Sindoh MF2000, MF3000, MF4000, N610,

N410 Series
Security Target Lite V 1.0

1
 Document history
Version Date Description of change Remarks
V1.0 2017. 04. 03 Publication version

2
 Table of Contents

1. ST Introduction................................................................................................................................................ 8

1.1 Security Target References .......................................................................................................................... 8

1.2 TOE References ............................................................................................................................................... 8

1.3 TOE Overview .................................................................................................................................................. 9

1.3.1 TOE Type ................................................................................................................................................... 9

1.3.2 Purposes of TOE ...................................................................................................................................... 9

1.3.3 Major Security Features of TOE ..................................................................................................... 11

1.4 TOE Description ........................................................................................................................................... 12

1.4.1 Physical Boundary of TOE ................................................................................................................ 12

1.4.2 Logical Boundary of TOE .................................................................................................................. 14

1.4.2.1 Basic Functions .................................................................................................................................. 14

1.4.2.2 Security Functions ............................................................................................................................ 15

1.5 Terms and Definitions................................................................................................................................. 17

2. Conformance Claim..................................................................................................................................... 18

2.1 Conformance to Common Criteria......................................................................................................... 18

2.2 Conformance to Protection Profiles ....................................................................................................... 18

2.3 Conformance to Packages ......................................................................................................................... 18

2.4 Conformance Claim Rationale................................................................................................................. 18

3. Security Problem Definition ..................................................................................................................... 19

3.1 Threats ............................................................................................................................................................. 20

3.2 Organizational Security Policies.............................................................................................................. 20

3.3 Assumptions ................................................................................................................................................... 21

4. Security Objectives ...................................................................................................................................... 22

3
4.1 Security Objectives for the TOE ............................................................................................................. 22

4.2 Security Objectives for Operational Environment ........................................................................... 22

4.3 Security Objective Rationale .................................................................................................................... 24

5. Extended Components Definition ........................................................................................................... 27

6. Security Requirements ............................................................................................................................... 29

6.1 Security Functional Requirements ......................................................................................................... 33

6.1.1 Security Audit Class............................................................................................................................. 33

6.1.2 Cryptographic Support Class ........................................................................................................... 36

6.1.3 User Data Protection Class ................................................................................................................ 38

6.1.4 Identification and Authentication Class ........................................................................................ 41

6.1.5 Security Management Class .............................................................................................................. 43

6.1.6 TSF Protection Class ........................................................................................................................... 47

6.1.7 TOE Access Class ................................................................................................................................. 48

6.1.8 Trusted Path/Channel Class.............................................................................................................. 49

6.2 Assurance Requirements ........................................................................................................................... 50

6.2.1 Security Target Class........................................................................................................................... 50

6.2.2 Development Class................................................................................................................................ 55

6.2.3 Guidance Document Class ................................................................................................................. 58

6.2.4 Lifecycle Support Class....................................................................................................................... 59

6.2.5 Test Class ................................................................................................................................................. 61

6.2.6 Vulnerability Assessment Class ....................................................................................................... 63

6.3 Security Requirements Rationale ........................................................................................................... 64

6.3.1 Security Functional Requirements Rationale .............................................................................. 64

6.3.2 Security Assurance Requirements Rationale .............................................................................. 68

6.3.3 Dependency Rationale ......................................................................................................................... 68

4
7. TOE Summary Specification .................................................................................................................... 71

7.1 TOE Security Functions ............................................................................................................................. 71

7.1.1 Identification and Authentication ................................................................................................... 71

7.1.2 Access Control ....................................................................................................................................... 71

7.1.3 Audit.......................................................................................................................................................... 72

7.1.4 Security Management .......................................................................................................................... 73

7.1.5 Stored data protection ......................................................................................................................... 74

7.1.6 Self-Testing ............................................................................................................................................. 75

7.1.7 Fax Data Control................................................................................................................................... 75

7.1.8 Secure Communication ....................................................................................................................... 75

5
 List of Tables

[Table 1] General Specifications of MFP ............................................................................................................ 10

[Table 2] Firmware and software included in the TOE .................................................................................... 13

[Table 3] Secure Communication Protocol ......................................................................................................... 16

[Table 4] Threats to TOE ......................................................................................................................................... 20

[Table 5] Organizational Security Policies .......................................................................................................... 20

[Table 6] Assumptions for the TOE....................................................................................................................... 21

[Table 7] Security Objectives for the TOE .......................................................................................................... 22

[Table 8] Security Objectives for operational environment ............................................................................ 22

[Table 9] Completeness of Security Objectives ................................................................................................. 24

[Table 10] Sufficiency of Security Objectives .................................................................................................... 24

[Table 11] Definitions of subjects .......................................................................................................................... 29

[Table 12] User data .................................................................................................................................................. 30

[Table 13] TSF data ................................................................................................................................................... 30

[Table 14] TSF data ................................................................................................................................................... 31

[Table 15] Basic Functions provided by the TOE .............................................................................................. 31

[Table 16] Attributes ................................................................................................................................................. 32

[Table 17] Definitions of external entities ........................................................................................................... 32

[Table 18] Auditable events .................................................................................................................................... 33

[Table 19] Cryptographic operation ...................................................................................................................... 37

[Table 20] Data access control SFP ....................................................................................................................... 39

[Table 21] Basic function access control SFP .................................................................................................... 40

[Table 22] Managing of TSF data .......................................................................................................................... 46

6
[Table 23] Management functions ......................................................................................................................... 47

[Table 25] Completeness of security requirements ........................................................................................... 64

[Table 26] Security Functional Requirements Rationale ................................................................................. 65

[Table 27] Dependencies on the TOE Security Functional Components ..................................................... 68

[Table 28] Dependencies on the Assurance Requirements ............................................................................. 69

[Table 29] Audit events ............................................................................................................................................ 72

[Table 30] Managing of TSF Data ......................................................................................................................... 73

[Table 31] Encrypted Communication Provided by TOE ................................................................................ 75

7
1. ST Introduction
This document describes Security Target of Sindoh MF2000, MF3000, MF4000, N610, N410
Series (hereafter "TOE”). This security target describes the basic information on the
identification and operational environment of TOE and the security requirements and
assurance requirements provided by TOE. The purpose of this security target is to protect the
hardcopy device in the commercial information processing environment, which requires mid-
level document security, network security and security assurance.

1.1 Security Target References

This security target can be uniquely identified by the following reference information.

Title Sindoh MF2000, MF3000, MF4000, N610, N410 Series Security Target Lite
Version V1.0
Date April 3, 2017
Author Sindoh SW Development Department

1.2 TOE References

This security target can uniquely identify TOE using the following reference information. TOE
identification can be uniquely identified using the TOE name and SW Package.

TOE name Sindoh MF2000, MF3000, MF4000, N610, N410 Series

Date March 27, 2017
Developer Sindoh Co., Ltd.
SW Package JUNIPER_Pkg_170327_2 (JUNIPER_Pkg_170327_2.zip)
Components JUNIPER_CTL : JUNIPER_170327_2
JUNIPER_S_EGB : 02.06.41
JUNIPER_S_UICC : 0.0.8
JUNIPER_S_DFC : 01.59
JUNIPER_BANK : 1.02
JUNIPER_C_EGB : 02.06.40
JUNIPER_C_UICC : 0.0.8
JUNIPER_C_DFC : 01.45
MFP model MF2083, MF3033, MF4041, MF4091, N610, N611, N612, N613, N410, N411

8
1.3 TOE Overview
This section defines TOE Type, TOE Usage and Major Security Features of TOE.

1.3.1 TOE Type

TOE is IT products that control the functions of all MFPs (Multi-Function Peripherals1) including the
copy, print, scan, and fax functions.

1.3.2 Purposes of TOE

The operational environment of the TOE is illustrated below and the usage of TOE is described in this section.

[Figure 1] TOE operational environment

The TOE is used by connecting to the local area network (hereafter "LAN") as shown in [Figure 1].
Users can operate the TOE from the Operation Panel of the TOE or through LAN communications.
TOE (MFP) and hardware and software other than TOE will be described below.

1
MFP: A hardcopy device that fulfills multiple purposes by using multiple functions in different combinations
to replace several, single function devices.
9
The purpose of TOE (MFPs) and the specifications by MFP model are as follows.

 MFPs: The TOE is the MFP. The MFP is connected to LAN, and users can perform the following
operations from the Operation Panel of the MFP:

- Various settings for the MFP

- Copy: duplicating a hardcopy document

- Print: producing a hardcopy document from its electronic form

- Scan: producing an electronic document from its hardcopy form

- Fax: scanning documents in hardcopy form and transmitting them in electronic form over
PSTN(Public Switched Telephone Network) and receiving documents in electronic form over
PSTN and printing them in hardcopy form

TOE provides the following 10 MFP models and the detailed specifications of each model
are shown in the table below.

[Table 1] General Specifications of MFP

MFP Model N410 N411 N610 N611 N612 N613 MF2083 MF3033 MF4041 MF4091
Specification
Copy speed
26 30 26 30 40 45 26 30 40 45
(unit: ppm)
Memory(RAM) 1GB 2GB
Scanner Type CIS CCDM
Duplex Standard
5 inch Color
OP Type 9 inch Color TFT LCD
TFT LCD
CPU Quad Core (800MHz Dual Core + 533MHz Dual Core)
FAX module Standard
(None) or
SD Card (None) or 64GB 32GB
32GB
Storage
(None) or
SSD (None) or 256GB (None) or 256GB
256GB
Nand Flash 512MB 512MB 512MB
PS/PCL Control Standard (PCL 6, PCL5e, PS3)
* The options listed in [Table 1] are provided as a standard.
* SD Card and SSD are optional products provided at the user’s request, and are used for storing user data.

The external IT entities and software that are not included in TOE but needed for TOE operation are as follows:

 Web browser: Provides communication function between the Client Computer and the MFP.

 Printer driver: The software installed in the computer to use the TOE Print function.

10
 Scanner driver: The software installed in the computer to use the TOE Scan function.

 Client Computer: A computer that performs as a client of the TOE if it is connected to the LAN,
and users can remotely operate the MFP from the client computer. The possible remote operations
from the client computer are as follows:

- Various settings for the MFP using a Web browser installed on the client computer

- Storage and/or printing of documents using the printer driver installed on the client computer

- Storage image and/or sending scan command using the scan driver installed on the client
computer.

 Firewall: A device to prevent the office environment from network attacks via the Internet.

 File Server (FTP, WebDAV, and CIFS): A server used by the TOE for folder transmission of the
stored documents in the TOE to its folders.

 Mail Server: A server used by the TOE for e-mail transmission.

1.3.3 Major Security Features of TOE

The TOE stores documents in it, and sends and receives documents to and from the IT devices
connected to the LAN. To ensure provision of confidentiality and integrity for those documents, the
TOE has the following security features:

- Identification and Authentication

- Access Control

- Stored Data Protection

- Audit

- Secure Communication

- Security Management

- Self-Testing

- Fax Data Control

11
1.4 TOE Description
This section describes Physical Boundary of TOE, Guidance Documents, Definition of Users, Logical
Boundary of TOE, and Protected Assets.

