JISEC-CC-CRP-C0754-01-2022
Certification Report
TOMITA Tatsuo, Chairman
Information-technology Promotion Agency, Japan
2-28-8 Honkomagome, Bunkyo-ku, Tokyo
IT Product (TOE)
Reception Date of Application
(Reception Number)
2021-09-07 (ITC-1790)
Certification Identification JISEC-C0754
Product Name
RICOH IM C530F/C530FB,
SAVIN IM C530FB,
LANIER IM C530FB,
nashuatec IM C530F/C530FB,
Rex Rotary IM C530F/C530FB,
Gestetner IM C530F/C530FB
Version and Release Numbers E-1.00
Product Manufacturer RICOH COMPANY, LTD.
Conformance of Functionality
Product specific Security Target,
CC Part 2 Extended
Assurance Package EAL2
Name of IT Security Evaluation
Facility
ECSEC Laboratory Inc., Evaluation Center
This is to report that the evaluation result for the above TOE has been certified as follows.
2022-07-26
YANO Tatsuro, Technical Manager
IT Security Technology Evaluation Department
IT Security Center
Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards
prescribed in the "IT Security Evaluation and Certification
Scheme Document."
- Common Criteria for Information Technology Security Evaluation Version 3.1 Release 5
- Common Methodology for Information Technology Security Evaluation Version 3.1 Release 5
Evaluation Result: Pass
"RICOH IM C530F/C530FB, SAVIN IM C530FB, LANIER IM C530FB, nashuatec IM
JISEC-CC-CRP-C0754-01-2022
C530F/C530FB, Rex Rotary IM C530F/C530FB, Gestetner IM C530F/C530FB version
E-1.00" has been evaluated based on the standards required, in accordance with the
provisions of the "Requirements for IT Security Certification" by Information-technology
Promotion Agency, Japan, and has met the specified assurance requirements.
Notice:
This document is the English translation version of the Certification Report published
by the Certification Body of Japan Information Technology Security Evaluation and
Certification Scheme.
JISEC-CC-CRP-C0754-01-2022
Table of Contents
1. Executive Summary.................................................................................................4
1.1 Product Overview..............................................................................................4
1.1.1 Protection Profile or Assurance Package........................................................4
1.1.2 TOE and Security Functionality...................................................................4
1.1.3 Disclaimers ................................................................................................5
1.2 Conduct of Evaluation .......................................................................................6
1.3 Certification......................................................................................................6
2. Identification...........................................................................................................7
3. Security Policy ........................................................................................................8
3.1 Security Function Policies..................................................................................9
3.1.1 Threats and Security Function Policies .........................................................9
3.1.2 Organisational Security Policies and Security Function Policies....................11
4. Assumptions and Clarification of Scope ...................................................................13
4.1 Usage Assumptions .........................................................................................13
4.2 Environmental Assumptions ............................................................................13
4.3 Clarification of Scope .......................................................................................15
5. Architectural Information ......................................................................................16
5.1 TOE Boundary and Components.......................................................................16
5.2 IT Environment ..............................................................................................17
6. Documentation......................................................................................................18
7. Evaluation conducted by Evaluation Facility and Results .........................................20
7.1 Evaluation Facility..........................................................................................20
7.2 Evaluation Approach .......................................................................................20
7.3 Overview of Evaluation Activity........................................................................20
7.4 IT Product Testing...........................................................................................21
7.4.1 Developer Testing......................................................................................21
7.4.2 Evaluator Independent Testing ..................................................................23
7.4.3 Evaluator Penetration Testing....................................................................24
7.5 Evaluated Configuration..................................................................................27
7.6 Evaluation Results ..........................................................................................28
7.7 Evaluator Comments/Recommendations............................................................28
8. Certification..........................................................................................................29
8.1 Certification Result .........................................................................................29
8.2 Recommendations ...........................................................................................29
9. Annexes................................................................................................................30
10. Security Target ..................................................................................................30
11. Glossary ............................................................................................................31
12. Bibliography ......................................................................................................32
JISEC-CC-CRP-C0754-01-2022
4
1. Executive Summary
This Certification Report describes the content of the certification result in relation to IT
Security Evaluation of "RICOH IM C530F/C530FB, SAVIN IM C530FB, LANIER IM
C530FB, nashuatec IM C530F/C530FB, Rex Rotary IM C530F/C530FB, Gestetner IM
C530F/C530FB version E-1.00" (hereinafter referred to as the "TOE") developed by RICOH
COMPANY, LTD., and the evaluation of the TOE was finished on 2022-07-19 by ECSEC
Laboratory Inc., Evaluation Center (hereinafter referred to as the "Evaluation Facility"). It
is intended to report to the sponsor, RICOH COMPANY, LTD., and provide security
information to procurement entities and consumers who are interested in the TOE.
Readers of the Certification Report are advised to read the Security Target (hereinafter
referred to as the "ST") described in Chapter 10. Especially, details of security functional
requirements, assurance requirements and rationale for sufficiency of these requirements
of the TOE are described in the ST.
This Certification Report assumes "general consumers and procurement entities who
purchase the TOE that is commercially available" to be readers. Note that the Certification
Report presents the certification result based on assurance requirements to which the TOE
conforms, and does not guarantee an individual IT product itself.
1.1 Product Overview
An overview of the TOE functions and operational conditions is described as follows. Refer
to Chapter 2 and subsequent chapters for details.
