of 85/85
Xerox WorkCentre 7328/7335/7345 Security Target Version 1.2.7 This document is a translation of the evaluated and certified security target written in Japanese

Xerox WorkCentre 7328/7335/7345 Security Target...Xerox WorkCentre 7328, Xerox WorkCentre 7335 and Xerox WorkCentre 7345 are identified as Xerox WorkCentre 7328/7335/7345 and use the

  • View
    19

  • Download
    1

Embed Size (px)

Text of Xerox WorkCentre 7328/7335/7345 Security Target...Xerox WorkCentre 7328, Xerox WorkCentre 7335 and...

  • Xerox WorkCentre 7328/7335/7345

    Security Target

    Version 1.2.7

    This document is a translation of the evaluated and certified security target written in Japanese

  • - i -

    - Table of Contents -

    1. ST OVERVIEW ................................................................................................... 1 1.1. ST Identification ....................................................................................................................1 1.2. ST Overview ..........................................................................................................................1 1.3. Common Criteria Conformance Claim..................................................................................2 1.4. References..............................................................................................................................2 1.5. Acronyms and Terminology...................................................................................................3

    1.5.1. Acronyms.................................................................................................................................... 3 1.5.2. Terminology................................................................................................................................ 4

    2. TOE DESCRIPTION ........................................................................................... 8 2.1. TOE Overview .......................................................................................................................8

    2.1.1. Product Type............................................................................................................................... 8 2.1.2. Function Types............................................................................................................................ 8 2.1.3. Service Overview ....................................................................................................................... 9

    2.1.3.1. Environment Assumptions......................................................................................................... 9 2.1.3.2. Security Function Overview .................................................................................................... 10

    2.2. User Assumptions ................................................................................................................ 11 2.3. Logical Scope and Boundary ............................................................................................... 11

    2.3.1. Basic Functions......................................................................................................................... 12 2.3.1.1. Control Panel Function ............................................................................................................ 12 2.3.1.2. Copy Function ......................................................................................................................... 12 2.3.1.3. Print Function .......................................................................................................................... 12 2.3.1.4. Scan Function, Network Scan Function................................................................................... 13 2.3.1.5. Fax Function ............................................................................................................................ 13 2.3.1.6. i-Fax / D-Fax Functions........................................................................................................... 13 2.3.1.7. CWIS Function ........................................................................................................................ 13

    2.3.2. Security Functions .................................................................................................................... 13 2.3.2.1. Hard Disk Data Overwrite (TSF_IOW)................................................................................... 13 2.3.2.2. Hard Disk Data Encryption (TSF_CIPHER) ........................................................................... 14 2.3.2.3. User Authentication (TSF_USER_AUTH).............................................................................. 14 2.3.2.4. System Administrator’s Security Management (TSF_FMT)................................................... 16 2.3.2.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT) ................................................ 17 2.3.2.6. Security Audit Log (TSF_FAU)............................................................................................... 17 2.3.2.7. Internal Network Data Protection (TSF_NET_PROT)............................................................ 17 2.3.2.8. Fax Flow Security (TSF_FAX_FLOW) .................................................................................. 17

    2.4. Physical Scope and Boundary..............................................................................................17 2.5. Assets Protected by TOE .....................................................................................................19

    3. TOE SECURITY ENVIRONMENT ................................................................. 21

  • - ii -

    3.1. Assumptions.........................................................................................................................21 3.2. Threats..................................................................................................................................22 3.3. Organizational Security Policy ............................................................................................22

    4. SECURITY OBJECTIVES................................................................................ 23 4.1. Security Objectives for the TOE ..........................................................................................23 4.2. Security Objectives for the Environment.............................................................................23

    5. IT SECURITY REQUIREMENTS.................................................................... 25 5.1. TOE Security Functional Requirements ..............................................................................25

    5.1.1. Class FAU: Security Audit........................................................................................................ 25 5.1.2. Class FCS: Cryptographic support ........................................................................................... 28 5.1.3. Class FDP: User data protection............................................................................................... 29 5.1.4. Class FIA: Identification and authentication ............................................................................ 32 5.1.5. Class FMT: Security management............................................................................................ 33 5.1.6. Class FPT: Protection of TSF ................................................................................................... 37 5.1.7. Class FTP: Trusted path/channels............................................................................................. 38 5.1.8. TOE Security Function Strength............................................................................................... 38

    5.2. TOE Security Assurance Requirements ...............................................................................38 5.3. Security Requirements for the IT Environment ...................................................................39

    6. TOE SUMMARY SPECIFICATION ............................................................... 40 6.1. TOE Security Functions.......................................................................................................40

    6.1.1. Hard Disk Data Overwrite (TSF_IOW).................................................................................... 41 6.1.2. Hard Disk Data Encryption (TSF_CIPHER)............................................................................ 42 6.1.3. User Authentication (TSF_USER_AUTH) .............................................................................. 42 6.1.4. System Administrator’s Security Management (TSF_FMT).................................................... 44 6.1.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT) ................................................. 45 6.1.6. Security Audit Log (TSF_FAU) ............................................................................................... 46 6.1.7. Internal Network Data Protection (TSF_NET_PROT) ............................................................ 48 6.1.8. Fax Flow Security (TSF_FAX_FLOW) ................................................................................... 50

    6.2. Security Function Strength Level ........................................................................................50 6.3. Assurance Measures.............................................................................................................50

    6.3.1. Configuration Management Description (TAS_CONFIG) .................................................... 51 6.3.2. TOE Configuration List (TAS_CONFIG_LIST) ................................................................... 51 6.3.3. Delivery, Introduction, and Operation Procedure Description (TAS_DELIVERY) .............. 51 6.3.4. Functional Specification (TAS_FUNC_SPEC)...................................................................... 52 6.3.5. Disclosure Paper(TAS_DISC_PAPER)................................................................................... 52 6.3.6. High-Level Design Specification (TAS_HIGHLDESIGN) ................................................... 52 6.3.7. Correspondence Analysis Description (TAS_REPRESENT) ................................................ 52 6.3.8. User Guide (TAS_GUIDANCE) ............................................................................................ 53 6.3.9. Test Plan and Report (TAS_TEST) ........................................................................................ 54 6.3.10. Vulnerability Analysis (TAS_VULNERABILITY) ........................................................... 54

  • - iii -

    7. PP CLAIMS........................................................................................................ 56 7.1. PP Reference ........................................................................................................................56 7.2. PP Refinement......................................................................................................................56 7.3. PP Addition ..........................................................................................................................56

    8. RATIONALE...................................................................................................... 57 8.1. Security Objectives Rationale..............................................................................................57 8.2. Security Requirements Rationale.........................................................................................60

    8.2.1. Security Functional Requirements Rationale ........................................................................... 60 8.2.2. Rationale for Security Functional Requirement of IT Environment......................................... 65 8.2.3. Rationale for Minimum Functional Strength Level.................................................................. 65 8.2.4. Dependencies of Security Functional Requirements ................................................................ 65 8.2.5. Interactions among Security Functional Requirements ............................................................ 68

    8.2.5.1. Bypass Prevention ................................................................................................................... 69 8.2.5.2. De-activation Prevention ......................................................................................................... 71 8.2.5.3. Interference .............................................................................................................................. 71 8.2.5.4. Detection of Defeat.................................................................................................................. 71

    8.2.6. Consistency Rationale between Security Functional Requirements......................................... 71 8.2.7. Requirement Rationale for Security Assurance ........................................................................ 73

    8.3. Rationale for TOE Summary Specification .........................................................................73 8.3.1. Rationale for TOE Security Function Requirements ................................................................ 73 8.3.2. Security Function Strength Rationale ....................................................................................... 76 8.3.3. Security Assurance Measures Rationale ................................................................................... 76

