CRP-C0212-01

Certification Report

Koji Nishigaki, Chairman
Information-technology Promotion Agency, Japan

Target of Evaluation

Application date/ID: 2008-03-28 (ITC-8219)
Certification No.: C0212
Sponsor: Konica Minolta Business Technologies, Inc.
Name of TOE:
  Japan : bizhub PRO 950 Zentai Seigyo Software
  Overseas : bizhub PRO 950 Control Software
Version of TOE:
  Image Control Program(Image Control I1) : 00I1-G00-10
  Controller Control Program(IC Controller P) : 00P1-G00-11
PP Conformance: None
Conformed Claim: EAL3
Developer: Konica Minolta Business Technologies, Inc.
Evaluation Facility: Information Technology Security Center Security Evaluation Division

This is to report that the evaluation result for the above TOE is certified as follows.

2009-04-21
Takumi Yamasato, Technical Manager
Information Security Certification Office
IT Security Center

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the "IT Security Evaluation and Certification Scheme".
- Common Criteria for Information Technology Security Evaluation Version 2.3 (ISO/IEC 15408:2005)
- Common Methodology for Information Technology Security Evaluation Version 2.3 (ISO/IEC 18045:2005)

Evaluation Result: Pass

"Japan : bizhub PRO 950 Zentai Seigyo Software(Image Control Program (Image Control I1) : 00I1-G00-10, Controller Control Program (IC Controller P) : 00P1-G00-11), Overseas : bizhub PRO 950 Control Software (Image Control Program (Image Control I1) : 00I1-G00-10, Controller Control Program (IC Controller P) : 00P1-G00-11)" has been evaluated in accordance with the provision of the "IT Security Certification Procedure" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements.

Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme.
Table of Contents

1. Executive Summary
  1.1 Introduction
  1.2 Evaluated Product
    1.2.1 Name of Product
    1.2.2 Product Overview
    1.2.3 Scope of TOE and Overview of Operation
    1.2.4 TOE Functionality
  1.3 Conduct of Evaluation
  1.4 Certificate of Evaluation
  1.5 Overview of Report
    1.5.1 PP Conformance
    1.5.2 EAL
    1.5.3 SOF
    1.5.4 Security Functions
    1.5.5 Threat
    1.5.6 Organisational Security Policy
    1.5.7 Configuration Requirements
    1.5.8 Assumptions for Operational Environment
    1.5.9 Documents Attached to Product
2. Conduct and Results of Evaluation by Evaluation Facility
  2.1 Evaluation Methods
  2.2 Overview of Evaluation Conducted
  2.3 Product Testing
    2.3.1 Developer Testing
    2.3.2 Evaluator Testing
  2.4 Evaluation Result
3. Conduct of Certification
4. Conclusion
  4.1 Certification Result
  4.2 Recommendations
5. Glossary
6. Bibliography

1. Executive Summary

1.1 Introduction

This Certification Report describes the content of certification result in relation to IT Security Evaluation of "Japan : bizhub PRO 950 Zentai Seigyo Software(Image Control Program (Image Control I1) : 00I1-G00-10, Controller Control Program (IC Controller P) : 00P1-G00-11), Overseas : bizhub PRO 950 Control Software (Image Control Program (Image Control I1) : 00I1-G00-10, Controller Control Program (IC Controller P) : 00P1-G00-11)" (hereinafter referred to as "the TOE") conducted by Information Technology Security Center, Security Evaluation Division (hereinafter referred to as "Evaluation Facility"), and it reports to the sponsor, Konica Minolta Business Technologies, Inc.
The reader of the Certification Report is advised to read the corresponding ST and manuals (please refer to "1.5.9 Documents Attached to Product" for further details) attached to the TOE together with this report. The assumed environment, corresponding security objectives, security functional and assurance requirements needed for its implementation and their summary specifications are specifically described in the ST. The operational conditions and functional specifications are also described in the document attached to the TOE.

Note that the Certification Report presents the certification result based on assurance requirements conformed to the TOE, and does not certify the individual IT product itself.

Note: In this Certification Report, IT Security Evaluation Criteria and IT Security Evaluation Method prescribed by IT Security Evaluation and Certification Scheme are named CC and CEM, respectively.

