Page 1 of 89 Revision History Version Date Author Detail 1.00 2011-09-15 RICOH COMPANY, LTD. Publication version. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Consistency Claim with TOE Type in PP ...............28 2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ..28 2.4.3 Consistency Claim with Security Requirements in PP..........29 Security Problem Definitions....................32 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 4
Security Requirements Rationale ................65 6.3.1 Tracing ........................65 6.3.2 Justification of Traceability..................67 6.3.3 Dependency Analysis....................73 6.3.4 Security Assurance Requirements Rationale ............75 TOE Summary Specification....................76 Audit Function ......................76 Identification and Authentication Function ..............78 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 5
Network Protection Function..................83 Residual Data Overwrite Function................83 Stored Data Protection Function ................. 84 Security Management Function .................. 84 Software Verification Function ..................89 7.10 Fax Line Separation Function ..................89 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 6
Table 33 : Stored Documents Access Control Rules for Normal Users ............81 Table 34 : Encrypted Communications Provided by the TOE ..............83 Table 35 : List of Cryptographic Operations for Stored Data Protection ............84 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 7
Page 6 of 89 Table 36 : Management of TSF Data ......................85 Table 37 : List of Static Initialisation for Security Attributes of Document Access Control SFP ....88 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
This TOE is a digital multi function product (hereafter "MFP"), which is an IT device that inputs, stores, and outputs documents. 1.3.2 TOE Usage The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document. Network used in the TOE environment. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TOE stores documents in it, and sends and receives documents to and from the IT devices connected to the LAN. To ensure provision of confidentiality and integrity for those documents, the TOE has the following security features: Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, HDD, Ic Ctlr, Network Unit, USB Port, SD Card Slot, and SD Card. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
NVRAM A non-volatile memory medium in which TSF data for configuring MFP operations is stored. Ic Key A security chip that has the functions of random number generation, cryptographic key generation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 14
TOE, is the identifier of the Fax Unit. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
MP C7501/C6001 series Operating Instructions <Notes on Security Functions> D081-7685 Notes for Administrators: using this Machine in a Network Environment Compliant with IEEE Std. 2600.1 -2009 D081-7684 Help 83NHBNJAR1.10 v110 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Authorised to specify MFP device behaviour Machine management (network behaviours excluded). This privilege privilege allows configuration of device settings and view of the audit log. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Customer engineer The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel. Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as a Document Server document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 19
TOE and with which secure communication can be ensured. E-mail transmission is possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE and with which secure communication can be ensured. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 20
Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted and downloaded from a Web browser. According to the guidance document, users first install the specified fax driver on their own client computers, and then use this function. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Also, this function provides the recorded audit log in a legible fashion for users to audit. This function can be used only by the MFP administrator to view and delete the recorded audit log. To view and delete the audit log, the Web Function will be used. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 22
If the Printer Function is used, the protection function can be enabled using the printer driver to specify encrypted communication. If the folder transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication. If the e-mail Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Digitised documents, deleted documents, temporary documents and their fragments, which are managed by the TOE. Function data Jobs specified by users. In this ST, a "user job" is referred to as a "job". Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Support, Web Uapl, NetworkDocBox, animation, RPCS, RPCS Font, LANG0, LANG1 and Data Erase Opt. Login user name An identifier assigned to each normal user, MFP administrator, and supervisor. The TOE identifies users by this identifier. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 25
+PRT One of the document data attributes. Documents printed from the client computer, or documents stored in the TOE by locked print, hold print, and sample print using the client computer. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 26
This list is assigned as an attribute of each normal user. Operation Panel Consists of a touch screen LCD and key switches. The Operation Panel is used by users to operate the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 27
The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Package Claims The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are: 2600.1-PRT conformant 2600.1-SCN conformant 2600.1-CPY conformant 2600.1-FAX conformant 2600.1-DSR conformant Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrator and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 31
While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 32
The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 35
A.ADMIN.TRUST Trusted administrator The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Log audit The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 41
P.USER.AUTHORIZATION is enforced by these objectives. P. SOFTWARE.VERIFICATION P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 42
By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from the physical access by the unauthorised persons. A.ACCESS.MANAGED is upheld by this objective. A.ADMIN.TRAINING A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 43
By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 45
The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
RC Gate]. Table 8 shows the action (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Minimal: Unsuccessful use of the b) Basic: Success and failure of login authentication mechanism; operation b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 48
Basic: All attempted uses of the trusted channel functions. d) Basic: Identification of the initiator and target of all trusted channel functions. FAU_GEN.2 User identity association Hierarchical to: No other components. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
