CRP-C0118-01
Certification Report
Buheita Fujiwara, Chairman
Information-ｔechnology Promotion Agency, Japan
Target of Evaluation
Application date/ID 2007-07-09 (ITC-7160)
Certification No. C0118
Sponsor Konica Minolta Business Technologies, Inc.
Name of TOE Japan: bizhub PRO C5500 / ineo+5500 Gazou
Seigyo Program
Overseas: bizhub PRO C5500 / ineo+5500
Image Control Program
Version of TOE A0E70Y0-00I1-G00-10
PP Conformance None
Conformed Claim EAL3
Developer Konica Minolta Business Technologies, Inc.
Evaluation Facility Mizuho Information & Research Institute, Inc.
Center for Evaluation of Information Security
This is to report that the evaluation result for the above TOE is certified as
follows.
2007-09-27
Haruki Tabuchi, Technical Manager
Information Security Certification Office
IT Security Center
Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following
criteria prescribed in the “IT Security Evaluation and
Certification Scheme”.
- Common Criteria for Information Technology Security Evaluation Version 2.3
(ISO/IEC 15408:2005)
- Common Methodology for Information Technology Security Evaluation
Version 2.3 (ISO/IEC 18045:2005)
Evaluation Result: Pass
“Japan: bizhub PRO C5500 / ineo+5500 Gazou Seigyo Program, Overseas: bizhub
PRO C5500 / ineo+5500 Image Control Program, version: A0E70Y0-00I1-G00-10”
has been evaluated in accordance with the provision of the “IT Security
Certification Procedure” by Information-ｔechnology Promotion Agency, Japan,
and has met the specified assurance requirements.
CRP-C0118-01
Notice:
This document is the English translation version of the Certification Report
published by the Certification Body of Japan Information Technology Security
Evaluation and Certification Scheme.
CRP-C0118-01
Table of Contents
1. Executive Summary ............................................................................... 1
1.1 Introduction ..................................................................................... 1
1.2 Evaluated Product ............................................................................ 1
1.2.1 Name of Product ......................................................................... 1
1.2.2 Product Overview ........................................................................ 1
1.2.3 Scope of TOE and Overview of Operation....................................... 2
1.2.4 TOE Functionality ....................................................................... 3
1.3 Conduct of Evaluation....................................................................... 5
1.4 Certification ..................................................................................... 6
1.5 Overview of Report ............................................................................ 6
1.5.1 PP Conformance.......................................................................... 6
1.5.2 EAL ........................................................................................... 6
1.5.3 SOF ........................................................................................... 6
1.5.4 Security Functions ...................................................................... 6
1.5.5 Threat ........................................................................................ 9
1.5.6 Organizational Security Policy...................................................... 9
1.5.7 Configuration Requirements ........................................................ 9
1.5.8 Assumptions for Operational Environment .................................. 10
1.5.9 Documents Attached to Product ................................................. 10
2. Conduct and Results of Evaluation by Evaluation Facility....................... 12
2.1 Evaluation Methods ........................................................................ 12
2.2 Overview of Evaluation Conducted ................................................... 12
2.3 Product Testing .............................................................................. 12
2.3.1 Developer Testing...................................................................... 12
2.3.2 Evaluator Testing...................................................................... 14
2.4 Evaluation Result ........................................................................... 15
3. Conduct of Certification ....................................................................... 16
4. Conclusion.......................................................................................... 17
4.1 Certification Result ......................................................................... 17
4.2 Recommendations ........................................................................... 17
5. Glossary ............................................................................................. 18
6. Bibliography ....................................................................................... 20
CRP-C0118-01
1
1. Executive Summary
1.1 Introduction
This Certification Report describes the content of certification result in relation to IT
Security Evaluation of “Japan: bizhub PRO C5500 / ineo+5500 Gazou Seigyo Program,
Overseas: bizhub PRO C5500 / ineo+5500 Image Control Program, version:
A0E70Y0-00I1-G00-10” (hereinafter referred to as “the TOE”) conducted by Mizuho
Information & Research Institute, Inc. Center for Evaluation of Information Security
(hereinafter referred to as “Evaluation Facility”), and it reports to the sponsor, Konica
Minolta Business Technologies, Inc.
