Xerox WorkCentre 5222/5225/5230. Security Target

Transcription

1 Xerox WorkCentre 5222/5225/5230 Security Target Version This document is a translation of the evaluated and certified security target written in Japanese

2 - Table of Contents - 1. ST INTRDUCTIN ST Identification ST verview Common Criteria Conformance Claim References Acronyms and Terminology Acronyms Terminology TE DESCRIPTIN TE verview Product Type Function Types Service verview Environment Assumptions Security Function verview User Assumptions Logical Scope and Boundary Basic Functions Control Panel Function Copy Function Print Function Scan Function, Network Scan Function FAX Function ifax / D-FAX Functions CWIS Function Security Functions Hard Disk Data verwrite (TSF_IW) Hard Disk Data Encryption (TSF_CIPHER) User Authentication (TSF_USER_AUTH) System Administrator s Security Management (TSF_FMT) Customer Engineer peration Restriction (TSF_CE_LIMIT) Security Audit Log (TSF_FAU) Internal Network Data Protection (TSF_NET_PRT) FAX Flow Security (TSF_FAX_FLW) Physical Scope and Boundary Assets Protected by TE TE SECURITY ENVIRNMENT i -

3 3.1. Assumptions Threats rganizational Security Policy SECURITY BJECTIVES Security bjectives for the TE Security bjectives for the Environment IT SECURITY REQUIREMENTS TE Security Functional Requirements Class FAU: Security Audit Class FCS: Cryptographic support Class FDP: User data protection Class FIA: Identification and authentication Class FMT: Security management Class FPT: Protection of TSF Class FTP: Trusted path/channels TE Security Function Strength TE Security Assurance Requirements Security Requirements for the IT Environment TE SUMMARY SPECIFICATIN TE Security Functions Hard Disk Data verwrite (TSF_IW) Hard Disk Data Encryption (TSF_CIPHER) User Authentication (TSF_USER_AUTH) System Administrator s Security Management (TSF_FMT) Customer Engineer peration Restriction (TSF_CE_LIMIT) Security Audit Log (TSF_FAU) Internal Network Data Protection (TSF_NET_PRT) FAX Flow Security (TSF_FAX_FLW) Security Function Strength Level Assurance Measures Configuration Management Description (TAS_CNFIG) TE Configuration List (TAS_CNFIG_LIST) Delivery, Introduction, and peration Procedure Description (TAS_DELIVERY) Functional Specification (TAS_FUNC_SPEC) High-Level Design Specification (TAS_HIGHLDESIGN) Correspondence Analysis Description (TAS_REPRESENT) User Guide (TAS_GUIDANCE) Test Plan and Report (TAS_TEST) Vulnerability Analysis (TAS_VULNERABILITY) ii -

4 7. PP CLAIMS PP Reference PP Tailoring PP Addition RATINALE Security bjectives Rationale Security Requirements Rationale Security Functional Requirements Rationale Rationale for Security Functional Requirement of IT Environment Rationale for Minimum Functional Strength Level Dependencies of Security Functional Requirements Interactions among Security Functional Requirements Bypass Prevention De-activation Prevention Interference Detection of Defeat Consistency Rationale between Security Functional Requirements Requirement Rationale for Security Assurance TE Summary Specification Rationale Rationale for TE Security Function Requirements Security Function Strength Rationale Security Assurance Measures Rationale PP Claims Rationale iii -

5 - List of Figures and Tables - Figure 1: Intended perational Environment Figure 2: MFP Units and TE Logical Scope Figure 3: Authentication Flow for Private Print and Mailbox...16 Figure 4: MFP Units and TE Physical Scope Figure 5: Assets under and not under Protection Table 1: Function Types and Capabilities... 9 Table 2: User Role Assumptions Table 3: Categories of TE Configuration Data Table 4: Assumptions Table 5: Threats Addressed by the TE Table 6: rganizational Security Policy Table 7: Security bjectives for the TE Table 8: Security bjectives for the Environment Table 9: Auditable Events of TE and Individually Defined Auditable Events Table 10: perations between Subjects and bjects Covered by MFP Access Control SFP Table 11: Rules for Access Control Table 12: Rules for Explicit Access Authorization Table 13: Subjects, Information, and perations Covered by FAX Information Flow Control SFP Table 14: List of Security Functions Table 15: Security Attributes and Authorized Roles Table 16: peration of TSF Data Table 17: Security Management Functions Provided by TSF Table 18: EAL2 Assurance Requirements Table 19: Relations between Security Functional Requirements and TE Security Functions Table 20: Details of Security Audit Log Data Table 21: Assurance Components and Assurance Measures Table 22: Correspondences between TE/Environment Security bjectives and TE Security Environment Table 23: Security bjectives Rationale for Each TE Security Environment Table 24: Correspondences between Security Functional Requirements and Security bjectives Table 25: Security bjectives to SFR Rationale Table 26: Dependencies of Functional Security Requirements Table 27: Interactions among Security Functional Requirements Table 28: Bypass Prevention Rationale for Security Functional Requirements Table 29: De-activation Prevention Rationale for Security Functional Requirements Table 30: Management Requirements of TE Security Functions Table 31: Rationale for Relations between Security Functional Requirements and TE Security Functions - iv -

