MP 7501/6001 series, Aficio MP 9001/8001/7001/6001 series Security Target Author : RICOH COMPANY, LTD. Date 2010-08-31 Version : 1.00 Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.
Page 1 of 82
Revision History
Version 1.00, 2010-08-31, RICOH COMPANY, LTD.: Released version.
Organisational Security Policies ... 27
7.1.1.3 Protection of Audit Logs ... 67
7.1.1.4 Time Stamps ... 67
7.1.2 SF.I&A User Identification and Authentication Function ... 67
7.1.2.1 User Identification and Authentication ... 68
7.1.2.2 Actions in Event of Identification and Authentication Failure ... 68
References ... 82
Table 30: Operations on document data ACL and authorised users ... 71
Table 31: Access to administrator information ... 72
Table 32: Authorised operations on general user information ... 73
Table 33: Administrators authorised to specify machine control data ... 74
Table 34: List of encryption operations on data stored on the HDD ... 76
Table 35: Specific terms used in this ST ... 78
TOE. Manufacturer : RICOH COMPANY, LTD. MFP Name Table 1 shows the MFP names for the Japanese version "Ricoh imagio MP 7501/6001 series" and the English version "Ricoh Aficio MP 9001/8001/7001/6001 series". Table 1: MFP names for each series...
MP 6001, infotec MP 7001, infotec MP 8001, infotec MP 9001
MFP Model: SP
MFP Version: Software: System/Copy 1.15, Network Support 8.65, Scanner 01.19, Printer 1.15, 02.00.00, Web Support 1.09
Users can use these functions from the Operation Panel. Users can also use some of these functions remotely. The following are the major Security Functions of the TOE in this ST:
- Audit Function
- Identification and Authentication Function
- Document Data Access Control Function
- Stored Data Protection Function
USB connection, according to users' needs. Users can operate the TOE from the Operation Panel, a client computer connected to the local network, or a client computer connected to the TOE through USB. Figure 1 shows an example of the assumed TOE environment.
To print and fax from the client computer via the internal network or USB connection, the printer driver (RPCS printer driver for Ricoh imagio MP 7501/6001 series MFP and the PCL printer driver for Ricoh
2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, Ic Ctlr, HDD, Network Unit, USB Port, and SD Card Slot. Figure 2 outlines the configuration of the TOE hardware.
The Engine Control Software sends information about the status of the Scanner Engine and Printer Engine to the MFP Control Software, and operates the Scanner Engine or Printer Engine according to instructions from the MFP Control Software.
Network Unit: The Network Unit is an interface board for connection to an Ethernet (100BASE-TX/10BASE-T) network.
USB Port: The USB Port is used to connect a client computer to the TOE so that the user can print or fax from the client computer.
Notes for Administrators: Using this Machine in a CC-Certified Environment (Written in Japanese) [English version-1] 9060/9070/9080/9090 MP 6001/MP 7001/MP 8001/MP 9001 LD360/LD370/LD380/LD390 Aficio MP 6001/7001/8001/9001
Operating Instructions About This Machine 9060/9070/9080/9090 MP 6001/MP 7001/MP 8001/MP 9001
The "supervisor" is a user who manages and changes administrator passwords. One supervisor must be registered for the TOE. The default supervisor is registered for the TOE as a factory setting. The person
The logical boundaries of the TOE comprise the functions provided by the TOE. This section describes the "Basic Functions", which are the services provided by the TOE to users, and the "Security Functions", which counter threats to the TOE. These functions are outlined in Figure 3.
D-BOX. Document data stored in the D-BOX using the Copy Function can be printed and deleted using the "Document Server Function", which is part of the Basic Functions and is described later.
TOE to networks, user information, and information on restriction of use of document data. The user's ability to manage this information depends on the user's role (general user,
The machine administrator can read the audit logs using the Web Service Function, and delete the audit logs using both the Operation Panel and the Web Service Function.
Print Settings is also permitted. Table 3 shows the relationship between the operation authorised by the permissions to process document data and the operations possible on the document data.
Management of document data ACL: Allows only specified users to modify the document data ACL. Modifying the document data ACL includes changing document file owners, registering new document file users for the
Telephone Line Intrusion Protection Function: This function is for devices equipped with a Fax Unit. It restricts communication over a telephone line to the TOE, so that the TOE receives only permitted data.
Print data is imported to the TOE via the internal network or the USB Port. When passing from a client computer to the TOE through the internal network, print data is protected from leakage, and tampered data can be detected.
This ST and TOE do not conform to any PPs. This ST claims conformance to the following package: Package: EAL3 conformant.
Conformance Rationale: Since this ST does not claim conformance to PPs, there is no rationale for PP conformance.
Attackers may gain access to the TOE through telephone lines.