1.2 Evaluated Product

1.2.1 Name of Product

The target product of this Certificate is as follows:

Name of Product:
  Japan: bizhub PRO 950 Zentai Seigyo Software
  Overseas: bizhub PRO 950 control software
Version:
  Japan: Gazou seigyo program (Gazou seigyo I1): 00I1-G00-10
         Controller seigyo program (IC Controller P): 00P1-G00-11
  Overseas: Image Control Program (Image Control I1): 00I1-G00-10
            Controller Control Program (IC Controller P): 00P1-G00-11
Developer: Konica Minolta Business Technologies, Inc.

1.2.2 Product Overview

This product (hereafter called "bizhub PRO 950 control software(*1)"), which is installed in the digital MFP (hereafter called "bizhub PRO 950 series") manufactured by Konica Minolta Business Technologies, Inc., is a software product whose purpose is to reduce the danger of disclosure of the document data stored for every user. bizhub PRO 950 control software prevents the document data from being disclosed during the use of functions such as copier and printer.
To protect the document data, it has a "User BOX" function and a variety of management capabilities, additional highly confidential HDD (Hard Disk Drive) with lock system(*2) to store the document.

bizhub PRO 950 control software is provided with bizhub PRO 950 series. Fig 1-1 shows the expected operating environment with bizhub PRO 950 series in an office.

(*1) "bizhub PRO 950 zentai seigyo software" for Japan and "bizhub PRO 950 control software" for overseas are the same product under different names.
(*2) The HDD has a password so that the hard disk cannot be removed and read in other equipment. The HDD lock password is set in the hard disk lock function.

Figure 1-1 Operating Environment of bizhub PRO 950 series

bizhub PRO 950 series including the TOE is connected with the internal network and the public telephone line network as shown in Figure 1-1. The internal network is connected with the client PC of the general user, the mail server and the FTP server, to which bizhub PRO 950 series sends the data. The TOE does not have an interface with the external network. The TOE is connected with the external network only through a Firewall, so as to protect each piece of equipment on the internal network.

1.2.3 Scope of TOE and Overview of Operation

Figure 1-2 shows the structure of bizhub PRO 950 series including the TOE.
Figure 1-2 TOE Structure (diagram; labels include bizhub PRO 950 main unit, print controller, HDD1, HDD2, operation panel, network card, USB interface1, USB interface2, RS232C interface, modem, public telephone line network, internal network, image control program, controller control program, OS(VxWorks5.4), User BOX, document data file, document data temporary storage, and the control range of TOE)

bizhub PRO 950 series consists of the hardware and bizhub PRO 950 control software. The components of bizhub PRO 950 control software are the image control program and the controller control program. The hardware consists of bizhub PRO 950 series main unit, print controller, HDD1, HDD2, operation panel, and network card. The HDD1 is the storage device that stores the data (temporary storage is also possible). The HDD2 is the storage device that temporarily stores the data.

The TOE is bizhub PRO 950 control software and it operates with the OS. The hatched parts in Fig. 1-2 show the control range of the TOE, namely, each function included in the TOE and the area of data extension created by the TOE.
1.2.4 TOE Functionality

The TOE consists of the "basic function" that operates the document data stored in the document data file of the User BOX, the "management function" by which the administrator sets the TOE, and the "CE function" by which the CE(*3) executes the initial setting of the TOE (Registration of administrator and Installation of TOE).

(*3) Customer Engineer is a person who is enrolled at the company that undertakes the maintenance of bizhub PRO 950 series, and carries out the maintenance of bizhub PRO 950 series.

1.2.4.1 Basic function of TOE

Basic functions are used to operate the document data. The User BOX is identified by the User BOX identifier, and the User BOX password is set for every User BOX so as to confirm the validity of the owner (general user) of each User BOX. The valid owner of a User BOX can access all the document data in his/her User BOX. Fig 1-3 shows the processing overview of basic functions.

The Sub BOX is created in the User BOX, and the document data is stored together into the Sub BOX.

Figure 1-3 Processing Architecture of Basic Function

The following are the details of each function.

