Page 1 of 87
Revision History
Version | Date | Author | Detail
1.00 | 2011-04-12 | RICOH COMPANY, LTD. | Publication version.
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
2.4.1 Consistency Claim with TOE Type in PP ... 28
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ... 28
2.4.3 Consistency Claim with Security Requirements in PP ... 28
Security Problem Definitions ... 31
Class FTP: Trusted path/channels ... 62
Security Assurance Requirements ... 62
Security Requirements Rationale ... 63
6.3.1 Tracing ... 63
6.3.2 Justification of Traceability ... 64
6.3.3 Dependency Analysis ... 70
6.3.4 Security Assurance Requirements Rationale ... 72
TOE Summary Specification ... 73
Table 34: Relationship between Security Objectives and Functional Requirements ... 63
Table 35: Result of Dependency Analysis of TOE Security Functional Requirements ... 70
Table 36: Auditable Events and Audit Data ... 73
Table 41: Security Attributes Management of TOE Function Access Control SFP ... 81
Table 42: List of Static Initialisation for Security Attributes of Common Access Control SFP ... 82
Table 43: Management of TSF Data ... 83
This TOE is a digital multi function product (hereafter "MFP"), which is an IT device that inputs, stores, and outputs documents.
1.3.2 TOE Usage
The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
- Various settings for the MFP using a Web browser,
- Print, fax, network transmission, and deletion of user documents using a Web browser,
- Store and print of documents using the printer driver,
The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, HDD, Ic Ctlr, Network Unit, USB Port, SD Card Slot, and SD Card.
It has the memory medium inside, and the signature root key is installed before the TOE is shipped.
- FlashROM
A non-volatile memory medium in which the following software components are installed:
Network Unit
The Network Unit is an external interface to an Ethernet (100BASE-TX/10BASE-T) LAN.
USB Port
The USB Port is an external interface to connect a client computer to the TOE for printing directly from the client computer. During installation, this interface is disabled.
This section defines the users related to the TOE. These users include those who routinely use the TOE (direct users) and those who do not (indirect users). The direct users and indirect users are described as follows:
LAN settings: This privilege allows configuration of network settings.
File management privilege: Authorised to manage user documents. This privilege allows access management of user documents.
1.4.3.2. Indirect User
Responsible manager of MFP
The Copy Function is to scan paper documents and print scanned image data according to the specified number of copies, magnification, and custom settings. It can also be used to store scanned image data in the
Fax documents can be sent by fax using the Operation Panel to access the TOE. Fax transmission is allowed only for the telephone numbers that are pre-registered in the TOE.
A function for the TOE user to remotely control the TOE from the client computer. To control the TOE remotely, the TOE user needs to install the designated Web browser on the client computer following the guidance documents and connect the client computer to the TOE via the LAN.
If the LAN-Fax Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to specify encrypted communication.
User document: Digitised user documents, deleted documents, temporary documents and their data fragments, which are managed by the TOE.
Function data: Jobs specified by users. In this ST, a "user job" is referred to as a "job".
Login user name: An identifier assigned to each user. The TOE identifies users by this identifier.
Login password: A password associated with each login user name.
Lockout: A type of behaviour to deny login of particular users.
Function, and those stored using the LAN Fax.
- Received fax document: The value for the fax data received and stored. This document is externally received, and its user cannot be identified.
MFP administrator.
LAN Fax: One of the Fax Functions. A function that transmits fax data and stores the documents using the fax driver on a client computer. Sometimes referred to as "PC FAX".
Package Claims
The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are:
- 2600.1-PRT conformant
- 2600.1-SCN conformant
- 2600.1-CPY conformant
- 2600.1-FAX conformant
- 2600.1-DSR conformant
For the ownership of the received fax documents, the TOE has the characteristic that the ownership of the document is assigned to the intended user. This is according to PP APPLICATION NOTE 93.
To conform to the PP, some sections of this document are translated literally so that readers can follow them when translating from English into Japanese. However, this translation does not go beyond the requirements of PP conformance.