The reader of the Certification Report is advised to read the corresponding ST and
manuals (please refer to “1.5.9 Documents Attached to Product” for further details)
attached to the TOE together with this report. The assumed environment,
corresponding security objectives, security functional and assurance requirements
needed for its implementation and their summary specifications are specifically
described in ST. The operational conditions and functional specifications are also
described in the document attached to the TOE.
Note that the Certification Report presents the certification result based on assurance
requirements conformed to the TOE, and does not certify individual IT product itself.
Note: In this Certification Report, IT Security Evaluation Criteria and IT
Security Evaluation Method prescribed by IT Security Evaluation and
Certification Scheme are named CC and CEM, respectively.
1.2 Evaluated Product
1.2.1 Name of Product
The target product by this Certificate is as follows:
Name of Product: Japan: bizhub PRO C5500 / ineo+5500 Gazou Seigyo Program
Overseas: bizhub PRO C5500 / ineo+5500 Image Control Program
Version: A0E70Y0-00I1-G00-10
Developer: Konica Minolta Business Technologies, Inc.
1.2.2 Product Overview
This product (Hereinafter referred to as “bizhub PRO C5500 Image Control
Program”∗
1), that is installed on digital MFP (Hereinafter referred to as “bizhub PRO
C5500 Series”) manufactured by Konica Minolta Business Technologies, Inc., is a
software product for the purpose of reducing the risk for disclosure of document data in
bizhub PRO C5500 Series.
bizhub PRO C5500 Image Control Program prevents document data in bizhub PRO
C5500 Series from disclosing during the use of functions such as copier and printer. It
offers the protective function∗
2 with password lock system against the risk of reading
∗
1: shows “bizhub PRO C5500 / ineo+5500 Gazou Seigyo Program” for Japan and “bizhub PRO
C5500 / ineo+5500 Image Control Program” for overseas.
∗
2: HDD has the password so that it cannot be removed and read in another equipment. HDD
lock password is set in the HDD lock function.
CRP-C0118-01
2
data out illegally from HDD (Hard Disk Drive) which is a medium for storing
temporarily document data.
Figure 1-1 shows the expected operating environment with bizhub PRO 5500 Series in
office.
Office
bizhub PRO C5500 Series
Image Control
Program
TOE
Print
Controller
Internal Network
Mail
Server
Client PC Client PC
Firewall
Internet
Modem
External Network
Public
Telephone
Line
Network
Figure 1-1 Operating Environment of bizhub PRO C5500 Series
bizhub PRO C5500 Series including the TOE is connected with an internal network
and a public telephone line network as shown in Figure 1-1. When an external network
is connected, it is connected through a firewall in order to protect each of equipments
in the internal network.
1.2.3 Scope of TOE and Overview of Operation
Figure 1-2 shows the structure of bizhub PRO C5500 Series including the TOE.
CRP-C0118-01
3
bizhub PRO C5500 Series
bizhub PRO C5500 Image Control Program TOE
OS
Hardware
bizhub PRO C5500 Series Main Unit
HDD（Option）
Operation
Panel
RS232C
Interface
Modem
Centronics
Interface
Internal
Network
Control Range of TOE
Administrator Service
（Management Function）
CE Service （CE Function）
Basic Function
User Visible Function
DRAM
Service
Port
Interface
Exclusive
Interface
Public Telephone
Line Network
Print
Controller
CE Function
Management
Function
Printer
Function
Scanner
Function
Copy
Function
Print Function
Temporary Store Document Data
Scan Function
Figure 1-2 TOE Structure
bizhub PRO C5500 Series consists of hardware, OS and bizhub PRO C5500 Image
Control Program. The hardware includes bizhub PRO C5500 Series main unit,
DRAM/HDD section, operation panel, network card, and various interfaces. The HDD
is an optional unit (not equipped as standard). The DRAM/HDD section stores
temporarily document data. The DRAM is not accessed from outside and the temporary
stored data in DRAM is deleted by turning the power off. bizhub PRO C5500 Image
Control Program operates on OS.