1.4.1 Physical Boundary of TOE

The physical boundary of the TOE is the MFP, which consists of the following hardware
components: DFC Board, Operation Panel Unit, Engine Controller, System Controller Card,
Optional Tray, Printer Engine, USB Host CN, Flatbed Engine, SD Card, SSD, DC Power
Unit, AC Power Unit, Fax Board

[Figure 2] Hardware configuration of the TOE

 Printer Engine: Prints an electronic document as a hardcopy document

 USB Host CN: The connection device for USB flash drive

 DFC Board: The board for controlling the document feeder

 Flatbed Engine: Flatbed scanner device

 Operation Panel Unit: UI touch pad device provided to user so that he/she can use the TOE

 Engine Controller: Control board for controlling the Printer Engine

 System Controller Card: Control card for controlling the overall functions of the MFP

12
 SD Card: User data storage device

 SSD (Solid State Disk): User data storage device

 Optional Tray: Additional paper feeder

 DC Power Unit: Power button on the Operation Panel Unit

 AC Power Unit: Power switch connected to the power supply

 Fax Board: Fax modem for sending and receiving facsimile

 Near Field Communication (NFC): The near field communication device to provide the IP
information to the NFC terminal

The firmware and software included in the TOE are as follows:

[Table 2] Firmware and software included in the TOE

N610, N611, N612, N613, MF2083,

Classification N410, N411
MF3033, MF4041, MF4091

Controller S/W JUNIPER_CTL :JUNIPER_170327_2

Engine Control F/W JUNIPER_C_EGB :02.06.40 JUNIPER_S_EGB :02.06.41

UICC Control F/W JUNIPER_C_UICC :0.0.8 JUNIPER_S_UICC :0.0.8

DFC Control F/W JUNIPER_C_DFC :01.45 JUNIPER_S_DFC :01.59

Tray Control F/W JUNIPER_BANK :1.02

The Guidance Documents for using the TOE are as follows:

- Sindoh MF2000, MF3000, MF4000, N610, N410 Series User Manual V1.8 (N410/MF Series)

Sindoh MF2000, MF3000, MF4000, N610, N410 Series User Manual V1.8 (N610/MF
Series)

13
1.4.2 Logical Boundary of TOE

The basic functions and security functions are described as follows:

[Figure 3] TOE logical scope

1.4.2.1 Basic Functions

The basic functions are described as follows:

- Print function

producing a hardcopy document from its electronic form

- Scan function

producing an electronic document from its hardcopy form.

- Copy function

duplicating a hardcopy document.

14
 - Fax function

scanning documents in hardcopy form and transmitting them in electronic form over PSTN
and receiving documents in electronic form over PSTN and printing them in hardcopy form

1.4.2.2 Security Functions

The security functions are described as follows:

- Identification and Authentication

To be able to access the TOE (using LUI or RUI) and use its functions, users must be
identified and authenticated using their ID/password. The identification and authentication
data of a user is stored in the database inside the TOE. When a user makes authentication
errors for the number of consecutive times pre-defined by the administrator, the
authentication will be limited according to the following authentication policies.

Administrator: Authentication is delayed for a specified amount of time

Normal user: Authentication is prevented until it is re-allowed by the administrator

Normal users can be identified and authenticated only through LUI, and the administrator
can be identified and authenticated through both LUI and RUI.

- Access Control

The TOE controls users who can access the document data generated by the print, scan, fax
and copy function based on the user ID, and denies all accesses except for document owners.
According to the basic function access right set by the administrator, the execution rights are
controlled based on user ID and user role. All accesses of normal users except the ones
explicitly permitted by the administrator are denied. The TOE provides the function to deny
all accesses except for the IPs allowed by the administrator.

- Audit

The TOE stores and manages internal history of actions occurring in the TOE, such as the
MFP job log, fax log, and audit log. These logs can be viewed and managed only by the
administrator through the operation panel. The job log (Print, Scan and Copy) and the fax log
can be viewed by the administrator and normal users.

- Security management

The TOE provides Security Management functions for managing TSF data and security
attributes (e.g. management of audit records, user management, IP filtering function
management, and user data repository management) necessary for safely managing the TOE.
Security management functions can be performed only by the administrator through LUI or
RUI.

15
- Stored Data Protection

Temporal save data for printing/fax transmission and permanent archive data are stored in the
user data repository (SD Card or SSD) installed in the TOE. To protect the user data stored in
the data repository, the function to encrypt the data repository is provided. Also, the function
to delete the data stored in the data repository is provided to prevent user data in the data
repository from leaking out.

- Self-Testing

To demonstrate correct operation of the TSF, the TOE conducts self-tests at start-up, at a
regular intervals, and at the request of authorized users. It also provides the function to verify
the integrity of TSF data and TSF to authorized users to assure that the TSF is operating
correctly.

- Fax data control

Unless explicitly permitted by the authorized administrative role, the forwarding of inbound
fax data through PSTN to external interfaces is limited by the TOE. Except for the fax data,
the forwarding of the data received from all external interfaces to all other external interfaces
is also limited.

- Secure Communication

The TOE provides an encrypted communication channel for the communication between
TOE and external IT entity to protect user data or TSF data transmitted.

[Table 3] Secure Communication Protocol

External IT Entity Encrypted Communication Protocol

Client Computer IPSec, TLS

FTP server IPSec, TLS

WebDAV server IPSec, TLS

Mail server IPSec, TLS

CIFS server IPSec

16
1.5 Terms and Definitions

- LUI (Local User Interface): The interface for general users and administrators who directly
access, use, and manage the MFP by using the operation panel

- RUI (Remote User Interface): The interface for general users and administrators who
remotely access, use, and manage the MFP over the web

- Operation Panel: The MFP's panel that provides LUI for interacting with users to perform
functions including security management and viewing the audit log

- Print: Print a hardcopy document from a document source in electronic form

- Scan: Produce an electronic document from a document source in hardcopy form

- Copy: Duplicate a hardcopy document

- Fax: Transmit and receive facsimiles of hardcopy documents over PSTN

- User data repository: The SD card or SSD (Solid-state disk) for storing user data

- TLI (Top Level Index): The identifier for classifying finished products

- User: Authorized users including normal users and administrators who have full or limited
access permission to MFP functions.

- Normal User: The users who are authorized by the administrator to perform actions on the
user document data by using the TOE.

- Administrator: Users with special privilege to manage the whole or parts of TOE and thus
influencing the TOE security policy.

- MFP Controller Software: A software component installed in the TOE. This component is
stored in NAND Flash Memory.

17
2. Conformance Claim
This section describes Conformance Claim.

2.1 Conformance to Common Criteria

 Common Criteria Identification

 Common Criteria for information Technology Security Evaluation, Part 1: Introduction and
general model, version 3.1r4, 2012. 9, CCMB-2012-09-001

 Common Criteria for Information Technology Security Evaluation, Part 2: SFR (Security
Functional Requirement), version 3.1r4, 2012. 9, CCMB-2012-09-002

 Common Criteria for Information Technology Security Evaluation, Part 3: SAR (Security
Assurance Requirement), version 3.1r4, 2012. 9, CCMB-2012-09-003

 Common Criteria Conformance

 Common Criteria for Information Technology Security Evaluation, Part 2 extended

 Common Criteria for Information Technology Security Evaluation, Part 3 conformant

2.2 Conformance to Protection Profiles

This security target does not conform to the protection profile.

2.3 Conformance to Packages

This security target conforms to the following assurance package:

 Assurance Package: EAL2

2.4 Conformance Claim Rationale

As this security target does not conform to the protection profile, no conformance claim rationale is
provided.

18
3. Security Problem Definition
This section describes threats, security policies of the organization, and assumptions.

The assets are as follows:

1) User data

User Data are data created by and for Users and do not affect the operation of the TOE
Security Functionality (TSF). This type of data is composed of two objects: User Document
Data and User Function Data.

User Document Data (D.DOC) consists of the information contained in a user’s document.
This includes the original document itself in either hardcopy or electronic form, image data,
or residually-stored data created by the hardcopy device while processing an original
document and printed hardcopy output.

User Function Data (D.FUNC) are the information about a user’s document or job to be
processed by the TOE.

2) TSF data

TSF Data are data (D.PROT) created by and for the TOE and that might affect the operation
of the TOE. This type of data is composed of two objects: TSF Protected Data and TSF
Confidential Data.

TSF Protected Data are assets for which alteration by a User who is neither an Administrator
nor the owner of the data would have an effect on the operational security of the TOE, but for
which disclosure is acceptable.

TSF Confidential Data (D.CONF) are assets for which either disclosure or alteration by a
User who is neither an Administrator nor the owner of the data would have an effect on the
operational security of the TOE.

3) TOE functions

Functions perform processing, storage, and transmission of data that may be present in TOE.

19
3.1 Threats
This security problem definition addresses threats posed by four categories of threats:

- Persons who are not permitted to use the TOE who may attempt to use the TOE.

- Persons who are authorized to use the TOE who may attempt to use TOE functions for which
they are not authorized.

- Persons who are authorized to use the TOE who may attempt to access data in ways for
which they are not authorized.

- Persons who unintentionally cause a software malfunction that may expose the TOE to
unanticipated threats

[Table 4] Threats to TOE

Threat Affected asset Description

T.DOC.DIS D.DOC User document data may be disclosed to unauthorized persons
T.DOC.ALT D.DOC User document data may be altered by unauthorized persons
T.FUNC.ALT D.FUNC User function data may be altered unauthorized persons
T.PROT.ALT D.PROT TSF protection data may be altered by unauthorized persons
T.CONF.DIS D.CONF TSF confidential data may be disclosed to unauthorized persons
T.CONF.ALT D.CONF TSF confidential data may be altered by unauthorized persons

3.2 Organizational Security Policies

[Table 5] Organizational Security Policies

Name Definition
To preserve operational accountability and security, Users will be
P.USER.AUTHORIZATION
authorized to use the TOE only as permitted by the TOE Owner
To detect corruption of the executable code in the TSF, procedures will
P.SOFTWARE.VERIFICATION
exist to self-verify executable code in the TSF.
To preserve operational accountability and security, records that provide an
audit trail of TOE use and security-relevant events will be created,
P.AUDIT.LOGGING
maintained, and protected from unauthorized disclosure or alteration, and
will be reviewed by authorized personnel.
To prevent unauthorized use of the external interfaces of the TOE,
P.INTERFACE.MANAGEMENT operation of those interfaces will be controlled by the TOE and its IT
environment.

20
3.3 Assumptions
[Table 6] Assumptions for the TOE

Assumption Definition
The TOE is located in a restricted or monitored environment that provides
A.ACCESS.MANAGED protection from unmanaged access to the physical components and data
interfaces of the TOE.
TOE Users are aware of the security policies and procedures of their
A.USER.TRAINING organization and are trained and competent to follow those policies and
procedures.
Administrators are aware of the security policies and procedures of their
organization, are trained and competent to follow the manufacturer’s guidance
A.ADMIN.TRAINING
and documentation, and correctly configure and operate the TOE in
accordance with those policies and procedures.
A.ADMIN.TRUST Administrators do not use their privileged access rights for malicious purposes.

21
4. Security Objectives
This section describes Security Objectives for TOE, Security Objectives of Operational Environment
and Security Objectives Rationale.

4.1 Security Objectives for the TOE

[Table 7] Security Objectives for the TOE

Objectives Definition
O.DOC.NO_DIS The TOE shall protect User Document Data from unauthorized disclosure.
O.DOC.NO_ALT The TOE shall protect User Document Data from unauthorized alteration.
O.FUNC.NO_ALT The TOE shall protect User Function Data from unauthorized alteration.
O.PROT.NO_ALT The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS The TOE shall protect TSF Confidential Data from unauthorized disclosure
O.CONF.NO_ALT The TOE shall protect TSF Confidential Data from unauthorized alteration.
The TOE shall require identification and authentication of Users and shall
O.USER.AUTHORIZED ensure that Users are authorized in accordance with security policies before
allowing them to use the TOE.
The TOE shall manage the operation of external interfaces in accordance with
O.INTERFACE.MANAGED
security policies.
O.SOFTWARE.VERIFIED The TOE shall provide procedures to self-verify executable code in the TSF.
The TOE shall create and maintain a log of TOE use and security-relevant
O.AUDIT.LOGGED
events and prevent its unauthorized disclosure or alteration.

4.2 Security Objectives for Operational Environment

[Table 8] Security Objectives for operational environment

Objectives Definition
If audit records are exported from the TOE to another trusted IT
OE.AUDIT_STORAGE.PROTECTED product, the TOE Owner shall ensure that those records are protected
from unauthorized access, deletion and modifications.
If audit records generated by the TOE are exported from the TOE to
another trusted IT product, the TOE Owner shall ensure that those
OE.AUDIT_ACCESS.AUTHORIZED
records can be accessed in order to detect potential security violations,
and only by authorized persons.
The IT environment shall provide protection from unmanaged access
OE.INTERFACE.MANAGED
to TOE external interfaces.
The TOE shall be placed in a secure or monitored area that provides
OE.PHYSICAL.MANAGED
protection from unmanaged physical access to the TOE.
The TOE Owner shall ensure that Users are aware of the security
OE.USER.TRAINED policies and procedures of their organization and have the training and
competence to follow those policies and procedures.
The TOE Owner shall ensure that TOE Administrators are aware of
the security policies and procedures of their organization; have the
OE.ADMIN.TRAINED training, competence, and time to follow the manufacturer’s guidance
and documentation; and correctly configure and operate the TOE in
accordance with those policies and procedures.