1.1.1 Protection Profile or Assurance Package
Assurance Package of the TOE is EAL2.
1.1.2 TOE and Security Functionality
The TOE is a Multifunction Product (hereinafter referred to as "MFP"), which provides the
functions of copy, printer, scanner and fax.
The TOE provides security functions in order to prevent unauthorised disclosure or
alteration of the documents processed by MFP and the setting information affecting
security.
For these security functionalities, the evaluation for the validity of the design policy and the
correctness of the implementation is conducted in the scope of the assurance package.
The next clause describes the assumed threats and assumptions in the TOE.
1.1.2.1 Threats and Security Objectives
The TOE assumes the following threats.
There are threats of unauthorised disclosure and alteration of assets such as documents
processed by the TOE and the setting information relevant to security functions due to
unauthorised access to the TOE or the communication data on the network.
JISEC-CC-CRP-C0754-01-2022
5
To counter such threats, the TOE provides security functions such as identification and
authentication, access control, encryption, etc.
1.1.2.2 Configuration and Assumptions
The TOE is assumed to be operated under the following assumptions.
It is assumed that the TOE is located in an environment where physical components and
interfaces of the TOE are protected from the unauthorised access. For the operation, the
TOE shall be properly configured, maintained, and managed according to the guidance
documents.
1.1.3 Disclaimers
The following operation is not ensured by this evaluation:
- Operational environments and configurations different from those described in "4.2
Environmental Assumptions"
- The TOE with settings different from those described in "7.5 Evaluated Configuration"
JISEC-CC-CRP-C0754-01-2022
6
1.2 Conduct of Evaluation
Under the IT Security Evaluation and Certification Scheme that the Certification Body
operates, the Evaluation Facility conducted IT security evaluation and completed in
2022-07, based on functional requirements and assurance requirements of the TOE
according to the publicised documents "IT Security Evaluation and Certification Scheme
Document"[1], "Requirements for IT Security Certification"[2], and "Requirements for
Approval of IT Security Evaluation Facility"[3] provided by the Certification Body.
1.3 Certification
The Certification Body verified the Evaluation Technical Report [13] prepared by the
Evaluation Facility as well as evaluation documentation, and confirmed that the TOE
evaluation was conducted in accordance with the prescribed procedure. The certification
oversight reviews were also prepared for those concerns found in the certification process.
The Certification Body confirmed that all the concerns were fully resolved, and that the
TOE evaluation had been appropriately conducted in accordance with the CC ([4][5][6] or
[7][8][9]) and the CEM (either of [10][11]). The Certification Body prepared this
Certification Report based on the Evaluation Technical Report and fully concluded
certification activities.
JISEC-CC-CRP-C0754-01-2022
7
2. Identification
The TOE is identified as follows:
TOE Name: RICOH IM C530F/C530FB,
SAVIN IM C530FB,
LANIER IM C530FB,
nashuatec IM C530F/C530FB,
Rex Rotary IM C530F/C530FB,
Gestetner IM C530F/C530FB
TOE Version: E-1.00
Developer: RICOH COMPANY, LTD.
The TOE consists of only the MFP. The TOE components are listed in Table 2-1.
Table 2-1 TOE Components
MFP
Product Name Model Code
IM C530F D0CT-27
IM C530FB D0CS-17
IM C530FB D0CS-27
The TOE version is a combination of multiple software and hardware versions in the TOE.
Refer to Chapter 1.2 of the ST for the TOE version in detail.
Users can verify that a product is the TOE, which is evaluated and certified, by the
following means.
- Confirm that the product name and model code displayed on the product exterior match
those listed in Table 2-1.
- Operate as described in the product guidance, and confirm that the software and
hardware names, versions and the part numbers displayed on the operation panel of the
product match those listed in Chapter 1.2 of the ST.
JISEC-CC-CRP-C0754-01-2022
8
3. Security Policy
This chapter describes security function policies that the TOE adopts to counter threats,
and organisational security policies.
The TOE provides the security functions to counter the unauthorised access to the stored
documents in the MFP, and to protect the communication data on the network.
For meeting the organisational security policies, the TOE provides the functions to encrypt
the stored data in the TOE, and to prevent the unauthorised access through telephone lines
via fax I/F.
For each setting that is relevant to the above security functions, only administrators are
allowed to set configurations in order to prevent the deactivation and unauthorised use of
the security functions.
Table 3-1 describes users of the TOE. The TOE users are classified into normal user and
administrator, and administrators are classified into supervisor and MFP administrator.
Table 3-1 TOE Users
User Definition Explanation
Normal user A user who is allowed to use the TOE. A
normal user is provided with a login user
name and can use normal functions of MFP.
Administrator Supervisor A user who is authorised to modify the login
password of the MFP administrator and to
release the lockout status of the MFP
administrator.
MFP
administrator
A user who is allowed to manage the TOE
and performs the management operations
such as normal user management, device
management, file management, and
network management.
Tables 3-2 and 3-3 describes assets to be protected by the security functions of the TOE.
Table 3-2 TOE Assets (user data)
Type Definition
User document
data
Information contained in the user's document in
electronic or hard copy format.
User job data Information related to the user's document or document
processing job.
JISEC-CC-CRP-C0754-01-2022
9
Table 3-3 TOE Assets (TSF data)
Type Definition
TSF confidential
data
Data that requires integrity and confidentiality
among the data used by security functions.
