CRP-C0018-01 Certification Report Target of Evaluation Application date/ID April 19, 2004 (ITC-4026) Certification No. C0018 Sponsor Sharp Corporation Name of TOE (Version of TOE) Japan: Data Security Kit AR-FR4 version M.20 Overseas: Data Security Kit AR-FR4 version M.20 Data Security Kit AR-FR5 version E.20 PP Conformance None Conformed Claim EAL4 TOE Developer Sharp Corporation Evaluation Facility Fuji Research Institute Corporation Information Security Evaluation Center This is to report that the evaluation result for the above TOE is certified as follows. September 15, 2004 TABUCHI Haruki, Technical Manager Information Security Certification Office IT Security Center Information-Technology Promotion Agency, Japan Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the “General Requirements for IT Security Evaluation Facility”. - Common Criteria for Information Technology Security Evaluation Version 2.1 (ISO/IEC 15408:1999) - Common Methodology for Information Technology Security Evaluation Version 1.0 - CCIMB Interpretations-0210 Evaluation Result: Pass “Data Security Kit AR-FR4 version M.20 and Data Security Kit AR-FR5 version E.20” has been evaluated in accordance with the provision of the “General Rules for IT Product Security Certification” by Information-Technology Promotion Agency, Japan, and has met the specified assurance requirements. CRP-C0018-01 Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. CRP-C0018-01 Table of Contents 1. Executive Summary .............................................................................. 1 1.1 Introduction .................................................................................... 1 1.2 Evaluated Product ............................................................................ 1 1.2.1 Name of Product ......................................................................... 1 1.2.2 Product Overview ....................................................................... 1 1.2.3 Scope of TOE and Overview of Operation ...................................... 2 1.3 Conduct of Evaluation ...................................................................... 3 1.4 Certificate of Evaluation ................................................................... 4 1.5 Overview of Report ........................................................................... 4 1.5.1 PP Conformance ......................................................................... 4 1.5.2 EAL ........................................................................................... 4 1.5.3 SOF ........................................................................................... 4 1.5.4 Security Functions ..................................................................... 4 1.5.5 Threat ....................................................................................... 6 1.5.6 Organisational Security Policy ..................................................... 6 1.5.7 Configuration Requirements ........................................................ 6 1.5.8 Assumptions for Operational Environment ................................... 7 1.5.9 Documents Attached to Product ................................................... 7 2. Conduct and Results of Evaluation by Evaluation Facility ...................... 10 2.1 Evaluation Methods ........................................................................ 10 2.2 Overview of Evaluation Conducted ................................................... 10 2.3 Product Testing .............................................................................. 10 2.3.1 Developer Testing ..................................................................... 10 2.3.2 Evaluator Testing ..................................................................... 13 2.4 Evaluation Result ........................................................................... 15 3. Conduct of Certification ...................................................................... 16 4. Conclusion ......................................................................................... 17 4.1 Certification Result ........................................................................ 17 4.2 Recommendations .......................................................................... 17 5. Glossary ............................................................................................. 18 6. Bibliography ....................................................................................... 