あ

Fuji Xerox
DocuCentre-IV C2263
Series Controller Software

Security Target

Version 1.0.3

This document is a translation of the evaluated and

certified security target written in Japanese

-i-
 - Table of Contents -

1. ST INTRODUCTION ........................................................... 1
1.1. ST Reference .............................................................................1
1.2. TOE Reference ...........................................................................1
1.3. TOE Overview ............................................................................1
1.3.1. TOE Type and Major Security Features............................................... 1
1.3.2. Environment Assumptions ...............................................................4
1.3.3. Required Non-TOE Hardware and Software ......................................... 5
1.4. TOE Description ..........................................................................6
1.4.1. User Assumptions .......................................................................... 6
1.4.2. Logical Scope and Boundary ............................................................6
1.4.3. Physical Scope and Boundary ......................................................... 14
1.4.4. Guidance .................................................................................... 15

2. CONFORMANCE CLAIMS ...................................................16

2.1. CC Conformance Claims ............................................................ 16
2.2. PP Claims, Package Claims ......................................................... 16
2.2.1. PP Claims .................................................................................... 16
2.2.2. Package Claims ............................................................................ 16
2.2.3. Conformance Rationale ................................................................. 16

3. SECURITY PROBLEM DEFINITION ......................................17

3.1. Threats ................................................................................... 17
3.1.1. Assets Protected by TOE................................................................ 17
3.1.2. Threats ....................................................................................... 19
3.2. Organizational Security Policies................................................... 20
3.3. Assumptions ............................................................................ 20

4. SECURITY OBJECTIVES ....................................................21

4.1. Security Objectives for the TOE .................................................. 21
4.2. Security Objectives for the Environment ...................................... 22
4.3. Security Objectives Rationale ..................................................... 22

5. EXTENDED COMPONENTS DEFINITION ...............................26

5.1. Extended Components............................................................... 26

- ii -
6. SECURITY REQUIREMENTS ...............................................27
6.1. Security Functional Requirements ............................................... 32
6.1.1. Class FAU: Security audit............................................................. 32
6.1.2. Class FCS: Cryptographic support ................................................... 37
6.1.3. Class FDP: User data protection .................................................... 38
6.1.4. Class FIA: Identification and authentication ..................................... 43
6.1.5. Class FMT: Security management ................................................... 47
6.1.6. Class FPT: Protection of the TSF ................................................... 53
6.1.7. Class FTP: Trusted path/channels ................................................. 54
6.2. Security Assurance Requirements ............................................... 55
6.3. Security Requirement Rationale .................................................. 56
6.3.1. Security Functional Requirements Rationale ..................................... 56
6.3.2. Dependencies of Security Functional Requirements ........................... 60
6.3.3. Security Assurance Requirements Rationale ..................................... 63

7. TOE SUMMARY SPECIFICATION .........................................64

7.1. Security Functions .................................................................... 64
7.1.1. Hard Disk Data Overwrite (TSF_IOW).............................................. 65
7.1.2. Hard Disk Data Encryption (TSF_CIPHER) ........................................ 65
7.1.3. User Authentication (TSF_USER_AUTH) ........................................... 66
7.1.4. System Administrator’s Security Management (TSF_FMT) .................. 71
7.1.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT) ................. 73
7.1.6. Security Audit Log (TSF_FAU) ........................................................ 73
7.1.7. Internal Network Data Protection (TSF_NET_PROT) ........................... 75
7.1.8. Fax Flow Security (TSF_FAX_FLOW) ................................................ 77

8. ACRONYMS AND TERMINOLOGY ........................................78

8.1. Acronyms ................................................................................ 78
8.2. Terminology ............................................................................. 79

9. REFERENCES ..................................................................82

- iii -
 - List of Figures and Tables -
Figure 1: Intended Operational Environment ........................................................4
Figure 2: MFD Units and TOE Logical Scope .......................................................... 7
Figure 3: Authentication Flow for Private Print and Mailbox ................................... 10
Figure 4: MFD Units and TOE Physical Scope ...................................................... 14
Figure 5: Assets under and not under Protection ................................................. 18

Table 1: Function Types and Functions provided by the TOE .................................... 2

Table 2: User Role Assumptions ..........................................................................6
Table 3: TOE Basic Functions ..............................................................................7
Table 4: Categories of TOE Setting Data............................................................. 18
Table 5: Threats Addressed by the TOE .............................................................. 19
Table 6: Organizational Security Policy............................................................... 20
Table 7: Assumptions ...................................................................................... 20
Table 8: Security Objectives for the TOE ............................................................ 21
Table 9: Security Objectives for the Environment ................................................ 22
Table 10: Correspondences between Security Objectives and Assumptions / Threats /
Organizational Security Policies ................................................................... 22
Table 11: Security Objectives Rationale for Security Problem ................................ 23
Table 12: Auditable Events of TOE and Individually Defined Auditable Events .......... 32
Table 13: Operations between Subjects and Objects Covered by MFD Access Control SFP
.............................................................................................................. 38
Table 14: Rules for Access Control .................................................................... 39
Table 15: Rules for Explicit Access Authorization ................................................. 40
Table 16: Subjects, Information, and Operations to cause the information flow........ 41
Table 17: List of Security Functions ................................................................... 47
Table 18: Security Attributes and Authorized Roles .............................................. 48
Table 19 Initialization property ........................................................................ 49
Table 20: Operation of TSF Data ....................................................................... 50
Table 21: Security Management Functions Provided by TSF .................................. 51
Table 22: EAL3 Assurance Requirements ............................................................ 55
Table 23: Correspondences between Security Functional Requirements and Security
Objectives ................................................................................................ 56
Table 24: Security Objectives to SFR Rationale ................................................... 57
Table 25: Dependencies of Functional Security Requirements ................................ 61
Table 26: Correspondences between Security Functional Requirements and TOE Security
Functions ................................................................................................. 64
Table 27: Management of security attributes ...................................................... 68
Table 28: Access Control.................................................................................. 69
Table 29: Details of Security Audit Log Data ....................................................... 73

- iv -
 Fuji Xerox C2263 Series Security Target

1. ST INTRODUCTION
This chapter describes Security Target (ST) Reference, TOE Reference, TOE Overview, and TOE
Description.

1.1. ST Reference
This section provides information needed to identify this ST.

ST Title: Fuji Xerox DocuCentre-IV C2263 Series Controller Software Security

Target
ST Version: V 1.0.3
Publication Date: November 23, 2011
Author: Fuji Xerox Co., Ltd.

1.2. TOE Reference

This section provides information needed to identify this TOE.
The TOE resides within the DocuCentre-IV C2263.
The TOE is identified by the following TOE name and ROM version:

TOE
Fuji Xerox DocuCentre-IV C2263 Series Controller Software.
Identification:
Version: Controller ROM Ver. 1.0.12
Manufacturer: Fuji Xerox Co., Ltd.

1.3. TOE Overview

1.3.1. TOE Type and Major Security Features

1.3.1.1. TOE Type

This TOE, categorized as an IT product, is the controller software for MFD and has copy, print, and
scan functions.
The TOE is provided as the firmware product which controls the whole MFD and protects the
following against threats: the document data stored on the internal HDD, the used document data, the
security audit log data, the document data exists on the internal network between the TOE and the
remote, and the TOE setting data. The TOE is stored on the controller ROM which is on the controller
board.

- 1 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

1.3.1.2. Function Types

Table 1 shows the function types and functions provided by the TOE.

Table 1: Function Types and Functions Provided by the TOE

Function types Functions provided by the TOE

- Control Panel
- CWIS
- Copy
- Print
Basic Function
- Scan
- Network Scan
- Fax
- Direct Fax
- Hard Disk Data Overwrite
- Hard Disk Data Encryption
- User Authentication
- Administrator’s Security Management
Security Function
- Customer Engineer Operation Restriction
- Security Audit Log
- Internal Network Data Protection
- Fax Flow Security

・ The Data Security Kit, an option, must be used to obtain the security features of the TOE.
・ Optional Fax board (out of the TOE boundary) is required to use Fax, Direct Fax, and Fax Flow
Security functions.
・ To use print, scan, and Direct Fax functions, the following items shall be installed to the external
client for general user and that for system administrator: printer driver, Network Scan Utility,
and fax driver.

1.3.1.3. Usage and Major Security Features of TOE

The TOE is mainly used to perform the following functions:

・ Copy function and Control Panel function are to read the original data from IIT and print them
out from IOT according to the general user’s instruction from the control panel. When more than
one copy of an original data is ordered, the data read from IIT are first stored into the MFD
internal HDD. Then, the stored data are read out from the internal HDD for the required
number of times so that the required number of copies can be made.
・ Print function is to decompose and print out the print data transmitted by a general user client.
・ CWIS (CentreWare Internet Service) is to retrieve the document data scanned by MFD from
Mailbox.
It also enables a system administrator to refer to and rewrite TOE setting data via Web browser.

- 2 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

・ Scan function and Control Panel function are to read the original data from IIT and store them
into Mailbox within the MFD internal HDD, according to the general user’s instruction from the
control panel.
The stored document data can be retrieved via standard Web browser by using CWIS or
Network Scan Utility.
・ Network Scan function and Control Panel function are to read the original data from IIT and
transmit the document data to FTP server, or SMB server according to the information set in the
MFD. This function is operated according to the general user’s instruction from the control
panel.
・ Fax function and Control Panel function are to send and receive fax data. According to the
general user’s instruction from the control panel to send a fax, the original data are read from IIT
and then sent to the destination via public telephone line. The document data are received from
the sender’s machine via public telephone line and then printed out from the recipient’s IOT or
stored in Mailbox.
・ The Direct Fax function is to send data from a user client to the destination via public telephone
line. The data are first sent to MFD as a print job and then to the destination without being
printed out.

The TOE provides the following security features:

・ Hard Disk Data Overwrite
To completely delete the used document data in the internal HDD, the data are overwritten with
new data after any job of copy, print, scan, etc. is completed.
・ Hard Disk Data Encryption
The document data and the security audit log data are encrypted before being stored into the
internal HDD when using any function of copy, print, scan, etc. or configuring various security
function settings.
・ User Authentication
Access to the TOE functions is restricted to the authorized user and this function identifies and
authenticates users. A user needs to enter his/her ID and password from the fax driver, Network
Scan Utility, ApeosWare Device Setup or CWIS of the general user client, or MFD control
panel.
・ System Administrator’s Security Management
This function allows only the system administrator identified and authorized from the control
panel or system administrator client to refer to and change the TOE security function settings.
・ Customer Engineer Operation Restriction
A system administrator can prohibit CE from referring to and changing the TOE security
function settings.
・ Security Audit Log
The important events of TOE such as device failure, configuration change, and user operation
are traced and recorded based on when and who used what function.
・ Internal Network Data Protection
This function protects the communication data on the internal network such as document data,

- 3 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

security audit log data, and TOE setting data. (The following general encryption communication-
protocols are supported: SSL/TLS, IPSec, and SNMP v3.)
・ Fax Flow Security
This function prevents unauthorized access to the TOE or the internal network via Fax board
from public telephone line.

Note: The TOE does not provide the S/MIME function for E-mail and Internet Fax functions.

1.3.2. Environment Assumptions

This TOE is assumed to be used as an IT product at general office and to be connected to public
telephone line, user clients, and the internal network protected from threats on the external network by
firewall etc.
Figure 1 shows the general environment for TOE operation.

External
Network

General User Client

General User
-Printer Driver General User Client
-Fax Driver
-Network Scan -Printer Driver
General Utility Firewall -Fax Driver
User -Web Browser
USB

MFD
System Administrator
Client Internal
Network
System - Web Browser
- ApeosWare Device TOE
Administrator
Setup
USB

Fax Board

FTP Server

SMB Server

Public
Telephone
Line
General User CE System
Administrator

Figure 1: General Operational Environment

- 4 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

1.3.3. Required Non-TOE Hardware and Software

In the operational environment shown in Figure 1, the TOE (controller software) and the following
non-TOE hardware/software exist.

(1) MFD:
The MFD has a user interface to provide MFD functions and the hardware for scan/print/copy
functions. It includes the control panel, ADF, IIT, IOT, controller board, and Fax board (option).

(2) General user client:

The hardware is a general-purpose PC. When a client is connected to the MFD via the internal
network and when the printer driver, Network Scan Utility, and fax driver are installed to the
client, the general user can request the MFD to print, fax, and retrieve the document data.
The user can also request the MFD to retrieve the scanned document data via Web browser by
using scan function of the MFD. Additionally, the general user can change the settings which
he/she registered to the MFD: Mailbox name, password, access control, and automatic deletion of
document.
When the client is connected to the MFD directly via USB and printer/fax driver is installed to the
client, the user can request the MFD to print/fax the document data.

(3) System administrator client:

The hardware is a general-purpose PC. A system administrator can refer to and change TOE
setting data via Web browser or ApeosWare Device Setup.

(4) FTP server:

The hardware/OS is a general-purpose PC or server. The MFD sends document data to FTP server
via FTP.

(5) SMB server:

The hardware/OS is a general-purpose PC or server. The MFD sends document data to SMB
server via SMB.

(6) Fax board:

The Fax board is connected to external public telephone line and supports G3 protocols. The Fax
board is connected to the MFD via USB interface to enable sending and receiving of fax.

The OS of (2) general user client and (3) system administrator client are assumed to be Windows XP,
Windows Vista, and Windows 7.

- 5 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

1.4. TOE Description

This section describes user assumptions and logical/physical scope of this TOE.

1.4.1. User Assumptions

Table 2 specifies the roles of TOE users assumed in this ST.

Table 2: User Role Assumptions

User Role Description

Administrator of the
organization
General user
System administrator
(Key operator + System
Administrator Privilege [SA])
Customer engineer (CE)
An administrator or responsible official of the organization which
owns and uses TOE.
A user of TOE functions such as copy, print and fax.
A user who is authorized to manage the device using the system
administrator mode. A system administrator can refer to and rewrite
the TOE setting for device operation and that for security functions
via TOE control panel, ApeosWare Device Setup, and Web browser.
A user who can configure the TOE operational settings using the
interface for CE.

1.4.2. Logical Scope and Boundary

The logical scope of this TOE consists of each function of the programs recorded on the controller
ROM.
Figure 2 shows the logical architecture of the MFD.

- 6 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Logical Scope

TOE Controller ROM System

General User Administrator
Control Panel CWIS Client
System -Web Browser
Administrator User Internal Network - ApeosWare
Authentication Data Protection Device Setup
Customer System General User
Engineer Administrator’s Print
(Decompose) Client
Security - Printer driver
Management - Fax Driver
Security - Network Scan
Audit Log Copy Utility
- Web Browser
Fax Board Fax / Direct Fax
(Public Telephone
Fax Flow
Line) FTP Server
Security
Scan / Network SMB Server
Hard Disk Data Scan
Encryption

Hard Disk Data Customer Engineer

Overwrite Operation
Restriction

Internal HDD NVRAM/SEEPROM

Used Audit
Document Document Log TOE Setting Other Setting
Data Data Data Data Data

Figure 2: MFD Units and TOE Logical Scope

1.4.2.1. Basic Functions

As shown in Table 3, the TOE provides the functions of control panel, copy, print, scan, network scan,
fax, Direct Fax, and CWIS to general user.

