Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.
imagio MP 7501/6001 series,
Aficio MP 9001/8001/7001/6001 series
Security Target
Author : RICOH COMPANY, LTD. Date : 2010-08-31 Version : 1.00
Page 1 of 82
Revision History
Version Date Author Detail
1.00 2010-08-31 RICOH COMPANY, LTD. Released version.
Table of Contents
1 ST Introduction.................................................................................... 7
1.1 ST Reference..................................................................................7
1.2 TOE Reference................................................................................ 7
1.3 TOE Overview................................................................................ 9
1.3.1 TOE Type....................................................................................................9
1.3.2 TOE Usage and Major Security Features of TOE............................................9
1.3.3 Environment for TOE Usage and Non-TOE Configuration Items....................10
1.4 TOE Description.............................................................................12
1.4.1 Physical Boundary of TOE..........................................................................12
1.4.2 Guidance Documents.................................................................................. 15
1.4.3 User Roles.................................................................................................17
1.4.3.1 Responsible Manager of MFP................................................................17
1.4.3.2 Administrator......................................................................................17
1.4.3.3 Supervisor...........................................................................................17
1.4.3.4 General User....................................................................................... 18
1.4.3.5 Customer Engineer..............................................................................18
1.4.4 Logical Boundaries of TOE.......................................................................... 18
1.4.4.1 Basic Functions................................................................................... 19
1.4.4.2 Security Functions ...............................................................................21
1.4.5 Protected Assets......................................................................................... 25
1.4.5.1 Document Data....................................................................................25
1.4.5.2 Print Data...........................................................................................25
2 Conformance Claim ..............................................................................26
2.1 CC Conformance Claim.....................................................................26
2.2 PP Claims, Package Claims................................................................26
2.3 Conformance Rationale.....................................................................26
3 Security Problem Definitions...................................................................27
3.1 Threats.......................................................................................27
3.2 Organisational Security Policies...........................................................27
3.3 Assumptions .................................................................................28
4 Security Objectives...............................................................................29
4.1 Security Objectives for TOE................................................................29
4.2 Security Objectives of Operational Environment........................................30
4.3 Security Objectives Rationale..............................................................30
4.3.1 Tracing...................................................................................................... 30
4.3.2 Tracing Justification...................................................................................31
5 Extended Components Definition...............................................................34
6 Security Requirements..........................................................................35
6.1 Security Functional Requirements........................................................35
6.1.1 Class FAU: Security audit........................................................................... 35
6.1.2 Class FCS: Cryptographic support...............................................................40
6.1.3 Class FDP: User data protection..................................................................41
6.1.4 Class FIA: Identification and authentication................................................44
6.1.5 Class FMT: Security management...............................................................46
6.1.6 Class FPT: Protection of the TSF.................................................................53
6.1.7 Class FTP: Trusted path/channels...............................................................53
6.2 Security Assurance Requirements .........................................................55
6.3 Security Requirements Rationale..........................................................56
6.3.1 Tracing...................................................................................................... 56
6.3.2 Justification of Traceability......................................................................... 57
6.3.3 Dependency Analysis..................................................................................61
6.3.4 Security Assurance Requirements Rationale................................................. 63
7 TOE Summary Specification....................................................................64
7.1 TOE Security Function.....................................................................64
7.1.1 SF.AUDIT Audit Function........................................................................65
7.1.1.1 Generation of Audit Logs......................................................................66
7.1.1.2 Reading Audit Logs ..............................................................................67
7.1.1.3 Protection of Audit Logs.......................................................................67
7.1.1.4 Time Stamps....................................................................................... 67
7.1.2 SF.I&A User Identification and Authentication Function.............................67
7.1.2.1 User Identification and Authentication .................................................. 68
7.1.2.2 Actions in Event of Identification and Authentication Failure..................68
7.1.2.3 Password Feedback Area Protection......................................................69
7.1.2.4 Password Registration ..........................................................................69
7.1.3 SF.DOC_ACC Document Data Access Control Function...............................70
7.1.3.1 General User Operations on Document Data..........................................70
7.1.3.2 File Administrator Operations on Document Data..................................71
7.1.4 SF.SEC_MNG Security Management Function...........................................71
7.1.4.1 Management of Document Data ACL.....................................................71
7.1.4.2 Management of Administrator Information............................................ 72
7.1.4.3 Management of Supervisor or Information.............................................73
7.1.4.4 Management of General User Information.............................................73
7.1.4.5 Management of Machine Control Data...................................................74
7.1.5 SF.CE_OPE_LOCK Service Mode Lock Function..........................................75
7.1.6 SF.CIPHER Encryption Function..............................................................75
7.1.6.1 Encryption of Document Data...............................................................75
7.1.7 SF.NET_PROT Network Communication Data Protection Function................76
7.1.7.1 Use of Web Service Function from Client Computer................................76
7.1.7.2 Printing and Faxing from Client Computer............................................76
7.1.7.3 Sending by E-mail from TOE................................................................76
7.1.7.4 Delivering to Folders from TOE............................................................77
7.1.8 SF.FAX_LINE Protection Function for Intrusion via Telephone Line............77
7.1.9 SF.GENUINE MFP Control Software Verification Function.........................77
8 Appendix..........................................................................................78
8.1 Definitions of Terminology.................................................................78
8.2 References....................................................................................82
List of Figures
Figure 1: Example of TOE environment ........................................................................................................11
Figure 2: Hardware configuration of TOE.....................................................................................................13
Figure 3: Logical boundaries of TOE.............................................................................................................19
List of Tables
Table 1: MFP names for each series.................................................................................................................7
Table 2: List of administrator roles ................................................................................................................17
Table 3: Correspondence between operations authorised by permissions to process document data and operations possible on document data.................23
Table 4: Relationship between security environment and security objectives...............................................31
Table 5: List of auditable events ....................................................................................................................35
Table 6: List of cryptographic key generation................................................................................................40
Table 7: List of cryptographic operations.......................................................................................................41
Table 8: List of subjects, objects, and operations among subjects and objects..............................................41
Table 9: Subjects, objects and security attributes...........................................................................................41
Table 10: Rules governing access ..................................................................................................................42
Table 11: Rules governing access explicitly..................................................................................................42
Table 12: List of subjects, information and operation....................................................................................43
Table 13: Security attributes corresponding to subjects or information.........................................................43
Table 14: List of authentication events...........................................................................................................44
Table 15: Lockout release actions..................................................................................................................44
Table 16: Rules for initial association of attributes........................................................................................46
Table 17: Management roles of security attributes.........................................................................................47
Table 18: Characteristics of static attribute initialisation...............................................................................48
Table 19: List of TSF data management.........................................................................................................48
Table 20: List of specifications of Management Functions............................................................................50
Table 21: Services requiring trusted paths.....................................................................................................54
Table 22: TOE Security assurance requirements (EAL3)..............................................................................55
Table 23: Relationship between security objectives and functional requirements.........................................56
Table 24: Correspondence of dependencies of TOE security functional requirements..................................61
Table 25: Relationship between TOE security functional requirements and TOE Security Functions..........64
Table 26: Auditable events and auditable information...................................................................................66
Table 27: User roles and authentication methods...........................................................................................68
Table 28: Unlocking administrators for each user role..................................................................................69
Table 29: Default value for document data ACL...........................................................................................71
Table 30: Operations on document data ACL and authorised users...............................................................71
Table 31: Access to administrator information...............................................................................................72
Table 32: Authorised operations on general user information........................................................................73
Table 33: Administrators authorised to specify machine control data............................................................74
Table 34: List of encryption operations on data stored on the HDD..............................................................76
Table 35: Specific terms used in this ST........................................................................................................78
1 ST Introduction
This section describes the ST reference, TOE reference, TOE overview, and TOE description.
1.1 ST Reference
The following are the identification information of this ST.
Title : imagio MP 7501/6001 series, Aficio MP 9001/8001/7001/6001 series Security Target
Version : 1.00
Date : 2010-08-31
Author : RICOH COMPANY, LTD.
1.2 TOE Reference
This TOE is a digital multi function product (hereafter called "MFP") with an optional product, Fax Controller Unit (hereafter called "FCU"). The MFP is identified by the product name of the MFP (hereafter called "MFP name"), MFP model, and version of software/hardware, and the FCU is identified by the product name of the FCU (hereafter called "FCU name") and the version of FCU. The following are the identification information for the TOE.
Manufacturer : RICOH COMPANY, LTD.
MFP Name : Table 1 shows the MFP names for the Japanese version "Ricoh imagio MP 7501/6001 series" and the English version "Ricoh Aficio MP 9001/8001/7001/6001 series".
Table 1: MFP names for each series
Name of series : Ricoh imagio MP 7501/6001 series
MFP name :
- Ricoh imagio MP 6001
- Ricoh imagio MP 7501
Name of series : Ricoh Aficio MP 9001/8001/7001/6001 series
MFP name :
- Ricoh Aficio MP 6001
- Ricoh Aficio MP 7001
- Ricoh Aficio MP 8001
- Ricoh Aficio MP 9001
- Savin 9060
- Savin 9070
- Savin 9080
- Savin 9090
- Lanier LD360
- Lanier LD370
- Lanier LD380
- Lanier LD390
- Lanier MP 6001
- Lanier MP 7001
- Lanier MP 8001
- Lanier MP 9001
- Gestetner MP 6001
- Gestetner MP 7001
- Gestetner MP 8001
- Gestetner MP 9001
- nashuatec MP 6001
- nashuatec MP 7001
- nashuatec MP 8001
- nashuatec MP 9001
- Rex-Rotary MP 6001
- Rex-Rotary MP 7001
- Rex-Rotary MP 8001
- Rex-Rotary MP 9001
- infotec MP 6001
- infotec MP 7001
- infotec MP 8001
- infotec MP 9001
MFP Model : SP
MFP Version :
Software : System/Copy 1.15, Network Support 8.65, Scanner 01.19, Printer 1.15, Fax 02.00.00, Web Support 1.09, Web Uapl 1.05, Network Doc Box 1.04
Hardware : Ic Key 1100, Ic Ctlr 03
FCU Name : <Japanese version> imagio FAX Unit Type 18
: <English version> Fax Option Type 9001
FCU Version : GWFCU3-16(WW) 02.00.00
Note: If an "e" is suffixed to the printer version (described as "X.YY"), the "e" identifies the language of the printer version (the English version is suffixed with an "e" and the Japanese version is not suffixed with an "e"). This suffix does not affect any Security Functions. "X.YY" is used for the identification of Security Functions.
Keywords : Digital MFP, Documents, Copy, Print, Scanner, Fax, Network, Office
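A practical use of the TOE reference above is confirming that a deployed MFP actually runs the evaluated component versions, since an upgraded or downgraded component takes the device out of the certified configuration. The following is an added example, not Ricoh code; it assumes a constructed "Component: version" listing as its input format (the real device's configuration page is not described here) and applies the note's rule that only "X.YY" of the Printer version, not the language suffix "e", identifies the Security Functions.

```python
import re

# Component versions of the evaluated TOE, taken from section 1.2 of this ST.
EVALUATED_SOFTWARE = {
    "System/Copy": "1.15",
    "Network Support": "8.65",
    "Scanner": "01.19",
    "Printer": "1.15",
    "Fax": "02.00.00",
    "Web Support": "1.09",
    "Web Uapl": "1.05",
    "Network Doc Box": "1.04",
}
EVALUATED_HARDWARE = {"Ic Key": "1100", "Ic Ctlr": "03"}
# The FCU is optional; its version is checked only when the report lists one.
EVALUATED_FCU_VERSION = "GWFCU3-16(WW) 02.00.00"

# Printer version "X.YY" with an optional language suffix "e" (note in 1.2).
PRINTER_VERSION_RE = re.compile(r"^(\d+\.\d{2})(e?)$")


def normalise_printer_version(reported):
    """Strip the language suffix described in the note in 1.2.

    Returns (version_without_suffix, language), or (None, None) when the
    string is not of the form X.YY or X.YYe."""
    m = PRINTER_VERSION_RE.match(reported.strip())
    if not m:
        return None, None
    return m.group(1), "English" if m.group(2) else "Japanese"


def parse_version_report(text):
    """Parse "Component: version" lines (constructed format, see lead-in)."""
    versions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition(":")
        if sep:
            versions[name.strip()] = version.strip()
    return versions


def check_toe_configuration(reported):
    """Compare a parsed report with the evaluated configuration.

    Returns a list of (component, reported_version, expected_version);
    reported_version is None when the component is absent from the report.
    An empty list means the device matches the evaluated TOE."""
    findings = []
    expected_all = {**EVALUATED_SOFTWARE, **EVALUATED_HARDWARE}
    for name, expected in expected_all.items():
        raw = reported.get(name)
        if raw is None:
            findings.append((name, None, expected))
            continue
        compare = raw
        if name == "Printer":
            # Only X.YY identifies the Security Functions; "e" is language only.
            compare, _language = normalise_printer_version(raw)
        if compare != expected:
            findings.append((name, raw, expected))
    fcu = reported.get("FCU")
    if fcu is not None and fcu != EVALUATED_FCU_VERSION:
        findings.append(("FCU", fcu, EVALUATED_FCU_VERSION))
    return findings


# Constructed sample listings (not real device output).
SAMPLE_REPORT = """\
# constructed MFP configuration listing
System/Copy: 1.15
Network Support: 8.65
Scanner: 01.19
Printer: 1.15e
Fax: 02.00.00
Web Support: 1.09
Web Uapl: 1.05
Network Doc Box: 1.04
Ic Key: 1100
Ic Ctlr: 03
FCU: GWFCU3-16(WW) 02.00.00
"""
# Same listing with a newer Network Support build and the Ic Ctlr line missing.
DRIFTED_REPORT = SAMPLE_REPORT.replace(
    "Network Support: 8.65", "Network Support: 8.70").replace("Ic Ctlr: 03\n", "")

if __name__ == "__main__":
    for label, report in (("sample", SAMPLE_REPORT), ("drifted", DRIFTED_REPORT)):
        findings = check_toe_configuration(parse_version_report(report))
        status = "matches evaluated TOE" if not findings else f"{len(findings)} mismatch(es)"
        print(f"{label}: {status}")
        for component, got, expected in findings:
            print(f"  {component}: reported {got!r}, evaluated {expected!r}")
```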
1.3 TOE Overview
This section defines the TOE type, TOE usage and major security features of the TOE, and the environment for the TOE usage and non-TOE configuration items.
1.3.1 TOE Type
The TOE is an MFP, which is an IT device that provides the functions of a copier, scanner, printer, and fax (optional). These functions are for digitising paper documents and managing and printing them.
1.3.2 TOE Usage and Major Security Features of TOE
The TOE has functions for inputting paper and electronic documents into the TOE, storing the input document data, and outputting it. Paper documents are input using the MFP's scanning device, and electronic documents are input by receiving them from a client computer via a network, USB connection, or fax. The output function includes printing, Fax Transmission, and transferring to networked servers or client computers. The TOE incorporates some of these functions and provides a Copy Function, Scanner Function, Printer Function, and Fax Function. Users can use these functions from the Operation Panel. Users can also use some of these functions remotely.
The following are the major Security Functions of the TOE in this ST:
1. Audit Function
2. Identification and Authentication Function
3. Document Data Access Control Function
4. Stored Data Protection Function
5. Network Communication Data Protection Function
6. Security Management Function
7. Service Mode Lock Function
8. Telephone Line Intrusion Protection Function
9. MFP Control Software Verification Function
For the Security Functions listed above, each function is described in "1.4.4.2 Security Functions".
1.3.3 Environment for TOE Usage and Non-TOE Configuration Items
The TOE is assumed to be located in a general office. The TOE can be connected to other devices over a network, telephone line, or USB connection, according to users' needs. Users can operate the TOE from the Operation Panel, a client computer connected to the local network, or a client computer connected to the TOE through USB. Figure 1 shows an example of the assumed TOE environment.
Figure 1: Example of TOE environment (figure not reproduced; its labels show an office containing the MFP (TOE) on the internal network, client computers with a Web browser, printer driver and fax driver, one client computer connected by USB, SMTP, FTP and SMB servers, a firewall between the internal network and the Internet (external network), and a telephone line)
The following describes non-TOE configuration:
Internal Network
The internal network connects the TOE with various types of servers (FTP, SMB, and SMTP servers) and client computers. It is connected to the Internet via a firewall. The internal network uses IPv4.
Client Computer
A Web browser of a client computer that is connected to the internal network allows users to access and operate the TOE, and permits data communications. Internet Explorer 6.0 or later must be pre-installed on the client computer. To print and fax from the client computer via the internal network or USB connection, the printer driver (RPCS printer driver for Ricoh imagio MP 7501/6001 series MFP and the PCL printer driver for Ricoh Aficio MP 9001/8001/7001/6001 series MFP) and fax driver must be downloaded and installed into the client computer from the website indicated in the user guidance.
FTP Server
The FTP server is used by the TOE to deliver the document data stored in the TOE to folders on the FTP server.
SMB Server
The SMB server is used by the TOE to send the document data stored in the TOE to folders on the SMB server.
SMTP Server
The SMTP server is used by the TOE to send the document data stored in the TOE to a client computer by e-mail.
Telephone Line
A telephone line is a line used to send and receive fax data from an external fax when the optional fax is installed.
Firewall
A firewall is a device that is set between the internal and the external network and protects the internal network from the external network.
1.4 TOE Description
This section describes the physical boundaries of the TOE, user guidance documents, user roles, logical boundaries of the TOE, and protected assets.
1.4.1 Physical Boundary of TOE
The physical boundary of the TOE is the MFP, which consists of the following hardware (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, Ic Ctlr, HDD, Network Unit, USB Port, and SD Card Slot. Figure 2 outlines the configuration of the TOE hardware.
Figure 2: Hardware configuration of TOE
Operation Panel Unit (hereafter "Operation Panel")
The Operation Panel is an interface device that is installed on the TOE for use by users. It features key switches, LED indicators, an LCD touch screen, and the Operation Panel Control Board. The Operation Panel Control Software is installed in the Operation Panel Control Board. The Operation Panel Control Software controls the LEDs and displays information on the LCD touch screen after input information has been sent from the key switches and LCD touch screen to the MFP Control Software, or in response to direct instructions from the MFP Control Software.
Engine Unit
The Engine Unit contains a Scanner Engine, Printer Engine, and the Engine Control Board. The Scanner Engine is an input device to read the paper documents. The Printer Engine is an output device for printing and outputting of paper documents. The Engine Control Software is installed in the Engine Control Board. The Engine Control Software sends information about the status of the Scanner Engine and Printer Engine to the MFP Control Software, and operates the Scanner Engine or Printer Engine according to instructions from the MFP Control Software.
Fax Unit (optional)
The Fax Unit is a device that has a modem function to send and receive fax data when connected to a telephone line. The Fax Unit has an interface to the MFP Control Software. The interface provides the MFP Control Software with information about the status of fax communications and controls the fax communications according to instructions from the MFP Control Software.
Controller Board
The Controller Board contains Processors, FlashROM, RAM, NVRAM, and Ic Key. It is connected to the Operation Panel Unit, Engine Unit, Fax Unit, Network Unit, USB Port, SD Card Slot, and Ic Ctlr. The Ic Ctlr is also connected to the HDD. The following are descriptions of these components:
[Processor] A semiconductor chip that carries out the basic arithmetic processing of the MFP operation.
[FlashROM] A memory medium on which System/Copy, Network Support, Fax, Web Support, Web Uapl, and Network Doc Box are installed. These components identify the TOE of the MFP Control Software.
[RAM] A volatile memory medium used for image processing.
[NVRAM] A non-volatile memory medium in which MFP Control Data for configuring the MFP operation is stored.
[Ic Key] A security chip that generates random numbers and encryption keys, and detects any tampering with the MFP Control Software.
Ic Ctlr
A security chip that encrypts information to be stored on the HDD and decrypts information to be read from the HDD.
HDD
The hard disk drive, where image data and user information for identification and authentication are stored.
Network Unit
The Network Unit is an interface board for connection to an Ethernet (100BASE-TX/10BASE-T) network.
USB Port
The USB Port is used to connect a client computer to the TOE so that users can print or fax from that client computer.
SD Card Slot/SD Card
Customer engineers (hereafter called a "CE") use the SD Card Slot if they use an SD card for maintenance operations. The SD Card Slot is also used to read the SD Card on which the Scanner and Printer components are installed; these components are part of the MFP Control Software, and this SD Card must always remain in the SD Card Slot. The SD Card Slot is located on the side of the TOE, and is normally covered. When a CE performs maintenance work, s/he removes this cover to insert and remove the SD card. When installing the TOE, the CE inserts an SD card into the SD Card Slot to activate the Stored Data Protection Function.
1.4.2 Guidance Documents
The following sets of user guidance documents are available for this TOE: [Japanese version], [English version-1], and [English version-2]. Selection of the guidance document sets depends on the sales areas and/or companies. Details of the document sets are as follows:
[Japanese version]
- imagio MP 9001/7501/6001 series Operating Instructions <About This Machine> (Written in Japanese)
- imagio MP 9001/7501/6001 series Operating Instructions <Troubleshooting> (Written in Japanese)
- imagio MP 9001/7501/6001 series Operating Instructions <Copy & Document Server Reference> (Written in Japanese)
- imagio MP 9001/7501/6001 series Operating Instructions <Facsimile Reference> (Written in Japanese)
- imagio MP 9001/7501/6001 series Operating Instructions <Security Reference> (Written in Japanese)
- Operating Instructions Drivers & Utilities imagio MP 9001/9001T/7501/6001
- imagio MP 9001/7501/6001 series Operating Instructions <Notes for Security Functions> (Written in Japanese)
- Notes for Administrators: Using this Machine in a CC-Certified Environment (Written in Japanese)
[English version-1]
- 9060/9070/9080/9090 MP 6001/MP 7001/MP 8001/MP 9001 LD360/LD370/LD380/LD390 Aficio MP 6001/7001/8001/9001 Operating Instructions About This Machine
- 9060/9070/9080/9090 MP 6001/MP 7001/MP 8001/MP 9001 LD360/LD370/LD380/LD390 Aficio MP 6001/7001/8001/9001 Operating Instructions Troubleshooting
- 9060/9070/9080/9090 MP 6001/MP 7001/MP 8001/MP 9001 LD360/LD370/LD380/LD390 Aficio MP 6001/7001/8001/9001 Operating Instructions Copy and Document Server Reference
- Quick Reference Copy Guide
- Quick Reference Fax Guide
- Quick Reference Printer Guide
- Quick Reference Scanner Guide
- Manuals for Users
9060/9060sp/9070/9070sp/9080/9080sp/9090/9090sp MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP LD360/LD360 sp/LD370/LD370 sp/LD380/LD380 sp/LD390/LD390 sp Aficio MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP
- Manuals for Administrators
9060/9060sp/9070/9070sp/9080/9080sp/9090/9090sp MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP LD360/ LD360 sp/LD370/LD370 sp/LD380/LD380 sp/LD390/LD390 sp Aficio MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP
- Notes for Security Functions
- Notes for Administrators: Using this Machine in a CC-Certified Environment
[English version-2]
- Manuals for This Machine
- Quick Reference Copy Guide
- Quick Reference Fax Guide
- Quick Reference Printer Guide
- Quick Reference Scanner Guide
- Manuals for Users
MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP Aficio MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP A
- Manuals for Administrators
Security Reference
MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP Aficio MP 6001/MP 6001 SP/MP 7001/MP 7001 SP/MP 8001/MP 8001 SP/MP 9001/MP 9001 SP
- Notes for Security Functions
- Notes for Administrators: Using this Machine in a CC-Certified Environment
1.4.3 User Roles
This section describes the roles involved in this TOE operation.
1.4.3.1 Responsible Manager of MFP
The "responsible manager" of the MFP is a person who belongs to the organisation that uses the TOE, and has the role of selecting the TOE administrators and TOE supervisor. The responsible manager of the MFP selects up to four administrators and one supervisor. When selecting administrators, the responsible manager assigns each administrator one or more of the following administrator roles: user administration, machine administration, network administration, and/or file administration.
1.4.3.2 Administrator
An "administrator" is a user who is registered on the TOE as an administrator. One to four administrators can be registered for the TOE. Administrator roles for administrators include user administration, machine administration, network administration, and file administration. Administrators may have concurrent administrator roles, and administrator roles can be assigned to one or more administrators. One default administrator is registered and assigned to all four administrator roles as a factory setting. When the TOE is being installed, the administrators who are selected by the responsible manager change the settings of their own administrator IDs, passwords, and administrator roles. Table 2 describes the duties involved in each administrator role.
Table 2: List of administrator roles
Administrator role Explanation about duties involved
User administration : Managing general users.
Machine administration : Managing machines and performing audits.
Network administration : Managing the TOE's network connections.
File administration : Managing the documents stored in the TOE.
1.4.3.3 Supervisor
The "supervisor" is a user who manages and changes administrator passwords. One supervisor must be registered for the TOE. The default supervisor is registered for the TOE as a factory setting. The person selected to be a supervisor by the responsible manager can change the supervisor ID and password of the default supervisor.
1.4.3.4 General User
A "general user" is an authorised TOE user who is registered in the Address Book by a user administrator. General users can store document data in the TOE and perform operations on the document data.
1.4.3.5 Customer Engineer
A customer engineer (hereafter "CE") is an expert in maintenance of the TOE and is employed by manufacturers, technical support service companies, and sales companies.
1.4.4 Logical Boundaries of TOE
The logical boundaries of the TOE comprise the functions provided by the TOE. This section describes the "Basic Functions", which are the services the TOE provides to users, and the "Security Functions", which counter threats to the TOE. These functions are outlined in Figure 3.
Figure 3: Logical boundaries of TOE
1.4.4.1 Basic Functions
Basic Functions include the Copy Function, Printer Function, Fax Function, Scanner Function, Document Server Function, and Management Function, which are operated from the Operation Panel, and the Web Service Function, which is operated from the Web browser of a client computer. General users are provided with the Copy Function, Document Server Function, Printer Function, Fax Function, and Scanner Function. Administrators and the supervisor are provided with the Management Function. These functions are accessed by pushing the relevant buttons on the Operation Panel. General users, administrators, and the supervisor can use the Web Service Function, depending on their role.
Copy Function
This function is for scanning originals and printing the scanned image according to the Print Settings specified by the user. Print Settings include the number of copies, magnification, and custom settings (e.g. printing multiple pages onto a single sheet). In addition, the scanned original images can be stored in the D-BOX. Document data stored in the D-BOX using the Copy Function can be printed and deleted using the "Document Server Function", which is part of the Basic Functions and described later.
Printer Function
This function is for printing out the print data sent from a client computer. The TOE receives the print data from a client computer on the network or directly connected to its USB Port. The TOE prints the received data using its Direct Print Function or Store and Print Function. The print data can be stored in the D-BOX as document data using the Store and Print Function, and the stored document data can be printed and deleted using the "Document Server Function", which is part of the Basic Functions and described later.
Fax Function
This function is for sending and receiving fax data over a telephone line. The Fax Function consists of the Fax Receive Function (hereafter "Fax Reception"), the Fax Transmission Function (hereafter "Fax Transmission"), and a function for printing and deleting fax data. Fax Reception either prints received fax data, or converts received fax data into fax reception data and then stores it in the D-BOX. Fax reception data stored in the D-BOX can be printed and deleted using the Fax Function or the "Document Server Function", which is part of the Basic Functions and described later. Fax Transmission includes Immediate Transmission, Memory Transmission, and Stored Documents Fax Transmission, which are available from the Operation Panel, and also includes LAN-Fax Transmission, which is available from a client computer. Document data stored in the D-BOX for faxing can be printed and deleted using the "Document Server Function", which is part of the Basic Functions and described later.
Although the MFP provides IP-Fax and Internet Fax Function as a part of the Fax Function, no evaluation based on this document is applied to these functions.
Scanner Function
This function is for scanning and digitising paper originals and delivering scanned images to folders or sending them as document data by e-mail via networks. A client computer can process scanned data. This function can also be used for storing scanned images in the D-BOX as document data. Document data that is stored in the D-BOX using this function can be sent by e-mail, delivered to folders, and deleted using this function.
Document Server Function
This function is for scanning originals and storing scanned image data in the D-BOX as document data. In addition, document data stored in the D-BOX using the Copy Function, Printer Function, Fax Function, or Document Server Function can be printed and deleted using the Document Server Function. Document data stored in the D-BOX using the Scanner Function cannot be printed or deleted using the Document Server Function. When document data is printed, the Print Setting information for the stored document data will be updated according to the user's settings.
Management Function
This function is for setting the following information: information for configuring the machine operation, information for connecting the TOE to networks, user information, and information on restriction of use of document data. The user's ability to manage this information depends on the user's role (general user, administrator, or supervisor). This function is available from the Operation Panel or by accessing the Web Service Function from a client computer. Some information can be managed only from the Operation Panel, some only from a client computer, and some from both. Among the Management Functions, the security-related functions are described later under "Security Management Function" in "1.4.4.2 Security Functions". Although the Management Function also provides Back Up/Restore Address Book functions, no evaluation based on this document is applied to these functions.
Web Service Function
This function is for allowing authorised TOE users (general users, administrators or supervisor) to operate the TOE remotely from a client computer. Remote operation is possible if a Web browser is installed on the client computer and the TOE and client computer are network-connected. Users can use this function by accessing the web server of the TOE from their computer's Web browser. The following TOE operations are available:
1. Printing document data stored in the D-BOX.
Document data stored using the Copy Function, Document Server Function, Fax Function, or Printer Function can be printed. When document data is printed, the Print Setting information for the stored document data will be updated according to the user's settings.
2. Sending document data stored in the D-BOX.
Document data stored using the Scanner Function can be sent.
3. Deleting document data stored in the D-BOX.
4. Downloading document data stored in the D-BOX.
Document data stored using the Scanner Function or Fax Function can be downloaded.
5. Subset of Management Functions.
6. Checking the status of the TOE.
1.4.4.2 Security Functions
The Security Functions include the Audit Function, Identification and Authentication Function, Document Data Access Control Function, Stored Data Protection Function, Network Communication Data Protection Function, Security Management Function, Service Mode Lock Function, Telephone Line Intrusion Protection Function, and MFP Control Software Verification Function. This section describes these functions.
Audit Function
This function is for checking the operational status of the TOE, and for recording events in the audit log, which is necessary for the detection of security breaches. Only the machine administrator is able to read and delete the recorded audit logs. The machine administrator can read the audit logs using the Web Service Function, and delete the audit logs using both the Operation Panel and the Web Service Function.
Identification and Authentication Function
This function is for those who attempt to use the TOE from the Operation Panel or a client computer. It prompts users to enter their user IDs and authentication details for user identification and authentication. However, when printing or faxing from a client computer, the user enters their user ID and authentication details in the printer or fax driver, which is outside the TOE, and the driver sends them to the TOE. The TOE then attempts to identify and authenticate the user with the received user ID and authentication information.
The Identification and Authentication Function includes the following:
- Account Lockout: If the number of consecutive unsuccessful attempts with the same particular user ID reaches the specified Number of Attempts before Lockout, this function temporarily prevents further login attempts from this user ID.
- Authentication Feedback Area Protection: When a user enters their password, this function masks the password with protection characters as it appears in the authentication feedback area, in order to prevent the password being viewed by others.
- Password Quality Maintenance: This forces users to register passwords that satisfy both the Minimum Password Length and Password Complexity Setting, which the user administrator sets in advance.
Although this TOE has other Identification and Authentication Functions, this evaluation does not cover the functions other than those listed above.
Document Data Access Control Function
This function restricts operations on document data stored in the D-BOX to specified users only. Operations on document data include reading and deleting. Each of these operations is as follows:
- Reading document data: Read document data stored in the D-BOX.
- Deleting document data: Delete document data stored in the D-BOX.
The TOE allows specified users (file administrators and general users) to perform operations on document data. File administrators are allowed to delete any document data. General users are allowed to perform only the operations that are authorised by their permissions to process document data. The operation permissions for document data are read-only, edit, edit/delete, and full control. The edit permission allows the same operations on document data as the read-only permission, and additionally allows changing the Print Settings. Table 3 shows the relationship between the operations authorised by the permissions to process document data and the operations possible on the document data.
Table 3: Correspondence between operations authorised by permissions to process document data and operations possible on document data
Operation permissions | Reading document data | Deleting document data
Read-only | X |
Edit | X |
Edit/delete | X | X
Full control | X | X
X: possible, Blank: impossible
The operation permissions for each document can be specified for each general user.
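The decision rules of the Document Data Access Control Function and Table 3, as an added Python model that is not part of the Security Target or of Ricoh's product code; the user IDs, the document name and the `change_print_settings` operation name are constructed for illustration:

```python
# Added example, not Ricoh's code: a model of the Document Data Access
# Control Function and Table 3 above. User IDs and document names are constructed.
from dataclasses import dataclass, field

# Operations each permission authorises. "read" and "delete" follow Table 3;
# "change_print_settings" follows the note on the edit permission above.
# Full control differs from edit/delete only in ACL management, described later.
OPERATIONS_BY_PERMISSION = {
    "read-only": {"read"},
    "edit": {"read", "change_print_settings"},
    "edit/delete": {"read", "change_print_settings", "delete"},
    "full control": {"read", "change_print_settings", "delete"},
}


@dataclass
class User:
    user_id: str
    role: str  # "general user" or "file administrator"


@dataclass
class Document:
    name: str
    acl: dict = field(default_factory=dict)  # user_id -> permission name


def is_permitted(user: User, doc: Document, operation: str) -> bool:
    """Decide whether `user` may perform `operation` on the document data."""
    # File administrators may delete any document data; the ST grants them
    # no other operation on it.
    if user.role == "file administrator":
        return operation == "delete"
    # General users get only what their own ACL entry authorises;
    # a user without an entry has no access at all.
    permission = doc.acl.get(user.user_id)
    if permission is None:
        return False
    return operation in OPERATIONS_BY_PERMISSION[permission]


def permitted_operations(user: User, doc: Document) -> set:
    """All operations `user` may perform on `doc`, for a quick policy review."""
    return {op for op in ("read", "change_print_settings", "delete")
            if is_permitted(user, doc, op)}
```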
Stored Data Protection Function
The Stored Data Protection Function is for protecting document data stored on the HDD from leakage, by making it difficult to understand unless the document data is accessed and read in the normal way.
Network Communication Data Protection Function
This function is for protecting document data and print data in transit on the network from unauthorised access. The communication protocol that is used to protect the communication data differs according to the method by which the document or print data is sent. The network administrator decides the communication protocol to apply based on the environment in which the TOE is operating and the intended usage of the TOE.
1. Download document data using the Web Service Function from a client computer (SSL protocol)
2. Print or fax from a client computer (SSL protocol)
3. Deliver document data to FTP server or SMB server from the TOE (IPSec protocol)
4. Send document data attached to e-mail to a client computer from the TOE (S/MIME)
Security Management Function
This function allows administrators, supervisor, and general users who have been successfully authenticated by the previously described "Identification and Authentication Function" to perform the following operations for security management according to user role.
1. Management of document data ACL
Allows only specified users to modify the document data ACL. Modifying the document data ACL includes changing document file owners, registering new document file users for the document data ACL, deleting document file users previously registered for the document data ACL, and changing operation permissions specified in document data. Only file administrators can change the document file owners. File administrators, document file owners, and document file users with full control permissions can perform other operations. When document data is stored, its document data ACL is set to the document data default ACL.
2. Management of administrator information
Allows specified users to register and delete administrators, to add and delete administrator roles, and change administrator IDs and passwords. Only administrators are allowed to register another administrator or add an administrator role to another administrator. Such administrators can delete an administrator or an administrator role, and change an administrator's ID. Administrators and a supervisor can change administrator passwords. An administrator is permitted to add an administrator role to another administrator, provided that the first administrator is already assigned that administrator role, and an administrator is permitted to delete one of his/her administrator roles, provided that at least one other administrator is assigned that administrator role. Since administrators are required to have at least one administrator role, one or more of their roles must be given to a new administrator when they register another administrator. If administrators delete all of their own administrator roles, their administrator information will be automatically deleted.
3. Management of general user information
Allows only users with specified user roles to newly create, change, and delete general user information. The relationship between user roles and authorised operations is:
- User administrators can newly create, change, and delete general user information.
- General users can change their own general user information that is registered to them in the Address Book, with the exception of their user IDs.
4. Management of supervisor information
A supervisor can change his/her supervisor ID and password.
5. Management of machine control data
Each administrator is allowed to configure the items of machine control data that correspond to their administrator role (machine administrator, user administrator, or file administrator).
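The constraints in item 2 above (only an administrator registers another, a role can be granted only by an administrator who holds it, an administrator's own role can be dropped only while another administrator still holds it, and an administrator left with no roles is removed), together with the one-to-four administrator limit from 1.4.3.2, as an added Python model that is not Ricoh's code; the administrator IDs and short role names are constructed:

```python
# Added example, not Ricoh's code: a model of the rules in
# "Management of administrator information" above. IDs are constructed.
ADMIN_ROLES = frozenset({"user", "machine", "network", "file"})
MAX_ADMINS = 4

class AdminRegistry:
    """Administrator IDs mapped to their role sets, with the ST's constraints."""
    def __init__(self):
        # Factory setting: one default administrator holding all four roles.
        self.roles = {"admin": set(ADMIN_ROLES)}

    def _require_admin(self, admin_id):
        if admin_id not in self.roles:
            raise PermissionError(f"{admin_id!r} is not a registered administrator")

    def register_admin(self, actor, new_id, roles):
        """Only an administrator may register another. The new administrator
        needs at least one role, and the actor must hold every role it grants."""
        self._require_admin(actor)
        roles = set(roles)
        if new_id in self.roles:
            raise ValueError(f"{new_id!r} is already registered")
        if len(self.roles) >= MAX_ADMINS:
            raise ValueError("one to four administrators can be registered")
        if not roles:
            raise ValueError("an administrator must have at least one role")
        if not roles <= self.roles[actor]:
            raise PermissionError("actor can only grant roles it holds itself")
        self.roles[new_id] = roles

    def add_role(self, actor, target, role):
        """An administrator may add a role to another only if it holds that role."""
        self._require_admin(actor)
        self._require_admin(target)
        if role not in self.roles[actor]:
            raise PermissionError("actor can only grant a role it holds itself")
        self.roles[target].add(role)

    def delete_role(self, actor, target, role):
        """Deleting one's own role needs another holder of that role; an
        administrator whose last role is deleted is removed automatically."""
        self._require_admin(actor)
        self._require_admin(target)
        if role not in self.roles[target]:
            raise ValueError(f"{target!r} does not hold {role!r}")
        others = [a for a, r in self.roles.items() if a != target and role in r]
        if actor == target and not others:
            raise PermissionError("no other administrator holds this role")
        self.roles[target].discard(role)
        if not self.roles[target]:
            del self.roles[target]

    def holders(self, role):
        return sorted(a for a, r in self.roles.items() if role in r)
```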
Service Mode Lock Function
The Maintenance Function is used by CEs who receive a request from the machine administrator to perform maintenance on the TOE from the Operation Panel. The Service Mode Lock Function prevents the Maintenance Function from being used. In this evaluation, the Service Mode Lock Function is set to "On".
Telephone Line Intrusion Protection Function
This function is for devices equipped with a Fax Unit. It restricts communication over a telephone line to the TOE, so that the TOE receives only permitted data.