Organisational Security Policies: The following security policy is assumed for organisations that demand integrity of the software installed in their IT products.
When the network that the TOE is connected to (the internal network) is connected to an external network such as the Internet, the internal network shall be protected from the external network.
O.GENUINE (Protection of integrity of MFP Control Software): The TOE shall provide TOE users with a function that verifies the integrity of the MFP Control Software.
Table 4 demonstrates that each security objective corresponds to at least one threat, organisational security policy, or assumption. As indicated by the shaded region in Table 4, assumptions are not upheld by TOE security objectives.
As specified by OE.SUPERVISOR, the responsible manager of the MFP shall select a trusted person as a supervisor and instruct him/her on the role of supervisor. Therefore, A.SUPERVISOR is upheld.
O.MEM.PROTECT is recorded in audit logs by O.AUDIT, and the function for reading audit logs is available to the machine administrator only, so that the machine administrator can
To enforce this organisational security policy, the TOE provides TOE users with the function to verify the integrity of the MFP Control Software by O.GENUINE. Therefore, the TOE can enforce P.SOFTWARE.
In this ST and TOE, there are no extended components, i.e., no new security requirements or security assurance requirements beyond those described in the CC to which conformance is claimed in "2.1 CC Conformance Claim".
FAU_SAR.2: a) Basic: Unsuccessful attempts to read information from the audit records. (Auditable events not recorded.)
FAU_STG.1: None
FAU_STG.4: a) Basic: Actions taken due to the audit storage failure. (Auditable events not recorded.)
authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal). Recorded events: 1. Lockout start; 2. Lockout release.
FIA_ATD.1: None
2. Changing document data ACL
FMT_MSA.3: a) Basic: Modifications of the default setting of permissive or restrictive rules. b) Basic: All modifications of the initial values of security attributes. (Auditable events not recorded.)
channel functions. c) Basic: All attempted uses of the trusted channel functions. d) Basic: Identification of the initiator and target of all trusted channel functions. (Recorded: Communication IP address)
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation.
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
[assignment: cryptographic algorithm shown in Table 7] and cryptographic key sizes [assignment: cryptographic key size shown in Table 7] that meet the following: [assignment: standards shown in Table 7].
Subjects: Administrator process. Security attributes: Administrator IDs, Administrator roles.
Subjects: General user process. Security attributes: General user ID, Document data default ACL.
Objects: Document data. Security attributes: Document data ACL.
FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes.
FDP_IFC.1.1 The TSF shall enforce the [assignment: telephone line information flow SFP] on
[assignment: no rules, based on security attributes that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: no rules, based on security attributes that explicitly deny information flows].
There is also a special Lockout release: if an administrator (any role) or a supervisor is locked out, restarting the TOE has the same effect as the Lockout release operation performed by an unlocking administrator.
FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
TSF-mediated actions on behalf of that user.
FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication.
FIA_UAU.7.1 The TSF shall provide only [assignment: displaying a dummy letter (*: asterisks, or ?:
However, the administrator cannot delete the assigned administrator role if that role is assigned to no other administrators].
6.1.5 Class FMT: Security management
FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
[selection: [assignment: specified as shown in Table 18]] for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [assignment: no authorised identified roles] to specify alternative
Setting for Lockout Release Timer: Query, modify: Machine administrator
Lockout time: Query, modify: Machine administrator
Date and time of system clock: Date setting, time setting (hour, minute, ...): Query, modify: Machine administrator
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following Management Functions: [assignment: list of specifications of Management Functions described in Table 20].
FIA_SOS.1 (verify the secrets): Management Function (management of machine control data): The user administrator manages the following settings of the machine control data:
- Minimum Password Length
- Password Complexity Setting
An authorised administrator can change subject security attributes. b) Administrators can add own assigned administrator roles to other administrators and delete administrator roles.
FTP_ITC.1: a) Configuring the actions that require trusted channel, if supported. None: Actions that require trusted channels are fixed.
FTP_TRP.1: a) Configuring the actions that require trusted path, if supported. None: Actions that require trusted paths are fixed.
FMT_SMR.1 Security roles
The TSF shall initiate communication via the trusted channel for [assignment: Deliver to Folders from TOE to SMB server (IPSec) service and Deliver to Folders from TOE to FTP server (IPSec) service].
- E-mail service to client computer from TOE (S/MIME)
- Initial user authentication (SSL)
- Remote users: TOE web service from client PC (SSL)
- Printing service from client PC (SSL)
- Fax service from client PC (SSL)
Table 23 shows that each TOE security functional requirement fulfils at least one TOE security objective.
Table 23: Relationship between security objectives and functional requirements (columns: FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FCS_CKM.1, FCS_COP.1, FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2)
If auditable events occur and the audit log files are full, FAU_STG.4 prevents loss of recent audit logs by writing the newer audit logs over the audit logs that have the oldest time stamp.