6 Table 32: Correspondences between Assurance Measures and Security Assurance Requirements Table 33: Sufficiency of Security Assurance Requirements by Assurance Measures v -

7 1. ST INTRDUCTIN This chapter describes Security Target (ST) identification information, an overview of the ST, the evaluation assurance level of Target of Evaluation (TE), Common Criteria (CC) conformance, references, acronyms, and terminology ST Identification This section provides information needed to identify this ST and its Target of Evaluation (TE). This ST complies with IS/IEC (2005). (1) ST Identification ST Title: Xerox WorkCentre 5222/5225/5230 Security Target ST Version: Ver Author: Fuji Xerox Co., Ltd. Publication Date: July 22, 2008 CC Identification: Common Criteria for Information Technology Security Evaluation, Version 2.3 IS/IEC (2005) Interpretations-0512 Keywords: Multifunction System, Multi Function Peripheral, Copy, Print, Scan, FAX, Internal Hard Disk Drive, Document verwrite, Document Encryption, Internal Network Data Protection, SSL/TLS, IPSec, SNMPv3, S/MIME (2) TE Identification The same TE operates for Xerox WorkCentre 5222, Xerox WorkCentre 5225 and Xerox WorkCentre 5230, and the 3 models are identified by the following same TE name and the same RM versions: TE Identification: Xerox WorkCentre 5222/5225/5230 RM Versions: - Controller+PS RM Ver IT RM Ver IIT RM Ver ADF RM Ver Manufacturer: Fuji Xerox Co., Ltd ST verview This ST provides the security specifications of Xerox WorkCentre 5222/5225/5230 (hereinafter referred to as MFP ). MFP is the short name of Multi Function Peripheral which has copy, print, scan and FAX functions. This ST covers the security functions to protect, from unauthorized disclosure, the document data stored in the internal HDD after being processed by MFP and the used document data (i.e. the residual data after deleted). The ST also describes the protection of data transmitted over general encryption communication protocols. These protocols protect the security of data on the internal network between MFP and highly reliable remote server / client PC (hereinafter referred to as between TE and the remote ) as well as the identification data used at user authentication. However, the function to protect Copyright 2008 by Fuji Xerox Co., Ltd.

8 the internal network data is not available when the data is communicated with the remote which does not support the encryption communication protocols. Additionally, at the behest of the U.S. agency, the user data and TE configuration data on the internal network are protected from unauthorized access via FAX line using public telephone line. This TE provides the following security functions: Hard Disk Data verwrite (TSF_IW) Hard Disk Data Encryption (TSF_CIPHER) User Authentication (TSF_USER_AUTH) System Administrator s Security Management (TSF_FMT) Customer Engineer peration Restriction (TSF_CE_LIMIT) Security Audit Log (TSF_FAU) Internal Network Data Protection (TSF_NET_PRT) FAX Flow Security (TSF_FAX_FLW) 1.3. Common Criteria Conformance Claim This ST conforms to the following evaluation standards for information security (CC). It does not conform to a Protection Profile (PP). - CC Part 2 - CC Part 3 - Evaluation Assurance Level: EAL References The following documentation was used to prepare this ST: Short Name [CC Part 1] [CC Part 2] [CC Part 3] Document Title Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 1: Introduction and general model, dated August 2005, CCMB (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan) Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 2: Security functional requirements, dated August 2005, CCMB (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan) Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 3: Security assurance requirements, dated August 2005, CCMB (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan) Common Methodology for Information Technology Security Evaluation - Version 2.3 Evaluation Methodology, dated August 2005, CCMB [CEM] (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan) [IS/IEC WD N3374, Guide for the Production of PPs and STs - Version Copyright 2008 by Fuji Xerox Co., Ltd.

9 Short Name Document Title TR15446] (Provisional translation, dated January 2004, translated by Information-Technology Promotion Agency, Japan) Interpretations-0512 [I-0512] (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan) 1.5. Acronyms and Terminology Acronyms The following acronyms are used in this ST: Acronym Definition ADF Auto Document Feeder CC Common Criteria for Information Technology Security Evaluation CE Customer Engineer / Customer Service Engineer CWIS CentreWare Internet Service DC Digital Copier DRAM Dynamic Random Access Memory EAL Evaluation Assurance Level IIT Image Input Terminal IT Image utput Terminal IT Information Technology IP Internet Protocol IPSec Security Architecture for Internet Protocol Kerberos A network authentication protocol which uses secret-key cryptography LDAP Lightweight Directory Access Protocol MFP Multi Function Peripheral NVRAM Non Volatile Random Access Memory PDL Page Description Language PP Protection Profile SAR Security Assurance Requirement SEEPRM Serial Electronically Erasable and Programmable Read nly Memory SF Security Function SFP Security Function Policy SFR Security Functional Requirement SMTP Simple Mail Transfer Protocol SNMPv3 Simple Network Management Protocol, Version 3 SF Strength of Function SSLv3/TLSv1 (SSL/TLS) Secure Socket Layer, Version 3 / Transport Layer Security, Version 1 ST Security Target Copyright 2008 by Fuji Xerox Co., Ltd.

