Page 1 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Security Target for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H
Author: Atsushi SATOH and Junko YAEGASHI, RICOH COMPANY, LTD.
Date: 2007-12-13
Version: 1.00
This document is a translation of the evaluated and certified security target
written in Japanese.
Page 2 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Revision history
Version Date Author Description
1.00 2007-12-13 Junko YAEGASHI Revised ST version 1.00 according to fixed the TOE
version.
Page 3 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Table of Contents
1 ST introduction ............................................................................................................................................. 6
1.1 ST identification .................................................................................................................................. 6
1.2 ST overview.......................................................................................................................................... 6
1.3 CC conformance.................................................................................................................................. 6
2 TOE description............................................................................................................................................ 7
2.1 TOE overview ...................................................................................................................................... 7
2.1.1 Product type ...................................................................................................................................... 7
2.1.2 Positioning of the TOE...................................................................................................................... 7
2.1.3 The MFP in which the TOE can be installed..................................................................................... 7
2.1.4 Operational environment of MFP on which TOE is mounted........................................................... 8
2.2 Physical boundary of the TOE ........................................................................................................... 9
2.3 Logical boundary of the TOE........................................................................................................... 11
2.3.1 TOE functionality............................................................................................................................ 12
2.3.2 MFP functionality ........................................................................................................................... 13
2.4 Terminology ....................................................................................................................................... 14
3 TOE security environment.......................................................................................................................... 16
3.1 Assumptions....................................................................................................................................... 16
3.2 Threats................................................................................................................................................ 16
3.3 Organisational security policies ....................................................................................................... 16
4 Security objectives....................................................................................................................................... 17
4.1 Security objectives for the TOE ....................................................................................................... 17
4.2 Security objectives for the environment.......................................................................................... 17
4.2.1 Security objectives for the IT environment..................................................................................... 17
4.2.2 Security objectives for the non-IT environment.............................................................................. 17
5 IT security requirements............................................................................................................................. 18
5.1 TOE security functional requirements ............................................................................................ 18
5.2 Minimum strength of function claim............................................................................................... 18
5.3 TOE security assurance requirements............................................................................................. 18
5.4 Explicitly stated TOE security functional requirements................................................................ 19
5.5 Security requirements for the IT environment ............................................................................... 19
6 TOE summary specification ....................................................................................................................... 20
6.1 TOE security functions ..................................................................................................................... 20
6.2 Strength of function claim................................................................................................................. 20
6.3 Assurance measures .......................................................................................................................... 21
7 PP claims..................................................................................................................................................... 23
8 Rationale ..................................................................................................................................................... 24
Page 4 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.1 Security objectives rationale............................................................................................................. 24
8.2 Security requirements rationale....................................................................................................... 25
8.2.1 Rationale for functional requirements............................................................................................. 25
8.2.2 Rationale for minimum strength of function................................................................................... 25
8.2.3 Dependency of security functional requirements............................................................................ 25
8.2.4 Rationale for assurance requirements.............................................................................................. 26
8.2.5 Mutual support of security requirements......................................................................................... 26
8.2.6 Rationale for explicitly stated security requirements ...................................................................... 26
8.3 TOE summary specification rationale............................................................................................. 28
8.3.1 Rationale for TOE security functions.............................................................................................. 28
8.3.2 Rationale for Strength of function claim......................................................................................... 28
8.3.3 Rationale for combination of security functions ............................................................................. 28
8.3.4 Rationale for assurance measures.................................................................................................... 28
8.4 PP claims rationale............................................................................................................................ 29
Annex A............................................................................................................................................................... 30
Page 5 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
List of Figures
Figure 1: Environment for the usage of MFP ................................................................................................. 8
Figure 2: Structure of MFP hardware ........................................................................................................... 10
Figure 3: Structure of MFP software............................................................................................................. 11
Figure 4: MFP and the TOE functions and its relations................................................................................ 12
List of Tables
Table 1: Terminology related to DOMS........................................................................................................ 14
Table 2: TOE security assurance requirement (EAL3) ................................................................................. 19
Table 3: Assurance requirements for EAL3 and assurance measures ........................................................... 21
Table 4: Relation between security needs and objectives ............................................................................. 24
Table 5: Relation between security objective and functional requirements .................................................. 25
Table 6: Dependencies of TOE security functional requirements................................................................. 25
Table 7: Mutual support of security requirement.......................................................................................... 26
Table 8: Relation between TOE security functional requirements and TOE security function..................... 28
Table 9: The MFP models in which the TOE can be installed ...................................................................... 30
Page 6 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
1 ST introduction
1.1 ST identification
The information to identify this document and the TOE is shown below.