    8.4. PP Claims Rationale.............................................................................................................79

  • - iv -

    - List of Figures and Tables -

    Figure 1: Intended Operational Environment ................................................................................................ 9 Figure 2: MFP Units and TOE Logical Scope ............................................................................................. 12 Figure 3: Authentication Flow for Private Print and Mailbox ..................................................................... 15 Figure 4: MFP Units and TOE Physical Scope............................................................................................ 18 Figure 5: Assets under and not under Protection ......................................................................................... 20

    Table 1: Function Types and Capabilities ...................................................................................................... 8 Table 2: User Role Assumptions...................................................................................................................11 Table 3: Categories of TOE Configuration Data ......................................................................................... 20 Table 4: Assumptions................................................................................................................................... 21 Table 5: Threats Addressed by the TOE ...................................................................................................... 22 Table 6: Organizational Security Policy ...................................................................................................... 22 Table 7: Security Objectives for the TOE.................................................................................................... 23 Table 8: Security Objectives for the Environment....................................................................................... 23 Table 9: Auditable Events of TOE and Individually Defined Auditable Events.......................................... 25 Table 10: Operations between Subjects and Objects Covered by MFP Access Control SFP...................... 29 Table 11: Rules for Access Control ............................................................................................................. 30 Table 12: Rules for Explicit Access Authorization ...................................................................................... 31 Table 13: Subjects, Information, and Operations Covered by Fax Information Flow Control SFP ......... 32 Table 14: List of Security Functions............................................................................................................ 34 Table 15: Security Attributes and Authorized Roles.................................................................................... 34 Table 16: Operation of TSF Data................................................................................................................. 35 Table 17: Security Management Functions Provided by TSF ..................................................................... 36 Table 18: EAL2 Assurance Requirements ................................................................................................... 38 Table 19: Relations between Security Functional Requirements and TOE Security Functions .................. 41 Table 20: Details of Security Audit Log Data.............................................................................................. 47 Table 21: Assurance Components and Assurance Measures ....................................................................... 50 Table 22: Correspondences between TOE/Environment Security Objectives and TOE Security

    Environment ............................................................................................................................................ 57 Table 23: Security Objectives Rationale for Each TOE Security Environment .......................................... 57 Table 24: Correspondences between Security Functional Requirements and Security Objectives ............. 60 Table 25: Security Objectives to SFR Rationale.......................................................................................... 61 Table 26: Dependencies of Functional Security Requirements ................................................................... 65 Table 27: Interactions among Security Functional Requirements ............................................................... 68 Table 28: Bypass Prevention Rationale for Security Functional Requirements .......................................... 69 Table 29: De-activation Prevention Rationale for Security Functional Requirements ................................ 71 Table 30: Management Requirements of TOE Security Functions ............................................................. 72 Table 31: Rationale for Relations between Security Functional Requirements and TOE Security Functions

  • - v -

    ................................................................................................................................................................. 74 Table 32: Correspondences between Assurance Measures and Security Assurance Requirements ............ 76 Table 33: Sufficiency of Security Assurance Requirements by Assurance Measures ................................. 77

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 1 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    1. ST OVERVIEW This chapter describes Security Target (ST) identification information, an overview of the ST, the evaluation assurance level of Target of Evaluation (TOE), Common Criteria (CC) conformance, references, acronyms, and terminology.

    1.1. ST Identification This section provides information needed to identify this ST and its Target of Evaluation (TOE). This ST complies with ISO/IEC 15408 (2005).

    (1) ST Identification

    ST Title: Xerox WorkCentre 7328/7335/7345 Security Target ST Version: Ver. 1.2.7 Author: Fuji Xerox Co., Ltd. Publication Date: November 27, 2007 CC Identification:

    Common Criteria for Information Technology Security Evaluation, Version 2.3 ISO/IEC 15408 (2005) Interpretations-0512

    Keywords:

    Multifunction System, Multi Function Peripheral, Copy, Print, Scan, Fax, Internal Hard Disk Drive, Document Overwrite, Document Encryption, Internal Network Data Protection, SSL/TLS, IPSec, SNMPv3, S/MIME

    (2) TOE Identification Xerox WorkCentre 7328, Xerox WorkCentre 7335 and Xerox WorkCentre 7345 are identified as Xerox WorkCentre 7328/7335/7345 and use the same ROM versions:

    TOE Identification: Xerox WorkCentre 7328/7335/7345 ROM Versions:

    - Controller+PS ROM Ver. 1.221.100 - IOT ROM Ver. 3.0.4 - IIT ROM Ver. 20.4.1 - ADF ROM Ver. 11.6.5

    Manufacturer: Fuji Xerox Co., Ltd.

    1.2. ST Overview This ST provides the security specifications of Xerox WorkCentre 7328/7335/7345 (hereinafter referred to as “MFP”). MFP is the short name of Multi Function Peripheral which has copy, print, scan and fax functions. This ST covers the security functions to protect, from unauthorized disclosure, the document data stored in the internal HDD after being processed by MFP and the used document data (i.e. the residual data after deleted). The ST also describes the protection of data transmitted over general encryption communication protocols. These protocols protect the security of data on the internal network between MFP and highly reliable remote server / client PC (hereinafter referred to as “between TOE and the remote”) as well as the identification data used at user authentication. However, the function to protect the internal network data is not available when the data is communicated with the remote which does

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 2 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    not support the encryption communication protocols. Additionally, at the behest of the U.S. agency, the user data and TOE configuration data on the internal network are protected from unauthorized access via fax line using public telephone line. This TOE provides the following security functions:

    • Hard Disk Data Overwrite (TSF_IOW) • Hard Disk Data Encryption (TSF_CIPHER) • User Authentication (TSF_USER_AUTH) • System Administrator’s Security Management (TSF_FMT) • Customer Engineer Operation Restriction (TSF_CE_LIMIT) • Security Audit Log (TSF_FAU) • Internal Network Data Protection (TSF_NET_PROT) • Fax Flow Security (TSF_FAX_FLOW)

    1.3. Common Criteria Conformance Claim This ST conforms to the following evaluation standards for information security (CC). It does not

    conform to a Protection Profile (PP). - CC Part 2 - CC Part 3 - Evaluation Assurance Level: EAL 2

    1.4. References The following documentation was used to prepare this ST: Short Name Document Title

    [CC Part 1]

    Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 1: Introduction and general model, dated August 2005, CCMB-2005-08-001 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)

    [CC Part 2]

    Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 2: Security functional requirements, dated August 2005, CCMB-2005-08-002 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)

    [CC Part 3]

    Common Criteria for Information Technology Security Evaluation - Version 2.3 Part 3: Security assurance requirements, dated August 2005, CCMB-2005-08-003 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)

    [CEM]

    Common Methodology for Information Technology Security Evaluation - Version 2.3 Evaluation Methodology, dated August 2005, CCMB-2005-08-004 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)

    [ISO/IEC TR15446]

    WD N3374, Guide for the Production of PPs and STs - Version 0.93 (Provisional translation, dated January 2004,

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 3 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Short Name Document Title

    translated by Information-Technology Promotion Agency, Japan)

    [I-0512] Interpretations-0512 (Translation version 1.0, dated December 2005, translated by Information-Technology Promotion Agency, Japan)

    1.5. Acronyms and Terminology 1.5.1. Acronyms

    The following acronyms are used in this ST: Acronym Definition

    ADF Auto Document Feeder CC Common Criteria for Information Technology Security Evaluation CE Customer Engineer / Customer Service Engineer CWIS CentreWare Internet Service DC Digital Copier DRAM Dynamic Random Access Memory EAL Evaluation Assurance Level IIT Image Input Terminal IOT Image Output Terminal IT Information Technology IP Internet Protocol IPSec Security Architecture for Internet Protocol Kerberos A network authentication protocol which uses secret-key cryptography LDAP Lightweight Directory Access Protocol MFP Multi Function Peripheral NVRAM Non Volatile Random Access Memory PDL Page Description Language PP Protection Profile SAR Security Assurance Requirement SEEPROM Serial Electronically Erasable and Programmable Read Only Memory SF Security Function SFP Security Function Policy SFR Security Functional Requirement SMTP Simple Mail Transfer Protocol SNMPv3 Simple Network Management Protocol, Version 3 SOF Strength of Function SSLv3/TLSv1 (SSL/TLS)

    Secure Socket Layer, Version 3 / Transport Layer Security, Version 1

    ST Security Target S/MIME Secure/Multipurpose Internet Mail Extensions

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 4 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Acronym Definition

    TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Function TSFI TSF Interface TSP TOE Security Policy

    1.5.2. Terminology The following terms are used in this ST:

    Term Definition

    User Any entity outside TOE who interacts with the TOE: i.e. general user, key operator, and system administrator privilege (SA).