10 Acronym S/MIME TE TSC TSF TSFI TSP Definition Secure/Multipurpose Internet Mail Extensions Target of Evaluation TSF Scope of Control TE Security Function TSF Interface TE Security Policy Terminology The following terms are used in this ST: Term Definition User Any entity outside TE who interacts with the TE: i.e. general user, key operator, and system administrator privilege (SA). General User Any person who uses copy, scan, FAX, and print functions of MFP. Key perator An authorized user who manages MFP maintenance and configures TE security functions. System Administrator Privilege (SA) A user authorized by key operator to manage MFP maintenance and configure TE security functions. System Administrator An authorized user who manages MFP maintenance and configures TE security functions. This term covers both key operator and SA. Customer Engineer (CE) This term is equivalent to customer service engineer, a Xerox engineer who maintains and repairs MFP. Attacker A malicious user of TE. Control Panel A panel of MFP on which buttons, lamps, and a touch screen panel are mounted to operate the MFP. General User Client A client for general user and SA to operate the MFP. System Administrator Client A client for system administrator. An administrator can refer to and rewrite TE configuration data of MFP via Web browser. User Client This term covers both general user client and system administrator client. CentreWare Internet Service (CWIS) A service to retrieve the document data scanned by MFP from Mailbox. It also enables a system administrator to refer to and rewrite TE configuration data via Web browser. An operation mode that enables a system administrator to refer to and rewrite Tool Mode TE configuration for device operation and that for security functions according to the operational environment. This mode is distinguished from the operation mode that enables a general user to use the MFP functions. Print Driver Software for a general user to convert the data on a general user client into print data written in page description language (PDL), a readable format for MFP. Software for Direct FAX function, which enables a general user to FAX data to FAX Driver the destination directly from a general user client through MFP. The user can send the FAX data just as printing Copyright 2008 by Fuji Xerox Co., Ltd.

11 Term Network Scan Utility Print Data Control Data Bitmap Data Decompose Function Decompose Print Function Print-Control Function Store Print riginal Copy Function Copy Control Function Scan Function Definition Software for a general user client to retrieve the document data stored in Mailbox of MFP. The data written in PDL, a readable format for MFP, which is to be converted into bitmap data by TE decompose function. The data that is transmitted by command and response interactions. This is one type of data transmitted between MFP hardware units. The decomposed data of the data read by copy function and the print data transmitted from a user client to MFP. Bitmap data is stored into the internal HDD after being compressed in the unique process. A function to analyze and convert the print data written in PDL into bitmap data. To analyze and convert the data written in PDL into bitmap data by decompose function. A function to decompose and print out the print data transmitted by a user client. A function to control the device to enable print operation. A print function in which bitmap data (decomposed print data) is temporarily stored in the MFP internal HDD and then printed out according to the general user s instruction from the control panel. There are three ways for the Store Print: Private Print Jobs are stored only when MFP authenticates a user with his/her ID and password which were preset in the print driver on a general user client. When the user is authenticated with his/her ID and password entered from the control panel, he/she can start print operation. Sample Print When printing several copies, only one copy is printed out first as a sample document. A user can check its quality and send an instruction from the control panel to print out the remaining copies. Mailbox Print Decomposed bitmap data is stored in Mailbox and printed out according to the general user s instruction from the control panel. Texts, images and photos to be read from IIT in copy function. A function in which original is read from IIT and then printed out from IT according to the general user s instruction from the control panel. When more than one copy is ordered for one original, the data read from IIT is first stored into the MFP internal HDD. Then, the stored data is read out from the HDD as needed so that required number of copies can be made. A function to control the device to enable copy operation. According to the general user s instruction from the control panel, the original data is read from IIT and then stored into Mailbox within the MFP internal HDD Copyright 2008 by Fuji Xerox Co., Ltd.