PP are satisfied. The functional requirements FCS_CKM.1 and FCS_COP.1 are added, and their dependent functional requirements are also added and changed, in order to realise O.STORAGE.ENCRYPTED; however, these changes do not interfere with the functional requirements demanded in the PP.
TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
Administrators are aware of the security policies and procedures of their organisation, and are competent to correctly configure and operate the TOE in accordance with the guidance document following those policies and procedures.
A.ADMIN.TRUST Trusted administrator
The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document.
The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
Management of external interfaces in IT environment
The IT environment shall provide protection from unmanaged access to TOE external interfaces (LAN). The responsible manager of MFP shall give an instruction to
Log audit
The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity.
TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
P.USER.AUTHORIZATION is enforced by these objectives.
P.SOFTWARE.VERIFICATION
P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective.
By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from physical access by unauthorised persons. A.ACCESS.MANAGED is upheld by this objective.
A.ADMIN.TRAINING
A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective.
- Definition of the role(s) that are allowed to perform the management activities
- Management of the conditions under which direct forwarding can be allowed by an administrative role
- Revocation of such an allowance
Audit: FPT_FDI_EXP.1 There are no auditable events foreseen.
Rationale:
The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].
Table 12: List of Auditable Events
Functional Requirements | Actions Which Should Be Auditable | Auditable Events
FDP_ACF.1(a) | a) Minimal: Successful requests to perform an operation on an object | Original: - Start and end operation of
FMT_SMF.1 | a) Minimal: Use of the management functions. | Minimal: Record management items in Table 32.
FMT_SMR.1 | a) Minimal: modifications to the record
The TSF shall [selection: overwrite the oldest stored audit records] and [assignment: no other actions to be taken in case of audit storage failure] if the audit trail is full.
FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
[assignment: cryptographic algorithm shown in Table 14] and cryptographic key sizes [assignment: cryptographic key sizes shown in Table 14] that meet the following: [assignment: standards shown in Table 14].
Table 16].
Table 16: List of Subjects, Objects, and Operations among Subjects and Objects (b)
Subjects | Objects | Operations among Subjects and Objects
Normal user process | MFP application | Execute
FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules on user documents in Table 18 and rules on user jobs in Table 19].
(print, download, fax, e-mail and folder transmission) and deletion are allowed for that normal user process.
FDP_ACF.1.2(b) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: operations on objects by subjects and rules governing access to operations shown in Table 22].
- User authentication using the Operation Panel
- User authentication using the TOE from client computer Web browser
- User authentication when printing from the client computer
- User authentication when using LAN Fax from client computer
The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
Login user name of normal user | delete |
| Query | Normal user who owns the applicable login user name
Application type | No operations permitted | -
Login user name of supervisor | Query, | Supervisor
| modify | MFP administrator
| Query | Applicable normal user
Function type | No operations permitted | -
-: No user roles are permitted for operations by the TOE.
FMT_MSA.3(a) Static attribute initialisation
Hierarchical to: No other components.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 30] to specify alternative initial values to override the default values when an object or information is created.
The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 31] to [assignment: the user roles in Table 31].
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: management functions shown in Table 32].
- Query of destination information for folder transmission by normal user
- Query and modification of users for stored and received documents by MFP administrator
FMT_SMR.1 Security roles
Hierarchical to: No other components.
The TSF shall terminate an interactive session after a [assignment: elapsed time of auto logout, completion of print data reception from the printer driver, and completion of transmission information reception from the fax driver].
Table 34 shows that each TOE security functional requirement fulfils at least one TOE security objective.
Table 34: Relationship between Security Objectives and Functional Requirements
FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2, FCS_CKM.1, FCS_COP.1, FDP_ACC.1(a)
For normal users, the available document type of the user document is restricted by the executing MFP application, and the normal user can read only the user documents for which reading permission is granted. The MFP administrator and supervisor are not allowed to read the user documents.
(object) when the user document is generated. By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_ALT is fulfilled.
O.CONF.NO_DIS is the security objective to allow only users who can maintain the security to disclose the TSF confidential data. To fulfil this security objective, it is required to implement the following countermeasures.