    General User Any person who uses copy, scan, fax, and print functions of MFP.

    Key Operator An authorized user who manages MFP maintenance and configures TOE security functions.

    System Administrator Privilege (SA)

    A user authorized by key operator to manage MFP maintenance and configure TOE security functions.

    System AdministratorAn authorized user who manages MFP maintenance and configures TOE security functions. This term covers both key operator and SA.

    Customer Engineer (CE)

    This term is equivalent to customer service engineer, a Xerox engineer who maintains and repairs MFP.

    Attacker A malicious user of TOE.

    Control Panel A panel of MFP on which buttons, lamps, and a touch screen panel are mounted to operate the MFP.

    General User Client A client for general user and SA to operate the MFP. System Administrator Client

    A client for system administrator. An administrator can refer to and rewrite TOE configuration data of MFP via Web browser.

    User Client This term covers both general user client and system administrator client. CentreWare Internet Service (CWIS)

    A service to retrieve the document data scanned by MFP from Mailbox. It also enables a system administrator to refer to and rewrite TOE configuration data via Web browser.

    Tool Mode

    An operation mode that enables a system administrator to refer to and rewrite TOE configuration for device operation and that for security functions according to the operational environment. This mode is distinguished from the operation mode that enables a general user to use the MFP functions.

    Print Driver Software for a general user to convert the data on a general user client into print data written in page description language (PDL), a readable format for MFP.

    Fax Driver Software for Direct Fax function, which enables a general user to fax data to the destination directly from a general user client through MFP. The user can send the fax data just as printing.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 5 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Term Definition

    Network Scan UtilitySoftware for a general user client to retrieve the document data stored in Mailbox of MFP.

    Print Data The data written in PDL, a readable format for MFP, which is to be converted into bitmap data by TOE decompose function.

    Control Data The data that is transmitted by command and response interactions. This is one type of data transmitted between MFP hardware units.

    Bitmap Data The decomposed data of the data read by copy function and the print data transmitted from a user client to MFP. Bitmap data is stored into the internal HDD after being compressed in the unique process.

    Decompose Function A function to analyze and convert the print data written in PDL into bitmap data.

    Decompose To analyze and convert the data written in PDL into bitmap data by decompose function.

    Print Function A function to decompose and print out the print data transmitted by a user client. Print-Control Function

    A function to control the device to enable print operation.

    Store Print

    A print function in which bitmap data (decomposed print data) is temporarily stored in the MFP internal HDD and then printed out according to the general user’s instruction from the control panel. There are three ways for the Store Print:

    • Private Print Jobs are stored only when MFP authenticates a user with his/her ID and password which were preset in the print driver on a general user client. When the user is authenticated with his/her ID and password entered from the control panel, he/she can start print operation.

    • Sample Print When printing several copies, only one copy is printed out first as a sample document. A user can check its quality and send an instruction from the control panel to print out the remaining copies.

    • Mailbox Print Decomposed bitmap data is stored in Mailbox and printed out according to the general user’s instruction from the control panel.

    Original Texts, images and photos to be read from IIT in copy function.

    Copy Function

    A function in which original is read from IIT and then printed out from IOT according to the general user’s instruction from the control panel. When more than one copy is ordered for one original, the data read from IIT is first stored into the MFP internal HDD. Then, the stored data is read out from the HDD as needed so that required number of copies can be made.

    Copy Control Function

    A function to control the device to enable copy operation.

    Scan Function According to the general user’s instruction from the control panel, the original data is read from IIT and then stored into Mailbox within the MFP internal HDD.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 6 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Term Definition

    The stored document data can be retrieved via standard Web browser by CWIS or Network Scan Utility function.

    Scan Control Function

    A function to control the device to enable scan operation.

    Network Scan Function

    A function in which original data is read from IIT and then transmitted to FTP server, SMB server, or Mail server according to the information set in the MFP. This function is operated according to the general user’s instruction from the control panel.

    Network Scan Control Function

    A function to control the device to enable network scan operation.

    Fax Function

    A function to send and receive fax data. According to the general user’s instruction from the control panel to send a fax, the original data is read from IIT and then sent to the destination via public telephone line. The document data is received from the sender’s machine and then printed out from the recipient’s IOT.

    Fax Control Function A function to control the device to enable fax operation.

    Direct Fax (D-Fax)Function

    A fax function in which data is sent via public telephone line directly from a user client. The data is first sent to MFP as a print job and then to the destination without being printed out.

    Internet Fax (i-Fax) Function

    A fax function in which the data is sent or received via the Internet, not public telephone line.

    D-Fax / i-Fax Control Function

    A function to control the device to enable D-Fax / i-Fax operation.

    Mailbox A logical box created in the MFP internal HDD. Mailbox stores the scanned document data or the data to be printed later. Mailbox is categorized into Personal Mailbox and Shared Mailbox.

    Personal Mailbox The Mailbox privately used by a general user. Each user can create his/her own Personal Mailbox.

    Shared Mailbox The Mailbox shared by any general user. Key operator can create the Shared Mailbox.

    Document Data

    Document data means all the image data transmitted across the MFP when any of copy, print, scan or fax functions is operated by a general user. The document data includes:

    • Bitmap data read from IIT and printed out from IOT (copy function), • Print data sent by general user client and its decomposed bitmap data (print

    function), • Bitmap data read from IIT and then stored into the internal HDD (scan

    function), • Bitmap data read from IIT and sent to the fax destination and the bitmap data

    faxed from the sender’s machine and printed out from the recipient’s IOT (fax function).

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 7 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Term Definition

    Used Document DataThe remaining data in the MFP internal HDD even after deletion. The document data is first stored into the internal HDD, used, and then only its file is deleted.

    Security Audit Log Data

    The chronologically recorded data of important events of TOE. The events such as device failure, configuration change, and user operation are recorded based on when and who caused what event and its result.

    Internally Stored Data

    The data which is stored in the general user client or in the general client and server, but does not include data regarding TOE functions.

    General Data The data on the internal network. The general data does not include data regarding TOE functions.

    TOE Configuration Data

    The data which is created by TOE or for TOE and may affect TOE operations. Specifically, it includes the information regarding the functions of Hard Disk Data Overwrite, Hard Disk Data Encryption, System Administrator’s Security Management, Customer Engineer Operation Restriction, Internal Network Data Protection, Security Audit Log, Mailbox, and User Authentication.

    General Client and Server

    Client and server which do not directly engage in TOE operations.

    Deletion from the Internal Hard Disk Drive (HDD)

    Deletion from the internal HDD means deletion of the management information. When deletion of document data from the internal HDD is requested, only the management information corresponding to the data is deleted. Therefore, user cannot access the document data which was logically deleted. However, the document data itself is not deleted but remains as the used document data until a new data is written in the same storage area.