12 Term Scan Control Function Network Scan Function Network Scan Control Function FAX Function FAX Control Function Direct FAX (D-FAX) Function Internet FAX (ifax) Function D-FAX / ifax Control Function Mailbox Personal Mailbox Shared Mailbox Document Data Definition The stored document data can be retrieved via standard Web browser by CWIS or Network Scan Utility function. A function to control the device to enable scan operation. A function in which original data is read from IIT and then transmitted to FTP server, SMB server, or Mail server according to the information set in the MFP. This function is operated according to the general user s instruction from the control panel. A function to control the device to enable network scan operation. A function to send and receive FAX data. According to the general user s instruction from the control panel to send a FAX, the original data is read from IIT and then sent to the destination via public telephone line. The document data is received from the sender s machine and then printed out from the recipient s IT. A function to control the device to enable FAX operation. A FAX function in which data is sent via public telephone line directly from a user client. The data is first sent to MFP as a print job and then to the destination without being printed out. A FAX function in which the data is sent or received via the Internet, not public telephone line. A function to control the device to enable D-FAX / ifax operation. A logical box created in the MFP internal HDD. Mailbox stores the scanned document data or the data to be printed later. Mailbox is categorized into Personal Mailbox and Shared Mailbox. The Mailbox privately used by a general user. Each user can create his/her own Personal Mailbox. The Mailbox shared by any general user. Key operator can create the Shared Mailbox. Document data means all the image data transmitted across the MFP when any of copy, print, scan or FAX functions is operated by a general user. The document data includes: Bitmap data read from IIT and printed out from IT (copy function), Print data sent by general user client and its decomposed bitmap data (print function), Bitmap data read from IIT and then stored into the internal HDD (scan function), Bitmap data read from IIT and sent to the FAX destination and the bitmap Copyright 2008 by Fuji Xerox Co., Ltd.

13 Term Used Document Data Security Audit Log Data Internally Stored Data General Data TE Configuration Data General Client and Server Deletion from the Internal Hard Disk Drive (HDD) verwrite Cryptographic Seed Key Cryptographic Key External Network Internal Network Network User Authentication Definition data faxed from the sender s machine and printed out from the recipient s IT (FAX function). The remaining data in the MFP internal HDD even after deletion. The document data is first stored into the internal HDD, used, and then only its file is deleted. The chronologically recorded data of important events of TE. The events such as device failure, configuration change, and user operation are recorded based on when and who caused what event and its result. The data which is stored in the general user client or in the general client and server, but does not include data regarding TE functions. The data on the internal network. The general data does not include data regarding TE functions. The data which is created by TE or for TE and may affect TE operations. Specifically, it includes the information regarding the functions of Hard Disk Data verwrite, Hard Disk Data Encryption, System Administrator s Security Management, Customer Engineer peration Restriction, Internal Network Data Protection, Security Audit Log, Mailbox, and User Authentication. Client and server which do not directly engage in TE operations. Deletion from the internal HDD means deletion of the management information. When deletion of document data from the internal HDD is requested, only the management information corresponding to the data is deleted. Therefore, user cannot access the document data which was logically deleted. However, the document data itself is not deleted but remains as the used document data until a new data is written in the same storage area. To write over the area of the document data stored in the internal HDD when deleting the data. The 12 alphanumeric characters to be entered by a user. When data in the internal HDD can be encrypted, a cryptographic key is generated based on the cryptographic seed key. The 128-bit data which is automatically generated based on the cryptographic seed key. Before the data is stored into the internal HDD, it is encrypted with the cryptographic key. The network which cannot be managed by the organization that manages TE. This does not include the internal network. Channels between MFP and highly reliable remote server / client PC. The channels are located in the network of the organization, the owner of TE, and are protected from the security risks coming from the external network. A general term to indicate both external and internal networks. A function to limit the accessible TE functions by identifying the user before he/she uses each TE function Copyright 2008 by Fuji Xerox Co., Ltd.

14 Term Local Authentication Definition A mode to manage user authentication of TE using the user information registered in the MFP Copyright 2008 by Fuji Xerox Co., Ltd.

15 2. TE DESCRIPTIN This chapter describes a TE overview, assumption of TE users, logical and physical scopes of TE, and the assets protected by this TE TE verview Product Type This TE, categorized as an IT product, is the MFP which has the following functions: copy, print, scan, FAX-control which enables FAX communication through linkage with the external FAX board, and FAX-Flow Security to prevent unauthorized access from the outside. The TE is the product which controls the whole MFP and protects the data that is transmitted over the encryption communication protocols. These protocols protect the security of the TE configuration data and the document data on the internal network between TE and the remote. The TE also protects, from unauthorized disclosure, the data in the internal HDD: the stored document data after being processed and the used document data Function Types Table 1 shows the types of functions provided by the TE. Table 1: Function Types and Capabilities MFP functions - Basic Function - Copy - Print - Scan - Network Scan - FAX ifax, D-FAX Function types (standard/optional) Standard Function ptional Function (Data Security Kit) Standard Function ptional Function (Scan Kit) ptional Function (FAX Board not to be evaluated) Function capabilities - CWIS - System Administrator s Security Management - Internal Network Data Protection - User Authentication - Security Audit Log - Hard Disk Data verwrite - Hard Disk Data Encryption - Customer Engineer peration Restriction - Copy function - Print function - Scan function - Network Scan function - FAX function - ifax, D-FAX functions - FAX Flow Security Copyright 2008 by Fuji Xerox Co., Ltd.