For the TOE, it includes Login password, audit log,
and eMMC cryptographic key.
TSF protected
data
Data that requires only integrity among the data used
by security functions.
For the TOE, it includes login user name, minimum
character number of password, access control related
settings, etc., which are setting values for security
functions, excluding the TSF confidential data.
3.1 Security Function Policies
The TOE possesses the security functions to counter the threats described in Section 3.1.1
and to satisfy the organisational security policies described in Section 3.1.2.
3.1.1 Threats and Security Function Policies
3.1.1.1 Threats
The TOE assumes the threats described in Table 3-4 and provides the security functions to
counter them.
Table 3-4 Assumed Threats
Identifier Threat
T.DOCUMENT_DATA_DIS
(User document data
disclosure)
User document data under the TOE management may
be disclosed by persons without a login user name, or by
persons with a login user name but without an access
permission to the document.
T.DOCUMENT_DATA_ALT
(User document data
alteration)
User document data under the TOE management may
be altered by persons without a login user name, or by
persons with a login user name but without an access
permission to the document.
T.JOB_ALT
(User job data alteration)
User job data under the TOE management may be
altered by persons without a login user name, or by
persons with a login user name but without an access
permission to the user job data.
T.PROTECT_DATA_ALT
(Alteration of TSF protected
data)
TSF Protected Data under the TOE management may
be altered by persons without a login user name, or by
persons with a login user name but without an access
permission to the TSF Protected Data.
JISEC-CC-CRP-C0754-01-2022
10
T.CONFIDENTIAL_DATA_DIS
(Disclosure of TSF confidential
data)
TSF Confidential Data under the TOE management
may be disclosed to persons without a login user name,
or to persons with a login user name but without an
access permission to the TSF Confidential Data.
T.CONFIDENTIAL_DATA_ALT
(Alteration of TSF confidential
data)
TSF Confidential Data under the TOE management
may be altered by persons without a login user name, or
by persons with a login user name but without an access
permission to the TSF Confidential Data.
* "Persons with a login user name" mean persons who are allowed to use the TOE.
3.1.1.2 Security Function Policies against Threats
The TOE counters the threats described in Table 3-4 with the following security function
policies. The details of each security function are described in Chapter 5.
1) Countermeasure against the threats "T.DOCUMENT_DATA_DIS", "T.
DOCUMENT_DATA_ALT" and "T.JOB_ALT"
These are threats to the user data described in Table 3-2. The TOE counters the threats
with "Identification and Authentication Function", "Document Access Control Function"
and "Network Protection Function".
"Identification and Authentication Function" allows only users who have succeeded in the
identification and authentication to use the TOE.
"Document Access Control Function" performs access control when users try to access the
user data and allows only authorised users to access the user data.
"Network Protection Function" performs encrypted communications to protect
communication data when the TOE communicates to client computers and various
servers.
With the above functions, the TOE prevents unauthorised disclosure and alteration of the
user data due to unauthorised use of the TOE or unauthorised access to the
communication data.
2) Countermeasure against the threats "T.PROTECT_DATA_ALT",
"T.CONFIDENTIAL_DATA_DIS" and "T.CONFIDENTIAL_DATA_ALT"
These are threats to the TSF data described in Table 3-3. The TOE counters the threats
with "Identification and Authentication Function", "Security Management Function" and
"Network Protection Function".
"Identification and Authentication Function" and "Security Management Function" allow
only authorised users to access the TSF data.
"Network Protection Function" performs encrypted communications to protect
communication data when the TOE communicates to client computers and various
servers.
JISEC-CC-CRP-C0754-01-2022
11
With the above functions, the TOE prevents unauthorised disclosure and alteration of the
TSF data due to unauthorised use of the TOE or unauthorised access to the
communication data.
3.1.2 Organisational Security Policies and Security Function Policies
3.1.2.1 Organisational Security Policies
Organisational security policies required for the TOE are described in Table 3-5.
Table 3-5 Organisational Security Policies
Identifier Organisational Security Policy
P.AUTHORIZATION
(User identification and
authentication)
Only users with operation permission of the TOE shall
be authorised to use the TOE.
P.VALIDATION
(Software verification)
The TOE shall have procedures to self-verify executable
code in the TSF.
P.AUDIT
(Management of audit log
records)
To maintain operational accountability and security,
records that provide an audit trail of TOE security-
relevant events shall be created, maintained, protected
from disclosure or alteration by unauthorised persons,
and shall be confirmed by authorised persons.
P.FAX
(Management of external
interfaces)
For provision of the fax function over the telephone line
by the TOE, the separation between the telephone line
and the LAN shall be ensured.
P.ENCRYPTION
(eMMC encryption)
The data recorded in the TOE's eMMC shall be
encrypted.
3.1.2.2 Security Function Policies to Organisational Security Policies
The TOE provides the following security functions to meet the organisational security
policies described in Table 3-5. The details of each security function are described in
Chapter 5.
1) Means to support Organisational Security Policy, "P.AUTHORIZATION"
The TOE implements this policy by "Identification and Authentication Function".
"Identification and Authentication Function" allows only users who have succeeded in the
identification and authentication to use the TOE.
2) Means to support Organisational Security Policy, "P.VALIDATION"
The TOE implements this policy by "Integrity Verification Function".
