Security Target
Page 4
... Requirements 53 6.3 Security Requirements Rationale 54 6.3.1 Tracing...54 6.3.2 Justification of Traceability 55 6.3.3 Dependency Analysis...59 6.3.4 Security Assurance Requirements Rationale 61 7 TOE Summary Specification 62 7.1 TOE Security Function 62 7.1.1 SF.AUDIT Audit Function 63 7.1.1.1 Generation of Audit Logs 63 7.1.1.2 Reading Audit Logs ...65 7.1.1.3 Protection of Audit Logs...Authentication Function 65 7.1.2.1 User Identification and Authentication 66 7.1.2.2 Actions in Event of Identification and Authentication Failure 66 Copyright (c) 2009,2010 RICOH COMPANY, LTD.
Security Target
Page 6
...roles of security attributes 45 Table 17: Characteristics of static attribute initialisation 46 Table 18: List of TSF data management...46 Table 19: List of specifications of Management Functions 48 Table 20: Services requiring trusted paths...52 Table 21: TOE security assurance requirements (EAL3) 53 Table 22: Relationship between security ... 32: Administrators authorised to specify machine control data 72 Table 33: List of encryption operations on data stored on the HDD 73 Table 34: Specific terms used in this ST...76
Security Target
Page 34
...data successful 2. None a) Minimal: Successful requests to perform an operation on an object covered by the SFP. c) Detailed: The specific security attributes used in making an access check. HDD cryptographic key generation (Outcome: Success/Failure) 1. re-enabling of document data...of cryptographic operation. Deletion of operation, subject and object attributes. Lockout start 2. Newly creating authentication b) Basic: The object attribute(s), and object value(s) excluding any tested secret; secret or private keys...
Security Target
Page 45
... Supervisor - FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of general user information) Query, modify User roles - The general user who own the administrator IDs - Administrators who have full control operation permissions for security attributes that are assigned these...
Security Target
Page 46
...specified property. FMT_MTD.1 Management of Attempts before Lockout Setting for the applicable general user (document file owner). Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: register, change, delete Change Supervisor ...Supervisor Supervisor Applicable administrator of administrator authentication information Machine administrator Machine administrator Machine administrator Machine administrator
Security Target
Page 47
... User administrator Supervisor Machine administrator User administrator Applicable general users of S/MIME user information General users User administrator, General users FMT_SMF.1 Specification of Management Functions described in Table 19 Dependencies: No dependencies. FMT_SMF.1.1 The TSF shall be capable of performing the following Management Functions: [assignment: list of...
Security Target
Page 48
... administrator manages the following settings of general None: Actions are no interfaces to make explicit access based decisions. None a) Managing the attributes used to change. Minimum Password Length - Table 19: List of specifications of Management Functions Functional requirements FAU_GEN...
Security Target
Page 53
...this TOE is EAL3. Other requirements are not included. sample Vulnerability analysis 6.2 Security Assurance Requirements This evaluation ....1 ASE_OBJ.2 ASE_REQ.2 ASE_SPD.1 ASE_TSS.1 ATE_COV.2 ATE_DPT.1 ATE_FUN.1 ATE_IND.2 AVA_VAN.2 Assurance components Security architecture description Functional specification with complete Architectural design Operational user guidance Preparative procedures Authorisation controls Implementation representation CM coverage Delivery procedures Identification of security ...
Security Target
Page 55
... For this, FAU_STG.4 protects audit logs from unauthorised deletion and prevents unauthorised tampering. c) Protect audit logs To fulfil O.AUDIT, audit logs should have the oldest time stamp. If... v v v v v 6.3.2 Justification of Security Functions should be audited. For this, FAU_SAR.1 allows only the machine administrator to fulfil the O.AUDIT specification. a) Record audit logs To fulfil O.AUDIT, the performance of Traceability This section describes how the TOE security objectives are included to read audit logs...
Security Target
Page 56
... attempts reaches the number specified by the user administrator, and it enables only passwords that are included to fulfil the O.DOC_ACC specification. c) Complicate decoding of passwords. For this, FIA_ATD.1 and FIA_USB.1 bind successfully identified and authenticated users with security attributes...to O.DOC_ACC in Table 22, and these requirements are registered in the document data ACL of a document, FIA_SOS.1 accepts only passwords that satisfy the Minimum Password Length and password character combination specified by the machine ...
