Ricoh Aficio MP C3001 Manual Download Page 37

Page: 37 / 94

Page 36 of

3 Security Problem Definitions

This section describes Threats, Organisational Security Policies and Assumptions.

3.1 Threats

Defined and described below are the assumed threats related to the use and environment of this TOE. The

threats defined in this section are unauthorised persons with knowledge of published information about the

TOE operations and such attackers are capable of Basic attack potential.

T.DOC.DIS

Document

disclosure

Documents under the TOE management may be disclosed to persons without a login

user name, or to persons with a login user name but without an access permission to the

document.

T.DOC.ALT

Document

alteration

Documents under the TOE management may be altered by persons without a login user

name, or by persons with a login user name but without an access permission to the

document.

T.FUNC.ALT User

job

alteration

User jobs under the TOE management may be altered by persons without a login user

name, or by persons with a login user name but without an access permission to the user

job.

T.PROT.ALT

Alteration of TSF protected data

TSF Protected Data under the TOE management may be altered by persons without a

to the TSF Protected Data.

T.CONF.DIS

Disclosure of TSF confidential data

TSF Confidential Data under the TOE management may be disclosed to persons without

a login user name, or to persons with a login user name but without an access

permission to the TSF Confidential Data.

T.CONF.ALT

Alteration of TSF confidential data

TSF Confidential Data under the TOE management may be altered by persons without a

to the TSF Confidential Data.

Summary of Contents for Aficio MP C3001

Page 1: ...ns of Aficio MP C3001 C3501 series Security Target are reprinted with written permission from IEEE 445 Hoes Lane Piscataway New Jersey 08855 from IEEE 2600 1 Protection Profile for Hardcopy Devices Operational Environment A Copyright 2009 IEEE All rights reserved This document is a translation of the evaluated and certified security target written in Japanese ...

Page 3: ...Indirect User 20 1 4 4 Logical Boundary of TOE 21 1 4 4 1 Basic Functions 21 1 4 4 2 Security Functions 24 1 4 5 Protected Assets 26 1 4 5 1 User Data 26 1 4 5 2 TSF Data 27 1 4 5 3 Functions 27 1 5 Glossary 27 1 5 1 Glossary for This ST 27 2 Conformance Claim 31 2 1 CC Conformance Claim 31 2 2 PP Claims 31 2 3 Package Claims 31 2 4 Conformance Claim Rationale 32 2 4 1 Consistency Claim with TOE T...

Page 4: ...terfaces FPT_FDI_EXP 47 6 Security Requirements 49 6 1 Security Functional Requirements 49 6 1 1 Class FAU Security audit 49 6 1 2 Class FCS Cryptographic support 52 6 1 3 Class FDP User data protection 53 6 1 4 Class FIA Identification and authentication 58 6 1 5 Class FMT Security management 61 6 1 6 Class FPT Protection of the TSF 67 6 1 7 Class FTA TOE access 68 6 1 8 Class FTP Trusted path ch...

Page 5: ... Control Function 84 7 4 Use of Feature Restriction Function 86 7 5 Network Protection Function 87 7 6 Residual Data Overwrite Function 87 7 7 Stored Data Protection Function 88 7 8 Security Management Function 88 7 9 Software Verification Function 93 7 10 Fax Line Separation Function 93 ...

Page 6: ...cts b 54 Table 17 Subjects Objects and Security Attributes a 54 Table 18 Rules to Control Operations on Document Data and User Jobs a 55 Table 19 Additional Rules to Control Operations on Document Data and User Jobs a 56 Table 20 Subjects Objects and Security Attributes b 57 Table 21 Rule to Control Operations on MFP Applications b 57 Table 22 List of Authentication Events of Basic Authentication ...

Page 7: ...able 37 Stored Documents Access Control Rules for Normal Users 85 Table 38 Encrypted Communications Provided by the TOE 87 Table 39 List of Cryptographic Operations for Stored Data Protection 88 Table 40 Management of TSF Data 89 Table 41 List of Static Initialisation for Security Attributes of Document Access Control SFP 92 ...

Page 8: ...vary depending on sales areas and or sales companies the components are identical MFP versions consist of software and hardware versions The FCU is identified by its name and version Table 1 shows the identification information of the TOE Table 1 Identification Information of TOE Names Versions MFPs Software System Copy 1 03 Network Support 10 54 Scanner 01 05 Printer 1 02 Fax 02 00 00 RemoteFax 0...