(1) Scanning function
By operating from the operation panel, the information of a paper document is read from the scanner, converted to the document data, and stored into the HDD1 temporary storage or DRAM temporary storage.

(2) PC data receiving function
The document data from the client PC is stored into the HDD2 temporary storage, executed the data exchange, and stored into the HDD1 temporary storage or DRAM temporary storage.

(3) BOX storage function
The temporary document data in the HDD1 temporary storage or in the DRAM temporary storage is stored into the User BOX additionally.

(4) BOX readout function
The document data in the User BOX is temporarily read out to the HDD1 temporary storage or DRAM temporary storage.

(5) Printing function
The temporary document data in the HDD1 temporary storage or in the DRAM temporary storage is printed out.
(6) Email function
The document data obtained by the scanning function, which is stored temporarily into the HDD1 temporary storage or DRAM temporary storage, is attached to a mail via the HDD2 temporary storage, and sent to the mail server.

(7) FTP function
The document data obtained by the scanning function, which is stored temporarily into the HDD1 temporary storage or DRAM temporary storage, is sent to the FTP server via the HDD2 temporary storage.

(8) SMB function
The document data obtained by the scanning function, which is stored temporarily into the HDD1 temporary storage or DRAM temporary storage, is sent via the HDD2 temporary storage to the shared folder of a PC that is connected with the internal network.

(9) Deletion function
The document data in the User BOX, associated with the User BOX identifier, is deleted.

1.2.4.2 Management function

The administrator conducts the operational setting for the TOE functions through this management function. Moreover, the management function controls the related information for the operation of the digital MFP, such as the creation/attribution change/deletion of User BOX, the printing of audit information, the initialization process of HDD1 and HDD2 (setting of HDD lock password), and the management of troubleshooting/toner/number of prints.

1.2.4.3 CE function

The following function is provided so that the CE can execute the initial setting and the maintenance for the TOE.

- Service setting mode
  By operating from the operation panel, the CE executes the registration and change of the administrator password by using the function of service setting mode.
1.3 Conduct of Evaluation

Based on the IT Security Evaluation/Certification Program operated by the Certification Body, TOE functionality and its assurance requirements are being evaluated by the evaluation facility in accordance with publicized documents such as "IT Security Evaluation and Certification Scheme"[2], "IT Security Certification Procedure"[3] and "Evaluation Facility Approval Procedure"[4].

The scope of the evaluation is as follows.

- Security design of the TOE shall be adequate;
- Security functions of the TOE shall satisfy the security functional requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- The above mentioned three items shall be evaluated in accordance with the CC Part 3 and CEM.

More specifically, the evaluation facility examined "Multi functional printer (digital copier) bizhub PRO 950 Security Target" as the basis design of security functions for the TOE (hereinafter referred to as "the ST")[1], the evaluation deliverables in relation to development of the TOE, and the development, manufacturing and shipping sites of the TOE. The evaluation facility evaluated whether the TOE satisfies both Annex B of CC Part 1 (either of [5], [8] or [11]) and Functional Requirements of CC Part 2 (either of [6], [9] or [12]), and also evaluated whether the development, manufacturing and shipping environments for the TOE satisfy the Assurance Requirements of CC Part 3 (either of [7], [10] or [13]) as its rationale. This evaluation procedure and its result are presented in "bizhub PRO 950 Zentai Seigyo Software Evaluation Technical Report" (hereinafter referred to as "the Evaluation Technical Report") [17]. Further, evaluation methodology should comply with the CEM (either of [14], [15] or [16]).
1.4 Certification

The Certification Body verified the Evaluation Technical Report and Observation Report prepared by the evaluation facility and the evaluation evidence materials, and confirmed that the TOE evaluation is conducted in accordance with the prescribed procedure. A certification review was also prepared for the concerns found in the certification process. Evaluation was completed with the Evaluation Technical Report dated 2009-04 submitted by the evaluation facility; the problems pointed out by the Certification Body were fully resolved, and it was confirmed that the TOE evaluation is appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the evaluation facility and fully concluded the certification activities.

1.5 Overview of Report

1.5.1 PP Conformance

There is no PP to be conformed.

1.5.2 EAL

Evaluation Assurance Level of TOE defined by this ST is EAL3 conformance.

