CRP-C0198-01 Certification Report Koji Nishigaki, Chairman Information-technology Promotion Agency, Japan Target of Evaluation Application date/ID 2008-03-27 (ITC-8218) Certification No. C0198 Sponsor Canon Inc. Name of the TOE Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Version of the TOE Version 1.00 PP Conformance None Conformed Claim EAL3 Developer Canon Inc. Evaluation Facility Mizuho Information & Research Institute, Inc. Center for Evaluation of Information Security This is to report that the evaluation result for the above TOE is certified as follows. 2008-12-24 Hideji Suzuki, Technical Manager Information Security Certification Office IT Security Center Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards prescribed in the "IT Security Evaluation and Certification Scheme". - Common Criteria for Information Technology Security Evaluation Version 2.3 (ISO/IEC 15408:2005) - Common Methodology for Information Technology Security Evaluation Version 2.3 (ISO/IEC 18045:2005) Evaluation Result: Pass "Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Version 1.00" has been evaluated in accordance with the provisions of the "IT Security Certification Procedure" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. CRP-C0198-01 Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. CRP-C0198-01 Table of Contents 1. Executive Summary ............................................................................... 1 1.1 Introduction ..................................................................................... 1 1.2 Evaluated Product ............................................................................ 1 1.2.1 Name of Product ......................................................................... 1 1.2.2 Product Overview ........................................................................ 1 1.2.3 Scope of TOE and Overview of Operation ....................................... 2 1.2.4 TOE Functionality ....................................................................... 3 1.3 Conduct of Evaluation....................................................................... 4 1.4 Certification ..................................................................................... 5 1.5 Overview of Report ............................................................................ 5 1.5.1 PP Conformance.......................................................................... 5 1.5.2 EAL ........................................................................................... 5 1.5.3 SOF ........................................................................................... 5 1.5.4 Security Functions ...................................................................... 5 1.5.5 Threat ........................................................................................ 6 1.5.6 Organisational Security Policy ..................................................... 6 1.5.7 Configuration Requirements ........................................................ 6 1.5.8 Assumptions for Operational Environment .................................... 7 1.5.9 Documents Attached to Product ................................................... 8 2. Conduct and Results of Evaluation by Evaluation Facility......................... 9 2.1 Evaluation Methods .......................................................................... 9 2.2 Overview of Evaluation Conducted ..................................................... 9 2.3 Product Testing ................................................................................ 9 2.3.1 Developer Testing........................................................................ 9 2.3.2 Evaluator Testing...................................................................... 12 2.4 Evaluation Result ........................................................................... 13 3. Conduct of Certification ....................................................................... 14 4. Conclusion.......................................................................................... 15 4.1 Certification Result ......................................................................... 15 4.2 Recommendations ........................................................................... 15 5. Glossary ............................................................................................. 16 6. Bibliography ....................................................................................... 