Table 3: TOE Basic Functions

Function Description
Control Panel Control panel function is a user interface function for general user, CE, and
Function system administrator to operate MFD functions.
Copy Function Copy function is to read the original data from IIT and print them out from
IOT according to the general user’s instruction from the control panel.

- 7 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

When more than one copy of an original is ordered, the data read from IIT
are first stored into the MFD internal HDD. Then, the stored data are read out
from the internal HDD for the required number of times so that the required
number of copies can be made.
Print Function Print function is to print out the data according to the instruction from a
general user client. The print data created via printer driver are sent to the
MFD to be analyzed, decomposed, and printed out from IOT.
The print function is of two types: the normal print in which the data are
printed out from IOT directly after decomposed and the Store Print in which
the bitmap data are temporarily stored in the internal HDD and then printed
out from IOT according to the general user’s instruction from the control
panel.
Scan Function, Scan function is to read the original data from IIT and then store them into
Network Scan the internal HDD according to the general user’s instruction from the control
Function panel.
A general user can retrieve the stored document data from a general user
client via CWIS or Network Scan Utility.
Network scan function is to read the original data from IIT and automatically
transmit them to a general user client, FTP server, or SMB server according
to the information set in the MFD. A general user can request this function
from the control panel.
Fax Function Fax function is to send and receive fax data. According to the general user’s
instruction from the control panel to send a fax, the original data them read
from IIT and sent to the destination via public telephone line. The document
data are received from the sender’s machine via public telephone line.
Direct Fax Function Direct Fax function is to directly fax document data to the destination.
According to the instruction from a general user client to send a fax, the print
data created via fax driver are sent to the MFD, analyzed, and decomposed.
Then, the data are converted to the format for fax sending and sent to the
destination via public telephone line.
CWIS Function CWIS is to retrieve the scanned document data and the received fax data that
are stored in the internal HDD according to the instruction from Web browser
of a general user client.
CWIS also enables System Administrator’s Security Management by which a
system administrator can access and rewrite TOE setting data. For this, a
system administrator must be authenticated by his/her ID and password
entered from Web browser of a system administrator client.

1.4.2.2. Security Functions

The security functions provided by the TOE are the following.

- 8 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

(1) Hard Disk Data Overwrite

To completely delete the used document data in the internal HDD, the data are overwritten with
new data after each job (copy, print, scan, Network Scan, Fax, or Direct Fax) is completed.
Without this function, the used document data remain and only the management data are deleted.

(2) Hard Disk Data Encryption

Some data such as the security audit log data and the document data in Mailbox remain in the
internal HDD even if the machine is powered off. To solve this problem, the document data and
security audit log data are encrypted before being stored into the internal HDD when operating
any function of copy, print, scan, network scan, fax, and Direct Fax or configuring various
security function settings.

(3) User Authentication

Access to the MFD functions is restricted to the authorized user. To be identified and
authenticated, a user needs to enter his/her ID and password from MFD control panel, fax driver,
Network Scan Utility, ApeosWare Device Setup, or CWIS of the user client.

Only the authenticated user can use the following functions:

a) Functions controlled by the MFD control panel:
Copy, fax (send), scan, network scan, Mailbox, and print (This print function requires the
Accounting System preset from printer driver. A user must be authenticated from the control
panel for print job.)
b) Functions controlled by Network Scan Utility of user client:
Function to retrieve document data from Mailbox
c) Functions controlled by CWIS:
Display of device condition, display of job status and its log, function to retrieve document data
from Mailbox, and print function by file designation

Among the above functions which require user authentication, some particularly act as security
functions. The following are the security functions which prevent the unauthorized reading of
document data in the internal HDD by an attacker who is impersonating an authorized user:
・ The Store Print function (Private Print function) and the Mailbox function, which require user
authentication from the control panel,
・ The function to retrieve document data from Mailbox (Mailbox function) which requires user
authentication by using CWIS or Network Scan Utility, and the Store Print function (Private
Print function) by file designation using CWIS.

Figure 3 shows the authentication flow of the above functions.

- 9 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

User Client

Network Scan
Printer driver Web Browser Utility
(User ID Setting) (CWIS)

TOE
Classification Authentication Authentication

Private Mailbox
Scanned Data,
Print Job Print
Received Fax Data

Authentication from Control Panel

Print

Figure 3: Authentication Flow for Private Print and Mailbox

 Store Print Function (Private Print Function)

When the MFD is set to “Save as Private Charge Print,” and a user sends a print request from the
printer driver in which the Accounting System is preset, the print data are decomposed into
bitmap data, classified according to the user ID, and temporarily stored in the corresponding
Private Print area within the internal HDD.
In the same way, when the user is authenticated by entering his/her ID and password from CWIS
for authentication, and the user sends a print request by designating the files within a user client,
the print data are temporarily stored in Private Print area according to the user ID.
To refer to the stored print data, a user needs to enter his/her ID and password from the control
panel. When the user is authenticated, the data on the waiting list corresponding to the user ID are
displayed. The user can request printing or deletion of the data on the list.

 Mailbox Function
The scanned data and received fax data can be stored into Mailbox from IIT and Fax board which
are not shown in Figure 3.
To store the scanned data into Mailbox, a user needs to enter his/her ID and password from the
control panel. When the user is authenticated, the document data can be scanned from IIT and
stored into the internal HDD according to the user’s instruction from the control panel.
To store the received fax data into Mailbox, user authentication is not required. Among the

- 10 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

received fax data transmitted over public telephone line, the following data are automatically
classified and stored into each corresponding Mailbox: the received fax data whose corresponding
Mailbox is specified by the sender, the received fax data from a particular sender (the data are
classified according to the sender’s telephone number), and the received fax data from an
unknown sender.
To retrieve, print, or delete the stored data in the Personal Mailbox corresponding to the each
registered user’s ID, user authentication is required; the MFD compares the user ID and password
preset in the device against those entered by a user from the control panel, CWIS, or Network
Scan Utility.

(4) System Administrator’s Security Management

To grant a privilege to a specific user, this TOE allows only the authenticated system
administrator to access the System Administrator mode which enables him/her to refer to and set
the following security functions from the control panel:
・ Refer to and set Hard Disk Data Overwrite;
・ Refer to and set Hard Disk Data Encryption;
・ Set the cryptographic seed key for Hard Disk Data Encryption;
・ Refer to and set the functions that use password entered from MFD control panel in user
authentication;
・ Set the ID and password of key operator (only a key operator is privileged);
・ Refer to and set the ID of SA / general user, and set the password ;
・ Refer to and set the access denial when system administrator’s authentication fails;
・ Refer to and set the limit of user password length (for general user and SA);
・ Refer to and set the SSL/TLS communication;
・ Refer to and set the IPSec communication;
・ Refer to and set the User Authentication;
・ Refer to and set the Store Print;
・ Refer to and set the date and time;

Additionally, this TOE allows only the system administrator, who is authenticated from the
system administrator client via Web browser using CWIS, to refer to and set the following
security functions via CWIS:
・ Set the ID the password of key operator (only a key operator is privileged);
・ Refer to and set the ID of SA / general user, and set the password;
・ Refer to and set the access denial when system administrator’s authentication fails;
・ Refer to and set the limit of user password length (for general user and SA);
・ Refer to and set Audit Log;
・ Refer to and set the SSL/TLS communication;
・ Refer to and set the IPSec communication;
・ Refer to and set the SNMPv3 communication;
・ Refer to and set the SNMPv3 authentication password.

- 11 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

・ Create/upload/download an X.509 certificate;

・ Refer to and set the User Authentication;

Moreover, this TOE allows only the key operator (excluding SA), who is authenticated from the
system administrator client via ApeosWare Device Setup, to refer to and set the following security
functions:
・ Set the ID and password of key operator;
・ Refer to and set the ID of SA / general user, and set the password;
・ Refer to and set the functions that use the password entered from MFD control panel in user
authentication;
・ Refer to and set User Authentication;
・ Refer to and set date and time;

(5) Customer Engineer Operation Restriction

This TOE allows only the authenticated system administrator to refer to or enable/disable the
Customer Engineer Operation Restriction setting from the control panel and CWIS. For this, CE
cannot refer to or change the setting of each function described in (4) System Administrator’s
Security Management.

(6) Security Audit Log

The important events of TOE such as device failure, configuration change, and user operation are
traced and recorded based on when and who operated what function. Only a system administrator
can supervise or analyze the log data by downloading them in the form of tab-delimited text file
via Web browser using CWIS. To download the log data, SSL/TLS communication needs to be
enabled.

(7) Internal Network Data Protection

The communication data on the internal network such as document data, security audit log data,
and TOE setting data are protected by the following general encryption communication-protocols:
・ SSL/TLS
・ IPSec
・ SNMP v3

(8) Fax Flow Security

A Fax board is an option and is connected to TOE controller board via USB interface. An attacker
cannot access the TOE or the internal network from public telephone line via the Fax board.

1.4.2.3. Settings for the Secure Operation

System administrator shall set the following to enable security functions in 1.4.2.2.

- 12 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

・ Hard Disk Data Overwrite

Set to [Enabled].
・ Hard Disk Data Encryption
Set to [Enabled].
・ Passcode Entry from Control Panel
Set to [Enabled].
・ Access denial when system administrator’s authentication fails
Default [5] Times.
・ SSL/TLS
Set to [Enabled]
・ IPSec
Set to [Enabled]
・ User Authentication
Set to [Local Authentication]
・ Store Print
Set to [Save As Private Charge Print]
・ Audit Log
Set to [Enabled]
・ SNMPv3
Set to [Enabled]
・ Customer Engineer Operation Restriction
Set to [Enabled]

- 13 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

1.4.3. Physical Scope and Boundary

The physical scope of this TOE is the controller board. Figure 4 shows configuration of each unit and
TOE physical scope.

System Administrator
Control Panel buttons, lamps, touch screen panel
General User
CE

ADF Controller Board System Administrator

Controller ROM NVRAM Client

Ethernet
ADF
Copy Hard Disk General User Client
Board Control
Data FTP Server
Panel
Scan / Overwrite SMB Server
Network Customer
Scan SEEPROM
Hard Disk Engineer
IIT Data Operation

USB (device)
Print Encryption Restriction
IIT Board General User Client
(decompos
Security (USB)
e) DRAM
Fax Flow Audit Log
Security
Fax /
Direct Fax User
IOT Authenticat
CWIS System ion
IOT Board Administrat
or’s Security Network
Data
USB (host)

Management
Protection Fax Board
(Public Telephone Line)

CPU

: TOE
Internal HDD

Figure 4: MFD Units and TOE Physical Scope

The MFD consists of the PWB units of controller board and control panel, IIT, and IOT,ADF.
The controller board is connected to the control panel via the internal interfaces which transmit
control data, and the controller board is connected to the Fax board, the IIT board, and IOT board via
the internal interfaces which transmit document data and control data.
The controller board is a PWB which controls MFD functions of copy, print, scan, and fax. The board
has a network interface (Ethernet) and local interfaces (USB) and is connected to the IIT board and

- 14 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

IOT board.
The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to use and
configure MFD functions of copy, print, scan, and fax.
The IIT (Image Input Terminal) is a device to scan an original and send its data to the controller board
for copy, scan, and fax functions.
The IOT (Image Output Terminal) is a device to output image data which was sent from the controller
board.
The ADF(Auto Document Feeder) is a device to automatically transfer original documents to IIT.

1.4.4. Guidance
The following are the guidance documents for this TOE.
・ DocuCentre-IV C2263 Administrator Guide
・ DocuCentre-IV C2263 User Guide
・ DocuCentre-IV C2263 Security Function Supplementary Guide

- 15 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

2. CONFORMANCE CLAIMS

2.1. CC Conformance Claims

This ST and TOE conform to the following evaluation standards for information security (CC):

Common Criteria for Information Technology Security Evaluation

Part 1: Introduction and general model, Version 3.1 Revision 3 Japanese Version 1.0
Part 2: Security functional components, Version 3.1 Revision 3 Japanese Version 1.0
Part 3: Security assurance components, Version 3.1 Revision 3 Japanese Version 1.0

The security functional requirements of this ST conform to CC Part 2.

The security assurance requirements of this ST conform to CC Part 3.

2.2. PP Claims, Package Claims

2.2.1. PP Claims
There is no applicable Protection Profile.

2.2.2. Package Claims

This ST conforms to EAL3.

2.2.3. Conformance Rationale

There is no applicable PP rationale since this ST does not conform to PP.

- 16 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

3. SECURITY PROBLEM DEFINITION

This chapter describes the threats, organizational security policies, and the assumptions for the use of
this TOE.

3.1. Threats

3.1.1. Assets Protected by TOE

This TOE protects the following assets (Figure 5):
(1) Right to use MFD functions
The general user’s right to use each function of the TOE is assumed as an asset to be protected.
(2) Document data stored for job processing
When a general user uses MFD functions of copy, print, fax, and scan, the document data are
temporarily stored in the internal HDD for image processing, transmission, and Store Print. The
user can retrieve the stored document data in the MFD from a general user client by CWIS
function and Network Scan Utility. The stored data include general user’s confidential
information and are assumed as assets to be protected.
(3) Used document data
When a general user uses MFD functions of copy, print, fax, and scan, the document data are
temporarily stored in the internal HDD for image processing, transmission, and Store Print. When
the jobs are completed or canceled, only the management information is deleted but the data itself
remains. The residual data include general user’s confidential information and are assumed as
assets to be protected.
(4) Security audit log data
In the function of Security Audit Log, the important events such as device failure, configuration
change and user operation are recorded based on when and who operated what function. For
preventive maintenance and response to the events and detection of unauthorized access, only a
system administrator can retrieve the log data stored in MFD by CWIS function. The log data are
assumed as assets to be protected.
(5) TOE setting data
A system administrator can set TOE security functions from the MFD control panel or system
administrator client by the function of System Administrator’s Security Management. The setting
data stored in the TOE (see Table 4) can be a threat to other assets if used without authorization
and are assumed as assets to be protected.

- 17 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

General User Client

System Administrator Client
External
Network Asset under protection
- Printer Driver
- Fax Driver
- Web Browser Asset not under protection
- Network Scan Utility
- ApeosWare Device Setup
Internally Stored Data
Firewall TOE
Document data, security audit log
Document Data
data, and TOE setting data Used Document Data
transmitted in the internal network Security Audit Log Data
TOE Setting Data

Internal
Network Other Setting Data

General Data on the

Inaccessible
Internal Network
Public
Telephone
General Client Line
and Server

Internally Stored Data

Figure 5: Assets under and not under Protection

Note) The data stored in a general client and server within the internal network and the general data on
the internal network are not assumed as assets to be protected. This is because TOE functions prevent
the access to the internal network from public telephone line and it cannot be a threat.

Table 4 categorizes the TOE setting data recorded on NVRAM and SEEPROM of the controller
board.

Table 4: Categories of TOE Setting Data

Categories of TOE Setting Data (Note)

Data on Hard Disk Data Overwrite
Data on Hard Disk Data Encryption
Data on use of password entered from MFD control panel in user authentication
Data on minimum password length of user password
Data on ID and password of system administrator
Data on access denial due to authentication failures of system administrator

- 18 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Categories of TOE Setting Data (Note)

Data on Customer Engineer Operation Restriction
Data on Internal Network Data Protection
Data on Security Audit Log
Data on Mailbox
Data on User Authentication
Data on Store print
Data on date and time

Note: The setting data other than TOE setting data are also stored on NVRAM and SEEPROM. Those
setting data, however, are not assumed as assets to be protected because they do not engage in TOE
security functions.