1.5.3 SOF

This ST claims "SOF-basic" as its minimum strength of function. This TOE assumes the attack capability of the general user to be low level. It is assumed that this TOE is operated under conditions that secure adequate physical and human security. Therefore, SOF-Basic, which can adequately resist attacks from a threat agent with low-level attack capability, is valid for the security strength.

1.5.4 Security Functions

Security functions of the TOE are as follows.

(1) Identification and authentication

Function title: IA.ADM_ADD Registration of administrator
Security function: Only the CE can operate it. The administrator is registered in the TOE by registering the administrator password. The administrator is registered if the password obeys the specification, and it is rejected if not so.
Function title: IA.ADM_AUTH Identification and authentication of administrator
Security function: Before the operator uses the TOE, he/she is identified to be the registered administrator in the TOE and authenticated to be the valid administrator. The operations of all the management functions are not permitted before the identification and authentication of administrator. By accessing the interface for the authentication of administrator by the operator, he/she is identified to be the administrator, and authenticated to the valid administrator using the entered password. In case of unsuccessful authentication, the access is prohibited for five seconds.

Function title: IA.CE_AUTH Identification and authentication of CE
Security function: Before the operator uses the TOE, he/she is identified to be the registered CE in the TOE and authenticated to be the valid CE. The operations of all the CE functions are not permitted before the identification and authentication of CE. By using the interface for the authentication of CE and the entered password by the operator, he/she is authenticated to be the valid CE. In case of unsuccessful authentication, the access is prohibited for five seconds.

Function title: IA.PASS Change of password
Security function: The passwords of administrator, CE, and User BOX are changed. The interface for password change is provided and entering the new password is required. The following shows the changeable passwords by the type of user.
  CE : CE password, Administrator password
  Administrator : User BOX password, Administrator password
  General user who owns User BOX : User BOX password of own User BOX
The password is changed if it obeys the specification, and it is rejected if not so.

(2) Access control

Function title: ACL.USR Access rule and control to general user
Security function: The general user who owns User BOX is identified and authenticated. After he/she is authenticated to be the valid user, the operable coverage for the general user is limited according to the following access rules.
The general user who owns User BOX is identified and authenticated by the User BOX identifier and User BOX password. The following operation is permitted for only the User BOX that corresponds to the User BOX identifier of the general user who owns User BOX.
- Reading out and printing of document
In case of unsuccessful identification and authentication, the identification and authentication trials are prohibited for five seconds.

(3) Audit

Function title: AUD.LOG Record of audit information
Security function: The audit information regarding the action of security functions is recorded. Auditable events are as follows.
- Startup and shutdown of audit functions
- Success and failure in identifying and authenticating of administrator, CE, general user who owns User BOX
- Success in registering password of administrator and general user who owns User BOX
- Success in changing password and HDD lock password of administrator, CE, and general user who owns User BOX
- Success in reading out of document data

Function title: AUD.MNG Management of audit area
Security function: The area of audit storage is controlled by ring buffer format in order to create and store the audit information.

(4) Management support

Function title: MNG.MODE Setting of security reinforcement mode
Security function: Only the administrator is permitted the function to stop the security reinforcement mode.

Function title: MNG.ADM Management support function (Administrator)
Security function: The following operations are permitted and executed by only the administrator.
- Creation of User BOX, registration of User BOX identifier, and setting of User BOX password
- Inquiry of audit information
The registration is executed if the User BOX password obeys the specification, it is not rejected if not so.

Function title: MNG.HDD HDD lock password function
Security function: The following operations are permitted and executed by only the administrator.
- Change of HDD lock password
The HDD lock password is set and changed to HDD device if the User BOX password obeys the specification, they are rejected if not so.

1.5.5 Threat

This TOE assumes the threats presented in Table 1-1 and provides functions as countermeasures to them.

Table 1-1 Assumed Threats

Identifier: T.ACCESS (Unauthenticated access to the BOX)
Threat: When a general user uses the user function from the operation panel, there is a possible threat of disclosing the document data that another general user owns in his/her User BOX.

