Revision History
Version 1.00, Date 2012-11-28, Author RICOH COMPANY, LTD., Detail: Publication version.
Copyright (c) 2012 RICOH COMPANY, LTD. All rights reserved.
Consistency Claim with TOE Type in PP .... 30
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP .... 30
2.4.3 Consistency Claim with Security Requirements in PP .... 31
Security Problem Definitions .... 34
Security Requirements Rationale .... 67
6.3.1 Tracing .... 67
6.3.2 Justification of Traceability .... 69
6.3.3 Dependency Analysis .... 75
6.3.4 Security Assurance Requirements Rationale .... 77
TOE Summary Specification .... 78
Audit Function .... 78
Identification and Authentication Function .... 80
Network Protection Function .... 85
Residual Data Overwrite Function .... 86
Stored Data Protection Function .... 86
Security Management Function .... 87
Software Verification Function .... 91
7.10 Fax Line Separation Function .... 91
Table 32 : Results of Dependency Analysis of TOE Security Functional Requirements .... 75
Table 33 : List of Audit Events .... 78
Table 34 : List of Audit Log Items .... 79
Table 35 : Unlocking Administrators for Each User Role .... 82
Table 38 : List of Cryptographic Operations for Stored Data Protection .... 87
Table 39 : Management of TSF Data .... 87
Table 40 : List of Static Initialisation for Security Attributes of Document Access Control SFP .... 90
This TOE is an MFP, which is an IT device that inputs, stores, and outputs documents.
1.3.2 TOE Usage
The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document.
Network used in the TOE environment.
RC Gate via network interface is not implemented in the TOE. The RC Gate products include Remote Communication Gate A, Remote Communication Gate Type BM1, and Remote Communication Gate Type BN1.
The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Controller Unit, Controller Board, HDD, Ic Hdd, Network Unit, USB Port, SD Card Slot, and SD Card.
NVRAM: A non-volatile memory medium in which TSF data for configuring MFP operations is stored.
Ic Key: A security chip that has the functions of random number generation, cryptographic key generation
TOE, is the identifier for the FCU Control Software. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users.
[English version-3]. Selection of the guidance document sets depends on the sales area and/or sales company. Guidance document sets are supplied with each individual TOE component. Details of the document sets are as follows. [English version-1]
Supervisor: Authorised to modify the login password of the MFP administrator.
MFP administrator, User management privilege: Authorised to manage normal users. This MFP administrator privilege allows configuration of normal user settings.
Customer engineer: The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE.
The Printer Function is to print or store the documents received from the printer driver installed on the client computer. It also allows users to print and delete the documents stored in the TOE from the Operation Panel or the client computer.
As for the Fax Function, the fax complying with the G3 standard, which uses a telephone line, is the target of evaluation. This function consists of Fax Transmission Function and Fax Reception Function. Fax Transmission Function is to send paper documents or images of electronic documents in the client
In this ST, the Service Mode Lock Function is set to "ON" for the target of evaluation.
Web Image Monitor Function
The Web Image Monitor Function (hereafter "WIM") allows the TOE user to remotely control the TOE from the client computer.
Authentication only, this function can be used to register passwords that fulfil the requirements of the Minimum Character No. (i.e. minimum password length) and the obligatory character types that the MFP administrator specifies, so that the lockout function can be enabled and login password quality can be protected.
Software Verification Function
The Software Verification Function is to verify the integrity of the executable codes of the MFP Control Software and FCU Control Software and to ensure that they can be trusted.
This data must be protected from changes by unauthorised persons and reading by users without viewing permissions. In this ST, "confidential data", listed below, is referred to as "TSF confidential data".
- Login password
- Audit log
- HDD cryptographic key
One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE.
Function, Printer Function, Scanner Function, and Fax Function.
Stored document type: Classification of stored documents according to their purpose of use. This includes Document Server documents, printer documents, scanner documents, fax documents, and received fax documents.
(S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user information is registered and managed by the MFP administrator.
The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed.
Package Claims
The SAR package to which this ST and TOE conform is EAL3+ALC_FLR.2. The SFR Packages selected from the PP are:
- 2600.1-PRT conformant
- 2600.1-SCN conformant
- 2600.1-CPY conformant
- 2600.1-FAX conformant
- 2600.1-DSR conformant
TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP.
The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrators and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP.
While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate the Fax Reception Function only, which is part of the TOE functions.
The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
The responsible manager of MFP trains users according to the guidance document, and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures.
A.ADMIN.TRUST Trusted administrator
The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document.
The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons.
Log audit
The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity.
TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
P.USER.AUTHORIZATION is enforced by these objectives.
P.SOFTWARE.VERIFICATION
P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective.
By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from physical access by unauthorised persons. A.ACCESS.MANAGED is upheld by this objective.
A.ADMIN.TRAINING
A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective.
Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples
The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
Locked out User, and Locked out User who is to be released]. Table 11 shows the action (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE.
CC rules: Minimal: Unsuccessful use of the authentication mechanism; b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user.
Auditable events of the TOE: b) Basic: Success and failure of login operation
Minimal: Identification of the initiator and target of failed trusted channel functions.
c) Basic: All attempted uses of the trusted channel functions.
d) Basic: Identification of the initiator and target of all trusted channel functions.
6.1.2 Class FCS: Cryptographic support
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction
FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(a) The TSF shall enforce the [assignment: document access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 14].
Subject: Normal user process - Login user name of normal user - User role
Subject: MFP administrator process - User role
Subject: Supervisor process - User role
Subject: RC Gate process - User role
Document data | +CPY | Read | Normal user process | Not allowed. However, it is allowed for the normal user process that created the document data.
[assignment: deny the operations on the document data and user jobs in case of supervisor process or RC Gate process].
FDP_ACF.1(b) Security attribute-based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control, FMT_MSA.3 Static attribute initialisation
No dependencies.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: user documents].
No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: the security attributes listed in Table 23 for each user in Table 23].
(refinement: authentication with Basic Authentication).
FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, WIM Help, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement:
[assignment: none].
6.1.5 Class FMT: Security management
FMT_MSA.1(a) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
[when document data attribute is (+DSR)]
Document user list of document data | Query, modify | MFP administrator [when document data attribute is (+FAXIN)]
FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 27] to specify alternative initial values to override the default values when an object or information is created.
TSF Data | Operations | User Roles
(continued) | Newly create, modify | MFP administrator
Login password of normal user for Basic Authentication | Modify | Normal user who owns the login password
Login password of supervisor | Modify | Supervisor
(continued) | Query | MFP administrator
IPSec setting information | Query, modify | MFP administrator
@Remote setting information | Query | MFP administrator
Device Certificate | Modify | MFP administrator
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
- Query of own available function list by normal user when the Basic Authentication is used
- Query and modification of date and time by MFP administrator
- Query of date and time by supervisor
- Query of date and time by normal user
The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]].
The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 30 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3).
Table 31 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 31 shows that each TOE security functional requirement fulfils at least one TOE security objective.
FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name, and the available operations (query and modify) on the document user list, and a specified user
Deletion is the only modification operation on this TOE's user jobs.
(2) Use trusted channels for sending or receiving user jobs. The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1.
HDD cryptographic key.
(2) Specification of the Management Function. FMT_SMF.1 specifies the management functions required by the security functions.
(3) Specification of the roles. FMT_SMR.1 maintains the users who have the privileges.
FIA_ATD.1 and FIA_USB.1 manage the access procedures to the protected assets of the users who are defined in advance, and associate the users who are successfully identified and authenticated with the access procedures.
Panel or client computer on the network, and FIA_UAU.1(a) and FIA_UAU.1(b) authenticate the identified users. FIA_UID.2 identifies the persons who attempt to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates the persons.
FPT_STM.1 provides a trusted time stamp, so the times at which events occurred are reliably recorded in the audit log. By satisfying FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2 and FPT_STM.1, which are the security functional requirements for these countermeasures, O.AUDIT.LOGGED is fulfilled.
TOE operation according to flaw reporting procedures (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
- Success and failure of login operations (login attempts from RC Gate are excluded)
- Success and failure of login operations from the RC Gate communication interface
- Starting and releasing Lockout
- Table 29 Record of Management Function
Communicating e-mail address | Communicating e-mail address for e-mail transmission of attachments | - E-mail transmission of attachments
Lockout operation type | Information to identify starting and releasing Lockout | - Starting and releasing Lockout
When the entered login user name is the login user name of MFP administrator or supervisor, the TOE checks if the entered login password matches with the one pre-registered by the MFP administrator or supervisor in the TOE.
If a user name is locked out, the user with that user name is not allowed to log in unless any of the following conditions is fulfilled.
- The lockout time set by the MFP administrator elapses.
- An "unlocking administrator" shown in Table 35 and specified for each user role releases the lockout.
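The login check (matching the entered login password against the pre-registered one) and the two lockout release conditions described above, modelled as an added example. This is not code from the Security Target or from Ricoh: the role-to-"unlocking administrator" mapping is a placeholder for Table 35, which is not reproduced on this page, and the lockout threshold and lockout time are assumed values standing in for the settings the MFP administrator configures. Login success and failure and lockout start and release are recorded as audit events, matching the audit event list above.

```python
# Added example (not part of the Ricoh Security Target): a minimal model of the
# Basic Authentication login check with lockout, the two lockout release
# conditions, and the audit events the ST lists for these operations.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASSUMPTION: which role may release the lockout of each user role.
# Placeholder for Table 35 of the ST, whose contents are not on this page.
UNLOCKING_ADMIN: Dict[str, str] = {
    "normal user": "MFP administrator",
    "MFP administrator": "supervisor",
    "supervisor": "MFP administrator",
}


@dataclass
class Account:
    name: str
    role: str
    pw_hash: bytes                     # digest of the pre-registered login password
    failures: int = 0                  # consecutive failed login attempts
    locked_at: Optional[float] = None  # time the lockout started; None when not locked


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # ASSUMPTION: failures before lockout (MFP administrator setting)
    lockout_seconds: float = 60.0  # ASSUMPTION: lockout time (MFP administrator setting)


def _digest(password: str) -> bytes:
    # Illustrative only: a real password store uses a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).digest()


class AuthService:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []  # login success/failure, lockout start/release

    def register(self, name: str, role: str, password: str) -> None:
        self.accounts[name] = Account(name, role, _digest(password))

    def _is_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        # Release condition 1: the lockout time set by the MFP administrator elapses.
        if now - acct.locked_at >= self.policy.lockout_seconds:
            acct.locked_at, acct.failures = None, 0
            self.audit.append(f"lockout released (timer): {acct.name}")
            return False
        return True

    def login(self, name: str, password: str, now: float) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            self.audit.append(f"login failure: {name}")
            return False
        if self._is_locked(acct, now):
            # A locked-out user name is refused even with the correct password.
            self.audit.append(f"login failure (locked out): {name}")
            return False
        if hmac.compare_digest(acct.pw_hash, _digest(password)):
            acct.failures = 0
            self.audit.append(f"login success: {name}")
            return True
        acct.failures += 1
        self.audit.append(f"login failure: {name}")
        if acct.failures >= self.policy.max_failures:
            acct.locked_at = now
            self.audit.append(f"lockout started: {name}")
        return False

    def release_lockout(self, admin_name: str, target_name: str) -> bool:
        # Release condition 2: the unlocking administrator for the target's role releases it.
        admin = self.accounts.get(admin_name)
        target = self.accounts.get(target_name)
        if admin is None or target is None or target.locked_at is None:
            return False
        if admin.role != UNLOCKING_ADMIN.get(target.role):
            return False
        target.locked_at, target.failures = None, 0
        self.audit.append(f"lockout released (by {admin_name}): {target_name}")
        return True


def demo():
    # Constructed sample accounts and a three-failure policy for the walkthrough.
    svc = AuthService(LockoutPolicy(max_failures=3, lockout_seconds=60.0))
    svc.register("user1", "normal user", "correct-horse")
    svc.register("admin1", "MFP administrator", "admin-pass")
    svc.register("sup1", "supervisor", "sup-pass")
    for _ in range(3):
        svc.login("user1", "wrong", now=0.0)
    still_locked = svc.login("user1", "correct-horse", now=10.0)   # False: locked out
    wrong_role = svc.release_lockout("sup1", "user1")               # False: not the unlocking admin
    released = svc.release_lockout("admin1", "user1")               # True
    ok = svc.login("user1", "correct-horse", now=11.0)              # True
    return still_locked, wrong_role, released, ok, svc.audit


def demo_timer():
    # Same lockout, released by the lockout time elapsing instead of an administrator.
    svc = AuthService(LockoutPolicy(max_failures=3, lockout_seconds=60.0))
    svc.register("user1", "normal user", "correct-horse")
    for _ in range(3):
        svc.login("user1", "wrong", now=0.0)
    return svc.login("user1", "correct-horse", now=61.0), svc.audit
```

Run `demo()` to follow one account through lockout, a refused release by a role that is not its unlocking administrator, release by the correct administrator, and a successful login; `demo_timer()` shows the timer-based release. Every state change appends an audit line, so the audit list can be checked against the events the ST requires to be logged.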
The TOE inputs information after the TSF reliably identifies and authenticates the input information from the Operation Panel or the client computer via LAN interface. Therefore, the input information cannot be forwarded without the TSF being involved in its identification and authentication.
(column headings, partial) ... displayed on the Menu | Operations displayed in the List for Users
Operation Panel | Document Server Function | Document Server documents | Print, Delete
Operation Panel | Document Server Function | Fax transmission documents | Print, Delete
Web browser | Fax Function | Fax reception documents | Download, Delete (Operations above are authorised only if normal users are privileged to use Document Server Function)
(2) Access control rule on user jobs
The TOE encrypts data before writing it on the HDD, and decrypts the encrypted data after reading it from the HDD. This process is applied to all data written on and read from the HDD. Detailed cryptographic operations are shown in Table 38.
Login user name of supervisor | Query, modify | Supervisor | Operation Panel, Web browser
Login user name of MFP administrator | Newly create | MFP administrator | Operation Panel, Web browser
Login user name of MFP administrator | Query, modify | Applicable MFP administrator | Operation Panel, Web browser
(row continued) | modify | | Web browser (... is applied)
Settings for Lockout Release Timer (when Basic Authentication is applied) | Query, modify | MFP administrator | Web browser
Lockout time for Basic Authentication | Query, modify | MFP administrator | Web browser
User authentication method | Query | MFP administrator | Operation Panel, Web browser
IPSec setting information | Query, modify | MFP administrator | Operation Panel, Web browser
@Remote setting information | Query | MFP administrator | Operation Panel, Web browser
Document data (stored document type is fax received document) | Document user list | Login user name of a normal user included in the Stored Reception File User list.
Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded.