Ricoh Aficio MP 4002 Manual
Aficio MP 4002/5002 series Security Target

Portions of Aficio MP 4002/5002 series Security Target are reprinted with
written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey
08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices,
Operational Environment A, Copyright © 2009 IEEE. All rights reserved.
This document is a translation of the evaluated and certified security target
written in Japanese.
Copyright (c) 2012 RICOH COMPANY, LTD. All rights reserved.
Aficio MP 4002/5002 series
Security Target
Author : RICOH COMPANY, LTD.
Date : 2012-04-11
Version : 1.00

Summary of Contents for Ricoh Aficio MP 4002

  • Page 1 Date : 2012-04-11 Version : 1.00 (title page, carrying the IEEE 2600.1 reprint permission notice reproduced above)
  • Page 2: Revision History

    Page 1 of 93. Revision History: Version 1.00, Date 2012-04-11, Author RICOH COMPANY, LTD., Detail: Publication version.
  • Page 3: Table Of Contents

    Consistency Claim with TOE Type in PP, 31; 2.4.2 Consistency Claim with Security Problems and Security Objectives in PP, 31; 2.4.3 Consistency Claim with Security Requirements in PP, 32; Security Problem Definitions, 35
  • Page 4 Security Requirements Rationale, 68; 6.3.1 Tracing, 69; 6.3.2 Justification of Traceability, 70; 6.3.3 Dependency Analysis, 77; 6.3.4 Security Assurance Requirements Rationale, 78; TOE Summary Specification, 80; Audit Function, 80; Identification and Authentication Function, 82
  • Page 5 Network Protection Function, 87; Residual Data Overwrite Function, 88; Stored Data Protection Function, 88; Security Management Function, 89; Software Verification Function, 93; 7.10 Fax Line Separation Function, 93
  • Page 6 Table 33 : Results of Dependency Analysis of TOE Security Functional Requirements, 77; Table 34 : List of Audit Events, 80; Table 35 : List of Audit Log Items, 81
  • Page 7 Table 39 : List of Cryptographic Operations for Stored Data Protection, 88; Table 40 : Management of TSF Data, 89; Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP, 92
  • Page 8: ST Introduction

    Table 1 : Identification Information of TOE. MFP Names: Ricoh Aficio MP 4002, Ricoh Aficio MP 4002G, Ricoh Aficio MP 5002, Ricoh Aficio MP 5002G, Savin MP 4002, Savin MP 4002G,...
  • Page 9: TOE Overview

    This TOE is an MFP, which is an IT device that inputs, stores, and outputs documents. 1.3.2 TOE Usage: The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
  • Page 10: Figure 1 : Example of TOE Environment

    Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document. Network used in the TOE environment.
  • Page 11 RC Gate via network interface is not implemented in the TOE. The RC Gate products include Remote Communication Gate A, Remote Communication Gate Type BM1, and Remote Communication Gate Type BN1.
  • Page 12: Major Security Features of TOE

    The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Controller Unit, Controller Board, HDD, Ic Hdd, Network Unit, USB Port, SD Card Slot, and SD Card.
  • Page 13: Figure 2 : Hardware Configuration of the TOE

    NVRAM: A non-volatile memory medium in which TSF data for configuring MFP operations is stored. Ic Key: A security chip that has the functions of random number generation, cryptographic key generation
  • Page 14 TOE, is the identifier for the FCU Control Software. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users.
  • Page 15: Guidance Documents

    - MP 4002/4002SP/5002/5002SP Aficio MP 4002/4002SP/5002/5002SP User Guide D129-7803 - MP 4002/4002SP/5002/5002SP Aficio MP 4002/4002SP/5002/5002SP Read This First D129-7813 - Notes for Security Guide D143-7348 - SOFTWARE LICENSE AGREEMENT D645-7900 - Manuals
  • Page 16: Table 3 : Guidance for English Version-2

