With Fax Option Type C5000 Security Target

Page 1 of 80Aficio MP C2800/C3300 series with Fax Option Type C5000Security TargetAuthor: RICOH COMPANY, LTD., Yasushi FUNAKIDate: 2010 -07 -29Version: 1.00Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 2 of 80Revision hiFUNAKIReleased versionCopyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 3 of 80Table of Contents1ST Introduction. 71.1ST Reference. 71.2TOE Reference . 71.3TOE Overview . 81.3.1TOE Type.81.3.2TOE Usage and Major Security Features of TOE.81.3.3Environment for TOE Usage and Non-TOE Configuration Items.81.4TOE Description .101.4.1Physical Boundaries of TOE.101.4.2Guidance Documents.131.4.3User Roles.151.4.3.1Responsible Manager of .4.3.4General User.151.4.3.5Customer Engineer.161.4.41.4.4.1Basic Functions .161.4.4.2Security Functions.181.4.523Logical Boundaries of TOE.16Protected Assets.221.4.5.1Document Data.221.4.5.2Print Data.22Conformance Claims .242.1CC Conformance Claim.242.2PP Claims, Package Claims.242.3Conformance Rationale.24Security Problem Definitions .253.1Threats .253.2Organisational Security Policies. 25Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 4 of 803.34Assumptions. 26Security Objectives . 274.1Security Objectives for TOE.274.2Security Objectives of Operational Environment.284.3Security Objectives Rationale. 284.3.1Tracing.284.3.2Tracing Justification.295Extended Components Definition. 326Security Requirements.336.17Security Functional Requirements. 336.1.1Class FAU: Security audit.336.1.2Class FCS: Cryptographic support.386.1.3Class FDP: User data protection.396.1.4Class FIA: Identification and Authentication.426.1.5Class FMT: Security management.446.1.6Class FPT: Protection of the TSF.516.1.7Class FTP: Trusted path/channels.516.2Security Assurance Requirements. 536.3Security Requirements Rationale. 546.3.1Tracing.546.3.2Justification of Traceability.556.3.3Dependency Analysis.596.3.4Security Assurance Requirements Rationale.61TOE Summary Specification.627.1TOE Security Function.627.1.1SF.AUDIT Audit Function.637.1.1.1Generation of Audit Logs.637.1.1.2Reading Audit Logs .657.1.1.3Protection of Audit Logs.657.1.1.4Time Stamps.657.1.2SF.I&A User Identification and Authentication Function.657.1.2.1User Identification and Authentication.667.1.2.2Actions in Event of Identification and Authentication Failure.66Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 5 of 807.1.2.3Password Feedback Area Protection.677.1.2.4Password Registration.677.1.3SF.DOC ACC Document Data Access Control Function.687.1.3.1General User Operations on Document Data.687.1.3.2File Administrator Operations on Document Data.697.1.4SF.SEC MNG Security Management Function.697.1.4.1Management of Document Data ACL.697.1.4.2Management of Administrator Information .707.1.4.3Management of Supervisor Information.717.1.4.4Management of General User Information.717.1.4.5Management of Machine Control Data.727.1.5SF.CE OPE LOCK Service Mode Lock Function.727.1.6SF.CIPHER Encryption Function.737.1.6.17.1.78Encryption of Document Data.73SF.NET PROT Network Communication Data Protection Function.747.1.7.1Use of Web Service Function from Client Computer.747.1.7.2Printing and Faxing from Client Computer.747.1.7.3Sending by E-mail from TOE.747.1.7.4Delivering to Folders from TOE.747.1.8SF.FAX LINE Protection Function for Intrusion via Telephone Line.747.1.9SF.GENUINE MFP Control Software Verification Function.74Appendix .768.1Definitions of Terminology.768.2References . 80Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 6 of 80List of FiguresFigure 1: Example TOE environment.9Figure 2: Hardware configuration of TOE.11Figure 3: Logical boundaries of TOE.16List of TablesTable 1: List of administrator roles.15Table 2: Correspondence between operations authorised by permissions to process document data.20Table 3: Relationship between security environment and security objectives.29Table 4: List of auditable events .33Table 5: List of cryptographic key generation.38Table 6: List of cryptographic operations.38Table 7: List of subjects, objects, and operations among subjects and objects.39Table 8: Subjects, objects and security attributes.39Table 9: Rules governing access .40Table 10: Rules governing access explicitly .40Table 11: List of subjects, information and operation.41Table 12: Security attributes corresponding to subjects or information.41Table 13: List of authentication events.42Table 14: Lockout release actions.42Table 15: Rules for initial association of attributes.44Table 16: Management roles of security attributes.45Table 17: Characteristics of static attribute initialisation.46Table 18: List of TSF data management.46Table 19: List of specifications of Management Functions.48Table 20: Services requiring trusted paths.52Table 21: TOE security assurance requirements (EAL3).53Table 22: Relationship between security objectives and functional requirements.54Table 23: Correspondence of