ST title: Security Target for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H
ST version: 1.00
Date: 2007-12-13
Author: Atsushi SATOH and Junko YAEGASHI, RICOH COMPANY, LTD.
Product: imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H
Note: Hereafter these products are called with a generic name “Data Overwrite Module”.
“imagio Security Card Type 7” is a name in Japan.
“DataOverwriteSecurity Unit Type H” is a name in other countries.
TOE identification: TOE name in Japan: imagio Security Card Type 7 Software
TOE name in other countries: DataOverwriteSecurity Unit Type H Software
TOE version: 1.01x
CC version: CC version 2.3, ISO/IEC 15408:2005
Keywords: Digital MFP, hard disk, overwrite, protection for residual information
1.2 ST overview
This ST describes the data overwrite module software (hereinafter: DOMS) installed in Multi Function
Product (hereinafter: MFP) produced by Ricoh Co., Ltd. The MFP is an OA device consisting of copy
function, printer function, scanner function and facsimile function. This TOE is an option kit of the MFP
for safer use. This TOE is installed in the MFP, and its function is to overwrite designated areas of the
HDD by the MFP for erasure.
1.3 CC conformance
This document meets the followings:
- CC part 2 extended
- CC part 3 conformant
- EAL3 conformant
There are no Protection Profiles claimed to which this ST is conformant.
Page 7 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
2 TOE description
2.1 TOE overview
2.1.1 Product type
The product classification of this TOE is a software product installed as an option of the MFP. This
software product overwrites designated areas of the HDD by receiving instructions from the MFP in which
the software is installed.
2.1.2 Positioning of the TOE
The TOE is used for the purpose of overwriting area of the HDD for erasure information to prevent reuse of
the information in the area designated by the MFP.
The HDD used by the MPF is divided into RAW area and UNIX area. The TOE monitors supervised
information of RAW area on the HDD in shared memory of the MFP. If the TOE found an indicated area
to be overwritten for erasure, the TOE executes overwriting for erasure that area. In addition, the TOE
receives instructions from the MFP to overwrite information (UNIX data) of UNIX area and execute the
instructions. Moreover, the TOE has a function to overwrite all information on the HDD mounted in the
MFP in order to prevent leaking of confidential information from stored information on the HDD; for
example, return due to termination of the lease/rental agreement, movement to another department or
disposal of the MFP.
The MFP determines which information to be overwritten and designates HDD areas or data information to
the TOE.
The MFP saves temporary image data on the HDD for working data. When copying, printing, scanning or
facsimile processing have finished; the MFP deletes the above-mentioned temporarily working image data.
And, when a user indicates image data storage, the MFP stores the image data on the HDD. When a user
indicates deletion of stored image data, the MFP deletes above-mentioned stored image data. “Deletion
data” means “making unnecessary information apparently non-existent” for the copy, printer, scanner,
facsimile and document box functions. In fact, although deleted image data can be no longer used by
those functions of the MFP, their contents actually exist on the HDD. When stored information, as image
data, is deleted, the MFP supervises those data as residual information. Depending on functions, the MFP
stores the data into either RAW area or UNIX area. In order that the MFP can inform the TOE of the
existence/non-existence of residual information in RAW area, the MFP records supervised information
into shared memory. In addition, when residual information exists in UNIX area, the MFP indicates the
TOE to overwrite.
2.1.3 The MFP in which the TOE can be installed
As for Ricoh MFP, the optional products’ list is prepared for each MFP model. The list contains
description of the product information concerning optional products, which can be mounted in relevant
Page 8 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
MFP. For an MFP in which the TOE can be installed, the TOE is mentioned as an optional product in that
list. By reference to the optional products list of the MFP, an MFP user can distinguish which MFP can
be installed with the TOE.
The MFP models in which the TOE can be installed are listed in Annex A.
2.1.4 Operational environment of MFP on which TOE is mounted
The TOE is software that operates on the MFP, and is provided as an option to extend the functions of the
MFP. The MFP does not only consist of the basic copy function, but also several varieties of functions on
its single unit, including facsimile, printer and scanner. It is assumed that this TOE is installed and used
on an MFP working in a general office. The MFP is mounted with an internal HDD. The HDD is used
for storing image data of the copy and printer. During business hours , the MFP is under the supervision
of persons related to the office. However, at night or when on holidays, there is a possibility of an
outsider intruding unwatched office and removing away the HDD.
