Ricoh Aficio MP C3001 Series Manual
  1. Manuals
  2. Brands
  3. Ricoh Manuals
  4. All in One Printer
  5. Aficio MP C3001
  6. Manual

Ricoh Aficio MP C3001 Series Manual

Security target
Hide thumbs Also See for Aficio MP C3001 Series:
Table of Contents

Advertisement

Quick Links

See also: User Manual , Quick Reference Manual
Portions of Aficio MP C3001/C3501 series Security Target are reprinted with
written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey
08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices,
Operational Environment A, Copyright © 2009 IEEE. All rights reserved.
This document is a translation of the evaluated and certified security target
written in Japanese.
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Aficio MP C3001/C3501 series
Security Target
Author : RICOH COMPANY, LTD.
Date
: 2011-07-18
Version : 1.00

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the Aficio MP C3001 Series and is the answer not in the manual?

Questions and answers

Related Manuals for Ricoh Aficio MP C3001 Series

Summary of Contents for Ricoh Aficio MP C3001 Series

  • Page 1 Date : 2011-07-18 Version : 1.00 Portions of Aficio MP C3001/C3501 series Security Target are reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, Copyright © 2009 IEEE. All rights reserved.

  • Page 2: Revision History

    Page 1 of 93 Revision History Version Date Author Detail 1.00 2011-07-18 RICOH COMPANY, LTD. Publication version. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 3: Table Of Contents

    Consistency Claim with TOE Type in PP..............32 2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ..32 2.4.3 Consistency Claim with Security Requirements in PP .......... 33 Security Problem Definitions ....................36 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 4 Tracing ........................69 6.3.2 Justification of Traceability..................71 6.3.3 Dependency Analysis ....................77 6.3.4 Security Assurance Requirements Rationale............79 TOE Summary Specification .....................80 Audit Function ......................80 Identification and Authentication Function ...............82 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 5 Document Access Control Function ................84 Use-of-Feature Restriction Function ................86 Network Protection Function ..................87 Residual Data Overwrite Function................87 Stored Data Protection Function................88 Security Management Function .................88 Software Verification Function...................93 7.10 Fax Line Separation Function..................93 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 6 Table 32 : Relationship between Security Objectives and Functional Requirements........70 Table 33 : Results of Dependency Analysis of TOE Security Functional Requirements ......77 Table 34 : List of Audit Events........................80 Table 35 : List of Audit Log Items ........................81 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 7 Table 39 : List of Cryptographic Operations for Stored Data Protection ............88 Table 40 : Management of TSF Data......................89 Table 41 : List of Static Initialisation for Security Attributes of Document Access Control SFP ....92 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 8: St Introduction

    1.05 Lanier LD635C, Web Uapl 1.01 Lanier LD630CG, NetworkDocBox 1.01 Lanier LD635CG, animation 1.00 nashuatec MP C3001, 1.02 nashuatec MP C3501, Rex-Rotary MP C3001, OptionPCLFont 1.02 Rex-Rotary MP C3501, Engine 1.03:04 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 9: Toe Overview

    This TOE is a digital multi function product (hereafter "MFP"), which is an IT device that inputs, stores, and outputs documents. 1.3.2 TOE Usage The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 10: Figure 1 : Example Of Toe Environment

    Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document. Network used in the TOE environment. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 11: Major Security Features Of Toe

    The TOE stores documents in it, and sends and receives documents to and from the IT devices connected to the LAN. To ensure provision of confidentiality and integrity for those documents, the TOE has the following security features: Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 12: Toe Description

    The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Unit, Controller Board, HDD, Ic Ctlr, Network Unit, USB Port, SD Card Slot, and SD Card. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 13: Figure 2 : Hardware Configuration Of The Toe

    NVRAM A non-volatile memory medium in which TSF data for configuring MFP operations is stored. Ic Key A security chip that has the functions of random number generation, cryptographic key generation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 14 TOE, is the identifier of the Fax Unit. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 15: Guidance Documents

    Guidance Documents for Product Components - C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Operating Instructions About This Machine D088-7603A - C9130/C9135/C9145/C9145A/C9155/C9155A C9130G/C9135G/C9145G/C9145AG/C9155G/C9155AG LD630C/LD635C/LD645C/LD645CA/LD655C/LD655CA LD630CG/LD635CG/LD645CG/LD645CAG/LD655CG/LD655CAG Aficio MP C3001/C3501/C4501/C4501A/C5501/C5501A Aficio MP C3001G/C3501G/C4501G/C4501AG/C5501G/C5501AG Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 16: Table 3 : Guidance For English Version-2