The hatching parts in Figure 1-2 show the control range of TOE, namely, each function
provided by the TOE and the storage area of document data controlled by the TOE.
1.2.4 TOE Functionality
The TOE consists of “basic function” that executes copying/printing/scanning of
document data, “management function” that sets the TOE by the administrator, and
“CE function” that executes the initial setting of TOE (Administrator registration and
TOE installation) by the CE ∗
3.
1.2.4.1 Basic function of TOE
Basic functions are scan function and print function. By these functions combination,
copy function, printer function and scanner function are provided for the user.
In copy function, the document data (digitized data) scanned from paper document is
∗
3 Customer Engineer: belongs to the company undertaken to maintain bizhub PRO C5500
Series, and executes maintenance of bizhub PRO 5500 Series.
CRP-C0118-01
4
once stored into the temporary storage area of DRAM/HDD and then printing is
performed after reading out from there. In printer function, the document data from
client PC is converted by the external print controller and is entered to bizhub PRO
C5500 Series. It is once stored into the temporary storage area of DRAM/HDD and
then printing is performed after reading out from there. The document data stored into
the temporary storage DRAM is deleted by turning the power off. In scanner function,
the digitized data scanned from paper document is transmitted to the external print
controller without temporarily storing. Figure 1-3 shows the processing overview of
basic functions.
bizhub PRO C5500 Series
Client
PC
Temporary
Storage
DRAM/HDD
Document
Data
Document
Data
Paper
Document
Basic Function
Print
Controller
Paper
Document
Print
Controller
Document Data
Read Function
Document Data
Output Function
Document
Data
Creation
Input Source Output Destination
Scan
Function
Print
Function
Figure 1-3 Processing Architecture of Basic Function
The following shows user functions and basic functions provided for the user.
No User function Basic function
1 Copy function Scan function and Print function
2 Printer function Print function
3 Scanner function Scan function
The followings are the details of each basic function.
(1) Scan function
The information of paper document that is requested through the operation panel by
general user, is scanned and converted to digitized data. It is stored on the
temporary storage area in copy function, and is directly transmitted to the external
print controller in scan function.
(2) Print function
The document data stored on the temporary storage DRAM/HDD is printed out.
CRP-C0118-01
5
1.2.4.2 Management function
The administrator uses management function to execute administrator password
change, security strengthen mode setting∗
4, TOE network information setting and
operation setting of functions provided by the TOE. In addition, management function
controls information related to operation of digital MFP, such as printing audit
information, controlling the number of prints, troubleshooting, and checking toner
shortage.
1.2.4.3 CE function
The following functions are provided so that the CE can execute the initial setting and
the maintenance for the TOE.
- Service setting mode
The CE executes registration and change of administrator password through the
operation panel.
- CSRS (CS Remote Care)
The CE gets information for the hardware maintenance such as the number of prints,
jam frequency, and toner shortage through a computer connected to public line
network or Internet.
1.3 Conduct of Evaluation
Based on the IT Security Evaluation/Certification Program operated by the
Certification Body, TOE functionality and its assurance requirements are being
evaluated by evaluation facility in accordance with those publicized documents such as
“IT Security Evaluation and Certification Scheme”[2], “IT Security Certification
Procedure”[3] and “Evaluation Facility Approval Procedure”[4].
Scope of the evaluation is as follow.
- Security design of the TOE shall be adequate;
- Security functions of the TOE shall be satisfied with security functional
requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- Above mentioned three items shall be evaluated in accordance with the CC Part 3
and CEM.