Figure 1 shows an assumed operational environment of the MFP.
Firewall
MFP
External network
Internal network
Public telephone
network
Mail Server FTP Server NetWare
User PC
TOE
Figure 1: Operational environment of the MFP
The following items are connected to the MFP in the operational environment.
- User PC:
User PC requests printing documents and sending facsimile data to MFP. Also User PC can receive
scanned data from MFP and stored image data into the MFP.
Page 9 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
- Mail server, FTP server, NetWare server:
MFP can send image data scanned by itself to Mail server, FTP server or NetWare server.
- Public telephone line:
MFP uses Public telephone line to send and receive facsimile data.
A firewall should be installed between the internal and the external networks in order to protect the devices
connected to the internal network. In addition, assume that public telephone line can be only used for
sending and receiving facsimile data, but it is impossible to intrude into the MFP or the internal network
through this line.
2.2 Physical boundary of the TOE
Ricoh’s MFP is composed of hardware and software.
The hardware is composed of printing engine, scanner unit, facsimile unit, operation panel, HDD and
controller board.
The printing engine prints out data from copy and printer functions and also received data through the
facsimile unit in parallel controlling paper feed and paper eject.
The scanner unit gets in image data from paper documents. It is used for copy, scanner and facsimile
sending functions to get in image data.
The facsimile unit operates sending and receiving of facsimile data.
The operation panel displays information to general users and administrator and also receives input
command/data entered by general users and administrator. General users and administrator can make use
of functions of the MFP with operating the operation panel.
Image data is stored on the HDD. During copying, printing, scanning or facsimile sending and receiving,
the MFP temporarily stores image data for working. Accumulating image data with instruction of general
users is also stored on the HDD.
The controller board controls whole of the MFP. The controller board is equipped with a processor and
RAM to execute software in the MFP, ROM on which software such as operating system (OS) and various
application modules are installed, NV-RAM on which setting information for MFP is stored, and Host
interface connected to user PC and servers. And also SD memory card, in which software of additional
function is stored, can be attached to the controller board. DOMS is stored on SD memory card, and SD
memory card is mounted in the controller board.
Figure 2 shows the hardware structure of the MFP.
Page 10 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Controler board
HDD
RAM
Processor
SDmemory
card
Operation
panel
Scanner unit
Facsimile unit
Printing engine
DOMS
TOE
NV-RAM
Host
interface
ROM
Figure 2: Hardware Structure of the MFP
The software is composed of OS, Common Service Module (CSM), and application modules.
The OS manages the hardware such as HDD and provides interfaces to operate these hardware resources.
The OS is UNIX-like operating system ported by Ricoh.
The application modules provide functions such as copy, printing, scanning and facsimile to general users.
These modules receive operational instructions from general users and request the required processes to
CSM to realize each function.
CSM provides common functions that are used by the application modules. Also CSM provides such as a
management function for the HDD areas on which image data and residual information exist, and display
function for the status of residual information on the operation panel.
SCS is contained in CSM. SCS controls all applications running on the MFP and manages setting
information. Moreover, SCS starts up Erase All Memory function of DOMS in case of request from
administrator.
The HDD is divided into RAW area and UNIX area, and data is stored into each area according to MFP
functions.
IMH is contained in CSM. IMH controls, through the OS, image data transfer between the printing engine,
the scanner unit or the facsimile unit and the controller board. IMH also manages the existence or
non-existence of image data and residual information in RAW area of the HDD, and records that
management information into shared memory.
ZFSD is contained in CSM. ZFSD always monitors UNIX area of the HDD and informs DOMS that
unnecessary files are found.
DOMS includes three software modules, HSM, ZFE and HDE. Those modules are extended functions for
CSM.
HSM monitors management information recorded in shared memory, that information indicates status of
RAW area of the HDD. When HSM finds a record that indicates a deleted area by the MFP, Through the
OS, HSM overwrites that area of the HDD indicated by the record.
When ZFE receives a notice of a discarded file in UNIX area from ZFSD, ZFE overwrites that file.
Page 11 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
When HDE is called by SCS due to a request from administrator, HDE overwrites whole area on the HDD.
Figure 3 shows the software structure of the MFP.
