November 2019
Fuji Xerox
ApeosPort-VII
C7773/C6673/C5573/C4473/C3373/
C3372/C2273
DocuCentre-VII
C7773/C6673/C5573/C4473/C3373/
C2273
Models with Data Security, Scan, and
Fax
Security Target
Version 1.1.7
This document is a translation of the evaluated
and certified security target written in Japanese.
- i -
- Table of Contents -
1. ST INTRODUCTION................................................................................................................1
1.1. ST Reference .....................................................................................................................................................1
1.2. TOE Reference..................................................................................................................................................1
1.3. TOE Overview....................................................................................................................................................2
TOE Type.....................................................................................................................................................................2
Usage and Major Security Features of TOE ..................................................................................................2
Environment Assumptions...................................................................................................................................3
Required Non-TOE Hardware and Software..................................................................................................4
1.4. TOE Description...............................................................................................................................................5
Users Assumptions..................................................................................................................................................5
Logical Scope and Boundary ..............................................................................................................................6
Physical Boundary of the TOE ............................................................................................................................8
2. CONFORMANCE CLAIM .....................................................................................................12
2.1. CC Conformance Claim.............................................................................................................................12
2.2. PP claim, Package Claim...........................................................................................................................12
PP Claim...................................................................................................................................................................12
Package Claim.......................................................................................................................................................12
Conformance Rationale.....................................................................................................................................12
3. SECURITY PROBLEM DEFINITION ................................................................................13
3.1. Threats .............................................................................................................................................................13
Assets Protected by TOE....................................................................................................................................13
Threats.....................................................................................................................................................................13
3.2. Organizational Security Policies............................................................................................................14
3.3. Assumptions...................................................................................................................................................15
4. Security Objectives................................................................................................................16
5. EXTENDED COMPONENTS DEFINITION....................................................................17
5.1. Extended Functional Requirements Definition...............................................................................17
Class FAU: Security Audit ..................................................................................................................................17
Class FCS: Cryptographic Support..................................................................................................................18
Class FDP: User Data Protection.....................................................................................................................23
Class FIA: Identification and Authentication............................................................................................25
Class FPT: Protection of the TSF.....................................................................................................................26
6. SECURITY REQUIREMENTS..............................................................................................30
6.1. Notation ..........................................................................................................................................................30
6.2. Security Functional Requirements........................................................................................................30
- ii -
Class FAU: Security Audit ..................................................................................................................................30
Class FCS: Cryptographic Support..................................................................................................................32
Class FDP: User Data Protection.....................................................................................................................40
Class FIA: Identification and Authentication............................................................................................44
Class FMT: Security Management.................................................................................................................46
Class FPT: Protection of the TSF.....................................................................................................................50
Class FTA: TOE Access.........................................................................................................................................51
Class FTP: Trusted Paths/Channels................................................................................................................52
6.3. Security Assurance Requirements ........................................................................................................54
6.4. Security Requirement Rationale ...........................................................................................................55
Dependencies of Security Functional Requirements ..............................................................................55
Security Assurance Requirements Rationale..............................................................................................58
7. TOE Summary Specification .............................................................................................59
7.1. Security Functions.......................................................................................................................................59
Identification and Authentication.................................................................................................................61
Security Audit........................................................................................................................................................62
Access Control .......................................................................................................................................................64
Security management........................................................................................................................................65
Trusted Operation................................................................................................................................................67
Data Encryption....................................................................................................................................................68
Trusted Communications..................................................................................................................................72
PSTN Fax-Network Separation........................................................................................................................73
Data Clearing.........................................................................................................................................................73
8. ACRONYMS AND TERMINOLOGY ..................................................................................75
8.1. Acronyms.........................................................................................................................................................75
8.2. Terminology ...................................................................................................................................................75
9. REFERENCES ...........................................................................................................................80
10. Appendix 1. Target models configuration table........................................................81
- iii -
- List of Figures and Tables -
Figure 1 Operational Environment Assumed by TOE ..........................................................................................3
Figure 2 TOE Logical Boundary.....................................................................................................................................6
Table 1 User Roles...............................................................................................................................................................5
Table 2 Physical Configuration Elements (MFD)...................................................................................................9
Table 3 Physical Components That Configure the TOE (the Fax Kit) ........................................................10
Table 4 Physical Components That Configure the TOE (guidance)...........................................................10
Table 5 Assets for User Data .......................................................................................................................................13
Table 6 Assets for TSF Data.........................................................................................................................................13
Table 7 Threats..................................................................................................................................................................13
Table 8 Organizational Security Policies.................................................................................................................14
Table 9 Assumptions.......................................................................................................................................................15
Table 10 Security Objectives for the TOE Environment...................................................................................16
Table 11 Auditable Events............................................................................................................................................31
Table 12 D.USER.DOC Access Control SFP ............................................................................................................41
Table 13 D.USER.JOB Access Control SFP..............................................................................................................42
Table 14 List of Security Functions...........................................................................................................................47
Table 15 Security Attributes and Authorized Roles...........................................................................................47
Table 16 Management of TSF Data ........................................................................................................................48
Table 17 Security Management Functions...........................................................................................................49
Table 18 Security Assurance Requirements..........................................................................................................54
Table 19 Dependencies of Functional Security Requirements.....................................................................55
Table 20 Security Functional Requirements and the Corresponding TOE Security Functions........59
Table 21 Details of Security Audit Log....................................................................................................................63
Table 22 Security management functions and their operationable UIs.................................................66
Table 23 Methods to destroy keys and key material stored in plaintext.................................................69
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 1 - Copyright
2019 by Fuji Xerox Co., Ltd
1. ST INTRODUCTION
This chapter describes Security Target (ST) Reference, TOE Reference, TOE Overview, and TOE Description.
1.1. ST Reference
This section provides information needed to identify this ST.
ST Title:
Fuji Xerox ApeosPort-VII
C7773/C6673/C5573/C4473/C3373/C3372/C2273
DocuCentre-VII
C7773/C6673/C5573/C4473/C3373 /C2273
models with Data Security, Scan, and Fax
Security Target
ST Version: V 1.1.7
Publication Date: November 8, 2019
Author: Fuji Xerox Co., Ltd.
1.2. TOE Reference
This section provides information needed to identify the TOE.
TOE Identification:
Fuji Xerox ApeosPort-VII
C7773/C6673/C5573/C4473/C3373/C2273
DocuCentre-VII
C7773/C6673/C5573/C4473/C3373/C2273
models with Scan and Fax as standard features and
Data Security as an optional feature
Fuji Xerox ApeosPort-VII
C7773/C6673/C5573/C4473/C3373/C3372/C2273
DocuCentre-VII C7773/C6673/C5573/C4473
models with Scan and Data Security as standard
features and Fax as an optional feature
Version:
・Controller ROM: Ver. 1.1.14
・FAX ROM: Ver. 2.2.1
Developer: Fuji Xerox Co., Ltd.
Fuji Xerox ApeosPort-VII C7773/C6673/C5573/C4473/C3373/C2273 and DocuCentre-VII
C7773/C6673/C5573/C4473/C3373/C2273 models with Scan and Fax as standard features are models
with Scan and Fax as standard features that are shipped to Japan. They are identified with their product
name and their product codes of the MFDs that are shipped to Japan in “Appendix 1. Target models
configuration table”.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 2 - Copyright
2019 by Fuji Xerox Co., Ltd
Fuji Xerox ApeosPort-VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 and DocuCentre-VII
C7773/C6673/C5573/C4473 models with Scan and Data Security as standard features are models with
Scan and Data Security as standard features that are shipped overseas. They are identified with their
product name and their product codes of the MFDs that are shipped to Japan in “Appendix 1. Target
models configuration table”).
The TOE is one of the following products with necessary functions enabled.
• Fuji Xerox ApeosPort-VII C7773/C6673/C5573/C4473/C3373/C2273 and DocuCentre-VII
C7773/C6673/C5573/C4473/C3373/C2273 with Scan and Fax as standard features with
Data Security enabled
• Fuji Xerox ApeosPort-VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 and
DocuCentre-VII C7773/C6673/C5573/C4473 with Scan and Data Security as standard
features with Fax enabled
1.3. TOE Overview
TOE Type
The TOE is an MFD that is connected to a wired LAN and supports the copy, scan, print, fax, and
document storage and retrieval functions.
Usage and Major Security Features of TOE
The MFD has functions to copy, scan, print, and fax (send and receive) the documents handled by
users, store the scanned image data or the received fax data in a Mailbox, and retrieve the data
from the Mailbox. To prevent alteration and leakage of these documents, the MFD has functions to
identify and authenticate users, control access to documents and functions based on user roles,
encrypt the setting data and document data stored in MFD storage, protect the communication
data on the LAN, manage security settings (restricted to system administrators), monitor the use
of the security functions of the MFD (audit function), verify the integrity of the TSF executable
code and TSF data, assure the authenticity of the TSF executable code when updating the code,
separate the fax line and the LAN, and overwrite image data stored in the storage.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 3 - Copyright
2019 by Fuji Xerox Co., Ltd
Environment Assumptions
The operational environment of the MFD is shown below.
Figure 1 Operational Environment Assumed by TOE
The MFD is used in an environment that is connected to a wired Local Area Network (LAN) and
isolated from the external network by the firewall.
The MFD can connect to the public telephone line to send and receive fax data.
In order to overwrite the remaining image data, Hard Disk Data Overwrite is used. For models that
offer this function as an option, it is necessary to purchase the Data Security Kit and enable Hard
Disk Data Overwrite.
The users operate the MFD via various interfaces. Therefore, it is necessary to enable the
identification and authentication function to restrict operation permissions granted to each user.
Among the products that constitute the TOE, ApeosPort series products support local
authentication and remote authentication, but only local authentication is selected in the settings
of the TOE.
External
Network
Firewall
General User
General User Client
-Printer Driver
-Web Browser
TOE
System
Administrator
LAN
System Administrator
Client
-Web Browser
Mail Server
System
Administrator
General User
Audit Server
Public Telephone
Line
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 4 - Copyright
2019 by Fuji Xerox Co., Ltd
Note;
・ The TOE's optional functions to print from USB and store to USB are set to disabled
in initial settings; they are not included in the target of evaluation. Therefore, the [Store
to USB] and [Media Print] buttons do not appear on the control panel.
・ There are two types of Mailboxes: The Personal Mailbox, which SAs and general users
can create and the Shared Mailbox, which the Key Operator can create. The guidance of
the TOE prohibits the use of the Shared Mailbox. In this ST, "Mailbox" means "Personal
Mailbox."
Required Non-TOE Hardware and Software
In the operational environment shown in Figure 1, the TOE is an MFD, and there are the following
non-TOE hardware/software.
(1) General user client
The hardware is a general-purpose computer.
When the computer is used as a printer client, the user needs to install a printer driver on the
computer in order to request the MFD to print.
In order to use the web server function of the MFD, the user needs to use the web browser
installed on the computer.
(2) System administrator client
The hardware is a general-purpose computer.
A web browser is necessary for a system administrator to refer to and change TOE settings.
(3) Mail server
A mail server is necessary for the MFD to send scanned documents via email. The hardware/OS
of the server is a general-purpose computer/server, and an email service that supports SMTP
protocol protected by TLS needs to be installed.
(4) Audit server
An audit server is necessary for the MFD to collect audit event data. The hardware/OS is a general-
purpose computer/server, and the MFD sends security audit logs to the audit server using HTTPS
on the request of the audit server.
In the TOE evaluation, the following hardware and software shall be used for the above functions.
The OS and web browser for (1) general user client and (2) system administrator client shall be
Windows 10 and Microsoft Edge.
(3) mail server shall be Postfix version 2.10.1.
The OS of (4) audit server shall be Windows 10, and the execution environment to retrieve logs
shall be PowerShell version 5.1. The server’s system administrator needs to create a PowerShell
script for log retrieval in accordance with the guidance and install it on the server.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 5 - Copyright
2019 by Fuji Xerox Co., Ltd
The printer driver described in (1) shall be either of the following printer drivers for applicable
models provided by Fuji Xerox.
For the Japanese market: ART EX Driver (Microsoft® WHQL Certified Driver)
For the overseas markets: 64-bit Windows Print Driver (PCL)
When updating the firmware, use a Fuji Xerox firmware update tool which is a maintenance tool
that runs on Windows 10 in an independent network environment.
1.4. TOE Description
This section describes user roles and logical/physical boundary of the TOE.
Users Assumptions
Table 1 specifies the TOE user roles assumed in this ST.
Table 1 User Roles
Name User data type Definition
U.NORMAL General user A User who is identified and
authorized and not granted
the administrative role.
U.ADMIN System administrator A User who is identified and
authorized and granted the
administrative role.
(In the TOE, the Key Operator
and SAs are U.ADMIN. They
are collectively referred to as
U.ADMIN in this ST.)
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 6 - Copyright
2019 by Fuji Xerox Co., Ltd
Logical Scope and Boundary
The logical boundary of the TOE includes all security functions related to function types provided
by the TOE as described in section 1.3.1 and 1.3.4.
Figure 2 shows the logical architecture of the TOE.
Among the functions within the logical boundary, the ones without underlines are basic functions
and the ones with underlines are security functions.
Figure 2 TOE Logical Boundary
Basic Functions
(1) Print: The MFD receives a digital document sent from the client computer of a general user.
The received document is converted into a hard copy in accordance with the request from
the control panel.
TOE
General user
system
d
System
administrator
client
・Web browser
General user
client
・Printer driver
・Web browser
Identification and
authentication
Trusted
communications
Access control
Security
management
Logical boundary
Print
Copy
Fax
Public
telephone line
Scan
PSTN fax-network
separation
Mail server
Audit server
Data encryption
Data clearing
Document storage
and retrieval
Security Audit
Trusted operation
Client
computer for
maintenance
with
Windows 10
・Firmware
update tool
HDD/NVRAM1/NVRAM2/SEEPROM
Document
data
Audit
log data
Used
document
data
TOE
setting
data
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 7 - Copyright
2019 by Fuji Xerox Co., Ltd
(2) Scan: The MFD scans the document on the scanner in accordance with the request from
the control panel and converts the document into a digital document. The TOE has
functions to send the converted document to the mail server and to store the document in
a Mailbox with the document storage and retrieval.
(3) Copy: The MFD copies the document on the scanner in accordance with the request from
the control panel.
(4) PSTN fax send: The MFD scans the document on the scanner in accordance with the
request from the control panel, sends the document data to the PSTN fax receiver through
PSTN using a standard PSTN fax protocol.
(5) PSTN fax receive: The MFD receives fax document data sent from the sender through PSTN
and stores the data in a specific Mailbox using the document storage and retrieval
function.
(6) Document storage and retrieval: Digital documents stored in a Mailbox are printed out or
sent to general user clients in response to requests by the control panel or general user
clients. In the TOE, documents to be stored in a Mailbox are scanned documents with the
scan function and received documents with the PSTN fax receive function.
Security Functions
The TOE provides with the following security functions to support the basic functions described in
1.4.2.1.
(1) Identification and Authentication
User identification and authentication ensure that functions of the MFD are accessible
only to users who have been authorized by an Administrator. User identification and
authentication is also used as the basis for access control and administrative roles and
helps associate security-relevant events and MFD use with specific users. Identification
and authentication is performed by the MFD.