19 CRP-C0018-01 1 1. Executive Summary 1.1 Introduction This Certification Report describes the content of certification result in relation to IT Security Evaluation of “Japan: Data Security Kits AR-FR4 version M.20, overseas: Data Security Kits AR-FR4 version M.20 and Data Security Kits AR-FR5 version E.20 ” (hereinafter referred to as “the TOE”) conducted by Fuji Research Institute Corporation (hereinafter referred to as “Evaluation Facility”), and it reports to the sponsor, Sharp Corporation. The reader of the Certification Report is advised to read the corresponding ST and manuals (please refer to “1.5.9 Documents Attached to Product” for further details) attached to the TOE together with this report. The assumed environment, corresponding security objectives, security functional and assurance requirements needed for its implementation and their summary specifications are specifically described in ST. The operational conditions and functional specifications are also described in the document attached to the TOE. Note that the Certification Report presents the certification result based on assurance requirements conformed to the TOE, and does not certify individual IT product itself. Note: In this Certification Report, IT Security Evaluation Criteria and IT Security Evaluation Method prescribed by IT Security Evaluation and Certification Scheme are named CC and CEM, respectively. 1.2 Evaluated Product 1.2.1 Name of Product The target product by this Certificate is as follows: Name of Product: Japan : Data Security Kit AR-FR4 version M.20 overseas : Data Security Kit AR-FR4 version M.20 Data Security Kit AR-FR5 version E.20 Developer: Sharp Corporation 1.2.2 Product Overview This product called the digital multi-functional data security kit (hereafter referred to as DSK) is the firmware designed to reduce the danger of information leak, preventing the document or image data temporarily stored in a digital multi-functional device (hereafter referred to as MFD) from being opened. An MFD, which is an office machine, is configured as a print function unit with optional copy / image scanning / fax functions. If it comes only with a print function unit (and with no other optional function), it is called MFP (Multi-Function Printer) and considered as an MFD. The DSK is offered as an upgrade kit of the MFD firmware. CRP-C0018-01 1.2.3 Scope of TOE and Overview of Operation The TOE physical configuration is the DSK. As shown in the Figure 1-1, the DSK is installed as MFD firmware ROM replacing the standard one. The controller unit containing the DSK comes with a microprocessor; the firmware to be executed by the microprocessor; the volatile RAM to be used when the firmware is executed; and the EEPROM for storing the security settings. Spooled data, which are to be the TOE protected assets, are stored in the volatile RAM as RAM disk. An optional HDD can also be installed for the storage. As for the optional fax function, the Flash memory on the fax interface is used for spooling. The HDD, RAM and Flash memory in the MFD are generically called MSD (Mass Storage Device). All operations on MFD including the DSK security settings are performed through the operational panel. Scanner unit (MFD configuration only) MFD base Alphnumeric-kana display Operation panel Touch panel type operation panel Finisher, etc. (option) Paper feed disk (option) Fax expansion unit (option) Engine unit (paper feeding, laser, drum, fusing, and finisher control) Controller unit Firmware ROM (Standard or DSK) Fax interface (option) Print server card (option) Volatile RAM EEPROM HDD (option) RAM disk Flash memory Microprocessor Figure 1-1: DSK in MFD The Figure 1-2 shows the TOE logical scope. The TOE as MFD controller unit firmware intervenes the input from the operational panel for the existing MFD functions or the writing to MSD, calling the codes for executing security functions. Abbreviations of the TOE security functions (to be detailed in the section 1.5.4) are highlighted. The parameter setups on the user interface relating to the operational panel and the message functions are screened. The others are the functions for encryption or clearance. 2 CRP-C0018-01 MFD operation panel functions EEPROM TOE Events within controller unit Key operator programs O S Device driver type component Operation panel (touch panel or alphanumeric kana display) Key operator code MSD (HDD, RAM, Flash memory) "Deleting" message TSF_FDC Power ON Power OFF Deletion screen 1 TSF_FDC Read job No power Encryption key Key operator code change TSF_FMT Decryption / physical reading TSF_FDE Encryption / physical writing TSF_FDE Read file Delete file Overwrite all memory TSF_FDC Delete job Store job Write file Destroy key TSF_FKD Decryption key Security settings TSF_FMT Job ends Job occurs Process job MFD functions excluding TOE Key operator code entry TSF_AUT Settings excluding TSF MFD management Overwrite file TSF_FDC Security settings Generate key TSF_FKG Initialization MFD operation Main Controller starts Deletion screen 2 TSF_FDC Figure 1-2: TOE logical scope 1.3 Conduct of Evaluation Based on the IT Security Evaluation/Certification Program operated by the Certification Body, TOE functionality and its assurance requirements are being evaluated by evaluation facility in accordance with those publicized documents such as “Guidance for IT Security Certification Application, etc.”