3.1.2. Threats
Table 5 identifies the threats addressed by the TOE. An attacker is considered to have the disclosed
information on TOE operations and low-level attack capability.

Table 5: Threats Addressed by the TOE

Threat (Identifier) Description

An attacker may remove the internal HDD and connect it to commercial
tools so that he/she can read out and leak the document data, used
T.RECOVER
document data, security audit log data from the HDD without
authorization.
An attacker may access, read, or alter, from control panel or system
T.CONFDATA administrator client, the TOE setting data which only a system
administrator is allowed to access.
An attacker may read document data and security audit log data from
T.DATA_SEC
control panel or Web browser without authorization.
An attacker may intercept or alter document data, security audit log
T.COMM_TAP
data, and TOE setting data on the internal network.
An attacker may access the TOE and use TOE functions without
T.CONSUME
authorization.

- 19 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

3.2. Organizational Security Policies

Table 6 below describes the organizational security policy the TOE must comply with.

Table 6: Organizational Security Policy

Organizational Policy
Description
(Identifier)
At the behest of the US military in Japan, it must be ensured that the
P.FAX_OPT
internal network cannot be accessed via public telephone line.

3.3. Assumptions
Table 7 shows the assumptions for the operation and use of this TOE.

Table 7: Assumptions

Assumption
Description
(Identifier)
Personnel Confidence
A system administrator shall have the necessary knowledge of TOE
A.ADMIN security functions to perform the given role of managing the TOE and
shall not operate the TOE with malicious intent.
Protection Mode
A system administrator shall configure and set the TOE properly
A.SECMODE according to the security policy of organization and the product
guidance document to manage the TOE and its external environment.

- 20 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

4. SECURITY OBJECTIVES
This chapter describes the security objectives for the TOE and for the environment and the rationale.

4.1. Security Objectives for the TOE

Table 8 defines the security objectives to be accomplished by the TOE.

Table 8: Security Objectives for the TOE

Security
Description
Objectives(Identifier)
The TOE must provide the Security Audit Log function and its log data
O.AUDITS
which are necessary to monitor unauthorized access.
The TOE must encrypt the document data, used document data, and
O.CIPHER security audit log data to be stored into the HDD so that they cannot be
analyzed even if retrieved.
The TOE must provide encryption communication function to protect the
document data, security audit log data, and TOE setting data on the
O.COMM_SEC
internal network between TOE and the remote from interception and
alteration.
The TOE must prevent the unauthorized access to the internal network via
O.FAX_SEC
Fax modem from public telephone line.
The TOE must inhibit a general user from accessing the TOE setting data.
The TOE allows only the authenticated system administrator to access the
O.MANAGE
system administrator mode which enables him/her to configure the
security functions.
The TOE must provide overwrite function to prevent the used document
O.RESIDUAL
data in the internal HDD from being reproduced or recovered.
The TOE must provide the function to identify TOE user and allow only
O.USER the authorized user to retrieve, and delete the document data and to change
the password.
O.RESTRICT The TOE must inhibit an unauthorized user from using the TOE functions.

- 21 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

4.2. Security Objectives for the Environment

Table 9 defines the security objectives for the TOE environment.

Table 9: Security Objectives for the Environment

Security
Description
Objectives(Identifier)
A system administrator who is assigned by an organization administrator
OE.ADMIN as an appropriate and reliable person for this TOE management and who
receives necessary training to manage the TOE.
A system administrator shall configure and set the TOE properly according
to the security policy of organization and the product guidance document
to manage the TOE.
OE.SEC
In addition, a system administrator shall manage the external IT
environment according to the security policy of organization and the
product guidance document.

4.3. Security Objectives Rationale

The security objectives are established to correspond to the assumptions specified in Security Problem
Definition, to counter the threats, or to realize the organizational security policies. Table 10 shows
assumptions / threats / organizational security policies and the corresponding security objectives.
Moreover, Table 11 shows that each defined security problem is covered by the security objectives.

Table 10: Assumptions / Threats / Organizational Security Policies and the Corresponding Security
Objectives

Security Problems
T.COMM_TAP
T.CONFDATA
A.SECMODE

T.DATA_SEC

T.CONSUME
T.RECOVER

P.FAX_OPT
A.ADMIN

Security Objectives
O.AUDITS        
O.CIPHER        
O.COMM_SEC        
O.FAX_SEC        
O.MANAGE        
O.RESIDUAL        
O.USER        
O.RESTRICT        

- 22 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Problems

T.COMM_TAP
T.CONFDATA
A.SECMODE

T.DATA_SEC

T.CONSUME
T.RECOVER

P.FAX_OPT
A.ADMIN
Security Objectives
OE.ADMIN        
OE.SEC        

Table 11: Security Objectives Rationale for Security Problem

Security Problem Security Objectives Rationale

By satisfying the following objective, A.ADMIN can be realized:
By OE.ADMIN, a system administrator is assigned by an organization
A.ADMIN administrator as an appropriate and reliable person for this TOE
management, and receives necessary training to manage the TOE and
performs the TOE management according to the guidance.
By satisfying the following objectives, A.SECMODE can be realized:
By OE.SEC, a system administrator shall configure and set the TOE
properly according to the security policy of organization and the
A.SECMODE product guidance document to manage the TOE.
In addition, a system administrator shall manage the external IT
environment according to the security policy of organization and the
product guidance document.
By satisfying the following objective, T.RECOVER can be countered:
By OE.SEC, it is necessary to enable the TOE security functions (i.e.
Hard Disk Data Overwrite and Hard Disk Data Encryption) and disable
the reading-out of the document data and security audit log data in the
internal HDD as well as the recovery of the used document data. To be
specific, this threat can be countered by the following security
T.RECOVER objectives: O.CIPHER and O.RESIDUAL.
By O.CIPHER, the document data and security audit log data in the
internal HDD are encrypted to disable the reference and reading-out of
the document data, used document data, and security audit log data.
By O.RESIDUAL, the used document data are overwritten and deleted
to disable the recovery and reproduction of the used document data
stored in the internal HDD.
By satisfying the following objective, T.CONFDATA can be
T.CONFDATA countered:
By OE.SEC, it is necessary to enable the security functions (i.e. User

- 23 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Problem Security Objectives Rationale

Authentication with Password, System Administrator Password,
Access Denial due to System Administrator’s Authentication Failures,
Customer Engineer Operation Restriction, and Audit Log) and permits
only the authenticated system administrator to change the TOE setting
data. In addition, it is necessary to manage the external IT environment
according to the security policy of organization and the product
guidance document.
To be specific, this threat can be countered by the following security
objectives, O.MANAGE, O.USER, and O.AUDITS:
By O.MANAGE, only the authenticated system administrator is
allowed to enable/disable the TOE security functions and to refer to /
update the TOE setting data.
By O.USER, only the authorized user is allowed to change the
password.
By O.AUDITS, the audit log function necessary to monitor
unauthorized access and the security audit log data are provided.
By satisfying the following objective, T.CONSUME can be countered.
T.CONSUME
By O.RESTRICT, the access to the TOE can be controlled.
By satisfying the following objectives, T.COMM_TAP can be
countered.
By OE.SEC, the document data, security audit log data, and TOE
setting data on the internal network can be protected from interception.
By O.COMM_SEC, the client/server authentication function of
T.COMM_TAP
encryption communication protocol allows only the authorized user to
send/receive the communication data. Encrypting communication data
with encryption function also disables the interception and alteration of
the internal network data (incl. document data, security audit log data,
and TOE setting data).
By satisfying the following objectives, T.DATA_SEC can be countered.
By OE.SEC, it is necessary to enable the following passwords, user
authentication function, and security audit log function: User Password,
System Administrator Password, User Authentication, Security Audit
Log. Then, only the authenticated user is allowed to access the security
audit log data and document data. In addition, it is necessary to manage
T.DATA_SEC
the external IT environment according to the security policy of
organization and the product guidance document.
By O.USER, only the authenticated user is allowed to read out the
document data and security audit log data stored in the internal HDD.
By O.MANAGE, only the authenticated system administrator is
allowed to configure the TOE security functions.

- 24 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Problem Security Objectives Rationale

By O.AUDITS, the audit log function necessary to monitor
unauthorized access and the security audit log data are provided.
By satisfying the following objectives, P.FAX_OPT can be observed.
By O.FAX_SEC, the access to the internal network via public
P.FAX_OPT telephone line is disabled. This realizes P.FAX_OPT.
Since the data received from public telephone line are not sent to the
internal network, the internal network cannot be accessed.

- 25 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

5. EXTENDED COMPONENTS DEFINITION

5.1. Extended Components

This ST conforms to CC Part 2 and CC Part 3, and there are no extended components which shall be
defined.

- 26 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

6. SECURITY REQUIREMENTS
This chapter describes the security functional requirements, security assurance requirements, and
security requirement rationale.
The terms and phrases used in this chapter are defined below.

- Subject
Term/phrase
Key Operator Process
SA Process
General User Process
Receiving information from
public telephone line
Sending information to public
telephone line
Sending information to the
internal network
Receiving information from the
internal network.
Definition
Operation upon using Mailbox and Store Print when
the user authentication of key operator succeeded.
Operation upon using Mailbox and Store Print when
the user authentication of SA succeeded.
Operation upon using Mailbox and Store Print when
the user authentication of general user succeeded.
To receive the document data from the sender’s
machine via public telephone line, as receiving fax
data.
To send the document data to the destination via public
telephone line according to the general user’s
instruction from the control panel or client PC, as
sending fax data.
To send the Network Scan data to the destination, a
client PC, within the internal network.
To receive the print data or the Direct Fax from the
sender, a client PC, within the internal network.

- Object
Term/phrase Definition
Mailbox A logical box created in the MFD internal HDD.
Mailbox can store the scanned document data or the
document data received via fax, categorizing by users
and senders.
Personal Mailbox The Mailbox privately used by a general user. Each
user can create his/her own Personal Mailbox.
Shared Mailbox The Mailbox shared by any general user. Key operator
can create the Shared Mailbox.
Store Print A print function in which bitmap data (decomposed
print data) are temporarily stored in the MFD internal
HDD and then printed out according to the
authenticated general user’s instruction from the
control panel.

- 27 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Used document data stored in the The remaining data in the MFD internal HDD even
internal HDD after deletion. The document data are first stored into
the internal HDD, used, and then only their files are
deleted.
Document data Document data means all the data including image data
transmitted across the MFD when any of copy, print,
scan or fax functions is operated by a general user.
Security Audit Log The chronologically recorded data of important events
of the TOE. The events such as device failure,
configuration change, and user operation are recorded
based on when and who caused what event and its
result.

- Operation
Term/phrase Definition
Delivery MFD receives the data from public telephone line for
fax function.
Modify of behavior To change the settings of the following information:
User Authentication (Local)
Store Print (Save or Deletion of login failure job)
Internal Network Data Protection (Certificate and
encryption type)
Hard Disk Data Overwrite (number of overwrite, data
of overwrite)
Modify Changes of TSF data and security attributes (user
identifier).

- Data
Term/phrase Definition
Data on public telephone line The data which flow on public telephone line for fax
Fax data communication.

- Security attributes
Term/phrase Definition
General User role Indicates the authority required for general user to use
the TOE.
SA role Indicates the authority required for SA to use the TOE.
Key Operator role Indicates the authority required for key operator to use
the TOE.
General User identifier User ID and password used to authenticate and identify
general user.

- 28 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target
SA identifier
Key Operator identifier
Owner identifier of Mailbox
(Personal, Shared)
Owner identifier of Store Print
- Entity outside the TOE
Term/phrase
System Administrator
Key Operator
System Administrator Privilege
(SA)
General User
- Other terminology
Term/phrase
The Fuji Xerox’s standard
method, FXOSENC
AES
Access denial due to
authentication failure of system
administrator ID
Data on use of password entered
from MFD control panel in user
authentication
Data on ID of key operator
Data on password of key operator
User ID and password used to authenticate and identify
SA.
User ID and password used to authenticate and identify
key operator.
Data on each Mailbox, incl. permitted user, box name,
password, conditions for deleting documents, etc.
Data on Private Print, incl. user ID, password,
measures to be taken at authentication failure, etc.
Definition
This term covers both key operator and SA.
An authorized user who manages MFD maintenance
and makes TOE security function settings.
The user(s) who manage MFD maintenance and
configure TOE security functions. SA can be
created/registered by key operator or the other SA who
is already registered.
Any person who uses copy, scan, fax, and print
functions of MFD.
Definition
The Fuji Xerox’s standard algorithm to generate a
cryptographic key. This is used when MFD is booted.
The FIPS-standard encryption algorithm used for
encryption/decryption of Hard Disk data.
When the number of unsuccessful authentication
attempts of system administrator ID has exceeded the
specified number of times, the control panel does not
accept any operation except power-on and power-off,
and ApeosWare Device Setup and the web browser do
not accept authentication operation until the MFD main
unit is powered off/on.
The data on whether to enable/disable the use of
password to be entered from MFD control panel in user
authentication. Included in the TOE setting data.
ID data for key operator authentication. Included in the
TOE setting data.
Password data for key operator authentication.
Included in the TOE setting data.
- 29 – Copyright 2012 by Fuji Xerox Co., Ltd.
 Fuji Xerox C2263 Series Security Target
Data on ID of SA
Data on password of SA
Data on ID of General User
Data on password of General User
Data on access denial due to
authentication failures of system
administrator
Data on Security Audit Log
Data on User Authentication
Data on Store Print
Data on Internal Network Data
Protection
Data on Customer Engineer
Operation Restriction
Data on Hard Disk Data
Encryption
ID data for SA authentication. Included in the TOE
setting data.
Password data for SA authentication. Included in the
TOE setting data.
ID data for general user authentication. Included in the
TOE setting data.
Password data for general user authentication. Included
in the TOE setting data.
The data on whether to enable/disable access denial
due to authentication failure of system administrator
ID. They also incorporate the data on the allowable
number of the failures before access denial. Included in
the TOE setting data.
The data on whether to enable/disable the function to
trace/ record the important events of the TOE such as
device failure, configuration change, and user
operation, based on when and who operated what
function.
The data on whether to enable/disable the
authentication function using the data on user
authentication when copy, scan, fax, and print
functions of MFD are used. It also incorporates the
data on the setting. Included in the TOE setting data.
The setting data on whether to store the received print
data to Private Print area or print it out. Included in the
TOE setting data.
The data on whether to enable/disable the general
encryption communication protocols to protect the
communication data on the internal network such as
document data, security audit log data, and TOE setting
data. They also incorporate the data on the setting.
Included in the TOE setting data.
The data on whether to enable/disable Customer
Engineer Operation Restriction. Included in the TOE
setting data.
The data on whether to enable/disable the functions
related to Hard Disk Data Encryption. They also
incorporate the data on the encryption seed key.
Included in the TOE setting data.
- 30 – Copyright 2012 by Fuji Xerox Co., Ltd.
 Fuji Xerox C2263 Series Security Target
Data on Hard Disk Data
Overwrite
Data on date and time
Public telephone line
System Administrator mode
Certificate
Printer driver
Fax Driver
Network Scan Utility
The data on whether to enable/disable the functions
related to Hard Disk Data Overwrite. They also
incorporate the data on the number of pass (overwrite
procedure). Included in the TOE setting data.
The horologe information to manage log. Included in
the TOE setting data.
The line/network on which the data flow for fax
communication.
An operation mode that enables a system administrator
to refer to and rewrite TOE setting for device operation
and that for security functions according to the
operational environment. This mode is distinguished
from the operation mode that enables a general user to
use the MFD functions.
Defined in the X.509 which is recommended by ITU-T.
The data for user authentication (name, identification
name, organization where he/she belongs to, etc.),
public key, expiry date, serial number, signature, etc.
Software to convert the data on a general user client
into print data written in page description language
(PDL), a readable format for MFD. Used on the user
client.
Software for Direct Fax function, which enables a
general user to fax data to the destination directly from
a general user client through MFD. The user can send
the fax data just as printing. Used on the user client.
Software for a general user client to retrieve the
document data stored in Mailbox of MFD.
- 31 – Copyright 2012 by Fuji Xerox Co., Ltd.
 Fuji Xerox C2263 Series Security Target

6.1. Security Functional Requirements

Security functional requirements which ｔhe TOE offers are described below. The security functional
requirements are based on the class and component which are specified by the [CC part 2].

