SHARP
MX-FR37
Security Target
Version 0.06
SHARP CORPORATION
This document is a translation of the evaluated and certified
security target written in Japanese.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 2
Revision history
Date Ver. Revision Author Reviewed Approved
2012-06-20 0.01 • Original Draft Nakagawa Iwasaki Nakahira
2012-08-01 0.02
• TOE Overview and TOE Description: Modified
erroneous descriptions relating to the physical
configuration and operation environment of TOE.
Nakagawa Sakamoto Nakahira
2012-10-15 0.03
• Response to the Observation Report ASE001-01:
Modified the descriptions in the following items:
Communication Data in Assets Protected by the TOE,
Communication Data Protection Function in TSF and
Operation Panel in Terminology.
Sakamoto Nakagawa Nakahira
2012-11-01 0.04
• Modified the scope of Physical Configuration of TOE
and Assets Protected by the TOE.
Nakagawa Sakamoto Nakahira
2012-11-13 0.05
• Modified the expressions about protected assets and
threats.
Nakagawa Sakamoto Nakahira
2012-12-03 0.06
• Response to the Observation Report ASE001-01: TOE
Overview and TOE Description: Modified erroneous
descriptions relating to HDD Clear.
Nakagawa Sakamoto Nakahira
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 3
Table of Contents
1 ST Introduction ...................................................................................................................6
1.1 ST Reference.......................................................................................................................................6
1.2 TOE Reference....................................................................................................................................6
1.3 TOE Overview....................................................................................................................................6
1.3.1 TOE Type....................................................................................................................................6
1.3.2 Required non-TOE hardware/software/firmware........................................................................6
1.3.3 Main Security Functions.............................................................................................................6
1.3.4 TOE Usage..................................................................................................................................7
1.3.5 Overview of the MFD Functions and Applications ....................................................................7
1.4 TOE Description.................................................................................................................................9
1.4.1 Physical Configuration of the TOE.............................................................................................9
1.4.2 Logical Configuration of the TOE ..............................................................................................9
1.4.3 Guidance Documents................................................................................................................11
1.4.4 Assets Protected by the TOE.....................................................................................................11
1.4.5 Related parties of the TOE........................................................................................................12
2 Conformance Claims ........................................................................................................13
2.1 CC Conformance Claim....................................................................................................................13
2.2 PP Claim ...........................................................................................................................................13
2.3 Package Claim ..................................................................................................................................13
3 Security Problem Definition .............................................................................................14
3.1 Threats ..............................................................................................................................................14
3.2 Organisational Security Policies.......................................................................................................14
3.3 Assumptions......................................................................................................................................14
4 Security Objectives...........................................................................................................15
4.1 Security Objectives for the TOE.......................................................................................................15
4.2 Security Objectives for the Operational Environment......................................................................15
4.3 Security Objectives Rationale...........................................................................................................16
4.3.1 Rationale Explaining Why Threats Are Countered...................................................................16
4.3.2 Rationale for Implementation of Organisational Security Policies...........................................18
4.3.3 Rationale for Satisfaction of Assumptions................................................................................18
5 Extended Components Definition.....................................................................................19
6 Security Requirements......................................................................................................20
6.1 Requirement Operations ...................................................................................................................20
6.2 Security Functional Requirements....................................................................................................20
6.2.1 Class FCS: Cryptographic Support...........................................................................................20
6.2.2 Class FDP: User Data Protection..............................................................................................21
6.2.3 Class FIA: Identification and Authentication............................................................................22
6.2.4 Class FMT: Security Management............................................................................................23
6.2.5 Class FTA: TOE Access............................................................................................................25
6.2.6 Class FTP: Trusted Path/Channels............................................................................................25
6.3 Security Assurance Requirements.....................................................................................................25
6.4 Security Requirements Rationale......................................................................................................26
6.4.1 Security Functional Requirements Rationale............................................................................26
6.4.2 TOE Security Assurance Requirements Rationale....................................................................32
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 4
7 TOE Summary Specification ............................................................................................33
7.1 Cryptographic Key Generation (TSF_FKG).....................................................................................33
7.2 Cryptographic Operation (TSF_FDE) ..............................................................................................33
7.3 Data Clear (TSF_FDC).....................................................................................................................34
7.3.1 Overview of the Data Clear Function .......................................................................................34
7.3.2 Auto Clear at Job End...............................................................................................................34
7.3.3 Clear All Memory .....................................................................................................................34
7.3.4 Clear Address Book Data and Registered Data.........................................................................35
7.3.5 Clear Document Filing Data .....................................................................................................35
7.4 Authentication (TSF_AUT)..............................................................................................................35
7.5 Confidential files (TSF_FCF)...........................................................................................................36
7.6 Network Protection (TSF_FNP) .......................................................................................................37
7.6.1 Overview of Network Protection..............................................................................................37
7.6.2 Filter Function...........................................................................................................................37
7.6.3 Communication Data Protection Function................................................................................37
7.6.4 Network Settings Protection Function ......................................................................................38
7.7 Fax Flow Control (TSF_FFL)...........................................................................................................38
8 Appendix...........................................................................................................................39
8.1 Terminology......................................................................................................................................39
8.2 Acronyms..........................................................................................................................................41
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 5
List of Tables
Table 1.1: Guidance Documents...................................................................................................................11
Table 3.1: Threats..........................................................................................................................................14
Table 3.2: Organisational Security Policies ..................................................................................................14
Table 3.3: Assumptions.................................................................................................................................14
Table 4.1: Security Objectives for the TOE..................................................................................................15
Table 4.2: Security Objectives for the Operational Environment .................................................................15
Table 4.3: Security Objectives Rationale......................................................................................................16
Table 6.1: Security Functional Requirements Rationale...............................................................................26
Table 6.2: Management Functions of the TOE .............................................................................................31
Table 6.3: Security Functional Requirement Dependencies .........................................................................32
Table 6.4: Justification of Unsatisfied Security Functional Requirement Dependencies .............................32
Table 7.1: Security Functional Requirements and TOE Security Functionalities.........................................33
Table 8.1: Terminology.................................................................................................................................39
Table 8.2: Acronyms in the CC.....................................................................................................................41
Table 8.3: Other Acronyms...........................................................................................................................42
List of Figures
Figure 1: Usage environment of the MFD......................................................................................................8
Figure 2: TOE and physical configuration of the MFD..................................................................................9
Figure 3: Logical configuration of the TOE .................................................................................................10
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 6
1 ST Introduction
This document is Security Target (ST) stating the security of MX-FR37. MX-FR37 is the Target of
Evaluation (TOE) claiming conformance to this ST, in accordance with IT Security International Standard
(the Common Criteria, CC) identified in Section 2.1. See Sections 8.1 and 8.2 for terminology used in this
ST. This chapter presents ST reference, TOE reference, TOE overview and TOE description.
1.1 ST Reference
This section provides information needed to identify this Security Target (ST).
Title: MX-FR37 Security Target
Version: 0.06
Publication Date: 2012-12-03
Author: Sharp Corporation
1.2 TOE Reference
This section provides information needed to identify the Target of Evaluation (TOE) claiming conformance
to this ST.
Name: MX-FR37
Version: C.10
Developer: Sharp Corporation
1.3 TOE Overview
1.3.1 TOE Type
The TOE is an IT product to protect data in a Multi Function Device (MFD).
The main part of the TOE is the firmware in a ROM and a Flash memory for the MFD. By replacing the
MFD standard firmware, it offers the security functions and controls the entire MFD.
The HDC, part of the hardware in the MFD, is also a part of the TOE and is controlled by the firmware.
MFDs, Multi Function Devices, are office machines mainly with copier, printer, scanner and fax functions.
1.3.2 Required non-TOE hardware/software/firmware
The TOE operates on the MFD (hardware) made by Sharp Corporation, namely, MX-M264FP,
MX-M264N, MX-M264NJ, MX-M264U, MX-M314FP, MX-M314N, MX-M314NJ, MX-M314U,
MX-M354FP, MX-M354N, MX-M354NJ and MX-M354U. For MFD with “N†or “U†in the model name
among them, TOE is enabled to operate by installing Sharp genuine option including HDD.
1.3.3 Main Security Functions
The TOE security feature mainly provides the following functions aiming to counter unauthorized attempts
to steal image data in the MFD where the TOE is installed.
a)Cryptographic operation function: encrypts image data and other data that the MFD handles before it is
written to such as the HDD in the MFD.
b)Data clear function: overwrites an area where encrypted data is stored into the HDD in the MFD with a
random value.
c)Confidential file function: provides password protection for image data on the HDD stored by the user
to protect them from being reused by others without permission.
d)Network protection function: prevents unauthorized access over the network, wiretapping of
communication data between the user and the MFD and unauthorized modification of the network
settings.
e)Fax flow control function: prevents accesses from the telephone line connected to the MFD’s fax I/F to
the internal network through the MFD’s network I/F.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 7
1.3.4 TOE Usage
The TOE provides MFD functions such as copier, printer, scanner, fax transmission and reception, and
PC-Fax in the same way as the standard firmware. This section describes an overview of how to invoke the
security functions described in the previous section. Descriptions on MFD functions are discussed later.
a)Users’ operation of MFD functions such as copier triggers an automatic operation of the cryptographic
operation function and the data clear function of the TOE. The MFD temporality spools image data into
the HDD in the MFD while a job such as copying is in the process. The MFD reads out the image data
to process the job and deletes the image data when the job is completed. The TOE encrypts image data
to be spooled using the cryptographic operation function and decrypts when it reads it out. The TOE
overwrites image data to be deleted using the data clear function.
b)Using the confidential file function of the TOE, users can save image data as a “confidential file†(with
password protection) into the HDD in the MFD. Later they can reuse the confidential file (for printing,
fax transmission, transferring the image file to a client and other proposes) and prevent the confidential
file from being reused by others with the password.
• When users give a job such as copy into the MFD, they select to save the image data and specify a
password. This allows the TOE to save the image data of the job into the HDD along with the
password after job completion.
• Users set an original on the MFD, specify a password and perform “Scan to HDDâ€. This allows the
TOE to scan the original and obtain its image data from the MFD scanner unit, and save the image
data into the HDD along with the password.
• Users select a confidential file saved into the HDD, enter the password and specify a file manipulation
(including print, send, preview and delete). The TOE checks the password entered and, when the
password is verified, performs the file manipulation. The TOE disables the file manipulation if an
incorrect password is entered three times in a row.
c)When users save a confidential file using the confidential file function of the TOE and when they reuse
it, the cryptographic operation function automatically operates. The TOE encrypts the image data and
the password to be saved into the HDD using the cryptographic operation function. When the TOE
checks a password entered to reuse a confidential file, the TOE reads out the password from the HDD
and decrypts it. When a print job, a send job or a preview is executed after verification of the password,
the TOE reads out the image data and decrypts it.
d)When users delete a confidential file using the confidential file function of the TOE, the data clear
function of the TOE automatically operates.
e)When users communicate with the MFD from a client over the network, the SSL function of the TOE
can be used. When a print job is sent from a client, the print image data is protected using the IPP-SSL
protocol from being wiretapped during transmission. When users access the Web page provided by the
MFD for remote operation such as reusing a confidential file, the SSL (HTTPS) protocol can be used to
protect information including the password from being wiretapped during transmission.
f)The administrator operates as necessary (including when the MFD is disposed) to execute “Clear All
Memoryâ€. Then, the TOE overwrites all image data in the MFD using the data clear function.
g)The administrator configures the filter settings. The administrator can specify IP address ranges to
accept or reject communication with the MFD, and specify MAC addresses to accept communication
with the MFD. When the filter settings are configured, the TOE does not respond to communication
from IP addresses other than those specified to accept, IP addresses specified to reject and MAC
addresses other than those specified to accept.