[2], “General Requirements for IT Security Evaluation Facility”[3] and “General Requirements for Sponsors and Registrants of IT Security Certification”[4]. Scope of the evaluation is as follow. - Security design of the TOE shall be adequate; - Security functions of the TOE shall be satisfied with security functional requirements described in the security design; - This TOE shall be developed in accordance with the basic security design; - Above mentioned three items shall be evaluated in accordance with the CC Part 3 and CEM. More specific, the evaluation facility examined “Digital MFD Data Security Kit AR-FR4/AR-FR5 Security Target Version 0.04” as the basis design of security functions for the TOE (hereinafter referred to as “the ST”)[1], the evaluation deliverables in relation to development of the TOE and the development, manufacturing and shipping sites of the TOE. The evaluation facility evaluated if the TOE is satisfied both Annex C 3 CRP-C0018-01 4 of CC Part 1 (either of [5], [8], [11] or [14]) and Functional Requirements of CC Part 2 (either of [6], [9], [12] or [15]) and also evaluated if the development, manufacturing and shipping environments for the TOE is also satisfied with Assurance Requirements of CC Part 3 (either of [7], [10], [13] or [16]) as its rationale. Such evaluation procedure and its result are presented in “Digital MFD Data Security Kit AR-FR4/AR-FR5 Evaluation Report Evaluation Technical Report” (hereinafter referred to as “the Evaluation Technical Report”) [21]. Further, evaluation methodology should comply with the CEM Part 2 (either of [17], [18] or [19]). In addition, the each part of CC and CEM shall include contents of interpretations[20]. 1.4 Certificate of Evaluation The Certification Body verifies the Evaluation Technical Report and Observation Report prepared by the evaluation facility and evaluation evidence materials, and confirmed that the TOE evaluation is conducted in accordance with the prescribed procedure. Certification review is also prepared for those problems found in the certification process. Evaluation is completed with the Evaluation Technical Report dated August 3 , 2004 submitted by the evaluation facility and those problems pointed out by the Certification Body are fully resolved and confirmed that the TOE evaluation is appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the evaluation facility and concluded fully certification activities. 1.5 Overview of Report 1.5.1 PP Conformance There is no PP to be conformed. 1.5.2 EAL Evaluation Assurance Level of TOE defined by this ST is EAL4 conformance. 1.5.3 SOF This ST claims “SOF-basic” as its minimum strength of function. This TOE is assumed to be for normal office use. Means and time of a direct attack on TOE are restricted by the environmental assumptions. Therefore the SOF-basic level, which is the level to countermeasure against low-level attacks, is considered sufficient. Even if the MSD is removed from the environment (for its usage), the data clearance and the cryptographic functions will enable a countermeasure against low-level attacks. However, the cryptographic functions are not treated as part of functional strength in this evaluation. 1.5.4 Security Functions Security functions of the TOE are as follow. The abbreviation of each security function corresponds to the one in the Figure 1-2. (1) Data clearance function (TSF_FDC): The MFD spools document or image data to HDD or RAM for a printer / copy / image scanning processing; and to the Flash CRP-C0018-01 5 memory for a fax processing. Even though these areas are freed for the memory management upon completion of a job, there are remaining data on the memory. The TOE data clearance function clears these data left out on a spool area (HDD, RAM, Flash memory) by overwriting them. The function can perform three actions: (1) “Auto clearance upon completion of each job” for the corresponding data area, (2) “Auto clearance upon power-on” to automatically clear the entire spool area of HDD or RAM by overwrites when the TOE is powered on, and (3) “Entire data area clearance” to manually clear the entire area of HDD, RAM or Flash memory by overwrites. The data clearance function is operated at the operational panel. A message and two screens will appear for the three actions: the clearance message for “Auto clearance upon completion of each job,” the clearance screen 1 for “Auto clearance upon power-on,” and the clearance screen 2 for “Entire data area