CRP-C0016-01

Certification Report

Buheita Fujiwara, Chairman
Information-Technology Promotion Agency, Japan

Target of Evaluation

Application date/ID: December 22, 2003 (ITC-3017)
Certification No.: C0016
Sponsor: Fuji Xerox Co., Ltd.
Name of TOE: Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit
Version of TOE: DC system ROM Version 512
                PESS system ROM Version 3.0.4
PP Conformance: None
Conformed Claim: EAL2
TOE Developer: Fuji Xerox Co., Ltd.
Evaluation Facility: Japan Electronics and Information Technology Industries Association, Information Technology Security Center

This is to report that the evaluation result for the above TOE is certified as follows.

September 15, 2004

Haruki Tabuchi, Technical Manager
Information Security Certification Office
IT Security Center
Information-Technology Promotion Agency, Japan

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the “General Requirements for IT Security Evaluation Facility”.
- Common Criteria for Information Technology Security Evaluation Version 2.1 (ISO/IEC 15408:1999)
- Common Methodology for Information Technology Security Evaluation Version 1.0
- CCIMB Interpretations (as of 15 February 2002)

Evaluation Result: Pass

“Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit” has been evaluated in accordance with the provisions of the “General Rules for IT Product Security Certification” by Information-Technology Promotion Agency, Japan, and has met the specified assurance requirements.

Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme.

Table of Contents

1. Executive Summary
1.1 Introduction
1.2 Evaluated Product
1.2.1 Name of Product
1.2.2 Product Overview
1.2.3 Scope of TOE and Overview of Operation
1.2.4 TOE Functionality
1.3 Conduct of Evaluation
1.4 Certificate of Evaluation
1.5 Overview of Report
1.5.1 PP Conformance
1.5.2 EAL
1.5.3 SOF
1.5.4 Security Functions
1.5.5 Threat
1.5.6 Organisational Security Policy
1.5.7 Configuration Requirements
1.5.8 Assumptions for Operational Environment
1.5.9 Documents Attached to Product
2. Conduct and Results of Evaluation by Evaluation Facility
2.1 Evaluation Methods
2.2 Overview of Evaluation Conducted
2.3 Product Testing
2.3.1 Developer Testing
2.3.2 Evaluator Testing
2.4 Evaluation Result
3. Conduct of Certification
4. Conclusion
4.1 Certification Result
4.2 Recommendations
5. Glossary
6. Bibliography

1. Executive Summary

1.1 Introduction

This Certification Report describes the certification result of the IT Security Evaluation of “Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit” (hereinafter referred to as “the TOE”) conducted by Japan Electronics and Information Technology Industries Association, Information Technology Security Center (hereinafter referred to as “Evaluation Facility”), and reports it to the sponsor, Fuji Xerox Co., Ltd.

The reader of the Certification Report is advised to read the corresponding ST and the manuals attached to the TOE (please refer to “1.5.9 Documents Attached to Product” for further details) together with this report. The assumed environment, the corresponding security objectives, the security functional and assurance requirements needed for its implementation, and their summary specifications are specifically described in the ST.
The operational conditions and functional specifications are also described in the documents attached to the TOE.

Note that the Certification Report presents the certification result based on the assurance requirements to which the TOE conforms, and does not certify the individual IT product itself.

Note: In this Certification Report, the IT Security Evaluation Criteria and the IT Security Evaluation Method prescribed by the IT Security Evaluation and Certification Scheme are named CC and CEM, respectively.

1.2 Evaluated Product

1.2.1 Name of Product

The target product of this Certificate is as follows:

Name of Product: Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit
Version: DC system ROM Version 512
         PESS system ROM Version 3.0.4
Developer: Fuji Xerox Co., Ltd.

1.2.2 Product Overview

This product is a Data Security Kit that is an optional product for digital multifunction machines with digital copy, printer, and scanner functions (“DocuCentre 719CP,” “DocuCentre 659CP,” and “DocuCentre 559CP”), and for digital copy machines (“DocuCentre 719,” “DocuCentre 659,” and “DocuCentre 559”).