6.1.1. Class FAU: Security audit

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following
auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection, choose one of: minimum,
basic, detailed, not specified] level of audit; and
c) [assignment: other specifically defined auditable events].

[selection, choose one of: minimum, basic, detailed, not specified]

- not specified
[assignment: other specifically defined auditable events]
- the actions to be audited (defined by CC) and the corresponding
auditable events (events to be recorded as execution log) of TOE. Shown
in Table 12

Table 12: Auditable Events of TOE and Individually Defined Auditable Events

Functional Actions to be audited (defined by CC) Auditable events of

Requirements TOE
FAU_GEN.1 None -
FAU_SAR.1 a) Basic: Reading of information from the audit Basic: Successful
records. download of audit log
data.
FAU_SAR.2 a) Basic: Unsuccessful attempts to read information Basic: Unsuccessful
from the audit records. download of audit log
data.
FAU_STG.1 None -
FAU_STG.4 a) Basic: Actions taken due to the audit storage None
failure.
FCS_CKM.1 a) Minimal: Success and failure of the activity. None
b) Basic: The object attribute(s), and object value(s)
excluding any sensitive information (e.g. secret or

- 32 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

private keys).

FCS_COP.1 a) Minimal: Success and failure, and the type of None

cryptographic operation.
b) Basic: Any applicable cryptographic mode(s) of
operation, subject attributes and object attributes.
FDP_ACC.1 None -
FDP_ACF.1 a) Minimal: Successful requests to perform an Basic: Creation/deletion
operation on an object covered by the SFP. of Mailbox.
b) Basic: All requests to perform an operation on an User name, job
object covered by the SFP. information, and
c) Detailed: The specific security attributes used in success/failure
making an access check. regarding access to
Mailbox and execution
of Store Print.
FDP_IFC.1 None -
FDP_IFF.1 a) Minimal: Decisions to permit requested None
information flows.
b) Basic: All decisions on requests for information
flow.
c) Detailed: The specific security attributes used in
making an information flow enforcement decision.
d) Detailed: Some specific subsets of the
information that has flowed based upon policy
goals (e.g. auditing of downgraded material).
FDP_RIP.1 None -
FIA_AFL.1 a) Minimal: the reaching of the threshold for the <Minimal>
unsuccessful authentication attempts and the actions Authentication lock of
(e.g. disabling of a terminal) taken and the system administrator
subsequent, if appropriate, restoration to the normal Authentication failure
state (e.g. re-enabling of a terminal). from control panel and
CWIS.
FIA_ATD.1 None -
FIA_SOS.1 a) Minimal: Rejection by the TSF of any tested <Individually defined
secret; auditable events>
b) Basic: Rejection or acceptance by the TSF of any Registration of user and
tested secret; changes in user
c) Detailed: Identification of any changes to the registration data
defined quality metrics (password)

- 33 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

FIA_UAU.1 a) Minimal: Unsuccessful use of the authentication < Basic >

mechanism; Success/failure of
b) Basic: All use of the authentication mechanism. authentication
c) Detailed: All TSF mediated actions performed
before authentication of the user.
FIA_UAU.7 None -
FIA_UID.1 a) Minimal: Unsuccessful use of the user < Basic >
identification mechanism, including the user Success/failure of
identity provided; authentication
b) Basic: All use of the user identification
mechanism, including the user identity provided.
FIA_USB.1 a) Minimal: Unsuccessful binding of user security < Basic >
attributes to a subject (e.g. creation of a subject). Registration of system
b) Basic: Success and failure of binding of user administrator, and
security attributes to a subject (e.g. success or changes in user
failure to create a subject). registration data (role)
FMT_MOF.1 a) Basic: All modifications in the behavior of the <Basic>
functions in the TSF. Changes in security
function configuration.
FMT_MSA.1 a) Basic: All modifications of the values of security <Basic>
attributes. Creation/deletion of
Mailbox.
User name, job
information, and
success/failure
regarding access to
Mailbox and execution
of Store Print.
FMT_MSA.3 a) Basic: Modifications of the default setting of None
permissive or restrictive rules.
b) Basic: All modifications of the initial values of
security attributes.
FMT_MTD.1. a) Basic: All modifications to the values of TSF <Individually defined
data. auditable events>
Changes in registration
data (ID, password) of
system administrator,
and in the setting of
security functions.
FMT_SMF.1 a) Minimal: Use of the management functions. < Minimal >
Access to system

- 34 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

administrator mode
FMT_SMR.1 a) Minimal: modifications to the group of users that <Minimal>
are part of a role; Registration of system
b) Detailed: every use of the rights of a role. administrator, changes
in user registration data
(role), and deletion of
system administrator
FPT_STM.1 a) Minimal: changes to the time; <Minimal>
b) Detailed: providing a timestamp. Changes in time setting.
FTP_TRP.1 a) Minimal: Failures of the trusted path functions. <Minimal>
b) Minimal: Identification of the user associated Failure of the trusted
with all trusted path failures, if available. Communication within a
c) Basic: All attempted uses of the trusted path specified period of time,
functions. and client host data
d) Basic: Identification of the user associated with (host name or IP
all trusted path invocations, if available. address)

FAU_GEN.1.2 The TSF shall record within each audit record at least the following
information:
a) Date and time of the event, type of event, subject identity (if
applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of
the functional components included in the PP/ST, [assignment: other
audit relevant information].

[assignment: other audit relevant information].

- none

FAU_SAR.1: Audit review

Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.1.1 The TSF shall provide [assignment: authorized users] with the capability
to read [assignment: list of audit information] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user
to interpret the information.

[assignment: authorized users]

- system administrator
[assignment: list of audit information]

- 35 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

- all log information

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user
to interpret the information.

FAU_SAR.2 Restricted audit review

Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except
those users that have been granted explicit read-access.

FAU_STG.1 Protected audit trail storage

Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from
unauthorized deletion.

FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect]
unauthorized modifications to the stored audit records in the audit trail.

[selection, choose one of: prevent, detect]

- prevent

FAU_STG.4 Prevention of audit data loss

Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.4.1 The TSF shall [selection, choose one of: “ignore audited events”,
“prevent audited events, except those taken by the authorized user with
special rights”, “overwrite the oldest stored audit records”] and
[assignment: other actions to be taken in case of audit storage failure] if
the audit trail is full.

[selection, choose one of: “ignore audited events”, “prevent audited

events, except those taken by the authorized user with special rights”,
“overwrite the oldest stored audit records”]
- overwrite the oldest stored audit records
[assignment: other actions to be taken in case of audit storage failure]
- no other actions to be taken

- 36 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

6.1.2. Class FCS: Cryptographic support

FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1.1 TSF shall generate cryptographic keys in accordance with a specified

cryptographic key generation algorithm [assignment: cryptographic key
generation algorithm] and specified cryptographic key sizes [assignment:
cryptographic key sizes] that meet the following: [assignment: list of
standards].

[assignment: list of standards]

- none
[assignment: cryptographic key generation algorithm]
- the Fuji Xerox’s standard method, FXOSENC
[assignment: cryptographic key sizes]
- 256bits

FCS_COP.1 Cryptographic operation

Hierarchical to: No other components
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction

FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in

accordance with a specified cryptographic algorithm [assignment:
cryptographic algorithm] and cryptographic key sizes [assignment:
cryptographic key sizes] that meet the following: [assignment: list of
standards].

[assignment: list of standards]

- FIPS PUB 197
[assignment: cryptographic algorithm]
- AES
[assignment: cryptographic key sizes]
- 256bits
[assignment: list of cryptographic operations]
- encryption of the document data and security audit log data to be

- 37 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

stored in the internal HDD and decryption of the document data and
security audit log data retrieved from the internal HDD.

6.1.3. Class FDP: User data protection

FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP] on
[assignment: list of subjects, objects, and operations among subjects and
objects covered by the SFP].

[assignment: access control SFP]

- MFD access control SFP
[assignment: list of subjects, objects, and operations among subjects and
objects covered by the SFP].
- subjects, objects, and operations between subjects and objects listed in
Table 13

Table 13: Operations between Subjects and Objects Covered by MFD Access Control SFP

Subject Object Operation

Key operator process Mailbox Creation of Personal Mailbox
Deletion of Personal Mailbox
Creation of Shared Mailbox
Deletion of Shared Mailbox
Deletion of all document data
Retrieval of all document data
Store Print Deletion of all document data
Retrieval of all document data
SA process Mailbox Creation of Personal Mailbox
Deletion of Personal Mailbox
Deletion of all document data
Retrieval of all document data
Store Print Deletion of all document data
Retrieval of all document data
General user process Mailbox Creation of Personal Mailbox
Deletion of Personal Mailbox
Deletion of all document data
Retrieval of all document data
Store Print Deletion of document data
Retrieval of document data

- 38 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

FDP_ACF.1 Security attribute based access control

Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization

FDP_ACF.1.1 The TSF shall enforce the [assignment: access control SFP] to objects
based on the following: [assignment: list of subjects and objects
controlled under the indicated SFP, and for each, the SFP-relevant
security attributes, or named groups of SFP-relevant security attributes].

[assignment: access control SFP]

- MFD access control SFP
[assignment: list of subjects and objects controlled under the indicated
SFP, and for each, the SFP-relevant security attributes, or named groups
of SFP-relevant security attributes].
- general user identifier corresponding to the general user process, SA
identifier corresponding to the SA process, Key operator identifier
corresponding to the Key operator process,
- owner identifier corresponding to each Mailbox, owner identifier
corresponding to each Store Print area

FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed:
[assignment: rules governing access among controlled subjects and
controlled objects using controlled operations on controlled objects].

[assignment: rules governing access among controlled subjects and

controlled objects using controlled operations on controlled objects].
- the rules, shown in Table 14, for controlling the access among
controlled subjects using the controlled operations on the controlled
objects

Table 14: Rules for Access Control

Rules for Mailbox Operation in the General User Process and SA Process
- Creation of Personal Mailbox
In the general user process and SA process to create Personal Mailbox, the Personal
Mailbox in which general user identifier and SA identifier are set as its owner is
created.
- Deletion of Personal Mailbox
When the general user identifier and SA identifier of the general user process and SA
process match the owner identifier of Personal Mailbox, deletion of the

- 39 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

corresponding Personal Mailbox is allowed.

- Retrieval and deletion of document data in Personal Mailbox
When the general user identifier and SA identifier of the general user process and SA
process match the owner identifier of Mailbox, retrieval and deletion of the document
data inside are allowed.
- Retrieval and deletion of document data in Shared Mailbox
Retrieval and deletion of document data in Shared Mailbox are allowed.
Rules for Store Print Operation in the General User Process and SA Process
- Deletion and retrieval of document data
When the general user identifier and SA identifier of the general user process and SA
process match the owner identifier of Store Print, retrieval and deletion of the
document data inside are allowed. When the document data are deleted, the
corresponding Store Print area is also deleted.
Mailbox Operation in the Key Operator Process
-In the key operator process, creation and deletion of Shared Mailbox in which the
key operator identifier is set are allowed, and creation and deletion of Personal
Mailbox by all registered users are allowed.

FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on
the following additional rules: [assignment: rules, based on security
attributes, that explicitly authorize access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly authorise

access of subjects to objects].
- the rules, shown in Table 15, for explicitly authorizing access of the
subject to an object based on security attributes.

Table 15: Rules for Explicit Access Authorization

Rule for Mailbox Operation in the Key Operator Process

- In the key operator process, deletion of all Mailbox, deletion and retrieval of the
document data inside are allowed.
Rule for Store Print Operation in the Key Operator Process and SA Process
- In the key operator process and SA process, regarding all Store Print, deletion and
retrieval of the document data inside are allowed.

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the
following additional rules [assignment: rules, based on security
attributes, that explicitly deny access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly deny

access of subjects to objects].

- 40 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

- no rules that explicitly deny the access

FDP_IFC.1 Subset information flow control

Hierarchical to: No other components
Dependencies: FDP_IFF.1 Simple security attributes

FDP_IFC.1.1 The TSF shall enforce the [assignment: information flow control SFP] on
[assignment: list of subjects, information, and operations that cause
controlled information to flow to and from controlled subjects covered
by the SFP].

[assignment: list of subjects, information, and operations that cause

controlled information to flow to and from controlled subjects covered
by the SFP]
- subjects, information, and operations that cause the information to
flow, which are listed in Table 16.

Table 16: Subjects, Information, and Operations that cause the information to flow

Subject Information Operation

Receiving information from public Data on public Delivery
telephone line telephone line
Sending information to the internal
network

[assignment: information flow control SFP]

- Fax information flow control SFP

FDP_IFF.1 Simple security attributes

Hierarchical to: No other components
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization

FDP_IFF.1.1 The TSF shall enforce the [assignment: information flow control SFP]
based on the following types of subject and information security
attributes: [assignment: list of subjects and information controlled under
the indicated SFP, and for each, the security attributes].

[assignment: information flow control SFP]

- Fax information flow control SFP
[assignment: list of subjects and information controlled under the
indicated SFP, and for each, the security attributes]
- none. (Sending information to public telephone line, receiving

- 41 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

information from the internal network, and the corresponding data on

the public telephone line are not controlled under the Fax information
flow control SFP).

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject
and controlled information via a controlled operation if the following
rules hold: [assignment: for each operation, the security attribute-based
relationship that must hold between subject and information security
attributes].

[assignment: for each operation, the security attribute-based relationship

that must hold between subject and information security attributes]
- the data received from public telephone line must not be sent to the
internal network at any case

FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow
control SFP rules].

[assignment: additional information flow control SFP rules]

- none.

FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly authorize information flows].

[assignment: rules, based on security attributes, that explicitly authorize

information flows]
- none.

FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly deny information flows].

[assignment: rules, based on security attributes, that explicitly deny

information flows].
- none.

FDP_RIP.1 Subset residual information protection

Hierarchical to: No other components
Dependencies: No dependencies

FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource

- 42 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

is made unavailable upon the [selection: allocation of the resource to,

deallocation of the resource from] the following objects: [assignment:
list of objects].