Identifier: T.HDDACCESS (Unauthenticated access to the HDD)
Threat:
- When a general user connects the HDD1 with an illegal device, there is a possible threat of disclosing the document data in the HDD1.
- When a general user connects the HDD2 with an illegal device, there is a possible threat of disclosing the document data in the HDD2.

Identifier: T.IMPADMIN (Impersonation of the CE and administrator)
Threat: When a general user illegally uses the interfaces for CE function and administrator function, there is a possible threat of disclosing the document data.

1.5.6 Organizational Security Policy

There is no organizational security policy required for use of the TOE.

1.5.7 Configuration Requirements

The TOE is a software product installed to bizhub PRO 950 series. The TOE is installed as a security function at time of bizhub PRO 950 series shipping or built-in configuration on user site by Web downloading from CE.

1.5.8 Assumptions for Operational Environment

Table 1-2 shows the assumptions in the environment where this TOE is used. When these assumptions are not fulfilled, effective operation of the security functions for the TOE is not assured.

Table 1-3 Assumptions in Use of the TOE

Identifier: ASM.PLACE (Installation condition for the TOE)
Assumption: The TOE shall be installed in the area where only the product-related person can operate.
Identifier: ASM.NET (Setting condition for the internal network)
Assumption: The TOE shall be connected with the internal network that the disclosure of document data will not occur.

Identifier: ASM.ADMIN (Reliable administrator)
Assumption: The administrator shall not carry out an illegal act.

Identifier: ASM.CE (Personal condition for the CE)
Assumption: The CE shall not carry out an illegal act.

Identifier: ASM.USR (Management of the general user)
Assumption: The general user shall not disclose his/her own User BOX password.

1.5.9 Documents Attached to Product

The documents attached to this TOE are shown as follows.

- Japanese version
  - bizhub PRO 950 Installation Manual A0Y5961011
  - bizhub PRO 950 Service Manual Field Service CCA0Y5-M-FJ1-0550
  - bizhub PRO 950 User's Guide Copier A0Y5955600
  - bizhub PRO 950 User's Guide Network Scanner A0Y5960000
  - bizhub PRO 950 User's Guide POD Administrator's Reference A0Y5956100
  - bizhub PRO 950 User's Guide Security A0Y5956600
- Overseas version
  - bizhub PRO 950 INSTALLATION MANUAL A0Y5961111
  - bizhub PRO 950 SERVICE MANUAL Field Service CCA0Y5-M-FE1-0510
  - bizhub PRO 950 User's Guide Copier A0Y5955700
  - bizhub PRO 950 User's Guide Network Scanner A0Y5960100
  - bizhub PRO 950 User's Guide POD Administrator's Reference A0Y5956200
  - bizhub PRO 950 User's Guide Security A0Y5956700

2. Conduct and Results of Evaluation by Evaluation Facility

2.1 Evaluation Methods

Evaluation was conducted by using the evaluation methods prescribed in CEM in accordance with the assurance requirements in CC Part 3. Details of the evaluation activities are reported in the Evaluation Technical Report. It describes the overview of the TOE, and the contents and verdict evaluated for each work unit prescribed in CEM.

2.2 Overview of Evaluation Conducted

The history of the evaluation conducted was presented in the Evaluation Technical Report as follows.

Evaluation started on 2009-03 and concluded with the completion of the Evaluation Technical Report dated 2009-04.
The evaluation facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to a series of evaluations conducted. Additionally, the evaluation facility directly visited the development and manufacturing sites on 2009-03 and examined the procedural status conducted in relation to each work unit for configuration management, delivery and operation and lifecycle by investigating records and staff hearing. Further, the evaluation facility executed a sampling check of the testing conducted by the developer, and evaluator testing, by using the developer testing environment at the developer site on 2009-03.

Concerns found in evaluation activities for each work unit were all issued as Observation Reports and were reported to the developer. These concerns were reviewed by the developer and all problems were solved eventually.

As for concerns indicated during the evaluation process by the Certification Body, the certification review was sent to the evaluation facility. These were reflected in the evaluation after investigation conducted by the evaluation facility and the developer.

2.3 Product Testing

An outline of the developer test evaluated by the evaluators and the evaluator test executed by the evaluator is shown as follows.

2.3.1 Developer Testing

1) Developer test environment

Figure 2-1 shows the structure of the test system executed by the developer.