"Integrity Verification Function" verifies the integrity of the executable codes of security
JISEC-CC-CRP-C0754-01-2022
12
functions at the TOE start up.
3) Means to support Organisational Security Policy, "P.AUDIT"
The TOE implements this policy by "Audit Function".
"Audit Function" records events relevant to security functions as an audit log. The audit
log stored in the TOE can be read and deleted only by identified and authenticated
administrators.
4) Means to support Organisational Security Policy, "P.FAX"
The TOE implements this policy by "Fax Line Separation Function".
"Fax Line Separation Function" prohibits communication via the fax interface except for
the transmission and reception of user data using the fax protocol.
5) Means to support Organisational Security Policy, "P.ENCRYPTION"
The TOE implements this policy by "Stored Data Protection Function".
"Stored Data Protection Function" encrypts the data stored in the TOE's internal storage
(eMMC).
JISEC-CC-CRP-C0754-01-2022
13
4. Assumptions and Clarification of Scope
This chapter describes the assumptions and the operational environment to operate the
TOE as useful information for the assumed readers to determine whether to use the TOE.
4.1 Usage Assumptions
Table 4-1 describes assumptions to operate the TOE. The effective performances of the TOE
security functions are not assured unless these assumptions are satisfied.
Table 4-1 Assumptions in Use of the TOE
Identifier Assumptions
A.PHYSICAL_PROTECTION
(Access management)
The MFP administrator shall install the TOE in a
secure and monitored area in accordance with the
guidance documents and restrict a chance of physical
access by unspecified number of persons.
A.NETWORK_PROTECTION
(Network management)
The MFP administrator shall install the TOE in an
operational environment protected from any external
attempt to directly access the TOE's LAN interfaces.
A.USER
(User training)
The MFP administrator shall train normal users
according to the guidance documents and ensure that
normal users are aware of the security policies and
procedures of their organisation and have the
competence to follow those policies and procedures.
A.ADMIN
(Administrator training)
The MFP administrator shall be aware of the security
policies and procedures of their organisation and have
the competence to correctly configure and operate the
TOE in accordance with the guidance documents
following those policies and procedures.
A.TRUSTED_ADMIN
(Trusted administrator)
Persons who do not use their privileged access rights for
malicious purposes according to the guidance
documents shall be appointed as administrators.
4.2 Environmental Assumptions
Figure 4-1 shows the assumed operational environment of the TOE. The TOE is installed in
a general office and connected to a local area network (hereinafter referred to as "LAN")
and the telephone line to use. Users use the TOE through the operation panel of the TOE
itself and client computers that are also connected to the LAN.
JISEC-CC-CRP-C0754-01-2022
14
LAN (TCP/IP)
SMTP
server
syslog
server
Client computer
•Printer driver
•Fax driver
•Web browser
Firewall
Internet
(External network)
MFP
(TOE)
▶
Telephone line
Figure 4-1 Operational Environment of the TOE
The components of the operational environment of the TOE are as follows:
1) Client computer
It is a general-purpose computer used by users. Web browser, PCL6 Driver (version
1.1.0.0 or later) and LAN Fax Driver (version 9.5.0.0 or later) provided by Ricoh are
required. The following software is used in this evaluation.
- OS: Windows 8.1, Windows 10
- Web browser: Internet Explorer 11, Microsoft Edge 44
- Printer driver: PCL6 Driver 1.1.0.0
- Fax driver: LAN Fax Driver 9.5.0.0
2) SMTP server
It is a server used to send the user document data scanned by the TOE. Software that
supports SMTP protocol with TLS is required. The following software is used in this
evaluation.
- OS: Linux (Ubuntu 18.04.3 LTS)
- SMTP software: postfix 3.3.0
3) syslog server
It is a server to store the audit logs generated by the TOE. It is used when audit log
transfer is enabled in the TOE settings. Software that supports syslog protocol with TLS
is required. The following software is used in this evaluation.
- OS: Linux (Ubuntu 18.04.2 LTS)
- syslog software: rsyslogd 8.32.0
JISEC-CC-CRP-C0754-01-2022
15
Although the reliability of hardware and software other than the TOE shown in this
configuration is outside the scope of this evaluation, it is assumed to be trustworthy.
4.3 Clarification of Scope
There are the following restrictions on the functions provided by the TOE or ensured by this
evaluation.
1) Servers and client computers
The secure operation of servers and client computers cooperating with the TOE is the
responsibility of the administrators of these devices.
2) Residual Data Overwrite Function
The Residual Data Overwrite Function that overwrites and deletes the data stored in the
TOE's internal storage (eMMC) is not ensured by this evaluation.
JISEC-CC-CRP-C0754-01-2022
16
5. Architectural Information
This chapter explains the scope and the main components of the TOE.
5.1 TOE Boundary and Components
Figure 5-1 shows the composition of the TOE. The TOE is the entire MFP product.
Figure 5-1 TOE Components
The TOE functions consist of security functions and basic functions. The TOE security
functions are described below. Refer to Chapter 11 for the basic functions.
1) Identification and Authentication Function
This function is to identify and authenticate a user by the login user name and login
password when the user uses the TOE from the TOE operation panel or a client computer
(Web browser, printer driver, or fax driver).
In addition, the following functionalities are provided to reinforce the identification and
authentication.