    Overwrite To write over the area of the document data stored in the internal HDD when deleting the data.

    Cryptographic Seed Key

    The 12 alphanumeric characters to be entered by a user. When data in the internal HDD can be encrypted, a cryptographic key is generated based on the cryptographic seed key.

    Cryptographic Key The 128-bit data which is automatically generated based on the cryptographic seed key. Before the data is stored into the internal HDD, it is encrypted with the cryptographic key.

    External Network The network which cannot be managed by the organization that manages TOE. This does not include the internal network.

    Internal Network Channels between MFP and highly reliable remote server / client PC. The channels are located in the network of the organization, the owner of TOE, and are protected from the security risks coming from the external network.

    Network A general term to indicate both external and internal networks.

    User Authentication A function to limit the accessible TOE functions by identifying the user before he/she uses each TOE function.

    Local AuthenticationA mode to manage user authentication of TOE using the user information registered in the MFP.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 8 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    2. TOE DESCRIPTION This chapter describes a TOE overview, assumption of TOE users, logical and physical scopes of TOE, and the assets protected by this TOE.

    2.1. TOE Overview 2.1.1. Product Type

    This TOE, categorized as an IT product, is the MFP which has the following functions: copy, print, scan, fax-control which enables fax communication through linkage with the external fax board, and Fax-Flow Security to prevent unauthorized access from the outside. The TOE is the product which controls the whole MFP and protects the data that is transmitted over the encryption communication protocols. These protocols protect the security of the TOE configuration data and the document data on the internal network between TOE and the remote. The TOE also protects, from unauthorized disclosure, the data in the internal HDD: the stored document data after being processed and the used document data.

    2.1.2. Function Types Table 1 shows the types of functions provided by the TOE.

    Table 1: Function Types and Capabilities

    MFP functions Function types

    (standard/optional) Function capabilities

    - Basic Function

    - CWIS - Hard Disk Data Overwrite - Hard Disk Data Encryption - System Administrator’s Security Management - Internal Network Data Protection - User Authentication - Customer Engineer Operation Restriction - Security Audit Log

    - Copy - Print

    Standard Function

    - Copy function - Print function

    - Scan - Network Scan

    Optional Function (Scan Kit) - Scan function - Network Scan function

    - Fax - i-Fax, D-Fax

    Optional Function (Fax Board not to be evaluated)

    - Fax function - i-Fax, D-Fax functions - Fax Flow Security

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 9 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    2.1.3. Service Overview

    2.1.3.1. Environment Assumptions This TOE is assumed to be used as an IT product at general office and to be linked to the internal network, public telephone line, and user clients. Figure 1 shows the intended environment for TOE operation.

    Figure 1: Intended Operational Environment

    The following conditions are intended for the internal network environment linked to MFP:

    (1) General user client: When a client is linked to the MFP via the internal network and print driver, Network Scan Utility and fax driver are installed to the client, the general user can request the MFP to print, fax, and retrieve the document data. The user can also request the MFP to retrieve the scanned document data via Web browser. Additionally, the user can change the configurations which user registered to the MFP: Mailbox name,

    Public TelephoneLine

    TOE

    CE General User System Administrator

    General User

    General User Client

    - Print Driver - Fax Driver

    Mail Server

    FTP Server

    SMB Server

    External Network

    Firewall

    Internal Network

    System Administrator

    System AdministratorClient

    - Web Browser

    General User Client

    -Print Driver -Fax Driver -Network Scan Utility -Web Browser

    General User

    Fax Board

    USB IEEE1284

    USB

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 10 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    password, access control, and automatic deletion of document. When the client is linked to the MFP directly via USB or IEEE1284 and print driver and fax driver are installed to the client, the user can request the MFP to print and fax the document data.

    (2) System administrator client: A system administrator can refer to and change TOE configuration data and download security audit log data via Web browser.

    (3) Mail server: The MFP sends/receives document data to/from Mail server via mail protocol.

    (4) FTP server: The MFP sends document data to FTP server via FTP.

    (5) SMB server: The MFP sends document data to SMB server via SMB.

    (6) Fax board: The fax board is connected to external public telephone line and supports G3/G4 protocols. The fax board is connected to the MFP via USB interface to enable fax communication.

    The OSs of general user client (1) and system administrator client (2) are assumed to be Windows 2000, Windows XP, and Windows Vista.

    2.1.3.2. Security Function Overview The following are the overview of the security functions provided by this TOE:

    • Hard Disk Data Overwrite prevents unauthorized disclosure of used document data. The document data created during each job processing is temporarily stored in the internal HDD. After each job is completed, the used data is overwritten with new data by this function. The function of Hard Disk Data Encryption is also provided to prevent unauthorized disclosure of the document data which was created during each job processing. The document data is encrypted before stored into the internal HDD.

    • Internal Network Data Protection protects the security of communication data (document data, security audit log data, and TOE configuration data). The TOE supports general encryption communication protocols such as SSL/TLS, IPSec, SNMPv3, and S/MIME, which enable the secure data transmission between TOE and the remote.

    • Security Audit Log monitors unauthorized use of TOE or attempts to it. The important events of TOE such as device failure, configuration change, and user operation are traced and recorded based on when and who operated what function.

    • System Administrator’s Security Management restricts the right to configure TOE security functions to the authenticated system administrator. To refer to or renew TOE operational configurations, a system administrator needs to enter his/her ID and password from the control panel and Web browser.

    • User Authentication restricts the right to use TOE functions to the authenticated general user. To use TOE, a user needs to enter his/her ID and password from the control panel, Web browser, or Network Scan Utility.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 11 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    • Customer Engineer Operation Restriction enables a system administrator to inhibit CE from configuring TOE security functions. This function prevents configuration change by an attacker who is impersonating CE.

    • FAX Flow Security prevents unauthorized access to the internal network via telephone line or a modem used for fax function. The data other than fax data cannot flow into the internal network so that unauthorized access is blocked.

    2.2. User Assumptions Table 2 specifies the roles of TOE users assumed in this ST.

    Table 2: User Role Assumptions

    User Role Description

    Administrator of the organization

    An administrator or responsible official of the organization which owns and uses TOE.

    General user A user of TOE functions such as copy, print and fax.

    System administrator (Key operator and SA)

    A user who is authorized to manage the device using the tool mode. The system administrator can refer to and rewrite the TOE configuration for device operation and that for security functions via Web browser.

    2.3. Logical Scope and Boundary The TOE logical scope consists of each function of the programs recorded in Controller ROM. Figure 2 shows the logical architecture of the TOE.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 12 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Figure 2: MFP Units and TOE Logical Scope

    2.3.1. Basic Functions The TOE provides the functions of control panel, copy, print, scan, fax, i-Fax / D-Fax, and CWIS to general user.

    2.3.1.1. Control Panel Function Control panel function is for general user and system administrator to operate MFP functions. Buttons, lamps, and a touch screen panel are mounted on the control panel.

    2.3.1.2. Copy Function Copy function is to read the original data from IIT and print it out from IOT according to the general user’s instruction from the control panel.

    2.3.1.3. Print Function Print function is to print out the data according to the instruction from general user client. The print data created via print driver is sent to the MFP to be analyzed, decomposed, and printed out from IOT. The print function is of two types: the normal print in which the data is printed out from IOT directly after

    Controller ROM

    Scan / Network Scan Control

    Hard Disk Data Overwrite

    Hard Disk Data Encryption

    Security Audit Log

    CWIS

    User Authentication

    Internal Network Data Protection

    Fax Flow Security

    Customer Engineer Operation Restriction

    System Administrator’s

    Security Management

    Internal HDD

    Document Data

    Audit Log Data

    NVRAM/SEEPROM

    TOE Configuration

    Data

    Other Configuration

    Data

    Used Document

    Data

    TOE

    Fax/D-Fax/i-Fax Control

    Print Control (Decompose)

    General User

    Fax Board (Public Telephone Line) FTP Server

    SMB Server Mail Server

    System Administrator Client -Web Browser

    General User Client - Print Driver - Fax Driver - Network Scan

    Utility - Web Browser

    System Administrator

    Control Panel Control

    Copy Control

    Logical Scope

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 13 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    decomposed and the Store Print in which the bitmap data is temporarily stored in the internal HDD and then printed out from IOT according to the general user’s instruction from the control panel.