22
 The TOE Owner shall establish trust that TOE Administrators will not
OE.ADMIN.TRUSTED
use their privileged access rights for malicious purposes.
The TOE Owner shall ensure that audit logs are reviewed at
OE.AUDIT.REVIEWED appropriate intervals for security violations or unusual patterns of
activity.
The TOE Owner shall grant permission to Users to be authorized to
OE.USER.AUTHORIZED use the TOE according to the security policies and procedures of their
organization.

23
4.3 Security Objective Rationale
This section demonstrates that each threat, organizational security policy, and assumption are
mitigated by at least one security objective for the TOE, and that those Security Objectives counter
the threats, enforce the policies, and uphold the assumptions.

[Table 9] Completeness of Security Objectives

Definition of security problems

P.INTERFACE.MANAGEMENT
P.SOFTWARE.VERIFICATION
P.USER.AUTHORIZATION

A.ACCESS.MANAGED

A.ADMIN.TRAINING
P.AUDIT.LOGGING

A.USER.TRAINING

A.ADMIN.TRUST
T.FUNC.ALT

T.CONF.ALT
T.PROT.ALT

T.CONF.DIS
T.DOC.ALT
T.DOC.DIS

Security Objectives
O.DOC.NO_DIS O
O.DOC.NO_ALT O
O.FUNC.NO_ALT O
O.PROT.NO_ALT O
O.CONF.NO_DIS O
O.CONF.NO_ALT O
O.USER.AUTHORIZED O O O O O O O
O.INTERFACE.MANAGED O
O.SOFTWARE.VERIFIED O
O.AUDIT.LOGGED O
OE.AUDIT_STORAGE.PROTECTED O
OE.AUDIT_ACCESS.AUTHORIZED O
OE.INTERFACE.MANAGED O
OE.PHYSICAL.MANAGED O
OE.USER.TRAINED O
OE.ADMIN.TRAINED O
OE.ADMIN.TRUSTED O
OE.AUDIT.REVIEWED O
OE.USER.AUTHORIZED O O O O O O O

[Table 10] Sufficiency of Security Objectives

Threats, policies, and

Summary Objectives and rationale
assumptions
User document data may be O.DOC.NO_DIS protects D.DOC from
disclosed to unauthorized unauthorized disclosure.
persons. O.USER.AUTHORIZED establishes responsibility
T.DOC.DIS of the TOE Owner to appropriately grant
authorization.
OE.USER.AUTHORIZED establishes responsibility of
the TOE Owner to appropriately grant authorization.
User document data may be O.DOC.NO_ALT protects D.DOC from
altered by unauthorized persons. unauthorized alteration.
O.USER.AUTHORIZED establishes user
identification and authentication as the basis for
T.DOC.ALT authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.

24
T.FUNC.ALT User Function data may be O.FUNC.NO_ALT protects D.FUNC from
altered by unauthorized persons. unauthorized alteration.
O.USER.AUTHORIZED establishes user
identification and authentication as the basis for
authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.
T.PROT.ALT TSF protection data may be O.PROT.NO_ALT protects D.PROT from
altered by unauthorized persons. unauthorized alteration.
O.USER.AUTHORIZED establishes user
identification and authentication as the basis for
authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.
T.CONF.DIS TSF confidential data may be O.CONF.NO_DIS prevents D.CONF from
disclosed to unauthorized unauthorized disclosure.
persons. O.USER.AUTHORIZED establishes user
identification and authentication as the basis for
authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.
T.CONF.ALT TSF confidential data may be O.CONF.NO_ALT protects D.CONF from
altered by unauthorized persons. unauthorized alteration.
O.USER.AUTHORIZED establishes user
identification and authentication as the basis for
authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.
P.USER.AUTHORIZATION Users will be authorized to use O.USER.AUTHORIZED establishes user
the TOE. identification and authentication as the basis for
authorization.
OE.USER.AUTHORIZED establishes
responsibility of the TOE Owner to
appropriately grant authorization.
P.SOFTWARE.VERIFICATION Procedures will exist to self-verify O.SOFTWARE.VERIFIED provides procedures to
executable code in the TSF. self-verify executable code in the TSF.
P.AUDIT.LOGGING An audit trail of TOE use and O.AUDIT.LOGGED creates and maintains a log of
security-relevant events will be TOE use and security-relevant events and prevents
created, maintained, protected, unauthorized disclosure or alteration.
and reviewed. OE.AUDIT_STORAGE.PROTECTED protects
exported audit records from unauthorized access,
deletion, and modifications.
OE.AUDIT_ACCESS.AUTHORIZED establishes
responsibility of, the TOE Owner to provide
appropriate access to exported audit records.
OE.AUDIT.REVIEWED establishes responsibility
of the TOE Owner to ensure that audit logs are
appropriately reviewed.
P.INTERFACE.MANAGEMENT Operation of external interfaces O.INTERFACE.MANAGED manages the
will be controlled by the TOE operation of external interfaces in accordance with
and its IT environment. security policies.
OE.INTERFACE.MANAGED establishes a
protected environment for TOE external interfaces.
A.ACCESS.MANAGED The TOE environment provides OE.PHYSICAL.MANAGED establishes a
protection from unmanaged protected physical environment for the TOE.
access to the physical
components and data interfaces
of the TOE.

25
A.USER.TRAINING Administrators are aware of and OE.USER.TRAINED establishes responsibility of
trained to follow security the TOE Owner to provide appropriate User
policies and procedures. training.
A.ADMIN.TRAINING TOE Users are aware of and OE.ADMIN.TRAINED establishes responsibility
trained to follow security of the TOE Owner to provide appropriate
policies and procedures. Administrator training.
A.ADMIN.TRUST Administrators do not use their OE.ADMIN.TRUST establishes responsibility of
privileged access rights for the TOE Owner to have a trusted relationship with
malicious purposes. Administrators.

26
5. Extended Components Definition

FPT_FDI_EXP Restricted forwarding of data to external interfaces

Family behavior

This family defines requirements for the TSF to restrict direct forwarding of information from one
external interface to another external interface.

Many products receive information on specific external interfaces and are intended to transform and
process this information before it is transmitted on another external interface. However, some
products may provide the capability for attackers to misuse external interfaces to violate the security
of the TOE or devices that are connected to the TOE’s external interfaces. Therefore, direct
forwarding of unprocessed data between different external interfaces is forbidden unless explicitly
allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify
this kind of functionality.

Component leveling:

FPT_FDI_EXP Restricted forwarding of data to external interfaces 1

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to
require TSF controlled processing of data received over defined external interfaces before these data
are sent out on another external interface. Direct forwarding of data from one external interface to
another one requires explicit allowance by an authorized administrative role.

Management: FPT_FDI_EXP.1

The following actions could be considered for the management functions in FMT:

a) Definition of the role(s) that are allowed to perform the management activities

b) Management of the conditions under which direct forwarding can be allowed by an administrative
role

c) Revocation of such an allowance

Audit: FPT_FDI_EXP.1

There are no auditable events foreseen.

27
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces

Hierarchical to: No other components

Dependencies: FMT SMF.1 Specification of Management Functions

FMT_SMR.1 Security roles

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on
[assignment: list of external interfaces] from being forwarded without further
processing by the TSF to [assignment: list of external interfaces].

Rationale

Quite often, a TOE is supposed to perform specific checks and process data received on one external
interface before such (processed) data are allowed to be transferred to another external interface. That
is, direct forwarding of such data between different external interfaces is therefore a function that—if
allowed at all—can only be allowed by an authorized role.

It has been viewed as useful to have this functionality as a single component that allows specifying
the property to disallow direct forwarding and require that only an authorized role can allow this.
Since this is a function that is quite common for a number of products, it has been viewed as useful to
define an extended component.

The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in
this ST, the authors needed to express the control of both user data and TSF data flow using
administrative control instead of attribute-based control. It is considered inappropriate to use
FDP_IFF and FDP_IFC by applying refinement for this purpose. Therefore, the authors decided to
define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in
either the FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors
believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the
existing families in either class, and this led the authors to define a new family with just one member.

28
6. Security Requirements
This section describes Security Functional Requirements, Security Assurance Requirements and
Security Requirements Rationale. The operations (creation rule) applied to security function
requirements are as follows:

 Iteration

Iterated functional components are given unique identifiers by appending to the component name,
short name, and functional element name from the CC an iteration number inside parenthesis, for
example, FIA_AFL.1 (1) and FIA_AFL.1 (2).

 Assignment

The assignment operation is used to assign a specific value to an unspecified parameter such as the
length of a password. Showing the value in square brackets [assignment_value(s)] indicates an
assignment.

 Selection

The selection operation is used to select one or more options provided by the CC in stating a
requirement. Selections are denoted by underlined italicized text.

 Refinement

The refinement operation is used to add detail to a requirement, and, thus, further restricts a
requirement. Refinement of security requirements is denoted by bold text.

This ST defines all subjects, objects, operations, security attributes, and external entities used in
security requirements, as follows:

Subject (User)

Users are entities that are external to the TOE and which interact with the TOE. There may be two
types of Users: Normal and Administrator.

[Table 11] Definitions of subjects

Designation Definition
U.USER Any authorized User.
A User who is authorized to perform User Document Data processing
U.NORMAL
functions of the TOE
A User who has been specifically granted the authority to manage all of
the TOE and whose actions may affect the TOE security policy (TSP).
U.ADMINISTRATOR
Administrators may possess special privileges that provide capabilities
to override portions of the TSP.

29
Objects

Objects are passive entities in the TOE, that contain or receive information, and upon which Subjects
perform Operations. In this Protection Profile, Objects are equivalent to TOE Assets. There are three
types of Objects: User Data, TSF Data, and Functions.

User data

User Data are data created by and for Users and do not affect the operation of the TOE Security
Functionality (TSF). This type of data is composed of two objects: User Document Data and User
Function Data.

[Table 12] User data

Designation Definition
User Document Data consist of the information contained in a user’s document. This
includes the original document itself in either hardcopy or electronic form, image data, or
D.DOC
residually stored data created by the hardcopy device while processing an original
document and printed hardcopy output.
User Function Data are the information about a user’s document or job to be processed by
D.FUNC
the TOE.

TSF data

TSF Data are data created by and for the TOE and that might affect the operation of the TOE. This
type of data is composed of two objects: TSF Protected Data and TSF Confidential Data.

[Table 13] TSF data

Designation Definition
TSF Protected Data are assets for which alteration by a User who is neither an
D.PROT Administrator nor the owner of the data would have an effect on the operational security of
the TOE, but for which disclosure is acceptable.
TSF Confidential Data are assets for which either disclosure or alteration by a User who is
D.CONF neither an Administrator nor the owner of the data would have an effect on the operational
security of the TOE.

30
The TSF data used in the TOE is as follows:

[Table 14] TSF data

TSF data list TSF confidential data TSF protection data

Address book O
Job log, fax log O
Audit log O
User ID O
User password O
User roles (basic function) O
Security fax setting O
Network setting O
Security warning mail setting O
Mail server setting O
SD Card setting (LUI) O
SSD setting (LUI) O
Service port O
IPSec setting O
SNMP setting O
Login limit time O
Number of login attempts O
IP filtering setting O
Administrator connection IP
O
setting
Output authentication setting O
Fax data control setting O
MFP time setting O

TOE functions

TOE functions process, store, and send the data in the TOE.

[Table 15] Basic Functions provided by the TOE

Designation Definition
Printing: a function in which electronic document input is converted to physical document
F.PRT
output
Scanning: a function in which physical document input is converted to electronic document
F.SCN
output
Copying: a function in which physical document input is duplicated to physical document
F.CPY
output
Faxing: a function in which physical document input is converted to a telephone-based
F.FAX document facsimile (fax) transmission, and a function in which a telephone-based
document facsimile (fax) reception is converted to physical document output

31
Attributes

It refers to an identification of the functions related to certain data (e.g. security attributes) when data
is processed, stored, and sent. With the attributes of the TOE, it is possible to discriminate the
functions that are being executed from the related SFRs.