When a user fails to be authenticated for multiple times, authentication cannot be
performed anymore.
Among the products that constitute the TOE, ApeosPort series supports local
authentication and remote authentication, but only local authentication is selected in the
TOE settings.
(2) Access Control
Access controls ensure that documents, information related to document processing, and
security-relevant data are accessible only to users who have appropriate access
permissions.
(3) Data Encryption
Data encryption ensures that the data and communications data stored in the TOE is not
accessed by a third party.
・ By policy, data encryption is also used to protect documents and confidential system
information on field-replaceable nonvolatile storage devices to protect such data if such
a device is removed from the MFD.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 8 - Copyright
2019 by Fuji Xerox Co., Ltd
・ The effectiveness of data encryption is assured through the use of internationally
accepted cryptographic algorithms.
(4) Trusted Communications
Trusted communications protect communication data in the internal network such as
document data, job information, security audit log data, and TOE setting data.
The TOE supports general encrypted communication protocols (TLS/HTTPS and TLS).
(5) Security Management
Role-based access controls ensure that the ability to refer to and configure the security
settings of the TOE from the control panel or a system administrator client is available
only to users who have been authorized with an administrator role.
(6) Security Audit
Information about when a function is operated by whom and important events of TOE
such as device failure, configuration change, and user operation are transferred to the
audit server and recorded as security audit log data. The data is encrypted by HTTPS
protocol when transferred.
(7) Trusted Operation
Software updates to the MFD are verified to ensure the authenticity of the software
before applying the update. The MFD performs self-tests to ensure that its operation is
not disrupted by some detectable malfunctions.
(8) PSTN Fax-Network Separation
PSTN fax-network separation ensures that the PSTN fax modem is not used to create a
data bridge between the PSTN and the LAN.
(9) Data Clearing
Used document data stored in the internal storage is overwritten after any of the
functions such as copy, print, and scan is completed.
Physical Boundary of the TOE
The physical boundary of the TOE is the whole MFD. The TOE does not include options and add-
ons that are not relevant to security, such as finishers. Physical configuration elements of the TOE
are described in Tables 2 to 4.
The Fax Kit is an option board that makes the fax function available to devices that do not offer
the fax function as a standard function. If a device has the fax function as an option, the Fax Kit
needs to be purchased and attached to the device so that the fax function becomes available.
The interfaces to connect personal storage devices (portable flash memory devices, etc.) to the
MFD are disabled.
For the combinations of physical components that configure each TOE, see “Appendix 1. Target
models configuration table.”
Some product codes represent more than one product name. In such cases, the product name
depends on the settings configured by the Customer Engineer after the MFD is delivered.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 9 - Copyright
2019 by Fuji Xerox Co., Ltd
Table 2 Physical Configuration Elements (MFD)
Product code Version Format Delivery
method
Names of corresponding
products
NC100559 Controller ROM
Ver.1.1.14, Fax
ROM Ver.2.2.1
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C2273 PFS
DocuCentre-VII C3373 PFS
ApeosPort-VII C2273 PFS
ApeosPort -VII C3373 PFS
NC100560 Controller ROM
Ver.1.1.14, Fax
ROM Ver.2.2.1
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C4473 PFS
DocuCentre-VII C5573 PFS
ApeosPort-VII C4473 PFS
ApeosPort -VII C5573 PFS
NC100561 Controller ROM
Ver.1.1.14, Fax
ROM Ver.2.2.1
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C6673 PFS
DocuCentre-VII C7773 PFS
ApeosPort-VII C6673 PFS
ApeosPort -VII C7773 PFS
NC100562 Controller ROM
Ver.1.1.14, Fax
ROM Ver.2.2.1
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C3373 PFS-2TS
NC100563 Controller ROM
Ver.1.1.14, Fax
ROM Ver.2.2.1
Hardware incorporated
with a binary firmware
Courier ApeosPort -VII C5573 PFS-
2TS
TC101310 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C2273 CPS w/
4TM
TC101311 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C3372 CPS w/
4TM
TC101312 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C3373 CPS w/
4TM
TC101313 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C4473 CPS
w/ 4TM
TC101314 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C5573 CPS
w/ 4TM
TC101315 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C4473 CPS w/
4TM
TC101316 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C5573 CPS w/
4TM
TC101320 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C2273 CPS w/
TTM
TC101321 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C3372 CPS w/
TTM
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 10 - Copyright
2019 by Fuji Xerox Co., Ltd
TC101322 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C3373 CPS w/
TTM
TC101323 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C4473 CPS
w/ TTM
TC101324 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C5573 CPS
w/ TTM
TC101325 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C4473 CPS w/
TTM
TC101326 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C5573 CPS w/
TTM
TC101327 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C6673 CPS
w/ TTM
TC101328 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier DocuCentre-VII C7773 CPS
w/ TTM
TC101329 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C6673 CPS w/
TTM
TC101330 Controller ROM
Ver.1.1.14
Hardware incorporated
with a binary firmware
Courier ApeosPort-VII C7773 CPS w/
TTM
Table 3 Physical Components That Configure the TOE (the Fax Kit)
Product code Version Format Delivery method Product name
EC103747 Fax ROM Ver.2.2.1 Hardware incorporated
with a binary firmware
Courier Fax Kit 3
Table 4 Physical Components That Configure the TOE (guidance)
Guidance code Format Delivery method Guidance name
ME8355J1-2 HTML file in a DVD Courier (included in
package with MFD)
ApeosPort-VII
C7773/C6673/C5573/C4473/
C3373/C2273,
DocuCentre-VII
C7773/C6673/C5573/C4473/
C3373/C2273 User Guide
ME8390J1-
1_20191009
PDF file in a DVD Courier (included in
package with MFD)
ApeosPort-VII
C7773/C6673/C5573/C4473/
C3373/C2273,
DocuCentre-VII
C7773/C6673/C5573/C4473/
C3373/C2273 Security Function
Supplementary Guide
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 11 - Copyright
2019 by Fuji Xerox Co., Ltd
ME8351E2-2 PDF file in a DVD Courier (included in
package with MFD)
ApeosPort-VII
C7773/C6673/C5573/C4473/
C3373/C3372/C2273,
DocuCentre-VII
C7773/C6673/C5573/C4473/
C3373/C3372/C2273
User Guide
ME8390E2-
1_20191009
PDF file in a DVD Courier (included in
package with MFD)
ApeosPort-VII
C7773/C6673/C5573/C4473/
C3373/C3372/C2273,
DocuCentre-VII
C7773/C6673/C5573/C4473/
C3373/C3372/C2273 Security
Function Supplementary Guide
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 12 - Copyright
2019 by Fuji Xerox Co., Ltd
2. CONFORMANCE CLAIM
2.1. CC Conformance Claim
This ST and TOE claim conformance to the following versions of CC:
Common Criteria for Information Technology Security Evaluation
Part 1: Introduction and general model (April 2017 Version 3.1 Revision 5)
Part 2: Security functional components (April 2017 Version 3.1 Revision 5)
Part 3: Security assurance components (April 2017 Version 3.1 Revision 5)
CC Part2 extended
CC Part3 conformant
2.2. PP claim, Package Claim
PP Claim
This ST claims exact conformance to the following HCD-PP.
Title: Protection Profile for Hardcopy Devices
Version: 1.0 dated September 10, 2015
Errata: Protection Profile for Hardcopy Devices – v1.0 Errata #1, June 2017
Package Claim
This Security Target and TOE do not claim package conformance.
Conformance Rationale
This ST and TOE satisfy the conditions required by the PP.
The TOE type conforms to the PP because this ST and TOE satisfy the following conditions required
by the PP and claim exact conformance to the PP.
• Required Uses
Printing, scanning, copying, network communications, administration
• Conditionally Mandatory Uses
PSTN faxing, storage and retrieval, field-replaceable nonvolatile storage.
• Optional Uses
Image overwrite
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 13 - Copyright
2019 by Fuji Xerox Co., Ltd
3. SECURITY PROBLEM DEFINITION
This chapter describes the threats, organizational security policies, and the assumptions for the use of the
TOE.
3.1. Threats
Assets Protected by TOE
The TOE protects the following assets.
Table 5 Assets for User Data
Designation User Data type Definition
D.USER.DOC User Document Data Information contained in a User’s
Document, in electronic or hardcopy form
D.USER.JOB User Job Data Information related to a User’s Document
or Document Processing Job
Table 6 Assets for TSF Data
Designation TSF Data type Definition
D.TSF.PROT Protected TSF Data TSF Data for which alteration by a User
who is neither the data owner nor in an
Administrator role might affect the
security of the TOE, but for which
disclosure is acceptable
D.TSF.CONF Confidential TSF Data TSF Data for which either disclosure or
alteration by a User who is neither the
data owner nor in an Administrator role
might affect the security of the TOE
Threats
Table 7 identifies the threats addressed by the TOE.
Table 7 Threats
Designation Definition
T.UNAUTHORIZED_ACCESS An attacker may access (read, modify, or delete) User
Document Data or change (modify or delete) User Job Data in
the TOE through one of the TOE’s interfaces.
T.TSF_COMPROMISE An attacker may gain Unauthorized Access to TSF Data in the
TOE through one of the TOE’s interfaces.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 14 - Copyright
2019 by Fuji Xerox Co., Ltd
T.TSF_FAILURE A malfunction of the TSF may cause loss of security if the TOE
is permitted to operate.
T.UNAUTHORIZED_UPDAT
E
An attacker may cause the installation of unauthorized
software on the TOE.
T.NET_COMPROMISE An attacker may access data in transit or otherwise
compromise the security of the TOE by monitoring or
manipulating network communication.
3.2. Organizational Security Policies
Table 8 describes the organizational security policies the TOE must comply with.
Table 8 Organizational Security Policies
Designation Definition
P.AUTHORIZATION Users must be authorized before performing Document
Processing and administrative functions.
P.AUDIT Security-relevant activities must be audited, and the log of
such actions must be protected and transmitted to an External
IT Entity.
P.COMMS_PROTECTION The TOE must be able to identify itself to other devices on the
LAN.
P.STORAGE_ENCRYPTION
(conditionally mandatory)
If the TOE stores User Document Data or Confidential TSF
Data on Field-Replaceable Nonvolatile Storage Devices, it will
encrypt such data on those devices.
P.KEY_MATERIAL
(conditionally mandatory)
Cleartext keys, submasks, random numbers, or any other values
that contribute to the creation of encryption keys for Field-
Replaceable Nonvolatile Storage of User Document Data or
Confidential TSF Data must be protected from unauthorized
access and must not be stored on that storage device.
P.FAX_FLOW
(conditionally mandatory)
If the TOE provides a PSTN fax function, it will ensure
separation between the PSTN fax line and the LAN.
P.IMAGE_OVERWRITE
(optional)
Upon completion or cancellation of a Document Processing
job, the TOE shall overwrite residual image data from its Field-
Replaceable Nonvolatile Storage Devices.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 15 - Copyright
2019 by Fuji Xerox Co., Ltd
3.3. Assumptions
Table 9 describes the assumptions for the performance, operation, and use of the TOE.
Table 9 Assumptions
Designation Definition
A.PHYSICAL Physical security, commensurate with the value of the TOE and
the data it stores or processes, is assumed to be provided by
the environment.
A.NETWORK The Operational Environment is assumed to protect the TOE
from direct, public access to its LAN interface.
A.TRUSTED_ADMIN TOE Administrators are trusted to administer the TOE
according to site security policies.
A.TRAINED_USERS Authorized Users are trained to use the TOE according to site
security policies.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 16 - Copyright
2019 by Fuji Xerox Co., Ltd
4. Security Objectives
This chapter describes the security objectives for the TOE and for the environment and the rationale.
Table 10 defines the security objectives for the TOE environment.
Table 10 Security Objectives for the TOE Environment
Designation Definition
OE.PHYSICAL_PROTECTION The Operational Environment shall provide physical security,
commensurate with the value of the TOE and the data it stores
or processes.
OE.NETWORK_PROTECTIO
N
The Operational Environment shall provide network security to
protect the TOE from direct, public access to its LAN interface.
OE.ADMIN_TRUST The TOE Owner shall establish trust that Administrators will not
use their privileges for malicious purposes.
OE.USER_TRAINING The TOE Owner shall ensure that Users are aware of site
security policies and have the competence to follow them.
OE.ADMIN_TRAINING The TOE Owner shall ensure that Administrators are aware of
site security policies and have the competence to use
manufacturer’s guidance to correctly configure the TOE and
protect passwords and keys accordingly.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 17 - Copyright
2019 by Fuji Xerox Co., Ltd
5. EXTENDED COMPONENTS DEFINITION
Extended components in this section are defined in HCD-PP.
5.1. Extended Functional Requirements Definition
Class FAU: Security Audit
FAU_STG_EXT Extended: External Audit Trail Storage
Family Behavior:
This family defines requirements for the TSF to ensure that secure transmission of audit data from TOE to
an External IT Entity.
Component leveling:
FAU_STG_EXT.1 External Audit Trail Storage requires the TSF to use a trusted channel implementing a
secure protocol.
Management:
The following actions could be considered for the management functions in FMT:
• The TSF shall have the ability to configure the cryptographic functionality.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FAU_STG_EXT.1 Protected Audit Trail Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity
using a trusted channel according to FTP_ITC.1.
Rationale:
The TSF is required that the transmission of generated audit data to an External IT Entity which relies on
a non-TOE audit server for storage and review of audit records. The storage of these audit records and the
ability to allow the administrator to review these audit records is provided by the Operational Environment
in that case. The Common Criteria does not provide a suitable SFR for the transmission of audit data to
an External IT Entity.
FAU_STG_EXT.1 Extended: External Audit Trail Storage interfaces 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 18 - Copyright
2019 by Fuji Xerox Co., Ltd
This extended component protects the audit records, and it is therefore placed in the FAU class with a
single component.
Class FCS: Cryptographic Support
FCS_CKM_EXT Extended: Cryptographic Key Management
Family Behavior:
This family addresses the management aspects of cryptographic keys. Especially, this extended
component is intended for cryptographic key destruction.
Component leveling:
FCS_CKM_EXT.4 Cryptographic Key Material Destruction ensures not only keys but also key materials that
are no longer needed are destroyed by using an approved method.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FCS_CKM_EXT.4 Cryptographic Key Material Destruction
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for
asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation
(Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private cryptographic keys and
cryptographic critical security parameters when no longer needed.
Rationale:
Cryptographic Key Material Destruction is to ensure the keys and key materials that are no longer needed
are destroyed by using an approved method, and the Common Criteria does not provide a suitable SFR for
the Cryptographic Key Material Destruction.
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction 4
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 19 - Copyright
2019 by Fuji Xerox Co., Ltd
This extended component protects the cryptographic key and key materials against exposure, and it is
therefore placed in the FCS class with a single component.
FCS_HTTPS_EXT Extended: HTTPS selected
Family Behavior:
Components in this family define requirements for protecting remote management sessions between the
TOE and a Security Administrator. This family describes how HTTPS will be implemented. This is a new
family defined for the FCS Class.