clearance.” (2) Cryptographic operation function (TSF_FDE): For processing data, the MFD creates the data file in MSD and reads the corresponding data for each job. The cryptographic operation function is used for the data file creation: it uses the cryptographic key produced by the cryptographic key generation function (to be described below) to encrypt data and scan them to MSD while it uses the same key to restore the data that have been retrieved for a processing. (3) Cryptographic key generation function (TSF_FKG) and cryptographic key destruction function (TSF_FKD): The generation (destruction) function of a cryptographic key generates (destructs) the key that will be (was) used by the above cryptographic operation function. Upon start of the MFD, the cryptographic generation function generates a cryptographic key based on the date, time and tick time, and stores it to the volatile RMA. The key cannot be accessed from the operational panel or any other external interface. The cryptographic key destruction function is executed upon power-off of the volatile RAM (like when the device itself is powered off or power outage occurs). The cryptographic key generated by the cryptographic key generation function continues to be used until it is destroyed by the cryptographic key destruction function. (4) Authentication function (TSF_AUT): The TOE has the authentication function because only the MFD administrator (called a key operator) is allowed to access the security administration function (to be described later). The key operator who enters the key operator code at the operational panel will be authenticated if the code matches the value stored in EEPROM of the MFD. (5) Security administration function (TSF_FMT): The settings and interface that can be managed by users are offered for the TOE security function. The operational panel gives users the interface with the following security administration function. - Data clearance setting: The function sets up the behavior of the data clearance function (TSF_FDC). You can set up the auto clearance execution/cancel upon power-on; the number of times data are auto-cleared upon completion of each job; the number of times the entire area is cleared; and the number of times data are auto-cleared upon power-on. The setup CRP-C0018-01 6 values are stored in EEPROM. - Key operator code setting: You can change the key operator code used for authentication. When the new key operator code is entered, the TOE checks if it is a 5-digit value. The setup value is stored in EEPROM. 1.5.5 Threat This TOE assumes such threats presented in Table 1-1 and provides functions for countermeasure to them. Table 1-1 Assumed Threats Identifier Threat T.RECOVER A malicious user may attempt to recover document or image data from the residual data in the MSD of a copy, print, scan, or fax job by physically removing the MSD from the MFD and using commercially available tools to read its contents. T.ALTER It is possible that a malicious user may change the settings of the security management function of the TOE. 1.5.6 Organisational Security Policy There is no Organisational security policy required for using the TOE. 1.5.7 Configuration Requirements The TOE, a ready-to-use upgrade kit for the MFD, is the ROM product that replaces a part of the ROM in MFD. The Table 1-2 lists the MFD models for the TOE. Table 1-2 MFD models for TOE DSK model / version MFD models AF-FR4 Version M.20 MFD models for oversea destinations: AR-M350, AR-M450, AR-M280N, AR-M350N, AR-M450N, AR-M280U, AR-M350U, AR-M450U, AR-M300U, AR-M300N, DM-3551, DM-4551 MFD models for destinations in Japan: AR-310M, AR-350M, AR-450M, AR-310S, AR-350S, AR-450S, AR-310F, AR-350F, AR-450F, DM-3551, DM-4551 AF-FR5 Version E.20 Printer models for overseas destinations: AR-P350, AR-P450, DM-3500, DM-3501, DM-4500, DM-4501 CRP-C0018-01 7 1.5.8 Assumptions for Operational Environment Assumptions required in environment using this TOE presents in the Table 1-3. The effective performance of the TOE security functions are not assured unless these preconditions are satisfied. Table 1-3 Assumptions in Use of the TOE Identifier Assumptions A.OFFICE The MFD with the TOE incorporated will be installed in a normal office environment. When the office employees are all out of the office, security measures such as locking the doors are taken. In addition, if someone needs to enter the office when no employees are present, there is a means of verifying that the person is an authorized employee. A.PROCEDURE The key operator carefully follows these procedures: - Verifies that the TOE is installed. - Configures suitable data clear and clear repetition settings. - Regularly changes the key operator code. - Uses a key operator code that cannot be guessed easily. Does not disclose the key operator code to others. 