Ricoh C400DN - Aficio SP Color Laser, Aficio MP C300 series, Aficio MP C300SR series, Aficio MP C400 series, Aficio MP C400SR series Printer Manual

Aficio MP C300/C300SR/C400/C400SR series

Security Target

Author : RICOH COMPANY, LTD.

Date : 2012-08-17

Version : 1.00

Portions of Aficio

MP C300/C300SR/C400/C400SR series Security Target are

reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New

Jersey 08855,

from IEEE 2600.1, Protection Profile for Hardcopy Devices,

This document is a translation of the evaluated and certified security target

written in Japanese.

Page 1 of

91

Revision History

Version Date Author Detail

1.00 2012-08-17 RICOH COMPANY, LTD. Publication version.

Page 2 of

91

Table of Contents

1111 ST Introduction

ST IntroductionST Introduction

ST Introduction................................

................................................................

.....................................................

..........................................

..................... 7777

1.1

1.11.1

1.1 ST Reference

ST ReferenceST Reference

ST Reference ................................

................................................................

..................................................

....................................

.................. 7777

1.2

1.21.2

1.2 TOE Reference

TOE ReferenceTOE Reference

TOE Reference ................................

................................................................

...............................................

..............................

............... 7777

1.3

1.31.3

1.3 TOE Overview

TOE OverviewTOE Overview

TOE Overview................................

................................................................

................................................

................................

................ 8888

1.3.1 TOE Type..................................................................................................................... 8

1.3.2 TOE Usage................................................................................................................... 8

1.3.3 Major Security Features of TOE...............................................................................11

1.4

1.41.4

1.4 TOE Description

TOE DescriptionTOE Description

TOE Description................................

................................................................

...........................................

......................

........... 11

1111

11

1.4.1 Physical Boundary of TOE ........................................................................................11

1.4.2 Guidance Documents................................................................................................ 14

1.4.3 Definition of Users.................................................................................................... 17

1.4.3.1. Direct User ......................................................................................................... 17

1.4.3.2. Indirect User ...................................................................................................... 18

1.4.4 Logical Boundary of TOE ......................................................................................... 19

1.4.4.1. Basic Functions.................................................................................................. 19

1.4.4.2. Security Functions............................................................................................. 22

1.4.5 Protected Assets ........................................................................................................ 24

1.4.5.1. User Data ........................................................................................................... 24

1.4.5.2. TSF Data ............................................................................................................ 25

1.4.5.3. Functions............................................................................................................ 25

1.5

1.51.5

1.5 Glossary

GlossaryGlossary

Glossary................................

................................................................

........................................................

................................................

........................ 25

2525

25

1.5.1 Glossary for This ST ................................................................................................. 25

2222 Conformance Claim

Conformance ClaimConformance Claim

Conformance Claim................................

................................................................

.............................................

..........................

............. 29

2929

29

2.1

2.12.1

2.1 CC Conformance Claim

CC Conformance ClaimCC Conformance Claim

CC Conformance Claim................................

................................................................

................................ 29

2929

29

2.2

2.22.2

2.2 PP Claims

PP ClaimsPP Claims

PP Claims................................

................................................................

.....................................................

..........................................

..................... 29

2929

29

2.3

2.32.3

2.3 Package Claims

Package ClaimsPackage Claims

Package Claims................................

................................................................

............................................

........................

............ 29

2929

29

2.4

2.42.4

2.4 Conformance Claim Rationale

Conformance Claim RationaleConformance Claim Rationale

Conformance Claim Rationale ................................

................................................................

.....................................................

..........................................

..................... 30

3030

30

2.4.1 Consistency Claim with TOE Type in PP................................................................ 30

2.4.2 Consistency Claim with Security Problems and Security Objectives in PP......... 30

2.4.3 Consistency Claim with Security Requirements in PP.......................................... 31

3333 Security Problem Definitions

Security Problem DefinitionsSecurity Problem Definitions

Security Problem Definitions................................

................................................................

..............................................................

............................................................

.............................. 34

3434

34

Page 3 of

91

3.1

3.13.1

3.1 Threats

ThreatsThreats

Threats ................................

................................................................

.........................................................

..................................................

......................... 34

3434

34

3.2

3.23.2

3.2 Organisational Security Policies

Organisational Security PoliciesOrganisational Security Policies

Organisational Security Policies................................

................................................................

..................................................

....................................

.................. 35

3535

35

3.3

3.33.3

3.3 Assumptions

AssumptionsAssumptions

Assumptions................................

................................................................

.................................................

..................................

................. 35

3535

35

4444 Security Objectives

Security ObjectivesSecurity Objectives

Security Objectives................................

................................................................

..............................................

............................

.............. 37

3737

37

4.1

4.14.1

4.1 Security Objectives for TOE

Security Objectives for TOESecurity Objectives for TOE

Security Objectives for TOE................................

................................................................

.........................................................

..................................................

......................... 37

3737

37

4.2

4.24.2

4.2 Security Objectives of Operational Enviro

Security Objectives of Operational EnviroSecurity Objectives of Operational Enviro

Security Objectives of Operational Environment

nmentnment

nment................................

................................................................

........................................................

................................................

........................ 38

3838

38

4.2.1 IT Environment......................................................................................................... 38

4.2.2 Non-IT Environment................................................................................................. 39

4.3

4.34.3

4.3 Security Objectives Rationale

Security Objectives RationaleSecurity Objectives Rationale

Security Objectives Rationale................................

................................................................

......................................................

............................................

...................... 40

4040

40

4.3.1 Correspondence Table of Security Objectives ......................................................... 40

4.3.2 Security Objectives Descriptions ............................................................................. 41

5555 Extended Components Definition

Extended Components DefinitionExtended Components Definition

Extended Components Definition................................

................................................................

.......................................................

..............................................