Component leveling:
FCS_HTTPS_EXT.1 HTTPS selected, requires that HTTPS be implemented according to RFC 2818 and
supports TLS.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• Failure of HTTPS session establishment
FCS_HTTPS_EXT.1 HTTPS selected
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_HTTPS_EXT.1.
Rationale:
HTTPS is one of the secure communication protocols, and the Common Criteria does not provide a suitable
SFR for the communication protocols using cryptographic algorithms.
This extended component protects the communication data using cryptographic algorithms, and it is
therefore placed in the FCS class with a single component.
FCS_KYC_EXT Extended: Cryptographic Operation (Key Chaining)
FCS_HTTPS_EXT.1 Extended: HTTPS selected
Destruction interfaces
1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 20 - Copyright
2019 by Fuji Xerox Co., Ltd
Family Behavior:
This family provides the specification to be used for using multiple layers of encryption keys to ultimately
secure the protected data encrypted on the storage.
Component leveling:
FCS_KYC_EXT.1 Key Chaining, requires the TSF to maintain a key chain and specifies the characteristics
of that chain.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FCS_KYC_EXT.1 Key Chaining
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(e) Cryptographic operation (Key
Wrapping),
FCS_SMC_EXT.1 Extended: Submask Combining,
FCS_COP.1(i) Cryptographic operation (Key Transport), FCS_KDF_EXT.1 Cryptographic Operation
(Key Derivation), and/or
FCS_COP.1(f) Cryptographic operation (Key
Encryption)].
FCS_KYC_EXT.1.1 The TSF shall maintain a key chain of: [selection: one, using a submask as the BEV or
DEK; intermediate keys originating from one or more submask(s) to the BEV or DEK using the following
method(s): [selection: key wrapping as specified in FCS_COP.1(e), key combining as specified in
FCS_SMC_EXT.1, key encryption as specified in FCS_COP.1(f), key derivation as specified in
FCS_KDF_EXT.1, key transport as specified in FCS_COP.1(i)]] while maintaining an effective strength of
[selection: 128-bit and 256-bit].
Rationale:
Key Chaining ensures that the TSF maintains the key chain, and also specifies the characteristics of that
chain. However, the Common Criteria does not provide a suitable SFR for the management of multiple
layers of encryption key to protect encrypted data.
This extended component protects the TSF data using cryptographic algorithms, and it is therefore placed
in the FCS class with a single component.
FCS_KYC_EXT.1 Extended: Key Chaining 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 21 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_RBG_EXT Extended: Cryptographic Operation (Random Bit Generation)
Family Behavior:
This family defines requirements for random bit generation to ensure that it is performed in accordance
with selected standards and seeded by an entropy source.
Component leveling:
FCS_RBG_EXT.1 Random Bit Generation requires random bit generation to be performed in accordance
with selected standards and seeded by an entropy source.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FCS_RBG_EXT.1 Random Bit Generation
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance
with [selection: ISO/IEC 18031:2011, NIST SP 800-90A] using [selection: Hash_DRBG (any), HMAC_DRBG
(any), CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy
from [selection: [assignment: number of software-based sources] software-based noise source(s),
[assignment: number of hardware-based sources] hardware-based noise source(s)] with a minimum of
[selection: 128 bits, 256 bits] of entropy at least equal to the greatest security strength, according to
ISO/IEC 18031:2011 Table C.1 “Security strength table for hash functions”, of the keys and hashes that it
will generate.
Rationale:
Random bits/number will be used by the SFRs for key generation and destruction, and the Common Criteria
does not provide a suitable SFR for the random bit generation.
This extended component ensures the strength of encryption keys, and it is therefore placed in the FCS
class with a single component.
FCS_RBG_EXT.1 Extended: Random Bit Generation 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 22 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_TLS_EXT Extended: TLS selected
Family Behavior:
This family addresses the ability for a server and/or a client to use TLS to protect data between a client
and the server using the TLS protocol.
Component leveling:
FCS_TLS_EXT.1 TLS selected, requires the TLS protocol implemented as specified.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• Failure of TLS session establishment
FCS_TLS_EXT.1 Extended: TLS selected
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for
asymmetric keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric
encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification)
FCS_COP.1(c) Cryptographic Operation (Hash
Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-
hash message authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation
(Random Bit Generation)
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC
2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following cipher suites:
Mandatory cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA
Optional cipher suites:
FCS_TLS_EXT.1 Extended: TLS selected 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 23 - Copyright
2019 by Fuji Xerox Co., Ltd
[selection:
None
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_ SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
].
Rationale:
TLS is one of the secure communication protocols, and the Common Criteria does not provide a suitable
SFR for the communication protocols using cryptographic algorithms.
This extended component protects the communication data using cryptographic algorithms, and it is
therefore placed in the FCS class with a single component.
Class FDP: User Data Protection
FDP_DSK_EXT Extended: Protection of Data on Disk
Family Behavior:
This family is to mandate the encryption of all protected data written to the storage.
Component leveling:
FDP_DSK_EXT.1 Extended: Protection of Data on Disk, requires the TSF to encrypt all the Confidential
TSF and User Data stored on the Field-Replaceable Nonvolatile Storage Devices in order to avoid storing
these data in plaintext on the devices.
FDP_DSK_EXT.1 Extended: Protection of Data on Disk 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 24 - Copyright
2019 by Fuji Xerox Co., Ltd
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FDP_DSK_EXT.1 Protection of Data on Disk
Hierarchical to: No other components.
Dependencies: FCS_COP.1(d) Cryptographic operation (AES Data
Encryption/Decryption)
FDP_DSK_EXT.1.1 The TSF shall [selection: perform encryption in accordance with FCS_COP.1(d), use a
self-encrypting Field-Replaceable Nonvolatile Storage Device that is separately CC certified to conform to
the FDE EE cPP] such that any Field- Replaceable Nonvolatile Storage Device contains no plaintext User
Document Data and no plaintext confidential TSF Data.
FDP_DSK_EXT.1.2 The TSF shall encrypt all protected data without user intervention.
Rationale:
Extended: Protection of Data on Disk is to specify that encryption of any confidential data without user
intervention, and the Common Criteria does not provide a suitable SFR for the Protection of Data on Disk.
This extended component protects the Data on Disk, and it is therefore placed in the FDP class with a
single component.
FDP_FXS_EXT Extended: Fax Separation
Family Behavior:
This family addresses the requirements for separation between PSTN fax line and the LAN to which TOE is
connected.
Component leveling:
FDP_FXS_EXT.1 Fax Separation, requires the fax interface cannot be used to create a network bridge
between a PSTN and the LAN to which TOE is connected.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
FDP_FXS_EXT.1 Extended: Fax Separation 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 25 - Copyright
2019 by Fuji Xerox Co., Ltd
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FDP_FXS_EXT.1 Fax separation
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or
receiving User Data using fax protocols.
Rationale:
Fax Separation is to protect a LAN against attack from PSTN line, and the Common Criteria does not
provide a suitable SFR for the Protection of TSF or User Data.
This extended component protects the TSF Data or User Data, and it is therefore placed in the FDP class
with a single component.
Class FIA: Identification and Authentication
FIA_PMG_EXT Extended: Password Management
Family Behavior:
This family defines requirements for the attributes of passwords used by administrative users to ensure
that strong passwords and passphrases can be chosen and maintained.
Component leveling:
FIA_PMG _EXT.1 Password management requires the TSF to support passwords with varying composition
requirements, minimum lengths, maximum lifetime, and similarity constraints.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FIA_PMG _EXT.1 Password management
FIA PMG EXT.1 Extended: Password Management 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 26 - Copyright
2019 by Fuji Xerox Co., Ltd
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_PMG _EXT.1.1 The TSF shall provide the following password management capabilities for User
passwords:
Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and
the following special characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”, [assignment: other
characters]];
Minimum password length shall be settable by an Administrator, and have the capability to require
passwords of 15 characters or greater.
Rationale:
Password Management is to ensure the strong authentication between the endpoints of communication,
and the Common Criteria does not provide a suitable SFR for the Password Management.
This extended component protects the TOE by means of password management, and it is therefore placed
in the FIA class with a single component.
Class FPT: Protection of the TSF
FPT_KYP_EXT Extended: Protection of Key and Key Material
Family Behavior:
This family addresses the requirements for keys and key materials to be protected if and when written to
nonvolatile storage.
Component leveling:
FPT_KYP_EXT.1 Extended: Protection of key and key material, requires the TSF to ensure that no plaintext
key or key materials are written to nonvolatile storage.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FPT_KYP_EXT.1 Protection of Key and Key Material
Hierarchical to: No other components.
FPT_KYP_EXT.1 Extended: Protection of key and key material 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 27 - Copyright
2019 by Fuji Xerox Co., Ltd
Dependencies: No dependencies.
FPT_KYP_EXT.1.1 The TSF shall not store plaintext keys that are part of the keychain specified by
FCS_KYC_EXT.1 in any Field-Replaceable Nonvolatile Storage Device, and not store any such plaintext key
on a device that uses the key for its encryption.
Rationale:
Protection of Key and Key Material is to ensure that no plaintext key or key material are written to
nonvolatile storage, and the Common Criteria does not provide a suitable SFR for the protection of key
and key material.
This extended component protects the TSF data, and it is therefore placed in the FPT class with a single
component.
FPT_SKP_EXT Extended: Protection of TSF Data
Family Behavior:
This family addresses the requirements for managing and protecting the TSF data, such as cryptographic
keys. This is a new family modelled as the FPT Class.
Component leveling:
FPT_SKP_EXT.1 Protection of TSF Data (for reading all symmetric keys), requires preventing symmetric
keys from being read by any user or subject. It is the only component of this family.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FPT_SKP_EXT.1 Protection of TSF Data
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.
Rationale:
Protection of TSF Data is to ensure the pre-shared keys, symmetric keys and private keys are protected
securely, and the Common Criteria does not provide a suitable SFR for the protection of such TSF data.
FPT_SKP_EXT.1 Extended: Protection of TSF Data 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 28 - Copyright
2019 by Fuji Xerox Co., Ltd
This extended component protects the TOE by means of strong authentication using Pre- shared Key, and
it is therefore placed in the FPT class with a single component.
FPT_TST_EXT Extended: TSF testing
Family Behavior:
This family addresses the requirements for self-testing the TSF for selected correct operation.
Component leveling:
FPT_TST_EXT.1 TSF testing requires a suite of self-testing to be run during initial start-up in order to
demonstrate correct operation of the TSF.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FPT_TST_EXT.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to
demonstrate the correct operation of the TSF.
Rationale:
TSF testing is to ensure the TSF can be operated correctly, and the Common Criteria does not provide a
suitable SFR for the TSF testing. There is no SFR defined for TSF testing.
This extended component protects the TOE, and it is therefore placed in the FPT class with a single
component.
FPT_TUD_EXT Extended: Trusted Update
Family Behavior:
This family defines requirements for the TSF to ensure that only administrators can update the TOE
firmware/software, and that such firmware/software is authentic.
Component leveling:
FPT_TST_EXT.1 Extended: TSF testing 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 29 - Copyright
2019 by Fuji Xerox Co., Ltd
FPT_TUD_EXT.1 Trusted Update, ensures authenticity and access control for updates.
Management:
The following actions could be considered for the management functions in FMT:
• There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
• There are no auditable events foreseen.
FPT_TUD_EXT.1 Trusted Update
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification), or
FCS_COP.1(c) Cryptographic operation (Hash
Algorithm)].
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current version
of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE
firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a
digital signature mechanism and [selection: published hash, no other functions] prior to installing those
updates.
Rationale:
Firmware/software is a form of TSF Data, and the Common Criteria does not provide a suitable SFR for the
management of firmware/software. In particular, there is no SFR defined for importing TSF Data.
This extended component protects the TOE, and it is therefore placed in the FPT class with a single
component.
FPT_TUD_EXT.1 Extended: Trusted Update 1
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 30 - Copyright
2019 by Fuji Xerox Co., Ltd
6. SECURITY REQUIREMENTS
This chapter describes the security functional requirements, security assurance requirements, and security
requirement rational.
6.1. Notation
Bold typeface indicates the portion of an SFR that has been completed or refined in HCD-PP, relative to
the original SFR definition in Common Criteria Part 2 or to its Extended Component Definition.
Bold italic typeface indicates the portion of an SFR that has been partially completed or refined in HCD-
PP. It also must be selected and/or completed in this ST.
Underlined bold italic typeface in parentheses that follows underlined bold typeface indicates the
portion of an SFR that has been partially completed in HCD-PP and refined in this ST.
Italic typeface indicates the text within an SFR that must be selected and/or completed in this ST.
Gray italic typeface indicates the text within an SFR that has not been selected in this ST.
Underlined italic typeface indicates the text within an SFR that has been assigned in this ST.
The definition of SFR components followed by (a), (b)… is as described in the PP. SFR components followed
by (a1), (a2)… represent required iterations of iterations.
6.2. Security Functional Requirements
Security functional requirements provided by the TOE are described below.
Class FAU: Security Audit
FAU_GEN.1 Audit data generation
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the
following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) All auditable events specified in Table 11, [assignment: no
other auditable events].
FAU_GEN.1.2 The TSF shall record within each audit record at least the
following information:
a) Date and time of the event, type of event, subject identity (if
applicable), and the outcome (success or failure) of the event;
and
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 31 - Copyright
2019 by Fuji Xerox Co., Ltd
b) For each audit event type, based on the auditable event
definitions of the functional components included in the PP/ST,
additional information specified in Table 11, [assignment: no
other relevant information].
Table 11 Auditable Events
Auditable Events Relevant SFR Additional
Information
Job completion FDP_ACF.1 Type of job
Unsuccessful User authentication FIA_UAU.1 None
Unsuccessful User identification FIA_UID.1 None
Use of management functions FMT_SMF.1 None
Modification to the group of Users that
are part of a role
FMT_SMR.1 None
Changes to the time FPT_STM.1 None
Failure to establish session FTP_ITC.1,
FTP_TRP.1(a),
FTP_TRP.1(b)
Reason for
failure
FAU_GEN.2 User identity association
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the
TSF shall be able to associate each auditable event with the
identity of the user that caused the event.
FAU_STG_EXT.1 Extended: External Audit Trail Storage
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel.
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to
an External IT Entity using a trusted channel according to
FTP_ITC.1.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 32 - Copyright
2019 by Fuji Xerox Co., Ltd
Class FCS: Cryptographic Support
FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification), or
FCS_COP.1(i) Cryptographic operation (Key Transport)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_CKM.1.1(a) Refinement: The TSF shall generate asymmetric cryptographic
keys used for key establishment in accordance with
[selection:
• NIST Special Publication 800-56A, “Recommendation for
Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography” for finite field-based key
establishment schemes;
• NIST Special Publication 800-56A, “Recommendation for
Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography” for elliptic curve-based key
establishment schemes and implementing “NIST curves” P-
256, P-384 and [selection: P-521, no other curves] (as
defined in FIPS PUB 186-4, “Digital Signature Standard”)
• NIST Special Publication 800-56B, “Recommendation for
Pair-Wise Key Establishment Schemes Using Integer
Factorization Cryptography” for RSA-based key
establishment schemes
] and specified cryptographic key sizes equivalent to, or
greater than, a symmetric key strength of 112 bits.