[Table 16] Attributes

Designation Description
+PRT Indicates data that are associated with a print job.
+SCN Indicates data that are associated with a scan job.
+CPY Indicates data that are associated with a copy job.
+FAXIN Indicates data that are associated with an inbound (received) fax job.
+FAXOUT Indicates data that are associated with an outbound (sent) fax job.

Operations

Operations are specific types of actions performed by a subject on an Object. This security target
includes 6 types of operations (read, modify, delete, register, backup/restoring the data, and execute).

External entities

[Table 17] Definitions of external entities

External entities Description

File server A server used by the TOE for folder transmission of the stored documents in the
(FTP, WebDAV, CIFS) TOE to its folders
Mail server A server used by the TOE for e-mail transmission.

32
6.1 Security Functional Requirements
The security function requirements defined in this security target are the related security function
components selected from Common Criteria Part 2 to meet the Security Objectives identified in
Chapter 4.

6.1.1 Security Audit Class

FAU_ARP.1 Security alarms

Hierarchical to: No other components

Dependencies: FAU_SAA.1 Potential violation analysis

FAU_ARP.1.1 The TSF shall take [send a warning mail to the administrator (U.ADMINISTRATOR)] upon
detection of a potential security violation.

FAU_GEN.1 Audit data generation

Hierarchical to: No other components
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events.
a) Start-up and shut-down of the audit functions;

b) All auditable events for the not specified level of audit; and

c) [See the auditable events in [Table 18]]

[Table 18] Auditable events

SFR-related Auditable Events History of Auditable Events Related SFR

Audit log repository fill-up Details of audit log repository fill-up FAU_STG.4
Administrator/user authentication History of responses to authentication FIA_AFL.1
failure failures
Administrator/user authorization Authentication success/failure history FIA_UAU.1
Data access control setting History of data access control setting FMT_MSA.1(1)
change change
Basic function access control History of basic function access control FMT_MSA.1(2)
setting change setting change
Network information flow control History of network information flow FMT_MSA.1(3)
setting change control setting change
Data access control setting History of data access control setting FMT_MSA.3(1)
change change
Basic function access control History of basic function access control FMT_MSA.3(2)
setting change setting change
Network information flow control History of network information flow FMT_MSA.3(3)
setting change control setting change
Security management result History of administrator’s security FMT_MTD.1
management
Self-test result Self-test result(success/failure) FPT_TST.1
Session end result Session end details FTA_SSL.3

33
 Auditable event related to basic History of auditable event Remark
functions
Copy Copy record Auditable events of
Scan Scan record basic functions that
Fax Fax send/receive record are not related to
Print Print record SFR

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:

a) Date and time of the event, type of event, subject identity (if applicable), and the
outcome (success or failure) of the event; and

b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, [None].

FAU_GEN.2 User identity association

Hierarchical to: No other components

Dependencies: FAU_GEN.1 Audit data generation

FIA_UID.1 Timing of identification

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to
associate each auditable event with the identity of the user that caused the event.

FAU_SAA.1 Potential violation analysis

Hierarchical to: No other components

Dependencies: FAU_GEN.1 Audit data generation

FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and
based upon these rules indicate a potential violation of the enforcement of the
SFRs.

FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:

a) Accumulation or combination of [continuous failures of user authorization (the

failure count follows the administrator’s setting)] known to indicate a potential
security violation;

b) [in case of the audit records repository fill-up, and a self-test result error]

34
FAU_SAR.1 Audit review

Hierarchical to: No other components.

Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.1.1 The TSF shall provide [U.ADMINISTRATOR] with the capability to read [all
audit records] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to
interpret the information.

FAU_SAR.2 Restricted audit review

Hierarchical to: No other components

Dependencies: FAU_SAR.1 Audit review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except
those users that have been granted explicit read-access.

FAU_SAR.3 Selectable audit review

Hierarchical to: No other components

Dependencies: FAU_SAR.1 Audit review

FAU_SAR.3.1 The TSF shall provide the ability to apply [Select] of audit data based on
[User ID].

FAU_STG.1 Protected audit trail storage

Hierarchical to: No other components

Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from
unauthorized deletion.

FAU_STG.1.2 The TSF shall be able to protect unauthorized modifications to the stored
audit records in the audit trail.

35
FAU_STG.4 Prevention of audit data loss

Hierarchical to: FAU_STG.3 Action in case of possible audit data loss

Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.4.1 The TSF shall overwrite the oldest stored audit records and [send a warning email
to the administrator] if the audit trail is full.

6.1.2 Cryptographic Support Class

FCS_CKM.1(1) Cryptographic key generation

Hierarchical to: No other components

Dependencies: [FCS_CKM.2 Cryptographic key distribution or

FCS_COP.1 Cryptographic operation]

FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified the
cryptographic key generation algorithm [Sindoh user data repository cryptographic
key generation algorithm] and specified cryptographic key sizes [256-bits] that
meet the following [None].

Application Note: This component describes that generate of cryptographic keys used to encrypt the
user data repository.

FCS_CKM.1(2) Cryptographic key generation

Hierarchical to: No other components

Dependencies: [FCS_CKM.2 Cryptographic key distribution or

FCS_COP.1 Cryptographic operation]

FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [Password Based Key Derivation Function
(PBKDF1)] and specified cryptographic key sizes [256-bits] that meet the
following [RFC2898].

Application Note: This component describes that generate of cryptographic keys used for the address
book backup/restore function.

36
FCS_CKM.4 Cryptographic key destruction

Hierarchical to: No other components

Dependencies: [FDP_ITC.1 Import of user data without security attributes or

FDP_ITC.2 Import of user data including security attributes or

FCS_CKM.1 Cryptographic key generation]

FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified
cryptographic key destruction method [initialized to 0(zero)] that meets the
following: [None].

FCS_COP.1 Cryptographic operation

Hierarchical to: No other components

Dependencies: [FDP_ITC.1 Import of user data without security attributes or

FDP_ITC.2 Import of user data including security attributes or

FCS_CKM.1 Cryptographic key generation]

FCS_CKM.4 Cryptographic key destruction

FCS_COP.1.1 The TSF shall perform the [Cryptographic operations in Table 19] in accordance
with a specified cryptographic algorithm [Algorithm in Table 19] and the
cryptographic key sizes [Cryptographic key sizes in [Table 19] that meet the
following: [None].

[Table 19] Cryptographic operation

Cryptographic operation Algorithm Cryptographic key size

User data repository
encryption
AES-CBC 256
User data repository
decryption
Address book backup data
encryption
AES-CBC 256
Address book backup data
decryption

37
6.1.3 User Data Protection Class

FDP_ACC.1(1) Subset access control

Hierarchical to: No other components

Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1 The TSF must enforce the [data access control SFP] on [Table 20].

FDP_ACC.1(2) Subset access control

Hierarchical to: No other components

Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1 The TSF shall enforce the [basic function access control SFP] on [Table 21].

FDP_ACF.1(1) Security attribute based access control

Hierarchical to: No other components

Dependencies: FDP_ACC.1 Subset access control

FMT_MSA.3 Static attribute initialization

FDP_ACF.1.1 The TSF shall enforce the [data access control SFP] to objects based on the
following: [subjects, objects and the security attributes and operations of subjects
and objects in Table 20].

FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among
controlled subjects and controlled objects is allowed: [the following list: Table 20].

FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the
following additional rules: [None].

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following
additional rules: [None].

38
 [Table 20] Data access control SFP

Security
SFP name Object Attribute(s) Operation Subject Access control rule
attributes
Denied, except for
D.DOC +PRT Delete U.NORMAL User ID
his/her own documents
Denied, except for
D.DOC +PRT Read U.NORMAL User ID
his/her own documents
Denied, except for
D.DOC +SCN Delete U.NORMAL User ID
his/her own documents
Denied, except for
Data D.DOC +SCN Read U.NORMAL User ID
his/her own documents
access
+FAXIN Denied, except for
control D.DOC Delete U.NORMAL User ID
+FAXOUT his/her own documents
SFP
+FAXIN Denied, except for
D.DOC Read U.NORMAL User ID
+FAXOUT his/her own documents
D.DOC +CPY Read No restriction on access
+PRT
Denied, except for
+SCN
D.FUNC Delete U.NORMAL User ID his/her own function
+FAXIN
data
+FAXOUT
Application Note: If fax documents are received, the fax job owner is regarded as the administrator.

Application Note: The operation “Read” is described as follows according to the attributes of objects.
Operation(s) Attributes Description
Read +PRT Forward the hardcopy target to the hardcopy output handler
+SCN User document data is delivered through the interface selected by the user.
+CPY Forward the hardcopy target to the hardcopy output handler
+FAXIN Uses the hardcopy output handler to deliver the hardcopy target in order to
+FAXOUT receive fax (+FAXIN), and uses the fax interface to send and receive user
document data (+FAXOUT or +FAXIN)

FDP_ACF.1(2) Security attribute based access control

Hierarchical to: No other components

Dependencies: FDP_ACC.1 Subset access control

FMT_MSA.3 Static attribute initialization

FDP_ACF.1.1 The TSF must enforce the [basic function access control SFP] based on [Table 21].

FDP_ACF.1.2 The TSF must enforce the following rules to determine if an operation among
controlled subjects and controlled objects is allowed: [Table 211]

FDP_ACF.1.3 The TSF must explicitly authorize access of subjects to objects based on the
following additional rules: [None]

FDP_ACF.1.4 The TSF must explicitly deny access of subjects to objects based on the following
additional rules: [None]

[Table 21] Basic function access control SFP

SFP name Object Attribute Operation(s) Subject Security Control policy

39
 attribute
Basic F.PRT Denied, except for the
function F.SCN U.NORMAL explicitly
User ID,
access Permission Execute U.NORMAL authorized by
F.CPY user role
control U.ADMINISTRATOR
SFP F.FAX to use a function

FDP_IFC.2 Complete information flow control

Hierarchical to: FDP_IFC.1 Subset information flow control

Dependencies: FDP_IFF.1 Simple security attributes

FDP_IFC.2.1 The TSF shall enforce the [network information flow control security policy] on
[subject (external IT entities), information (network packet)] and all operations
that cause that information to flow to and from subjects covered by the SFP.

FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TOE to
flow to and from any subject in the TOE are covered by an information flow
control SFP.

FDP_IFF.1 Simple security attributes

Hierarchical to: No other components

Dependencies: FDP_IFC.1 Subset information flow control

FMT_MSA.3 Static attribute initialization

FDP_IFF.1.1 The TSF shall enforce the [network information flow control security policy]
based on the following types of subject and information security attributes: [list of
subjects and information controlled by the following SFP, and the security
attributes of subjects and information.

Subject: External IT
Information: Network Packet
Attributes of Subject: IP
Attributes of Information: IP]
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and
controlled information via a controlled operation if the following rules hold: [If the
subject’s IP is the IP registered as Allowed in the IP filtering policy set up by
U.ADMINISTRATOR].

FDP_IFF.1.3 The TSF shall enforce the [None].

FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following
rules: [None].
40
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules:
[None].

FDP_RIP.1 Subset residual information protection

Hierarchical to: No other components

Dependencies: No dependencies

FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made
unavailable upon the recovering resources from the following objects: [SD card
and SSD].

Application Note: User data stored in the SD card and SSD is encrypted print data and fax data.

6.1.4 Identification and Authentication Class

FIA_AFL.1(1) Authentication failure handling

Hierarchical to: No other components

Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 The TSF shall detect when ranging between [3 and 10], which is configurable by
the administrator unsuccessful authentication attempts occur related to
[administrator authentication failures].

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met,
the TSF shall [delay authentication by 5~30 minutes].

Application Note: The default number of authentication failures is 5 times during initial installation.

41
FIA_AFL.1(2) Authentication failure handling

Hierarchical to: No other components

Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 The TSF shall detect when ranging between [3 and 10], which is configurable by
the administrator unsuccessful authentication attempts occur related to [general
user authentication failures].

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met,
the TSF shall [delay authentication of general users]

Application Note: The default number of authentication failures is 5 times during initial installation,
and authentication of general users must be prevented until the administrator
changes authentication of the users.

FIA_ATD.1 User attribute definition

Hierarchical to: No other components

Dependencies: No dependencies

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to
individual users: [User ID and users' job authority].