16 Service verview Environment Assumptions This TE is assumed to be used as an IT product at general office and to be linked to the internal network, public telephone line, and user clients. Figure 1 shows the intended environment for TE operation. External Network General User General User Client -Print Driver -Fax Driver -Network Scan Utility -Web Browser Firewall General User General User Client - Print Driver - Fax Driver USB System Administrator System Administrator Client - Web Browser Internal Network USB TE Fax Board Mail Server FTP Server SMB Server Public Telephone Line General User CE System Administrator Figure 1: Intended perational Environment The following conditions are intended for the internal network environment linked to MFP: (1) General user client: When a client is linked to the MFP via the internal network and print driver, Network Scan Utility and FAX driver are installed to the client, the general user can request the MFP to print, FAX, and retrieve the document data. The user can also request the MFP to retrieve the scanned document data via Web browser Copyright 2008 by Fuji Xerox Co., Ltd.

17 Additionally, the user can change the configurations which user registered to the MFP: Mailbox name, password, access control, and automatic deletion of document. When the client is linked to the MFP directly via USB, and print driver and FAX driver are installed to the client, the user can request the MFP to print and FAX the document data. (2) System administrator client: A system administrator can refer to and change TE configuration data and download security audit log data via Web browser. (3) Mail server: The MFP sends/receives document data to/from Mail server via mail protocol. (4) FTP server: The MFP sends document data to FTP server via FTP. (5) SMB server: The MFP sends document data to SMB server via SMB. (6) FAX board: The FAX board is connected to external public telephone line and supports G3/G4 protocols. The FAX board is connected to the MFP via USB interface to enable FAX communication. The Ss of general user client (1) and system administrator client (2) are assumed to be Windows 2000, Windows XP, and Windows Vista Security Function verview The following are the overview of the security functions provided by this TE: Hard Disk Data verwrite prevents unauthorized disclosure of used document data. The document data created during each job processing is temporarily stored in the internal HDD. After each job is completed, the used data is overwritten with new data by this function. The function of Hard Disk Data Encryption is also provided to prevent unauthorized disclosure of the document data which was created during each job processing. The document data is encrypted before stored into the internal HDD. Internal Network Data Protection protects the security of communication data (document data, security audit log data, and TE configuration data). The TE supports general encryption communication protocols such as SSL/TLS, IPSec, SNMPv3, and S/MIME, which enable the secure data transmission between TE and the remote. Security Audit Log monitors unauthorized use of TE or attempts to it. The important events of TE such as device failure, configuration change, and user operation are traced and recorded based on when and who operated what function. System Administrator s Security Management restricts the right to configure TE security functions to the authenticated system administrator. To refer to or renew TE operational configurations, a system administrator needs to enter his/her ID and password from the control panel and Web browser. User Authentication restricts the right to use TE functions to the authenticated general user. To use TE, a user needs to enter his/her ID and password from the control panel, Web browser, or Network Copyright 2008 by Fuji Xerox Co., Ltd.

18 Scan Utility. Customer Engineer peration Restriction enables a system administrator to inhibit CE from configuring TE security functions. This function prevents configuration change by an attacker who is impersonating CE. FAX Flow Security prevents unauthorized access to the internal network via telephone line or a modem used for FAX function. The data other than FAX data cannot flow into the internal network so that unauthorized access is blocked User Assumptions Table 2 specifies the roles of TE users assumed in this ST. Table 2: User Role Assumptions User Administrator of the organization General user System administrator (Key operator and SA) Role Description An administrator or responsible official of the organization which owns and uses TE. A user of TE functions such as copy, print and FAX. A user who is authorized to manage the device using the tool mode. The system administrator can refer to and rewrite the TE configuration for device operation and that for security functions via Web browser Logical Scope and Boundary The TE logical scope consists of each function of the programs recorded in Controller RM. Figure 2 shows the logical architecture of the TE Copyright 2008 by Fuji Xerox Co., Ltd.

19 TE Controller RM Logical Scope General User System Administrator Control Panel Control User Authentication CWIS Internal Network Data Protection System Administrator Client -Web Browser System Administrator s Security Management Security Audit Log Print Control (Decompose) Copy Control General User Client - Print Driver - FAX Driver - Network Scan Utility - Web Browser Fax Board (Public Telephone Line) FAX Flow Security Hard Disk Data Encryption FAX /D- FAX /ifax Control Scan / Network Scan Control FTP Server SMB Server Mail Server Hard Disk Data verwrite Customer Engineer peration Restriction Internal HDD NVRAM/SEEPRM Used Document Data Document Data Audit Log Data TE Configuration Data ther Configuration Data Figure 2: MFP Units and TE Logical Scope Basic Functions The TE provides the functions of control panel, copy, print, scan, FAX, ifax / D-FAX, and CWIS to general user Control Panel Function Control panel function is for general user and system administrator to operate MFP functions. Buttons, lamps, and a touch screen panel are mounted on the control panel Copy Function Copy function is to read the original data from IIT and print it out from IT according to the general user s instruction from the control panel Print Function Print function is to print out the data according to the instruction from general user client. The print data created via print driver is sent to the MFP to be analyzed, decomposed, and printed out from IT Copyright 2008 by Fuji Xerox Co., Ltd.