    2.3.1.4. Scan Function, Network Scan Function Scan function is to read the original data from IIT and then store it into the internal HDD according to the general user’s instruction from the control panel. A general user can retrieve the stored document data from the general user client via CWIS or Network Scan Utility. Network scan function is to read the original data from IIT and then transmit it to the general user client, FTP server, Mail server, or SMB server according to the information set in the MFP. A general user can request this function from the control panel.

    2.3.1.5. Fax Function Fax function is to send and receive fax data. According to the general user’s instruction from the control panel to send a fax, the original data is read from IIT and then sent to the destination via public telephone line. The document data is received from the sender’s machine and then printed out from the recipient’s IOT.

    2.3.1.6. i-Fax / D-Fax Functions i-Fax function is to send and receive fax data as in the normal fax function. According to the general user’s instruction from the control panel to send a fax, the original data is read from IIT and then sent to the destination via the Internet. The document data is received from the sender’s machine via the Internet and then printed out from the recipient’s IOT. D-Fax function is to directly fax document data to the destination. According to the general user’s instruction from his/her client to send a fax, the print data created via fax driver is sent to the MFP, analyzed, and decomposed. Then, the data is converted to the format for fax sending and sent to the destination via public telephone line.

    2.3.1.7. CWIS Function CWIS is to retrieve the scanned document data and the received fax data from the internal HDD according to the instruction from Web browser of the general user client. A system administrator can also access and rewrite TOE configuration data in the function of System Administrator’s Security Management. For this, the system administrator must be authenticated by his/her ID and password entered from Web browser of the system administrator client.

    2.3.2. Security Functions The TOE is a MFP and not a general-purpose computer nor software. Therefore, its security functions are not architecturally jeopardized by such factors as bypass, destruction, interception, and alteration. The security functions provided by the TOE are the following:

    2.3.2.1. Hard Disk Data Overwrite (TSF_IOW) To completely delete the used document data in the internal HDD, the data is overwritten with new data after each job is completed. Without this function, the used document data remains and only its management data is deleted. Additionally, Scheduled Image Overwrite function is provided to delete the stored data at the specific time scheduled by a system administrator.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 14 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    2.3.2.2. Hard Disk Data Encryption (TSF_CIPHER) The document data and security audit log data are encrypted before stored into the internal HDD.

    2.3.2.3. User Authentication (TSF_USER_AUTH) Access to the MFP functions is restricted to the authorized user. A general user needs to enter his/her ID and password from MFP control panel, print driver, Network Scan Utility, or Web browser (CWIS) of the general user client.

    Only the authenticated general user can use the following functions: (1) Functions controlled by the MFP control panel: Copy, fax (send), i-Fax (send), scan, network scan, Mailbox, and print (This print function requires user ID and password preset from print driver. A user must be authenticated from the control panel for print job.) (2) Functions controlled by Network Scan Utility of general user client: Function to retrieve document data from Mailbox (3) Functions controlled by CWIS: Display of device condition, display of job status and its log, function to retrieve document data from Mailbox, and print function by file designation Among the above functions which require user authentication, some particularly act as security functions. The following are the security functions which prevent the unauthorized reading of document data in the internal HDD by an attacker who is impersonating a legitimate user: - The print function (Private Print function) and the Mailbox function, which require user authentication from the control panel, - The function to retrieve document data from Mailbox which requires user authentication from CWIS or Network Scan Utility (Mailbox function), and the print function by file designation from CWIS (Private Print function).

    Figure 3 shows the authentication flow of the above functions.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 15 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Figure 3: Authentication Flow for Private Print and Mailbox

    • Private Print Function To enable this function, the user needs to configure the MFP to “store an authenticated job to Private Print area*” and also needs to preset his/her ID and password from print driver of the general user client. When a general user sends a print request from print driver, the MFP compares the user ID and password against those preset in the MFP. Only when the user is authenticated, the print data is decomposed into bitmap data. Then, the data is classified according to the user ID and temporarily stored in the corresponding Private Print area within the internal HDD. (*Private Print area means the storage area of data for Private Print.) The user can also enable this function by entering his/her ID and password from CWIS for authentication and by sending a print request with designating the files within the general user client. To refer to the stored print data, a general user needs to enter his/her ID and password from the control panel. Then, the data on the waiting list corresponding to the user ID is displayed. The user can request print or deletion of the data on the list.

    • Mailbox Function The scanned data and received fax data can be stored into Mailbox from IIT and fax board which are not shown in Figure 3. To store the scanned data into Mailbox, a general user needs to enter his/her ID and password from the control panel. Then, the document data can be scanned from IIT and stored into the internal HDD according to the user’s instruction from the control panel. To store the received fax data into Mailbox, user authentication is not required. Among the received fax data transmitted over public telephone line, the following data are automatically classified and stored into

    TOE

    Print

    Scanned Data, Received Fax Data

    General User Client

    Print Driver (User ID and Password Setting)

    Web Browser (CWIS)

    Authenticated Print Job

    PrivatePrint

    Authentication from General User Client

    Mailbox

    Authentication from Control Panel

    Internal Authentication

    Network Scan Utility

    Authentication from General User Client

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 16 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    each corresponding Mailbox: the received fax data whose corresponding Mailbox is specified by the sender, the received fax data from a particular sender (the data is classified according to the sender’s telephone number), and the received fax data from an unknown sender. To refer to, retrieve, print, or delete the stored data in the Personal Mailbox corresponding to the each registered user’s ID, user authentication is required; the MFP compares the user ID and password preset in the device against those entered by the general user from the control panel, CWIS, or Network Scan Utility. Besides Personal Mailbox, Shared Mailbox is provided so that authorized general users can share the same Mailbox. Only a key operator can create the Shared Mailbox.

    2.3.2.4. System Administrator’s Security Management (TSF_FMT) To accord a privilege to a specific user, this TOE allows only the authenticated system administrator to access the tool mode which enables him/her to configure the following security functions from the control panel:

    • Enable or disable Hard Disk Data Overwrite;

    • Enable or disable Hard Disk Data Encryption;

    • Configure the cryptographic seed key for Hard Disk Data Encryption;

    • Enable or disable use of password entered from MFP control panel in user authentication;

    • Change the ID and password of key operator (only a key operator is privileged);

    • Change the ID and password of SA and general user;

    • Set the allowable number of system administrator’s authentication failures before access denial;

    • Configure the minimum password length (for general user and SA);

    • Enable or disable Customer Engineer Operation Restriction;

    • Enable/disable SSL/TLS communication and configure the detail;

    • Enable/disable IPSec communication and configure the detail;

    • Enable/disable S/MIME communication and configure the detail;

    • Enable/disable Scheduled Image Overwrite and set the time;

    • Configure User Authentication;

    • Set date and time.

    Additionally, this TOE allows only the system administrator authenticated from Web browser to configure the following security functions via CWIS:

    • Change the ID and password of key operator (only a key operator is privileged);

    • Change the ID and password of SA and general user;

    • Set the allowable number of system administrator’s authentication failures before access denial;

    • Enable or disable Audit Log;

    • Enable/disable SSL/TLS communication and configure the detail;

    • Enable/disable IPSec communication and configure the detail;

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 17 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    • Enable/disable SNMPv3 communication and configure the detail;

    • Configure the authentication password for SNMPv3 communication;

    • Enable/disable S/MIME communication and configure the detail;

    • Download/upload and create an X.509 certificate;

    • Enable/disable Scheduled Image Overwrite and set the time;

    • Configure User Authentication.