- Account lockout after consecutive failed authentication attempts
- Restriction on minimum number of password characters and mandatory character types
- Session termination when no operation is performed for a certain period of time after
successful authentication
Integrity Verification
Function
eMMC
External fax
Fax driver
Printer driver
Web browser
Security Function
Basic Function
Security Management
Function
Web browser
Normal user
MFP administrator
Supervisor
TOE scope
Web Image Monitor Function
syslogserver
SMTP server
Network
Protection
Function
Operation Panel
Network Protection Function
(*1): The performed events are
notified by each Security Function.
Stored Data Protection Function
Document Access Control Function
Audit
Function
(*1)
Scanner
Function
Copy
Function
Printer
Function
Fax
Function
Fax Line
Separation
Function
Identification and Authentication Function
JISEC-CC-CRP-C0754-01-2022
17
2) Document Access Control Function
This function is to control access to data when a user operates user document data and
user job data with any of the basic MFP functions. Access control is performed based on
the owner information of the user document data and the user job data, as well as user's
identification information and role.
3) Stored Data Protection Function
This function is to encrypt the data stored in the TOE's internal storage (eMMC). The
encryption algorithm uses AES with a key length of 256 bits.
4) Network Protection Function
This function is to protect communication data between the TOE and IT devices with the
cryptographic communication protocol TLS 1.2.
5) Fax Line Separation Function
This function is to prohibit communications via the fax interface except for the
transmission and reception of user data using the fax protocol.
6) Security Management Function
This function is to restrict the settings, etc. of the security functions to the MFP
administrator. However, all users can change their own login password, and the
supervisor can change the login password of the MFP administrator.
7) Integrity Verification Function
This function is to verify the integrity of the executable codes of the security functions at
the time of TOE start-up. The verification uses hash values or digital signatures of
various software in the TOE.
8) Audit Function
This function is to record audit events relevant to security functions as an audit log. The
audit log stored in the TOE can be read or deleted only by the identified and
authenticated MFP administrator. The audit log can be sent to the syslog server by the
TOE settings.
5.2 IT Environment
The TOE communicates with servers and client computers via the LAN. The network
protection function of the TOE works in cooperation with those IT devices and uses the
following protocols:
- Client computer (Web browser): HTTP over TLS
- Client computer (printer driver): IPP over TLS
- Client computer (Fax driver): IPP over TLS
- SMTP server: SMTP over TLS
- syslog server: Syslog over TLS
JISEC-CC-CRP-C0754-01-2022
18
6. Documentation
The identification of documents attached to the TOE is listed in Table 6-1 to Table 6-2.
There are two sets of the guidance documents depending on the sales area. TOE users are
required to fully understand and comply with the following documents in order to satisfy
the assumptions.
Table 6-1 Product-attached documents (English 1)
Document Name Version
Product Warranty Registration D0BW-7035
For Users of This Product D0BW-7050A
IM C530FB / IM C530F MULTIFUNCTION PRINTER
LIMITED WARRANTY - FOR U.S. ONLY
D0CS-7015
Notes for Users D0CS-7017
Notes for Users D0CS-7118
Notes for Using This Machine Safely D256-7819A
SOFTWARE LICENSE AGREEMENT D256-7840A
Safety Information D0CS-7307
User Guide Selected Version D0CS-7303
Security Reference D0CS7305
Setup D0CS7291
Introduction and Basic Operations D0CS7292
Copy D0CS7293
Fax D0CS7294
Scan D0CS7295
Printer D0CS7296
Maintenance D0CS7297
Troubleshooting D0CS7298
Settings D0CS7299
Specifications D0CS7300
Security D0CS7301
Driver Installation Guide D0CS7302
Notes on Security Functions D0CS-7027
2022.03.02
Notes for Administrators: Using This Machine in a Network
Environment Compliant with Common Criteria
D0CS-7025
2022.07.14
Help 83NHENENZ1
.10 v228
JISEC-CC-CRP-C0754-01-2022
19
Table 6-2 Product-attached documents (English 2)
Document Name Version
For Users of This Product D0BW-7050A
Notes for Users D0CS-7017
Notes for Users D0CS-7116
Notes for Users D0CS-7117
Notes for Users D0CS-7290
Notes for Using This Machine Safely D256-7819A
SOFTWARE LICENSE AGREEMENT D256-7840A
Safety Information D0CS-7306
User Guide Selected Version D0CS-7303
Security Reference D0CS7305
Setup D0CS7291
Introduction and Basic Operations D0CS7292
Copy D0CS7293
Fax D0CS7294
Scan D0CS7295
Printer D0CS7296
Maintenance D0CS7297
Troubleshooting D0CS7298
Settings D0CS7299
Specifications D0CS7300
Security D0CS7301
Driver Installation Guide D0CS7302
Notes on Security Functions D0CS-7027
2022.03.02
Notes for Administrators: Using This Machine in a Network
Environment Compliant with Common Criteria
D0CS-7025
2022.07.14
Help 83NHENENZ1
.10 v228
JISEC-CC-CRP-C0754-01-2022
20
7. Evaluation conducted by Evaluation Facility and Results
7.1 Evaluation Facility
ECSEC Laboratory Inc., Evaluation Center that conducted the evaluation as the
Evaluation Facility is approved under JISEC and is accredited by NITE (National
Institute of Technology and Evaluation), the Accreditation Body, which joins Mutual
Recognition Arrangement of ILAC (International Laboratory Accreditation Cooperation). It
is periodically confirmed that the above Evaluation Facility meets the requirements on the
appropriateness of the management and evaluators for maintaining the quality of
evaluation.