For general users, FDP_ACC.1 and FDP_ACF.1 allow storage of document data, and when the general user IDs associated with general user processes are registered in the document data ACL of a document,
- a supervisor to query and specify the Lockout Flag for administrators, and specify supervisor authentication information; and
- a supervisor and applicable administrators to change administrator authentication information.
The SSL protocol protects document data and print data that are travelling through a web service, print service, or fax service from a client computer from leakage and attempts at tampering.
None
FAU_STG.4: required: FAU_STG.1; satisfied: FAU_STG.1; not satisfied: None
FCS_CKM.1: required: [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4; satisfied: FCS_COP.1; not satisfied: FCS_CKM.4
FCS_COP.1: required: [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4; satisfied: FCS_CKM.1; not satisfied: FCS_CKM.4
FDP_ACC.1: required: FDP_ACF.1; satisfied: FDP_ACF.1; not satisfied: None
FDP_ACF.1: required: FDP_ACC.1, FMT_MSA.3; satisfied: FDP_ACC.1, FMT_MSA.3; not satisfied: None
Rationale for Removing Dependencies on FIA_UAU.1: Since this TOE employs FIA_UAU.2, which is hierarchical to FIA_UAU.1, the dependency of FIA_AFL.1 and FIA_UAU.7 on FIA_UAU.1 is satisfied.
Development security (ALC_DVS.1) is therefore also important. Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3 is appropriate for this TOE.
As Table 25 shows, at least one TOE Security Function satisfies each security functional requirement described in section "6.1".
Table 25: Relationship between TOE security functional requirements and TOE Security Functions (columns: FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FCS_CKM.1, FCS_COP.1, FDP_ACC.1)
These audit logs must be protected from loss before audit. Only the machine administrator is permitted to read audit logs and delete entire audit logs. The following are explanations of each functional item in "SF.AUDIT Audit Function" and their corresponding security functional requirements.
- Deletion of administrator role
- Addition of administrator role
- Changing document data ACL (ID of object document data)
- Changing date and time of system clock
- Communication with trusted IT product (Communication IP address)
User Identification and Authentication Function: To allow authorised users to operate the TOE according to their roles and authorisation, the TOE identifies and authenticates users prior to their use of the TOE Security Functions.
Lockout Flag for that user to "Active". The machine administrator can specify 1 to 5 as the Number of Attempts before Lockout. When a user authenticates successfully, as described in "7.1.2.1 User Identification and Authentication", the
This function checks whether the password to be registered or changed meets conditions (2) and (3). If it does, the password is registered. If it does not, the password is not registered and an error message appears. (1) Usable characters and their types:
Table 3 shows the relationship between the operation permissions for document data and operations on document data. Table 29 shows the value of the document data ACL when storing document data.
- Document file owners
- General users with full control authorisation
- File administrators
Registration of new document file users:
- Document file owners
- General users with full control authorisation
General users themselves (... data default ACL, S/MIME user information)
Query general user information registered to Address Book: User administrators; General users themselves (general user ID, document data default ACL, S/MIME user information)
Password Complexity Setting: Level 1 or Level ...: Query, modify: User administrators: Operation Panel
Date and time of system clock: Date, time (hour, minute, second): Query, modify: Machine administrators: Operation Panel, ...
When the machine administrator uses the Operation Panel to instruct the TOE to generate an HDD encryption key, the TOE generates a 256-bit HDD encryption key using the TRNG encryption key
When sending document data by e-mail to a client computer, the TOE attaches the document data to e-mail and sends the e-mail using S/MIME. The S/MIME destination information is registered as S/MIME user information within general user information. Users can send e-mail referring to the registered destination
The TOE becomes available for users only if the integrity of the control software can be verified. If integrity cannot be verified, it indicates that the MFP Control Software is not correct. By the above, FPT_TST.1 (TSF testing) is satisfied.
S/MIME user information: Information about each general user that is required for using S/MIME. Includes e-mail address, user certificates, and a specified value for S/MIME use.
SMB server: A server for sharing files with a client computer using Server Message Block Protocol.
User administration: An administrator role assigning responsibility for management of general users. The user administrator is a person who has the user management role.
Administrator ID: An item of administrator information and an identification code for identification and authentication of the administrator. Indicates the administrator's login name on this TOE.
Administrator authentication information: A password for identification and authentication of an administrator.
Document file user: General users who are registered in the document data ACL but are not owners of the document data.
Common Methodology for Information Technology Security Evaluation, Version 3.1, Evaluation Methodology, Revision 2 (CCMB-2007-09-0004)
"Japanese-translated version": Common Methodology for Information Technology Security Evaluation, Version 3.1, Evaluation Methodology, Revision 2 [Japanese translation ver. 2.0]