Security Target
Page 57
.... b) Management and protection of document data. For this, FMT_MSA.1 allows: - authorised TOE users to fulfil the O.MANAGE specification. and - MANAGE Security management Following are the rationale behind the functional requirements corresponding to O.MANAGE in Table 22, and these requirements... To fulfil O.MANAGE, access to TSF data shall be limited to specified users only, and a default value shall be FMT_MTD.1 also allows: - To fulfil O.MANAGE, management of general users, and newly create, delete, and change their own administrator...
Security Target
Page 58
... the validity of encryption keys and the performance of a trusted path (described later) between the TOE and remote users. a) Generate the encryption keys and perform encryption operations adequately. FMT_SMR.1 associates authorised users with a general user, one of ...tampering with document data. Page 58 of data stored in Table 22, and these requirements are included to fulfil the O.MEM.PROTECT specification. The SSL protocol protects document data and print data that are is protected by e-mail from the TOE to a client computer...
Security Target
Page 59
...MFP Control Software, which is installed in ST None None None None None FCS_CKM.4 FCS_CKM.4 None None O.GENUINE Protection of integrity of MFP Control Software integrity Following are the rationale ...functional requirements FAU_GEN.1 FAU_SAR.1 FAU_SAR.2 FAU_STG.1 FAU_STG.4 FCS_CKM.1 FCS_COP.1 FDP_ACC.1 FDP_ACF.1 Dependencies claimed by an attacker to fulfil the O.LINE_PROTECT specification. To fulfil O.GENUINE, the integrity of the MFP Control Software, which is installed in FlashROM, shall be prevented. Table 23: ...
Security Target
Page 62
....CIPHER SF.NET_PROT SF.FAX_LINE SF.GENUINE FAU_GEN.1 v FAU_SAR.1 v FAU_SAR.2 v FAU_STG.1 v FAU_STG.4 v FCS_CKM.1 v FCS_COP.1 v FDP_ACC.1 v FDP_ACF.1 v 7 TOE Summary Specification This section provides a specification summary of the Security Functions of this TOE. 7.1 TOE Security Function The TOE provides the following TOE Security Functions to...
Security Target
Page 66
...user authenticates successfully, as described in "7.1.2.1 User Identification and Authentication", the When either of Attempts before any action), FIA_USB.1 (User-subject binding), FMT_SMF.1 (Specification of Management Functions), and FMT_SMR.1 (Security Roles) are satisfied. 7.1.2.2 Actions in the Address Book. The TOE also identifies and authenticates the user based on... the supervisor to administrator processes, associates administrator processes with the supervisor ID, and maintains those bindings and associations.
Security Target
Page 67
...26 letters) Lower-case letters: [a-z] (26 letters) Numbers: [0-9] (10 digits) Symbols: SP (space 33 symbols) (1) Auto Lockout Release If the user fails to authenticate after making the number of attempts ...the Web browser of a client computer by the locked-out user. From the above, FIA_AFL.1 (Authentication failure handling) and FMT_SMF.1 (Specification of Management Functions) are satisfied. 7.1.2.3 Password Feedback Area Protection The TOE displays a string of masking characters (*: asterisks or : bullets) ...
Security Target
Page 68
...the document data ACL. Availability of document data is registered for document data ACL Document data default ACL The user administrator specifies either Level 1 or Level 2 for document data and operations on document data. ...Complexity Setting specified by the user administrator can be registered. By the above, FIA_SOS.1 (Verification of secrets) and FMT_SMF.1 (Specification of Management Functions) are satisfied. 7.1.3 SF.DOC_ACC Document Data Access Control Function The TOE restricts user access to operations that allows...
Security Target
Page 70
... information, and administrator roles. By the above, FMT_MSA.1 (Management of security attributes), FMT_MSA.3 (Static attribute initialisation), and FMT_SMF.1 (Specification of management functions) are assigned to another administrator.) If the logged-in user is an administrator or supervisor, the TOE allows that user... to perform operations on administrator information. If the logged-in user is a file administrator, the TOE allows...
Security Target
Page 71
... information from the Operation Panel or Web Service Function. By the above, FMT_MSA.1 (Management of security attributes), FMT_MTD.1 (Management of TSF data), FMT_SMF.1 (Specification of management functions), and FMT_SMR.1 (Security roles) are satisfied. General user information includes general user IDs, general user authentication information, document data default ACL, and... Information Management of supervisor information allows only supervisor to query and change supervisor ID, and to change supervisor authentication information.
Security Target
Page 72
... Web Service Function Web Service Function By the above, FIA_AFL.1 (Authentication failure handling), FMT_MTD.1 (Management of TSF data), FMT_SMF.1 (Specification of machine control data by specified users only. The TOE allows only specified users to CEs only, based on the Service Mode Lock...