1.3.5 Overview of the MFD Functions and Applications
The usage environment of the MFD that the TOE is installed to is shown in Figure 1.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 8
Client (1)
Internal network
Facsimile
Mail
server
FTP
server
Network I/F
External network
Telephone network
Client (2)
Firewall
Fax line
USB I/F
(Type B)
USB memory
device
USB I/F
(Type A)
MFD
MFD
Figure 1: Usage environment of the MFD
Each MFD function of the TOE is explained below. Most functions are invoked by the operation from the
operation panel of the MFD. Some functions are invoked when receiving data. Moreover, some functions
are invoked by the operation of MFD Web site, that is, a Web site that the MFD offers for remote
operation.
1.3.5.1 Job function
The job function receives image data from the MFD’s scanner unit or from outside of the MFD, spools the
image data into the HDD in the MFD, and sends the image data to the MFD’s engine unit (printing) or to
the outside of the MFD (transmission). The job control function and the MFD control function implement
the job function.
a)Copier: reads the original and prints that image by the operation from the operation panel. If Tandem
Copy mode is selected, it sends the image data to the MFD that the administrator specified beforehand.
b)Printer: prints data received from the outside of the MFD.
• Printer driver: generates print data at a client and sends it to the MFD via network or USB. If Tandem
Print mode is selected, the printer driver sends the image data to two MFDs.
• Push print: is to send print data from a client to the MFD via E-mail, FTP or Web. Received data by
the internet fax and tandem print requests from another MFD are printed in the same manner.
• Pull print: acquires print data from an FTP server, a network folder or a USB memory device by
operations on the operation panel.
c)Network scanner: scans an original to obtain its image data through operations on the operation panel,
and transmits the image data in either of the following ways:
• E-mail: transmits it as an attachment to an E-mail.
• File server: transmits it to an FTP server.
• Desktop: transmits it via FTP to a client running software tool delivered together with the MFD or
provided separately.
• Network folder: transmits it into a shared folder of Microsoft Windows over the network.
• USB memory: puts it into a USB memory device plugged into the MFD.
• PC scan: transmits it via TWAIN to a client running the software tool delivered together with the
MFD.
• Internet Fax: transmits it as an attachment to an E-mail according to the Internet Fax standard
specification.
d)Fax transmission: scans an original to obtain its image data through operations on the operation panel,
and transmits the image data as a facsimile.
e)Fax reception: receives a facsimile from another fax machine and prints it.
f)PC-Fax: transmits image data from a client as a facsimile or an internet fax.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 9
1.3.5.2 Document filing function
The document filing function provides the following functions that allow users to save image data into the
HDD in the MFD and operate it from the operation panel or the client via Web later. This function is
implemented by the job control function.
â— File a job: when a user gives a job such as copy into the MFD, the image data of the job can optionally
be saved.
â— Scan to HDD: scans the original and does only store it, while neither prints nor transmits it.
â— Operation on saved files: calls up saved image data for operations including the following.
• Print: prints saved image data to the paper. If Tandem Print mode is selected, this function sends
image data to the MFD that the administrator specified beforehand.
• Send: transmits saved image data either by any medium available for the network scanner function or
by facsimile.
• Preview: displays the rough outline of saved image data.
• Password change: changes confidential file passwords.
• Delete: removes saved image data that the user no longer needs, and overwrites it.
• Backup (export): transfers saved image data to the client as binary data, from which the user can
restore (import) the image data later.
The printer driver allows its job to be saved without being printed. Similarly, Scan to HDD can be
considered as a network scanner job saved without being transmitted.
1.3.5.3 Address book function
The Address book function stores destination fax numbers and E-mail addresses. This simplifies the
operation for transmission. The data is stored into the HDD and storing, modifying and deleting it are
available by the operation from the operation panel or Web. This function is realized by the job control
function.
1.4 TOE Description
1.4.1 Physical Configuration of the
TOE
The physical scope of the TOE is shaded in Figure
2. The main part of the TOE is in the MFD’s
controller firmware and provided as “Data
Security Kit MX-FR37 (DSK)â€, an optional
product for Sharp MFDs to enhance security
coming with a ROM board and a USB memory
device. Part of the security functions is included in
the MFD’s HDC, which is also within the scope of
the TOE.
â— ROM: contains part of the controller firmware
and is mounted on the controller board.
â— MAIN: is part of the controller firmware and
installed from the USB memory device of the
DSK to the Flash memory in the MFD.
â— HDC: is part of an integrated circuit part that is mounted on the controller board in the MFD
beforehand.
1.4.2 Logical Configuration of the TOE
Figure 3 shows the logical configuration of the TOE. The thick-lined frame indicates the logical scope of
the TOE. Rounded boxes indicate hardware devices outside of the TOE. Rectangles indicate functions of
the TOE; and ones shaded indicate security functions. Among the data in the volatile memory, HDD, Flash
Controller
board
Engine unit
USB I/F (Type A) :
to other
facsimiles
to devices such as
a USB memory
device
to a client
(printer driver)
Fax line:
(clients and
mail/FTP
servers)
Fax I/F
Flash memory
To the internal
network
USB I/F (Type B) :
MFD
Scanner unit
NIC
EEPROM
ROM
HDC
HDD
MAIN
CPU
Volatile memory
Operation
panel
Figure 2: TOE and physical configuration of the MFD
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 10
memory and EEPROM, the data that security functions handle (i.e. user data and TSF data) are also
shaded.
Arrows in the figure indicate data flows. Functions of the TOE usually put data in the volatile memory
temporarily to pass the data to each other. However, the figure omits every such detail except security
significance.
The large part of the TOE is the firmware for the MFD, providing security functions as well as control of
the entire MFD. Part of the TOE security functions (TSFs) is implemented in the HDC and invoked by the
TSFs in the firmware. The logical scope of the TOE includes the following functions:
a)Cryptographic operation function (TSF_FDE): encrypts user data and TSF data to be stored into the
MSD and decrypts user data and TSF data retrieved from the MSD. This function is invoked by job
control function (each job, address book and document filing functions). A part of this function is
implemented in the HDC and invoked by the main part of this function in the firmware.
b)Cryptographic key generation function (TSF_FKG): generates the cryptographic key for the
cryptographic operation function and stores the key into the volatile memory.
c)Data clear function (TSF_FDC): overwrites the HDD to prevent information leakage from the HDD. A
part of this function is implemented in HDC and invoked by the main part of this function in the
firmware. This function consists of Auto Clear at Job End, Clear All Memory, Clear Document Filing
Data and Clear Address Book Data and Registered Data. Auto Clear at Job End is invoked
automatically by job control function (each job and document filing functions). The others are invoked
by the administrator.
d)Authentication function (TSF_AUT): identifies and authenticates an administrator by means of the
administrator password. This function includes a management function that changes the administrator
password.
e)Confidential file function (TSF_FCF): provides password protection when a user saves image data into
the MFD using the document filing function (Section 1.3.5.2) and requires authentication by means of
that confidential file password to reuse the data. If an incorrect password for a confidential file is
entered three times in a row, this function locks that file. Only the administrator can release the locked
file.
f)Network protection function (TSF_FNP): consists of the following three functions:
• Filter function: restricts the other party to communicate by the terms of IP address or MAC address.
• Communication data protection function: protects the communication data between the user and the
MFD by SSL. This function is not available when the user uses a client and/or a protocol not
supporting SSL.
• Network settings protection function: provides the network management functions (see below) only to
the administrator and do not allow other users to use it.
g)Fax flow control function (TSF_FFL): prevents accesses through the telephone line connected to the
MFD’s fax I/F from accessing the internal network through the MFD’s network I/F.
h)Job control function: provides the UI and control the action for each MFD function; in other words each
job, address book function and document filing function.
i)MFD control function: controls MFD hardware. This also converts the data format between the data to
receive or transmit and the image data in the MFD for the jobs that require the communication.
Flash memory
TSF_FFL
Fax flow
control TSF_FNP
Network protection
TOE
Job control
TSF_FDC
Data clear
TSF_FKG
Cryptographic key
generation
TSF_AUT
Authentication
TSF_FCF
Confi-
dential
files
Scanner unit
Volatile memory
Cryptographic key
Engine unit
TSF_FDE
Cryptographic
operation
Network
I/F
USB I/F
(Type A)
USB I/F
(Type B)
Fax
I/F
MFD
control
Filing imagedata,
confidential file
password
Spool image data
Address book
Administrator
password
HDC Firmware
Operation panel
Net-
work
mgmt.
EEPROM
TSF settings
Network settings
Other MFD settings
HDD
Figure 3: Logical configuration of the TOE
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 11
j)Network management functions: are for the administrator to query and modify the IP address to be
allocated for the MFD, the IP address of DNS servers that the TOE shall refer, port control (modifying
the port number or disabling for each network service) and other network settings for using the network
function. This function is invoked by the network protection function (TSF_FNP).
1.4.3 Guidance Documents
Guidance documents shown in the Table 1.1 accompany the firmware as part of the TOE. Versions of the
guidance documents are shown in brackets.
Table 1.1: Guidance Documents
1.4.4 Assets Protected by the TOE
The following user data are assets that are protected by the TOE.
a)Image data that the MFD functions spool to process jobs
b)Image data that users save as confidential files
c)Address book data
d)Network settings data
e)Data transmission over the internal network
Specifics of each clause above is described in the following each section.
1.4.4.1 Image data that the MFD functions spool to process jobs
The assets protected by the TOE include the image data that the TOE itself temporarily spools into the
HDD in the MFD for processing the jobs (mentioned in this chapter) without intent of the user to save
when the user uses the MFD functions of the TOE. These data possibly contain the users’ sensitive
information, such as the user’s own information and the information of the customers of the user.
MFDs “delete†these image data to deallocate resources when the jobs are finished or cancelled. To
“delete†here means just to make the storage area “unused†by marking it “deleted†in the allocation table.
This is to “delete†the image data that occupied the storage area, in the same way as data files on the hard
disk connected to a general personal computer are deleted; the deleted image data can remain in the cleared
area until the area is reused by other jobs. Thus, this ST includes into the assets the deleted image data
remaining on the HDD in the MFD.
1.4.4.2 Image data that users save as confidential files
The assets protected by the TOE include the image data that the user saves into the HDD as a confidential
file. As well as in the previous section, these data possibly contain the users’ sensitive information.
The user can delete these data. But, in the same way as the previous section, the image data can remain on
the HDD after this deletion. Thus, the deleted image data remaining on the HDD is also included in the
assets.
1.4.4.3 Address book data
The assets protected by the TOE include the address book data that the users store by the address book
function and is stored into the HDD. This data is the personal data (destination name, mail address, fax
number and others) that proper users share and possibly contain the organisation’s sensitive information.
There is not necessarily a threat to counter if there is no method for the improper user to read or modify the
address book data except standing in front of the operation panel and accessing every record in this data
one by one by seeing and operating manually. However, this data shall be protected from the possibility
that the improper user reads and modifies this data all at one time from the HDD directly or through the
internal network.
