CRP-C0574-01

Certification Report

Tatsuo Tomita, Chairman
Information-technology Promotion Agency, Japan

Target of Evaluation (TOE)

Application Date/ID: 2016-10-25 (ITC-6618)
Certification No.: C0574
Sponsor: KONICA MINOLTA, INC.
TOE Name: bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS
TOE Version: G00-11
PP Conformance: U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009)
Assurance Package: EAL2 augmented with ALC_FLR.2
Developer: KONICA MINOLTA, INC.
Evaluation Facility: Mizuho Information & Research Institute, Inc., Information Security Evaluation Office

This is to report that the evaluation result for the above TOE is certified as follows.

2017-10-02

Takumi Yamasato, Technical Manager
Information Security Certification Office
IT Security Center
Technology Headquarters

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards prescribed in the "IT Security Evaluation and Certification Scheme Document."
- Common Criteria for Information Technology Security Evaluation Version 3.1 Release 4
- Common Methodology for Information Technology Security Evaluation Version 3.1 Release 4

Evaluation Result: Pass

"bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS" has been evaluated based on the standards required, in accordance with the provisions of the "Requirements for IT Security Certification" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements.

Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme.

Table of Contents

1. Executive Summary
1.1 Product Overview
1.1.1 Assurance Package
1.1.2 TOE and Security Functionality
1.1.2.1 Threats and Security Objectives
1.1.2.2 Configuration and Assumptions
1.1.3 Disclaimers
1.2 Conduct of Evaluation
1.3 Certification
2. Identification
3. Security Policy
3.1 Security Function Policies
3.1.1 Threats and Security Function Policies
3.1.1.1 Threats
3.1.1.2 Security Function Policies against Threats
3.1.2 Organizational Security Policies and Security Function Policies
3.1.2.1 Organizational Security Policies
3.1.2.2 Security Function Policies to Organizational Security Policies
4. Assumptions and Clarification of Scope
4.1 Usage Assumptions
4.2 Environmental Assumptions
4.3 Clarification of Scope
5. Architectural Information
5.1 TOE Boundary and Components
5.2 IT Environment
6. Documentation
7. Evaluation conducted by Evaluation Facility and Results
7.1 Evaluation Facility
7.2 Evaluation Approach
7.3 Overview of Evaluation Activity
7.4 IT Product Testing
7.4.1 Developer Testing
7.4.2 Evaluator Independent Testing
7.4.3 Evaluator Penetration Testing
7.5 Evaluated Configuration
7.6 Evaluation Results
7.7 Evaluator Comments/Recommendations
8. Certification
8.1 Certification Result
8.2 Recommendations
9. Annexes
10. Security Target
11. Glossary
12. Bibliography

1. Executive Summary

This Certification Report describes the content of the certification result in relation to the IT Security Evaluation of "bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS, Version G00-11" (hereinafter referred to as the "TOE") developed by KONICA MINOLTA, INC. The evaluation of the TOE was finished on 2017-09-20 by Mizuho Information & Research Institute, Inc., Information Security Evaluation Office (hereinafter referred to as the "Evaluation Facility").

This report is intended to report to the sponsor, KONICA MINOLTA, INC., and to provide security information to procurement entities and consumers who are interested in the TOE. Readers of the Certification Report are advised to read the Security Target (hereinafter referred to as the "ST") described in Chapter 10. In particular, details of the security functional requirements, the assurance requirements, and the rationale for the sufficiency of these requirements for the TOE are described in the ST.

This Certification Report assumes "procurement entities who purchase the TOE" to be its readers. Note that the Certification Report presents the certification result based on the assurance requirements to which the TOE conforms, and does not guarantee an individual IT product itself.

1.1 Product Overview

An overview of the TOE functions and operational conditions is given below. Refer to Chapter 2 and subsequent chapters for details.

1.1.1 Assurance Package

The Assurance Package of the TOE is EAL2 augmented with ALC_FLR.2.
1.1.2 TOE and Security Functionality

The TOE is a Multi-Function Printer (hereinafter referred to as "MFP") that offers basic functions such as Copy, Scan, Print, Fax, and Document storage and retrieval. In addition to those basic MFP functions, the TOE provides security functions that protect the document data used by the basic functions, and the setting data relevant to security, from unauthorized disclosure and alteration.

Regarding these security functionalities, the validity of the design policy and the accuracy of the implementation were evaluated within the scope of the assurance package. The threats and assumptions that the TOE assumes are described in the following sections.

1.1.2.1 Threats and Security Objectives

The TOE assumes the following threats and provides security functions to counter them.

Protected assets such as the user's document data and the setting data relevant to security are exposed to threats of unauthorized disclosure and alteration, caused by unauthorized operation of the TOE and by unauthorized access to the communication data on the network on which the TOE is installed. To counter those threats, the TOE provides security functions such as identification and authentication, access control, and encryption.

1.1.2.2 Configuration and Assumptions

The evaluated product is assumed to be operated under the following configuration and assumptions.

It is assumed that the TOE is located in an environment where the physical components and interfaces of the TOE are protected from unauthorized access. For the operation of the TOE, it shall be properly configured, maintained, and managed according to the guidance documents.

1.1.3 Disclaimers

The operations and functions indicated below are not included in the assurance of this evaluation.

The TOE claims PP conformance including the Fax function. The subject of this evaluation is the configuration in which the optional FAX kit is installed in the MFP, which is the TOE. The configuration without the FAX kit is not included in the assurance of this evaluation.

In this evaluation, only the configuration that applies the configuration conditions of "7.5 Evaluated Configuration" is evaluated as the TOE. Operation of the TOE with these configuration conditions changed is not included in the assurance provided by this evaluation.

1.2 Conduct of Evaluation

Under the IT Security Evaluation and Certification Scheme that the Certification Body operates, the Evaluation Facility conducted the IT security evaluation and completed it in 2017-09, based on the functional requirements and assurance requirements of the TOE, according to the publicized documents "IT Security Evaluation and Certification Scheme Document" [1], "Requirements for IT Security Certification" [2], and "Requirements for Approval of IT Security Evaluation Facility" [3] provided by the Certification Body.

1.3 Certification

The Certification Body verified the Evaluation Technical Report [13] and the Observation Reports prepared by the Evaluation Facility, as well as the evaluation documentation, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. A certification oversight review was also prepared for the concerns found in the certification process. The concerns pointed out by the Certification Body were fully resolved, and the Certification Body confirmed that the TOE evaluation had been appropriately conducted in accordance with the CC ([4][5][6] or [7][8][9]) and the CEM (either of [10][11]). The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the Evaluation Facility and fully concluded the certification activities.

2. Identification

The TOE is identified as follows:

TOE Name: bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS
TOE Version: G00-11
Developer: KONICA MINOLTA, INC.
The TOE version is the generic term for the versions of the MFP board, the eMMC board and the firmware. Details of the TOE version are shown in Table 2-1.

Table 2-1 Details of TOE version
Name: Version
MFP board: A92EH020-02
eMMC board: A92EH02D-00
Firmware: A92E0Y0-F000-G00-11

Users can verify that a product is the TOE, which is evaluated and certified, by the following means. The TOE name can be confirmed from the model name printed on the surface of the MFP body. The TOE version can be confirmed from the part numbers, which are the versions of the MFP board and the eMMC board, and from the firmware version displayed on the operation panel, by asking a service engineer.

3. Security Policy

This chapter describes the security function policies that the TOE adopts to counter threats, and the organizational security policies.

The TOE provides MFP basic functions such as Copy, Scan, Print, Fax, and Document storage and retrieval. The TOE also has functions to accumulate users' document data in the HDD of the TOE, and to transfer them to and from users' devices and various servers via the network. When those functions are used, the TOE provides security functions that satisfy the security functional requirements of the Protection Profile for MFPs, U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009) [14][15] (hereinafter referred to as the "PP").

The security functions that the TOE provides include identification and authentication of users, access control, encryption of the document data accumulated in the HDD, overwrite deletion at the time of deleting document data, and encrypted communication. Those functions protect users' document data and the setting data relevant to security, which are the protected assets, from unauthorized disclosure and alteration.

The TOE assumes the following user roles.
- Normal user: A user of the MFP basic functions, such as Copy, Scan, Print, Fax, and Document storage and retrieval, which are provided by the TOE.
- Administrator: A TOE user who has special authority to configure the settings of the TOE security functions. Administrator includes the "Built-in Administrator", a role implemented in the TOE beforehand, and the "User Administrator", a role of a normal user who has been given the authority of the administrator.
- TOE Owner: A person or organization that has responsibility for protecting the TOE assets and for realizing the security objectives of the TOE operational environment.

The protected assets of the TOE are defined as follows.

- User Document Data: Document data of users.
- User Function Data: Document data of users and information relevant to the jobs handled by the TOE. For the TOE, this includes various parameters for printing.
- TSF Confidential Data: Data used by the security functions, whose integrity and confidentiality are both required. For the TOE, this includes login passwords, passwords for the user boxes that accumulate document data, passwords of password-protected document data, the encryption passphrase used for generating the encryption key, and the audit log.
- TSF Protected Data: Data used by the security functions, of which only integrity is required. For the TOE, this includes the various setting values of the security functions, such as user IDs, user authorities, and network settings, excluding TSF Confidential Data.

3.1 Security Function Policies

The TOE possesses security functions to counter the threats shown in Section 3.1.1, and to satisfy the organizational security policies shown in Section 3.1.2.

3.1.1 Threats and Security Function Policies

3.1.1.1 Threats

The TOE assumes the threats shown in Table 3-1 and provides security functions to counter them. These threats are the same as the ones written in the PP.
Table 3-1 Assumed Threats
Identifier: Threat
T.DOC.DIS: User Document Data may be disclosed to unauthorized persons
T.DOC.ALT: User Document Data may be altered by unauthorized persons
T.FUNC.ALT: User Function Data may be altered by unauthorized persons
T.PROT.ALT: TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS: TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT: TSF Confidential Data may be altered by unauthorized persons

3.1.1.2 Security Function Policies against Threats

The TOE counters the threats shown in Table 3-1 by the following security function policies. The details of each security function are described in Chapter 5.

1) Countermeasures against the threats "T.DOC.DIS", "T.DOC.ALT", and "T.FUNC.ALT"

These are the threats to user data (User Document Data and User Function Data). The TOE counters them with the "Identification and authentication function," "User restriction control function," "Accumulated documents access control function," "Residual information deletion function" and "Network communication protection function."

The "Identification and authentication function" of the TOE permits only those users who succeed at identification and authentication to use the TOE.

The "User restriction control function" of the TOE checks the operation authority given to users and permits only authorized users to perform the basic functions, when identified and authenticated users use the MFP basic functions such as Copy, Scan, Print, Fax, and Document storage and retrieval. In such cases, access control to user data is also performed, and only those users who have the access authority to the user data are permitted to access it. However, the following "Accumulated documents access control function" is applied to the document data accumulated in the user box.
The "Accumulated documents access control function" of the TOE performs access control and permits operations only to authorized users, when users operate the document data accumulated in the user box.

The "Residual information deletion function" of the TOE prevents residual information from being referred to, by overwriting and deleting the HDD area where the document data were stored when the document data are deleted.

The "Network communication protection function" of the TOE applies an encrypted communication protocol to encrypt the communication data when the TOE communicates with client PCs and various servers.

With the above functions, the TOE prevents the user data to be protected from unauthorized disclosure and alteration through unauthorized use of the TOE and unauthorized access to the communication data.

2) Countermeasures against the threats "T.PROT.ALT", "T.CONF.DIS", and "T.CONF.ALT"

These are the threats to the data used by the security functions. The TOE counters them with the "Identification and authentication function," "Security management function," and "Network communication protection function."

The "Identification and authentication function" and "Security management function" of the TOE permit only identified and authenticated administrators to set up, refer to, and change the data used by the security functions. However, normal users can change their own login passwords.

The "Network communication protection function" of the TOE applies an encrypted communication protocol to encrypt the communication data when the TOE communicates with client PCs and various servers.

With the above functions, the TOE prevents the data to be protected from unauthorized disclosure and alteration through unauthorized use of the TOE and unauthorized access to the communication data.

3.1.2 Organizational Security Policies and Security Function Policies

3.1.2.1 Organizational Security Policies

The organizational security policies required for use of the TOE are shown in Table 3-2. These organizational security policies are the same as the ones written in the PP, except for P.HDD.CRYPTO, which has been added.

Table 3-2 Organizational Security Policies
Identifier: Organizational Security Policy
P.USER.AUTHORIZATION: To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner.
P.SOFTWARE.VERIFICATION: To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING: To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel.
P.INTERFACE.MANAGEMENT: To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment.
P.HDD.CRYPTO: The data stored in the HDD must be encrypted to improve secrecy.

3.1.2.2 Security Function Policies to Organizational Security Policies

The TOE provides the following security functions to satisfy the organizational security policies shown in Table 3-2. The details of each security function are described in Chapter 5.

1) Means of the organizational security policy "P.USER.AUTHORIZATION"

The TOE implements this policy by the "Identification and authentication function" and the "User restriction control function." The "Identification and authentication function" of the TOE permits only those users who succeed at identification and authentication to use the TOE. The "User restriction control function" of the TOE checks the user authority given and permits only identified and authorized users to perform the basic functions, when authenticated users use the MFP basic functions such as Copy, Scan, Print, Fax, and Document storage and retrieval.
2) Means of the organizational security policy "P.SOFTWARE.VERIFICATION"

The TOE implements this policy by the "Self-test function." The "Self-test function" of the TOE verifies that the HDD encryption function, the encryption passphrase and the TSF executable code are normal at the time of startup.

3) Means of the organizational security policy "P.AUDIT.LOGGING"

The TOE implements this policy by the "Audit log function." The "Audit log function" of the TOE records the events relevant to the security functions as the audit log. Only identified and authenticated administrators are permitted to read out and delete the audit log stored in the TOE. The audit log cannot be modified.

4) Means of the organizational security policy "P.INTERFACE.MANAGEMENT"

The TOE implements this policy by the "Identification and authentication function" and the "External interface separation function." The "Identification and authentication function" of the TOE permits only those users who succeed at identification and authentication to use the TOE. It also terminates the session after a certain time of no operation by the user. In addition, the "External interface separation function" of the TOE prevents data received from the external interfaces of the TOE, including the telephone line, from being transferred to the LAN without authorization, because the TOE mediates the processing of that data.

5) Means of the organizational security policy "P.HDD.CRYPTO"

The TOE implements this policy by the "HDD encryption function." The "HDD encryption function" of the TOE encrypts the data stored in the HDD. The encryption algorithm is 256-bit AES.

4. Assumptions and Clarification of Scope

This chapter describes the assumptions and the operational environment for operating the TOE, as useful information for the assumed readers when deciding whether to use the TOE.

4.1 Usage Assumptions

Table 4-1 shows the assumptions for operating the TOE. These assumptions are the same as the ones written in the PP. The effective performance of the TOE security functions is not assured unless these assumptions are satisfied.

Table 4-1 Assumptions in Use of the TOE
Identifier: Assumption
A.ACCESS.MANAGED: The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING: TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING: Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST: Administrators do not use their privileged access rights for malicious purposes.

4.2 Environmental Assumptions

The TOE is installed in general offices and connected to the internal LAN, and it is used from client PCs connected to the internal LAN. The general operational environment of the TOE is shown in Figure 4-1.

[Figure 4-1 Operational environment of the TOE: the MFP (with FAX kit), client PC, SMTP server, external authentication server and DNS server on the LAN; a firewall between the LAN and the Internet; the MFP also connected to the public line]

The MFP is the TOE in Figure 4-1. However, the FAX kit installed in the MFP is not included in the TOE. The components other than the MFP, which is the TOE, are as follows.

1) FAX kit

It performs the sending and receiving of fax data and the communication of the remote diagnostic function via the public line. The following option for the MFP is necessary.
- KONICA MINOLTA, INC. FK-517

2) Client PC

It is used by users to access the functions provided by the TOE via the LAN. The software listed in Table 4-2 is necessary.

Table 4-2 Software of Client PC
Type: Name and version
Web browser: Microsoft Internet Explorer 11
Printer driver: KONICA MINOLTA C3851 Series PCL Ver. 1.1.0.0, PS Ver. 1.1.0.0, XPS Ver. 1.1.0.0
Administrator's tool: KONICA MINOLTA Data Administrator with Device Set-Up and Utilities Ver. 1.0.09000 (plugin: KONICA MINOLTA Data Administrator Ver. 4.1.38000)

3) SMTP server

It is necessary when using the function that sends the document data in the TOE by e-mail.

4) External authentication server

This server identifies and authenticates TOE users by the Kerberos protocol. It is necessary when the external server authentication method is selected in the TOE settings. The following software is used in this evaluation.
- Active Directory installed in Microsoft Windows Server 2008 R2 Standard Service Pack 1

5) DNS server

This server converts domain names into IP addresses. The following software is used in this evaluation.
- Microsoft Windows Server 2008 R2 Standard Service Pack 1

Note that the reliability of the hardware and cooperating software other than the TOE shown in this configuration is outside the scope of this evaluation. (It is assumed to be trustworthy.)

4.3 Clarification of Scope

The TOE has a function to terminate the session after a certain time of no operation by the user, in order to prevent a user's login status from being left unattended. On the operation panel of the TOE and in the Web browser of the client PC, the value set by the administrator is applied as the time until session termination. However, the administrator tools on the client PC use a fixed value of 60 minutes, and administrators need to be aware of this since it is long.

5. Architectural Information

This chapter explains the scope and the main components (subsystems) of the TOE.

5.1 TOE Boundary and Components

Figure 5-1 shows the composition of the TOE. The FAX kit is not included in the TOE.

[Figure 5-1 Composition of the TOE]

The functions in the shaded boxes in Figure 5-1 are the security functions. The TOE security functions are explained below.
1) Identification and authentication function

This function identifies and authenticates TOE users by user ID and login password. Identification and authentication are applied to all of the user interfaces shown below.
- Operation panel
- Client PC (Web browser, printer driver, various tools)

There are two kinds of authentication methods: "machine authentication," which uses the user ID and login password stored in the TOE, and "external server authentication," which uses a Kerberos server outside the TOE.

In addition, it has the following functions for strengthening identification and authentication.
- Login passwords of 8 or more characters are required as the specified quality.
- Authentication is suspended when the number of consecutive authentication failures reaches the value set by the administrator.
- After identification and authentication, the session is terminated when no operation is performed for a certain period of time.

In the case of machine authentication, the quality check of login passwords is performed when the login password setting is changed. In the case of external server authentication, it is performed at the time of login, and login is not permitted if the login password registered in the external authentication server does not satisfy the quality required by the TOE.

2) User restriction control function

This function controls the access of identified and authenticated users to operations and to the document data generated when using the TOE. However, access control to the accumulated document data is performed by the "Accumulated documents access control function."

When a user uses the MFP basic functions such as Print, Copy, Scan, Fax and Document storage and retrieval, the authority set for the user is checked, and the user is permitted to perform only the basic functions for which that user has authority.
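The identification and authentication function of 1) and the per-function authority check that opens 2), modelled as an added Python example; this is not code from the original report or from KONICA MINOLTA. The lockout threshold, timeout values, user IDs, passwords, the `external_verify` hook standing in for the Kerberos server, the hashed credential store and the `authorities` table are constructed assumptions; the 60-minute administrator-tool timeout is the fixed value noted in section 4.3.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

MIN_PASSWORD_LENGTH = 8         # password quality rule stated in the report: 8 or more characters
ADMIN_TOOL_TIMEOUT_S = 60 * 60  # fixed 60-minute timeout of the client-PC administrator tools (section 4.3)


def meets_quality(password: str) -> bool:
    """Quality rule of the TOE: at least MIN_PASSWORD_LENGTH characters."""
    return len(password) >= MIN_PASSWORD_LENGTH


def _digest(password: str) -> bytes:
    # Constructed credential store for this model; the report does not describe the TOE's own storage.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class Session:
    user_id: str
    interface: str        # "panel", "web" or "admin_tool"
    last_activity: float  # seconds on a clock supplied by the caller


@dataclass
class AuthService:
    mode: str                 # "machine" or "external"
    failure_threshold: int    # administrator-set count of consecutive failures that suspends authentication
    session_timeout_s: float  # administrator-set inactivity timeout for the operation panel and Web browser
    # Assumed hook standing in for the Kerberos server used by external server authentication.
    external_verify: Optional[Callable[[str, str], bool]] = None
    authorities: Dict[str, Set[str]] = field(default_factory=dict)  # user ID -> permitted basic functions
    _credentials: Dict[str, bytes] = field(default_factory=dict)
    _failures: Dict[str, int] = field(default_factory=dict)
    _suspended: Set[str] = field(default_factory=set)
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def set_machine_password(self, user_id: str, new_password: str) -> bool:
        """Machine authentication: the quality check runs when the password is set or changed."""
        if self.mode != "machine" or not meets_quality(new_password):
            return False
        self._credentials[user_id] = _digest(new_password)
        return True

    def _verify(self, user_id: str, password: str) -> bool:
        if self.mode == "machine":
            stored = self._credentials.get(user_id)
            return stored is not None and hmac.compare_digest(stored, _digest(password))
        # External server authentication: the server checks the credential, then the TOE applies
        # its own quality rule at login and refuses passwords that fall below it.
        if self.external_verify is None or not self.external_verify(user_id, password):
            return False
        return meets_quality(password)

    def login(self, user_id: str, password: str, interface: str, now: float) -> str:
        """Returns "ok", "denied" or "suspended"."""
        if user_id in self._suspended:
            return "suspended"
        if not self._verify(user_id, password):
            self._failures[user_id] = self._failures.get(user_id, 0) + 1
            if self._failures[user_id] >= self.failure_threshold:
                self._suspended.add(user_id)  # authentication suspended once the threshold is reached
                return "suspended"
            return "denied"
        self._failures[user_id] = 0  # a success ends the run of consecutive failures
        self._sessions[user_id] = Session(user_id, interface, now)
        return "ok"

    def touch(self, user_id: str, now: float) -> bool:
        """Records activity; ends the session and returns False once the inactivity limit has passed."""
        session = self._sessions.get(user_id)
        if session is None:
            return False
        limit = ADMIN_TOOL_TIMEOUT_S if session.interface == "admin_tool" else self.session_timeout_s
        if now - session.last_activity >= limit:
            del self._sessions[user_id]
            return False
        session.last_activity = now
        return True

    def may_use(self, user_id: str, function: str, now: float) -> bool:
        """User restriction control: a live session plus administrator-granted authority for the function."""
        return self.touch(user_id, now) and function in self.authorities.get(user_id, set())


def demo() -> dict:
    """Walks the machine-authentication case through the policy with constructed inputs."""
    svc = AuthService(mode="machine", failure_threshold=3, session_timeout_s=300.0)
    r = {}
    r["short_rejected"] = not svc.set_machine_password("user01", "short")        # 5 chars: rejected
    r["set_ok"] = svc.set_machine_password("user01", "correct-horse-1")         # 15 chars: accepted
    r["first_login"] = svc.login("user01", "correct-horse-1", "panel", now=0.0)  # "ok"
    r["active_at_299"] = svc.touch("user01", 299.0)                              # inside the 300 s limit
    r["expired_at_600"] = svc.touch("user01", 600.0)                             # 301 s idle: ended
    r["lockout"] = [svc.login("user01", "wrong-guess-1", "panel", 700.0) for _ in range(3)]
    r["after_lockout"] = svc.login("user01", "correct-horse-1", "panel", 701.0)  # still suspended
    return r
```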
When a user performs operations such as printing and previewing document data, only the owner of the document data is permitted to perform them. When deleting document data, only the owner of the document data and administrators are permitted to delete it. To determine the owner of the document data, a password is used if a password is set on the document data; otherwise, the user ID attached to the document data is used.

3) Accumulated documents access control function

This function controls access when document data accumulated in a user box of the TOE are retrieved by the Document storage and retrieval function, and permits only authorized users to retrieve document data. The password that administrators set for the user box is used for access control. Note that administrators can delete all the document data accumulated in the user box.

4) Security management function

This function permits only identified and authenticated administrators to set up, refer to, and change the data used by the security functions. However, normal users can change their own login passwords.

5) Audit log function

This function records the audit events relevant to the security functions as the audit log. Only identified and authenticated administrators can download the audit log stored in the TOE to a client PC and delete it. The audit log cannot be modified.

6) HDD encryption function

This function encrypts the data stored in the HDD. The encryption algorithm is 256-bit AES. The encryption key is generated by KONICA MINOLTA's proprietary algorithm from the 20-character encryption passphrase that an administrator sets at the time of installation.

7) Residual information deletion function

This function overwrites and deletes the HDD area that stores document data at the time the document data are deleted.
This function is performed at the following timing. - When the MFP basic functions are terminated and the document data became unnecessary; this includes the data temporarily generated in the TOE because of the TOE process. - When the document data are deleted by the user's command. - When the power is turned on; in case the process of overwriting is not completed when the power is turned off, it restarts at the time of turning on the power. The pattern of the data to overwrite can be selected from the multiple patterns by the administrator setting. However, the actual data written to the HDD are different from the selected data pattern, since the data written to the HDD are encrypting. 8) Self-test function This function is the function to perform the following self-tests at the time of the TOE start-up. - Verification of the encryption passphrase and encryption function by the data for verifying that are installed in the TOE. - Verification of the hash value of firmware. 9) Network communication protection function This function is the function to perform the following encrypted communication on the communications with IT devices. - Client PC: IPsec - External authentication server: IPsec - SMTP server: IPsec - DNS server: IPsec 10) External interface separation function This function is the function to prevent unauthorized transfer to LAN from external interfaces, including the telephone line. The data received from the external interfaces of the TOE are processed with mediating by the TOE. CRP-C0574-01 15 5.2 IT Environment The TOE identifies and authenticates users by using the external authentication server (Kerberos protocol) in case of the external server authentication method. Fax function of the TOE performs the sending and receiving of fax data through FAX kit which is not included in the TOE. However, the security functions, such as access control and unauthorized access prevention related to Fax function, are realized in the TOE. CRP-C0574-01 16 6. 
6. Documentation
The identification of documents attached to the TOE is listed in Table 6-1. There are Japanese and two types of English guidance documents for the TOE, and they are distributed depending on the sales areas. TOE users are required to fully understand and comply with the documents listed in Table 6-1 in order to satisfy the assumptions.

Table 6-1 Guidance Documents (Language / Name / Version)
- Japanese: bizhub C3851 User's Guide, 1.00
- Japanese: bizhub C3851 User's Guide Security Functions, 1.02
- English (a): bizhub C3851FS/C3851/C3351 User's Guide, 1.00
- English (a): bizhub C3851FS/C3851/C3351 User's Guide [Security Operations], 1.02
- English (b): ineo+ 3851FS/3851/3351 User's Guide, 1.00
- English (b): ineo+ 3851FS/3851/3351 User's Guide [Security Operations], 1.02

7. Evaluation conducted by Evaluation Facility and Results

7.1 Evaluation Facility
Mizuho Information & Research Institute, Inc., Information Security Evaluation Office, which conducted the evaluation as the Evaluation Facility, is approved under JISEC and is accredited by NITE (National Institute of Technology and Evaluation), the Accreditation Body, which joins the Mutual Recognition Arrangement of ILAC (International Laboratory Accreditation Cooperation). It is periodically confirmed that the above Evaluation Facility meets the requirements on the appropriateness of the management and evaluators for maintaining the quality of evaluation.

7.2 Evaluation Approach
Evaluation was conducted by using the evaluation methods prescribed in the CEM in accordance with the assurance components in the CC Part 3. Details of the evaluation activities were reported in the Evaluation Technical Report. The Evaluation Technical Report explains the summary of the TOE as well as the content of the evaluation and the verdict of each work unit in the CEM.

7.3 Overview of Evaluation Activity
The history of the evaluation conducted is described in the Evaluation Technical Report as follows.
The evaluation started in 2016-10 and concluded upon completion of the Evaluation Technical Report dated 2017-09. The Evaluation Facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to the series of evaluations conducted. Additionally, the evaluator directly visited the development sites in 2017-03, and examined the procedural status of configuration management and delivery by investigating records and interviewing staff. Furthermore, the evaluator conducted the sampling check of the developer testing and the evaluator testing by using the developer testing environment at the developer site in 2017-03, 2017-06 and 2017-07.
Concerns found in evaluation activities for each work unit were all issued as Observation Reports, and those were reported to the developer. Those concerns were reviewed by the developer, and all the concerns were solved eventually.
Concerns that the Certification Body found in the evaluation process were described as the certification oversight review, which was sent to the Evaluation Facility. After the Evaluation Facility and the developer examined them, those concerns were reflected in the Evaluation Technical Report.

7.4 IT Product Testing
The evaluator confirmed the validity of the testing that the developer had performed. As a result of the evidence shown in the process of the evaluation and the confirmed validity, the evaluator performed the reproducibility testing, additional testing and penetration testing based on vulnerability assessments judged to be necessary.

7.4.1 Developer Testing
The evaluator evaluated the integrity of the developer testing that the developer performed and the documentation of actual testing results. The content of the developer testing evaluated by the evaluator is explained as follows.

1) Developer Testing Environment
Figure 7-1 shows the testing configuration performed by the developer.
[Figure 7-1 Configuration of the Developer Testing]

Table 7-1 shows the components of the developer testing.

Table 7-1 Components of the Developer Testing (Name / Detail)
- MFP (TOE): bizhub C3851, bizhub C3351, bizhub C3851FS (Version G00-11)
- MFP built-in FAX kit: KONICA MINOLTA FK-517
- Supplementary PC (Client PC): Windows 7 Professional SP1 PC (Web browser: Internet Explorer 11). * Various drivers and tools shown in Table 4-2 above are installed on the above PCs.
- External Authentication Server: Windows Server 2008 R2 Standard SP1 PC; Kerberos software: Active Directory (OS attached)
- Mail server (SMTP server): Windows Server 2008 R2 Standard SP1 PC; SMTP software: Black Jumbo Dog Ver.5.9.5
- DNS server: Windows Server 2008 R2 Standard SP1 PC; DNS software: OS attached
- CSRC center server: a server providing the same function as the remote diagnostic service of KONICA MINOLTA, INC.; Windows Server 2008 R2 Standard SP1 PC; CSRC center software Ver.2.8.2
- bizhub C3851 MFP (other device for FAX): used as the other device for Fax TX/RX of the TOE.
- Pseudo-exchange (public line): line exchange to realize a pseudo-public line; CE-97 by Neix, Inc.
- USB memory (USB flash drive): used to check that firmware update and the USB memory function cannot be used; I-O DATA ToteBag 1G
- USB keyboard, mouse: used to check that a USB keyboard and mouse cannot be used.
- PC for terminal: connected to the interface for the TOE developer via RS232C; Windows 7 Professional SP1 PC; terminal software: Tera Term Pro Ver.4.79

The MFPs tested by the developer are all models of the bizhub series of the TOE. The ineo+ series of the TOE are the same product as the bizhub series except for the difference in name. Therefore, the configuration of the developer testing is considered to include all of the identified TOEs. The developer testing was performed in the same TOE testing environment as the TOE configuration identified in the ST.
2) Summary of the Developer Testing
A summary of the developer testing is described as follows.

a. Developer Testing Outline
An outline of the developer testing is described as follows.
For the external interfaces of the TOE, the developer confirmed their behavior by using the TOE operation panel, a PC and the testing tools for input. The following approach was used for the confirmation of the behavior.
- For behavior that can be checked by an interface provided by the TOE, the response to the input, the operation of the TOE, the audit log, and the communication data are checked by using that interface.
- For the data inside the TOE and the data on the HDD that cannot be checked by an interface provided by the TOE, those are checked by using the developer interface. It is confirmed that the encryption algorithm is implemented to specification by comparing the data obtained by the above method with the data encrypted by OpenSSL.
Furthermore, behavior that cannot be confirmed by the above interfaces, such as the hash algorithm used for the self-test inside the TOE and for Web session information generation, is confirmed to be implemented to specification by reviewing the source code.

Table 7-2 shows the tools used in the developer testing.

Table 7-2 Developer Testing Tools (Tool Name / Outline and Purpose of Use)
- Fiddler Ver.2.4.5.6: mediates the communications between the Web browser and the Web server (TOE), and refers to and changes the communication data between them.
- TamperIE Ver.1.0.1.13: mediates the communications between the Web browser and the Web server (TOE), and refers to and changes the communication data between them.
- Open API testing tool Ver.7.9.9.13: a testing tool for the Open API of KONICA MINOLTA, INC. Open API is the network interface of the TOE used by Data Administrator, which is a tool on the client PC.
- OpenSSL Ver.1.0.1e: used for testing TLS and the encryption algorithm.
- PC for terminal: by using the developer interfaces, refers to the HDD data and the memory contents inside the TOE, such as the encryption key.
- WireShark Ver.1.10.2: monitors and analyzes the communication data on the LAN.

By operating MFP basic functions and security management functions through various interfaces, it was confirmed that the security functions perform to specification for various input parameters. The variations of the input parameters include the rewriting of communication data between the Web browser and the TOE, and power OFF/ON during the overwrite deletion. Regarding the security functions, the cases where the behavior differs depending on the TOE settings, such as the authentication method, IPv4, and IPv6, are also confirmed.

b. Scope of the Performed Developer Testing
The developer testing was performed on 241 items by the developer. By the coverage analysis, it was verified that all security functions and external interfaces described in the functional specification had been tested.

c. Result
The evaluator confirmed the approach of the performed developer testing and the legitimacy of the tested items, and confirmed consistency between the testing approach described in the testing plan and the actual testing approach. The evaluator confirmed consistency between the testing results expected by the developer and the actual testing results obtained by the developer.

7.4.2 Evaluator Independent Testing
The evaluator performed sample testing to reconfirm the execution of security functions by test items extracted from the developer testing. In addition, the evaluator performed the evaluator independent testing (hereinafter referred to as the "independent testing") to gain further assurance that the security functions are certainly implemented, based on the evidence shown in the process of the evaluation. The independent testing performed by the evaluator is explained as follows.
1) Independent Testing Environment
The environment of the independent testing performed by the evaluator is the same configuration as the developer testing shown in Figure 7-1. The independent testing was performed in the same environment as the TOE configuration identified in the ST. The components and testing tools used in the independent testing were the same as those used in the developer testing. Although those include ones independently developed by the developer, their validity confirmation and operation tests were performed by the evaluator.

2) Summary of the Independent Testing
A summary of the independent testing performed by the evaluator is described as follows.

a. Viewpoints of the Independent Testing
The viewpoints of the independent testing that the evaluator designed from the developer testing and the provided evaluation documentation are shown below.
(1) To confirm the behavior at threshold limit values that are not tested by the developer.
(2) To confirm the behavior of combinations of multiple interfaces and operations that are not tested by the developer.
(3) To confirm variations of input data and operation environments to supplement the developer testing.
(4) In the sampling testing, to select the items of the developer testing from the following viewpoints:
- To confirm all the security functions and the external interfaces.
- To confirm all the different testing approaches, such as testing tools.
- To confirm the content of the source code review performed by the developer.
- To confirm those which contribute to the vulnerability measures, such as the rewriting of communication data.

b. Independent Testing Outline
An outline of the independent testing that the evaluator performed is as follows.
The independent testing was performed with the same testing approach as the developer testing. The tools used in the independent testing are the same as those used in the developer testing.
The evaluator performed 53 items of sampling testing and 13 items of additional independent testing, based on the viewpoints of the independent testing. Table 7-3 shows the viewpoints of the independent testing and the content of the main tests corresponding to them.

Table 7-3 Viewpoints of Independent Testing Performed (Viewpoint / Overview of Testing)
Viewpoint (1)
- For login passwords, user box passwords, and encryption passphrases, confirm the behavior when a character string one character longer than the maximum number of characters is input at the time of changing.
- Confirm that the error processing works as specified when the registration of account information or print data reaches the upper limit.
Viewpoint (2)
- Confirm that the number of authentication failures until the account is locked is totaled across different interfaces.
- Confirm that the TOE behaves as specified when the login password is changed while the same user is logged in from both the operation panel and the Web browser.
- Confirm that access is controlled according to the changed authorities when multiple authorities of a user are changed in one operation.
Viewpoint (3)
- Regarding the remote diagnostic function that uses fax data, confirm that unauthorized data are denied when the data differ from those of the developer testing.

c. Result
All the independent testing performed by the evaluator was correctly completed, and the evaluator confirmed the behavior of the TOE. The evaluator confirmed consistency between the expected behavior and all the testing results.

7.4.3 Evaluator Penetration Testing
The evaluator devised and performed the necessary evaluator penetration testing (hereinafter referred to as the "penetration testing") on the potentially exploitable vulnerabilities of concern under the assumed environment of use and attack level, from the evidence shown in the process of the evaluation.
The penetration testing performed by the evaluator is explained as follows.

1) Summary of the Penetration Testing
A summary of the penetration testing performed by the evaluator is described as follows.

a. Vulnerability of Concern
The evaluator searched the provided documentation and publicly available information for potential vulnerabilities, and then identified the following vulnerabilities which require penetration testing.
(1) There is concern that known vulnerabilities may exist in the network interfaces.
(2) There is concern that known vulnerabilities may exist in the print processing.
(3) If confidential information such as secret login accounts is included in the TOE, there is concern that it may be exploited.
(4) When the power of the TOE is turned off during operation of the TOE from the Web browser, there is concern that the authentication status may be retained and exploited.
(5) There is concern that attacks such as buffer overflow, or bypass of identification and authentication and of access control, may succeed by sending unauthorized communication data to the TOE.

b. Penetration Testing Outline
The evaluator performed the following penetration testing to identify potentially exploitable vulnerabilities.
The penetration testing was performed in the same environment as the independent testing environment by installing the penetration testing tools on the inspection PC.
Table 7-4 shows the tools used for the penetration testing.

Table 7-4 Penetration Testing Tools (Tool Name / Outline and Purpose)
- Nessus Version 6.10.2: security scanner for various communication protocols. (The latest vulnerability database as of February 27, 2017, is referred to.)
- Nikto Version 2.1.5: security scanner for the Web. (The latest vulnerability database as of February 27, 2017, is referred to.)
- nmap Version 7.31: a tool for detecting available network ports.
- Fiddler Version 4.6.20171.9220, TamperIE Version 1.0.1.13, Burp Suite Version 1.7.17: Web debuggers that mediate the communications between the Web browser and the Web server (TOE), and refer to and change the communication data between them. * The evaluator uses any of the three tools for the concerned test items.
- extrstr Version 0.2: a binary analysis tool developed by the Evaluation Facility. It is used for extracting character strings that are included in binary files.
- Metasploit Version 4.13.7: used for creating the inspection data for inspecting vulnerabilities in PDF processing.
- PRET Version 0.36: a tool to inspect various vulnerabilities in print processing.

Table 7-5 shows the vulnerabilities of concern and the content of the penetration testing corresponding to them.

Table 7-5 Outline of the Penetration Testing (Vulnerability / Outline of Testing)
Vulnerability (1)
- By running nmap, Nessus, and Nikto against the TOE, it was confirmed that there is no known vulnerability.
Vulnerability (2)
- It was confirmed that unauthorized processing is not performed even if print job commands and print files that include unauthorized processing are input to the TOE.
Vulnerability (3)
- By analyzing the binary stored on the update media of the TOE using extrstr, it was confirmed that secret character strings that could be exploited, such as secret login accounts, are not included.
Vulnerability (4)
- While operating the TOE by the TOE operation panel, the Web browser on the PC, and various tools, it was confirmed that even if the power of the TOE is turned OFF/ON, the authentication status is not maintained and re-login is required for use.
Vulnerability (5)
- It was confirmed that unexpected operations, such as bypass of identification and authentication or of access control, and buffer overflow, cannot be performed even if the communication data from the Web browser to the TOE are altered by using a Web debugger.
- Regarding the individual interfaces besides the Web, the equivalent confirmation was performed by using the developer testing tools, as in the case of the Web.

c. Result
In the penetration testing performed by the evaluator, the evaluator did not find any exploitable vulnerabilities that attackers who have the assumed attack potential could exploit.

7.5 Evaluated Configuration
The configuration conditions of the TOE, which are the assumptions of this evaluation, are described in the guidance documents shown in Chapter 6. TOE administrators need to activate the security functions of the TOE and to configure the TOE as described in the appropriate guidance documents for secure use. If these setting values are changed to values different from those described in the guidance documents, such cases are not included in the assurance of this evaluation.
Among the configuration conditions of the TOE, in addition to the "Enhanced Security Setting" that collectively configures secure values for the various settings of the security functions, there are also setting values that need to be configured individually. Note that the configuration conditions of the TOE also include settings which prohibit the use of functions provided by the TOE. For example, the following setting values are also included:
- Invalidation of the Internet Fax function
- Invalidation of print protocols other than IPP
- Invalidation of the USB flash drive function and the Print function via the USB interface (Notice: This setting is set by "Enhanced Security Setting" collectively.)
- Invalidation of SNMP
- Invalidation of TCP socket (Notice: By this setting, a scanner driver for the client PC and tools such as Box Operator and HDD BackUp Utility cannot be used.)
- Invalidation of the User box creation function (Notice: By this setting, the user box for each user and the public user box cannot be used.)
TOE administrators should note that if the setting values of the TOE's configuration conditions are changed to values different from the guidance, including the settings to disable some functions as described above, the configuration will not be assured by this evaluation. The guidance also describes a method to restore a changed configuration to the evaluated configuration which is assured in this evaluation.

7.6 Evaluation Results
The evaluator concluded that the TOE satisfies all work units prescribed in the CEM by submitting the Evaluation Technical Report.
In the evaluation, the following were confirmed.
- PP Conformance: U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009)
The TOE also conforms to the following SFR packages defined in the above PP.
- 2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment B
- 2600.2-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment B
- 2600.2-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment B
- 2600.2-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment B
- 2600.2-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment B
- 2600.2-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment B
- Security functional requirements: Common Criteria Part 2 Extended
- Security assurance requirements: Common Criteria Part 3 Conformant
As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance components.
- All assurance components of the EAL2 package
- Additional assurance component ALC_FLR.2
The result of the evaluation applies only to the TOE corresponding to the identification described in Chapter 2.
7.7 Evaluator Comments/Recommendations
There is no evaluator recommendation to be addressed to procurement entities.

8. Certification
The Certification Body conducted the following certification based on the materials submitted by the Evaluation Facility during the evaluation process.
1. Contents pointed out in the Observation Reports shall be adequate.
2. Contents pointed out in the Observation Reports shall properly be solved.
3. The submitted documentation was sampled, the content was examined, and the related work units shall be evaluated as presented in the Evaluation Technical Report.
4. The rationale of the evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate.
5. The evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM.
Concerns found in the certification process were prepared as the certification oversight review, which was sent to the Evaluation Facility. The Certification Body confirmed that the concerns pointed out in the certification oversight review were solved in the ST and the Evaluation Technical Report, and issued this Certification Report.

8.1 Certification Result
As a result of verification of the submitted Evaluation Technical Report, Observation Reports, and related evaluation documentation, the Certification Body determined that the TOE satisfies all assurance requirements for EAL2 augmented with ALC_FLR.2 in the CC Part 3.

8.2 Recommendations
It should be noted that procurement entities who are interested in the TOE need to refer to the descriptions of "1.1.3 Disclaimers," "4.3 Clarification of Scope," and "7.5 Evaluated Configuration" and to see whether or not the evaluated scope of the TOE and the operational requirements are consistent with the operational conditions that they assume. In particular, in this evaluation, it should be noted that the user box for each user and the public user box cannot be used.

9. Annexes
There is no annex.

10. Security Target
The Security Target [12] of the TOE is provided as a separate document along with this Certification Report.
bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS Security Target, Version 2.00, September 19, 2017, KONICA MINOLTA, INC.

11. Glossary
The abbreviations relating to the CC used in this report are listed below.
- CC: Common Criteria for Information Technology Security Evaluation
- CEM: Common Methodology for Information Technology Security Evaluation
- EAL: Evaluation Assurance Level
- PP: Protection Profile
- ST: Security Target
- TOE: Target of Evaluation
- TSF: TOE Security Functionality
The abbreviations relating to the TOE used in this report are listed below.
- MFP: Multi-Function Printer
- eMMC: embedded Multi Media Card
The definitions of terms used in this report are listed below.
- Copy function: A function to read paper documents and to print the copy by operation of the operation panel.
- Document storage and retrieval function: A function to accumulate document data in the TOE and retrieve the accumulated document data.
- Encryption passphrase: A string of 20 characters used for generating the encryption key of HDD encryption.
- Fax function: The Fax TX function is a function to read paper documents and send them to an external fax device via the telephone line by operation of the operation panel. The Fax RX function is a function to receive document data via the telephone line from an external fax device. The received data are retrieved with the Document storage and retrieval function.
- Print function: A function to print the document data received by the TOE from the client PC via the LAN. The document data received by the TOE are first saved in the TOE, and output on command from the operation panel.
- Remote diagnostic function: A function to connect to the Konica Minolta support center via the public line for maintenance of the MFP and to communicate device information, such as MFP operation status and the number of printings.
- Scan function: A function to read paper documents and to generate document data by operation of the operation panel. The generated document data are retrieved with the E-mail send or the Document storage and retrieval function.
- User box: A directory to accumulate document data in the TOE. There are several types of user box, such as a user box to save document data by the print function, and a user box to accumulate document data by the Document storage and retrieval function.

12. Bibliography
[1] IT Security Evaluation and Certification Scheme Document, June 2015, Information-technology Promotion Agency, Japan, CCS-01
[2] Requirements for IT Security Certification, October 2015, Information-technology Promotion Agency, Japan, CCM-02
[3] Requirements for Approval of IT Security Evaluation Facility, October 2015, Information-technology Promotion Agency, Japan, CCM-03
[4] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001
[5] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002
[6] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003
[7] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001 (Japanese Version 1.0, November 2012)
[8] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002 (Japanese Version 1.0, November 2012)
[9] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003 (Japanese Version 1.0, November 2012)
[10] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004
[11] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004 (Japanese Version 1.0, November 2012)
[12] bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS Security Target, Version 2.00, September 19, 2017, KONICA MINOLTA, INC.
[13] bizhub C3851/bizhub C3351/bizhub C3851FS/ineo+ 3851/ineo+ 3351/ineo+ 3851FS Evaluation Technical Report, Version 5, September 20, 2017, Mizuho Information & Research Institute, Inc. Information Security Evaluation Office
[14] U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009)
[15] CCEVS Policy Letter #20, 15 November 2010, National Information Assurance Partnership