The Data Security Kit is a firmware product that protects document data stored on the hard disk drive after being processed by “DocuCentre 719CP,” “DocuCentre 659CP,” “DocuCentre 559CP,” “DocuCentre 719,” “DocuCentre 659,” or “DocuCentre 559” (hereafter “used document data”) from being disclosed illicitly.

This product provides the following security functions:
- HDD overwrite function for copy residual data
- HDD overwrite function for print and scan residual data
- Data encryption function for print and scan

1.2.3 Scope of TOE and Overview of Operation

Each unit in DocuCentre and the physical boundaries within TOE are shown in Figure 1-1. DocuCentre consists of four board-units: digital-copy control system (DC-SYS/IPS), printer subsystem (PESS), multifunction control system (MF-SYS), and control panel.
TOE is a set of programs for the digital-copy control function, which are recorded in the DC system ROM mounted on DC-SYS/IPS, and programs for the printer/scanner control function, which are recorded in the PESS system ROM mounted on PESS. The programs recorded in each ROM, which is a physical configuration item of TOE, are shown in Table 1-1.

Table 1-1: Physical Configuration Items of TOE

Configuration item: DC system ROM
Stored program: Programs for digital-copy control function are recorded in this ROM, and the following function is provided:
- HDD overwrite function for copy residual data

Configuration item: PESS system ROM
Stored program: Programs for printer/scanner control function are recorded in this ROM, and the following functions are provided:
- HDD overwrite function for print and scan residual data
- Data encryption function for print and scan
- Decomposing function

When a general user uses the digital copy, printer, and scanner functions of DocuCentre, used document data are stored on the hard disk drive for DC and on that for PESS. The security functions of TOE operate on these stored used document data according to the system administrator’s settings, without the general user being aware of it. The system administrator must operate TOE in the condition where the “HDD overwrite function,” “data encryption function,” and “customer-engineer access restriction function” are set to operate.
[Figure 1-1: Each Unit in DocuCentre and Physical Boundaries within TOE]

1.2.4 TOE Functionality

DocuCentre provides digital copy, printer, and scanner functions for general users. The digital copy function scans an original in IIT (Image Input Terminal) and prints it out from IOT (Image Output Terminal) according to the general user’s instruction from the control panel. The printer function parses print data sent from the user’s client, converts it to bitmap data (decompose), and prints it out from IOT. The scanner function scans an original in IIT and stores the data on the internal hard disk drive of DocuCentre according to the general user’s instruction from the control panel.

DocuCentre has two internal hard disk drives: the hard disk drive for DC and that for PESS. The hard disk drive for DC is used for storing document data that is to be printed out from IOT in copy by the digital copy function or in print by the printer function. The hard disk drive for PESS is used for storing document data in spool-method print by the printer function, storage print by the printer function, or scan by the scanner function.
When the document data stored on these hard disk drives are deleted after being used, only the administrative information is deleted and the stored data themselves are not cleared. Therefore, such data remain on these hard disk drives as used document data.

TOE provides the following security functions for the used document data stored on these hard disk drives:
- HDD overwrite function for copy residual data
  This function overwrites and erases used document data stored on the hard disk drive for DC.
- HDD overwrite function for print and scan residual data
  This function overwrites and erases used document data stored on the hard disk drive for PESS.
- Data encryption function for print and scan
  Used document data stored on the hard disk drive for DC is difficult to parse because it is bitmap data compressed using Fuji Xerox’s unique method. However, used document data stored on the hard disk drive for PESS is relatively easy to parse because it is sometimes described in text format. Therefore, this function encrypts document data stored on the hard disk drive for PESS.

TOE uses the following functions of the IT environment:
- System-administrator authentication function
  When the system administrator accesses DocuCentre to use management functions, this function confirms that he or she is the true system administrator by means of the 7- to 12-digit system-administrator’s password that he or she enters.
- Customer-engineer access restriction function
  This function restricts changing of TOE setting data to the system administrator.
  When TOE security functions are not used and the “setting for customer-engineer access restriction function” is set to “Not perform,” the customer engineer also becomes able to change TOE setting data.