1.5.9 Documents Attached to Product Documents attached to the TOE are listed below. AR-FR4 Japanese version - Document name: Instruction manual: Data Security Kit AR-FR4 - Version: 2003L DSC1 CINSJ2300FC53 - Intended reader: Key operator (administrator of the site) - Contents: Offered as the guidance to use the TOE. The items necessary for managing and operating the TOE in a secure manner are described. Written in Japanese. - Document name: AR-FR4 installation manual* - Version: TCADZ6011FCZ1(1) - Intended reader: DSK service person (a maintenance administrator dispatched for the sales company) - Contents: The Japanese-version AR-FR4 comes as ROMs (BOOT ROM and MAIN ROM), which this document describes how to install in MFP. Besides Japanese, the document is available in English, French, German and Spanish. - Document name: SHARP MFP Data Security Version:M.20 E.20 Installation Check list; Instruction manual supplementary version; Models: AR-FR4 and CRP-C0018-01 8 AR-FR5 - Version: 1.0 - Intended reader: Key operator and DSK service person - Contents: The items that DSK service person and Key operator are required to perform for the secure management and operations of TOE are described to help install TOE. Described in Japanese. AR-FR4 Overseas version - Document name: AR-FR4 Data Security Kit Operation Manual - Version: 2003M DSC1 CINSZ2302FC53 - Intended reader: Key operator (Administrator of the sites to be used) - Contents: Offered as the guidance to use the TOE. The items necessary for managing and operating the TOE safely. Available in English, French, German and Spanish. - Document name: AR-FR4 installation procedure manual* - Version TCADZ5011FCZ1(1) - Intended reader: DSK service person (Maintenance administrator dispatched from a sales company) - Contents: The overseas-version AR-FR4 comes in the form of ROMs (BOOT and MAIN). The manual explains how to install these ROMs in MFP. Besides Japanese, the manual is available in English, French, German and Spanish. - Document name: SHARP MFP Data Security Kit Version:M.20 E.20 Installation Checklist Supplemental Sheet Models:AR-FR4 AR-FR5 - Version: 1.0 - Intended reader: Key operator and DSK service person - Contents: The items that DSK service person and Key operator are required to perform for the secure management and operations of TOE are described to help install the TOE. Available in English. AR-FR5 Overseas version - Document name: AR-FR5 Data Security Kit Operation Manual - Version: 2003M DSC1 CINSZ2304FC53 - Intended reader: Key operator (Administrator of the sites to be used) - Contents: Offered as the guidance to use the TOE. The items necessary for managing and operating the TOE safely are described. Available in English, French, German and Spanish. - Document name: AR-FR4 installation procedure manual* - Version: TCADZ6011FCZ1(1) - Intended reader: DSK service person (Maintenance administrator dispatched CRP-C0018-01 9 from a sales company) - Contents: The overseas-version AR-FR5 comes in the form of a ROM (MAIN only). The manual describes how to install it. Besides Japanese, it is available in English, French, German and Spanish. - Document name: SHARP MFP Data Security Kit Version:M.20 E.20 Installation Checklist Supplemental Sheet Models:AR-FR4 AR-FR5 - Version: 1.0 - Intended reader: Key operator and DSK service person - Contents: The items that DSK service person and Key operator are required to perform for the secure management and operations are described. Available in Japanese. * All of the Japanese-version AR-FR4 installation manual and the English-, French-, German- and Spanish-version installation manuals describe the same contents. CRP-C0018-01 10 2. Conduct and Results of Evaluation by Evaluation Facility 2.1 Evaluation Methods Evaluation was conducted by using the evaluation methods prescribed in CEM Part 2 in accordance with the assurance requirements in CC Part 3. Details for evaluation activities are report in the Evaluation Technical Report. It described the description of overview of the TOE, and the contents and verdict evaluated by each work unit prescribed in CEM Part 2. 