[assignment: list of objects]

- used document data stored in the internal HDD
[selection: allocation of the resource to, deallocation of the resource
from]
- deallocation of the resource from

6.1.4. Class FIA: Identification and authentication

FIA_AFL.1(1) Authentication failure handling
Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1(1) The TSF shall detect when [selection: [assignment: positive integer
number], an administrator configurable positive integer within
[assignment: range of acceptable values]] unsuccessful authentication
attempts occur related to [assignment: list of authentication events].

[assignment: list of authentication events]

- key operator authentication
[selection: [assignment: positive integer number] , an administrator
configurable positive integer within [assignment: range of acceptable
values]
- [assignment: positive integer number]
[assignment: positive integer number]
-5

FIA_AFL.1.2 (1) When the defined number of unsuccessful authentication attempts has
been [selection: met, surpassed], the TSF shall [assignment: list of
actions].

[selection: met, surpassed]

- met
[assignment: list of actions]
- never allow the control panel to accept any operation except power
cycle. Web browser and ApeosWare Device Setup are also inhibited from
accepting authentication operation until the main unit is cycled.

FIA_AFL.1(2) Authentication failure handling

Hierarchical to: No other components

- 43 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 (2) The TSF shall detect when [selection: [assignment: positive integer
number], an administrator configurable positive integer within
[assignment: range of acceptable values]] unsuccessful authentication
attempts occur related to [assignment: list of authentication events].

[assignment: list of authentication events]

- SA authentication
[selection: [assignment: positive integer number] , an administrator
configurable positive integer within [assignment: range of acceptable
values]
- [assignment: positive integer number]
[assignment: positive integer number]
-5

FIA_AFL.1.2 (2) When the defined number of unsuccessful authentication attempts has
been [selection: met, surpassed], the TSF shall [assignment: list of
actions].

[selection: met, surpassed]

- met
[assignment: list of actions]
- never allow the control panel to accept any operation except power
cycle. Web browser is also inhibited from accepting authentication
operation until the main unit is cycled.

FIA_AFL.1 (3) Authentication failure handling

Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 (3) The TSF shall detect when [selection: [assignment: positive integer
number], an administrator configurable positive integer within
[assignment: range of acceptable values]] unsuccessful authentication
attempts occur related to [assignment: list of authentication events].

[assignment: list of authentication events]

- general user authentication
[selection: [assignment: positive integer number] , an administrator
configurable positive integer within [assignment: range of acceptable
values]
- [assignment: positive integer number]

- 44 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

[assignment: positive integer number]

-1

FIA_AFL.1.2 (3) When the defined number of unsuccessful authentication attempts has
been [selection: met, surpassed], the TSF shall [assignment: list of
actions].

[selection: met, surpassed]

- met
[assignment: list of actions]
- have the control panel to display the message of “authentication was
failed” and to require reentry of the user information. The TSF shall also
have Web browser and Network Scan Utility to reenter the user
information

FIA_ATD.1 User attribute definition

Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging
to individual users: [assignment: list of security attributes].

[assignment: list of security attributes].

- Key Operator role
- SA role
- General User role

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets (SA password
and U.NORMAL password) meet [assignment: a defined quality metric].

[assignment: a defined quality metric].

- Password length is restricted to 9 or more characters

FIA_UAU.1 Timing of authentication

Hierarchical to: No other components
Dependencies: FIA_UID.1 Timing of identification

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF mediated actions] on behalf
of the user to be performed before the user is authenticated.

[assignment: list of TSF mediated actions]

- data receive from public telephone line

- 45 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

- storing the document data delivered from printer driver

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before
allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback

Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of authentication

FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user
while the authentication is in progress.

[assignment: list of feedback]

- display of asterisks (“*”) to hide the entered password characters

FIA_UID.1 Timing of identification

Hierarchical to: No other components.
Dependencies: No dependencies

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on

behalf of the user to be performed before the user is identified.

[assignment: list of TSF-mediated actions]

- fax receive from public telephone line

FIA_UID.1.2 The TSF shall require each user to be successfully identified before
allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding Hierarchical to: No other components.

Dependencies: FIA_ATD.1 User attribute definition

FIA_USB.1.1 The TSF shall associate the following user security attributes with
subjects acting on the behalf of that user: [assignment: list of user
security attributes].

[assignment: list of user security attributes].

- Key Operator role
- SA role
- General User role

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of
user security attributes with subjects acting on the behalf of users:

- 46 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

[assignment: rules for the initial association of attributes].

[assignment: rules for the initial association of attributes].

- none

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user
security attributes associated with subjects acting on the behalf of users:
[assignment: rules for the changing of attributes].

[assignment: rules for the changing of attributes].

- none

6.1.5. Class FMT: Security management

FMT_MOF.1 Management of security functions behavior
Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MOF.1.1 The TSF shall restrict the ability to [selection: determine the behavior of,
disable, enable, modify the behavior of] the functions [assignment: list of
functions] to [assignment: the authorized identified roles].

[selection: determine the behavior of, disable, enable, modify the

behavior of]
- enable, disable, or modify the behavior of
[assignment: list of functions]
- for security listed in Table 17
[assignment: the authorized identified roles]
- the roles listed in Table 17

Table 17: List of Security Functions

Security Functions enable, disable, Roles

or modify the
behavior of
Use of password entered from MFD control enable, disable Key operator, SA
panel in user authentication
Access denial due to authentication failure enable, disable Key operator, SA
of system administrator ID
User Authentication enable, disable, Key operator, SA
modify
Security Audit Log enable, disable Key operator, SA

- 47 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

enable, disable,
Store Print Key operator, SA
modify
Internal Network Data Protection enable, disable, Key operator, SA
modify
Customer Engineer Operation Restriction enable, disable Key operator, SA
Hard Disk Data Encryption enable, disable Key operator, SA
Hard Disk Data Overwrite enable, disable, Key operator, SA
modify

FMT_MSA.1 Management of security attributes

Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1 The TSF shall enforce the [assignment: access control SFP(s),
information flow control SFP(s)] to restrict the ability to [selection:
change default, query, modify, delete, [assignment: other operations]] the
security attributes [assignment: list of security attributes] to [assignment:
the authorized identified roles].

[assignment: access control SFP(s), information flow control SFP(s)]

- MFD access control SFP
[selection: change default, query, modify, delete, [assignment: other
operations]]
- query, modify, delete,[assignment: other operations]
[assignment: other operations]
- create
[assignment: list of security attributes]
- user identifier, Mailbox owner identifier, and Store Print owner
identifier
[assignment: the authorized identified roles].
- the operations and roles listed in Table 18

Table 18: Security Attributes and Authorized Roles

Security Attribute query, delete, modify, Roles

create
Key operator identifier modify Key operator
SA identifier query, modify delete, Key operator, SA
create

- 48 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

General user identifier query, modify delete, Key operator, SA

create
Mailbox owner identifier query, delete, create General user , SA
(Personal Mailbox)
All Mailbox owner identifier query, delete, create Key operator
(All of Personal Mailbox)
Mailbox owner identifier query, delete, create Key operator
(Shared Mailbox)
Store Print owner identifier query, delete Key operator,
SA , General user
All Store Print owner identifier query, delete Key operator, SA

FMT_MSA.3 Static attribute initialization

Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles

FMT_MSA.3.1 The TSF shall enforce the [assignment: access control SFP, information
flow control SFP] to provide [selection, choose one of: restrictive,
permissive, [assignment: other property]] default values for security
attributes that are used to enforce the SFP.

[assignment: access control SFP, information flow control SFP]

- MFD access control SFP
[selection, choose one of: restrictive, permissive, [assignment: other
property]]
- [assignment: other property]
- Initialization property in Table 19

Table 19 Initialization property

Object Security Attributes Default

mail box Owner identifier of mail box Creator’s user identifier and
store print Owner identifier of store available user identifier
print

FMT_MSA.3.2 The TSF shall allow the [assignment: the authorized identified roles] to
specify alternative initial values to override the default values when an
object or information is created.

[assignment: the authorized identified roles]

- 49 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

- none

FMT_MTD.1 Management of TSF data

Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change default, query,
modify, delete, clear, [assignment: other operations]] the [assignment:
list of TSF data] to [assignment: the authorized identified roles].

[selection: change default, query, modify, delete, clear, [assignment:

other operations]]
- query, modify, delete
[assignment: other operations]]
- create
[assignment: list of TSF data]
- TSF data listed in Table 19
[assignment: the authorized identified roles].
- the roles listed in Table 20

Table 20: Operation of TSF Data

TSF Data query, modify, delete, Roles

create
Data on key operator ID modify Key operator
Data on key operator Password modify Key operator
Data on SA ID query, modify , Key operator, SA
delete,create
Data on SA Password modify Key operator, SA
Data on General user ID query, modify, Key operator, SA
delete,create
Data on General user Password modify Key operator,
SA ,General user
Data on User Authentication query, modify Key operator, SA
Data on use of password entered from query, modify Key operator, SA
MFD control panel in user
authentication
Data on minimum password length of
query, modify Key operator, SA
user password
Data on store print
query, modify Key operator, SA

- 50 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Data on Access denial due to query, modify Key operator, SA

authentication failure of system
administrator
Data on Security Audit Log query, modify Key operator, SA
Data on Internal Network Data query, modify, delete Key operator, SA
Protection
Data on Customer Engineer Operation query, modify Key operator, SA
Restriction
Data on Hard Disk Data Encryption query, modify Key operator, SA
Data on Hard Disk Data Overwrite query, modify Key operator, SA
Data on date and time query, modify Key operator, SA

FMT_SMF.1 Specification of Management Functions

Hierarchical to: No other components
Dependencies: No dependencies

FMT_SMF.1.1 The TSF shall be capable of performing the following management

functions: [assignment: list of management functions to be provided by
the TSF].

[assignment: list of management functions to be provided by the TSF]

- Security Management Functions listed in Table 21

Table 21: Security Management Functions Provided by TSF

Functional Management items defined by CC Management functions of

requirements TOE
FAU_GEN.1 There are no management activities Management of data on
Security Audit Log settings
foreseen.
FAU_SAR.1 a) maintenance (deletion, modification, Management of data on key
operator (ID and password)
addition) of the group of users with read
Management of data on SA
access right to the audit records.
(ID and password)
FAU_SAR.2 None -
FAU_STG.1 None -
FAU_STG.4 a) maintenance (deletion, modification, None
Reason: The control
addition) of actions to be taken in case of
parameter of audit log is
audit storage failure. fixed and is not managed.
FCS_CKM.1 None -
FCS_COP.1 None Management of data on
Hard Disk Data Encryption
FDP_ACC.1 None -
FDP_ACF.1 a) Managing the attributes used to make Management of owner
identifier of Mailbox
explicit access or denial based decisions.
Management of owner

- 51 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

identifier of store print

Management of data on store
print
FDP_IFC.1 None -
FDP_IFF.1 a) Managing the attributes used to make None
explicit access based decisions. Reason: Access is restricted
and does not need to be
managed.
FDP_RIP.1 a) The choice of when to perform residual Management of data on
information protection (i.e. upon allocation Hard Disk Data Overwrite
or deallocation) could be made
configurable within the TOE.
FIA_AFL.1 a) Management of the threshold for Management of allowable
unsuccessful authentication attempts; number of system
b) Management of actions to be taken in administrator’s
the event of an authentication failure. authentication failures
Management of Access
Denial
FIA_ATD.1 a) if so indicated in the assignment, the None
Reason: There are no
authorized administrator might be able to
additional security attributes
define additional security attributes for and there are no additional
users. security attributes to be
managed.
FIA_SOS.1 a) the management of the metric used to - Management of data on
minimum password length of
verify the secrets.
user password

FIA_UAU.1 a) Management of the authentication data - Management of data on use

by an administrator; of password entered from
b) Management of the authentication data MFD control panel in user
by the associated user; authentication.
c) Managing the list of actions that can be - Management of data on key
taken before the user is authenticated.
operator(ID and password)
- Management of data on SA
and general user (ID and
password)
- Management of data on
user authentication.
FIA_UAU.7 None -
FIA_UID.1 a) The management of the user identities. - Management of data on key
b) If an authorised administrator can operator(ID)
change the actions allowed before
- Management of data on SA
identification, the managing of the action
lists. and general user (ID)
- Management of data on
user authentication.
FIA_USB.1 a) an authorized administrator can define None
Reason: Action and security
default subject security attributes.
attributes are fixed and are
b) an authorized administrator can change not managed.

- 52 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

subject security attributes.

FMT_MOF.1 a) Managing the group of roles that can Management of data on
interact with the functions in the TSF; Customer Engineer
Operation Restriction
FMT_MSA.1 a) managing the group of roles that can None
Reason: The role group is
interact with the security attributes;
fixed and is not managed.
b) management of rules by which security
attributes inherit specified values.
FMT_MSA.3 a) managing the group of roles that can None
Reason: The role group is
specify initial values;
only a system administrator
b) managing the permissive or restrictive and is not managed.
setting of default values for a given access
control SFP;
c) management of rules by which security
attributes inherit specified values.
FMT_MTD.1. a) Managing the group of roles that can Management of data on
interact with the TSF data. Customer Engineer
Operation Restriction
FMT_SMF.1 None -
FMT_SMR.1 a) Managing the group of users that are None
part of a role. Reason: The role group is
fixed and is not managed
FPT_STM.1 a) management of the time. Management of time and
data.
FTP_TRP.1 a) Configuring the actions that require Management of data on
Internal Network Data
trusted path, if supported.
Protection.

FMT_SMR.1 Security roles

Hierarchical to: No other components
Dependencies: FIA_UID.1 Timing of identification

FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorized identified
roles].

[assignment: the authorized identified roles]

- system administrator ,SA, general user

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.1.6. Class FPT: Protection of the TSF

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.

- 53 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

6.1.7. Class FTP: Trusted path/channels

FTP_TRP.1 Trusted path
Hierarchical to: No other components.
Dependencies: No dependencies.

FTP_TRP.1.1 The TSF shall provide a communication path between itself and
[selection: remote, local] users that is logically distinct from other
communication paths and provides assured identification of its end
points and protection of the communicated data from [selection:
modification, disclosure, [assignment: other types of integrity or
confidentiality violation]].

[selection: remote, local]

- remote
[selection: modification, disclosure, [assignment: other types of integrity
or confidentiality violation]].
- modification, disclosure

FTP_TRP.1.2 The TSF shall permit [selection: the TSF, local users, remote users] to
initiate communication via the trusted path.

[selection: the TSF, local users, remote users]

- remote users

FTP_TRP.1.3 The TSF shall require the use of the trusted path for [selection: initial
user authentication, [assignment: other services for which trusted path is
required]].

[selection: initial user authentication, [assignment: other services for

which trusted path is required]].
- TOE communication service via Web, communication service for
printer driver, communication service for fax driver, communication
service for network utility, communication service for ApeosWare Device
Setup, and other services which require trusted path

- 54 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

6.2. Security Assurance Requirements

The requirements for the TOE security assurance are described in Table 22.
The evaluation assurance level of the TOE is EAL3. All the requirement components for assurance are
quoted directly from the component of EAL3 specified by [the CC part 3].