18 CRP-C0198-01 1 1. Executive Summary 1.1 Introduction This Certification Report describes the content of certification result in relation to IT Security Evaluation of "Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Version 1.00" (hereinafter referred to as the “TOE") conducted by Mizuho Information & Research Institute, Inc. Center for Evaluation of Information Security (hereinafter referred to as the "Evaluation Facility"), and it reports to the sponsor, Canon Inc. Readers of the Certification Report are advised to read the corresponding ST and manuals attached to the TOE (please refer to "1.5.9 Documents Attached to Product" for further details) together with this report. The assumed environment, corresponding security objectives, security functional and assurance requirements needed for its implementation and their summary specifications are specifically described in the ST. The operational conditions and functional specifications are also described in the documents attached to the TOE. Note that the Certification Report presents the certification result based on assurance requirements conformed to the TOE, and does not certify an individual IT product itself. Note: In this Certification Report, IT Security Evaluation Criteria and IT Security Evaluation Method prescribed by IT Security Evaluation and Certification Scheme are named the CC and the CEM, respectively. 1.2 Evaluated Product 1.2.1 Name of Product The target product of this Certificate is as follows: Name of Product: iR3225/iR3230/iR3235/iR3245Series HDD Data Erase Kit-B2 Version: 1.00 Developer: Canon Inc. 1.2.2 Product Overview This product is optional software which adds security features to the Canon multifunction product series iR3225/iR3230/iR3235/iR3245 (hereafter referred to as "MFP"). By installing the TOE on the MFP, the MFP's system software (e.g., control software) is replaced by the TOE. As a basic function of the TOE, it controls functions of the MFP, such as Copy, Print, Fax Reception, User Box, and temporarily stores image data on the HDD that are created during copying, printing, and other document handling operations. In most standard multifunction products, such temporary image data are just logically deleted after use, i.e., upon completion of copying or printing, and residual information of the deleted image data is not erased; thus, there was a possibility that the information left might be exposed to the risk of unauthorized reuse. This TOE comes with a security feature called the HDD Data Erase function, which completely deletes data on the HDD, thereby eliminating any risk of the residual information of temporary image data from being reused. The TOE additionally CRP-C0198-01 2 possesses the System Administrator Identification and Authentication function and the System Management function as security functions for managing the HDD Data Erase function. 1.2.3 Scope of TOE and Overview of Operation Figure 1-1 illustrates the physical scope and logical scope of the TOE System Software (software: TOE) Remote UI Contents (software: TOE) Pre-installed MEAP App. (software: TOE) Optional MEAP App. (software: outside the TOE) Controller (hardware: outside the TOE) Scan Engine/ADF (hardware: outside the TOE) Printer Engine (hardware: outside the TOE) Operation Panel (hardware: outside the TOE) Note: The shaded area indicates the scope of the TOE. Figure 1-1: TOE physical composition As shown in Figure 1-1, the physical scope of the TOE includes: the whole of the software program that controls the functions of the Multifunction Product, the Web browser contents of the Remote UI, and the MEAP Authentication Application that is equipped with the Multifunction Product as standard feature. These are all pre-installed on the HDD of the Multifunction Product. The hardware components of the Multifunction Product, including the Controller and the HDD, are outside the scope of the TOE. In addition, outside of the TOE scope includes the hardware components of a user’s PC and its installed operating system, Web browser, printer drivers, fax drivers, and image viewer plug-ins. The TOE allows MEAP applications to run on top of it. Note that the physical scope of the TOE includes the MEAP Authentication Application that comes pre-installed on the Multifunction Product’s built-in HDD, but excludes any other optionally installed MEAP applications. The Multifunction Product installed with the TOE is intended for general use in general office environments. An example of the MFP's usage environment is shown in Figure 1-2. Aside from using the full functionality of the TOE as illustrated in figure 1-2, the MFP is also expected to be used stand-alone as a printer, or connected to the phone line only for use of the fax feature. CRP-C0198-01 3 Figure 1-2: Assumed operating environment for the MFP 1.2.4 TOE Functionality The functions of the TOE are described below. (1) Security Functions The TOE has the following security functions.  HDD Data Complete Erase A function that, upon the deletion of temporary image data, erases residual information of temporary image data from the HDD by overwriting the corresponding disk space with meaningless data.  System Manager Identification and Authentication A function that identifies and authenticates the claimed identity of an authorized System Manager via the System Manager ID and System Password, prior to permitting entry into System Management mode.  