....................... 45

4545

45

5.1

5.15.1

5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP)

Restricted forwarding of data to external interfaces (FPT_FDI_EXP)Restricted forwarding of data to external interfaces (FPT_FDI_EXP)

Restricted forwarding of data to external interfaces (FPT_FDI_EXP) .......................

..............................................

....................... 45

4545

45

6666 Security Requirements

Security RequirementsSecurity Requirements

Security Requirements................................

................................................................

........................................

................

........ 47

4747

47

6.1

6.16.1

6.1 Security Functional Requirements

Security Functional RequirementsSecurity Functional Requirements

Security Functional Requirements ................................

................................................................

..............................................

............................

.............. 47

4747

47

6.1.1 Class FAU: Security audit........................................................................................ 47

6.1.2 Class FCS: Cryptographic support .......................................................................... 50

6.1.3 Class FDP: User data protection ............................................................................. 51

6.1.4 Class FIA: Identification and authentication ......................................................... 55

6.1.5 Class FMT: Security management........................................................................... 59

6.1.6 Class FPT: Protection of the TSF............................................................................. 65

6.1.7 Class FTA: TOE access............................................................................................. 65

6.1.8 Class FTP: Trusted path/channels........................................................................... 65

6.2

6.26.2

6.2 Security Assurance Requirements

Security Assurance RequirementsSecurity Assurance Requirements

Security Assurance Requirements................................

................................................................

...............................................

..............................

............... 66

6666

66

6.3

6.36.3

6.3 Security Requirements Rationale

Security Requirements RationaleSecurity Requirements Rationale

Security Requirements Rationale................................

................................................................

................................................

................................

................ 67

6767

67

6.3.1 Tracing ....................................................................................................................... 67

6.3.2 Justification of Traceability...................................................................................... 68

6.3.3 Dependency Analysis ................................................................................................ 75

6.3.4 Security Assurance Requirements Rationale.......................................................... 77

7777 TOE Summary Specification

TOE Summary SpecificationTOE Summary Specification

TOE Summary Specification................................

................................................................

...............................................................

..............................................................

............................... 78

7878

78

7.1

7.17.1

7.1 Audit Function

Audit FunctionAudit Function

Audit Function ................................

................................................................

.............................................

..........................

............. 78

7878

78

7.2

7.27.2

7.2 Identification and Authentication Function

Identification and Authentication FunctionIdentification and Authentication Function

Identification and Authentication Function ................................

................................................................

................................ 80

8080

80

Page 4 of

91

7.3

7.37.3

7.3 Document Access Control Function

Document Access Control FunctionDocument Access Control Function

Document Access Control Function ................................

................................................................

.............................................

..........................

............. 82

8282

82

7.4

7.47.4

7.4 Use

UseUse

Use----of

ofof

of----Feature Restriction Function

Feature Restriction FunctionFeature Restriction Function

Feature Restriction Function ................................

................................................................

...........................................

......................

........... 84

8484

84

7.5

7.57.5

7.5 Network Protection Function

Network Protection FunctionNetwork Protection Function

Network Protection Function................................

................................................................

.......................................................

..............................................

....................... 85

8585

85

7.6

7.67.6

7.6 Residual Data Ov

Residual Data OvResidual Data Ov

Residual Data Overwrite Function

erwrite Functionerwrite Function

erwrite Function................................

................................................................

..............................................

............................

.............. 85

8585

85

7.7

7.77.7

7.7 Stored Data Protection Function

Stored Data Protection FunctionStored Data Protection Function

Stored Data Protection Function................................

................................................................

.................................................

..................................

................. 86

8686

86

7.8

7.87.8

7.8 Security Management Function

Security Management FunctionSecurity Management Function

Security Management Function ................................

................................................................

..................................................

....................................

.................. 86

8686

86

7.9

7.97.9

7.9 Software Verification Function

Software Verification FunctionSoftware Verification Function

Software Verification Function ................................

................................................................

....................................................

........................................

.................... 91

9191

91

7.10

7.107.10

7.10 Fax Line Separation Function

Fax Line Separation FunctionFax Line Separation Function

Fax Line Separation Function ................................

................................................................

.....................................................

..........................................

..................... 91

9191

91

Page 5 of

91

List of Figures

Figure 1 : Example of TOE Environment ....................................................................................................... 9

Figure 2 : Hardware Configuration of the TOE ............................................................................................ 12

Figure 3 : Logical Scope of the TOE ............................................................................................................ 19

List of Tables

Table 1 : Identification Information of MFP................................................................................................... 7

Table 2 : Guidance for English Version-1 ..................................................................................................... 14

Table 3 : Guidance for English Version-2 ..................................................................................................... 15

Table 4 : Guidance for English Version-3 ..................................................................................................... 16

Table 5 : Definition of Users......................................................................................................................... 18

Table 6 : List of Administrative Roles .......................................................................................................... 18

Table 7 : Definition of User Data.................................................................................................................. 24

Table 8 : Definition of TSF Data................................................................................................................... 25

Table 9 : Specific Terms Related to This ST ................................................................................................. 25

Table 10 : Rationale for Security Objectives................................................................................................. 40

Table 11 : List of Auditable Events ............................................................................................................... 48

Table 12 : List of Cryptographic Key Generation......................................................................................... 51

Table 13 : List of Cryptographic Operation .................................................................................................. 51

Table 14 : List of Subjects, Objects, and Operations among Subjects and Objects (a) ................................. 52

Table 15 : List of Subjects, Objects, and Operations among Subjects and Objects (b)................................. 52

Table 16 : Subjects, Objects and Security Attributes (a) ............................................................................... 52

Table 17 : Rules to Control Operations on Document Data and User Jobs (a) ............................................. 53

Table 18 : Additional Rules to Control Operations on Document Data and User Jobs (a)............................ 54