Table 22: EAL3 Assurance Requirements

Assurance
Assurance Component Name
Requirements
Class ADV: Development
ADV_ARC.1 Security architecture description
ADV_FSP.3 Functional specification with complete summary
ADV_TDS.2 Architectural design
Class AGD: Guidance documents
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Class ALC: Life-cycle support
ALC_CMC.3 Authorization controls
ALC_CMS.3 Implementation representation CM coverage
ALC_DEL.1 Delivery procedures
ALC_DVS.1 Identification of security measures
ALC_LCD.1 Developer defined life-cycle model
Class ASE: Security Target evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
Class ATE: Tests
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: basic design
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
Class AVA: Vulnerability assessment
AVA_VAN.2 Vulnerability analysis

- 55 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

6.3. Security Requirement Rationale

6.3.1. Security Functional Requirements Rationale

Table 23 lists security functional requirements and the corresponding security objectives. As shown in
Table 23, each security functional requirement corresponds to at least one security objective of the
TOE.
Table 24 shows the rationale demonstrating that each security objective is assured by TOE security
functional requirements.

Table 23: Security Functional Requirements and the Corresponding Security Objectives

Security Objectives

O.COMM_SEC

O.RESIDUAL

O.RESTRICT
O.MANAGE
O.FAX_SEC
O.AUDITS

O.CIPHER

O.USER
Security Functional
Requirements
FAU_GEN.1        
FAU_SAR.1        
FAU_SAR.2        
FAU_STG.1        
FAU_STG.4        
FCS_CKM.1        
FCS_COP.1        
FDP_ACC.1        
FDP_ACF.1        
FDP_IFC.1        
FDP_IFF.1        
FDP_RIP.1        
FIA_AFL.1 (1)        
FIA_AFL.1 (2)        
FIA_AFL.1 (3)        
FIA_ATD.1        
FIA_SOS.1        
FIA_UAU.1        
FIA_UAU.7        
FIA_UID.1        
FIA_USB.1        
FMT_MOF.1        
FMT_MSA.1        

- 56 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Objectives

O.COMM_SEC

O.RESIDUAL

O.RESTRICT
O.MANAGE
O.FAX_SEC
O.AUDITS

O.CIPHER

O.USER
Security Functional
Requirements
FMT_MSA.3        
FMT_MTD.1        
FMT_SMF.1        
FMT_SMR.1        
FPT_STM.1        
FTP_TRP.1        

Table 24: Security Objectives to SFR Rationale

Security Objectives Security Functional Requirements Rationale

O. AUDITS is the objective that provides the function to record auditable
events and its log data.
By satisfying the following security requirements, O.AUDITS can be
realized.
By FAU_GEN.1, the security audit log data are generated for the
auditable events: (However, audit is unnecessary for the following
functional requirements for each reason described below.)
- FAU_STG.4: The total number of audit log data events is fixed. The
data are stored and updated automatically.
- FCS_CKM.1: When cryptographic key generation fails, a system error
occurs at the time of booting of the MFD.
- FSC_COP.1: An encryption failure is monitored as job status.
O.AUDITS
- FDP_IFF.1: The flow is fixed. No event is to be monitored.
- FMT_MSA.3: No change is to be applied to default values and rules.
By FAU_SAR.1, the authorized system administrator can read the
security audit log data from an audit log file.
By FAU_SAR.2, only the authorized system administrator can access the
audit log.
By FAU_STG.1, the security audit log data stored in an audit log file is
protected from unauthorized deletion and alteration.
By FAU_STG.4, when the audit log file is full, the oldest stored audit
record is overwritten and a new audit event is stored into the audit log
file.
By FPT_STM.1, the auditable events are recorded with time stamp in the

- 57 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Objectives Security Functional Requirements Rationale

audit log, using highly reliable clock of the TOE.
O. CIPHER is the objective that encrypts the used document data and the
security audit log data i in the internal HDD so that they cannot be
analyzed even if retrieved.
By satisfying the following security requirements, O.CIPHER can be
realized.
O.CIPHER By FCS_CKM.1, the cryptographic key is generated in accordance with
the specified cryptographic key size (256 bits).
By FCS_COP.1, the document data and security audit log data to be
stored into the internal HDD are encrypted and then decrypted when the
data are read, in accordance with the determined cryptographic algorithm
and cryptographic key size.
O.COMM_SEC is the objective that protects the document data, security
audit log data, and TOE setting data on the internal network from
interception and alteration.
By satisfying the following security requirements, O.COMM_SEC can
O.COMM_SEC be realized:
By FTP_TRP.1, a highly reliable communication path is provided
through communication data encryption protocol so that the document
data, security audit log data, and TOE setting data on the internal
network between the TOE and the remote can be protected from threats.
O.FAX_SEC is the objective that prevents the unauthorized access to the
internal network via public telephone line.
By satisfying the following security requirements, O.FAX_SEC can be
O.FAX_SEC realized:
By FDP_IFC.1 and FDP_IFF.1, the internal network to which the TOE is
connected is prevented from being accessed via public telephone line
from the communication path of TOE fax modem.
O. MANAGE is the objective that allows only an authenticated system
administrator to access the system administrator mode for security
function setting and inhibits a general user from accessing the TOE
setting data. By satisfying the following security requirements,
O.MANAGE can be realized:
By FIA_AFL.1 (1), successive attacks are prevented because the power
O.MANAGE
needs to be cycled when the number of key operator authentication
failures reaches the defined number of times.
By FIA_AFL.1(2), successive attacks are prevented because the power
needs to be cycled when the number of SA authentication failures
reaches the defined number of times.
By FIA_UAU.1 and FIA_UID.1, user authentication is performed to

- 58 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Objectives Security Functional Requirements Rationale

identify an authorized system administrator or general user.
By FIA_UAU.7, unauthorized disclosure of the authentication
information (password) is prevented because the authentication feedback
is protected.
By FMT_MOF.1, the person who enables/disables TOE security
functions and makes functional settings is limited to system
administrator.
By FMT_MTD.1, the person who can make settings of TOE security
functions is limited to system administrator. Thus, only system
administrators can query, modify, and create TSF data.
By FMT_SMF.1, TOE security management functions are provided for
system administrator.
By FMT_SMR.1 (1), the role related to the security is limited to system
administrator by maintaining the role of system administrator as a user
who has special authority.
O.RESIDUAL is the objective that disables the reproduction and
recovery of the used document data in the internal HDD.
By satisfying the following security requirements, O.RESIDUAL can be
O.RESIDUAL
realized:
By FDP_RIP.1, the previous information of the used document data
stored in the internal HDD is made unavailable.
O.RESTRICT is the objective that offers the function to inhibit an
unauthorized person from using the TOE.
By satisfying the following security requirements, O.RESTRICT can be
realized:
By FIA_AFL.1 (1), successive attacks are prevented because the power
needs to be cycled when the number of key operator authentication
failures reaches the defined number of times.
By FIA_AFL.1 (2), successive attacks are prevented because the power
O.RESTRICT needs to be cycled when the number of SA authentication failures
reaches the defined number of times.
By FIA_AFL.1 (3), when general user authentication fails, “incorrect
password” message is displayed, requesting password re-entry.
By FIA_UIA.1 and FIA_UID.1, user authentication is performed to
identify an authorized general user and system administrator.
By FIA_UAU.7, unauthorized disclosure of the authentication
information (password) is prevented because the authentication feedback
is protected.
O.USER is the objective that identifies the TOE user and allows only the
O.USER
authorized user to retrieve, and delete the document data and to change

- 59 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Objectives Security Functional Requirements Rationale

password.
By satisfying the following security requirements, O.USER can be
realized:
By FDP_ACC.1 and FDP_ACF.1, user authentication is performed. Only
authorized user is allowed to operate the objects.
By FIA_AFL.1 (1), successive attacks are prevented because the power
needs to be cycled when the number of key operator authentication
failures reaches the defined number of times.
By FIA_AFL.1 (2), successive attacks are prevented because the power
needs to be cycled when the number of SA authentication failures
reaches the defined number of times.
By FIA_AFL.1 (3), when general user authentication fails, “incorrect
password” message is displayed, requesting password re-entry.
By FIA_ATD.1 and FIA_USB.1, each role of key operator, SA, and
general user is maintained and only the authorized users are associated
with the subjects.
By FIA_SOS1, the minimum length of password for SA and general user
is limited.
By FIA_UAU.1 and FIA_UID.1, user authentication is performed to
identify an authorized general user and system administrator.
By FIA_UAU.7, unauthorized disclosure of the authentication
information (password) is prevented because the authentication feedback
is protected.
By FMT_MSA.1, the query, modify, deletion, and creation of security
attributes are managed.
By FMT_MSA.3, the suitable default values are managed.
By FMT_MTD.1, the setting of password for key operator is limited to
key operator, that for SA is limited to key operator and SA, and that for
general user is limited to system administrator and the general user
(when it is his/her own).
By FMT_SMF.1, TOE security management functions are provided for
authorized users.
By FMT_SMR.1, the role of general user and system administrator is
maintained and associated with the general user and system
administrator.

6.3.2. Dependencies of Security Functional Requirements

Table 25 describes the functional requirements that security functional requirements depend on and
those that do not and the reason why it is not problematic even if dependencies are not satisfied.

- 60 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Table 25: Dependencies of Functional Security Requirements

Functional Requirement Dependencies of Functional Requirements

Requirement that Requirement that is not dependent on
Requirement and its name
is dependent on and its rationale
FAU_GEN.1
FPT_STM.1 -
Audit data generation
FAU_SAR.1
FAU_GEN.1 -
Audit review
FAU_SAR.2
FAU_SAR.1 -
Restricted audit review
FAU_STG.1
Protected audit trail FAU_GEN.1 -
storage
FAU_STG.4
Prevention of audit data FAU_STG.1 -
loss
FCS_CKM.4:
A cryptographic key is generated when MFD is
FCS_CKM.1
booted, and stored on DRAM (volatile memory).
Cryptographic key
A cryptographic key does not need to be
generation FCS_COP.1
destructed because this key is lost when the MFD
(The stored data in the
main unit is powered off.
internal HDD)
Therefore, the dependency on FCS_CKM.4 does
not need to be satisfied.
FCS_CKM.4:
FCS_COP.1 A cryptographic key is generated when MFD is
Cryptographic operation booted, and stored on DRAM (volatile memory).
FCS_CKM.1
(The stored data in the A cryptographic key does not need to be
internal HDD) destructed because this key is lost when the MFD
main unit is powered off.
FDP_ACC.1
FDP_ACF.1 -
Subset access control
FDP_ACF.1
FDP_ACC.1
Security attribute based -
FMT_MSA.3
access control
FDP_IFC.1
Subset information flow
FDP_IFF.1 -
control
(Fax information flow)
FDP_IFF.1 FDP_IFC.1 FMT_MSA.3:
Simple security attributes A static attribute initialization is not required

- 61 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Functional Requirement Dependencies of Functional Requirements

Requirement that Requirement that is not dependent on
Requirement and its name
is dependent on and its rationale
(Fax information flow) because Fax Information Flow has no security
attribute.
FDP_RIP.1
Subset residual None
information protection
FIA_AFL.1(1)
Authentication failure
FIA_UAU.1
handling
(Key operator)
FIA_AFL.1(2)
Authentication failure
FIA_UAU.1
handling
(SA)
FIA_AFL.1(3)
Authentication failure
FIA_UAU.1
handling
(General user)
FIA_ATD.1
None
User attribute definition
FIA_SOS.1
None
Verification of secrets
FIA_UAU.1
FIA_UID.1
Timing of authentication
FIA_UAU.7
Protected authentication FIA_UID.1
feedback
FIA_UID.1
None
Timing of identification
FIA_USB.1
FIA_ATD.1 -
User-subject binding
FMT_MOF.1
FMT_SMF.1
Management of security -
FMT_SMR.1
functions behavior
FMT_MSA.1 FDP_ACC.1
Management of security FMT_SMF.1 -
attributes FMT_SMR.1
FMT_MSA.3 FMT_MSA.1
-
Static attribute FMT_SMR.1

- 62 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Functional Requirement Dependencies of Functional Requirements

Requirement that Requirement that is not dependent on
Requirement and its name
is dependent on and its rationale
initialization
FMT_MTD.1 FMT_SMF.1
-
Management of TSF data FMT_SMR.1
FMT_SMF.1
Specification of None
management functions
FMT_SMR.1
FIA_UID.1
Security roles
FPT_STM.1
None
Reliable time stamp
FTP_TRP.1
None
Trusted Path

6.3.3. Security Assurance Requirements Rationale

This TOE is for a MFD, a commercial product. The following threats are assumed to be caused by a
low-level attacker: attack or interception/alteration of data on internal network via a MFD external
interface from control panel, Web browser or ApeosWare Device Setup of system administrator’s
client; and reading-out of information by removing the internal HDD and connecting it to a
commercial tool.
To counter these threats, this TOE is required to provide the security functions which assure security.

The evaluation assurance level of the TOE is EAL3 which includes the following analyses:
- Analysis of the security measures of the TOE at development phase
(Performing/analyzing systematic tests and evaluating the management of the development
environment and the developed products.)
Analysis of whether the sufficient guidance information is included so that the security functions can
be used safely. Therefore, EAL 3 is the reasonable evaluation level for this TOE.

- 63 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

7. TOE SUMMARY SPECIFICATION

This chapter describes the summary specifications of the security functions provided by this TOE.

7.1. Security Functions

Table 26 shows security functional requirements and the corresponding TOE security functions.
The security functions described in this section satisfy the TOE security functional requirements that
are specified in section 6.1 of this ST.

Table 26: Security Functional Requirements and the Corresponding TOE Security Functions

Security Functions

TSF_USER_AUTH

TSF_FAX_FLOW
TSF_NET_PROT
TSF_CE_LIMIT
TSF_CIPHER

TSF_FMT
TSF_IOW

TSF_FAU
Security Functional
Requirements
FAU_GEN.1        
FAU_SAR.1        
FAU_SAR.2        
FAU_STG.1        
FAU_STG.4        
FCS_CKM.1        
FCS_COP.1        
FDP_ACC.1        
FDP_ACF.1        
FDP_IFC.1        
FDP_IFF.1        
FDP_RIP.1        
FIA_AFL.1 (1)        
FIA_AFL.1 (2)        
FIA_AFL.1 (3)        
FIA_ATD.1        
FIA_SOS.1        
FIA_UAU.1        
FIA_UAU.7        
FIA_UID.1        
FIA_USB.1        
FMT_MOF.1        
FMT_MSA.1        

- 64 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Security Functions

TSF_USER_AUTH

TSF_FAX_FLOW
TSF_NET_PROT
TSF_CE_LIMIT
TSF_CIPHER

TSF_FMT
TSF_IOW

TSF_FAU
Security Functional
Requirements
FMT_MSA.3        
FMT_MTD.1        
FMT_SMF.1        
FMT_SMR.1        
FPT_STM.1        
FTP_TRP.1        

The summary of each TOE security function and the corresponding security functional requirements
are described below.

7.1.1. Hard Disk Data Overwrite (TSF_IOW)

According to Hard Disk Data Overwrite setting which is configured by a system administrator with
the system administrator mode, the used document data in the internal HDD are deleted by either one
or three pass overwrite procedure on the document data area when each job of copy, print, scan,
Network Scan, fax, or Direct Fax is completed.
This is because whether to prioritize efficiency or security depends on the usage environment of the
MFD.
When efficiency is prioritized, one pass overwrite procedure is applied. When security is prioritized,
three pass overwrite procedure is applied. Three pass overwrite has lower processing speed than one
pass but can provide more solid overwrite function. Therefore, three pass is an appropriate number of
times to overwrite.