20 The print function is of two types: the normal print in which the data is printed out from IT directly after decomposed and the Store Print in which the bitmap data is temporarily stored in the internal HDD and then printed out from IT according to the general user s instruction from the control panel Scan Function, Network Scan Function Scan function is to read the original data from IIT and then store it into the internal HDD according to the general user s instruction from the control panel. A general user can retrieve the stored document data from the general user client via CWIS or Network Scan Utility. Network scan function is to read the original data from IIT and then transmit it to the general user client, FTP server, Mail server, or SMB server according to the information set in the MFP. A general user can request this function from the control panel FAX Function FAX function is to send and receive FAX data. According to the general user s instruction from the control panel to send a FAX, the original data is read from IIT and then sent to the destination via public telephone line. The document data is received from the sender s machine and then printed out from the recipient s IT ifax / D-FAX Functions ifax function is to send and receive FAX data as in the normal FAX function. According to the general user s instruction from the control panel to send a FAX, the original data is read from IIT and then sent to the destination via the Internet. The document data is received from the sender s machine via the Internet and then printed out from the recipient s IT. D-FAX function is to directly FAX document data to the destination. According to the general user s instruction from his/her client to send a FAX, the print data created via FAX driver is sent to the MFP, analyzed, and decomposed. Then, the data is converted to the format for FAX sending and sent to the destination via public telephone line CWIS Function CWIS is to retrieve the scanned document data and the received FAX data from the internal HDD according to the instruction from Web browser of the general user client. A system administrator can also access and rewrite TE configuration data in the function of System Administrator s Security Management. For this, the system administrator must be authenticated by his/her ID and password entered from Web browser of the system administrator client Security Functions The TE is a MFP and not a general-purpose computer nor software. Therefore, its security functions are not architecturally jeopardized by such factors as bypass, destruction, interception, and alteration. The security functions provided by the TE are the following: Hard Disk Data verwrite (TSF_IW) To completely delete the used document data in the internal HDD, the data is overwritten with new data after each job is completed. Without this function, the used document data remains and only its management data is deleted. Additionally, Scheduled Image verwrite function is provided to delete the stored data at the specific time Copyright 2008 by Fuji Xerox Co., Ltd.

21 scheduled by a system administrator Hard Disk Data Encryption (TSF_CIPHER) The document data and security audit log data are encrypted before stored into the internal HDD User Authentication (TSF_USER_AUTH) Access to the MFP functions is restricted to the authorized user. A general user needs to enter his/her ID and password from MFP control panel, print driver, Network Scan Utility, or Web browser (CWIS) of the general user client. nly the authenticated general user can use the following functions: (1) Functions controlled by the MFP control panel: Copy, FAX (send), ifax (send), scan, network scan, Mailbox, and print (This print function requires user ID and password preset from print driver. A user must be authenticated from the control panel for print job.) (2) Functions controlled by Network Scan Utility of general user client: Function to retrieve document data from Mailbox (3) Functions controlled by CWIS: Display of device condition, display of job status and its log, function to retrieve document data from Mailbox, and print function by file designation Among the above functions which require user authentication, some particularly act as security functions. The following are the security functions which prevent the unauthorized reading of document data in the internal HDD by an attacker who is impersonating a legitimate user: - The print function (Private Print function) and the Mailbox function, which require user authentication from the control panel, - The function to retrieve document data from Mailbox which requires user authentication from CWIS or Network Scan Utility (Mailbox function), and the print function by file designation from CWIS (Private Print function). Figure 3 shows the authentication flow of the above functions Copyright 2008 by Fuji Xerox Co., Ltd.

22 General User Client Print Driver (User ID and Password Setting) Web Browser (CWIS) Network Scan Utility TE Internal Authentication Authentication from General User Client Authentication from General User Client Authenticated Print Job Private Print Scanned Data, Received Fax Data Mailbox Authentication from Control Panel Print Figure 3: Authentication Flow for Private Print and Mailbox Private Print Function To enable this function, the user needs to configure the MFP to store an authenticated job to Private Print area* and also needs to preset his/her ID and password from print driver of the general user client. When a general user sends a print request from print driver, the MFP compares the user ID and password against those preset in the MFP. nly when the user is authenticated, the print data is decomposed into bitmap data. Then, the data is classified according to the user ID and temporarily stored in the corresponding Private Print area within the internal HDD. (*Private Print area means the storage area of data for Private Print.) The user can also enable this function by entering his/her ID and password from CWIS for authentication and by sending a print request with designating the files within the general user client. To refer to the stored print data, a general user needs to enter his/her ID and password from the control panel. Then, the data on the waiting list corresponding to the user ID is displayed. The user can request print or deletion of the data on the list. Mailbox Function The scanned data and received FAX data can be stored into Mailbox from IIT and FAX board which are not shown in Figure 3. To store the scanned data into Mailbox, a general user needs to enter his/her ID and password from the control panel. Then, the document data can be scanned from IIT and stored into the internal HDD according to the user s instruction from the control panel. To store the received FAX data into Mailbox, user authentication is not required. Among the received FAX data transmitted over public telephone line, the following data are automatically classified and stored into Copyright 2008 by Fuji Xerox Co., Ltd.