Table 19 : Subjects, Objects and Security Attributes (b)............................................................................... 55

Table 20 : Rule to Control Operations on MFP Applications (b).................................................................. 55

Table 21 : List of Authentication Events of Basic Authentication ................................................................ 56

Table 22 : List of Actions for Authentication Failure.................................................................................... 56

Table 23 : List of Security Attributes for Each User That Shall Be Maintained ........................................... 56

Table 24 : Rules for Initial Association of Attributes .................................................................................... 59

Table 25 : User Roles for Security Attributes (a) .......................................................................................... 60

Table 26 : User Roles for Security Attributes (b) .......................................................................................... 61

Table 27 : Authorised Identified Roles Allowed to Override Default Values................................................ 61

Table 28 : List of TSF Data........................................................................................................................... 62

Table 29 : List of Specification of Management Functions........................................................................... 63

Table 30 : TOE Security Assurance Requirements (EAL3+ALC_FLR.2).................................................... 66

Table 31 : Relationship between Security Objectives and Functional Requirements ................................... 67

Table 32 : Results of Dependency Analysis of TOE Security Functional Requirements .............................. 75

Table 33 : List of Audit Events...................................................................................................................... 78

Table 34 : List of Audit Log Items ................................................................................................................ 79

Table 35 : Unlocking Administrators for Each User Role............................................................................. 81

Page 6 of

91

Table 36 : Stored Documents Access Control Rules for Normal Users ........................................................ 83

Table 37 : Encrypted Communications Provided by the TOE ...................................................................... 85

Table 38 : List of Cryptographic Operations for Stored Data Protection ...................................................... 86

Table 39 : Management of TSF Data ............................................................................................................ 87

Table 40 : List of Static Initialisation for Security Attributes of Document Access Control SFP ................. 90

Page 7 of

91

1 ST Introduction

This section describes ST Reference, TOE Reference, TOE Overview and TOE Description.

1.1 ST Reference

The following are the identification information of this ST.

Title : Aficio MP C300/C300SR/C400/C400SR series Security Target

Version : 1.00

Date : 2012-08-17

Author : RICOH COMPANY, LTD.

1.2 TOE Reference

This TOE is a digital multifunction product (hereafter "MFP") with "Fax Option Type C400" option installed.

The TOE is identified by the MFP names and the versions of components that constitute the TOE. The

identification information of the TOE is shown below. Although there are several MFP product names

depending on sales areas and/or sales companies, their components are identical.

Table 1 : Identification Information of MFP

MFP Names Ricoh Aficio MP C300, Ricoh Aficio MP C300SR,

Ricoh Aficio MP C400, Ricoh Aficio MP C400SR,

Savin C230, Savin C230SR,

Savin C240, Savin C240SR,

Lanier LD130C, Lanier LD130CSR,

Lanier LD140C, Lanier LD140CSR,

Lanier MP C300, Lanier MP C300SR,

Lanier MP C400, Lanier MP C400SR,

nashuatec MP C300, nashuatec MP C300SR,

nashuatec MP C400, nashuatec MP C400SR,

Rex-Rotary MP C300, Rex-Rotary MP C300SR,

Rex-Rotary MP C400, Rex-Rotary MP C400SR,

Gestetner MP C300, Gestetner MP C300SR,

Gestetner MP C400, Gestetner MP C400SR,

infotec MP C300, infotec MP C300SR,

infotec MP C400, infotec MP C400SR

Software

System/Copy 2.05

TOE Versions

Network Support 10.57

Page 8 of

91

Fax 02.00.00

RemoteFax 01.00.00

NetworkDocBox 1.04

Web Support 1.02

Web Uapl 1.01

animation 1.00

Scanner 01.04

Printer 1.01

PCL 1.07

OptionPCLFont 1.02

Data Erase Std 1.01x

GWFCU3-23 (WW) 03.00.00

Engine 1.02:02

OpePanel 1.03

LANG0 1.03

LANG1 1.03

Hardware

Ic Key 01020700

Ic Ctlr 03

Keywords : Digital MFP, Documents, Copy, Print, Scanner, Network, Office, Fax

1.3 TOE Overview

This section defines TOE Type, TOE Usage and Major Security Features of TOE.

1.3.1 TOE Type

This TOE is an MFP, which is an IT device that inputs, stores, and outputs documents.

1.3.2 TOE Usage

The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this

section.

Page 9 of

91

Figure 1 : Example of TOE Environment

The TOE is used by connecting to the local area network (hereafter "LAN") and telephone lines, as shown in

Figure 1. Users can operate the TOE from the Operation Panel of the TOE or through LAN communications.

Below, explanations are provided for the MFP, which is the TOE itself, and hardware and software other

than the TOE.

MFP

A machinery that is defined as the TOE. The MFP is connected to the office LAN, and users can perform the

following operations from the Operation Panel of the MFP:

- Various settings for the MFP,

- Copy, fax, storage, and network transmission of paper documents,

- Print, fax, network transmission, and deletion of the stored documents.

Also, the TOE receives information via telephone lines and can store it as a document.

LAN

Network used in the TOE environment.

Page 10 of

91

Client computer

A computer that performs as a client of the TOE if it is connected to the LAN, and users can remotely

operate the MFP from the client computer. The possible remote operations from the client computer are as

follows:

- Various settings for the MFP using a Web browser installed on the client computer,

- Operation of documents using a Web browser installed on the client computer,

- Storage and printing of documents using the printer driver installed on the client computer,

- Storage and faxing of documents using the fax driver installed on the client computer.

Telephone line

A public line for the TOE to communicate with external faxes.

Firewall

A device to prevent the office environment from network attacks via the Internet.

FTP Server

A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.

SMB Server

A server used by the TOE for folder transmission of the stored documents in the TOE to its folders.

SMTP Server

A server used by the TOE for e-mail transmission of the stored documents in the TOE.