Page 9: ...ame Fax Option Type C5501 GWFCU3 21 WW 03 00 00 Keywords Digital MFP Documents Copy Print Scanner Network Office Fax 1 3 TOE Overview This section defines TOE Type TOE Usage and Major Security Features of TOE 1 3 1 TOE Type This TOE is a digital multi function product hereafter MFP which is an IT device that inputs stores and outputs documents 1 3 2 TOE Usage The operational environment of the TOE...

Page 10: ...vided for the MFP which is the TOE itself and hardware and software other than the TOE MFP A machinery that is defined as the TOE The MFP is connected to the office LAN and users can perform the following operations from the Operation Panel of the MFP Various settings for the MFP Copy fax storage and network transmission of paper documents Print fax network transmission and deletion of the stored ...

Page 11: ...smission of the stored documents in the TOE to its folders SMTP Server A server used by the TOE for e mail transmission of the stored documents in the TOE External Authentication Server A server that identifies and authenticates the TOE user with Windows authentication Kerberos authentication method This server is only used when External Authentication is applied The TOE identifies and authenticat...

Page 12: ...ty Management Function Software Verification Function Fax Line Separation Function 1 4 TOE Description This section describes Physical Boundary of TOE Guidance Documents Definition of Users Logical Boundary of TOE and Protected Assets 1 4 1 Physical Boundary of TOE The physical boundary of the TOE is the MFP which consists of the following hardware components shown in Figure 2 Operation Panel Unit...

Page 13: ...processed by the MFP Control Software on the Controller Board The following describes the components of the Controller Board Processor A semiconductor chip that performs basic arithmetic processing for MFP operations RAM A volatile memory medium which is used as a working area for image processing such as compressing decompressing the image data It can also be used to temporarily read and write in...

Page 14: ... according to display instructions from the Controller Board OpePanel which is one of the components that constitute the TOE is the identifier for the Operation Panel Control Software Engine Unit The Engine Unit consists of Scanner Engine that is an input device to read paper documents Printer Engine that is an output device to print and eject paper documents and Engine Control Board The Engine Co...

Page 15: ...of user guidance documents are available for this TOE English version 1 English version 2 English version 3 and English version 4 Selection of the guidance document sets depends on the sales area and or sales company Guidance document sets will be supplied with individual TOE component Details of the document sets are as follows English version 1 Table 2 Guidance for English Version 1 TOE Componen...

Page 16: ... Administrators Aficio MP C3001 MP C3001G MP C3501 MP C3501G MP C4501 MP C4501G MP C4501A MP C4501AG MP C5501 MP C5501G MP C5501A MP C5501AG C9130 C9130G C9135 C9135G C9145 C9145G C9145A C9145AG C9155 C9155G C9 155A C9155AG LD630C LD630CG LD635C LD635CG LD645C LD645CG LD645CA LD645CAG LD655C LD655CG LD655CA LD655CAG D089 6907A To Users of This Machine D029 7904 Operating Instructions Notes on Secu...

Page 17: ... Manuals for Users Aficio MP C3001 MP C3001G MP C3501 MP C3501G MP C4501 MP C4501G MP C4501A MP C4501AG MP C5501 MP C5501G MP C5501A MP C5501AG C9130 C9130G C9135 C9135G C9145 C9145G C9145A C9145AG C9155 C9155G C9 155A C9155AG LD630C LD630CG LD635C LD635CG LD645C LD645CG LD645CA LD645CAG L D655C LD655CG LD655CA LD655CAG D089 6906A Manuals for Administrators Aficio MP C3001 MP C3001G MP C3501 MP C3...

Page 18: ...MP C5501 MP C5501A A D089 6931A Manuals for Administrators Security Reference Aficio MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A D089 6933A Safety Information for MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A Aficio MP C3001 Aficio MP C3501 Aficio MP C4501 Aficio MP C4501A Aficio MP C5501 Aficio MP C5501A D088 7400A Note...

Page 19: ...Manuals for Users Aficio MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A D089 6908A Manuals for Administrators Aficio MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A MP C3001 MP C3501 MP C4501 MP C4501A MP C5501 MP C5501A D089 6909A To Users of This Machine D029 7904 Operating Instructions Notes on Security Functions D088 7706...

Page 20: ...e administrator can be classified as the supervisor and the MFP administrator Up to four MFP administrators can be registered and selectively authorised to perform user management machine management network management and file management Therefore the different roles of the management privilege can be allocated to multiple MFP administrators individually The MFP administrator in this ST refers to ...