    - Notes for Users D572-7010 - Notes for Users D088-7608 - Notes for Users D088-7759A - Manuals for Users Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9 155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/ LD655C/LD655CG/LD655CA/LD655CAG D089-6906A - Manuals for Administrators...
  • Page 17 D088-7889 - App2Me Start Guide D085-7905B - Notes for Users D572-7010 - Notes for Users D088-7404 - Manuals for Users Aficio MP C3001/MP C3001G/MP C3501/MP C3501G/MP C4501/MP C4501G/MP C4501A/MP C4501AG/ MP C5501/MP C5501G/MP C5501A/MP C5501AG C9130/C9130G/C9135/C9135G/C9145/C9145G/C9145A/C9145AG/C9155/C9155G/C9 155A/C9155AG LD630C/LD630CG/LD635C/LD635CG/LD645C/LD645CG/LD645CA/LD645CAG/L D655C/LD655CG/LD655CA/LD655CAG D089-6906A...

  • Page 18: Table 4 : Guidance For English Version-3

    D088-7430 - To Users of This Machine D029-7904 - Manuals for Users Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A D089-6931A - Manuals for Administrators Security Reference Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A...

  • Page 19: Definition Of Users

    - Notes for Users D088-7608 - Notes for Users D088-7759A - Notes for Users D060-7781 - App2Me Start Guide D085-7906B - Manuals for Users Aficio MP C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A C3001/MP C3501/MP C4501/MP C4501A/MP C5501/MP C5501A D089-6908A - Manuals for Administrators...

  • Page 20: Direct User

    Authorised to manage networks and configure Network management settings. This privilege allows privilege configuration of network settings. Authorised to manage stored documents. This File management privilege privilege allows access management of stored documents. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 21: Indirect User

    Customer engineer The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 22: Logical Boundary Of Toe

    The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel. Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as a Document Server document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 23 TOE and with which secure communication can be ensured. E-mail transmission is possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE and with which secure communication can be ensured. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 24 Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted and downloaded from a Web browser. According to the guidance document, users first install the specified fax driver on their own client computers, and then use this function. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 25: Security Functions

    Also, this function provides the recorded audit log in a legible fashion for users to audit. This function can be used only by the MFP administrator to view and delete the recorded audit log. To view and delete the audit log, the Web Function will be used. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 26 If the Printer Function is used, the protection function can be enabled using the printer driver to specify encrypted communication. If the folder transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication. If the e-mail Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 27: Protected Assets

    Digitised documents, deleted documents, temporary documents and their data fragments, which are managed by the TOE. Function Jobs specified by users. In this ST, a "user job" is referred to as a "job". Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 28: Tsf Data

    FlashROM and SD Card. The components that identify the TOE include System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, LANG0, LANG1 and Data Erase Std. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 29 +PRT One of the document data attributes. Documents printed from the client computer, or documents stored in the TOE by locked print, hold print, and sample print using the client computer. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 30 This list is assigned as an attribute of each normal user. Operation Panel Consists of a touch screen LCD and key switches. The Operation Panel is used by users to operate the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 31 The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 32: Conformance Claim

    Package Claims The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are: 2600.1-PRT conformant 2600.1-SCN conformant 2600.1-CPY conformant 2600.1-FAX conformant 2600.1-DSR conformant Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 33: Conformance Claim Rationale

    TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 34: Consistency Claim With Security Requirements In Pp

    The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrator and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 35 While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 36 The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 37: Security Problem Definitions

    TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 38: Organisational Security Policies

    The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 39 A.ADMIN.TRUST Trusted administrator The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 40: Security Objectives

    The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 41: Security Objectives Of Operational Environment

    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 42: Non-It Environment

    Log audit The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 43: Security Objectives Rationale

    Table 11 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective. Table 11 : Rationale for Security Objectives T.DOC.DIS T.DOC.ALT T.FUNC.ALT T.PROT.ALT T.CONF.DIS T.CONF.ALT P.USER.AUTHORIZATION P.SOFTWARE.VERIFICATION P.AUDIT.LOGGING P.INTERFACE.MANAGEMENT P.STORAGE.ENCRYPTION P.RCGATE.COMM.PROTECT A.ACCESS.MANAGED A.ADMIN.TRAINING A.ADMIN.TRUST A.USER.TRAINING Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 44: Security Objectives Descriptions

    TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 45 P.USER.AUTHORIZATION is enforced by these objectives. P. SOFTWARE.VERIFICATION P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 46 By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from the physical access by the unauthorised persons. A.ACCESS.MANAGED is upheld by this objective. A.ADMIN.TRAINING A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 47 By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 48: Extended Components Definition

    Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 49 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 50: Security Requirements