    RICOH Aficio MP 4002/MP 5002, LANIER MP 4002/MP 5002, SAVIN MP 4002/MP 5002 D129-7886 - Notes for Administrators: Using this Machine in a Network Environment Compliant with IEEE Std. 2600.1-2009 D129-7924
  • Page 17: Table 4 : Guidance for English Version-3

    D129-7922 - Operating Instructions Notes on Security Functions D129-7925 - Help 83NHCEENZ1.00 v124 - FAX OPTION TYPE 5002 (Machine Code: D629) INSTALLATION PROCEDURE For Machine Code: D129/D130 Copiers D629-8610 [English version-4]
  • Page 18: Definition of Users

    The "user" referred to in this ST indicates a direct user. Direct users consist of normal users, administrators, and RC Gate. The following table (Table 6) shows the definitions of these direct users.
  • Page 19: Indirect User

    LAN settings. This privilege allows configuration of network settings. File management privilege: authorised to manage stored documents. This privilege allows access management of stored documents. 1.4.3.2 Indirect User: Responsible manager of MFP
  • Page 20 Customer engineer: The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE.
  • Page 21: Logical Boundary of TOE

    The Printer Function of the TOE is to print or store the documents the TOE receives from the printer driver installed on the client computer. It also allows users to print and delete the stored documents from the Operation Panel or a Web browser.
  • Page 22 As for the Fax Function, the fax complying with the G3 standard, which uses a telephone line, is the target of evaluation. This function consists of Fax Transmission Function and Fax Reception Function. Fax Transmission Function is to send paper documents or images of electronic documents in the client
  • Page 23 TOE remotely, the TOE user needs to install the designated Web browser on the client computer following the guidance documents and connect the client computer to the TOE via the LAN.
  • Page 24: Security Functions

    The Document Access Control Function is to authorise the operations for documents and user jobs by the authorised TOE users who are authenticated by the Identification and Authentication Function. It allows user's
  • Page 25 (same as the "fax line") can be prevented. Also, this function can be used to prohibit transmissions of received faxes so that unauthorised intrusion from the telephone lines to the LAN can be prevented.
  • Page 26: Protected Assets

    The MFP applications (Copy Function, Document Server Function, Printer Function, Scanner Function, and Fax Function), which manage the document data of user data, are classified as protected assets, whose use is subject to restrictions.
  • Page 27: Glossary

    One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE.
  • Page 28 Function, Printer Function, Scanner Function, and Fax Function. Stored document type: Classification of stored documents according to their purpose of use. This includes Document Server documents, printer documents, scanner documents, fax documents, and received fax documents.
  • Page 29 (S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user information is registered and managed by the MFP administrator.
  • Page 30 The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams occur frequently, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed.
  • Page 31: Conformance Claim

    Package Claims: The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are: 2600.1-PRT conformant, 2600.1-SCN conformant, 2600.1-CPY conformant, 2600.1-FAX conformant, 2600.1-DSR conformant.
  • Page 32: Conformance Claim Rationale

    TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP.
  • Page 33: Consistency Claim with Security Requirements in PP

    The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrators and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP.
  • Page 34 While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate the Fax Reception Function only, which is part of the TOE functions.
  • Page 35 The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
  • Page 36: Security Problem Definitions

    TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without access permission to the TSF Confidential Data.
  • Page 37: Organisational Security Policies

    The responsible manager of MFP trains users according to the guidance document, and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures.
  • Page 38 A.ADMIN.TRUST Trusted administrator: The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes, according to the guidance document.
  • Page 39: Security Objectives

    The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without access permission to the TSF Confidential Data.
  • Page 40: Security Objectives of Operational Environment

    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons.
  • Page 41: Non-IT Environment

    Log audit: The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity.
  • Page 42: Security Objectives Rationale