More specific, the evaluation facility examined “Multi functional printer (digital
copier) bizhub PRO C5500 / ineo+ 5500 Series Version 2” as the basis design of security
functions for the TOE (hereinafter referred to as “the ST”)[1], the evaluation
deliverables in relation to development of the TOE and the development,
manufacturing and shipping sites of the TOE. The evaluation facility evaluated if the
TOE is satisfied both Annex B of CC Part 1 (either of [5], [8] or [11]) and Functional
Requirements of CC Part 2 (either of [6], [9] or [12]) and also evaluated if the
development, manufacturing and shipping environments for the TOE is also satisfied
with Assurance Requirements of CC Part 3 (either of [7], [10] or [13]) as its rationale.
Such evaluation procedure and its result are presented in “Multi functional printer
(digital copier) bizhub PRO C5500 / ineo+ 5500 Series Evaluation Technical Report”
∗
4 Security strengthen mode is enabled so as to make functions provided by the TOE more
secure condition. In a state of effective security strengthen mode, HDD lock password is
set not to be read/written data. At the time of bizhub PRO C5500 Series power on, the TOE
commands HDD to authenticate and unlock by using the lock password. The HDD confirms
to be the valid TOE and unlocks so as to make reading/writing data possible.
CRP-C0118-01
6
(hereinafter referred to as “the Evaluation Technical Report”) [17]. Further, evaluation
methodology should comply with the CEM (either of [14], [15] or [16]).
1.4 Certification
The Certification Body verifies the Evaluation Technical Report prepared by the
evaluation facility and evaluation evidence materials, and confirmed that the TOE
evaluation is conducted in accordance with the prescribed procedure. Certification
review is also prepared for those concerns found in the certification process.
Evaluation is completed with the Evaluation Technical Report dated 2007-09
submitted by the evaluation facility and those problems pointed out by the
Certification Body are fully resolved and confirmed that the TOE evaluation is
appropriately conducted in accordance with CC and CEM. The Certification Body
prepared this Certification Report based on the Evaluation Technical Report submitted
by the evaluation facility and concluded fully certification activities.
1.5 Overview of Report
1.5.1 PP Conformance
There is no PP to be conformed.
1.5.2 EAL
Evaluation Assurance Level of TOE defined by this ST is EAL3 conformance.
1.5.3 SOF
This ST claims “SOF-basic” as its minimum strength of function.
This TOE assumes the attack capability of attacker to be low level. It assumes to be
operated under the condition secured adequate security in terms of physical and
human aspect. Therefore, the security strength satisfies SOF-Basic that is able to
resist sufficiently the attack from the threat agent with low level attack capability.
1.5.4 Security Functions
Security functions of the TOE are as follow.
(1) Identification and authentication.
Function title Specification of security function
IA.ADM_ADD
Administrator
registration
IA.ADM_ADD registers the administrator in the
TOE. Only the CE operates IA.ADM_ADD. The CE
registers the administrator password.
IA.ADM_ADD provides an interface for
CRP-C0118-01
7
administrator registration. The administrator
registration interface requests password entry for
registering the administrator.
For the password entered by the administrator, the
permitted value is verified according to the
following rules.
- A password shall be 8 characters.
- A password shall be composed of alphabetic capital
letters, small letters, and numerals. (All is
one-byte characters.)
- A password shall not be identical to the previous
password used.
In the verification of permitted value, the
administrator is registered if the rules are obeyed,
and it is rejected if not so.
IA.ADM_AUTH
Administrator
identification and
authentication
Before the operator can use the TOE,
IA.ADM_AUTH identifies that he/she is the
registered administrator in the TOE and
authenticates that he/she is the administrator.
IA.ADM_AUTH does not permit any operation of the
management functions before identification and
authentication of the administrator. The interface
for administrator identification and authentication
requests to enter the password registered by
IA.ADM_ADD and the password changed by
IA.PASS. IA.ADM_AUTH identifies that he/she is
the administrator through the interface display for
administrator identification and authentication,
and it authenticates that he/she is the
administrator by the entered password. When the
administrator enters the password, dummy
characters (*) are displayed instead of the entered
password.