FIA_UAU.1 Timing of authentication

Hierarchical to: No other components

Dependencies: FIA_UID.1 Timing of identification

FIA_UAU.1.1 The TSF shall allow [receiving fax data and using menus unrelated to security
(product information, address book, job status, and product status information)] on
behalf of the user to be performed before the user is authenticated.

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing
any other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback

Hierarchical to: No other components

Dependencies: FIA_UAU.1 Timing of authentication

FIA_UAU.7.1 The TSF shall provide only [*] to user while authentication is in progress.

42
FIA_UID.1 Timing of identification

Hierarchical to: No other components

Dependencies: No dependencies

FIA_UID.1.1 The TSF shall allow [using menus unrelated to security (product information,
address book, job status and product status information)] on behalf of the user to
be performed before the user is identified.

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any
other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding

Hierarchical to: No other components

Dependencies: FIA_ATD.1 User attribute definition

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting
on behalf of that user: [User ID and user role]

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security
attributes with subjects acting on the behalf of users: [Allocating the security
attributes of U.USER to subjects acting on behalf of the user].

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security
attributes associated with subjects acting on the behalf of users: [The security
attributes of the connected session are not changed].

6.1.5 Security Management Class

FMT_MSA.1(1) Management of security attributes

Hierarchical to: No other components

Dependencies: [FDP_ACC.1 Subset access control or

FDP_IFC.1 Subset information flow control]

FMT_SMF.1 Specifications of management functions

FMT_SMR.1 Security roles

FMT_MSA.1.1 The TSF shall enforce the [data access control SFP] to restrict the ability to query,
modify, delete, [add] the [Table 20] to [U.ADMINISTRATOR].

FMT_MSA.1(2) Management of security attributes

43
 Hierarchical to: No other components

Dependencies: [FDP_ACC.1 Subset access control or

FDP_IFC.1 Subset information flow control]

FMT_SMF.1 Specifications of management functions

FMT_SMR.1 Security roles

FMT_MSA.1.1 The TSF shall enforce the [basic function access control SFP] to restrict the ability
to query, modify the security attributes on the [Table 20] to
[U.ADMINISTRATOR].

FMT_MSA.1(3) Management of security attributes

Hierarchical to: None

Dependencies: [FDP_ACC.1 Subset access control or

FDP_IFC.1 Subset information flow control]

FMT_SMF.1 Specifications of management functions

FMT_SMR.1 Security roles

FMT_MSA.1.1 The TSF shall enforce the [network information flow control security policy] to
restrict the ability to query, modify, delete, [add] the security attributes of the [IP
address] to [U.ADMINISTRATOR].

FMT_MSA.3(1) Static attribute initialization

Hierarchical to: No other components

Dependencies: FMT_MSA.1 Management of security attributes

FMT_SMR.1 Security roles

FMT_MSA.3.1 The TSF shall enforce the [data access control SFP] to provide restrictive default
values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow the [U.ADMINISTRATOR] to specify alternative initial
values to override the default values when an object or information is created.

FMT_MSA.3(2) Static attribute initialization

44
 Hierarchical to: No other components

Dependencies: FMT_MSA.1 Management of security attributes

FMT_SMR.1 Security roles

FMT_MSA.3.1 The TSF shall enforce the [basic function access control SFP] to provide
restrictive default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow the [U.ADMINISTRATOR] to specify alternative initial
values to override the default values when an object or information is created.

FMT_MSA.3(3) Static attribute initialization

Hierarchical to: No other components

Dependencies: FMT_MSA.1 Management of security attributes

FMT_SMR.1 Security roles

FMT_MSA.3.1 The TSF shall enforce the [network information flow control security policy] to
provide restrictive default values for security attributes that are used to enforce the
SFP.

FMT_MSA.3.2 The TSF shall allow the [U.ADMINISTRATOR] to specify alternative initial
values to override the default values when an object or information is created.

45
FMT_MTD.1 Management of TSF data

Hierarchical to: No other components

Dependencies: FMT_SMR.1 Security roles

FMT_SMF.1 Specification of Management Functions

FMT_MTD.1.1 The TSF shall restrict the ability to query, modify, delete, [add, backup/restore] the
[the following list: Table 22] to [U.ADMINISTRATOR].

[Table 22] Managing of TSF data

Backup/
TSF data list Query Modify Delete Add User roles
restore
Address book O O O O O U.USER
(* U.NORMAL can
modify, delete and register
his/her own address book.)
job log, fax log O - - - - U.USER
Audit log O - - - - U.ADMINISTRATOR
User ID O O - - -
User password - O - - -
User roles(basic function) O O - - -
Security fax setting O O - - -
network setting O O - - -
Security warning mail O O O O -
setting
Mail server setting O O O O -
SD Card setting(LUI) O O - - -
SSD setting(LUI) O O - - -
Service port O O - - -
IPSec setting O O O O -
SNMP setting O O - - -
Login limit time O O - - -
Login attempts O O - - -
IP filtering setting O O O O -
Administrator connection O O O O -
IP setting
Output authentication O O - - -
setting
Fax data control setting O O - - -
MFP time setting O O - - -

46
FMT_SMF.1 Specification of Management Functions

Hierarchical to: No other components

Dependencies: No dependencies

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [the
following list: Table 23].

[Table 23] Management functions

Management functions Related SFR

FAU_SAR.1
Viewing audit log FAU_SAR.2
FAU_SAR.3
FMT_MSA.1(1)
FMT_MSA.1(2)
FMT_MSA.1(3)
Management of security attributes
FMT_MSA.3(1)
FMT_MSA.3(2)
FMT_MSA.3(3)
Managing TSF data FMT_MTD.1

FMT_SMR.1 Security roles

Hierarchical to: No other components

Dependencies: FIA_UID.1 Timing of identification

FMT_SMR.1.1 The TSF shall maintain the roles [U.ADMINISTRATOR, U.NORMAL].

FMT_SMR.1.2 The TSF must be able to associate users with roles.

6.1.6 TSF Protection Class

FPT_FDI_EXP.1Restricted forwarding of data to external interfaces

Hierarchical to: No other components

Dependencies: FMT_SMF.1 Specification of Management Functions

FMT_SMR.1 Security roles

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [any external
interface] from being forwarded without further processing by the TSF to [any
Shared-medium interface].

47
FPT_STM.1 Reliable time stamps

Hierarchical to: No other components

Dependencies: No dependencies

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FPT_TST.1 TSF testing

Hierarchical to: No other components

Dependencies: No dependencies

FPT_TST.1.1 The TSF shall run a suite of self-tests during initial startup, periodically
during normal operations and at the request of authorized users to demonstrate
the correct operation of [MFP Controller Software].

FPT_TST.1.2 The TSF shall provide authorized users with the capability to verify the integrity
of [Encryption Key Data].

FPT_TST.1.3 The TSF shall provide authorized users with the capability to verify the integrity
of [Stored TSF executable code].

6.1.7 TOE Access Class

FTA_SSL.3 TSF-initiated termination

Hierarchical to: No other components

Dependencies: No dependencies

FTA_SSL.3.1 The TSF shall terminate an interactive session after [between 60 seconds,
specified by the administrator, and 600 seconds. The default value is 60 seconds].

48
6.1.8 Trusted Path/Channel Class

FTP_ITC.1 Inter-TSF trusted channel

Hierarchical to: No other components

Dependencies: No dependencies

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted
IT product that is logically distinct from other communication channels and
provides assured identification of its end points and protection of the channel data
from modification or disclosure.

FTP_ITC.1.2 The TSF shall permit the TSF and another trusted IT product to initiate
communication via the trusted channel.

FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for
[communication with trusted IT products].

49
6.2 Assurance Requirements
The assurance requirements of this security target consist of the assurance components of Common
Criteria Part 3 (CCMB-2012-09-003), and the evaluation assurance level is EAL2.

6.2.1 Security Target Class

ASE_INT.1 ST introduction

Dependencies: No dependencies

Developer action elements:

ASE_INT.1.1D The developer shall provide an ST introduction.

Content and presentation elements:

ASE_INT.1.1C The ST introduction shall contain an ST reference, a TOE reference, a TOE

overview, and a TOE description.

ASE_INT.1.2C The ST reference shall uniquely identify the ST.

ASE_INT.1.3C The TOE reference shall identify the TOE.

ASE_INT.1.4C The TOE overview shall summarize the usage and major security features of the
TOE.

ASE_INT.1.5C The TOE overview must identify the TOE type.

ASE_INT.1.6C The TOE overview shall identify any non-TOE hardware/software/firmware

required by the TOE.

ASE_INT.1.7C The TOE description shall describe the physical boundary of the TOE.

ASE_INT.1.8C The TOE description shall describe the logical scope of the TOE.

Evaluator action elements:

ASE_INT.1.1E The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.

ASE_INT.1.2E The evaluator shall confirm that the TOE reference, the TOE overview and the
TOE description are consistent with each other.

50
ASE_CCL.1 Conformance Claims

Dependencies: ASE_INT.1 Introduction

ASE_ECD.1 Extended components definition

ASE_REQ.1 Stated security requirements

Developer action elements:

ASE_CCL.1.1D The developer shall provide a conformance claim.

ASE_CCL.1.2D The developer shall provide a conformance claim rationale.

Content and presentation elements:

ASE_CCL.1.1C The Conformance Claim shall contain a CC conformance claim that identifies the
version of the CC to which the ST and the TOE claim conformance.

ASE_CCL.1.2C The CC conformance claim shall describe the conformance of the ST to CC

Part 2 as either CC Part 2 conformant or CC Part 2 extended..

ASE_CCL.1.3C The CC conformance claim shall describe the conformance of the ST to CC Part 3
as either CC Part 3 Conformant or CC Part 3 Extended.

ASE_CCL.1.4C The CC conformance claim shall be consistent with the extended components
definition.

ASE_CCL.1.5C The conformance claim shall identify all PPs and security requirement packages to
which the ST claims conformance.

ASE_CCL.1.6C The conformance claim shall describe any conformance of the ST to a

package as either package-conformant or package-augmented.

ASE_CCL.1.7C The conformance claim rationale shall demonstrate that the TOE type is
consistent with the TOE type in the PPs for which conformance is being
claimed.

ASE_CCL.1.8C The conformance claim rationale shall demonstrate that the statement of the
security problem definition is consistent with the statement of the security
problem definition in the PPs for which conformance is being claimed.

ASE_CCL.1.9C The conformance claim rationale shall demonstrate that the statement of
security objectives is consistent with the statement of security objectives in
the PPs for which conformance is being claimed.

ASE_CCL.1.10C The conformance claim rationale shall demonstrate that the statement of
security requirements is consistent with the statement of security
requirements in the PPs for which conformance is being claimed.

51
 Evaluator action elements:

ASE_CCL.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_SPD.1 Security problem definition

Dependencies: No dependencies

Developer action elements:

ASE_SPD.1.1D The developer shall provide a security problem definition.

Content and presentation elements:

ASE_SPD.1.1C The security problem definition shall describe the threats.

ASE_SPD.1.2C All threats shall be described in terms of a threat agent, an asset, and an
adverse action.

ASE_SPD.1.3C The security problem definition shall describe the OSPs.

ASE_SPD.1.4C The security problem definition shall describe the assumptions about the
operational environment of the TOE.

Evaluator action elements:

ASE_SPD.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_OBJ.2 Security Objectives

Dependencies: ASE_SPD.1 Security problem definition

Developer action elements:

ASE_OBJ.2.1D The developer shall provide a statement of security objectives.

ASE_OBJ.2.2D The developer shall provide a security objectives rationale.

Content and presentation elements:

ASE_OBJ.2.1C The statement of security objectives shall describe the security objectives for the
TOE and the security objectives for the operational environment.

ASE_OBJ.2.2C The security objectives rationale shall trace each security objective for
the TOE back to threats countered by that security objective and OSPs

52
 enforced by that security objective.

ASE_OBJ.2.3C The security objectives rationale shall trace each security objective for
the operational environment back to threats countered by that security
objective, OSPs enforced by that security objective, and assumptions
upheld by that security objective.

ASE_OBJ.2.4C The security objectives rationale shall demonstrate that the security
objectives counter all threats.

ASE_OBJ.2.5C The security objectives rationale shall demonstrate that the security
objectives enforce all OSPs.