    2.3.2.5. Customer Engineer Operation Restriction (TSF_CE_LIMIT) A system administrator can restrict CE’s operation in the tool mode to inhibit CE from referring to or changing TOE security configurations. This function can prevent configuration change by an attacker who is impersonating CE.

    2.3.2.6. Security Audit Log (TSF_FAU) The important events of TOE such as device failure, configuration change, and user operation are traced and recorded based on when and who operated what function. Only the system administrator can supervise or analyze the log data by downloading it in the form of tab-delimited text file via Web browser. To download the log data, SSL/TLS communication needs to be enabled.

    2.3.2.7. Internal Network Data Protection (TSF_NET_PROT) The communication data on the internal network such as document data, security audit log data, and TOE configuration data are protected by the following general encryption communication- protocols:

    • SSL/TLS

    • IPSec

    • SNMPv3

    • S/MIME

    2.3.2.8. Fax Flow Security (TSF_FAX_FLOW) A fax board is an option and is connected to TOE controller board via USB interface. An attacker cannot access the TOE inside or its internal network via the fax board.

    2.4. Physical Scope and Boundary Figure 4 shows configuration of each unit and TOE physical scope.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 18 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Figure 4: MFP Units and TOE Physical Scope

    The physical scope of this TOE is the whole MFP except fax board. The TOE physical scope consists of the PWB units of controller board, control panel, ADF board, IIT board, and IOT board. The controller board is connected to the control panel and the ADF board via the internal interfaces which transmit control data, to the IIT board and IOT board via the internal interfaces which transmit document data and control data, and to the fax board via USB interface. The controller board is a PWB which controls MFP functions of copy, print, scan, and fax. The board has a network interface (Ethernet) and local print interfaces (IEEE1284 and USB device) and is connected to the IIT board and IOT board . The control panel is a panel on which buttons, lamps, and a touch screen panel are mounted to enable MFP functions of copy, print, scan, and fax. The ADF (Automatic Document Feeder) is a device to automatically feed more than one original.

    : TOE

    Control Panel buttons, lamps, touch screen panel

    System Administrator Client, General User Client, Mail Server, FTP Server, SMB Server

    General User Client(USB)

    Internal HDD

    Fax Board (PublicTelephone Line)

    NVRAM

    SEEPROM

    DRAM

    Ethernet U

    SB(device)

    IEEE 1284

    Controller ROM Copy-/ Scan-

    Control

    Hard Disk Data

    Overwrite

    Hard Disk Data

    Encryption

    Security Audit Log

    Print Control

    decompose

    Fax/i-Fax /D-Fax Control

    CWIS

    User Authentica

    tion

    Internal Network

    Data Protection

    Fax Flow Security

    Customer Engineer Operation Restriction

    System Administra-

    tor’s Security Management

    CPU

    Controller Board

    IIT

    IIT Board IIT

    ROM

    IOT

    IOT Board IOT

    ROM

    ADF

    ADF Board ADF ROM

    USB

    (host)

    General User Client (IEEE1284)

    System Administrator, General User

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 19 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    The IIT (Image Input Terminal) is a device to scan the original and send the scanned data to the controller board for copy, print, scan, and fax functions. The IOT (Image Output Terminal) is a device to output image information which was sent from the controller board.

    2.5. Assets Protected by TOE This TOE protects the following assets:

    • Right to use MFP functions The general user’s right to use each function of TOE is assumed as an asset to be protected.

    • Document data stored for job processing When a general user uses MFP functions of copy, print, fax, and scan, the document data is temporarily stored in the internal HDD for image processing, transmission, and Store Print. The user can retrieve the stored document data in the MFP from the general user client by CWIS function and Network Scan Utility. The stored data includes general user’s confidential information and is assumed as an asset to be protected.

    • Used document data When a general user uses MFP functions of copy, print, fax, and scan, the document data is temporarily stored in the internal HDD for image processing, transmission, and Store Print. When the jobs are completed or canceled, only the management information is deleted but the data itself remains. The residual data includes general user’s confidential information and is assumed as an asset to be protected.

    • Security audit log data In the function of Security Audit Log, the important events such as device failure, configuration change and user operation are recorded based on when and who operated what function. For preventive maintenance and response to the events and detection of unauthorized access, only a system administrator can retrieve the log data stored in MFP by CWIS function. The log data is assumed as an asset to be protected.

    • TOE configuration data A system administrator can configure TOE security functions from the MFP control panel or system administrator client by the function of System Administrator’s Security Management. The configuration data stored in the TOE (see Table 3) can be a threat to other assets if used without authorization and is assumed as an asset to be protected.

    Note) The data stored in the general client and server within the internal network and the general data on the internal network are not assumed as assets to be protected. This is because TOE functions prevent the access to the internal network from public telephone line and it cannot be a threat.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 20 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Figure 5: Assets under and not under Protection

    Table 3 categorizes the TOE configuration data recorded in NVRAM and SEEPROM of the controller board.

    Table 3: Categories of TOE Configuration Data

    Categories of TOE Configuration Data (Note)

    Data on Hard Disk Data Overwrite Data on Hard Disk Data Encryption Data on System Administrator’s Security Management Data on Customer Engineer Operation Restriction Data on Internal Network Data Protection Data on Security Audit Log Data on Mailbox Data on User Authentication Data on date and time

    Note) Configuration data other than TOE configuration data are also stored in NVRAM and SEEPROM. Those configuration data, however, are not assumed as assets to be protected because they do not engage in TOE security functions.

    Public Telephone

    Line

    External Network

    Firewall

    Internal Network

    General Client and Server

    General User Client System Administrator Client

    - Print Driver - Fax Driver - Web Browser - Network Scan Utility

    TOE Document data, Security Audit Log data,

    and TOE configuration data transmitted in the internal network

    General Data on the Internal Network Inaccessible

    Document Data Used Document Data Security Audit Log Data TOE Configuration Data

    Internally Stored Data

    Asset under protection

    Asset not under protection

    Other Configuration Data

    Internally Stored Data

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 21 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    3. TOE SECURITY ENVIRONMENT This chapter describes the security aspects of the intended environment for the TOE. This includes assumptions regarding the TOE, threats to the TOE, and organizational security policy.

    3.1. Assumptions Table 4 shows the assumptions for the operation and use of this TOE.

    Table 4: Assumptions

    Assumption (Identifier) Description

    Personnel Confidence

    A.ADMIN A system administrator shall have the necessary knowledge of TOE security functions to perform the given role of managing the TOE and shall not operate it viciously.

    Protection Mode

    A.SECMODE

    A system administrator shall configure the TOE as follows: • Use of password entered from MFP control panel in user authentication:

    enabled • Length of system administrator password: 9 characters or more • Access denial due to authentication failure of system administrator ID:

    enabled • Allowable number of system administrator’s authentication failures before

    access denial: 5 • Customer Engineer Operation Restriction: enabled • Type of authentication: User Authentication enabled • Length of user password (for general user and SA): 9 characters or more • Private Print configuration: store an authenticated job to Private Print area • Audit Log: enabled • SNMPv3 communication: enabled • Length of authentication password for SNMPv3 communication: 8

    characters or more • SSL/TLS communication: enabled • IPSec communication: enabled • S/MIME communication: enabled • SMB communication: disabled • Hard Disk Data Overwrite: enabled • Hard Disk Data Encryption: enabled • Size of cryptographic seed key for Hard Disk Data Encryption: 12

    characters • Scheduled Image Overwrite: enabled

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 22 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    3.2. Threats Table 5 identifies the threats addressed by the TOE. These threats are considered to be users with public knowledge of how the TOE operates. The attackers are considered to have low-level attack capability.