External Authentication Server

A server that identifies and authenticates the TOE user with Windows authentication (Kerberos

authentication method). This server is only used when External Authentication is applied. The TOE

identifies and authenticates the user by communicating with the external authentication server via LAN.

RC Gate

An IT device used for @Remote. The function of RC Gate for @Remote is to relay communications

between the MFP and maintenance centre. A transfer path to other external interface for input information

from the RC Gate via network interface is not implemented in the TOE. The RC Gate products include

Remote Communication Gate A, Remote Communication Gate Type BN1, and Remote Communication

Gate Type BM1.

Page 11 of

91

1.3.3 Major Security Features of TOE

The TOE stores documents in it, and sends and receives documents to and from the IT devices connected to

the LAN. To ensure provision of confidentiality and integrity for those documents, the TOE has the

following security features:

- Audit Function

- Identification and Authentication Function

- Document Access Control Function

- Use-of-Feature Restriction Function

- Network Protection Function

- Residual Data Overwrite Function

- Stored Data Protection Function

- Security Management Function

- Software Verification Function

- Fax Line Separation Function

1.4 TOE Description

This section describes Physical Boundary of TOE, Guidance Documents, Definition of Users, Logical

Boundary of TOE, and Protected Assets.

1.4.1 Physical Boundary of TOE

The physical boundary of the TOE is the MFP, which consists of the following hardware components

(shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Controller Unit, Controller Board, HDD, Ic Ctlr,

Network Unit, USB Port, SD Card Slot, and SD Card.

Page 12 of

91

Figure 2 : Hardware Configuration of the TOE

Controller Board

The Controller Board is a device that contains Processors, RAM, NVRAM, Ic Key, and FlashROM. The

Controller Board sends and receives information to and from the units and devices that constitute the MFP,

and this information is used to control the MFP. The information to control the MFP is processed by the

MFP Control Software on the Controller Board. The following describes the components of the Controller

Board:

- Processor

A semiconductor chip that performs basic arithmetic processing for MFP operations.

- RAM

A volatile memory medium which is used as a working area for image processing such as

compressing/decompressing the image data. It can also be used to temporarily read and write

internal information.

- NVRAM

A non-volatile memory medium in which TSF data for configuring MFP operations is stored.

- Ic Key

A security chip that has the functions of random number generation, cryptographic key generation

Page 13 of

91

and digital signature. It has the memory medium inside, and the signature root key is installed

before the TOE is shipped.

- FlashROM

A non-volatile memory medium in which the following software components are installed:

System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl,

NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, and LANG1. These are part of the

TOE and are included in the MFP Control Software.

Operation Panel Unit (hereafter "Operation Panel")

The Operation Panel is a user interface installed on the TOE and consists of the following devices: key

switches, LED indicators, an LCD touch screen, and Operation Control Board. The Operation Control Board

is connected to the key switches, LED indicators, and LCD touch screen. The Operation Panel Control

Software is installed on the Operation Panel Control Board. The Operation Panel Control Software performs

the following:

1. Transfers operation instructions from the key switches and the LCD touch screen to the

Controller Board.

2. Controls the LEDs and displays information on the LCD touch screen according to display

instructions from the Controller Board.

OpePanel, which is one of the components that constitute the TOE, is the identifier for the Operation Panel

Control Software.

Engine Unit

The Engine Unit consists of Scanner Engine that is an input device to read paper documents, Printer Engine

that is an output device to print and eject paper documents, and Engine Control Board. The Engine Control

Software is installed in the Engine Control Board. The Engine Control Software sends status information

about the Scanner Engine and Printer Engine to the Controller Board, and operates the Scanner Engine or

Printer Engine according to instructions from the MFP Control Software. Engine, which is one of the

components that constitute the TOE, is the identifier for the Engine Control Software.

Fax Controller Unit (FCU)

The Fax Controller Unit is a unit that has a modem function for connection to a telephone line. It also sends

and receives fax data to and from other fax devices using the G3 standard for communication. The Fax

Controller Unit sends and receives control information about the Controller Board and the FCU and fax data.

FCU Control Software is installed on the FCU. GWFCU3-23(WW), which is one of the components that

constitute the TOE, is the identifier for the FCU Control Software.

HDD

The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names

and login passwords of normal users.

Page 14 of

91

Ic Ctlr

The Ic Ctlr is a board that implements data encryption and decryption functions. It is provided with functions

for HDD encryption realisation.

Network Unit

The Network Unit is an external interface to an Ethernet (100BASE-TX/10BASE-T) LAN.

USB Port

The USB Port is an external interface to connect a client computer to the TOE for printing directly from the

client computer. During installation, this interface is disabled.

SD Card/SD Card Slot

There are SD Card Slots for customer engineer and for users.

The SD Card Slot for customer engineer is used when the customer engineer installs the TOE. A cover is

placed on the SD Card Slot during the TOE operation so that an SD Card cannot be inserted into or removed

from the slot. The SD Card, where Data Erase Std is written, is inserted into the slot in advance.

The SD Card Slot for users is used by users to print documents in the SD Card. The slot is disabled at the

time of installation.

1.4.2 Guidance Documents

The following sets of user guidance documents are available for this TOE: [English version-1], [English

version-2], and [English version-3]. Selection of the guidance document sets depends on the sales area and/or

sales company. Guidance document sets will be supplied with individual TOE component. Details of the

document sets are as follows.