23 each corresponding Mailbox: the received FAX data whose corresponding Mailbox is specified by the sender, the received FAX data from a particular sender (the data is classified according to the sender s telephone number), and the received FAX data from an unknown sender. To refer to, retrieve, print, or delete the stored data in the Personal Mailbox corresponding to the each registered user s ID, user authentication is required; the MFP compares the user ID and password preset in the device against those entered by the general user from the control panel, CWIS, or Network Scan Utility. Besides Personal Mailbox, Shared Mailbox is provided so that authorized general users can share the same Mailbox. nly a key operator can create the Shared Mailbox System Administrator s Security Management (TSF_FMT) To accord a privilege to a specific user, this TE allows only the authenticated system administrator to access the tool mode which enables him/her to configure the following security functions from the control panel: Enable or disable Hard Disk Data verwrite; Enable or disable Hard Disk Data Encryption; Configure the cryptographic seed key for Hard Disk Data Encryption; Enable or disable use of password entered from MFP control panel in user authentication; Change the ID and password of key operator (only a key operator is privileged); Change the ID and password of SA and general user; Set the allowable number of system administrator s authentication failures before access denial; Configure the minimum password length (for general user and SA); Enable or disable Customer Engineer peration Restriction; Enable/disable SSL/TLS communication and configure the detail; Enable/disable IPSec communication and configure the detail; Enable/disable S/MIME communication and configure the detail; Enable/disable Scheduled Image verwrite and set the time; Configure User Authentication; Set date and time. Additionally, this TE allows only the system administrator authenticated from Web browser to configure the following security functions via CWIS: Change the ID and password of key operator (only a key operator is privileged); Change the ID and password of SA and general user; Set the allowable number of system administrator s authentication failures before access denial; Enable or disable Audit Log; Enable/disable SSL/TLS communication and configure the detail; Enable/disable IPSec communication and configure the detail; Copyright 2008 by Fuji Xerox Co., Ltd.

24 Enable/disable SNMPv3 communication and configure the detail; Configure the authentication password for SNMPv3 communication; Enable/disable S/MIME communication and configure the detail; Download/upload and create an X.509 certificate; Enable/disable Scheduled Image verwrite and set the time; Configure User Authentication Customer Engineer peration Restriction (TSF_CE_LIMIT) A system administrator can restrict CE s operation in the tool mode to inhibit CE from referring to or changing TE security configurations. This function can prevent configuration change by an attacker who is impersonating CE Security Audit Log (TSF_FAU) The important events of TE such as device failure, configuration change, and user operation are traced and recorded based on when and who operated what function. nly the system administrator can supervise or analyze the log data by downloading it in the form of tab-delimited text file via Web browser. To download the log data, SSL/TLS communication needs to be enabled Internal Network Data Protection (TSF_NET_PRT) The communication data on the internal network such as document data, security audit log data, and TE configuration data are protected by the following general encryption communication- protocols: SSL/TLS IPSec SNMPv3 S/MIME FAX Flow Security (TSF_FAX_FLW) A FAX board is an option and is connected to TE controller board via USB interface. An attacker cannot access the TE inside or its internal network via the FAX board Physical Scope and Boundary Figure 4 shows configuration of each unit and TE physical scope Copyright 2008 by Fuji Xerox Co., Ltd.

25 Control Panel buttons, lamps, touch screen panel System Administrator, General User ADF ADF Board ADF RM IIT IIT Board IIT RM IT IT Board IT RM Controller Board Controller RM Copy-/ Scan- Control Hard Disk Data verwrite Customer Engineer peration Restriction Print Control decompose FAX /i FAX /D- FAX Control CWIS Hard Disk Data Encryption User Authentica tion System Administrator s Security Management CPU Security Audit Log Internal Network Data Protection FAX Flow Security NVRAM SEEPRM DRAM Ethernet USB (device) USB (host) System Administrator Client, General User Client, Mail Server, FTP Server, SMB Server General User Client (USB) FAX Board (Public Telephone Line) : TE Internal HDD Figure 4: MFP Units and TE Physical Scope The physical scope of this TE is the whole MFP except FAX board. The TE physical scope consists of the PWB units of controller board, control panel, ADF board, IIT board, and IT board. The controller board is connected to the control panel and the ADF board via the internal interfaces which transmit control data, to the IIT board and IT board via the internal interfaces which transmit document data and control data, and to the FAX board via USB interface. The controller board is a PWB which controls MFP functions of copy, print, scan, and FAX. The board has a network interface (Ethernet) and local print interfaces (USB device) and is connected to the IIT board and IT board. The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to enable MFP functions of copy, print, scan, and FAX. The ADF (Automatic Document Feeder) is a device to automatically feed more than one original Copyright 2008 by Fuji Xerox Co., Ltd.