    Table 5: Threats Addressed by the TOE

    Threat (Identifier) Description

    Unauthorized retrieval of document data and security audit log data stored in the internal HDD

    T.RECOVER An attacker may remove the internal HDD and connect it to commercial tools so that he/she can read out and leak the stored document data, used document data, and security audit log data.

    Unauthorized access to document data and TOE configuration data

    T.CONFDATA An attacker may access, read, or alter, from control panel or Web browser, the TOE configuration data which only a system administrator is allowed to access.

    T.DATA_SEC An attacker may read document data and security audit log data from control panel or Web browser without authorization.

    Interception of document data and TOE configuration data

    T.COMM_TAP An attacker may intercept or alter document data, security audit log data, and TOE configuration data on the internal network.

    T.CONSUME An attacker may access TOE and use TOE functions without authorization.

    3.3. Organizational Security Policy Table 6 below describes the organizational security policy the TOE must comply with.

    Table 6: Organizational Security Policy

    Organizational Policy (Identifier)

    Description

    Request from the U.S. agency

    P.FAX_OPT At the behest of the U.S. agency, it must be ensured that the internal network cannot be accessed via public telephone line.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 23 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    4. SECURITY OBJECTIVES This section describes the security objectives for the TOE and for the environment.

    4.1. Security Objectives for the TOE Table 7 defines the security objectives to be accomplished by the TOE.

    Table 7: Security Objectives for the TOE

    Objectives (Identifier) Description

    O.AUDITS The TOE must provide Security Audit Log and its log data which are necessary to monitor unauthorized access.

    O.CIPHER The TOE encrypts the document data and security audit log data to be stored in the internal HDD so that they cannot be analyzed even if retrieved.

    O.COMM_SEC The TOE protects the document data, security audit log data, and TOE configuration data on the internal network between TOE and the remote from interception and alteration.

    O.FAX_SEC The TOE must prevent the unauthorized access to internal network via fax modem from public telephone line.

    O.MANAGE

    The TOE must inhibit a general user from accessing TOE configuration data and security audit log data. The TOE allows only the authenticated system administrator to access the tool mode which enables security function configuration.

    O.RESIDUAL The TOE must prevent the used document data in the internal HDD from being reproduced or recovered.

    O.USER The TOE must provide the function for a general user to identify TOE user and allow only the proper user to read the document data.

    O.RESTRICT The TOE must inhibit an unauthorized user from using the TOE.

    4.2. Security Objectives for the Environment Table 8 defines the security objectives for the TOE environment.

    Table 8: Security Objectives for the Environment

    Security Objectives (Identifier)

    Description

    OE.ADMIN An administrator of organization assigns an appropriate and reliable person for TOE management as a system administrator and trains him/her.

    OE.AUTH

    A system administrator needs to configure the TOE security functions as follows.

    • Use of password entered from MFP control panel in user authentication: enabled

    • Length of system administrator password: 9 characters or more • Access denial due to authentication failure of system administrator ID:

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 24 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Security Objectives (Identifier)

    Description

    enabled • Allowable number of system administrator’s authentication failures before

    access denial: 5 • Customer Engineer Operation Restriction: enabled • Type of authentication: User Authentication enabled (select Local

    Authentication) • Length of user password (for general user and SA): 9 characters or more • Private Print configuration: store an authenticated job to Private Print area

    OE.COMMS_SEC

    A system administrator needs to configure the TOE as follows so that the document data, security audit log data, and TOE configuration data are protected from interception.

    • SNMPv3 communication: enabled • Length of authentication password for SNMPv3 communication: 8

    characters or more • SSL/TLS communication: enabled • IPSec communication: enabled • S/MIME communication: enabled • SMB communication: disabled

    OE.FUNCTION

    A system administrator needs to configure the TOE functions of Hard Disk Data Overwrite, Hard Disk Data Encryption, and Security Audit Log as follows.

    • Hard Disk Data Overwrite: enabled • Hard Disk Data Encryption: enabled • Size of cryptographic seed key for Hard Disk Data Encryption: 12

    characters • Scheduled Image Overwrite: enabled • Security Audit Log: enabled

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 25 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    5. IT SECURITY REQUIREMENTS This chapter describes TOE security requirements and the security functional requirements to the IT environment.

    5.1. TOE Security Functional Requirements Security functional requirements which the TOE offers are described below. Security functional requirements are based on the class and component which are specified by the [CC part 2].

    5.1.1. Class FAU: Security Audit (1) FAU_GEN.1 Audit Data Generation

    Hierarchical to: No other components.

    FAU_GEN.1.1: The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: not specified] level of audit; and c) [assignment: Individually defined auditable events].

    FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the

    outcome (success or failure) of the event; and for each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: none].

    Dependencies: FPT_STM.1 Reliable time stamps Table 9 shows the actions to be audited (defined by CC) and the corresponding auditable events (events to be recorded as execution log) of TOE.

    Table 9: Auditable Events of TOE and Individually Defined Auditable Events

    Functional

    requirements

    Actions to be audited (defined by CC) Auditable events of TOE

    FAU_GEN.1 None -

    FAU_SAR.1 Basic: Reading of information from the audit records.

    Basic: Successful download of audit log data.

    FAU_SAR.2 Basic: Unsuccessful attempts to read information from the audit records.

    Basic: Unsuccessful download of audit log data.

    FAU_STG.1 None -

    FAU_STG.4 Basic: Actions taken due to the audit storage failure.

    None

    FCS_CKM.1 Minimal: Success and failure of the activity.

    None

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 26 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Basic: The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys).

    FCS_COP.1 Minimal: Success and failure, and the type of cryptographic operation. Basic: Any applicable cryptographic mode(s) of operation, subject attributes and object attributes.

    None

    FDP_ACC.1 None -

    FDP_ACF.1 Minimal: Successful requests to perform an operation on an object covered by the SFP. Basic: All requests to perform an operation on an object covered by the SFP. Detailed: The specific security attributes used in making an access check.

    Basic: Creation/deletion of Mailbox. User name, job information, and success/failure regarding access to Mailbox and execution of Store Print.

    FDP_IFC.1 None -

    FDP_IFF.1 Minimal: Decisions to permit requested information flows. Basic: All decisions on requests for information flow. Detailed: The specific security attributes used in making an information flow enforcement decision. Detailed: Some specific subsets of the information that has flowed based upon policy goals (e.g. auditing of downgraded material).

    None

    FDP_RIP.1 None -

    FIA_AFL.1 Minimal: the reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal).

    Continuous authentication failures.

    FIA_UAU.2 Minimal: Unsuccessful use of the authentication mechanism; Basic: All use of the authentication mechanism.

    Continuous authentication failures.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 27 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    FIA_UAU.7 None -

    FIA_UID.2 Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided; Basic: All use of the user identification mechanism, including the user identity provided.

    Continuous authentication failures.

    FMT_MOF.1 Basic: All modifications in the behavior of the functions in the TSF.

    Changes in security function configuration.

    FMT_MSA.1 Basic: All modifications of the values of security attributes.

    Creation/deletion of Mailbox. User name, job information, and success/failure regarding access to Mailbox and execution of Store Print.

    FMT_MSA.3 Basic: Modifications of the default setting of permissive or restrictive rules.Basic: All modifications of the initial values of security attributes.

    Successful/unsuccessful authentication of system administrator.

    FMT_MTD.1.

    Basic: All modifications to the values of TSF data.

    Changes in security function configuration.

    FMT_SMF.1 Minimal: Use of the management functions.

    Successful/unsuccessful authentication of system administrator.