For Japan MX-FR37 Data Security Kit Operation Manual
(in Japanese) [1.0]
MX-FR37 Data Security Kit Notice (in
Japanese) [1.0]
For outside
Japan
MX-FR37 Data Security Kit Operation Manual
(in English) [1.0]
MX-FR37 Data Security Kit Notice (in
English) [1.0]
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 12
1.4.4.4 Network Settings data
The assets protected by the TOE include the following network settings data that the administrator stored
into the EEPROM using the network management function. This data contains the organisation’s sensitive
information and may lead to the threat to the internal network. Moreover it may lead to the threat to other
assets if tampered improperly.
a)TCP/IP Settings: Enable TCP/IP, Enable DHCP, IP Address Settings
b)DNS Settings: Primary/Secondary DNS Server, Domain Name
c)WINS Settings: Enable WINS, Primary/Secondary WINS Server, WINS Scope ID
d)SMTP Settings: SMTP Server
e)LDAP Settings: Enable LDAP, LDAP Server
f)Tandem Connection Settings: IP Address of Slave Machine, Disabling of Master Machine Mode
g)Port Control: Enabling or the port number for each network service
1.4.4.5 Data transmission over the internal network
In this ST, the communication data being transmitted over the internal network to and from the MFD is
assumed to be the assets in consideration of threats of wiretapping.
1.4.5 Related parties of the TOE
This chapter describes those related to the TOE and the TOE-equipped MFD.
â— Owner: an organisation which possesses the TOE and MFD and is in control of them.
â— Those in charge of the organisation: belongs to the owner and is in charge of management of the MFD.
â— Administrator: is assigned operation and management of the TOE and MFD by those in charge of the
organisation.
â— User: uses the MFD functions (Section 1.3.5) of the TOE and MFD.
â— User that stored a confidential file: The user that saved the image data as a confidential file.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 13
2 Conformance Claims
This ST satisfies the followings.
2.1 CC Conformance Claim
The versions of the CC to which this ST and the TOE claim conformance are as follows:
â— Part 1: Introduction and general model
July 2009 Version 3.1 Revision 3; Japanese Translation 1.0
â— Part 2: Security functional components
July 2009 Version 3.1 Revision 3; Japanese Translation 1.0
â— Part 3: Security assurance components
July 2009 Version 3.1 Revision 3; Japanese Translation 1.0
The conformance of this ST to CC Part 2 is CC Part 2 conformant.
The conformance of this ST to CC Part 3 is CC Part 3 conformant.
2.2 PP Claim
This ST does not claim conformance to any PP.
2.3 Package Claim
This ST claims conformance to EAL3.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 14
3 Security Problem Definition
This chapter defines security problems of the TOE.
3.1 Threats
Threats to the TOE are described in Table 3.1. Each of them assumes attackers who possess the basic
attack potential.
Table 3.1: Threats
3.2 Organisational Security Policies
Organisational security policies are described in Table 3.2.
Table 3.2: Organisational Security Policies
Identifier Definition
P.RESIDUAL
Upon completion or cancellation of a job, the area in the MSD where the user data has
been spooled shall be overwritten one or more times.
When a user deletes a job or file, the area in the MSD which stores the user data shall be
overwritten one or more times.
When the MFD is disposed of or its ownership changes, all the user areas in the MSD
shall be overwritten one or more times.
P.FAXTONET
Accesses through the telephone line connected to the MFD’s fax I/F shall be prevented
from accessing the internal network through the MFD’s network I/F.
3.3 Assumptions
Use and operation of the TOE requires the environment described in Table 3.3.
Table 3.3: Assumptions
Identifier Definition
T.RECOVER
An attacker removes the MSD from the MFD and installs it in other devices (than the
MFD where the MSD is originally installed) to read and leak the user data in the MSD.
T.REMOTE
An attacker who is not allowed to access to the MFD reads or modifies the address book
data in the MFD all at one time through the internal network.
T.SPOOF
An attacker who impersonates other user reads and leaks the image data that the user has
saved as confidential file from the operation panel or through the internal network.
T.TAMPER
An attacker who impersonates an administrator reads or modifies the network settings
data from the operation panel or through the internal network.
T.TAP
An attacker wiretaps communication data on the internal network when a proper user
communicates with the MFD.
Identifier Definition
A.NETWORK
The TOE-installed MFD is connected to a subnetwork in the internal network protected
against attacks from any external networks, where the subnetwork for the MFP connects
nothing other than devices allowed to communicate with the MFD.
A.OPERATOR
The administrator is a trustworthy person who does not take improper action with
respect to the TOE.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 15
4 Security Objectives
This chapter describes the measures to implement the security objective policies.
4.1 Security Objectives for the TOE
The security objectives for the TOE are shown in Table 4.1.
Table 4.1: Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
The security objectives for the operational environment are shown in Table 4.2.
Table 4.2: Security Objectives for the Operational Environment
Identifier Definition
OE.CIPHER
The administrator shall take necessary steps (examples are as follows.) to protect the
communication data from wiretapping on the internal network where the TOE is
installed.
â— The SSL functions of the TOE shall be used for the communication between the user
and the MFD; the administrator shall make sure that the users of the TOE and MFD
use software supporting the function. The administrator shall also configure the TOE
to perform the functions defined in O.TRP.
â— Communication devices (such as routers and switches) with cryptographic functions
shall be used.
â— The administrator shall provide physical protection (such as restricted areas) to the
network.
â— The administrator shall make the MFD users use USB memory device to input/output
the data.
OE.ERASEALL
When the MFD is disposed of or its ownership changes, the administrator shall
overwrite all the user data areas in the MSD one or more times using the TOE’s
function.
OE.FIREWALL
The administrator shall use the communication device having the function to protect the
internal network against the attack from external networks when the internal network
where the TOE is installed is connected to the external network.
OE.OPERATE
Those in charge of the organisation shall understand the role of the administrator and
select a suitable person with the utmost care.
Identifier Definition
O.FILTER
The TOE shall provide means to refuse attempts to access via the network to the MFD
from any devices that unauthorized users use.
O.MANAGE
The TOE shall provide the function that identifies and authenticates the proper
administrator.
O.REMOVE
The TOE shall encrypt the user data using a cryptographic key unique to the MFD when
the TOE writes them into the MSD.
O.RESIDUAL
The TOE shall overwrite the user data area spooled into the MSD one or more times when
a job is finished or cancelled.
The TOE shall overwrite a specific user data area in the MSD one or more times when the
user deletes a file.
The TOE shall provide the function to overwrite all the user data areas in the MSD one or
more times when the administrator operates to overwrite.
O.TRP
The TOE shall provide functions that protect communication data on the network between
the user and the MFD from being wiretapped.
O.USER
The TOE shall provide the function that identifies and authenticates the proper user that
stored the confidential files.
O.FAXTONET
The TOE shall prevent accesses through the telephone line connected to the MFD’s fax I/F
from accessing the internal network through the MFD’s network I/F.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 16
Identifier Definition
OE.PC-USER
On the devices allowed to connect to the MFD on the internal network, the
administrator shall run the identification and authentication function (such as logging in
the OS) so that only the proper MFD users be able to use such devices.
OE.SUBNET
The administrator shall connect only the devices that are allowed to communicate to the
MFD in the subnetwork where the TOE is installed, and keep and maintain that state.
OE.USER
The administrator shall make the users of the TOE and the MFD maintain their
confidential file password securely so that it will not leak.
4.3 Security Objectives Rationale
Table 4.3 demonstrates that the policies indicated in the security objectives are effective for the threats,
organisational security policies and assumptions indicated in the security problem definition. Table 4.3
shows the sections of this document that provide the rationale for the correspondences of threats,
organisational security policies and the assumptions.
Table 4.3: Security Objectives Rationale
4.3.1 Rationale Explaining Why Threats Are Countered
The following is the rationale explaining why all threats are countered when the security objectives are
achieved.
4.3.1.1 T.RECOVER
To counter T.RECOVER, the TOE encrypts user data using a unique cryptographic key for MFD before
the data is written to the MSD, as defined in O.REMOVE. Therefore, the attacker possessing the basic
attack potential cannot make out the data that is stored or remained after deleting in the MSD even if the
attacker could read it out.
When the volatile memory is removed from the MFD, all the storage data in volatile memory is lost by
intercepting the power distribution. There are no interfaces to read the data directly on the memory during
the run of MFD, and it requires a high level of technology like specifying the data area and under
Security
problem
Security
objective
T.RECOVER
T.REMOTE
T.SPOOF
T.TAMPER
T.TAP
P.RESIDUAL
P.FAXTONET
A.NETWORK
A.OPERATOR
O.FILTER 4.3.1.2
O.MANAGE 4.3.1.2 4.3.1.3 4.3.1.4 4.3.1.5 4.3.2.1
O.REMOVE 4.3.1.1
O.RESIDUAL 4.3.2.1
O.TRP 4.3.1.5
O.USER 4.3.1.3
O.FAXTONET 4.3.2.2
OE.CIPHER 4.3.1.5
OE.ERASEALL 4.3.2.1
OE.FIREWALL 4.3.3.1
OE.OPERATE 4.3.3.2
OE.PC-USER 4.3.1.2
OE.SUBNET 4.3.3.1
OE.USER 4.3.1.3
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 17
transferring the data to read the data by attaching probes directly to the terminals or harness of MFD.
Therefore, it is impossible for attacker possessing the basic attack potential to read the data by attaching
probes directly to the terminals or harness of MFD. For this reason the cryptographic key that is stored into
the volatile memory cannot be read.
Therefore, it is possible to protect the information on HDD from the leak by following each objective
above.
4.3.1.2 T.REMOTE
The followings counter T.REMOTE.
â— According to O.FILTER, the TOE provides the method to deny accesses to the MFD from any devices
that unauthorized users use via the network. This denies accesses to the MFD from unauthorized
devices connected to the internal network while accepts accesses to the MFD from devices (including
clients and servers) connected to the internal network with the intention to be used by authorized users
of the MFD (including the administrator).
â— In support of the previous paragraph, as defined in O.MANAGE, the TOE provides the function to
identify and authenticate the administrator who configures settings required for the operation of the
TOE.
â— Accesses to the MFD from the devices (including clients and servers) connected to the internal network
with the intention to be used by authorized users of the MFD (including the administrator) shall be
permitted and are not subjected to the denial by O.FILTER. According to OE.PC-USER, an
identification and authentication function (including logging in the OS) shall be required to devices
allowed connections to the MFD and only the authorized users shall use the devices. This prevents
attackers from abusing the devices allowed connections to the MFD (those for authorized users of the
MFD) to access the address book data in the MFD (by impersonating authorised users).
Thus, O.FILTER and OE.PC-USER affect mutually and supplementary, and O.MANAGE supports
O.FILTER. These objectives above can prevent the attacker who is not allowed to access to the MFD from
accessing through the internal network and protect the address book data in the MFD.
4.3.1.3 T.SPOOF
The followings counter T.SPOOF.
â— The TOE provides the function that identifies and authenticates the proper user who has stored the
confidential file according to O.USER.
â— In support of the previous paragraph, as defined in O.MANAGE, the TOE provides the function to
identify and authenticate the administrator who configures settings required for the operation of the
TOE.
â— The confidential file password that is required for identification and authentication of the proper user
that stored the confidential file shall be maintained safely not to be leaked. The administrator makes the
users of the TOE and the MFD to follow OE.USER.
These objectives above can counter the threat that caused by an attacker’s impersonating other user.