dependencies of TOE security functional requirements.59Table 24: Relationship between TOE security functional requirements and TOE Security Functions.62Table 25: Auditable events and auditable information.64Table 26: User roles and authentication methods.66Table 27: Unlocking administrators for each user role.67Table 28: Default value for document data ACL.68Table 29: Operations of document data ACL and authorised users.69Table 30: Access to administrator information.70Table 31: Authorised operations on general user information.71Table 32: Administrators authorised to specify machine control data.72Table 33: List of encryption operations on data stored on the HDD.73Table 34: Specific terms used in this ST.76Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 7 of 801 ST IntroductionThis section describes the ST reference, TOE reference, TOE overview, and TOE description.1.1ST ReferenceThe following are the identification information of this ST.1.2ST Title:ST Version: 1.00Aficio MP C2800/C3300 series with Fax Option Type C5000 Security TargetDate: 2010-07 -29Author: RICOH COMPANY, LTD., Yasushi FUNAKITOE ReferenceThis TOE is a digital multi function product (hereafter called an "MFP") with an optional product, FaxController Unit (hereafter called an "FCU"), and is identified by the name of the MFP, version ofsoftware/hardware, and the name and version of the FCU. The TOE is a combination of one of the followingMFPs and an FCU, and also matches the following software/hardware version.Manufacturer : RICOH COMPANY, LTD.MFP Name:Ricoh Aficio MP C2800, Ricoh Aficio MP C2800G, Ricoh Aficio MP C3300, Ricoh Aficio MPC3300GSavin C2828, Savin C2828G, Savin C3333 , Savin C3333GLanier LD528C, Lanier LD528CG, Lanier LD533C, Lanier LD533CGLanier MP C2800, Lanier MP C3300Gestetner MP C2800 , Gestetner MP C3300nashuatec MP C2800 , nashuatec MP C3300Rex-Rotary MP C2800 , Rex-Rotary MP C3300infotec MP C2800, infotec MP C3300MFP Software/Hardware Version:SoftwareHardwareFCU NameSystem/CopyNetwork Support1.228.27ScannerPrinterFaxWeb SupportWeb UaplNetwork Doc Box01.231.2204.00.001.101.081.03Ic KeyIc Ctlr110003: Fax Option Type C5000Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 8 of 80FCU Version : GWFCU3-13(WW)Keywords1.304.04.00: Digital MFP, Documents, Copy, Print, Scanner, Fax, Network, OfficeTOE OverviewThis section defines the TOE type, TOE usage and major security features of the TOE, the environment forthe TOE usage and non -TOE configuration items.1.3.1TOE TypeThe TOE is a digital MFP, which is an IT device that provides the functions of a copier, scanner, printer, andfax (optional). These functions are for digitising paper documents and managing and printing them.1.3.2TOE Usage and Major Security Features of TOEThe TOE has functions for inputting paper and electronic documents into the TOE, storing the inputdocument data, and outputting it. Paper documents are input using the MFP's scanning device, and electronicdocuments are input by receiving them from a client computer via a network, USB connection, or fax. Theoutput function includes printing, Fax Transmission, and transferring to networked servers or clientcomputers. The TOE incorporates some of these functions and provides a Copy Function, Scanner Function,Printer Function, and Fax Function.The following are the major Security Functions of the TOE in this ST:1.Audit Function2.Identification and Authentication Function3.Document Data Access Control Function4.Stored Data Protection Function5.Network Communication Data Protection Function6.Security Management Function7.Service Mode Lock Function8.Telephone Line Intrusion Protection Function9.MFP Control Software Verification FunctionFor the Security Functions listed above, each function is described in "1.4.4.2 Security Functions".1.3.3Environment for TOE Usage and Non-TOE Configuration ItemsThe TOE is assumed to be located in a general office. The TOE can be connected to other devices over anetwork, telephone line, or USB connection, according to users' needs. Users can operate the TOE from theOperation Panel, a client computer connected to the local network, or a client computer connected to theTOE though USB. Figure 1 shows an example of the assumed TOE environment.Copyright (c) 2009,2010 RICOH COMPANY, LTD. All Rights Reserved.

Page 9 of 80Figure 1: Example TOE environmentThe following describes non-TOE configuration:Internal NetworkThe internal network connects the TOE with various types of servers (FTP, SMB, and SMTP servers) andclient computers. It is connected to the Internal via firewall. IPv4 is for the protocol

Manufacturer : RICOH COMPANY, LTD. MFP Name : Ricoh Aficio MP C2800, Ricoh Aficio MP C2800G, Ricoh Aficio MP C3300, Ricoh Aficio MP C3300G Savin C2828, Savin C2828G, Savin C3333, Savin C3333G Lanier LD528C , Lanier LD528CG , Lanier LD533C , Lanier LD533CG Lanier MP C2800, Lanier MP C3300 Gestetner MP C2800 , Gestetner MP C3300