System Manager Management A function that allows registration of a System Manager ID and System Password as well as the various settings of the HDD Data Complete Erase function. (2) MFP Control The TOE controls the following functions of the Multifunction Product.  Copy A function that creates copies of paper documents by scanning and printing.  Fax Reception A function that automatically prints or forwards incoming faxes/I-faxes.  User Inbox A function that automatically saves scanned documents and documents received from external PCs for saving to a User Inbox to their respective destination inboxes in the form of image data.Image data stored in a User Inbox can be edited, CRP-C0198-01 4 e.g., to be merged with other documents or overlaid with form images, before printing.  Print A function that turns the Multifunction Product into a network printer for printing documents from remote PCs.  Universal Send (document transfer) A function that allows sending scanned documents or documents in a User Inbox/Memory Reception Inbox as faxes, or as TIFF or PDF files to outside e-mail addresses or shared folders on external PCs. This function also allows network faxing from a user’s PC using a fax driver.  Memory Media Function A function that takes a scanned document image (ScanToMemory) or a document stored in the inbox (BoxToMemory), converts to a format such as PDF, and stores on the memory media inserted by users. This function also prints documents stored in the memory media.  Remote UI The Multifunction Product can be operated not only via the Operation Panel but also via the Remote UI software. The Remote UI allows users to access the MFP through their Web browser and network connection, enabling them to view device status information, to manipulate jobs, to perform inbox management operations, and to configure various device settings.  MEAP A function that executes the applications for supporting MEAP. In addition to the provided MEAP applications, users can also install optional MEAP applications to add new functions to the MFP. 1.3 Conduct of Evaluation Based on the IT Security Evaluation/Certification Program operated by the Certification Body, TOE functionality and its assurance requirements were evaluated by the Evaluation Facility in accordance with those publicized documents such as "IT Security Evaluation and Certification Scheme"[2], "IT Security Certification Procedure"[3] and "Evaluation Facility Approval Procedure"[4]. The scope of the evaluation is as follow. - Security design of the TOE shall be adequate; - Security functions of the TOE shall satisfy security functional requirements described in the security design; - This TOE shall be developed in accordance with the basic security design; - Above-mentioned three items shall be evaluated in accordance with the CC Part 3 and the CEM. More specifically, the Evaluation Facility examined "Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Security Target" as the basic design of security functions for the TOE (hereinafter referred to as the "ST")[1], the evaluation deliverables in relation to the development of the TOE, and the development, manufacturing and shipping sites of the TOE. The Evaluation Facility evaluated if the TOE satisfies both Annex B of the CC Part 1 (either of [5], [8] or [11]) and Functional Requirements of the CC Part 2 (either of [6], [9] or [12]) and also evaluated if the development, manufacturing and shipping environments for the TOE satisfy Assurance Requirements of the CC Part 3 (either of [7], [10] or [13]) as its CRP-C0198-01 5 rationale. Such evaluation procedure and its result are presented in "Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Evaluation Technical Report" (hereinafter referred to as the " Evaluation Technical Report") [17]. Further, evaluation methodology should comply with the CEM (either of [14], [15] or [16]). 1.4 Certification The Certification Body verified the Evaluation Technical Report prepared by the Evaluation Facility and evaluation evidential materials, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. Certification review was also prepared for those concerns found in the certification process. Evaluation was completed with the Evaluation Technical Report dated 2008-12 submitted by the Evaluation Facility, and those problems pointed out by the Certification Body were fully resolved and confirmed that the TOE evaluation was appropriately conducted in accordance with the CC and the CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the Evaluation Facility and fully concluded certification activities. 1.5 Overview of Report 1.5.1 PP Conformance There is no PP to be conformed. 1.5.2 EAL Evaluation Assurance Level of the TOE defined by this ST is EAL3 conformance. 1.5.3 SOF This ST claims "SOF-basic" as its minimum strength of function. The TOE is software for the Multifunction Product that is a commercial product, and is intended for use in general offices. Therefore, the claim for SOF-basic as the minimum function strength of the TOE is appropriate. 1.5.4 Security Functions The security functions of the TOE are described below.  