ASE_OBJ.2.6C The security objectives rationale shall demonstrate that the security
objectives for the operational environment uphold all assumptions.

Evaluator action elements:

ASE_OBJ.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_ECD.1 Extended components definition

Dependencies: No dependencies.

Developer action elements:

ASE_ECD.1.1D The developer shall provide a statement of security requirements.

ASE_ECD.1.2D The developer shall provide an extended components definition.

Content and presentation elements:

ASE_ECD.1.1C The statement of security requirements shall identify all extended security
requirements.

ASE_ECD.1.2C The extended components definition shall define an extended component

for each extended security requirement.

ASE_ECD.1.3C The extended components definition shall describe how each extended
component is related to the existing CC components, families, and classes.

ASE_ECD.1.4C The extended components definition shall use the existing CC components,
families, classes, and methodology as a model for presentation.

ASE_ECD.1.5C The extended components shall consist of measurable and objective

elements such that conformance or nonconformance to these elements can

53
 be demonstrated.

Evaluator action elements:

ASE_ECD.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_ECD.1.2E The evaluator shall confirm that no extended component can be clearly
expressed using existing components.

ASE_REQ.2 Derived security requirements

Dependencies: ASE_OBJ.2 Security objectives

ASE_ECD.1 Extended components definition

Developer action elements:

ASE_REQ.2.1D The developer shall provide a statement of security requirements.

ASE_REQ.2.2D The developer shall provide a security requirements rationale.

Content and presentation elements:

ASE_REQ.2.1C The statement of security requirements shall describe the SFR and the SAR.

ASE_REQ.2.2C All subjects, objects, operations, security attributes, external entities and
other terms that are used in the SFRs and the SARs shall be defined.

ASE_REQ.2.3C The statement of security requirements shall identify all operations on the
security requirements.

ASE_REQ.2.4C All operations shall be performed correctly.

ASE_REQ.2.5C Each dependency of the security requirements shall either be satisfied, or

the security requirements rationale shall justify the dependency not being
satisfied.

ASE_REQ.2.6C The security requirements rationale shall trace each SFR back to the
security objectives for the TOE.

ASE_REQ.2.7C The security requirements rationale shall demonstrate that the SFRs
meet all security objectives for the TOE.

ASE_REQ.2.8C The security requirements rationale shall explain why the SARs were
chosen.

ASE_REQ.2.9C The statement of security requirements shall be internally consistent.

54
 Evaluator action elements:

ASE_REQ.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_TSS.1 TOE Summary Specifications

Dependencies: ASE_INT.1 introduction

ASE_REQ.1 Stated security requirements

ADV_FSP.1 Basic functional specifications

Developer action elements:

ASE_TSS.1.1D The developer shall provide TOE Summary Specifications.

Content and presentation elements:

ASE_TSS.1.1C The TOE Summary Specifications shall describe how the TOE meets each SFR.

Evaluator action elements:

ASE_TSS.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ASE_TSS.1.2E The evaluator shall confirm that the TOE summary specification is
consistent with the TOE overview and the TOE description.

6.2.2 Development Class

ADV_ARC.1 Security Architecture Description

Dependencies: ADV_FSP.1 Basic functional specifications

ADV_TDS.1 Basic design

Developer action elements:

ADV_ARC.1.1D The developer shall design and implement the TOE so that the security
features of the TSF cannot be bypassed.

ADV_ARC.1.2D The developer shall design and implement the TSF so that it is able to
protect itself from tampering by untrusted active entities.

ADV_ARC.1.3D The developer shall provide a security architecture description of the

TSF.

55
 Content and presentation elements:

ADV_ARC.1.1C The security architecture description shall be at a level of detail

commensurate with the description of the SFR-enforcing abstractions
described in the TOE design document.

ADV_ARC.1.2C The security architecture description shall describe the security domains
maintained by the TSF consistently with the SFRs.

ADV_ARC.1.3C The security architecture description shall describe how the TSF
initialisation process is secure.

ADV_ARC.1.4C The security architecture description shall demonstrate that the TSF
protects itself from tampering.

ADV_ARC.1.5C The security architecture description shall demonstrate that the TSF
prevents bypass of the SFR-enforcing functionality.

Evaluator action elements:

ADV_ARC.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ADV_FSP.2 Security-enforcing functional specifications

Dependencies: ADV_TDS.1 Basic design

Developer action elements:

ADV_FSP.2.1D The developer shall provide a functional specification.

ADV_FSP.2.2D The developer shall provide a tracing from the functional specification to the SFRs.

Content and presentation elements:

ADV_FSP.2.1C The functional specification shall completely represent the TSF.

ADV_FSP.2.2C The functional specification shall describe the purpose and method of use
for all TSFI.

ADV_FSP.2.3C The functional specification shall identify and describe all parameters
associated with each TSFI.

ADV_FSP.2.4C For each SFR-enforcing TSFI, the functional specification shall describe
the SFR-enforcing actions associated with the TSFI.

ADV_FSP.2.5C For each SFR-enforcing TSFI, the functional specification shall describe
direct error messages resulting from processing associated with the SFR-
56
 enforcing actions.

ADV_FSP.2.6C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional
specification.

Evaluator action elements:

ADV_FSP.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ADV_FSP.2.2E The evaluator shall determine that the functional specification is an

accurate and complete instantiation of the SFRs.

ADV_TDS.1 Basic design

Dependencies: ADV_FSP.2 Security-enforcing functional specification

Developer action elements:

ADV_TDS.1.1D The developer shall provide the design of the TOE.

ADV_TDS.1.2D The developer shall provide a mapping from the TSFI of the functional
specification to the lowest level of decomposition available in the TOE design.

Content and presentation elements:

ADV_TDS.1.1C The design shall describe the structure of the TOE in terms of subsystems.

ADV_TDS.1.2C The design shall identify all subsystems of the TSF.

ADV_TDS.1.3C The design shall describe the behavior of each SFR-supporting or SFR non-
interfering TSF subsystem in sufficient detail to determine that it is not SFR-
enforcing.

ADV_TDS.1.4C The design shall summarize the SFR-enforcing behavior of the SFR enforcing
subsystems.

ADV_TDS.1.5C The design shall provide a description of the interactions among SFR enforcing
subsystems of the TSF, and between the SFR-enforcing subsystems of the TSF and
other subsystems of the TSF.

ADV_TDS.1.6C The mapping shall demonstrate that all TSFIs trace to the behavior described in
the TOE design that they invoke.

Evaluator action elements:

ADV_TDS.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

57
ADV_TDS.1.2E The evaluator must determine that the design is an accurate and complete
instantiation of all security functional requirements.

6.2.3 Guidance Document Class

AGD_OPE.1 Operational user guidance

Dependencies: ADV_FSP.1 Basic functional specifications

Developer action elements:

AGD_OPE.1.1D The developer shall provide operational user guidance.

Content and presentation elements:

AGD_OPE.1.1C The operational user guidance shall describe, for each user role, the
user-accessible functions and privileges that should be controlled in a
secure processing environment, including appropriate warnings.

AGD_OPE.1.2C The operational user guidance shall describe, for each user role, how to
use the available interfaces provided by the TOE in a secure manner.

AGD_OPE.1.3C The operational user guidance shall describe, for each user role, the
available functions and interfaces, in particular all security parameters
under the control of the user, indicating secure values as appropriate.

AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly present
each type of security-relevant event relative to the user-accessible functions
that need to be performed, including changing the security characteristics of
entities under the control of the TSF.

AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation
of the TOE (including operation following failure or operational error),
their consequences and implications for maintaining secure operation.

AGD_OPE.1.6C The operational user guidance shall, for each user role, describe the
security measures to be followed in order to fulfill the security objectives
for the operational environment as described in the ST.

AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.

Evaluator action elements:

AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

58
AGD_PRE.1 Preparation procedures

Dependencies: No dependencies

Developer action elements:

AGD_PRE.1.1D The developer shall provide the TOE including its preparative procedures.

Content and presentation elements:

AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure
acceptance of the delivered TOE in accordance with the developer's delivery
procedures.

AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure
installation of the TOE and for the secure preparation of the operational
environment in accordance with the security objectives for the operational
environment as described in the ST.

Evaluator action elements:

AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.

AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can
be prepared securely for operations.

6.2.4 Lifecycle Support Class

ALC_CMC.2 Use of the configuration management system

Dependencies: ALC_CMS.1 TOE CM coverage

Developer action elements:

ALC_CMC.2.1D The developer shall provide the TOE and a reference for the TOE.

ALC_CMC.2.2D The developer shall provide the CM documentation.

ALC_CMC.2.3D The developer shall use a CM system.

Content and presentation elements:

ALC_CMC.2.1C The TOE shall be labeled with its unique reference.

ALC_CMC.2.2C The CM documentation shall describe the method used to uniquely identify
the configuration items.

ALC_CMC.2.3C The CM system shall uniquely identify all configuration items.

59
 Evaluator action elements:

ALC_CMC.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ALC_CMS.2 Parts of the TOE CM coverage

Dependencies: No dependencies

Developer action elements:

ALC_CMS.2.1D The developer shall provide a configuration list for the TOE.

Content and presentation elements:

ALC_CMS.2.1C The configuration list shall include the following: the TOE itself; the
evaluation evidence required by the SARs; and the parts that comprise the
TOE.

ALC_CMS.2.2C The configuration list shall uniquely identify the configuration items.

ALC_CMS.2.3C For each TSF relevant configuration item, the configuration list shall
indicate the developer of the item.

Evaluator action elements:

ALC_CMS.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ALC_DEL.1 Distribution procedure

Dependencies: No dependencies

Developer action elements:

ALC_DEL.1.1D The developer shall document and provide procedures for delivery of
the TOE or parts of it to the consumer.

ALC_DEL.1.2D The developer shall use the delivery procedures.

Content and presentation elements:

ALC_DEL.1.1C The delivery documentation shall describe all procedures that are necessary to
maintain security when distributing versions of the TOE to the consumer.

Evaluator action elements:

60
ALC_DEL.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

6.2.5 Test Class

ATE_COV.1 Evidence of test coverage

Dependencies: ADV_FSP.2 Security-enforcing functional specifications

ATE_FUN.1 Functional testing

ATE_COV.1.1D The developer shall provide evidence of the test coverage.

Content and presentation elements:

ATE_COV.1.1C The evidence of the test coverage shall show the correspondence between
the tests in the test documentation and the TSFIs in the functional
specification.

Evaluator action elements:

ATE_COV.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ATE_FUN.1 Functional testing

Dependencies: ATE_COV.1 Evidence of coverage

Developer action elements:

ATE_FUN.1.1D The developer shall test the TSF and document the results.

ATE_FUN.1.2D The developer shall provide test documentation.

Content and presentation elements:

ATE_FUN.1.1C The test documentation shall consist of test plans, expected test results and actual
test results.

ATE_FUN.1.2C The test plans shall identify the tests to be performed and describe the scenarios
for performing each test. These scenarios must include any ordering dependencies
on the results of other tests.

ATE_FUN.1.3C The expected test results shall show the anticipated outputs of a successful
execution of the tests.

ATE_FUN.1.4C The actual test results shall be consistent with the expected test results.

61
 Evaluator action elements:

ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

ATE_IND.2 Independent testing - sample

Dependencies: ADV_FSP.2 Security-enforcing functional specifications

AGD_OPE.1 Operational user guidance

AGD_PRE.1 Preparative procedures

ATE_COV.1 Evidence of test coverage

ATE_FUN.1 Functional testing

Developer action elements:

ATE_IND.2.1D The developer shall provide the TOE for testing.

Content and presentation elements:

ATE_IND.2.1C The TOE shall be suitable for testing.

ATE_IND.2.2C The developer must provide an equivalent set of resources to those that were used
in the developer's functional testing of the TSF.

Evaluator action elements:

ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.

ATE_IND.2.2E The evaluator shall execute a sample test for the test items in the test
documentation to verify the developer test results.

ATE_IND.2.3E The evaluator shall test a subset of the TSF to confirm that the TSF operates as
specified.

62
6.2.6 Vulnerability Assessment Class

AVA_VAN.2 Vulnerability analysis

Dependencies: ADV_ARC.1 Security architecture description

ADV_FSP.2 Security-enforcing functional specifications

ADV_TDS.1 Basic design

AGD_OPE.1 Operational user guidance

AGD_PRE.1 Preparative procedures

Developer action elements:

AVA_VAN.2.1D The developer shall provide the TOE for testing.

