CRP-C0266-01
Certification Report
Kazumasa Fujie, Chairman
Information-technology Promotion Agency, Japan

Target of Evaluation
Application date/ID: 2010-2-22 (ITC-0289)
Certification No.: C0266
Sponsor: RICOH COMPANY, Ltd.
Name of TOE
Version of TOE
PP Conformance
Assurance Package
Developer
Evaluation Facility

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the "IT Security Evaluation and Certification Scheme".
- Common Criteria for Information Technology Security Evaluation Version 3.1 Release 2
- Common Methodology for Information Technology Security Evaluation Version 3.1 Release 2
Evaluation Result: Pass
"Following MFP with FCU (Fax Option Type C5000).
Notice: This document is the English translation of the Certification Report published by the Certification Body of the Japan Information Technology Security Evaluation and Certification Scheme.
Table of Contents
1. Executive Summary 1
1.1 Product Overview 1
1.1.1 Assurance Package 1
1.1.2 TOE and Security Functionality 1
1.1.2.1 Threats and Security Objectives
8.2 Recommendations 37
9. Annexes 37
10. Security Target 37
11. Glossary 38
12. Bibliography
1. Executive Summary
This Certification Report describes the content of the certification result in relation to the IT Security Evaluation of "Following MFP with FCU (Fax Option Type C5000).
Functions from unauthorised persons by limiting the usage of the Security Management Functions. For these security functionalities, the validity of the design policy and the correctness of the implementation are evaluated within the scope of the assurance package. The next clause describes the threats and assumptions assumed for this TOE.
1.1.2.
They shall not abuse their own privileges, leak or tamper with the document data that are the protected assets, or deactivate the Security Functions of the TOE.
1.1.3 Disclaimers
This TOE cannot assure security in the following cases:
- If the settings in the Service Mode Lock Function are disabled, the TOE is no longer CC-certified from that point on.
- In the same way, if the TOE is configured with the following settings, the TOE will not be CC-certified.
2. Identification of TOE
The TOE is identified as follows:
Name of TOE: Following MFP with FCU (Fax Option Type C5000).
3. Security Policy
This chapter describes the security function policies and organisational security policies. The TOE imports users' paper documents, receives document data from client computers connected via the network, stores the confidential document data on the HDD of the TOE, and outputs it by printing and delivery. The TOE is therefore a digital MFP with Security Functions covering the receiving, storing and outputting of document data.
Identifier | Threat
T.TRANSIT | Attackers may illegally obtain, leak or tamper with document data or print data sent or received by the TOE via the internal network.
*Note: The "document and print data sent or received by the TOE" can also exist on the USB interface or telephone lines; however, obtaining and tampering with data in transit through these media is not considered a threat.
T.FAX_LINE | Attackers may illegally gain access to the TOE through telephone lines.
3.1.1.
usage and access to document data, is countered by user identification and authentication and by the access control of protected assets. When users request the use of TOE functions, the TOE checks, according to the user's role, whether the user is authorised to use the function and grants permission accordingly. The available roles for the TOE are as follows:
- General User
- Supervisor
- Administrator
The administrator has the following roles.
Table 3-2 Relation between Operational Authorities for the Document Data and the Operation Permission (Document File Owner)

Authorised Operations          | Operational Authorities for the Document Data
                               | View | Edit | Edit/Delete | Full Control
Read Document Data             |  X   |  X   |      X      |      X
Delete Document Data           |  -   |  -   |      X      |      X
Change Print Settings          |  -   |  X   |      X      |      X
Modify Document Data ACL       |  -   |  -   |      -      |      X
  - Newly create document file users
  - Delete document file users
  - Change operational authorities

As mentioned above, although a
(file administrators), such as management of the document data ACL, management of administrator information, etc.) Whatever the contents of the document data ACL, the administrator (file administrator) is allowed to delete all document data and to modify all document data ACLs (newly create document file users, delete document file users, and change operational authorities and document file owners).
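As an added illustration (not code from the report or from Ricoh), the following Python models the permission matrix of Table 3-2 together with the file administrator override described above. The dict-based ACL layout, the role string "file_administrator" and the sample users are assumptions of this example.

```python
"""Document data permission check modelled on Table 3-2 of the report.
Added example, not Ricoh's code: the authority/operation matrix and the file
administrator override come from the report; the ACL layout (user -> Authority),
the role string "file_administrator" and the sample users are assumptions."""
from enum import Enum


class Authority(Enum):
    """Operational authorities a document file owner can grant (Table 3-2)."""
    VIEW = "view"
    EDIT = "edit"
    EDIT_DELETE = "edit/delete"
    FULL_CONTROL = "full control"


_ALL = {Authority.VIEW, Authority.EDIT, Authority.EDIT_DELETE, Authority.FULL_CONTROL}

# One entry per row of Table 3-2: the authorities marked "X" for that operation.
# "modify_acl" covers creating/deleting document file users and changing
# their operational authorities.
PERMITTED = {
    "read": _ALL,
    "delete": {Authority.EDIT_DELETE, Authority.FULL_CONTROL},
    "change_print_settings": {Authority.EDIT, Authority.EDIT_DELETE, Authority.FULL_CONTROL},
    "modify_acl": {Authority.FULL_CONTROL},
}

# Operations a file administrator may perform on every document whatever its
# ACL says: the report grants delete and ACL modification only, not reading.
FILE_ADMIN_OVERRIDE = {"delete", "modify_acl"}


def is_permitted(user, roles, acl, operation):
    """True if `user` holding `roles` may perform `operation` on a document
    whose ACL is `acl` (dict: user name -> Authority)."""
    if operation not in PERMITTED:
        raise ValueError(f"unknown operation: {operation}")
    if "file_administrator" in roles and operation in FILE_ADMIN_OVERRIDE:
        return True
    authority = acl.get(user)  # users not listed in the ACL get nothing
    return authority is not None and authority in PERMITTED[operation]


def decision_table(acl, users):
    """Evaluate every operation for each user (`users`: name -> set of roles);
    handy for checking a deployed ACL against the expected matrix."""
    return {name: {op: is_permitted(name, roles, acl, op) for op in PERMITTED}
            for name, roles in users.items()}


# Constructed sample: owner keeps Full Control, two users hold lesser
# authorities, and the file administrator is not listed in the ACL at all.
SAMPLE_ACL = {"owner": Authority.FULL_CONTROL, "alice": Authority.EDIT, "bob": Authority.VIEW}
SAMPLE_USERS = {"owner": set(), "alice": set(), "bob": set(), "fadmin": {"file_administrator"}}
```

Running decision_table(SAMPLE_ACL, SAMPLE_USERS) reproduces the "X" pattern of Table 3-2 for the three listed users and shows the file administrator obtaining only delete and ACL modification.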
According to their roles, users are permitted to use the Security Management Functions.
5) Management Function of Machine Control Data
> Administrator (File Administrator)
+ Query the date and time of the system clock
+ Query the Service Mode Lock Function
> Administrator (Machine Administrator)
+ Query and modify Number of Attempts before Lockout
+ Query and modify Settings for Lockout Release Timer
+ Query and modify Lockout Time
+ Query and modify the date and time of the system clock
+ Query and modify Lockout Flag of supervisor
+ Query and newly create HDD Encryption Keys
+ Query audit
The TOE generates a 256 bit encryption key using a key generation algorithm that conforms to BSI-AIS 31. Using the generated key and the AES cryptographic algorithm conforming to FIPS PUB 197, the TOE encrypts the document data and stores it on the HDD, and decrypts it when loading the document data from the HDD.
fax data, transfers the received data from the fax process of the fax unit to the fax reception process of the controller board. In addition, recording the actions taken by the intrusion prevention via telephone lines in the audit logs enables security breaches to be detected afterwards if the intrusion prevention via telephone lines is not performed correctly. Therefore, T.
4. Assumptions and Clarification of Scope
This chapter describes the assumptions and the operational environment needed to operate the TOE, as useful information for the reader's judgment before using the TOE.
4.1 Usage Assumptions
Table 4-1 shows the assumptions for operating the TOE. The effective performance of the TOE Security Functions is not assured unless these assumptions are satisfied.
Table 4-1 Assumptions in Use of the TOE
Identifier | Assumptions
A.
4.2 Environment Assumptions
This TOE is installed in general offices and connected to the internal network, and it is used from client computers likewise connected to the internal network. Figure 4-1 shows the general operational environment assumed for this TOE.
Figure 4-1 Operational Environment and Configuration
Figure 4-1 gives an example environment for handling office documents in general offices, where the TOE is assumed to be used.
TOE and SMB server. However, the reliability of the hardware shown in this configuration and of the software running on it is outside the scope of this evaluation, but they are considered fully reliable.
4.
Basic Function | Explanation | Protected Assets | Protection
Fax Function (Reception) | Receive fax data from the connected telephone lines, and print or store the received fax data on the HDD. Especially when storing on the HDD, this function converts the fax data to Fax Reception Data and then stores it (encrypted) in the D-BOX.
Fax Function (Immediate Transmission / Memory Transmission)
Fax Function (Stored Documents Fax Transmission)
Fax Function (Fax Transmission from Computer)
Fax Function (IP-Fax) | Fax Function (IP-Fax) is outside the scope of this evaluation. Do not use this function.
Fax Function (Internet Fax Function)
Scanner Function (Scan)
Scanner Function (Administration)
Receiving print data via USB from a client computer is outside the scope of this evaluation. | Print data
After decrypting the document data (only for the Scanner Function) stored in the D-BOX, the Web browser of a client computer downloads the data by encrypted communication via the internal network.
Document Server Function (Scan) | Scan paper documents using the scanner engine, and encrypt and store the documents as document data (non-Scanner Function) in the D-BOX.
Document Server Function (Web)
Web Service Function | Remotely operate the TOE by authorised TOE users (general users, administrators, and the supervisor) using a Web browser running on a client computer. However, this function can only operate the functions described in this table from "Copy function" to "Management function"; some functions are not available through it. | Web communication (Command, Document data, etc.
5. Architectural Information
This chapter explains the scope of the TOE and the purpose of and relations between its main components.
5.1 TOE boundary and components
The TOE consists of the configuration items shown in Figure 5-1. The TOE is equipped with the Fax Unit (FCU), which is an optional product for the MFP.
Figure 5.
(4) Network Unit
The Network Unit is an interface board for connection to an Ethernet (100BASE-TX/10BASE-T) network.
(5) Controller Board
The controller board contains processors, RAM, NVRAM, the Ic Key and FlashROM. The Ic Key is a security chip that generates random numbers and encryption keys and detects any tampering with the MFP control software. The MFP control software is installed in the FlashROM on this Controller Board.
However, the following environments and settings of the TOE must not be changed:
- Store and restore address book data to the SD card.
6. Documentation
The identification of the documents attached to the TOE is listed below. The documents attached to this TOE come in the following four sets, which differ by selling area and sales company. The differences between the sets are explained below; apart from those differences, the content is the same.
Document Name | Part number
Manuals for Users: C2828/C3333/C4040/C5050, MP C2800/MP C3300/MP C4000/MP C5000, LD528C/LD533C/LD540C/LD550C, Aficio MP C2800/MP C3300/MP C4000/MP C5000 | D029-6648A
Manuals for Administrators: C2828/C3333/C4040/C5050, MP C2800/MP C3300/MP C4000/MP C5000, LD528C/LD533C/LD540C/LD550C, Aficio MP C2800/MP C3300/MP C4000/MP C5000 | D029-6649A
Notes for Security Functions | D029-7415
Notes for Administrators: Using this Machine in a CC-Certified Environment | D029-7412
Table 6-
Table 6-3 [English version - 3] Product attachment documents for Asia
Document Name | Part number
MP C2800/C3300/C4000/C5000, MP C2800/C3300/C4000/C5000, Aficio MP C2800/C3300/C4000/C5000 Operating Instructions About This Machine | D029-7605
MP C2800/C3300/C4000/C5000, MP C2800/C3300/C4000/C5000, Aficio MP C2800/C3300/C4000/C5000 Operating Instructions Troubleshooting | D029-7655A
Quick Reference Copy Guide | D029-7527
Quick Reference Fax Guide | D393-8507
Quick Reference Printer Guide | D029-7806
7. Evaluation conducted by Evaluation Facility and results
7.1 Evaluation Approach
The evaluation was conducted using the evaluation methods prescribed in the CEM, in accordance with the assurance components in CC Part 3. Details of the evaluation activities are reported in the Evaluation Technical Report, which explains the summary of the TOE, the content of the evaluation and the verdict of each work unit.
7.
[Figure: developer testing configuration. Three MFPs (Aficio MP C3300G, MP C3300, Aficio MP C2800), a telephone switchboard simulator (TLE-101Ⅲ), PSTN certificate issuance, four hubs (LSW2-GT-8NPR, LSW2-GT-16NPR), a router (RTX-1000), an internal network independent of office networks, a mail server, an SMB/FTP server (OS: Windows Server 2003), and client PCs (OS: Windows XP; Web browsers IE6.0 and IE8.0).]
Table 7-1 explains the non-TOE configuration items used in the developer testing.
Table 7-1 Developer Testing Configuration Items
Configuration Item | Detail
Client Computer (3 machines) | Web browser: Internet Explorer 6.0 (IE6), Internet Explorer 7.0 (IE7), Internet Explorer 8.0 (IE8). Driver: PCL 6 driver V1.0.0.0 or V1.2.0.0, LAN Fax driver V1.
items of the TOE" were developed by the developer and were used after confirming that they operate normally.
Table 7-2 Tools for the Developer Testing
Name of tool
WireShark 1.0.2
Zenmap 4.
evaluator:
1) Evaluator Independent Testing Environment
Figure 7-2 shows the evaluator independent testing configuration executed by the evaluator.
[Figure 7-2: two MFPs (Aficio MP C3300G, Aficio MP C2800), a telephone switchboard simulator (TLE-101Ⅲ), PSTN certificate issuance, four hubs (LSW2-GT-8NPR, LSW2-GT-16NPR), a router (RTX-1000), an internal network independent of office networks, a mail server, an SMB/FTP server (OS: Windows Server 2003), and client PCs.]
IPSec, S/MIME), supplementary tests were executed to ensure that these functions always work effectively. Taking these viewpoints into account, and in order to test the Security Functions and interfaces, 192 items were identified for sampling testing of the developer testing.
- Testing is performed for the following behaviours, which are essential to verifying correct operation of the Security Functions.
> Every possible combination of the Access Control Function related to stored documents.
The independent testing used the tools of Table 7-2 from the developer testing. For the evaluator independent testing, 40 items for independent testing and 192 items for sampling testing are specified in Tables 7-3 and 7-4.
Number | Category name of testing item | Number of testing items
16 | Password entry | 9
17 | Confirming the firm validity | 3
18 | Encryption of HDD data | 1
19 | Generation of encryption key and update processing | 2
Total | | 192
c. Result
All the executed evaluator independent testing was completed correctly, and the evaluator confirmed the behaviour of the TOE. The evaluator confirmed consistency between the expected behaviour and all the testing results.
7.3.
b. Evaluator Penetration Testing
Outline
The evaluators executed the following penetration testing to identify possibly exploitable vulnerabilities. The testing environment is the same as that of the evaluator independent testing, and the configuration figure is also the same as Figure 7-2.
No. | Overview of Penetration Testing
T8 | Ensured that access via URL is denied even if URLs for protected assets and TOE resources are derived from URLs used by the TOE. Ensured that no means of access to the TOE is usable through the Web interfaces without prior identification and authentication of the user. Ensured that no Security Functions are usable through the Web interfaces without prior identification and authentication of the user.
8. Certification
The certification body conducted the following certification based on the materials submitted by the Evaluation Facility during the evaluation process.
1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall be properly reflected.
3. Evidential materials submitted were sampled, their contents were examined, and the related work units shall be evaluated as presented in the Evaluation Technical Report.
4.
11. Glossary
The abbreviations relating to CC used in this report are listed below.
CC   Common Criteria for Information Technology Security Evaluation
CEM  Common Methodology for Information Technology Security Evaluation
EAL  Evaluation Assurance Level
PP   Protection Profile
ST   Security Target
TOE  Target of Evaluation
TSF  TOE Security Functionality
The abbreviations relating to the TOE used in this report are listed below.
The definitions of terms used in this report are listed below.
Address Book: A database containing general user information for each general user.
Administrator: One of the authorised TOE users who manages the TOE. Administrators are given administrator roles and perform administrative operations accordingly. Up to four administrators can be registered, and each administrator is given one or more administrator roles.
Administrator: Management Functions given to administrators.
Internet Fax: A function that reads a fax original, then converts the scanned image to an e-mail format for sending as data over the Internet to a machine with an e-mail address.
IP-Fax: A function that sends and receives document files between two faxes that are directly connected to a TCP/IP network. It can also send document files to a fax that is connected to a telephone line.
IPv4 Protocol
IPv6 Protocol
LAN-Fax Transmission
Lockout
Print Settings: Settings for printed output, including paper size, printing magnification, and custom information (such as duplex or layout settings).
Processor: Hardware that processes the instructions of software in the computer. It has an arithmetic logic unit, a peripheral circuit, and memory units that store instructions or data.
S/MIME
User Information
Sending by E-mail
SMB Protocol
SMB Server
SMTP server
Stored Data Protection