(1) FDP_RIP.1 Subset Residual Information Protection

To control the overwrite function conducted after each job, two options are available: one pass
(zero) overwrite procedure and three pass (random number / random number / zero) overwrite
procedure.
List of the used document data which are to be overwritten and deleted is on the internal HDD.
When the existence of the used document data are found in this list at the time of booting the
TOE, the overwrite function is performed.

7.1.2. Hard Disk Data Encryption (TSF_CIPHER)

According to Hard Disk Data Encryption setting which is configured by a system administrator with
the system administrator mode, the document data and security audit log data are encrypted before

- 65 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

stored into the internal HDD when operating any function of copy, print, scan, Network Scan, fax,
Direct Fax, or configuring various security function settings.

(1) FCS_CKM.1 Cryptographic key generation

The TOE uses the “hard disk data encryption seed key” configured by a system administrator and
generates a 256-bit encryption key at the time of booting through FXOSENC algorithm, which is
Fuji Xerox’s standard method and a secure algorithm with sufficient complexity. (When the "hard
disk data encryption seed key" is the same, the same cryptographic key is generated.)

(2) FCS_COP.1 Cryptographic operation

Before storing the document data and security audit log data into the internal HDD, the TOE
encrypts the data using the 256-bit cryptographic key generated at the time of booting
(FCS_CKM.1) and the AES algorithm based on FIPS PUBS 197. When reading out the stored
data, the TOE decrypts the data also using the 256-bit cryptographic key generated at the time of
booting and the AES algorithm.

7.1.3. User Authentication (TSF_USER_AUTH)

Access to the MFD functions is restricted to the authorized user. A user needs to enter his/her ID and
password from the fax driver / Network Scan Utility / CWIS / ApeosWare Device Setup of the user
client, or MFD control panel.
Authentication is performed using the user information registered in MFD.
The registration method for the user information is provided by only Local Authentication.
a) Local Authentication
In local authentication, authentication is managed by using the user information registered in the
TOE.

Only the authenticated user can use the following functions:

 Functions controlled by the MFD control panel
Copy, fax (send), scan, network scan, Mailbox operation, and print (This print function requires
the Accounting System preset from printer driver. A user must be authenticated from the control
panel for print job.)
 Functions controlled by Network Scan Utility of user client
Function to retrieve document data from Mailbox.
 Functions controlled by CWIS
Display of device condition, display of job status and its log, function to retrieve document data
from Mailbox, and print function by file designation
 Functions controlled by ApeosWare Device Setup (Available for key operator only.)
Creation, deletion, and setting change of Mailbox

In addition, access to and setting change of the TOE security functions are restricted to the authorized
system administrator. A system administrator needs to enter his/her ID and password from MFD

- 66 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

control panel or system administrator client.

(1) FIA_AFL.1 (1) Authentication failure handling

The function of the TOE to handle the authentication failures is provided for the key operator
authentication which is performed before accessing the system administrator mode. When the
number of unsuccessful authentication attempts with system administrator ID reaches 5 times, the
control panel does not accept any operation except power cycle, and the web browser and
ApeosWare Device Setup do not accept authentication operation until the MFD main unit is
powered off/on.

(2) FIA_AFL.1 (2) Authentication failure handling

The function of the TOE to handle the authentication failures is provided for the SA
authentication which is performed before accessing the system administrator mode. When the
number of unsuccessful authentication attempts with system administrator ID reaches 5 times, the
control panel does not accept any operation except power cycle, and the web browser do not
accept authentication operation until the MFD main unit is powered off/on.

(3) FIA_AFL.1 (3) Authentication failure handling

The function of the TOE to handle the authentication failures is provided for the general user
authentication which is performed before using the MFD functions. When the entered password
does not match the one set by an authorized user, the message saying “authentication was failed”
is displayed on the control panel, requesting re-entry of the user information.
Re-entry of user information is also required at Web browser and Network Scan Utility

(4) FIA_ATD.1 User attribute definition

The function of the TOE to define and retain the roles of key operator, SA, and general user.

(5) FIA_UAU.1 Timing of authentication

FIA_UID.1 Timing of identification
The TOE requests a user to enter his/her ID and password before permitting him/her to operate
the MFD function via Web browser, Network Scanner Utility, ApeosWare Device Setup, and fax
driver of a user client, or the control panel. The entered user ID and password are verified
against the data registered in the TOE setting data.
This identification (FIA_UID.1) and the authentication (FIA_UAU.1) are simultaneously
performed, and the operation is allowed only when both of the identification and authentication
succeed.
In the Private Print function, the received user ID from the printer driver of a user client is
compared with the ID registered in the TOE setting. The print data are classified according to the
user ID and temporarily stored in the TOE.
When receiving fax data by the public telephone line, the TOE receives the fax data and stores
them in Mailbox before performing user identification and authentication.

- 67 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

(6) FIA_SOS.1 Verification of secrets

When setting a password of SA and general user, the TOE rejects settings if the password is less
than the minimum number of characters.

(7) FIA_UAU.7 Protected authentication feedback

The TOE offers the function to display the same number of asterisks (`*`) as the entered-password
characters on the control panel, Web browser, or ApeosWare Device Setup in order to hide the
password at the time of user authentication.

(8) FIA_USB.1 User-subject binding

With the authenticated ID, TOE associates the roles of key operator, SA, and general user with the
subjects.

(9) FMT_MSA.1 Management of security attributes

With the user authentication function, the TOE permits the authenticated user to handle the
identities related to each Mailbox and Store Print as shown in Table 27.

Table 27: Management of security attributes

Security Attributes query, modify ,delete, Roles

create
Key operator identifier modify Key operator,
SA identifier query, modify ,delete, Key operator, SA
create
General user identifier query, Modify ,delete, Key operator, SA
create
Mailbox owner identifier query, delete, create General user, SA
(Personal Mailbox)
All Mailbox owner query, delete, create Key operator
identifier (All of Personal
Mailbox)
Mailbox owner identifier query, delete, create Key operator
(Shared Mailbox)
Store Print owner identifier query, delete Key operator, SA,
General user
All Store Print owner query, delete Key operator, SA
identifier

(10) FMT_MTD.1 Management of TSF data

FMT_SMF.1 Specification of management functions
The TOE provides the user interface for setting password only to the authenticated authorized
user.

- 68 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

The setting of password for key operator is limited to key operator, that for SA is limited to key
operator and SA, and that for general user is limited to system administrator and the general user
(when it is his/her own).

(11) FMT_SMR.1 Security role

The TOE maintains the roles of system administrator and general user and associates these roles
to the authorized users.

(12) FDP_ACC.1 Subset access control

FDP_ACF.1 Security attribute based access control
With the user authentication function, the TOE permits the authenticated user to operate Mailbox
and Store Print (Private Print) as shown in Table 28.

Table 28: Access Control

Personal Mailbox Shared Mailbox Store Print

Creation of Mailbox Available for general Available for key -
user, SA and key operator
operator
Deletion of Mailbox Available for Available for key -
registered general operator
user ,SA and key
operator
Retrieval and Available for Available for general Available for general
Deletion of document registered general user, SA and key user, SA and key
data user ,SA and key operator operator
operator
Retrieval and Available for key Available for key Available for SA and
Deletion of all operator operator key operator
document data

User authentication is performed before accessing Mailbox or Store Print.

a) Private Print Function

When the MFD is set to “Save as Private Charge Print,” and a user sends a print request from the
printer driver in which the Accounting System is preset, the print data are decomposed into
bitmap data, classified according to the user ID, and temporarily stored in the corresponding
Private Print area within the internal HDD.
In the same way, when the user is authenticated by entering his/her ID and password from CWIS
for authentication, and the user sends a print request by designating the files within a user client,
the print data are temporarily stored in Private Print area according to the user ID.
To refer to the stored print data, a user needs to enter his/her ID and password from the control

- 69 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

panel. When the user is authenticated, the data on the waiting list corresponding to the user ID are
displayed. The user can request printing or deletion of the data on the list.

b) Mailbox Function
The scanned data and received fax data can be stored into Mailbox from IIT and Fax board which
are not shown in Figure 3.
To store the scanned data into Mailbox, a user needs to enter his/her ID and password from the
MFD control panel. When the user is authenticated, the document data can be scanned from IIT
and stored into the internal HDD according to the user’s instruction from the control panel.
To store the received fax data into Mailbox, user authentication is not required. Among the
received fax data transmitted over public telephone line, the following data are automatically
classified and stored into each corresponding Mailbox: the received fax data whose corresponding
Mailbox is specified by the sender, the received fax data from a particular sender (the data are
classified according to the sender’s telephone number), and the received fax data from an
unknown sender.
To retrieve, print, or delete the stored data in the Personal Mailbox corresponding to each
registered user ID, user authentication is required; the MFD compares the user ID and password
preset in the MFD against those entered by a general user from the control panel, CWIS, or
Network Scan Utility.

Mailbox Operation by a General User / SA

- Creation of Personal Mailbox
When a general user / SA operates to create Personal Mailbox, the Personal Mailbox in which
general user identifier / SA identifier is set as its owner is created.
- Deletion of Personal Mailbox
When the general user identifier / SA identifier matches the owner identifier of Personal
Mailbox, deletion of the corresponding Personal Mailbox is allowed.
- Retrieval and deletion of document data in Personal Mailbox
When the general user identifier / SA identifier matches the owner identifier of Personal
Mailbox, retrieval and deletion of the document data inside are allowed.
- Retrieval and deletion of document data in Shared Mailbox
Retrieval and deletion of document data in Shared Mailbox are allowed.

 Store Print Operation by a General User / SA

- Deletion and retrieval of document data
When the general user identifier / SA identifier matches the owner identifier of Store Print area,
retrieval and deletion of the document data inside are allowed. When the document data are
deleted, the corresponding Store Print area is also deleted.

 Mailbox Operation by the Key Operator

Creation and deletion of Shared Mailbox are allowed.
Creation and deletion of Personal Mailboxes of all the registered users are permitted only if the

- 70 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

key operator operates via ApeosWare Device Setup.For all Mailboxes, the key operator's
operations to delete Mailbox, and to retrieve, and delete the document data inside are allowed.

 Store Print Operation by the Key Operator / SA

For all the Store Print areas, the key operator's / SA's operations to retrieve and delete the
document data inside are allowed.

7.1.4. System Administrator’s Security Management (TSF_FMT)

To grant a privilege to a specific user, this function allows only the authorized system administrator to
access the system administrator mode which enables him/her to refer to and configure the settings of
the following TOE security functions from the control panel or system administrator client.

(1) FMT_MOF.1 Management of security functions behavior

FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of management functions
The TOE provides a user interface which allows only the authenticated system administrator to
refer to / change the TOE setting data related to the following TOE security functions and to make
setting whether to enable/disable each function.
With these functions, the required security management functions are provided.

The settings of the following TOE security functions can be referred to and changed from the
control panel.
・ Refer to the setting of Hard Disk Data Overwrite, enable/disable it, and set the number of pass
(overwrite procedure);
・ Refer to the setting of Hard Disk Data Encryption and enable/disable it;
・ Set the cryptographic seed key for Hard Disk Data Encryption;
・ Refer to the setting on the use of password entered from MFD control panel in user
authentication, and enable/disable it;
・ Refer to the setting of access denial due to authentication failure of system administrator
identification, enable/disable it, and set the allowable number of the failures before access
denial;
・ Change the key operator ID and password (only a key operator is privileged);
・ Refer to the setting of access denial due to authentication failure of system administrator,
enable/disable it, and set the allowable number of failures;
・ Refer to and set the minimum password length (for general user and SA);
・ Refer to the setting of SSL/TLS communication of Internal Network Data Protection,
enable/disable it, and configure the details;
・ Refer to the setting of IPSec communication of Internal Network Data Protection, enable/disable
it, and configure the details;
・ Refer to the setting of User Authentication and select disable/Local Authentication, and
configure the details;

- 71 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

・ Refer to the setting of Store Print and set store/print;

・ Refer to and set date and time;

With CWIS function, the settings of the following TOE security functions can be referred to and
changed from a system administrator client via Web browser.
・ Change the key operator ID and password (only a key operator is privileged);
・ Refer to the setting of ID of SA and general user and change the ID and password;
・ Refer to the setting of access denial due to authentication failures of system administrator,
enable/disable it, and set the allowable number of the failures before access denial;
・ Refer to and set the minimum password length (for general user and SA);
・ Refer to the setting of Security Audit Log and enable/disable it,
(When Security Audit Log is enabled, security audit log data can be downloaded in the form of
tab-delimited text to a system administrator client.);
・ Refer to the setting of SSL/TLS communication of Internal Network Data Protection,
enable/disable it, and configure the details;
・ Refer to the setting of IPSec communication of Internal Network Data Protection, enable/disable
it, and configure the details;
・ Refer to the setting of SNMP v3 communication of Internal Network Data Protection,
enable/disable it, and configure the details;
・ Set the authentication password for SNMPv3 communication;
・ Download/upload and create an X.509 certificate;
・ Refer to the setting of User Authentication and select disable/Local Authentication, and
configure the details;

This TOE allows only the key operator (exc. SA) who is authenticated from system administrator
client via ApeosWare Device Setup to refer to and set the following security functions.
・ Change the key operator ID and password;
・ Refer to the setting of ID of SA and general user and change the ID and password;
・ Refer to and set the setting on the use of password entered from MFD control panel in user
authentication;
・ Refer to the setting of User Authentication and select disable/Local Authentication, and
configure the details;
・ Refer to and set date and time;

(2) FMT_MSA.1 Management of security attributes

The TOE restricts the handling of the general user identifier only to a system administrator.

(3) FMT_MSA.3 Static attribute initialization

Regarding Mailbox and Store Print, the TOE sets the user identifier created as owner identifier
and the available user identifier, and set them as default values of security attributes.

- 72 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

(4) FMT_SMR.1 Security roles

The system administrator's role is maintained and the role is associated with a system
administrator.

7.1.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT)

A system administrator can restrict CE’s operation in the system administrator mode to inhibit CE
from referring to / changing the settings related to System Administrator’s Security Management
(TSF_FMT). This function can prevent setting change by an attacker who is impersonating CE.

(1) FMT_MOF.1 Management of security functions behavior

FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of management functions
The TOE provides a user interface which allows only the authenticated system administrator to
refer to / change (enable/disable) the TOE settings related to Customer Engineer Operation
Restriction from the control panel and CWIS.
With these functions, the required security management functions are provided.
(2) FMT_SMR.1 Security roles
The system administrator's role is maintained and the role is associated with a system
administrator.

7.1.6. Security Audit Log (TSF_FAU)

According to Security Audit Log setting which is configured by a system administrator using the
system administrator mode, the important events of the TOE such as device failure, configuration
change, and user operation are traced and recorded based on when and who operated what function.
All the TOE users are the targets of this audit log.

(1) FAU_GEN.1 Audit data generation

It is assured that the defined auditable event is recorded in the audit log.
Table 29 shows the details of the audit log data.