    FMT_SMR.1 Minimal: modifications to the group of users that are part of a role; Detailed: every use of the rights of a role.

    Successful/unsuccessful authentication of system administrator.

    FPT_RVM.1 None -

    FPT_STM.1 Minimal: changes to the time; Detailed: providing a timestamp.

    Changes in time setting.

    FTP_TRP.1 Minimal: Failures of the trusted path functions. Minimal: Identification of the user

    Creation/deletion of certificates.

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 28 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    associated with all trusted path failures, if available. Basic: All attempted uses of the trusted path functions. Basic: Identification of the user associated with all trusted path invocations, if available.

    (2) FAU_SAR.1 Audit review Hierarchical to: No other components. FAU_SAR.1.1 The TSF shall provide [assignment: system administrator] with the

    capability to read [assignment: all log information] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to

    interpret the information.

    Dependencies: FAU_GEN.1 Audit data generation

    (3) FAU_SAR.2 Restricted audit review Hierarchical to: No other components. FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those

    users that have been granted explicit read-access.

    Dependencies: FAU_SAR.1 Audit review

    (4) FAU_STG.1 Protected audit trail storage Hierarchical to: No other components. FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorized

    delete. FAU_STG.1.2 The TSF shall be able to [selection: prevent] unauthorized

    modifications to the stored audit records in the audit trail.

    Dependencies: FAU_GEN.1 Audit data generation

    (5) FAU_STG.4 Prevention of audit data loss Hierarchical to: FAU_STG.3 FAU_STG.4.1 The TSF shall [selection: overwrite the oldest stored audit records]

    and [assignment: no other actions to be taken] if the audit trail is full.

    Dependencies: FAU_STG.1 Protected audit trail storage

    5.1.2. Class FCS: Cryptographic support (1) FCS_CKM.1 Cryptographic key generation

    Hierarchical to: No other components FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a

    specified cryptographic key generation algorithm [assignment: the Fuji Xerox’s standard method, FXOSENC] and specified cryptographic key sizes [assignment: 128 bits] that meet the

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 29 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    following: [assignment: none].

    Dependencies: [ FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes

    (2) FCS_COP.1 Cryptographic operation Hierarchical to: No other components FCS_COP.1.1 The TSF shall perform [assignment: encryption of the document data

    and security audit log data to be stored in the internal HDD and decryption of the document data and security audit log data retrieved from the internal HDD] in accordance with a specified cryptographic algorithm [assignment: AES] and cryptographic key sizes [assignment: 128 bits] that meet the following: [assignment: FIPS PUB 197].

    Dependencies: FCS_CKM.1 Cryptographic key generation FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes

    5.1.3. Class FDP: User data protection (1) FDP_ACC.1 Subset access control

    Hierarchical to: No other components

    FDP_ACC.1.1 The TSF shall enforce the [assignment: MFP access control SFP] on [assignment: subjects, objects, and operations between subjects and objects listed in Table 10].

    Table 10: Operations between Subjects and Objects Covered by MFP Access Control SFP

    Subject Object Operation Mailbox Deletion of Personal Mailbox

    Creation of Shared Mailbox Deletion of Shared Mailbox Storage of document data Deletion of document data Retrieval of document data

    Key operator process

    Store Print Storage of document data Deletion of document data Retrieval of document data

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 30 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Mailbox Creation of Personal Mailbox Deletion of Personal Mailbox Storage of document data Retrieval of document data Deletion of document data

    General user process

    Store Print Storage of document data Deletion of document data Retrieval of document data

    Dependencies: FDP_ACF.1 Security attribute based access control

    (2) FDP_ACF.1 Security attribute based access control Hierarchical to: No other components FDP_ACF.1.1 The TSF shall enforce the [assignment: MFP access control SFP] to

    objects based on the following: [assignment: general user identification information corresponding to the general user process, owner identification information corresponding to each Mailbox, and owner identification information corresponding to each Store Print area.]

    FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: the rules, shown in Table 11, for controlling the access of the controlled subjects to the controlled objects for the controlled operations].

    Table 11: Rules for Access Control

    General User Process Rules for Mailbox Operation

    - Creation of Personal Mailbox In the general user process to create Personal Mailbox, the Personal Mailbox in which general user identification information is set as its owner is created.

    - Deletion of Personal Mailbox When the general user identification information of the general user process matches the owner identification information of Personal Mailbox, deletion of the corresponding Personal Mailbox is allowed.

    - Storage, retrieval, and deletion of document data in Personal Mailbox When the general user identification information of the general user process matches the owner identification information of Mailbox, storage, retrieval, and deletion of the document data inside are allowed.

    - Storage, retrieval, and deletion of document data in Shared Mailbox Storage, retrieval, and deletion of document data in Shared Mailbox are allowed.

    Rules for Store Print Operation - Storage of document data

    In the general user process to store document data, the Store Print area in which

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 31 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    general user identification information is set as its owner is created. The document data is then stored inside.

    - Deletion and retrieval of document data When the general user identification information of the general user process matches the owner identification information of Store Print area, retrieval and deletion of the document data inside are allowed. When the document data is deleted, the corresponding Store Print area is also deleted.

    Key Operator Process - Creation and Deletion of Shared Mailbox

    In the key operator process, creation and deletion of Shared Mailbox are allowed.

    FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [assignment: the rules, shown in Table 12, for explicitly authorizing access of the subject to an object based on security attributes].

    Table 12: Rules for Explicit Access Authorization

    Key Operator Process Rule for Mailbox Operation

    - In the key operator process, deletion of Personal and Shared Mailbox, storage, deletion, and retrieval of the document data inside are allowed.

    Rule for Store Print Operation - In the key operator process, all operations regarding Store Print (i.e. storage, deletion, and retrieval of the document data inside) are allowed.

    FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on

    the [assignment: no rules to explicitly deny the access]. Dependencies: FDP_ACC.1 Subset access control

    FMT_MSA.3 Static attribute initialization

    (3) FDP_IFC.1 Subset information flow control Hierarchical to: No other components FDP_IFC.1.1 The TSF shall enforce the [assignment: fax information flow control

    SFP] on [assignment: subjects, information, and operations to cause the information flow, listed in Table 13.]

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 32 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    Table 13: Subjects, Information, and Operations Covered by Fax Information Flow Control SFP

    Subject Information Operation Receiving information from public telephone line Sending information to the internal network

    Data on public telephone line Delivery

    Dependencies: FDP_IFF.1 Simple security attribute

    (4) FDP_IFF.1 Simple security attribute Hierarchical to: No other components FDP_IFF.1.1 The TSF shall enforce the [assignment: fax information flow control SFP]

    based on the following types of subject and information security attributes: [assignment: none. (Sending information to public telephone line, receiving information from the internal network, and the corresponding data on the public telephone line are not controlled under the fax information flow control SFP)].

    FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: the data received from public telephone line must not be sent to the internal network at any case].

    FDP_IFF.1.3 The TSF shall enforce the [assignment: none]. FDP_IFF.1.4 The TSF shall provide the following [assignment: none]. FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the

    following rules: [assignment: none]. FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following

    rules: [assignment: none]. Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialization

    (5) FDP_RIP.1 Subset Residual Information Protection Hierarchical to: No other components FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is

    made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: used document data stored in the internal HDD].

    Dependencies: No dependencies.

    5.1.4. Class FIA: Identification and authentication (1) FIA_AFL.1 (1) Authentication failure handling

    Hierarchical to: No other components

    FIA_AFL.1.1 (1) The TSF shall detect when [selection: [assignment: five]] unsuccessful authentication attempts occur related to [assignment: system

  • Security Target - Xerox WorkCentre 7328/7335/7345

    - 33 - Copyright© 2007 by Fuji Xerox Co., Ltd.

    administrator authentication]. FIA_AFL.1.2 (1) When the