Aficio MP 4001/5001 series with Fax Option Type 5001 Security Target
Author: RICOH COMPANY, LTD., Yasushi FUNAKI
Date: 2010-06-17
Version: 1.00
Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.

Revision History
Version | Date | Author | Details
1.00 | 2010-06-17 | Yasushi FUNAKI | Released version.
Assumptions 27
SF.I&A User Identification and Authentication Function 66
7.1.2.1 User Identification and Authentication 67
7.1.2.2 Actions in Event of Identification and Authentication Failure 67
7.1.2.3 Password Feedback Area Protection 68
References 80
Table 32: Administrators authorised to specify machine control data 73
Table 33: List of encryption operations on data stored on the HDD 74
Table 34: Specific terms used in this ST 77
USB connection, according to users' needs. Users can operate the TOE from the Operation Panel, from a client computer connected to the local network, or from a client computer connected to the TOE through USB. Figure 1 shows an example of the assumed TOE environment.
FTP Server: the FTP server is used by the TOE to deliver document data stored in the TOE to folders on the FTP server.
The physical boundary of the TOE is the MFP, which consists of the following hardware (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, Ic Hdd, HDD, Network Unit, USB Port, and SD Card Slot. Figure 2 outlines the configuration of the TOE hardware.
The Fax Unit has an interface to the MFP Control Software. The interface provides the MFP Control Software with information about the status of fax communications and controls the fax communications according to instructions from the MFP Control Software.
SD card. When installing the TOE, the CE inserts an SD card into the SD Card Slot to activate the Stored Data Protection Function.
Guidance documents (list fragment):
- MP 4001/5001, LD140/LD150, Aficio MP 4001/5001: Notes for Administrators: Using this Machine in a CC-Certified Environment
- VM Card Manuals [English version-2]
- Quick Reference Copy Guide
- Quick Reference Fax Guide
- Safety Information for MP 4001/MP 5001
- Notes for Users
- App2Me Start Guide
- MP 4001/5001, Aficio MP 4001/5001: Manuals for Users
- MP 4001/5001, Aficio MP 4001/5001: Manuals for Administrators, Security Reference
- MP 4001/5001, Aficio MP 4001/5001: Manuals for Administrators, Security Reference Supplement
- 9240/9250, MP 4001/5001, LD140/LD150, Aficio MP 4001/5001: Notes for Administrators: Using this Machine in a CC-Certified Environment
- VM Card Manuals
A "general user" is an authorised TOE user who is registered in the Address Book by a user administrator. General users can store document data in the TOE and perform operations on the document data.
Function, and Scanner Function. Administrators and the supervisor are provided with the Management Function. These functions are accessed by pressing the relevant buttons on the Operation Panel. General users, administrators, and the supervisor can use the Web Service Functions, depending on their role.
Document Server Function can be printed and deleted using the Document Server Function. Document data stored in the D-BOX using the Scanner Function cannot be printed or deleted using the Document Server
Data Access Control Function, Stored Data Protection Function, Network Communication Data Protection Function, Security Management Function, Service Mode Lock Function, Telephone Line Intrusion Protection Function, and MFP Control Software Verification Function. This section describes these functions.
Print Settings is also permitted. Table 2 shows the relationship between the operations authorised by the permissions to process document data and the operations possible on the document data.
This function allows administrators, the supervisor, and general users who have been successfully authenticated by the previously described "Identification and Authentication Function" to perform the following security management operations according to user role.
Telephone Line Intrusion Protection Function: this function is for devices equipped with a Fax Unit. It restricts communication over a telephone line to the TOE, so that the TOE receives only permitted data.
Print data is imported to the TOE via the internal network or the USB Port. When passing from a client computer to the TOE through the internal network, print data is protected from leakage, and tampered data can be detected.
This ST and TOE do not conform to any PPs. This ST claims conformance to the following package: EAL3 conformant. Conformance Rationale: since this ST does not claim conformance to any PP, there is no rationale for PP conformance.
Attackers may gain access to the TOE through telephone lines. Organisational Security Policies: the following security policy is assumed for organisations that demand integrity of the software installed in their IT products.
When the network that the TOE is connected to (the internal network) is connected to an external network such as the Internet, the internal network shall be protected from the external network.
(Protection of integrity of MFP Control Software) The TOE shall provide TOE users with a function that verifies the integrity of the MFP Control Software, which is installed in the FlashROM.
Table 3 demonstrates that each security objective corresponds to at least one threat, organisational security policy, or assumption. As indicated by the shaded region in Table 3, assumptions are not upheld by TOE security objectives.
As specified by OE.SUPERVISOR, the responsible manager of the MFP shall select a trusted person as supervisor and instruct him/her on the role of supervisor. Therefore, A.SUPERVISOR is upheld.
Execution of O.MEM.PROTECT is recorded in the audit log by O.AUDIT, and the function for reading audit logs is available to the machine administrator only, so the machine administrator can later determine whether O.MEM.PROTECT was performed successfully. Therefore, the TOE counters T.SALVAGE.
To enforce this organisational security policy, the TOE provides TOE users with the function to verify the integrity of the MFP Control Software installed in the FlashROM, by O.GENUINE. Therefore, the TOE enforces P.SOFTWARE.
In this ST and TOE there are no extended components, i.e. no security functional requirements or security assurance requirements other than those defined in the CC to which conformance is claimed in "2.1 CC Conformance Claim".
Auditable events (table fragment)
Functional requirement | Auditable events in CC | Auditable events in this ST
FAU_STG.4 | Basic: Actions taken due to the audit storage failure. | Auditable events not recorded.
FCS_CKM.1 | a) Minimal: Success and failure of the activity. b) Basic: The object attribute(s), and ... | <Individually-defined auditable events> 1. HDD cryptographic key ...
FIA_SOS.1 | b) Basic: Rejection or acceptance by the TSF of any tested secret; c) Detailed: Identification of any changes to the defined quality metrics. | (Outcome: Success/Failure) 2. Changing authentication information of general users.
(events list fragment)
1. Newly creating authentication information of general users.
2. Changing authentication information of general users.
3. Deleting authentication information of general users.
4. Changing administrator authentication information.
5. Changing supervisor
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
6.1.2 Class FCS: Cryptographic support
FCS_CKM.1 Cryptographic key generation. Hierarchical to: No other components. Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FDP_ACF.1 Security attribute based access control. FDP_ACC.1.1 The TSF shall enforce the [assignment: MFP access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 7].
ID or the document file user ID in the document data ACL associated with the document data, and if the matched ID has viewing, editing, editing/deleting, or full control permission.
Simple security attributes. Hierarchical to: No other components. Dependencies: FDP_IFC.1 Subset information flow control, FMT_MSA.3 Static attribute initialisation. FDP_IFF.1.1 The TSF shall enforce the [assignment: telephone line information flow SFP] based on the
[assignment: the number of consecutive authentication failures for each user in the authentication events shown in Table 13].
Table 13: List of authentication events
Authentication events: User authentication using the control panel
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: the following quality metrics]. (1) Usable characters and their types: Upper-case letters: [A-Z] (26 letters); Lower-case letters: [a-z] (26 letters)
FIA_ATD.1 User attribute definition. FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: general user IDs, document data default ACL,
[assignment: security attributes in Table 16] to [assignment: users/roles in Table 16].
Table 16: Management roles of security attributes (fragment)
Security attributes | Operations | User roles
General user IDs (a data item of general user information) | Query, newly create, delete | User administrator
Management functions (table fragment)
FAU_STG.4 | Maintenance (deletion, modification, addition) of actions to be taken in case of audit storage failure. | None: Actions are fixed and not an object of management.
FCS_CKM.1 | None
FCS_COP.1 | None
FDP_ACC.1 | None
- Security Management Function (management of administrator information): new registration of administrators by administrators.
- Security Management Function (management of administrator information): management of administrator authentication information by the supervisor.
Address Book.
- Allows general users to modify the document data default ACL of their own general user information.
c) None: No rules by which security attributes inherit specified values.
Reliable time stamps. Hierarchical to: No other components. Dependencies: No dependencies. FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
FPT_TST.1 TSF testing. Hierarchical to: No other components.
TOE]]. Table 20 shows the services that require the trusted path defined in FTP_TRP.1.3, used by each user who communicates via the trusted path described in FTP_TRP.1.2.
Table 20 (fragment): Services requiring the trusted path
- E-mail service to client computer from TOE (S/MIME)
- Initial user authentication (SSL)
Remote users:
- TOE web service from client PC (SSL)
- Printing service from client PC (SSL)
- Fax service from client PC (SSL)
Table 22 shows that each TOE security functional requirement fulfils at least one TOE security objective.
Table 22: Relationship between security objectives and functional requirements (column headings): FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FCS_CKM.1, FCS_COP.1, FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2
If an auditable event occurs when the audit log files are full, FAU_STG.4 prevents loss of the most recent audit records by writing the new record over the audit record with the oldest time stamp.
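The audit behaviour described for FAU_GEN.1.2, FAU_SAR.1/FAU_SAR.2 and FAU_STG.4 above can be modelled as follows. This is an added illustration, not part of this ST and not Ricoh's implementation: the log capacity, the event names and the four constructed events are assumptions chosen for the demonstration; what it shows is the record format (date/time, event type, subject, outcome, plus optional expanded information), the read restriction to the machine administrator, and oldest-first overwrite when the store is full.

```python
"""Added example (not Ricoh's code): an audit trail behaving like the ST's
FAU_GEN.1 / FAU_SAR.1 / FAU_STG.4 requirements, fed with constructed events."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional

MACHINE_ADMINISTRATOR = "machine administrator"


@dataclass(frozen=True)
class AuditRecord:
    # Basic audit information required by FAU_GEN.1.2: date/time, event type,
    # subject identity (if applicable) and outcome (success/failure).
    timestamp: datetime
    event_type: str
    subject: Optional[str]
    outcome: str
    # Expanded audit information (e.g. the ID of an object document data or a
    # communication IP address); an empty dict stands for "-" (none applicable).
    expanded: Dict[str, str] = field(default_factory=dict)


class AuditLog:
    """Fixed-capacity audit trail. When full, the record with the oldest time
    stamp is overwritten by the new one (FAU_STG.4 as described in the ST).
    The capacity is an assumption; the TOE's real log size is not on this page."""

    def __init__(self, capacity: int) -> None:
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self._records: Deque[AuditRecord] = deque(maxlen=capacity)
        self.overwritten = 0  # number of oldest records lost to overwrite

    def record(self, event_type: str, subject: Optional[str], outcome: str,
               when: Optional[datetime] = None, **expanded: str) -> AuditRecord:
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        rec = AuditRecord(when or datetime.now(timezone.utc), event_type,
                          subject, outcome, dict(expanded))
        if len(self._records) == self._records.maxlen:
            self.overwritten += 1  # deque drops the oldest entry on append
        self._records.append(rec)
        return rec

    def read(self, role: str) -> List[AuditRecord]:
        # FAU_SAR.1 / FAU_SAR.2: only the machine administrator may read the log.
        if role != MACHINE_ADMINISTRATOR:
            raise PermissionError("audit log is readable by the machine administrator only")
        return list(self._records)

    def __len__(self) -> int:
        return len(self._records)


def demo() -> AuditLog:
    """Constructed sequence: four events into a three-record log, so the first
    record (the one with the oldest time stamp) is overwritten."""
    log = AuditLog(capacity=3)
    t0 = datetime(2010, 6, 17, 9, 0, tzinfo=timezone.utc)
    log.record("login", "user1", "failure", when=t0)
    log.record("login", "user1", "success", when=t0.replace(minute=1))
    log.record("store document", "user1", "success",
               when=t0.replace(minute=2), document_id="doc-0001")
    log.record("change system clock", "admin1", "success", when=t0.replace(minute=3))
    return log
```

The point for a reviewer of such a design is the trade-off the ST makes: overwriting the oldest record keeps the most recent activity (what an investigation of T.SALVAGE or a lockout would need) at the cost of silently losing the oldest, so log capacity and the machine administrator's review interval have to be matched to the expected event rate.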
For general users, FDP_ACC.1 and FDP_ACF.1 allow storage of document data, and when the general user IDs associated with general user processes are registered in the document data ACL of a document,
- supervisor to query and specify the Lockout Flag for administrators, and to specify supervisor authentication information; and
- supervisor and applicable administrators to change administrator authentication information.
To fulfil O.MANAGE, the Security Management Functions for the implemented TSF shall be
The SSL protocol protects document data and print data travelling through a web service, print service, or fax service from a client computer against leakage and tampering.
Dependencies of TOE security functional requirements (table fragment)
Functional requirement | Dependencies claimed by CC | Dependencies satisfied in ST | Dependencies removed in ST
(preceding row) | | | None
FAU_STG.4 | FAU_STG.1 | FAU_STG.1 | None
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4 | FCS_COP.1 | FCS_CKM.4
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4
FDP_ACC.1 | FDP_ACF.1 | FDP_ACF.1 | None
FDP_ACF.1 | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1, FMT_MSA.3 | None
Rationale for Removing Dependencies on FIA_UAU.1: FIA_AFL.1 and FIA_UAU.7 depend on FIA_UAU.1. Since this TOE employs FIA_UAU.2, which is hierarchical to FIA_UAU.1, that dependency is satisfied by FIA_UAU.2.
Development security (ALC_DVS.1) is therefore also important. Based on the terms and costs of the evaluation, the evaluation assurance level EAL3 is appropriate for this TOE.
As Table 24 shows, each security functional requirement described in section "6.1" is satisfied by at least one TOE Security Function.
Table 24: Relationship between TOE security functional requirements and TOE Security Functions (column headings): FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FCS_CKM.1, FCS_COP.1, FDP_ACC.1, FDP_ACF.1
The TOE generates audit log entries whenever an auditable event occurs, and appends them to the audit log files. Audit logs consist of basic audit information and expanded audit information. Basic audit information is data
Expanded audit information (table fragment)
Audit event | Expanded audit information
(preceding row) | ID of object document data
Changing date and time of system clock | -
Communication with trusted IT product | Communication IP address
Communication with remote user |
Deletion of entire audit log | -
-: No applicable expanded audit information
TOE Security Functions. The following explains each functional item in "SF.I&A User Identification and Authentication Function" and the corresponding functional requirements.
When a user authenticates successfully, as described in "7.1.2.1 User Identification and Authentication", the TOE resets that user's count of consecutive authentication failures to 0 and starts counting again from 0.
If it does not, the password is not registered and an error message appears. (1) Usable characters and their types: Upper-case letters: [A-Z] (26 letters); Lower-case letters: [a-z] (26 letters)
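The two SF.I&A behaviours just described, the registration-time password quality check (FIA_SOS.1, section 6.1 and 7.1.2) and the consecutive-failure counter that is reset on success and leads to a Lockout Flag (FIA_AFL.1, 7.1.2.2), are shown together below. This is an added illustration, not part of this ST and not Ricoh's code. Only the two character classes on this page ([A-Z] and [a-z]) come from the ST; the digit and symbol classes, the minimum length of 8, the requirement for two character types, the lockout threshold of 3 and the roles allowed to clear a lockout are assumptions made for the example.

```python
"""Added example (not Ricoh's code): password quality check at registration
(FIA_SOS.1) and consecutive-failure lockout with reset on success (FIA_AFL.1).
Values not on the page (minimum length, lockout threshold, the extra usable
character classes, who may clear a lockout) are assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")           # [A-Z], 26 letters (from the ST)
LOWER = set("abcdefghijklmnopqrstuvwxyz")           # [a-z], 26 letters (from the ST)
DIGIT = set("0123456789")                           # assumed additional class
SYMBOL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # assumed additional class
USABLE = UPPER | LOWER | DIGIT | SYMBOL

MIN_LENGTH = 8         # assumption
MIN_CHAR_TYPES = 2     # assumption: at least two of the classes above
LOCKOUT_THRESHOLD = 3  # assumption: consecutive failures that set the Lockout Flag
LOCKOUT_CLEARERS = ("supervisor", "user administrator")  # assumed roles


def check_password_quality(password: str) -> Tuple[bool, str]:
    """Return (ok, reason). A password that fails is not registered."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if any(ch not in USABLE for ch in password):
        return False, "unusable character"
    types_used = sum(1 for cls in (UPPER, LOWER, DIGIT, SYMBOL)
                     if any(ch in cls for ch in password))
    if types_used < MIN_CHAR_TYPES:
        return False, "too few character types"
    return True, "ok"


@dataclass
class Account:
    password: str        # plaintext only for the demonstration; store a hash in practice
    failures: int = 0    # consecutive failures; reset to 0 on a successful login
    locked: bool = False # the Lockout Flag


class Authenticator:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, user_id: str, password: str) -> bool:
        ok, _ = check_password_quality(password)
        if ok:
            self._accounts[user_id] = Account(password)
        return ok

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'success', 'failure' or 'locked'. Once the Lockout Flag is set,
        even the correct password is refused until the flag is cleared."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return "failure"  # unknown user gets the same answer as a wrong password
        if acct.locked:
            return "locked"
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0  # success resets the consecutive-failure count
            return "success"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "failure"

    def clear_lockout(self, actor_role: str, user_id: str) -> bool:
        """Only the assumed management roles may clear a Lockout Flag."""
        if actor_role not in LOCKOUT_CLEARERS:
            return False
        acct = self._accounts[user_id]
        acct.locked, acct.failures = False, 0
        return True

    def failures(self, user_id: str) -> int:
        return self._accounts[user_id].failures
```

Two details matter in practice and are easy to get wrong: the counter must count consecutive failures (a success in between resets it, otherwise legitimate users accumulate a lockout over months), and a locked account must refuse the correct password too, or the lock gives no protection against a guesser who eventually hits it.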
Table 28 shows the value of the document data ACL when storing document data.
Table 28: Default value for document data ACL
Type of document data | Default value for document data ACL
Document data stored by a general user | Document data default ACL
Operations on the document data ACL (table fragment)
Operation | Authorised users
Deletion of document file users | Document file owners; General users with full control authorisation
Changing of document file users' operation permissions for document data | File administrators; Document file owners
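The access control rule quoted under FDP_ACF.1 above (the requesting general user ID must match the owner ID or a document file user ID in the document data ACL, and the matched ID must carry viewing, editing, editing/deleting or full control permission), together with Table 28 and the ACL-management table, can be exercised with the following added example. It is not part of this ST and not Ricoh's code. The four permission names come from the page; treating them as cumulative levels, the concrete operation names, and giving the storing user a full-control ACL entry as owner are assumptions.

```python
"""Added example (not Ricoh's code): document data ACL checks modelled on the
MFP access control SFP described in this ST. The permission names are the four
on the page; the cumulative mapping and the operation names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Permission levels from the ST, in increasing order of authority.
VIEWING, EDITING, EDITING_DELETING, FULL_CONTROL = (
    "viewing", "editing", "editing/deleting", "full control")

# Assumed cumulative mapping from a permission to the operations it allows.
_OPS: Dict[str, FrozenSet[str]] = {
    VIEWING: frozenset({"print"}),
    EDITING: frozenset({"print", "edit"}),
    EDITING_DELETING: frozenset({"print", "edit", "delete document"}),
    FULL_CONTROL: frozenset({"print", "edit", "delete document",
                             "delete document file user"}),
}


@dataclass
class Document:
    owner_id: str                                      # document file owner
    acl: Dict[str, str] = field(default_factory=dict)  # user ID -> permission


@dataclass(frozen=True)
class User:
    user_id: str
    role: str = "general user"  # or "file administrator"


def store_document(user: User, default_acl: Dict[str, str]) -> Document:
    """Table 28: a document stored by a general user gets that user's document
    data default ACL, with the storing user as the document file owner. The
    owner's own entry being full control is an assumption."""
    acl = dict(default_acl)
    acl.setdefault(user.user_id, FULL_CONTROL)
    return Document(owner_id=user.user_id, acl=acl)


def is_authorised(user: User, operation: str, doc: Document) -> bool:
    """FDP_ACF.1 rule from the page: the user ID must match the owner ID or a
    document file user ID in the ACL, and the matched entry must carry a
    permission that allows the requested operation. The two ACL-management
    operations follow the page's table of authorised users."""
    if operation == "change permissions":
        # File administrators and document file owners.
        return user.role == "file administrator" or user.user_id == doc.owner_id
    if operation == "delete document file user":
        # Document file owners and general users with full control.
        if user.user_id == doc.owner_id:
            return True
        return doc.acl.get(user.user_id) == FULL_CONTROL
    permission: Optional[str] = doc.acl.get(user.user_id)
    if permission is None:
        return False  # not the owner and not a document file user: no access
    return operation in _OPS[permission]
```

Note that the file administrator is deliberately not given read access here: the page grants that role management of other users' permissions, not the document content, and a least-privilege model keeps those two separate.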
If the logged-in user is an administrator or the supervisor, the TOE allows that user to perform the operations shown in Table 30 for the respective role. By the above, FIA_USB.1 (User-subject binding), FMT_MSA.1 (Management of security attributes),
When new general user information is created, the new general user ID is set in the document data default ACL as the document file owner, and the authorised operations on the document data will
(table row fragment) Machine administrators | Web Service Function | Inactive | supervisor: modify
By the above, FIA_AFL.1 (Authentication failure handling), FMT_MTD.1 (Management of TSF data), FMT_SMF.1 (Specification of management functions), and FMT_SMR.1 (Security roles) are satisfied.
HDD encryption keys. If the TOE is not able to verify the integrity of the HDD encryption keys, it indicates that the HDD encryption keys have changed.
When it receives fax data from the telephone line, the TOE passes the data to the Controller Board. If the received data is not fax data, the TOE discards it. By the above, FDP_IFC.1 (Subset information flow control) and FDP_IFF.1 (Simple security attributes) are satisfied.
The TOE becomes available to users only if the integrity of the control software can be verified. If integrity cannot be verified, this indicates that the MFP Control Software is not correct. By the above, FPT_TST.1 (TSF testing) is satisfied.
S/MIME user information | Information about each general user that is required for using S/MIME. Includes e-mail address, user certificates, and a specified value for S/MIME use.
SMB server | A server for sharing files with a client computer using the Server Message Block Protocol.
User administration | An administrator role assigning responsibility for management of general users. The user administrator is a person who has the user management role.
Administrator ID | An item of administrator information and an identification code for identification and authentication of the administrator. Indicates the administrator's login name on this TOE.
Administrator authentication information | A password for identification and authentication of an administrator.
Document file user | General users who are registered in the document data ACL but are not owners of the document data.
References
Following are the documents referenced in this document.
- Common Methodology for Information Technology Security Evaluation, Version 3.1, Evaluation Methodology, Revision 2 (CCMB-2007-09-0004)
- "Japanese-translated version": Common Methodology for Information Technology Security Evaluation, Version 3.1, Evaluation Methodology, Revision 2 [Japanese translation ver. 2.0]