MFP software
Operating System
TOE
HDD
UNIX area/RAW area
occurence
residual
information
watching
RAW area
Erase All
Memory
Printer
application
Scanner
application
Facsimile
application
Copy
application
Document
box
application
Application modules
operational configuration
start Erase All Memory
Shared
memory
recording
RAW area
status
Common service
modules
IMH
SCS ZFSD
watching
UNIX area
notification of
UNIX area
DOMS
HSM ZFE HDE
RAW area
Auto Erase
Memory
UNIX area
Auto Erase
Memory
request for
permission to
overwrite
Figure 3: Software Structure of the MFP
2.3 Logical boundary of the TOE
[Logical boundary of the TOE]
The TOE provides Auto Erase Memory function for RAW area in order to overwrite designated RAW area
of the HDD by the MFP. The TOE monitors RAW area management information in shared memory and
finds an area indicated to be overwritten, then executes. Also, the TOE provides Auto Erase Memory
function for UNIX area to overwrite indicated UNIX area in response to an order from the MFP.
Furthermore, the TOE provides Erase All Memory function to make all information on the HDD
irreversible.
[Logical boundary of the MFP]
Page 12 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
The MFP provides copy, printer, scanner, and facsimile functions to general users. These functions store
working data on the HDD. When a process is finished, working data becomes disused, and remains as
residual information on the HDD.
The MFP also provides document box function. This function stores image data on the HDD by user’s
operation. When stored image data becomes no longer required, that image data is deleted by general
user’s operation, and remains as residual information.
The MFP manages existence or non-existence of residual information in RAW area and UNIX area on the
HDD. The MFP records management information for residual information in shared memory to notify the
TOE of existence or non-existence of residual information in RAW area. Also, the MFP orders the TOE
to overwrite that information when the MFP finds existence of residual information in UNIX area.
Furthermore, the MFP provides sequential overwrite configuration function to control the behaviour of
Auto Erase Memory of the TOE. Also, the MFP provides batch overwrite activation function to control
the behaviour of Erase All Memory of the TOE. Furthermore, the MFP provides status indication
function of residual information for users to be able to check residual information.
Figure 4 shows the MFP and the TOE functions and those relations.
MFP
Batch
overwrite
activation
Sequential
overwrite
configuration
Status
indication of
residual
information
Printer
Copy
Scanner
Facsimile
Document
box
TOE
HDD
residual information occur
overwrite
indicate
status
configure
Residual
information
management
notify
DOMS
Auto Erase Memory
RAW area
Auto Erase
Memory
Erase All
Memory
UNIX area
Auto Erase
Memory
start up
Figure 4: The MFP and the TOE functions and those relations
2.3.1 TOE functionality
Details of the functions provided by the TOE are described below.
[Auto Erase Memory]
HSM monitors management information of RAW area on the HDD, that information is recorded in shared
memory. HSM requests IMH of permission to overwrite designated area of the HDD based on the
Page 13 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
management information in shared memory. When receiving IMH permission, HSM overwrites that area
with specified method. When finished overwriting, HSM notifies IMH of completion of overwriting the
area, and start again to monitor management information of RAW area on the HDD.
When received notice of existence of unnecessary file in UNIX area from ZFSD, ZFE overwrites the file
area with specified method.
[Erase All Memory]
When called by the MFP, HDE overwrites all area of the HDD. Additionally Erase All Memory can be
suspended by order of the MFP.
2.3.2 MFP functionality
Details of the MFP functions out of the TOE but related to the TOE are described below.
[Management of residual information]
The MFP manages existence of residual information in RAW area of the HDD, and records the
management information into shared memory to notify HSM. Also, the MFP monitors UNIX area, and
notifies ZFE of unnecessary file when found.
[Configuration of Auto Erase Memory]
Only administrator can activate or deactivate Auto Erase Memory through the operation panel of the MFP.
[Start up / Suspend of Erase All Memory]
Only administrator can start up batch overwrite function, Erase All Memory of the TOE, through the
operation panel of the MFP. The MFP resets configuration values recorded in NV-RAM to factory default
values. Then, the MFP stops all jobs other than Erase All Memory, and starts up Erase All Memory.
Also, administrator can suspend Erase All Memory during overwriting. When the MFP is started again,
then Erase All Memory restarts.
[Indicating status of residual information]
When DOMS is running, icon that indicates status of residual information is displayed don the operation
panel of the MFP. When residual information exists on the HDD, an icon that indicates existence of
residual information is displayed on the operation panel. During overwriting residual information, that
icon blinks on and off. When residual information does not exist on the HDD, another icon that indicates
non-existence of residual information is displayed. Thereby, general users and administrator can confirm
existence or non-existence of residual information easily. Displaying icon, also, indicates that DOMS is
installed correctly and overwrite function is activated.
[General functions of MFP]
Page 14 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
The MFP has copy/printer/scanner/facsimile/document box functions. Those functions create working
data or store image data in RAW area or UNIX area of the HDD. When those data become unnecessary,
the MFP manages those data as residual information, and gives the TOE directions to overwrite them.
[Miscellaneous]
If the power is turned off during overwriting, the MFP can restart overwriting process of the TOE after the
power is turned on.
The jobs of copy/printer/scanner/facsimile/document box have higher priority processes than the TOE.
If overwriting process of the TOE and the other job are started simultaneously , the TOE waits for
completion of the job and starts overwriting. If another job is started during overwriting of the TOE, the
TOE is suspended and restarted after completion of the job.
2.4 Terminology
For realizing of this ST, the meanings of specific terminology are defined in Table 1.
Table 1: Terminology related to DOMS
Term Definition
MFP Multi Function Product;
This is a printer that has multiple functions such as copy, printer in one
machine. The TOE of this ST is used in the MFP that is produced by Ricoh.
DOMS Data Overwrite Modules;
This module has a function to overwrite an area of the HDD for preventing
analysis of a footprint of data.
HSM One of modules contained within DOMS;
This module executes sequential overwriting the data in RAW area specified
to overwrite by the MFP.
ZFE One of modules contained within DOMS;
This module executes sequential overwriting the data in UNIX area specified
to overwrite by the MFP.
HDE One of modules contained within DOMS;
This module executes batch overwriting the whole HDD.
CSM Common Service Modules;
These modules provide general functions commonly used by applications such
as copy or printer. The management function of image data is also included in
CSM.
SCS One of modules contained within CSM;
This module supervises applications running on the MFP, and manages
configuration information. Also, SCS activates butch overwrite function,
Erase All Memory of DOMS, upon request of the administrator.
IMH One of modules contained within CSM; .
This module controls, through the OS, image data transfer between printing
Page 15 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
engine, scanner unit, or facsimile unit and controller board. IMH also manages
existence or non-existence of image data and residual information in RAW
area of the HDD, and records the management information in shared memory.
ZFSD One of modules contained within CSM; .
This module always monitors UNIX area of the HDD and notifies DOMS of
occurrence of unnecessary files.
Residual
information
The residual information means unnecessary information generated with
deletion of image data by the MFP. Generally, “Delete” process removes
image data logically, but traces of deleted data exist actually. Those traces are
residual information.
UNIX area HDD area managed by OS file system; The data that exists in this area can be
accessed by normal file operation.
RAW area HDD area not managed by OS file system; The data that exists on this area is
managed by CSM in its own way without use of OS file operation.
Document box It is a logical box in which electronic files of documents are stored. It can be
used when document box option is installed.
SD memory
card
SD memory card is secure digital memory card. It is a memory device with
high functionality, as small as postal stamp. It is used to provide the TOE or
other applications to the MFP.
Page 16 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
3 TOE security environment
3.1 Assumptions
In this section, the assumptions concerning the environment of the TOE are identified and described.
A.MODE.AUTOMATIC It is assumed that the execution of Auto Erase Memory of the TOE
is not aborted.
The execution of Auto Erase Memory of the TOE is not aborted by turning off the
power of the MFP before the TOE finishes overwriting.
A.MODE.MANUAL It is assumed that the execution of Erase All Memory of the TOE
is not suspended.
The execution of Erase All Memory of the TOE is not suspended without user’s intent
by pressing the [Suspend] button or turning off the power of the MFP before the
function finishes.
3.2 Threats
There are no threats countered by the TOE or the environment.
3.3 Organisational security policies
In this section, the organisational security policy with which the TOE shall comply is identified and
described.
P.UNREADABLE The TOE shall prevent from retrieving information on the HDD
area specified by the MFP.
The TOE shall prevent from retrieving information on the HDD area specified by the
MFP.
Page 17 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
4 Security objectives
4.1 Security objectives for the TOE
In this section, the security objectives for the TOE are described. The security objectives for the TOE
realize the organisational security policy described in section 3.3.
O.OVERWRITE The TOE shall ensure that the information on the area ordered by
the MFP to overwrite cannot be retrieved.
The TOE overwrites designated information on the HDD by the MFP to prevent from
retrieving.
4.2 Security objectives for the environment
4.2.1 Security objectives for the IT environment
There are no security objectives for the IT environment against assumptions or threats.
4.2.2 Security objectives for the non-IT environment
In this section, the security objectives for the environment except the IT environment are described.
Those security objectives are countered against the assumptions or threats described in section 3.
OE.MODE.AUTOMATIC User shall not turn off the power of the MFP before overwrite of
Auto Erase Memory finishes.