When the authentication is unsuccessful, the
interface for administrator identification and
authentication is provided after five seconds.
IA.CE_AUTH
CE identification
Before the operator can use the TOE, IA.CE_AUTH
identifies that he/she is the registered CE in the
CRP-C0118-01
8
and authentication TOE and authenticates that he/she is the CE.
IA.CE_AUTH does not permit any operate of the CE
functions before identification and authentication of
the CE. It requests to enter the password changed
by IA.PASS. IA.CE_AUTH identifies that he/she is
the CE through the interface display for CE
identification and authentication, and it
authenticates that he/she is the CE by the entered
password. When the CE enters the password,
dummy characters (*) are displayed instead of the
entered password.
When the authentication is unsuccessful, the
interface for CE identification and authentication is
provided after five seconds.
IA.PASS
Password change
IA.PASS changes the administrator password or CE
password that is the authentication information for
administrator or CE.
IA.PASS provides an interface for password change
and requests to
enter a new password.
The following shows the password available to
change depending on the type of user.
CE : CE password, Administrator password
Administrator : Administrator password
For the password entered by the product-related
persons, the permitted value is verified according to
the following rules.
- A password shall be 8 characters.
- A password shall be composed of alphabetic capital
letters, small letters, and numerals. (All is
one-byte characters.)
- A password shall not be identical to the previous
password used.
In the verification of permitted value, the password
is changed if the rules are obeyed.
(2) Management support
CRP-C0118-01
9
Function title Specification of security function
MNG.MODE
Setting of security
strengthen mode
MNG.MODE permits and executes only for the
administrator to enable or disable the security
strengthen mode.
MNG.HDD
HDD lock password
function
MNG.HDD permits and executes only for the
administrator the following processing.
- Change of HDD lock password
For the HDD lock password entered by the
administrator, the permitted value is verified
according to the following rules.
- A password shall be 8 to 32 characters.
- A password shall be composed of alphabetic capital
letters, small letters, and numerals. (All is
one-byte characters.)
In the verification of permitted value, the HDD lock
password is set or changed in the HDD device if the
rules are obeyed, and the change is rejected if not
so.
1.5.5 Threat
This TOE assumes such threats presented in Table 1-1 and provides functions for
countermeasure to them.
Table 1-1 Assumed Threats
Identifier Threat
T.HDDACCESS
(Unauthorized access
to the HDD)
When a general user changes the setting on
security strengthen mode and connects the HDD
with an illegal device, the document data is read
out.
1.5.6 Organizational Security Policy
There is no required security policy of the organization upon use of the TOE.
1.5.7 Configuration Requirements
The TOE is a software product installed on bizhub PRO C5500 Series.
The TOE is installed as a security function at time of bizhub PRO C5500 Series.
CRP-C0118-01
10
1.5.8 Assumptions for Operational Environment
Assumptions required in environment using this TOE presents in the Table 1-2.
The effective performance of the TOE security functions are not assured unless these
preconditions are satisfied.
Table 1-2 Assumptions in Use of the TOE
Identifier Assumptions
ASM.SECMOD
(Operating setting
condition for the
security strengthen
mode)
- The administrator enables the security
strengthen mode.
- bizhub PRO C5500 Series mounts an optional
HDD.
ASM.NET
(Setting condition for
the internal network)
- When the internal network with bizhub PRO
C5500 Series including the TOE is connected to
the external network, bizhub PRO C5500 Series
cannot be accessed by the external network.
ASM.ADMIN
(Reliable
administrator)
- The administrator shall not carry out an illegal
act.
ASM.CE
(Personal condition
for the CE)
- The CE shall not carry out an illegal act.
ASM.SECRET
(Operational
condition on the
confidential
information)
- When the TOE is used, the administrator
password and HDD lock password shall not be
disclosed by the administrator.
