Ricoh SP C820DN, SP C821DN, Pro 907EX, Pro 1107EX, Pro 1357EX Print Controller Design Guide for Information Security

...
Print Controller Design Guide for Information Security
Information Security: 04/23/2010
Copyright © 2010 RICOH Americas Corporation. All rights reserved. Page 1 of 86
Visit our Knowledgebase at:
http://www.ricoh-usa.com/support/knowledgebase.asp
Print Controller Design Guide for Information Security
TABLE OF CONTENTS
1. Internal System Configuration........................................................................................ 7
1-1 Hardware Configuration ............................................................................................. 7
1-1-1 MFP ........................................................................................................................ 7
1-1-2 LP ........................................................................................................................... 9
1-2 Software Configuration............................................................................................. 11
1-2-1 Shared Service Layers.......................................................................................... 11
1-2-2 Principal Machine Functions ................................................................................. 12
1-3 Data Security ........................................................................................................... 14
1-3-1 External I/F ........................................................................................................... 14
1-3-2 Protection of Program Data from Illegal Access via an External Device ............... 14
1-4 Protection of MFP/LP Firmware ............................................................................... 17
1-4-1 Firmware Installation/Update ................................................................................ 17
1-4-2 Verification of Firmware/Program Validity ............................................................. 20
1-5 Authentication, Access Control ................................................................................ 21
1-5-1 Authentication ....................................................................................................... 21
1-5-2 IC Card Authentication.......................................................................................... 24
1-5-3 Access Control...................................................................................................... 25
1-6 Administrator Settings.............................................................................................. 26
1-7 Data Protection ........................................................................................................ 27
1-7-1 Data Erase/Overwrite............................................................................................ 27
1-7-2 Encryption of Stored Data..................................................................................... 29
1-7-3 Protection of Address Book Data .......................................................................... 32
1-7-4 Document Server Documents (MFP models only) ................................................ 33
1-8 Job/Access Logs...................................................................................................... 35
1-9 Capture (MFP Models Only) .................................................................................... 39
1-9-1 Overview of Capture Operations........................................................................... 39
1-9-2 Operations that Generate Captured Images ......................................................... 39
1-9-3 Capture Settings ................................................................................................... 41
1-9-4 Security Considerations........................................................................................ 42
1-9-5 Captured Documents and Log Data...................................................................... 42
1-10 Additional Methods for Increased Security............................................................... 42
2. Principal Machine Functions ........................................................................................ 43
2-1 Copier (MFP Models Only)....................................................................................... 43
2-1-1 Overview of Copier Operations............................................................................. 43
2-1-2 Data Security Considerations ............................................................................... 43
2-1-3 Protection of Copy Jobs in Progress..................................................................... 43
2-1-4 Protection of Document Server Documents.......................................................... 43
2-1-5 Protection of Copier/Document Server Features .................................................. 45
2-1-6 Restricting the Available Functions for Each Individual User ................................ 45
2-1-7 Job/Access Log Data Collection ........................................................................... 45
2-1-8 Print Backup ......................................................................................................... 45
2-2 Printer ...................................................................................................................... 47
2-2-1 Overview of Printer Operations............................................................................. 47
2-2-2 Data Flow.............................................................................................................. 47
2-2-3 Data Security Considerations ............................................................................... 51
2-3 Scanner (MFP Models Only).................................................................................... 54
2-3-1 Overview of Scanner Operations .......................................................................... 54
2-3-2 Data Flow Security Considerations....................................................................... 54
2-3-3 Protection of Data when Performing Scanning and Sending Operations.............. 55
2-3-4 Protection of Document Server Documents.......................................................... 56
2-3-5 Protection of Sending Results and Status Information.......................................... 57
2-3-6 Protection of the Scanner Features Settings ........................................................ 57
2-3-7 Data Stored in the Job Log ................................................................................... 58
2-3-8 Terminology .......................................................................................................... 58
2-4 FAX (MFP Models Only) .......................................................................................... 59
2-4-1 Overview of FAX operations ................................................................................. 59
2-4-2 Data Security Considerations ............................................................................... 60
2-4-3 Protection of the Journal and Documents in Document Server Storage ............... 61
2-4-4 Protection of FAX Transmission Operations ......................................................... 61
2-4-5 Protection of FAX Features Settings..................................................................... 62
2-4-6 The “Extended Security” Feature.......................................................................... 62
2-4-7 Job Log................................................................................................................. 62
2-4-8 Protection of Internet FAX Transmissions using S/MIME...................................... 62
2-4-9 Preventing FAX Transmission to Unintended Destination(s)................................. 63
2-5 NetFile (GWWS) ...................................................................................................... 64
2-5-1 Overview of NetFile Operations ............................................................................ 64
2-5-2 Data Flow.............................................................................................................. 65
2-5-3 Supplementary...................................................................................................... 65
2-5-4 Data Security Considerations ............................................................................... 67
2-6 Web Applications ..................................................................................................... 69
2-6-1 Web Server Framework ........................................................................................ 69
2-6-2 WebDocBox (MFP models only) ........................................................................... 70
3. Optional Features......................................................................................................... 73
3-1 @Remote................................................................................................................. 73
3-1-1 Overview of @Remote Operations ....................................................................... 73
3-1-2 Data Security Considerations ............................................................................... 73
3-2 The “Copy Data Security” Feature ........................................................................... 74
3-2-1 Overview of Copy Data Security Operations......................................................... 74
3-2-2 Data Flow.............................................................................................................. 75
4. Device SDK Applications (DSDK) ................................................................................ 77
4-1 Overview of Operations............................................................................................ 77
4-1-1 Installation............................................................................................................. 78
4-1-2 Overview of SDK Application Functions................................................................ 79
4-2 Data Flow................................................................................................................. 80
4-2-1 Scanning Functions: Sending Data Over the Network with the Copier and Scanner (MFP models only) ..... 80
4-2-2 FAX Functions (MFP models only)........................................................................ 80
4-2-3 Network Functions ................................................................................................ 81
4-2-4 Printer Functions................................................................................................... 81
4-2-5 Machine Administrative Functions (MFP models only).......................................... 81
4-2-6 Authentication Functions....................................................................................... 81
4-3 Data Security Considerations................................................................................... 83
4-3-1 Preventing the Installation of Illegal Applications .................................................. 83
4-3-2 Authentication of SDK Applications at Installation................................................. 83
4-3-3 Prevention of Access to Address Book Data and Machine Management Data..... 85
4-3-4 Protection Against Attacks on Principal MFP/LP Functions, Prevention of Damage to the System ..... 85
4-3-5 Protection Against Attacks from External Sources ................................................ 85
4-3-6 Certification of the SDK Application ...................................................................... 86
Overview
This document describes the structural layout and functional operations of the hardware and software for
the multi-functional products and laser printers listed below (herein referred to as the “MFP” and “LP”,
respectively), which were designed and developed by Ricoh Co. Ltd. (herein referred to as Ricoh), as well
as the information security of image data and other information handled internally by Ricoh MFP/LPs.
The explanations will primarily focus on the following, with particular attention to demonstrating how
unauthorized access is not possible to local network environments via FAX telecommunications lines, nor
to any of the data stored in the MFP/LP.
- Operational summaries
- Data flow
- Data security considerations
Products to Which This Document Applies
This document applies to the following MFPs/LPs designed and developed by Ricoh:
Product codes: G188, G189, D059, D060, D061, M002, M003, M004, D062, D063, D065, D066, M001

GESTETNER: C8140ND, C8150ND; Pro 907EX, Pro 1107EX, Pro 1357EX; Pro 907, Pro 1107, Pro 1357; MP6001, MP6001 SP, MP 7001, MP 7001SP, MP 8001, MP 8001SP, MP 9001, MP 9001SP; SP 4210N
LANIER: LP540C, LP550C; Pro 907EX, Pro 1107EX, Pro 1357EX; Pro 907, Pro 1107, Pro 1357; LD360, LD360sp, LD370, LD370sp, LD380, LD380sp, LD390, LD390sp; LP37N
RICOH: SP C820DN, SP C821DN; Pro 907EX, Pro 1107EX, Pro 1357EX; Pro 907, Pro 1107, Pro 1357; AFICIO MP 6001, MP 6001 SP, MP 7001, MP 7001 SP, MP 8001, MP 8001 SP, MP 9001, MP 9001 SP; AFICIO SP4210N
SAVIN: CLP340D, CLP350D; Pro 907EX, Pro 1107EX, Pro 1357EX; Pro 907, Pro 1107, Pro 1357; 9060, 9060sp, 9070, 9070sp, 9080, 9080sp, 9090, 9090sp; MLP37N

Note: Some of the hardware (e.g. external I/F) and functions described in this document may not be
supported by the end user's machine. For these details, please refer to the Operating Instructions
for the specific machine in question.
1. Internal System Configuration
1-1 Hardware Configuration
1-1-1 MFP
[Figure: MFP hardware configuration. Controller: Processing and Control Unit (CPU, RAM); System Control; RAM (page memory, firmware); Encryption Processor; HDD (image data, management data); Flash ROM; TPM; NVRAM (settings, counters); Operation Panel; Engine (image processing for scanning and printing); FCU (FAX communication control, SAF I/F to the public telephone line). Interfaces: External Charge Device I/F; USB Type A; USB Type B; Ethernet; Host I/F; Optional I/F (Parallel, Gigabit Ethernet, Wireless LAN, Bluetooth, IEEE 1394); External Controller I/F Board; SD Card I/F. External devices: File Format Converter; External Charge Device; IC Card Reader; PictBridge-compatible device; RC Gate (via the Internet).]
External charge device I/F: Serial communication between this interface and external coin/card-operated
devices.
External controller I/F board: Acts as the interface between the MFP and external controller.
File Format Converter: Converts the file format of image files.
RC Gate: Intermediary device connected to the MFP/LP via an Ethernet connection for performing
remote diagnostic operations including firmware updates and settings changes.
SD card I/F: Used for performing service maintenance and as an interface for firmware storage media.
RAM, HDD: Image data stored in the RAM and HDD memory undergoes compression, decompression
and other image processing.
HDD storage: Data stored on the HDD is encrypted.
TPM (Trusted Platform Module): When the MFP/LP main power is turned on, this security module
(chip) performs a verification on the validity of the software installed on the hardware platform, which
includes checking for any illegal alterations.
1-1-2 LP
[Figure: LP hardware configuration. Controller: Processing and Control Unit (CPU, RAM); System Control; RAM (page memory, firmware); Encryption Processor; HDD (image data, management data); Flash ROM; TPM; NVRAM (settings, counters); Operation Panel; Engine (image processing for printing). Interfaces: USB Type A; USB Type B; Ethernet; Host I/F; Optional I/F (Parallel, Gigabit Ethernet, Wireless LAN, Bluetooth); SD Card I/F. External devices: IC Card Reader; PictBridge-compatible device; RC Gate (via the Internet).]
RC Gate: Intermediary device connected to the LP via an Ethernet connection for performing remote
diagnostic operations including firmware updates and settings changes.
SD card I/F: Used for performing service maintenance and as an interface for firmware storage media.
RAM, HDD: Image data stored in the RAM and HDD memory undergoes compression, decompression
and other image processing.
HDD storage: Data stored on the HDD is encrypted.
TPM (Trusted Platform Module): When the MFP/LP main power is turned on, this security module
(chip) performs a verification on the validity of the software installed on the hardware platform, which
includes checking for any illegal alterations.
1-2 Software Configuration
[Figure: Software Configuration. Principal Machine Functions: Copier, Scanner and FAX (MFP only); Printer; NetFile (GW WS); WebSys; WebDocBox (MFP only); SDK/VAS; EAC. Shared Service Layers: ECS, MCS, OCS, FCS, DCS, NCS, UCS, CCS, NRS, MIRS, SRM, IMH, SCS, LCS, DESS. Engine I/F: Scanning Engine, Printing Engine, FCU. Platform: NetBSD, libc, HDD, Host I/F.]
1-2-1 Shared Service Layers
ECS (Engine Control Service): Controls engine operations for scanning and printing.
MCS (Memory Control Service): Manages the memory in the Image Memory area (incl. the HDD), as
well as compression/decompression.
IMH (Image Memory Handler): Transfers data between the controller and engine.
OCS (Operation Panel Control Service): Controls the panel LEDs, monitors panel keys and manages
panel objects and display messages.
NCS (Network Control Service): Controls host I/F and protocol control (transport, session).
FCS (FAX Control Service): Exchanges data and commands with the FCU (FAX Control Unit), which
manages and controls FAX communication and telecommunications lines.
SCS (System Control Service): Manages the status of all internal operations performed on or by the
system as a whole, and controls the switching of the LCD screen as well as the operational link
between SP settings and machine operations.
SRM (System Resource Manager): In addition to managing hardware resources, this module mediates
control of the printer engine, scanner engine and memory resources during the image creation process.
DCS (Delivery Control Service): Controls all non-FAX transmission/reception of e-mail as well as the
forwarding of image data to servers and folders.
MIRS (Machine Information Report Service): Controls the sending of machine configuration settings
by e-mail.
UCS (User Control Service): Manages the Address Book data.
CCS (Certification Control Service): Mediates communication between the principal machine function
and external charge device during the authentication process, as well as the charge-related
processing (e.g. counters).
NRS (New Remote Service): Controls remote correspondence with RC Gate (e.g. diagnostics,
firmware update, settings changes).
LCS (Log Control Service): Controls the MFP/LP's access logs (e.g. Address Book, Document
Server, MFP/LP functions).
DESS (Data Encryption Security Service): Controls the encryption and decryption functions.
1-2-2 Principal Machine Functions
Copier: Activates the scanning engine, which reads the original and then sends the data on to the
controller to be printed out from the printing engine. Secondary data, such as that used for access
control, is handled from the operation panel.
Printer: Receives image data through the host interface, which then sends the data to the controller.
Also contains a printer language processing subsystem (e.g. RPCS) that converts the printer
language into image data, which is then printed out from the printing engine. Secondary data is
handled via the connection protocols between the driver UI and the host I/F.
Scanner: Activates the scanning engine, which reads the original and then sends the data to a PC via
the host I/F. Scanning can be initiated from both the operation panel and from a PC via a TWAIN
driver.
FAX: Activates the scanning engine, which reads the original and then sends the data to the FCU to
be sent as a FAX via a telecommunications line. Also receives FAX data and prints it out from the
printing engine.
NetFile (GWWS): As a server, GWWS provides some MFP/LP functionality to specific
network-connected PC utilities. This includes the ability to view and make changes to user
information and machine configuration settings, as well as to print out or perform other operations on
documents stored on the MFP/LP. GWWS also acts as a client to external Web services, including
transferring the machine log data to specific log data collection utilities.
WebSys: A Web application that allows machine configuration settings to be viewed and changed via
a Web interface.
WebDocBox: Allows operations to be performed on Document Server documents stored in the MFP
(viewing, downloading, printing, deleting) via a Web interface.
SDK/VAS: SDK: Applications provided by third-party vendors designed to function with MFP/LP
principal machine functions developed by Ricoh. VAS: An MFP/LP API that standardizes the
meanings of simplified commands used by SDK applications when communicating with the MFP/LP.
EAC: This module controls the TCP/IP command flow between the GW-API and external controller
connected to the MFP via the Gigabit Ethernet-compatible network I/F. The EAC allows the external
controller to initiate MFP operations such as print jobs and scan jobs, as well as store Printer
documents to the MFP HDD. In addition, this module also makes it possible to change some of the
internal settings of the external controller from the MFP operation panel.
Note: This is only available on models capable of supporting an external controller.
1-3 Data Security
1-3-1 External I/F
The MFP/LP is equipped with the following external interfaces:
- Serial I/F for connection of external coin/card-operated devices.
- Serial I/F for connection of peripheral devices (e.g. DF, Finisher, LCT).
- Analog G3 FAX I/F (public telecommunications line), G4 FAX I/F (ISDN).
- Standard IEEE 1284 parallel I/F (Host I/F), which can function as a two-way parallel interface when
using a USB cable.
- Standard IEEE 1394 I/F
- 100BASE-TX and 10BASE-T compatible network I/F (Host I/F)
- Gigabit Ethernet-compatible network I/F (Host I/F option, external controller I/F board)
- Standard IEEE 802.11b wireless LAN network I/F (Host I/F option)
- Bluetooth I/F (Host I/F option)
- USB 2.0 Type B I/F (Host I/F)
- USB 2.0 Type A I/F (IC card, PictBridge)
1-3-2 Protection of Program Data from Illegal Access via an External Device
1. All of the above principal machine functions, as well as software for all shared service layers, run on
the UNIX operating system as independent processes (data/program modules). Memory space is
allocated specifically for each module, which makes it impossible for one module to directly access the
memory space of any other.
2. Data transfer between modules is Unix socket-based, whereby communication is performed along
ID-protected communication paths. This ensures exclusive connections among the modules present in
the MFP/LP, thereby preventing access by any module outside this pre-determined set. For example,
incoming FAX data will only be sent to those modules designated to perform FAX data operations. This
arrangement prevents illegal access to networks and internal programs from an outside line.
3. All image data stored on the HDD or stored temporarily in the Image Memory is managed by a memory
control module called the MCS (Memory Control Service), which ensures that the data can only be
accessed by specified machine function(s). In addition, this arrangement prevents illegal access to this
data from an outside line.
User data, such as the Address Book data stored in the HDD/flash ROM and User Code data stored in
the NV-RAM, is managed by the UCS module. Access to this data is not possible by any module
except those pre-determined modules in the MFP/LP itself. This arrangement ensures that the data
stored in the MFP/LP cannot be accessed illegally via an external I/F.
4. Communication between the MFP/LP and its peripherals is conducted via the peripheral I/F using
Ricoh-unique protocols. These exchanges are limited to pre-determined commands and data, and only
take place after the MFP/LP has recognized the peripheral device. If the MFP/LP receives illegal data
from the peripheral, it will judge that a peripheral device failure has occurred or that the device is not
connected. This prevents any illegal access to internal programs or data.
5. The MFP communicates with external coin/card-operated devices through the External Charge Device
I/F in accordance with the same protocols used for its peripherals described in #4 above. It is possible
to utilize such devices in tandem with the access control settings for each user, in which case the
device and MFP exchange the relevant information (e.g. User Code data).
6. With the @Remote function, the MFP/LP is connected via the network to a Ricoh-developed device
known as RC Gate, which is then connected to the @Remote Center, or to the @Remote Center
directly. When connecting to the center directly, the MFP/LP communicates via a LAN connection over
the Internet. Before transferring any data, mutual authentication is performed using digital certificates
between the MFP/LP and RC Gate or MFP/LP and @Remote Center, which ensures that the MFP/LP
cannot connect to any device other than RC Gate or to its single, pre-assigned @Remote Center.
Communication between RC Gate/@Remote Center and the MFP/LP modules responsible for
@Remote operations is performed over exclusive socket-based connections, as described in #2 above.
In addition, it is also possible to change the MFP/LP settings to prohibit @Remote communication.
7. External controllers are connected to the MFP via the Gigabit Ethernet-compatible network I/F, and are
then routed internally through the external controller interface board. The internal arrangement is
designed such that the external controller cannot gain access to the MFP internal modules until after it
has successfully cleared the device registration process.
In addition to sending data for printing to the MFP, the external controller is also capable of storing
image data received from the PC inside its own memory as well as obtaining scanned data just
following an MFP scanning job. It is not able to access any of the image data stored in the MFP.
8. The standard IEEE1284 parallel I/F, USB I/F (Type B), and Bluetooth I/F treat all incoming data as print
data. This print data can only be sent to pre-specified modules responsible for executing printing
operations. In addition, using MFP/LP settings, it is possible to disable each interface individually.
9. The USB I/F (Type A) only allows connection with devices that support either IC card-based
authentication or PictBridge printing functions. Each function can be enabled/disabled individually.
PictBridge printing functions (color MFP/LPs only):
After the identity of the connected PictBridge device is verified, the interface and device exchange only
pre-defined commands and/or data. Access to data stored inside the MFP/LP is not possible. In
addition, if User Authentication has been enabled, the machine will not accept commands or data from
any PictBridge functions that do not require authentication.
IC card-based authentication functions:
Authentication is mutual and encrypted, which prevents impersonation and ensures that data is
properly protected.
1-4 Protection of MFP/LP Firmware
1-4-1 Firmware Installation/Update
It is possible to update the firmware stored on the MFP/LP using an SD card or via a remote connection.
The following process is used to verify the validity of all firmware introduced into the MFP/LP in the field.
This applies to firmware updates as well as to new installations of MFP/LP options.
Firmware Installation/Update Using an SD Card
Since SD cards themselves are generic items that are widely available for purchase in the field, the
following process is used to prevent the illegal introduction of firmware into the MFP/LP via this storage
media. Briefly stated, a license server assigns a digital signature to the firmware, which the MFP/LP
then uses to authenticate the firmware when it is introduced in the field.
1. The Ricoh license server applies the SHA-1 algorithm (Secure Hash Algorithm 1) to the program to
generate the value MD1. A private key is used to encrypt this value, which is then used as the
firmware’s digital signature.
2. The firmware in the SD card is introduced into the MFP/LP via the SD card slot.
3. The MFP/LP checks the firmware to identify the type (e.g. System, Printer, FAX, LCD). It then
verifies that the model name is the same as its own, and in the case of a firmware update, that the
firmware version is newer than the one already installed.
4. The MFP/LP then applies SHA-1 to the program to generate MD1, after which it uses a public key
to decrypt the digital signature to generate MD2.
5. If MD1 = MD2, the firmware update process begins.
Using a public key to decrypt the digital signature allows the MFP/LP to verify that the firmware has not
been altered since it was assigned the digital signature by the license server.
The basic identifying information of the firmware (version, type, etc.) is stored in the MFP/LP as the
update is being performed. Therefore, the update can be reinitiated using the same SD card in the
event that it is interrupted by a sudden loss of power or other cause. After recovery is initiated, the
MFP/LP checks to see that the data in the SD card has not been altered, and then resumes the
update.
[Figure: Firmware Update Using an SD Card ("MD": Message Digest). Ricoh License Server: 1. Generate MD using SHA-1; 2. Generate digital signature with the private key; 3. Program and digital signature are written to the SD card (64 MB). MFP/LP: 1. Verification of model and target machine functions (Copier, Printer, etc.); 2. Verification of firmware version; 3. Generate MD1 using SHA-1; 4. Decrypt the digital signature with the public key to obtain MD2; 5. Compare MD1 and MD2; 6. If MD1 = MD2, firmware is overwritten with new files; if MD1 ≠ MD2, the update process is cancelled and the new firmware is not installed.]
Firmware Update Using an SD Card
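The SD-card verification sequence above, as an added worked example that is not Ricoh's code and does not reproduce its actual package layout: textbook RSA on the raw SHA-1 digest is used only to mirror the page's "encrypt the digest with the private key / decrypt the signature with the public key" description, and a production signer would use a padded signature scheme from a vetted library. The package fields, model name, installed versions and firmware bytes are constructed for the demo.

```python
import hashlib
import math
import random

# Fixed seed so the demo keypair is reproducible; a real license server keeps its
# private key offline and never derives it from a seeded PRNG.
random.seed(2010)

def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; good enough to build a demo RSA modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512):
    """Returns (public, private) as ((n, e), (n, d)); only (n, e) ships inside the MFP/LP."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def sha1_as_int(program: bytes) -> int:
    """The message digest ("MD") the page describes: SHA-1 over the program."""
    return int.from_bytes(hashlib.sha1(program).digest(), "big")

def sign_program(program: bytes, private_key) -> int:
    """License server, step 1: MD1 'encrypted' with the private key (textbook RSA, demo only)."""
    n, d = private_key
    return pow(sha1_as_int(program), d, n)

def build_package(fw_type: str, model: str, version: tuple, program: bytes, private_key) -> dict:
    """Constructed package layout: type/model/version header, program body, signature."""
    return {"type": fw_type, "model": model, "version": version,
            "program": program, "signature": sign_program(program, private_key)}

def verify_package(pkg: dict, machine_model: str, installed: dict, public_key):
    """MFP/LP side, steps 3-5, in the page's order. Returns (accepted, reason)."""
    n, e = public_key
    if pkg["type"] not in installed:                       # step 3: identify firmware type
        return False, "unknown firmware type"
    if pkg["model"] != machine_model:                      # step 3: model name must match
        return False, "model mismatch"
    current = installed[pkg["type"]]                       # None = new option, not an update
    if current is not None and pkg["version"] <= current:  # step 3: update must be newer
        return False, "version not newer than installed"
    md1 = sha1_as_int(pkg["program"])                      # step 4: recompute MD1
    md2 = pow(pkg["signature"], e, n)                      # step 4: 'decrypt' signature -> MD2
    if md1 != md2:                                         # step 5: compare
        return False, "MD1 != MD2: program altered or signature not from the license server"
    return True, "MD1 = MD2: update may begin"

PUBLIC_KEY, PRIVATE_KEY = generate_keypair()
MACHINE_MODEL = "EXAMPLE-MFP"                                          # constructed model name
INSTALLED = {"System": (1, 2, 0), "Printer": (1, 0, 3), "FAX": None}  # constructed versions
PROGRAM = b"constructed firmware image: system module v1.3.0"          # constructed body

def demo() -> dict:
    """Exercise the accept path and each rejection path the page's checks produce."""
    good = build_package("System", MACHINE_MODEL, (1, 3, 0), PROGRAM, PRIVATE_KEY)
    tampered = dict(good, program=PROGRAM.replace(b"system", b"SYSTEM"))  # altered after signing
    wrong_model = build_package("System", "OTHER-MODEL", (1, 3, 0), PROGRAM, PRIVATE_KEY)
    downgrade = build_package("System", MACHINE_MODEL, (1, 1, 0), PROGRAM, PRIVATE_KEY)
    new_option = build_package("FAX", MACHINE_MODEL, (1, 0, 0), PROGRAM, PRIVATE_KEY)
    args = (MACHINE_MODEL, INSTALLED, PUBLIC_KEY)
    return {"valid": verify_package(good, *args),
            "tampered": verify_package(tampered, *args),
            "wrong_model": verify_package(wrong_model, *args),
            "downgrade": verify_package(downgrade, *args),
            "new_option": verify_package(new_option, *args)}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```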
Remote Firmware Update
In addition to using an SD card, it is also possible to update the firmware by transmitting the firmware
files to the MFP/LP via a remote connection. Since these files are transmitted over public Internet
communication paths in some cases, routed through multiple servers before reaching their destination,
it is necessary to use the authentication process described above for remote updates as well. The
process for remote updates is virtually the same as that for the SD card-based update described
above, with the following differences:
Remote headers are attached to the digital signature before the files are sent to the MFP/LP.
If the update is interrupted for some reason, it is possible to retry the update by resending the file.
There are three main scenarios in which a remote firmware update is performed, the process for which
is the same as described above (see illustrations below). In each scenario, all of the security features
described above are employed.
The update is performed by a field engineer in the field via a PC
The update is performed using the @Remote function, normally by an individual with access rights
to the @Remote Center GUI
The update is performed via Web SmartDeviceMonitor Professional IS, usually by the end user
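The signing and verification steps described above for the SD-card procedure, together with the extra remote-header check of the remote variant, as an added worked example. This is illustrative code written for this guide, not Ricoh's firmware; the package header layout, the `REMOTE_UPDATE_HEADER` value and the RSA key built from two small Mersenne primes are all constructed for the example (real deployments use full-size keys with a padding scheme, and the real remote header format is not described on this page).

```python
import hashlib
import hmac

# Textbook RSA key built from two Mersenne primes (2^107-1 and 2^127-1), chosen
# so the modulus exceeds the 160-bit SHA-1 digest. Constructed for this example
# only: it is far too small for real use and carries no padding scheme.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # E is coprime to (P-1)(Q-1)

FIRMWARE_TYPES = {"System", "Printer", "FAX", "LCD"}
# Constructed stand-in for the remote header attached to remote transfers.
REMOTE_UPDATE_HEADER = b"X-Remote-Update: yes"


def build_package(fw_type, model, version, program):
    """Constructed package layout: a text header, then the raw program bytes."""
    return f"{fw_type}|{model}|{version}|".encode() + program


def parse_package(package):
    """Split the constructed header back into type, model, version tuple, program."""
    fw_type, model, version, program = package.split(b"|", 3)
    return (fw_type.decode(), model.decode(),
            tuple(int(x) for x in version.split(b".")), program)


def license_server_sign(program):
    """Step 1: SHA-1 over the program gives MD1; the private key turns MD1 into the signature."""
    md1 = int.from_bytes(hashlib.sha1(program).digest(), "big")
    return pow(md1, D, N)


def device_verify(package, signature, own_model, installed_version,
                  remote=False, header=None):
    """Steps 3-5 as the MFP/LP performs them. Returns (accepted, reason)."""
    # Remote updates first confirm that a remote update is really being requested.
    if remote and header != REMOTE_UPDATE_HEADER:
        return False, "remote header missing"
    fw_type, model, version, program = parse_package(package)
    if fw_type not in FIRMWARE_TYPES:
        return False, "unknown firmware type"
    if model != own_model:
        return False, "model mismatch"
    # Step 3: for an update, the new version must be newer than the installed one.
    if installed_version is not None and version <= installed_version:
        return False, "version not newer"
    # Step 4: recompute MD1, and recover MD2 from the signature with the public key.
    md1 = hashlib.sha1(program).digest().rjust(32, b"\x00")
    md2 = pow(signature, E, N).to_bytes(32, "big")
    # Step 5: the update proceeds only when MD1 = MD2 (constant-time comparison).
    if not hmac.compare_digest(md1, md2):
        return False, "digest mismatch"
    return True, "ok"
```

A single flipped byte in the program changes MD1 but not the MD2 recovered from the signature, so the comparison fails and the update is cancelled; a model or version mismatch is rejected before any cryptography runs, which is the order the diagram shows.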
[Figure: Remote Firmware Installation Performed by a Field Technician (from a client PC). The Ricoh license server (1) generates the MD using SHA-1 and (2) generates the digital signature with its private key; the program and digital signature are placed on the Ricoh distribution server, from which the client PC (3) downloads them and (4) sends the files to the MFP/LP. The MFP/LP (1) checks the remote headers to confirm that a remote update is being requested, (2) verifies the model and target machine functions (Copier, Printer, etc.), (3) verifies the firmware version, (5) generates MD1 using SHA-1, (6) decrypts the signature with the public key, (7) compares MD1 and MD2, and (8) overwrites the firmware with the new files if MD1 = MD2. If MD1 does not equal MD2, the update process is cancelled and the new firmware is not installed.]
[Figure: Remote Firmware Installation using @Remote. The program and digital signature are downloaded from the Ricoh license server and installed either via RC-Gate or directly from the @Remote Center.]
[Figure: Remote Firmware Installation via Web SmartDeviceMonitor Professional IS (performed by the end user). The client PC downloads the program and digital signature from the Ricoh distribution server, and the update is performed by remote installation commands issued through the device management utility.]
1-4-2 Verification of Firmware/Program Validity
Overview
In order to continually ensure the validity of all controller core programs and application firmware
installed on the MFP/LP at the time of product shipment, as well as those that are newly installed as
updates through the process explained in section 1.4.1 above, the MFP/LP performs a validation
process known as Trusted Boot every time the main system is booted up. Covering the range of
software from boot programs to end-point functions and applications, the Trusted Boot validation
process provides comprehensive, TPM-based security.
The MFP/LP uses the unique digital signature assigned to each program/firmware in order to judge its
validity. The public key used for this verification is stored in an overwrite-protected, non-volatile region
of the TPM, which makes it extremely difficult for the key itself to be altered in any way, providing
additional protection of the programs/firmware.
Trusted Boot employs two methods to verify the validity of the programs/firmware mentioned above:
RTM (Root of Trust for Measurement) is used to validate the controller core programs, which include
the MFP/LP operating system, BIOS, and boot loader. Using the TPM, this method is capable of
detecting any alterations made to these programs.
The same digital signature-based verification process explained in section 1.4.1 is used to
validate the application firmware
Trusted Boot is integrated with the protection of the user’s encryption keys (see section 1.8 for details),
ensuring that only valid programs are given access to these keys.
Note: The TPM is an STMicroelectronics product of the ST19WP18 family, which has earned Common
Criteria certification (EAL5+).
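The measurement side of Trusted Boot, as an added example written for this guide rather than Ricoh's implementation: each core program (boot loader, BIOS, OS) is folded into a TPM-style PCR in boot order, and the user's encryption key is released only when the measured value equals the value it was sealed to. The component images, the 32-byte key and the `seal`/`unseal` helpers are constructed stand-ins (a real TPM performs the comparison inside the chip and never exposes the wrapping value); the SHA-1 extend rule is the TPM 1.2 one.

```python
import hashlib
import hmac

PCR_INITIAL = bytes(20)   # SHA-1-sized PCR, all zero at power-on


def pcr_extend(pcr, component):
    """TPM 1.2-style extend: PCR <- SHA-1(PCR || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components):
    """Fold each core program into the PCR in boot order; order and content both matter."""
    pcr = PCR_INITIAL
    for _name, image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal(key, pcr_policy):
    """Constructed stand-in for TPM sealing: wrap the key under the expected PCR value."""
    wrap = hashlib.sha256(b"seal|" + pcr_policy).digest()
    wrapped = bytes(k ^ w for k, w in zip(key, wrap))
    return {"pcr_policy": pcr_policy, "wrapped": wrapped}


def unseal(blob, current_pcr):
    """Release the key only if the measured PCR equals the sealed policy."""
    if not hmac.compare_digest(blob["pcr_policy"], current_pcr):
        return None
    wrap = hashlib.sha256(b"seal|" + current_pcr).digest()
    return bytes(c ^ w for c, w in zip(blob["wrapped"], wrap))


def trusted_boot(components, sealed_key):
    """Measure the chain, then try to release the user's encryption key."""
    pcr = measure_boot_chain(components)
    return pcr, unseal(sealed_key, pcr)


# Constructed images standing in for the real controller core programs.
GOOD_CHAIN = [
    ("boot loader", b"constructed boot loader image v1"),
    ("BIOS", b"constructed BIOS image v1"),
    ("OS", b"constructed operating system image v1"),
]
USER_KEY = bytes(range(32))   # constructed 256-bit key to be protected
```

Changing any one image, or the order in which the images are measured, produces a different PCR value, so the sealed key stays locked; this is how validity of the core programs and access to the user's keys end up tied together as the text describes.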
1-5 Authentication, Access Control
1-5-1 Authentication
When enabled, User Authentication requires all users to go through a username and password-based
authentication process before MFP/LP operations can be performed. This is true in cases where the
user attempts to access MFP/LP functions via the operation panel as well as via a network connection.
There are five types of User Authentication:
Basic Authentication
User Code Authentication
Windows Authentication
LDAP Authentication
Integration Server Authentication
As the authentication server, the MFP/LP itself is used for Basic Authentication; a Windows NT 4.0
server, Windows 2000 server or Windows Server 2003 can be used for Windows Authentication; and an
LDAP server can be used for LDAP Authentication. In addition, when “Integration Server Auth” is selected
from the User Authentication menu, the MFP/LP connects to the actual authentication server via an
Integration Server. In this case, the authentication is performed using the User Authentication
functions of ScanRouter, ScanRouter Document Server, Web SmartDeviceMonitor Professional IS or
ScanRouter Web Navigator.
Note: See “Windows Authentication, LDAP Authentication” and “Integration Server Authentication”
diagrams below.
Usernames:
Format: US-ASCII, WinLatin1, WinLatin2, WinCyrillic
Length: Maximum 32 characters
Note:
Although it is possible to input the 2-byte characters used in display languages such as
Chinese, Japanese, Taiwanese, and Korean, they are not supported.
Although usernames longer than 32 characters are invalid, the input field will accept up to
128 characters in order to make the 32-character limit more difficult to surmise.
Passwords:
Format: US-ASCII, WinLatin1, WinLatin2, WinCyrillic
Length: Maximum 128 characters (general users), 32 characters (Administrators).
Note: Although it is possible to input the 2-byte characters used in display languages such as
Chinese, Japanese, Taiwanese, and Korean, they are not supported.
Before authentication at the MFP/LP operation panel can be performed, users must be pre-registered
in the MFP/LP. The communication path can be encrypted using SSL; for environments that do not
support the SSL protocol, the password itself is encrypted using an encryption key specified by the
Administrator. To do this, however, the Printer/Scanner option must be installed. To protect against
brute force password cracks and DoS attacks via repeated login, the MFP/LP is capable of detecting a
high frequency of illegal login requests. Administrators can view the detection results by accessing the
job log, or by checking the notification e-mail sent to them. Also, after consecutive failed
authentication attempts, the MFP/LP will delay its response.
It is possible to set the MFP/LP to automatically lock out any user if the number of failed login attempts
by that user exceeds the predetermined limit (access is denied and further usage of that account is
prohibited). Additionally, when the operator registers their authentication password, the MFP/LP
checks the format against the password policy. This policy is set by the Administrator using the
following parameters:
Minimum length: Can be set to a value from 1–32 characters
Complexity: Can be set to “Level 1”, “Level 2”, or “Off”
Level 1 requires that the password contain two or more of the following types of characters, while
Level 2 requires that the password contain three or more types: English capital letters, English
lower-case letters, numbers, symbols.
Note: These two features apply to general user accounts authenticated through Basic Authentication
(performed by the MFP/LP), and to Administrator accounts authenticated through all
authentication modes. When users log in via an external server, instead of performing the
password policy check described above, the MFP/LP follows the authentication results received
from the server.
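The password policy check and the failed-login handling described above (lockout after a set number of failures, a growing response delay, and detection of a high frequency of illegal login requests for the job log), as an added example written for this guide rather than Ricoh's firmware. The character classes follow the text (English capitals, English lower-case letters, numbers, symbols); the supported-character test uses the Windows code pages corresponding to the named formats; the lockout threshold, delay curve and burst window are constructed defaults, since the page gives no specific values for them.

```python
import string
from collections import defaultdict, deque

# The four character types the policy counts. Anything that is not a letter or
# digit is treated as a symbol.
CHAR_CLASSES = {
    "upper": lambda c: c in string.ascii_uppercase,
    "lower": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "symbol": lambda c: not c.isalnum(),
}
# US-ASCII, WinLatin1, WinLatin2, WinCyrillic as Python codec names.
CODEPAGES = ("ascii", "cp1252", "cp1250", "cp1251")


def supported_charset(text):
    """True if the text fits one of the supported single-byte code pages."""
    for codepage in CODEPAGES:
        try:
            text.encode(codepage)
            return True
        except UnicodeEncodeError:
            continue
    return False


def check_password_policy(password, min_length, complexity, is_admin=False):
    """Apply the Administrator's policy at registration time. Returns (ok, reason)."""
    if not 1 <= min_length <= 32:
        raise ValueError("minimum length must be 1-32")
    if complexity not in ("Off", "Level 1", "Level 2"):
        raise ValueError("complexity must be Off, Level 1 or Level 2")
    limit = 32 if is_admin else 128          # Administrators: 32, general users: 128
    if len(password) > limit:
        return False, f"longer than {limit} characters"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if not supported_charset(password):
        return False, "contains unsupported (2-byte) characters"
    if complexity == "Off":
        return True, "ok"
    needed = 2 if complexity == "Level 1" else 3
    found = sum(1 for test in CHAR_CLASSES.values() if any(test(c) for c in password))
    if found < needed:
        return False, f"{complexity} needs {needed} character types, found {found}"
    return True, "ok"


class LoginGuard:
    """Per-account failure tracking: lockout, growing delay, and burst detection."""

    def __init__(self, lockout_limit=5, base_delay=1.0, max_delay=60.0,
                 burst_window=60.0, burst_limit=10):
        self.lockout_limit = lockout_limit
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.burst_window = burst_window
        self.burst_limit = burst_limit
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked = set()
        self.recent = deque()              # timestamps of all failures, any account
        self.log = []                      # what an Administrator sees in the job log

    def attempt(self, user, password, verify, now):
        """Returns (result, delay_seconds); the caller applies the delay before replying."""
        if user in self.locked:
            self.log.append((now, user, "rejected: account locked out"))
            return "locked out", 0.0
        if verify(user, password):
            self.failures[user] = 0        # a success resets the consecutive count
            return "ok", 0.0
        self.failures[user] += 1
        self.recent.append(now)
        self.log.append((now, user, "authentication failed"))
        if self.failures[user] >= self.lockout_limit:
            self.locked.add(user)
            self.log.append((now, user, "locked out after repeated failures"))
            return "locked out", 0.0
        delay = min(self.base_delay * 2 ** (self.failures[user] - 1), self.max_delay)
        return "denied", delay

    def burst_detected(self, now):
        """High frequency of failed logins inside the window, across all accounts."""
        while self.recent and now - self.recent[0] > self.burst_window:
            self.recent.popleft()
        return len(self.recent) >= self.burst_limit
```

The delay doubles with each consecutive failure and the lockout is per account, so a single bad password slows one attacker down without affecting other users, while `burst_detected` gives the cross-account view that feeds the job log and the notification e-mail.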
The information for performing the authentication of administrators is encrypted and then stored in the
MFP/LP in non-volatile memory. Therefore, it is always possible to perform authentication on
administrators even when a failure occurs with the MFP/LP HDD or one or more of the external
authentication servers is down.
In the case of Windows Authentication, NTLMv1 Authentication or Kerberos Authentication is
performed with the specified domain controller, after which an attempt is made to establish an LDAP
connection with Active Directory. The e-mail address, FAX number and GUID are then obtained for
users who successfully clear the authentication. The same NTLM Authentication process is performed
for LDAP Authentication as well, after which an LDAP search is performed to obtain the user’s e-mail
address, FAX number and GUID.
Kerberos Authentication can be used for LDAP Authentication and LDAP searches. Kerberos
Authentication tickets are not stored in non-volatile memory, and are destroyed as soon as the
authentication process is successful.
Active sessions will expire under the following conditions:
When the “Logout” button is pressed in User Tools
When the “Logout” hard key is pressed (on MFPs/LPs that have this key)
When the MFP/LP enters Low-power Mode or Energy Saver Mode
After a pre-determined amount of time has passed (automatic logout)
[Figure: Windows Authentication, LDAP Authentication. Authentication information is input from the operation panel, or arrives as a job plus authentication information from a PC over the LAN; the MFP/LP authenticates against a Windows Server Active Directory or an LDAP server.]
[Figure: Integration Server Authentication. Authentication information is input from the operation panel, or arrives as a job plus authentication information from a PC over the LAN; the MFP/LP passes the authentication to the Integration Server, where one method is selected: [1] Basic Auth., [2] Windows Server, [3] LDAP Server, or [4] a customized Auth. Server.]
1-5-2 IC Card Authentication
Overview
IC Card Authentication is provided to the field in the form of an optional IC card. The information
necessary to perform the authentication functions described in section 1.4.1 above (username and
password) can be stored to this IC card and then used to authenticate MFP/LP users. This feature
supports IC cards built to Ricoh specifications.
To use this option, it is necessary to install the “ADK” (Authentication Development Kit), a local
customization solution.
Data Flow
When the IC card is placed in the reader, if it contains a function release code, the user will be prompted
to enter this code in order to proceed with the authentication. The CSC compares the code entered with
the one stored in the IC card, and if these two match, it then obtains the username and password stored
in the card and begins the authentication process. If the IC card does not contain a function release code,
the CSC simply reads the username and password stored in the IC card and begins the authentication
process automatically.
[Figure: IC Card Authentication. Authentication information is either input from the operation panel or read, in encrypted form, from the IC card; a PC may also send a job plus authentication information over the LAN. One server is selected for the authentication: a Windows Server, an LDAP Server, an Integration Server, or a customized server.]
1-5-3 Access Control
Users logged in as administrators are able to make changes to the following security-related settings:
Access restrictions for individual users: Access to each principal MFP/LP function can be controlled for
each individual user. In the case of Windows Authentication and Integration Server Authentication, it is
also possible to set such restrictions for global groups as well as individual users.
On MFP/LPs with e-mail transmission applications, to prevent the impersonation of the user by a third
party, it is possible to set the MFP/LP so that the e-mail address of the logged-in user is set as the
“From” field whenever an e-mail is sent. Users who do not have a registered e-mail address would not
be able to send e-mail.
It is possible to prohibit the sending of e-mail to any address except those that have been approved.
This is true for addresses that are entered manually as well as those registered in the Address Book.
It is possible to prohibit unauthenticated users as well as general users from viewing or making any
changes to the User Tools settings.
An 8-digit protection code can be assigned to each individual Address Book entry to protect its
contents, so that users cannot freely select addresses to send e-mail and/or impersonate other users
as the sender. If the code entered by the operator does not match the one in the MFP/LP, no
operations can be performed on the address. In addition, it is possible to create an access control list
(ACL) for each individual Address Book entry and Document Server document at both the individual
user and group levels.
1-6 Administrator Settings
In order to disperse the risk of malicious operations by a single individual with administrator-level access
rights, the MFP/LP allows the following five types of administrators to be registered.
1. Machine Administrator: Manages the User Tools settings and ensures that the MFP/LP is always in
good working order.
2. Network Administrator: Manages the network-related User Tools settings and ensures that
protections against illegal remote access are properly maintained.
3. Document Administrator: Manages the document storage-related User Tools settings, access
privileges for stored documents, and the stored documents themselves.
4. User Administrator: Manages the user information stored in the Address Book, as well as the access
rights to this information.
5. Supervisor: Manages the passwords of the four administrators listed above, in case any passwords
are forgotten.
Each individual administrator is able to change their own username and password; however, they are
not able to change the usernames and passwords of other administrators.
It is possible to assign two or more (or all) of the above titles to the same individual user.
In the event a Supervisor forgets the passwords, the only way to resolve the condition is to initialize the
MFP/LP back to its factory shipment condition. (Even field technicians cannot access this information.)
If the MFP/LP is initialized in this way, all of the user information, document data, and settings stored in
the MFP/LP since installation will be initialized (erased).