Figure 2-1 Structural Diagram of the Developer Testing System (diagram; labels: bizhub PRO 950 with controller NIC and main body NIC, testing penetration PC, mail server WindowsXP(SP3), FTP server WindowsXP(SP3), SMB server WindowsXP(SP3), CSRC terminal, client PC, internal network)

2) Outlining of the developer test

The outline of the test executed by the developer is as follows.

a. Test structure

Figure 2-1 shows the test structure executed by the developer.
- TOE (bizhub PRO 950 control software (Image control program (Image control I1) 00I1-G00-10, Controller control program (IP control P) 00P1-G00-11)) is installed to bizhub PRO 950 series.
- bizhub PRO 950 is connected to the internal network (100BASE-T).
- bizhub PRO 950 is connected to client PC, mail server, FTP server, SMB server and CSRC terminal through the internal network.

CSRC is connected only by LAN in the test structure; however, it does not have an influence on the test results of security functions because it is a non-security function. Even if only one of the structures described in the ST is selected as the test structure (the ST describes that the CSRC terminal is selectable as either RS232C interface or E-mail interface connected by LAN), it is consistent with the structure identified in the ST. Therefore, it can be judged that the developer test is executed in the same TOE testing environment as the TOE structure identified in the ST.

b. Testing method

The following methods are used for the test.

(1) The operation of security functions is confirmed by the operation of TSFI.
(2) If testing of TSFI and subsystem interface cannot be performed by the operation through the external interface directly connected to bizhub PRO 950 series, it is performed with methods by indirectly stimulating the interface.
(3) For the observation of test behavior, the direct confirmation is performed if it can be confirmed by the external TSFI; the behavior of test results is confirmed by using measuring equipment (bizhub PRO 950) if it cannot be observed.
(4) By comparing the expected behavior with the actual test results obtained at test execution, whether the test objects are achieved or not is determined.

c. Range of the executed test

Testing is performed on 26 items by the developer. The coverage analysis is conducted and examined to testing satisfactorily all of the security functions described in the functional specification and the external interface.
Then, the depth analysis is conducted and examined to testing satisfactorily all the subsystems described in the high-level design and the subsystem interfaces.

d. Results

The test results by the developer confirmed that the expected test results and the actual test results are consistent. The evaluator confirmed the execution method of the developer test and the legitimacy of the executed items, and confirmed that the execution method and execution results are consistent with those shown in the test plan.

2.3.2 Evaluator Testing

1) Evaluator test environment

The system structure of the test executed by the evaluator has the same structure as the developer test.

2) Outlining of evaluator test

The outline of the test executed by the evaluator is as follows.

a. Test structure

Figure 2-1 shows the test structure executed by the evaluator. The evaluator test was executed in a test environment with the same configuration as the TOE configured following the ST. The penetration test executed by the evaluator was executed in the test configuration of Figure 2-1, and a part of the penetration test was executed at a bizhub PRO 950 with the TOE installed that was connected to ISW by USB cable. Furthermore, the evaluator confirmed that the test environment had the same configuration as the TOE configured following the ST.

b. Test method

The following methods are used for the sampling test.

(1) Test items selected more than 50% items from developer test.
(2) Test items more than one selected for each of TSFI with each developer test.
(3) Test items related all user interface selected at least more than one with developer test.
(4) A set of closed test items selected with developer test.

The following methods are used for the independent test.

(1) The operation of security functions is confirmed by the operation of TSFI.
(2) The subsystem interface is tested by the operation through the external interface connected to bizhub PRO 950 series.
(3) If testing of TSFI cannot be performed by the operation through the external interface directly connected to bizhub PRO 950, it is performed with methods by indirectly stimulating the interface.
(4) By comparing the expected behavior with the actual test results obtained at test execution, whether the test objects are achieved or not is determined.

The penetration test is executed by the following policy.