4.3.1.4 T.TAMPER
To counter T.TAMPER, the TOE provides the function to identify and authenticate the proper
administrator according to O.MANAGE. Therefore, it is possible to protect the network settings data
against reading or modifying via the operation panel or an internal network by the attacker who
impersonates the administrator.
4.3.1.5 T.TAP
The followings counter T.TAP.
â— The TOE provides the functions that protect communication data on the network between the user and
the MFD from being wiretapped according to O.TRP.
â— In support of the previous paragraph, as defined in O.MANAGE, the TOE provides the function to
identify and authenticate the administrator who configures settings required for the operation of the
TOE.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 18
â— In the internal network where the TOE is installed, the administrator shall exercise due care for
preventing from being wiretapped, according to OE.CIPHER. Especially for the communication
between the user and MFD, functions defined in O.TRP may be used.
These objectives above can prevent the attacker from leaking communication data in the internal network
when an authorized user communicates with the MFD.
4.3.2 Rationale for Implementation of Organisational Security Policies
The following shows the rationale for all the organisational security policies to be implemented by
achieving all the security objectives.
4.3.2.1 P.RESIDUAL
P.RESIDUAL can be achieved by the following objectives.
â— Upon completion or cancellation of a job, the TOE overwrites the area in the MSD where the user data
spooled one or more times according to O.RESIDUAL.
â— According to O.RESIDUAL, the TOE overwrites a specific user data area in the MSD one or more
times when the user deletes a file.
â— When the MFD is disposed of or its ownership changes, the administrator overwrites all the user data
areas in the MSD one or more times by using the function of the TOE according to OE.ERASEALL.
This requires the support of the TOE and the function described in next paragraph is available.
â— The TOE provides the function to overwrite all the user areas in the MSD one or more times by the
administrator’s operation according to O.RESIDUAL.
â— In support of the previous paragraph, as defined in O.MANAGE, the TOE provides the function to
identify and authenticate the administrator who configures settings required for the operation of the
TOE.
These objectives above can achieve P.RESIDUAL.
4.3.2.2 P.FAXTONET
To implement P.FAXTONET, as defined in O.FAXTONET, the TOE shall prevent accesses through the
telephone line connected to the MFD’s fax I/F from accessing the internal network through the MFD’s
network I/F. Thus, P.FAXTONET can be achieved.
4.3.3 Rationale for Satisfaction of Assumptions
The following is the rationale explaining why all assumptions are satisfied when the security objectives are
achieved.
4.3.3.1 A.NETWORK
The assumption A.NETWORK requires that the MFD that the TOE is installed to is connected to an
internal network, the internal network is protected against attacking from any external networks and only
the devices that are allowed to communicate to the MFD are connected to at least the same subnetwork as
MFD in the internal network. This is realized by the combination of OE.FIREWALL and OE.SUBNET.
4.3.3.2 A.OPERATOR
The assumption A.OPERATOR requires that the administrator is a trustworthy person. OE.OPERATE
satisfies it by enforcing strict selection of the person to be the administrator based on an understanding of
the role of administrator on the part of those in charge of the organisation that owns the TOE-equipped
MFD. Therefore, A.OPERATOR can be achieved.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 19
5 Extended Components Definition
This ST does not define any extended components.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 20
6 Security Requirements
This chapter describes the security requirements.
6.1 Requirement Operations
This section defines the operations of CC functional and assurance components.
â— Iteration operation: used to cover different aspects of the same requirements.
• Component names, component labels and element labels are used as unique identifiers, with each
followed by a lowercase character such as a, b, c,...
â— Assignment operation: used to assign specified values to undetermined parameters such as the length of
a password in the components.
• A value assigned to a parameter is shown in brackets. Values, even if they are a part of a list of all, are
comma-delimited or itemized.
• Information in parentheses identifying each value such as its parameter name is added to the value as
necessary.
â— Selection operation: used to select one or more items from those given in the components.
• Selected items are shown in italic brackets, with being underlined and in italics.
â— Refinement operation: used to further refine the TOE by adding details to the components.
• Additional text is shown in bold.
• If a part of the original text is deleted, the part is shown in parentheses.
• If a part of the original text is replaced with new text, the new text in bold is shown immediately
before the original text in parentheses.
â— Simple Italics do not indicate requirement operations. They are only used to emphasize text throughout
the ST.
6.2 Security Functional Requirements
This section describes the Security Functional Requirements (SFRs) that the TOE shall satisfy, based on
the classes of CC Part 2.
6.2.1 Class FCS: Cryptographic Support
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1. The TSF shall generate the cryptographic key that is unique to the MFD in accordance
with a specified cryptographic key generation algorithm [MSN-R3 expansion algorithm]
and specified cryptographic key size [256 bits] that meet the following: [Data Security
Kit Encryption Standard]
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [
â— Encrypting spool image data that will be written to the HDD
â— Encrypting filing image data that will be written to the HDD
â— Encrypting the address book data that will be written to the HDD
â— Encrypting confidential file passwords that will be written to the HDD
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 21
â— Encrypting the administrator password that will be written to the Flash memory
â— Decrypting spool image data that was read from the HDD
â— Decrypting filing image data that was read from the HDD
â— Decrypting the address book data that was read from the HDD
â— Decrypting confidential file passwords that was read from the HDD
â— Decrypting confidential file passwords that was read from the Flash memory
] in accordance with a specified cryptographic algorithm [AES Rijndael Algorithm] and
cryptographic key size [256 bits] that meet the following: [FIPS PUB 197].
6.2.2 Class FDP: User Data Protection
FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [fax information flow control SFP] on [
â— Reception at the fax I/F from the fax line and transmission from the network I/F to the
internal network (subject)
â— Data received at the fax I/F from the fax line (information)
â— Relay from the fax I/F to the network I/F (operation)
].
FDP_IFF.1 Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attributes initialization
FDP_IFF.1.1 The TSF shall enforce the [fax information flow control SFP] based on the following
types of subjects and information security attributes: [
â— Reception at the fax I/F from the fax line (subject): No security attributes
â— Transmission from the network I/F to the internal network (subject): No security
attributes
â— Data received at the fax I/F from the fax line (information): No security attributes
].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled
information via a controlled operation if the following rules hold: [Never permits].
FDP_IFF.1.3 The TSF shall enforce the [None (additional information flow control SFP rules)].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules:
[None (rules, based on security attributes, that explicitly authorise information flows)].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [None
(rules, based on security attributes, that explicitly deny information flows)].
FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made
unavailable by overwriting one or more times upon the [deallocation of the resource
from] the following objects: [
â— The spool image data file on the HDD
â— The filing image data file on the HDD
â— The address book data file on the HDD
].
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 22
6.2.3 Class FIA: Identification and Authentication
FIA_AFL.1a Authentication failure handling a
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1a The TSF shall detect when [ [3 (positive integer number)] ] unsuccessful authentication
attempts occur related to [the unsuccessful administrator authentication attempts
following the last successful authentication].
FIA_AFL.1.2a When the defined number of unsuccessful authentication attempts has been [met], the
TSF shall [
â— Unsuccessful authentication reached three times: Reception of authentication trials
stops for five minutes
â— Five minutes later after stopping: the number of times authentication was unsuccessful
is cleared, and the reception of authentication trials is recovered
].
FIA_AFL.1b Authentication failure handling b
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1b The TSF shall detect when [ [3 (positive integer number)] ] unsuccessful authentication
attempts occur related to [the unsuccessful authentication attempts for a confidential file
following the last successful authentication for that confidential file].
FIA_AFL.1.2b When the defined number of unsuccessful authentication attempts has been [met], the
TSF shall [
â— Unsuccessful authentication reached three times: Reception of authentication trials
stops and the confidential file is locked
â— Release operation of the confidential file by the administrator: the number of times
authentication was unsuccessful is cleared, and the reception of authentication trials is
recovered
].
FIA_SOS.1a Verification of secrets a
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1a The TSF shall provide a mechanism to verify that the administrator password (secrets)
meets (meet) [5 or more characters].
FIA_SOS.1b Verification of secrets b
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1b The TSF shall provide a mechanism to verify that the confidential file password
(secrets) meets (meet) [5 or more characters].
FIA_UAU.2a User authentication before any action a
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1a The TSF shall require each administrator (user) to be successfully authenticated before
allowing any other TSF-mediated actions on behalf of that administrator (user).
FIA_UAU.2b User authentication before any action b
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 23
FIA_UAU.2.1b The TSF shall require each user that stored a confidential file to be successfully
authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.7a Protected authentication feedback a
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1a The TSF shall provide only [substitute characters as many as ones that are provided] to
the administrator (user) while the authentication of the administrator is in progress.
FIA_UAU.7b Protected authentication feedback b
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1b The TSF shall provide only [substitute characters as many as ones that are provided] to
the user that stored a confidential file while the authentication of the user is in
progress.
FIA_UID.2a User identification before any action a
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1a The TSF shall require each administrator (user) to be successfully identified before
allowing any other TSF-mediated actions on behalf of that administrator (user).
FIA_UID.2b User identification before any action b
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1b The TSF shall require each user that stored a confidential file to be successfully
identified before allowing any other TSF-mediated actions on behalf of that user.
6.2.4 Class FMT: Security Management
FMT_MOF.1a Management of security functions behaviour a
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1a The TSF shall restrict the ability to [enable] the functions [Clear All Memory, Clear
Document Filing Data and Clear Address Book Data and Registered Data] to
[administrator].
FMT_MOF.1b Management of security functions behaviour b
Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1b The TSF shall restrict the ability to [disable] the functions [Clear All Memory and Clear
Document Filing Data] to [administrator].
FMT_MOF.1c Management of security functions behaviour c
Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1c The TSF shall restrict the ability to [modify the behaviour of] the functions [Document
Filing and Network Protection] to [administrator].
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 24
FMT_MTD.1a Management of TSF data a
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1aThe TSF shall restrict the ability to [modify] the [administrator password] to
[administrator].
FMT_MTD.1b Management of TSF data b
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1bThe TSF shall restrict the ability to [modify] the [confidential file password] to [the user
that stored the confidential file].
FMT_MTD.1c Management of TSF data c
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1cThe TSF shall restrict the ability to [query, modify] the [
â— Values of the IP address filter settings
â— Values of the MAC address filter settings
â— Values of the SSL Settings
â— Values of Disabling of Document Filing
â— Values of Disabling of Print Jobs Other Than Print Hold Job
] to [administrator].
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
â— Enable and Disable “Clear All Memoryâ€
â— Enable and Disable “Clear Document Filing Dataâ€
â— Enable “Clear Address Book Data and Registered Dataâ€
â— Lock releasing “confidential filesâ€
â— Modify “the administrator passwordâ€
â— Modify “confidential file passwordsâ€
â— Query and Modify “Disabling of Document Filingâ€
â— Query and Modify “Disabling of Print Jobs Other Than Print Hold Jobâ€
â— Query and Modify “IP address filter settings†and “MAC address filter settingsâ€
â— Manage SSL-protected services
].
Note: Consideration for management requirement is described in Section 6.4.1.9.
FMT_SMR.1a Security roles a
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1a The TSF shall maintain the roles [administrator].
FMT_SMR.1.2a The TSF shall be able to associate users with roles.
FMT_SMR.1b Security roles b
Hierarchical to: No other components.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 25
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1b The TSF shall maintain the roles [each user that stored a confidential file].
FMT_SMR.1.2b The TSF shall be able to associate users with roles.