7.2 Evaluation Approach
Evaluation was conducted by using the evaluation methods prescribed in the CEM in
accordance with the assurance requirements in the CC Part 3. Details for evaluation
activities were reported in the Evaluation Technical Report. The Evaluation Technical
Report explains the summary of the TOE as well as the content of the evaluation and the
verdict of each work unit in the CEM.
7.3 Overview of Evaluation Activity
The history of the evaluation conducted is described in the Evaluation Technical Report as
follows.
The evaluation started in 2021-09 and concluded upon completion of the Evaluation
Technical Report dated 2022-07. The Evaluation Facility received a full set of evaluation
deliverables necessary for evaluation provided by the developer, and examined the evidence
in relation to a series of evaluation conducted. Additionally, the evaluator examined
implementation status of the requirements for each work unit of configuration
management and delivery by visiting the development site and remote inspection to the
manufacturing sites from 2021-11 to 2022-02.
Furthermore, the evaluator conducted the sampling check of the developer testing and the
evaluator testing by using the developer testing environment at the Evaluation Facility or
the developer site from 2021-12 to 2022-07.
Concerns in the evaluation process that the Certification Body found were described as the
certification oversight reviews, and they were sent to the Evaluation Facility. After the
Evaluation Facility and the developer examined them, those were reflected in the
Evaluation Technical Report.
JISEC-CC-CRP-C0754-01-2022
21
PSTN PSTN
Internal Network
7.4 IT Product Testing
The evaluator confirmed the validity of the testing that the developer had performed. As
the verification results of the evidence shown in the evaluation process and the testing
performed by the developer, the evaluator performed the reproducibility testing, additional
testing and penetration testing based on vulnerability assessments judged to be necessary.
7.4.1 Developer Testing
The evaluator evaluated the integrity of the developer testing that the developer had
performed and the documentation of actual test results. The content of the developer
testing evaluated by the evaluator is explained as follows.
1) Developer Testing Environment
Figure 7-1 shows the testing configuration performed by the developer, and Table 7-1 lists
the main configuration items.
Figure 7-1 Configuration of the Developer Testing
Table 7-1 Test Configurations
Configuration Item Detail
TOE - IM C530FB (D0CS-17)
- IM C530F (D0CT-27)
Client computer OS: Windows 8.1, Windows 10
Web browser: Internet Explorer 11, Microsoft Edge 44
Printer driver: PCL6 Driver 1.1.0.0
FAX driver: LAN Fax Driver 9.5.0.0
TOE Fax machine
Client
computer
SMTP
server
syslog
server
Telephone
switchboard
simulator
JISEC-CC-CRP-C0754-01-2022
22
Configuration Item Detail
SMTP server OS: Linux (Ubunts18.04.3 LTS)
SMTP server: postfix 3.3.0
syslog server OS: Linux (Ubunts18.04.2 LTS)
syslog server: rsyslogd 8.32.0
Telephone
switchboard
simulator
XF-A150 (Panasonic Corporation),
X-1008 (Ad Systems Inc.),
TELEPHONE LINE SIMULATOR BELLKKO Type B
(Let's Corporation, Ltd.)
Fax machine RICOH IM C5500, RICOH IM C6000F
The TOE items tested by the developer are part of the multiple models included in the
TOE. The evaluator judged that the security functions of the all TOE models could be
deemed to have been tested by testing the representative models considering differences in
sales regions and the capability of finisher attachment.
Therefore, the evaluator judged that the developer testing was performed in the TOE
testing environment consistent with the TOE configuration identified in the ST.
2) Summary of the Developer Testing
A summary of the developer testing is as follows.
a. Developer Testing Outline
An outline of the developer testing is as follows.
<Developer Testing Approach>
The external interfaces of the TOE are stimulated by operating the operation panel of the
TOE or the client computer, and the response, the behaviour of the TOE, the
communication data and the audit log are confirmed. For behaviours that cannot be
confirmed on the external interface of the TOE, the developer interface of the TOE is used
to confirm the internal operation of the TOE.
<Content of the Performed Developer Testing>
The expected values of testing results described in testing specifications which are provided
in advance by the developer were compared to the values of the actual developer testing
results described in the testing result reports which are also provided by the developer. As a
result, it was found that the values of the actual testing results are in conformity to those of
the expected testing results.
b. Scope of the Performed Developer Testing
The developer testing was performed on 253 items by the developer.
By the coverage analysis, it was verified that all security functions and external interfaces
described in the functional specification had been tested.
c. Result
JISEC-CC-CRP-C0754-01-2022
23
The evaluator confirmed the approach of the performed developer testing and the validity of
tested items, and confirmed consistencies between the testing approach described in the
testing plan and the actual testing approach.
The evaluator confirmed consistencies between the expected test results by the developer
and the actual test results performed by the developer.
7.4.2 Evaluator Independent Testing
The evaluator performed the sample testing to reconfirm the implementation of security
functions using the test items extracted from the developer testing. In addition, the
evaluator performed the evaluator independent testing (hereinafter referred to as the
"independent testing") to gain further confidence that security functions are certainly
implemented, based on the evidence shown in the process of the evaluation.
The independent testing performed by the evaluator is explained as follows.
1) Independent Testing Environment
The configuration of the independent testing performed by the evaluator was the same as
the configuration of the developer testing as shown in Figure 7-1.