Page 21: ...ible manager of MFP is a person who is responsible for selection of the TOE administrators in the organisation where the TOE is used Customer engineer The customer engineer is a person who belongs to the organisation which maintains TOE operation The customer engineer is in charge of installation setup and maintenance of the TOE ...

Page 22: ...s Figure 3 Logical Scope of the TOE 1 4 4 1 Basic Functions The overview of the Basic Functions is described as follows Copy Function The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel Magnification and other editorial jobs can be applied to the copy image It can also be stored on the HDD as a Document Server document ...

Page 23: ... the Operation Panel Operating from a Web browser The TOE can print or delete printer documents according to the operations by users from a Web browser Deleting printer documents by the TOE The deletion of printer documents by the TOE differs depending on printing methods If locked print hold print or sample print is specified the TOE deletes printer documents when printing is complete If stored p...

Page 24: ... documents or documents in the client computer for fax transmission in the TOE Those documents stored in the TOE are called fax documents Paper documents will be scanned and stored using the Operation Panel The documents in the client computer are sent to and stored in the TOE by operating the fax driver installed on the client computer Operation Function for Fax Documents A function to print or d...

Page 25: ...the procedures that are allowed to customer engineers only If the MFP administrator sets the Service Mode Lock Function to ON the customer engineer cannot use this function In this ST the Service Mode Lock Function is set to ON for the target of evaluation Web Function A function for the TOE user to remotely control the TOE from the client computer To control the TOE remotely the TOE user needs to...

Page 26: ...ion Panel In addition to this and for the Basic Authentication only this function can be used to register passwords that fulfil the requirements of the Minimum Character No i e minimum password length and obligatory character types the MFP administrator specifies so that the lockout function can be enabled and login password quality can be protected Document Access Control Function The Document Ac...

Page 27: ... user role privileges or user privileges allocated to normal users MFP administrator and supervisor Software Verification Function The Software Verification Function is to verify the integrity of the executable codes of the MFP Control Software and FCU Control Software and to ensure that they can be trusted Fax Line Separation Function The Fax Line Separation Function is to restrict input informat...

Page 28: ...n procedures Confidential data This data must be protected from changes by unauthorised persons and reading by users without viewing permissions In this ST confidential data listed below is referred to as TSF confidential data Login password audit log and HDD cryptographic key 1 4 5 3 Functions The MFP applications Copy Function Document Server Function Printer Function Scanner Function and Fax Fu...

Page 29: ...ification and authentication of TOE users who are authorised to use the TOE The TOE authenticates TOE users by using the login user names and the login passwords registered on the TOE External Authentication One of the procedures for identification and authentication of TOE users who are authorised to use the TOE The TOE authenticates TOE users by using the login user names and the login passwords...

Page 30: ... Function and Fax Function Stored document type Classification of stored documents according to their purpose of use This includes Document Server documents printer documents scanner documents fax documents and received fax documents Document Server documents One of the stored document types Documents stored in the TOE when Document Server storage is selected as the printing method for Copy Functi...

Page 31: ...om the MFP via networks to the SMTP Server The documents that can be delivered using this function include scanned documents using Scanner Function and scanned and stored document data using Scanner Function S MIME protects the communication for realising this function S MIME user information This information is required for e mail transmission using S MIME Also this information consists of e mail...

Page 32: ...uly 2009 Version 3 1 Revision 3 Final Japanese translation ver 1 0 Final CCMB 2009 07 003 Functional requirements Part 2 extended Assurance requirements Part 3 conformance 2 2 PP Claims The PP to which this ST and TOE are demonstrable conformant is PP Name Identification 2600 1 Protection Profile for Hardcopy Devices Operational Environment A Version 1 0 dated June 2009 Notes The PP name which is ...

Page 33: ... PP is written in English the security problem definitions in chapter 3 and security objectives in chapter 4 are translated from English into Japanese If the literal translation of the PP was thought to be difficult for readers to understand the PP in Japanese the translation was made comprehensible This however does not mean that its description deviates from the requirements of the PP conformanc...

Page 34: ...AU 7 and FIA_SOS 1 For the Basic Authentication function of the TOE FIA_AFL 1 FIA_UAU 7 and FIA_SOS 1 are augmented according to PP APPLICATION NOTE36 Refinement of FIA_UAU 1 a FIA_UAU 1 b FIA_UID 1 a FIA_UID 1 b and FIA_SOS 1 For authentication of normal users of this TOE Basic Authentication conducted by the TOE and authentication conducted by the external authentication server can be used Accor...