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(a) Cryptographic Operation (Symmetric
encryption/decryption), or
FCS_COP.1(d) Cryptographic Operation (AES Data
Encryption/Decryption), or
FCS_COP.1(e) Cryptographic Operation (Key Wrapping), or
FCS_COP.1(f) Cryptographic operation (Key Encryption), or
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 33 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_COP.1(g) Cryptographic Operation (for keyed-hash
message authentication), or
FCS_COP.1(h) Cryptographic Operation (for keyed-hash
message authentication)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random
Bit Generation)
FCS_CKM.1.1(b) Refinement: The TSF shall generate symmetric cryptographic
keys using a Random Bit Generator as specified in
FCS_RBG_EXT.1 and specified cryptographic key sizes
[selection: 128-bit, 256-bit] that meet the following: No
Standard.
FCS_CKM.4 Cryptographic key destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION,
O.PURGE_DATA)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM.4.1 Refinement: The TSF shall destroy cryptographic keys in
accordance with a specified cryptographic key destruction
method [selection:
For volatile memory, the destruction shall be executed by
[selection: powering off a device, [assignment: other
mechanism that ensures keys are destroyed]].
For nonvolatile storage, the destruction shall be executed by
a [selection: single, three or more times] overwrite of key
data storage location consisting of [selection: a pseudo
random pattern using the TSF’s RBG (as specified in
FCS_RBG_EXT.1), a static pattern], followed by a [selection:
read-verify, none]. If read-verification of the overwritten
data fails, the process shall be repeated again;
] that meets the following: [selection: NIST SP800-88, no
standard].
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 34 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_CKM_EXT.4 Cryptographic Key Material Destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION,
O.PURGE_DATA)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric
Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private
cryptographic keys and cryptographic critical security
parameters when no longer needed.
FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(a) Refinement: The TSF shall perform encryption and decryption
in accordance with a specified cryptographic algorithm AES
operating in [assignment: CBC, GCM] and cryptographic key
sizes 128-bits and 256-bits that meets the following:
FIPS PUB 197, “Advanced Encryption Standard (AES)”
[Selection: NIST SP 800-38A, NIST SP 800-38B, NIST SP 800-
38C, NIST SP 800-38D]
FCS_COP.1(b1) Cryptographic Operation (for signature
generation/verification)
(for O.UPDATE VERIFICATION)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
keys)
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(b1) Refinement: The TSF shall perform cryptographic signature
services in accordance with a [selection:
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 35 - Copyright
2019 by Fuji Xerox Co., Ltd
-Digital Signature Algorithm (DSA) with key sizes (modulus)
of [assignment: 2048 bits or greater],
RSA Digital Signature Algorithm (rDSA) with key sizes
(modulus) of [assignment: 2048 bits or greater], or
-Elliptic Curve Digital Signature Algorithm (ECDSA) with key
sizes of [assignment: 256 bits or greater]]
that meets the following [selection:
Case: Digital Signature Algorithm FIPS PUB 186-4, “Digital
Signature Standard”
Case: RSA Digital Signature Algorithm FIPS PUB 186-4,
“Digital Signature Standard”
Case: Elliptic Curve Digital Signature Algorithm FIPS PUB
186-4, “Digital Signature Standard”
The TSF shall implement “NIST curves” P-256, P384 and
[selection: P521, no other curves] (as defined in FIPS PUB
186-4, “Digital Signature Standard”).
].
FCS_COP.1(b2) Cryptographic Operation (for signature
generation/verification)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
keys)
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(b2) Refinement: The TSF shall perform cryptographic signature
services in accordance with a [selection:
-Digital Signature Algorithm (DSA) with key sizes (modulus) of
[assignment: 2048 bits or greater],
RSA Digital Signature Algorithm (rDSA) with key sizes
(modulus) of [assignment: 2048 bits, 3072 bits], or
-Elliptic Curve Digital Signature Algorithm (ECDSA) with key
sizes of [assignment: 256 bits, 384bits, 521bits]]
that meets the following [selection:
Case: Digital Signature Algorithm FIPS PUB 186-4, “Digital
Signature Standard”
Case: RSA Digital Signature Algorithm FIPS PUB 186-4,
“Digital Signature Standard”
Case: Elliptic Curve Digital Signature Algorithm FIPS PUB
186-4, “Digital Signature Standard”
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 36 - Copyright
2019 by Fuji Xerox Co., Ltd
The TSF shall implement “NIST curves” P-256, P384 and
[selection: P521, no other curves] (as defined in FIPS PUB
186-4, “Digital Signature Standard”).
].
FCS_COP.1(c1) Cryptographic operation (Hash Algorithm)
(selected in FPT_TUD_EXT.1.3, or with FCS_SNI_EXT.1.1)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_COP.1.1(c1) Refinement: The TSF shall perform cryptographic hashing
services in accordance with [selection: SHA-1, SHA-256, SHA-
384, SHA-512] that meet the following: [ISO/IEC 10118-
3:2004].
FCS_COP.1(c2) Cryptographic operation (Hash Algorithm)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_COP.1.1(c2) Refinement: The TSF shall perform cryptographic hashing
services in accordance with [selection: SHA-1, SHA-256, SHA-
384, SHA-512] that meet the following: [ISO/IEC 10118-
3:2004].
FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption)
(for O. STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(d) The TSF shall perform data encryption and decryption in
accordance with a specified cryptographic algorithm AES used
in [selection: CBC, GCM, XTS] mode and cryptographic key
sizes [selection: 128 bits, 256 bits] that meet the following:
AES as specified in ISO/IEC 18033-3, [selection: CBC as
specified in ISO/IEC 10116, GCM as specified in ISO/IEC
19772, and XTS as specified in IEEE1619].
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 37 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_COP.1(f) Cryptographic operation (Key Encryption)
(selected from FCS_KYC_EXT.1.1)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(f) Refinement: The TSF shall perform key encryption and
decryption in accordance with a specified cryptographic
algorithm AES used in [[selection: CBC, GCM] mode] and
cryptographic key sizes [selection: 128 bits, 256 bits] that
meet the following: [AES as specified in ISO /IEC 18033-3,
[selection: CBC as specified in ISO/IEC 10116, GCM as
specified in ISO/IEC 19772].
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message
authentication)
(selected with FCS_IPSEC_EXT.1.4)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(g) Refinement: The TSF shall perform keyed-hash message
authentication in accordance with a specified cryptographic
algorithm HMAC-[selection: SHA-1, SHA-224, SHA-256, SHA-
384, SHA-512], key size [assignment: 160, 256, 384], and
message digest sizes [selection: 160, 224, 256, 384, 512] bits
that meet the following: FIPS PUB 198-1, "The Keyed-Hash
Message Authentication Code, and FIPS PUB 180-3, “Secure
Hash Standard.”
FCS_HTTPS_EXT.1 HTTPS selected
(selected in FTP_ITC.1.1, FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FCS_TLS_EXT.1 Extended: TLS selected
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies
with RFC 2818.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 38 - Copyright
2019 by Fuji Xerox Co., Ltd
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in
FCS_TLS_EXT.1.
FCS_KYC_EXT.1 Key Chaining
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(e) Cryptographic operation (Key Wrapping), or
FCS_SMC_EXT.1 Extended: Submask Combining, or
FCS_COP.1(f) Cryptographic operation (Key Encryption), or
FCS_KDF_EXT.1 Cryptographic Operation (Key Derivation),
and/or
FCS_COP.1(i) Cryptographic operation (Key Transport)]
FCS_KYC_EXT.1.1 The TSF shall maintain a key chain of: [selection: one, using a
submask as the BEV or DEK; intermediate keys originating from
one or more submask(s) to the BEV or DEK using the following
method(s): [selection: key wrapping as specified in
FCS_COP.1(e), key combining as specified in FCS_SMC_EXT.1,
key encryption as specified in FCS_COP.1(f), key derivation as
specified in FCS_KDF_EXT.1, key transport as specified in
FCS_COP.1(i)]] while maintaining an effective strength of
[selection: 128 bits, 256 bits].
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
(for O.STORAGE_ENCRYPTION and O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation
services in accordance with [selection: ISO/IEC 18031:2011,
NIST SP 800-90A] using [selection: Hash_DRBG (any),
HMAC_DRBG (any), CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by at least one entropy
source that accumulates entropy from [selection:
[assignment:1] software-based noise source(s), [assignment:
number of hardware-based sources] hardware-based noise
source(s)] with a minimum of [selection: 128 bits, 256 bits] of
entropy at least equal to the greatest security strength,
according to ISO/IEC18031:2011 Table C.1 “Security Strength
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 39 - Copyright
2019 by Fuji Xerox Co., Ltd
Table for Hash Functions”, of the keys and hashes that it will
generate.
FCS_TLS_EXT.1 TLS selected
(selected in FTP_ITC.1.1, FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric
encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification)
FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash
message authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random
Bit Generation)
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following
protocols [selection: TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346),
TLS 1.2 (RFC 5246)] supporting the following cipher suites:
Mandatory Ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA
Optional Ciphersuites:
[selection:
None
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_ SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 40 - Copyright
2019 by Fuji Xerox Co., Ltd
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
].
Class FDP: User Data Protection
FDP_ACC.1 Subset access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute-based access control
FDP_ACC.1.1 Refinement: The TSF shall enforce the User Data Access Control
SFP on subjects, objects, and operations among subjects and
objects specified in Table 12 and Table 13.
FDP_ACF.1 Security attribute-based access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1 Refinement: The TSF shall enforce the User Data Access
Control SFP to objects based on the following: subjects, objects,
and attributes specified in Table 12 and Table 13.
FDP_ACF.1.2 Refinement: The TSF shall enforce the following rules to
determine if an operation among controlled subjects and
controlled objects is allowed: rules governing access among
controlled subjects and controlled objects using controlled
operations on controlled objects specified in Table 12 and
Table 13.
FDP_ACF.1.3 Refinement: The TSF shall explicitly authorize access of
subjects to objects based on the following additional rules:
[assignment: none].
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 41 - Copyright
2019 by Fuji Xerox Co., Ltd
FDP_ACF.1.4 Refinement: The TSF shall explicitly deny access of subjects to
objects based on the following additional rules: [assignment:
none].
Table 12 D.USER.DOC Access Control SFP
"Create" "Read" "Modify" "Delete"
Print
Operation:
Submit a
document to be
printed
View image or
Release
printed output
Modify
stored
document
Delete
stored
document
Job owner (note 1) denied
U.ADMIN denied
U.NORMAL denied Denied denied
Unauthenticated denied denied denied denied
Scan
Operation:
Submit a
document for
scanning
View scanned
image
Modify
stored
image
Delete
stored
image
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
Copy
Operation:
Submit a
document for
copying
View scanned
image or
Release
printed copy
output
Modify
stored
image
Delete
stored
image
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
Fax send
Operation:
Submit a
document to
send as a fax
View scanned
image
Modify
stored
image
Delete
stored
image
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied denied
Unauthenticated Denied denied denied denied
Fax receive
Operation:
Receive a fax
and store it
View fax
image or
Release
printed fax
output
Modify
image of
received fax
Delete
image of
received
fax
Fax owner (note 3) denied
U.ADMIN (note 4) denied
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 42 - Copyright
2019 by Fuji Xerox Co., Ltd
U.NORMAL (note 4) denied denied denied
Unauthenticated (note 4) denied denied denied
Storage /
Retrieval Operation: Store document
Retrieve stored
document
Modify
stored
document
Delete
stored
document
Job owner (note 1) denied
U.ADMIN (note 5) denied (note 5)
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
Table 13 D.USER.JOB Access Control SFP
"Create" * "Read" "Modify" "Delete"
Print
Operation: Create print job
View print
queue/log
Modify print
job
Cancel
print job
Job owner (note 1)
U.ADMIN
U.NORMAL denied denied
Unauthenticated denied denied denied denied
Scan
Operation: Create scan job
View scan
status/log
Modify scan
job
Cancel scan
job
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied
Unauthenticated Denied denied denied denied
Copy
Operation: Create copy job
View copy
status/log
Modify copy
job
Cancel copy
job
Job owner (note 2)
U.ADMIN
U.NORMAL denied denied
Unauthenticated Denied denied denied denied
Fax send
Operation:
Create fax send
job
View fax job
status/log
Modify fax
send job
Cancel fax
send job
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied
Unauthenticated Denied denied denied denied
Fax receive
Operation:
Create fax receive
job
View fax
receive
status/log
Modify fax
receive job
Cancel fax
receive job
Fax owner (note 3) denied
U.ADMIN (note 4) denied
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 43 - Copyright
2019 by Fuji Xerox Co., Ltd
U.NORMAL (note 4) denied denied
Unauthenticated (note 4) denied denied denied
Storage /
Retrieval
Operation:
Create storage /
retrieval job
View storage
/ retrieval log
Modify
storage /
retrieval job
Cancel
storage /
retrieval
job
Job owner (note 1) denied
U.ADMIN denied
U.NORMAL denied denied
Unauthenticated denied denied denied denied
Note 1: Job Owner is identified by a credential or assigned to an authorized User as part of the process of
submitting a print or storage Job.
Note 2: Job Owner is assigned to an authorized User as part of the process of initiating a scan, copy, fax
send, or retrieval Job.
Note 3: Job Owner of received faxes is assigned by configuration. Ownership of received faxes is assigned
to a specific user.
Note 4: PSTN faxes are received from outside of the TOE, they are not initiated by Users of the TOE.
Note 5: Key Operator can operate the DOC/JOB of all users, while SA can operate the DOC/JOB of his/her
own only.
FDP_DSK_EXT.1 Protection of Data on Disk
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(d) Cryptographic operation (AES Data
Encryption/Decryption).
FDP_DSK_EXT.1.1 The TSF shall [selection: perform encryption in accordance with
FCS_COP.1(d), use a self-encrypting Field-Replaceable
Nonvolatile Storage Device that is separately CC certified to
conform to the FDE EE cPP], such that any Field- Replaceable
Nonvolatile Storage Device contains no plaintext User
Document Data and no plaintext Confidential TSF Data.
FDP_DSK_EXT.1.2 The TSF shall encrypt all protected data without user
intervention.
FDP_FXS_EXT.1 Fax separation
(for O.FAX_NET_SEPARATION)
Hierarchical to: No other components.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 44 - Copyright
2019 by Fuji Xerox Co., Ltd
Dependencies: No dependencies.
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface,
except transmitting or receiving User Data using fax protocols.
FDP_RIP.1(a) Subset residual information protection
(for O.IMAGE_OVERWRITE)
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_RIP.1.1(a) Refinement: The TSF shall ensure that any previous
information content of a resource is made unavailable by
overwriting data upon the deallocation of the resource from
the following objects: D.USER.DOC.
Class FIA: Identification and Authentication
FIA_AFL.1 Authentication failure handling
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: 5], an
administrator configurable positive integer within [assignment:
range of acceptable values]] unsuccessful authentication
attempts occur related to [assignment: User authentication
(with local authentication)].