FDP_ACF.1 Security attribute based access control FDP_ACC.1.1(a) The TSF shall enforce the [assignment: document access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 11]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Table 13 : Subjects, Objects and Security Attributes (a) Category Subjects or Objects Security Attributes Subject Normal user process - Login user name of normal user - User role Subject MFP administrator process - User role Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Document +CPY Delete Normal user Not allowed. However, it is allowed for data process normal user process that created the document data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
[assignment: deny the operations on the document data and user jobs in case of supervisor process or RC Gate process]. FDP_ACF.1(b) Security attribute-based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
No dependencies. FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: user documents]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
No dependencies. FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: the security attributes listed in Table 20 for each user in Table 20]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is authenticated (refinement: authentication with Basic Authentication). Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 57
No dependencies. FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none]. 6.1.5 Class FMT: Security management FMT_MSA.1(a) Management of security attributes Hierarchical to: No other components. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
[when document data attribute is (+DSR)] modify document data Document user list Query, MFP administrator [when document data attribute modify (+FAXIN)] -: No user roles are permitted for operations by the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1(a) The TSF shall enforce the [assignment: document access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 25] to [assignment: the user roles in Table 25]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Query Normal user Users for stored and received documents Query, modify MFP administrator User authentication method Query MFP administrator FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Query and deletion of audit logs by MFP administrator New creation of HDD encryption key by MFP administrator New creation, modification, query and deletion of S/MIME user information by MFP administrator Query of S/MIME user information by normal user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Table 28 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 28 shows that each TOE security functional requirement fulfils at least one TOE security objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name, and available operations (query and modify) on the document user list, and a specified user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 69
Deletion is the only modification operation on this TOE's user jobs. (2) Use trusted channels for sending or receiving user jobs. The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 70
The TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1. By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_DIS is fulfilled. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 71
FDP_ACC.1(b) and FDP_ACF.1(b) allow the applicable normal user to use the MFP application according to the operation permission granted to the successfully identified and authenticated normal user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 72
(2) Automatically terminate the connection to the Operation Panel and LAN interface. FTA_SSL.3 terminates the session after no operation is performed from the Operation Panel or LAN interface for certain period. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 73
O.STORAGE.ENCRYPTED Encryption of storage devices O.STORAGE.ENCRYPTED is the security objective to ensure the data to be written into the HDD is encrypted. To fulfil this security objective, it is required to implement the following countermeasures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
TOE operation according to flow reporting procedure (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Shutdown of the Audit Function (*1) Success and failure of login operations (*2) Success and failure of login operations from RC Gate communication interface Table 26 Record of Management Function Date settings (year/month/day), time settings (hour/minute) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
- Web Function communication address - Folder transmission - Printing via networks - LAN Fax via networks - Communication with RC Gate Communicating e-mail Communicating e-mail - E-mail transmission address address for e-mail transmission Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
When the sent login user name and login password are identified and authenticated, the user is allowed to use the TOE according to the identified user role. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
"unlocking administrator" shown in Table 32 and specified for each user role releases the lockout. Table 32 : Unlocking Administrators for Each User Role User Roles (Locked out Users) Unlocking Administrators Normal user MFP administrator Supervisor MFP administrator MFP administrator Supervisor Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The TOE controls user operations for document data and user jobs in accordance with (1) access control rule on document data and (2) access control rule on user jobs. (1) Access control rule on document data Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
The Use-of-Feature Restriction Function is to authorise TOE users to use Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified and authenticated TOE users and user privileges set for each user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
For sequential overwriting, the TOE constantly monitors the information on a residual data area, and overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Function, and 3) set appropriate default values to security attributes, all of which accord with user role privileges or user privileges that are assigned to normal users, MFP administrator, or supervisor. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 86
Web browser modify user who stored the documents Query, MFP administrator modify Query Operation Panel, Available function list (Query is Web browser Applicable normal unavailable for user External Authentication) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 87
Query, Audit log Web browser MFP administrator delete HDD cryptographic key Operation panel Newly create MFP administrator Newly create, Operation Panel, modify, S/MIME user information MFP administrator Web browser query, delete Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 88
FMT_MSA.3(a) and FMT_MSA.3(b) The TOE sets default values for objects and subjects according to the rules described in Table 37 when those objects and subjects are generated. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Page 89
Document Server Function, or Fax Function is available. For Basic Authentication, these values are specified by the MFP administrator. For External Authentication, the values indicate that none of the functions is available. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.