FIA_UAU.1 authenticates users, determining whether or not the user is a registered user, prior to TOE use.
(2) Allow the successfully identified and authenticated user to use the TOE. FIA_ATD.1 and FIA_USB.1 manage the access procedures to the protected assets of the users who are
(2) Automatically terminate the connection to the Operation Panel and LAN interface. FTA_SSL.3 terminates the session after no operation is performed from the Operation Panel or LAN interface for a certain period.
O.AUDIT.LOGGED is the security objective to ensure the encryption when writing data into the HDD, and decryption when reading data from the HDD. To fulfil this security objective, it is required to implement the following countermeasures.
(continued from previous page) | [... or FCS_COP.1], FCS_CKM.4 | FCS_COP.1 | FCS_CKM.4
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4
FDP_ACC.1(a) | FDP_ACF.1(a) | FDP_ACF.1(a) | None
FDP_ACC.1(b) | FDP_ACF.1(b) | FDP_ACF.1(b) | None
FDP_ACF.1(a) | FDP_ACC.1(a), FMT_MSA.3(a) | FDP_ACC.1(a), FMT_MSA.3(a) | None
FDP_ACF.1(b) | FDP_ACC.1(b) | FDP_ACC.1(b) | None
TOE at the start of TOE operation, the cryptographic key will be continuously used for the HDD and will not be deleted. Therefore, cryptographic key destruction by the standard method is unnecessary.
TOE operation according to the flaw reporting procedures (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
- Communicating IP address
- Storing user documents
- Reading user documents (print, download, fax transmission, e-mail transmission, and folder transmission)
- Deleting user documents
- Success and failure of new creation, modification, deletion of S/MIME user information
The TOE encrypts data before writing it to the HDD, and decrypts data after reading it from the HDD. This process is performed for all data written to and read from the HDD. The following are the specific cryptographic operations:
- If the MFP application executed from a Web browser is the Fax Function, it is allowed to print, download and delete the received fax document. The normal user requires the operation permission for the Document Server Function to perform the operation on the received fax document.
It also overwrites the area on the HDD where the temporary document and its fragments that are created during the user job execution exist with the specific pattern after the user job completes.
It checks whether the password being registered or changed meets conditions (2) and (3). If it does, the TOE registers the login password. If it does not, it does not register the login password and displays an error message.
Web Image Monitor Help from a Web browser, system status, counter, and information of inquiries, and execution of fax reception. Table 39 shows the identified user by Identification and Authentication Function, and authentication procedures.
MFP administrator process is associated with the login user name of MFP administrator as security attributes. These associations are reflected in the operation permissions for each user role.
Document user list of user documents including received fax documents. (*1) | Operation Panel, Web browser | Query, modify | MFP administrator
-: No user roles are permitted for operations by the TOE.
FMT_MSA.3(a) (Static attribute initialisation)
The TOE sets the default value for the security attribute in Table 42 that corresponds to the object in Table 42 when generating the object listed in Table 42.
For Fax Function: the value that identifies the Fax Function.
FMT_MTD.1 (Management of TSF data)
The TOE allows only specified users to operate the information of the TSF (TSF data) from the specified operation interfaces as shown in Table 43.
S/MIME user information | Operation Panel, Web browser | query, delete, Newly create, modify | MFP administrator
| | Query | Normal user
Destination information for folder transmission | Operation Panel, Web browser | query, delete
| | Query | Normal user
- Query and deletion of audit logs by MFP administrator
- New creation of HDD cryptographic key by MFP administrator
- New creation, modification, query and deletion of S/MIME user information by MFP administrator
- Query of login user name of that MFP administrator
- Modification of login password of that MFP administrator
A supervisor is allowed the following operations:
- Query and modification of login user name of supervisor
- Modification of login password of supervisor
TOE and a client computer, which is a trusted IT product, for the operations via a Web browser of client computer, and the operations of printing, fax transmission, and fax data storage from client
The TOE provides S/MIME communication as a trusted channel of the TSF to protect the LAN communication between the TOE and servers for e-mailing to an SMTP Server, which are trusted IT products.