    Table 11 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective. Table 11 : Rationale for Security Objectives (rows: T.DOC.DIS, T.DOC.ALT, T.FUNC.ALT, T.PROT.ALT, T.CONF.DIS, T.CONF.ALT, P.USER.AUTHORIZATION, P.SOFTWARE.VERIFICATION, P.AUDIT.LOGGING, P.INTERFACE.MANAGEMENT, P.STORAGE.ENCRYPTION, P.RCGATE.COMM.PROTECT, A.ACCESS.MANAGED, A.ADMIN.TRAINING, A.ADMIN.TRUST, A.USER.TRAINING)
  • Page 43: Security Objectives Descriptions

    TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
  • Page 44 P.USER.AUTHORIZATION is enforced by these objectives. P.SOFTWARE.VERIFICATION: P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective.
  • Page 45 By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from physical access by unauthorised persons. A.ACCESS.MANAGED is upheld by this objective. A.ADMIN.TRAINING: A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
  • Page 46 By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective.
  • Page 47: Extended Components Definition

    Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples
  • Page 48 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
  • Page 49: Security Requirements

    Locked out User, and Locked out User who is to be released]. Table 12 shows the actions (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE.
  • Page 50: Table 12 : List of Auditable Events

    (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal).
  • Page 51 Detailed: every use of the rights of a role. FPT_STM.1, CC rules: a) Minimal: changes to the time; b) Detailed: providing a timestamp. TOE auditable events: a) Minimal: Settings of Year-Month-Day and Hour-Minute.
  • Page 52 The TSF shall provide [assignment: the MFP administrators] with the capability to read [assignment: all of log items] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
  • Page 53: Class FCS: Cryptographic Support

    Table 14 : List of Cryptographic Operation. Columns: Key Type, Standard, Cryptographic Algorithm, Cryptographic Key Size, Cryptographic Operation. Row (HDD cryptographic key): Standard FIPS197; Key Size 256 bits; Operation: Encryption when writing the data on HDD, Decryption when reading the data.
  • Page 54: Class FDP: User Data Protection

    Subject: RC Gate process; Object: MFP application; Operation: Execute. FDP_ACF.1(a) Security attribute based access control. Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation
  • Page 55: Table 17 : Subjects, Objects and Security Attributes (a)

    Document data, +FAXOUT, Read, Normal user process: Not allowed. However, it is allowed for the normal user process that created the document data.
  • Page 56: Table 19 : Additional Rules to Control Operations on Document Data and User Jobs (a)

    Columns: Objects, Attributes, Operations, Subjects, Rules to control operations. Rows: Document data, +PRT, Delete, administrator process, Allows; Document data, +FAXIN, Delete, administrator process, Allows; Document data, +DSR, Delete, administrator process, Allows.
  • Page 57: Table 20 : Subjects, Objects and Security Attributes (b)

    FDP_ACF.1.3(b) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules that the Fax Reception Function operated using administrator permission is surely permitted].
  • Page 58: Class FIA: Identification and Authentication

    The lockout for a supervisor is released by the lockout time set by the MFP administrator, a release operation by the MFP administrator, or elapse of a given time after the TOE's restart.
  • Page 59: Table 24 : List of Security Attributes for Each User That Shall Be Maintained

    Passwords that are composed of a combination of characters based on the password complexity setting specified by the MFP administrator can be registered. The MFP administrator specifies either Level 1 or Level 2 for the password complexity setting.
  • Page 60 Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: identification with Basic Authentication).
  • Page 61: Table 25 : Rules for Initial Association of Attributes

    - Available function list. Supervisor, Supervisor process: - User role. MFP administrator, MFP administrator process: - Login user name of MFP administrator; - User role. RC Gate, RC Gate process: - User role.
  • Page 62: Class FMT: Security Management

    Query: Supervisor. Document data attribute: No operation permitted, None. Document user list [when document data attributes are (+PRT), (+SCN), (+CPY), and (+FAXOUT)]: No operation permitted, None.
  • Page 63: Table 27 : User Roles for Security Attributes (b)