6.2.5 Class FTA: TOE Access
FTA_TSE.1 TOE session establishment
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [IP address and MAC
address].
6.2.6 Class FTP: Trusted Path/Channels
FTP_TRP.1 Trusted path
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] users that is
logically distinct from other communication paths and provides assured identification of
its end points and protection of the communicated data from [disclosure].
FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via HTTPS or IPP-SSL
(the trusted path).
FTP_TRP.1.3 The TSF shall require the use of the trusted path for [[
â— Administrator authentication, manipulation of confidential files, reading out the address
book data, modification of the address book, filter settings and network settings via the
TOE Web
â— Image data reception from the printer driver in the print function
(other services for which trusted path is required)]].
6.3 Security Assurance Requirements
The EAL3 security assurance requirements (SAR) to which this ST claims conformance are shown by
assurance class of CC Part 3. This ST uses the security assurance components defined in CC Part 3 without
changes as the SAR.
â— Class ADV: Development
• Security architecture: ADV_ARC.1 — Security architecture description
• Functional specification: ADV_FSP.3 — Functional specification with complete summary
• TOE design: ADV_TDS.2 — Architectural design
â— Class AGD: Guidance documents
• Operational user guidance: AGD_OPE.1 — Operational user guidance
• Preparative procedures: AGD_PRE.1 — Preparative procedures
â— Class ALC: Life-cycle support
• CM capability: ALC_CMC.3 — Authorisation controls
• CM scope: ALC_CMS.3 — Implementation representation CM coverage
• Delivery: ALC_DEL.1 — Delivery procedures
• Development security: ALC_DVS.1 — Identification of security measures
• Life-cycle definition: ALC_LCD.1 — Developer defined life-cycle model
â— Class ASE: Security Target evaluation
• Conformance claims: ASE_CCL.1 — Conformance claims
• Extended components definition: ASE_ECD.1 — Extended components definition
• ST introduction: ASE_INT.1 — ST introduction
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 26
• Security objectives: ASE_OBJ.2 — Security objectives
• Security requirements: ASE_REQ.2 — Derived Security requirements
• Security problem definition: ASE_SPD.1 — Security problem definition
• TOE summary specification: ASE_TSS.1 — TOE summary specification
â— Class ATE: Tests
• Coverage: ATE_COV.2 — Analysis of coverage
• Depth: ATE_DPT.1 — Testing: basic design
• Functional tests: ATE_FUN.1 — Functional testing
• Independent testing: ATE_IND.2 — Independent testing - sample
â— Class AVA: Vulnerability assessment
• Vulnerability analysis: AVA_VAN.2 — Vulnerability analysis
6.4 Security Requirements Rationale
This section demonstrates that the security requirements are effective to meet the security objectives.
6.4.1 Security Functional Requirements Rationale
The correspondences between security functional requirements (SFRs) and security objectives are shown
in Table 6.1. Table 6.1 shows the sections that provide the rationale for the correspondences between the
security functional requirements and the security objectives.
Table 6.1: Security Functional Requirements Rationale
Objective
Requirement
O.FILTER
O.MANAGE
O.REMOV
O.RESIDUAL
O.TRP
O.USER
O.FAXTONET
FCS_CKM.1 6.4.1.2 6.4.1.3 6.4.1.6
FCS_COP.1 6.4.1.2 6.4.1.3 6.4.1.6
FDP_IFC.1 6.4.1.7
FDP_IFF.1 6.4.1.7
FDP_RIP.1 6.4.1.4
FIA_AFL.1a 6.4.1.2
FIA_AFL.1b 6.4.1.6
FIA_SOS.1a 6.4.1.2
FIA_SOS.1b 6.4.1.6
FIA_UAU.2a 6.4.1.2
FIA_UAU.2b 6.4.1.6
FIA_UAU.7a 6.4.1.2
FIA_UAU.7b 6.4.1.6
FIA_UID.2a 6.4.1.2
FIA_UID.2b 6.4.1.6
FMT_MOF.1a 6.4.1.4
FMT_MOF.1b 6.4.1.4
FMT_MOF.1c 6.4.1.2 6.4.1.5 6.4.1.6
FMT_MTD.1a 6.4.1.2
FMT_MTD.1b 6.4.1.6
FMT_MTD.1c 6.4.1.1 6.4.1.2 6.4.1.5 6.4.1.6
FMT_SMF.1 6.4.1.1 6.4.1.2 6.4.1.4 6.4.1.5 6.4.1.6
FMT_SMR.1a 6.4.1.2
FMT_SMR.1b 6.4.1.6
FTA_TSE.1 6.4.1.1
FTP_TRP.1 6.4.1.2 6.4.1.5 6.4.1.6
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 27
6.4.1.1 O.FILTER
O.FILTER can be met by the combination of SFRs as follows.
â— The TOE is able to deny session establishment based on IP address or MAC address according to
FTA_TSE.1.
â— The TOE provides the capability of performing the management of the IP address filter and MAC
address filter settings that is required for operating the previous paragraph according to FMT_SMF.1.
â— The ability to query or modify the values of the IP address filter settings and MAC address filter
settings described in the previous paragraph is restricted to the administrator by FMT_MTD.1c.
FMT_SMF.1 and FMT_MTD.1c provide the management of FTA_TSE.1 consistently and do not conflict
among them.
As explained above, SFRs do not conflict to meet O.FILTER.
6.4.1.2 O.MANAGE
O.MANAGE can be met by the combination of SFRs as follows.
a)The administrator is identified and authenticated by FIA_AFL.1a, FIA_UAU.2a, FIA_UAU.7a and
FIA_UID.2a.
b)The TOE provides the capability to modify the administrator password that is required for
authentication of the administrator described above according to FMT_SMF.1.
c)It is ensured that the administrator password meets 5 or more characters when the administrator
password is modified according to FIA_SOS.1a.
d)The capability to modify the administrator password that is the TSF data to achieve O.MANAGE is
restricted to the administrator by FMT_MTD.1a.
e)The role of the administrator is maintained and the administrator is associated with the roles by
FMT_SMR.1a.
f)According to FCS_COP.1, the administrator password to be written to the Flash memory is encrypted.
Therefore, even if the Flash memory is connected to a device which is not the MFD having originally
stored the administrator password into the Flash memory, the encryption protects the administrator
password from being regenerated. Thus, a secondary threat can be prevented of the disabling of
O.MANAGE caused by regenerating the administration password.
g)FCS_CKM.1 generates a unique cryptographic key for each MFD to achieve FCS_COP.1.
h)FTP_TRP.1 provides the function to protect the administrator password over the network between the
user and MFD from being wiretapped. Thus, a secondary threat can be prevented of the disabling of
O.MANAGE caused by wiretapping the administration password.
i)The capability to modify the behaviour of the TSF defined by FTP_TRP.1, that is, Network Protection
function is restricted to the administrator by FMT_MOF.1c.
j)The capability to query or modify the TSF data relating to FTP_TRP.1, that is, the values of the SSL
settings is restricted to the administrator by FMT_MTD.1c.
k)Operation and management can be implemented as FMT_SMF.1 requires.
a) is related to the event about the identification and authentication of the administrator. b), c) and d) are
related to the event about the modification of the administrator password. f) and g) are related to the event
about the encryption operation of the administrator password. h), i), j) and k) are related to the event about
the transmission of the administrator password from the administrator to TOE
These four events occur independently of each other, and do not conflict mutually.
Conflict does not occur in a) because the four SFRs in a) affect mutually and supplementary to achieve the
identification and authentication of the administrator.
Conflict does not occur in b), c) and d) because the three SFRs in b), c) and d) affect mutually and
supplementary to achieve the modification of the administrator password.
Conflict does not occur in e) because e) is a requirement for the dependency of d), and it is supported to a).
Conflict does not occur in f) and g) because f) and g) depend on each other to achieve the encryption
operation of the administrator password to be written to the Flash memory.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 28
Conflict does not occur in i), j) and k) because i), j) and k) defines mutually and supplementary the
management of h).
Thus, these SFRs do not conflict to meet O.MANAGE.
6.4.1.3 O.REMOVE
The intent of O.REMOVE is to counter T.RECOVER; to prevent the user data stored into the MSD from
being regenerated even if the MSD is removed from the MFD. This can be met by the combination of
SFRs as follows.
â— According to FCS_COP.1, the user data to be written to the MSD is encrypted. Therefore, even if the
MSD is connected to a device which is not the MFD having originally stored the data into the HDD, the
encryption protects the data from being regenerated.
â— FCS_CKM.1 generates a unique cryptographic key for each MFD that satisfies FCS_COP.1.
FCS_COP.1 and FCS_CKM.1 depend mutually and do not conflict mutually. Thus, these SFRs do not
conflict to meet O.REMOVE as above.
6.4.1.4 O.RESIDUAL
O.RESIDUAL can be met by the combination of SFRs as follows:
a)FDP_RIP.1 requires to overwrite the following objects’ area one or more times upon the deallocation of
the resource from the following objects.
• The target objects are the spool image data file, filing image data file and address book data file on the
HDD.
• The resource from these objects is deallocated when the jobs are completed or cancelled, the user
deletes the confidential file and the specific data clear function is invoked by the operation made by
the administrator.
• Specific data clear functions described in the previous paragraph include Clear All Memory, Clear
Document Filing Data and Clear Address Book Data and Registered Data.
b)According to FMT_SMF.1, the management capability defined in FDP_RIP.1 is provided.
c)In each of the following SFRs, the management capability defined in FDP_RIP.1 is restricted to the
administrator.
• According to FMT_MOF.1a, the capability is restricted to the administrator to enable each of the
functions of Clear All Memory, Clear Document Filing Data and Clear Address Book Data and
Registered Data included in the TSF relating to FDP_RIP.1.
• According to FMT_MOF.1b, the capability is restricted to the administrator to disable each of the
functions of Clear All Memory and Clear Document Filing Data included in the TSF relating to
FDP_RIP.1.
Conflict does not occur in c) because each SFR in c) is independent. Conflict does not occur in b) and c)
because b) and c) defines the management of a) mutually and supplementarily.
Thus, these SFRs do not conflict to meet O.RESIDUAL.
6.4.1.5 O.TRP
O.TRP can be met by the combination of SFR as follows.
â— FTP_TRP.1 provides the function to protect communication data over the network between the user and
MFD.
â— The capability to modify the behaviour of the TSF defined by FTP_TRP.1, that is, Network Protection
function is restricted to the administrator by FMT_MOF.1c.
â— The capability to query or modify the TSF data relating to FTP_TRP.1, that is, the values of the SSL
Settings is restricted to the administrator by FMT_MTD.1c.
â— Operation and management can be implemented as FMT_SMF.1 requires.
Conflict does not occur between FMT_MOF.1c, FMT_MTD.1c and FMT_SMF.1 because they define the
management of FTP_TRP.1 mutually and complementary. Thus, these SFRs do not conflict to meet
O.TRP.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 29
6.4.1.6 O.USER
O.USER can be met by the combination of SFRs as follows.
a)The user that stored a confidential file is identified and authenticated by FIA_AFL.1b, FIA_UAU.2b,
FIA_UAU.7b and FIA_UID.2b. Thus, only the user that stored the confidential file can access the
confidential file (including the management of the confidential file password).
b)It is ensured that a confidential file password meets 5 or more characters according to FIA_SOS.1b.
c)The capability to modify the TSF defined by FIA_AFL.1b, FIA_UAU.2b, FIA_UAU.7b and
FIA_UID.2b, that is Document Filing function, is restricted to the administrator by FMT_MOF.1c.
d)The capability to modify a confidential file password is restricted to the user that stored the confidential
file by FMT_MTD.1b.
e)The capability to query or modify the TSF data relating to the effectiveness of protection obtained by
using the confidential file function, that is, the values of Disabling of Document Filing and Disabling of
Print Jobs Other Than Print Hold Job is restricted to the administrator by FMT_MTD.1c.
f)The role of the user that stored a confidential file is maintained and the user that stored a confidential
file is associated with the role by FMT_SMR.1b.
g)Management and operation of confidential passwords are implemented as FMT_SMF.1 requires.
h)According to FCS_COP.1, confidential file passwords to be written to the HDD are encrypted.