    TOE. Table 12 : List of Auditable Events Functional Actions Which Should Be Auditable Auditable Events Requirements FDP_ACF.1(a) a) Minimal: Successful requests to Original: Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 51 Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user. FIA_UAU.2 a) Minimal: Unsuccessful use of the b) Basic: Success and failure of Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 52 Basic: All attempted uses of the trusted channel functions. d) Basic: Identification of the initiator and target of all trusted channel functions. FAU_GEN.2 User identity association Hierarchical to: No other components. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 53: Class Fcs: Cryptographic Support

    FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm in Table 13] and Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 54: Class Fdp: User Data Protection

    FDP_ACF.1 Security attribute based access control FDP_ACC.1.1(a) The TSF shall enforce the [assignment: document access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 15]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 55: Table 15 : List Of Subjects, Objects, And Operations Among Subjects And Objects (A)

    Table 17 : Subjects, Objects and Security Attributes (a) Category Subjects or Objects Security Attributes Subject Normal user process - Login user name of normal user - User role Subject MFP administrator process - User role Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 56: Table 18 : Rules To Control Operations On Document Data And User Jobs (A)

    Document +CPY Delete Normal user Not allowed. However, it is allowed for data process normal user process that created the document data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 57: Table 19 : Additional Rules To Control Operations On Document Data And User Jobs (A)

    [assignment: deny the operations on the document data and user jobs in case of supervisor process or RC Gate process]. FDP_ACF.1(b) Security attribute-based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 58: Table 20 : Subjects, Objects And Security Attributes (B)

    No dependencies. FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: user documents]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 59: Class Fia: Identification And Authentication

    No dependencies. FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: the security attributes listed in Table 24 for each user in Table 24]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 60: Table 24 : List Of Security Attributes For Each User That Shall Be Maintained

    Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is authenticated (refinement: authentication with Basic Authentication). Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 61 No dependencies. FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 62: Class Fmt: Security Management

    The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none]. 6.1.5 Class FMT: Security management FMT_MSA.1(a) Management of security attributes Hierarchical to: No other components. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 63: Table 26 : User Roles For Security Attributes (A)

    [when document data attribute is (+DSR)] modify document data Document user list Query, MFP administrator [when document data attribute modify (+FAXIN)] -: No user roles are permitted for operations by the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 64: Table 27 : User Roles For Security Attributes (B)

    FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1(a) The TSF shall enforce the [assignment: document access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 65: Table 28 : Authorised Identified Roles Allowed To Override Default Values

    FMT_MTD.1 Management of TSF data Hierarchical to: No other components. Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 66: Table 29 : List Of Tsf Data

    S/MIME user information (however, operation of query on user certificate is not allowed in case of External Authentication) Newly create, modify, query, MFP administrator Destination information for delete folder transmission Query Normal user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 67: Table 30 : List Of Specification Of Management Functions

    Query and modification of document user list by the normal user who stored the document Query and modification of available function list by MFP administrator Query of own available function list by normal user when the Basic Authentication is used Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 68: Class Fpt: Protection Of The Tsf

    The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]]. FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 69: Class Fta: Toe Access

    The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 31 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3). Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 70: Security Requirements Rationale

    Table 32 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 32 shows that each TOE security functional requirement fulfils at least one TOE security objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 71: Table 32 : Relationship Between Security Objectives And Functional Requirements

    Table 32 : Relationship between Security Objectives and Functional Requirements FAU_GEN.1 FAU_GEN.2 FAU_STG.1 FAU_STG.4 FAU_SAR.1 FAU_SAR.2 FCS_CKM.1 FCS_COP.1 FDP_ACC.1(a) FDP_ACC.1(b) FDP_ACF.1(a) FDP_ACF.1(b) FDP_RIP.1 FIA_AFL.1 FIA_ATD.1 FIA_SOS.1 FIA_UAU.1(a) FIA_UAU.1(b) FIA_UAU.2 FIA_UAU.7 FIA_UID.1(a) FIA_UID.1(b) FIA_UID.2 FIA_USB.1 FPT_FDI_EXP.1 FMT_MSA.1(a) FMT_MSA.1(b) FMT_MSA.3(a) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 72: Justification Of Traceability

    FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name, and available operations (query and modify) on the document user list, and a specified user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 73 Deletion is the only modification operation on this TOE's user jobs. (2) Use trusted channels for sending or receiving user jobs. The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 74 The TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1. By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_DIS is fulfilled. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 75 FDP_ACC.1(b) and FDP_ACF.1(b) allow the applicable normal user to use the MFP application according to the operation permission granted to the successfully identified and authenticated normal user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 76 (2) Automatically terminate the connection to the Operation Panel and LAN interface. FTA_SSL.3 terminates the session after no operation is performed from the Operation Panel or LAN interface for certain period. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 77 O.STORAGE.ENCRYPTED Encryption of storage devices O.STORAGE.ENCRYPTED is the security objective to ensure the data to be written into the HDD is encrypted. To fulfil this security objective, it is required to implement the following countermeasures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 78: Dependency Analysis