HDD Data Complete Erase When deleting temporary image data from the HDD, the TOE overwrites the corresponding disk space with meaningless data in order to ensure that no residual information remains on the HDD. The HDD Data Complete Erase function runs at the following times: (1) Upon completion of copying, printing, fax reception, or sending (Universal Send), any residual information of temporary image data created on the HDD is completely erased. (2) Upon startup of the TOE, any residual information of temporary image data detected on the HDD is completely erased. (3) Upon restart of the TOE after the System Manager having executed the Initialize All Data/Settings function of the Multifunction Product, any residual information CRP-C0198-01 6 of temporary image data detected on the HDD is completely erased.  System Manager Identification and Authentication The TOE requires any user accessing the System Manager Management function to enter the System Manager ID and System Password in order to restrict the System Manager Management function to the authentic System Manager only. The TOE identifies and authenticates the accessing user as System Manager only if both the entered System Manager ID and System Password match with the pre-registered System Manager ID and System Password. If the entered System Manager ID or System Password does not match with the pre-registered System Manager ID or System Password, the TOE does not identify nor authenticate the accessing user as System Manager and imposes a 1-second wait time before allowing a retry.  System Manager Management The TOE grants the following privileges only to the System Manager: (1) The System Manager can modify or delete the System Manager ID and System Password. (2) The following settings can be made for the HDD Data Complete Erase function. a) Enabling or disabling the function itself b) Changing the Erase mode 1. Single write operation of 0 data 2. Single write operation of random data 3. Triple write operation of random data 1.5.5 Threat This TOE assumes the threats identified in Table 1-1 and provides functions to counter them. Table 1-1: Assumed Threats Identifier Threat T.HDD_ACCESS Direct Access to HDD Data A malicious individual may attempt to remove the HDD of the Multifunction Product and reuse residual information of temporary image data by directly accessing the HDD using disk editor tools, etc. 1.5.6 Organisational Security Policy There are no organisational security policies required for using the TOE. 1.5.7 Configuration Requirements The TOE can be put into action by installing it on the Canon multifunction product series iR3225/iR3230/iR3235/iR3245. In order to perform the operations of the TOE described below, additional servers and software are required. CRP-C0198-01 7 Operating the Multifunction Product via the Remote UI requires the installation of a Web browser on a user’s PC to use. Desktop printing or faxing requires the installation of an appropriate printer driver or fax driver on a user’s PC to use. Sending I-faxes or documents using the Universal Send function requires an appropriate mail server, an FTP server, and a file server. In terms of this evaluation, when using the TOE from the user's PC, the evaluation configuration consists of the following software.  Operating system: Microsoft Windows XP Professional SP2  Web browser: Microsoft Internet Explorer Version 6.0 SP2 1.5.8 Assumptions for Operational Environment Table 1-2 identifies the assumptions for the operational environment of the TOE. The TOE security functions are not guaranteed to work effectively unless these assumptions are satisfied. Table 1-2: Assumptions for Using the TOE Identifier Assumption A.ADMIN Trusted System Manager The System Manager shall be trusted not to abuse his privileges. A.ADMIN_PWD System Password The System Manager shall set a non-guessable 7-digit number as the System Password. A.NETWORK Connection of the Multifunction Product The Multifunction Product running the TOE, upon connection to a network, shall be connected to the internal network that is not accessible directly from outside networks such as the Internet. CRP-C0198-01 8 1.5.9 Documents Attached to Product Documents attached to the TOE are listed below. • HDD Data Erase Kit-B2 Reference Guide • HDD Data Erase Kit-B2 Installation Procedure • iR Series User Documentation The “iR Series User Documentation” consists of the following 6 kinds of guides: • imageRUNNER 3225/3230/3235/3245 Reference Guide • imageRUNNER 3225/3230/3235/3245 Copying and Mail Box Guide • imageRUNNER 3225/3230/3235/3245 Sending and Facsimile Guide • imageRUNNER 3225/3230/3235/3245 Remote UI Guide • imageRUNNER 3225/3230/3235/3245 Network Guide • MEAP SMS Administrator Guide CRP-C0198-01 9 2. Conduct and Results of Evaluation by Evaluation Facility 2.1 Evaluation Methods Evaluation was conducted by using the evaluation methods prescribed in the CEM in accordance with the assurance requirements in the CC Part 3. Details for evaluation activities