Therefore, even if the HDD is connected to a device which is not the MFD having originally stored the
confidential file password into the HDD, the encryption protects the confidential file password from
being regenerated. Thus, a secondary threat can be prevented of the disabling of O.USER caused by
regenerating the confidential file password.
i)FCS_CKM.1 generates a unique cryptographic key for each MFD to achieve FCS_COP.1.
j)FTP_TRP.1 provides the function to protect confidential file passwords over the network between the
user and MFD from being wiretapped. Thus, a secondary threat can be prevented of the disabling of
O.USER caused by wiretapping confidential file passwords.
k)The capability to modify the behaviour of the TSF defined by FTP_TRP.1, that is, Network Protection
function is restricted to the administrator by FMT_MOF.1c.
l)The capability to query or modify the TSF data relating to FTP_TRP.1, that is, the values of the SSL
Settings is restricted to the administrator by FMT_MTD.1c.
m)Operation and management can be implemented as FMT_SMF.1 requires.
a) is related to the event about the identification and authentication of the user that stored a confidential file.
b), d) and g) are related to the event about the modification of confidential file passwords. c) and e) are
related to the event about the management by the administrator. h) and i) are related to the event of the
encryption of confidential file passwords. j), k), l) and m) are related to the event of transmitting a
confidential file password from the user to TOE.
These five events occur independently of each other, and do not conflict mutually.
Conflict does not occur in a) because the four SFRs affect mutually and supplementary to identify and
authenticate the user that stored a confidential file.
Conflict does not occur in b), d) and g) because the three SFRs affect mutually and supplementary to
modify confidential file passwords.
Conflict does not occur in c) and e) because the two SFRs affect mutually and supplementary to achieve
management by the administrator.
f) does not conflict because it is depended on by d) and supported by a).
h) and i) are mutually dependent in encrypting confidential file passwords to be written to the HDD.
Conflict does not occur in k), l) and m) because they defines the management of j) mutually and
supplementary.
Thus, these SFRs do not conflict to meet O.USER.
6.4.1.7 O.FAXTONET
O.FAXTONET can be met by the combination of the SFRs of FDP_IFC.1 and FDP_IFF.1.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 30
These two SFRs implements a data flow control that never allows the data received from the fax line to be
relayed to the internal network. This prevents accesses from the telephone line connected to the MFD’s fax
I/F from being relayed to the internal network through the MFD’s network I/F.
Conflict does not occur in the two SFRs which meet O.FAXTONET, because they depend on each other.
6.4.1.8 Rationale for consistency of the entire security functional requirements
As described in Sections 6.4.1.1 through 6.4.1.7, conflict does not occur between each of the SFRs which
implement the TOE security objectives, eliminating any inconsistency.
Furthermore, as shown in Table 4.1, each of the TOE security objectives is independent and does not
conflict against each other; no conflict occurs between the TOE security objectives and they are consistent.
Thus, no conflict occurs among the whole SFRs which meet the TOE security objectives and the entire
SFRs are consistent.
6.4.1.9 Rationale for consistency of TOE security management functions
Some of the SFRs require the security management function. CC Part 2 suggests the management activities
foreseen to each functional component as the management requirements of each component.
The management functions required for all the SFR components are shown in Table 6.2 with the
consideration for management requirement. The management functions specified by FMT_SMF.1 agree
with the required management functions shown in the table.
Thus, the SFRs are internally consistent in terms of security management functions.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 31
6.4.1.10 Rationale for security functional requirement dependencies
Table 6.3 shows the dependencies that the SFRs must satisfy according to the CC, the ones that the TOE
satisfies and the ones that the TOE does not satisfy. The dependency that is marked with “*†in the table is
satisfied by the hierarchically upper component. Table 6.4 shows the justification for the TOE not
satisfying certain dependencies. Correspondences between the following two tables are indicated by
common identifiers (such as J1).
Table 6.2: Management Functions of the TOE
Management
Function
Origin
Management Function required
Consideration for management
requirement
FCS_CKM.1 — (no management requirements)
FCS_COP.1 — (no management requirements)
FDP_IFC.1 — (no management requirements)
FDP_IFF.1 — No attributes.
FDP_RIP.1
• Enable and Disable “Clear All Memoryâ€
• Enable and Disable “Clear Document Filing Dataâ€
• Enable “Clear Address Book Data and Registered
Dataâ€
The timing to perform
protection is fixed to the
release of allocation.
FIA_AFL.1a —
The threshold and action are
fixed.
FIA_AFL.1b • Lock releasing “confidential filesâ€
The threshold and action are
fixed.
FIA_SOS.1a — The quality metric is fixed.
FIA_SOS.1b — The quality metric is fixed.
FIA_UAU.2a • Modify “the administrator passwordâ€
Management Function required
agrees with management
requirement.
FIA_UAU.2b
• Modify “confidential file passwordsâ€
• Query and Modify “Disabling of Document Filingâ€
• Query and Modify “Disabling of Print Jobs Other Than
Print Hold Jobâ€
Management Function required
agrees with management
requirement.
FIA_UAU.7a — (no management requirements)
FIA_UAU.7b — (no management requirements)
FIA_UID.2a —
Identification of the
administrator is fixed.
FIA_UID.2b —
Identification of each user that
stored a confidential file is
fixed.
FMT_MOF.1a — No role groups
FMT_MOF.1b — No role groups
FMT_MOF.1c — No role groups
FMT_MTD.1a — No role groups
FMT_MTD.1b — No role groups
FMT_MTD.1c — No role groups
FMT_SMF.1 — (no management requirements)
FMT_SMR.1a — No user groups
FMT_SMR.1b — No user groups
FTA_TSE.1
• Query and Modify “IP address filter settings†and
“MAC address filter settingsâ€
Management Function required
agrees with management
requirement.
FTP_TRP.1 • Manage SSL-protected services
Management Function required
agrees with management
requirement.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 32
Table 6.3: Security Functional Requirement Dependencies
Table 6.4: Justification of Unsatisfied Security Functional Requirement Dependencies
Unsatisfied Justification Rationale
J1 FCS_CKM.4
The cryptographic key is unique for each MFD; the same cryptographic key is
generated and stored into the volatile memory every time each MFD is turned on.
The cryptographic key is destroyed by discharging the electrical charge in the
volatile memory which occurs every time the MFD is turned off. Therefore, there is
no need to implement the TSF that performs the standard key destruction method,
and FCS_CKM.4 is not required to specify standards.
J2 FMT_MSA.3
Fax information flow control SFP never permits the target information flow.
Therefore, security attributes need not to be dealt with in implementing SFP;
FMT_MSA.3 is not required which defines the default values of the security
attributes.
6.4.2 TOE Security Assurance Requirements Rationale
The TOE is a part of the MFD and an optional product for the MFD that is sold separately, which is a
commercial product. The major threat is that an attacker uses physical means to remove the MSD from the
MFD and installs it in other devices to read and leak the user data in the MSD. Therefore, the Evaluation
Assurance Level of the TOE is EAL 3 which is sufficient for commercial products.
Since the SARs conform to EAL3, all SARs meet the dependencies.
Dependencies
Requirement
Stipulated Satisfied Unsatisfied
Justific
ation
FCS_CKM.1
[FCS_CKM.2 or FCS_COP.1],
FCS_CKM.4
FCS_COP.1 FCS_CKM.4 J1
FCS_COP.1
[FDP_ITC.1 or FDP_ITC.2
or FCS_CKM.1],
FCS_CKM.4
FCS_CKM.1 FCS_CKM.4 J1
FDP_IFC.1 FDP_IFF.1 FDP_IFF.1 — —
FDP_IFF.1 FDP_IFC.1, FMT_MSA.3 FDP_IFC.1 FMT_MSA.3 J2
FDP_RIP.1 — — — —
FIA_AFL.1a FIA_UAU.1 * FIA_UAU.2a — —
FIA_AFL.1b FIA_UAU.1 * FIA_UAU.2b — —
FIA_SOS.1a — — — —
FIA_SOS.1b — — — —
FIA_UAU.2a FIA_UID.1 * FIA_UID.2a — —
FIA_UAU.2b FIA_UID.1 * FIA_UID.2b — —
FIA_UAU.7a FIA_UAU.1 * FIA_UAU.2a — —
FIA_UAU.7b FIA_UAU.1 * FIA_UAU.2b — —
FIA_UID.2a — — — —
FIA_UID.2b — — — —
FMT_MOF.1a FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1a — —
FMT_MOF.1b FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1a — —
FMT_MOF.1c FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1a — —
FMT_MTD.1a FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1a — —
FMT_MTD.1b FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1b — —
FMT_MTD.1c FMT_SMF.1, FMT_SMR.1 FMT_SMF.1, FMT_SMR.1a — —
FMT_SMF.1 — — — —
FMT_SMR.1a FIA_UID.1 * FIA_UID.2a — —
FMT_SMR.1b FIA_UID.1 * FIA_UID.2b — —
FTA_TSE.1 — — — —
FTP_TRP.1 — — — —
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 33
7 TOE Summary Specification
By describing a summary specification of the TOE security functions (TSFs), this chapter shows that the
security functional requirements (SFRs) are satisfied. Table 7.1 shows correspondences between the
SFRs and the TSFs. The section numbers in the table show where each description is.
Table 7.1: Security Functional Requirements and TOE Security Functionalities
Function
Requirement TSF_FKGTSF_FDETSF_FDC TSF_AUTTSF_FCFTSF_FNPTSF_FFL
FCS_CKM.1 7.1
FCS_COP.1 7.2
FDP_IFC.1 7.7
FDP_IFF.1 7.7
FDP_RIP.1 7.3
FIA_AFL.1a 7.3 7.4 7.6
FIA_AFL.1b 7.5
FIA_SOS.1a 7.4
FIA_SOS.1b 7.5
FIA_UAU.2a 7.3 7.4 7.6
FIA_UAU.2b 7.5
FIA_UAU.7a 7.3 7.4 7.6
FIA_UAU.7b 7.5
FIA_UID.2a 7.3 7.4 7.6
FIA_UID.2b 7.5
FMT_MOF.1a 7.3
FMT_MOF.1b 7.3
FMT_MOF.1c 7.5 7.6
FMT_MTD.1a 7.4
FMT_MTD.1b 7.5
FMT_MTD.1c 7.5 7.6
FMT_SMF.1 7.3 7.4 7.5 7.6
FMT_SMR.1a 7.4
FMT_SMR.1b 7.5
FTA_TSE.1 7.6
FTP_TRP.1 7.6
7.1 Cryptographic Key Generation (TSF_FKG)
This TOE generates a cryptographic key (common key) to support the cryptographic operation function for
user data and TSF data. The cryptographic key (common key) that is unique to the MFD is generated every
time the MFD is powered on.