Page 35: ..._FDI_EXP Consistency Rationale of FDP_ACF 1 a While FDP_ACF 1 1 a and FDP_ACF 1 2 a in the PP require the access control SFP to the document data that is defined for each SFR package in the PP this ST requires the access control SFP to the document data that is defined for each document data attribute which is the security attribute for objects This is not a deviation from the PP but an instantiat...

Page 36: ... 1 a and as a result the TSF restrictively allows the MFP administrator to access the TOE functions Therefore the requirements described in FDP_ACF 1 3 b in the PP are satisfied at the same time The fax reception process which is accessed when receiving from a telephone line is regarded as a user with administrator privileges Therefore FDP_ACF 1 3 b in this ST satisfies FDP_ACF 1 3 b in the PP ...

Page 37: ...ons with a login user name but without an access permission to the document T FUNC ALT User job alteration User jobs under the TOE management may be altered by persons without a login user name or by persons with a login user name but without an access permission to the user job T PROT ALT Alteration of TSF protected data TSF Protected Data under the TOE management may be altered by persons withou...

Page 38: ... use of the external interfaces of the TOE operation of those interfaces shall be controlled by the TOE and its IT environment P STORAGE ENCRYPTION Encryption of storage devices The data stored on the HDD inside the TOE shall be encrypted P RCGATE COMM PROTECT Protection of communication with RC Gate As for communication with RC Gate the TOE shall protect the communication data between itself and ...

Page 39: ...procedures of their organisation are competent to correctly configure and operate the TOE in accordance with the guidance document following those policies and procedures A ADMIN TRUST Trusted administrator The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document ...

Page 40: ...of user job alteration The TOE shall protect user jobs from unauthorised alteration by persons without a login user name or by persons with a login user name but without an access permission to the job O PROT NO_ALT Protection of TSF protected data alteration The TOE shall protect TSF Protected Data from unauthorised alteration by persons without a login user name or by persons with a login user n...

Page 41: ...yption of storage devices The TOE shall ensure that the data is encrypted first and then stored on the HDD O RCGATE COMM PROTECT Protection of communication with RC Gate The TOE shall conceal the communication data on the communication path between itself and RC Gate and detect any tampering with those communication data 4 2 Security Objectives of Operational Environment This section describes the...

Page 42: ...in users according to the guidance document and ensure that users are aware of the security policies and procedures of their organisation and have the competence to follow those policies and procedures OE ADMIN TRAINED Administrator training The responsible manager of MFP shall ensure that administrators are aware of the security policies and procedures of their organisation have the training comp...

Page 43: ...r Security Objectives O DOC NO_DIS O DOC NO_ALT O FUNC NO_ALT O PROT NO_ALT O CONF NO_DIS O CONF NO_ALT O USER AUTHORIZED OE USER AUTHORIZED O SOFTWARE VERIFIED O AUDIT LOGGED OE AUDIT_STORAGE PROTCTED OE AUDIT_ACCESS_AUTHORIZED OE AUDIT REVIEWED O INTERFACE MANAGED OE PHYSICAL MANAGED OE INTERFACE MANAGED O STORAGE ENCRYPTED O RCGATE COMM PROTECT OE ADMIN TRAINED OE ADMIN TRUSTED OE USER TRAINED ...

Page 44: ...orised in accordance with the security policies before being allowed to use the TOE By O DOC NO_ALT the TOE protects the documents from unauthorised alteration by persons without a login user name or by persons with a login user name but without an access permission to the document T DOC ALT is countered by these objectives T FUNC ALT T FUNC ALT is countered by O FUNC NO_ALT O USER AUTHORIZED and ...

Page 45: ...ble manager of MFP gives the authority to use the TOE to users who follow the security policies and procedures of their organisation By O USER AUTHORIZED the TOE requires identification and authentication of users and users are authorised in accordance with the security policies before being allowed to use the TOE By O CONF NO_ALT the TOE protects the TSF confidential data from unauthorised altera...

Page 46: ...nforced by O INTERFACE MANAGED and OE INTERFACE MANAGED By O INTERFACE MANAGED the TOE manages the operation of the external interfaces in accordance with the security policies By OE INTERFACE MANAGED the TOE constructs the IT environment that prevents unmanaged access to TOE external interfaces P INTERFACE MANAGEMENT is enforced by these objectives P STORAGE ENCRYPTION P STORAGE ENCRYPTION is enf...