When turning off the power of the MFP, user shall confirm the icon shown on the
operation panel and then turns off the power with the condition that the overwriting by
Auto Erase Memory is finished.
OE.MODE.MANUAL User shall manage the MFP to prevent the function of Erase All
Memory from being suspended.
When Erase All Memory executing, user manages the MFP to prevent the function
from being suspended by pressing the [Suspend] button or turning off the power of the
MFP without user’s intent.
Page 18 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
5 IT security requirements
5.1 TOE security functional requirements
In this section, the TOE security functional requirement to achieve the security objective that described in
section 4.1 is identified and described. The parts of the assignment and selection operations defined in
[CC] are implemented and identified with [bold letters and brackets].
FPT_RVM.1 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each
function within the TSC is allowed to proceed.
Dependencies: No dependencies
5.2 Minimum strength of function claim
The minimum strength level claimed for the TOE is SOF-Basic.
5.3 TOE security assurance requirements
The evaluation assurance level claimed for the TOE is EAL3. The assurance components for the TOE are
shown in Table 2. It is the set of components defined by the evaluation assurance level (EAL) 3 and no
other requirements have been augmented.
Page 19 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Table 2: TOE security assurance requirement (EAL3)
Assurance class Assurance component
ACM_CAP.3 Authorisation controls
ACM:
Configuration management ACM_SCP.1 TOE CM coverage
ADO_DEL.1 Delivery procedures
ADO:
Delivery and operation ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
ADV_HLD.2 Security enforcing high-level design
ADV:
Development
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD:
Guidance documents AGD_USR.1 User guidance
ALC:
Life cycle support
ALC_DVS.1 Identification of security measures
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: high-level design
ATE_FUN.1 Functional testing
ATE:
Tests
ATE_IND.2 Independent testing - sample
AVA_MSU.1 Examination of guidance
AVA_SOF.1 Strength of TOE security function evaluation
AVA:
Vulnerability assessment
AVA_VLA.1 Developer vulnerability analysis
5.4 Explicitly stated TOE security functional requirements
In this section, explicitly stated TOE security functional requirements that achieve the security objective are
described.
FDP_SIP.1 Specified information protection
Hierarchical to: No other components.
FDP_SIP.1.1 The TSF shall ensure that any previous information content of a specified resource is made
unavailable.
Dependencies: No dependencies
5.5 Security requirements for the IT environment
There are no security requirements for the IT environment.
Page 20 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
6 TOE summary specification
6.1 TOE security functions
SF.OVERWRITE
The TSF has two types of overwriting functionality, Auto Erase Memory and Erase All Memory.
(1) Auto Erase Memory
The TSF monitors management information of RAW area of the HDD recorded in shared memory, and
overwrite HDD area specified by the management information.
The TSF also overwrite UNIX area of the HDD specified by the MFP.
(2) Erase All Memory
The TSF overwrites all data on the HDD. The TSF can suspend Erase All Memory by order of the MFP
Application notes:
Auto Erase Memory and Erase All Memory use one of the following three methods to overwrite the
HDD.
(1) NSA method: the TSF overwrites data in following procedure.
- Overwriting twice with random numbers,
- Overwriting once with Null (0).
(2) DoD method: the TSF overwrites data in following procedure.
- Overwriting once with fixed numbers,
- Overwriting once with complement of above fixed numbers,
- Overwriting once with random numbers,
- Carrying out final verification.
(3) Random Numbers method: the TSF overwrites specified number of times with random
numbers.
When Random Numbers method is chosen, number of times is specified.
6.2 Strength of function claim
There are no security functions realized by probabilistic or permutational mechanisms.
Page 21 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
6.3 Assurance measures
In this section, assurance measures for the TOE are described. The assurance measures listed in Table 3
meet security assurance requirements listed in the section 5.3.