The TOE generates a 256-bit secure key using the MSN-R3 expansion algorithm and stores the key into
the volatile memory to use it for the AES Rijndael, a cryptographic algorithm. The MSN-R3 expansion
algorithm is an algorithm for generating a cryptographic key which conforms to the Data Security Kit
Encryption Standard. Therefore, the TOE satisfies FCS_CKM.1.
7.2 Cryptographic Operation (TSF_FDE)
The TSF always encrypts user data and TSF data before writing them to the MSD. When necessary, the
TSF reads the data from the MSD and decrypts them for further use.
The following user data are the targets of cryptographic operation:
â— Spool image data on the HDD
â— Filing image data on the HDD
â— Address book data on the HDD
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 34
The following TSF data are the target of cryptographic operation:
â— Confidential file passwords on the HDD
â— Administrator password on the Flash memory
For the encryption and decryption of the user data and TSF data above, the AES Rijndael algorithm that is
based on FIPS PUB 197 and the 256 bits cryptographic key that is generated by cryptographic key
generation function (TSF_FKG) are used. Therefore, the TOE satisfies FCS_COP.1.
7.3 Data Clear (TSF_FDC)
In the following, first the TSF overview and then each component are described.
7.3.1 Overview of the Data Clear Function
The whole picture of this TSF and its correspondences between SFRs are described.
The TOE provides data clear functions that clear image data files that are spooled or stored and the address
book data file. Each of the following functions is contained in the TSF:
a)Auto Clear at Job End
b)Clear All Memory
c)Clear Address Book Data and Registered Data
d)Clear Document Filing Data
Each of the above functions makes up the TSF and corresponds to the SFRs as follows.
â— Each function overwrites the HDD one or more times with a random value. Each function disables
regeneration of the information (such as image data) stored in objects (such as image data files)
associated with the function by overwriting the objects to deallocate their areas. Thus, the TOE satisfies
FDP_RIP.1.
â— This TSF has management functions to invoke the above b), c) and d) according to FMT_SMF.1. This
TSF allows only the administrator who has been identified and authenticated according to TSF_AUT to
use these management functions according to FMT_MOF.1a.
â— The above b) and d) have the cancel operation (Section 7.3.3) to stop in accordance with FMT_SMF.1
and satisfy FIA_AFL.1a, FIA_UAU.2a, FIA_UAU.7a and FIA_UID.2a in cooperation with TSF_AUT
and TSF_FNP which are later discussed. The cancel operation requires the administrator to be
identified and authenticated according to FIA_UID.2a and FIA_UAU.2a. For authentication, the
protected feedback by FIA_UAU.7a and the failure handling by FIA_AFL.1a are provided. This allows
only the administrator to cancel ongoing data clear functions as defined in FMT_MOF.1b.
The following sections elaborate upon each function:
7.3.2 Auto Clear at Job End
This function overwrites the image data that has been:
â— Spooled into the HDD in order to process a job, when the job is completed or cancelled, and
â— Stored into the HDD using the document filing function (including the confidential file function), when
the user deletes the data.
The TOE always invokes this function at the specified timing in both cases and does not provide any
means to deactivate this function.
7.3.3 Clear All Memory
This function is invoked from the operation panel by the administrator who has been identified and
authenticated by TSF_AUT and overwrites the following data:
â— All of the spool image data on the HDD
â— All of the filing image data on the HDD
This function does not clear the address book data.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 35
This function can be cancelled. To cancel this function, the administrator is required to select a cancellation
and then the TSF requires the administrator who has invoked the function to enter the administrator
password. The cancel operation serves as identification of the administrator defined in FIA_UID.2a and
entering the administrator password serves as authentication of the administrator defined in FIA_UAU.2a.
While entering the password for authentication, the TOE shows as many asterisks as characters entered
according to FIA_UAU.7a, however does not show the characters entered. The overwrite operation is only
cancelled if entering the password for authentication is successful.
If an incorrect password is entered three times in a row in an authentication process required for cancelling
the function, the reception of further authentication attempts stops as defined in FIA_AFL.1a; the
administrator password is locked. In five minutes after the locking, the function unlocks the administrator
password automatically; the number of times authentication was unsuccessful is cleared, and the reception
of authentication trials is recovered.
7.3.4 Clear Address Book Data and Registered Data
This function is invoked from the operation panel by the administrator who has been identified and
authenticated by TSF_AUT and overwrites the address book data on the HDD.
This function cannot be cancelled because the function completes in a relatively short time.
7.3.5 Clear Document Filing Data
This function is invoked from the operation panel by the administrator who has been identified and
authenticated by TSF_AUT and overwrites image data on the HDD. The data to be cleared by this function
is specified one or more from the following choices by the administrator when this function is invoked.
â— All of the spool image data on the HDD
â— All of the filing image data on the HDD
This function can be cancelled the same way the Clear All Memory function can.
7.4 Authentication (TSF_AUT)
This TSF enforces the identification and authentication of the administrator by the administrator password.
According to FMT_SMF.1, this TSF has a management function to modify the administrator password.
This TSF allows only the administrator who has been identified and authenticated by the TSF to use this
management function according to FMT_MTD.1a. According to FIA_SOS.1a, the TSF only accepts a
password which is 5 or more characters.
The functions not for the administrator are available without identification and authentication of the
administrator.
In cooperation with TSF_FDC and TSF_FNP, this TSF satisfies FIA_AFL.1a, FIA_UAU.2a, FIA_UAU.7a
and FIA_UID.2a.
This function provides the interfaces of the function for the administrator when the administrator is
identified by the operations to run the management functions or the login operation of the administrator
according to FIA_UID.2a, and the authentication of the administrator is successful by the correct
administrator password according to FIA_UAU.2a. The login operation of the administrator includes both
identification of administrator and authentication of the administrator password from the operation panel or
via the TOE Web.
When the administrator password is entered from the operation panel, this TSF, according to FIA_UAU.7a,
shows as many asterisk characters as characters entered, however does not show the characters entered.
When the administrator password is entered via the TOE Web, this TSF specifies the input type as a
password to the client. This requires the client to hide the character that the user entered such as a
substitute character.
If an incorrect password is entered three times in a row in an authentication process of the administrator
password, the reception of further authentication attempts stops as defined in FIA_AFL.1a; the
administrator password is locked. In five minutes after the locking, the function unlocks the administrator
password automatically; the number of times authentication was unsuccessful is cleared, and the reception
of authentication trials is recovered.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 36
The TSF identifies the administrator by the authentication function and relates him/her to the role. By
providing only the administrator with the management function to change (modify) the administrator
password, the secure maintenance of the role is achieved. Thus, the TOE satisfies FMT_SMR.1a.
7.5 Confidential files (TSF_FCF)
When a user saves image data into the MFD as a confidential file, the data is protected by a password and
authentication is required before calling it up and using it.
This TSF provides an interface for creating confidential files to each of the copier, printer driver, PC-fax
and Scan to HDD and, according to FIA_SOS.1b, verifies that confidential file passwords meet the quality
metric of 5 or more characters.
This TSF provides functions to operate saved confidential files from the operation panel or via the TOE
Web. According to FIA_UID.2b, the TSF identifies the user that stored a confidential file when the user
selects his/her confidential file and, according to FIA_UAU.2b, provides the interface for file manipulation
only when authentication is successful with the correct confidential file password. During the
authentication, the TSF does not disclose any information other than the number of characters typed
according to FIA_UAU.7b.
Whenever a user attempts some operation on his/her saved confidential file from the operation panel, the
TSF requests the user to enter the confidential file password. This TSF shows as many asterisks as the
characters entered, however does not show the characters themselves.
When a user attempts some operation on his/her saved confidential file via the TOE Web, this TSF
specifies the input type as a password to the client when the confidential file password is entered. This
requires the browser of the client to hide the characters that the user entered by replacing them with
substitute characters.
If an incorrect confidential file password is entered three times in a row during the authentication before
reusing a saved confidential file, the TSF stops accepting further authentication attempts and locks the file
to prohibit any operations according to FIA_AFL.1b. The number of authentication failures is counted for
each file. When authentication is successful, the authentication failure count of the file is reset to zero. The
release operation of the confidential file by the administrator clears the number of times authentication was
unsuccessful and recovers the reception of authentication trials.
According to FMT_SMF.1, this TSF has a management function to change the password, as one of the
operations on a saved confidential file. This TSF allows only the user who stored the confidential file and
has been identified and authenticated by this TSF to use this management function according to
FMT_MTD.1b. According to FIA_SOS.1b, this TSF verifies the new confidential password meets the
quality metric of 5 or more characters.
This TSF identifies the user that stored a confidential file prior to reusing the file by identification and
authentication of the user and relates him/her to the role. In addition, by providing only the user that stored
the confidential file with the function to change (modify) the confidential file password, the secure
maintenance of the role is achieved. Thus, the TOE satisfies FMT_SMR.1b.
This TSF exports the encrypted data to the Web browser of the client. This TSF also imports both
encrypted and not encrypted data from the Web browser of the client.
According to FMT_SMF.1, FMT_MOF.1c and FMT_MTD.1c, this TSF provides the following
management functions for the document filing function and allows the administrator whom TFS_AUT has
identified and authenticated to execute them:
â— Management functions for improving the effectiveness of protection obtained by using the confidential
file:
• Disabling of Document Filing: disables each mode of saving for each job type. The default and
recommended value is that the non-confidential mode (where files are saved without password
protection) is disabled for all job types.
• Disabling of Print Jobs Other Than Print Hold Job: disables the job to print out on the spot from the
printer driver. This function denies the job without Holding and holds the Hold job by ignoring that
the job is printed out or not. This function is recommended to use in the environment where there is a
high risk that the third person takes away the output paper.
â— Management function for locking confidential files:
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 37
• Release the lock of confidential files: releases the lock of confidential files which have been locked by
the failure of the authentication for the confidential file password. This management function is
provided as “Release the Lock on File/Folder Manipulationâ€.
7.6 Network Protection (TSF_FNP)
In the following, first the TSF overview and then each component are as follows.
7.6.1 Overview of Network Protection
Components of this TSF and their correspondences between SFRs are as follows.
This TSF consists of the following functions.
a)Filter function
b)Communication data protection function
c)Network settings protection function
Each of the above components satisfies the SFRs as follows:
â— The above a) satisfies FTA_TSE.1
â— The above b) satisfies FTP_TRP.1
â— In cooperation with TSF_FDC and TFS_AUT, the above c) satisfies FIA_AFL.1a, FIA_UAU.2a,
FIA_UAU.7a and FIA_UID.2a
â— In cooperation with TSF_FDC and TSF_FCF, the above a) and b) satisfy FMT_SMF.1.
â— In cooperation with TSF_FCF, the above a) and b) satisfy FMT_MTD.1c.
â— In cooperation with TSF_FCF, the above b) satisfies FMT_MOF.1c.
The following sections elaborate upon each function.
7.6.2 Filter Function
This function rejects attempts to communicate from parties who are not expected to do so according to the
settings that the administrator configured beforehand based on the condition of IP addresses and MAC
addresses. The TSF always cancels network packets from parties that do not meet the conditions and does
not respond to or process them.
Up to 4 ranges of IP addresses can be specified and it can be set whether to allow or deny the ranges (IP
address filter).
Up to 10 MAC addresses to allow communication can be specified (MAC address filter).