    (however, query is not allowed in case of External Authentication). Function type: No operation permitted, None. User role: No operation permitted, None. FMT_MSA.3(a) Static attribute initialisation. Hierarchical to: No other components.
  • Page 64: Table 28 : Authorised Identified Roles Allowed to Override Default Values

    The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 29] to [assignment: the user roles in Table 29].
  • Page 65: Table 29 : List of TSF Data

    MFP administrator. Destination information for folder transmission: delete, MFP administrator; Query, Normal user. Stored Reception File User: Query, modify, MFP administrator. User authentication method: Query, MFP administrator. IPSec setting information: Query, modify, MFP administrator.
  • Page 66: Table 30 : List of Specification of Management Functions

    Query and modification of document user list by MFP administrator; Query and modification of document user list by the normal user who stored the document; Query and modification of available function list by MFP administrator
  • Page 67: Class FPT: Protection of the TSF

    No dependencies. FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up] to demonstrate the correct operation of [selection: [assignment: the MFP Control Software, FCU Control Software]].
  • Page 68: Class FTA: TOE Access

    The TSF shall initiate communication via the trusted channel for [assignment: communication via the LAN of document data, function data, protected data, and confidential data, and communication with RC Gate via the LAN].
  • Page 69: Security Assurance Requirements

    Vulnerability assessment. Security Requirements Rationale: This section describes the rationale for security requirements. If all security functional requirements are satisfied as below, the security objectives defined in "4 Security Objectives" are fulfilled.
  • Page 70: Tracing

    Table 32 : Relationship between Security Objectives and Functional Requirements (columns: FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2, FCS_CKM.1, FCS_COP.1, FDP_ACC.1(a), FDP_ACC.1(b), FDP_ACF.1(a), FDP_ACF.1(b), FDP_RIP.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.1(a), FIA_UAU.1(b), FIA_UAU.2, FIA_UAU.7, FIA_UID.1(a), FIA_UID.1(b), FIA_UID.2)
  • Page 71: Justification of Traceability

    The MFP administrator, supervisor and RC Gate are not allowed to view document data.
  • Page 72 FMT_MSA.3(a) always sets the restrictive value to the security attributes of document data (object) when the document data are generated. By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_ALT is fulfilled.
  • Page 73 The TSF protected data sent and received by the TOE via the LAN are protected by FTP_ITC.1. By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.PROT.NO_ALT is fulfilled.
  • Page 74 TOE functions. As for normal users, the MFP administrator, and a supervisor, who all access the TOE from the Operation Panel or from the client PC over a network, the
  • Page 75 By satisfying FDP_ACC.1(b), FDP_ACF.1(b), FIA_UID.1(a), FIA_UID.1(b), FIA_UID.2, FIA_UAU.1(a), FIA_UAU.1(b), FIA_UAU.2, FIA_ATD.1, FIA_USB.1, FIA_UAU.7, FIA_AFL.1, FIA_SOS.1, FTA_SSL.3, FMT_MSA.1(b) and FMT_MSA.3(b), which are the security functional requirements for these countermeasures, O.USER.AUTHORIZED is fulfilled.
  • Page 76 MFP administrator to view the audit log. To fulfil this security objective, it is required to implement the following countermeasures. (1) Record the audit log. FAU_GEN.1 and FAU_GEN.2 record the events, which should be auditable, with the identification information of the occurrence factor.
  • Page 77 FTP_ITC.1 allows the TOE to establish communication that protects the data from tampering and disclosure for the communication between the TOE and RC Gate. By satisfying FTP_ITC.1, which is the security functional requirement for this countermeasure, O.RCGATE.COMM.PROTECT is fulfilled.
  • Page 78: Dependency Analysis