- The CE password shall not be disclosed by the
CE.
1.5.9 Documents Attached to Product
Documents attached to the TOE are listed below.
• Japanese version
<Manuals for CE>
- bizhub PRO C5500 Installation Manual A0E7956000
- bizhub PRO C6500 / C6500P / C5500 Service Manual Field Service
CCA0E7-M-FJ2-0000
<Manuals for Administrator>
- bizhub PRO C5500 User’s Guide Copier A0E7955000
- bizhub PRO C5500 User’s Guide POD Administrator’s Reference A0E7957000
- bizhub PRO C5500 User’s Guide Security A0E7955500
• Overseas version
<Manuals for CE>
- bizhub PRO C5500 INSTALLATION MANUAL A0E7956200
- bizhub PRO C6500 / C6500P / C5500 SERVICE MANUAL Field Service
CCA0E7-M-FE2-0000
- COLOR MFP 55ppm INSTALLATION MANUAL A0E7956300
CRP-C0118-01
11
<Manuals for Administrator>
- bizhub PRO C5500 User’s Guide Copier A0E7955100
- bizhub PRO C5500 User’s Guide POD Administrator’s Reference A0E7957100
- bizhub PRO C5500 User’s Guide Security A0E7955600
- ineo+5500 User’s Guide [Copier] A0E7959500
- ineo+5500 User’s Guide [POD Administrator’s Reference] A0E7959700
- ineo+5500 User’s Guide [Security] A0E7959600
CRP-C0118-01
12
2. Conduct and Results of Evaluation by Evaluation Facility
2.1 Evaluation Methods
Evaluation was conducted by using the evaluation methods prescribed in CEM in
accordance with the assurance requirements in CC Part 3. Details for evaluation
activities are report in the Evaluation Technical Report. It described the description of
overview of the TOE, and the contents and verdict evaluated by each work unit
prescribed in CEM.
2.2 Overview of Evaluation Conducted
The history of evaluation conducted was present in the Evaluation Technical Report as
follows.
Evaluation has started on 2007-07 and concluded by completion the Evaluation
Technical Report dated 2007-09. The evaluation facility received a full set of
evaluation deliverables necessary for evaluation provided by developer, and examined
the evidences in relation to a series of evaluation conducted. Additionally, the
evaluation facility directly visited the development and manufacturing sites on
2007-08 and examined procedural status conducted in relation to each work unit for
configuration management, delivery and operation and lifecycle by investigating
records and staff hearing. Further, the evaluation facility executed sampling check of
conducted testing by developer and evaluator testing by using developer testing
environment at developer site on 2007-08.
Concerns found in evaluation activities for each work unit were all issued as
Observation Report and were reported to developer. These concerns were reviewed by
developer and all problems were solved eventually.
As for concerns indicated during evaluation process by the Certification Body, the
certification review was sent to the evaluation facility. These were reflected to
evaluation after investigation conducted by the evaluation facility and the developer.
2.3 Product Testing
Overview of developer testing evaluated by evaluator and evaluator testing conducted
by evaluator are as follows.
2.3.1 Developer Testing
1) Developer Test Environment
Test configuration performed by the developer is showed in the Figure 2-1.
CRP-C0118-01
13
Office
bizhub PRO C5500 Series
Image Control
Program
TOE
Print
Controller
Internal Network
Mail
Server
Client PC Client PC
Firewall
Internet
Modem
External Network
Public
Telephone
Line
Network
Figure 2-1 Configuration of Developer Testing
2) Outlining of Developer Testing
Outlining of the testing performed by the developer is as follow.
a. Test configuration
Test configuration performed by the developer is showed in the Figure 2-1.
Developer testing was performed at the same TOE testing environment with the
TOE configuration identified in ST.
- Test machine
bizhub PRO C5500 / ineo+5500
More than one unit is prepared for a part of test.