1.3 Conduct of Evaluation

Based on the IT Security Evaluation/Certification Program operated by the Certification Body, the TOE functionality and its assurance requirements are evaluated by the evaluation facility in accordance with publicized documents such as “Guidance for IT Security Certification Application, etc.”[2], “General Requirements for IT Security Evaluation Facility”[3] and “General Requirements for Sponsors and Registrants of IT Security Certification”[4].

The scope of the evaluation is as follows.
- Security design of the TOE shall be adequate;
- Security functions of the TOE shall satisfy the security functional requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- The above three items shall be evaluated in accordance with CC Part 3 and CEM.

More specifically, the evaluation facility examined “DocuCentre 719/659/559 Series Data Security Kit Security Target Version 1.12” as the basic design of the security functions for the TOE (hereinafter referred to as “the ST”)[1], the evaluation deliverables in relation to development of the TOE, and the development, manufacturing and shipping sites of the TOE. The evaluation facility evaluated whether the TOE satisfies both Annex C of CC Part 1 (either of [5], [8], [11] or [14]) and the Functional Requirements of CC Part 2 (either of [6], [9], [12] or [15]), and also evaluated whether the development, manufacturing and shipping environments for the TOE satisfy the Assurance Requirements of CC Part 3 (either of [7], [10], [13] or [16]) as its rationale.
The evaluation procedure and its result are presented in “Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit Evaluation Technical Report” (hereinafter referred to as “the Evaluation Technical Report”)[22]. Further, the evaluation methodology should comply with CEM Part 2 (either of [17], [18] or [19]). In addition, each part of CC and CEM shall include the contents of the interpretations (either of [20] and [21]).

1.4 Certification

The Certification Body verified the Evaluation Technical Report and Observation Report prepared by the evaluation facility and the evaluation evidence materials, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. A certification review was also prepared for the concerns found in the certification process. The evaluation was completed with the Evaluation Technical Report dated August 2004 submitted by the evaluation facility; the problems pointed out by the Certification Body were fully resolved, and it was confirmed that the TOE evaluation was appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the evaluation facility and fully concluded the certification activities.

1.5 Overview of Report

1.5.1 PP Conformance

There is no PP to be conformed.

1.5.2 EAL

The Evaluation Assurance Level of TOE defined by this ST is EAL2 conformance.

1.5.3 SOF

This ST claims “SOF-basic” as its minimum strength of function. The attack capability of the attackers assumed for this TOE is low level. Therefore, “SOF-basic” as the minimum function strength level is appropriate. However, this TOE has no mechanism that is related to the function strength.

1.5.4 Security Functions

The security functions of the TOE are as follows.

(1) HDD overwrite function for copy residual data
Function to perform specific-pattern overwriting and erasing of the used document data stored on the DocuCentre’s hard disk drive for DC.
When used document data remains on the hard disk drive because overwriting of the data was not finished, for example due to power shutdown, the entire data on the hard disk drive is automatically overwritten and erased according to the “setting for HDD overwrite function” at the next power-on.

(2) HDD overwrite function for print and scan residual data
Function to perform specific-pattern overwriting and erasing of the used document data stored on the DocuCentre’s hard disk drive for PESS. When overwriting of the used document data was not finished, for example due to power shutdown, the used document data is automatically overwritten and erased according to the “setting for HDD overwrite function” at the next power-on.

(3) Data encryption function for print and scan
Function to encrypt document data stored on the DocuCentre’s hard disk drive for PESS. Even when used document data remains because overwriting of the data was not finished, for example due to power shutdown, the data is protected from being disclosed, for example by removing the hard disk drive and connecting it directly to a tool.

1.5.5 Threat

This TOE assumes the threats presented in Table 1-1 and provides functions as countermeasures to them.