Table 3: Assurance requirements for EAL3 and assurance measures
Assurance class Assurance
component
Assurance measure
ACM_CAP.3
ACM:
Configuration Management ACM_SCP.1
Configuration Management Plan for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
ADO_DEL.1 Delivery Procedure for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
ADO:
Delivery and operation
ADO_IGS.1 Production Procedure for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
Service Manual for
imagio Security Card Type 7
imagio Security Card Type 9
Service Manual for
DataOverwriteSecurity Unit Type H
DataOverwriteSecurity Unit Type I
ADV_FSP.1
ADV_HLD.2
Zoffy V3 system design
IMH design specification B0.HDD overwrite
functional specification
IMH design specification B0.HDD overwrite I/F:
command specification
LPUX specification 05 library HDD overwrite
library I/F specification
ZOFFY-V3 UNIX filesystem Auto Erase Memory
system basic design
ZOFFY-V2/V3 HDD Erase All Memory system
basic design
ADV:
Development
ADV_RCR.1 Correspondence Analysis for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
Page 22 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Assurance class Assurance
component
Assurance measure
AGD_ADM.1
AGD:
Guidance documents AGD_USR.1
“imagio Security Card Type 7
imagio Security Card Type 9
Operating Instructions”
“DataOverwriteSecurity Unit Type H
DataOverwriteSecurity Unit Type I
Operating Instructions”
ALC:
Life cycle support
ALC_DVS.1 Development Security Plan for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
ATE_COV.2
ATE_COV.1
ATE_FUN.1
Test Document for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
Test Result for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
ATE:
Tests
ATE_IND.2 TOE
AVA_MSU.1
AVA_SOF.1
AVA:
Vulnerability assessment
AVA_VLA.1
Vulnerability Assessment for
imagio Security Card Type 7,
DataOverwriteSecurity Unit Type H,
imagio Security Card Type 9,
DataOverwriteSecurity Unit Type I
Notes: The documents listed in Table 3 are written in Japanese except for the "DataOverwriteSecurity Unit
Type H DataOverwriteSecurity Unit Type I Service Manual", "DataOverwriteSecurity Unit Type H
DataOverwriteSecurity Unit Type I Operating Instructions" and the TOE.
Page 23 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
7 PP claims
There are no Protection Profiles claimed to which this ST is conformant.
Page 24 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8 Rationale
8.1 Security objectives rationale
In this section, it is demonstrated that the security objectives stated in section 4 are appropriate and cover
all aspects of the security environment stated in section 3.
Table 4 shows that each security objective addresses at least one threat or assumption, and that each threat
and assumption is covered by at least one security objective.
Table 4: Relation between security needs and objectives
O.OVERWRITE
OE.MODE.AUTOMATIC
OE.MODE.MANUAL
P.UNREADABLE X
A.MODE.AUTOMATIC X
A.MODE.MANUAL X
P.UNREADABLE is achieved by O.OVERWRITE, because O.OVERWRITE ensures that the information
on the area of the HDD specified by the MFP becomes unreadable by overwriting.
A.MODE.AUTOMATIC is achieved by OE.MODE.AUTOMATIC, because it is ensured that overwrite of
the TOE is not interrupted by waiting for completion of overwrite when shutting down the MFP.
A.MODE.MANUAL is achieved by OE.MODE.MANUAL, because it is prevented from suspending Erase
All Memory against user’s intent to keep the MFP under watch.
Page 25 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.2 Security requirements rationale
8.2.1 Rationale for functional requirements
In this section, it is demonstrated that security functional requirements stated in section 5 achieve security
objectives for the TOE and IT environment identified in section 4.
Table 5 shows that TOE security functional requirements meet security objectives for the TOE and IT
environment.
Table 5: Relation between security objective and functional requirements
FDP_SIP.1
FPT_RVM.1
O.OVERWRITE X X
O.OVERWRITE is achieved by FDP_SIP.1, because this requirement ensures that the information
specified by the MFP becomes unavailable, i.e. no one can retrieve the information specified by the MFP.
Furthermore, it is ensured that the TSP cannot be bypassed with FPT_RVM.1.
8.2.2 Rationale for minimum strength of function
This TOE is an option of the MFP as products in the market. It is assumed that the MFP, which is
operating environment of the TOE, is used in general office. So, it is appropriate that minimum strength
of function for the TOE is SOF-Basic.
8.2.3 Dependency of security functional requirements
Table 6 shows dependencies of TOE security functional requirements. The dependencies in this ST are
satisfied for interdependence of CC requirements.
Table 6: Dependencies of TOE security functional requirements
TOE security functional
requirement
Dependencies required
by CC
Dependencies satisfied in this
ST
FDP_SIP.1 None None
FPT_RVM.1 None None
As shown in Table 6 above, FDP_SIP.1 and FPT_RVM.1 have no dependencies required by CC. So,
there are no dependencies to be satisfied by TOE security functional requirements.
Page 26 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.2.4 Rationale for assurance requirements
This TOE is an option of the MFP as products in the market. It is assumed that the MFP which is
operating environment of the TOE is used in general offices, and the attackers with moderate attack
potential or over is not assumed for the TOE.