FIA_AFL.1.2 When the defined number of unsuccessful authentication
attempts has been [selection: met, surpassed], the TSF shall
[assignment: Identification and authentication of relevant user
is inhibited until TOE is cycled.].
FIA_ATD.1 User attribute definition
(for O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: No dependencies.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 45 - Copyright
2019 by Fuji Xerox Co., Ltd
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes
belonging to individual users: [assignment: User Identifier, User
Role].
FIA_PMG_EXT.1 Password Management
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_PMG_EXT.1.1 The TSF shall provide the following password management
capabilities for user passwords:
・ Passwords shall be able to be composed of any combination
of upper and lower case letters, numbers, and the following
special characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”,
“*”, “(“, “)”, [assignment: ” (space)”, “””, “’”, “+”, “,”, “-“, “/”, “:”,
“;”, “<”, “=”, “>”, “?”, “[“, “¥”, “]”, “_”, “`”, “{“, “|”, “}”, “~”]];
・ Minimum password length shall be settable by an
Administrator, and have the capability to require
passwords of 15 characters or greater;
FIA_UAU.1 Timing of authentication
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 Refinement: The TSF shall allow [assignment: storing the fax
data received from public telephone line] on behalf of the
user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully
authenticated before allowing any other TSF-mediated
actions on behalf of that user.
FIA_UAU.7 Protected authentication feedback
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: Web UI: ●, Local UI:
asterisks] to the user while the authentication is in progress.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 46 - Copyright
2019 by Fuji Xerox Co., Ltd
FIA_UID.1 Timing of identification
(for O.USER_I&A and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 Refinement: The TSF shall allow [assignment: storing the fax
data received from public telephone line] on behalf of the
user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified
before allowing any other TSF-mediated actions on behalf
of that user.
FIA_USB.1 User-subject binding
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes
with subjects acting on the behalf of that user: [assignment:
User Identifier, User Role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial
association of user security attributes with subjects acting
on the behalf of users: [assignment: none].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes
to the user security attributes associated with subjects
acting on the behalf of users: [assignment: none].
Class FMT: Security Management
FMT_MOF.1 Management of security functions behavior
(for O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 Refinement: The TSF shall restrict the ability to [selection:
determine the behavior of, disable, enable, modify the
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 47 - Copyright
2019 by Fuji Xerox Co., Ltd
behavior of] the functions [assignment: List of security
functions in Table 14] to U.ADMIN.
Table 14 List of Security Functions
Function Operation
User Authentication enable, disable
Auditing enable, disable
Trusted communications enable, disable, modify
the behavior
Storage Data Encryption enable, disable
Hard Disk Data cleaning enable, disable, modify
the behavior
Firmware update enable, disable
Self Test enable, disable
FMT_MSA.1 Management of security attributes
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 Refinement:The TSF shall enforce the User Data Access
Control SFP to restrict the ability to [selection:
change_default, query, modify, delete, [assignment:
creation]] the security attributes [assignment: the security
attributes listed in Table 15] to [assignment: the roles listed
in Table 15].
Table 15 Security Attributes and Authorized Roles
Security attributes Operation Role
User identifier (Key Operator case) modify Key Operator
User identifier (General case) modify,
delete, creation
U.ADMIN
User Role (Key Operator case) query Key Operator
User Role (General case) query, modify U.ADMIN
FMT_MSA.3 Static attribute initialization
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 48 - Copyright
2019 by Fuji Xerox Co., Ltd
FMT_SMR.1 Security roles
FMT_MSA.3.1 Refinement:The TSF shall enforce the User Data Access
Control SFP to provide [selection, choose one of: restrictive,
permissive, [assignment: none]] default values for security
attributes that are used to enforce the SFP.
FMT_MSA.3.2 Refinement:The TSF shall allow the [selection: U.ADMIN, no
role] to specify alternative initial values to override the
default values when an object or information is created.
FMT_MTD.1 Management of TSF data
(for O.ACCESS CONTROL)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 Refinement: The TSF shall restrict the ability to perform the
specified operations on the specified TSF Data to the
roles specified in Table 16.
Table 16 Management of TSF Data
Data Operation Authorized Role(s)
TSF Data owned by U.NORMAL or associated with documents or jobs owned by
U.NORMAL.
U.NORMAL password modify U.ADMIN, the
owning
U.NORMAL.
TSF Data not owned by a U.NORMAL
Key Operator password modify U.Admin (Key
Operator)
SA password modify U.ADMIN
Data on use of password entered from
MFD control panel in user
authentication
query, modify U.ADMIN
Data on minimum user password
length
query, modify U.ADMIN
Data on Store Print query, modify U.ADMIN
Data on access denial due to
authentication failure
query, modify U.ADMIN
Data on Customer Engineer operation
restriction
query, modify U.ADMIN
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 49 - Copyright
2019 by Fuji Xerox Co., Ltd
Data on date and time query, modify U.ADMIN
Data on Auto Clear query, modify U.ADMIN
Data on Report Print query, modify U.ADMIN
Software, firmware, and related configuration data
Controller ROM,
Fax ROM
modify U.ADMIN
FMT_SMF.1 Specification of Management Functions
(for O.USER_AUTHORIZATION, O.ACCESS_CONTROL, and
O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following
management functions: [assignment: Security Management
Functions listed in Table 17].
Table 17 Security Management Functions
Management Functions Operation
Registration of U.NORMAL/SA query, modify, delete
creation
Data on user authentication query, modify
Key Operator identifier modify
Key Operator password modify
Data on use of password entered from MFD
control panel in user authentication
query, modify
Data on Store Print query, modify
Data on trusted communications query, modify
Data on date and time query, modify
Data on auditing query, modify
Data on storage data encryption query, modify
Data on hard disk data cleaning query, modify
Data on Customer Engineer operation
restriction
query, modify
Data on Self Test query, modify
Data on access denial due to authentication
failure
query, modify
Data on minimum user password length query, modify
Data on Auto Clear query, modify
Data on firmware update query, modify
Data on Report Print query, modify
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 50 - Copyright
2019 by Fuji Xerox Co., Ltd
FMT_SMR.1 Security roles
(for O.ACCESS_CONTROL, O.USER_AUTHORIZATION, and
O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 Refinement: The TSF shall maintain the roles U.ADMIN
(U.ADMIN, SA, Key Operator), U.NORMAL.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Class FPT: Protection of the TSF
FPT_KYP_EXT.1 Protection of Key and Key Material
(for O.KEY_MATERIAL)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_KYP_EXT.1.1 Refinement: The TSF shall not store plaintext keys that are part
of the keychain specified by FCS_KYC_EXT.1 in any Field-
Replaceable Nonvolatile Storage Device.
FPT_SKP_EXT.1 Protection of TSF Data
(for O.COMMS PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric
keys, and private keys.
FPT_STM.1 Reliable time stamps
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 51 - Copyright
2019 by Fuji Xerox Co., Ltd
FPT_TST_EXT.1 TSF testing
(for O.TSF_SELF_TEST)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and
power on) to demonstrate the correct operation of the TSF.
FPT_TUD_EXT.1 Trusted Update
(for O.UPDATE_VERIFICATION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification),
FCS_COP.1(c) Cryptographic operation (Hash Algorithm).
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to
query the current version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to
initiate updates to TOE firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software
updates to the TOE using a digital signature mechanism and
[selection: published hash, no other functions] prior to
installing those updates.
Class FTA: TOE Access
FTA_SSL.3 TSF-initiated termination
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a
[assignment:
Auto Clear time for the control panel: 10 to 900 seconds
Login timeout for the Web UI: 6 to 240 minutes
There is no inactive time with printer driver
].
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 52 - Copyright
2019 by Fuji Xerox Co., Ltd
Class FTP: Trusted Paths/Channels
FTP_ITC.1 Inter-TSF trusted channel
(for O.COMMS_PROTECTION, O.AUDIT)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or FCS_TLS_EXT.1
Extended: TLS selected, or FCS_SSH_EXT.1 Extended: SSH
selected, or FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_ITC.1.1 Refinement: The TSF shall use [selection: IPsec, SSH, TLS,
TLS/HTTPS] to provide a trusted communication channel
between itself and authorized IT entities supporting the
following capabilities: [selection: authentication server,
[assignment: Audit Log Server, Mail Server]] that is logically
distinct from other communication channels and provides
assured identification of its end points and protection of the
channel data from disclosure and detection of modification of
the channel data.
FTP_ITC.1.2 Refinement: The TSF shall permit the TSF, or the authorized IT
entities, to initiate communication via the trusted channel
FTP_ITC.1.3 Refinement: The TSF shall initiate communication via the
trusted channel for [assignment: mail service, and audit
transmission service].
FTP_TRP.1(a) Trusted path (for Administrators)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(a) Refinement: The TSF shall use [selection, choose at least one
of: IPsec, SSH, TLS, TLS/HTTPS] to provide a trusted
communication path between itself and remote administrators
that is logically distinct from other communication paths and
provides assured identification of its end points and protection
of the communicated data from disclosure and detection of
modification of the communicated data.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 53 - Copyright
2019 by Fuji Xerox Co., Ltd
FTP_TRP.1.2(a) Refinement: The TSF shall permit remote administrators to
initiate communication via the trusted path
FTP_TRP.1.3(a) Refinement: The TSF shall require the use of the trusted path for
initial administrator authentication and all remote
administration actions.
FTP_TRP.1(b) Trusted path (for Non-administrators)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(b) Refinement : The TSF shall use [selection, choose at least one
of: IPsec, SSH, TLS, TLS/HTTPS] to provide a trusted
communication path between itself and remote users that is
logically distinct from other communication paths and provides
assured identification of its end points and protection of the
communicated data from disclosure and detection of
modification of the communicated data.
FTP_TRP.1.2(b) Refinement: The TSF shall permit [selection: the TSF, remote
users] to initiate communication via the trusted path
FTP_TRP.1.3(b) Refinement: The TSF shall require the use of the trusted path for
initial user authentication and all remote user actions.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 54 - Copyright
2019 by Fuji Xerox Co., Ltd
6.3. Security Assurance Requirements
The requirements for the TOE security assurance are described in Table 18.
Table 18 Security Assurance Requirements
Assurance Class Assurance
Components
Assurance Components
Description
Security Target Evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components
definition
ASE_INT.1 ST introduction
ASE_OBJ.1 Security objectives for the
operational environment
ASE_REQ.1 Stated security requirements
ASE_SPD.1 Security Problem Definition
ASE_TSS.1 TOE Summary Specification
Development ADV_FSP.1 Basic functional specification
Guidance Documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Life-cycle support ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
Tests
ATE_IND.1
Independent testing –
Conformance
Vulnerability assessment AVA_VAN.1 Vulnerability survey
The rationale for choosing these security assurance requirements is that they define a minimum security
baseline that is based on the anticipated threat level of the attacker, the security of the Operational
Environment in which the TOE is deployed, and the relative value of the TOE itself.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 55 - Copyright
2019 by Fuji Xerox Co., Ltd
6.4. Security Requirement Rationale
Dependencies of Security Functional Requirements
Table 19 describes the functional requirements that security functional requirements depend on
and those that do not and the reason why it is not problematic even if dependencies are not
satisfied.
Table 19 Dependencies of Functional Security Requirements
Functional Requirements Dependencies of Functional Requirements
Requirement and its name Requirement specified in PP
Un-fulfilled
requirement and its
rationale
Fulfilme
nt
FAU_GEN.1
Audit data generation
FPT_STM.1 - OK
FAU_GEN.2
User identity association
FAU_GEN.1
FIA_UID.1
- OK
FAU_STG_EXT.1
Extended: External audit trail
storage
FAU_GEN.1
FTP_ITC.1
- OK
FCS_CKM.1(a)
Cryptographic key generation
(asymmetric keys)
[FCS_COP.1(b), or
FCS_COP.1(i)]
FCS_CKM_EXT.4
- OK
FCS_CKM.1(b)
Cryptographic key generation
(symmetric keys)
[FCS_COP.1(a), or
FCS_COP.1(d), or
FCS_COP.1(e), or
FCS_COP.1(f), or
FCS_COP.1(g), or
FCS_COP.1(h)]
FCS_CKM_EXT.4
FCS_RBG_EXT.1
- OK
FCS_CKM.4
Cryptographic key destruction
[FCS_CKM.1(a), or
FCS_CKM.1(b)]
- OK
FCS_CKM_EXT.4
Extended: Cryptographic key
material destruction
[FCS_CKM.1(a), or
FCS_CKM.1(b)]
FCS_CKM.4
- OK
FCS_COP.1(a)
Cryptographic operation
(symmetric
encryption/decryption)
FCS_CKM.1(b)
FCS_CKM_EXT.4
- OK
FCS_COP.1(b)
Cryptographic operation
(signature
generation/verification)
FCS_CKM.1(a)
FCS_CKM_EXT.4
- OK
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 56 - Copyright
2019 by Fuji Xerox Co., Ltd
Functional Requirements Dependencies of Functional Requirements
Requirement and its name Requirement specified in PP
Un-fulfilled
requirement and its
rationale
Fulfilme
nt
FCS_COP.1(c)
Cryptographic operation (hash
algorithm)
None - OK
FCS_COP.1(d)
Cryptographic operation (AES
data encryption/decryption)
CS_CKM.1(b)
FCS_CKM_EXT.4
- OK
FCS_COP.1(f)
Cryptographic operation (key
encryption)
CS_CKM.1(b)
FCS_CKM_EXT.4
- OK
FCS_COP.1(g)
Cryptographic operation (for
keyed-hash message
authentication)
CS_CKM.1(b)
FCS_CKM_EXT.4
- OK
FCS_HTTPS_EXT.1
Extended: HTTPS selected
FCS_TLS_EXT.1 - OK
FCS_KYC_EXT.1
Extended: Key chaining
[FCS_COP.1(e), or
FCS_SMC_EXT.1, or
FCS_COP.1(i), or
FCS_KDF_EXT.1, and/or
FCS_COP.1(f)]
- OK
FCS_RBG_EXT.1
Extended: Cryptographic
operation (random bit
generation)
None -
FCS_TLS_EXT.1
Extended: TLS selected
FCS_CKM.1(a)
FCS_COP.1(a)
FCS_COP.1(b)
FCS_COP.1(c)
FCS_COP.1(g)
FCS_RBG_EXT.1
- OK
FDP_ACC.1
Subset access control
FDP_ACF.1 - OK
FDP_ACF.1
Security attribute-based access
control
FDP_ACC.1
FMT_MSA.3
- OK
FDP_DSK_EXT.1
Extended: Protection of data on
disk
FCS_COP.1(d) - OK
FDP_FXS_EXT.1 None -
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 57 - Copyright
2019 by Fuji Xerox Co., Ltd
Functional Requirements Dependencies of Functional Requirements
Requirement and its name Requirement specified in PP
Un-fulfilled
requirement and its
rationale
Fulfilme
nt
Extended: Fax separation
FDP_RIP.1(a)
Subset residual information
protection
None -
FIA_AFL.1
Authentication failure handling
FIA_UAU.1 - OK
FIA_ATD.1
User attribute definition
None -
FIA_PMG_EXT.1
Extended: Password
management
None -
FIA_UAU.1
Timing of authentication
FIA_UID.1 - OK
FIA_UAU.7
Protected authentication
feedback
FIA_UAU.1 - OK
FIA_UID.1
Timing of authentication
None -
FIA_USB.1
User-subject binding
FIA_ATD.1 - OK
FMT_MOF.1
Management of security
functions behavior
FMT_SMF.1
FMT_SMR.1
- OK
FMT_MSA.1
Management of security
attributes
FDP_ACC.1
FMT_SMF.1
FMT_SMR.1
- OK
FMT_MSA.3
Static attribute initialization
FMT_MSA.1
FMT_SMR.1
- OK
FMT_MTD.1
Management of TSF data
FMT_SMF.1
FMT_SMR.1
- OK
FMT_SMF.1
Specification of management
functions
None -
FMT_SMR.1
Security roles
FIA_UID.1 - OK
FPT_KYP_EXT.1
Extended: Protection of key and
key material
None -
FPT_SKP_EXT.1 None -
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 58 - Copyright
2019 by Fuji Xerox Co., Ltd
Functional Requirements Dependencies of Functional Requirements
Requirement and its name Requirement specified in PP
Un-fulfilled
requirement and its
rationale
Fulfilme
nt
Extended: Protection of TSF
data
FPT_STM.1
Reliable time stamps
None -
FPT_TST_EXT.1
Extended: TSF testing
None -
FPT_TUD_EXT.1
Extended: Trusted update
FCS_COP.1(b)
FCS_COP.1(c)
- OK
FTA_SSL.3
TSF-initiated termination
None -
FTP_ITC.1
Inter-TSF trusted channel
[FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1]
- OK
FTP_TRP.1(a)
Trusted path (for
administrators)
[FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1]
- OK
FTP_TRP.1(b)
Trusted path (for non-
administrators)
[FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1]
- OK
Security Assurance Requirements Rationale
The rationale for choosing these security assurance requirements is that they define a minimum
security baseline that is based on the anticipated threat level of the attacker, the security of the
Operational Environment in which the TOE is deployed, and the relative value of the TOE itself. The
assurance activities throughout the ST are used to provide tailored guidance on the specific
expectations for completing the security assurance requirements.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 59 - Copyright
2019 by Fuji Xerox Co., Ltd
7. TOE Summary Specification
This chapter describes the summary specifications of the security functions provided by the TOE.