Table 1-1 Assumed Threats

Identifier: Threat
T.RECOVER: General user and the person who is not related to TOE might recover used document data such as by removing the hard disk drive and connecting it directly to a tool.
T.CONFDATA: General user and the person who is not related to TOE might change settings by accessing TOE setting data from the control panel. This setting data is allowed to be accessed only by system administrator.

1.5.6 Organisational Security Policy

No organisational security policies to comply with are required of the TOE utilized in organisations.
1.5.7 Configuration Requirements

This TOE is offered as an optional product that is installed on Fuji Xerox’s digital multifunction machines (“DocuCentre 719CP,” “DocuCentre 659CP,” and “DocuCentre 559CP”), and digital copy machines (“DocuCentre 719,” “DocuCentre 659,” and “DocuCentre 559”).

1.5.8 Assumptions for Operational Environment

The assumptions required of the environment in which this TOE is used are presented in Table 1-3. The effective performance of the TOE security functions is not assured unless these preconditions are satisfied.

Table 1-3 Assumptions in Use of the TOE

Identifier: Assumptions
A.SECMODE: System administrator operates TOE in the condition where the “system-administrator’s password” is set to 7- to 12-digit value and the “customer-engineer access restriction function” is set to operate.
A.ADMIN: System administrator has the knowledge necessary to fulfill the assigned role and does not act improperly with malicious intention.

1.5.9 Documents Attached to Product

Documents attached to the TOE are listed below.
- Delivery, Introduction, and Operation Procedure Description (K1.3)
- User Guide for DocuCentre 719/659/559 Series (Data Security Kit) Edition 2.2

2. Conduct and Results of Evaluation by Evaluation Facility

2.1 Evaluation Methods

The evaluation was conducted using the evaluation methods prescribed in CEM Part 2 in accordance with the assurance requirements in CC Part 3. Details of the evaluation activities are reported in the Evaluation Technical Report. It describes the overview of the TOE, and the contents and verdict of the evaluation for each work unit prescribed in CEM Part 2.

2.2 Overview of Evaluation Conducted

The history of the evaluation conducted is presented in the Evaluation Technical Report as follows.

The evaluation started in October 2003 and concluded with the completion of the Evaluation Technical Report dated August 2004.
The evaluation facility received a full set of the evaluation deliverables necessary for evaluation from the developer, and examined the evidence in relation to the series of evaluations conducted. Additionally, the evaluation facility directly visited the development and manufacturing sites in December 2003 and examined the procedural status of each work unit for configuration management, delivery and operation by investigating records and interviewing staff. Further, the evaluation facility carried out a sampling check of the testing conducted by the developer, and conducted evaluator testing, using the developer testing environment at the developer site in March 2004.

Concerns found in the evaluation activities for each work unit were all issued as Observation Reports and reported to the developer. These concerns were reviewed by the developer and all problems were eventually solved.

Concerns indicated by the Certification Body during the evaluation process were sent to the evaluation facility as the certification review. These were reflected in the evaluation after investigation by the evaluation facility and the developer.

2.3 Product Testing

An overview of the developer testing evaluated by the evaluator and of the evaluator testing conducted by the evaluator follows.

2.3.1 Developer Testing

1) Developer Test Environment

The test configuration used by the developer is shown in Table 2-1.

[Figure 2-1 Configuration of Developer Testing]

2) Outlining of Developer Testing

An outline of the testing performed by the developer is as follows.

a. Test configuration
The test configuration used by the developer is shown in Figure 2-1.
Developer testing was performed in a TOE testing environment that is the same as the TOE configuration identified in the ST.

b. Testing Approach
The following approach was used for the testing.

User clients PC-a and PC-b were used mainly for the test related to printer function and the test related to scanner function respectively.

PC-c was serially connected via a specialized connection cable to the DC board in the DocuCentre multifunction machine. This PC was used for checking the final condition of the data on the hard disk drive for DC after the “HDD overwrite function for copy residual data” was performed on the data.