Table 29: Details of Security Audit Log Data

The auditable events are recorded with the following fixed size entries:
- Log ID: consecutive numbers as an audit log identifier (1 - 60000)
- Date: date data (yyyy/mm/dd, mm/dd/yyyy, or dd/mm/yyyy)
- Time: time data (hh:mm:ss)
- Logged Events: event name (arbitrary characters of up to 32 digits)
- User Name: user name (arbitrary characters of up to 32 digits)
- Description: description on events
(arbitrary characters of up to 32 digits, see below for details)
- Status: status or result of event processing
(arbitrary characters of up to 32 digits, see below for details)
- Optionally Logged Items: additional information recorded to audit log
(except common record items)
- 73 – Copyright 2012 by Fuji Xerox Co., Ltd.
 Fuji Xerox C2263 Series Security Target

Logged Events Description Status

Change in Device Status
Started normally (cold boot)
System Status Started normally (warm boot) -
Shutdown requested
User operation (Local) Start/End
User Authentication
Login Successful, Failed (Invalid
UserID), Failed (Invalid
Logout
Login/Logout Password), Failed
Locked System Administrator -
Authentication (Number of authentication
Detected continuous Authentication Fail failures recorded)
Change in Audit Policy
Audit Policy Audit Log Enable/Disable
Job Status
Print
Copy Completed, Completed
Scan with Warnings, Canceled
Job Status Fax by User, Canceled by
Mailbox Shutdown, Aborted,
Print Reports Unknown
Job Flow Service
Change in Device Settings
Adjust Time
Create Mailbox Successful/Failed
Device Settings Delete Mailbox
Switch Authentication Mode Successful
Change Security Setting (Setting items recorded)
Access to Data Stored in Device
Import Certificate
Delete Certificate
Add Address Entry
Device Data Successful/Failed
Delete Address Entry
Edit Address Entry
Export Audit Log

- 74 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Logged Events Description Status

Failed
(Protocol and
Communication Trusted Communication
communication
destination stored)

(2) FAU_SAR.1 Audit review

It is assured that all the information recorded in the audit log can be retrieved.
Security audit log data can be downloaded in the form of tab-delimited text by pressing the button
“store as a text file.” To download security audit log data, SSL/TLS communication needs to be
enabled before using Web browser.

(3) FAU_SAR.2 Restricted audit review

The person who retrieves the audit log is limited to the authenticated system administrator. A
system administrator can access the audit log only via Web browser and the access from the
control panel is inhibited. Therefore, a system administrator needs to log in from Web browser to
access the audit log.

(4) FAU_STG.1 Protected audit trail storage

There is no function to delete the audit log, and the audit log data are protected from untrusted
alteration and modification.

(5) FAU_STG.4 Prevention of audit data loss

When audit log file is full, the oldest stored audit record is overwritten with the new data so that
the new data is not lost but surely recorded.
Auditable events are stored with time stamps into NVRAM. When the number of stored events
reaches 50, the 50 logs on NVRAM is stored into one file (“audit log file”) within the internal
HDD. Up to 15,000 events can be stored. When the number of recorded events exceeds 15,000,
the oldest audit log file is overwritten and a new audit event is stored.

(6) FPT_STM.1 Reliable time stamps

The time stamp of TOE’s clock function is issued when the defined auditable event is recorded in
the audit log file.
By TSF_FMT, only a system administrator is enabled to change the clock setting.

7.1.7. Internal Network Data Protection (TSF_NET_PROT)

Internal Network Data Protection is provided by the following four protocols which are configured by
a system administrator using the system administrator mode:

(1) FTP_TRP.1 Trusted Path

- 75 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

The document data, security audit log data, and TOE setting data are protected by the encryption
communication protocol that ensures secure data communication between the TOE and IT
products (communication service via Web, communication service for printer driver,
communication service for fax driver, communication service for network utility, communication
service for ApeosWare Device Setup, and other services which require trusted path). This trusted
path is logically distinct from other communication paths and provides assured identification of
its endpoints and protection of the communication data from modification or disclosure.

a) SSL/TLS
According to the SSL/TLS communication which is configured by a system administrator using
the system administrator mode, SSL/TLS ensuring secure data transmission is supported. This
protects the security of document data, security audit log data, and TOE setting data on the
internal network.
By supporting SSL/TLS, the TOE can act as SSL/TLS server or SSL/TLS client. Moreover,
SSL/TLS can protect data transmission between the TOE and the remote from interception and
alteration. Protection from interception is realized by encrypting transmission data with the
following cryptographic keys. A cryptographic key is generated at the time of starting a session
and lost at the time of ending the session or powering off the MFD main unit.
Cryptographic key generated as SSLv3/TLSv1/TLSv1.2 upon every session.
Specifically, one of the cryptographic suites below is adopted:

Cryptographic Suites of SSL/TLS Cryptographic Method and Hash Method

Size of Secret Key
SSL_RSA_WITH_RC4_128_SHA RC4 / 128 bits SHA-1
SSL_RSA_WITH_3DES_EDE_CBC_SHA 3-Key Triple-DES / 168 bits SHA-1
TLS_RSA_WITH_AES_128_CBC_SHA AES / 128 bits SHA-1
TLS_RSA_WITH_AES_256_CBC_SHA AES / 256 bits SHA-1
TLS_RSA_WITH_AES_128_CBC_SHA256 AES / 128 bits SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 AES / 256 bits SHA256

Protection from the alteration is realized by HMAC (Hashed Message Authentication Code -
IETF RFC 2104) of SSL/TLS.
When SSL/TLS communication is enabled on the Web client, requests from the client must be
received via HTTPS. The SSL/TLS communication needs to be enabled before IPSec, or
SNMPv3 is enabled or before security audit log data are downloaded by a system administrator.

b) IPSec
According to the IPSec communication which is configured by a system administrator using the
system administrator mode, IPSec ensuring secure data transmission is supported. This protects
the security of document data, security audit log data, and TOE setting data on the internal
network.

- 76 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

IPSec establishes the security association to determine the parameters (e.g. private key and
cryptographic algorithm) to be used in the IPSec communication between the TOE and the
remote. After the association is established, all transmission data among the specified IP
addresses are encrypted by the transport mode of IPSec until the TOE is powered off or reset. A
cryptographic key is generated at the time of starting a session and lost at the time of ending the
session or powering off the MFD main unit.

Cryptographic key generated as IPSec (ESP: Encapsulating Security Payload) at every session
Specifically, one of the following combinations between secret-key cryptographic method and
hash method is adopted:

Cryptographic Method and Size Hash Method

of Secret Key
AES / 128 bits SHA-1
3-Key Triple-DES /168 bits SHA-1

c) SNMPv3
According to the SNMP v3 communication which is configured by a system administrator using
the system administrator mode, SNMP v3 is supported. This is one of the security solutions for
the network management protocol, SNMP. As defined in IETF RFC3414, SNMP v3 is used for
not only data encryption but also authentication of each SNMP message.
To enable this function, both authentication password and privacy password need to be set up in
both the TOE and the remote server. Length of both passwords must be 8 characters or more.
Authentication of SNMP v3 uses SHA-1 hash function; encryption of the protocol uses
CBC-DES. A cryptographic key is generated at the time of starting a session and lost at the time
of ending the session or powering off the MFD main unit.

Cryptographic key generated as SNMP v3 at every session:

Cryptographic Method and Size Hash Method

of Secret Key
DES / 56 bits SHA-1

7.1.8. Fax Flow Security (TSF_FAX_FLOW)

This function inhibits unauthorized access to the TOE via the Fax board, which is connected to the
controller board via USB interface, at any case. The data on public telephone line are not delivered to
the internal network.

(1) FDP_IFC.1 Subset information flow control

FDP_IFF.1 Simple security attributes
The data on public telephone line are not delivered to the internal network.

- 77 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

8. ACRONYMS AND TERMINOLOGY

8.1. Acronyms
The following acronyms are used in this ST:

Acronym Definition
ADF Auto Document Feeder
CC Common Criteria
CE Customer Engineer / Customer Service Engineer
CWIS CentreWare Internet Service
DRAM Dynamic Random Access Memory
EAL Evaluation Assurance Level
FIPS PUB Federal Information Processing Standard publication
IIT Image Input Terminal
IOT Image Output Terminal
IT Information Technology
IP Internet Protocol
MFD Multi Function Device
NVRAM Non Volatile Random Access Memory
PDL Page Description Language
PP Protection Profile
SAR Security Assurance Requirement
SEEPROM Serial Electronically Erasable and Programmable Read Only Memory
SFP Security Function Policy
SFR Security Functional Requirement
SMTP Simple Mail Transfer Protocol
SOF Strength of Function
ST Security Target
TOE Target of Evaluation
TSF TOE Security Function

- 78 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

8.2. Terminology
The following terms are used in this ST:

Term Definition
Any entity outside the TOE who interacts with the TOE: i.e. general user,
User
system administrator, and CE.
System Administrator A user authorized by key operator to manage MFD maintenance and
Privilege (SA) configure TOE security functions.
An authorized user who manages MFD maintenance and configures TOE
System Administrator
security functions. This term covers both key operator and SA.
Customer Engineer
Customer service engineer, an engineer who maintains and repairs MFD.
(CE)
Attacker A malicious user of TOE
A panel of MFD on which buttons, lamps, and a touch screen panel are
Control Panel
mounted to operate the MFD
General User Client A client for general user.
System Administrator A client for system administrator. An administrator can refer to and rewrite
Client TOE setting data of MFD via Web browser and ApeosWare Device Setup.
CWIS is a service on a Web server in the TOE to confirm the status of the
CentreWare Internet
TOE, change settings of the TOE, and request retrieval and printing of
Service
documents toward the TOE via the Web browser of the user client.
(CWIS)
CWIS can be used via the Windows standard Web browser.
Software for a key operator to conduct settings and management of
multiple MFDs from the system administrator client. It enables reference
ApeosWare Device
and editing of registration information such as user information, access
Setup
restriction, mailbox, address book, and job flow, and also the basic device
information in a list.
An operation mode that enables a system administrator to refer to and
System Administrator rewrite TOE setting for device operation and that for security functions
Mode according to the operational environment. This mode is distinguished from
the operation mode that enables a general user to use the MFD functions.
Software for Direct Fax function, which enables a general user to fax data
Fax Driver to the destination directly from a general user client through MFD. The
user can send the fax data just as printing. Used on the user client.
Software for a general user client to retrieve the document data stored in
Network Scan Utility
Mailbox of MFD.
Software to convert the data on a general user client into print data written
Printer driver in page description language (PDL), a readable format for MFD. Used on
the user client.
Print Data The data written in PDL, a readable format for MFD, which are to be

- 79 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Term Definition
converted into bitmap data by the TOE decompose function.
The data that are transmitted by command and response interactions. This
Control Data
is one the type of the data transmitted between MFD hardware units.
The decomposed data of the data read by the copy function and the print
data transmitted from a user client to MFD by the print function. Bitmap
Bitmap Data
data are stored into the internal HDD after being compressed in the unique
process.
A function to analyze and convert the print data written in PDL into
Decompose Function
bitmap data.
To analyze and convert the data written in PDL into bitmap data by the
Decompose
decompose function.
Original Texts, images and photos to be read from IIT in the copy function.
Document data means all the data, including images, transmitted across
the MFD when any of copy, print, scan or fax functions is used by a
general user. The document data includes:
- Bitmap data read from IIT and printed out from IOT (copy function),
- Print data sent by general user client and its decomposed bitmap data
Document Data (print function),
- Bitmap data read from IIT and then stored into the internal HDD (scan
function),
- Bitmap data read from IIT and sent to the fax destination and the bitmap
data faxed from the sender’s machine and printed out from the recipient’s
IOT (fax function).
The remaining data in the MFD internal HDD even after deletion. The
Used Document Data document data are first stored into the internal HDD, used, and then only
their files are deleted.
The chronologically recorded data of important events of the TOE. The
Security Audit Log
events such as device failure, configuration change, and user operation are
Data
recorded based on when and who caused what event and its result.
The data which are stored in a general user client or in the general client
Internally Stored Data
and server, but do not include data regarding TOE functions.
The data on the internal network. The general data do not include data
General Data
regarding TOE functions.
The data which are created by the TOE or for the TOE and may affect the
TOE operations. Specifically, they includes the information regarding the
functions of Hard Disk Data Overwrite, Hard Disk Data Encryption,
TOE Setting Data System Administrator’s Security Management, Customer Engineer
Operation Restriction, Use of password entered from MFD control panel
in user authentication, ID and password of system administrator, access
denial due to authentication failure of system administrator, Internal

- 80 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

Term Definition
Network Data Protection, Security Audit Log, Mailbox, and User
Authentication.
General Client and
Client and server which do not directly engage in TOE operations
Server
Deletion from the internal HDD means deletion of the management
information. When deletion of document data from the internal HDD is
Deletion from the requested, only the management information corresponding to the data is
Internal Hard Disk deleted. Therefore, user cannot access the document data which were
Drive (HDD) logically deleted. However, the document data themselves are not deleted
but remain as the used document data until new data is written in the same
storage area.
To write over the area of the document data stored in the internal HDD
Overwrite
when deleting the data.
The 12 alphanumeric characters to be entered by a user. When data in the
Cryptographic Seed
internal HDD are encrypted, a cryptographic key is generated based on the
Key
cryptographic seed key.
The 256-bit data which is automatically generated based on the
Cryptographic Key cryptographic seed key. Before the data are stored into the internal HDD,
they are encrypted with the cryptographic key.
Network A general term to indicate both external and internal networks.
The network which cannot be managed by the organization that manages
External Network
the TOE. This does not include the internal network.
Channels between MFD and highly reliable remote server / client PC. The
channels are located in the network of the organization, the owner of the
Internal Network
TOE, and are protected from the security risks coming from the external
network.
A function to limit the accessible TOE functions by identifying the user
User Authentication
before he/she uses each TOE function.
A mode to manage user authentication of the TOE using the user
Local Authentication
information registered in the MFD.

- 81 – Copyright 2012 by Fuji Xerox Co., Ltd.

 Fuji Xerox C2263 Series Security Target

9. REFERENCES
The following documentation was used to prepare this ST.

Short Name Document Title

Common Criteria for Information Technology Security Evaluation - Version 3.1
Part 1: Introduction and general model, dated July 2009, CCMB-2009-07-001
［CC Part 1］
(Japanese version 1.0, dated December 2009,
translated by Information-Technology Promotion Agency, Japan)
Common Criteria for Information Technology Security Evaluation - Version 3.1
Part 2: Security functional components, dated July 2009, CCMB-2009-07-002
［CC Part 2］
(Japanese version 1.0, dated December 2009,
translated by Information-Technology Promotion Agency, Japan)
Common Criteria for Information Technology Security Evaluation - Version 3.1
Part 3: Security assurance components, dated July 2009, CCMB-2009-07-003
［CC Part 3］
(Japanese version1.0, dated December 2009,
translated by Information-Technology Promotion Agency, Japan)
Common Methodology for Information Technology Security Evaluation - Version 3.1
Evaluation Methodology, dated July 2009, CCMB-2009-07-004
［CEM］
(Japanese version 1.0, dated December 2009,
translated by Information-Technology Promotion Agency, Japan)

- 82 – Copyright 2012 by Fuji Xerox Co., Ltd.