The TSF satisfies FTA_TSE.1 because it rejects communication to and from an unintended third party
based on the IP address and the MAC address. According to FMT_SMF.1, the TSF has a management
function to query and modify TSF data i.e. the values of the IP address filter settings and the MAC address
filter settings. This TSF allows only the administrator who has been identified and authenticated by
TSF_AUT to use this management function.
7.6.3 Communication Data Protection Function
This TSF provides the following communication data protection function.
â— According to FTP_TRP.1, this function provides the HTTPS communication function to prevent
wiretapping of communication data between the client and the TOE Web. HTTPS communication starts
when the remote user accesses the TOE Web from the client browser and the communication is kept
until disconnected.
â— According to FTP_TRP.1, this function also provides the IPP-SSL communication function to prevent
wiretapping of print data that is sent from the printer driver of the client. IPP-SSL communication starts
when the remote user accesses the MFD by sending a print job by the printer driver from applications
on the client and the communication is kept until disconnected.
The cryptographic algorithms used in HTTPS communication and IPP-SSL communication are RSA, DES,
Triple-DES, AES and SHA-1. The server private key and public key are installed by configuring of the
administrator.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 38
According to FMT_SMF.1, the TSF has a management function to query and modify the values of the SSL
settings which are a collection of the values relating to HTTPS communication and IPP-SSL
communication (TSF data). This TSF allows only the administrator who has been identified and
authenticated by TSF_AUT to use this management function according to FMT_MTD.1c.
According to FMT_SMF.1, the TSF has a management function in which by enabling or disabling each of
HTTPS and IPP-SSL communications, the behaviour of the network protection function can be changed.
When any of HTTPS or IPP-SSL communications is disabled, the network protection function behaves
with those communications disabled. The TSF only allows the administrator who has been identified and
authenticated by TSF_AUT to modify the behaviour according to FMT_MOF.1c.
7.6.4 Network Settings Protection Function
This function provides the interfaces to manage the network settings data described in Section 1.4.4.4 at
the operation panel and the TOE Web. These interfaces are provided only to the administrator to prevent
other users from accessing. So this TSF enforces the identification and authentication same as TSF AUT
before providing the interfaces to manage the network settings data. The identification and authentication
is executed according to FIA_UID.2a, FIA_UAU.2a, FIA_UAU.7a and FIA_AFL.1a in the same way as
TSF_AUT.
7.7 Fax Flow Control (TSF_FFL)
According to FDP_IFC.1 and FDP_IFF.1, this TSF performs a data flow control that never allows data
received from the fax line to be relayed to the internal network. This prevents accesses from the telephone
line connected to the MFD’s fax I/F from being relayed to the internal network through the MFD’s network
I/F.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 39
8 Appendix
This chapter describes the definitions of terms.
8.1 Terminology
Terminology used in this ST is defined in Table 8.1.
Table 8.1: Terminology
Term Definition
Administrator
password
A password to protect special functions for the administrator including the security
management functions which are important in operation and management of the TOE
and MFD from being used by those other than the administrator.
Auto Clear at Job
End
The function to overwrite image data of each job stored into some MSD of the MFD,
invoked when a job is finished or cancelled and when a user deletes a saved data file.
Board A printed circuit board on which components are mounted by soldering.
Clear Address Book
Data and Registered
Data
The function to overwrite address book data stored into the HDD. This function is
invoked by the operation of the administrator.
Clear All Memory
The function to overwrite all the image data stored into the MSD in the MFD. This
function is invoked by the operation of the administrator.
Clear Document
Filing Data
The function to overwrite the image data that are stored into the HDD. This function
is invoked by the operation of the administrator. The main objective is to clear the
image data that are stored, but it is also available to clear the image data that are
spooled.
Confidential file
The data that the user saved with password protection (confidential file password) to
prevent the others from manipulating.
Confidential file
password
The password to prevent others from reusing the confidential file without permission.
Controller board
The board that controls the whole MFD. This contains the CPU to execute firmware
of the TOE, volatile memory, HDC, HDD and others.
Controller firmware The firmware that controls the controller board in the MFD.
Data file
In this document, objects consisting of allocated MSD resources to store information
(including image data).
Data Security Kit
Encryption Standard
Sharp Corporation’s documentation intended for in-house use which defines the
standards for an algorithm for cryptographic operation and generation of a
cryptographic key used in the cryptographic operation for MFD’s Data Security Kit.
Disabling of
Document Filing
The management function to disable to save the image data for each job type and
mode. This is used to disable to save the image data without Confidential Mode.
Disabling of Print
Jobs Other Than
Print Hold Job
The management function to disable to print out jobs sent from a printer driver on
the spot. Print jobs are denied and only hold jobs and print hold jobs are accepted;
print hold jobs are only held without being printed out.
Document filing
The function that stores image data that the MFD handles into the HDD for users’
later operations. This is also called “Filing†in this document.
Engine
A device that forms print images on receiver papers, with mechanism of paper
feeding/ejection. Also called as “print engine†or “engine unitâ€.
External network
A network, not the internal network of an organisation, which the organisation does
not manage.
Fax I/F A physical I/F to be used for connecting the MFD to a fax line.
Fax line A physical transmission channel to send and receive fax messages.
Filter settings
The management function to screen parties on the other end of communication. The
filter settings contain IP address filter settings and MAC address filter settings.
File manipulation
An operation to manipulate image data saved as a file, such as printing, sending
previewing and deleting as mentioned in Section 1.3.5.2.
Filing
Stands for “Document filingâ€. This is also to store the image data by document filing
function.
Firmware
The software that is embedded to the machines to control the machine’s hardware. In
this document, firmware especially indicates the controller firmware.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 40
Term Definition
Flash memory
A type of non-volatile memory that allows erasing electrically in large blocks and
also allows rewriting to any part of memory.
Hold To store a job sent from a printer driver using the document filing function.
Image data
Digital data, especially in this document, of two-dimensional image that each
function of the MFD manages.
Internal network
The network that is inside the organisation and protected against the threat about
security from any external networks.
IP address A call sign, used for IP, to identify devices for communication.
IP address filter
A function to restrict devices for communication by determining to accept or not
communication based on their IP addresses.
IP address filter
settings
The management function for IP address filtering.
Job
The sequence from beginning to end of the use of an MFD function (copier, printer,
scanner, fax reception, fax transmission, or PC-Fax). In addition, the instruction for a
functional operation is sometimes called a job.
Lock The function to stop accepting passwords if wrong passwords are entered in a row.
MAC address A call sign to, used for MAC, identify devices of communication media.
MAC address filter
The function to restrict devices for communication by determining to accept or not
communication based on their MAC addresses.
MAC address filter
settings
The management function for MAC address filtering.
MFD Web site
The Web site offered by the Web server inside the MFD as the interface for remote
MFD operation.
MSN-R3 expansion
algorithm
Sharp Corporation’s original algorithm for generating a cryptographic key which is
defined in Data Security Kit Encryption Standard.
Memory A memory device; in particular a semiconductor memory device.
Network I/F A physical I/F used for connecting the MFD to a network.
Network settings
In this document, the management function to query or modify network settings data
which is an asset protected by the TOE.
Non-volatile
memory
The memory device that retains its contents even when the power is turned off.
Operation panel
The user interface unit in front of the MFD. This contains the start key, numeric key,
function key and liquid crystal display with touch operation system.
Print function The function to print data received from external devices.
Relay To pass data input at an interface to another interface.
Rijndael
A cryptographic algorithm adopted by the AES. The developers are Joan Daemen
and Vincent Rijmen from Belgium.
Scan to HDD
One of the filing functions. It scans the original to obtain image data, and does only
save a file of the image data into the HDD, while neither prints nor transmits it.
Scanner unit
The device that scans the original and gets the image data. This is used for copier,
scanner, fax transmission or scan to HDD.
Spool
Storing the job’s image data into the MSD temporarily to increase the input and
output efficiency.
SSL Settings
The management function to enable or disable the HTTPS communication or the
IPP-SSL communication.
SSL-protected
services
The following services are included:
• The following services which are protected with the HTTPS:
Administrator authentication, reuse of confidential files, reading out the address
book data, modification of the address book, filter settings and network settings via
the TOE Web
• The following IPP-SSL protected service:
Image data reception from a printer driver in the print function
Standard firmware
The controller firmware that is installed to the MFD that TOE is not installed to.
TOE contains the controller firmware, and standard firmware is replaced with the
TOE’s controller firmware when TOE is installed.
Subnetwork A part of internal network divided by router.
Tandem copy Tandem print in the MFD’s copier function.
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 41
Term Definition
Tandem print
The function to print a large job twice faster than usual by halving that job among
two MFDs.
TOE Web
The MFD Web site is referred to as the TOE Web when the TOE is installed to the
MFD.
TWAIN A technical standard for PC to be input image data from devices such as scanners.
Unit
A substance provided standard that can be attached to or detached from a printed
circuit board; or an option that is installed and is ready for operation. This can also
be a system that includes a mechanism and is ready for operation.
Volatile memory A memory device, the contents of which vanish when the power is turned off.
8.2 Acronyms
Acronyms used in this ST are indicated in Table 8.2 and Table 8.3.
Table 8.2: Acronyms in the CC
Acronym Definition
CC Common Criteria
CM Configuration Management
EAL Evaluation Assurance Level
PP Protection Profile
SAR Security Assurance Requirement
SFR Security Functional Requirement
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
�MX-FR37 Security Target
© 2012-2013, Sharp Corp., all rights reserved. 42
Table 8.3: Other Acronyms
Acronym Definition
AES
Advanced Encryption Standard: established by NIST (National Institute of Standards and
Technology, United States of America)
CPU Central Processing Unit: the central processing unit of a computer.
DSK
Data Security Kit MX-FR37: an optional product sold separately for the MFD, including the
firmware part of the TOE.
EEPROM
Electrically Erasable Programmable ROM: a type of non-volatile memory that allows low
frequency of electrical rewriting at any address.
FIPS PUB
197
Federal Information Processing Standards Publication 197: the standard which defines the
AES specifications.
HDC Hard Disk Controller: the HDC in the MFD includes part of the TOE hardware.
HDD Hard Disk Drive
HTTP Hypertext Transfer Protocol: a communication protocol generally used for Web.
HTTPS HTTP over SSL, HTTP with protection of SSL.
I/F Interface
IP
Internet Protocol: a communication protocol to divide data in packets to deliver it to the
destination.
IPP Internet Printing Protocol: a communication protocol for printing.
IPP-SSL IPP over SSL, IPP with protection of SSL.
IT Information Technology
LDAP Lightweight Directory Access Protocol: a communication protocol for directory service.
MAC
Media Access Control: communication protocols to allow a number of communication
devices to share a single communication medium by identifying devices and mediating
communication to avoid collision.
MFD
Multi Function Device: a digital multifunctional device which is an office machine mainly
equipped with copier, printer, scanner and fax functions. In this document, only models listed
in Section 1.3.2.
MSD
Mass Storage Device: in this document, this especially indicates the HDD and Flash memory
in MFD.
NIC Network Interface Card or Network Interface Controller
OS Operating System
PC Personal Computer
ROM Read Only Memory
SSL Secure Socket Layer: a cryptographic communication protocol for computer network.
UI User Interface
USB Universal Serial Bus: a serial bus standard to connect between IT equipments.
SMTP Simple Mail Transfer Protocol: a communication protocol to transfer E-mails.
WINS Windows Internet Name Service: resolves a NetBIOS name into the IP address.