Debug serial (PC-d) was serially connected via a specialized connection cable to the PESS board in the DocuCentre multifunction machine. This debug serial was used for checking the final condition of the data on the hard disk drive for PESS after the “HDD overwrite function for print and scan residual data” and “data encryption function for print and scan” were performed on the data.

IDE monitor (PC-e) was connected between the PESS board and the hard disk drive for PESS in the DocuCentre multifunction machine. This monitor was used for checking the contents of the data communicated between the board and the hard disk drive while the “HDD overwrite function for print and scan residual data” and “data encryption function for print and scan” were being performed on the data.

c. Scope of Testing Performed
The developer performed 100 test items. The number of test items for each security function was as follows:
1. HDD overwrite function for copy residual data: 85 items
   - Checking of the settings for overwriting and erasing: 8 items
   - Overwriting and erasing when the power is turned on: 28 items
   - Overwriting and erasing when printing is finished: 26 items
   - Checking of concurrent processing being forbidden: 23 items
2. HDD overwrite function for print and scan residual data: 10 items
3. Data encryption function for print and scan: 5 items

The test covered the behavior of each function, and the overall test volume and scope were appropriate.

d. Result
The evaluator confirmed consistencies between the expected test results and the actual test results provided by the developer. The evaluator confirmed the developer testing approach performed and the legitimacy of the items performed, and confirmed consistencies between the testing approach described in the test plan and the actual test results.

2.3.2 Evaluator Testing

1) Evaluator Test Environment

The configuration of the system used for evaluator testing is shown in Figure 2-2.

[Figure 2-2: Configuration of System Used for Evaluator Testing]

2) Outlining of Evaluator Testing

An outline of the testing performed by the evaluator is as follows.

a. Test configuration
The test configuration used by the evaluator is shown in Figure 2-2. Evaluator testing was performed in a TOE testing environment that is the same as the TOE configuration identified in the ST.

b. Testing Approach
The following approach was used for the testing.

User’s client was used mainly for the test related to printer and scanner functions.

PC for DC was serially connected via a specialized connection cable to the DC board in the DocuCentre multifunction machine. This PC was used for checking the final condition of the data on the hard disk drive for DC after the “HDD overwrite function for copy residual data” was performed on the data.

Debug serial was serially connected via a specialized connection cable to the PESS board in the DocuCentre multifunction machine.
This debug serial was used for checking the final condition of the data on the hard disk drive for PESS after the “HDD overwrite function for print and scan residual data” and “data encryption function for print and scan” were performed on the data.

IDE monitor was connected between the PESS board and the hard disk drive for PESS in the DocuCentre multifunction machine. This monitor was used for checking the contents of the data communicated between the board and the hard disk drive while the “HDD overwrite function for print and scan residual data” and the “data encryption function for print and scan” were being performed on the data.

c. Scope of Testing Performed
A total of 32 test items were conducted: 6 items devised by the evaluator and 26 items sampled from developer testing. The following factors were considered in selecting the test subset.
1. For devising test items by the evaluator
   - All the security functions are covered.
   - As for the “HDD overwrite function for copy residual data,” troubles are mainly checked more macroscopically, from the user’s perspective.
   - As for the “HDD overwrite function for print and scan residual data,” the function is checked with operations that were not conducted in developer testing.
   - As for the “data encryption function for print and scan,” the encryption is checked using methods different from those used in developer testing.
2. For selecting test items determined by sampling
   - All the security functions are covered.
   - The number of samplings for each security function is determined based on the number of test items for each security function that were used by the developer.

d. Result
All evaluator testing conducted was completed correctly, and the behaviour of the TOE could be confirmed. The evaluator also confirmed that all the test results are consistent with the behaviour.
2.4 Evaluation Result

By submitting the Evaluation Technical Report, the evaluator concluded that the TOE satisfies all work units prescribed in CEM Part 2.

3. Conduct of Certification

The following certification was conducted based on the materials submitted by the evaluation facility during the evaluation process.
1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall properly be reflected.
3. Evidential materials submitted were sampled, their contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report.
4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate.
5. The evaluator’s evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM.