2.2 Overview of Evaluation Conducted The history of evaluation conducted was present in the Evaluation Technical Report as follows. Evaluation has started on May, 2004 and concluded by completion the Evaluation Technical Report dated August, 2004. The evaluation facility received a full set of evaluation deliverables necessary for evaluation provided by developer, and examined the evidences in relation to a series of evaluation conducted. Additionally, the evaluation facility directly visited the development and manufacturing sites on May, 2004 and examined procedural status conducted in relation to each work unit for configuration management, delivery and operation and lifecycle by investigating records and staff hearing. Further, the evaluation facility executed sampling check of conducted testing by developer and evaluator testing by using developer testing environment at developer site on May, 2004. Problems found in evaluation activities for each work unit were all issued as Observation Report and were reported to developer. These problems were reviewed by developer and all problems were solved eventually. As for problem indicated during evaluation process by the Certification Body, the certification review was sent to the evaluation facility. These were reflected to evaluation after investigation conducted by the evaluation facility and the developer. 2.3 Product Testing Overview of developer testing evaluated by evaluator and evaluator testing conducted by evaluator are as follows. 2.3.1 Developer Testing 1) Developer Test Environment The Figure 2-1 shows the configuration of the testing system implemented by the developer. The Table 2-1 lists the devices and software tools used in the testing environment. CRP-C0018-01 a) MFD 11 Figure 2-1 Configuration of Developer Testing Table 2-1 Devices and tools used by the developer Name Overview (for each type) Testing device a) MFD MFD with TOE to be installed (AR-350S) b) NIC Board for connecting MFD to LAN c) Test ROM TOE (AR-FR4 version.M20) d) Serial communications cable The RS-232C compliant cable for connecting MFD and the debug terminal PC e) Resetting switch The switching button to be pressed for manually resetting the CPU on the MFD controller board. f) Conversion connector Connecter for converting the 2.5-inch IDE interface to the 3.5-inch IDE interface. g)-j) PC PC that enables the tools to confirm the MSD contents. Controller 2.5inch HDD g) Debug terminal PC d) Serial communication e)Riset swhitch b) NIC c) Test ROM f) Coversion connecter LAN k) Serial communications software Serial t h) FTP server PC IDE interface Note: Same PC was used from g) to j) 2.5inch HDD n) FTP server software i) FTP client PC l) TIFF viewer m) decode.exe o) File dump software j) HDD analiser PC p) Hard disk dump CRP-C0018-01 12 Testing tool k) Serial communications software Terminal simulation software (TeraTerm Pro 2.3 19J) for the operation(s) via MFD and serial communications l) TIFF Viewer Image view software (IFAX VIEW version 3.0) for viewing the MFD-created compressed images on PC. m) decode.exe Software created by the developer for restoring the MFD-encrypted data file by using any key. n) FTP server software Server software (WAR-FTPD version 1.65) for forwarding the MFD-created data as a file by using FTP. o) File dump software Binary editor for dumping files on PC in hexadecimal numbers (Stirling version 1.31) p) Hard disk dump software Software that can read any specified sector in the hard disk and display/edit its contents. (DiskDump version 1.20) 2) Outlining of Developer Testing Outlining of the testing performed by the developer is as follow. a. Test configuration The Figure 2-1 and the Table 2-1 show the configuration of the testing conducted by the developer. As for TOE, the debug ROM of AR-FR4 version M20 was used. It has the interface on which the test results can be confirmed, making the testing easy and sure. Without this interface, the ROM equals the product ROM. Therefore, the configuration meets the ST description. b. Testing Approach The developer used the operational panel, a job execution and/or a power-on to turn each security function (data clearance, encryption, cryptographic key generation, authentication, security control) into the completed state or into the incomplete state by the interruptions, read the results from the TOE or the MFD as direct data, and confirmed the contents on the debug PC. The MSD contents are forwarded to the PC via LAN cable through the operations on MFD debug commands from the terminal connected by serial cable. Moreover, the HDD was physically removed from the MFD and connected to the debug PE through IDE for the confirmation of the contents. These data are confirmed by the image tools and the dump tools on the PC. The cryptographic key for the testing was used to encrypt the data. The same cryptographic key that was used for the encryption was used on the PC side for the restoration so that the data could be confirmed. CRP-C0018-01 c. Scope of Testing Performed The testing was conducted for all of the TOE security functions except for the cryptographic key destruction (data clearance, cryptographic operation, cryptographic key generation, authentication, security control). Moreover, all of the interfaces identified in the functional specifications were tested, and the correspondence between each function and external interfaces were also confirmed. There are the total number of 28 items for testing, including the serial procedure for the encryption, restoration and data clearance for HDD/RAM and Flash memory. It was concluded that this total number is sufficient for the developer testing. The cryptographic key destruction is due to the system characteristic causing loss of the stored contents upon power shutdown of the volatile RAM. For this reason, this function was excluded from the testing of TOE security functions. d. Result The evaluator confirmed that the developer conducted the testing appropriately; that the implemented items were valid; and that the methodology and results match those described by the functional test specifications. 