RICOH Aficio MP C5501 User Manual

Page 1
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Aficio MP C4501/C5501 series
Security Target
Author : RICOH COMPANY, LTD. Date : 2011-07-18 Version : 1.00
Portions of Aficio MP C4501/C5501 series Security Target are reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, Copyright © 2009 IEEE. All rights reserved.
This document is a translation of the evaluated and certified security target written in Japanese.
Revision History
Version Date Author Detail
1.00 2011-07-18 RICOH COMPANY, LTD. Publication version.
Table of Contents
1 ST Introduction ...................................................................................................................7
1.1 ST Reference ................................................................................................................7
1.2 TOE Reference .............................................................................................................7
1.3 TOE Overview..............................................................................................................8
1.3.1 TOE Type ..................................................................................................................... 8
1.3.2 TOE Usage................................................................................................................... 8
1.3.3 Major Security Features of TOE .............................................................................. 10
1.4 TOE Description.........................................................................................................11
1.4.1 Physical Boundary of TOE ........................................................................................11
1.4.2 Guidance Documents ................................................................................................ 14
1.4.3 Definition of Users .................................................................................................... 18
1.4.3.1. Direct User ......................................................................................................... 18
1.4.3.2. Indirect User ...................................................................................................... 19
1.4.4 Logical Boundary of TOE ......................................................................................... 21
1.4.4.1. Basic Functions .................................................................................................. 21
1.4.4.2. Security Functions ............................................................................................. 24
1.4.5 Protected Assets ........................................................................................................ 26
1.4.5.1. User Data ........................................................................................................... 26
1.4.5.2. TSF Data ............................................................................................................ 27
1.4.5.3. Functions ............................................................................................................ 27
1.5 Glossary......................................................................................................................27
1.5.1 Glossary for This ST ................................................................................................. 27
2 Conformance Claim........................................................................................................... 31
2.1 CC Conformance Claim ..............................................................................................31
2.2 PP Claims................................................................................................................... 31
2.3 Package Claims..........................................................................................................31
2.4 Conformance Claim Rationale....................................................................................32
2.4.1 Consistency Claim with TOE Type in PP................................................................ 32
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ......... 32
2.4.3 Consistency Claim with Security Requirements in PP .......................................... 33
3 Security Problem Definitions ............................................................................................36
3.1 Threats .......................................................................................................................36
3.2 Organisational Security Policies ................................................................................37
3.3 Assumptions............................................................................................................... 37
4 Security Objectives............................................................................................................ 39
4.1 Security Objectives for TOE .......................................................................................39
4.2 Security Objectives of Operational Environment .......................................................40
4.2.1 IT Environment ......................................................................................................... 40
4.2.2 Non-IT Environment................................................................................................. 41
4.3 Security Objectives Rationale.....................................................................................42
4.3.1 Correspondence Table of Security Objectives ......................................................... 42
4.3.2 Security Objectives Descriptions ............................................................................. 43
5 Extended Components Definition......................................................................................47
5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP) .......................47
6 Security Requirements...................................................................................................... 49
6.1 Security Functional Requirements.............................................................................49
6.1.1 Class FAU: Security audit ........................................................................................ 49
6.1.2 Class FCS: Cryptographic support .......................................................................... 52
6.1.3 Class FDP: User data protection ............................................................................. 53
6.1.4 Class FIA: Identification and authentication ......................................................... 58
6.1.5 Class FMT: Security management........................................................................... 61
6.1.6 Class FPT: Protection of the TSF............................................................................. 67
6.1.7 Class FTA: TOE access ............................................................................................. 68
6.1.8 Class FTP: Trusted path/channels........................................................................... 68
6.2 Security Assurance Requirements..............................................................................68
6.3 Security Requirements Rationale...............................................................................69
6.3.1 Tracing ....................................................................................................................... 69
6.3.2 Justification of Traceability...................................................................................... 71
6.3.3 Dependency Analysis ................................................................................................ 77
6.3.4 Security Assurance Requirements Rationale.......................................................... 79
7 TOE Summary Specification.............................................................................................80
7.1 Audit Function ...........................................................................................................80
7.2 Identification and Authentication Function ...............................................................82
7.3 Document Access Control Function ............................................................................84
7.4 Use-of-Feature Restriction Function .......................................................................... 86
7.5 Network Protection Function..................................................................................... 87
7.6 Residual Data Overwrite Function.............................................................................87
7.7 Stored Data Protection Function................................................................................88
7.8 Security Management Function .................................................................................88
7.9 Software Verification Function...................................................................................93
7.10 Fax Line Separation Function....................................................................................93
List of Figures
Figure 1 : Example of TOE Environment........................................................................................................9
Figure 2 : Hardware Configuration of the TOE.............................................................................................12
Figure 3 : Logical Scope of the TOE.............................................................................................................21
List of Tables
Table 1 : Identification Information of TOE....................................................................................................7
Table 2 : Guidance for English Version-1......................................................................................................14
Table 3 : Guidance for English Version-2......................................................................................................15
Table 4 : Guidance for English Version-3......................................................................................................17
Table 5 : Guidance for English Version-4......................................................................................................17
Table 6 : Definition of Users .........................................................................................................................19
Table 7 : List of Administrative Roles...........................................................................................................19
Table 8 : Definition of User Data ..................................................................................................................26
Table 9 : Definition of TSF Data...................................................................................................................27
Table 10 : Specific Terms Related to This ST...............................................................................................27
Table 11 : Rationale for Security Objectives.................................................................................................42
Table 12 : List of Auditable Events...............................................................................................................49
Table 13 : List of Cryptographic Key Generation.........................................................................................53
Table 14 : List of Cryptographic Operation...................................................................................................53
Table 15 : List of Subjects, Objects, and Operations among Subjects and Objects (a).................................54
Table 16 : List of Subjects, Objects, and Operations among Subjects and Objects (b).................................54
Table 17 : Subjects, Objects and Security Attributes (a) ...............................................................................54
Table 18 : Rules to Control Operations on Document Data and User Jobs (a)..............................................55
Table 19 : Additional Rules to Control Operations on Document Data and User Jobs (a)............................56
Table 20 : Subjects, Objects and Security Attributes (b)...............................................................................57
Table 21 : Rule to Control Operations on MFP Applications (b) ..................................................................57
Table 22 : List of Authentication Events of Basic Authentication.................................................................58
Table 23 : List of Actions for Authentication Failure....................................................................................58
Table 24 : List of Security Attributes for Each User That Shall Be Maintained............................................59
Table 25 : Rules for Initial Association of Attributes....................................................................................61
Table 26 : User Roles for Security Attributes (a)...........................................................................................62
Table 27 : User Roles for Security Attributes (b)..........................................................................................63
Table 28 : Authorised Identified Roles Allowed to Override Default Values................................................64
Table 29 : List of TSF Data...........................................................................................................................65
Table 30 : List of Specification of Management Functions...........................................................................66
Table 31 : TOE Security Assurance Requirements (EAL3+ALC_FLR.2)....................................................69
Table 32 : Relationship between Security Objectives and Functional Requirements....................................70
Table 33 : Results of Dependency Analysis of TOE Security Functional Requirements ..............................77
Table 34 : List of Audit Events......................................................................................................................80
Table 35 : List of Audit Log Items................................................................................................................81
Table 36 : Unlocking Administrators for Each User Role.............................................................................83
Table 37 : Stored Documents Access Control Rules for Normal Users.........................................................85
Table 38 : Encrypted Communications Provided by the TOE.......................................................................87
Table 39 : List of Cryptographic Operations for Stored Data Protection......................................................88
Table 40 : Management of TSF Data.............................................................................................................89
Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP.................92
1 ST Introduction
This section describes ST Reference, TOE Reference, TOE Overview and TOE Description.
1.1 ST Reference
The following are the identification information of this ST.
Title : Aficio MP C4501/C5501 series Security Target
Version : 1.00
Date : 2011-07-18
Author : RICOH COMPANY, LTD.
1.2 TOE Reference
This TOE is identified by the following: digital multi function product (hereafter "MFP") and Fax Controller Unit (hereafter "FCU"), all of which constitute the TOE. The MFP is identified by its product name and version. Although the MFP product names vary depending on sales areas and/or sales companies, the components are identical. MFP versions consist of software and hardware versions. The FCU is identified by its name and version. Table 1 shows the identification information of the TOE.
Table 1 : Identification Information of TOE
MFPs
Names : Ricoh Aficio MP C4501, Ricoh Aficio MP C5501, Ricoh Aficio MP C4501G, Ricoh Aficio MP C5501G, Gestetner MP C4501, Gestetner MP C5501, Lanier MP C4501, Lanier MP C5501, Lanier LD645C, Lanier LD655C, Lanier LD645CG, Lanier LD655CG, nashuatec MP C4501, nashuatec MP C5501, Rex-Rotary MP C4501, Rex-Rotary MP C5501, infotec MP C4501, infotec MP C5501, Savin C9145, Savin C9155, Savin C9145G, Savin C9155G
Versions :
- Software : System/Copy 2.02, Network Support 10.54, Scanner 01.11.1, Printer 1.01, Fax 02.01.00, RemoteFax 01.00.00, Web Support 1.06, Web Uapl 1.01, NetworkDocBox 1.01, animation 1.00, PCL 1.02, OptionPCLFont 1.02, Engine 1.03:04, OpePanel 1.06, LANG0 1.06, LANG1 1.06, Data Erase Std 1.01x
- Hardware : Ic Key 01020700, Ic Ctlr 03
Options
FCU name : Fax Option Type C5501 GWFCU3-21(WW)
Version : 03.00.00
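As an added example (not part of the Security Target), the following check compares the component versions an installed machine reports with the evaluated configuration in Table 1, so an operator can confirm the deployed MFP is actually the certified TOE. The line format of the reported list and the use of the FCU model name GWFCU3-21(WW) as its component key are assumptions.

```python
# Added example, not from the Security Target: compare the component
# versions an installed machine reports with the evaluated TOE
# configuration from Table 1. How the reported versions are collected
# (e.g. parsed from the configuration page printout) is an assumption.

EVALUATED_TOE = {
    # MFP Control Software and related software components (Table 1)
    "System/Copy": "2.02",
    "Network Support": "10.54",
    "Scanner": "01.11.1",
    "Printer": "1.01",
    "Fax": "02.01.00",
    "RemoteFax": "01.00.00",
    "Web Support": "1.06",
    "Web Uapl": "1.01",
    "NetworkDocBox": "1.01",
    "animation": "1.00",
    "PCL": "1.02",
    "OptionPCLFont": "1.02",
    "Engine": "1.03:04",
    "OpePanel": "1.06",
    "LANG0": "1.06",
    "LANG1": "1.06",
    "Data Erase Std": "1.01x",
    # Hardware components (Table 1)
    "Ic Key": "01020700",
    "Ic Ctlr": "03",
    # Option: Fax Controller Unit, keyed by its model name (assumption)
    "GWFCU3-21(WW)": "03.00.00",
}


def parse_configuration_lines(lines):
    """Turn 'Component Version' lines into a dict (format is assumed).

    Component names may contain spaces ("Data Erase Std"), so the version
    is the last whitespace-separated token. Blank and '#' lines are skipped.
    """
    reported = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        reported[" ".join(parts[:-1])] = parts[-1]
    return reported


def check_evaluated_configuration(reported, evaluated=EVALUATED_TOE):
    """Return findings as (component, expected, actual, kind) tuples.

    An empty list means every evaluated component is present at exactly the
    evaluated version. Versions are compared as exact strings: a certified
    configuration is one specific build, so a newer version is a deviation
    from the evaluated TOE, not an upgrade of it.
    """
    findings = []
    for component, expected in evaluated.items():
        actual = reported.get(component)
        if actual is None:
            findings.append((component, expected, None, "missing"))
        elif actual != expected:
            findings.append((component, expected, actual, "mismatch"))
    # Anything the machine reports that the evaluated configuration lacks
    for component in sorted(set(reported) - set(evaluated)):
        findings.append((component, None, reported[component], "unevaluated"))
    return findings


# Constructed sample printout (not real device output): Network Support is
# one release behind, Data Erase Std is absent, and an unevaluated module
# is present.
SAMPLE_PRINTOUT = """
System/Copy 2.02
Network Support 10.53
Scanner 01.11.1
Printer 1.01
Fax 02.01.00
RemoteFax 01.00.00
Web Support 1.06
Web Uapl 1.01
NetworkDocBox 1.01
animation 1.00
PCL 1.02
OptionPCLFont 1.02
Engine 1.03:04
OpePanel 1.06
LANG0 1.06
LANG1 1.06
Ic Key 01020700
Ic Ctlr 03
GWFCU3-21(WW) 03.00.00
ExtraModule 1.00
""".splitlines()


def run_sample():
    """Check the constructed sample against the evaluated configuration."""
    return check_evaluated_configuration(parse_configuration_lines(SAMPLE_PRINTOUT))
```

Any finding means the machine is outside the evaluated configuration and the certification's claims no longer cover it as deployed.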
Keywords : Digital MFP, Documents, Copy, Print, Scanner, Network, Office, Fax
1.3 TOE Overview
This section defines TOE Type, TOE Usage and Major Security Features of TOE.
1.3.1 TOE Type
This TOE is a digital multi function product (hereafter "MFP"), which is an IT device that inputs, stores, and outputs documents.
1.3.2 TOE Usage
The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
Figure 1 : Example of TOE Environment
The TOE is used by connecting to the local area network (hereafter "LAN") and telephone lines, as shown in Figure 1. Users can operate the TOE from the Operation Panel of the TOE or through LAN communications. Below, explanations are provided for the MFP, which is the TOE itself, and hardware and software other than the TOE.
MFP
The machine that is defined as the TOE. The MFP is connected to the office LAN, and users can perform the following operations from the Operation Panel of the MFP:
- Various settings for the MFP,
- Copy, fax, storage, and network transmission of paper documents,
- Print, fax, network transmission, and deletion of the stored documents.
Also, the TOE receives information via telephone lines and can store it as a document.
LAN
Network used in the TOE environment.
Client computer
Performs as a client of the TOE if it is connected to the LAN, and users can remotely operate the MFP from the client computer. The possible remote operations from the client computer are as follows:
- Various settings for the MFP using a Web browser installed on the client computer,
- Operation of documents using a Web browser installed on the client computer,
- Storage and printing of documents using the printer driver installed on the client computer,
- Storage and faxing of documents using the fax driver installed on the client computer.
Telephone line
A public line for the TOE to communicate with external faxes.
Firewall
A device to prevent the office environment from network attacks via the Internet.
FTP Server
A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.
SMB Server
A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.
SMTP Server
A server used by the TOE for e-mail transmission of the stored documents in the TOE.
External Authentication Server
A server that identifies and authenticates the TOE user with Windows authentication (Kerberos authentication method). This server is only used when External Authentication is applied. The TOE identifies and authenticates the user by communicating with the external authentication server via LAN.
RC Gate
An IT device used for @Remote. The function of RC Gate for @Remote is to relay communications between the MFP and maintenance centre. The TOE implements no transfer path that forwards information received from the RC Gate via the network interface to any other external interface. The RC Gate products include Remote Communication Gate A, Remote Communication Gate Type BN1, and Remote Communication Gate Type BM1.
1.3.3 Major Security Features of TOE
The TOE stores documents in it, and sends and receives documents to and from the IT devices connected to the LAN. To ensure provision of confidentiality and integrity for those documents, the TOE has the following security features:
- Audit Function
- Identification and Authentication Function
- Document Access Control Function
- Use-of-Feature Restriction Function
- Network Protection Function
- Residual Data Overwrite Function
- Stored Data Protection Function
- Security Management Function
- Software Verification Function
- Fax Line Separation Function
1.4 TOE Description
This section describes Physical Boundary of TOE, Guidance Documents, Definition of Users, Logical Boundary of TOE, and Protected Assets.
1.4.1 Physical Boundary of TOE
The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, HDD, Ic Ctlr, Network Unit, USB Port, SD Card Slot, and SD Card.
Figure 2 : Hardware Configuration of the TOE
Controller Board
The Controller Board is a device that contains Processors, RAM, NVRAM, Ic Key, and FlashROM. The Controller Board sends and receives information to and from the units and devices that constitute the MFP, and this information is used to control the MFP. The information to control the MFP is processed by the MFP Control Software on the Controller Board. The following describes the components of the Controller Board:
- Processor A semiconductor chip that performs basic arithmetic processing for MFP operations.
- RAM A volatile memory medium which is used as a working area for image processing such as compressing/decompressing the image data. It can also be used to temporarily read and write internal information.
- NVRAM A non-volatile memory medium in which TSF data for configuring MFP operations is stored.
- Ic Key A security chip that has the functions of random number generation, cryptographic key generation and digital signature. It has the memory medium inside, and the signature root key is installed before the TOE is shipped.
- FlashROM A non-volatile memory medium in which the following software components are installed: System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, and LANG1. These are part of the TOE and are included in the MFP Control Software.
Operation Panel Unit (hereafter "Operation Panel")
The Operation Panel is a user interface installed on the TOE and consists of the following devices: key switches, LED indicators, an LCD touch screen, and Operation Control Board. The Operation Control Board is connected to the key switches, LED indicators, and LCD touch screen. The Operation Panel Control Software is installed on the Operation Panel Control Board. The Operation Panel Control Software performs the following:
1. Transfers operation instructions from the key switches and the LCD touch screen to the Controller Board.
2. Controls the LEDs and displays information on the LCD touch screen according to display instructions from the Controller Board.
OpePanel, which is one of the components that constitute the TOE, is the identifier for the Operation Panel Control Software.
Engine Unit
The Engine Unit consists of Scanner Engine that is an input device to read paper documents, Printer Engine that is an output device to print and eject paper documents, and Engine Control Board. The Engine Control Software is installed in the Engine Control Board. The Engine Control Software sends status information about the Scanner Engine and Printer Engine to the Controller Board, and operates the Scanner Engine or Printer Engine according to instructions from the MFP Control Software. Engine, which is one of the components that constitute the TOE, is the identifier for the Engine Control Software.
Fax Unit
The Fax Unit is a unit that has a modem function for connection to a telephone line. It also sends and receives fax data to and from other fax devices using the G3 standard for communication. The Fax Unit sends and receives control information about the Controller Board and Fax Unit and fax data. FCU, which is one of the components that constitute the TOE, is the identifier of the Fax Unit.
HDD
The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users.
Ic Ctlr
The Ic Ctlr is a board that implements data encryption and decryption functions. It is provided with functions for HDD encryption realisation.
Network Unit
The Network Unit is an external interface to an Ethernet (100BASE-TX/10BASE-T) LAN.
USB Port
The USB Port is an external interface to connect a client computer to the TOE for printing directly from the client computer. During installation, this interface is disabled.
SD Card/SD Card Slot
The SD Card is a memory medium in which Data Erase Std (MFP Control Software) is stored. When used, the SD Card is inserted into the SD Card Slot that is inside the MFP. Only the customer engineer is allowed to open the cover and insert the SD Card into the SD Card Slot during installation.
1.4.2 Guidance Documents
The following sets of user guidance documents are available for this TOE: [English version-1], [English version-2], [English version-3], and [English version-4]. Selection of the guidance document set depends on the sales area and/or sales company. A guidance document set is supplied with each TOE component. Details of the document sets are as follows.
[English version-1]
Table 2 : Guidance for English Version-1
TOE Components / Guidance Documents for Product
MFP
- C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions About This Machine D088-7603A
- C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions Troubleshooting D088-7653A
- Quick Reference Copy Guide D088-7526
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide D088-7886
- App2Me Start Guide D085-7906B
- Notes for Users D088-7608
- Notes for Users D088-7759A
- Notes for Users D572-7010
- Manuals for Users Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD655C/LD655CG/LD655CA/LD655CAG D089-6906A
- Manuals for Administrators Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD655C/LD655CG/LD655CA/LD655CAG D089-6907A
- To Users of This Machine D029-7904
- Operating Instructions Notes on Security Functions D088-7706
- Notes for Administrators: Using this Machine in a Network Environment Compliant with IEEE Std. 2600.1™-2009 D088-7707
- Help 83NHBUENZ1.20 v116
FCU - Quick Reference Fax Guide D545-8506
[English version-2]
Table 3 : Guidance for English Version-2
TOE Components / Guidance Documents for Product
MFP
- C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions About This Machine D088-7609
- C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions Troubleshooting D088-7657
- Quick Reference Copy Guide D088-7529
- Quick Reference Printer Guide D086-7800
- Quick Reference Scanner Guide D088-7889
- App2Me Start Guide D085-7905B
- Notes for Users D572-7010
- Manuals for Users Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD655C/LD655CG/LD655CA/LD655CAG D089-6906A
- Manuals for Administrators Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/LD655C/LD655CG/LD655CA/LD655CAG D089-6907A
- Notes for Users D088-7404
- To Users of This Machine D029-7903
- Operating Instructions Notes on Security Functions D088-7708
- Notes for Administrators: Using this Machine in a Network Environment Compliant with IEEE Std. 2600.1™-2009 D088-7709
- Help 83NHBUENZ1.20 v116
FCU - Quick Reference Fax Guide D545-8506
[English version-3]
Table 4 : Guidance for English Version-3
TOE Components / Guidance Documents for Product
MFP
- Safety Information for MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A/Aficio MP C3001/Aficio MP C3501/Aficio MP C4501/Aficio MP C4501A/Aficio MP C5501/Aficio MP C5501A D088-7400A
- Quick Reference Copy Guide D088-7525
- Quick Reference Fax Guide D545-8505
- Quick Reference Printer Guide D088-7804
- Quick Reference Scanner Guide D088-7885
- App2Me Start Guide D085-7904B
- Manuals for This Machine D081-7602
- Notes for Users D088-7430
- Notes for Users D088-7420
- To Users of This Machine D029-7904
- Manuals for Users Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A A D089-6931A
- Manuals for Administrators Security Reference Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A D089-6933A
- Operating Instructions Notes on Security Functions D088-7704
- Notes for Administrators: Using this Machine in a Network Environment Compliant with IEEE Std. 2600.1TM-2009 D088-7705
- Help 83NHBUENZ1.20 v116
FCU -
[English version-4]
Table 5 : Guidance for English Version-4
TOE Components | Guidance Documents for Product
MFP |
- MP C3001/C3501/C4501/C4501A/C5501/C5501A MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Operating Instructions About This Machine D088-7605A
- MP C3001/C3501/C4501/C4501A/C5501/C5501A MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Operating Instructions Troubleshooting D088-7655A
- Quick Reference Copy Guide D088-7527
- Quick Reference Printer Guide D088-7805
- Quick Reference Scanner Guide D088-7887
- Notes for Users D088-7608
- Notes for Users D088-7759A
- App2Me Start Guide D085-7906B
- Manuals for Users Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A D089-6908A
- Manuals for Administrators Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A D089-6909A
- To Users of This Machine D029-7904
- Notes for Users D060-7781
- Operating Instructions Notes on Security Functions D088-7706
- Notes for Administrators: Using this Machine in a Network Environment Compliant with IEEE Std. 2600.1TM-2009 D088-7707
- Help 83NHBUENZ1.20 v116
FCU - Quick Reference Fax Guide D545-8507
1.4.3 Definition of Users
This section defines the users related to the TOE. These users include those who routinely use the TOE (direct users) and those who do not (indirect users). The direct users and indirect users are described as follows:
1.4.3.1. Direct User
The "user" referred to in this ST indicates a direct user. This direct user consists of normal users, administrators, and RC Gate. The following table (Table 6) shows the definitions of these direct users.
Table 6 : Definition of Users
Definition of Users | Explanation
Normal user | A user who is allowed to use the TOE. A normal user is provided with a login user name and can use Copy Function, Fax Function, Scanner Function, Printer Function, and Document Server Function.
Administrator | A user who is allowed to manage the TOE. An administrator performs management operations, which include issuing login names to normal users.
RC Gate | An IT device connected to networks. RC Gate performs the @Remote Service Function of the TOE via the RC Gate communication interface. Copy Function, Fax Function, Scanner Function, Printer Function, Document Server Function, and Management Function cannot be used.
The administrator means the user registered for TOE management. According to its roles, the administrator can be classified as the supervisor and the MFP administrator. Up to four MFP administrators can be registered and selectively authorised to perform user management, machine management, network management, and file management. Therefore, the different roles of the management privilege can be allocated to multiple MFP administrators individually. The "MFP administrator" in this ST refers to the MFP administrator who has all management privileges (Table 7).
Table 7 : List of Administrative Roles
Definition of Administrator | Management Privileges | Explanation
Supervisor | Supervisor | Authorised to delete and register the login password of the MFP administrator.
MFP administrator | User management privilege | Authorised to manage normal users. This privilege allows configuration of normal user settings.
MFP administrator | Machine management privilege | Authorised to specify MFP device behaviour (network behaviours excluded). This privilege allows configuration of device settings and viewing of the audit log.
MFP administrator | Network management privilege | Authorised to manage networks and configure LAN settings. This privilege allows configuration of network settings.
MFP administrator | File management privilege | Authorised to manage stored documents. This privilege allows access management of stored documents.
1.4.3.2. Indirect User
Responsible manager of MFP | The responsible manager of MFP is a person who is responsible for selection of the TOE administrators in the organisation where the TOE is used.
Customer engineer | The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE.
1.4.4 Logical Boundary of TOE
The Basic Functions and Security Functions are described as follows:
Figure 3 : Logical Scope of the TOE
1.4.4.1. Basic Functions
The overview of the Basic Functions is described as follows:
Copy Function
The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel. Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as a Document Server document.
Printer Function
The Printer Function of TOE is to print or store the documents the TOE receives from the printer driver installed on the client computer. It also allows users to print and delete the stored documents from the Operation Panel or a Web browser.
- Receiving documents from the printer driver installed on the client computer: The TOE receives documents from the printer driver installed on the client computer. The printing method for a document is selected by the user from the printer driver. The printing methods include direct print, Document Server storage, locked print, stored print, hold print, and sample print. For direct print, documents received by the TOE will be printed. The documents will not be stored in the TOE. For Document Server storage, the received documents will be stored on the HDD as Document Server documents. For locked print, stored print, hold print, and sample print, the received documents will be stored on the HDD as printer documents. A dedicated password, which is used for locked print, is not subject to this evaluation.
- Operating from the Operation Panel: The TOE can print or delete printer documents according to the operations by users from the Operation Panel.
- Operating from a Web browser: The TOE can print or delete printer documents according to the operations by users from a Web browser.
- Deleting printer documents by the TOE: The deletion of printer documents by the TOE differs depending on printing methods. If locked print, hold print, or sample print is specified, the TOE deletes printer documents when printing is complete. If stored print is specified, the TOE does not delete printer documents even when printing is complete.
According to the guidance document, users first install the specified printer driver on their own client computers, and then use this function.
Scanner Function
The Scanner Function is to scan paper documents by using the Operation Panel. The scanned documents will be sent to folders or by e-mail. The documents to be sent to folders or by e-mail will be stored in the TOE, so that they can be transmitted afterwards. The documents stored in the TOE are called scanner documents. Scanner documents can be sent to folders or by e-mail, or deleted from the Operation Panel or a Web browser.
Folder transmission can be applied only to the destination folders in a server that the MFP administrator pre-registers in the TOE and with which secure communication can be ensured. E-mail transmission is possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE and with which secure communication can be ensured.
Fax Function
The Fax Function is to send paper documents and documents received from the fax driver installed on the client computer to external faxes (Fax Transmission Function). Also, this function can be used to receive documents from external faxes (Fax Reception Function).
Documents to be sent by fax can be stored in the TOE. Those documents stored in the TOE for fax transmission are called fax documents. Fax documents can be sent by fax, and they also can be printed, deleted, and sent to folders.
The documents received by fax can be stored in the TOE, printed, deleted from the TOE, and downloaded to the client computer.
- Fax Transmission Function: A function to send paper documents, documents in the client computer, and fax documents to external faxes over a telephone line. Paper documents will be scanned and sent by fax using the Operation Panel. The documents in the client computer are sent by fax from the fax driver installed on the client computer. Fax documents are sent by fax from the Operation Panel or a Web browser. Documents can be sent by fax only to the telephone numbers that are pre-registered in the TOE.
- Fax Data Storage Function: A function to temporarily store paper documents or documents in the client computer for fax transmission in the TOE. Those documents stored in the TOE are called fax documents. Paper documents will be scanned and stored using the Operation Panel. The documents in the client computer are sent to and stored in the TOE by operating the fax driver installed on the client computer.
- Operation Function for Fax Documents: A function to print or delete fax documents. This function can be used from the Operation Panel or a Web browser.
- Folder Transmission Function of Fax Data: A function to send fax documents to folders by using the Operation Panel. The MFP administrator must pre-register the destination server that provides secure communication with the TOE. Users select the destination server from the servers that the MFP administrator pre-registers, and send data to the folder.
- Fax Reception Function: A function to receive documents from external faxes via the telephone line and store the received documents in the TOE. Those stored documents in the TOE are called received fax documents.
- Operation Function for Received Fax Documents: A function to operate the received fax documents from the Operation Panel or a Web browser. Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted and downloaded from a Web browser.
According to the guidance document, users first install the specified fax driver on their own client computers, and then use this function.
Document Server Function
The Document Server Function is to operate documents stored in the TOE by using the Operation Panel and a Web browser.
From the Operation Panel, users can store, print and delete Document Server documents. Also, users can print and delete fax documents.
From a Web browser, users can print and delete Document Server documents, fax, print, download, and delete fax documents. Also, users can send scanner documents to folders or by e-mail, download and delete them.
Management Function
The Management Function is to control the MFP's overall behaviour. This function can be used from the Operation Panel or a Web browser.
Maintenance Function
The Maintenance Function is to perform maintenance service for the MFP if it is malfunctioning. When analysing causes of the malfunction, a customer engineer performs this function from the Operation Panel. The customer engineer will implement this function following the procedures that are allowed to customer engineers only. If the MFP administrator sets the Service Mode Lock Function to "ON", the customer engineer cannot use this function.
In this ST, the Service Mode Lock Function is set to "ON" for the target of evaluation.
Web Function
A function for the TOE user to remotely control the TOE from the client computer. To control the TOE remotely, the TOE user needs to install the designated Web browser on the client computer following the guidance documents and connect the client computer to the TOE via the LAN.
@Remote Service Function
A function for the TOE to communicate with RC Gate via networks for @Remote Service. As for the configuration of this TOE, this function has no access to the protected assets.
1.4.4.2. Security Functions
The Security Functions are described as follows:
Audit Function
The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, "audit events"). Also, this function provides the recorded audit log in a legible fashion for users to audit. This function can be used only by the MFP administrator to view and delete the recorded audit log. To view and delete the audit log, the Web Function will be used.
Identification and Authentication Function
The Identification and Authentication Function is to verify persons before they use the TOE. The persons are allowed to use the TOE only when confirmed as the authorised user.
Users can use the TOE from the Operation Panel or via the network. By the network, users can use the TOE from a Web browser, printer/fax driver, and RC Gate.
To use the TOE from the Operation Panel or a Web browser, a user will be required to enter his or her login user name and login password so that the user can be verified as a normal user, MFP administrator, or supervisor.
To use the Printer or Fax Function from the printer or fax driver, a user will be required to enter his or her login user name and login password, received from the printer or fax driver, so that the user can be verified as a normal user.
To use the @Remote Service Function from the RC Gate communication interface, it will be verified whether the communication request is sent from RC Gate.
Methods to verify normal users are Basic Authentication and external server authentication. The users will be verified by the MFP administrator-specified procedure, whereas the MFP administrator and supervisor can be verified only by the Basic Authentication.
This function includes protection functions for the authentication feedback area, where dummy characters are displayed if a login password is entered using the Operation Panel. In addition to this and for the Basic Authentication only, this function can be used to register passwords that fulfil the requirements of the Minimum Character No. (i.e. minimum password length) and obligatory character types the MFP administrator specifies, so that the lockout function can be enabled and login password quality can be protected.
Document Access Control Function
The Document Access Control Function is to authorise the operations on documents and user jobs by the authorised TOE users who are authenticated by the Identification and Authentication Function. It allows a user's operations on user documents and user jobs based on the privileges of the user role, or on the operation permissions set for each user.
Use-of-Feature Restriction Function
The Use-of-Feature Restriction Function is to authorise the operations of Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function by the authorised TOE users who are authenticated by Identification and Authentication Function. It authorises the use of functions based on the user role and the operation permissions for each user.
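The Document Access Control Function and the Use-of-Feature Restriction Function described above combine three inputs: the user's role, the available function list assigned to each normal user, and the document user list set on each document (received fax documents, which have no identifiable owner, are instead governed by the "users for stored and received documents" list). The following Python models that decision for a handful of constructed users and documents. It is an added illustration, not the TOE's or Ricoh's code; the operation names, the operations granted to the file management privilege, and the treatment of the supervisor and of non-normal-user roles in the use-of-feature check are assumptions made for the example.

```python
"""Access-decision model for the Document Access Control and Use-of-Feature
Restriction Functions (illustrative code, not the TOE's implementation)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    NORMAL_USER = "normal user"
    MFP_ADMINISTRATOR = "MFP administrator"
    SUPERVISOR = "supervisor"
    RC_GATE = "RC Gate"


# The five MFP applications whose use is restricted (section 1.4.5.3).
MFP_APPLICATIONS = frozenset({"Copy", "Printer", "Scanner", "Document Server", "Fax"})
FILE_MANAGEMENT = "file management privilege"  # one of the Table 7 privileges

# Assumed operation vocabulary for this example.
NORMAL_USER_OPERATIONS = frozenset({"print", "delete", "download", "send"})
# Assumption: "access management of stored documents" lets an administrator delete a
# document and edit its document user list, but not read or print its content.
ADMIN_OPERATIONS = frozenset({"delete", "change user list"})


@dataclass
class User:
    login_user_name: str
    role: Role
    available_function_list: frozenset[str] = frozenset()  # attribute of each normal user
    management_privileges: frozenset[str] = frozenset()    # MFP administrator roles (Table 7)


@dataclass
class StoredDocument:
    name: str
    stored_document_type: str  # e.g. "Document Server document", "received fax document"
    mfp_application: str       # the application through which the document is operated
    document_user_list: frozenset[str] = frozenset()  # never contains MFP administrators


@dataclass
class AccessPolicy:
    # "Users for stored and received documents": normal users who may read and delete
    # received fax documents (glossary, Table 10).
    received_fax_users: frozenset[str] = frozenset()

    def may_use_feature(self, user: User, application: str) -> bool:
        """Use-of-Feature Restriction: a normal user may use an MFP application only if
        it appears on that user's available function list."""
        if application not in MFP_APPLICATIONS:
            return False
        if user.role is Role.NORMAL_USER:
            return application in user.available_function_list
        # RC Gate cannot use the applications (Table 6); treating the supervisor and
        # MFP administrators the same way is an assumption of this example.
        return False

    def may_operate_document(self, user: User, doc: StoredDocument, operation: str) -> bool:
        """Document Access Control: role privileges plus per-document permissions."""
        if user.role is Role.NORMAL_USER:
            if operation not in NORMAL_USER_OPERATIONS:
                return False
            # Both checks must pass: the feature is available to the user AND the user
            # is on the permission list that applies to this document type.
            if not self.may_use_feature(user, doc.mfp_application):
                return False
            if doc.stored_document_type == "received fax document":
                return user.login_user_name in self.received_fax_users
            return user.login_user_name in doc.document_user_list
        if user.role is Role.MFP_ADMINISTRATOR:
            # Administrators are never on the document user list; only the file
            # management privilege grants them access management.
            return FILE_MANAGEMENT in user.management_privileges and operation in ADMIN_OPERATIONS
        # Supervisor (assumption) and RC Gate (Table 6) perform no document operations.
        return False


# Constructed sample data used by the checks below.
POLICY = AccessPolicy(received_fax_users=frozenset({"bob"}))
ALICE = User("alice", Role.NORMAL_USER, frozenset({"Document Server", "Printer"}))
BOB = User("bob", Role.NORMAL_USER, frozenset({"Fax", "Document Server"}))
CAROL = User("carol", Role.NORMAL_USER, frozenset({"Copy"}))
FILE_ADMIN = User("admin1", Role.MFP_ADMINISTRATOR, management_privileges=frozenset({FILE_MANAGEMENT}))
NET_ADMIN = User("admin2", Role.MFP_ADMINISTRATOR, management_privileges=frozenset({"network management privilege"}))
SUPERVISOR = User("supervisor", Role.SUPERVISOR)
REPORT = StoredDocument("report", "Document Server document", "Document Server", frozenset({"alice", "carol"}))
INCOMING_FAX = StoredDocument("incoming", "received fax document", "Fax")
```

Running `POLICY.may_operate_document(CAROL, REPORT, "print")` returns False even though carol is on the document user list, because Document Server is missing from her available function list; that is the point of evaluating the two functions together.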
Network Protection Function
The Network Protection Function is to prevent information leakage through wiretapping on the LAN and detect data tampering. The protection function can be enabled using a Web browser to specify the URL for possible encrypted communication. If the Printer Function is used, the protection function can be enabled using the printer driver to specify encrypted communication. If the folder transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication. If the e-mail transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication with communication requirements that are specified for each e-mail address. If the LAN-Fax Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to specify encrypted communication. When communicating with RC Gate, encrypted communication is used.
Residual Data Overwrite Function
The Residual Data Overwrite Function is to overwrite specific patterns on the HDD and disable the reusing of the residual data included in deleted documents, temporary documents and their fragments on the HDD.
Stored Data Protection Function
The Stored Data Protection Function is to encrypt the data on the HDD and protect the data so that data leakage can be prevented.
Security Management Function
The Security Management Function is to control operations for TSF data in accordance with user role privileges or user privileges allocated to normal users, MFP administrator, and supervisor.
Software Verification Function
The Software Verification Function is to verify the integrity of the executable codes of the MFP Control Software and FCU Control Software and to ensure that they can be trusted.
Fax Line Separation Function
The Fax Line Separation Function is to restrict input information from the telephone lines so that only fax data can be received and unauthorised intrusion from the telephone lines (same as the "fax line") can be prevented. Also, this function can be used to prohibit transmissions of received faxes so that unauthorised intrusion from the telephone lines to the LAN can be prevented.
1.4.5 Protected Assets
Assets to be protected by the TOE are user data, TSF data, and functions.
1.4.5.1. User Data
The user data is classified into two types: document data and function data. Table 8 defines user data according to these data types.
Table 8 : Definition of User Data
Type | Description
Document data | Digitised documents, deleted documents, temporary documents and their fragments, which are managed by the TOE.
Function data | Jobs specified by users. In this ST, a "user job" is referred to as a "job".
1.4.5.2. TSF Data
The TSF data is classified into two types: protected data and confidential data. Table 9 defines TSF data according to these data types.
Table 9 : Definition of TSF Data
Type | Description
Protected data | This data must be protected from changes by unauthorised persons. No security threat will occur even if this data is exposed to the public. In this ST, "protected data", listed below, is referred to as "TSF protected data". Login user name, Number of Attempts before Lockout, settings for Lockout Release Timer, lockout time, date settings (year/month/day), time settings, Minimum Character No., Password Complexity Setting, S/MIME user information, destination folder, stored and received document user, document user list, available function list, and user authentication procedures.
Confidential data | This data must be protected from changes by unauthorised persons and from reading by users without viewing permissions. In this ST, "confidential data", listed below, is referred to as "TSF confidential data". Login password, audit log, and HDD cryptographic key.
1.4.5.3. Functions
The MFP applications (Copy Function, Document Server Function, Printer Function, Scanner Function, and Fax Function) that are for management of the document data of user data are classified as protected assets, whose use is subject to restrictions.
1.5 Glossary
1.5.1 Glossary for This ST
For clear understanding of this ST, Table 10 provides the definitions of specific terms.
Table 10 : Specific Terms Related to This ST
Terms | Definitions
MFP Control Software | A software component installed in the TOE. This component is stored in FlashROM and SD Card. The components that identify the TOE include System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, LANG1 and Data Erase Std.
Login user name | An identifier assigned to each normal user, MFP administrator, and supervisor. The TOE identifies users by this identifier.
Login password | A password associated with each login user name.
Lockout | A type of behaviour to deny login of particular users.
Auto logout | A function for automatic user logout if no access is attempted from the Operation Panel or Web Function before the predetermined auto logout time elapses. Auto logout time for the Operation Panel: time specified by the MFP administrator within 60 to 999 seconds. Auto logout time for the Web Function: 30 minutes (this cannot be changed by users). This auto logout time is also referred to as "fixed auto logout time".
Minimum Character No. | The minimum number of registrable password digits.
Password Complexity Setting | The minimum combination of the characters and symbols that can be used as registrable passwords. There are four types of characters: uppercase and lower case alphabets, digits and symbols. There are Level 1 and Level 2 Password Complexity Settings. Level 1 requires a password to be a combination of two or more types of characters and symbols specified above. Level 2 requires a password to be a combination of three or more types of characters and symbols specified above.
Basic Authentication | One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE.
External Authentication | One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the external authentication server connected to the MFP via LAN. External Authentication implemented in the TOE includes Windows Authentication, LDAP Authentication, and Integration Server Authentication. Windows Authentication supports NTLM Authentication and Kerberos Authentication. As for this ST, the term "External Authentication" refers to Windows Authentication using the Kerberos Authentication method.
HDD | An abbreviation of hard disk drive. In this document, unless otherwise specified, "HDD" indicates the HDD installed on the TOE.
User job | A sequence of operations of each TOE function (Copy Function, Document Server Function, Scanner Function, Printer Function and Fax Function) from beginning to end. A user job may be suspended or cancelled by users during operation. If a user job is cancelled, the job will be terminated.
Documents | General term for paper documents and electronic documents used in the TOE.
Document data attributes | Attributes of document data, such as +PRT, +SCN, +CPY, +FAXOUT, +FAXIN, and +DSR.
+PRT | One of the document data attributes. Documents printed from the client computer, or documents stored in the TOE by locked print, hold print, and sample print using the client computer.
+SCN | One of the document data attributes. Documents sent to IT devices by e-mail or sent to folders, or downloaded on the client computer from the MFP. For these operations the Scanner Function is used.
+CPY | One of the document data attributes. Documents copied by using Printer Function.
+FAXOUT | One of the document data attributes. Documents sent by fax or to folders by using Fax Function.
+FAXIN | One of the document data attributes. Documents received from the telephone line. Documents stored in the TOE after the reception are also included.
+DSR | One of the document data attributes. Documents stored in the TOE by using Copy Function, Scanner Function, Document Server Function, and Fax Data Storage Function. Documents stored in the TOE after being printed with Document Server printing or stored print from the client computer.
Document user list | One of the security attributes of document data. A list of the login user names of the normal users whose access to documents is authorised; it can be set for each document data. This list does not include the login user names of MFP administrators, whose access to the document data is possible for administration.
Stored documents | Documents stored in the TOE so that they can be used with Document Server Function, Printer Function, Scanner Function, and Fax Function.
Stored document type | Classification of stored documents according to their purpose of use. This includes Document Server documents, printer documents, scanner documents, fax documents, and received fax documents.
Document Server documents | One of the stored document types. Documents stored in the TOE when Document Server storage is selected as the printing method for Copy Function, Document Server Function, and Printer Function.
Printer documents | One of the stored document types. Documents stored in the TOE when any one of locked print, hold printing, and sample print is selected as the printing method for Printer Function.
Scanner documents | One of the stored document types. Documents stored in the TOE using Scanner Function.
Fax documents | One of the stored document types. Documents scanned and stored using Fax Function, and those stored using the LAN Fax.
Received fax documents | One of the stored document types. Documents received by fax and stored. These documents are externally received, and their "users cannot be identified".
MFP application | A general term for each function the TOE provides: Copy Function, Document Server Function, Scanner Function, Printer Function, and Fax Function.
Available function list | A list of the functions (Copy Function, Printer Function, Scanner Function, Document Server Function, and Fax Function) that normal users are authorised to access. This list is assigned as an attribute of each normal user.
Operation Panel | Consists of a touch screen LCD and key switches. The Operation Panel is used by users to operate the TOE.
Users for stored and received documents | A list of the normal users who are authorised to read and delete received fax documents.
Folder transmission | A function that sends documents from the MFP via networks to a shared folder in an SMB Server by using SMB protocol or that sends documents to a shared folder in an FTP Server by using FTP protocol. The following documents can be delivered to folders: scanned documents using Scanner Function and Fax Function, and scanned and stored documents using Scanner Function and Fax Function. IPSec protects the communication for realising this function.
Destination folder | Destination information for the "folder transmission" function. The destination folder includes the path information to the destination server, the folder in the server, and identification and authentication information for user access. The destination folder is registered and managed by the MFP administrator.
E-mail transmission | A function to send documents by e-mail from the MFP via networks to the SMTP Server. The documents that can be delivered using this function include: scanned documents using Scanner Function, and scanned and stored document data using Scanner Function. S/MIME protects the communication for realising this function.
S/MIME user information | This information is required for e-mail transmission using S/MIME. Also, this information consists of e-mail address, user certificate, and encryption setting (S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user information is registered and managed by the MFP administrator.
LAN Fax | One of the Fax Functions. A function that transmits fax data and stores the documents using the fax driver on the client computer. Sometimes referred to as "PC FAX".
@Remote | General term for remote diagnosis maintenance services for the TOE. Also called @Remote Service.
Maintenance centre | The facility where the centre server of @Remote is located.
Repair Request Notification | A function for users to request a repair to the maintenance centre via RC Gate from the TOE. The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed.
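The glossary entries for Minimum Character No., Password Complexity Setting and Lockout, together with the Identification and Authentication Function in section 1.4.4.2 (Number of Attempts before Lockout, Lockout Release Timer), are precise enough to express as a small policy checker. The Python below is an added illustration, not the TOE's or Ricoh's code. It assumes that "symbols" means ASCII punctuation, that characters outside the four types (whitespace, non-ASCII) make a password non-registrable, and that failed attempts during an active lockout are not counted again; none of these details is stated in the ST.

```python
"""Password quality and lockout rules modelled on the ST's glossary definitions
(illustrative code, not the TOE's implementation)."""
from __future__ import annotations

import string
from dataclasses import dataclass, field

# The four character types named under "Password Complexity Setting".
UPPERCASE, LOWERCASE, DIGITS, SYMBOLS = "uppercase", "lowercase", "digits", "symbols"
# Assumption: a symbol is any ASCII punctuation character.
SYMBOL_CHARS = frozenset(string.punctuation)
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits) | SYMBOL_CHARS


def character_types(password: str) -> set[str]:
    """Return the set of character types present in `password`."""
    found: set[str] = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add(UPPERCASE)
        elif ch in string.ascii_lowercase:
            found.add(LOWERCASE)
        elif ch in string.digits:
            found.add(DIGITS)
        elif ch in SYMBOL_CHARS:
            found.add(SYMBOLS)
        # Any other character belongs to no type and is rejected by PasswordPolicy.
    return found


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_character_no: int  # Minimum Character No. (minimum password length)
    complexity_level: int      # Password Complexity Setting: 1 or 2

    @property
    def required_types(self) -> int:
        # Level 1: two or more types; Level 2: three or more types.
        return {1: 2, 2: 3}[self.complexity_level]

    def violations(self, password: str) -> list[str]:
        """List every rule the password breaks; an empty list means it is registrable."""
        problems: list[str] = []
        if not all(ch in ALLOWED_CHARS for ch in password):
            problems.append("contains a character outside the four allowed types")  # assumption
        if len(password) < self.minimum_character_no:
            problems.append(f"shorter than Minimum Character No. ({self.minimum_character_no})")
        types = character_types(password)
        if len(types) < self.required_types:
            problems.append(f"Level {self.complexity_level} requires {self.required_types} "
                            f"character types, found {len(types)}")
        return problems

    def is_registrable(self, password: str) -> bool:
        return not self.violations(password)


@dataclass
class LockoutTracker:
    """Per-login-user-name failure counter implementing the lockout rule."""
    attempts_before_lockout: int        # Number of Attempts before Lockout
    lockout_release_seconds: int        # Lockout Release Timer
    failures: dict[str, int] = field(default_factory=dict)    # consecutive failures
    locked_at: dict[str, float] = field(default_factory=dict)  # lockout time per user

    def is_locked_out(self, login: str, now: float) -> bool:
        """True while the user is locked out; releases the lockout once the timer elapses."""
        started = self.locked_at.get(login)
        if started is None:
            return False
        if now - started >= self.lockout_release_seconds:
            del self.locked_at[login]
            self.failures[login] = 0
            return False
        return True

    def record_failure(self, login: str, now: float) -> bool:
        """Count a failed login; return True if the user is (now) locked out."""
        if self.is_locked_out(login, now):
            return True  # assumption: attempts during a lockout are not counted again
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= self.attempts_before_lockout:
            self.locked_at[login] = now
            return True
        return False

    def record_success(self, login: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self.failures[login] = 0
```

`now` is passed explicitly rather than read from the clock so the release timer can be exercised deterministically; a real device would use its own date and time settings, which the ST lists among the TSF protected data for exactly this reason.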
2 Conformance Claim
This section describes Conformance Claim.
2.1 CC Conformance Claim
The CC conformance claim of this ST and TOE is as follows:
- CC version for which this ST and TOE claim conformance:
  Part 1: Introduction and general model, July 2009, Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final), CCMB-2009-07-001
  Part 2: Security functional components, July 2009, Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final), CCMB-2009-07-002
  Part 3: Security assurance components, July 2009, Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final), CCMB-2009-07-003
- Functional requirements: Part 2 extended
- Assurance requirements: Part 3 conformant
2.2 PP Claims
The PP to which this ST and TOE are demonstrably conformant is:
PP Name/Identification : 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
Version : 1.0, dated June 2009
Notes: The PP name which is published in Common Criteria Portal is "IEEE Standard for a Protection Profile in Operational Environment A (IEEE Std 2600.1-2009)".
2.3 Package Claims
The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are:
2600.1-PRT conformant
2600.1-SCN conformant
2600.1-CPY conformant
2600.1-FAX conformant
2600.1-DSR conformant
2600.1-SMI conformant
2.4 Conformance Claim Rationale
2.4.1 Consistency Claim with TOE Type in PP
The product type targeted by the PP is the hardcopy device (hereafter, HCD). HCDs consist of a scanner device and a print device, and have an interface to connect to a telephone line. HCDs combine these devices and provide one or more of Copy Function, Scanner Function, Printer Function or Fax Function. The Document Server Function is also available when a non-volatile memory medium, such as a hard disk drive, is installed as additional equipment.
The type of this TOE is the MFP. The MFP has the devices that HCDs have, and provides the functions that HCDs provide, including those of the additional equipment. Therefore, this TOE type is consistent with the TOE type in the PP.
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP
All security problems in the PP are defined, and P.STORAGE_ENCRYPTION and P.RCGATE.COMM.PROTECT were added to the security problem definitions in chapter 3. All security objectives in the PP are defined, and O.STORAGE.ENCRYPTED and O.RCGATE.COMM.PROTECT were added to the security objectives in chapter 4. Described below is the rationale for why these augmented security problems and security objectives conform to the PP. Although the PP is written in English, the security problem definitions in chapter 3 and the security objectives in chapter 4 are translated from English into Japanese. Where a literal translation of the PP was thought to be difficult for readers to understand in Japanese, the translation was made comprehensible. This, however, does not mean that the description deviates from the requirements of PP conformance; nothing is added to or removed from the description.
Augmentation of P.STORAGE_ENCRYPTION and O.STORAGE.ENCRYPTED
P.STORAGE_ENCRYPTION and O. STORAGE.ENCRYPT ED encr ypt data on HDD and sat isf y both oth er organisational security policies in the PP and security objectives of the TOE. Therefore, P.STORAGE_ENCRYPTION and O.STORAGE.ENCRYPTED were augmented but still conform to the PP.
Augmentation of P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT
P.RCGATE.COMM.PROTECT and O.RCGATE. COMM .P ROTECT refer to s e curit y proble ms a nd s ecur it y objectives respectively, both of which are concerned with communications between the TOE and RC Gate. These communications are not assumed in the PP, so that they are independent from the PP. Neither transmission nor reception of the protected assets defined in the PP takes place in the communication between the TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP.
Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP.
For the reasons given above, the security problems and security objectives in this ST are consistent with those in the PP.
2.4.3 Consistency Claim with Security Requirements in PP
The SFRs for this TOE consist of the Common Security Functional Requirements, 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI.
The Common Security Functional Requirements are the mandatory SFRs specified by the PP. 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI are selected from the SFR Packages specified by the PP.
2600.1-NVS is not selected because this TOE has no detachable non-volatile storage medium. Although the security requirements of this ST were partly augmented and instantiated relative to the security requirements of the PP, they are still consistent with the PP. The augmented and instantiated parts are described below, together with the reasons for their consistency with the PP.
Augmentation of FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2
FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2 are added according to PP APPLICATION NOTE 7 so that the TOE maintains and manages the audit logs.
Augmentation of FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1
For the Basic Authentication function of the TOE, FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1 are added according to PP APPLICATION NOTE 36.
Refinement of FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a), FIA_UID.1(b), and FIA_SOS.1
For authentication of normal users of this TOE, Basic Authentication conducted by the TOE and authentication conducted by the external authentication server can be used. According to PP APPLICATION NOTE 35, the authentications of users are assumed to be executed by the TOE or external IT devices. For this reason, both Basic Authentication and External Authentication comply with the PP. The refinement of FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a), FIA_UID.1(b), and FIA_SOS.1 is to identify these authentication methods; it is not to change the security requirements specified by the PP.
Augmentation and Refinement of FIA_UAU.2 and FIA_UID.2
Since the identification and authentication method for RC Gate differs from the identification and authentication methods for normal users and administrators, FIA_UAU.2 and FIA_UID.2 are added according to PP APPLICATION NOTE 37 and PP APPLICATION NOTE 41, in addition to FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a) and FIA_UID.1(b).
The refinement of FIA_UAU.2 and FIA_UID.2 distinguishes the identification and authentication method for normal users and administrators from the identification and authentication method for RC Gate; it does not change the security requirements specified by the PP.
Ownership of Received Fax Documents
For the ownership of the received fax documents, the TOE has the characteristic that the ownership of the document is assigned to the intended user. This is according to PP APPLICATION NOTE 93.
Augmentation of FCS_CKM.1 and FCS_COP.1
This TOE claims O.STORAGE.ENCRYPTED as the security objective for protecting data on non-volatile storage media that the administrator is allowed neither to attach nor to remove. To fulfil this claim, additions were made to the functional requirements FCS_CKM.1 and FCS_COP.1 and to the functional requirements that depend on them; these changes still satisfy the functional requirements demanded in the PP.
Augmentation of information protected by FTP_ITC.1
FTP_ITC.1 was changed in this TOE. The change only adds communication with RC Gate via the LAN to the information protected by FTP_ITC.1 that the PP requires; it restricts the requirements in the PP rather than relaxing them. Therefore, this satisfies the functional requirements demanded in the PP.
Augmentation of restricted forwarding of data to external interface (FPT_FDI_EXP)
In accordance with the PP, this TOE extends the CC Part 2 functional requirements by adding restricted forwarding of data to external interfaces (FPT_FDI_EXP).
Consistency Rationale of FDP_ACF.1(a)
While FDP_ACF.1.1(a) and FDP_ACF.1.2(a) in the PP require the access control SFP to the document data that is defined for each SFR package in the PP, this ST requires the access control SFP to the document data that is defined for each document data attribute, which is the security attribute for objects. This is not a deviation from the PP but an instantiation of the PP.
Although FDP_ACF.1.3(a) in the PP has no additional rules on access control of document data and user jobs, this ST allows the MFP administrator to delete document data and user jobs.
The TOE allows the MFP administrator to delete document data and user jobs on behalf of normal users who are privileged to delete them in case normal users cannot execute such privileges for some reasons. This does not deviate from the access control SFP defined in the PP.
Although FDP_ACF.1.4(a) in the PP has no additional rules on access control of document data and user jobs, this ST denies the supervisor and RC Gate any operation on document data and user jobs.
The supervisor and RC Gate are not identified in the PP and are special users of this TOE. The PP does not allow users to operate on document data and user jobs unless they are identified as users of document data and user jobs, so this denial is consistent with the PP. Therefore, FDP_ACF.1(a) in this ST satisfies FDP_ACF.1(a) in the PP.
Additional Rules on FDP_ACF.1.3(b)
While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions.
The TOE allows the MFP administrator to delete document data and user jobs (document access control SFP, FDP_ACC.1(a) and FDP_ACF.1(a)), and as a result the TSF grants the MFP administrator restricted access to the TOE functions. The requirements described in FDP_ACF.1.3(b) in the PP are therefore satisfied at the same time. The fax reception process, which is invoked when a fax is received from the telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
3 Security Problem Definitions
This section describes Threats, Organisational Security Policies and Assumptions.
3.1 Threats
Defined and described below are the assumed threats related to the use and environment of this TOE. The attackers assumed for the threats in this section are unauthorised persons with knowledge of published information about TOE operation, and such attackers are capable of Basic attack potential.
T.DOC.DIS Document disclosure
Documents under the TOE management may be disclosed to persons without a login user name, or to persons with a login user name but without an access permission to the document.
T.DOC.ALT Document alteration
Documents under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the document.
T.FUNC.ALT User job alteration
User jobs under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the user job.
T.PROT.ALT Alteration of TSF protected data
TSF Protected Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Protected Data.
T.CONF.DIS Disclosure of TSF confidential data
TSF Confidential Data under the TOE management may be disclosed to persons without a login user name, or to persons with a login user name but without an access permission to the TSF Confidential Data.
T.CONF.ALT Alteration of TSF confidential data
TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
3.2 Organisational Security Policies
The following organisational security policies are taken:
P.USER.AUTHORIZATION User identification and authentication
Only users with operation permission of the TOE shall be authorised to use the TOE.
P.SOFTWARE.VERIFICATION Software verification
Procedures shall exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING Management of audit log records
The TOE shall create and maintain a log of TOE use and security-relevant events. The audit log shall be protected from unauthorised disclosure or alteration, and shall be reviewed by authorised persons.
P.INTERFACE.MANAGEMENT Management of external interfaces
To prevent unauthorised use of the external interfaces of the TOE, operation of those interfaces shall be controlled by the TOE and its IT environment.
P.STORAGE.ENCRYPTION Encryption of storage devices
The data stored on the HDD inside the TOE shall be encrypted.
P.RCGATE.COMM.PROTECT Protection of communication with RC Gate
As for communication with RC Gate, the TOE shall protect the communication data between itself and RC Gate.
3.3 Assumptions
The assumptions related to this TOE usage environment are identified and described.
A.ACCESS.MANAGED Access management
According to the guidance document, the TOE is placed in a restricted or monitored area that provides protection from physical access by unauthorised persons.
A.USER.TRAINING User training
The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures.
A.ADMIN.TRAINING Administrator training
Administrators are aware of the security policies and procedures of their organisation, and are competent to correctly configure and operate the TOE in accordance with the guidance document following those policies and procedures.
A.ADMIN.TRUST Trusted administrator
The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document.
4 Security Objectives
This section describes Security Objectives for TOE, Security Objectives of Operational Environment and Security Objectives Rationale.
4.1 Security Objectives for TOE
This section describes the security objectives for the TOE.
O.DOC.NO_DIS Protection of document disclosure
The TOE shall protect documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the document.
O.DOC.NO_ALT Protection of document alteration
The TOE shall protect documents from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the document.
O.FUNC.NO_ALT Protection of user job alteration
The TOE shall protect user jobs from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the job.
O.PROT.NO_ALT Protection of TSF protected data alteration
The TOE shall protect TSF Protected Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Protected Data.
O.CONF.NO_DIS Protection of TSF confidential data disclosure
The TOE shall protect TSF Confidential Data from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
O.CONF.NO_ALT Protection of TSF confidential data alteration
The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
O.USER.AUTHORIZED User identification and authentication
The TOE shall require identification and authentication of users and shall ensure that users are authorised in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED Management of external interfaces by TOE
The TOE shall manage the operation of external interfaces in accordance with the security policies.
O.SOFTWARE.VERIFIED Software verification
The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED Management of audit log records
The TOE shall create and maintain a log of TOE use and security-relevant events in the MFP and prevent its unauthorised disclosure or alteration.
O.STORAGE.ENCRYPTED Encryption of storage devices
The TOE shall ensure that the data is encrypted first and then stored on the HDD.
O.RCGATE.COMM.PROTECT Protection of communication with RC Gate
The TOE shall conceal the communication data on the communication path between itself and RC Gate, and detect any tampering with those communication data.
4.2 Security Objectives of Operational Environment
This section describes the security objectives of the operational environment.
4.2.1 IT Environment
OE.AUDIT_STORAGE.PROTECTED Audit log protection in trusted IT products
If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs are protected from unauthorised access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED Audit log access control in trusted IT products
If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons.
OE.INTERFACE.MANAGED Management of external interfaces in IT environment
The IT environment shall take countermeasures to prevent unmanaged access to TOE external interfaces.
4.2.2 Non-IT Environment
OE.PHYSICAL.MANAGED Physical management
According to the guidance document, the TOE shall be placed in a secure or monitored area that provides protection from physical access to the TOE by unauthorised persons.
OE.USER.AUTHORIZED Assignment of user authority
The responsible manager of MFP shall give users the authority to use the TOE in accordance with the security policies and procedures of their organisation.
OE.USER.TRAINED User training
The responsible manager of MFP shall train users according to the guidance document and ensure that users are aware of the security policies and procedures of their organisation and have the competence to follow those policies and procedures.
OE.ADMIN.TRAINED Administrator training
The responsible manager of MFP shall ensure that administrators are aware of the security policies and procedures of their organisation; have the training, competence, and time to follow the guidance document; and correctly configure and operate the TOE according to those policies and procedures.
OE.ADMIN.TRUSTED Trusted administrator
The responsible manager of MFP shall select administrators who will not use their privileged access rights for malicious purposes according to the guidance document.
OE.AUDIT.REVIEWED Log audit
The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity.
4.3 Security Objectives Rationale
This section describes the rationale for security objectives. The security objectives are for upholding the assumptions, countering the threats, and enforcing the organisational security policies that are defined.
4.3.1 Correspondence Table of Security Objectives
Table 11 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective.
Table 11 : Rationale for Security Objectives
Columns (security objectives): O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, O.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.INTERFACE.MANAGED, O.STORAGE.ENCRYPTED, O.RCGATE.COMM.PROTECT, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, OE.USER.TRAINED
Rows (each row lists the objectives marked with an X for that threat, policy or assumption):
T.DOC.DIS: O.DOC.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.DOC.ALT: O.DOC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.FUNC.ALT: O.FUNC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.PROT.ALT: O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.DIS: O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.ALT: O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.USER.AUTHORIZATION: O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.SOFTWARE.VERIFICATION: O.SOFTWARE.VERIFIED
P.AUDIT.LOGGING: O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED
P.INTERFACE.MANAGEMENT: O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED
P.STORAGE.ENCRYPTION: O.STORAGE.ENCRYPTED
P.RCGATE.COMM.PROTECT: O.RCGATE.COMM.PROTECT
A.ACCESS.MANAGED: OE.PHYSICAL.MANAGED
A.ADMIN.TRAINING: OE.ADMIN.TRAINED
A.ADMIN.TRUST: OE.ADMIN.TRUSTED
A.USER.TRAINING: OE.USER.TRAINED
4.3.2 Security Objectives Descriptions
The following describes the rationale for each security objective being appropriate to satisfy the threats, assumptions and organisational security policies.
T.DOC.DIS
T.DOC.DIS is countered by O.DOC.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.DOC.NO_DIS, the TOE protects the documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to those documents.
T.DOC.DIS is countered by these objectives.
T.DOC.ALT
T.DOC.ALT is countered by O.DOC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.DOC.NO_ALT, the TOE protects the documents from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the document.
T.DOC.ALT is countered by these objectives.
T.FUNC.ALT
T.FUNC.ALT is countered by O.FUNC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.FUNC.NO_ALT, the TOE protects the user jobs from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the user job.
T.FUNC.ALT is countered by these objectives.
T.PROT.ALT
T.PROT.ALT is countered by O.PROT.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF protected data.
T.PROT.ALT is countered by these objectives.
T.CONF.DIS
T.CONF.DIS is countered by O.CONF.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.CONF.NO_DIS, the TOE protects the TSF confidential data from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the TSF confidential data.
T.CONF.DIS is countered by these objectives.
T.CONF.ALT
T.CONF.ALT is countered by O.CONF.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE. By O.CONF.NO_ALT, the TOE protects the TSF confidential data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF confidential data.
T.CONF.ALT is countered by these objectives.
P.USER.AUTHORIZATION
P.USER.AUTHORIZATION is enforced by O.USER.AUTHORIZED and OE.USER.AUTHORIZED. By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, and users are authorised in accordance with the security policies before being allowed to use the TOE.
P.USER.AUTHORIZATION is enforced by these objectives.
P.SOFTWARE.VERIFICATION
P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF.
P.SOFTWARE.VERIFICATION is enforced by this objective.
P.AUDIT.LOGGING
P.AUDIT.LOGGING is enforced by O.AUDIT.LOGGED, OE.AUDIT.REVIEWED, OE.AUDIT_STORAGE.PROTECTED and OE.AUDIT_ACCESS.AUTHORIZED.
By O.AUDIT.LOGGED, the TOE creates and maintains a log of TOE use and security-relevant events in the MFP and prevents its unauthorised disclosure or alteration.
By OE.AUDIT.REVIEWED, the responsible manager of MFP reviews audit logs at appropriate intervals for security violations or unusual patterns of activity according to the guidance document.
By OE.AUDIT_STORAGE.PROTECTED, if audit records are exported from the TOE to another trusted IT product, the responsible manager of MFP protects those records from unauthorised access, deletion and alteration. By OE.AUDIT_ACCESS.AUTHORIZED, the responsible manager of MFP ensures that those records can be accessed in order to detect potential security violations, and only by authorised persons.
P.AUDIT.LOGGING is enforced by these objectives.
P.INTERFACE.MANAGEMENT
P.INTERFACE.MANAGEMENT is enforced by O.INTERFACE.MANAGED and OE.INTERFACE.MANAGED. By O.INTERFACE.MANAGED, the TOE manages the operation of the external interfaces in accordance with the security policies. By OE.INTERFACE.MANAGED, an IT environment is constructed that prevents unmanaged access to TOE external interfaces.
P.INTERFACE.MANAGEMENT is enforced by these objectives.
P.STORAGE.ENCRYPTION
P.STORAGE.ENCRYPTION is enforced by O.STORAGE.ENCRYPTED. By O.STORAGE.ENCRYPTED, the TOE encrypts the data to be written to the HDD, so that only encrypted data are written to the HDD.
P.STORAGE.ENCRYPTION is enforced by this objective.
P.RCGATE.COMM.PROTECT
P.RCGATE.COMM.PROTECT is enforced by O.RCGATE.COMM.PROTECT. By O.RCGATE.COMM.PROTECT, the TOE shall conceal the communication data on the communication path between itself and RC Gate, and detect any tampering with those communication data. P.RCGATE.COMM.PROTECT is enforced by this objective.
A.ACCESS.MANAGED
A.ACCESS.MANAGED is upheld by OE.PHYSICAL.MANAGED. By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from physical access by unauthorised persons.
A.ACCESS.MANAGED is upheld by this objective.
A.ADMIN.TRAINING
A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED. By OE.ADMIN.TRAINED, the responsible manager of MFP ensures that the administrators are aware of the security policies and procedures of their organisation. For this, the administrators have the training, competence, and time to follow the guidance documents, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRAINING is upheld by this objective.
A.ADMIN.TRUST
A.ADMIN.TRUST is upheld by OE.ADMIN.TRUSTED. By OE.ADMIN.TRUSTED, the responsible manager of MFP selects the administrators, and they will not abuse their privileges, in accordance with the guidance documents.
A.ADMIN.TRUST is upheld by this objective.
A.USER.TRAINING
A.USER.TRAINING is upheld by OE.USER.TRAINED. By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures.
A.USER.TRAINING is upheld by this objective.
5 Extended Components Definition
This section describes Extended Components Definition.
5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP)
Family behaviour
This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.
Many products receive information on specific external interfaces and are intended to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality.
Component levelling:
FPT_FDI_EXP: Restricted forwarding of data to external interfaces ---- 1
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.
Management: FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) Definition of the role(s) that are allowed to perform the management activities
b) Management of the conditions under which direct forwarding can be allowed by an administrative role
c) Revocation of such an allowance
Audit: FPT_FDI_EXP.1
There are no auditable events foreseen.
Rationale:
Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems but also other systems that require a specific work flow for the incoming data before it can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different external interfaces is therefore a function that—if allowed at all—can only be allowed by an authorized role.
It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.
The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Protection Profile, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality.
This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
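An added Python model (not the TOE's own code) of the FPT_FDI_EXP.1 semantics as assigned above: unprocessed data received on the Operation Panel, LAN or telephone line is denied forwarding to the LAN or telephone line unless an authorized administrative role has explicitly allowed it, and that allowance can be revoked again (management functions a) to c) of the family). The role name, class and method names are assumptions made for this example.

```python
"""Model of FPT_FDI_EXP.1 as instantiated in this ST (constructed example)."""
from enum import Enum


class Interface(Enum):
    OPERATION_PANEL = "Operation Panel"
    LAN = "LAN"
    TELEPHONE_LINE = "telephone line"


# FPT_FDI_EXP.1.1 assignment: data received on these interfaces ...
RESTRICTED_SOURCES = {Interface.OPERATION_PANEL, Interface.LAN, Interface.TELEPHONE_LINE}
# ... must not be forwarded without further TSF processing to these interfaces.
RESTRICTED_DESTINATIONS = {Interface.LAN, Interface.TELEPHONE_LINE}

# Name assumed for the authorized administrative role (FMT_SMR.1 dependency).
ADMIN_ROLE = "MFP administrator"


class ForwardingPolicy:
    """Default-deny forwarding of unprocessed data between external interfaces.

    The family's management functions are modelled as: only ADMIN_ROLE may grant
    an allowance for a (source, destination) pair (a, b), and any allowance can
    be revoked again (c). No auditable events are foreseen, so nothing is logged.
    """

    def __init__(self) -> None:
        self._allowed = set()  # explicitly allowed (source, destination) pairs

    def _require_admin(self, role: str) -> None:
        if role != ADMIN_ROLE:
            raise PermissionError(f"{role!r} may not manage direct forwarding")

    def allow_direct(self, role: str, src: Interface, dst: Interface) -> None:
        """Explicitly allow direct forwarding from src to dst (admin only)."""
        self._require_admin(role)
        self._allowed.add((src, dst))

    def revoke_direct(self, role: str, src: Interface, dst: Interface) -> None:
        """Revoke a previously granted allowance (admin only)."""
        self._require_admin(role)
        self._allowed.discard((src, dst))

    def may_forward(self, src: Interface, dst: Interface, processed_by_tsf: bool) -> bool:
        """Decide whether data received on src may be sent out on dst."""
        if processed_by_tsf:
            # TSF-controlled processing took place, so the restriction does not apply.
            return True
        if src in RESTRICTED_SOURCES and dst in RESTRICTED_DESTINATIONS:
            # Unprocessed data crossing covered interfaces needs an explicit allowance.
            return (src, dst) in self._allowed
        # Pair not covered by the assignment in FPT_FDI_EXP.1.1.
        return True
```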
6 Security Requirements
This section describes Security Functional Requirements, Security Assurance Requirements and Security Requirements Rationale.
6.1 Security Functional Requirements
This section describes the TOE security functional requirements for fulfilling the security objectives defined in section 4.1. The security functional requirements are quoted from the requirements defined in CC Part 2. The security functional requirements that are not defined in CC Part 2 are quoted from the extended security functional requirements defined in the PP (IEEE Standard for a Protection Profile in Operational Environment A (IEEE Std 2600.1-2009)).
The parts with assignments and selections defined in the [CC] are identified with [bold face and brackets]. The parts with refinements are identified with (refinement:).
6.1.1 Class FAU: Security audit
FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: not specified] level of audit; and
c) [assignment: auditable events of the TOE shown in Table 12].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: types of job for FDP_ACF.1(a), all login user names that attempted the user identification for FIA_UID.1, communication direction of Web Function, communication IP address of the communication used for Web Function and folder transmission, recipient's e-mail address used for e-mail transmission, and communication direction of communication with RC Gate].
Table 12 shows the action (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE.
Table 12 : List of Auditable Events
Functional Requirements | Actions Which Should Be Auditable | Auditable Events
FDP_ACF.1(a) | a) Minimal: Successful requests to perform an operation on an object covered by the SFP. b) Basic: All requests to perform an operation on an object covered by the SFP. c) Detailed: The specific security attributes used in making an access check. | Original: Start and end operation of storing document data; start and end operation of printing document data; start and end operation of downloading document data; start and end operation of faxing document data; start and end operation of sending document data by e-mail; start and end operation of delivering document data to folder; start and end operation of deleting document data. Those described above, "storing, printing, downloading, faxing, sending by e-mail, delivering to folder, and deleting", are the job types of additional information that are required by the PP.
FDP_ACF.1(b) | a) Minimal: Successful requests to perform an operation on an object covered by the SFP. b) Basic: All requests to perform an operation on an object covered by the SFP. c) Detailed: The specific security attributes used in making an access check. | Original: Not recorded.
FIA_UAU.1(a) | a) Minimal: Unsuccessful use of the authentication mechanism; b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user. | b) Basic: Success and failure of login operation
FIA_UAU.1(b) | a) Minimal: Unsuccessful use of the authentication mechanism; b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user. | b) Basic: Success and failure of login operation
FIA_UAU.2 | a) Minimal: Unsuccessful use of the authentication mechanism; b) Basic: All use of the authentication mechanism. | b) Basic: Success and failure of login operation
FIA_UID.1(a) | a) Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided; b) Basic: All use of the user identification mechanism, including the user identity provided. | b) Basic: Success and failure of login operation. Also includes the user identification that is required by the PP as the additional information.
FIA_UID.1(b) | a) Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided; b) Basic: All use of the user identification mechanism, including the user identity provided. | b) Basic: Success and failure of login operation. Also includes the user identification that is required by the PP as the additional information.
FIA_UID.2 | a) Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided; b) Basic: All use of the user identification mechanism, including the user identity provided. | b) Basic: Success and failure of login operation
FMT_SMF.1 | a) Minimal: Use of the management functions. | a) Minimal: Record of management items in Table 30.
FMT_SMR.1 | a) Minimal: modifications to the group of users that are part of a role; b) Detailed: every use of the rights of a role. | No record due to no modification.
FPT_STM.1 | a) Minimal: changes to the time; b) Detailed: providing a timestamp. | a) Minimal: Settings of Year-Month-Day and Hour-Minute
FTA_SSL.3 | a) Minimal: Termination of an interactive session by the session locking mechanism. | a) Minimal: Termination of session by auto logout.
FTP_ITC.1 | a) Minimal: Failure of the trusted channel functions. b) Minimal: Identification of the initiator and target of failed trusted channel functions. c) Basic: All attempted uses of the trusted channel functions. d) Basic: Identification of the initiator and target of all trusted channel functions. | a) Minimal: Failure of communication with trusted channel.
FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection: prevent] unauthorised modifications to the stored audit records in the audit trail.
FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [selection: overwrite the oldest stored audit records] and [assignment: no other actions to be taken in case of audit storage failure] if the audit trail is full.
FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: the MFP administrators] with the capability to read [assignment: all of log items] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.
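As an added example (not the TOE's implementation or any RICOH code), the following Python models the FAU_GEN.1.2 record contents, the FAU_STG.4 behaviour of overwriting the oldest records when the trail is full, and the FAU_STG.1 and FAU_SAR.1/FAU_SAR.2 read and delete restrictions; the storage capacity, event names, user names and role strings are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

MFP_ADMINISTRATOR = "MFP administrator"   # role string, assumed for this example


@dataclass(frozen=True)
class AuditRecord:
    """One FAU_GEN.1.2 record: date and time, event type, subject identity (if
    applicable), outcome, plus the component-specific additional information
    (job type, attempted login user name, IP address, ...)."""
    timestamp: datetime
    event_type: str
    subject: Optional[str]
    outcome: str                                   # "success" or "failure"
    extra: Dict[str, str] = field(default_factory=dict)


class AuditTrail:
    def __init__(self, capacity: int) -> None:
        # A bounded deque discards its oldest entry when a new one is appended to
        # a full buffer, which is the FAU_STG.4 selection "overwrite the oldest
        # stored audit records"; the capacity is a constructed value.
        self._records: Deque[AuditRecord] = deque(maxlen=capacity)

    def generate(self, timestamp: datetime, event_type: str, subject: Optional[str],
                 outcome: str, **extra: str) -> AuditRecord:
        record = AuditRecord(timestamp, event_type, subject, outcome, dict(extra))
        self._records.append(record)
        return record

    def read(self, role: str) -> List[AuditRecord]:
        # FAU_SAR.1 / FAU_SAR.2: only the MFP administrator has read access.
        if role != MFP_ADMINISTRATOR:
            raise PermissionError("audit records are readable by MFP administrators only")
        return list(self._records)

    def delete_all(self, role: str) -> None:
        # FAU_STG.1.1 and Table 29: deletion of audit logs is an MFP administrator operation.
        if role != MFP_ADMINISTRATOR:
            raise PermissionError("audit records may be deleted by MFP administrators only")
        self._records.clear()

    # No method modifies a stored record: FAU_STG.1.2 selects "prevent" for
    # modification, and AuditRecord is frozen.


def can_read(trail: AuditTrail, role: str) -> bool:
    """True if the given role is granted read access to the trail."""
    try:
        trail.read(role)
        return True
    except PermissionError:
        return False


def event_types_after(capacity: int, events: List[str]) -> List[str]:
    """Record the given event types into a trail of the given capacity and
    return the event types an MFP administrator can still read afterwards."""
    trail = AuditTrail(capacity)
    start = datetime(2011, 7, 18, 9, 0, 0)        # constructed timestamp
    for i, event in enumerate(events):
        trail.generate(start + timedelta(minutes=i), event, "user01", "success")
    return [r.event_type for r in trail.read(MFP_ADMINISTRATOR)]
```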
6.1.2 Class FCS: Cryptographic support
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm in Table 13] and specified cryptographic key sizes [assignment: cryptographic key sizes in Table 13] that meet the following: [assignment: standards in Table 13].
Table 13 : List of Cryptographic Key Generation
Key Type | Standard | Cryptographic Key Generation Algorithm | Cryptographic Key Size
HDD cryptographic key | BSI-AIS31 | TRNG | 256 bits
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [assignment: cryptographic operations shown in Table 14] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm shown in Table 14] and cryptographic key sizes [assignment: cryptographic key sizes shown in Table 14] that meet the following: [assignment: standards shown in Table 14].
Table 14 : List of Cryptographic Operation
Key Type | Standard | Cryptographic Algorithm | Cryptographic Key Size | Cryptographic Operation
HDD cryptographic key | FIPS197 | AES | 256 bits | Encryption when writing the data on HDD; decryption when reading the data from HDD
6.1.3 Class FDP: User data protection
FDP_ACC.1(a) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(a) The TSF shall enforce the [assignment: document access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 15].
Table 15 : List of Subjects, Objects, and Operations among Subjects and Objects (a)
Subjects - Normal user process
- MFP administrator process
- Supervisor process
- RC Gate process
Objects - Document data
- User jobs
Operations - Read
- Delete
FDP_ACC.1(b) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 16].
Table 16 : List of Subjects, Objects, and Operations among Subjects and Objects (b)
Subjects - Normal user process
- MFP administrator process
- Supervisor process
- RC Gate process
Object - MFP application
Operation - Execute
FDP_ACF.1(a) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(a) The TSF shall enforce the [assignment: document access control SFP] to objects based on the following: [assignment: subjects or objects, and their corresponding security attributes shown in Table 17].
Table 17 : Subjects, Objects and Security Attributes (a)
Category | Subjects or Objects | Security Attributes
Subject | Normal user process | Login user name of normal user; User role
Subject | MFP administrator process | User role
Subject | Supervisor process | User role
Subject | RC Gate process | User role
Object | Document data | Document data attribute; Document user list
Object | User job | Login user name of normal user
FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules to control operations among subjects and objects shown in Table 18].
Table 18 : Rules to Control Operations on Document Data and User Jobs (a)
Objects | Document Data Attributes | Operations | Subjects | Rules to Control Operations
Document data | +PRT | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +PRT | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +SCN | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +SCN | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +FAXOUT | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +FAXOUT | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +FAXIN | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process with a login user name of normal user registered on the document user list for the document data.
Document data | +FAXIN | Read | Normal user process | Not allowed. However, it is allowed for the normal user process with a login user name of normal user registered on the document user list for the document data.
Document data | +CPY | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +CPY | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
Document data | +DSR | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process with a login user name of normal user registered on the document user list for the document data.
Document data | +DSR | Read | Normal user process | Not allowed. However, it is allowed for the normal user process with a login user name of normal user registered on the document user list for the document data.
User jobs | No setting of document data attribute | Delete | Normal user process | Not allowed. However, it is allowed for the normal user process with the login user name of normal user which is the security attribute of the user job.
FDP_ACF.1.3(a) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules to control operations among subjects and objects shown in Table 19].
Table 19 : Additional Rules to Control Operations on Document Data and User Jobs (a)
Objects | Document Data Attributes | Operations | Subjects | Rules to Control Operations
Document data | +PRT | Delete | MFP administrator process | Allowed.
Document data | +FAXIN | Delete | MFP administrator process | Allowed.
Document data | +DSR | Delete | MFP administrator process | Allowed.
User jobs | No setting of document data attribute | Delete | MFP administrator process | Allowed.
FDP_ACF.1.4(a) The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: deny the operations on the document data and user jobs in case of supervisor process or RC Gate process].
FDP_ACF.1(b) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to objects based on the following: [assignment: subjects or objects, and their corresponding security attributes shown in Table 20].
Table 20 : Subjects, Objects and Security Attributes (b)
Category | Subjects or Objects | Security Attributes
Subject | Normal user process | Login user name of normal user; Available function list; User role
Subject | Supervisor process | User role
Subject | RC Gate process | User role
Object | MFP application | Function type
FDP_ACF.1.2(b) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rule to control operations among objects and subjects shown in Table 21].
Table 21 : Rule to Control Operations on MFP Applications (b)
Object | Operation | Subject | Rule to Control Operations
MFP application | Execute | Normal user process | Allows executing the MFP application which the MFP administrator allowed in the available function list for the normal user process.
FDP_ACF.1.3(b) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules that the Fax Reception Function operated using administrator permission is surely permitted].
FDP_ACF.1.4(b) The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: deny an operation on MFP application in case of supervisor process or RC Gate process].
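The two SFPs above can be evaluated mechanically. The following Python is an added example, not the TOE's code or any RICOH code: it encodes Tables 18, 19 and 21 together with the explicit denials of FDP_ACF.1.4(a) and (b); the user, document and function names are constructed, and the administrator-permission flag used for the Fax Reception rule is an assumption about how that rule is represented.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Union


class Role(Enum):
    NORMAL_USER = "normal user process"
    MFP_ADMIN = "MFP administrator process"
    SUPERVISOR = "supervisor process"
    RC_GATE = "RC Gate process"


@dataclass(frozen=True)
class Subject:
    role: Role
    login_name: Optional[str] = None                     # login user name (Table 17)
    available_functions: FrozenSet[str] = frozenset()   # available function list (Table 20)


@dataclass(frozen=True)
class Document:
    attribute: str                           # "+PRT", "+SCN", "+CPY", "+FAXOUT", "+FAXIN" or "+DSR"
    creator: Optional[str] = None            # normal user that created the document data
    user_list: FrozenSet[str] = frozenset()  # document user list


@dataclass(frozen=True)
class UserJob:
    owner: str   # login user name of normal user, the job's security attribute


CREATOR_CONTROLLED = {"+PRT", "+SCN", "+CPY", "+FAXOUT"}   # Table 18: creator only
LIST_CONTROLLED = {"+FAXIN", "+DSR"}                       # Table 18: document user list
ADMIN_DELETABLE = {"+PRT", "+FAXIN", "+DSR"}               # Table 19


def document_access_allowed(subject: Subject, obj: Union[Document, UserJob], operation: str) -> bool:
    """Document access control SFP (FDP_ACF.1(a)); operation is "read" or "delete"."""
    # FDP_ACF.1.4(a): supervisor and RC Gate processes are always denied.
    if subject.role in (Role.SUPERVISOR, Role.RC_GATE):
        return False
    if isinstance(obj, UserJob):
        # Only Delete is defined on user jobs (Tables 18 and 19).
        if operation != "delete":
            return False
        if subject.role is Role.MFP_ADMIN:
            return True
        return subject.login_name == obj.owner
    if operation not in ("read", "delete"):
        return False
    if subject.role is Role.MFP_ADMIN:
        # Table 19 grants Delete on +PRT, +FAXIN and +DSR only; no Read rule exists.
        return operation == "delete" and obj.attribute in ADMIN_DELETABLE
    # Normal user process, Table 18.
    if obj.attribute in CREATOR_CONTROLLED:
        return subject.login_name is not None and subject.login_name == obj.creator
    if obj.attribute in LIST_CONTROLLED:
        return subject.login_name in obj.user_list
    return False


def function_execution_allowed(subject: Subject, function_type: str,
                               administrator_permission: bool = False) -> bool:
    """TOE function access control SFP (FDP_ACF.1(b))."""
    # FDP_ACF.1.3(b): Fax Reception operated with administrator permission is always
    # permitted (the flag is this example's representation of that rule).
    if function_type == "fax reception" and administrator_permission:
        return True
    # FDP_ACF.1.4(b): supervisor and RC Gate processes are denied.
    if subject.role in (Role.SUPERVISOR, Role.RC_GATE):
        return False
    # Table 21: a normal user process may execute only what the MFP administrator
    # placed in its available function list; no other rule grants execution.
    return subject.role is Role.NORMAL_USER and function_type in subject.available_functions
```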
FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: user documents].
6.1.4 Class FIA: Identification and authentication
FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: an administrator configurable positive integer within [assignment: 1 to 5]] unsuccessful authentication attempts occur related to [assignment: the authentication events of Basic Authentication shown in Table 22].
Table 22 : List of Authentication Events of Basic Authentication
Authentication Events
- User authentication using the Operation Panel
- User authentication using the TOE from client computer Web browser
- User authentication when printing from the client computer
- User authentication when using LAN Fax from client computer
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met], the TSF shall [assignment: perform actions shown in Table 23].
Table 23 : List of Actions for Authentication Failure
Unsuccessfully Authenticated Users | Actions for Authentication Failure
Normal user | The lockout for the normal user is released by the lockout time set by the MFP administrator, or release operation by the MFP administrator.
Supervisor | The lockout for a supervisor is released by the lockout time set by the MFP administrator, release operation by the MFP administrator or the TOE's restart.
MFP administrator | The lockout for the MFP administrator is released by the lockout time set by the MFP administrator, release operation by a supervisor or the TOE's restart.
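An added example (not the TOE's implementation) of the FIA_AFL.1 failure counter with the three Table 23 release paths: the lockout timer, the release operation by the permitted role, and the TOE restart, which releases supervisor and MFP administrator lockouts but not normal users. The threshold, lockout time, user names and the role strings are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict

NORMAL_USER = "normal user"
SUPERVISOR = "supervisor"
MFP_ADMINISTRATOR = "MFP administrator"

# Table 23: which role performs the release operation for a locked-out user of each
# role, and whether a TOE restart releases that lockout.
RELEASE_OPERATOR = {NORMAL_USER: MFP_ADMINISTRATOR, SUPERVISOR: MFP_ADMINISTRATOR,
                    MFP_ADMINISTRATOR: SUPERVISOR}
RELEASED_BY_RESTART = {NORMAL_USER: False, SUPERVISOR: True, MFP_ADMINISTRATOR: True}


class BasicAuthenticationLockout:
    def __init__(self, roles: Dict[str, str], attempts_before_lockout: int,
                 lockout_time: timedelta) -> None:
        # FIA_AFL.1.1: the threshold is an administrator-configurable integer from 1 to 5.
        if not 1 <= attempts_before_lockout <= 5:
            raise ValueError("Number of Attempts before Lockout must be 1 to 5")
        self._roles = roles                       # login user name -> role (constructed)
        self._threshold = attempts_before_lockout
        self._lockout_time = lockout_time         # lockout time set by the MFP administrator
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                          # released by the lockout timer
            self._release(user)
            return False
        return True

    def authenticate(self, user: str, password_ok: bool, now: datetime) -> bool:
        """Return True when the user is authenticated; count failures (FIA_AFL.1.2)."""
        if self.is_locked(user, now):
            return False                          # locked out: rejected regardless of password
        if password_ok:
            self._failures.pop(user, None)
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self._threshold:   # defined number "met"
            self._locked_until[user] = now + self._lockout_time
        return False

    def release_operation(self, target: str, operator_role: str) -> bool:
        """Manual release per Table 23; False when operator_role may not release target."""
        if RELEASE_OPERATOR[self._roles[target]] != operator_role:
            return False
        self._release(target)
        return True

    def restart(self) -> None:
        # Table 23: a TOE restart releases supervisor and MFP administrator lockouts only.
        for user in list(self._locked_until):
            if RELEASED_BY_RESTART[self._roles[user]]:
                self._release(user)

    def _release(self, user: str) -> None:
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
```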
FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: the security attributes listed in Table 24 for each user in Table 24].
Table 24 : List of Security Attributes for Each User That Shall Be Maintained
Users | List of Security Attributes
Normal user | Login user name of normal user; User role; Available function list
Supervisor | User role
MFP administrator | Login user name of MFP administrator; User role
RC Gate | User role
FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets (refinement: secrets used in Basic Authentication) meet [assignment: the following quality metrics].
(1) Usable characters and types:
Upper-case letters: [A-Z] (26 letters)
Lower-case letters: [a-z] (26 letters)
Numbers: [0-9] (ten digits)
Symbols: SP (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols)
(2) Registrable password length:
For normal users: No fewer than the minimum character number specified by the MFP administrator (8-32 characters) and no more than 128 characters.
For MFP administrators and a supervisor: No fewer than the minimum character number specified by the MFP administrator (8-32 characters) and no more than 32 characters.
(3) Rule:
Passwords that are composed of a combination of characters based on the password complexity setting specified by the MFP administrator can be registered. The MFP administrator specifies either Level 1 or Level 2 for the password complexity setting.
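An added example, not RICOH code, of a checker for the three FIA_SOS.1 metrics. The concrete meaning of complexity Level 1 and Level 2 is not given in this section, so the complexity rule is modelled here as a required number of distinct character types, which is an assumption; the role strings and the sample passwords are constructed.

```python
import string
from typing import List

UPPER = frozenset(string.ascii_uppercase)        # [A-Z], 26 letters
LOWER = frozenset(string.ascii_lowercase)        # [a-z], 26 letters
DIGITS = frozenset(string.digits)                # [0-9], ten digits
SYMBOLS = frozenset(string.punctuation) | {" "}  # 32 ASCII symbols plus SP = 33 symbols
USABLE = UPPER | LOWER | DIGITS | SYMBOLS
CHARACTER_TYPES = (UPPER, LOWER, DIGITS, SYMBOLS)

NORMAL_USER = "normal user"   # role string, assumed; any other role is treated as
                              # MFP administrator or supervisor


def check_password(password: str, role: str, minimum_character_number: int,
                   required_character_types: int) -> List[str]:
    """Return the list of quality-metric violations; an empty list means registrable."""
    # (2) The MFP administrator sets the minimum between 8 and 32 characters.
    if not 8 <= minimum_character_number <= 32:
        raise ValueError("minimum character number must be 8 to 32")
    # (2) Normal users may register up to 128 characters, MFP administrators and
    # the supervisor up to 32.
    maximum = 128 if role == NORMAL_USER else 32
    problems: List[str] = []
    # (1) Only the listed characters are usable.
    unusable = sorted(set(password) - USABLE)
    if unusable:
        problems.append("unusable characters: " + "".join(unusable))
    if len(password) < minimum_character_number:
        problems.append("shorter than the minimum of %d" % minimum_character_number)
    if len(password) > maximum:
        problems.append("longer than the maximum of %d" % maximum)
    # (3) Complexity, modelled as a count of distinct character types (assumption:
    # the section does not define what Level 1 and Level 2 require).
    present = sum(1 for kind in CHARACTER_TYPES if set(password) & kind)
    if present < required_character_types:
        problems.append("only %d of the required %d character types"
                        % (present, required_character_types))
    return problems
```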
FIA_UAU.1(a) Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1(a) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is authenticated (refinement: authentication with Basic Authentication).
FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.1(b) Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is authenticated (refinement: authentication of MFP administrator and supervisor with Basic Authentication, and authentication of normal user with external authentication server).
FIA_UAU.1.2(b) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.2 User authentication before action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated (refinement: authentication of a person who intends to use the TOE from RC Gate communication interface) before allowing other TSF-mediated actions on behalf of that user.
FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: displaying dummy letters as authentication feedback on the Operation Panel] to the user while the authentication is in progress.
FIA_UID.1(a) Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1(a) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: identification with Basic Authentication).
FIA_UID.1.2(a) The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
FIA_UID.1(b) Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: authentication of MFP administrator and supervisor with Basic Authentication, and identification of normal user with external authentication server).
FIA_UID.1.2(b) The TSF shall require each user to be successfully identified before allowing other TSF-mediated actions on behalf of that user.
FIA_UID.2 User identification before action
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each user to be successfully identified (refinement: identification of a person who intends to use the TOE from RC Gate communication interface) before allowing other TSF-mediated actions on behalf of that user.
FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: login user name of normal user, login user name of MFP administrator, available function list, and user role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes listed in Table 25].
Table 25 : Rules for Initial Association of Attributes
Users | Subjects | User Security Attributes
Normal user | Normal user process | Login user name of normal user; User role; Available function list
Supervisor | Supervisor process | User role
MFP administrator | MFP administrator process | Login user name of MFP administrator; User role
RC Gate | RC Gate process | User role
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none].
6.1.5 Class FMT: Security management
FMT_MSA.1(a) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(a) The TSF shall enforce the [assignment: document access control SFP] to restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the security attributes [assignment: security attributes in Table 26] to [assignment: the user roles with operation permission in Table 26].
Table 26 : User Roles for Security Attributes (a)
Security Attributes | Operations | User Roles with Operation Permission
Login user name of normal user for Basic Authentication | Query, modify, delete, newly create | MFP administrator
Login user name of normal user for Basic Authentication | Query | Normal user who owns the applicable login user name
Login user name of normal user for External Authentication | Query, modify, delete, newly create | MFP administrator
Login user name of supervisor | Query, modify | Supervisor
Login user name of MFP administrator | Newly create | MFP administrator
Login user name of MFP administrator | Query, modify | MFP administrator who owns the applicable login user name
Login user name of MFP administrator | Query | Supervisor
Document data attribute | No operation permitted | -
Document user list [when document data attributes are (+PRT), (+SCN), (+CPY), and (+FAXOUT)] | No operation permitted | -
Document user list [when document data attribute is (+DSR)] | Query, modify | MFP administrator, applicable normal user who stored the document data
Document user list [when document data attribute is (+FAXIN)] | Query, modify | MFP administrator
-: No user roles are permitted for operations by the TOE.
FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the security attributes [assignment: security attributes in Table 27] to [assignment: the user roles with operation permission in Table 27].
Table 27 : User Roles for Security Attributes (b)
Security Attributes | Operations | User Roles with Operation Permission
Login user name of normal user for Basic Authentication | Query, modify, delete, newly create | MFP administrator
Login user name of normal user for Basic Authentication | Query | Normal user who owns the applicable login user name
Login user name of normal user for External Authentication | Query, modify, delete, newly create | MFP administrator
Available function list | Query, modify | MFP administrator
Available function list | Query (however, query is not allowed in case of External Authentication) | Applicable normal user
Function type | No operation permitted | -
User role | No operation permitted | -
-: No user roles are permitted for operations by the TOE.
FMT_MSA.3(a) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(a) The TSF shall enforce the [assignment: document access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 28] to specify alternative initial values to override the default values when an object or information is created.
Table 28 : Authorised Identified Roles Allowed to Override Default Values
Objects | Security Attributes | Authorised Identified Roles
Document data | Document data attribute | No authorised identified roles
Document data [when document data attribute is (+DSR)] | Document user list | MFP administrator; Normal user who stored the applicable document data
Document data [when document data attributes are (+PRT), (+SCN), (+CPY), (+FAXIN), and (+FAXOUT)] | Document user list | No authorised identified roles
User job | Login user name of normal user | No authorised identified roles
FMT_MSA.3(b) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to provide [selection: [assignment: permissive for the available function list, restrictive for the function type, restrictive for the user role]] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(b) The TSF shall allow the [assignment: MFP administrator for the available function list, no authorised identified roles for the function type, no authorised identified roles for the user role] to specify alternative initial values to override the default values when an object or information is created.
FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 29] to [assignment: the user roles in Table 29].
Table 29 : List of TSF Data
TSF Data | Operations | User Roles
Login password of normal user for Basic Authentication | Newly create, modify | MFP administrator
Login password of normal user for Basic Authentication | Modify | Normal user who owns the login password
Login password of supervisor | Modify | Supervisor
Login password of MFP administrator | Modify | Supervisor
Login password of MFP administrator | Newly create | MFP administrator
Login password of MFP administrator | Modify | MFP administrator who owns the login password
Number of Attempts before Lockout for Basic Authentication | Query | MFP administrator
Setting for Lockout Release Timer for Basic Authentication | Query | MFP administrator
Lockout time for Basic Authentication | Query | MFP administrator
Date setting (year, month, day), time setting (hour, minute) | Query, modify | MFP administrator
Date setting (year, month, day), time setting (hour, minute) | Query | Supervisor, normal user
Minimum character number for Basic Authentication | Query | MFP administrator
Password complexity setting for Basic Authentication | Query | MFP administrator
Audit logs | Query, delete | MFP administrator
HDD cryptographic key | Newly create | MFP administrator
S/MIME user information | Newly create, modify, query, delete | MFP administrator
S/MIME user information | Query (query of the user certificate is not allowed when External Authentication is used) | Normal user
Destination information for folder transmission | Newly create, modify, query, delete | MFP administrator
Destination information for folder transmission | Query | Normal user
Users for stored and received documents | Query, modify | MFP administrator
User authentication method | Query | MFP administrator
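The policy in Table 29 is not a pure role matrix: two rows carry an ownership condition (a normal user or MFP administrator may modify only their own login password) and one row carries a context-dependent exception (the S/MIME user certificate under External Authentication). The following is an added example, not code from the Security Target or from the MFP firmware, that expresses the table as an executable default-deny policy so that those combinations can be checked. The identifiers, the short data-item labels, the `owner` and `auth_method` fields and the `is_permitted` function are assumptions made for this example.

```python
"""Executable model of the FMT_MTD.1 policy in Table 29 (added example).

Role names, operations and data items follow Table 29; the identifiers,
the short data labels, the ownership rule encoding and the auth_method
field are assumptions made for this example, not part of the ST.
"""
from dataclasses import dataclass
from typing import Optional

CREATE, QUERY, MODIFY, DELETE = "newly create", "query", "modify", "delete"
ADMIN, SUPERVISOR, NORMAL = "MFP administrator", "supervisor", "normal user"
OWN = "own"  # marker: the acting user must also own the data item

# (data item, operation) -> roles permitted.  A (role, OWN) tuple encodes
# the "... who owns the login password" condition of Table 29.
RULES = {
    ("normal user login password", CREATE): {ADMIN},
    ("normal user login password", MODIFY): {ADMIN, (NORMAL, OWN)},
    ("supervisor login password", MODIFY): {SUPERVISOR},
    ("MFP administrator login password", CREATE): {ADMIN},
    ("MFP administrator login password", MODIFY): {SUPERVISOR, (ADMIN, OWN)},
    ("attempts before lockout", QUERY): {ADMIN},
    ("lockout release timer", QUERY): {ADMIN},
    ("lockout time", QUERY): {ADMIN},
    ("date and time", QUERY): {ADMIN, SUPERVISOR, NORMAL},
    ("date and time", MODIFY): {ADMIN},
    ("minimum character number", QUERY): {ADMIN},
    ("password complexity", QUERY): {ADMIN},
    ("audit logs", QUERY): {ADMIN},
    ("audit logs", DELETE): {ADMIN},
    ("HDD cryptographic key", CREATE): {ADMIN},
    ("S/MIME user information", CREATE): {ADMIN},
    ("S/MIME user information", MODIFY): {ADMIN},
    ("S/MIME user information", QUERY): {ADMIN, NORMAL},
    ("S/MIME user information", DELETE): {ADMIN},
    ("folder transmission destination", CREATE): {ADMIN},
    ("folder transmission destination", MODIFY): {ADMIN},
    ("folder transmission destination", QUERY): {ADMIN, NORMAL},
    ("folder transmission destination", DELETE): {ADMIN},
    ("users for stored and received documents", QUERY): {ADMIN},
    ("users for stored and received documents", MODIFY): {ADMIN},
    ("user authentication method", QUERY): {ADMIN},
}


@dataclass
class Request:
    role: str                       # role of the authenticated user
    user: str                       # login user name of the actor
    data: str                       # data item, a key of RULES
    op: str
    owner: Optional[str] = None     # owner of the item, for password rows
    item: Optional[str] = None      # sub-item, e.g. "user certificate"
    auth_method: str = "basic"      # "basic" or "external"


def is_permitted(req: Request) -> bool:
    """Default deny: permit only what a Table 29 row explicitly allows."""
    # Table 29 exception: a normal user may not query the S/MIME user
    # certificate while External Authentication is in use.
    if (req.role == NORMAL and req.data == "S/MIME user information"
            and req.op == QUERY and req.item == "user certificate"
            and req.auth_method == "external"):
        return False
    for entry in RULES.get((req.data, req.op), ()):
        if entry == req.role:
            return True
        if entry == (req.role, OWN) and req.owner is not None \
                and req.owner == req.user:
            return True
    return False


if __name__ == "__main__":
    # constructed sample requests
    print(is_permitted(Request(NORMAL, "alice", "normal user login password",
                               MODIFY, owner="alice")))                 # True
    print(is_permitted(Request(SUPERVISOR, "sup",
                               "MFP administrator login password", CREATE)))  # False
```

The supervisor row is the one worth a second look when reading the table: the supervisor can reset an MFP administrator's password but cannot create one, and an administrator can change only the administrator password that is their own.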
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components. Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: management functions shown in Table 30].
Table 30 : List of Specification of Management Functions
Management Functions
New creation, query, modification, and deletion of the login user name of normal user by MFP administrator when Basic Authentication is used
Query of own login user name by normal user when Basic Authentication is used
New creation, query, modification, and deletion of the login user name of normal user by MFP administrator when External Authentication is used
Query and modification of login user name of supervisor by supervisor
New creation of login user name of MFP administrator by MFP administrator
Query and modification of own login user name by MFP administrator
Query of login user name of MFP administrator by supervisor
New creation and modification of login password of normal user by MFP administrator when Basic Authentication is used
Modification of own login password by normal user when Basic Authentication is used
Modification of login password of supervisor by supervisor
Modification of login password of MFP administrator by supervisor
New creation of login password of MFP administrator by MFP administrator
Modification of own login password by MFP administrator
Query of minimum character number by MFP administrator when Basic Authentication is used
Query of Password Complexity by MFP administrator when Basic Authentication is used
Query of Number of Attempts before Lockout by MFP administrator when Basic Authentication is used
Query of Lockout Release Timer Setting by MFP administrator when Basic Authentication is used
Query of lockout time by MFP administrator when Basic Authentication is used
Query and modification of document user list by MFP administrator
Query and modification of document user list by the normal user who stored the document
Query and modification of available function list by MFP administrator
Query of own available function list by normal user when Basic Authentication is used
Query and modification of date and time by MFP administrator
Query of date and time by supervisor
Query of date and time by normal user
Query and deletion of audit logs by MFP administrator
New creation of HDD encryption key by MFP administrator
New creation, modification, query and deletion of S/MIME user information by MFP administrator
Query of S/MIME user information by normal user
New creation, modification, query and deletion of destination information for folder transmission by MFP administrator
Query of destination information for folder transmission by normal user
Query and modification of users for stored and received documents by MFP administrator
Query of user authentication method by MFP administrator
FMT_SMR.1 Security roles
Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: normal user, supervisor, MFP administrator, and RC Gate].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
6.1.6 Class FPT: Protection of the TSF
FPT_STM.1 Reliable time stamps
Hierarchical to: No other components. Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
FPT_TST.1 TSF testing
Hierarchical to: No other components. Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up] to demonstrate the correct operation of [selection: [assignment: the MFP Control Software, FCU Control Software]].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]].
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components. Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
6.1.7 Class FTA: TOE access
FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components. Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: elapsed time of auto logout, completion of document data reception from the printer driver, completion of document data reception from the fax driver, and termination of communication with RC Gate].
6.1.8 Class FTP: Trusted path/channels
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components. Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product
that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [selection: the TSF, another trusted IT product] to initiate
communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: communication via the LAN of document data, function data, protected data, and confidential data, and communication with RC Gate via the LAN].
6.2 Security Assurance Requirements
The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 31 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3).
Table 31 : TOE Security Assurance Requirements (EAL3+ALC_FLR.2)
Assurance Classes | Assurance Components
ADV: Development | ADV_ARC.1 Security architecture description
ADV: Development | ADV_FSP.3 Functional specification with complete summary
ADV: Development | ADV_TDS.2 Architectural design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance
AGD: Guidance documents | AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.3 Authorisation controls
ALC: Life-cycle support | ALC_CMS.3 Implementation representation CM coverage
ALC: Life-cycle support | ALC_DEL.1 Delivery procedures
ALC: Life-cycle support | ALC_DVS.1 Identification of security measures
ALC: Life-cycle support | ALC_LCD.1 Developer defined life-cycle model
ALC: Life-cycle support | ALC_FLR.2 Flaw reporting procedures
ASE: Security Target evaluation | ASE_CCL.1 Conformance claims
ASE: Security Target evaluation | ASE_ECD.1 Extended components definition
ASE: Security Target evaluation | ASE_INT.1 ST introduction
ASE: Security Target evaluation | ASE_OBJ.2 Security objectives
ASE: Security Target evaluation | ASE_REQ.2 Derived security requirements
ASE: Security Target evaluation | ASE_SPD.1 Security problem definition
ASE: Security Target evaluation | ASE_TSS.1 TOE summary specification
ATE: Tests | ATE_COV.2 Analysis of coverage
ATE: Tests | ATE_DPT.1 Testing: basic design
ATE: Tests | ATE_FUN.1 Functional testing
ATE: Tests | ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis
6.3 Security Requirements Rationale
This section describes the rationale for security requirements. If all security functional requirements are satisfied as below, the security objectives defined in "4 Security
Objectives" are fulfilled.
6.3.1 Tracing
Table 32 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 32 shows that each TOE security functional requirement fulfils at least one TOE security objective.
Table 32 : Relationship between Security Objectives and Functional Requirements
Security Functional Requirement | Security Objectives fulfilled
FAU_GEN.1 | O.AUDIT.LOGGED
FAU_GEN.2 | O.AUDIT.LOGGED
FAU_STG.1 | O.AUDIT.LOGGED
FAU_STG.4 | O.AUDIT.LOGGED
FAU_SAR.1 | O.AUDIT.LOGGED
FAU_SAR.2 | O.AUDIT.LOGGED
FCS_CKM.1 | O.STORAGE.ENCRYPTED
FCS_COP.1 | O.STORAGE.ENCRYPTED
FDP_ACC.1(a) | O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FDP_ACC.1(b) | O.USER.AUTHORIZED
FDP_ACF.1(a) | O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FDP_ACF.1(b) | O.USER.AUTHORIZED
FDP_RIP.1 | O.DOC.NO_DIS, O.DOC.NO_ALT
FIA_AFL.1 | O.USER.AUTHORIZED
FIA_ATD.1 | O.USER.AUTHORIZED
FIA_SOS.1 | O.USER.AUTHORIZED
FIA_UAU.1(a) | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.1(b) | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.2 | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.7 | O.USER.AUTHORIZED
FIA_UID.1(a) | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UID.1(b) | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UID.2 | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_USB.1 | O.USER.AUTHORIZED
FPT_FDI_EXP.1 | O.INTERFACE.MANAGED
FMT_MSA.1(a) | O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FMT_MSA.1(b) | O.USER.AUTHORIZED
FMT_MSA.3(a) | O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FMT_MSA.3(b) | O.USER.AUTHORIZED
FMT_MTD.1 | O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FMT_SMF.1 | O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FMT_SMR.1 | O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FPT_STM.1 | O.AUDIT.LOGGED
FPT_TST.1 | O.SOFTWARE.VERIFIED
FTA_SSL.3 | O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FTP_ITC.1 | O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.RCGATE.COMM.PROTECT
6.3.2 Justification of Traceability
This section describes how each TOE security objective is fulfilled by the TOE security functional requirements traced to it.
O.DOC.NO_DIS Protection of document disclosure
O.DOC.NO_DIS is the security objective to prevent the documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the document. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Specify and implement the access control to the document data.
FDP_ACC.1(a) and FDP_ACF.1(a) only allow the following persons to view document data according to the document data attributes: the normal user who generated the document data or the normal user who is registered on the document user list of the document data. The MFP administrator, supervisor and RC Gate are not allowed to view document data.
(2) Prevent reading the deleted documents, temporary documents and their fragments.
Deleted documents, temporary documents and their fragments are prevented from being read by FDP_RIP.1.
(3) Use trusted channels for sending or receiving document data.
The document data sent and received by the TOE via the LAN are protected by FTP_ITC.1.
(4) Management of the security attributes.
FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name and the available operations (query and modify) on the document user list, so that each operation is restricted to specified users. FMT_MSA.3(a) always sets restrictive values for the security attributes of document data (object) when document data are generated.
By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_DIS is fulfilled.
O.DOC.NO_ALT Protection of document alteration
O.DOC.NO_ALT is the security objective to prevent the documents from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the document. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Specify and implement the access control to document data.
FDP_ACC.1(a) and FDP_ACF.1(a) allow the following persons to delete document data (there is no "editing operation" of document data) according to the document data attributes: the normal user who generated the document data, the normal user who is registered in the document user list of the document data, and the MFP administrator. The supervisor and RC Gate are not allowed to delete document data.
(2) Prevent reuse of deleted documents, temporary documents and their fragments.
FDP_RIP.1 makes the content of deleted documents, temporary documents and their fragments unavailable for reuse.
(3) Use trusted channels for sending or receiving document data.
The document data sent and received by the TOE via the LAN interface are protected by FTP_ITC.1.
(4) Management of the security attributes.
FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name and the available operations (query and modify) on the document user list, so that each operation is restricted to specified users. FMT_MSA.3(a) always sets restrictive values for the security attributes of document data (object) when document data are generated.
By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_ALT is fulfilled.
O.FUNC.NO_ALT Protection of user job alteration
O.FUNC.NO_ALT is the security objective to prevent the user jobs from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the user job. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Specify and implement the access control to user jobs.
FDP_ACC.1(a) and FDP_ACF.1(a) allow the MFP administrator to delete user jobs, and the normal user with the permission to delete the applicable user job. The supervisor and RC Gate are not allowed to delete user jobs. Deletion is the only modification operation on this TOE's user jobs.
(2) Use trusted channels for sending or receiving user jobs.
The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1.
(3) Management of the security attributes.
FMT_MSA.1(a) restricts each available operation (newly create, query, modify and delete) on the login user name to specified users only. FMT_MSA.3(a) sets restrictive values for the security attributes of user jobs (object) when user jobs are generated.
By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.FUNC.NO_ALT is fulfilled.
O.PROT.NO_ALT Protection of TSF protected data alteration
O.PROT.NO_ALT is the security objective to allow only users who can maintain the security to alter the TSF protected data. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Management of the TSF protected data.
By FMT_MTD.1, only the MFP administrator is allowed to manage the date, time, S/MIME user information, destination folder and users for stored and received documents.
(2) Specification of the Management Function.
FMT_SMF.1 specifies the management functions required by the security functions.
(3) Specification of the roles.
FMT_SMR.1 maintains the roles that hold these privileges and associates users with them.
(4) Use trusted channels for sending or receiving the TSF protected data.
The TSF protected data sent and received by the TOE via the LAN are protected by FTP_ITC.1.
By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.PROT.NO_ALT is fulfilled.
O.CONF.NO_DIS Protection of TSF confidential data disclosure
O.CONF.NO_DIS is the security objective to allow only users who can maintain the security to disclose the TSF confidential data. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Management of the TSF confidential data.
FMT_MTD.1 allows the MFP administrator and the applicable normal user to operate on the login password of a normal user. The supervisor is allowed to operate on the login password of the supervisor. The supervisor and the applicable MFP administrator are allowed to operate on the login password of the MFP administrator. Only the MFP administrator is allowed to operate on the audit log and the HDD cryptographic key.
(2) Specification of the Management Function.
FMT_SMF.1 specifies the management functions required by the security functions.
(3) Specification of the roles.
FMT_SMR.1 maintains the roles that hold these privileges and associates users with them.
(4) Use trusted channels for sending or receiving TSF confidential data.
The TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1.
By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_DIS is fulfilled.
O.CONF.NO_ALT Protection of TSF confidential data alteration
O.CONF.NO_ALT is the security objective to allow only users who can maintain the security to alter the TSF confidential data. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Management of the TSF confidential data.
FMT_MTD.1 allows the MFP administrator and the applicable normal user to operate on the login password of a normal user. The supervisor is allowed to operate on the login password of the supervisor. The supervisor and the applicable MFP administrator are allowed to operate on the login password of the MFP administrator. Only the MFP administrator is allowed to operate on the audit log and to newly create an HDD cryptographic key.
(2) Specification of the Management Function.
FMT_SMF.1 specifies the management functions required by the security functions.
(3) Specification of the roles.
FMT_SMR.1 maintains the roles that hold these privileges and associates users with them.
(4) Use trusted channels for sending or receiving TSF confidential data.
The TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1.
By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_ALT is fulfilled.
O.USER.AUTHORIZED User identification and authentication
O.USER.AUTHORIZED is the security objective to restrict users in accordance with the security policies so that only valid users can use the TOE functions. Authentication failure handling and verification of secrets are the security policies for password authentication when the TOE is accessed from the Operation Panel or from a Web browser on a client computer, when documents are printed from the client computer, and when they are faxed by LAN Fax from the client computer. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Identify and authenticate the users prior to the TOE use.
FIA_UID.1(a) and FIA_UAU.1(a) identify and authenticate the persons who attempt to use the TOE from the Operation Panel or client computer on the network by the Basic Authentication. FIA_UID.1(b) and FIA_UAU.1(b) identify and authenticate the persons by the Basic Authentication if the person who attempts to use the TOE from the Operation Panel or client computer on the network is the MFP administrator or supervisor, and if the person is the normal user, the External Authentication is used for the identification and authentication. FIA_UID.2 identifies the person who attempts to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates RC Gate.
(2) Allow the successfully identified and authenticated user to use the TOE.
FIA_ATD.1 and FIA_USB.1 maintain the security attributes that govern access to the protected assets for users defined in advance, and bind those attributes to the users who have been successfully identified and authenticated. FDP_ACC.1(b) and FDP_ACF.1(b) allow the applicable normal user to use the MFP application according to the operation permission granted to that successfully identified and authenticated normal user.
(3) Make the login password difficult to recover.
FIA_UAU.7 displays dummy characters as authentication feedback on the Operation Panel so that the login password is not disclosed. FIA_SOS.1 accepts only passwords that satisfy the minimum character number and the password character combination specified for Basic Authentication by the MFP administrator, which makes passwords harder to guess. For External Authentication this depends on the settings for External Authentication. FIA_AFL.1 denies access to the TOE for a specified period to a user who fails Basic Authentication a specified number of times. For External Authentication this again depends on the settings for External Authentication.
(4) Terminate login automatically.
FTA_SSL.3 automatically logs the user out of the Operation Panel or the Web browser when no operation has been performed from it for the auto logout time. It also terminates the session used for document data reception once reception from the printer driver or fax driver is complete, and terminates the session with RC Gate once communication with RC Gate is complete.
(5) Management of the security attributes.
According to FMT_MSA.1(b), the login user name and available function list of normal user are managed by the MFP administrator, and users are not allowed to operate the function type. FMT_MSA.3(b) sets the permissive default value to the available function list, and sets the restrictive default value to the function type.
By satisfying FDP_ACC.1(b), FDP_ACF.1(b), FIA_UID.1(a), FIA_UID.1(b), FIA_UID.2, FIA_UAU.1(a), FIA_UAU.1(b), FIA_UAU.2, FIA_ATD.1, FIA_USB.1, FIA_UAU.7, FIA_AFL.1, FIA_SOS.1, FTA_SSL.3, FMT_MSA.1(b) and FMT_MSA.3(b), which are the security functional requirements for these countermeasures, O.USER.AUTHORIZED is fulfilled.
The function for 2600.1-SMI (F.SMI), selected SFR Package from the PP, is used in conjunction with the function whose access control is enforced by FDP_ACC.1(b) and FDP_ACF.1(b). Therefore, the access control for F.SMI is included with the access control by FDP_ACC.1(b) and FDP_ACF.1(b) and fulfilled.
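Countermeasure (3) above describes two mechanisms that are easy to state and easy to get subtly wrong: the quality check on a new secret (FIA_SOS.1) and the lockout with release timer (FIA_AFL.1). The following is an added example, not code from the Security Target or from the MFP firmware, of both behaviours as described here for Basic Authentication. On the TOE the minimum character number, the character combination, the number of attempts before lockout and the lockout time are settings managed by the MFP administrator (Table 29); the default values below, the class names and the injectable `clock` are assumptions made for this example.

```python
"""Added example of the FIA_SOS.1 / FIA_AFL.1 behaviour for Basic
Authentication.  Not code from the Security Target or the MFP firmware;
the defaults (8 characters, 2 character classes, 3 attempts, 60 s) are
assumptions for the example, not the TOE's settings.
"""
import string
import time


class PasswordPolicy:
    """FIA_SOS.1: verify that a new secret meets the configured metric."""

    CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)

    def __init__(self, min_length: int = 8, min_classes: int = 2):
        self.min_length = min_length      # "minimum character number"
        self.min_classes = min_classes    # "password character combination"

    def check(self, password: str):
        """Return (accepted, reason)."""
        if len(password) < self.min_length:
            return False, "shorter than the minimum character number"
        present = sum(any(ch in cls for ch in password) for cls in self.CLASSES)
        if present < self.min_classes:
            return False, "too few character classes in combination"
        return True, "ok"


class LockoutGuard:
    """FIA_AFL.1: lock a user after `max_attempts` consecutive failures.

    The lock is released when the release timer expires or when the MFP
    administrator releases it explicitly.  `clock` is injectable so the
    timer can be exercised in a test without sleeping.
    """

    def __init__(self, max_attempts: int = 3, lockout_seconds: float = 60.0,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}     # user -> consecutive failure count
        self._locked_at = {}    # user -> clock value at lockout

    def is_locked(self, user: str) -> bool:
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        if self._clock() - locked_at >= self.lockout_seconds:
            self.release(user)  # release timer has expired
            return False
        return True

    def attempt(self, user: str, password_correct: bool) -> bool:
        """Process one login attempt; return True if the login is accepted.

        A locked user is refused even with the correct password: that is
        what stops online guessing from simply continuing.
        """
        if self.is_locked(user):
            return False
        if password_correct:
            self._failures.pop(user, None)   # success resets the counter
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_at[user] = self._clock()
        return False

    def release(self, user: str) -> None:
        """Explicit release by the MFP administrator, or timer expiry."""
        self._locked_at.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.check("Tr0ub4dor!"))          # (True, 'ok')
    guard = LockoutGuard(max_attempts=3, lockout_seconds=60)
    for _ in range(3):
        guard.attempt("alice", password_correct=False)
    print(guard.is_locked("alice"))            # True
```

The counter is per user and counts consecutive failures only, which is what "unsuccessfully authenticated ... for a specified number of times" implies; an implementation that also resets the counter on lockout expiry, as `release` does here, avoids a user being re-locked by the very first failure after the timer runs out.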
O.INTERFACE.MANAGED Management of external interfaces by TOE
O.INTERFACE.MANAGED is the security objective to ensure that the TOE manages the operation of its external interfaces according to the security policy. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Identify and authenticate users prior to use of the Operation Panel and LAN interface.
FIA_UID.1(a) and FIA_UID.1(b) identify the persons who attempt to use the TOE from the Operation Panel or client computer on the network, and FIA_UAU.1(a) and FIA_UAU.1(b) authenticate the identified users. FIA_UID.2 identifies the persons who attempt to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates the persons.
(2) Automatically terminate the connection to the Operation Panel and LAN interface.
FTA_SSL.3 terminates the session after no operation has been performed from the Operation Panel or LAN interface for a specified period.
(3) Restricted forwarding of data to external interfaces.
FPT_FDI_EXP.1 prevents data received from the Operation Panel, LAN interface and telephone line from being forwarded to the LAN or telephone line without further processing by the TSF.
By satisfying FIA_UID.1(a), FIA_UID.1(b), FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.2, FIA_UAU.2, FTA_SSL.3 and FPT_FDI_EXP.1, which are the security functional requirements for these countermeasures, O.INTERFACE.MANAGED is fulfilled.
O.SOFTWARE.VERIFIED Software verification
O.SOFTWARE.VERIFIED is the security objective to ensure that MFP Control Software and FCU Control Software are verified. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Self-check
FPT_TST.1 checks at start-up that the MFP Control Software and FCU Control Software are the verified software.
By satisfying FPT_TST.1, which is the security functional requirement for this countermeasure, O.SOFTWARE.VERIFIED is fulfilled.
O.AUDIT.LOGGED Management of audit log records
O.AUDIT.LOGGED is the security objective to record the audit log required to detect security intrusions, and to allow the MFP administrator to view the audit log. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Record the audit log.
FAU_GEN.1 and FAU_GEN.2 record the auditable events together with the identity of the user or subject that caused each event.
(2) Protect the audit log.
FAU_STG.1 protects the audit logs from the alteration, and FAU_STG.4 deletes the audit logs that have the oldest time stamp, and records the new audit logs if auditable events occur and the audit log files are full.
(3) Provide Audit Function.
FAU_SAR.1 allows the MFP administrator to read audit logs in a format suitable for audit. FAU_SAR.2 prohibits persons other than the MFP administrator from reading the audit logs.
(4) Reliable occurrence time of the event
FPT_STM.1 provides a reliable time stamp, so that the time at which each event occurred is reliably recorded in the audit log.
By satisfying FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2 and FPT_STM.1, which are the security functional requirements for these countermeasures, O.AUDIT.LOGGED is fulfilled.
O.STORAGE.ENCRYPTED Encryption of storage devices
O.STORAGE.ENCRYPTED is the security objective to ensure the data to be written into the HDD is encrypted. To fulfil this security objective, it is required to implement the following countermeasures.
(1) Generate appropriate cryptographic keys.
FCS_CKM.1 generates the cryptographic key for encryption.
(2) Perform cryptographic operation.
FCS_COP.1 encrypts the data to be stored in the HDD, and decrypts the data to be read from the HDD.
(3) Manage the TSF data.
FMT_MTD.1 allows the MFP administrator to manage the cryptographic keys.
(4) Specification of Management Function.
FMT_SMF.1 specifies the management functions required by the security functions.
(5) Specification of the roles.
FMT_SMR.1 maintains the roles that hold these privileges and associates users with them.
By satisfying FCS_CKM.1, FCS_COP.1, FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1, which are the security functional requirements for these countermeasures, O.STORAGE.ENCRYPTED is fulfilled.
O.RCGATE.COMM.PROTECT Protection of communication with RC Gate
O.RCGATE.COMM.PROTECT is the security objective to ensure the communication data between the TOE and RC Gate are concealed, and any tampering on the communication path is detected. To fulfil this security objective, it is required to implement the following countermeasure.
(1) Use trusted channel for the communication with RC Gate
FTP_ITC.1 allows the TOE to establish communication with RC Gate that protects the data from tampering and disclosure.
By satisfying FTP_ITC.1, which is the security functional requirement for this countermeasure, O.RCGATE.COMM.PROTECT is fulfilled.
6.3.3 Dependency Analysis
Table 33 shows the result of dependency analysis in this ST for the TOE security functional requirements.
Table 33 : Results of Dependency Analysis of TOE Security Functional Requirements
TOE Security Functional Requirements | Claimed Dependencies | Dependencies Satisfied in ST | Dependencies Not Satisfied in ST
FAU_GEN.1 | FPT_STM.1 | FPT_STM.1 | None
FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | FAU_GEN.1, FIA_UID.1 | None
FAU_STG.1 | FAU_GEN.1 | FAU_GEN.1 | None
FAU_STG.4 | FAU_STG.1 | FAU_STG.1 | None
FAU_SAR.1 | FAU_GEN.1 | FAU_GEN.1 | None
FAU_SAR.2 | FAU_SAR.1 | FAU_SAR.1 | None
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4 | FCS_COP.1 | FCS_CKM.4
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4
FDP_ACC.1(a) | FDP_ACF.1(a) | FDP_ACF.1(a) | None
FDP_ACC.1(b) | FDP_ACF.1(b) | FDP_ACF.1(b) | None
FDP_ACF.1(a) | FDP_ACC.1(a), FMT_MSA.3(a) | FDP_ACC.1(a), FMT_MSA.3(a) | None
FDP_ACF.1(b) | FDP_ACC.1(b), FMT_MSA.3(b) | FDP_ACC.1(b), FMT_MSA.3(b) | None
FDP_RIP.1 | None | None | None
FIA_AFL.1 | FIA_UAU.1(a) | FIA_UAU.1(a) | None
FIA_ATD.1 | None | None | None
FIA_SOS.1 | None | None | None
FIA_UAU.1(a) | FIA_UID.1(a) | FIA_UID.1(a) | None
FIA_UAU.1(b) | FIA_UID.1(b) | FIA_UID.1(b) | None
FIA_UAU.2 | FIA_UID.1 | FIA_UID.2 | None
FIA_UAU.7 | FIA_UAU.1 | FIA_UAU.1 | None
FIA_UID.1(a) | None | None | None
FIA_UID.1(b) | None | None | None
FIA_UID.2 | None | None | None
FIA_USB.1 | FIA_ATD.1 | FIA_ATD.1 | None
FPT_FDI_EXP.1 | FMT_SMF.1, FMT_SMR.1 | FMT_SMF.1, FMT_SMR.1 | None
FMT_MSA.1(a) | [FDP_ACC.1(a) or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(a), FMT_SMR.1, FMT_SMF.1 | None
FMT_MSA.1(b) | [FDP_ACC.1(b) or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(b), FMT_SMR.1, FMT_SMF.1 | None
FMT_MSA.3(a) | FMT_MSA.1(a), FMT_SMR.1 | FMT_MSA.1(a), FMT_SMR.1 | None
FMT_MSA.3(b) | FMT_MSA.1(b), FMT_SMR.1 | FMT_MSA.1(b), FMT_SMR.1 | None
FMT_MTD.1 | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | None
FMT_SMF.1 | None | None | None
FMT_SMR.1 | FIA_UID.1 | FIA_UID.1 | None
FPT_STM.1 | None | None | None
FPT_TST.1 | None | None | None
FTA_SSL.3 | None | None | None
FTP_ITC.1 | None | None | None
The following explains the rationale for acceptability in all cases where a dependency is not satisfied:
Rationale for Removing Dependencies on FCS_CKM.4
Once the MFP administrator generates the cryptographic key used for the HDD encryption of this TOE at the start of TOE operation, the key is used continuously for the HDD and is not deleted. Cryptographic key destruction by a standard method is therefore unnecessary.
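The dependency analysis in Table 33 applies three resolution rules that are easy to misapply by hand: an iterated component such as FIA_UID.1(a) satisfies a dependency on its base FIA_UID.1; a hierarchically higher component such as FIA_UID.2 satisfies a dependency on FIA_UID.1; and a bracketed alternative such as [FCS_CKM.2 or FCS_COP.1] needs only one member present. The following is an added example, not code from the Security Target, that transcribes the claimed dependencies from Table 33 and re-derives the table's result, so that the single remaining gap (FCS_CKM.4) and the effect of adding it can be checked mechanically. The dictionary layout and the `satisfies`/`analyse` functions are assumptions made for this example.

```python
"""Added example: re-derive the Table 33 dependency analysis.

Not code from the Security Target.  CLAIMED is transcribed from Table 33;
HIERARCHY lists the hierarchical relations this ST relies on (CC Part 2).
"""
import re

# Claimed dependencies per SFR as in Table 33.  A tuple is an "[A or B]"
# alternative; an empty list means "None".
CLAIMED = {
    "FAU_GEN.1": ["FPT_STM.1"],
    "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FAU_STG.1": ["FAU_GEN.1"],
    "FAU_STG.4": ["FAU_STG.1"],
    "FAU_SAR.1": ["FAU_GEN.1"],
    "FAU_SAR.2": ["FAU_SAR.1"],
    "FCS_CKM.1": [("FCS_CKM.2", "FCS_COP.1"), "FCS_CKM.4"],
    "FCS_COP.1": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"), "FCS_CKM.4"],
    "FDP_ACC.1(a)": ["FDP_ACF.1(a)"],
    "FDP_ACC.1(b)": ["FDP_ACF.1(b)"],
    "FDP_ACF.1(a)": ["FDP_ACC.1(a)", "FMT_MSA.3(a)"],
    "FDP_ACF.1(b)": ["FDP_ACC.1(b)", "FMT_MSA.3(b)"],
    "FDP_RIP.1": [],
    "FIA_AFL.1": ["FIA_UAU.1(a)"],
    "FIA_ATD.1": [],
    "FIA_SOS.1": [],
    "FIA_UAU.1(a)": ["FIA_UID.1(a)"],
    "FIA_UAU.1(b)": ["FIA_UID.1(b)"],
    "FIA_UAU.2": ["FIA_UID.1"],
    "FIA_UAU.7": ["FIA_UAU.1"],
    "FIA_UID.1(a)": [],
    "FIA_UID.1(b)": [],
    "FIA_UID.2": [],
    "FIA_USB.1": ["FIA_ATD.1"],
    "FPT_FDI_EXP.1": ["FMT_SMF.1", "FMT_SMR.1"],
    "FMT_MSA.1(a)": [("FDP_ACC.1(a)", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.1(b)": [("FDP_ACC.1(b)", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3(a)": ["FMT_MSA.1(a)", "FMT_SMR.1"],
    "FMT_MSA.3(b)": ["FMT_MSA.1(b)", "FMT_SMR.1"],
    "FMT_MTD.1": ["FMT_SMR.1", "FMT_SMF.1"],
    "FMT_SMF.1": [],
    "FMT_SMR.1": ["FIA_UID.1"],
    "FPT_STM.1": [],
    "FPT_TST.1": [],
    "FTA_SSL.3": [],
    "FTP_ITC.1": [],
}

# component -> the component it is hierarchical to
HIERARCHY = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


def base(name: str) -> str:
    """Strip an iteration suffix: 'FIA_UID.1(a)' -> 'FIA_UID.1'."""
    return re.sub(r"\([^)]*\)$", "", name)


def satisfies(present: str, wanted: str) -> bool:
    """Does an included SFR `present` satisfy a dependency on `wanted`?"""
    if wanted.endswith(")"):            # a specific iteration is named
        return present == wanted
    if base(present) == wanted:         # any iteration of the base
        return True
    return HIERARCHY.get(base(present)) == wanted   # hierarchically higher


def analyse(claimed: dict, included=None) -> dict:
    """Return {sfr: [unsatisfied dependency, ...]} for every SFR with a gap."""
    included = set(claimed) if included is None else set(included)
    gaps = {}
    for sfr, deps in claimed.items():
        missing = []
        for dep in deps:
            options = dep if isinstance(dep, tuple) else (dep,)
            if not any(satisfies(p, o) for p in included for o in options):
                missing.append(" or ".join(options))
        if missing:
            gaps[sfr] = missing
    return gaps


if __name__ == "__main__":
    for sfr, missing in analyse(CLAIMED).items():
        print(f"{sfr}: not satisfied -> {', '.join(missing)}")
```

Run stand-alone it reports exactly the two rows Table 33 marks as not satisfied, FCS_CKM.1 and FCS_COP.1, both on FCS_CKM.4; passing `included=set(CLAIMED) | {"FCS_CKM.4"}` shows what the table would look like if key destruction were claimed.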
6.3.4 Security Assurance Requirements Rationale
This TOE is software for the MFP, which is a commercially available product. The MFP is assumed to be used in a general office, and this TOE does not assume attackers with a moderate or greater attack potential.
Architectural design (ADV_TDS.2) is adequate to show the validity of commercially available products. A high attack potential is required for attacks that circumvent or tamper with the TSF, and such attacks are not covered in this evaluation. The vulnerability analysis (AVA_VAN.2) is therefore adequate for general needs.
However, protection of the secrecy of relevant information is required to make attacks more difficult, and it is important to ensure a secure development environment. Development security (ALC_DVS.1) is therefore also important.
In order to operate the TOE securely over time, it is important to remediate flaws discovered after the start of TOE operation according to the flaw reporting procedures (ALC_FLR.2).
Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
7 TOE Summary Specification
This section describes the TOE summary specification for each security function. The security functions are described for each corresponding security functional requirement.
7.1 Audit Function
The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, "audit events"). This function provides the recorded audit log in a legible fashion for users to audit (audit log review). The recorded audit log can be viewed and deleted only by the MFP administrator.
FAU_GEN.1 and FAU_GEN.2
The TOE records the audit log items shown in Table 35 on the HDD in the TOE when the audit events shown in Table 34 occur. Audit log items consist of basic log items and expanded log items. Basic log items are recorded for every audit log entry; expanded log items are recorded only for the audit events for which Table 35 lists them.
FPT_STM.1
The date (year/month/day) and time (hour/minute/second) the TOE records for the audit log are derived from the system clock of the TOE.
FAU_SAR.1, FAU_SAR.2, and FAU_STG.1
The TOE displays the operation menu for audit logs to be read on a Web browser screen only when it is accessed by the MFP administrator. The TOE provides the audit logs in a text format when the MFP administrator instructs the TOE to read the audit logs.
FAU_STG.4
The TOE writes the newest audit log over the oldest audit log when there is insufficient space in the audit log files to append the newest audit log.
Table 34 : List of Audit Events
Audit Events:
- Start-up of the Audit Function (*1)
- Shutdown of the Audit Function (*1)
- Success and failure of login operations (*2)
- Success and failure of login operations from RC Gate communication interface
- Record of Management Function (Table 30)
- Date settings (year/month/day), time settings (hour/minute)
- Termination of session by auto logout
- Web Function communication
- Folder transmission
- E-mail transmission
- Printing via networks
- LAN Fax via networks
- Storing document data
- Reading document data (print, download, fax transmission, e-mail transmission, and folder transmission)
- Deleting document data
- Success and failure of creation, modification, and deletion of S/MIME user information
- Success and failure of creation, modification, and deletion of destination folders
- Communication with RC Gate
(*1): The start-up and shutdown of the Audit Function are substituted with the TOE start-up event.
(*2): Login operation by a person who intends to use the TOE via the RC Gate communication interface is excluded.
Table 35 : List of Audit Log Items
Audit Log Items | Setting Values of Audit Log Items | Audit Events to record Audit Logs
Basic Log Items (recorded for all auditable events shown in Table 34):
- Starting date/time of an event | Values of the TOE system clock at an event occurrence
- Ending date/time of an event | Values of the TOE system clock at an event occurrence
- Event types | Audit event identity
- Subject identity | User or TOE identity for an audit event caused by the user or TOE
- Outcome | Audit event outcome (success or failure)
Expanded Log Items:
- Communication directions | Communication directions (IN/OUT) | Web Function communication; Communication with RC Gate
- Communicating IP address | Communicating IP address | Web Function communication; Folder transmission; Printing via networks; LAN Fax via networks; Communication with RC Gate
- Communicating e-mail address | Communicating e-mail address for e-mail transmission | E-mail transmission
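The basic/expanded split of Table 35 and the overwrite-oldest rule of FAU_STG.4, as an added example that is not the TOE's code. The record field names and the fixed log capacity are assumptions chosen for the illustration; the event names follow Table 34.

```python
"""Audit record generation modelled on Tables 34 and 35, with FAU_STG.4 overwrite.

Added example, not Ricoh code. Field names and the capacity are assumed.
"""
from collections import deque
from datetime import datetime

# Expanded log items and the audit events for which Table 35 records them.
EVENTS_WITH_DIRECTION = {"Web Function communication", "Communication with RC Gate"}
EVENTS_WITH_IP = {
    "Web Function communication", "Folder transmission",
    "Printing via networks", "LAN Fax via networks", "Communication with RC Gate",
}
EVENTS_WITH_EMAIL = {"E-mail transmission"}


class AuditLog:
    """Fixed-capacity audit log: when full, the newest record overwrites the oldest."""

    def __init__(self, capacity: int):
        self._records = deque(maxlen=capacity)   # maxlen discards the oldest on append

    def record(self, event: str, subject: str, outcome: str,
               start: datetime, end: datetime,
               direction: str = None, ip: str = None, email: str = None) -> dict:
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        # Basic log items are recorded for every audit event (Table 35).
        rec = {
            "start": start.strftime("%Y/%m/%d %H:%M:%S"),
            "end": end.strftime("%Y/%m/%d %H:%M:%S"),
            "event": event,
            "subject": subject,
            "outcome": outcome,
        }
        # Expanded log items are recorded only for the events Table 35 lists them for.
        if event in EVENTS_WITH_DIRECTION:
            if direction not in ("IN", "OUT"):
                raise ValueError("communication direction must be IN or OUT")
            rec["direction"] = direction
        if event in EVENTS_WITH_IP:
            if ip is None:
                raise ValueError(f"{event} requires a communicating IP address")
            rec["ip"] = ip
        if event in EVENTS_WITH_EMAIL:
            if email is None:
                raise ValueError("E-mail transmission requires a communicating e-mail address")
            rec["email"] = email
        self._records.append(rec)
        return rec

    def __len__(self) -> int:
        return len(self._records)

    def oldest(self) -> dict:
        return self._records[0]

    def as_text(self) -> str:
        """Legible text form of the log for audit review (FAU_SAR.1)."""
        return "\n".join(
            " ".join(f"{k}={v}" for k, v in rec.items()) for rec in self._records
        )
```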
7.2 Identification and Authentication Function
The Identification and Authentication Function is to verify whether persons who intend to use the TOE are authorised users (MFP administrator, supervisor, normal users, and RC Gate) by referring to the identification and authentication information obtained from the users, so that only persons who are confirmed as authorised users are allowed to use the TOE. Verification methods for normal users include those by Basic Authentication and External Authentication. Either Basic Authentication or External Authentication will be selected when the TOE is installed.
FIA_UAU.1(a) and FIA_UID.1(a): Application of Basic Authentication
The TOE identifies and authenticates a user by checking the login user name and login password entered by the user. However, regarding the viewing of user job lists, Web Image Monitor Help from a Web browser, system status, the counter and information of inquiries, execution of fax reception, and repair request notifications, the TOE identification and authentication is not required for the use of the TOE.
When the TOE is used from the Operation Panel or a Web browser, the screen for a user to enter his or her login user name and login password is displayed, and this screen will be displayed until the entry of the login user name and login password is complete.
When the TOE is used from the printer driver or fax driver, the TOE receives the login user name and login password entered from each driver by a user.
When the entered login user name is the login user name of a normal user, MFP administrator, or supervisor, the TOE checks if the entered login password matches the one pre-registered in the TOE.
FIA_UAU.1(b) and FIA_UID.1(b): Application of External Authentication
The TOE identifies and authenticates a user by checking the login user name and login password entered by the user. However, regarding the viewing of user job lists, Web Image Monitor Help from a Web browser, system status, the counter and information of inquiries, execution of fax reception, and repair request notifications, the TOE identification and authentication is not required for the use of the TOE.
When the TOE is used from the Operation Panel or a Web browser, the screen for a user to enter his or her login user name and login password is displayed, and this screen will be displayed until the entry of the login user name and login password is complete.
When the TOE is used from the printer driver or fax driver, the TOE receives the login user name and login password entered from each driver by a user.
When the entered login user name is the login user name of MFP administrator or supervisor, the TOE checks if the entered login password matches with the one pre-registered by the MFP administrator or supervisor in the TOE. When the entered login user name is not the login user name of the MFP administrator or supervisor, the entered login user name and login password are sent to an external authentication server for confirmation.
When the sent login user name and login password are identified and authenticated, the user is allowed to use the TOE according to the identified user role.
FIA_USB.1, FIA_ATD.1, and FMT_SMR.1
If a user is identified and authenticated as a result of checking FIA_UAU.1(a), FIA_UID.1(a), FIA_UAU.1(b), and FIA_UID.1(b), the use of the TOE by the user is allowed as the identified user role (normal user, MFP administrator, or supervisor). The user role assigned to the user at login will be maintained until the user logs out. If user identification and authentication fails, use of the TOE is denied.
FTA_SSL.3
The automatic logout function the TOE provides is activated if the auto logout time (60 - 999 seconds) specified by the MFP administrator elapses after the final operation from the Operation Panel by the user who logs on to the TOE from the Operation Panel.
The automatic logout function the TOE provides is activated if the fixed auto logout time (30 minutes by default) elapses after the final operation from a Web browser by the user who logs on to the TOE from a Web browser.
The TOE logs out immediately after receiving the print data from the printer driver. The TOE logs out immediately after receiving the transmission information from the fax driver. The TOE terminates a session with RC Gate immediately after the communication with RC Gate is complete.
FIA_UAU.7
Regarding login passwords entered by a person who intends to use the TOE from the Operation Panel or a Web browser, the TOE does not display the entered login password but displays a sequence of dummy characters whose length is the same as that of the entered password.
FIA_AFL.1
When Basic Authentication is applied, the TOE counts the number of identification and authentication attempts that consecutively result in failure using the login user name of a normal user, MFP administrator, or supervisor. When External Authentication is applied, the TOE counts the number of identification and authentication attempts that consecutively result in failure using the login user name of an MFP administrator or supervisor. The TOE locks out the login user name if the number of consecutive login failures exceeds the number of attempts before lockout.
If a user name is locked out, the user with that user name is not allowed to log in unless the lockout time set in advance elapses or an "unlocking administrator" shown in Table 36 and specified for each user role releases the lockout.
Table 36 : Unlocking Administrators for Each User Role
User Roles (Locked out Users) | Unlocking Administrators
Normal user | MFP administrator
Supervisor | MFP administrator
MFP administrator | Supervisor
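The FIA_AFL.1 lockout rule together with the Table 36 release matrix, as an added example that is not the TOE's firmware. The attempt limit, lockout time and the clock value passed in are example parameters standing in for the MFP administrator's settings.

```python
"""Consecutive-failure lockout with role-based release (FIA_AFL.1, Table 36).

Added example, not Ricoh code. Limits and the clock are supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Table 36: the role allowed to release a lockout for each locked-out role.
UNLOCKING_ADMINISTRATOR = {
    "normal_user": "mfp_administrator",
    "supervisor": "mfp_administrator",
    "mfp_administrator": "supervisor",
}


@dataclass
class LockoutState:
    failures: int = 0                    # consecutive failures for this login user name
    locked_at: Optional[float] = None    # clock value when lockout began; None if not locked


@dataclass
class LockoutManager:
    attempts_before_lockout: int         # "number of attempts before lockout"
    lockout_seconds: float               # "lockout time set in advance"; 0 means no timed release
    accounts: Dict[str, LockoutState] = field(default_factory=dict)

    def _state(self, user: str) -> LockoutState:
        return self.accounts.setdefault(user, LockoutState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.lockout_seconds and now - st.locked_at >= self.lockout_seconds:
            # Lockout time elapsed: the lockout is released and the counter reset.
            st.locked_at = None
            st.failures = 0
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float) -> bool:
        """Record one authentication outcome; returns True if the user ends up locked out."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True                  # attempts while locked are refused; count unchanged
        if success:
            st.failures = 0              # a success breaks the consecutive-failure run
            return False
        st.failures += 1
        if st.failures > self.attempts_before_lockout:   # "exceeds the number of attempts"
            st.locked_at = now
            return True
        return False

    def release(self, user: str, user_role: str, releasing_role: str) -> bool:
        """Administrative release; permitted only by the unlocking administrator of Table 36."""
        if UNLOCKING_ADMINISTRATOR.get(user_role) != releasing_role:
            return False
        st = self._state(user)
        st.locked_at = None
        st.failures = 0
        return True
```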
FIA_SOS.1
Login passwords for users can be registered only if these passwords meet the following conditions:
(1) Usable characters and types:
- Upper-case letters: [A-Z] (26 letters)
- Lower-case letters: [a-z] (26 letters)
- Numbers: [0-9] (ten digits)
- Symbols: SP (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (33 symbols)
(2) Registrable password length:
- For normal users: no less than the minimum character number for password (8-32 characters) specified by the MFP administrator and no more than 128 characters.
- For MFP administrators and a supervisor: no less than the minimum character number for password (8-32 characters) specified by the MFP administrator and no more than 32 characters.
(3) Combination of character types:
The number of combined character types specified by the MFP administrator (two types or more, or three types or more).
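The FIA_SOS.1 conditions (1) to (3) as a registrability check, added here as an example and not taken from the TOE. The role names, the administrator-set minimum length and the required number of character types are parameters assumed for the illustration.

```python
"""Password registrability check modelled on the FIA_SOS.1 conditions.

Added example, not Ricoh code. Role names and administrator settings are assumed.
"""
import string
from typing import List

# Condition (1): the four usable character types. The 33 symbols are exactly
# string.punctuation (32 characters) plus the space character.
UPPER = set(string.ascii_uppercase)        # 26 letters
LOWER = set(string.ascii_lowercase)        # 26 letters
DIGIT = set(string.digits)                 # 10 digits
SYMBOL = set(string.punctuation) | {" "}   # 33 symbols
ALLOWED = UPPER | LOWER | DIGIT | SYMBOL

# Condition (2): the upper length bound depends on the user role.
MAX_LENGTH = {"normal_user": 128, "mfp_administrator": 32, "supervisor": 32}


def count_character_types(password: str) -> int:
    """Number of the four character types present in the password (condition (3))."""
    return sum(1 for cls in (UPPER, LOWER, DIGIT, SYMBOL) if any(ch in cls for ch in password))


def check_password(password: str, role: str, min_length: int, min_types: int) -> List[str]:
    """Return the list of violated conditions; an empty list means the password is registrable.

    min_length: the MFP administrator's minimum character number (8-32 in the ST).
    min_types:  the required combination of character types (2 or 3 in the ST).
    """
    if not 8 <= min_length <= 32:
        raise ValueError("minimum character number must be 8-32")
    if min_types not in (2, 3):
        raise ValueError("character type combination must be 2 or 3")
    if role not in MAX_LENGTH:
        raise ValueError(f"unknown role {role!r}")

    problems = []
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append(f"unusable characters: {bad}")
    if len(password) < min_length:
        problems.append(f"shorter than minimum {min_length}")
    if len(password) > MAX_LENGTH[role]:
        problems.append(f"longer than maximum {MAX_LENGTH[role]} for {role}")
    if count_character_types(password) < min_types:
        problems.append(f"fewer than {min_types} character types")
    return problems
```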
FIA_UAU.2, FIA_UID.2, and FIA_USB.1
A certificate is a set of identification and authentication information of RC Gate. When the TOE receives a certificate from an IT device to access the TOE via RC Gate communication interface, the TOE checks if the certificate matches another certificate installed in the TOE. Only if the certificate sent from the IT device matches the one installed in the TOE so that the IT device is identified as RC Gate, the IT device whose user role is RC Gate is allowed to use the TOE.
FPT_FDI_EXP.1
The TOE accepts input information only after the TSF has reliably identified and authenticated the source of the input information from the Operation Panel or from the client computer via the LAN interface. Therefore, input information cannot be forwarded unless the TSF has been involved in its identification and authentication.
7.3 Document Access Control Function
The Document Access Control Function is to allow authorised TOE users to operate document data and user jobs in accordance with the provided user role privilege or user privilege.
FDP_ACC.1(a) and FDP_ACF.1(a)
The TOE controls user operations for document data and user jobs in accordance with (1) access control rule on document data and (2) access control rule on user jobs.
(1) Access control rule on document data
The TOE provides users with the interface for stored documents to be printed, downloaded to the client computers, sent by fax, sent by e-mail, sent to folders, and deleted. The interface enables users to delete all the stored documents.
Users authorised to operate stored documents are MFP administrator and normal users. The supervisor and RC Gate are not allowed to operate stored documents.
When the MFP administrator or a normal user logs in from the Operation Panel or a Web browser, the TOE displays a list of the stored documents whose operations are authorised and the menu for the authorised operations (printing, downloading to the client computers, fax transmission, e-mail transmission, sending to folders, deletion, and deletion of all files).
When the MFP administrator logs in from the Operation Panel or a Web browser, the TOE displays a list of all the stored documents and the operation menu for deletion and deletion of all files. The MFP administrator can select and delete a document from the list of the stored documents or all documents. When a normal user logs in from the Operation Panel or a Web browser, the TOE displays a list of the stored documents that register the login user names of the normal users who logged in to the document user list, and an operation menu. They will be displayed according to the rules shown in Table 37. The privileges that allow users to edit the document user list are shown in "7.8 Security Management Function".
Also, the TOE allows only the user job owner to view and delete the document data handled as a user job while Copy Function, Printer Function, Scanner Function, Fax Function, or Document Server Function is being used.
While no interface to change job owners is provided, an interface to cancel user jobs is provided. If a user job is cancelled, any document the cancelled job operates will be deleted.
Table 37 : Stored Documents Access Control Rules for Normal Users
I/F to be Used | Available Functions for Users | Types of Stored Documents displayed in the List | Operations displayed on the Menu
Operation Panel | Document Server Function | Document Server documents | Print, Delete
Operation Panel | Document Server Function | Fax transmission documents | Print, Delete
Operation Panel | Printer Function | Printer documents | Print, Delete
Operation Panel | Scanner Function | Scanner documents | E-mail transmission, Folder transmission, Delete
Operation Panel | Fax Function | Fax transmission documents | Fax transmission, Folder transmission, Print, Delete
Operation Panel | Fax Function | Fax reception documents | Print, Delete
Web browser | Document Server Function | Document Server documents | Print, Delete
Web browser | Document Server Function | Scanner documents | E-mail transmission, Folder transmission, Download, Delete (these operations are authorised only if normal users are privileged to use Scanner Function)
Web browser | Document Server Function | Fax transmission documents | Fax transmission, Download, Print, Delete (these operations are authorised only if normal users are privileged to use Fax Function)
Web browser | Printer Function | Printer documents | Print, Delete
Web browser | Fax Function | Fax reception documents | Print, Download, Delete (these operations are authorised only if normal users are privileged to use Document Server Function)
(2) Access control rule on user jobs
The TOE displays on the Operation Panel a menu to cancel a user job only if the user who logs in from the Operation Panel is a user job owner or MFP administrator and a cancellation of a user job is attempted by the owner or MFP administrator. Other users are not allowed to operate user jobs.
When a user job is cancelled, any documents operated by the cancelled job will be deleted. However, if the document data operated by the cancelled user job is a stored document, the data will not be deleted and remains stored in the TOE.
7.4 Use-of-Feature Restriction Function
The Use-of-Feature Restriction Function is to authorise TOE users to use Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified and authenticated TOE users and user privileges set for each user.
FDP_ACC.1(b) and FDP_ACF.1(b)
The TOE verifies the role for an authorised TOE user who attempts to start operating Copy Function, Printer Function, Scanner Function, Document Server Function, and Fax Function.
If the role is that of normal user, the user can operate only functions that are included in the available function list set for each normal user.
If the role is that of MFP administrator, the user can operate Fax Reception Function that corresponds to MFP management.
If the role is that of supervisor and RC Gate, using any functions is not allowed.
7.5 Network Protection Function
The Network Protection Function is to provide network monitoring to prevent information leakage when LAN is used and to detect data tampering.
FTP_ITC.1
The encrypted communications provided by the TOE differ depending on communicating devices. Table 38 shows the encrypted communications provided by the TOE.
Table 38 : Encrypted Communications Provided by the TOE
Communicating Devices | Protocols | Cryptographic Algorithms
Client computer | TLS1.0 | AES (128 bits, 256 bits), 3DES (168 bits)
External authentication server | Kerberos | AES (128 bits, 256 bits), 3DES (168 bits)
RC Gate | SSL3.0, TLS1.0 | AES (128 bits, 256 bits), 3DES (168 bits)
FTP server | IPSec | AES (128 bits, 192 bits, 256 bits), 3DES (168 bits)
SMB server | IPSec | AES (128 bits, 192 bits, 256 bits), 3DES (168 bits)
SMTP server | S/MIME | 3DES (168 bits)
7.6 Residual Data Overwrite Function
The Residual Data Overwrite Function is to overwrite specific patterns on the HDD and disable the reusing of the residual data included in the deleted documents, temporary documents and their fragments on the HDD.
FDP_RIP.1
Methods to delete the HDD area through overwriting include sequential overwriting and batch overwriting. For sequential overwriting, the TOE constantly monitors the information on a residual data area, and overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE applies the method specified by the MFP administrator and overwrites the area on the HDD where the digital image data of the document data is stored. Also, when a user job is complete, the TOE applies the method specified by the MFP administrator and overwrites the area on the HDD where temporary documents that are created while a user job is executed, or the fragments of those temporary documents, are stored.
For batch overwriting, the TOE collectively overwrites the HDD with the method specified by the MFP administrator.
Overwriting methods include the NSA method, the DoD method, and the random number method. An overwriting method is specified by the MFP administrator when the TOE is installed. The NSA method overwrites twice with random numbers and once with Null (0). The DoD method overwrites once with a fixed value, once with its complement, and then with random numbers, which are verified afterwards. The random number method overwrites three to nine times with random numbers; the MFP administrator specifies the number of times to overwrite when the TOE is installed.
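The pass sequences of the three overwriting methods, as an added example that is not the TOE's firmware. The bytearray stands in for an HDD area, and the fixed value used by the DoD method is an assumption, since the ST only says "fixed value" and "its complement".

```python
"""Overwrite pass sequences for the NSA, DoD and random number methods (FDP_RIP.1).

Added example, not Ricoh code. DOD_FIXED_VALUE is assumed; the ST does not name it.
"""
import os
from typing import List, Optional, Tuple

DOD_FIXED_VALUE = 0x00   # assumed fixed value; its complement is then 0xFF


def overwrite_passes(method: str, random_passes: int = 3) -> List[Tuple[str, Optional[int]]]:
    """Return the (label, byte value) passes for a method; None means random data."""
    if method == "NSA":
        # Twice with random numbers, once with Null (0).
        return [("random", None), ("random", None), ("null", 0x00)]
    if method == "DoD":
        # Once with a fixed value, once with its complement, then random numbers.
        return [("fixed", DOD_FIXED_VALUE), ("complement", DOD_FIXED_VALUE ^ 0xFF), ("random", None)]
    if method == "random":
        if not 3 <= random_passes <= 9:
            raise ValueError("random number method overwrites three to nine times")
        return [("random", None)] * random_passes
    raise ValueError(f"unknown overwriting method {method!r}")


def sanitize(area: bytearray, method: str, random_passes: int = 3) -> int:
    """Overwrite `area` in place with the chosen method; returns the number of passes.

    For the DoD method the final random pass is read back and compared, as the ST
    describes; on a real HDD that read-back would come from the disk sectors.
    """
    passes = overwrite_passes(method, random_passes)
    for label, value in passes:
        data = os.urandom(len(area)) if value is None else bytes([value]) * len(area)
        area[:] = data
        if method == "DoD" and label == "random" and bytes(area) != data:
            raise RuntimeError("verification after the final random overwrite failed")
    return len(passes)
```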
7.7 Stored Data Protection Function
The Stored Data Protection Function is to encrypt the data on the HDD and protect the data so that data leakage can be prevented.
FCS_CKM.1 and FCS_COP.1
The TOE encrypts data before writing it on the HDD, and decrypts the encrypted data after reading it from the HDD. This process is applied to all data written on and read from the HDD. Detailed cryptographic operations are shown in Table 39.
Table 39 : List of Cryptographic Operations for Stored Data Protection
Encryption-triggering Operations | Cryptographic Operations | Standard | Cryptographic Algorithm | Key Size
Writing data to HDD | Encrypt | FIPS197 | AES | 256 bits
Reading data from HDD | Decrypt | FIPS197 | AES | 256 bits
Following operations by the MFP administrator, the TOE generates a cryptographic key. If a login user is the MFP administrator, the screen to generate an HDD cryptographic key is provided from the Operation Panel.
If the MFP administrator gives instructions to generate an HDD cryptographic key from the Operation Panel, the TOE uses a genuine random number generator and generates random numbers that conform to the standard BSI-AIS31.
7.8 Security Management Function
The Security Management Function consists of functions to 1) control operations for TSF data, 2) maintain user roles assigned to normal users, MFP administrator, or supervisor to operate the Security Management Function, and 3) set appropriate default values to security attributes, all of which accord with user role privileges or user privileges that are assigned to normal users, MFP administrator, or supervisor.
FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.3(a), FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1
The TOE allows operations for TSF data according to the rules described in Table 40.
Table 40 : Management of TSF Data
(Columns: TSF Data | Operation Interface, followed by the allowed Operations | Users)
Login user names of normal users when Basic Authentication is applied | Operation Panel, Web browser
- Newly create, query, modify, delete | MFP administrator
- Query | Applicable normal user
Login user names of normal users when External Authentication is applied (*1) | Operation Panel, Web browser
- Newly create, query, modify, delete | MFP administrator
Login user name of supervisor | Operation Panel, Web browser
- Query, modify | Supervisor
Login user name of MFP administrator | Operation Panel, Web browser
- Newly create | MFP administrator
- Query, modify | Applicable MFP administrator
- Query | Supervisor
Document data attributes | No operation interfaces available
- No operations allowed | -
Document user list (stored document types are Document Server document, scanner document, fax document and printer document (with stored print)) | Operation Panel, Web browser
- Query, modify | MFP administrator, applicable normal user who stored the document
Document user list (stored document type is fax received document) (*2) | Operation Panel, Web browser
- Query, modify | MFP administrator
Default values of the document user list | Operation Panel, Web browser
- Query, modify | MFP administrator, applicable normal user who stored the documents
Available function list | Operation Panel, Web browser
- Query, modify | MFP administrator
- Query (query is unavailable for External Authentication) | Applicable normal user
Function types | No operation interfaces available
- No operations allowed | -
User roles | No operation interfaces available
- No operations allowed | -
Login passwords of normal users when Basic Authentication is applied | Operation Panel, Web browser
- Newly create, modify | MFP administrator
- Modify | Applicable normal user
Login password of supervisor | Operation Panel, Web browser
- Modify | Supervisor
Login password of MFP administrator | Operation Panel, Web browser
- Modify | Supervisor
- Newly create | MFP administrator
- Modify | Applicable MFP administrator
Number of Attempts before Lockout when Basic Authentication is applied | Operation Panel, Web browser
- Query | MFP administrator
Settings for Lockout Release Timer when Basic Authentication is applied | Web browser
- Query | MFP administrator
Lockout time for Basic Authentication | Web browser
- Query | MFP administrator
Date settings (year/month/day) | Operation Panel, Web browser
- Query, modify | MFP administrator
- Query | Supervisor, normal user
Time | Operation Panel, Web browser
- Query, modify | MFP administrator
- Query | Supervisor, normal user
Minimum character number of password for Basic Authentication | Operation Panel
- Query | MFP administrator
Password complexity setting for Basic Authentication | Operation Panel
- Query | MFP administrator
Audit log | Web browser
- Query, delete | MFP administrator
HDD cryptographic key | Operation Panel
- Newly create | MFP administrator
S/MIME user information | Operation Panel, Web browser
- Newly create, modify, query, delete | MFP administrator
- Query (query of a user certificate is unavailable for External Authentication) | Normal user
Destination folder | Operation Panel, Web browser
- Newly create, modify, query, delete | MFP administrator
- Query | Normal user
Users for stored and received documents | Operation Panel, Web browser
- Query, modify | MFP administrator
User authentication procedures | Operation Panel, Web browser
- Query | MFP administrator
-: No user roles whose operations are allowed by the TOE
(*1): The login user name of a normal user that is registered on an external authentication server is not changed even though the MFP administrator newly creates, modifies, or deletes the login user name of the normal user.
(*2): If the MFP administrator modifies the stored and received document users, and the stored document type of the document user list of document data is received fax document, the list will be modified to the values of the stored and received document users.
FMT_MSA.3(a) and FMT_MSA.3(b)
The TOE sets default values for objects and subjects according to the rules described in Table 41 when those objects and subjects are generated.
Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP
Objects/Subjects | Security attributes | Default values
Document data | Document data attribute | One of the following:
- +PRT: Documents printed from the client computer with direct print, locked print, hold print, and sample print.
- +SCN: Documents sent by e-mail or to folders from the MFP.
- +CPY: Documents copied using the MFP.
- +FAXOUT: Documents sent by fax from the MFP or client computer.
- +FAXIN: Documents received from a telephone line.
- +DSR: Documents stored in the TOE by using Copy Function, Scanner Function, Document Server Function and Fax Data Storage Function, and documents printed using Document Server printing or stored print from the client computer.
Document data (stored document types are Document Server document, scanner document and fax document) | Document user list | Default values of a document user list assigned to each user.
Document data (stored document type is printer document) | Document user list | Login user name of a normal user who stored the document data.
Document data (stored document type is fax received document) | Document user list | Login user name of a normal user included in the stored and received document user list.
User jobs | Login user name of normal user | Login user name of a normal user who newly creates a user job.
Normal user | Available function lists | Values to indicate whether or not Copy Function, Printer Function, Scanner Function, Document Server Function, or Fax Function is available. For Basic Authentication, these values are specified by the MFP administrator. For External Authentication, the values indicate that none of the functions is available.
Each MFP application (Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function) | Function type | The values specified for each function type are as follows: for Copy Function, values to identify Copy Function; for Document Server Function, values to identify Document Server Function; for Printer Function, values to identify Printer Function; for Scanner Function, values to identify Scanner Function; for Fax Function, values to identify Fax Function.
7.9 Software Verification Function
The Software Verification Function is to verify the integrity of the executable codes of the MFP Control Software and FCU Control Software and confirm that these codes can be trusted.
FPT_TST.1
The TOE verifies software at TOE start-up. The TOE verifies the integrity of the MFP Control Software first by using the hash and then by checking the certificate. If the hash does not match its original value or the certificate verification fails, the TOE displays an error message and becomes unavailable. If the hash matches its original value and the certificate is verified, the TOE becomes available. The TOE also verifies the integrity of the audit log data files. The TOE outputs the information used for integrity verification so that the integrity of the FCU Control Software can be verified: to check the integrity of the FCU Control Software, the information the TOE outputs is compared with the information described in the guidance documents.
7.10 Fax Line Separation Function
The Fax Line Separation Function is to receive only faxes as input information from telephone lines so that unauthorised intrusion from telephone lines can be prevented. This function also can be used to prohibit transmissions of received faxes so that unauthorised intrusion from telephone lines to the LAN can be prevented.
FPT_FDI_EXP.1
The TOE receives fax data only as input information from telephone lines. If any communication that does not comply with the fax protocol is performed, the line is disconnected. Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded.