Ricoh Aficio MP C305 Series Manual

Security target

Portions of Aficio MP C305 series Security Target are reprinted with written
permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from
IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational
Environment A, Copyright © 2009 IEEE. All rights reserved.
This document is a translation of the evaluated and certified security target
written in Japanese.
Copyright (c) 2012 RICOH COMPANY, LTD. All rights reserved.
Aficio MP C305 series
Security Target
Author : RICOH COMPANY, LTD.
Date : 2012-11-28
Version : 1.00

Summary of Contents for Ricoh Aficio MP C305 Series

  • Page 1 Date : 2012-11-28 Version : 1.00 Portions of Aficio MP C305 series Security Target are reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, Copyright © 2009 IEEE. All rights reserved.
  • Page 2: Revision History

    Revision History: Version 1.00; Date 2012-11-28; Author RICOH COMPANY, LTD.; Detail: Publication version.
  • Page 3: Table Of Contents

    Consistency Claim with TOE Type in PP (p. 30); 2.4.2 Consistency Claim with Security Problems and Security Objectives in PP (p. 30); 2.4.3 Consistency Claim with Security Requirements in PP (p. 31); Security Problem Definitions (p. 34)
  • Page 4 Security Requirements Rationale (p. 67); 6.3.1 Tracing (p. 67); 6.3.2 Justification of Traceability (p. 69); 6.3.3 Dependency Analysis (p. 75); 6.3.4 Security Assurance Requirements Rationale (p. 77); TOE Summary Specification (p. 78); Audit Function (p. 78); Identification and Authentication Function (p. 80)
  • Page 5 Network Protection Function (p. 85); Residual Data Overwrite Function (p. 86); Stored Data Protection Function (p. 86); Security Management Function (p. 87); Software Verification Function (p. 91); 7.10 Fax Line Separation Function (p. 91)
  • Page 6 Table 32 : Results of Dependency Analysis of TOE Security Functional Requirements (p. 75); Table 33 : List of Audit Events (p. 78); Table 34 : List of Audit Log Items (p. 79); Table 35 : Unlocking Administrators for Each User Role (p. 82)
  • Page 7 Table 38 : List of Cryptographic Operations for Stored Data Protection (p. 87); Table 39 : Management of TSF Data (p. 87); Table 40 : List of Static Initialisation for Security Attributes of Document Access Control SFP (p. 90)
  • Page 8: ST Introduction

    Rex-Rotary MP C305, Gestetner MP C305, infotec MP C305 TOE Versions Software System/Copy 1.08 Network Support 12.25.3 03.00.00 RemoteFax 01.03.00 NetworkDocBox 1.00 Web Support 1.04 Web Uapl 1.02 animation 1.00 Scanner 01.05
  • Page 9: TOE Overview

    This TOE is an MFP, which is an IT device that inputs, stores, and outputs documents. 1.3.2 TOE Usage The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
  • Page 10: Figure 1 : Example Of TOE Environment

    Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document. Network used in the TOE environment.
  • Page 11 RC Gate via network interface is not implemented in the TOE. The RC Gate products include Remote Communication Gate A, Remote Communication Gate Type BM1, and Remote Communication Gate Type BN1.
  • Page 12: Major Security Features Of TOE

    The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Controller Unit, Controller Board, HDD, Ic Hdd, Network Unit, USB Port, SD Card Slot, and SD Card.
  • Page 13: Figure 2 : Hardware Configuration Of The TOE

    NVRAM A non-volatile memory medium in which TSF data for configuring MFP operations is stored. Ic Key A security chip that has the functions of random number generation, cryptographic key generation
  • Page 14 TOE, is the identifier for the FCU Control Software. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users.
  • Page 15: Guidance Documents

    [English version-3]. Selection of the guidance document sets depends on the sales area and/or sales company. Guidance document sets will be supplied with individual TOE component. Details of the document sets are as follows. [English version-1]
  • Page 16: Table 2 : Guidance For English Version-1

    - Notes for Security Guide D143-7348 - Manuals MP C305SP/MP C305SPF/Aficio MP C305SP/MP C305SPF D118-7576 - Printer/Scanner Drivers and Utilities RICOH Aficio MP C305SP/MP C305SPF LANIER MP C305SP/MP C305SPF SAVIN MP C305SP/MP C305SPF D118-7570A - SOFTWARE LICENSE AGREEMENT D645-7901 - Notes for Users...
  • Page 17: Table 4 : Guidance For English Version-3

    Equipment D127-6601 - Manuals MP C305SP/MP C305SPF/Aficio MP C305SP/MP C305SPF D118-7576 - Printer/Scanner Drivers and Utilities RICOH Aficio MP C305SP/MP C305SPF Gestetner MP C305SP/MP C305SPF LANIER MP C305SP/MP C305SPF D118-7572A - Notes for Users D127-7524 - SOFTWARE LICENSE AGREEMENT D645-7901...
  • Page 18: Definition Of Users

    Administrator Authorised to modify the login password of the Supervisor Supervisor MFP administrator. Authorised to manage normal users. This MFP administrator privilege allows configuration of normal user User management privilege settings.
  • Page 19: Indirect User

    Customer engineer The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE.
  • Page 20: Logical Boundary Of TOE

    The Printer Function is to print or store the documents received from the printer driver installed on the client computer. It also allows users to print and delete the documents stored in the TOE from the Operation Panel or the client computer.
  • Page 21 As for the Fax Function, the fax complying with the G3 standard, which uses a telephone line, is the target of evaluation. This function consists of Fax Transmission Function and Fax Reception Function. Fax Transmission Function is to send paper documents or images of electronic documents in the client
  • Page 22 In this ST, the Service Mode Lock Function is set to "ON" for the target of evaluation. Web Image Monitor Function The Web Image Monitor Function (hereafter "WIM") is for the TOE user to remotely control the TOE from the client computer.
  • Page 23: Security Functions

    Authentication only, this function can be used to register passwords that fulfil the requirements of the Minimum Character No. (i.e. minimum password length) and obligatory character types the MFP administrator specifies, so that the lockout function can be enabled and login password quality can be protected.
  • Page 24 Software Verification Function The Software Verification Function is to verify the integrity of the executable codes of the MFP Control Software and FCU Control Software and to ensure that they can be trusted.
  • Page 25: Protected Assets

    This data must be protected from changes by unauthorised persons and reading by users without viewing permissions. In this ST, "confidential data", listed below, is referred to as "TSF confidential data". Login password, audit log, and HDD cryptographic key.
  • Page 26: Functions

    One of the procedures for identification and authentication of TOE users who are authorised to use the TOE. The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE.
  • Page 27 Function, Printer Function, Scanner Function, and Fax Function. Stored document type Classification of stored documents according to their purpose of use. This includes Document Server documents, printer documents, scanner documents, fax documents, and received fax documents.
  • Page 28 (S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user information is registered and managed by the MFP administrator.
  • Page 29 The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed.
  • Page 30: Conformance Claim

    Package Claims The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are: 2600.1-PRT conformant 2600.1-SCN conformant 2600.1-CPY conformant 2600.1-FAX conformant 2600.1-DSR conformant
  • Page 31: Conformance Claim Rationale

    TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP.
  • Page 32: Consistency Claim With Security Requirements In PP

    The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrator and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP.
  • Page 33 While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions.
  • Page 34 The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
  • Page 35: Security Problem Definitions

    TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
  • Page 36: Organisational Security Policies

    The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures.
  • Page 37 A.ADMIN.TRUST Trusted administrator The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document.
  • Page 38: Security Objectives

    The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
  • Page 39: Security Objectives Of Operational Environment

    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons.
  • Page 40: Non-It Environment

    Log audit The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity.
  • Page 41: Security Objectives Rationale

    Table 10 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective. Table 10 : Rationale for Security Objectives T.DOC.DIS T.DOC.ALT T.FUNC.ALT T.PROT.ALT T.CONF.DIS T.CONF.ALT P.USER.AUTHORIZATION P.SOFTWARE.VERIFICATION P.AUDIT.LOGGING P.INTERFACE.MANAGEMENT P.STORAGE.ENCRYPTION P.RCGATE.COMM.PROTECT A.ACCESS.MANAGED A.ADMIN.TRAINING A.ADMIN.TRUST A.USER.TRAINING
  • Page 42: Security Objectives Descriptions

    TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
  • Page 43 P.USER.AUTHORIZATION is enforced by these objectives. P.SOFTWARE.VERIFICATION P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective.
  • Page 44 By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from the physical access by the unauthorised persons. A.ACCESS.MANAGED is upheld by this objective. A.ADMIN.TRAINING A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
  • Page 45 By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective.
  • Page 46: Extended Components Definition

    Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples
  • Page 47 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
  • Page 48: Security Requirements

    Locked out User, and Locked out User who is to be released]. Table 11 shows the action (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE.
  • Page 49: Table 11 : List Of Auditable Events

    Minimal: Unsuccessful use of the b) Basic: Success and failure of login authentication mechanism; operation b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user.
  • Page 50 Minimal: Identification of the initiator and target of failed trusted channel functions. c) Basic: All attempted uses of the trusted channel functions. d) Basic: Identification of the initiator and target of all trusted channel functions.
  • Page 51: Class FCS: Cryptographic Support

    6.1.2 Class FCS: Cryptographic support FCS_CKM.1 Cryptographic key generation Hierarchical to: No other components. Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction
  • Page 52: Class FDP: User Data Protection

    FDP_ACF.1 Security attribute based access control FDP_ACC.1.1(a) The TSF shall enforce the [assignment: document access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 14].
  • Page 53: Table 14 : List Of Subjects, Objects, And Operations Among Subjects And Objects (A)

    Normal user process - Login user name of normal user - User role Subject MFP administrator process - User role Subject Supervisor process - User role Subject RC Gate process - User role
  • Page 54: Table 17 : Rules To Control Operations On Document Data And User Jobs (A)

    Document +CPY Read Normal user Not allowed. However, it is allowed for data process normal user process that created the document data.
  • Page 55: Table 18 : Additional Rules To Control Operations On Document Data And User Jobs (A)

    [assignment: deny the operations on the document data and user jobs in case of supervisor process or RC Gate process]. FDP_ACF.1(b) Security attribute-based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation
  • Page 56: Table 19 : Subjects, Objects And Security Attributes (B)

    No dependencies. FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: user documents].
  • Page 57: Class FIA: Identification And Authentication

    No dependencies. FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: the security attributes listed in Table 23 for each user in Table 23].
  • Page 58: Table 23 : List Of Security Attributes For Each User That Shall Be Maintained

    (refinement: authentication with Basic Authentication). FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
  • Page 59 FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, WIM Help, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement:
  • Page 60: Class FMT: Security Management

    [assignment: none]. 6.1.5 Class FMT: Security management FMT_MSA.1(a) Management of security attributes Hierarchical to: No other components. Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
  • Page 61: Table 25 : User Roles For Security Attributes (A)

    [when document data attribute is (+DSR)] modify document data Document user list Query, MFP administrator [when document data attribute is modify (+FAXIN)] FMT_MSA.1(b)Management of security attributes Hierarchical to: No other components.
  • Page 62: Table 26 : User Roles For Security Attributes (B)

    FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 27] to specify alternative initial values to override the default values when an object or information is created.
  • Page 63: Table 27 : Authorised Identified Roles Allowed To Override Default Values

    TSF Data Operations User Roles Newly create, modify MFP administrator Login password of normal user Modify Normal user who owns the login for Basic Authentication password Login password of supervisor Modify Supervisor
  • Page 64 Query MFP administrator IPSec setting information Query, modify MFP administrator @Remote setting information Query MFP administrator Device Certificate Modify MFP administrator FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components.
  • Page 65: Table 29 : List Of Specification Of Management Functions

    Query of own available function list by normal user when the Basic Authentication is used Query and modification of date and time by MFP administrator Query of date and time by supervisor Query of date and time by normal user
  • Page 66: Class FPT: Protection Of The TSF

    The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]]. FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]].
  • Page 67: Class FTA: TOE Access

    The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 30 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3).
  • Page 68: Security Requirements Rationale

    Table 31 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 31 shows that each TOE security functional requirement fulfils at least one TOE security objective.
  • Page 69: Table 31 : Relationship Between Security Objectives And Functional Requirements

    Table 31 : Relationship between Security Objectives and Functional Requirements FAU_GEN.1 FAU_GEN.2 FAU_STG.1 FAU_STG.4 FAU_SAR.1 FAU_SAR.2 FCS_CKM.1 FCS_COP.1 FDP_ACC.1(a) FDP_ACC.1(b) FDP_ACF.1(a) FDP_ACF.1(b) FDP_RIP.1 FIA_AFL.1 FIA_ATD.1 FIA_SOS.1 FIA_UAU.1(a) FIA_UAU.1(b) FIA_UAU.2 FIA_UAU.7 FIA_UID.1(a) FIA_UID.1(b) FIA_UID.2 FIA_USB.1 FPT_FDI_EXP.1 FMT_MSA.1(a) FMT_MSA.1(b) FMT_MSA.3(a)
  • Page 70: Justification Of Traceability

    FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name, and available operations (query and modify) on the document user list, and a specified user
  • Page 71 Deletion is the only modification operation on this TOE's user jobs. (2) Use trusted channels for sending or receiving user jobs. The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1.
  • Page 72 HDD cryptographic key. (2) Specification of the Management Function. FMT_SMF.1 performs the required Management Functions for Security Function. (3) Specification of the roles. FMT_SMR.1 maintains the users who have the privileges.
  • Page 73 FIA_ATD.1 and FIA_USB.1 manage the access procedures to the protected assets of the users who are defined in advance, and associate the users who are successfully identified and authenticated with the access procedures.
  • Page 74 Panel or client computer on the network, and FIA_UAU.1(a) and FIA_UAU.1(b) authenticate the identified users. FIA_UID.2 identifies the persons who attempt to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates the persons.
  • Page 75 FPT_STM.1 provides a trusted time stamp, and a reliable record of the times when events occurred are recorded in the audit log. By satisfying FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2 and FPT_STM.1, which are the security functional requirements for these countermeasures, O.AUDIT.LOGGED is fulfilled.
  • Page 76: Dependency Analysis

    Functional Dependencies Satisfied in ST Not Satisfied in Requirements FAU_GEN.1 FPT_STM.1 FPT_STM.1 None FAU_GEN.2 FAU_GEN.1 FAU_GEN.1 None FIA_UID.1 FIA_UID.1 FAU_STG.1 FAU_GEN.1 FAU_GEN.1 None FAU_STG.4 FAU_STG.1 FAU_STG.1 None FAU_SAR.1 FAU_GEN.1 FAU_GEN.1 None
  • Page 77 [FDP_ACC.1(a) or FDP_ACC.1(a) None FDP_IFC.1] FMT_SMR.1 FMT_SMR.1 FMT_SMF.1 FMT_SMF.1 FMT_MSA.1(b) [FDP_ACC.1(b) FDP_ACC.1(b) None or FDP_IFC.1] FMT_SMR.1 FMT_SMR.1 FMT_SMF.1 FMT_SMF.1 FMT_MSA.3(a) FMT_MSA.1(a) FMT_MSA.1(a) None FMT_SMR.1 FMT_SMR.1 FMT_MSA.3(b) FMT_MSA.1(b) FMT_MSA.1(b) None FMT_SMR.1 FMT_SMR.1
  • Page 78: Security Assurance Requirements Rationale

    TOE operation according to flaw reporting procedure (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
  • Page 79: TOE Summary Specification

    Success and failure of login operations (Login attempts from RC Gate are excluded) Success and failure of login operations from RC Gate Communication interface Starting and releasing Lockout Table 29 Record of Management Function
  • Page 80: Table 34 : List Of Audit Log Items

    Communicating e-mail Communicating e-mail address for - E-mail transmission of address e-mail transmission of attachments attachments Lockout operation type Information to identify starting - Starting and releasing Lockout and releasing Lockout Lockout
  • Page 81: Identification And Authentication Function

    When the entered login user name is the login user name of MFP administrator or supervisor, the TOE checks if the entered login password matches with the one pre-registered by the MFP administrator or supervisor in the TOE.
  • Page 82 If a user name is locked out, the user with that user name is not allowed to log in unless any of the following conditions is fulfilled. - The lockout time set by the MFP administrator elapses. - An "unlocking administrator" shown in Table 35 and specified for each user role releases the lockout.
  • Page 83: Table 35 : Unlocking Administrators For Each User Role

    The TOE inputs information after the TSF reliably identifies and authenticates the input information from the Operation Panel or the client computer via LAN interface. Therefore, the input information cannot be forwarded unless the TSF is not involved in information identification and authentication.
  • Page 84: Document Access Control Function

    Operations displayed in the List for Users displayed on the Menu Operation Document Server Print Document Server documents Panel Function Delete Operation Document Server Print Fax transmission documents Panel Function Delete
  • Page 85 Download Delete (Operations above are Web browser Fax Function Fax reception documents authorised only if normal users are privileged to use Document Server Function) (2) Access control rule on user jobs
  • Page 86: Use-Of-Feature Restriction Function

    Table 37 : Encrypted Communications Provided by the TOE (communicating device: protocols; cryptographic algorithms). Client computer: TLS1.0; AES(128bits, 256bits), 3DES(168bits). External authentication server: Kerberos; AES(128bits, 256bits). RC Gate: SSL3.0, TLS1.0; AES(128bits, 256bits), 3DES(168bits).
  • Page 87: Residual Data Overwrite Function

    The TOE encrypts data before writing it on the HDD, and decrypts the encrypted data after reading it from the HDD. This process is applied to all data written on and read from the HDD. Detailed cryptographic operations are shown in Table 38.
  • Page 88: Security Management Function

    Operation Panel, Query, Login user name of supervisor Supervisor Web browser modify Login user name of MFP Operation Panel, Newly create MFP administrator administrator Web browser Query, Applicable MFP modify administrator
  • Page 89 Web browser modify is applied Settings for Lockout Release Timer Query, when Basic Authentication is Web browser MFP administrator modify applied Lockout time for Basic Query, Web browser MFP administrator Authentication modify
  • Page 90 Operation Panel, User authentication method Query MFP administrator Web browser Operation Panel, Query, IPSec setting information MFP administrator Web browser modify Operation Panel, @Remote setting information Query MFP administrator Web browser
  • Page 91: Table 40 : List Of Static Initialisation For Security Attributes Of Document Access Control SFP

    Document data Document user list Login user name of a normal user included in (stored document type is the Stored Reception File User list. fax received document)
  • Page 92: Software Verification Function

    Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded.

This manual is also suitable for:

Aficio MP C305SP, MP C305SPF