[English version-1]

Table 2 : Guidance for English Version-1

TOE

Components

Guidance Documents for Product

MFP - C230/C230SR/C240/C240SR

LD130C/LD130CSR/LD140C/LD140CSR

Aficio MP C300/C300SR/C400/C400SR

Operating Instructions

About This Machine M026-7401

- Note for Users M026-7438

- Quick Reference Copy Guide M026-7412

- Quick Reference Printer Guide M026-7429

- Quick Reference Scanner Guide M026-7434

Page 15 of

91

- C230/C230SR/C240/C240SR

LD130C/LD130CSR/LD140C/LD140CSR

Aficio MP C300/C300SR/C400/C400SR

Operating Instructions

Troubleshooting M026-7415

- Notes for Users M026-7439

- Notes to users in the United States of America D566-7091

- About the Software on the CD-ROM M080-8547

- SOFTWARE LICENSE AGREEMENT D376-7905

- Notes for Users D081-7678

- Notes for Administrators: Using this Machine in a Network Environment

Compliant with IEEE Std. 2600.1TM-2009 M026-7442

- Operating Instructions Notes on Security Functions M026-7443

- Manuals for Users

Aficio MP C300/MP C300SR/MP C400/MP C400SR

C230/C230SR/C240/C240SR

LD130C/LD130CSR/LD140C/LD140CSR M026-6908

- Manuals for Administrators

Aficio MP C300/MP C300SR/MP C400/MP C400SR

C230/C230SR/C240/C240SR

LD130C/LD130CSR/LD140C/LD140CSR M026-6909

- Help 83NHBVENZ1.00 v118

FCU - Quick Reference Fax Guide D483-8504

- Fax Option Type C400

(Machine Code: D483)

Installation Procedure

For Machine Code:

M022/ M024/ M026/ M028 Copiers D483-8610A

[English version-2]

Table 3 : Guidance for English Version-2

TOE

Components

Guidance Documents for Product

MFP - Safety Information for MP C300/MP C300SR/MP C400/MP C400SR/Aficio MP C300/

Aficio MP C300SR/Aficio MP C400/Aficio MP C400SR M026-7399

- Note for Users M026-7437

- Quick Reference Copy Guide M026-7411

- Quick Reference Fax Guide D483-8503

Page 16 of

91

- Quick Reference Printer Guide M026-7428

- Quick Reference Scanner Guide M026-7433

- CE Marking Traceability Information

(For EU Countries Only) AA00-0253A

- Notes for Users M026-7510

- About the Software on the CD-ROM M080-8547

- Manuals for This Machine D081-7602

- Safety Information A232-8561A

- Notes for Users D081-7676

- SOFTWARE LICENSE AGREEMENT D376-7905

- Notes for Administrators: Using this Machine in a Network Environment

Compliant with IEEE Std. 2600.1TM-2009 M026-7440

- Operating Instructions Notes on Security Functions M026-7441

- Manuals for Users

Aficio MP C300/MP C300SR/MP C400/MP C400SR

MP C300/MP C300SR/MP C400/MP C400SR

A M026-6906

- Manuals for Administrators

Security Reference

Aficio MP C300/MP C300SR/MP C400/MP C400SR

MP C300/MP C300SR/MP C400/MP C400SR M026-6910

- Help 83NHBVENZ1.00 v118

FCU - Fax Option Type C400

(Machine Code: D483)

Installation Procedure

For Machine Code:

M022/ M024/ M026/ M028 Copiers D483-8610A

[English version-3]

Table 4 : Guidance for English Version-3

TOE

Components

Guidance Documents for Product

MFP - MP C300/C300SR/C400/C400SR

MP C300/C300SR/C400/C400SR

Aficio MP C300/C300SR/C400/C400SR

Operating Instructions

About This Machine M026-7403

- Note for Users M026-7438

Page 17 of

91

- Quick Reference Copy Guide M026-7413

- Quick Reference Printer Guide M026-7429

- Quick Reference Scanner Guide M026-7435

- MP C300/C300SR/C400/C400SR

MP C300/C300SR/C400/C400SR

Aficio MP C300/C300SR/C400/C400SR

Operating Instructions

Troubleshooting M026-7417

- Notes for Users M026-7439

- About the Software on the CD-ROM M080-8547

- SOFTWARE LICENSE AGREEMENT D376-7905

- Notes for Users D081-7678

- User Information on Electrical & Electronic Equipment D127-6601

- Notes for Administrators: Using this Machine in a Network Environment

Compliant with IEEE Std. 2600.1TM-2009 M026-7442

- Operating Instructions Notes on Security Functions M026-7443

- Manuals for Users

Aficio MP C300/MP C300SR/MP C400/MP C400SR

MP C300/MP C300SR/MP C400/MP C400SR M026-6904

- Manuals for Administrators

Aficio MP C300/MP C300SR/MP C400/MP C400SR

MP C300/MP C300SR/MP C400/MP C400SR M026-6905

- Help 83NHBVENZ1.00 v118

FCU - Quick Reference Fax Guide D483-8505

- Fax Option Type C400

(Machine Code: D483)

Installation Procedure

For Machine Code:

M022/ M024/ M026/ M028 Copiers D483-8610A

1.4.3 Definition of Users

This section defines the users related to the TOE. These users include those who routinely use the TOE

(direct users) and those who do not (indirect users). The direct users and indirect users are described as

follows:

1.4.3.1. Direct User

The "user" referred to in this ST indicates a direct user. This direct user consists of normal users,

administrators, and RC Gate. The following table (Table 5) shows the definitions of these direct users.

Page 18 of

91

Table 5 : Definition of Users

Definition of

Users

Explanation

Normal user

A user who is allowed to use the TOE. A normal user is provided with a login user name and can use Copy Function, Fax Function, Scanner Function, Printer Function, and Document Server Function.

Administrator

A user who is allowed to manage the TOE. An administrator performs management operations, which include issuing login names to normal users.

RC Gate

An IT device connected to networks. RC Gate performs the @Remote Service Function of the TOE via RC Gate communication interface. Copy Function, Fax Function, Scanner Function, Printer Function, Document Server Function, and Management Function cannot be used.