were reported in the Evaluation Technical Report. It describes the overview of the TOE as well as the contents and the verdict of the evaluation by each work unit prescribed in the CEM. 2.2 Overview of Evaluation Conducted The history of evaluation conducted is presented in the Evaluation Technical Report as follows. Evaluation has started on 2008-04 and concluded upon completion the Evaluation Technical Report dated 2008-12. The Evaluation Facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to a series of evaluation conducted. Additionally, the Evaluation Facility directly visited the development and manufacturing sites on 2008-08 and 2008-09 and examined procedural status conducted in relation to each work unit for configuration management, delivery, operation, and lifecycle by investigating records and interviewing staff. Further, the Evaluation Facility executed sampling check of the conducted testing by the developer and the evaluator testing by using developer testing environment at developer site on 2008-11. No concerns were found in evaluation activities for each work unit and no Observation Reports were issued. As for concerns indicated during the evaluation process by the Certification Body, the certification reviews were sent to the Evaluation Facility. These were reflected to evaluation after investigation conducted by the Evaluation Facility and the developer. 2.3 Product Testing This section overviews the developer testing effort reviewed by the evaluator as well as the evaluator testing effort. 2.3.1 Developer Testing (1) Developer Test Environment Figure 2-1 shows the test configuration used by the developer. CRP-C0198-01 10 Figure 2-1: Developer test configuration Developer testing was conducted in the environment/configuration shown in Figure 2-1 using the components (hardware, hardware tools, and software) listed in Table 2-1 below. Table 2-1: The list of components Equipment Description Multifunction Product A digital copier with the combined functionality of copying, faxing, printing, document transmission (Universal Send), and so on. The Multifunction Product has a large-capacity HDD to perform these functions, allowing the TOE to run thereon. In the testing, iR3245 was used.  Since the controller on which the TOE operates is the same in all of the target devices (Canon iR3225/iR3230/iR3235/ iR3245 Series), testing was performed on one model only. To test the FAX transmission function, two devices of the same model (iR3245) were used. TOE Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Version 1.00 Optional Software installed on the Multifunction Product (Outside the TOE) The following options were installed on iR3245: Universal Send (software) that provides the Send capability; Web Access Software (software) that enables Web access from the device’s UI; USB Memory Connectivity (software) that enables the Memory Media function; PS (software) that adds support for the “PostScript” page description language; PCL (software) that adds support for the “Printer Control Language” page description language; UFR II (software) that adds support for the “Ultra Fast Rendering II” page CRP-C0198-01 11 description language; and Direct Printing (software) that allows direct printing from a Web browser.  These options (not listed in "1.5.7 Configuration Requirements") are installed together with the installation procedure of MFP, including TOE installation, by a service engineer.(Options may be selectively installed according to user needs.) SATA Analyzer A device that makes it possible to capture and analyze packets of the ATA Write Command. PC A Windows PC that supports serial cable and network connections. One terminal PC was used. RS232c board A serial interface board, connected to the controller inside the Multifunction Product. Serial cable A cross-over cable with DSUB-9 connectors was used between PC and the Multifunction Product. Serial ATA Cable A cable that connects the HDD controller to the HDD. HUB A connectivity device, used to create a LAN. A TCP/IP 100 Mbps switching HUB was used. Network cables UTP cables (Category 5) were used to connect between the Multifunction Product and the HUB, and between the terminal PC and the HUB. Three cables were used in total. Central Office simulator A device that is used to connect MFP with FAX (another MFP: iR3245) through simulated telephone line. OS Microsoft Windows XP Professional Service Pack 2. Terminal software Windows-compatible terminal software was used on PC to monitor the status of the TOE on the Multifunction Product. Tera Term Pro was used. Web browser Standard browser software, used to run the Remote UI on the secondary test PC. Microsoft Internet Explorer 6.0 SP2 was used. Printing software A Windows-based software that allows printing with standard Windows printing settings. Printer driver PCL5e driver, which is a dedicated printer driver software contained in the bundled CD-ROM of iR3245, was used. SATA Analyzer software A dedicated software for analyzing data captured