Content and presentation elements:

AVA_VAN.2.1C The TOE shall be suitable for testing.

Evaluator action elements:

AVA_VAN.2.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.

AVA_VAN.2.2E The evaluator shall perform a search of public domain sources to

identify potential vulnerabilities in the TOE.

AVA_VAN.2.3E The evaluator shall perform an independent vulnerability analysis of the

TOE using the guidance documentation, functional specification, TOE
design and security architecture description to identify potential
vulnerabilities in the TOE.

AVA_VAN.2.4E The evaluator shall conduct penetration testing, based on the identified
potential vulnerabilities, to determine that the TOE is resistant to attacks
performed by an attacker possessing Basic attack potential.

63
6.3 Security Requirements Rationale
6.3.1 Security Functional Requirements Rationale

[Table 24] Completeness of security requirements

Security objective

O.INTERFACE.MANAGED

O.SOFTWARE.VERIFIED
O.USER.AUTHORIZED

O.AUDIT.LOGGED
O.FUNC.NO_ALT

O.CONF.NO_ALT
O.PROT.NO_ALT

O.CONF.NO_DIS
O.DOC.NO_ALT
O.DOC.NO_DIS

Security functional
requirements
FAU_ARP.1 O
FAU_GEN.1 O
FAU_GEN.2 O
FAU_SAA.1 O
FAU_SAR.1 O
FAU_SAR.2 O
FAU_SAR.3 O
FAU_STG.1 O
FAU_STG.4 O
FCS_CKM.1(1) O O O
FCS_CKM.1(2) O O O
FCS_CKM.4 O O O
FCS_COP.1 O O O
FDP_ACC.1(1) O O O
FDP_ACC.1(2) O
FDP_ACF.1(1) O O O
FDP_ACF.1(2) O
FDP_IFC.2 O
FDP_IFF.1 O
FDP_RIP.1 O
FIA_AFL.1(1) O
FIA_AFL.1(2) O
FIA_ATD.1 O
FIA_UAU.1 O O
FIA_UAU.7 O
FIA_UID.1 O O O O O O O O O
FIA_USB.1 O
FMT_MSA.1(1) O O O
FMT_MSA.1(2) O
FMT_MSA.1(3) O
FMT_MSA.3(1) O O O
FMT_MSA.3(2) O
FMT_MSA.3(3) O
FMT_MTD.1 O O O
FMT_SMF.1 O O O O O O
FMT_SMR.1 O O O O O O O
FPT_FDI_EXP.1 O
FPT_STM.1 O
FPT_TST.1 O
FTA_SSL.3 O
FTP_ITC.1 O O O O O O

64
 [Table 25] Security Functional Requirements Rationale

Security Objectives SFR Rationale

Supports cryptographic operations when it is
FCS_CKM.1(1) requested that the key for encrypting the user data
repository should be generated
Supports cryptographic operations when it is required
FCS_CKM.4 that the key for the user data repository encryption
should be destroyed
Enforces protection when cryptographic operations
FCS_COP.1
for the user data repository encryption is required
Enforces protection for establishing the access
FDP_ACC.1(1)
control policy
Supports the access control policy by providing the
FDP_ACF.1(1)
access control function
Enforces protection by making residual data
O.DOC.NO_DIS FDP_RIP.1
unavailable
Supports the access control and security role when
FIA_UID.1
user identification is required
Supports the access control function by controlling
FMT_MSA.1(1)
security attributes
Supports the access control function by controlling
FMT_MSA.3(1)
the default values of security attributes
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting the use of trusted
FTP_ITC.1
channels for data communication through the SMI
Supports cryptographic operations when it is required
FCS_CKM.1(1) that the key for the user data repository encryption
should be generated
Supports cryptographic operations when it is required
FCS_CKM.4 that the key for the user data repository encryption
should be destroyed
Enforces protection when cryptographic operations
FCS_COP.1
are required for the user data repository encryption
Enforces protection by establishing the access control
FDP_ACC.1(1)
policy
Supports the access control policy by providing the
FDP_ACF.1(1)
access control function
O.DOC.NO_ALT
Supports the access control and security roles when
FIA_UID.1
user identification is required
Supports the access control function by controlling
FMT_MSA.1(1)
security attributes
Supports the access control function by controlling
FMT_MSA.3(1)
the default values of security attributes
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting the use of trusted
FTP_ITC.1
channels for data communication through SMI
Supports cryptographic operations when it is required
that the key for encryption of the user data repository
O.FUNC.NO_ALT FCS_CKM.1(1)
should be generated

65
 Supports cryptographic operations when it is required
FCS_CKM.4 that the key for encrypting the user data repository
should be destroyed
Enforces protection when cryptographic operations
FCS_COP.1
for encrypting the user data repository is required
Enforces protection by establishing the access control
FDP_ACC.1(1)
policy
Supports the access control policy by providing the
FDP_ACF.1(1)
access control function
Supports the access control and security roles when
FIA_UID.1
user identification is required
Supports the access control function by controlling
FMT_MSA.1(1)
security attributes
Supports the access control function by controlling
FMT_MSA.3(1)
the default values of security attributes
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting the use of trusted
FTP_ITC.1
channels for data communication through SMI
Supports cryptographic operations when it is required
FCS_CKM.1(2) that the key for encrypting the address book
backup/restore function should be generated
Supports the access control and security roles when
FIA_UID.1
user identification is required
FMT_MTD.1 Enforces the protection function by restricting access
O.PROT.NO_ALT
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting the use of trusted
FTP_ITC.1
channels for data communication through SMI
Supports cryptographic operations when it is required
FCS_CKM.1(2) that the key for encrypting the address book
backup/restore function should be generated
Supports the access control and security roles when
FIA_UID.1
user identification is required
FMT_MTD.1 Enforces the protection function by restricting access
O.CONF.NO_DIS
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting the use of trusted
FTP_ITC.1
channels for data communication through SMI
Supports cryptographic operations when it is required
FCS_CKM.1(2) that the key for encrypting the address book
backup/restore function should be generated
Supports the access control and security roles when
FIA_UID.1
user identification is required
FMT_MTD.1 Enforces the protection function by restricting access
O.CONF.NO_ALT
Supports control of security attributes when the
FMT_SMF.1
attribute control function is required
Supports control of security attributes when security
FMT_SMR.1
roles are required
Enforces protection by requesting that the use of trusted
FTP_ITC.1
channels for data communication through the SMI

66
 Enforces authentication by establishing the access
FDP_ACC.1(2)
control policy
Supports the access control policy by providing the
FDP_ACF.1(2)
access control function
Delays authentication when authentication fails
FIA_AFL.1(1)
(U.ADMINISTRATOR)
Prevents authentication when authentication fails
FIA_AFL.1(2)
(U.NORMALAD)
Supports authentication in connection with user
FIA_ATD.1
security attributes
FIA_UAU.1 Enforces authentication with user authentication
O.USER.AUTHORIZED Supports authentication by protecting authentication
FIA_UAU.7
information feedback
Enforces authentication when user identification is
FIA_UID.1
required
Enforces authentication by classifying subject
FIA_USB.1
security attributes linked to user roles
Supports the access control function by controlling
FMT_MSA.1(2)
security attributes
Supports the access control function by controlling
FMT_MSA.3(2)
the default values of security attributes
Supports control of security attributes when security
FMT_SMR.1
roles are required
Manages by establishing the network information
FDP_IFC.2
flow control policy
Supports the network information flow control policy
FDP_IFF.1
by providing the information flow control function
FIA_UAU.1 Enforces authentication with user authentication
Enforces authentication when user identification is
FIA_UID.1
required
O.INTERFACE.MANAGED Supports the information flow control function by
FMT_MSA.1(3)
controlling security attributes
Supports the information flow control function by
FMT_MSA.3(3)
controlling the default values of security attributes
Enforces the function to restrict the direct forwarding
FPT_FDI_EXP.1
of data from one external interface to another
Enforces authentication when the termination of an
FTA_SSL.3
inactive session is required
Enforces software verification when self-test is
O.SOFTWARE.VERIFIED FPT_TST.1
required
Enforces a security warning in case of security
FAU_ARP.1
breaches
Enforces the audit record policy when audit logs are
FAU_GEN.1
required in relation to MFP functions
Supports the security audit policy when the audit logs
FAU_GEN.2
of information linked to logged events are generated
Provides support when analysis of logged security
FAU_SAA.1
audits is required
O.AUDIT.LOGGED Enforces restriction of the viewing of stored audit
FAU_SAR.1
records to U.ADMINISTRATOR
Prohibits all users from reading audit records except
FAU_SAR.2
for those users who are clearly allowed to read
Enforces application when the viewing of stored
FAU_SAR.3 audit records according to the standard of logical
relationship is required
Enforces protection of the audit records repository by
FAU_STG.1
preventing unauthorized alteration of stored audit records

67
 Enforces protection of audit data from loss by
FAU_STG.4
overwriting oldest audit records
Enforces authentication when user identification is
FIA_UID.1
required
Supports the security audit policy by providing a
FPT_STM.1
correct time stamp when audit records are created

6.3.2 Security Assurance Requirements Rationale

This security target was developed in consideration of the assumption that it is operated in a limited
environment where the level of document security and operational responsibilities require a relatively high level
of assurance. The TOE was developed in consideration of the fact that it is operated in a physically secure
environment and unauthorized access over the network is limited. User data is encrypted and stored in the SD
card or SSD inside the MFP. The SD and SSD are inaccessible unless they are physically separated from the
MFP. So user data is safe from the physical disclosure. Also, the self-verification function for executable codes
is provided so that the malfunctions of the MFP can be detected. Accordingly, the Evaluation Assurance Level 2
is appropriate.

6.3.3 Dependency Rationale

[Table 26] Dependencies on the TOE Security Functional Components

Security Functional Claimed Dependencies

No.
Requirements Dependencies Satisfaction in ST (No.)
1 FAU_ARP.1 FAU_SAA.1 4
2 FAU_GEN.1 FPT_STM.1 35
FAU_GEN.1 1
3 FAU_GEN.2
FIA_UID.1 24
4 FAU_SAA.1 FAU_GEN.1 2
5 FAU_SAR.1 FAU_GEN.1 2
6 FAU_SAR.2 FAU_SAR.1 5
7 FAU_SAR.3 FAU_SAR.1 5
8 FAU_STG.1 FAU_GEN.1 2
9 FAU_STG.4 FAU_STG.1 8
FCS_CKM.2 or FCS_COP.1 12
10 FCS_CKM.1(1)
FCS_CKM.4 11
FCS_CKM.2 or FCS_COP.1 Not satisfied
FCS_CKM.4 (As the cryptographic key
for the address book
backup/restore function is
11 FCS_CKM.1(2) generated by user input
during every backup or
restore, but is not stored in
the system, key destruction
is not necessary.)
12 FCS_CKM.4 FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 10
FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 10
13 FCS_COP.1
FCS_CKM.4 12
14 FDP_ACC.1(1) FDP_ACF.1(1) 14
15 FDP_ACC.1(2) FDP_ACF.1(2) 15
FDP_ACC.1(1) 14
16 FDP_ACF.1(1)
FMT_MSA.3(1) 31
FDP_ACC.1(2) 15
17 FDP_ACF.1(2)
FMT_MSA.3(2) 32