In addition, the TOE realizes the security function with simple mechanism such as overwriting data, which
has no probabilistic or no permutational mechanism, therefore the high-level design evaluation
(ADV_HLD.2) is sufficient to demonstrate the validity of that mechanism. Furthermore, a high-level
attack capability is needed for attacks such as bypassing or tampering TSF, but those are out of scope of
this evaluation. That is to say, an analysis of apparent vulnerability (AVA_VLA.1) is sufficient for general
needs.
On the other hand, for making it more difficult to attack, it is needed to keep pertinent information in
security. So it is important to ensure that the development environment is in security, that is, development
security (ALC_DVS.1).
So, considering evaluation period and cost, EAL3 is appropriate for the TOE.
8.2.5 Mutual support of security requirements
Table 7 shows mutual support of security requirements.
Table 7: Mutual support of security requirement
Functional requirement Bypass Deactivate Tamper
FDP_SIP.1 FPT_RVM.1 None None
[Bypass]
Once the TOE is started, FDP_SIP.1 is certainly executed. So, there is no bypass for FDP_SIP.1.
[Deactivate]
Once the TOE is started, FDP_SIP.1 is certainly executed. So, there is no deactivation for FDP_SIP.1.
[Tamper]
There is no illegal subject for the TOE. So, the TSF is not tampered.
8.2.6 Rationale for explicitly stated security requirements
The functional requirement FDP_SIP.1 used for the TOE is an explicitly stated security requirement. The
purpose of the TOE is to make residual information of the MFP unavailable in cooperation with the MFP.
So, FDP_RIP.1 seems to meet the purpose. But the MFP performs the management of residual
information, and the TOE overwrites the information according to the order of the MFP. Thereby,
FDP_RIP.1 is not applicable. So, the security requirement extended for the TOE based on FDP_RIP.1 is
applied. Also, the explicitly stated security requirement is extended in the same style as CC Part 2
security requirements and to a comparable level of detail.
The explicitly stated security requirement is stated as the security function separated off the part of
determining residual information from FDP_RIP.1.
Page 27 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
FDP_RIP.1, basis of the requirement, is not required any dependencies and particular assurance
requirements. So, the explicitly stated functional requirement does not need any dependencies and
assurance requirements.
Also, the assurance requirements of EAL3 package are sufficient to assure the explicitly stated security
requirement, because it is obvious that the evidences by special documents for the requirement are not
needed.
Page 28 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.3 TOE summary specification rationale
8.3.1 Rationale for TOE security functions
In this section, it is demonstrated that the TOE security function described in section 6.1 realizes TOE
security functional requirements stated in section 5.1.
Table 8 shows that the TOE security function meets TOE security functional requirements.
Table 8: Relation between TOE security functional requirements and TOE security function
SF.OVERWRITE
FDP_SIP.1 X
FPT_RVM.1 X
SF.OVERWRITE ensures that information specified by the MFP is unavailable by overwriting. Therefore,
FDP_SIP.1 is realized.
After activated the TOE, SF.OVERWRITE is surely performed. Therefore, FPT_RVM.1 is realized.
8.3.2 Rationale for Strength of function claim
As described in section 6.2, no security function has probabilistic or permutational mechanisms. So, SOF
claim is not needed for this ST.
8.3.3 Rationale for combination of security functions
As described in section 8.3.1, the TOE has one security function. This shows that the ST has no mutual
support of security functions. So, the security function performs to satisfy security functional
requirements by itself.
8.3.4 Rationale for assurance measures
In section 6.3, documents as assurance measures and the TOE meet all security assurance requirements
required for EAL3, and all evidences required for security assurance requirements are covered by those
documents and the TOE. So, TOE security assurance requirements are satisfied.
Page 29 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.4 PP claims rationale
There are no Protection Profiles claimed to which this ST is conformant.
Page 30 of 30
Copyright (c) 2007 RICOH COMPANY, LTD. All Rights Reserved.
Annex A
The MFP models in which the TOE can be installed are listed in Table 9.
Table 9: The MFP models in which the TOE can be installed
Product names in Japan Product names in other country
Ricoh imagio C6000 series
Ricoh imagio C7500 series
Ricoh Aficio MP C6000 series
Ricoh Aficio MP C7500 series
Savin C6055/C7570 series
Lanier LD260c/275c series
Lanier MP C6000/C7500 series
Gestetner MP C6000/C7500 series
Infotec MP C6000/C7500 series
NRG MP C6000/C7500 series
Notes: ”series” means the product group, they have some different configurations which have no effect on
the performance of the TOE.