by the SATA Analyzer, on the PC. MEAP test Test programs created by the developer for testing the CRP-C0198-01 12 programs MEAP_API.These programs allow checking the behavior of TSFs through MEAP_API calls that are made by operating the UI in exactly the same fashion as in commercial MEAP applications. The MEAP test programs were installed on the Multifunction Product in accordance with the MEAP_SDK and SMS manuals. The test programs used for the testing are as follows. • SC040SimplePDLPrint2.jar • SC049CopyJobManager.jar • SC029DepartmentManage3.jar (2) Outline of the Developer Testing An outline of the developer testing is as follows. a. Test configuration Figure 2-1 shows the developer test configuration. The developer testing was conducted in the same TOE test environment as the TOE configuration identified in the ST. b. Testing approach The functions with a user-operable external interface were tested by executing the functions manually and observing the resulting behavior, whereas the function without a user-operable external interface (namely, the HDD Data Complete Erase function) was tested by capturing and analyzing packet data using the SATA Analyzer. c. Coverage of testing The developer tested on 44 items. A coverage analysis was performed and verified that the security functions and external interfaces described in the functional specification were thoroughly tested.A depth analysis was performed and verified that the subsystems and subsystem interfaces described in the high-level design were all thoroughly tested. d. Testing results The results of the tests by the developer provide evidence that the expected test results match the actual test results. The evaluator confirmed the legitimacy of the developer testing approach and tested items, and consistencies between the testing approach described in the test plan and the actual test results. 2.3.2 Evaluator Testing (1) Evaluator Test Environment The evaluator used the same test configuration used by the developer. (2) Outline of the Evaluator Testing An outline of the evaluator testing is as follows: a. Test configuration Figure 2-1 shows the evaluator test configuration. The evaluator testing was conducted in the same TOE test environment as the TOE configuration identified in the ST. CRP-C0198-01 13 b. Testing approach For the testing approach, as is the case with the developer testing, the functions with a user-operable external interface were tested by executing the functions manually and observing the resulting behavior, whereas the function without a user-operable external interface (namely, the HDD Data Complete Erase function) was tested by capturing and analyzing packet data using the SATA Analyzer. c. Coverage of testing The evaluator performed 15 tests in total: 5 independent tests and 10 sampled developer tests. (Sampling rate: Approximately 23%) The evaluator has taken into account the following testing items as selection criteria. (1) Coverage of all security functions (2) Coverage of all user-operable interfaces(Operation Panel, Remote UI, MEAP, Network) (3) Coverage of all sub-systems (4) Testing of the impact of concurrent operations (5) Testing of the impact of parameter input (6) Testing newly added functions (specifically, changing the Erase mode in the "HDD Data Complete Erase function”, and executing the "HDD Data Complete Erase function" when used together with the Memory Media function) d. Testing results The evaluator successfully completed all the tests and observed the behavior of the TOE security functions. The evaluator confirmed that the actual test results match the expected test results, and that there are no obvious exploitable vulnerabilities in the TOE. 2.4 Evaluation Result The evaluator confirmed in the Evaluation Technical Report that the TOE satisfies all work units prescribed in the CEM. CRP-C0198-01 14 3. Conduct of Certification The following certification was conducted based on the materials submitted by the Evaluation Facility during the evaluation process. 1. Evidential materials submitted were sampled, its contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report. 2. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 3. The Evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. Concerns found in the certification process were prepared as certification reviews, which were sent to the Evaluation Facility. The Certification Body confirmed such concerns pointed out in certification reviews were solved in the ST and the Evaluation Technical Report. Further, no Observation Reports were issued by the Evaluation Facility. CRP-C0198-01 15 4. Conclusion 4.1 Certification Result The Certification Body verified the Evaluation Technical Report and the related evaluation evidential materials submitted and confirmed that all evaluator action elements required in the CC Part 3 are conducted appropriately to the TOE. The Certification Body verified the TOE satisfies EAL3 assurance requirements prescribed in the CC Part 3. 