2.3.2 Evaluator Testing 1) Evaluator Test Environment The Figure 2-2 shows the testing system configuration of the test conducted by the evaluator. The Table 2-2 lists each device of the configuration. 13 Figure 2-2 Configuration of evaluator’s Testing a) MFD Controller 2.5inch HDD g) Debug terminal PC e)Riset swhitch b) NIC c) Test ROM j) HDD analiser PC f) Conversion connecter LAN d) Serial communications cable k) Serial communications software Serial port h) FTP server PC IDE interface Note: Same PC was used from g) to j) n) FTP server software i) FTP client PC l) TIFF viewer m) decode.exe o) File dump software 2.5inch HDD p) Hard disk dump f) USB-IDE HDD case 2.5inch HDD USB interface CRP-C0018-01 14 Table 2-2 Devices and tools used by the evaluator Name Overview(for each item) Test device a) MFD MFD with TOE to be installed (AR-310M) b) NIC Board for connecting MFD to LAN c) Test ROM TOE (AR-FR4 version.M20) d) Serial communications cable The RS-232C compliant cable for connecting MFD and the debug terminal PC e) Reset switch Button switch to be pressed for manually resetting the MFD controller board f) Conversion connector Connector for converting the 2.5-inch IDE interface to the 3.5-inch IDE interface g) to j) PCs PCs for activating the tools to confirm the MSD contents Test tool k) Serial communications software Terminal emulator software (TeraTerm Pro version 2.3 1.9J) for the operation(s) via MFD and serial communications l) TIFF viewer Image view software (IFAX VIEWER version 3.0) for displaying the MFD-created compressed images on PC m) decode.exe Developer software for restoring the MFD-encrypted data file with any key n) FTP server software Server software (WAR-FTPD version 1.65) for forwarding the MFD-created data as a file via FTP o) File dump software Binary editor (Stirling version 1.31) for the hexadecimal dumping of files on PC p) Hard disk dump software Software (DiskDump version 1.20) for reading any specified sector in the hard disk and for displaying and editing its contents CRP-C0018-01 15 2) Outlining of Evaluator Testing Outlining of testing performed by the evaluator is as follow. a. Test configuration The Figure 2-2 and Table 2-2 show the configuration of the test conducted by the evaluator. The configuration matches the ST statements and the developer’s testing environment. USB interface was used for better efficiency of testing. b. Testing Approach The evaluator concluded that the developer’s testing methodology is appropriate for examining the expected behavior of the security functions and hence followed the developer’s methodology. The evaluator turned each security function into the completed state through the operational panel or a job or the power-on; or into the incomplete state through their suspensions, read the resulting data directly from TOE or MFD, and confirmed the contents on the debug PC. The MSD contents are forwarded to the PC via LAN cable by operating on the MFD debug command from the terminal connected via serial cable. Moreover, the HDD was physically removed from the MFD and connected to the debug PC via IDE or USB for better efficiency of testing in order to confirm the contents. These data are confirmed on the PC through the image and dump tools. To encrypt data, a specific cryptographic key was used in this testing. The same key used for the encryption was again used for the restoration and confirmation on the PC side. (See the Figure 2-2) c. Scope of Testing Performed The valuator testing was conducted for all of the security functions except for the cryptographic key destruction. The typical testing patterns including normal actions and operational cancellations were implemented. The testing items counted 15 including the serial procedure related to the MSD data clearance: encryption/restoration/clearance of data. To cover all of the security functions except for the cryptographic key destruction and all spooling (HDD, RAM disk and Flash memory), the 6 items out of the developer testing items were selected and implemented. d. Result The evaluator testing produced the expected results. The testing, which was sampled from the developer testing, was confirmed to have produced the results matching the functional testing specifications. 