7.1. Security Functions
Table 20 shows security functional requirements and the corresponding TOE security functions.
The security functions described in this section satisfy the TOE security functional requirements specified
in section 6.1 of this ST.
Table 20 Security Functional Requirements and the Corresponding TOE Security Functions
Security functions
Identification
and
authentication
Security
audit
Access
control
Security
management
Trusted
operation
Data
encryption
Trusted
communications
PSTN
fax-network
separation
Data
clearing
SFRs
FAU_GEN.1 
FAU_GEN.2 
FAU_STG_EXT.1 
FCS_CKM.1(a) 
FCS_CKM.1(b) 
FCS_CKM.4 
FCS_CKM_EXT.4 
FCS_COP.1(a) 
FCS_COP.1(b1) 
FCS_COP.1(b2) 
FCS_COP.1(c1) 
FCS_COP.1(c2) 
FCS_COP.1(d) 
FCS_COP.1(f) 
FCS_COP.1(g) 
FCS_HTTPS_EXT.1 
FCS_KYC_EXT.1 
FCS_RBG_EXT.1  
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 60 - Copyright
2019 by Fuji Xerox Co., Ltd
Security functions
Identification
and
authentication
Security
audit
Access
control
Security
management
Trusted
operation
Data
encryption
Trusted
communications
PSTN
fax-network
separation
Data
clearing
SFRs
FCS_TLS_EXT.1 
FDP_ACC.1 
FDP_ACF.1 
FDP_DSK_EXT.1 
FDP_FXS_EXT.1 
FDP_RIP.1(a) 
FIA_AFL.1 
FIA_ATD.1 
FIA_PMG_EXT.1 
FIA_UAU.1 
FIA_UAU.7 
FIA_UID.1 
FIA_USB.1 
FMT_MOF.1 
FMT_MSA.1 
FMT_MSA.3 
FMT_MTD.1  
FMT_SMF.1  
FMT_SMR.1 
FPT_KYP_EXT.1 
FPT_SKP_EXT.1 
FPT_STM.1 
FPT_TST_EXT.1 
FPT_TUD_EXT.1 
FTA_SSL.3 
FTP_ITC.1 
FTP_TRP.1(a) 
FTP_TRP.1(b) 
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 61 - Copyright
2019 by Fuji Xerox Co., Ltd
Identification and Authentication
Identification and authentication ensure that functions of the MFD are accessible only to users
who have permissions. A user needs to enter his/her ID and password from the MFD control panel
or CWIS/Printer Driver of the user client.
User information registered in the MFD is used for identification and authentication.
(1) FIA_AFL.1 Authentication failure handling
The TOE provides a function to handle the authentication failures for the user
authentication performed before the user accesses the TOE. This function detects the
failure of local authentication performed by the user. When the number of unsuccessful
authentication attempts of the user reaches 5 times, which is set as the allowable
number of failures, the TOE does not accept authentication operation of the user until
the TOE is powered off/on.
(2) FIA_ATD.1 User attribute definition
FIA_USB.1 User-subject binding
The TOE defines a user ID and a role as an attribute for each user and assign the
attributes to authenticated users.
(3) FIA_PMG_EXT.1 Password Management
In the TOE, user passwords for local authentication (when they are newly created or
changed) and the Key Operator’s password (when it is changed) are composed of any
combination of upper and lower case letters, numbers, and the following special
characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”, “(space)”, “””, “’”, “+”, “,”, “-
“, “/”, “:”, “;”, “<”, “=”, “>”, “?”, “[”, “¥”, “]”, “_”, “`”, “{“, “|”, “}”, “~”]
A system administrator can set the minimum length of the password between 0 to 63.
Because of this, the TOE can require passwords of 15 characters or greater.
(4) FIA_UAU.1 Timing of authentication
FIA_UID.1 Timing of identification
The TOE supports local authentication as the user identification and authentication
method.
There are four types of interfaces that require user identification and authentication: the
control panel, web browser of the user client, printer driver, and audit server.
The TOE requests a user to enter his/her ID and password via web browser of a user client
or the control panel before permitting him/her to operate the MFD function. The entered
user ID and password are verified against the data registered in the TOE.
The audit server prepares a PowerShell script in which system administrators’ IDs and
passwords are written, and the script is executed on the audit server. Then the audit
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 62 - Copyright
2019 by Fuji Xerox Co., Ltd
server sends the IDs and passwords to the TOE via https, and the TOE performs
identification and authentication according to the IDs and passwords.
When Store Print is performed, identification and authentication are performed based on
the ID and password assigned to the print data from the client computer.
The identification (FIA_UID.1) and authentication (FIA_UAU.1) are simultaneously
performed, and the operation on the TOE is allowed only when both of the identification
and authentication succeed.
When receiving fax data via the public telephone line, the TOE receives the fax data
without user identification and authentication.
(5) FIA_UAU.7 Protected authentication feedback
The TOE provides a function to display the same number of symbols* as the password
characters entered on the control panel or web browser in order to hide the password at
the time of user authentication.
* Asterisks (*) on the control panel and bullets (●) on the web browser.
(6) FTA_SSL.3 TSF-initiated termination
The TOE clears the login (authentication session) and requests re-authentication if there
is no access to CWIS from web browser for a specified period of time (settable from 6 to
240 mins).
In addition, when there is no operation from the control panel for a specified period of
time (settable from 10 to 900 seconds), the setting on the control panel is cleared and
the screen returns to the authentication screen.
The session with the printer driver is not retained. The session ends immediately after a
print request is processed.
Security Audit
Auditable events including important events of the TOE, such as device failure, configuration
change, and user operation, are traced and recorded based on when and who operated what
function in accordance with the Security Audit Log setting, which is configured by a system
administrator in the system administrator mode. All the TOE users are the targets of this audit log.
(1) FAU_GEN.1 Audit data generation
FAU_GEN.2 User identity association
The TOE records auditable events shown in Table 21, such as job completion, user
identification and authentication failure, and use of security management functions by
identified and authenticated users, in the audit log. The date and time when the event
occurred, the type of the event, the user who caused the event (if known), and the result
of the event are recorded in the audit data of each event.
When the TOE records a defined auditable event in the audit log file, the TOE correlates
the event with the identification information of the user who caused the event.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 63 - Copyright
2019 by Fuji Xerox Co., Ltd
Table 21 Details of Security Audit Log
Auditable Events Logged Events Description Result
Start-up and
shutdown of the audit
functions
System Status Started normally
(cold boot)
-
Started normally
(warm boot)
Shutdown requested
Job completion Job Status Print Completed,
Canceled by User
Copy
Scan
Fax
Mailbox*1
Unsuccessful User
authentication
Unsuccessful User
identification
(control panel)
Login/Logout Login Failed
(Invalid UserID),
Failed
(Invalid Password)
Unsuccessful User
authentication
Unsuccessful User
identification
(CWIS and audit
server)
Login/Logout Login Failed Web User
Interface
Unsuccessful User
authentication
Unsuccessful User
identification
(printer driver)
Job Status Print Aborted
Use of management
functions
(When the user
queries or modifies
the security
management
functions in Table 17)
Device Settings View Security Setting Successful
Change Security Setting
Switch Authentication Mode
Edit User*2
Successful
Add User
Delete User
Audit Policy Audit Log Enable/Disable
Modification to the
group of Users that
are part of a role
Device Settings Edit User*3
Successful
Changes to the time Device Settings Adjust Time Successful
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 64 - Copyright
2019 by Fuji Xerox Co., Ltd
Failure to establish
session (TLS)
Communication Trusted Communications Failed
(Protocol,
communication
destination, and the
reason of failure are
stored)
*1) “Mailbox” means operation on documents stored in Mailbox.
*2) When “ID”, “Password”, and “Name” attributes are modified, the modification is recorded.
*3) When “Role” attribute is modified, the modification is recorded.
(2) FAU_STG_EXT.1 Extended: External Audit Trail Storage
The TOE records the defined auditable event in the internal storage of the TOE. Up to
15,049 events can be stored. When the number of recorded events exceeds 15,049, the
audit log file with the oldest time stamp is deleted, and a new auditable event is stored.
When an external audit server requests the TOE to send the security audit log data, the
TOE sends all stored data to the server as a tab-separated text file. The data is encrypted
with TLS/HTTPS.
Only authenticated system administrators can retrieve security audit log data.
(3) FPT_STM.1 Reliable time stamps
The TOE provides a function to issue the time stamp of TOE’s clock function when the
defined auditable event is recorded in the audit log file.
As specified in FMT_MTD.1, only system administrators can change the clock setting.
Access Control
Only the authenticated and identified user can use the following functions. Available functions
depend on the interface that accesses the TSF.
a) Functions controlled by the MFD control panel
Copy, fax (send), scan, document storage and retrieval, print (This print function requires
the Accounting System preset on printer driver. A user must be authenticated on the
control panel.), device condition display, job status and log display, and referring to /
changing the TOE setting data (system administrators only)
b) Functions controlled by CWIS
Device condition display, job status and log display, function to retrieve document data
from Mailbox, print function by file designation, and referring to / changing the TOE
setting data (system administrators only)
c)Functions that use the printer driver of the user client
When a user sends a print request from the printer driver of the user’s client in which the
Accounting System is preset, the MFD decomposes the received data into bitmap data
and stores the data in the internal HDD as private print according to the user ID if the
identification and authentication are successful.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 65 - Copyright
2019 by Fuji Xerox Co., Ltd
(1) FDP_ACC.1 Subset access control
FDP_ACF.1 Security attribute based access control
The TOE controls access to the jobs and document data of each basic function in
accordance with Tables 12 and 13. For the notes in brackets at the ends of the following
sentences, refer to the notes of Tables 12 and 13.
The user who started each function is assigned as the owner of the job and document
data of the function and only the owner or system administrators can access the job and
document data. However, only system administrators can access the data of a fax that is
being received and the data that is being transmitted from the client computer.
Regarding print jobs, a user ID is included in the print data sent by the client computer.
The owner of the print job is identified with the user ID (note 1).
Regarding scan, copy, and fax send jobs, the user associated with the user ID that is
logged in on the control panel is assigned as the job owner (note 2).
Regarding fax jobs that are in progress, system administrators are assigned as the job
owners because the user who started the fax send feature cannot be identified. (note 3)
Regarding the stored data of a received fax, the user ID associated with the Mailbox that
stores the data is assigned as the owner (note 3).
Because Jobs and data of received faxes are sent from outside of the TOE, no TOE user
can create jobs or data of received faxes. (note 4)
In the TOE, the document storage and retrieval functions specified in the PP is the
function to store/retrieve scanned documents to/from the Mailbox. When a user
stores/retrieves data to/from a Mailbox, the user has to be logged in beforehand. When a
user stores scanned documents in a Mailbox, the Key Operator can select the Mailbox
from all Mailboxes, while a general user can only select the user’s own Mailbox. After
selecting the Mailbox to store scanned documents, the user scans the documents. The
user who owns the selected Mailbox becomes the owner of the scanned documents (note
1). Only the owner of the data stored in the Mailbox or the Key Operator can retrieve,
print (and select the number of copies and the paper size), and delete the stored data.
Although SAs are included in system administrators, they cannot access the data in the
Mailboxes of other users (note 5).
None of print, scan, copy, fax send, fax receive, and document storage and retrieval
functions has a feature to edit document data.
Functions to modify the jobs of scan, fax send, and fax receive are not provided.
Security management
(1) FMT_MOF.1 Management of security functions behavior
FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialization
FMT_SMR.1 Security roles
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 66 - Copyright
2019 by Fuji Xerox Co., Ltd
The TOE provides identified and authenticated system administrators with user interfaces
to refer to and change settings of security management functions shown in Table 22 that
are related to the TOE security functions and to customize detailed settings of each
function.
Identified and authenticated general users can only change their own passwords.
As shown above, the required security management functions are satisfied.
As in Table 12 and Table 13, the TOE sets the ID of the user who started each basic
function as the default value of the ID of the owner of the job and document data of
each function. For details, refer to “7.1.3. Access Control (1) FDP_ACC.1 Subset access
control FDP_ACF.1 Security attribute based access control.”
The TOE associates the roles of the Key Operator, SA, system administrator, and general
user to the legitimate users and maintains the association.
In the TOE, the default value of the user role, which is a security attribute, is the general
user.
Table 22 Security management functions and their operationable UIs
Security management item Control panel CWIS
Refer to the setting of Hard Disk Data Overwrite, enable/disable it,
and set the number of pass (overwrite procedure)
 
Refer to the setting of Storage Data Encryption and
enable/disable it
 -
Refer to the setting of the use of password entered from MFD
control panel in user authentication and enable/disable it
 -
Refer to the setting of access denial due to authentication failure
of the user, enable/disable it, and set the allowable number of
failures
 
Set the ID and the password of the Key Operator (only the Key
Operator is privileged)
 
Refer to the setting of the ID of a user and change the ID and
password
Refer to the assigned role of the user and set SA or general user as
the role
 
Refer to and set the minimum password length  
Refer to the setting of communication data encryption,
enable/disable it, and configured the detailed settings.