Concerns found in the certification process were prepared as the certification review, which was sent to the evaluation facility. The Certification Body confirmed that the concerns pointed out in the Observation Report and the certification review were solved in the ST and the Evaluation Technical Report.

4. Conclusion

4.1 Certification Result

The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted, and confirmed that all evaluator action elements required in CC Part 3 were conducted appropriately for the TOE. The Certification Body verified that the TOE satisfies the EAL2 assurance requirements prescribed in CC Part 3.

4.2 Recommendations

None

5. Glossary

The abbreviations used in this report are listed below.
CC: Common Criteria for Information Technology Security Evaluation
CEM: Common Methodology for Information Technology Security Evaluation
DC: Digital Copier
DC-SYS/IPS: DC Control System/Image Processing System
EAL: Evaluation Assurance Level
HDD: Hard Disk Drive
IIT: Image Input Terminal
IOT: Image Output Terminal
MF-SYS: Multi Function Control System
NVRAM: Non Volatile Random Access Memory
PP: Protection Profile
PESS: Printer Electorical Sub System
SEEPROM: Serial Electronically Erasable and Programmable Read Only Memory
SOF: Strength of Function
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions
UI: User Interface

The terms used in this report are listed below.

DocuCentre: “DocuCentre 719CP,” “DocuCentre 659CP,” “DocuCentre 559CP,” “DocuCentre 719,” “DocuCentre 659,” and “DocuCentre 559” are generically described as DocuCentre.

General User: One who uses digital copy, printer, and scanner functions of DocuCentre.

System Administrator: One who manages DocuCentre.

Customer engineer: Fuji Xerox’s engineer who maintains and repairs DocuCentre.

Attacker: One who uses TOE with malicious intention.

Control Panel: Panel on which the buttons, lamps, and touch panel display that are necessary for operating DocuCentre are arranged.

User’s Client: Client that is used by general user. General user uses printer and scanner functions of DocuCentre by using printer driver and network scanner utility that are installed on user’s client.

Client for Maintenance: Client that is used by customer engineer. Customer engineer maintains DocuCentre using Fuji Xerox’s unique software by connecting the client for maintenance to the DocuCentre’s local interface for maintenance. This software is only for maintenance and is installed on the client for maintenance.

Local Interface for Maintenance: Only-for-maintenance interface for connecting DocuCentre and client for maintenance.
There are two types of interfaces: one is a serial port for regular maintenance and the other is a parallel port for program download. Maintenance cannot be performed by connecting a general computer because the protocol is unique and closed.

Printer Driver: Software that converts data on user’s client to print data described in page description language (PDL) that can be interpreted by DocuCentre. Used on user’s client.

Print Data: Data described in page description language (PDL) that can be interpreted by DocuCentre. Print data is converted to bitmap data by decomposing function of TOE.

Bitmap Data: Data that is converted by decomposing function from the data scanned in digital copy or scanner functions or the print data sent from user’s client in printer function. Bitmap data is compressed using Fuji Xerox’s unique method and stored on the hard disk drive.

Decomposing Function: Function to parse print data described in page description language (PDL) and convert it to bitmap data.

Network Scanner Utility: Software to access document data stored on the internal hard disk drive of DocuCentre. Used on user’s client.

Printer Function: Function to decompose and print out print data sent from user’s client.

Storage Print: Print method in printer function. In this method, bitmap data created by decomposing print data is first stored on the internal hard disk drive of DocuCentre, and then printed according to the general user’s instruction from the control panel. There are the following three methods:
- Security print
- Sample print
- Print that uses expanded mailbox

Security Print: Storage print method, in which the print is enabled by setting a password from the printer driver on user’s client and entering the password at the control panel.

Sample Print: Storage print method, in which the first copy is normally printed out for checking the print result and then the remaining copies are printed according to the instruction from the control panel.