The administrator means the user registered for TOE management. According to its roles, the administrator

can be classified as the supervisor and the MFP administrator. Up to four MFP administrators can be

registered and selectively authorised to perform user management, machine management, network

management, and file management. Therefore, the different roles of the management privilege can be

allocated to multiple MFP administrators individually. The "MFP administrator" in this ST refers to the MFP

administrator who has all management privileges (Table 6).

Table 6 : List of Administrative Roles

Definition of

Administrator

Management Privileges Explanation

Supervisor Supervisor

Authorised to modify the login password of the MFP administrator.

User management privilege

Authorised to manage normal users. This privilege allows configuration of normal user settings.

Machine management privilege

Authorised to specify MFP device behaviour (network behaviours excluded). This privilege allows configuration of device settings and view of the audit log.

Network management privilege

Authorised to manage networks and configure LAN settings. This privilege allows configuration of network settings.

MFP administrator

File management privilege

Authorised to manage stored documents. This privilege allows access management of stored documents.

1.4.3.2. Indirect User

Responsible manager of MFP

Page 19 of

91

The responsible manager of MFP is a person who is responsible for selection of the TOE administrators in

the organisation where the TOE is used.

Customer engineer

The customer engineer is a person who belongs to the organisation which maintains TOE operation. The

customer engineer is in charge of installation, setup, and maintenance of the TOE.

1.4.4 Logical Boundary of TOE

The Basic Functions and Security Functions are described as follows:

Figure 3 : Logical Scope of the TOE

1.4.4.1. Basic Functions

The overview of the Basic Functions is described as follows:

Copy Function

The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel.

Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as

a Document Server document.

Page 20 of

91

Printer Function

The Printer Function of TOE is to print or store the documents the TOE receives from the printer driver

installed on the client computer. It also allows users to print and delete the stored documents from the

Operation Panel or a Web browser.

- Receiving documents from the printer driver installed on the client computer.

The TOE receives documents from the printer driver installed on the client computer. Printing

methods for documents is selected by users from the printer driver. The printing methods include

direct print, Document Server storage, locked print, stored print, hold print, and sample print.

For direct print, documents received by the TOE will be printed. The documents will not be stored

in the TOE.

For Document Server storage, the received documents will be stored on the HDD as Document

Server documents.

For locked print, stored print, hold print, and sample print, the received documents will be stored

on the HDD as printer documents. A dedicated password, which is used for locked print, is not

subject to this evaluation.

- Operating from the Operation Panel

The TOE can print or delete printer documents according to the operations by users from the

Operation Panel.

- Operating from a Web browser

The TOE can print or delete printer documents according to the operations by users from a Web

browser.

- Deleting printer documents by the TOE

The deletion of printer documents by the TOE differs depending on printing methods. If locked

print, hold print, or sample print is specified, the TOE deletes printer documents when printing is

complete. If stored print is specified, the TOE does not delete printer documents even when

printing is complete.

According to the guidance document, users first install the specified printer driver on their own client

computers, and then use this function.

Scanner Function

The Scanner Function is to scan paper documents by using the Operation Panel. The scanned documents will

be sent to folders or by e-mail. The documents to be sent to folders or by e-mail will be stored in the TOE, so

that they can be transmitted afterwards. The documents stored in the TOE are called scanner documents.

Scanner documents can be sent to folders or by e-mail, or deleted from the Operation Panel or a Web

browser.

Folder transmission can be applied only to the destination folders in a server that the MFP administrator

pre-registers in the TOE and with which secure communication can be ensured. E-mail transmission is

possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE

and with which secure communication can be ensured.

Page 21 of

91

Fax Function

The Fax Function is to send paper documents and documents received from the fax driver installed on the

client computer to external faxes (Fax Transmission Function). Also, this function can be used to receive

documents from external faxes (Fax Reception Function). As for the Fax Function, the fax complying with

the G3 standard, which uses a telephone line, is the target of evaluation.

Documents to be sent by fax can be stored in the TOE. Those documents stored in the TOE for fax

transmission are called fax documents. Fax documents can be sent by fax, and they also can be printed,

deleted, and sent to folders.

The documents received by fax can be stored in the TOE, printed, deleted from the TOE, and downloaded to

the client computer.

- Fax Transmission Function

A function to send paper documents, documents in the client computer, and fax documents to

external faxes over a telephone line.

Paper documents will be scanned and sent by fax using the Operation Panel. The documents in the

client computer are sent by fax from the fax driver installed on the client computer. Fax documents

are sent by fax from the Operation Panel or a Web browser. Documents can be sent by fax only to

the telephone numbers that are pre-registered in the TOE.

- Fax Data Storage Function

A function to temporarily store paper documents or documents in the client computer for fax

transmission in the TOE. Those documents stored in the TOE are called fax documents. Paper

documents will be scanned and stored using the Operation Panel. The documents in the client

computer are sent to and stored in the TOE by operating the fax driver installed on the client

computer.

- Operation Function for Fax Documents

A function to print or delete fax documents. This function can be used from the Operation Panel or

a Web browser.

- Folder Transmission Function of Fax Data

A function to send fax documents to folders by using the Operation Panel.

The MFP administrator must pre-register the destination server that provides secure

communication with the TOE. Users select the destination server from the servers that the MFP

administrator pre-registers, and send data to the folder.

- Fax Reception Function

A function to receive documents from external faxes via the telephone line and store the received

documents in the TOE. Those stored documents in the TOE are called received fax documents.

- Operation Function for Received Fax Documents

A function to operate the received fax documents from the Operation Panel or a Web browser.

Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted

and downloaded from a Web browser.

According to the guidance document, users first install the specified fax driver on their own client computers,

and then use this function.

Page 22 of

91

Document Server Function

The Document Server Function is to operate documents stored in the TOE by using the Operation Panel and

a Web browser.

From the Operation Panel, users can store, print and delete Document Server documents. Also, users can

print and delete fax documents.