2) Summary of the Independent Testing
A summary of the independent testing is as follows.
a. Viewpoints of the Independent Testing
Viewpoints of the independent testing are described below, which are devised by the
evaluator based on the analysis of developer testing and the evaluation documentation
provided.
<Independent Testing Viewpoints>
1. Confirm variations of input data and operations that are different from the developer
testing.
2. Confirm execution timing of several TSFs and execution combinations that are not
tested by the developer.
3. Select the testing items for the sampling testing from the following viewpoints:
- The testing items are selected to include all of security functions and TSF interfaces.
- The testing items are selected to cover the different testing approaches and testing
environments.
- The testing items that contribute to the vulnerability evaluation are selected.
b. Independent Testing Outline
An outline of the independent testing that the evaluator performed is as follows.
<Independent Testing Approach>
The independent testing was performed using the same testing approach as the developer
testing.
JISEC-CC-CRP-C0754-01-2022
24
<Content of the Performed Independent Testing>
Based on the viewpoints of the independent testing, 15 items for the independent testing
and 38 items for the sampling testing were performed.
The outline of the main independent testing corresponding to the viewpoints is described in
Table 7-2.
Table 7-2 Outline of the Performed Independent Testing
Viewpoints for the
Independent Testing
Outline of the Independent Testing
1 - Confirm that the user account lock, the access control, fax
reception etc. are as specified under the changed
conditions.
- Confirm that the input character limit and display
customisation of the operation panel are as specified.
- Confirm that the disabled functions and interfaces are
actually disabled.
- Confirm that the TLS processing with expired certificates
is as specified.
- Confirm that the procedure and behaviour to reset the TOE
in the initial state is as specified.
2 - Confirm that the behaviour of the auto logout for multiple
logins and for changing its settings during login is as
specified.
- Confirm that the behaviour when operating the same data
from multiple interfaces is as specified.
c. Result
All the independent testing performed by the evaluator was correctly completed, and the
evaluator confirmed the behaviour of the TOE. The evaluator confirmed consistencies
between the expected behaviour and all the test results.
7.4.3 Evaluator Penetration Testing
The evaluator devised and performed the necessary evaluator penetration testing
(hereinafter referred to as the "penetration testing") on the potentially exploitable
vulnerabilities of concern under the assumed environment of use and attack level from the
evidence shown in the process of the evaluation.
The penetration testing performed by the evaluator is explained as follows.
1) Summary of the Penetration Testing
A summary of the penetration testing performed by the evaluator is as follows.
JISEC-CC-CRP-C0754-01-2022
25
a. Vulnerability of Concern
The evaluator searched into the provided documentation and the publicly available
information for the potential vulnerabilities, and then identified the following
vulnerabilities which require the penetration testing.
1. Unauthorised access to the TOE may be caused by unexpected interfaces.
2. Security functions may be bypassed in case of entering data, for interfaces, which have
the values and formats that are unintended by the TOE.
3. There may be some vulnerabilities when implementing secure channels, and
consequently the security functions of the TOE may be bypassed.
4. Security functions may be bypassed by maintaining the TOE overloaded.
b. Penetration Testing Outline
The evaluator performed the following penetration testing to identify potentially
exploitable vulnerabilities.
<Penetration Testing Environment>
The penetration testing configuration is identical with those of the developer testing shown
in Figure 7-1, and evaluator independent testing.
Table 7-3 lists key tools used in the penetration testing.
Table 7-3 Penetration Testing Tools
Name (Version) Outline
ZAP (2.7.0) Inspection tool of Web vulnerabilities with Proxy traffic
nmap (7.70) Port Scanning Tool
Nessus (8.8.0)
Plugin 202112010205
Vulnerability Scanning Tool
Burp Suite Professional
(1.7.37)
Inspection tool of Web vulnerabilities with Proxy traffic
Wireshark
(2.2.5, 3.0.11)
Packet Capture Tool
OpenSSL (1.0.1j) Software library that provides the SSL/TLS protocol
PRET (0.40) A tool to inspect various vulnerabilities in print
processing.
<Content of the Performed Penetration Testing>
Table 7-4 describes outline of the penetration testing corresponding to the vulnerabilities of
concern.
JISEC-CC-CRP-C0754-01-2022
26
Table 7-4 Outline of the Performed Penetration Testing
Vulnerability Outline of the Penetration Testing
1 - Confirm that there are no unexpected available interfaces by
using the port scanning tool, the vulnerability scanning tool,
etc.
2 - Confirm that there are no known vulnerabilities on Web
interfaces of the TOE by using Web browser and proxy tool.
- Confirm that there are no known vulnerabilities in the print
processing of the TOE using the inspection tool for the print
processing.
- Confirm that unintended behaviour is not observed even if
character strings that may cause unauthorized processing are
entered into the operation panel of the TOE.
3 - Confirm that there are no implementation-specific
vulnerabilities in the TLS processing of the TOE.
- Confirm that parameters are not easily predicted by verifying
the randomness of numbers as parameters used in Web
interfaces.
4 - Confirm that the TOE is not unsecured due to insufficient
resources.
c. Result
In the penetration testing performed by the evaluator, the evaluator did not find any
exploitable vulnerabilities that attackers who have the assumed attack potential could
exploit.