Page 47: ...s upheld by this objective A ADMIN TRUST A ADMIN TRUST is upheld by OE ADMIN TRUSTED By OE ADMIN TRUSTED the responsible manager of MFP selects the administrators and they will not abuse their privileges in accordance with the guidance documents A ADMIN TRUST is upheld by this objective A USER TRAINING A USER TRAINING is upheld by OE USER TRAINED By OE USER TRAINED the responsible manager of MFP i...

Page 48: ...ily FPT_FDI_EXP has been defined to specify this kind of functionality Component levelling FPT_FDI_EXP Restricted forwarding of data to external interfaces 1 FPT_FDI_EXP 1 Restricted forwarding of data to external interfaces provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interf...

Page 49: ...ntrol instead of attribute based control It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation specific for a Protection Profile or too unwieldy for refinement in a Security Target Therefore the authors decided to define an extended component to address this functionality This extended component protects both user data and TSF data and it...

Page 50: ...nerate an audit record of the following auditable events a Start up and shutdown of the audit functions b All auditable events for the selection not specified level of audit and c assignment auditable events of the TOE shown in Table 12 FAU_GEN 1 2 The TSF shall record within each audit record at least the following information a Date and time of the event type of event subject identity if applica...

Page 51: ...to folder and deleting are the job types of additional information that are required by the PP FDP_ACF 1 b a Minimal Successful requests to perform an operation on an object covered by the SFP b Basic All requests to perform an operation on an object covered by the SFP c Detailed The specific security attributes used in making an access check Original Not recorded FIA_UAU 1 a a Minimal Unsuccessfu...

Page 52: ...m including the user identity provided b Basic All use of the user identification mechanism including the user identity provided b Basic Success and failure of login operation FMT_SMF 1 a Minimal Use of the management functions a Minimal Record of management items in Table 30 FMT_SMR 1 a Minimal modifications to the group of users that are part of a role b Detailed every use of the rights of a rol...

Page 53: ...nt no other actions to be taken in case of audit storage failure if the audit trail is full FAU_SAR 1 Audit review Hierarchical to No other components Dependencies FAU_GEN 1 Audit data generation FAU_SAR 1 1 The TSF shall provide assignment the MFP administrators with the capability to read assignment all of log items from the audit records FAU_SAR 1 2 The TSF shall provide the audit records in a ...

Page 54: ...ignment cryptographic operations shown in Table 14 in accordance with a specified cryptographic algorithm assignment cryptographic algorithm shown in Table 14 and cryptographic key sizes assignment cryptographic key sizes shown in Table 14 that meet the following assignment standards shown in Table 14 Table 14 List of Cryptographic Operation Key Type Standard Cryptographic Algorithm Cryptographic ...

Page 55: ...Table 16 List of Subjects Objects and Operations among Subjects and Objects b Subjects Normal user process MFP administrator process Supervisor process RC Gate process Object MFP application Operation Execute FDP_ACF 1 a Security attribute based access control Hierarchical to No other components Dependencies FDP_ACC 1 Subset access control FMT_MSA 3 Static attribute initialisation FDP_ACF 1 1 a Th...

Page 56: ...ated the document data Document data SCN Delete Normal user process Not allowed However it is allowed for normal user process that created the document data Document data SCN Read Normal user process Not allowed However it is allowed for normal user process that created the document data Document data FAXOUT Delete Normal user process Not allowed However it is allowed for normal user process that ...

Page 57: ...SF shall explicitly authorise access of subjects to objects based on the following additional rules assignment rules to control operations among subjects and objects shown in Table 19 Table 19 Additional Rules to Control Operations on Document Data and User Jobs a Objects Document Data Attributes Operations Subjects Rules to control Operations Document data PRT Delete MFP administrator process All...

Page 58: ...Control Operations on MFP Applications b Object Operation Subject Rule to control Operations MFP application Execute Normal user process Allows executing MFP application which MFP administrator allowed in available function list for normal user process FDP_ACF 1 3 b The TSF shall explicitly authorise access of subjects to objects based on the following additional rules assignment rules that the Fa...

Page 59: ...e defined number of unsuccessful authentication attempts has been selection met the TSF shall assignment perform actions shown in Table 23 Table 23 List of Actions for Authentication Failure Unsuccessfully Authenticated Users Actions for Authentication Failure Normal user The lockout for the normal user is released by the lockout time set by the MFP administrator or release operation by the MFP ad...