From a Web browser, users can print and delete Document Server documents, fax, print, download, and

delete fax documents. Also, users can send scanner documents to folders or by e-mail, download and delete

them.

Management Function

The Management Function is to control the MFP's overall behaviour. This function can be implemented

using the Operation panel or a Web browser.

Maintenance Function

The Maintenance Function is to perform maintenance service for the MFP if it is malfunctioning. When

analysing causes of the malfunction, a customer engineer performs this function from the Operation Panel.

The customer engineer will implement this function following the procedures that are allowed to customer

engineers only. If the MFP administrator sets the Service Mode Lock Function to "ON", the customer

engineer cannot use this function.

In this ST, the Service Mode Lock Function is set to "ON" for the target of evaluation.

Web Function

A function for the TOE user to remotely control the TOE from the client computer. To control the TOE

remotely, the TOE user needs to install the designated Web browser on the client computer following the

guidance documents and connect the client computer to the TOE via the LAN.

@Remote Service Function

A function for the TOE to communicate with RC Gate via networks for @Remote Service.

In this function, [Proh. Some Services] is selected for @Remote setting information. The scope of evaluation

covers the operation with a restriction of access to the protected assets and software of the TOE.

1.4.4.2. Security Functions

The Security Functions are described as follows:

Audit Function

The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, "audit

events"). Also, this function provides the recorded audit log in a legible fashion for users to audit. This

function can be used only by the MFP administrator to view and delete the recorded audit log. To view and

delete the audit log, the Web Function will be used.

Page 23 of

91

Identification and Authentication Function

The Identification and Authentication Function is to verify persons before they use the TOE. The persons are

allowed to use the TOE only when confirmed as the authorised user.

Users can use the TOE from the Operation Panel or via the network. By the network, users can use the TOE

from a Web browser, printer/fax driver, and RC Gate.

To use the TOE from the Operation Panel or a Web browser, a user will be required to enter his or her login

user name and login password so that the user can be verified as a normal user, MFP administrator, or

supervisor.

To use the Printer or Fax Function from the printer or fax driver, a user will be required to enter his or her

login user name and login password received from the printer or fax drivers, so that the user can be verified

as a normal user.

To use the @Remote Service Function from the RC Gate communication interface, it will be verified

whether the communication request is sent from RC Gate.

Methods to verify normal users are Basic Authentication and External Authentication. The users will be

verified by the MFP administrator-specified procedure, whereas the MFP administrator and supervisor can

be verified only by the Basic Authentication.

This function includes protection functions for the authentication feedback area, where dummy characters are

displayed if a login password is entered. In addition to this and for the Basic Authentication only, this

function can be used to register passwords that fulfil the requirements of the Minimum Character No. (i.e.

minimum password length) and obligatory character types the MFP administrator specifies, so that the

lockout function can be enabled and login password quality can be protected.

Document Access Control Function

The Document Access Control Function is to authorise the operations for documents and user jobs by the

authorised TOE users who are authenticated by Identification and Authentication Function. It allows user's

operation on the user documents and user jobs based on the privileges for the user role, or the operation

permissions for each user.

Use-of-Feature Restriction Function

The Use-of-Feature Restriction Function is to authorise the operations of Copy Function, Printer Function,

Scanner Function, Document Server Function and Fax Function by the authorised TOE users who are

authenticated by Identification and Authentication Function. It authorises the use of functions based on the

user role and the operation permissions for each user.

Network Protection Function

The Network Protection Function is to prevent information leakage through wiretapping on the LAN and

detect data tampering. The protection function can be enabled using a Web browser to specify the URL for

possible encrypted communication. If the Printer Function is used, the protection function can be enabled

using the printer driver to specify encrypted communication. If the folder transmission function of Scanner

Function is used, the protection function can be enabled through encrypted communication. If the e-mail

transmission function of Scanner Function is used, the protection function can be enabled through encrypted

Page 24 of

91

communication with communication requirements that are specified for each e-mail address. If the LAN-Fax

Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to

specify encrypted communication. When communicating with RC Gate, encrypted communication is used.

Residual Data Overwrite Function

The Residual Data Overwrite Function is to overwrite specific patterns on the HDD and disable the reusing

of the residual data included in deleted documents, temporary documents and their fragments on the HDD.

Stored Data Protection Function

The Stored Data Protection Function is to encrypt the data on the HDD and protect the data so that data

leakage can be prevented.

Security Management Function

The Security Management Function is to control operations for TSF data in accordance with user role

privileges or user privileges allocated to normal users, MFP administrator, and supervisor.

Software Verification Function

The Software Verification Function is to verify the integrity of the executable codes of the MFP Control

Software and FCU Control Software and to ensure that they can be trusted.

Fax Line Separation Function

The Fax Line Separation Function is to restrict input information from the telephone lines so that only fax

data can be received and unauthorised intrusion from the telephone lines (same as the "fax line") can be

prevented. Also, this function can be used to prohibit transmissions of received faxes so that unauthorised

intrusion from the telephone lines to the LAN can be prevented.

1.4.5 Protected Assets

Assets to be protected by the TOE are user data, TSF data, and functions.

1.4.5.1. User Data

The user data is classified into two types: document data and function data. Table 7 defines user data

according to these data types.

Table 7 : Definition of User Data

Type Description

Document data

Digitised documents, deleted documents, temporary documents and their fragments, which are managed by the TOE.

Function data Jobs specified by users. In this ST, a "user job" is referred to as a "job".

Page 25 of

91

1.4.5.2. TSF Data

The TSF data is classified into two types: protected data and confidential data. Table 8 defines TSF data

according to these data types.