 
Refer to the setting of TLS certificate and create/update the
certificate
- 
Refer to the setting of User Authentication and enable/disable
Local Authentication
 
Refer to the setting of Store Print and set store/print  -
Refer to and set date and time  -
Refer to the setting of Self Test and enable/disable it  -
Refer to the setting of firmware update and enable/disable it  -
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 67 - Copyright
2019 by Fuji Xerox Co., Ltd
Refer to and set Auto Clear of Control Panel and CWIS  -
Refer to the setting of Report Print and select whether to allow
only the system administrators / all users to use the function
 -
Refer to and set Customer Engineer Operation Restriction
(enable/disable the function and set password for maintenance)
 
Refer to the setting of the security audit function and
enable/disable it (When enabled, the security audit log data can
be sent to the audit server as a tab-separated text file.)
- 
(2) FPT_SKP_EXT.1 Protection of TSF Data
The TOE stores a KEK (Key Encryption Key) in plaintext in NVRAM2, but the TOE does not
provide an interface to read the KEK to any users. The circuit board which NVRAM2 is
soldered to is not for storage.
A DEK (Data Encryption Key) is encrypted with KEK in AES-CBC and is stored in NVRAM1
and HDD. The one in HDD is a backup.
When the TOE is turned on, the encrypted DEK stored in NVRAM1 is decrypted with a KEK
stored in NVRAM2. While the TOE is in operation, the DEK is stored in DRAM in plaintext.
The TOE does not provide an interface to read the plaintext DEK stored in DRAM to any
users. The plaintext DEK is destroyed when the TOE is turned off.
Certificates with secret keys used for TLS communications, etc. are encrypted with the
mechanism described in 7.1.6 (15) and stored in the HDD. The interface to read the
secret key is not provided to any users.
The TLS session key and TLS EC Diffie-Hellman secret key used for communication are
stored in the DRAM in plaintext, but the interface to read the plaintext session key stored
in the DRAM is not provided to any users. The plaintext session key is destroyed when the
TOE is turned off.
Trusted Operation
(1) FPT_TST_EXT.1 TSF testing
The TSF consists of two firmware: Controller ROM and Fax ROM. Verification of the
integrity of these two firmware guarantees the operation of the TSF.
When the TOE is turned on, Controller ROM and Fax ROM respectively calculate 4 bytes
and 2 bytes checksums to verify whether the checksums match the specified value. When
an error occurs, an error message is displayed on the control panel, and the TOE cancels
the startup. The TOE operates health tests described in [1]11.3 on the DRBG. When the
test is failed, the TOE displays an error message on the control panel and cancels the
startup. The specifications of the DRBG is described in 7.1.6.
(2) FPT_TUD_EXT.1 Trusted Update
FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of Management Functions
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 68 - Copyright
2019 by Fuji Xerox Co., Ltd
The system administrators can see the current version of the TOE firmware on the control
panel by operating it or on paper by printing the configuration report.
The system administrators can update the TOE firmware by using a firmware update tool.
The tool includes a binary file that contains Controller ROM and Fax ROM.
When the TOE receives a binary file that contains firmware sent from the firmware
update tool executed by the permission of a system administrator, the TOE verifies the
digital signature attached to the binary file. When the verification fails, the update is
cancelled, an error notification appears on the control panel, and the TOE stops. The
digital signature attached to the binary file is a RSASSA-PKCS1-v1.5 digital signature that
is made by hashing the binary file with SHA-256 and encrypting the hash value with a
2048-bit secret key. Therefore, in order to verify the digital signature, 1) decrypt the
digital signature attached to the binary file with the RSA public key for firmware
signature verification, 2) hash the binary file with SHA-256, and 3) compare the
decrypted value and the hash value. When the two values are the same, verification is
successful and if not, verification is failed.
Data Encryption
(1) FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
Elliptic curve cryptography described in [2] is applied to generate the asymmetric key
used for the key establishment (EC Diffie-Hellman) for TLS cryptographic protocol.
Methods to generate an elliptic curve-based key shall follow [3] 5.6.1.2.2 and [2]
Appendix B.4.2. TLS EC Diffie-Hellman secret key is a random number generated by AES-
256 CTR DRBG described in (14) seeded with values generated by Linux /dev/random.
Supported elliptic curves are P-256, P-384, and P-521 as described in [2] Appendix D, and
the elliptic curve to be used is decided in TLS negotiation.
The TOE uses elliptic curve cryptography described in [2] or RSA described in [4] to
generate an asymmetric key for the TLS server certificate. The asymmetric key is
generated on the user request from CWIS. Methods to generate an elliptic curve-based
key shall follow [3] 5.6.1.2.2 and [2] Appendix B.4.2. Methods to generate an RSA-based
key shall follow [4] 6.3.1.3. The prime number used in the procedure shall be created
following [2] B.3.3. Supported elliptic curves are P-256, P-384, and P-521 as described in
[2] Appendix D, and supported RSA key sizes are 2048-bit and 3072-bit. The user selects
one and requests to generate a key on CWIS. AES-256 CTR DRBG described in (14) is
used to generate random probable primes.
The TOE does not make any changes to the above key generation methods and does not
use any other methods.
(2) FCS_CKM.1(b) Cryptographic Key Generation (symmetric keys)
The TOE uses random numbers that consist of arbitrary number of bits for the DEK and
the session keys for trusted communications. Specifically, a 256-bit number for the DEK, a
256-bit number for the KEK to encrypt the DEK, a 128 to 256-bit number (depends on the
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 69 - Copyright
2019 by Fuji Xerox Co., Ltd
encryption method decided in the negotiation) for the master key of TLS session keys are
generated. For random number generation, AES-256 CTR DRBG described in (14) is used.
The DRGB is called when the key chain described in (12) is generated and when the TLS
communication session starts.
(3) FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4 Cryptographic Key Material Destruction
The TOE destroys plaintext keys and key materials when they are no longer needed (*).
Table 23 shows keys and key materials that are stored in the TOE in plaintext and how to
destroy them. These keys and materials are copied to the working memory of RAM when
an encryption is performed. The copied data on RAM is deleted when the TOE is turned
off because it is no longer needed.
(*) The DEK is stored in NVRAM1 and HDD, but it is not destroyed because it is encrypted
as described in (10). The asymmetric key for TLS server certificate described in (1) is
stored in the HDD, but it is not destroyed because it is encrypted with the mechanism
described in (15). The public key used for the verification of firmware signature is not
destroyed because it is not classified as either of secret key, private cryptographic key, or
cryptographic critical security parameter.
Table 23 Methods to destroy keys and key material stored in plaintext
(4) FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
The TOE supports AES-CBC described in [5] and AES-GCM (128-bit and 256-bit) described
in [6] for the symmetric encryption/decryption of TLS. AES follows [7].
(5) FCS_COP.1(b1) Cryptographic Operation (for signature generation/verification)
The TOE supports RSA digital signature described in [2] for the verification of the
authenticity of the firmware update. The key size is 2048-bit. The format of the signature
follows RSASSA-PKCS1-v1.5 described in [2] 5.5 (f).
(6) FCS_COP.1(b2) Cryptographic Operation (for signature generation/verification)
When verifying the target of TLS communication, the TOE generates RSA digital
signatures and elliptic curve digital signatures described in [2] and verifies with them.
Supported RSA key sizes are 2048-bit and 3072-bit. Supported NIST elliptic curves are
Key type Storage Destruction method
KEK (Key Encryption
Key)
NVRAM2 Overwritten once with the random value
generated using DRBG described in (14) when
the user requests mass delete from the
administrator menu on the control panel.
TLS session key RAM
(volatile)
Destroyed when the TOE is turned off.
TLS EC Diffie-Hellman
secret key
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 70 - Copyright
2019 by Fuji Xerox Co., Ltd
P256, P384, and P521. The format of the RSA digital signature follows RSASSA-PKCS1-
v1.5 described in [2] 5.5 (f). The methods of generation and verification of the elliptic
curve digital signature follows [2] 6.4.
(7) FCS_COP.1(c1) Cryptographic operation (Hash Algorithm)
The TOE uses SHA256 when hashing a firmware image file for the verification of the
authenticity of the firmware update. The TOE compares the SHA256 hash value and the
value of the signature decrypted with RSA to verify the signature. The hash algorithm
follows [8].
(8) FCS_COP.1(c2) Cryptographic operation (Hash Algorithm)
The TOE supports SHA1, SHA256, and SHA384 for the hash calculation in TLS. The hash
algorithms follow [8]. They are used for the calculation for the digest authentication of
keyed-hash message authentication described in (11) and digital signature
generation/verification.
(9) FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption)
The TOE supports AES described in [9] as the encryption method of DEK and supports
CBC described in [10] as the block cipher mode. The key size is 256-bit. The sector number
of the storage and the DEK are used to calculate the IV.
(10) FCS_COP.1(f) Cryptographic operation (Key Encryption)
As described in (12), the TOE encrypts DEK (256-bit) using AES described in [9]. The key
size is 256-bit. Supported block cipher mode is CBC described in [10]. IV is a random
number generated by AES-256 CTR DRBG described in (14).
(11) FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
The TOE supports the following for the keyed-hash message authentication of TLS.
・ Key size (bit): 160, 256, and 384
・ Hash: SHA-1, SHA-256, and SHA-384
・ Hash value length (bit): 160, 256, and 384
The hash algorithm follows [11], and the keyed-hash message authentication algorithm
(HMAC) follows [12].
(12) FCS_KYC_EXT.1 Key Chaining
In the TOE, the DEK and the KEK, which encrypts the DEK, are in a keychain. When the
TOE is turned on without DEK chain (more specifically, when the TOE is turned on for the
first time in the factory and when the TOE is turned on for the first time after mass delete
is performed on the system administrator menu on the control panel), the TOE generates
the DEK and KEK using DRBG described in (14). The DEK is encrypted with KEK as
described in (10) and stored in NVRAM1 and HDD, and the KEK is stored in NVRAM2 in
plaintext. When the TOE is turned on on other occasions, the TOE decrypts the encrypted
DEK stored in NVRAM1 with the KEK retrieved from NVRAM2 as described in (10). The
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 71 - Copyright
2019 by Fuji Xerox Co., Ltd
length of both DEK and KEK are 256-bit. As described in (14), DRBG has sufficient
amount of entropy, so the strength of both DEK and KEK is 256-bit, which means that the
256-bit strength is maintained in the key chain.
(13) FPT_KYP_EXT.1 Protection of Key and Key Material
As described in (12), when the TOE is turned on for the first time without DEK chain, the
TOE generates a DEK and a KEK using DRBG described later, stores the DEK encrypted
with KEK in NVRAM1 and HDD, and stores the KEK in NVRAM2 in plaintext. The DEK and
KEK are not stored in other storage. NVRAM2 is not a Field-Replaceable Nonvolatile
Storage Device, so plaintext keys that are part of the keychain specified by (12) is not
stored in any Field-Replaceable Nonvolatile Storage Device.
(14) FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
For random number generation, the TOE uses AES-256 CTR DRBG that follows [1]10.2.1.
This DRBG has derivation function and reseed function, but does not have prediction
resistance function. It uses a random number generated by Linux kernel /dev/random as
the seed. Linux Random Number Generator (LRNG), which provides /dev/random, and the
read noise of the clock counter, which is input in LRNG, are included in the entropy pool
of DRBG. The noise is created by a software so that the clock counter reads at random
timings. DRBG uses the seed provided by /dev/random as the entropy input and nonce,
but the amount of entropy is more than 256-bit × 1.5, which is sufficient according to [1]
8.6.7.
The TOE generates the DEK and the master key of TLS session keys using the DRBG.
(15) FDP_DSK_EXT.1 Protection of Data on Disk
The TOE encrypts/decrypts each data block in the storage device. For example, when a
file or metadata is written in the storage device, the data blocks that constitute the file or
metadata are written and encrypted. After that, the data blocks are written in the storage
device. Encryption method follows FCS_COP.1(d). The storage devices to be encrypted are
field-replaceable HDD and NVRAM1. There are no field-replaceable devices except for the
HDD and NVRAM1.
The encryption/decryption described above starts to be performed when the TOE is
turned on. As described in (12), the DEK to be used for encryption/decryption is generated
when the TOE is turned on without an encryption key chain.
All plaintext user data and plaintext secret TSF data are encrypted because they are
written in the partitions to be encrypted on the HDD and NVRAM1. The partitions not to
be encrypted on the HDD and NVRAM1 store only program images, control parameters,
and the DEK encrypted with KEK in the method specified in (10). Plaintext user data and
plaintext secret TSF data is not stored in those partitions. As described in (12), the DEK is
encrypted when the TOE is turned on without an encryption key chain. NVRAM2, which
stores the plaintext KEK, is not a field-replaceable storage device.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 72 - Copyright
2019 by Fuji Xerox Co., Ltd
Trusted Communications
(1) FCS_HTTPS_EXT.1 HTTPS selected
There is a setting that turns all communication traffic between the TOE and the web
browser and audit server into secure channels using HTTPS. Only system administrators
can change this setting, and it is performed on CWIS. HTTPS follows [13].
When the TOE receives a request to connect to CWIS from the web browser of a client
computer, the TOE and the client computer establish the TLS negotiation and start
HTTPS communication. Identification, authentication, and all remote operation on the
TOE through CWIS of the client computer are performed via HTTPS communication.
When the audit server the security audit log data, the TOE sends the data to the audit
server via HTTPS communication.
(2) FCS_TLS_EXT.1 TLS selected
The supported TLS communication is TLS 1.2 described in [14].
The cipher suite to be used in the TLS communication is negotiated while the client and
server are connected with TLS. In TLS communication, the TOE can be a client or a server
depending on the function in operation. For example, the TOE acts as a server when
accessing CWIS. The TOE acts as a client when sending scanned documents via email.
The TOE selects an appropriate cipher suite that the TOE supports from the cipher suites
suggested by the client. Cipher suites supported by the TOE are as follows:
・ TLS_RSA_WITH_AES_128_CBC_SHA
・ TLS_RSA_WITH_AES_256_CBC_SHA
・ TLS_RSA_WITH_AES_128_CBC_SHA256
・ TLS_RSA_WITH_AES_256_CBC_SHA256
・ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
・ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
・ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
・ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
・ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
・ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
・ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
・ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
・ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
・ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
・ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
・ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(3) FTP_ITC.1 Inter-TSF trusted channel
The TOE supports the following trusted communication protocols for the communication
between the TOE and the audit server and the mail server. This ensures identification of
the TOE’s end points and protection of the channel data from disclosure and
modification.
・ Audit server: TLS/HTTPS
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 73 - Copyright
2019 by Fuji Xerox Co., Ltd
・ Mail server: TLS
(4) FTP_TRP.1(a) Trusted path (for Administrators)
The TOE supports the following trusted communication protocols for each interface
between the TOE and the remote computers of system administrators. This ensures
identification of the TOE’s end points and protection of the channel data from disclosure
and modification.