Page 60: ...users No fewer than the minimum character number specified by MFP administrator 8 32 characters and no more than 128 characters For MFP administrators and a supervisor No fewer than the minimum character number specified by MFP administrator 8 32 characters and no more than 32 characters 3 Rule Passwords that are composed of a combination of characters based on the password complexity setting spec...

Page 61: ...cated refinement authentication of a person who intends to use the TOE from RC Gate communication interface before allowing other TSF mediated actions on behalf of that user FIA_UAU 7 Protected authentication feedback Hierarchical to No other components Dependencies FIA_UAU 1 Timing of authentication FIA_UAU 7 1 The TSF shall provide only assignment displaying dummy letters as authentication feedb...

Page 62: ...ser attribute definition FIA_USB 1 1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user assignment login user name of normal user login user name of MFP administrator available function list and user role FIA_USB 1 2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on th...

Page 63: ...P administrator Login user name of normal user for Basic Authentication Query Normal user who owns the applicable login user name Login user name of normal user for External Authentication Query modify delete newly create MFP administrator Login user name of supervisor Query modify Supervisor Newly create MFP administrator Query modify MFP administrator who owns the applicable login user name Logi...

Page 64: ...ation permission Query modify delete newly create MFP administrator Login user name of normal user for Basic Authentication Query Normal user who owns the applicable login user name Login user name of normal user for External Authentication Query modify delete newly create MFP administrator Query modify MFP administrator Available function list Query however query is not allowed in case of Externa...

Page 65: ... normal user No authorised identified roles FMT_MSA 3 b Static attribute initialisation Hierarchical to No other components Dependencies FMT_MSA 1 Management of security attributes FMT_SMR 1 Security roles FMT_MSA 3 1 b The TSF shall enforce the assignment TOE function access control SFP to provide selection assignment the permissive to the available function list restrictive to the function type ...

Page 66: ...Lockout for Basic Authentication Query MFP administrator Setting for Lockout Release Timer for Basic Authentication Query MFP administrator Lockout time for Basic Authentication Query MFP administrator Query modify MFP administrator Date setting year month day time setting hour minute Query Supervisor normal user Minimum character number for Basic Authentication Query MFP administrator Password co...

Page 67: ...ministrator Query of login user name of MFP administrator by supervisor New creation and modification of login password of normal user by MFP administrator when the Basic Authentication is used Modification of own login password by normal user when the Basic Authentication is used Modification of login password of supervisor by supervisor Modification of login password of MFP administrator by supe...

Page 68: ...hical to No other components Dependencies FIA_UID 1 Timing of identification FMT_SMR 1 1 The TSF shall maintain the roles assignment normal user supervisor MFP administrator and RC Gate FMT_SMR 1 2 The TSF shall be able to associate users with roles 6 1 6 Class FPT Protection of the TSF FPT_STM 1 Reliable time stamps Hierarchical to No other components Dependencies No dependencies FPT_STM 1 1 The ...

Page 69: ...ination of communication with RC Gate 6 1 8 Class FTP Trusted path channels FTP_ITC 1 Inter TSF trusted channel Hierarchical to No other components Dependencies No dependencies FTP_ITC 1 1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and ...

Page 70: ... ASE_ECD 1 Extended components definition ASE_INT 1 ST introduction ASE_OBJ 2 Security objectives ASE_REQ 2 Derived security requirements ASE_SPD 1 Security problem definition ASE Security Target evaluation ASE_TSS 1 TOE summary specification ATE_COV 2 Analysis of coverage ATE_DPT 1 Testing basic design ATE_FUN 1 Functional testing ATE Tests ATE_IND 2 Independent testing sample AVA Vulnerability a...

Page 71: ...O SOFTWARE VERIFIED O AUDIT LOGGED O STORAGE ENCRYPTED O RCGATE COMM PROTECT FAU_GEN 1 X FAU_GEN 2 X FAU_STG 1 X FAU_STG 4 X FAU_SAR 1 X FAU_SAR 2 X FCS_CKM 1 X FCS_COP 1 X FDP_ACC 1 a X X X FDP_ACC 1 b X FDP_ACF 1 a X X X FDP_ACF 1 b X FDP_RIP 1 X X FIA_AFL 1 X FIA_ATD 1 X FIA_SOS 1 X FIA_UAU 1 a X X FIA_UAU 1 b X X FIA_UAU 2 X X FIA_UAU 7 X FIA_UID 1 a X X FIA_UID 1 b X X FIA_UID 2 X X FIA_USB 1...