Print that uses Expanded Mailbox: Storage print method, in which decomposed bitmap data is stored in an expanded mailbox and printed according to the instruction from the control panel. Compared to security print and sample print, functions to make settings for stapling, punching, and paper size when printing are added.

Spool: Method used in the printer function, in which decomposing is started after all the print data sent from the user’s client is received in the internal memory. Print data from multiple users’ clients can be received simultaneously using this method.

Original: Texts, pictures, photographs, and others that are scanned in the IIT in the digital copy or scanner function.

Digital Copy Function: Function to scan an original in the IIT and print it out from the IOT, according to the general user’s instruction from the control panel. When multiple copies of the same original are instructed to be printed, the document data is 1) scanned in the IIT, 2) stored on the internal hard disk drive of DocuCentre, 3) read from the internal hard disk drive for the same number of times as the number of designated copies, and printed out.

Scanner Function: According to the general user’s instruction from the control panel, scans an original in the IIT and stores it in an expanded mailbox created in the internal hard disk drive of DocuCentre. The stored document data is retrieved by the network scanner utility on the user’s client.

Expanded Mailbox: Logical box created in the hard disk drive of DocuCentre. The following can be stored in this box: the document data scanned by the scanner function and the document data for the print that uses an expanded mailbox.

Document Data: In this ST, “document data” is used as a generic term for the data including all the image information that passes through the inside of DocuCentre when a general user uses the digital copy, printer, and scanner functions of DocuCentre. The following are included:
- Bitmap data that is printed in the IOT when using the digital copy function.
- Print data sent from the user’s client and bitmap data created by decomposing the data, when using the printer function.
- Bitmap data that is stored on the internal hard disk drive when using the scanner function.

Used Document Data: Document data that becomes “used” after being stored on the internal hard disk drive of DocuCentre.

To Overwrite and Erase: To overwrite the data area with the specific data when document data stored on the hard disk drive is to be deleted.

6. Bibliography

[1] DocuCentre 719/659/559 Series Data Security Kit Security Target Version 1.12 (August 6, 2004), Fuji Xerox Co., Ltd.
[2] Guidance for IT Security Certification Application, etc. April 2004, Information-Technology Promotion Agency, ITQM-23 (Revised on November 5, 2004)
[3] General Requirements for IT Security Evaluation Facility, April 2004, Information-Technology Promotion Agency, ITQM-07
[4] General Requirements for Sponsors and Registrants of IT Security Certification, April 2004, Information-Technology Promotion Agency, ITQM-08 (Revised on November 5, 2004)
[5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.1 August 1999 CCIMB-00-031
[6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.1 August 1999 CCIMB-99-032
[7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.1 August 1999 CCIMB-99-033
[8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.1 August 1999 CCIMB-99-031 (Translation Version 1.2 January 2001)
[9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.1 August 1999 CCIMB-99-032 (Translation Version 1.2 January 2001)
[10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.1 August 1999
CCIMB-99-033 (Translation Version 1.2 January 2001)
[11] ISO/IEC 15408-1:1999 - Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:1999 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:1999 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] JIS X 5070-1:2000 - Security techniques - Evaluation criteria for IT security - Part 1: General Rules and general model
[15] JIS X 5070-2:2000 - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
[16] JIS X 5070-3:2000 - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
[17] Common Methodology for Information Technology Security Evaluation CEM-99/045 Part 2: Evaluation Methodology Version 1.0 August 1999
[18] Common Methodology for Information Technology Security Evaluation CEM-99/045 Part 2: Evaluation Methodology Version 1.0 August 1999 (Translation Version 1.0 February 2001)
[19] JIS TR X 0049:2001 - Common Methodology for Information Technology Security Evaluation
[20] CCIMB Interpretations (as of 15 February 2002)
[21] CCIMB Interpretations (as of 15 February 2002) (Translation Version 1.0)
[22] Fuji Xerox DocuCentre 719/659/559 Series Data Security Kit Evaluation Technical Report Version 4.1, August 6, 2004, Japan Electronics and Information Technology Industries Association, Information Technology Security Center