・ CWIS: TLS/HTTPS
(5) FTP_TRP.1(b) Trusted path (for Non-administrators)
The TOE supports the following trusted communication protocols for each interface to
access the TOE from the remote computers of general users. This ensures identification of
the TOE’s end points and protection of the channel data from disclosure and
modification.
・ CWIS: TLS/HTTPS
・ Printing with the printer driver: TLS
PSTN Fax-Network Separation
(1) FDP_FXS_EXT.1 Fax separation
The TOE is equipped with a fax modem function, which enables the TOE to send/receive
fax data through the public phone line.
The only supported protocol is ITU-T G3 mode.
Only the fax documents of the user are allowed to be sent/received with the fax interface.
The TOE is not equipped with a data modem function, so external data communication
commands cannot be received, which means the TOE cannot be accessed by
unauthorized means from the fax line. Also, the TOE does not offer the function to deliver
data between the public phone line and the internal network, so the data received
through the public phone line is not sent to the internal network.
Data Clearing
(1) FDP_RIP.1(a) Subset residual information protection
When the Hard Disk Data Overwrite is enabled to be conducted after each job by a
system administrator, the TOE overwrites the used document data stored in the internal
HDD after each job of copy, print, scan, fax, document storage functions is finished.
To control Hard Disk Data Overwrite conducted after each job, two options are available:
one pass (overwriting with zero) overwrite procedure and three pass (overwriting and
verification with zero / one / random number) overwrite procedure. However, when the
storage encryption function is enabled, the data for overwriting (zero / one / random
number) is encrypted before overwriting. A list of the used document data to be
overwritten and deleted is on the internal HDD, and the TOE checks the list when it is
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 74 - Copyright
2019 by Fuji Xerox Co., Ltd
turned on. If used document data that has not been deleted is found on the list, Hard
Disk Data Overwrite is performed.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 75 - Copyright
2019 by Fuji Xerox Co., Ltd
8. ACRONYMS AND TERMINOLOGY
8.1. Acronyms
The following acronyms are used in this ST:
Acronym Definition
CC Common Criteria
CWIS Centre Ware Internet Services
DRAM Dynamic Random Access Memory
FIPS PUB Federal Information Processing Standard publication
IIT Image Input Terminal
IOT Image Output Terminal
MFD Multi Function Device
NVRAM Non Volatile Random Access Memory
PDL Page Description Language
PP Protection Profile
SEEPROM Serial Electronically Erasable and Programmable Read Only Memory
SFP Security Function Policy
SFR Security Functional Requirement
SMTP Simple Mail Transfer Protocol
ST Security Target
TOE Target of Evaluation
TSF TOE Security Function
8.2. Terminology
The following terms are used in this ST:
Term Definition
Destruction Destruction is to delete the target so that the location of the target cannot be
traced from the file system and volatile memory. Overwriting of the storage of
the target is not included in destruction.
KEK Abbreviation of Key Encryption Key. In this ST, KEK is a cryptographic key to
encrypt the DEK.
DEK Abbreviation of Data Encryption Key. In this ST, DEK is a cryptographic key for
storage.
Flash memory SD or eMMC.
Storage Non-volatile flash memory or HDD.
SEEP Abbreviation of Serial Electrically Erasable PROM. A non-volatile flash memory
that is connected to the CPU on the controller board.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 76 - Copyright
2019 by Fuji Xerox Co., Ltd
Web UI A service that allows users to control the TOE through the web browser of the
user client.
Mailbox A location to store scanned documents and received fax documents.
Computers on the network can retrieve the stored documents from the Mailbox.
Store Print A print function that temporarily stores bitmap data (decomposed print data) in
the internal HDD of the MFD and then print out in accordance with the
authenticated user’s instruction from the control panel.
Used document
data
The remaining data in the internal HDD of the MFD after deletion. After a
document stored in the internal HDD is used, only its file is deleted, and the data
inside remains.
Document data A collective term for all the data, including image data, transmitted across the
MFD when any of copy, print, scan, fax, or document storage functions is used by
a general user (U.NORMAL) or an SA.
Security audit log
data
The chronologically recorded data of auditable events including important events
of the TOE, such as device failure, configuration change, and user operation.
These events are traced and recorded based on when and who operated what
function.
User role A role assigned to an identified and authenticated user. The TOE defines the Key
Operator role, SA role, and general user role.
Key Operator role The authority required for the Key Operator to use the TOE.
SA role The authority required for an SA to use the TOE.
U.NORMAL role The authority required for a general user (U.NORMAL) to use the TOE.
User identifier Information to identify users. User ID.
Key Operator
identifier
A user ID with the Key Operator role.
Key Operator An authorized user who maintains the MFD and performs settings of the security
functions of the TOE.
SA An authorized user who maintains the MFD and performs settings of the security
functions of the TOE. An SA account is created by the Key Operator or an SA who
is already registered.
U.ADMIN A collective term for Key Operator and SA.
CentreWare
Internet Services
(CWIS)
CWIS is a service that allows the user to access the TOE via the web browser of
the client computer. The user can confirm the status of the TOE, change settings
of the TOE, and request retrieval and printing of documents.
CWIS operates on a standard web browser of Windows.
User
authentication
A function to identify the user before he/she uses each TOE function so that the
TOE can limit the access to the TOE functions.
User authentication has two modes (local authentication and remote
authentication). The TOE uses local authentication.
Local
Authentication
A mode to perform user authentication of the TOE using the user information
registered in the MFD.
Remote
Authentication
A mode to perform user authentication of the TOE using the user information
registered in the external authentication server.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 77 - Copyright
2019 by Fuji Xerox Co., Ltd
Hard Disk Data
Overwrite
A function to delete document data stored in the HDD by writing over the area of
the data with certain data.
Storage data
encryption
A function to encrypt the storage that stores some of the assets under protection.
Decompose
function
A function to analyze the data written in PDL and convert the data into bitmap
data.
Decompose
The action of analyzing the data written in PDL and converting the data into
bitmap data by using the decompose function.
System
administrator
mode
An operation mode that enables a system administrator to refer to and rewrite
TOE device operation settings and security function settings in order to adjust
those settings in accordance with the operational environment. System
administrator mode is distinguished from the operation mode that enables a
general user to use the MFD functions.
Auto Clear
A function to automatically log out after a specified period of time passes
without any operations performed on the control panel or CWIS.
Customer Engineer Customer service engineer, an engineer who maintains and repairs the MFD.
Attacker
A person who accesses the TOE or protected property by unauthorized means.
Includes users who attempt access by disguising themselves as authenticated
users.
Control panel
A panel on which buttons, lamps, and a touch-screen display, which are necessary
for MFD operations, are arranged.
General user client A client for a general user.
System
administrator
client
A client for a system administrator. A system administrator can refer to and
change the TOE setting data of the MFD via web browser.
Printer driver
A software to convert the data on a general user client into print data written in
page description language (PDL), a readable format for MFD. Used on the user
client.
Print data
The data written in PDL, a readable format for MFD. Print data is converted into
bitmap data by the decompose function of the TOE.
Bitmap data
The decomposed data of the data read by the copy function and the print data
transmitted sent by the print function from a user client to MFD. Bitmap data is
stored to the internal HDD after being compressed in a unique process.
Original document Texts, images and photos to be read on IIT by the copy function.
TOE setting data
The data created by the TOE or for the TOE and may affect the TOE security
functions. Included in the TSF data.
Cryptographic key
256-bit data which is automatically generated. When document data is stored to
the storage device, it is encrypted with the cryptographic key.
Network A general term to indicate both external and internal networks.
External network
The network which cannot be managed by the organization that manages the
TOE. This does not include the internal network.
Internal network
Channels between the MFD and the trusted remote servers and client computers.
The channels are located in the network of the organization that owns the TOE.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 78 - Copyright
2019 by Fuji Xerox Co., Ltd
The network is protected from the security risks coming from the external
network.
Public telephone
line/network
Line/network for sending/receiving fax data.
Fax data Sent/received data in the public telephone line for faxes.
Certificate Defined in ITU-T recommendation X.509. A certificate includes the data for user
authentication (name, distinguished name, organization which the user belongs
to, etc.), public key, expiry date, serial number, signature, etc.
Data on minimum
user password
length
Minimum user password length to set the user password on the MFD control
panel.
Included in the TOE setting data.
Key Operator
password
Password data for Key Operator authentication. Included in the TOE setting data.
SA password Password data for SA authentication. Included in the TOE setting data.
U.Normal
password
Password data for general user (U.NORMAL) authentication. Included in the TOE
setting data.
Data on access
denial due to
authentication
failures
The data on whether to enable/disable access denial due to authentication
failure. They also incorporate the data on the allowable number of the failures
before access denial. Included in the TOE setting data.
Data on auditing The data on whether to enable/disable the function to trace/record auditable
events including important events of the TOE, such as device failure,
configuration change, and user operation based on when and who operated
what function. Included in the TOE setting data.
Data on user
authentication
The data on whether to enable/disable the authentication function. The
authentication function is performed using the user authentication information
when copy, scan, fax, and print functions of MFD are performed. It also
incorporates the data on the authentication method. Included in the TOE setting
data.
Data on use of
password
entered from MFD
control panel in
user
authentication
The data on whether to enable/disable the use of password when the user
authentication is performed on the control panel. Included in the TOE setting
data.
Data on Store Print The setting data on whether to store the received print data to Private Print area
or print it out. Included in the TOE setting data.
Data on trusted
communications
Data on whether the general encrypted communication protocols (TLS/HTTPS
and TLS) are enabled/disabled and their detailed settings and certificate,
authentication passwords, encryption keys, and shared keys to protect
communication data in the internal network such as document data, job
information, security audit log data, and TOE setting data. Included in the TOE
setting data.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 79 - Copyright
2019 by Fuji Xerox Co., Ltd
Data on Customer
Engineer operation
restriction
The data on whether to enable/disable the Customer Engineer Operation
Restriction function and the data on the maintenance password. Included in the
TOE setting data.
Data on Hard Disk
Data Cleaning
The data on whether to enable/disable the functions related to Hard Disk Data
Overwrite. Included in the TOE setting data.
Data on storage
data encryption
The data on whether to enable/disable the functions related to storage data
encryption. Included in the TOE setting data.
Data on date and
time
The time zone / summer time information and the present time data. Included in
the TOE setting data.
Data on Auto Clear The data on whether to enable/disable the functions of Auto Clear and the
timing to clear on the control panel / Embedded Web Server. Included in the TOE
setting data.
Data on Self Test The data on whether to enable/disable the Self Test function. Included in the TOE
setting data.
Data on Report
Print
The data on whether to enable/disable the Report Print function. Included in the
TOE setting data.
Data on
Firmwareupdate
The setting data on firmware update functions. Setting data of Firmware
Update. Included in the TOE setting data.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 80 - Copyright
2019 by Fuji Xerox Co., Ltd
9. REFERENCES
[1] E. Barker , J. Kelsey, “SP 800-90A Rev.1 Recommendation for Random Number Generation
UsingDeterministic Random Bit Generators,” June 2015.
[2] National Institute of Standards and Technology, “FIPS 186-4 Digital Signature Standard (DSS),” July
2013.
[3] E. Barker, L. Chen, A. Roginsky, A. Vassilev , R. Davis, “SP 800-56A Rev. 3 Recommendation for Pair-Wise
Key-Establishment Schemes Using Discrete Logarithm Cryptography,” April 2018.
[4] E. Barker, L. Chen, A. Roginsky, A. Vassilev, R. Davis , S. Simon, “SP 800-56B Rev. 2 Recommendation for
Pair-Wise Key-Establishment Using Integer Factorization Cryptography,” March 2019.
[5] M. Dworkin, “SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and
Techniques,” December 2001.
[6] M. Dworkin, “SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
(GCM) and GMAC,” November 2007.
[7] National Institute of Standards and Technology, “FIPS 197 Announcing the ADVANCED ENCRYPTION
STANDARD (AES),” November 2001.
[8] “ISO/IEC 10118-3:2004,” March 2004.
[9] “ISO/IEC 18033-3:2010,” December 2010.
[10] “ISO/IEC 10116:2017,” July 2017.
[11] National Institute of Standards and Technology, “FIPS 180-3 Secure Hash Standard (SHS),” March 2012.
[12] National Institute of Standards and Technology, “FIPS 198-1 The Keyed-Hash Message Authentication
Code (HMAC),” July 2008.
[13] “RFC2818 HTTP Over TLS,” May 2000.
[14] “RFC5246 The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 81 - Copyright
2019 by Fuji Xerox Co., Ltd
10.Appendix 1. Target models configuration table
The table below shows the combinations of the MFD, fax option, and guidance that configure the TOE.
Destination MFD Fax Kit Guidance Product
Japan NC100559 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C2273 PFS
with Data Security
Japan NC100559 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C3373 PFS
with Data Security
Japan NC100559 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort-VII C2273 PFS
with Data Security
Japan NC100559 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort -VII C3373 PFS
with Data Security
Japan NC100560 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C4473 PFS
with Data Security
Japan NC100560 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C5573 PFS
with Data Security
Japan NC100560 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort-VII C4473 PFS
with Data Security
Japan NC100560 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort -VII C5573 PFS
with Data Security
Japan NC100561 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C6673 PFS
with Data Security
Japan NC100561 - ME8355J1-2
ME8390J1-1_20191009
DocuCentre-VII C7773 PFS
with Data Security
Japan NC100561 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort-VII C6673 PFS
with Data Security
Japan NC100561 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort -VII C7773 PFS
with Data Security
Japan NC100562 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort-VII C3373 PFS-
2TS with Data Security
Japan NC100563 - ME8355J1-2
ME8390J1-1_20191009
ApeosPort -VII C5573 PFS-2TS
with Data Security
Overseas TC101310 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C2273 CPS w/
4TM with Fax
Overseas TC101311 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C3372 CPS w/
4TM with Fax
Overseas TC101312 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C3373 CPS w/
4TM with Fax
Overseas TC101313 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C4473 CPS w/
4TM with Fax
Overseas TC101314 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C5573 CPS w/
4TM with Fax
Fuji Xerox VII C7773/C6673/C5573/C4473/C3373/C3372/C2273 Security Target
- 82 - Copyright
2019 by Fuji Xerox Co., Ltd
Overseas TC101315 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C4473 CPS w/
4TM with Fax
Overseas TC101316 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C5573 CPS w/
4TM with Fax
Overseas TC101320 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C2273 CPS w/
TTM with Fax
Overseas TC101321 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C3372 CPS w/
TTM with Fax
Overseas TC101322 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C3373 CPS w/
TTM with Fax
Overseas TC101323 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C4473 CPS w/
TTM with Fax
Overseas TC101324 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C5573 CPS w/
TTM with Fax
Overseas TC101325 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C4473 CPS w/
TTM with Fax
Overseas TC101326 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C5573 CPS w/
TTM with Fax
Overseas TC101327 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C6673 CPS w/
TTM with Fax
Overseas TC101328 EC103747 ME8351E2-2
ME8390E2-1_20191009
DocuCentre-VII C7773 CPS w/
TTM with Fax
Overseas TC101329 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C6673 CPS w/
TTM with Fax
Overseas TC101330 EC103747 ME8351E2-2
ME8390E2-1_20191009
ApeosPort-VII C7773 CPS w/
TTM with Fax