Page 72: ...To fulfil this security objective it is required to implement the following countermeasures 1 Specify and implement the access control to the document data FDP_ACC 1 a and FDP_ACF 1 a only allow the following persons to view document data according to the document data attributes the normal user who generated the document data or the normal user who is registered on the document user list of the d...

Page 73: ... by FDP_RIP 1 3 Use trusted channels for sending or receiving document data The document data sent and received by the TOE via the LAN interface are protected by FTP_ITC 1 4 Management of the security attributes FMT_MSA 1 a specifies the available operations newly create query modify and delete on the login user name and available operations query and modify on the document user list and a specifi...

Page 74: ...d data The TSF protected data sent and received by the TOE via the LAN are protected by FTP_ITC 1 By satisfying FMT_MTD 1 FMT_SMF 1 FMT_SMR 1 and FTP_ITC 1 which are the security functional requirements for these countermeasures O PROT NO_ALT is fulfilled O CONF NO_DIS Protection of TSF confidential data disclosure O CONF NO_DIS is the security objective to allow only users who can maintain the se...

Page 75: ...o that only valid users can use the TOE functions The authentication failure handling and verification of secrets are the security policies for authentication using passwords when the TOE is accessed from the Operation Panel or a Web browser of client computer documents are printed by using the client computer and faxed by LAN fax from the client computer To fulfil this security objective it is re...

Page 76: ...ion type FMT_MSA 3 b sets the permissive default value to the available function list and sets the restrictive default value to the function type By satisfying FDP_ACC 1 b FDP_ACF 1 b FIA_UID 1 a FIA_UID 1 b FIA_UID 2 FIA_UAU 1 a FIA_UAU 1 b FIA_UAU 2 FIA_ATD 1 FIA_USB 1 FIA_UAU 7 FIA_AFL 1 FIA_SOS 1 FTA_SSL 3 FMT_MSA 1 b and FMT_MSA 3 b which are the security functional requirements for these cou...

Page 77: ... the security intrusion and allow the MFP administrator to view the audit log To fulfil this security objective it is required to implement the following countermeasures 1 Record the audit log FAU_GEN 1 and FAU_GEN 2 record the events which should be auditable with the identification information of the occurrence factor 2 Protect the audit log FAU_STG 1 protects the audit logs from the alteration ...

Page 78: ...d RC Gate are concealed and any tampering on the communication path is detected To fulfil this security objective it is required to implement the following countermeasure 1 Use trusted channel for the communication with RC Gate FTP_ITC 1 allows the TOE to establish the communication that protects the data from tampering and disclosure for the communication between the TOE and RC Gate By satisfying...

Page 79: ...UID 1 a FIA_UID 1 a None FIA_UAU 1 b FIA_UID 1 b FIA_UID 1 b None FIA_UAU 2 FIA_UID 1 FIA_UID 2 None FIA_UAU 7 FIA_UAU 1 FIA_UAU 1 None FIA_UID 1 a None None None FIA_UID 1 b None None None FIA_UID 2 None None None FIA_USB 1 FIA_ATD 1 FIA_ATD 1 None FPT_FDI_EXP 1 FMT_SMF 1 FMT_SMR 1 FMT_SMF 1 FMT_SMR 1 None FMT_MSA 1 a FDP_ACC 1 a or FDP_IFC 1 FMT_SMR 1 FMT_SMF 1 FDP_ACC 1 a FMT_SMR 1 FMT_SMF 1 No...

Page 80: ... that it will be used in a general office and this TOE does not assume the attackers with the possibility of moderate or greater level attacks Architectural design ADV_TDS 2 is adequate to show the validity of commercially available products A high attack potential is required for the attacks that circumvent or tamper with the TSF which is not covered in this evaluation The vulnerability analysis ...

Page 81: ...e recorded and expanded log items are recorded only when audit events occur and the audit log items shown in Table 35 are recorded FPT_STM 1 The date year month day and time hour minute second the TOE records for the audit log are derived from the system clock of the TOE FAU_SAR 1 FAU_SAR 2 and FAU_STG 1 The TOE displays the operation menu for audit logs to be read on a Web browser screen only whe...

Page 82: ...who intends to use the TOE via RC Gate communication interface is excluded Table 35 List of Audit Log Items Audit Log Items Setting Values of Audit Log Items Audit Events to record Audit Logs Starting date time of an event Values of the TOE system clock at an event occurrence Ending date time of an event Values of the TOE system clock at an event occurrence Event types Audit event identity Subject...