Table 8 : Definition of TSF Data

Type Description

Protected data

This data must be protected from changes by unauthorised persons. No security threat will occur even this data is exposed to the public. In this ST, "protected data", listed below, is referred to as "TSF protected data". Login user name, Number of Attempts before Lockout, settings for Lockout Release Timer, lockout time, date settings (year/month/day), time settings, Minimum Character No., Password Complexity Setting, S/MIME user information, destination folder, Stored Reception File User, document user list, available function list, and user authentication procedures.

Confidential data

This data must be protected from changes by unauthorised persons and reading by users without viewing permissions. In this ST, "confidential data", listed below, is referred to as "TSF confidential data". Login password, audit log, and HDD cryptographic key.

1.4.5.3. Functions

The MFP applications (Copy Function, Document Server Function, Printer Function, Scanner Function, and

Fax Function) that are for management of the document data of user data are classified as protected assets,

whose use is subject to restrictions.

1.5 Glossary

1.5.1 Glossary for This ST

For clear understanding of this ST, Table 9 provides the definitions of specific terms.

Table 9 : Specific Terms Related to This ST

Terms Definitions

MFP Control Software

A software component installed in the TOE. This component is stored in FlashROM and SD Card. The components that identify the TOE include System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, LANG1 and Data Erase Std.

FCU Control Software

A software component installed in the TOE. This component is stored in the FCU. Among the software components by which the TOE is identified, GWFCU3-23(WW) is this.

Page 26 of

91

Terms Definitions

Login user name

An identifier assigned to each normal user, MFP administrator, and supervisor. The TOE identifies users by this identifier.

Login password A password associated with each login user name.

Lockout A type of behaviour to deny login of particular users.

Auto logout

A function for automatic user logout if no access is attempted from the Operation Panel or Web Function before the predetermined auto logout time elapses. Auto logout time for the Operation Panel: Time specified by the MFP administrator within 60 to 999 seconds. Auto logout time for the Web Function: 30 minutes (this cannot be changed by users). This auto logout time is also referred to as "fixed auto logout time".

Minimum Character No. The minimum number of registrable password digits.

Password Complexity Setting

The minimum combination of the characters and symbols that can be used as registrable passwords. There are four types of characters: uppercase and lower case alphabets, digits and symbols. There are Level 1 and Level 2 Password Complexity Settings. Level 1 requires a password to be a combination of two or more types of characters and symbols specified above. Level 2 requires a password to be a combination of three or more types of characters and symbols specified above.

Basic Authentication

One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE.

External Authentication

One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the external authentication server connected to the MFP via LAN. External Authentication implemented in the TOE includes Windows Authentication, LDAP Authentication, and Integration Server Authentication. Windows Authentication supports NTLM Authentication and Kerberos Authentication. As for this ST, the term "External Authentication" refers to Windows Authentication using Kerberos Authentication method.

HDD

An abbreviation of hard disk drive. In this document, unless otherwise specified, "HDD" indicates the HDD installed on the TOE.

User job

A sequence of operations of each TOE function (Copy Function, Document Server Function, Scanner Function, Printer Function and Fax Function) from beginning to end. A user job may be suspended or cancelled by users during operation. If a user job is cancelled, the job will be terminated.

Documents General term for paper documents and electronic documents used in the TOE.

Document data attributes

Attributes of document data, such as +PRT, +SCN, +CPY, +FAXOUT, +FAXIN, and +DSR.

+PRT

One of the document data attributes. Documents printed from the client computer, or documents stored in the TOE by locked print, hold print, and sample print using the client computer.

Page 27 of

91

Terms Definitions

+SCN

One of the document data attributes. Documents sent to IT devices by e-mail or sent to folders, or downloaded on the client computer from the MFP. For these operations the Scanner Function is used.

+CPY

One of the document data attributes. Documents copied by using Printer Function.

+FAXOUT

One of the document data attributes. Documents sent by fax or to folders by using Fax Function.

+FAXIN

One of the document data attributes. Documents received from the telephone line. Documents stored in the TOE after the reception are also included.

+DSR

One of the document data attributes. Document stored in the TOE by using Copy Function, Scanner Function, Document Server Function, and Fax Data Storage Function. Documents stored in the TOE after being printed with Document Server printing or stored print from the client computer,

Document user list One of the security attributes of document data.

A list of the login user names of the normal users whose access to documents is authorised, and it can be set for each document data. This list does not include the login user names of MFP administrators whose access to the document data is possible for administration.

Stored documents

Documents stored in the TOE so that they can be used with Document Server Function, Printer Function, Scanner Function, and Fax Function.

Stored document type

Classification of stored documents according to their purpose of use. This includes Document Server documents, printer documents, scanner documents, fax documents, and received fax documents.

Document Server documents

One of the stored document types. Documents stored in the TOE when Document Server storage is selected as the printing method for Copy Function, Document Server Function, and Printer Function.

Printer documents

One of the stored document types. Documents stored in the TOE when any one of locked print, hold printing, and sample print is selected as the printing method for Printer Function.

Scanner documents

One of the stored document types. Documents stored in the TOE using Scanner Function.

Fax documents

One of the stored document types. Documents scanned and stored using Fax Function, and those stored using the LAN Fax.

Received fax documents

One of the stored document types. Documents received by fax and stored. These documents are externally received and whose "users cannot be identified".

MFP application

A general term for each function the TOE provides: Copy Function, Document Server Function, Scanner Function, Printer Function, and Fax Function.

Available function list

A list of the functions (Copy Function, Printer Function, Scanner Function, Document Server Function, and Fax Function) that normal users are authorised to access. This list is assigned as an attribute of each normal user.

Operation Panel

Consists of a touch screen LCD and key switches. The Operation Panel is used by users to operate the TOE.

Ricoh C400DN - Aficio SP Color Laser, Aficio MP C300 series, Aficio MP C300SR series, Aficio MP C400 series, Aficio MP C400SR series Printer Manual

Specifications and Main Features

Frequently Asked Questions

User Manual