- Test environment
Network: Connected to Ethernet environment (10Base-T)
Client PC: WindowsXP (Japanese version/English version)
Application: Internet Explorer (Ver.6)
Mail server: Connected to internal network
Print controller: IC-408 (built-in type)
(Print controller is not essential because it does not relate to this test.)
b. Testing Approach
For the testing, following approach was used.
1. The operation of security functions is confirmed by the operation of TSFI.
2. If testing of TSFI and subsystem interface cannot be performed by the
operation through the external interface directly connected to bizhub PRO
C5500 Series, it is performed with methods by indirectly stimulating the
interface.
3. For the observation of test behavior, the direct confirmation is performed if it
can be confirmed by the external TSFI, the behavior of test results is
confirmed by using a measuring equipment if it can not be observed.
CRP-C0118-01
14
4. By comparing the expected behavior with the actual test results obtained at
test execution, whether the test objects are achieved or not, are determined.
c. Scope of Testing Performed
Testing is performed 22 items by the developer.
The coverage analysis is conducted and it is verified that all the security
functions and external interfaces stipulated in the function specifications are
satisfactorily tested. The depth analysis is conducted and it is verified that all
the subsystems and subsystem interfaces stipulated in the high level design are
satisfactorily tested.
d. Result
The evaluator confirmed consistencies between the expected test results and the
actual test results provided by the developer. The evaluator confirmed the
execution method of the developer test and the legitimacy of the executed items,
and confirmed that the execution method and execution results are consistent
with those shown in the test plan.
2.3.2 Evaluator Testing
1) Evaluator Test Environment
Test configuration performed by the evaluator is showed in the Figure 2-2.
Figure 2-2 Configuration of Evaluator Testing
Test configuration performed by the evaluator differs from the configuration in the
ST, however it is judged to be equivalence them for the following reason.
There is no function that accesses the TOE by the internal network in a state of
effective security strengthen mode, thus, whether to connect with the network does
not affect the test. Therefore, it can be judged that the configuration performed by
the evaluator without network connection is equivalence TOE configuration
identified in ST.
2) Outlining of Evaluator Testing
Outlining of testing performed by the evaluator is as follow.
a. Test configuration
Test configuration performed by the evaluator is showed in the Figure 2-2. The
CRP-C0118-01
15
evaluator test is performed for the TOE configured following bizhub PRO C5500
Installation Manual.
b. Testing Approach
For the testing, following approach was used.
1. The operation of security functions is confirmed by the operation of TSFI.
2. If testing of TSFI and subsystem interface cannot be performed by the
operation through the external interface directly connected to bizhub PRO
C5500 Series, it is performed with methods by indirectly stimulating the
interface.
3. For the observation of test behavior, the direct confirmation is performed if it
can be confirmed by the external TSFI, the behavior of test results is
confirmed by using a measuring equipment if it can not be observed.
4. By comparing the expected behavior with the actual test results obtained at
test execution, whether the test objects are achieved or not, are determined.
c. Scope of Testing Performed
The evaluator performed 20 tests in total: 5 independent tests, 8 sampled
developer tests and 7 intrusion tests. As the selection criteria of the test item,
the followings are taken into account.
<Independent test>
1. Security function that enters security parameter.
2. Function used from Web interface found by the examination of guidance and
functional specifications.
3. Security function about the effectiveness of HDD lock password.
<Sampled developer test>
1. Exceed 20% of the total developer test items.
2. Cover all security functions without specifying any security function.
3. Include function needed to operate prior to security strengthen mode on.
<Intrusion test>
1. Function that should be made invalid in security strengthen mode.
2. Measure to make security strengthen mode invalid.
3. Occurrence of unsecured condition by operating security strengthen mode
on/off.
4. Occurrence of unsecured condition by pressing Reset button on the operation
panel.
5. Occurrence of unsecured condition by intruding from network.
6. Start-up at unsecured condition by installing HDD that is not set lock
password on MFP activated security strengthen mode.
d. Result
All evaluator testing conducted is completes correctly and could confirm the
behavior of the TOE. The evaluator also confirmed that all the test results are
consistent with the behavior.