JISEC-CC-CRP-C0754-01-2022
27
7.5 Evaluated Configuration
The configuration conditions of the TOE, which are the prerequisites for this evaluation,
are described in the guidance documents listed in Chapter 6. In order to use the TOE
securely as ensured by the evaluation, the TOE must be set as described in the guidance
documents. Different settings from those described in the guidance documents are not
subject to the assurance of this evaluation.
JISEC-CC-CRP-C0754-01-2022
28
7.6 Evaluation Results
The evaluator had concluded that the TOE satisfies all work units prescribed in the CEM
as per the Evaluation Technical Report.
In the evaluation, the following were confirmed.
- Security functional requirements: Common Criteria Part 2 Extended
- Security assurance requirements: Common Criteria Part 3 Conformant
As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance
components.
- All assurance components of EAL2 package
The result of the evaluation is only applied to those which are composed by the TOE
corresponding to the identification described in Chapter 2.
7.7 Evaluator Comments/Recommendations
There is no evaluator recommendation to be addressed to procurement entities.
JISEC-CC-CRP-C0754-01-2022
29
8. Certification
The Certification Body performed the certification from the following viewpoints based on
the materials submitted by the Evaluation Facility during the evaluation process.
1. The submitted documentation was sampled, the content was examined, and the related
work units shall be evaluated as presented in the Evaluation Technical Report.
2. Rationale of the evaluation verdict by the evaluator presented in the Evaluation
Technical Report shall be adequate.
3. The evaluator's evaluation methodology presented in the Evaluation Technical Report
shall conform to the CEM.
Concerns found in the certification process were prepared as the certification oversight
reviews, and they were sent to the Evaluation Facility.
The Certification Body confirmed such concerns pointed out in the certification oversight
reviews were solved in the ST and the Evaluation Technical Report and issued this
Certification Report.
8.1 Certification Result
As a result of verification of the Evaluation Technical Report and related evaluation
documentation submitted by the Evaluation Facility, the Certification Body determined
that the TOE evaluation satisfies all assurance requirements for EAL2 in the CC Part 3.
8.2 Recommendations
Procurement entities who are interested in the TOE are advised to refer to the description
of "4.2 Environmental Assumptions" and "7.5 Evaluated Configuration" and to see whether
or not the evaluated scope of the TOE and the operational requirements meet the
operational conditions assumed by each individual.
JISEC-CC-CRP-C0754-01-2022
30
9. Annexes
There is no annex.
10. Security Target
The Security Target [12] of the TOE is provided as a separate document from this
Certification Report.
RICOH IM C530F/C530FB, SAVIN IM C530FB, LANIER IM C530FB, nashuatec IM
C530F/C530FB, Rex Rotary IM C530F/C530FB, Gestetner IM C530F/C530FB Security
Target, Version 1.00, July 15, 2022, RICOH COMPANY, LTD.
JISEC-CC-CRP-C0754-01-2022
31
11. Glossary
The abbreviations relating to the CC used in this report are listed below.
CC Common Criteria for Information Technology Security
Evaluation
CEM Common Methodology for Information Technology Security
Evaluation
EAL Evaluation Assurance Level
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
The abbreviations relating to the TOE used in this report are listed below.
eMMC Embedded Multi-Media Card
MFP Multifunction Product
The definitions of terms used in this report are listed below.
Copy function A function to scan paper documents by the operation of the
TOE operation panel and duplicate them.
Fax function A function to send and receive faxes using the telephone line.
Printer function A function to receive user document data sent from the
printer driver of a client computer and print them by
operating the TOE operation panel.
Scanner function A function to scan paper documents by the operation of the
TOE operation panel and send the scanned user document
data by E-mail.
Web Image Monitor
function
A function to operate the TOE from a Web browser of a client
computer.
JISEC-CC-CRP-C0754-01-2022
32
12. Bibliography
[1] IT Security Evaluation and Certification Scheme Document, October 2020,
Information-technology Promotion Agency, Japan, CCS-01
[2] Requirements for IT Security Certification, October 2020,
Information-technology Promotion Agency, Japan, CCM-02
[3] Requirements for Approval of IT Security Evaluation Facility, October 2020,
Information-technology Promotion Agency, Japan, CCM-03
[4] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-001
[5] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-002
[6] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-003
[7] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-001, (Japanese Version 1.0, July 2017)
[8] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional components, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-002, (Japanese Version 1.0, July 2017)
[9] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance components, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-003, (Japanese Version 1.0, July 2017)
[10] Common Methodology for Information Technology Security Evaluation:
Evaluation methodology, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-004
[11] Common Methodology for Information Technology Security Evaluation:
Evaluation methodology, Version 3.1 Revision 5, April 2017,
CCMB-2017-04-004, (Japanese Version 1.0, July 2017)
[12] RICOH IM C530F/C530FB, SAVIN IM C530FB, LANIER IM C530FB, nashuatec IM
C530F/C530FB, Rex Rotary IM C530F/C530FB, Gestetner IM C530F/C530FB
Security Target, Version 1.00, July 15, 2022, RICOH COMPANY, LTD.
[13] RICOH IM C530F/C530FB, SAVIN IM C530FB, LANIER IM C530FB, nashuatec IM
C530F/C530FB, Rex Rotary IM C530F/C530FB, Gestetner IM C530F/C530FB
Evaluation Technical Report, Version 1.3, July 19, 2022,
ECSEC Laboratory Inc., Evaluation Center