2.4 Evaluation Result The evaluator had the conclusion that the TOE satisfies all work units prescribed in CEM Part 2 by submitting the Evaluation Technical Report. CRP-C0018-01 16 3. Conduct of Certification The following certification was conducted based on each materials submitted by evaluation facility during evaluation process. 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be reflected. 3. Evidential materials submitted were sampled, its contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The Evaluator’s evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. Problems found in certification process were prepared as certification review, which were sent to evaluation facility. The Certification Body confirmed such problems pointed out in Observation Report and certification review were solved in the ST and the Evaluation Technical Report. CRP-C0018-01 17 4. Conclusion 4.1 Certification Result The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted and confirmed that all evaluator action elements required in CC Part 3 are conducted appropriately to the TOE. The Certification Body verified the TOE is satisfied the EAL4 assurance requirements prescribed in CC Part 3. 4.2 Recommendations The TOE asset that needs to be protected is the MSD data removed from the MFD, whereas the opposing threat is to recover the remaining data from the MSD. Therefore, you have to remember that there is no resistance against a threat that uses legal means during the TOE operation. (For example, using an illicitly-obtained password to print the spooled data held by the job retention function) So the TOE users must understand the usage environment envisaged by the guidance in order to well manage the TOE. CRP-C0018-01 18 5. Glossary The abbreviations used in this report are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation DSK Data Security Kit EAL Evaluation Assurance Level MFD Multi-Function Device MFP Multi-Function Printer MSD Mass Storage Device PP Protection Profile SOF Strength of Function ST Security Target TOE Target of Evaluation TSF TOE Security Functions TSP TOE Security Policy CRP-C0018-01 19 6. Bibliography [1] Digital MFD Data Security Kit AR-FR4/AR-FR5 Security Target Version 0.04: Sharp Corporation; July 30, 2004 [2] Guidance for IT Security Certification Application, etc. April 2004, Information-Technology Promotion Agency, ITQM-23 (Revised on November 5, 2004) [3] General Requirements for IT Security Evaluation Facility, April 2004, Information-Technology Promotion Agency, ITQM-07 [4] General Requirements for Sponsors and Registrants of IT Security Certification, April 2004, Information-Technology Promotion Agency, ITQM-08 (Revised on November 5, 2004) [5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.1 August 1999 CCIMB-00-031 [6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.1 August 1999 CCIMB-99-032 [7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.1 August 1999 CCIMB-99-033 [8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.1 August 1999 CCIMB-99-031 (Translation Version 1.2 January 2001) [9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.1 August 1999 CCIMB-99-032 (Translation Version 1.2 January 2001) [10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.1 August 1999 CCIMB-99-033 (Translation Version 1.2 January 2001) [11] ISO/IEC15408-1: 1999 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model JIS [12] ISO/IEC 15408-2: 1999 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements [13] ISO/IEC 15408-3:1999 - Information technology - Security techniques – Evaluation criteria for IT security - Part 3: Security assurance requirements [14] JIS X 5070-1: 2000 - Security techniques - Evaluation criteria for IT security - Part 1: General Rules and general model [15] JIS X 5070-2: 2000 - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements [16] JIS X 5070-3: 2000 - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements CRP-C0018-01 20 [17] Common Methodology for Information Technology Security Evaluation CEM-99/045 Part 2: Evaluation Methodology Version 1.0 August 1999 [18] Common Methodology for Information Technology Security Evaluation CEM-99/045 Part 2: Evaluation Methodology Version 1.0 August 1999 (Translation Version 1.0 February 2001) [19] JIS TR X 0049: 2001 – Common Methodology for Information Technology Security Evaluation [20] CCIMB Interpretations-0210(February 2001) [21] Digital MFD Data Security Kit AR-FR4/AR-FR5 Evaluation Report: Fuji Research Institute Corporation; August 3, 2004; 03002795-01-R002-02 [22] JISEC Homepage Certified products list (http://www.ipa.go.jp/security/jisec/cert-list.html)