2.4 Evaluation Result
The evaluator had the conclusion that the TOE satisfies all work units prescribed in
CEM by submitting the Evaluation Technical Report.
CRP-C0118-01
16
3. Conduct of Certification
The following certification was conducted based on each materials submitted by
evaluation facility during evaluation process.
1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall properly be reflected.
3. Evidential materials submitted were sampled, its contents were examined, and
related work units shall be evaluated as presented in the Evaluation Technical
Report.
CRP-C0118-01
17
4. Conclusion
4.1 Certification Result
The Certification Body verified the Evaluation Technical Report, the Observation
Report and the related evaluation evidential materials submitted and confirmed that
all evaluator action elements required in CC Part 3 are conducted appropriately to the
TOE. The Certification Body verified the TOE is satisfied the EAL3 assurance
requirements prescribed in CC Part 3.
4.2 Recommendations
None
CRP-C0118-01
18
5. Glossary
The abbreviations used in this report are listed below.
CC: Common Criteria for Information Technology Security
Evaluation
CE: Customer Engineer
CEM: Common Methodology for Information Technology Security
Evaluation
CSRC: CS Remote Care
DRAM: Dynamic Random Access Memory
EAL: Evaluation Assurance Level
HDD: Hard Disk Drive
OS: Operating System
PP: Protection Profile
SOF: Strength of Function
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions
The glossaries used in this report are listed below.
Administrator: Administrator belongs to the organization that introduces
bizhub PRO C5500 Series, and performs the operational
management of bizhub PRO C5500 Series.
Centronics interface: Interface to connect with maintenance computer when
setting and creating the TOE.
Document data: Digitized information data such as characters and figures.
External network: Network (e.g. Internet and so on) except the internal
network.
HDD lock function: HDD has the password so that it cannot be removed and
read in another equipment.
HDD lock password: HDD lock password is set in the HDD lock function.
Internal network: LAN in an organization that introduces bizhub PRO C5500
Series. Connected with the client PC and several servers
CRP-C0118-01
19
such as Mail server and FTP server.
Operation panel: Touch panel display and operation buttons integrated into
main frame of bizhub PRO C5500 Series.
Paper document: Paper-based document with information such as characters
and figures.
RS232C interface: Interface to connect with Public Telephone Line Network
through modem.
Service port interface: Interface to connect with maintenance computer when
setting and creating the TOE.
Temporary storage: Input document data is stored temporarily into DRAM/HDD
until it is printed as paper document.
CRP-C0118-01
20
6. Bibliography
[1] Multi functional printer (digital copier) bizhub PRO C5500 / ineo+5500 Series
Security Target Version 2 (August 10, 2007) Konica Minolta Business
Technologies, Inc.
[2] IT Security Evaluation and Certification Scheme, May 2007,
Information-technology Promotion Agency, Japan CCS-01
[3] IT Security Certification Procedure, May 2007, Information-technology
Promotion Agency, Japan CCM-02
[4] Evaluation Facility Approval Procedure, May 2007, Information-technology
Promotion Agency, Japan CCM-03
[5] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001
[6] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002
[7] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003
[8] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001
(Translation Version 1.0 December 2005)
[9] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002
(Translation Version 1.0 December 2005)
[10] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003
(Translation Version 1.0 December 2005)
[11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques -
Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:2005 - Information technology - Security techniques -
Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:2005 - Information technology - Security techniques -
Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] Common Methodology for Information Technology Security Evaluation:
Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004
[15] Common Methodology for Information Technology Security Evaluation:
Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004
(Translation Version 1.0 December 2005)
[16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology
for IT security evaluation
CRP-C0118-01
21
[17] Multi functional printer (digital copier) bizhub PRO C5500 / ineo+5500 Series
Evaluation Technical Report Version 1.0, September 11, 2007, Mizuho
Information & Research Institute, Inc. Center for Evaluation of Information
Security