26 The IIT (Image Input Terminal) is a device to scan the original and send the scanned data to the controller board for copy, print, scan, and FAX functions. The IT (Image utput Terminal) is a device to output image information which was sent from the controller board Assets Protected by TE This TE protects the following assets: Right to use MFP functions The general user s right to use each function of TE is assumed as an asset to be protected. Document data stored for job processing When a general user uses MFP functions of copy, print, FAX, and scan, the document data is temporarily stored in the internal HDD for image processing, transmission, and Store Print. The user can retrieve the stored document data in the MFP from the general user client by CWIS function and Network Scan Utility. The stored data includes general user s confidential information and is assumed as an asset to be protected. Used document data When a general user uses MFP functions of copy, print, FAX, and scan, the document data is temporarily stored in the internal HDD for image processing, transmission, and Store Print. When the jobs are completed or canceled, only the management information is deleted but the data itself remains. The residual data includes general user s confidential information and is assumed as an asset to be protected. Security audit log data In the function of Security Audit Log, the important events such as device failure, configuration change and user operation are recorded based on when and who operated what function. For preventive maintenance and response to the events and detection of unauthorized access, only a system administrator can retrieve the log data stored in MFP by CWIS function. The log data is assumed as an asset to be protected. TE configuration data A system administrator can configure TE security functions from the MFP control panel or system administrator client by the function of System Administrator s Security Management. The configuration data stored in the TE (see Table 3) can be a threat to other assets if used without authorization and is assumed as an asset to be protected. Note) The data stored in the general client and server within the internal network and the general data on the internal network are not assumed as assets to be protected. This is because TE functions prevent the access to the internal network from public telephone line and it cannot be a threat Copyright 2008 by Fuji Xerox Co., Ltd.

27 General User Client System Administrator Client - Print Driver - Fax Driver - Web Browser - Network Scan Utility External Network Asset under protection Asset not under protection Internally Stored Data Document data, Security Audit Log data, and TE configuration data transmitted in the internal network General Data on the Internal Network General Client and Server Internally Stored Data Firewall Internal Network Inaccessible TE Document Data Used Document Data Security Audit Log Data TE Configuration Data ther Configuration Data Public Telephone Line Figure 5: Assets under and not under Protection Table 3 categorizes the TE configuration data recorded in NVRAM and SEEPRM of the controller board. Table 3: Categories of TE Configuration Data Categories of TE Configuration Data (Note) Data on Hard Disk Data verwrite Data on Hard Disk Data Encryption Data on System Administrator s Security Management Data on Customer Engineer peration Restriction Data on Internal Network Data Protection Data on Security Audit Log Data on Mailbox Data on User Authentication Data on date and time Note) Configuration data other than TE configuration data are also stored in NVRAM and SEEPRM. Those configuration data, however, are not assumed as assets to be protected because they do not engage in TE security functions Copyright 2008 by Fuji Xerox Co., Ltd.

28 3. TE SECURITY ENVIRNMENT This chapter describes the security aspects of the intended environment for the TE. This includes assumptions regarding the TE, threats to the TE, and organizational security policy Assumptions Table 4 shows the assumptions for the operation and use of this TE. Table 4: Assumptions Assumption (Identifier) Personnel Confidence A.ADMIN Protection Mode A.SECMDE Description A system administrator shall have the necessary knowledge of TE security functions to perform the given role of managing the TE and shall not operate it viciously. A system administrator shall configure the TE as follows: Use of password entered from MFP control panel in user authentication: enabled Length of system administrator password: 9 characters or more Access denial due to authentication failure of system administrator ID: enabled Allowable number of system administrator s authentication failures before access denial: 5 Customer Engineer peration Restriction: enabled Type of authentication: User Authentication enabled Length of user password (for general user and SA): 9 characters or more Private Print configuration: store an authenticated job to Private Print area Audit Log: enabled SNMPv3 communication: enabled Length of authentication password for SNMPv3 communication: 8 characters or more SSL/TLS communication: enabled IPSec communication: enabled S/MIME communication: enabled SMB communication: disabled Hard Disk Data verwrite: enabled Hard Disk Data Encryption: enabled Size of cryptographic seed key for Hard Disk Data Encryption: 12 characters Scheduled Image verwrite: enabled Copyright 2008 by Fuji Xerox Co., Ltd.