4.2 Recommendations None CRP-C0198-01 16 5. Glossary The abbreviations used in this document are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level PP Protection Profile SOF Strength of Function ST Security Target TOE Target of Evaluation TSF TOE Security Functions The terms used in this document are described below. Box A storage space in a multifunction product for scanned documents, print jobs, and incoming faxes. Three types of storage inboxes are available: User Inbox, Confidential Fax Inbox, and Memory Reception Inbox. Controller The TOE’s operating platform. A hardware device with a CPU and memory. Department ID A unique ID assigned to each multifunction product user, who can be an individual or a department. A multifunction product running with the Department ID Management function enabled requires any user to be identified and authenticated before operating the multifunction product. The System Manager is a user who is granted a special department ID called System Manager ID. HDD The hard disk drive of a multifunction product. It is the storage place for the TOE and its assets. I-fax An Internet faxing service that allows transmission and reception of faxes using the Internet instead of telephone lines. Image data Image data that are created on the HDD of a multifunction product through document scanning, printing, or fax reception. MEAP Short for Multifunctional Embedded Application Platform; a platform for writing applications that run on Canon’s multifunction products. It allows the execution of special “MEAP applications” developed in the Java language. MEAP A special application developed in the Java language to run on multifunction products. A MEAP application can be used in CRP-C0198-01 17 application conjunction with the basic functions of a multifunction product, e.g., printing, copying, faxing, and scanning, to customize the user interface, simplify the document flow, and automate routine tasks. MEAP Authentication Application A MEAP application that allows authentication of regular users of a multifunction product as well as integration with Active Directory. Operation Panel A hardware component of a multifunction product, comprising operation keys and a touch panel display, which is used for operation of the multifunction product. Remote UI An interface that allows remote access to a multifunction product from a desktop Web browser for viewing device status information, manipulating jobs, configuring Mail Box settings, and customizing various device settings. System Management mode Operational mode of a multifunction product in which System Manager privileges are maintained on the multifunction product. Any operations performed in this mode are executed as System Manager actions. Entry into this mode requires the System Manager ID and System Password. System Management mode is finished when the ID key is pressed down on the multifunction product’s Operation Panel. System Manager An administrator of a multifunction product who is responsible for device configuration and management and who optionally manages inboxes, on behalf of inbox users. A multifunction product identifies a user who logs in with the System Manager ID as System Manager. Universal Send A function that allows sending scanned documents or documents in a User Inbox/Memory Reception Inbox as faxes, or as TIFF or PDF files to outside e-mail addresses or shared folders on external PCs. CRP-C0198-01 18 6. Bibliography [1] Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Security Target Version 1.01 (August 8, 2008) Canon Inc. [2] IT Security Evaluation and Certification Scheme, May 2007, Information-technology Promotion Agency, Japan CCS-01 [3] IT Security Certification Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-02 [4] Evaluation Facility Approval Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-03 [5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001 [6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002 [7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003 [8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001 (Translation Version 1.0 December 2005) [9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002 (Translation Version 1.0 December 2005) [10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003 (Translation Version 1.0 December 2005) [11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model [12] ISO/IEC 15408-2:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements [13] ISO/IEC 15408-3:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements [14] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004 [15] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004 (Translation Version 1.0 December 2005) [16] ISO/IEC 18045:2005 Information Technology - Security techniques - Methodology for IT security evaluation [17] Canon iR3225/iR3230/iR3235/iR3245 Series HDD Data Erase Kit-B2 Evaluation Technical Report Version 3, December 9, 2008, Mizuho Information & Research Institute, Inc. Center for Evaluation of Information Security