c0183 Est
5225A/5230A
Security Target
Version 1.0.4
1. ST INTRODUCTION ..... 1
1.1. ST Identification ..... 1
1.2. ST Overview ..... 1
1.3. Common Criteria Conformance Claim ..... 2
1.4. References ..... 2
1.5. Acronyms and Terminology ..... 3
1.5.1. Acronyms ..... 3
1.5.2. Terminology ..... 4
3.1. Assumptions ..... 22
3.2. Threats ..... 23
3.3. Organizational Security Policy ..... 23
5. IT SECURITY REQUIREMENTS ..... 26
5.1. TOE Security Functional Requirements ..... 26
5.1.1. Class FAU: Security Audit ..... 26
5.1.2. Class FCS: Cryptographic support ..... 29
5.1.3. Class FDP: User data protection ..... 30
5.1.4. Class FIA: Identification and authentication ..... 33
5.1.5. Class FMT: Security management ..... 34
5.1.6. Class FPT: Protection of TSF ..... 38
5.1.7. Class FTP: Trusted path/channels ..... 39
5.1.8. TOE Security Function Strength ..... 39
5.2. TOE Security Assurance Requirements ..... 39
5.3. Security Requirements for the IT Environment ..... 40
7. PP CLAIMS ..... 57
7.1. PP Reference ..... 57
7.2. PP Tailoring ..... 57
7.3. PP Addition ..... 57
8. RATIONALE ..... 58
8.1. Security Objectives Rationale ..... 58
8.2. Security Requirements Rationale ..... 61
8.2.1. Security Functional Requirements Rationale ..... 61
8.2.2. Rationale for Security Functional Requirement of IT Environment ..... 66
8.2.3. Rationale for Minimum Functional Strength Level ..... 66
8.2.4. Dependencies of Security Functional Requirements ..... 66
8.2.5. Interactions among Security Functional Requirements ..... 69
8.2.5.1. Bypass Prevention ..... 70
8.2.5.2. De-activation Prevention ..... 72
8.2.5.3. Interference ..... 72
8.2.5.4. Detection of Defeat ..... 72
8.2.6. Consistency Rationale between Security Functional Requirements ..... 72
8.2.7. Requirement Rationale for Security Assurance ..... 74
8.3. TOE Summary Specification Rationale ..... 74
8.3.1. Rationale for TOE Security Function Requirements ..... 74
8.3.2. Security Function Strength Rationale ..... 77
8.3.3. Security Assurance Measures Rationale ..... 77
8.4. PP Claims Rationale ..... 80
- List of Figures and Tables -
Table 32: Correspondences between Assurance Measures and Security Assurance Requirements ..... 77
Table 33: Sufficiency of Security Assurance Requirements by Assurance Measures ..... 78
Security Target - Xerox WorkCentre 5225A/5230A
1. ST INTRODUCTION
This chapter describes Security Target (ST) identification information, an overview of the ST, the
evaluation assurance level of Target of Evaluation (TOE), Common Criteria (CC) conformance, references,
acronyms, and terminology.
1.1. ST Identification
This section provides information needed to identify this ST and its Target of Evaluation (TOE). This ST
complies with ISO/IEC 15408 (2005).
(1) ST Identification
1.2. ST Overview
This ST provides the security specifications of Xerox WorkCentre 5225A/5230A (hereinafter referred to
as “MFP”). MFP is the short name of Multi Function Peripheral which has copy, print, scan and FAX
functions.
This ST covers the security functions to protect, from unauthorized disclosure, the document data stored
in the internal HDD after being processed by MFP and the used document data (i.e. the residual data
after deleted). The ST also describes the protection of data transmitted over general encryption
communication protocols. These protocols protect the security of data on the internal network between
MFP and highly reliable remote server / client PC (hereinafter referred to as “between TOE and the
remote”) as well as the identification data used at user authentication. However, the function to protect
the internal network data is not available when the data is communicated with the remote which does
1.4. References
The following documentation was used to prepare this ST:
Short Name: Document Title
[CC Part 1]: Common Criteria for Information Technology Security Evaluation - Version 2.3, Part 1: Introduction and general model, dated August 2005, CCMB-2005-08-001 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)
[CC Part 2]: Common Criteria for Information Technology Security Evaluation - Version 2.3, Part 2: Security functional requirements, dated August 2005, CCMB-2005-08-002 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)
[CC Part 3]: Common Criteria for Information Technology Security Evaluation - Version 2.3, Part 3: Security assurance requirements, dated August 2005, CCMB-2005-08-003 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)
[CEM]: Common Methodology for Information Technology Security Evaluation - Version 2.3, Evaluation Methodology, dated August 2005, CCMB-2005-08-004 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)
[ISO/IEC TR15446]: ISO/IEC WD N3374, Guide for the Production of PPs and STs - Version 0.93 (Provisional translation, dated January 2004,
Acronym: Definition
TOE: Target of Evaluation
TSC: TSF Scope of Control
TSF: TOE Security Function
TSFI: TSF Interface
TSP: TOE Security Policy
1.5.2. Terminology
The following terms are used in this ST:
Term: Definition

User: Any entity outside the TOE who interacts with the TOE, i.e. general user, key operator, and system administrator privilege (SA).

General User: Any person who uses the copy, scan, FAX, and print functions of the MFP.

Key Operator: An authorized user who manages MFP maintenance and configures TOE security functions.

System Administrator Privilege (SA): A user authorized by the key operator to manage MFP maintenance and configure TOE security functions.

System Administrator: An authorized user who manages MFP maintenance and configures TOE security functions. This term covers both key operator and SA.

Customer Engineer (CE): This term is equivalent to customer service engineer, a Xerox engineer who maintains and repairs the MFP.

Attacker: A malicious user of the TOE.

Control Panel: A panel of the MFP on which buttons, lamps, and a touch screen panel are mounted to operate the MFP.

General User Client: A client for a general user and SA to operate the MFP.

System Administrator Client: A client for a system administrator. An administrator can refer to and rewrite TOE configuration data of the MFP via Web browser.

User Client: This term covers both general user client and system administrator client.

CentreWare Internet Service (CWIS): A service to retrieve the document data scanned by the MFP from Mailbox. It also enables a system administrator to refer to and rewrite TOE configuration data via Web browser.

Tool Mode: An operation mode that enables a system administrator to refer to and rewrite the TOE configuration for device operation and that for security functions according to the operational environment. This mode is distinguished from the operation mode that enables a general user to use the MFP functions.

Print Driver: Software for a general user to convert the data on a general user client into print data written in page description language (PDL), a readable format for the MFP.

FAX Driver: Software for the Direct FAX function, which enables a general user to FAX data to the destination directly from a general user client through the MFP. The user can send the FAX data just as when printing.

Network Scan Utility: Software for a general user client to retrieve the document data stored in Mailbox of the MFP.

Print Data: The data written in PDL, a readable format for the MFP, which is to be converted into bitmap data by the TOE decompose function.

Control Data: The data that is transmitted by command and response interactions. This is one type of data transmitted between MFP hardware units.

Bitmap Data: The decomposed data of the data read by the copy function and of the print data transmitted from a user client to the MFP. Bitmap data is stored in the internal HDD after being compressed in the unique process.

Decompose Function: A function to analyze and convert the print data written in PDL into bitmap data.

Decompose: To analyze and convert the data written in PDL into bitmap data by the decompose function.

Print Function: A function to decompose and print out the print data transmitted by a user client.

Print-Control Function: A function to control the device to enable print operation.

Store Print: A print function in which bitmap data (decomposed print data) is temporarily stored in the MFP internal HDD and then printed out according to the general user’s instruction from the control panel. There are three ways for the Store Print:
• Private Print: Jobs are stored only when the MFP authenticates a user with his/her ID and password which were preset in the print driver on a general user client. When the user is authenticated with his/her ID and password entered from the control panel, he/she can start the print operation.
• Sample Print: When printing several copies, only one copy is printed out first as a sample document. A user can check its quality and send an instruction from the control panel to print out the remaining copies.
• Mailbox Print: Decomposed bitmap data is stored in Mailbox and printed out according to the general user’s instruction from the control panel.

Original: Texts, images and photos to be read from the IIT in the copy function.

Copy Function: A function in which an original is read from the IIT and then printed out from the IOT according to the general user’s instruction from the control panel. When more than one copy is ordered for one original, the data read from the IIT is first stored in the MFP internal HDD. Then, the stored data is read out from the HDD as needed so that the required number of copies can be made.

Copy Control Function: A function to control the device to enable copy operation.

Scan Function: According to the general user’s instruction from the control panel, the original data is read from the IIT and then stored in Mailbox within the MFP internal HDD. The stored document data can be retrieved via a standard Web browser by CWIS or by the Network Scan Utility function.

Scan Control Function: A function to control the device to enable scan operation.

Network Scan Function: A function in which original data is read from the IIT and then transmitted to an FTP server, SMB server, or Mail server according to the information set in the MFP. This function is operated according to the general user’s instruction from the control panel.

Network Scan Control Function: A function to control the device to enable network scan operation.

FAX Function: A function to send and receive FAX data. According to the general user’s instruction from the control panel to send a FAX, the original data is read from the IIT and then sent to the destination via the public telephone line. The document data is received from the sender’s machine and then printed out from the recipient’s IOT.

FAX Control Function: A function to control the device to enable FAX operation.

Direct FAX (D-FAX) Function: A FAX function in which data is sent via the public telephone line directly from a user client. The data is first sent to the MFP as a print job and then to the destination without being printed out.

Internet FAX (iFAX) Function: A FAX function in which the data is sent or received via the Internet, not the public telephone line.

D-FAX / iFAX Control Function: A function to control the device to enable D-FAX / iFAX operation.

Mailbox: A logical box created in the MFP internal HDD. Mailbox stores the scanned document data or the data to be printed later. Mailbox is categorized into Personal Mailbox and Shared Mailbox.

Personal Mailbox: The Mailbox privately used by a general user. Each user can create his/her own Personal Mailbox.

Shared Mailbox: The Mailbox shared by any general user. The key operator can create the Shared Mailbox.

Document Data: Document data means all the image data transmitted across the MFP when any of the copy, print, scan or FAX functions is operated by a general user. The document data includes:
• Bitmap data read from the IIT and printed out from the IOT (copy function),
• Print data sent by a general user client and its decomposed bitmap data (print function),
• Bitmap data read from the IIT and then stored in the internal HDD (scan function),
• Bitmap data read from the IIT and sent to the FAX destination, and the bitmap data faxed from the sender’s machine and printed out from the recipient’s IOT (FAX function).

Used Document Data: The data remaining in the MFP internal HDD even after deletion. The document data is first stored in the internal HDD, used, and then only its file is deleted.

Security Audit Log Data: The chronologically recorded data of important events of the TOE. Events such as device failure, configuration change, and user operation are recorded in terms of when and who caused what event and its result.

Internally Stored Data: The data which is stored in the general user client or in the general client and server, not including data regarding TOE functions.

General Data: The data on the internal network. The general data does not include data regarding TOE functions.

TOE Configuration Data: The data which is created by the TOE or for the TOE and may affect TOE operations. Specifically, it includes the information regarding the functions of Hard Disk Data Overwrite, Hard Disk Data Encryption, System Administrator’s Security Management, Customer Engineer Operation Restriction, Internal Network Data Protection, Security Audit Log, Mailbox, and User Authentication.

General Client and Server: Client and server which do not directly engage in TOE operations.

Deletion from the Internal Hard Disk Drive (HDD): Deletion from the internal HDD means deletion of the management information. When deletion of document data from the internal HDD is requested, only the management information corresponding to the data is deleted. Therefore, a user cannot access the document data which was logically deleted. However, the document data itself is not deleted but remains as used document data until new data is written in the same storage area.

Overwrite: To write over the area of the document data stored in the internal HDD when deleting the data.

Cryptographic Seed Key: The 12 alphanumeric characters to be entered by a user. When data in the internal HDD is to be encrypted, a cryptographic key is generated based on the cryptographic seed key.

Cryptographic Key: The 128-bit data which is automatically generated based on the cryptographic seed key. Before the data is stored in the internal HDD, it is encrypted with the cryptographic key.

External Network: The network which cannot be managed by the organization that manages the TOE. This does not include the internal network.

Internal Network: Channels between the MFP and highly reliable remote server / client PC. The channels are located in the network of the organization that owns the TOE, and are protected from the security risks coming from the external network.

Network: A general term to indicate both external and internal networks.

User Authentication: A function to limit the accessible TOE functions by identifying the user before he/she uses each TOE function.

Local Authentication: A mode to manage user authentication of the TOE using the user information registered in the MFP.
2. TOE DESCRIPTION
This chapter describes a TOE overview, assumption of TOE users, logical and physical scopes of TOE,
and the assets protected by this TOE.
[Figure: TOE operational environment. Labels recovered from the figure: External Network; TOE; Internal Network; System Administrator Client (Web Browser); Fax Board connected by USB; Mail Server; FTP Server; SMB Server; Public Telephone Line; users: General User, CE, System Administrator.]
The following conditions are intended for the internal network environment linked to MFP:
(1) General user client:
When a client is linked to the MFP via the internal network and the print driver, Network Scan Utility, and FAX driver are installed on the client, the general user can request the MFP to print, FAX, and retrieve the document data.
The user can also request the MFP to retrieve the scanned document data via Web browser.
Additionally, the user can change the configurations which the user registered to the MFP: Mailbox name, password, access control, and automatic deletion of documents.
When the client is linked to the MFP directly via USB, and the print driver and FAX driver are installed on the client, the user can request the MFP to print and FAX the document data.
(2) System administrator client:
A system administrator can refer to and change TOE configuration data and download security audit
log data via Web browser.
(3) Mail server:
The MFP sends/receives document data to/from Mail server via mail protocol.
(4) FTP server:
The MFP sends document data to FTP server via FTP.
(5) SMB server:
The MFP sends document data to SMB server via SMB.
(6) FAX board:
The FAX board is connected to external public telephone line and supports G3/G4 protocols. The
FAX board is connected to the MFP via USB interface to enable FAX communication.
The OSs of general user client (1) and system administrator client (2) are assumed to be Windows 2000,
Windows XP, and Windows Vista.
Scan Utility.
• Customer Engineer Operation Restriction enables a system administrator to inhibit CE from
configuring TOE security functions. This function prevents configuration change by an attacker who
is impersonating CE.
• FAX Flow Security prevents unauthorized access to the internal network via telephone line or a
modem used for FAX function. The data other than FAX data cannot flow into the internal network so
that unauthorized access is blocked.
[Figure: logical scope of the TOE. Labels recovered from the figure: TOE, Controller ROM.]
The print function is of two types: normal print, in which the data is printed out from the IOT directly after being decomposed, and Store Print, in which the bitmap data is temporarily stored in the internal HDD and then printed out from the IOT according to the general user’s instruction from the control panel.
Only the authenticated general user can use the following functions:
(1) Functions controlled by the MFP control panel:
Copy, FAX (send), iFAX (send), scan, network scan, Mailbox, and print (This print function requires
user ID and password preset from print driver. A user must be authenticated from the control panel for
print job.)
(2) Functions controlled by Network Scan Utility of general user client:
Function to retrieve document data from Mailbox
(3) Functions controlled by CWIS:
Display of device condition, display of job status and its log, function to retrieve document data from
Mailbox, and print function by file designation
Among the above functions which require user authentication, some particularly act as security
functions. The following are the security functions which prevent the unauthorized reading of document
data in the internal HDD by an attacker who is impersonating a legitimate user:
- The print function (Private Print function) and the Mailbox function, which require user authentication
from the control panel,
- The function to retrieve document data from Mailbox which requires user authentication from CWIS
or Network Scan Utility (Mailbox function), and the print function by file designation from CWIS
(Private Print function).
[Figure: document data stored in the internal HDD. Labels recovered from the figure: Authenticated Private Print Job, Print, Scanned Data, Mailbox, Received Fax Data.]
each corresponding Mailbox: the received FAX data whose corresponding Mailbox is specified by the
sender, the received FAX data from a particular sender (the data is classified according to the sender’s
telephone number), and the received FAX data from an unknown sender.
To refer to, retrieve, print, or delete the stored data in the Personal Mailbox corresponding to each registered user’s ID, user authentication is required: the MFP compares the user ID and password preset in the device against those entered by the general user from the control panel, CWIS, or Network Scan Utility.
Besides Personal Mailbox, Shared Mailbox is provided so that authorized general users can share the same
Mailbox. Only a key operator can create the Shared Mailbox.
Additionally, this TOE allows only the system administrator authenticated from Web browser to configure
the following security functions via CWIS:
• Change the ID and password of key operator (only a key operator is privileged);
• Change the ID and password of SA and general user;
• Set the allowable number of system administrator’s authentication failures before access denial;
• Enable or disable Audit Log;
• Enable/disable SSL/TLS communication and configure the detail;
• Enable/disable IPSec communication and configure the detail;
[Figure: physical scope of the TOE. Labels recovered from the figure: controller board with CPU, DRAM, ROM, SEEPROM, Internal HDD, Ethernet, USB (device), USB (host); ADF; IIT, IIT Board, IIT ROM; IOT, IOT Board, IOT ROM; FAX Board (Public Telephone Line); control functions: Scan Control, Print Control, decompose, FAX / iFAX / D-FAX Control; security functions: Hard Disk Data Overwrite, Hard Disk Data Encryption, Customer Engineer Operation Restriction, Security Audit Log, User Authentication, Internal Network Data Protection, System Administrator’s Security Management, FAX Flow Security, CWIS; external entities: General User Client (USB), General User Client, Mail Server, FTP Server, SMB Server. Legend: TOE.]
The physical scope of this TOE is the whole MFP except FAX board. The TOE physical scope consists of
the PWB units of controller board, control panel, ADF board, IIT board, and IOT board.
The controller board is connected to the control panel and the ADF board via the internal interfaces which
transmit control data, to the IIT board and IOT board via the internal interfaces which transmit document
data and control data, and to the FAX board via USB interface.
The controller board is a PWB which controls the MFP functions of copy, print, scan, and FAX. The board has a network interface (Ethernet) and a local print interface (USB device) and is connected to the IIT board and IOT board.
The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to enable MFP
functions of copy, print, scan, and FAX.
The ADF (Automatic Document Feeder) is a device to automatically feed more than one original.
The IIT (Image Input Terminal) is a device to scan the original and send the scanned data to the controller
board for copy, print, scan, and FAX functions.
The IOT (Image Output Terminal) is a device to output image information which was sent from the
controller board.
Note) The data stored in the general client and server within the internal network and the general data on the internal network are not assumed to be assets to be protected. This is because the TOE functions prevent access to the internal network from the public telephone line, so that path cannot be a threat.
[Figure: assets outside the protection scope. Labels recovered from the figure: Internal Network; Other Configuration Data; General Data on the Internal Network; General Client and Server; Internally Stored Data; Public Telephone Line (inaccessible).]
Table 3 categorizes the TOE configuration data recorded in NVRAM and SEEPROM of the controller
board.
Note) Configuration data other than TOE configuration data are also stored in NVRAM and SEEPROM.
Those configuration data, however, are not assumed as assets to be protected because they do not engage
in TOE security functions.
3.1. Assumptions
Table 4 shows the assumptions for the operation and use of this TOE.
Table 4: Assumptions
3.2. Threats
Table 5 identifies the threats addressed by the TOE. The threat agents are considered to be users with public knowledge of how the TOE operates, and they are considered to have low-level attack capability.
Organizational Policy (Identifier): Description
P.FAX_OPT (Request from the U.S. agency): At the behest of the U.S. agency, it must be ensured that the internal network cannot be accessed via public telephone line.
4. SECURITY OBJECTIVES
This section describes the security objectives for the TOE and for the environment.
Security Objectives (Identifier): Description

OE.ADMIN: An administrator of organization assigns an appropriate and reliable person for TOE management as a system administrator and trains him/her.

OE.AUTH: A system administrator needs to configure the TOE security functions as follows.
• Use of password entered from MFP control panel in user authentication: enabled
• Length of system administrator password: 9 characters or more
• Access denial due to authentication failure of system administrator ID: enabled
• Allowable number of system administrator’s authentication failures before access denial: 5
• Customer Engineer Operation Restriction: enabled
• Type of authentication: User Authentication enabled (select Local Authentication)
• Length of user password (for general user and SA): 9 characters or more
• Private Print configuration: store an authenticated job to Private Print area

OE.COMMS_SEC: A system administrator needs to configure the TOE as follows so that the document data, security audit log data, and TOE configuration data are protected from interception.
• SNMPv3 communication: enabled
• Length of authentication password for SNMPv3 communication: 8 characters or more
• SSL/TLS communication: enabled
• IPSec communication: enabled
• S/MIME communication: enabled
• SMB communication: disabled

OE.FUNCTION: A system administrator needs to configure the TOE functions of Hard Disk Data Overwrite, Hard Disk Data Encryption, and Security Audit Log as follows.
• Hard Disk Data Overwrite: enabled
• Hard Disk Data Encryption: enabled
• Size of cryptographic seed key for Hard Disk Data Encryption: 12 characters
• Scheduled Image Overwrite: enabled
• Security Audit Log: enabled
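The three environment objectives above amount to a checklist that the evaluated configuration is only valid if every item holds. The following added example (not Xerox code and not part of this ST) turns that checklist into a compliance check that reports each deviation from OE.AUTH, OE.COMMS_SEC and OE.FUNCTION; the dictionary key names and the two sample device configurations are constructed for illustration, while the required values are the ones the objectives list.

```python
"""Evaluated-configuration check against OE.AUTH, OE.COMMS_SEC and OE.FUNCTION.

Added example, not Xerox code. The setting names used as dictionary keys and
the two sample configurations are constructed; the required values are the
ones stated in the security objectives for the environment.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Requirement:
    objective: str                # OE.AUTH, OE.COMMS_SEC or OE.FUNCTION
    setting: str                  # assumed configuration key
    expected: str                 # required value as stated in the ST
    check: Callable[[Any], bool]  # True when the configured value complies


def _enabled(v: Any) -> bool:
    return v is True


def _disabled(v: Any) -> bool:
    return v is False


def _at_least(n: int) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, int) and v >= n


def _equals(x: Any) -> Callable[[Any], bool]:
    return lambda v: v == x


REQUIREMENTS = [
    Requirement("OE.AUTH", "panel_password_auth", "enabled", _enabled),
    Requirement("OE.AUTH", "admin_password_min_length", "9 or more", _at_least(9)),
    Requirement("OE.AUTH", "admin_lockout", "enabled", _enabled),
    Requirement("OE.AUTH", "admin_lockout_threshold", "5", _equals(5)),
    Requirement("OE.AUTH", "ce_operation_restriction", "enabled", _enabled),
    Requirement("OE.AUTH", "authentication_mode", "local", _equals("local")),
    Requirement("OE.AUTH", "user_password_min_length", "9 or more", _at_least(9)),
    Requirement("OE.AUTH", "private_print_store", "private_print_area", _equals("private_print_area")),
    Requirement("OE.COMMS_SEC", "snmpv3", "enabled", _enabled),
    Requirement("OE.COMMS_SEC", "snmpv3_auth_password_min_length", "8 or more", _at_least(8)),
    Requirement("OE.COMMS_SEC", "ssl_tls", "enabled", _enabled),
    Requirement("OE.COMMS_SEC", "ipsec", "enabled", _enabled),
    Requirement("OE.COMMS_SEC", "smime", "enabled", _enabled),
    Requirement("OE.COMMS_SEC", "smb", "disabled", _disabled),
    Requirement("OE.FUNCTION", "hdd_overwrite", "enabled", _enabled),
    Requirement("OE.FUNCTION", "hdd_encryption", "enabled", _enabled),
    Requirement("OE.FUNCTION", "seed_key_length", "12", _equals(12)),
    Requirement("OE.FUNCTION", "scheduled_image_overwrite", "enabled", _enabled),
    Requirement("OE.FUNCTION", "security_audit_log", "enabled", _enabled),
]


def check_config(config: dict) -> list:
    """Return one finding per deviation; an empty list means compliant.

    A setting that is absent is reported as 'missing' rather than silently
    passing, because an unset value cannot be shown to meet the objective."""
    findings = []
    for req in REQUIREMENTS:
        if req.setting not in config:
            findings.append({"objective": req.objective, "setting": req.setting,
                             "status": "missing", "expected": req.expected})
        elif not req.check(config[req.setting]):
            findings.append({"objective": req.objective, "setting": req.setting,
                             "status": "noncompliant", "expected": req.expected,
                             "actual": config[req.setting]})
    return findings


def is_evaluated_configuration(config: dict) -> bool:
    return not check_config(config)


# Constructed sample: a device set up exactly as the objectives require.
EVALUATED_CONFIG = {
    "panel_password_auth": True, "admin_password_min_length": 9,
    "admin_lockout": True, "admin_lockout_threshold": 5,
    "ce_operation_restriction": True, "authentication_mode": "local",
    "user_password_min_length": 9, "private_print_store": "private_print_area",
    "snmpv3": True, "snmpv3_auth_password_min_length": 8, "ssl_tls": True,
    "ipsec": True, "smime": True, "smb": False,
    "hdd_overwrite": True, "hdd_encryption": True, "seed_key_length": 12,
    "scheduled_image_overwrite": True, "security_audit_log": True,
}

# Constructed sample of configuration drift: SMB left enabled, the lockout
# threshold raised, and the audit log setting absent altogether.
DRIFTED_CONFIG = {k: v for k, v in EVALUATED_CONFIG.items() if k != "security_audit_log"}
DRIFTED_CONFIG["smb"] = True
DRIFTED_CONFIG["admin_lockout_threshold"] = 10

if __name__ == "__main__":
    for finding in check_config(DRIFTED_CONFIG):
        print(finding)
```

Run against the drifted sample it reports three findings (threshold, SMB, missing audit log), which is the kind of evidence an administrator would want before claiming the device is operating in its evaluated configuration.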
5. IT SECURITY REQUIREMENTS
This chapter describes TOE security requirements and the security functional requirements to the IT
environment.
Table 9 shows the actions to be audited (defined by CC) and the corresponding auditable events
(events to be recorded as execution log) of TOE.
(Table 9, continued)
Actions to be audited (defined by CC):
- Minimal: Identification of the user associated with all trusted path failures, if available.
- Basic: All attempted uses of the trusted path functions.
- Basic: Identification of the user associated with all trusted path invocations, if available.
Auditable event of TOE: Creation/deletion of certificates.
Table 10: Operations between Subjects and Objects Covered by MFP Access Control SFP
general user identification information is set as its owner is created. The document
data is then stored inside.
- Deletion and retrieval of document data
When the general user identification information of the general user process matches
the owner identification information of Store Print area, retrieval and deletion of the
document data inside are allowed. When the document data is deleted, the
corresponding Store Print area is also deleted.
Key Operator Process
- Creation and Deletion of Shared Mailbox
In the key operator process, creation and deletion of Shared Mailbox are allowed.
FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the
following additional rules: [assignment: the rules, shown in Table 12, for
explicitly authorizing access of the subject to an object based on security
attributes].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on
the [assignment: no rules to explicitly deny the access].
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
(3) FDP_IFC.1 Subset information flow control
Hierarchical to: No other components
FDP_IFC.1.1 The TSF shall enforce the [assignment: FAX information flow control
SFP] on [assignment: subjects, information, and operations to cause
the information flow, listed in Table 13.]
Table 13: Subjects, Information, and Operations Covered by FAX Information Flow Control SFP
authentication].
FIA_AFL.1.2 (1) When the defined number of unsuccessful authentication attempts has been
met or surpassed, the TSF shall [assignment: never allow the control panel
to accept any operation except power cycle. Web browser is also inhibited
from accepting authentication operation until the main unit is cycled].
Dependencies: FIA_UAU.1 Timing of Authentication
(1) FIA_AFL.1 (2) Authentication failure handling
Hierarchical to: No other components
FIA_AFL.1.1 (2) The TSF shall detect when [selection: [assignment: one]] unsuccessful
authentication attempts occur related to [assignment: general user
authentication].
FIA_AFL.1.2 (2) When the defined number of unsuccessful authentication attempts has been
met or surpassed, the TSF shall [assignment: have the control panel display
the message “authentication was failed” and require reentry of the user
information. The TSF shall also have the Web browser and Network Scan
Utility require reentry of the user information].
Dependencies: FIA_UAU.1 Timing of Authentication
(2) FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before
allowing any other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 Timing of identification
(3) FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
FIA_UAU.7.1 The TSF shall provide only [assignment: display of asterisks (“*”) to hide
the entered password characters] to the user while the authentication is in
progress.
Dependencies: FIA_UAU.1 Timing of authentication
(4) FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other
TSF-mediated actions on behalf of that user.
Dependencies: No dependencies.
Dependencies: No dependencies.
(6) FMT_SMR.1 (1) Security role
Hierarchical to: No other components.
FMT_SMR.1.1 (1) The TSF shall maintain the roles [assignment: system administrator].
FMT_SMR.1.2 (1) The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of Identification
(7) FMT_SMR.1 (2) Security role
Hierarchical to: No other components.
FMT_SMR.1.1 (2) The TSF shall maintain the roles [assignment: general user].
FMT_SMR.1.2 (2) The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of identification
Assurance Requirements   Assurance Component Name                              Dependencies
Class ACM: Configuration management
  ACM_CAP.2              Configuration items                                   None
Class ADO: Delivery and operation
  ADO_DEL.1              Delivery procedures                                   None
  ADO_IGS.1              Installation, generation, and start-up procedures     AGD_ADM.1
Class ADV: Development
  ADV_FSP.1              Informal functional specification                     ADV_RCR.1
  ADV_HLD.1              Descriptive high-level design                         ADV_FSP.1, ADV_RCR.1
  ADV_RCR.1              Informal correspondence demonstration                 None
Class AGD: Guidance document
  AGD_ADM.1              Administrator guidance                                ADV_FSP.1
  AGD_USR.1              User guidance                                         ADV_FSP.1
Class ATE: Tests
  ATE_COV.1              Evidence of coverage                                  ADV_FSP.1, ATE_FUN.1
  ATE_FUN.1              Functional testing                                    None
  ATE_IND.2              Independent testing - sample                          ADV_FSP.1, AGD_ADM.1, AGD_USR.1, ATE_FUN.1
Class AVA: Vulnerability assessment
  AVA_SOF.1              Strength of TOE security function evaluation          ADV_FSP.1, ADV_HLD.1
  AVA_VLA.1              Developer vulnerability analysis                      ADV_FSP.1, ADV_HLD.1, AGD_ADM.1, AGD_USR.1
The TOE is an MFP, not a general-purpose computer or general-purpose software. Its security functions are
therefore not architecturally exposed to bypass, destruction, interception, or alteration. In the logical
framework of TOE processing, every “session” of the MFP is unique, so no TOE security function can be
bypassed. Moreover, the TOE security functional requirements control the transfer of objects between the
TOE and its environment so that the interactions between a user and the TOE satisfy the following:
• A user cannot transfer data between domains.
• A user cannot upload executable code, objects, or configuration files to the TOE.
• A user cannot read or rewrite the domain data.
The security functions provided by this TOE are guaranteed to operate because they are implemented by
dedicated software in the controller ROM that cannot be bypassed.
Table 19: Relations between Security Functional Requirements and TOE Security Functions
Columns (security functions): TSF_USER_AUTH, TSF_FAX_FLOW, TSF_NET_PROT, TSF_CE_LIMIT, TSF_CIPHER, TSF_FMT, TSF_IOW, TSF_FAU
Rows (TOE security functional requirements): each “O” marks a security function that realizes the requirement
FAU_GEN.1 O
FAU_SAR.1 O
FAU_SAR.2 O
FAU_STG.1 O
FAU_STG.4 O
FCS_CKM.1 O
FCS_COP.1 O
FDP_ACC.1 O O
FDP_ACF.1 O O
FDP_IFC.1 O
FDP_IFF.1 O
FDP_RIP.1 O
FIA_AFL.1 (1) O
FIA_AFL.1 (2) O
FIA_UAU.2 O
FIA_UAU.7 O
FIA_UID.2 O
FMT_MOF.1 O O
FMT_MSA.1 O O
FMT_MSA.3 O
FMT_MTD.1 O O
FMT_SMF.1 O
FMT_SMR.1 (1) O
FMT_SMR.1 (2) O
FPT_RVM.1 O O O O O O O O
FPT_STM.1 O
FTP_TRP.1 O
procedure.
A list of the used document data that is still to be overwritten and deleted is kept on the internal HDD. When
this list shows, at the time the system boots, that used document data still exists, this function overwrites
and deletes that data.
Additionally, the Scheduled Image Overwrite function deletes the stored data at a specific time scheduled by
a system administrator.
Hard Disk Data Overwrite is guaranteed to operate because it is implemented by dedicated software that
cannot be bypassed.
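The overwrite procedure described here, and again under FDP_RIP.1 in Table 31 (one-pass zero overwrite versus three-pass random/random/zero overwrite, with the pending list replayed at boot after a power-off), as an added example that simulates the behaviour on ordinary files. It is not the product's firmware or code from the Security Target; the journal format, the chunk size and the class and function names are assumptions.

```python
"""Hard Disk Data Overwrite (TSF_IOW, FDP_RIP.1): one-pass (zero) or
three-pass (random / random / zero) overwrite of used document data, driven
by a pending list that is replayed at boot so an overwrite interrupted by
power-off is re-started.  Added example, not the product's firmware; the
journal format, chunk size and names are assumptions."""
import json
import os
import secrets
from pathlib import Path

CHUNK = 64 * 1024  # assumption: bytes written per write() call

# Pass patterns per procedure; "random" means fresh CSPRNG bytes per chunk.
PROCEDURES = {
    "one_pass": [b"\x00"],
    "three_pass": ["random", "random", b"\x00"],
}


def overwrite_pass(path: Path, pattern) -> int:
    """Overwrite every byte of the file in place with one pattern and force
    it to stable storage.  Returns the number of bytes written."""
    size = path.stat().st_size
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(secrets.token_bytes(n) if pattern == "random" else pattern * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())
    return written


def overwrite_and_delete(path: Path, procedure: str = "three_pass") -> None:
    """Run every pass of the chosen procedure, then remove the file."""
    for pattern in PROCEDURES[procedure]:
        overwrite_pass(path, pattern)
    path.unlink()


class OverwriteQueue:
    """List of used document data still to be overwritten, kept on disk."""

    def __init__(self, journal: Path, procedure: str = "three_pass"):
        self.journal = journal
        self.procedure = procedure
        self.pending = json.loads(journal.read_text()) if journal.exists() else []

    def _save(self) -> None:
        self.journal.write_text(json.dumps(self.pending))

    def mark_used(self, path: Path) -> None:
        """Record a file as used *before* any deletion, so a power loss cannot
        leave used data that the list does not know about."""
        if str(path) not in self.pending:
            self.pending.append(str(path))
            self._save()

    def process(self) -> list:
        """Overwrite and delete every pending file.  An entry leaves the list
        only after its file is gone, so a re-run finishes interrupted work."""
        done = []
        for entry in list(self.pending):
            target = Path(entry)
            if target.exists():
                overwrite_and_delete(target, self.procedure)
            self.pending.remove(entry)
            self._save()
            done.append(entry)
        return done

    def boot(self) -> list:
        """At power-on, re-start any overwrite that was interrupted."""
        return self.process()


def demo() -> dict:
    """Constructed scenario in a temporary directory: one direct zero pass,
    then a file marked used, a simulated power loss, and replay at boot."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    doc = work / "doc.bin"
    doc.write_bytes(b"confidential" * 1000)
    zero_bytes = overwrite_pass(doc, b"\x00")
    zeroed = doc.read_bytes() == b"\x00" * zero_bytes
    used = work / "used.bin"
    used.write_bytes(b"secret" * 10)
    OverwriteQueue(work / "pending.json").mark_used(used)  # then "power loss"
    at_boot = OverwriteQueue(work / "pending.json")        # fresh instance
    pending_before = list(at_boot.pending)
    processed = at_boot.boot()
    return {"zero_bytes": zero_bytes, "zeroed": zeroed,
            "pending_before": pending_before, "processed": processed,
            "used_exists": used.exists(), "pending_after": at_boot.pending}
```

The journal is written before the first pass and cleared only after the unlink, which is what makes the power-on replay safe: a crash at any point leaves the file either intact and listed, partly overwritten and listed, or gone and about to be unlisted.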
Among the above functions which require user authentication, some particularly act as security
functions. The following are the security functions which prevent the unauthorized reading of document
data in the internal HDD by an attacker who is impersonating a legitimate user:
- The print function (Private Print function) and the Mailbox function, which require user authentication
from the control panel,
- The function to retrieve document data from Mailbox which requires user authentication from CWIS
or Network Scan Utility (Mailbox function), and the print function by file designation from CWIS
(Private Print function).
• Private Print Function
To enable this function, the user needs to configure the MFP to “store an authenticated job to Private
Print area*” and also needs to preset his/her ID and password from print driver of the general user client.
When a general user sends a print request from print driver, the MFP compares the user ID and
password against those preset in the MFP. Only when the user is authenticated, the print data is
decomposed into bitmap data. Then, the data is classified according to the user ID and temporarily
stored in the corresponding Private Print area within the internal HDD.
The user can also enable this function by entering his/her ID and password from CWIS for
authentication and by sending a print request with files designated within the general user client.
To refer to the stored print data, a general user needs to enter his/her ID and password from the control
panel. Then, the data on the waiting list corresponding to the user ID is displayed. The user can request
print or deletion of the data on the list.
• Mailbox Function
The scanned data and received FAX data can be stored into Mailbox from IIT and FAX board which are
not shown in Figure 3.
To store the scanned data into Mailbox, a general user needs to enter his/her ID and password from the
control panel. Then, the document data can be scanned from IIT and stored into the internal HDD
according to the user’s instruction from the control panel.
To store the received FAX data into Mailbox, user authentication is not required. Among the received
FAX data transmitted over public telephone line, the following data are automatically classified and
stored into each corresponding Mailbox: the received FAX data whose corresponding Mailbox is
specified by the sender, the received FAX data from a particular sender (the data is classified according
to the sender’s telephone number), and the received FAX data from an unknown sender.
To refer to, retrieve, print, or delete the stored data in the Personal Mailbox corresponding to each
registered user ID, user authentication is required; the MFP compares the user ID and password preset in
the MFP against those entered by the general user from the control panel, CWIS, or Network Scan
Utility.
Besides Personal Mailbox, Shared Mailbox is provided so that authorized general users can share the
same Mailbox. Only a key operator can create the Shared Mailbox.
* Mailbox can be categorized into Shared Mailbox and Personal Mailbox and operates as follows:
Operation                    Personal Mailbox                                         Shared Mailbox
Creation of Mailbox          Available for general user                               Available for key operator
Deletion of Mailbox          Available for registered general user and key operator   Available for key operator
Storage of document data     Available for registered general user and key operator   Available for general user and key operator
Retrieval of document data   Available for registered general user and key operator   Available for general user and key operator
Deletion of document data    Available for registered general user and key operator   Available for general user and key operator
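The Mailbox rules in the table above together with the Store Print owner rule of the MFP Access Control SFP (retrieval and deletion only when the general user identification matches the owner identification), as an added example of the resulting access-control decision. This is not code from the Security Target or the product; the data model, the role names and the default deny for any case the rules do not grant are assumptions.

```python
"""Access-control decisions for Personal Mailbox, Shared Mailbox and Store
Print objects.  Added example, not the product's code; data model, role names
and default-deny are assumptions."""
from dataclasses import dataclass
from typing import Optional

KEY_OPERATOR = "key_operator"
GENERAL_USER = "general_user"

# Operations on the container (Mailbox / Store Print area) and on the
# document data inside it.
CONTAINER_OPS = {"create", "delete"}
DOCUMENT_OPS = {"store", "retrieve", "delete_document"}


@dataclass(frozen=True)
class Subject:
    role: str
    user_id: str                  # general user identification information


@dataclass(frozen=True)
class Target:
    kind: str                     # "personal_mailbox", "shared_mailbox", "store_print"
    owner: Optional[str] = None   # owner identification information


def is_authorized(subject: Subject, target: Target, op: str) -> bool:
    """True only when a rule grants the access (FDP_ACF.1.3); there are no
    explicit-deny rules (FDP_ACF.1.4), so everything not granted is denied."""
    if op not in CONTAINER_OPS | DOCUMENT_OPS:
        raise ValueError(f"unknown operation {op!r}")
    # "registered general user": the general user whose ID is the owner.
    is_owner = subject.role == GENERAL_USER and subject.user_id == target.owner

    if target.kind == "shared_mailbox":
        # Only a key operator creates or deletes a Shared Mailbox; any general
        # user or key operator may use the document data inside it.
        if op in CONTAINER_OPS:
            return subject.role == KEY_OPERATOR
        return subject.role in (GENERAL_USER, KEY_OPERATOR)

    if target.kind == "personal_mailbox":
        if op == "create":
            return subject.role == GENERAL_USER
        # Deletion of the mailbox and every document operation: the
        # registered general user or a key operator.
        return is_owner or subject.role == KEY_OPERATOR

    if target.kind == "store_print":
        # The creating general user becomes the owner; retrieval and deletion
        # require the IDs to match.  A key operator has no rule here, so the
        # default deny applies (assumption).
        if op == "create":
            return subject.role == GENERAL_USER
        return is_owner

    raise ValueError(f"unknown object kind {target.kind!r}")
```

Keeping the decision in one function with a final deny makes the FDP_ACF.1.4 "no explicit deny rules" statement checkable: every granted path is a rule from the table, and the absence of a rule is what denies a key operator access to another user's Store Print area.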
• To identify and authenticate a system administrator (key operator and SA), the MFP compares
the system administrator ID and password preset in the MFP against those entered from the
control panel or CWIS of the system administrator client. Only when the authentication
succeeds can he/she access System Administrator’s Security Management.
• When the authentication of a general user fails because of a wrong ID or password, the control panel
displays “authentication was failed” and requires reentry of the user information.
Web browser and Network Scan Utility also require reentry of the user information.
• When the authentication of a system administrator fails because of a wrong ID or password, reentry of
the user information is required just as for a general user’s authentication failure. However, once
unsuccessful authentication attempts have occurred five times, the control panel does not accept any
operation except power cycle, and Web browser does not accept authentication operation until the
main unit is cycled.
• Only a system administrator can create, change, and delete the general user ID. A general user
can change his/her own password from the control panel.
The entered password characters are all displayed as asterisks (“*”) to hide the password.
User Authentication is guaranteed to operate because it is implemented by dedicated software that cannot
be bypassed.
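The two failure-handling policies above, as an added example: a general user is asked to re-enter the user information, while the fifth consecutive system administrator failure leaves the control panel accepting nothing but a power cycle. This is not code from the Security Target or the product; the class name, the constructed credential store and the choice to reset the administrator counter on a successful login are assumptions.

```python
"""Authentication failure handling per FIA_AFL.1 (1) and (2).  Added example,
not the product's code; credential store and reset-on-success are
assumptions."""
import hmac

# Constructed credential store (role -> {user ID: password}); the real TOE
# keeps these as protected TSF data.
USERS = {
    "system_administrator": {"admin": "Adm1nPass!"},
    "general_user": {"alice": "alice-pw", "bob": "bob-pw"},
}

ADMIN_FAILURE_LIMIT = 5   # "unsuccessful authentication attempts occurred five times"

LOCKED = "locked: no operation accepted except power cycle"
RETRY = "authentication was failed: re-enter user information"
OK = "authenticated"


class ControlPanel:
    """Models one control panel with the two lockout policies of the ST."""

    def __init__(self, failure_limit: int = ADMIN_FAILURE_LIMIT):
        self.failure_limit = failure_limit
        self.admin_failures = 0
        # The lock lives only in RAM and there is no administrative unlock,
        # so power_cycle() is the only way out of the locked state.
        self.locked = False

    def power_cycle(self) -> None:
        """Cycling the main unit clears the lock and the failure counter."""
        self.admin_failures = 0
        self.locked = False

    def authenticate(self, role: str, user_id: str, password: str) -> str:
        """Identification and authentication are checked together, so an
        unknown ID and a wrong password give the same response."""
        if self.locked:
            return LOCKED
        expected = USERS.get(role, {}).get(user_id, "")
        # Constant-time comparison; a missing ID compares against "".
        ok = expected != "" and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            if role == "system_administrator":
                self.admin_failures = 0   # assumption: success resets the count
            return OK
        if role == "system_administrator":
            self.admin_failures += 1
            if self.admin_failures >= self.failure_limit:
                self.locked = True
                return LOCKED
        # General users (and administrators below the limit) are only asked
        # to re-enter the user information; nothing else is disabled.
        return RETRY
```

Note that while the panel is locked even a valid general user login is refused, which matches the ST's wording that the panel accepts no operation other than a power cycle.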
Additionally, the function of TSF_FMT allows only an authenticated system administrator to configure the
following TOE security functions via CWIS. The system administrator needs to be authenticated via the
Web browser which is securely connectable with HTTPS.
• Refer to the setting of key operator ID and change the ID and password (only a key operator is
privileged);
• Refer to the setting of ID of SA and general user and change the ID and password;
• Refer to the setting of access denial due to authentication failure of system administrator, enable/disable
it, and set the allowable number of failures;
• Refer to the setting of TSF_FAU and enable/disable it,
(When TSF_FAU is enabled, security audit log data can be downloaded in the form of tab-delimited
text to a system administrator client.);
• Refer to the setting of SSL/TLS communication of TSF_NET_PROT, enable/disable it, and configure
the details;
• Refer to the setting of IPSec communication of TSF_NET_PROT, enable/disable it, and configure the
details;
• Refer to the setting of SNMPv3 communication of TSF_NET_PROT, enable/disable it, and configure
the details;
• Configure authentication password for SNMPv3 communication;
• Refer to the setting of S/MIME communication of TSF_NET_PROT, enable/disable it, and configure
the details;
• Download/upload and create an X.509 certificate;
• Refer to the setting of Scheduled Image Overwrite, enable/disable it, and set the time;
• Refer to the setting of TSF_USER_AUTH and enable/disable Local Authentication.
Customer Engineer Operation Restriction is guaranteed to operate because it is implemented by dedicated
software that cannot be bypassed.
The auditable events are recorded as fixed-size entries with the following fields:
• Log ID: consecutive numbers used as the audit log identifier (1 - 60000)
• Date: date data (yyyy/mm/dd, mm/dd/yyyy, or dd/mm/yyyy)
• Time: time data (hh:mm:ss)
• Logged Events: event name (arbitrary characters, up to 32 characters)
• User Name: user name (arbitrary characters, up to 32 characters)
• Description: description of the event (arbitrary characters, up to 32 characters; see below for details)
• Status: status or result of event processing (arbitrary characters, up to 32 characters; see below for
details)
• Optionally Logged Items: additional information recorded in the audit log (other than the common record
items)
Security Audit Log is guaranteed to operate because it is implemented by dedicated software that cannot
be bypassed.
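The fixed-size record layout above, the overwrite-oldest behaviour of FAU_STG.4 and the restricted review of FAU_SAR.2, as an added example; the tab-delimited export mirrors the download format the TSF_FMT list mentions. This is not code from the Security Target or the product; the class names, the trail capacity and the wrap-around of the Log ID after 60000 are assumptions built from the field list.

```python
"""Security Audit Log: fixed-size records, overwrite-oldest when full
(FAU_STG.4), administrator-only review (FAU_SAR.2).  Added example, not the
product's code; capacity and Log ID wrap-around are assumptions."""
from dataclasses import dataclass
from datetime import datetime

MAX_LOG_ID = 60000     # Log ID: consecutive numbers 1 - 60000
FIELD_WIDTH = 32       # text fields hold up to 32 characters
DATE_FORMATS = {"yyyy/mm/dd": "%Y/%m/%d",
                "mm/dd/yyyy": "%m/%d/%Y",
                "dd/mm/yyyy": "%d/%m/%Y"}
COLUMNS = ("Log ID", "Date", "Time", "Logged Events", "User Name",
           "Description", "Status", "Optionally Logged Items")


def fit(text: str) -> str:
    """Truncate to the field width so every entry has the same size."""
    return text[:FIELD_WIDTH]


@dataclass(frozen=True)
class AuditRecord:
    log_id: int
    date: str
    time: str
    event: str
    user: str
    description: str
    status: str
    optional: str = ""

    def to_tsv(self) -> str:
        return "\t".join((str(self.log_id), self.date, self.time, self.event,
                          self.user, self.description, self.status, self.optional))


class AuditLog:
    def __init__(self, capacity: int, date_format: str = "yyyy/mm/dd"):
        self.capacity = capacity                     # assumption: fixed trail size
        self.date_fmt = DATE_FORMATS[date_format]    # administrator-selected format
        self._records = []                           # oldest first
        self._next_id = 1

    def record(self, event, user, description, status, optional="", when=None):
        """Append one entry; when the trail is full the oldest is dropped so
        the new event is never lost (FAU_STG.4)."""
        when = when or datetime.now()
        rec = AuditRecord(self._next_id, when.strftime(self.date_fmt),
                          when.strftime("%H:%M:%S"), fit(event), fit(user),
                          fit(description), fit(status), optional)
        self._next_id = self._next_id % MAX_LOG_ID + 1   # 60000 wraps to 1
        if len(self._records) >= self.capacity:
            self._records.pop(0)
        self._records.append(rec)
        return rec

    def review(self, role: str) -> list:
        """FAU_SAR.2: only an authenticated system administrator may read."""
        if role != "system_administrator":
            raise PermissionError("audit review restricted to system administrator")
        return list(self._records)

    def export_tsv(self, role: str) -> str:
        """Tab-delimited text as downloaded to a system administrator client."""
        rows = ["\t".join(COLUMNS)] + [r.to_tsv() for r in self.review(role)]
        return "\n".join(rows)


def sample_trail() -> AuditLog:
    """Constructed sample: four events written into a trail that holds three,
    the last one with an event name longer than the field."""
    log = AuditLog(capacity=3)
    t = datetime(2024, 1, 2, 3, 4, 5)
    log.record("Login", "admin", "Local Authentication", "Success", when=t)
    log.record("Login", "alice", "Local Authentication", "Failed", when=t)
    log.record("Audit Log Download", "admin", "HTTPS", "Success", when=t)
    log.record("X" * 40, "admin", "event name over the limit", "Success", when=t)
    return log
```

Because entries are fixed size, the trail's footprint on the HDD is bounded by the capacity alone, and the Log ID sequence lets a reviewer detect the gap that a wrap-around or overwrite produces.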
Protection from alteration is provided by the HMAC (Hashed Message Authentication Code, IETF RFC
2104) of SSL/TLS.
When SSL/TLS communication is enabled on the Web client, requests from the client must be received
via HTTPS. The SSL/TLS communication needs to be enabled before IPSec, SNMPv3, or S/MIME is
enabled or before security audit log data is downloaded by a system administrator.
(2) IPSec
When IPSec communication is configured by a system administrator in tool mode, IPSec is used to secure
data transmission. This protects the security of document data, security audit log data, and TOE
configuration data on the internal network.
IPSec establishes a security association to determine the parameters (e.g. private key and cryptographic
algorithm) to be used in the IPSec communication between the TOE and the remote host. After the
association is established, all data transmitted between the specified IP addresses is encrypted in IPSec
transport mode until the TOE is powered off or reset. A cryptographic key is generated when a session starts
and is lost when the session ends or the MFP main unit is powered off.
- Cryptographic key generated for IPSec (ESP: Encapsulating Security Payload) at every session
Specifically, one of the following combinations of secret-key cryptographic method and hash method is
adopted:
Cryptographic Method and Size of Secret Key      Hash Method
AES / 128 bits                                   SHA-1
3-Key Triple-DES / 168 bits                      SHA-1
(3) SNMPv3
When SNMPv3 communication is configured by a system administrator in tool mode, SNMPv3 is
supported. This is one of the security solutions for the network management protocol SNMP. As defined
in IETF RFC 3414, SNMPv3 provides not only data encryption but also authentication of each SNMP
message.
To enable this function, both an authentication password and a privacy password need to be set up in both
the TOE and the remote server. Both passwords must be 8 characters or longer.
SNMPv3 authentication uses the SHA-1 hash function; encryption of the protocol uses CBC-DES. A
cryptographic key is generated when a session starts and is lost when the session ends or the MFP main
unit is powered off.
Cryptographic key generated for SNMPv3 at every session:
Cryptographic Method and Size of Secret Key      Hash Method
DES / 56 bits                                    SHA-1
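How the per-engine SNMPv3 authentication and privacy keys are derived from the two passwords, following the USM key algorithms of IETF RFC 3414 (password-to-key and key localization), with the 8-character minimum from the text enforced. This is an added example, not the product's code; the function names are assumptions. It goes beyond the page in also exposing the MD5 variant, because the RFC publishes test vectors for both hash functions and the SHA-1 path is exercised against one of them.

```python
"""SNMPv3 USM key derivation (RFC 3414): Ku from a password, Kul localized
to one snmpEngineID, and the CBC-DES key material taken from Kul.  Added
example, not the product's code; function names are assumptions."""
import hashlib

MIN_PASSWORD_LEN = 8      # "Both passwords must be 8 characters or longer"
STRETCH_LEN = 1048576     # RFC 3414 A.2: password repeated to 1 MiB, then hashed


def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """Ku = H(password repeated cyclically until 1,048,576 octets).  This is
    the same byte stream the RFC's 64-octet buffer loop feeds to the hash."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    pw = password.encode()
    stretched = (pw * (STRETCH_LEN // len(pw) + 1))[:STRETCH_LEN]
    return hashlib.new(algo, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  Binding the key to one engine means
    the key recovered from one device does not work against another device
    configured with the same password."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             algo: str = "sha1") -> dict:
    """Localized authentication key plus the DES privacy key material.
    RFC 3414 8.1.1.1: first 8 octets of the privacy Kul form the DES key,
    the following 8 octets the pre-IV."""
    auth_kul = localize_key(password_to_key(auth_password, algo), engine_id, algo)
    priv_kul = localize_key(password_to_key(priv_password, algo), engine_id, algo)
    return {"auth_key": auth_kul,
            "des_key": priv_kul[:8],
            "des_pre_iv": priv_kul[8:16]}
```

The 1 MiB stretch is the RFC's fixed work factor against password guessing; the localization step is why the same password yields a different key on every engine ID, which is the property an operator loses if two devices are configured with identical engine IDs.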
(4) S/MIME
When S/MIME communication is configured by a system administrator in tool mode, S/MIME is used to
secure mail communication. This protects the security of
(TAS_DELIVERY)
The following are described in the “WorkCentre 5222/5225/5230/5225A/5230A Series Delivery,
Introduction, and Operation Procedure Description”:
- Procedure to identify TOE and maintain the integrity of TOE in transit
- All procedures that are applied from the creation environment to the delivery to user, for maintaining the
security of TOE
- Method to check that TOE is correct when user receives it
- Notes on the security of introduction, installation, and booting, and method to check the correct
introduction, installation, and booting
- Exceptional events and measures to deal with such events
- Minimum system requirement that is necessary for the safe introduction and installation
• ADV_RCR.1
environment
- Result of checking that notes on vulnerability related to TOE configuration and settings for functions’
operation-conditions are described in the manual
7. PP CLAIMS
This chapter describes Protection Profile (PP) claims.
7.1. PP Reference
There is no reference to PP.
7.2. PP Tailoring
There is no refinement to PP.
7.3. PP Addition
There is no addition to PP.
8. RATIONALE
This chapter describes security objectives rationale, security requirements rationale, and rationale for TOE
summary specification.
Table 22: Correspondences between TOE/Environment Security Objectives and TOE Security Environment
(column assignments of the “O” marks restored from the rationale given in Table 23)
TOE/environment security objectives   TOE security environment covered
O.AUDITS                              T.CONFDATA, T.DATA_SEC
O.CIPHER                              T.RECOVER
O.COMM_SEC                            T.COMM_TAP
O.FAX_SEC                             P.FAX_OPT
O.MANAGE                              T.CONFDATA, T.DATA_SEC
O.RESIDUAL                            T.RECOVER
O.USER                                T.CONSUME, T.DATA_SEC
O.RESTRICT                            T.CONSUME
OE.ADMIN                              A.ADMIN
OE.AUTH                               A.SECMODE, T.CONFDATA, T.DATA_SEC
OE.COMMS_SEC                          A.SECMODE, T.COMM_TAP
OE.FUNCTION                           A.SECMODE, T.RECOVER, T.DATA_SEC
Table 23: Security Objectives Rationale for Each TOE Security Environment
(each TOE Security Environment item is followed by its TOE Security Objectives Rationale)

A.ADMIN
  By satisfying the following objective, A.ADMIN can be realized:
  - OE.ADMIN
    By OE.ADMIN, the person in charge at the organization selects a suitable member as system
    administrator and provides management and education.

A.SECMODE
  By satisfying the following objectives, A.SECMODE can be realized:
  - OE.AUTH
    By OE.AUTH, a system administrator sets an appropriate ID and password and enables user
    authentication.
  - OE.COMMS_SEC
    By OE.COMMS_SEC, the internal network data (incl. document data, security audit log data, and
    TOE configuration data) are protected from interception.
  - OE.FUNCTION
    By OE.FUNCTION, Hard Disk Data Overwrite, Hard Disk Data Encryption, and Security Audit Log
    are enabled.

T.RECOVER
  By satisfying the following objectives, T.RECOVER can be countered:
  - OE.FUNCTION
    By OE.FUNCTION, it is necessary to enable the TOE security functions (i.e. Hard Disk Data
    Overwrite and Hard Disk Data Encryption), which disable the reading-out of the document data and
    security log data in the internal HDD as well as the recovery of the used document data. To be
    specific, this threat can be countered by the following security objectives: O.CIPHER and
    O.RESIDUAL.
  - O.CIPHER
    By O.CIPHER, the document data and security audit log data in the internal HDD are encrypted to
    disable the reference and reading-out of the document data and security audit log data.
  - O.RESIDUAL
    By O.RESIDUAL, the used document data is overwritten and deleted to disable the recovery and
    reproduction of the used document data stored in the internal HDD.

T.CONFDATA
  By satisfying the following objectives, T.CONFDATA can be countered:
  - OE.AUTH
    By OE.AUTH, it is necessary to enable the security functions (i.e. User Authentication with
    Password, System Administrator Password, Allowable Number of System Administrator’s
    Authentication Failures before Access Denial, Customer Engineer Operation Restriction) and to
    permit only the authenticated system administrator to change the TOE configuration data. To be
    specific, this threat can be countered by the following security objectives:
  - O.MANAGE
    By O.MANAGE, only the authenticated system administrator is allowed to enable/disable TOE
    security functions and to refer to / update the TOE configuration data.
  - O.AUDITS
    By O.AUDITS, the audit log function necessary to monitor unauthorized access and the security
    audit log data are provided.

T.CONSUME
  By satisfying the following objectives, T.CONSUME can be countered.
  - O.USER
    By O.USER, only the authenticated user is allowed to use the MFP.
  - O.RESTRICT
    By O.RESTRICT, the access to the TOE can be controlled.

T.COMM_TAP
  By satisfying the following objectives, T.COMM_TAP can be countered.
  - O.COMM_SEC
    By O.COMM_SEC, only the legitimate user is allowed to use the MFP through Network
    Authentication of the encrypted communication protocol. Encrypting communication data also
    disables the interception and alteration of the internal network data (incl. document data,
    security audit log data, and TOE configuration data).
  - OE.COMMS_SEC
    By OE.COMMS_SEC, the document data, security audit log data, and TOE configuration data on the
    internal network can be protected from interception.

T.DATA_SEC
  By satisfying the following objectives, T.DATA_SEC can be countered.
  - OE.AUTH and OE.FUNCTION
    By OE.AUTH and OE.FUNCTION, it is necessary to enable the following password and user
    authentication functions and the security audit log function: User Password, System Administrator
    Password, Local Authentication, Security Audit Log. Then, only the authenticated user is allowed to
    access the security audit log data and document data.
  - O.USER
    By O.USER, only the authenticated user is allowed to read out the document data and security log
    data stored in the internal HDD.
  - O.MANAGE
    By O.MANAGE, only the authenticated system administrator is allowed to configure the security
    functions.
  - O.AUDITS
    By O.AUDITS, the audit log function necessary to monitor unauthorized access and the security
    audit log data are provided.

P.FAX_OPT
  By satisfying the following objective, P.FAX_OPT can be observed.
  - O.FAX_SEC
    By O.FAX_SEC, the access to the internal network via public telephone line is disabled. This
    realizes P.FAX_OPT. Since the data received from the public telephone line is not sent to the
    internal network, the internal network cannot be accessed.
Table 24: Correspondences between Security Functional Requirements and Security Objectives
Columns (security objectives): O.COMM_SEC, O.RESIDUAL, O.RESTRICT, O.MANAGE, O.FAX_SEC, O.AUDITS, O.CIPHER, O.USER
Rows (TOE security functional requirements): each “O” marks a security objective the requirement supports
FAU_GEN.1 O
FAU_SAR.1 O
FAU_SAR.2 O O
FAU_STG.1 O
FAU_STG.4 O
FCS_CKM.1 O O
FCS_COP.1 O O
FDP_ACC.1 O
FDP_ACF.1 O
FDP_IFC.1 O
FDP_IFF.1 O
FDP_RIP.1 O
FIA_AFL.1 (1) O
FIA_AFL.1 (2) O O
FIA_UAU.2 O O O
FIA_UAU.7 O O O
FIA_UID.2 O O O
FMT_MOF.1 O
FMT_MSA.1 O
FMT_MSA.3 O
FMT_MTD.1 O
FMT_SMF.1 O
FMT_SMR.1 (1) O
FMT_SMR.1 (2) O
FPT_RVM.1 O O O O O O O O
FPT_STM.1 O
FTP_TRP.1 O
The functional strength level of FIA_AFL.1 (1), FIA_AFL.1 (2), FIA_UAU.2, and FIA_UAU.7 is SOF-basic,
satisfying the functional security strength that TOE requires.
FIA_UID.2      User identification before any action         None
FMT_MOF.1      Management of security functions behavior     FMT_SMF.1, FMT_SMR.1 (1)     -
FMT_MSA.1      Management of security attributes             FMT_SMF.1, FMT_SMR.1         -
Functional         Functional Requirement Name                Bypass        De-activation
Requirement ID                                                Prevention    Prevention
FAU_GEN.1          Audit data generation                      FPT_RVM.1     FMT_MOF.1
FAU_SAR.1          Audit review                               FPT_RVM.1     FMT_MOF.1
FAU_SAR.2          Restricted audit review                    FPT_RVM.1     FMT_MOF.1
FAU_STG.1          Protected audit trail storage              FPT_RVM.1     FMT_MOF.1
FAU_STG.4          Prevention of audit data loss              FPT_RVM.1     FMT_MOF.1
FCS_CKM.1          Cryptographic key generation               FPT_RVM.1     FMT_MOF.1
FCS_COP.1          Cryptographic operation                    FPT_RVM.1     FMT_MOF.1
FDP_ACC.1          Subset access control                      FPT_RVM.1     FMT_MOF.1
FDP_ACF.1          Access control functions                   FPT_RVM.1     FMT_MOF.1
FDP_IFC.1          Subset information flow control            FPT_RVM.1     FMT_MOF.1
FDP_IFF.1          Simple security attribute                  FPT_RVM.1     FMT_MOF.1
FDP_RIP.1          Subset residual information protection     FPT_RVM.1     FMT_MOF.1
FIA_AFL.1 (1)      Authentication failure handling            FPT_RVM.1     -
FIA_AFL.1 (2)      Authentication failure handling            FPT_RVM.1     -
FIA_UAU.2          User authentication before any action      FPT_RVM.1     -
FIA_UAU.7          Protected authentication feedback          FPT_RVM.1     -
FIA_UID.2          User identification before any action      FPT_RVM.1     -
FMT_MOF.1          Management of security functions behavior  -             -
FMT_MSA.1          Management of security attributes          FPT_RVM.1     -
FMT_MSA.3          Static attribute initialization            FPT_RVM.1     -
FMT_MTD.1          Management of TSF data                     FPT_RVM.1     -
FMT_SMF.1          Specification of management functions      -             -
FMT_SMR.1 (1)      Security roles                             -             -
FMT_SMR.1 (2)      Security roles                             -             -
FPT_RVM.1          Non-bypassability of the TSP               -             -
FPT_STM.1          Reliable time stamp                        FPT_RVM.1     FMT_MOF.1
FTP_TRP.1          Trusted Path                               FPT_RVM.1     FMT_MOF.1
Functional Requirement / Bypass Prevention / Rationale for Functional Requirements

Functional Requirement: FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FPT_STM.1
Bypass Prevention: FPT_RVM.1
Rationale: These security functional requirements are implemented by dedicated software that has no
bypass measures and cannot be replaced with other software or modules. Based on the system
administrator setting, every time an auditable event occurs the fact is always recorded in the audit log
file with a time stamp. Therefore, the audit log function cannot be circumvented, and non-bypassability
is ensured.

Functional Requirement: FCS_CKM.1, FCS_COP.1
Bypass Prevention: FPT_RVM.1
Rationale: These security functional requirements are implemented by dedicated software that has no
bypass measures and cannot be replaced with other software or modules. Based on the system
administrator setting, the functions are guaranteed to operate. Therefore, cryptographic-key generation
and cryptographic operation cannot be circumvented, and non-bypassability is ensured.

Functional Requirement: FDP_ACC.1, FDP_ACF.1, FIA_AFL.1 (1), FIA_AFL.1 (2), FIA_UAU.2, FIA_UAU.7, FIA_UID.2
Bypass Prevention: FPT_RVM.1
Rationale: These security functional requirements are implemented by dedicated software that has no
bypass measures and cannot be replaced with other software or modules. Also, identification and
authentication of the system administrator is always performed when functions that require user
authentication are accessed. Therefore, “user identification before any action,” “user authentication
before any action,” and “protected authentication feedback” cannot be circumvented, and
non-bypassability is ensured.
For authentication of a system administrator, there is no function to cancel the authentication-denial
status that occurs when the number of access denials due to authentication failure reaches its maximum.
Operations other than power cycle are disabled.
For authentication of a general user, an error message is displayed and user authentication cannot be
circumvented. Moreover, there is no function to cancel the user authentication failure status. Therefore,
user authentication cannot be circumvented, and non-bypassability is ensured.

Functional Requirement: FDP_IFC.1, FDP_IFF.1
Bypass Prevention: FPT_RVM.1
Rationale: These security functional requirements are implemented by dedicated software that has no
bypass measures and cannot be replaced with other software or modules. The data received from the
public telephone line can never be sent to the internal network in any case. Therefore, this function
cannot be circumvented, and non-bypassability is ensured.

Functional Requirement: FTP_TRP.1
Bypass Prevention: FPT_RVM.1
Rationale: This security functional requirement is implemented by dedicated software that has no bypass
measures and cannot be replaced with other software or modules. Based on the system administrator
setting, the function is also guaranteed to operate. In the communication between the TOE and the
remote host, the document data, security audit log data, and TOE configuration data on the internal
network are protected from interception. Thus, this function cannot be circumvented, and
non-bypassability is ensured.

Functional Requirement: FDP_RIP.1
Bypass Prevention: FPT_RVM.1
Rationale: This security functional requirement is implemented by dedicated software that has no bypass
measures and cannot be replaced with other software or modules. Based on the system administrator
setting, the functions are also guaranteed to operate. In addition, the TOE is configured so that, when
overwrite processing is stopped by power-off, the overwrite deletion processing is re-started at power-on.
Thus, this function cannot be circumvented, and non-bypassability is ensured.

Functional Requirement: FMT_MTD.1
Bypass Prevention: FPT_RVM.1
Rationale: This security functional requirement is implemented by dedicated software that has no bypass
measures and cannot be replaced with other software or modules. When TSF data is accessed,
authentication of the system administrator always needs to be performed. Thus, this function cannot be
circumvented, and non-bypassability is ensured.
8.2.5.3. Interference
Although this TOE is connected to the public telephone line, no unauthorized objects can exist, since the FAX
flow security function denies external access in any event. For the interfaces other than FAX as well, since
only a system administrator is allowed to manage the behavior of the security functions, no unauthorized
programs or objects can exist. Therefore, no further access control is necessary and the TOE security
functions are not destroyed.
management activity that can be foreseen for each functional requirement is assigned as a management
requirement of each component. Table 30 shows the management functions that each functional
requirement component requires.
The security management functions that are defined in FMT_SMF.1 of “Specification of Management
Functions” are in line with the management functions defined in Table 30. Thus, TOE security functional
requirements are internally consistent in terms of security management functions.
Table 31: Rationale for Relations between Security Functional Requirements and TOE Security Functions
Functional Rationale for Relations between Security Function Requirements and TOE Security
Requirement Functions
By TSF_FAU, the defined auditable event is recorded in the audit log and the audit
FAU_GEN.1
data is generated.
FAU_SAR.1 By TSF_FAU, all the information recorded in the audit log can be read.
By TSF_FAU, the person who reads the audit log is limited to the authenticated
FAU_SAR.2
system administrator.
By TSF_FAU, the audit log data is protected from untrusted alteration and
FAU_STG.1
modification.
By TSF_FAU, when audit trail file is full, the oldest stored audit record is
FAU_STG.4
overwritten with the new data so that the new data is not lost but surely recorded.
By TSF_CIPHER, TOE uses the “hard disk data encryption seed key” configured by
FCS_CKM.1 a system administrator and generates a 128-bit encryption key through FXOSENC
algorithm, a secure algorithm with sufficient complexity, at the time of booting.
By TSF_CIPHER, TOE uses the automatically-generated encryption key and can
FCS_COP.1
encrypt/decrypt the document data and security audit log data in the internal HDD.
By TSF_USER_AUTH, a system administrator needs to perform user authentication
before accessing the tool mode.
FDP_ACC.1 By TSF_USER_AUTH, a general user needs to perform user authentication before
FDP_ACF.1 accessing the Mailbox or the Store Print.
By TSF_FMT, the person who accesses the tool mode is limited to the authenticated
system administrator.
FDP_IFC.1 By TSF_FAX_FLOW, the data received from public telephone line is not sent to the
FDP_IFF.1 internal network. Thus, the internal network is not accessed.
By TSF_IOW, TOE overwrites and deletes the used document data file stored in the
internal HDD.
To control overwrite/delete function, two options are available: one pass (zero)
overwrite procedure and three pass (random number / random number / zero)
overwrite procedure. This is because whether to prioritize efficiency or security
FDP_RIP.1 depends on the usage environment of the MFP.
When efficiency is prioritized, one pass overwrite procedure is applied. When
security is prioritized, three pass overwrite procedure is applied. Three pass overwrite
has lower processing speed than one pass but can provide more solid overwrite
function and thus can fully confront the low-level attacks trying to reproduce the
data. Therefore, three pass is an appropriate number of times to overwrite.
FIA_AFL.1 (1): By TSF_USER_AUTH, a system administrator needs to perform user authentication before accessing the tool mode. The function for authentication failure handling is provided: when the defined number of access denials due to unsuccessful authentication attempts with the system administrator ID has been met or surpassed, any operation except a power cycle is disabled.
FIA_AFL.1 (2): By TSF_USER_AUTH, a general user needs to perform user authentication before using MFP functions. When the entered password does not match the one set by the proper user, the message “incorrect password” is displayed, requesting re-entry of the password.
FIA_UAU.2: By TSF_USER_AUTH, TOE requests a user to enter the password before permitting a system administrator to operate at the control panel, or a system administrator or general user to operate via a Web browser. The entered password is compared against the password registered on the TOE. This authentication and the identification (FIA_UID.2) are performed simultaneously, and the operation is allowed only when both identification and authentication succeed.
FIA_UAU.7: By TSF_USER_AUTH, TOE displays the same number of asterisks (*) as the entered password characters on the control panel or the Web browser, in order to hide the password at the time of user authentication.
FIA_UID.2: By TSF_USER_AUTH, TOE requests a user to enter the user ID before permitting a system administrator to operate at the control panel, or a system administrator or a general user to operate via a Web browser. The entered ID is verified against the ID registered on the TOE. This identification and the authentication (FIA_UAU.2) are performed simultaneously, and the operation is allowed only when both identification and authentication succeed.
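The authentication failure handling of FIA_AFL.1 (1) and (2) together with the combined identification and authentication check of FIA_UAU.2 and FIA_UID.2, as an added Python example that is not part of the Security Target or the TOE: a failed attempt on the system administrator ID counts toward a lockout that only a power cycle clears, while a general user just receives the re-entry message. The threshold value, the PBKDF2 password storage and the class and method names are assumptions.

```python
import hashlib
import hmac
import os

MAX_ADMIN_FAILURES = 3  # assumed threshold; the ST only says "the defined number"

def _hash(password, salt):
    # Salted PBKDF2 so a stored verifier does not reveal the password (assumed choice)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AccessControl:
    # Identification (user ID) and authentication (password) are checked together;
    # a request is allowed only when both match. Example code, not the TOE's.
    def __init__(self):
        self._users = {}           # user_id -> (salt, verifier, role)
        self._admin_failures = 0   # consecutive failures on the administrator ID
        self.locked = False        # cleared only by power_cycle()

    def register(self, user_id, password, role):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(password, salt), role)

    def login(self, user_id, password):
        if self.locked:
            return "locked"        # every operation except a power cycle is disabled
        entry = self._users.get(user_id)
        if entry is None:
            # Unknown ID: still compute a hash so timing does not reveal valid IDs
            hmac.compare_digest(_hash(password, b"\x00" * 16), b"\x00" * 32)
            return self._fail(user_id)
        salt, verifier, _role = entry
        if hmac.compare_digest(_hash(password, salt), verifier):
            return "ok"
        return self._fail(user_id)

    def _fail(self, user_id):
        entry = self._users.get(user_id)
        if entry is not None and entry[2] == "administrator":
            self._admin_failures += 1
            if self._admin_failures >= MAX_ADMIN_FAILURES:
                self.locked = True
                return "locked"
        return "incorrect password"  # general users are simply asked to re-enter

    def power_cycle(self):
        self._admin_failures = 0
        self.locked = False
```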
FMT_MOF.1: By TSF_FMT and TSF_CE_LIMIT, TOE permits the authenticated system administrator to set the TOE configuration data. The person who changes the TOE configuration data is limited to the system administrator.
FMT_MSA.1: By TSF_FMT, TOE limits the person who queries/deletes/creates the identifier of a general user and that of a Shared Mailbox to the system administrator. By TSF_USER_AUTH, TOE permits the authenticated user to query/delete/create the identifier for a Personal Mailbox and Store Print.
FMT_MSA.3: By TSF_FMT, TOE offers an appropriate default value.
FMT_MTD.1: By TSF_FMT and TSF_CE_LIMIT, TOE limits the person who changes the TOE configuration data to the authenticated system administrator.
FMT_SMF.1: By TSF_FMT, TOE limits the person who changes the TOE configuration data to the authenticated system administrator.
FMT_SMR.1 (1): By TSF_FMT, the system administrator's role is maintained and the role is associated with the system administrator.
FMT_SMR.1 (2): By TSF_USER_AUTH, the general user's role is maintained and the role is associated with the proper general user.
FPT_RVM.1: All TOE security functions are assured to operate, because they are realized by dedicated software that provides no means of bypass.
FPT_STM.1: By TSF_FAU, the time stamp from TOE's clock function is issued when a defined auditable event is recorded in the audit log file.
FTP_TRP.1: By TSF_NET_PROT, the document data, security audit log data, and TOE configuration data are protected by an encrypted communication protocol that ensures secure data communication between TOE and the remote endpoint. This trusted path is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from modification or disclosure.
Table 32: Correspondences between Assurance Measures and Security Assurance Requirements
Assurance Measures (identifier): TAS_VULNERABILITY, TAS_HIGHLDESIGN, TAS_CONFIG_LIST, TAS_REPRESENT, TAS_FUNC_SPEC, TAS_GUIDANCE, TAS_DELIVERY, TAS_CONFIG, TAS_TEST
Security Assurance Requirements (each O marks one corresponding assurance measure):
ACM_CAP.2 O O
ADO_DEL.1 O O
ADO_IGS.1 O O
ADV_FSP.1 O
ADV_HLD.1 O
ADV_RCR.1 O
AGD_ADM.1 O
AGD_USR.1 O
ATE_COV.1 O
ATE_FUN.1 O
ATE_IND.2 O
AVA_SOF.1 O
AVA_VLA.1 O
As in Table 18 of “5.2 TOE Security Assurance Requirements,” one or more assurance measures correspond to each TOE security assurance requirement necessary for EAL2. The assurance measures cover the evidence that the TOE security assurance requirements defined in this ST require. Therefore, the evidence required by the TOE security assurance requirements for EAL2 is fully provided.