Penetration test is executed to confirm that there is no vulnerability possible to be abused by an attacker of low level in the TOE, or whether there is remaining vulnerability in the operating environment regulated in the ST.

c. Range of the executed test

The tests are set for the following test volume/coverage. Sampling test is 18 items, independent test is 10 items, penetration test is 6 items created by evaluator and total volume is 34 items.

d. Results

All the executed evaluator tests have been properly completed and the behavior of the TOE was confirmed. The evaluator confirmed that all of the test results were consistent with the expected behavior. From the results of the penetration test by the evaluator, it was confirmed that there was no obvious vulnerability with possibility to be abused in the environment that the TOE intends.

2.4 Evaluation Result

The evaluator had the conclusion that the TOE satisfies all work units prescribed in CEM by submitting the Evaluation Technical Report.

3. Conduct of Certification

The following certification was conducted based on the materials submitted by the evaluation facility during the evaluation process.

1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall properly be reflected.
3. Evidential materials submitted were sampled, their contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report.
4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate.
5. The Evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM.

Concerns found in the certification process were prepared as the certification review, which was sent to the evaluation facility.

The Certification Body confirmed that the concerns pointed out in the Observation Report and the certification review were solved in the ST and the Evaluation Technical Report.

4. Conclusion

4.1 Certification Result

The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted and confirmed that all evaluator action elements required in CC Part 3 are conducted appropriately to the TOE. The Certification Body verified that the TOE satisfies the EAL3 assurance requirements prescribed in CC Part 3.

4.2 Recommendations

OE.WATCH[Administrator is monitoring to TOE not to do irregular access and forbid to enter to the TOE setting place when Administrator being absent.] being security policy of environment to use TOE in secure condition is another charge of protecting to expose protected assets against attacking by HDD password made out by analysis service.

5. Glossary

The abbreviations used in this report are listed below.

CC: Common Criteria for Information Technology Security Evaluation
CEM: Common Methodology for Information Technology Security Evaluation
EAL: Evaluation Assurance Level
PP: Protection Profile
SOF: Strength of Function
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions

The glossaries used in this report are listed below.

User BOX: Directory in which documents data is stored.
Documents data: Computerized data for text and graphic.
Paper documents: Documents written on paper.
Operating panel: Operating Unit for using bizhub PRO 950 by touch panel display.
Internal network: The LAN in an office in which the bizhub PRO 950 series is introduced. It is connected with the client PC and several servers such as a mail server and an FTP server.
External network: Network other than the internal network, such as the Internet.
SMB: The application protocol for communication between computers on a network under the Microsoft OS series.
CSRC: Short for CS Remote Care. A remote management system in which the machine sends and receives machine management data to and from the CS Remote Center PC using e-mail and a phone line. The machine is able to call the Center PC when trouble occurs.
Hard Disk Lock Function: The HDD for storing the document data shall prevent unauthenticated access by means of the HDD lock password.
HDD lock password: Password that releases the state in which reading from and writing to the HDD are forbidden.
General User: A member of the organization that purchased bizhub PRO 950. He/she uses the copier/printer/fax.
Administrator: A person in charge of machine management. He/she is a member of the organization that purchased bizhub PRO 950.
CE: A member of the company in charge of bizhub PRO 950 maintenance. The CE shall execute the maintenance of bizhub PRO 950 and enter into the maintenance contract for bizhub PRO 950 with the Administrator or the responsible person.
Responsible person: A person who belongs to the organization that purchased bizhub PRO 950. He/she shall decide the administrator of bizhub PRO 950.
The product-related persons: The general user, administrator, and CE.

6. Bibliography

[1] Multi functional printer (digital copier) bizhub PRO 950 Security Target Version 5 (March 16, 2009) Konica Minolta Business Technologies, Inc.
[2] IT Security Evaluation and Certification Scheme, May 2007, Information-technology Promotion Agency, Japan CCS-01
[3] IT Security Certification Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-02
[4] Evaluation Facility Approval Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-03
[5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001
[6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002
[7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003
[8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001 (Translation Version 1.0 December 2005)
[9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002 (Translation Version 1.0 December 2005)
[10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003 (Translation Version 1.0 December 2005)
[11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004
[15] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004 (Translation Version 1.0 December 2005)
[16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology for IT security evaluation
[17] bizhub PRO 950 Zentai Seigyo Software Evaluation Technical Report Version 1.4, April 15, 2009, Information Technology Security Center, Security Evaluation Division