Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target
Version 1.09
Date of Issue: 2015/09/28
Canon Inc.

This document is a translation of the evaluated and certified security target written in Japanese.

Copyright Canon Inc. 2015

Table of Contents

1 ST introduction
1.1 ST reference
1.2 TOE reference
1.3 TOE overview
1.4 Terms and Abbreviations
1.5 TOE description
1.6 Scope of the TOE
1.6.1 Physical Scope of the TOE
1.6.2 Logical Scope of the TOE
1.7 Users of the TOE
1.8 Assets
1.8.1 User Data
1.8.2 TSF Data
1.8.3 Functions
2 Conformance claims
2.1 CC Conformance claim
2.2 PP claim, Package claim
2.3 SFR Packages
2.3.1 SFR Packages reference
2.3.2 SFR Package functions
2.3.3 SFR Package attributes
2.4 PP Conformance rationale
3 Security Problem Definition
3.1 Notational conventions
3.2 Threat agents
3.3 Threats to TOE Assets
3.4 Organizational Security Policies
3.5 Assumptions
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the IT environment
4.3 Security Objectives for the non-IT environment
4.4 Security Objectives rationale
5 Extended components definition (APE_ECD)
5.1 FPT_CIP_EXP Confidentiality and integrity of stored data
5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces
6 Security requirements
6.1 Security functional requirements
6.1.1 User Authentication Function
6.1.2 Function Use Restriction Function
6.1.3 Job Output Restriction Functions
6.1.4 Forward Received Jobs Function
6.1.5 HDD Data Erase Function
6.1.6 HDD Data Encryption Function
6.1.7 LAN Data Protection Function
6.1.8 Self-Test Function
6.1.9 Audit Log Function
6.1.10 Management Function
6.2 Security assurance requirements
6.3 Security functional requirements rationale
6.3.1 The completeness of security requirements
6.3.2 The sufficiency of security requirements
6.3.3 The dependencies of security requirements
6.4 Security assurance requirements rationale
7 TOE Summary specification
7.1 User Authentication Function
7.2 Function Use Restriction Function
7.3 Job Output Restriction Functions
7.3.1 Job Cancel
7.3.2 In The JOB Access Control
7.3.3 Temporarily Stored FAX TX Jobs
7.4 Forward Received Jobs Function
7.5 HDD Data Erase Function
7.6 HDD Data Encryption Function
7.6.1 Encryption/Decryption Function
7.6.2 Cryptographic Key Management Function
7.6.3 Device Identification and Authentication Function
7.7 LAN Data Protection Function
7.7.1 IP Packet Encryption Function
7.7.2 Cryptographic Key Management Function
7.8 Self-Test Function
7.9 Audit Log Function
7.10 Management Functions
7.10.1 User Management Function
7.10.2 Device Management Function

Trademark Notice
- Canon, the Canon logo, imageRUNNER, imageRUNNER ADVANCE, MEAP, and the MEAP logo are trademarks of Canon Inc.
- Microsoft, Windows, Windows XP, Windows 2000, Windows Vista, and Active Directory are trademarks or registered trademarks of Microsoft Corporation in the US.
- Mac OS is a trademark of Apple Computer Inc. in the US.
- Oracle and Java are registered trademarks of Oracle Corporation and its affiliates in the United States and in other countries.
- All names of companies and products contained herein are trademarks or registered trademarks of the respective companies.
- Portions of sections 1.1, 1.4, 5.3, 7, 8, 9, 10.1, 10.4, 10.5, 10.6, 11, 12.2, 12.3, 12.4, 13.2, 14.2, 15.2, 16.2, 17.2, 18.2, 19.2, 19.3, 19.4, Annex A and Annex B are reprinted with permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08854, from IEEE 2600.1(tm)-2009 Standard for a Protection Profile in Operational Environment A, Copyright(c) 2009 IEEE. All rights reserved.

1 ST introduction

1.1 ST reference
This section provides the Security Target (ST) identification information.
ST name: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target
Version: 1.09
Issued by: Canon Inc.
Date of Issue: 2015/09/28
Keywords: IEEE 2600, Canon, imageRUNNER, iR, Advance, digital MFP, multifunction product (MFP), copy, print, fax, send, facsimile, identification, authentication, access control, log, encryption, Secured Print, BOX, security kit

1.2 TOE reference
This section provides the TOE identification information.
TOE name: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model
Version: 1.0
The TOE is comprised of the following software, hardware, and licenses.
(English Name)
- iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria Ver 1.00
- Canon imageRUNNER ADVANCE C350/C250 Series
- HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
- Super G3 FAX Board-AN1 (standard equipment on "F" and "iF" models)
- Access Management System (license option; standard equipment in the United States and Canada)
(Japanese Name)
- iR-ADV Security Kit-J1 for IEEE 2600.1 Ver 1.00
- Canon imageRUNNER ADVANCE C350/C250 Series
- HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
- Super G3 FAX Board-AN1 (standard equipment on "F" and "iF" models)
- Access Management System (license option; standard equipment in Japan)

1.3 TOE overview
The TOE is a digital multi-function product (MFP) known as <Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model>.
This is a version of the standard model <Canon imageRUNNER ADVANCE C350/C250 Series> which, by installing/attaching the following 3 (or 4) products and making the proper settings, makes up the <Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model>, or TOE.
- iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria
- HDD Data Encryption Kit
- Fax Board (standard equipment on the "F" model)
- (Access Management System) [1]
For machines in Japan, this option is attached to the MFP as "Security Option Kit-A1" by default. For machines in the United States and Canada, this option is standard equipment. For machines in Asia and Oceania, the "ACCESS MANAGEMENT SYSTEM KIT-B1" option is needed.
<iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria> contains the control software for <2600.1, Protection Profile for Hardcopy Devices, Operational Environment A> and the security kit license. The HDD Data Encryption Board is the hardware that encrypts all data stored in the HDD (including software). The Fax Board is the hardware that provides the fax facility.
<Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model> fully implements the Protection Profile (PP) for Multi-Function Products indicated below, as well as the security functions required by the 7 SFR Packages defined in the PP.
Protection Profile
- 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
SFR Packages
- 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
- 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
- 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
- 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
- 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
- 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
- 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A

[1] "Access Management System" is a license option. The component of "Access Management System" is included in iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria.

1.4 Terms and Abbreviations
The following terms and abbreviations are used throughout this ST.

Table 1 - Terms and Abbreviations
Multi-Function Product (MFP): A machine that incorporates the functionality of multiple devices in one, such as copier, fax, printer, and Universal Send, and containing a large capacity HDD to facilitate such capabilities.
Control software: Software that runs on the hardware of the device, and controls security functions.
Control panel: One of the hardware elements of the MFP, consisting of a touch panel and operation keys, which provides the interface for operation of the MFP.
Remote UI: An interface that provides access to the MFP from a Web browser via the LAN, to allow the acquisition of operating status, the performing of job operations or BOX operations, and the making of various settings.
HDD: Hard disk drive mounted on the MFP, where control software and assets are stored.
I-Fax: Short for Internet Fax. Uses the Internet to receive and send faxes.
Image file: Image data generated within the MFP, from operations such as scan, print, and receive.
Temporary image file: Image files generated during jobs such as Copy and Print, which are needed only until the job completes.
Roles: Used by access restriction functions to restrict the functions that each user can use. One role is associated with each user. In addition to the pre-defined default roles, custom roles may be created by modifying the default roles. The default roles are: Administrator, Power User, General User, Limited User, and Guest User. A user assigned the Administrator role is capable of using management operations (administrative privileges).
Administrator: User assigned the Administrator role, who has administrative privileges. Equivalent to U.ADMINISTRATOR defined in the PP.
Job: When a user uses the functions of the TOE to execute an operation on a document, a Job is the intended document data combined with the user instructions for processing those data. The operations that can be performed on a document are: Scan, Print, Copy, Fax TX, Save, and Delete. The processing phases for a Job issued by the user are: generation, execution, and completion.
Document data: User data processed within the MFP, consisting of image files and attribute information.
Memory RX (Reception): Allows data received by fax/I-fax to be stored in the Memory RX Inbox for later processing.
Memory RX Inbox: When memory reception is set, documents received by fax/I-fax are stored in the Memory RX Inbox. Stored documents can be printed or sent later.
Mail server: Server that facilitates I-fax transmission or email transmission of document data in the MFP.
User authentication server: Server that maintains user information such as user ID and password, for user authentication over the network.
Firewall: Device or system designed to protect the internal LAN against threats from the Internet.
Time server: Server that uses the Network Time Protocol to provide the accurate time over the Internet.
[Secured Print]: A button on the control panel that activates the Secured Print function (print jobs with a PIN).
[Copy]: A button on the control panel that activates the Copy function.
[Fax]: A button on the control panel that activates the Fax function.
[Scan]: Indicates the [Scan and Send] button on the control panel, which allows scanned documents to be sent to some location such as an email address or a shared folder on a PC.
[Fax/I-Fax Inbox]: A button on the control panel that activates the Fax/I-Fax Inbox function. There is a Memory RX Inbox to store files received by Fax and I-Fax.
[Access Stored Files]: A button on the control panel that allows the user to access files stored in the Memory RX Inbox.
Remote UI [Fax/I-Fax Inbox]: A button on the Remote UI that allows the user to access files stored in the Memory RX Inbox.

1.5 TOE description
The TOE is an MFP that offers Copy, Print, Universal Send, Fax, and I-Fax RX capabilities. The TOE, which conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A", is designed to operate in an environment such as the one described below (as excerpted from "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A", clause "1.1 Scope").
This standard is for a Protection Profile for Hardcopy Devices in a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance are required. The typical information processed in this environment is trade secret, mission critical, or subject to legal and regulatory considerations, such as for privacy or governance. This environment is not intended to support life-critical or national security applications.
This environment will be known as "Operational Environment A."

Figure 1 shows the environment for which the TOE, <Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model>, has been designed, with options included. Since not all of these features may be required, the actual operational environment is expected to differ from what is shown here.

Figure 1 The assumed operational environment of the MFP
[Figure: the MFP <Canon imageRUNNER ADVANCE C350/C250 Series> on the internal LAN, together with the User authentication server (user authentication request), the Mail server (send via I-Fax/E-mail; receive I-Fax into the Memory RX Inbox), the Time server, a PC with a Web browser, and the Firewall separating the LAN from the Internet.]

In Figure 1, the MFP is connected by an internal LAN to all of the other major components, namely the Mail Server, User Authentication Server, PC, and Firewall. Furthermore, the internal LAN is protected by the Firewall from threats from the Internet. To send (via I-Fax or email) a previously scanned document, or when receiving a document by I-Fax, for example, the MFP connects to the Mail Server. By using a PC with a Web browser [2], functions such as printing, storing, or I-Fax can also be executed remotely. However, in order to print from a PC, the appropriate printer driver needs to be installed on the PC. Alternatively, a USB cable can be used to connect the PC directly, and print or store document data from the PC. In this case, some configuration is required initially, in order to protect against data being taken out of the MFP and stored in a PC or USB device. Additionally, by attaching a fax board to the TOE, faxes can be sent and received over phone lines via the fax board.

[2] This evaluation was performed using Microsoft Internet Explorer 8 as the Web browser.

The TOE also obtains accurate time from the Time server for time synchronization, and supports user authentication through the External Authentication Server. The functions available to the MFP in such an environment are listed below:
- Copy function: Produces duplicates of the hardcopy document by scanning and printing.
- Print function: Produces a hardcopy document from its electronic form (contained in the MFP or sent from a PC).
- I-Fax RX (receive) function: Uses the Internet to receive faxes. Data received by I-fax is not printed immediately; rather it is stored in the Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax RX (receive) function: Uses a fax line to receive faxes. Data received by fax is not printed immediately; rather it is stored in the Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax TX (send) function: Scanned document data or electronic documents stored in the Memory RX Inbox can be retrieved for transmission by fax.
- Universal Send function: Scanned document data or electronic documents stored in the Memory RX Inbox can be transmitted by email or I-fax, or sent to a shared folder on a PC, in TIFF or PDF file format.

1.6 Scope of the TOE
The TOE conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" and is designed to meet the requirements specified therein, as described below. The physical and logical scopes of the TOE are described below.

1.6.1 Physical Scope of the TOE
The TOE is an MFP consisting of hardware and software components. The physical scope of the TOE is illustrated in Figure 2.
Figure 2 Hardware and software components of the TOE
[Figure: Control Software (TOE: Software) running on the MFP Main Unit (TOE: Hardware), together with the HDD Data Encryption Board (TOE: Hardware) and the Fax Board (TOE: Hardware); the "F" model of the Canon imageRUNNER ADVANCE C350/C250 Series is equipped with the Fax Board by default.]

In Figure 2, "Control Software" refers to the <iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria>. Note also that the "MFP Main Unit" hardware together with the <iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria> makes up the MFP main unit. The TOE, <Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model>, consists of the MFP main unit combined with the Encryption Board and the Fax Board.
<Canon imageRUNNER ADVANCE C350/C250 Series>, the hardware making up the TOE, refers to the following product lineup.

Table 2 - Line of Products
Products: iR-ADV C350F, iR-ADV C350iF, iR-ADV C350i, iR-ADV C350, iR-ADV C250iF, iR-ADV C250i, iR-ADV C250
* In Japan, only the iR-ADV C350F is sold.

The documentation for the TOE is listed below.
(English Name)
- imageRUNNER ADVANCE C350/C250 Series 2600.1 model e-Manual CD (USE Version)
- imageRUNNER ADVANCE C350iF/C250iF e-Manual
- ACCESS MANAGEMENT SYSTEM Individual Management Configuration Administrator Guide
- imageRUNNER ADVANCE C350/C250 Series 2600.1 model e-Manual CD (APE Version)
- imageRUNNER ADVANCE C350i/C250i e-Manual
- ACCESS MANAGEMENT SYSTEM Individual Management Configuration Administrator Guide
- iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria Certification Administrator Guide
- Before Using the iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria Certification
- HDD Data Encryption Kit Reference Guide
(Japanese Name)
- imageRUNNER ADVANCE C350/C250 Series 2600.1 model e-Manual
- imageRUNNER ADVANCE C350F e-Manual
- ACCESS MANAGEMENT SYSTEM Individual Management Configuration Administrator Guide
- iR-ADV Security Kit-J1 for IEEE 2600.1 Administrator Guide
- Before Using the iR-ADV Security Kit-J1 for IEEE 2600.1
- HDD Data Encryption Kit User's Guide

1.6.2 Logical Scope of the TOE
The logical scope of the TOE is illustrated in Figure 3 (excluding: User, User Authentication Server, Mail Server, PC, and Time Server). In the figure, the security functions of the TOE are shown in blue.

Figure 3 Functional configuration of the TOE
[Figure: outside the TOE are the User Auth Server (User Auth Function), Mail Server (Email Function), PC (Web Browser) and Time Server (Time Function), each exchanging AuthInfo, DocData or TimeInfo with the TOE through the LAN Data Protection Function; the PC can also pass document data over a USB connection, and the FAX function is attached to the phone line. Inside the TOE: the security functions LAN Data Protection, Function Use Restriction, User Authentication, HDD Data Erase, Job Output Restriction, Self-Test, Audit Log, Management Function, Forward Received Jobs and HDD Data Encryption, and the basic functions Print, Copy, Scan, Send, Receive, Memory RX, FAX, UI Function, Input Function and Output Function, with the HDD as storage. The User operates the TOE, and the TOE displays information, via the control panel.]

In addition to the capabilities described in Section 1.5, the TOE embodies the following basic functionality.
- UI Functionality: Enables the user to operate the TOE from the control panel, and the TOE to display information on the control panel.
- Output Functionality: Enables the TOE to output hardcopy documents.
- Input Functionality: Enables the TOE to input hardcopy documents.

The TOE embodies the following security functions.
- User Authentication Function: Performs authentication of the user, to prevent any unauthorized access to the TOE. Two types of user authentication are supported: Internal Authentication, wherein authentication takes place internally within the TOE, and External Authentication, which uses an external user authentication server. External authentication uses Kerberos [3] or LDAP [4] authentication.
- Function Use Restriction Function: Uses role management to restrict the functions that each authenticated user can use.
- Job Output Restriction Function: Restricts access to print, cancel, and other job operations to the user that executed the job.
- Forward Received Jobs Function: Restricts the machine from forwarding received data directly to the LAN. It is provided as a countermeasure against threats arising from misuse of the fax line.
- HDD Data Erase Function: Erases unnecessary data from the hard disk by overwriting the data, in order to prevent unauthorized use of previously generated image data.
- HDD Data Encryption Function: Because the HDD (alone or together with the HDD Data Encryption Board) could potentially be removed for unauthorized access to its contents, the HDD Data Encryption Board addresses this threat by identifying the MFP at startup, so that it may only be used with the correct MFP. Additionally, all data stored in the HDD are encrypted to protect the confidentiality of the HDD data.
- LAN Data Protection Function: To protect LAN data from IP packet sniffing, IP packets are encrypted using IPSec.
- Self-Test Function: When the machine starts, this function checks that the primary security functions are running properly.
- Audit Log Function: Allows auditing of user operations by generating logs stored in the HDD. Stored audit logs are protected and can be viewed. The date/time recorded in the audit log is provided by the TOE. The TOE's date/time information is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.
- Management Function: Consists of user management functions such as user registration and role management, and device management functions which enable proper operation of the various security functions, which can only be specified by Administrators.

[3] This evaluation was performed using Active Directory Domain Services as the authentication server software for Kerberos.
[4] This evaluation was performed using eDirectory 8.8 SP7 as the authentication server software for LDAP authentication.

1.7 Users of the TOE
The TOE has two types of users (U.USER): U.NORMAL and U.ADMINISTRATOR.

Table 3 - Users
U.USER: Any authorized User.
U.NORMAL: A User who is authorized to perform User Document Data processing functions of the TOE.
U.ADMINISTRATOR: A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.

1.8 Assets
There are three types of assets: user data, TSF data, and functions.

1.8.1 User Data
User data are created by the user, and have no effect on TOE security functions. There are two types of user data: D.DOC and D.FUNC.

Table 4 - User Data
D.DOC: User Document Data consist of the information contained in a user's document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
D.FUNC: User Function Data are the information about a user's document or job to be processed by the TOE.
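As an added example (not Canon's code and not part of this ST), the following Python sketch models the two access control policies this ST names, FDP_ACC.1(exec-job) and FDP_ACC.1(delete-job), as they are described under the Function Use Restriction and Job Output Restriction functions, together with the Box PIN check that protects the Memory RX Inbox (Table 6). The role permission sets, the user and job field names, the PIN value, the module name, and the rule that an administrator may cancel another user's job but may not read its output are assumptions: the ST names the roles but does not list their permissions.

```python
# Added example, not Canon's code: a model of FDP_ACC.1(exec-job),
# FDP_ACC.1(delete-job) and the Memory RX Inbox Box PIN check.
# Assumed: role permission sets, field names, PIN value, and that an
# administrator may delete (cancel) but not read another user's job.
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hmac


class Function(Enum):
    """SFR Package functions from Table 7 (F.PRT, F.SCN, ...)."""
    PRT = "print"
    SCN = "scan"
    CPY = "copy"
    FAX = "fax"
    DSR = "document storage and retrieval"


ADMINISTRATOR = "Administrator"

# Assumed default role -> permitted functions (Function Use Restriction).
DEFAULT_ROLE_FUNCTIONS = {
    ADMINISTRATOR: set(Function),
    "Power User": set(Function),
    "General User": {Function.PRT, Function.SCN, Function.CPY, Function.DSR},
    "Limited User": {Function.PRT, Function.CPY},
    "Guest User": set(),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    authenticated: bool = False  # set once User Authentication has succeeded


@dataclass(frozen=True)
class Job:
    job_id: int
    function: Function
    owner: Optional[str]        # D.FUNC: submitting user; None for a received fax
    received_fax: bool = False  # +FAXIN, i.e. stored in the Memory RX Inbox


class AccessDenied(PermissionError):
    pass


class JobAccessPolicy:
    def __init__(self, box_pin: str, role_functions=None):
        self._box_pin = box_pin  # D.CONF "Box PIN" from Table 6
        self._role_functions = role_functions or DEFAULT_ROLE_FUNCTIONS

    def exec_job(self, user: User, function: Function) -> bool:
        """FDP_ACC.1(exec-job): may this user start a job of this type?"""
        if not user.authenticated:
            return False  # no job operations before identification and authentication
        return function in self._role_functions.get(user.role, set())

    def access_job(self, user: User, job: Job, operation: str,
                   box_pin: Optional[str] = None) -> bool:
        """Job Output Restriction: 'read' (print/view output) or 'delete' (cancel).

        Owner: read and delete own jobs.  Administrator: delete any job, but not
        read another user's output (assumed).  Received faxes have no owner and
        are reached with the Box PIN, or deleted by an administrator.
        """
        if operation not in ("read", "delete"):
            raise ValueError(operation)
        if not user.authenticated:
            return False
        if job.received_fax:
            if operation == "delete" and user.role == ADMINISTRATOR:
                return True
            # constant-time compare so a wrong PIN leaks nothing through timing
            return box_pin is not None and hmac.compare_digest(box_pin, self._box_pin)
        if job.owner == user.name:
            return True
        return operation == "delete" and user.role == ADMINISTRATOR

    def enforce(self, user: User, job: Job, operation: str,
                box_pin: Optional[str] = None) -> None:
        if not self.access_job(user, job, operation, box_pin):
            raise AccessDenied(f"{user.name} may not {operation} job {job.job_id}")


def demo() -> dict:
    """Constructed sample users and jobs; returns every policy decision."""
    policy = JobAccessPolicy(box_pin="1234")  # assumed PIN
    alice = User("alice", "General User", authenticated=True)
    bob = User("bob", "Limited User", authenticated=True)
    admin = User("root", ADMINISTRATOR, authenticated=True)
    guest = User("guest", "Guest User", authenticated=False)
    print_job = Job(1, Function.PRT, owner="alice")
    fax_in = Job(2, Function.FAX, owner=None, received_fax=True)
    return {
        "alice_can_scan": policy.exec_job(alice, Function.SCN),
        "bob_can_scan": policy.exec_job(bob, Function.SCN),
        "guest_can_copy": policy.exec_job(guest, Function.CPY),
        "alice_reads_own": policy.access_job(alice, print_job, "read"),
        "bob_reads_alice": policy.access_job(bob, print_job, "read"),
        "admin_reads_alice": policy.access_job(admin, print_job, "read"),
        "admin_deletes_alice": policy.access_job(admin, print_job, "delete"),
        "alice_reads_fax_bad_pin": policy.access_job(alice, fax_in, "read", "0000"),
        "alice_reads_fax_good_pin": policy.access_job(alice, fax_in, "read", "1234"),
        "admin_deletes_fax": policy.access_job(admin, fax_in, "delete"),
    }
```

The two policies are kept separate on purpose: exec-job is decided from the user's role alone, before any job exists, while delete-job is decided from the job's owner attribute, which is why a received fax (no submitting user) needs its own rule keyed on the Box PIN.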
1.8.2 TSF Data
TSF Data are data that have an effect on TOE security functions. There are two types of TSF data: D.PROT and D.CONF.

Table 5 - TSF Data
D.PROT: TSF Protected Data are assets for which alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable.
D.CONF: TSF Confidential Data are assets for which either disclosure or alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE.

A list of the TSF data used in this TOE is given in Table 6.

Table 6 - List of TSF data
Type | TSF data | Description | Stored in
D.PROT | User name | User identification information used by the user identification and authentication function. | HDD
D.PROT | Role | Used by access restriction functions to restrict the functions that each user can use. | HDD
D.PROT | Lockout policy settings | Settings for the lockout function, such as the number of attempts before lockout and the lockout time. | HDD
D.PROT | Password policy settings | Policy for the password for user authentication, such as minimum password length, allowed characters, and combination of character types. | HDD
D.PROT | Auto Reset Time setting | Settings for session timeout in the control panel. | Non-volatile memory
D.PROT | Date/Time setting | Specifies the date and time that is set. | RTC
D.PROT | HDD Data Erase setting | Settings for the HDD Data Erase function, including the settings to enable or disable the HDD Data Erase function. | Non-volatile memory
D.PROT | IPSec settings | Settings for the LAN Data Protection function, including the settings to enable or disable the LAN Data Protection function. | Non-volatile memory
D.CONF | Password | Password used to authenticate the user in the User Identification and Authentication function. | HDD
D.CONF | Audit logs | Logs generated by the Audit Log function. | HDD
D.CONF | Box PIN | PIN used for access control to the Memory RX Inbox where the data is stored, for Job Output Restriction functions. | HDD

1.8.3 Functions
Refer to the functions listed in Table 7.

2 Conformance claims

2.1 CC Conformance claim
This ST conforms to the following Common Criteria (CC).
- Common Criteria version: Version 3.1 Release 4
- Common Criteria conformance: Part 2 extended and Part 3 conformant
- Assurance level: EAL3 augmented by ALC_FLR.2

2.2 PP claim, Package claim
This ST conforms to the following Protection Profile (PP).
- Title: 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
- Version: 1.0, dated June 2009
This ST is package-conformant to and package-augmented by the following SFR packages:
- 2600.1-PRT conformant
- 2600.1-SCN conformant
- 2600.1-CPY conformant
- 2600.1-FAX conformant
- 2600.1-DSR conformant
- 2600.1-NVS augmented
- 2600.1-SMI augmented

2.3 SFR Packages

2.3.1 SFR Packages reference
Title: 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as printers, paper-based fax machines, and MFPs) that perform a printing function in which electronic document input is converted to physical document output.
Title: 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as scanners, paper-based fax machines, and MFPs) that perform a scanning function in which physical document input is converted to electronic document output.

Title: 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This Protection Profile shall be used for HCD products (such as copiers and MFPs) that perform a copy function in which physical document input is duplicated to physical document output.

Title: 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as fax machines and MFPs) that perform a scanning function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a printing function in which a telephone-based document facsimile (fax) reception is converted to physical document output.

Title: 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as MFPs) that perform a document storage and retrieval feature in which a document is stored during one job and retrieved during one or more subsequent jobs.

Title: 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 extended and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for products that provide storage of User Data or TSF Data in a nonvolatile storage device (NVS) that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel. This package applies for TOEs that provide the ability to protect data stored on Removable Nonvolatile Storage devices from unauthorized disclosure and modification. If such protection is supplied only by the TOE environment, then this package cannot be claimed.

Title: 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 extended and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products that transmit or receive User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio frequency wireless media.
This package applies for TOEs that provide a trusted channel function allowing for secure and authenticated communication with other IT systems. If such protection is supplied by only the TOE environment, then this package cannot be claimed.

2.3.2 SFR Package functions

Functions perform processing, storage, and transmission of data that may be present in HCD products. The functions that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 7:

Table 7 - SFR Package functions

Designation | Definition
F.PRT | Printing: a function in which electronic document input is converted to physical document output
F.SCN | Scanning: a function in which physical document input is converted to electronic document output
F.CPY | Copying: a function in which physical document input is duplicated to physical document output
F.FAX | Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output
F.DSR | Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs
F.NVS | Nonvolatile storage: a function that stores User Data or TSF Data on a nonvolatile storage device that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel
F.SMI | Shared-medium interface: a function that transmits or receives User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media

2.3.3 SFR Package attributes

When a function is performing processing, storage, or transmission of data, the identity of the function is associated with that particular data as a security attribute. This attribute in the TOE model makes it possible to distinguish differences in Security Functional Requirements that depend on the function being performed. The attributes that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 8:

Table 8 - SFR Package attributes

Designation | Definition
+PRT | Indicates data that are associated with a print job.
+SCN | Indicates data that are associated with a scan job.
+CPY | Indicates data that are associated with a copy job.
+FAXIN | Indicates data that are associated with an inbound (received) fax job.
+FAXOUT | Indicates data that are associated with an outbound (sent) fax job.
+DSR | Indicates data that are associated with a document storage and retrieval job.
+NVS | Indicates data that are stored on a nonvolatile storage device.
+SMI | Indicates data that are transmitted or received over a shared-medium interface.

2.4 PP Conformance rationale

In addition to the primary functionality of the MFP (Copy, Print, Scan, and Fax), the TOE implements the Memory RX Inbox function, the HDD encryption function, and the LAN data encryption function. As such, it is appropriate to conform to the SFR Packages (Chapter 2.2 PP claim, Package claim). In this ST, F.DSR refers to the Memory RX Inbox.

In the following, the ST is compared against the PP containing the seven SFR Packages above.

In terms of the Security Problem Definition, the ST is equivalent to the PP except for the addition of one other OSP: P.HDD.ACCESS.AUTHORIZATION. This OSP is a restriction on the TOE, rather than a restriction on the operational environment. As such:
- All TOEs that would meet the security problem definition in the ST also meet the security problem definition in the PP.
- All operational environments that would meet the security problem definition in the PP would also meet the security problem definition in the ST.
In terms of Objectives, the ST is equivalent to the PP except for the addition of one other objective: O.HDD.ACCESS.AUTHORISED. This objective is a restriction on the TOE. As such:
- All TOEs that would meet the security objectives for the TOE in the ST also meet the security objectives for the TOE in the PP.
- All operational environments that would meet the security objectives for the operational environment in the PP would also meet the security objectives for the operational environment in the ST.

In terms of the functional requirements, the ST compared with the PP contains all functional requirements of the PP, including the seven SFR Packages, as well as additional functional requirements, as shown in Table 9.

Table 9 - Functional requirements specified in the PP and the ST

PP Package | PP functional requirement | ST functional requirement
Common | FAU_GEN.1 | FAU_GEN.1
Common | FAU_GEN.2 | FAU_GEN.2
Common | FAU_SAR.1 | FAU_SAR.1
Common | FAU_SAR.2 | FAU_SAR.2
Common | FAU_STG.1 | FAU_STG.1
Common | FAU_STG.4 | FAU_STG.4
Common | FDP_ACC.1(a) | FDP_ACC.1(delete-job)
Common | FDP_ACC.1(b) | FDP_ACC.1(exec-job)
Common | FDP_ACF.1(a) | FDP_ACF.1(delete-job)
Common | FDP_ACF.1(b) | FDP_ACF.1(exec-job)
Common | FDP_RIP.1 | FDP_RIP.1
Common | FIA_ATD.1 | FIA_ATD.1
Common | FIA_UAU.1 | FIA_UAU.1
Common | FIA_UID.1 | FIA_UID.1
Common | FIA_USB.1 | FIA_USB.1
Common | FMT_MSA.1(a) | FMT_MSA.1(delete-job)
Common | FMT_MSA.3(a) | FMT_MSA.3(delete-job)
Common | FMT_MSA.1(b) | FMT_MSA.1(exec-job)
Common | FMT_MSA.3(b) | FMT_MSA.3(exec-job)
Common | FMT_MTD.1 (FMT_MTD.1.1(a)) | FMT_MTD.1(device-mgt)
Common | FMT_MTD.1 (FMT_MTD.1.1(b)) | FMT_MTD.1(user-mgt)
Common | FMT_SMF.1 | FMT_SMF.1
Common | FMT_SMR.1 | FMT_SMR.1
Common | FPT_STM.1 | FPT_STM.1
Common | FPT_TST.1 | FPT_TST.1
Common | FTA_SSL.3 | FTA_SSL.3(lui), FTA_SSL.3(rui)
PRT | FDP_ACC.1 | FDP_ACC.1(in-job)
PRT | FDP_ACF.1 | FDP_ACF.1(in-job)
SCN | FDP_ACC.1 | FDP_ACC.1(in-job)
SCN | FDP_ACF.1 | FDP_ACF.1(in-job)
CPY | FDP_ACC.1 | FDP_ACC.1(in-job)
CPY | FDP_ACF.1 | FDP_ACF.1(in-job)
FAX | FDP_ACC.1 | FDP_ACC.1(in-job)
FAX | FDP_ACF.1 | FDP_ACF.1(in-job)
DSR | FDP_ACC.1 | FDP_ACC.1(in-job)
DSR | FDP_ACF.1 | FDP_ACF.1(in-job)
NVS | FPT_CIP_EXP.1 | FPT_CIP_EXP.1
SMI | FAU_GEN.1 | FAU_GEN.1
SMI | FPT_FDI_EXP.1 | FPT_FDI_EXP.1
SMI | FTP_ITC.1 | FTP_ITC.1
Common | - | FIA_AFL.1
Common | - | FIA_SOS.1
Common | - | FIA_UAU.7
NVS | - | FCS_COP.1(h)
NVS, SMI | - | FCS_CKM.1
SMI | - | FCS_COP.1(n)
SMI | - | FCS_CKM.2
NVS | - | FPT_PHP.1

Note the following:
- For FDP_ACF.1(a) in the PP, the Subject for a Delete of +FAXIN/+DSR D.DOC and a Delete of +FAXIN/+DSR D.FUNC is specified as U.NORMAL. For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.ADMINISTRATOR, with the Access Control rule for U.NORMAL specified as "Denied".
- For FDP_ACC.1 in the PP, the Subject for a Read of +FAXIN/+DSR D.DOC is specified as U.NORMAL. For FDP_ACC.1(in-job) in the ST, the Subject for a Read is specified as U.ADMINISTRATOR, with the Access Control rule for U.NORMAL specified as "Denied".
The ST functional requirements mentioned above are restrictive in the scope of Subjects allowed to Delete or Read, and restrain U.NORMAL from having access to any such Object. As such, the ST functional requirements specify greater restrictions than the corresponding PP functional requirements.
- For FDP_ACF.1(a) in the PP, the Subject for a Modify of +FAXIN/+DSR D.FUNC is specified as U.NORMAL. For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.USER, with the Access Control rule specified as "Denied".
The ST functional requirement mentioned above does not allow use of the function to any Subject. As such, the ST functional requirement specifies greater restriction than the corresponding PP functional requirement.

Consequently, the SFRs of the ST are equivalent to or more restrictive than the SFRs of the PP. As such:
- All TOEs that would meet the SFRs in the ST would also meet the SFRs in the PP.

In terms of the Security Assurance Requirements, the ST and PP are equivalent.

As such, this ST compared with the PP specifies equal or greater restrictions on the TOE, and at most equal restrictions on the operational environment of the TOE. Therefore, this ST claims demonstrable conformance to the PP.

3 Security Problem Definition

3.1 Notational conventions

Defined terms in full form are set in title case (for example, "Document Storage and Retrieval"). Defined terms in abbreviated form are set in all caps (for example, "DSR").

In tables that describe Security Objectives rationale, a checkmark ("✓") placed at the intersection of a row and column indicates that the threat identified in that row is wholly or partially mitigated by the objective in that column.

In tables that describe completeness of security requirements, a bold typeface letter "P" placed at the intersection of a row and column indicates that the requirement identified in that row performs a principal fulfillment of the objective indicated in that column. A letter "S" in such an intersection indicates that it performs a supporting fulfillment.

In tables that describe the sufficiency of security requirements, a bold typeface requirement name and purpose indicates that the requirement performs a principal fulfillment of the objective in the same row.
Requirement names and purposes set in normal typeface indicate that those requirements perform supporting fulfillments.

In specifications of Security Functional Requirements (SFRs):
- Bold typeface indicates the portion of an SFR that has been completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition.
- Italic typeface indicates the portion of an SFR that must be completed by the ST Author in a conforming Security Target.
- Bold italic typeface indicates the portion of an SFR that has been partially completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition, but which also must be completed by the ST Author in a conforming Security Target.

The following prefixes are used to indicate different entity types:

Table 10 - Notational prefix conventions

Prefix | Type of entity
U. | User
D. | Data
F. | Function
T. | Threat
P. | Policy
A. | Assumption
O. | Objective
OE. | Environmental objective
+ | Security attribute

3.2 Threat agents

This security problem definition addresses threats posed by four categories of threat agents:
a) Persons who are not permitted to use the TOE who may attempt to use the TOE.
b) Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in ways for which they are not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated threats.

The threats and policies defined in this Protection Profile address the threats posed by these threat agents.

3.3 Threats to TOE Assets

This section describes threats to assets described in clause 1.8.
Table 11 - Threats to User Data for the TOE

Threat | Affected asset | Description
T.DOC.DIS | D.DOC | User Document Data may be disclosed to unauthorized persons
T.DOC.ALT | D.DOC | User Document Data may be altered by unauthorized persons
T.FUNC.ALT | D.FUNC | User Function Data may be altered by unauthorized persons

Table 12 - Threats to TSF Data for the TOE

Threat | Affected asset | Description
T.PROT.ALT | D.PROT | TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS | D.CONF | TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT | D.CONF | TSF Confidential Data may be altered by unauthorized persons

3.4 Organizational Security Policies

This section describes the Organizational Security Policies (OSPs) that apply to the TOE. OSPs are used to provide a basis for Security Objectives that are commonly desired by TOE Owners in this operational environment but for which it is not practical to universally define the assets being protected or the threats to those assets.

Table 13 - Organizational Security Policies

Name | Definition
P.USER.AUTHORIZATION | To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner
P.SOFTWARE.VERIFICATION | To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF
P.AUDIT.LOGGING | To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel
P.INTERFACE.MANAGEMENT | To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment
P.HDD.ACCESS.AUTHORIZATION | To prevent access to TOE assets in the HDD by connecting the HDD to other HCDs, the TOE will authorize access to the HDD data
3.5 Assumptions

The Security Objectives and Security Functional Requirements defined in subsequent sections of this Protection Profile are based on the condition that all of the assumptions described in this section are satisfied.

Table 14 - Assumptions

Assumption | Definition
A.ACCESS.MANAGED | The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING | TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING | Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes.

4 Security Objectives

4.1 Security Objectives for the TOE

This section describes the Security Objectives that are satisfied by the TOE.

Table 15 - Security Objectives for the TOE

Objective | Definition
O.DOC.NO_DIS | The TOE shall protect User Document Data from unauthorized disclosure.
O.DOC.NO_ALT | The TOE shall protect User Document Data from unauthorized alteration.
O.FUNC.NO_ALT | The TOE shall protect User Function Data from unauthorized alteration.
O.PROT.NO_ALT | The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS | The TOE shall protect TSF Confidential Data from unauthorized disclosure.
O.CONF.NO_ALT | The TOE shall protect TSF Confidential Data from unauthorized alteration.
O.USER.AUTHORIZED | The TOE shall require identification and authentication of Users, and shall ensure that Users are authorized in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED | The TOE shall manage the operation of external interfaces in accordance with security policies.
O.SOFTWARE.VERIFIED | The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED | The TOE shall create and maintain a log of TOE use and security-relevant events, and prevent its unauthorized disclosure or alteration.
O.HDD.ACCESS.AUTHORISED | The TOE shall protect TOE assets in the HDD from being accessed without TOE authorization.

4.2 Security Objectives for the IT environment

This section describes the Security Objectives for the IT environment.

Table 16 - Security Objectives for the IT environment

Objective | Definition
OE.AUDIT_STORAGE.PROTECTED | If audit records are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records are protected from unauthorized access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED | If audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons.
OE.INTERFACE.MANAGED | The IT environment shall provide protection from unmanaged access to TOE external interfaces.

4.3 Security Objectives for the non-IT environment

This section describes the Security Objectives for non-IT environments.

Table 17 - Security Objectives for the non-IT environment

Objective | Definition
OE.PHYSICAL.MANAGED | The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED | The TOE Owner shall grant permission to Users to be authorized to use the TOE according to the security policies and procedures of their organization.
OE.USER.TRAINED | The TOE Owner shall ensure that Users are aware of the security policies and procedures of their organization, and have the training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED | The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of their organization, have the training, competence, and time to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED | The TOE Owner shall establish trust that TOE Administrators will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED | The TOE Owner shall ensure that audit logs are reviewed at appropriate intervals for security violations or unusual patterns of activity.

4.4 Security Objectives rationale

This section describes the rationale for the Security Objectives.

Table 18 - Completeness of Security Objectives
[Cross-reference matrix of threats, policies and assumptions (rows: T.DOC.DIS, T.DOC.ALT, T.FUNC.ALT, T.PROT.ALT, T.CONF.DIS, T.CONF.ALT, P.USER.AUTHORIZATION, ...) against objectives (columns: O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.HDD.ACCESS.AUTHORISED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, OE.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, OE.USER.TRAINED). The checkmark cells are not reproduced; the one legible here marks T.DOC.DIS against O.DOC.NO_DIS.]

- TOE Function Access Control SFP

FMT_MSA.3.2(exec-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
[assignment: the authorized identified roles]
- Nobody
FDP_ACC.1(exec-job) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP on users as subjects, TOE functions as objects, and the right to use the functions as operations.

FDP_ACF.1(exec-job) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP to objects based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP].
[assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP]
- objects controlled under the TOE Function Access Control SFP in Table 20, and for each, the indicated security attributes in Table 20.
FDP_ACF.1.2(exec-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]].
[selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]]
- [assignment: other conditions]
[assignment: other conditions]
- rules specified in the TOE Function Access Control SFP in Table 20 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects
FDP_ACF.1.3(exec-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: the user acts in the role U.ADMINISTRATOR, [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects]
- None
FDP_ACF.1.4(exec-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
- None

Table 20 - TOE Function Access Control SFP

Object | Attribute | Operation(s) | Subject | Attribute | Access control rule
[Secured Print] | +PRT | Use of the function, using pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Copy] | +CPY | Use of the function, using pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Scan] | +SCN | Use of the function, using pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax] | +FAXOUT | Use of the function, using pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax/I-Fax Inbox] | +FAXIN, +DSR | Use of the function, using pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
Remote UI [Fax/I-Fax Inbox] | +FAXIN, +DSR | Use of the function, using pointer to the Object. | U.USER | Role | If the role associated with the Subject is Administrator, the Operation is permitted.

6.1.3 Job Output Restriction Functions

6.1.3.1 Delete Job

FMT_MSA.1(delete-job) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].
[assignment: access control SFP(s), information flow control SFP(s)]
- In The Job Access Control SFP in Table 23
[selection: change_default, query, modify, delete, [assignment: other operations]]
- Refer to "Operation" in Table 21.
[assignment: list of security attributes]
- Refer to "Security Attributes" in Table 21.
[assignment: the authorised identified roles]
- Refer to "Role" in Table 21.

Table 21 - Management of security attributes

Security Attributes | Operation | Role
User name | delete, create, query | U.ADMINISTRATOR
PIN of Memory RX Box | modify, create | U.ADMINISTRATOR

APPLICATION NOTE 1.
This Protection Profile does not define any mandatory security attributes, but some may be defined by SFR packages or by the ST Author. The ST Author should define how security attributes are managed. Note that this Protection Profile allows the ST Author to instantiate "Nobody" as an authorized identified role, which makes it possible for the ST Author to state that some management actions (e.g., deleting a security attribute) may not be performed by any User.

FMT_MSA.3(delete-job) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
[assignment: access control SFP, information flow control SFP]
- Common Access Control SFP in Table 22
- In The Job Access Control SFP in Table 23
[selection, choose one of: restrictive, permissive, [assignment: other property]]
- restrictive
FMT_MSA.3.2(delete-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
[assignment: the authorized identified roles]
- Nobody

FDP_ACC.1(delete-job) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 on the list of users as subjects, objects, and operations among subjects and objects covered by the Common Access Control SFP in Table 22.

FDP_ACF.1(delete-job) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 to objects based on the following: the list of users as subjects and objects controlled under the Common Access Control SFP in Table 22, and for each, the indicated security attributes in Table 22.
FDP_ACF.1.2(delete-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the Common Access Control SFP in Table 22 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects.
FDP_ACF.1.3(delete-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
- U.ADMINISTRATOR is authorized to delete any D.DOC/D.FUNC.
- U.ADMINISTRATOR is authorized to modify any +CPY, +SCN, +DSR, +FAXOUT D.FUNC.
FDP_ACF.1.4(delete-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
- None

Table 22 - Common Access Control SFP

Object | Attribute | Operation(s) | Subject | Access control rule
D.DOC | +PRT, +SCN, +CPY, +FAXOUT | Delete | U.NORMAL | Denied, except for his/her own documents
D.DOC | +FAXIN, +DSR | Delete | U.NORMAL | Denied
D.FUNC | +PRT, +SCN, +CPY, +FAXOUT | Modify; Delete | U.NORMAL | Denied, except for his/her own function data
D.FUNC | +FAXIN, +DSR | Modify | U.USER | Denied
D.FUNC | +FAXIN, +DSR | Delete | U.NORMAL | Denied

6.1.3.2 In The Job
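The Common Access Control SFP of Table 22 and the In The Job Access Control SFP of Table 23 (specified in this subsection), together with the explicit authorisation rules of FDP_ACF.1.3(delete-job) and FDP_ACF.1.3(in-job), can be exercised as a single policy decision function. This is an added example, not text of the ST or Canon code; it assumes that U.USER covers both U.NORMAL and U.ADMINISTRATOR, that the "his/her own" check compares the job owner's user name, and uses constructed subjects and objects.

```python
"""Policy decision function for the ST's Table 22 (delete/modify) and
Table 23 (read) access control SFPs.  Constructed example, not Canon code."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    NORMAL = "U.NORMAL"
    ADMINISTRATOR = "U.ADMINISTRATOR"


@dataclass(frozen=True)
class Subject:
    name: str          # identity used for the "his/her own" check (assumed)
    role: Role


@dataclass(frozen=True)
class Obj:
    kind: str          # "D.DOC" (document data) or "D.FUNC" (function data)
    attr: str          # "+PRT", "+SCN", "+CPY", "+FAXOUT", "+FAXIN" or "+DSR"
    owner: str         # user name of the job that created the object (assumed)


CONVENTIONAL = frozenset({"+PRT", "+SCN", "+CPY", "+FAXOUT"})
STORED = frozenset({"+FAXIN", "+DSR"})       # Memory RX Inbox data

# Rows of Table 22 and Table 23.  A row role of None means the row governs
# U.USER, i.e. every user regardless of role (assumption).  "OWN_ONLY" is the
# ST's "Denied, except for his/her own documents / function data".
SFP_ROWS = [
    # Table 22 - Common Access Control SFP
    ("D.DOC",  CONVENTIONAL, "delete", Role.NORMAL, "OWN_ONLY"),
    ("D.DOC",  STORED,       "delete", Role.NORMAL, "DENY"),
    ("D.FUNC", CONVENTIONAL, "modify", Role.NORMAL, "OWN_ONLY"),
    ("D.FUNC", CONVENTIONAL, "delete", Role.NORMAL, "OWN_ONLY"),
    ("D.FUNC", STORED,       "modify", None,        "DENY"),
    ("D.FUNC", STORED,       "delete", Role.NORMAL, "DENY"),
    # Table 23 - In The Job Access Control SFP
    ("D.DOC",  {"+PRT"},     "read",   None,        "OWN_ONLY"),
    ("D.DOC",  {"+SCN"},     "read",   None,        "OWN_ONLY"),
    ("D.DOC",  {"+CPY"},     "read",   None,        "DENY"),
    ("D.DOC",  STORED,       "read",   Role.NORMAL, "DENY"),
    ("D.DOC",  {"+FAXOUT"},  "read",   None,        "OWN_ONLY"),
]


def explicitly_authorised(subject: Subject, obj: Obj, op: str) -> bool:
    """FDP_ACF.1.3(delete-job) and FDP_ACF.1.3(in-job): administrator rules
    that grant access regardless of the table rows."""
    if subject.role is not Role.ADMINISTRATOR:
        return False
    if op == "delete":                       # any D.DOC / D.FUNC
        return True
    if op == "modify" and obj.kind == "D.FUNC":
        return obj.attr in {"+CPY", "+SCN", "+DSR", "+FAXOUT"}
    if op == "read" and obj.kind == "D.DOC":
        return obj.attr in STORED            # +FAXIN / +DSR documents
    return False


def decide(subject: Subject, obj: Obj, op: str) -> bool:
    """Return True if the operation is permitted.

    Explicit authorisation (FDP_ACF.1.3) is checked first, then the SFP rows
    (FDP_ACF.1.2).  FDP_ACF.1.4 lists no explicit denials in this ST and
    FMT_MSA.3 selects restrictive defaults, so anything no row covers is denied.
    """
    if explicitly_authorised(subject, obj, op):
        return True
    for kind, attrs, row_op, row_role, rule in SFP_ROWS:
        if kind != obj.kind or obj.attr not in attrs or row_op != op:
            continue
        if row_role is not None and row_role is not subject.role:
            continue
        if rule == "OWN_ONLY":
            return subject.name == obj.owner
        return False                         # rule == "DENY"
    return False                             # restrictive default


def walkthrough() -> dict:
    """Constructed subjects and objects covering the notable cases."""
    alice = Subject("alice", Role.NORMAL)
    bob = Subject("bob", Role.NORMAL)
    admin = Subject("admin", Role.ADMINISTRATOR)
    print_doc = Obj("D.DOC", "+PRT", owner="alice")
    inbox_doc = Obj("D.DOC", "+FAXIN", owner="alice")
    inbox_func = Obj("D.FUNC", "+FAXIN", owner="bob")
    dsr_func = Obj("D.FUNC", "+DSR", owner="bob")
    return {
        "owner deletes own +PRT D.DOC": decide(alice, print_doc, "delete"),
        "other user deletes +PRT D.DOC": decide(bob, print_doc, "delete"),
        "owner deletes own +FAXIN D.DOC": decide(alice, inbox_doc, "delete"),
        "admin deletes +FAXIN D.DOC": decide(admin, inbox_doc, "delete"),
        "owner reads own +FAXIN D.DOC": decide(alice, inbox_doc, "read"),
        "admin reads +FAXIN D.DOC": decide(admin, inbox_doc, "read"),
        "admin modifies +DSR D.FUNC": decide(admin, dsr_func, "modify"),
        # +FAXIN D.FUNC modify is denied for U.USER and not in the admin rule
        "admin modifies +FAXIN D.FUNC": decide(admin, inbox_func, "modify"),
        # modify of D.DOC appears in neither SFP: restrictive default applies
        "owner modifies own +PRT D.DOC": decide(alice, print_doc, "modify"),
    }


if __name__ == "__main__":
    for case, allowed in walkthrough().items():
        print(f"{case:34s} -> {'permitted' if allowed else 'denied'}")
```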
FDP_ACC.1(in-job) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(in-job) The TSF shall enforce the In The Job Access Control SFP in Table 23 on the list of subjects, objects, and operations among subjects and objects covered by the In The Job Access Control SFP in Table 23.

FDP_ACF.1(in-job) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(in-job) The TSF shall enforce the In The Job Access Control SFP in Table 23 to objects based on the following: the list of subjects and objects controlled under the In The Job Access Control SFP in Table 23, and for each, the indicated security attributes in Table 23.
FDP_ACF.1.2(in-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the In The Job Access Control SFP in Table 23 governing access among Users and controlled objects using controlled operations on controlled objects.
FDP_ACF.1.3(in-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
- U.ADMINISTRATOR is authorized to read any +FAXIN/+DSR D.DOC
FDP_ACF.1.4(in-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
- None

Table 23 - In The Job Access Control SFP

Object | Attribute(s) | Operation | Subject | Access control rule
D.DOC | +PRT | Read | U.USER | Denied, except for his/her own documents
D.DOC | +SCN | Read | U.USER | Denied, except for his/her own documents
D.DOC | +CPY | Read | U.USER | Denied
D.DOC | +FAXIN, +DSR | Read | U.NORMAL | Denied
D.DOC | +FAXOUT | Read | U.USER | Denied, except for his/her own documents

6.1.4 Forward Received Jobs Function

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to any Shared-medium Interface.

6.1.5 HDD Data Erase Function

FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: D.DOC, [assignment: list of objects].
[selection: allocation of the resource to, deallocation of the resource from]
- deallocation of the resource from
[assignment: list of objects]
- None

6.1.6 HDD Data Encryption Function

6.1.6.1 Encryption/Decryption Function

FCS_COP.1(h) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(h) The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
- Encryption of data written to the HDD
- Decryption of data read out from the HDD
[assignment: cryptographic algorithm]
- AES
[assignment: cryptographic key sizes]
- 256 bit
[assignment: list of standards]
- FIPS PUB 197

FPT_CIP_EXP.1 Confidentiality and integrity of stored data
Hierarchical to: No other components.
Dependencies: No dependencies
FPT_CIP_EXP.1.1 The TSF shall provide a function that ensures the confidentiality and integrity of user and TSF data when either is written to [assignment: a Removable Nonvolatile Storage device].
[assignment: a Removable Nonvolatile Storage device]
- HDD
FPT_CIP_EXP.1.2 The TSF shall provide a function that detects and performs [assignment: list of actions] when it detects alteration of user and TSF data when either is written to [assignment: a Removable Nonvolatile Storage device].
[assignment: list of actions]
- no action
[assignment: a Removable Nonvolatile Storage device]
- HDD

APPLICATION NOTE 2. Today many manufacturers are looking at hardware solutions such as fully encrypting disks to meet disk encryption requirements. Some of these drives will not allow data to be written to the drive unless the correct credentials (either the key itself or credentials required to unlock the key stored in a secure area of the drive) are presented. Assuming that this functionality cannot be bypassed, detection of modifications is not a useful function within the TOE and therefore it should be possible to instantiate "no action" in the assignment for the "list of actions" in FPT_CIP_EXP.1.2, arguing that unauthorized modification is prevented by the design of the system. Quote from [PP Guide]

6.1.6.2 Device Identification and Authentication Function

FPT_PHP.1 Passive detection of physical attack
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.
[refinement] physical tampering -> Physical replacement of the HDD and HDD Data Encryption Board
FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred.
[refinement] physical tampering -> Physical replacement of the HDD and HDD Data Encryption Board

6.1.7 LAN Data Protection Function

6.1.7.1 IP Packet Encryption Function

FCS_COP.1(n) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(n) The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
- Encryption of IP packets sent to the LAN
- Decryption of IP packets received from the LAN
[assignment: cryptographic algorithm]
- Refer to "Cryptographic Algorithm" in Table 24.
[assignment: cryptographic key sizes]
- Refer to "Cryptographic Key Sizes" in Table 24.

[assignment: list of standards]
- Refer to "List of Standards" in Table 24.

Table 24 - IPSec cryptographic algorithm, key sizes and standards

| Cryptographic algorithm | Cryptographic key sizes | List of standards |
|---|---|---|
| 3DES-CBC | 168 bit | FIPS PUB 46-3 |
| AES-CBC | 128 bit, 192 bit, 256 bit | FIPS PUB 197 |
| AES-GCM | 128 bit, 192 bit, 256 bit | SP800-38D |

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.

FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.

FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for communication of D.DOC, D.FUNC, D.PROT, and D.CONF over any Shared-medium Interface.

6.1.8 Self-Test Function

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.

FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
[selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]]
- during initial start-up

[selection: [assignment: parts of TSF], the TSF]
- Cryptographic algorithms used with the LAN Data Protection Function (AES, 3DES)

FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].

[selection: [assignment: parts of TSF], TSF data]
- Cryptographic key

FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.

6.1.9 Audit Log Function

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
- Start-up and shutdown of the audit functions;
- All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
- All Auditable Events as each is defined for its Audit Level (if one is specified) for the Relevant SFR in Table 25; [assignment: other specifically defined auditable events].

[selection, choose one of: minimum, basic, detailed, not specified]
- not specified

[assignment: other specifically defined auditable events]
- None

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
- Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
- For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, for each Relevant SFR listed in Table 25: (1) information as defined by its Audit Level (if one is specified), and (2) all Additional Information (if any is required); [assignment: other audit relevant information].

[assignment: other audit relevant information]
- None

Table 25 - Audit data requirements

| Auditable event | Relevant SFR | Audit level | Additional information |
|---|---|---|---|
| Job completion | FDP_ACF.1 | Not specified | Type of job |
| Both successful and unsuccessful use of the authentication mechanism | FIA_UAU.1 | Basic | None required |
| Both successful and unsuccessful use of the user identification mechanism | FIA_UID.1 | Basic | Attempted user identity, if available |
| Use of the management functions | FMT_SMF.1 | Minimum | None required |
| Modifications to the group of users that are part of a role | FMT_SMR.1 | Minimum | None required |
| Changes to the time | FPT_STM.1 | Minimum | None required |
| Termination of an interactive session by the session locking mechanism [5] | FTA_SSL.3 | Minimum | None required |
| Failure of the trusted channel functions | FTP_ITC.1 | Minimum | None required |

FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
[5] See "Section 14.1 IEEE Std 2600.1 Errata" in the PP Guide. In IEEE Std 2600.1 this event is written as "Locking of an interactive session by the session locking mechanism", but the PP Guide notes that this is a transcription error.

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.

[assignment: authorised users]
- U.ADMINISTRATOR

[assignment: list of audit information]
- Refer to the audit logs listed in Table 25.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.

FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.

[selection, choose one of: prevent, detect]
- prevent

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.4.1 The TSF shall [selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.
[selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"]
- "overwrite the oldest stored audit records"

[assignment: other actions to be taken in case of audit storage failure]
- None

6.1.10 Management Function

6.1.10.1 User Management Function

FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].

[assignment: a defined quality metric]
- Use a password 4 to 32 characters in length
- Prohibit the use of 3 or more consecutive characters
- Use at least one uppercase character (A to Z)
- Use at least one lowercase character (a to z)
- Use at least one number (0-9)
- Use at least one non-alphabet character (*-@[]:;,./21"#$%&'Q=-|{+*}_?><)
- Allowed characters
  - All characters other than control characters

FMT_MTD.1(user-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MTD.1.1(user-mgt) The TSF shall restrict the ability to [selection: change default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]].

[selection: change default, query, modify, delete, clear, [assignment: other operations]]
- Refer to "Operation" in Table 26.

[assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL]
- Refer to "TSF Data" in Table 26.
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]]
- Refer to "Role" in Table 26.

Table 26 - User information management

| TSF data | Role | Operation |
|---|---|---|
| User name | U.ADMINISTRATOR | delete, create, query |
| Role | U.ADMINISTRATOR | modify, delete, create, query |
| Passwords | U.ADMINISTRATOR | modify, delete, create |
| Own password | U.NORMAL | modify |

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification

FMT_SMR.1.1 The TSF shall maintain the roles U.ADMINISTRATOR, U.NORMAL, [selection: Nobody, [assignment: the authorised identified roles]].

[selection: Nobody, [assignment: the authorised identified roles]]
- Nobody

FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role "Nobody" to which no user shall be associated.

6.1.10.2 Cryptographic Key Management Function

FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction

FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

[assignment: cryptographic key generation algorithm]
- Cryptographic key generation algorithm according to FIPS PUB 186-2

[assignment: cryptographic key sizes]
- 128 bit, 168 bit, 192 bit, 256 bit

[assignment: list of standards]
- FIPS PUB 186-2

FCS_CKM.2 Cryptographic key distribution
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction

FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards].

[assignment: cryptographic key distribution method]
- DH (Diffie Hellman) and ECDH (Elliptic Curve Diffie Hellman)

[assignment: list of standards]
- SP800-56A

6.1.10.3 Device Management Function

FMT_MTD.1(device-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MTD.1.1(device-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]].

[selection: change_default, query, modify, delete, clear, [assignment: other operations]]
- Refer to "Operation" in Table 27.

[assignment: list of TSF data]
- Refer to "TSF Data" in Table 27.

[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]]
- Refer to "Role" in Table 27.

Table 27 - Device management function

| TSF Data | Role | Operation |
|---|---|---|
| Date/Time settings | U.ADMINISTRATOR | modify |
| HDD Data Erase settings | U.ADMINISTRATOR | query, modify |
| IPSec settings | U.ADMINISTRATOR | query, modify |
| Auto Reset settings | U.ADMINISTRATOR | query, modify |
| Lockout policy settings | U.ADMINISTRATOR | query, modify |
| Password policy settings | U.ADMINISTRATOR | query, modify |
| Audit log | U.ADMINISTRATOR | query, delete |
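The audit trail rules stated in FAU_GEN.1.2 (record content), FAU_GEN.2 (user identity association), FAU_SAR.2 (read access only for U.ADMINISTRATOR), FAU_STG.4 (overwrite the oldest records when full) and the "Audit log: query, delete" row of Table 27, shown together as an added illustration. This is not Canon code; the record layout, the in-memory capacity and the event-name keys are assumptions made for the example.

```python
"""Illustrative audit trail for the SFRs above (added example, not the TOE's implementation)."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Table 25 as a lookup: event key -> (relevant SFR, additional-information key, mandatory?).
# The event keys are constructed for this example; the SFRs and extra fields come from the table.
AUDITABLE_EVENTS = {
    "job_completion": ("FDP_ACF.1", "job_type", True),
    "authentication": ("FIA_UAU.1", None, False),
    "identification": ("FIA_UID.1", "attempted_identity", False),  # "if available"
    "management_function_use": ("FMT_SMF.1", None, False),
    "role_membership_change": ("FMT_SMR.1", None, False),
    "time_change": ("FPT_STM.1", None, False),
    "session_termination": ("FTA_SSL.3", None, False),
    "trusted_channel_failure": ("FTP_ITC.1", None, False),
}

@dataclass(frozen=True)
class AuditRecord:
    timestamp: str            # FPT_STM.1 reliable time stamp (ISO 8601 text assumed here)
    event: str                # type of event
    sfr: str                  # relevant SFR from Table 25
    subject: Optional[str]    # FAU_GEN.2: identity of the user that caused the event, if any
    outcome: str              # "success" or "failure"
    additional: dict = field(default_factory=dict)

class AuditTrail:
    def __init__(self, capacity: int):
        # FAU_STG.4 selection: a bounded deque drops the oldest record when a new one arrives.
        self._records = deque(maxlen=capacity)
        self.overwritten = 0  # count of records lost to overwrite, for the reader's inspection

    def generate(self, timestamp: str, event: str, subject: Optional[str],
                 outcome: str, **additional) -> AuditRecord:
        if event not in AUDITABLE_EVENTS:
            raise ValueError(f"not an auditable event in Table 25: {event}")
        sfr, extra_key, mandatory = AUDITABLE_EVENTS[event]
        if mandatory and extra_key not in additional:
            raise ValueError(f"{event} requires additional information '{extra_key}'")
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure' (FAU_GEN.1.2)")
        rec = AuditRecord(timestamp, event, sfr, subject, outcome, dict(additional))
        if len(self._records) == self._records.maxlen:
            self.overwritten += 1
        self._records.append(rec)
        return rec

    def read(self, role: str) -> list:
        # FAU_SAR.1 / FAU_SAR.2: only U.ADMINISTRATOR has been granted read access.
        if role != "U.ADMINISTRATOR":
            raise PermissionError("audit review is restricted to U.ADMINISTRATOR")
        return list(self._records)

    def delete(self, role: str) -> int:
        # FAU_STG.1 and Table 27: deletion of the audit log is an administrator-only operation.
        if role != "U.ADMINISTRATOR":
            raise PermissionError("audit log deletion is restricted to U.ADMINISTRATOR")
        n = len(self._records)
        self._records.clear()
        return n
```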
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].

[assignment: list of management functions to be provided by the TSF]
- Refer to "Management Function" in Table 28.

Table 28 - The management of security requirements

| Management Function | Operation |
|---|---|
| Date/Time settings | modify |
| HDD Data Erase settings | query, modify |
| IPSec settings | query, modify |
| Auto Reset settings | query, modify |
| Lockout policy settings | query, modify |
| Password policy settings | query, modify |
| Audit log | query, delete |
| Username | delete, create, query |
| Role | modify, delete, create, query |
| Password | modify, delete, create |
| PIN of Memory RX Box | modify, create |
| Own password | modify |

6.2 Security assurance requirements

This section defines the security assurance requirements for the TOE. Table 29 lists the security assurance requirements for 2600.1-PP, Protection Profile for Hardcopy Devices, Operational Environment A, and related SFR packages: EAL 3 augmented by ALC_FLR.2.

Table 29 - 2600.1 Security Assurance Requirements

| Assurance Class | Assurance components |
|---|---|
| ADV: Development | ADV_ARC.1 Security architecture description |
| | ADV_FSP.3 Functional specification with complete summary |
| | ADV_TDS.2 Architectural design |
| AGD: Guidance documents | AGD_OPE.1 Operational user guidance |
Table 29 (continued)

| Assurance Class | Assurance components |
|---|---|
| AGD: Guidance documents | AGD_PRE.1 Preparative procedures |
| ALC: Life-cycle support | ALC_CMC.3 Authorisation controls |
| | ALC_CMS.3 Implementation representation CM coverage |
| | ALC_DEL.1 Delivery procedures |
| | ALC_DVS.1 Identification of security measures |
| | ALC_FLR.2 Flaw reporting procedures (augmentation of EAL3) |
| | ALC_LCD.1 Developer defined life-cycle model |
| ASE: Security Target evaluation | ASE_CCL.1 Conformance claims |
| | ASE_ECD.1 Extended components definition |
| | ASE_INT.1 ST introduction |
| | ASE_OBJ.2 Security objectives |
| | ASE_REQ.2 Derived security requirements |
| | ASE_SPD.1 Security problem definition |
| | ASE_TSS.1 TOE summary specification |
| ATE: Tests | ATE_COV.2 Analysis of coverage |
| | ATE_DPT.1 Testing: basic design |
| | ATE_FUN.1 Functional testing |
| | ATE_IND.2 Independent testing - sample |
| AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis |

6.3 Security functional requirements rationale

6.3.1 The completeness of security requirements

Table 30 provides a mapping of TOE Security Objectives to security functional requirements. It shows how each security functional requirement corresponds to at least one TOE Security Objective. Bold typeface items provide principal (P) fulfillment of the objectives, and normal typeface items provide supporting (S) fulfillment.

Table 30 - The completeness of security requirements (objectives-to-SFR mapping matrix; the matrix itself is not recoverable from the extracted text)

- Allowed characters:
  - All characters other than control characters

[Lockout Policy Settings]
The number of attempts before lockout and the lockout time can be set.
- Number of attempts before lockout: select a value from 1 to 10 (Initial value: 3)
- Lockout time: select a value from 1 to 60 minutes (Initial value: 3 minutes)

END
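The password quality metric from FIA_SOS.1 (section 6.1.10.1) and the lockout policy settings just above, expressed as one added example so the two policies can be exercised together. This is not Canon code: the reading of "3 or more consecutive characters" as three identical characters in a row, the treatment of "non-alphabet" as any non-alphanumeric printable character, and the time handling (seconds as plain floats) are assumptions made for the example.

```python
"""Password quality metric (FIA_SOS.1) and lockout policy, as an added illustration."""
from __future__ import annotations
import unicodedata

def is_control(ch: str) -> bool:
    # Unicode general category Cc is taken as the meaning of "control character" (assumption).
    return unicodedata.category(ch) == "Cc"

def password_violations(pw: str) -> list:
    """Return the FIA_SOS.1 quality rules that pw violates; an empty list means acceptable."""
    v = []
    if not 4 <= len(pw) <= 32:
        v.append("length must be 4 to 32 characters")
    if any(is_control(c) for c in pw):
        v.append("control characters are not allowed")
    # Assumed reading of the "3 or more consecutive characters" rule: e.g. "aaa" is rejected.
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        v.append("3 or more consecutive identical characters")
    if not any("A" <= c <= "Z" for c in pw):
        v.append("at least one uppercase character (A to Z)")
    if not any("a" <= c <= "z" for c in pw):
        v.append("at least one lowercase character (a to z)")
    if not any("0" <= c <= "9" for c in pw):
        v.append("at least one number (0-9)")
    if not any(not c.isalnum() and not is_control(c) for c in pw):
        v.append("at least one non-alphabet character")
    return v

class LockoutPolicy:
    """Attempts before lockout 1..10 (initial value 3); lockout time 1..60 minutes (initial 3)."""
    def __init__(self, attempts: int = 3, lockout_minutes: int = 3):
        if not 1 <= attempts <= 10 or not 1 <= lockout_minutes <= 60:
            raise ValueError("attempts must be 1-10 and lockout time 1-60 minutes")
        self.attempts = attempts
        self.lockout_seconds = lockout_minutes * 60
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> time (seconds) at which the lockout expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:          # lockout period elapsed: clear the counters
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float) -> bool:
        """Return True only when the attempt counts as a successful login (not locked out)."""
        if self.is_locked(user, now):
            return False          # attempts during lockout are refused even with the right secret
        if success:
            self._failures.pop(user, None)
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.attempts:
            self._locked_until[user] = now + self.lockout_seconds
        return False
```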