68
 18 FDP_IFC.2 FDP_IFF.1 19
FDP_IFC.1 18
19 FDP_IFF.1
FMT_MSA.3(3) 33
20 FDP_RIP.1 - -
21 FIA_AFL.1(1) FIA_UAU.1 24
22 FIA_AFL.1(2) FIA_UAU.1 24
23 FIA_ATD.1 - -
24 FIA_UAU.1 FIA_UID.1 26
25 FIA_UAU.7 FIA_UAU.1 24
26 FIA_UID.1 - -
27 FIA_USB.1 FIA_ATD.1 23
FDP_ACC.1 or FDP_IFC.1 14
28 FMT_MSA.1(1) FMT_SMF.1 35
FMT_SMR.1 36
FDP_ACC.1 or FDP_IFC.1 15
29 FMT_MSA.1(2) FMT_SMF.1 35
FMT_SMR.1 36
FDP_ACC.1 or FDP_IFC.1 18
30 FMT_MSA.1(3) FMT_SMF.1 35
FMT_SMR.1 36
FMT_MSA.1(1) 28
31 FMT_MSA.3(1)
FMT_SMR.1 36
FMT_MSA.1(2) 29
32 FMT_MSA.3(2)
FMT_SMR.1 36
FMT_MSA.1(3) 39
33 FMT_MSA.3(3)
FMT_SMR.1 36
FMT_SMF.1 35
34 FMT_MTD.1
FMT_SMR.1 36
35 FMT_SMF.1 - -
36 FMT_SMR.1 FIA_UID.1 26
37 FPT_STM.1 - -
38 FPT_TST.1 - -
39 FTA_SSL.3 - -
40 FTP_ITC.1 - -
FMT_SMF.1 35
41 FPT_FDI_EXP.1
FMT_SMR.1 36

[Table 27] Dependencies on the Assurance Requirements

Security Assurance Claimed Dependencies

No.
Requirements Dependencies Satisfaction in ST (No.)
ADV_FSP.1 2
1 ADV_ARC.1
ADV_TDS.1 3
2 ADV_FSP.2 ADV_TDS.1 3
3 ADV_TDS.1 ADV_FSP.2 2
4 AGD_OPE.1 ADV_FSP.1 2
5 AGD_PRE.1 -
6 ALC_CMC.2 ALC_CMS.1 7
7 ALC_CMS.2 -
8 ALC_DEL.1 -
9 ASE_INT.1 -
ASE_INT.1 9
10 ASE_CCL.1 ASE_ECD.1 11
ASE_REQ.1 13
11 ASE_ECD.1
12 ASE_OBJ.2 ASE_SPD.1 14
ASE_OBJ.2 12
13 ASE_REQ.2
ASE_ECD.1 11
14 ASE_SPD.1 -
ASE_INT.1 9
15 ASE_TSS.1
ASE_REQ.1 13

69
 ADV_FSP.1 2
ADV_FSP.2 2
16 ATE_COV.1
ATE_FUN.1 17
17 ATE_FUN.1 ATE_COV.1 16
ADV_FSP.2 2
AGD_OPE.1 4
18 ATE_IND.2 AGD_PRE.1 5
ATE_COV.1 16
ATE_FUN.1 17
ADV_ARC.1 1
ADV_FSP.2 2
19 AVA_VAN.2 ADV_TDS.1 3
AGD_OPE.1 4
AGD_PRE.1 5

70
7. TOE Summary Specification

7.1 TOE Security Functions

This section describes the security functions performed by the TOE to meet the security function
requirements described in Section 6.1.

7.1.1 Identification and Authentication

The TSF provides the function for identifying and authenticating users (U.USER). The administrator
(U.ADMISTRATOR) uses the browser installed on the client computer through network connection
to perform TOE security management, or uses the operation panel of the TOE to perform security
management. General users (U.NORMAL) can use the operation panel of the TOE to use the
functions provided by the TOE. If the administrator accesses the TOE for security management, the
TOE identifies and authenticates the administrator so that the authorized administrator can perform
security management. If the user accesses the TOE, the TOE identifies and authenticates the user so
that the functions of the TOE are provided to the authorized user. The user identification and
authentication mechanism is provided using the general ID/password method. If a user fails to be
authenticated as often as the number of times specified by the administrator, authentication will be
restricted according to the following authentication failure policies.

Administrator: Authentication is delayed for a certain amount of time specified by

administrator.
Normal user: Authentication is prevented until the administrator allows it.

By default, up to five user failures are allowed, and the administrator may define the number of
failures with an integer between 3 and 10.

When accessing the TOE through the RUI, users may use such functions as using menus unrelated to
security (viewing product information, address book, job status, and product status information)
before identification and authentication.

While users are entering identification and authentication information, authentication information will
be masked with * so that authentication feedback information can be protected.

7.1.2 Access Control

The TSF protects user data by controlling access to user data while users are using the MFP. For the
user data created by print, scan, and fax functions, the TOE denies accesses of all users excluding the document
owner based on the user ID. When logged in to the TOE through LUI, normal users can view or print the list of
the print data they own and they also can forward scan data of their choice to external entities (USB, email
address, CIFS, WebDAV, FTP). When logged in to the TOE through LUI, administrators can view or print the
list of fax data. The deletion of user data or jobs are only allowed to the owner of print, scan, fax functions.
There is no access restriction on copy function.

71
The TSF controls access based on user ID and user's role with regard to using the basic functions of
the MFP. When logged in to the TOE through LUI, normal users can only execute the functions that are
allowed by the administrator (print, scan, copy, and fax).

The TSF provides the information flow control function based on the IP of the external IT entity. For
external IT entities accessing the TOE over the network, the administrator can control them based on
information flow control security policy setting.

7.1.3 Audit

The TSF generates audit logs for all jobs performed by the TSF and all actions performed by users.
Audit logs are generated and stored when the MFP boots up and shuts down, and when related events
listed in [Table 28] below occur.

[Table 28] Audit events

SFR-related Auditable events History of auditable events Related SFR

Audit log repository fill-up Details of audit log repository fill-up FAU_STG.4

Administrator/user authentication History of responses to authentication FIA_AFL.1

failure failures
Administrator/user authentication Authentication success/failure history FIA_UAU.1

Data access control setting change History of data access control setting FMT_MSA.1(1)
change
Basic function access control setting History of basic function access control FMT_MSA.1(2)
change setting change
Network information flow control History of network information flow FMT_MSA.1(3)
setting change control setting change
Data access control setting change History of data access control setting FMT_MSA.3(1)
change
Basic function access control setting History of basic function access control FMT_MSA.3(2)
change setting change
Network information flow control History of network information flow FMT_MSA.3(3)
setting change control setting change
Security Management result History of administrator’s security FMT_MTD.1
management
Self-test result Self-test result (success/failure) FPT_TST.1
Session end result Session termination result FTA_SSL.3
Default function related auditable History of auditable events Remark
events
Copy Copy record Auditable events of
Scan Scan record default functions that
Fax Fax send/receive record are not related to SFR
Print Print record

The TSF records event dates using the time stamp provided by the MFP when generating audit logs,
and records information on event type, subject’s identity and event result (success or failure).

72
The TSF provides the capability to detect potential violations, such as the administrator’s consecutive
authentication failures, audit log repository fill-up, and errors during self-tests based on the stored
audit data. If there are potential errors, the TSF uses e-mail to send a warning to help the administrator
operate TSF stably.

The audit log created by TSF can be viewed and managed only by the administrator through the
operation panel. The job log (Print, Scan and Copy) and fax log can be viewed by the administrator
and the user through the operation panel. When looking up the created audit data, the TSF can look up
the auditable events by user ID.

If the audit data repository is full, the TSF continuously stores the latest audit history by overwriting
oldest audit data first.

7.1.4 Security Management

The TSF provides management functions for TSF data defined in the [Table 30]. These functions are
used in access control policy for the administrator whose identification and authentication have been
completed.

[Table 29] Managing of TSF Data

Backup
TSF data list Query Modify Delete Add User roles
/restore
Address book O O O O O U.USER
(* U.NORMAL can modify,
delete and register his/her
own address book.)
job log, fax log O - - - - U.USER
Audit log O - - - - U.ADMINISTRATOR
User ID O O - - -
User password - O - - -
User roles(basic O O - - -
function)
Security fax setting O O - - -
network setting O O - - -
Security warning mail O O O O -
setting
Mail server setting O O O O -
SD Card setting(LUI) O O - - -
SSD setting(LUI) O O - - -
Service port O O - - -
IPSec setting O O O O -
SNMP setting O O - - -
Login limit time O O - - -
Login attempts O O - - -
IP filtering setting O O O O -
Administrator O O O O -
connection IP setting
Output authentication O O - - -
setting
Fax data control setting O O - - -
MFP time setting O O - - -

73
The administrator can perform security management on the web through the operation panel of the
MFP. The administrator must check the details of the security warning sent by the TSF via e-mail, and
perform security management so that the TSF is always secure. To protect the address book data when
performing the address book backup/restore functions, the TSF provides the function to encrypt the
address book. The cryptographic algorithm used for encryption is the AES block cryptographic
algorithm, and 256-bit cryptographic keys are used. The TSF uses the Password Based Key
Derivation Function (PBKDF1) to generate the cryptographic key when generating the cryptographic
keys used for encrypting the address book. The cryptographic key for the address book backup/restore
functions is generated by user input at every backup or restore, and it is not stored in the system.

If the administrator manages the TOE via web (RUI) or operation panel (LUI), the TSF controls the
session. If the administrator does not do anything after login, the TSF provides the capability to
terminate the session. By default, the session is terminated after 60 seconds, and the value can be any
number between 60 seconds and 600 seconds depending on the setting made by the administrator.

7.1.5 Stored data protection

The TSF provides the capability to protect user data stored in the TOE. The image data generated by
the fax / scan jobs and the documents in the form of electronic files stored by the normal user for
printing will be stored in the user data repository installed in the TOE (SD Card or SSD).

The TSF provides the capability to encrypt the data repository to protect stored user data. The
cryptographic algorithm used for encryption is the AES block cryptographic algorithm. The AES
cryptographic algorithm uses 256-bit cryptographic keys.

The TSF uses the Shindoh data repository cryptographic key generation algorithm to generate
cryptographic keys when generating the cryptographic keys used for encryption. The generated
cryptographic keys will be stored in the secure repository of the device. When destroying
cryptographic key, it is overwritten with ‘0’.

The TSF provides the function to delete the data stored in the user data repository. As the user data
repository is installed physically inside the TOE, it is impossible to take the data repository out
without permission. If the product is replaced or put into disuse, however, the data in the data
repository must be deleted. At this time, the TSF deletes all domains of the data repository
(overwriting them with ‘0’). Also, the TSF destroys the cryptographic keys used for encryption by
overwriting them with ‘0’ when deleting all domains of the user data repository.

74
7.1.6 Self-Testing

The TOE performs self-test on a subset of the TSF to demonstrate correct operations of the TSF. The
self-test is done at TOE start-up and regularly during the operation by the administrator. TOE
conducts self-tests when it starts periodically during regular operations and at the request of the
administrator. The MFP Controller Software is subject to self-test.

Also, the TSF provides the capability to check the integrity of a subset of the TSF data (Encryption
Key Data) and stored TSF executable code. To check integrity, SHA256 hash algorithm is used. The
hash values from the data saved at initial installation and the data saved by an on-demand integrity
check are compared for integrity check. If the integrity of the TSF data is found compromised, the
issue is reported to the administrator by an email and an audit result is logged.

7.1.7 Fax Data Control

The TOE restricts data forwarding to external interfaces. The TOE restricts the forwarding of inbound
fax data over PSTN to external interfaces. Direct data forwarding from PSTN to other interfaces is
possible only in case where it is explicitly allowed by authorized administrative roles. Excluding the
fax data, all inbound data from external interfaces are not allowed to be forwarded to any external
interface.

7.1.8 Secure Communication

The TSF provides encrypted communication listed in the [Table 31] below to ensure the security of
the transmitted data during communication between the TOE and external IT entities (Client
Computer, FTP server, WebDAV server, CIFS server and Mail server).

[Table 30] Encrypted Communication Provided by TOE

Encrypted Communication Provided by TOE

External IT Entity
Protocol Encryption algorithm
IPSec AES (128bits), 3DES (168bits)
Client Computer TLS 1.0, TLS 1.1,
AES(128bits, 192bits, 256bits), 3DES (168bits)
TLS1.2
IPSec AES (128bits), 3DES (168bits)
FTP server TLS 1.0, TLS 1.1,
AES (128bits, 192bits, 256bits), 3DES (168bits)
TLS1.2
IPSec AES (128bits), 3DES (168bits)
WebDAV server TLS 1.0, TLS 1.1,
AES (128bits, 192bit, 256bits), 3DES (168bits)
TLS1.2
CIFS server IPSec AES (128bits), 3DES (168bits)
IPSec AES (128bits), 3DES (168bits)
Mail server TLS 1.0, TLS 1.1,
AES (128bits, 192bits, 256bits), 3DES (168bits)
TLS1.2

75