    None, None, None. Rows of the form SFR, dependency required by CC, dependency satisfied in this ST, dependency not satisfied: FIA_UAU.1(a), FIA_UID.1(a), FIA_UID.1(a), None; FIA_UAU.1(b), FIA_UID.1(b), FIA_UID.1(b), None; FIA_UAU.2, FIA_UID.1, FIA_UID.2, None; FIA_UAU.7, FIA_UAU.1, FIA_UAU.1, None; FIA_UID.1(a), None, None, None; FIA_UID.1(b), None, None, None; FIA_UID.2, None, None, None.
  • Page 79: Security Assurance Requirements Rationale

    However, protection of the secrecy of relevant information is required to make security attacks more difficult, and it is important to ensure a secure development environment. Development security (ALC_DVS.1) is therefore also important.
  • Page 80 TOE operation according to flaw reporting procedures (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
  • Page 81: TOE Summary Specification

    Success and failure of login operations (except login operations from RC Gate); Success and failure of login operations from RC Gate communication interface; Starting and releasing Lockout; Table 30 Record of Management Function
  • Page 82: Table 35 : List of Audit Log Items

    Communicating e-mail address: Communicating e-mail address for e-mail transmission of attachments; audit event: E-mail transmission of attachments. Lockout operation type: Information to identify starting and releasing Lockout; audit event: Starting and releasing Lockout.
  • Page 83: Identification and Authentication Function

    When the entered login user name is the login user name of the MFP administrator or supervisor, the TOE checks if the entered login password matches the one pre-registered by the MFP administrator or supervisor in the TOE.
  • Page 84 - An "unlocking administrator" shown in Table 36 and specified for each user role releases the lockout. - In the case of the MFP administrator and supervisor, sixty seconds elapse after the MFP becomes executable once its power is turned off and then on.
  • Page 85: Document Access Control Function

    Document Access Control Function: The Document Access Control Function is to allow authorised TOE users to operate document data and user jobs in accordance with the provided user role privilege or user privilege.
  • Page 86: Table 37 : Stored Documents Access Control Rules for Normal Users

    Document Server Function, Document Server documents, Operation Panel: Print, Fax transmission, Delete. Printer Function, Printer documents, Operation Panel: Print, Delete. Scanner Function, Scanner documents, Operation Panel: E-mail transmission of attachments, Folder transmission, Delete.
  • Page 87 MFP administrator. Other users are not allowed to operate user jobs. When a user job is cancelled, any documents operated by the cancelled job will be deleted.
  • Page 88: Use-of-Feature Restriction Function

    Kerberos authentication server: AES(128bits, 256bits), 3DES(168bits). RC Gate: SSL3.0, TLS1.0; AES(128bits, 256bits), 3DES(168bits). FTP server: IPSec; AES(128bits, 192bits, 256bits), 3DES(168bits). SMB server: IPSec; AES(128bits, 192bits, 256bits), 3DES(168bits). SMTP server: S/MIME; 3DES(168bits).
  • Page 89: Residual Data Overwrite Function

    Following operations by the MFP administrator, the TOE generates a cryptographic key. If the login user is the MFP administrator, the screen to generate an HDD cryptographic key is provided on the Operation Panel.
  • Page 90: Security Management Function

    (Stored document types are Document Server document, scanner document, fax document and printer document (with stored document print)): MFP administrator, applicable normal user who stored the document; Operation Panel, Web browser; Query, modify.
  • Page 91 MFP administrator. Authentication: MFP administrator; Query, modify. Date settings (year/month/day): MFP administrator, Operation Panel, Web browser, Query, modify; Supervisor, normal user, Query. Time: MFP administrator, Operation Panel, Web browser, Query, modify; Supervisor, normal user, Query.
  • Page 92 (*2): If the MFP administrator modifies the Stored Reception File User, and if the stored document type in the document user list of the document data is received fax document, the list will be modified to the values of the Stored Reception File User.
  • Page 93: Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP

    (stored document type is received fax document): the Stored Reception File User list. User jobs: Login user name of normal user; Login user name of a normal user who newly creates a user job.
  • Page 94: Software Verification Function

    Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded.
