
This TOE is assumed to be used as an IT product in a general office and to be connected to the
public telephone line, user clients, and an internal network that is protected from threats on
the external network by a firewall etc.
Figure 1 shows the general environment for TOE operation.
Figure 1 General Operational Environment
1.3.3. Required Non-TOE Hardware and Software
In the operational environment shown in Figure 1, the TOE (MFD) and the following non-TOE
hardware/software exist.
(1) General user client:
The hardware is a general-purpose PC. When a client is connected to the MFD via the
internal network and when the printer driver is installed to the client, the general user can
request the MFD to print, and retrieve the document data.
The user can also request the MFD to retrieve the scanned document data via Web browser
by using scan function of the MFD. Additionally, the general user can change the settings
which he/she registered to the MFD: Mailbox name, password, access control, and automatic
deletion of document.
[Figure 1, not reproduced: the TOE is connected to the public telephone line, to a general user client attached directly via USB (printer driver), and to the internal network, which a firewall separates from the external network. On the internal network are the system administrator client (Web browser), general user clients (printer driver, Web browser), and the Mail, FTP, LDAP, and Kerberos servers. The users shown are the CE, the system administrator, and the general user.]
When the client is connected to the MFD directly via USB and printer driver is installed to the
client, the user can request the MFD to print the document data.
(2) System administrator client:
The hardware is a general-purpose PC. A system administrator can refer to and change TOE
setting data via Web browser.
(3) Mail server:
The hardware/OS is a general-purpose PC or server. The MFD sends/receives document data
to/from Mail server via mail protocol.
(4) FTP server:
The hardware/OS is a general-purpose PC or server. The MFD sends document data to FTP
server via FTP.
(5) LDAP server:
The hardware/OS is a general-purpose PC or server. The MFD acquires identification and
authentication information from LDAP server via LDAP. In addition, it acquires SA
information of user role assumptions.
(6) Kerberos server:
The hardware/OS is a general-purpose PC or server. The MFD acquires identification and
authentication information from Kerberos server via Kerberos.
The OS of the (1) general user client and the (2) system administrator client is assumed to be
Windows Vista or Windows 7.
The (5) LDAP server and the (6) Kerberos server are assumed to be Windows Active Directory.
1.4. TOE Description
This section describes user assumptions and logical/physical scope of this TOE.
1.4.1. User Assumptions
Table 2 specifies the roles of TOE users assumed in this ST.
Table 2 User Role Assumptions
Designation: U.USER
PP Definition: Any authorized User.
Description: User:

Designation: U.NORMAL
PP Definition: A User who is authorized to perform User Document Data processing functions of the TOE.
Description: General user: A user of TOE functions such as copy, print, and fax.

Designation: U.ADMINISTRATOR
PP Definition: A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.
Description: System administrator (key operator and SA): A user who is authorized to manage the device using the system administrator mode. A system administrator can refer to and change the TOE setting for device operation and that for security functions via the TOE control panel and Web browser.

Designation: TOE Owner
PP Definition: A person or organizational entity responsible for protecting TOE assets and establishing related security policies.
Description: Administrator of the organization: An administrator or responsible official of the organization which owns and uses the TOE.

Designation: Customer Engineer
PP Definition: -
Description: A user who can configure the TOE operational settings using the interface for CE.
1.4.2. Logical Scope and Boundary
The logical scope of this TOE comprises the functions of the programs running on the MFD.
Figure 2 shows the logical architecture of the MFD.
Figure 2 MFD Units and TOE Logical Scope
[Figure 2, not reproduced: the TOE logical scope comprises the basic functions (Control Panel, CWIS, Copy, Print, Scan / Network Scan, Fax, Internet Fax Send) and the security functions (Hard Disk Data Overwrite, Hard Disk Data Encryption, User Authentication, System Administrator’s Security Management, Customer Engineer Operation Restriction, Security Audit Log, Internal Network Data Protection, Information Flow Security, Self Test). User Data (User Document Data, User Function Data) and TSF Data (TSF Confidential Data, TSF Protected Data) are stored on the Internal HDD / NVRAM / SEEPROM. Input and output channels connect the TOE to the General User Client (Web Browser, Printer Driver), the System Administrator Client (Web Browser), the servers (FTP Server, Mail Server, LDAP Server, Kerberos Server), the Public Telephone Line (Fax), and the General User and System Administrator.]
There are the following 4 types of Channel.
a) Private Medium Interface
Control panel and local interface that cannot be accessed by multiple simultaneous
Users.
b) Shared Medium Interface
Mechanisms for exchanging information that can be simultaneously accessed by
multiple Users, such as a network interface.
c) Original Document Handler
Mechanisms for transferring User Document Data into the TOE in hardcopy form.
d) Hardcopy Output Handler
Mechanisms for transferring User Document Data out of the TOE in hardcopy form.
1.4.2.1. Basic Functions
The TOE provides the functions of control panel, copy, print, scan, network scan, fax, internet fax
send, and CWIS to general user.
Table 3 TOE Basic Functions
Function: Copy Function
Description: Copy function is to read the original data from IIT and print them out from IOT according to the general user’s instruction from the control panel.
When more than one copy of an original is ordered, the data read from IIT are first stored into the MFD internal HDD. Then, the stored data are read out from the internal HDD for the required number of times so that the required number of copies can be made.
Function: Print Function
Description: Print function is to print out the data according to the instruction from a general user client. The print data created via printer driver are sent to the MFD to be analyzed, decomposed, and printed out from IOT.
The print data are sent either by being decomposed to the data in PDL via printer driver or by the document file being designated directly from the web browser of CWIS.
The print function is of two types: the normal print, in which the data are printed out from IOT directly after being decomposed, and the Store Print, in which the bitmap data are temporarily stored in the internal HDD and then printed out from IOT according to the general user’s instruction from the control panel.
Function: Scan Function, Network Scan Function
Description: Scan function is to read the original data from IIT and then store them into the internal HDD according to the general user’s instruction from the control panel.
A general user can retrieve the stored document data from a general user client via CWIS.
Network scan function is to read the original data from IIT and automatically transmit them to a general user client, FTP server, or Mail server according to the information set in the MFD. A general user can request this function from the control panel.
Function: Fax Function
Description: Fax function is to send and receive fax data. According to the general user’s instruction from the control panel to send a fax, the original data are read from IIT and sent to the destination via public telephone line. The document data are received from the sender’s machine via public telephone line.
Function: Internet Fax Send Function
Description: Internet Fax Send function is to send and receive fax data as in the normal Fax function. According to the general user’s instruction from the control panel to send a fax, the original data are read from IIT and sent to the destination via the Internet.
Function: Control Panel Function
Description: Control panel function is a user interface function for general user, CE, and system administrator to operate MFD functions.
Function: CWIS Function
Description: CWIS function is to operate from the Web browser of a general user client for general users.
CWIS also enables System Administrator’s Security Management, by which a system administrator can access and rewrite TOE setting data. For this, a system administrator must be authenticated by his/her ID and password entered from the Web browser of a system administrator client.
1.4.2.2. Security Functions
The security functions provided by the TOE are the following.
(1) Hard Disk Data Overwrite
To completely delete the used document data in the internal HDD, the data are overwritten
with new data after each job (copy, print, scan, network scan, fax, or internet fax send) is
completed. Without this function, the used document data remain and only the
management data are deleted.
(2) Hard Disk Data Encryption
Some data such as the document data in Mailbox remain in the internal HDD even if the
machine is powered off. To solve this problem, the document data are encrypted before
being stored into the internal HDD when operating any function of copy, print, scan, network
scan, fax, and internet fax send or configuring various security function settings.
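The two HDD protections above, (1) overwrite after each job and (2) encrypt before store, can be seen together in a small model of the internal HDD. The following is an added example written for this page, not Fuji Xerox code: the block layout, the overwrite patterns, the seed-key derivation and the HMAC-SHA256 counter-mode keystream are assumptions chosen so the example runs on the Python standard library, and they are not the TOE’s actual mechanisms. What it shows is the security point of the two paragraphs: deleting only the management data leaves the document bytes readable from a raw disk image, an overwrite pass removes them, and with encrypt-before-store the disk alone never carries the plaintext because the key is derived from a seed key held off the disk.

```python
"""Document data at rest on the internal HDD: overwrite after job and
encrypt before store.  Added illustration, not Fuji Xerox code.  The block
layout, overwrite patterns and the keystream (HMAC-SHA256 in counter mode
keyed from a seed key) are assumptions for the example, not the TOE's
mechanisms.
"""
import hashlib
import hmac

BLOCK = 32                                   # assumed bytes per HDD block
# Constructed sample: one scanned page worth of "document data".
DOCUMENT = b"CONFIDENTIAL: payroll summary, page 1 of 1"
SEED_KEY = b"seed-key-set-by-system-administrator"   # constructed value


class SimulatedHdd:
    """A raw byte array (what pulling the disk would reveal) plus an index
    of job id -> (offset, length), standing in for the management data."""

    def __init__(self, n_blocks=16):
        self.raw = bytearray(n_blocks * BLOCK)
        self.index = {}
        self._next_block = 0

    def write(self, job_id, data):
        start = self._next_block * BLOCK
        self.raw[start:start + len(data)] = data
        self.index[job_id] = (start, len(data))
        self._next_block += -(-len(data) // BLOCK)   # ceiling division

    def delete_management_only(self, job_id):
        """Without Hard Disk Data Overwrite: the index entry goes, the bytes stay."""
        del self.index[job_id]

    def overwrite_and_delete(self, job_id, passes=1):
        """Hard Disk Data Overwrite: clobber the bytes 1 or 3 times, then
        drop the management data."""
        start, length = self.index.pop(job_id)
        for i in range(passes):
            fill = b"\x00" if i % 2 == 0 else b"\xff"   # assumed patterns
            self.raw[start:start + length] = fill * length

    def plaintext_present(self, data):
        """Forensic check: does the raw disk image still contain the data?"""
        return data in bytes(self.raw)


def derive_data_key(seed_key):
    """Derive the HDD data key from the administrator-set seed key, so the
    disk alone (without the NVRAM/SEEPROM contents) does not carry the key."""
    return hashlib.sha256(b"hdd-data-key|" + seed_key).digest()


def keystream_xor(key, nonce, data):
    """Symmetric encrypt/decrypt with an HMAC-SHA256 counter-mode keystream
    (assumption for the example; the TOE's cipher is not described here)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def residue_after_management_delete():
    """True: the document is recoverable from the raw image."""
    hdd = SimulatedHdd()
    hdd.write("job-1", DOCUMENT)
    hdd.delete_management_only("job-1")
    return hdd.plaintext_present(DOCUMENT)


def residue_after_overwrite(passes):
    """False for 1 or 3 passes: the document bytes are gone."""
    hdd = SimulatedHdd()
    hdd.write("job-1", DOCUMENT)
    hdd.overwrite_and_delete("job-1", passes)
    return hdd.plaintext_present(DOCUMENT)


def encrypted_store_roundtrip():
    """Encrypt before store: the disk holds ciphertext only, and the seed key
    (held off-disk) recovers the document.  Returns (plaintext_on_disk,
    decrypted_document)."""
    hdd = SimulatedHdd()
    key = derive_data_key(SEED_KEY)
    nonce = b"job-1-nonce!"                    # constructed; unique per job
    hdd.write("job-1", keystream_xor(key, nonce, DOCUMENT))
    on_disk = hdd.plaintext_present(DOCUMENT)
    start, length = hdd.index["job-1"]
    recovered = keystream_xor(key, nonce, bytes(hdd.raw[start:start + length]))
    return on_disk, recovered
```

The `plaintext_present` check stands in for what an attacker with the removed disk and a hex editor would do; the ST’s threat model for both functions is exactly that reader, not a user going through the MFD interfaces.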
(3) User Authentication
Access to the MFD functions is restricted to the authorized user. To be identified and
authenticated, a user needs to enter his/her ID and password from MFD control panel, or the
CWIS/Printer Driver of the user client.
Only the authenticated user can use the following functions:
a) Functions controlled by the MFD control panel:
Copy, fax (send), internet fax send, scan, network scan, Mailbox, and print (This print
function requires the Accounting System preset from printer driver. A user must be
authenticated from the control panel for print job.)
b) Functions controlled by CWIS:
Display of device condition, display of job status and its log, function to retrieve
document data from Mailbox, and print function by file designation.
c) Functions using printer driver of user client
The data of the user client are decomposed into print data described in PDL readable by the MFD, and the print data are stored in the TOE (Private Print Function).
When a user sends a print request from the printer driver in which the Accounting System is preset, the MFD decomposes the received data into bitmap data and stores the data in the internal HDD as private print according to the user ID.
Among the above functions which require user authentication, some particularly act as
security functions. The following are the security functions which prevent the unauthorized
reading of document data in the internal HDD by an attacker who is impersonating an
authorized user:
- The Store Print function (Private Print function) and the Mailbox function, which require user authentication from the control panel.
- The function to retrieve document data from Mailbox (Mailbox function), which requires user authentication using CWIS, and the Store Print function (Private Print function) by file designation using CWIS.
Figure 3 shows the authentication flow of Private Print Function and Mailbox Function.
Figure 3 Authentication Flow for Private Print and Mailbox
[Figure 3: flow diagram. Labels recoverable from the figure: User Client with Printer Driver and Web Browser (CWIS); Print Job; Authentication; Private Print; Scanned Data, Received Fax Data; Authentication from Control Panel; Print.]
Store Print Function (Private Print Function)
When the MFD is set to “Save as Private Charge Print,” and a user sends a print request from
the printer driver in which the Accounting System is preset, after the user has been
successfully identified and authenticated, the print data are decomposed into bitmap data,
classified according to the user ID, and temporarily stored in the corresponding Private Print
area within the internal HDD.
In the same way, when the user is authenticated by entering his/her ID and password from
CWIS for authentication, and the user sends a print request by designating the files within a
user client, the print data are temporarily stored in Private Print area according to the user
ID.
To refer to the stored print data, a user needs to enter his/her ID and password from the
control panel. When the user is authenticated, the data on the waiting list corresponding to
the user ID are displayed. The user can request printing or deletion of the data on the list.
Mailbox Function
The scanned data and received fax data can be stored into Mailbox from IIT and Fax board
which are not shown in Figure 3.
To store the scanned data into Mailbox, a user needs to enter his/her ID and password from
the control panel, and needs to be authenticated to use scan function.
When the user is authenticated, the document data can be scanned from IIT and stored into
the internal HDD according to the user’s instruction from the control panel.
To store the received fax data into Mailbox, user authentication is not required. Among the
received fax data transmitted over public telephone line, the following data are
automatically classified and stored into each corresponding Mailbox: the received fax data
whose corresponding Mailbox is specified by the sender. Also, all the received fax data can
be distributed and stored into Mailbox according to over which line the data are transmitted.
To retrieve, print, or delete the stored data in the Personal Mailbox corresponding to each registered user’s ID, user authentication is required; the MFD compares the user ID and password preset in the device against those entered by a user from the control panel or CWIS.
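The control-panel authentication described for Private Print and Mailbox, together with the two policy values given in 1.4.2.3 (a minimum passcode length of 9 characters and access denial after 5 failed system administrator authentications), is illustrated by the following added example. It is written for this page and is not Fuji Xerox code: the salted PBKDF2 storage of passcodes, the session object, the spool data structure and the account names are assumptions for the example. It shows the property the text relies on: after authentication the waiting list contains only the jobs classified under the authenticated user’s ID, another user cannot delete them, and repeated failures against an administrator ID lock that ID even to the correct passcode.

```python
"""Control-panel authentication in front of Private Print and Mailbox.
Added illustration, not Fuji Xerox code.  The numeric policy values follow
section 1.4.2.3 (minimum passcode length 9, access denial after 5 failed
system administrator authentications); PBKDF2 storage of the passcode and
the spool layout are assumptions for the example.
"""
import hashlib
import hmac
import os

MIN_PASSCODE_LEN = 9          # "User Passcode Minimum Length: 9 characters"
ADMIN_LOCKOUT_AFTER = 5       # "Access denial ... Default 5 Times"
PBKDF2_ROUNDS = 20_000        # assumed; kept low so the example runs quickly


class Session:
    def __init__(self, user_id, is_admin):
        self.user_id = user_id
        self.is_admin = is_admin


class LocalAuthenticator:
    """Local authentication: IDs and salted passcode hashes held in the TOE."""

    def __init__(self):
        self._users = {}         # user_id -> (salt, digest, is_admin)
        self._failures = {}      # consecutive failures, tracked for admins
        self._locked = set()

    @staticmethod
    def _digest(salt, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user_id, passcode, is_admin=False):
        if len(passcode) < MIN_PASSCODE_LEN:
            raise ValueError("passcode shorter than the minimum length")
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._digest(salt, passcode), is_admin)

    def login(self, user_id, passcode):
        """Return a Session on success, None otherwise (the same answer for an
        unknown ID, a wrong passcode and a locked account)."""
        record = self._users.get(user_id)
        if record is None or user_id in self._locked:
            return None
        salt, digest, is_admin = record
        if hmac.compare_digest(digest, self._digest(salt, passcode)):
            self._failures.pop(user_id, None)
            return Session(user_id, is_admin)
        if is_admin:
            count = self._failures.get(user_id, 0) + 1
            self._failures[user_id] = count
            if count >= ADMIN_LOCKOUT_AFTER:
                self._locked.add(user_id)
        return None

    def is_locked(self, user_id):
        return user_id in self._locked


class PrivatePrintSpool:
    """Bitmap jobs classified by user ID; a user sees and acts on their own."""

    def __init__(self):
        self._jobs = {}          # job_id -> (owner, data)
        self._counter = 0

    def submit(self, session, bitmap):
        self._counter += 1
        job_id = "job-%d" % self._counter
        self._jobs[job_id] = (session.user_id, bitmap)
        return job_id

    def waiting_list(self, session):
        """The list shown on the control panel after authentication."""
        return sorted(j for j, (owner, _) in self._jobs.items()
                      if owner == session.user_id)

    def delete(self, session, job_id):
        owner, _ = self._jobs.get(job_id, (None, None))
        if owner != session.user_id:
            raise PermissionError("job does not belong to this user")
        del self._jobs[job_id]
```

`login` deliberately returns the same `None` for an unknown ID, a wrong passcode and a locked account, so the control panel does not reveal which of the three applied; the lockout counter is kept only for administrator IDs because that is what the access denial setting in 1.4.2.3 covers.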
(4) System Administrator’s Security Management
To grant a privilege to a specific user, this TOE allows only the authenticated system
administrator to access the System Administrator mode which enables him/her to refer to
and set the following security functions from the control panel:
- Refer to and set the Hard Disk Data Overwrite
- Refer to and set the Hard Disk Data Encryption
- Set the cryptographic seed key for Hard Disk Data Encryption
- Refer to and set the function that uses the password entered from the MFD control panel in user authentication
- Set the ID and the password of key operator (only a key operator is privileged)
- Refer to and set the ID of SA / general user and set the password (with local authentication only)
- Refer to and set the access denial when system administrator’s authentication fails
- Refer to and set the limit of user password length (for general user and SA, with local authentication only)
- Refer to and set the SSL/TLS communication
- Refer to and set the IPSec communication
- Refer to and set the S/MIME communication
- Refer to and set the User Authentication
- Refer to and set the Store Print
- Refer to and set the date and time
- Refer to and set Auto Clear of Control Panel
- Refer to and set the Self Test
- Refer to and set the Report print
Additionally, this TOE allows only the system administrator, who is authenticated from the system administrator client via Web browser using CWIS, to refer to and set the following security functions via CWIS:
- Set the ID and the password of key operator (only a key operator is privileged)
- Refer to and set the ID of SA / general user and set the password (with local authentication only)
- Refer to and set the access denial when system administrator’s authentication fails
- Refer to and set the limit of user password length (for general user and SA, with local authentication only)
- Refer to and set the Security Audit Log
- Refer to and set the SSL/TLS communication
- Refer to and set the IPSec communication
- Refer to and set the S/MIME communication
- Create/upload/download an X.509 certificate
- Refer to and set the User Authentication
- Refer to and set the Auto Clear of CWIS
(5) Customer Engineer Operation Restriction
This TOE allows only the authenticated system administrator to refer to or enable/disable the Customer Engineer Operation Restriction setting from the control panel and CWIS. As a result, the CE cannot refer to or change the setting of each function described in (4) System Administrator’s Security Management.
(6) Security Audit Log
The important events of TOE such as device failure, configuration change, and user
operation are traced and recorded based on when and who operated what function. Only a
system administrator can supervise or analyze the log data by downloading them in the
form of tab-delimited text file via Web browser using CWIS. To download the log data,
SSL/TLS communication needs to be enabled.
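Once the log has been downloaded as a tab-delimited text file, the "when and who operated what function" records can be reviewed mechanically. The following added example is written for this page and is not Fuji Xerox code: the column layout, the sample lines and the account names are constructed (the page does not show the TOE’s actual log format), and the two review rules (failed logins against an administrator ID reaching the access-denial threshold, and a reconciliation list of security setting changes) are one reading of what a system administrator would look for.

```python
"""Review of a Security Audit Log downloaded via CWIS as a tab-delimited
text file.  Added illustration, not Fuji Xerox code: the column layout and
the sample lines are constructed for the example (the page does not give
the TOE's actual log format).
"""
import csv
import io
from collections import defaultdict

# Constructed sample of a downloaded log (tab-delimited); not real output.
SAMPLE_LOG = "\n".join([
    "Date\tTime\tUser\tEvent\tResult",
    "2016/03/01\t09:00:01\talice\tLogin\tSuccess",
    "2016/03/01\t09:02:10\talice\tPrint\tSuccess",
    "2016/03/01\t09:05:00\tkeyop\tLogin\tFailed",
    "2016/03/01\t09:05:07\tkeyop\tLogin\tFailed",
    "2016/03/01\t09:05:15\tkeyop\tLogin\tFailed",
    "2016/03/01\t09:05:22\tkeyop\tLogin\tFailed",
    "2016/03/01\t09:05:30\tkeyop\tLogin\tFailed",
    "2016/03/01\t09:05:40\tkeyop\tLogin\tLocked",
    "2016/03/01\t10:15:00\tkeyop\tLogin\tSuccess",
    "2016/03/01\t10:16:30\tkeyop\tSetting Change: Hard Disk Data Overwrite\tSuccess",
    "2016/03/01\t10:17:05\tkeyop\tSetting Change: SSL/TLS\tSuccess",
    "2016/03/01\t11:00:00\tbob\tLogin\tSuccess",
    "2016/03/01\t11:01:00\tbob\tMailbox Retrieve\tFailed",
])

ADMIN_IDS = {"keyop"}          # constructed: the key operator account in the sample
FAILED_LOGIN_THRESHOLD = 5     # access denial setting from 1.4.2.3 (default 5)
CHANGE_PREFIX = "Setting Change: "


def parse_audit_log(text):
    """Parse the tab-delimited download into a list of dict records."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [row for row in reader]


def failed_logins_by_user(records):
    """Count of failed Login events per user ID."""
    counts = defaultdict(int)
    for r in records:
        if r["Event"] == "Login" and r["Result"] == "Failed":
            counts[r["User"]] += 1
    return dict(counts)


def admin_lockout_candidates(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Administrator IDs whose failed logins reach the access-denial threshold."""
    fails = failed_logins_by_user(records)
    return sorted(u for u, n in fails.items() if u in ADMIN_IDS and n >= threshold)


def security_setting_changes(records):
    """(when, who, which setting) for every configuration change: the trail a
    system administrator reconciles against the changes they intended."""
    out = []
    for r in records:
        if r["Event"].startswith(CHANGE_PREFIX):
            out.append((r["Date"] + " " + r["Time"], r["User"],
                        r["Event"][len(CHANGE_PREFIX):]))
    return out


def changes_by_non_admin(records):
    """Setting changes attributed to a non-administrator ID, which the
    Customer Engineer Operation Restriction and admin-only management should
    make impossible; any hit is worth investigating."""
    return [c for c in security_setting_changes(records) if c[1] not in ADMIN_IDS]
```

The parser uses `csv.DictReader` with a tab delimiter rather than `str.split`, so a field that itself contains a slash or a colon (as the setting names do) is handled without special cases.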
(7) Internal Network Data Protection
The communication data on the internal network, such as document data, Mailbox, security audit log data, and TOE setting data, are protected by the following general-purpose encrypted communication protocols:
- SSL/TLS
- IPSec
- S/MIME
(8) Information Flow Security
This TOE has the function of restricting unpermitted communication between the external interfaces and the internal network.
The fax board, an option of the TOE device, is connected to the controller board via a USB interface, but unauthorized access from a public telephone line to the inside of the TOE or to the internal network via the fax board cannot be made.
(9) Self Test
This TOE can execute the self test function to verify the integrity of TSF executable code and
TSF data.
1.4.2.3. Settings for the Secure Operation
System administrator shall set the following to enable security functions in 1.4.2.2.
Hard Disk Data Overwrite
Set to [1 Overwrite] or [3 Overwrites]
Hard Disk Data Encryption
Set to [Enabled]
Passcode Entry from Control Panel
Set to [Enabled]
Access denial when system administrator’s authentication fails
Default [5] Times
User Passcode Minimum Length (for general user and SA)
Set to [9] characters
SSL/TLS
Set to [Enabled]
IPSec
Set to [Enabled]
S/MIME
Set to [Enabled]
User Authentication
Set to [Login to Local Authentication] or [Remote Authentication]
Store Print
Set to [Save as Private Charge Print]
Auto Clear
Set to [Enabled]
Security Audit Log
Set to [Enabled]
Customer Engineer Operation Restriction
Set to [Enabled]
Self Test
Set to [Enabled]
1.4.3. Physical Scope and Boundary
The physical scope of this TOE is the MFD. Figure 4 shows configuration of each unit and TOE
physical scope.
Figure 4 MFD Units and TOE Physical Scope
[Figure 4: block diagram. Labels recoverable from the figure: Control Panel (buttons, lamps, touch screen panel); Controller Board with CPU, Controller ROM, DRAM, NVRAM, SEEPROM and the functions Copy, Print Control (decompose), Scan / Network Scan, Fax / Internet Fax Send, CWIS, Control Panel, Hard Disk Data Overwrite, Hard Disk Data Encryption, Security Audit Log, User Authentication, Customer Engineer Operation Restriction, System Administrator’s Security Management, Information Flow Security, Network Data Protection, Self Test; Internal HDD; Fax Board with Fax ROM, connected to the Public Telephone Line; IIT / IIT Board; IOT / IOT Board; ADF / ADF Board; Ethernet to System Administrator Client, General User Client, Mail Server, FTP Server, LDAP Server, Kerberos Server; USB (device) to General User Client (USB); USB (host). Legend marks the TOE boundary. Users shown: System Administrator, General User, Customer Engineer.]
The MFD consists of the controller board, Fax Board, Internal HDD, control panel, IIT, ADF and IOT.
The controller board is connected to the control panel via internal interfaces which transmit control data, and to the IIT board and IOT board via internal interfaces which transmit document data and control data.
The controller board is a PWB which controls MFD functions of copy, print, scan, and fax. The
board has a network interface (Ethernet) and local interfaces (USB) and is connected to the IIT
board and IOT board. The program is installed in Controller ROM.
FAX board is the interface between a public telephone line and the controller board and is
connected to the controller board via USB.
The program is installed in FAXROM inside the FAX board.
The IOT (Image Output Terminal) is a device to output image data which was sent from the
controller board.
The IIT (Image Input Terminal) is a device to scan an original and send its data to the
controller board for copy, scan, and Fax functions.
The ADF (Auto Document Feeder) is a device to automatically transfer original documents to
IIT.
The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to
use and configure MFD functions of copy, print, scan, and fax.
NVRAM (including SD Memory) and the internal HDD in the TOE are not removable memory media.
The 4 types of Channel correspond to the following in the TOE.
Private Medium Interface
Control panel, USB
Shared Medium Interface
Ethernet
Original Document Handler
IIT
HardCopy Output Handler
IOT
1.4.4. Guidance
The following are the guidance documents for this TOE.
(1) For Japan
DocuCentre-V C2263 Administrator Guide: ME7472J1-1
(SHA1 hash value: 0aeb4a0cc3607d03fd387ce23ce6bc00e96da02e)
DocuCentre-V C2263 User Guide:ME7471J1-1
(SHA1 hash value: 51c82a75e9bd48a66590832d7e7a42739b561ac6)
DocuCentre-V C2263 Security Function Supplementary Guide: ME7594J1-2
(SHA1 hash value: 60ad9a6573e1ab10b52d8a5635f29661c9980647)
(2) For overseas
DocuCentre-V C2265/C2263 Administrator Guide:ME7480E2-1
(SHA1 hash value: 4616727b449dc0072caf1744e70338c635172870)
DocuCentre-V C2265/C2263 User Guide:ME7479E2-1
(SHA1 hash value: fb0c53b456e425c76f6926fd41f26e6c69fdc6b7)
DocuCentre-V C2265/C2263 Security Function Supplementary Guide: ME7595E2-2
(SHA1 hash value: e37a16c67566c8ff639c1051e69c156026f1a504)
2. CONFORMANCE CLAIM
2.1. CC Conformance Claim
This ST and TOE conform to the following evaluation standards for information security (CC):
CC version which ST and TOE claim to conform to:
Common Criteria for Information Technology Security Evaluation
Part 1: Introduction and general model (September 2012 Version 3.1 Revision 4)
Part 2: Security functional components (September 2012 Version 3.1 Revision 4)
Part 3: Security assurance components (September 2012 Version 3.1 Revision 4)
CC Part2 extended [FPT_FDI_EXP.1]
CC Part3 conformant
2.2. PP claim, Package Claim
2.2.1. PP Claim
This Security Target claims demonstrable conformance to:
U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009)
This PP conforms to "IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std 2600-2008, Operational Environment B", and also satisfies "CCEVS Policy Letter #20".
2.2.2. Package Claim
This Security Target claims EAL2 augmented by ALC_FLR.2.
Also, it claims package conformance to the following SFR packages, which the PP description allows to be selected.
Title: 2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment B
Package Version: 1.0
Title: 2600.2-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment B
Package Version: 1.0
Title: 2600.2-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment B
Package Version: 1.0
Title: 2600.2-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment B
Package Version: 1.0
Title: 2600.2-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR)
Functions, Operational Environment B
Package Version: 1.0
Title: 2600.2-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions,
Operational Environment B
Package Version: 1.0
2.2.3. Conformance Rationale
This ST is written with the functions partially added, covering the following written in IEEE Std. 2600.2™-2009: Common HCD Functions, Print Functions, Scan Functions, Copy Functions, Fax Functions, Document Storage and Retrieval Functions, and Shared-medium Interfaces Functions.
The type of TOE in this ST is the MFD (Multi Function Device) with copy, print, scan, and fax
functions, and is the same term as Hardcopy Device written in 4.1 Typical Products of PP,
incorporating the required functions.
Also, as shown below, the Security Problem Definition, Security Objectives, and Security
Functional Requirements are written covering the PP.
P.CIPHER is added as an OSP for the TOE in addition to the Threats / OSPs / Assumptions required in the PP. P.CIPHER concerns the data encryption of the internal HDD and is independent of the other elements of the Problem Definition, so it has no impact on them.
Threats to user data are also added.
There is no change in Assumptions. Therefore, the Threats / OSP / Assumptions are more
restrictive than the statement of the Security Problem Definition of PP.
Security Objectives are set by excluding OE.AUDIT_STORAGE.PROTECTED and
OE.AUDIT_ACCESS.AUTHORIZED from the Security Objectives for the environment
specified in PP. As other contents are quoted without any changes and there is no
additional objective, the Security Objectives for the environment have the restrictions
equivalent to or less than that in the statement of Security Objectives of PP.
O.AUDIT_STORAGE.PROTECTED and O.AUDIT_ACCESS.AUTHORIZED are added for the
Security Objectives for the TOE in addition to the Security Objectives required in PP.
The Security Objectives for the TOE are more restrictive than the statement in the Security
Objectives of PP.
The relation between the SFR specified by PP and that used by ST is shown in Table 14.
The detailed SFR description and the added SFR content for each SFR are described.
The description of the operation of registering the document data of Common Access
Control SFP is added. However, only the authorized user can register the document data,
thus FDP_ACC.1 / FDP_ACF.1 is more restrictive than PP.
The security attributes of +SMI are not defined, but as there is no operation to restrict the transfer of FPT_FDI_EXP.1, it is equivalent to the PP requirement.
As it is defined in the access control SFP of D.DOC that some deletion processing is not
allowed for U.USER, FDP_ACC.1 is more restrictive than PP.
Only the authorized user can add the access control SFP of D.FUNC for the creation and
registration of D.FUNC, thus FDP_ACC.1 / FDP_ACF.1 is more restrictive than PP.
Other SFRs specified in PP are equivalent to the requirement, and TOE is set to be more
restrictive by the additional SFR.
Therefore, the SFR of this ST is more restrictive than that of PP.
In this ST, the content quoted from the SFR of PP is written in italics, describing the content
required by PP.
Also, the assigned part is similarly written in italics, including the part fixed in PP.
Among the Security Objectives Rationale specified in PP, the objective of
P.AUDIT.LOGGING replaces OE.AUDIT_STORAGE.PROTECTED and
OE.AUDIT_ACCESS.AUTHORIZED with O.AUDIT_STORAGE.PROTECTED and
O.AUDIT_ACCESS.AUTHORIZED.
Also, O.CIPHER is added to the objectives of P.CIPHER. Others describe the content
required by PP without any changes to show its assurance.
Objectives are assured as the description is added for the added TOE objectives and SFRs.
The relationship between FMT_MSA.1 and the security objectives is different from the PP, but this does not change the content of the security requirements specified in the PP. This is because, in order to protect user data, the requirements to prevent disclosure and alteration of security attributes are applied to the TSF data security objectives.
As to other TOE objectives and SFR, the contents required by PP are described.
The SAR specified in PP describes the content required by PP without any changes.
Therefore, this ST demonstrably conforms to IEEE Std. 2600.2™-2009.
3. SECURITY PROBLEM DEFINITION
This chapter describes the threats, organizational security policies, and the assumptions for the
use of this TOE.
3.1. Threats
3.1.1. Assets Protected by TOE
This TOE protects the following assets
Table 4 Assets for User Data
Designation: D.DOC
PP Definition: User Document Data consists of the information contained in a user’s document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
Asset under Protection: Document data stored for job processing
Description: When a user uses MFD functions of copy, print, fax, and scan, the document data are temporarily stored in the internal HDD for image processing, transmission, and Store Print. The user can retrieve the stored document data in the MFD from a general user client by CWIS function.
Asset under Protection: Used document data after job processing
Description: When a user uses MFD functions of copy, print, fax, and scan, the document data are temporarily stored in the internal HDD for image processing, transmission, and Store Print. When the jobs are completed or canceled, only the management information is deleted but the data itself remains.
Designation: D.FUNC
PP Definition: User Function Data are the information about a user’s document or job to be processed by the TOE.
Asset under Protection: Mailbox
Description: Logical box that is created in the internal HDD to store the document data scanned by scan function or fax receive function.
Table 5 Assets for TSF Data
Designation: D.PROT
PP Definition: TSF Protected Data are assets for which alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable.
Asset under Protection: Table 26, Table 27, Table 28, Table 29, Table 30, Table 31, Table 32, Table 36, Table 37 (excluding the following D.CONF)
Description: Even though the contents of the TOE setting data and security attributes are disclosed, it will not be a security threat.
Designation: D.CONF
PP Definition: TSF Confidential Data are assets for which either disclosure or alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE.
Asset under Protection:
- Data on General user Password
- Data on Security Audit Log (Table 15)
- Data on Hard Disk Data Encryption
- Data on Internal Network Data Protection
Description: The system administrator can set security functions of TOE from the MFD’s control panel or the system administrator client by using the System Administrator’s Security Management function. The setting data are saved in TOE.
General users can set their IDs and passwords from the MFD’s control panel by using the User Authentication function. The setting data are saved in TOE.
The system administrator can retrieve the security audit log data from the system administrator client. The security audit log data are saved in TOE.
Table 6 Other Assets
Designation: Functions
PP Definition: Functions perform processing, storage, and transmission of data that may be present in HCD products. These functions are used by SFR packages.
Asset under Protection: MFD functions
Description: Only the permitted user can use the copy, print, scan, and Fax functions of TOE.
Figure 5 Assets under and not under Protection
Note) The data stored in a general client and server within the internal network and the general data on the internal network are not assumed as assets to be protected. This is because TOE functions prevent access to the internal network from the public telephone line, so it cannot be a threat.
TSF data in Table 5 are stored in the internal HDD, NVRAM (including SD Memory) and SEEPROM of the controller board. However, the present time data are not included.
The setting data other than TOE setting data are also stored on NVRAM (including SD Memory) and SEEPROM. Those setting data, however, are not assumed as assets to be protected because they are not involved in TOE security functions.
Security Audit Log data are temporarily stored in NVRAM, but stored in the internal HDD as a file.
[Figure 5: network diagram. Labels recoverable from the figure: Public Telephone Line and External Network, separated from the Internal Network by a Firewall; on the internal network, General Client and Server, General User Client (Printer Driver, Web Browser), System Administrator Client, LDAP Server, Kerberos Server, and the TOE. Asset under protection: document data, security audit log data, mail box, and TOE setting data transmitted in the internal network; internally stored data (Document Data, Used Document Data, Security Audit Log Data, TOE Setting Data, Mail Box). Asset not under protection: General Data on the Internal Network; Other Setting Data stored internally; data stored internally on the general clients and servers. The path from the public telephone line into the internal network is marked Inaccessible.]