    FPT_STM.1 FPT_STM.1 None FAU_GEN.2 FAU_GEN.1 FAU_GEN.1 None FIA_UID.1 FIA_UID.1 FAU_STG.1 FAU_GEN.1 FAU_GEN.1 None FAU_STG.4 FAU_STG.1 FAU_STG.1 None FAU_SAR.1 FAU_GEN.1 FAU_GEN.1 None FAU_SAR.2 FAU_SAR.1 FAU_SAR.1 None FCS_CKM.1 [FCS_CKM.2 or FCS_COP.1 FCS_CKM.4 FCS_COP.1] Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 79 [FDP_ACC.1(b) FDP_ACC.1(b) None or FDP_IFC.1] FMT_SMR.1 FMT_SMR.1 FMT_SMF.1 FMT_SMF.1 FMT_MSA.3(a) FMT_MSA.1(a) FMT_MSA.1(a) None FMT_SMR.1 FMT_SMR.1 FMT_MSA.3(b) FMT_MSA.1(b) FMT_MSA.1(b) None FMT_SMR.1 FMT_SMR.1 FMT_MTD.1 FMT_SMR.1 FMT_SMR.1 None FMT_SMF.1 FMT_SMF.1 FMT_SMF.1 None None None Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 80: Security Assurance Requirements Rationale

    TOE operation according to flow reporting procedure (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 81: Toe Summary Specification

    Shutdown of the Audit Function (*1) Success and failure of login operations (*2) Success and failure of login operations from RC Gate communication interface Table 30 Record of Management Function Date settings (year/month/day), time settings (hour/minute) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 82: Table 35 : List Of Audit Log Items

    - Communication with RC Gate Communicating IP address Communicating IP address - Web Function communication - Folder transmission - Printing via networks - LAN Fax via networks - Communication with RC Gate Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 83: Identification And Authentication Function

    When the entered login user name is not the login user name of the MFP administrator or supervisor, the entered login user name and login password are sent to an external authentication server for confirmation. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 84: Table 36 : Unlocking Administrators For Each User Role

    "unlocking administrator" shown in Table 36 and specified for each user role releases the lockout. Table 36 : Unlocking Administrators for Each User Role User Roles (Locked out Users) Unlocking Administrators Normal user MFP administrator Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 85: Document Access Control Function

    FDP_ACC.1(a) and FDP_ACF.1(a) The TOE controls user operations for document data and user jobs in accordance with (1) access control rule on document data and (2) access control rule on user jobs. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 86: Table 37 : Stored Documents Access Control Rules For Normal Users

    Operation Scanner Function Scanner documents Folder transmission Panel Delete Fax transmission Operation Folder transmission Fax Function Fax transmission documents Panel Print Delete Operation Print Fax Function Fax reception documents Panel Delete Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 87: Use-Of-Feature Restriction Function

    The Use-of-Feature Restriction Function is to authorise TOE users to use Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified and authenticated TOE users and user privileges set for each user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 88: Network Protection Function

    For sequential overwriting, the TOE constantly monitors the information on a residual data area, and overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 89: Stored Data Protection Function

    Function, and 3) set appropriate default values to security attributes, all of which accord with user role privileges or user privileges that are assigned to normal users, MFP administrator, or supervisor. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 90: Table 40 : Management Of Tsf Data

    Web browser modify user who stored the documents Query, MFP administrator modify Query Operation Panel, Available function list (Query is Web browser Applicable normal unavailable for user External Authentication) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 91 Query, Audit log Web browser MFP administrator delete HDD cryptographic key Operation panel Newly create MFP administrator Newly create, Operation Panel, modify, S/MIME user information MFP administrator Web browser query, delete Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 92 FMT_MSA.3(a) and FMT_MSA.3(b) The TOE sets default values for objects and subjects according to the rules described in Table 41 when those objects and subjects are generated. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 93: Table 41 : List Of Static Initialisation For Security Attributes Of Document Access Control Sfp

    Document Server Function, or Fax Function is available. For Basic Authentication, these values are specified by the MFP administrator. For External Authentication, the values indicate that none of the functions is available. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 94: Software Verification Function

    Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

This manual is also suitable for:

Aficio mp c3501 series

Table of Contents

Save PDF