Page 83: ...n password is complete When the TOE is used from the printer driver or fax driver the TOE receives the login user name and login password entered from each driver by a user When the entered login user name is the login user name of a normal user MFP administrator or supervisor the TOE checks if the entered login password match with the one pre registered in the TOE FIA_UAU 1 b and FIA_UID 1 b Appl...

Page 84: ...The TOE logs out immediately after receiving the transmission information from the fax driver The TOE terminates a session with RC Gate immediately after the communication with RC Gate is complete FIA_UAU 7 Regarding login passwords entered by a person who intends to use the TOE from the Operation Panel or a Web browser the TOE does not display the entered login password but it displays a sequence...

Page 85: ...ntification and authentication information of RC Gate When the TOE receives a certificate from an IT device to access the TOE via RC Gate communication interface the TOE checks if the certificate matches another certificate installed in the TOE Only if the certificate sent from the IT device matches the one installed in the TOE so that the IT device is identified as RC Gate the IT device whose use...

Page 86: ...r the TOE displays a list of the stored documents that register the login user names of the normal users who logged in to the document user list and an operation menu They will be displayed according to the rules shown in Table 37 The privileges that allow users to edit the document user list are shown in 7 8 Security Management Function Also the TOE allows only the user job owner to view and dele...

Page 87: ...s are privileged to use Document Server Function 2 Access control rule on user jobs The TOE displays on the Operation Panel a menu to cancel a user job only if the user who logs in from the Operation Panel is a user job owner or MFP administrator and a cancellation of a user job is attempted by the owner or MFP administrator Other users are not allowed to operate user jobs When a user job is cance...

Page 88: ...ws the encrypted communications provided by the TOE Table 38 Encrypted Communications Provided by the TOE Encrypted communications provided by the TOE Communicating Devices Protocols Cryptographic Algorithms Client computer TLS1 0 AES 128bits 256bits 3DES 168bits External authentication server Kerberos AES 128bits 256bits 3DES 168bits RC Gate SSL3 0 TLS1 0 AES 128bits 256bits 3DES 168bits FTP serv...

Page 89: ...the data so that data leakage can be prevented FCS_CKM 1 and FCS_COP 1 The TOE encrypts data before writing it on the HDD and decrypts the encrypted data after reading it from the HDD This process is applied to all data written on and read from the HDD Detailed cryptographic operations are shown in Table 39 Table 39 List of Cryptographic Operations for Stored Data Protection Encryption triggering ...

Page 90: ... Newly create MFP administrator Query modify Applicable MFP administrator Login user name of MFP administrator Operation Panel Web browser Query Supervisor Document data attributes No operation interfaces available No operations allowed Document user list Stored document types are Document Server document scanner document fax document and printer document with stored print Operation Panel Web brow...

Page 91: ...ed Operation Panel Web browser Query MFP administrator Settings for Lockout Release Timer when Basic Authentication is applied Web browser Query MFP administrator Lockout time for Basic Authentication Web browser Query MFP administrator Query modify MFP administrator Date settings year month day Operation Panel Web browser Query Supervisor normal user Query modify MFP administrator Time Operation ...

Page 92: ...whose operations are allowed by the TOE 1 The login user name of a normal user that is registered on an external authentication server is not changed even though the MFP administrator newly creates modifies and deletes the login user name of the normal user 2 If the MFP administrator modifies stored and received document users and if the stored document type of the document user list of document d...

Page 93: ...t from the client computer Document data stored document types are Document Server document scanner document and fax document Document user list Default values of a document user list assigned to each user Document data stored document type is printer document Document user list Login user name of a normal user who stored the document data Document data stored document type is fax received documen...

Page 94: ...ays the error message and becomes unavailable If the hash matches its original value and the certificate is verified the TOE becomes available The TOE also verifies the integrity of the audit log data files The TOE outputs the information used for integrity verification so that the integrity of the FCU Control Software can be verified To check the integrity of the FCU Control Software the informat...

Search results

Summary of Contents for Aficio MP C3001

Reviews:

Related manuals for Aficio MP C3001

Brands by name

Popular brands

Ricoh Aficio MP C3001, Manual

Search results

Summary of Contents for Aficio MP C3001

Reviews:

Related manuals for Aficio MP C3001

Brands by name

Popular brands