CRP-C0222-01
Certification Report
Koji Nishigaki, Chairman
Information-technology Promotion Agency, Japan
Target of Evaluation
Application date/ID 2008-03-28 (ITC-8220)
Certification No. C0222
Sponsor Konica Minolta Business Technologies, Inc.
Name of TOE Japan: bizhub PRO 1200 / 1200P / 1051 zentai
seigyo software
Overseas: bizhub PRO 1200 / 1200P / 1051 control
software
Version of TOE Image control program (Image control I1) :
00I1-G00-10
Controller control program (IC control P) :
00P1-G00-10
PP Conformance None
Conformed Claim EAL3
Developer Konica Minolta Business Technologies, Inc.
Evaluation Facility Information Technology Security Center
Evaluation Department
This is to report that the evaluation result for the above TOE is certified as
follows.
2009-07-15
Takumi Yamasato, Technical Manager
Information Security Certification Office
IT Security Center
Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following
criteria prescribed in the "IT Security Evaluation and
Certification Scheme".
- Common Criteria for Information Technology Security Evaluation Version 2.3
(ISO/IEC 15408:2005)
- Common Methodology for Information Technology Security Evaluation
Version 2.3 (ISO/IEC 18045:2005)
Evaluation Result: Pass
" Japan : bizhub PRO 1200 / 1200P / 1051 zentai seigyo software (Gazou seigyo
program(Gazou seigyo I1) : 00I1-G00-10, Controller seigyo program(IC control
CRP-C0222-01
P) : 00P1-G00-10), Overseas : bizhub PRO 1200 / 1200P / 1051 control software
(Image control program(Image control I1) : 00I1-G00-10, Controller control
program (IC control P) : 00P1-G00-10)" has been evaluated in accordance with
the provision of the "IT Security Certification Procedure" by
Information-technology Promotion Agency, Japan, and has met the specified
assurance requirements.
CRP-C0222-01
Notice:
This document is the English translation version of the Certification Report
published by the Certification Body of Japan Information Technology Security
Evaluation and Certification Scheme.
CRP-C0222-01
Table of Contents
1. Executive Summary ............................................................................... 1
1.1 Introduction ..................................................................................... 1
1.2 Evaluated Product ............................................................................ 1
1.2.1 Name of Product ......................................................................... 1
1.2.2 Product Overview ........................................................................ 1
1.2.3 Scope of TOE and Overview of Operation....................................... 3
1.2.4 TOE Functionality ....................................................................... 3
1.3 Conduct of Evaluation....................................................................... 5
1.4 Certificate of Evaluation .................................................................... 6
1.5 Overview of Report ............................................................................ 6
1.5.1 PP Conformance.......................................................................... 6
1.5.2 EAL ........................................................................................... 6
1.5.3 SOF ........................................................................................... 6
1.5.4 Security Functions ...................................................................... 6
1.5.5 Threat ........................................................................................ 9
1.5.6 Organisational Security Policy ..................................................... 9
1.5.7 Configuration Requirements ........................................................ 9
1.5.8 Assumptions for Operational Environment .................................... 9
1.5.9 Documents Attached to Product ................................................. 10
2. Conduct and Results of Evaluation by Evaluation Facility....................... 11
2.1 Evaluation Methods ........................................................................ 11
2.2 Overview of Evaluation Conducted ................................................... 11
2.3 Product Testing .............................................................................. 12
2.3.1 Developer Testing...................................................................... 12
2.3.2 Evaluator Testing...................................................................... 13
2.4 Evaluation Result ........................................................................... 14
3. Conduct of Certification ....................................................................... 15
4. Conclusion.......................................................................................... 16
4.1 Certification Result ......................................................................... 16
4.2 Recommendations ........................................................................... 16
5. Glossary ............................................................................................. 17
6. Bibliography ....................................................................................... 19
CRP-C0222-01
1. Executive Summary
1.1 Introduction
This Certification Report describes the content of certification result in relation to IT
Security Evaluation of " Japan : bizhub PRO 1200 / 1200P / 1051 zentai seigyo software
(Gazou seigyo program(Gazou seigyo I1) : 00I1-G00-10, Controller seigyo program(IC
control P) : 00P1-G00-11), Overseas : bizhub PRO 1200 / 1200P / 1051 control software
(Image control program(Image control I1) : 00I1-G00-10, Controller control program
(IC control P) : 00P1-G00-10)" (hereinafter referred to as "the TOE") conducted by
Information Technology Security Center, Evaluation Department (hereinafter
referred to as "Evaluation Facility"), and it reports to the sponsor, Konica Minolta
Business Technologies, Inc.
The reader of the Certification Report is advised to read the corresponding ST and
manuals (please refer to "1.5.9 Documents Attached to Product" for further details)
attached to the TOE together with this report. The assumed environment,
corresponding security objectives, security functional and assurance requirements
needed for its implementation and their summary specifications are specifically
described in ST. The operational conditions and functional specifications are also
described in the document attached to the TOE.
Note that the Certification Report presents the certification result based on assurance
requirements conformed to the TOE, and does not certify individual IT product itself.
Note: In this Certification Report, IT Security Evaluation Criteria and IT
Security Evaluation Method prescribed by IT Security Evaluation and
Certification Scheme are named CC and CEM, respectively.
1.2 Evaluated Product
1.2.1 Name of Product
The target product by this Certificate is as follows:
Name of Product: Japan : bizhub PRO 1200 / 1200P / 1051 zentai seigyo software
Overseas : bizhub PRO 1200 / 1200P / 1051 control software
Version: Japan : Gazou seigyo program (Gazou seigyo I1) : 00I1-G00-10
Controller seigyo program (IC control P) : 00P1-G00-10
Overseas: Image control program (Image control I1): 00I1-G00-10
Controller control program(IC control P): 00P1-G00-10
Developer: Konica Minolta Business Technologies, Inc.
1.2.2 Product Overview
This product (it is called "bizhub PRO 1200 control software(*1)", hereafter.), that is
installed with digital MFP (it is called "bizhub PRO 1200 series") manufactured by
Konica Minolta Business Technologies, Inc., is a software product for the purpose of
reducing the danger for the disclosure of document data stored every user.
bizhub PRO 1200 control software prevents the document data from disclosing during
the use of functions such as copier and printer. To protect the document data, it has a
"User BOX" function and a variety of management capabilities, additional highly
confidential HDD (Hard Disk Drive) with lock system (*2) to store the document.
bizhub PRO 1200 control software is provided with bizhub PRO 1200 series.
1
CRP-C0222-01
Fig 1-1 shows the expected operating environment with bizhub PRO 1200 series in
office.
(*1) bizhub PRO 1200 control software indicates "bizhub PRO 1200 / 1200P / 1051
zentai seigyo software" for Japan and "bizhub PRO 1200 / 1200P / 1051 control
software" for overseas.
(*2) HDD has the password so that the hard disk cannot be removed and read in
another equipment. HDD lock password is set in the hard disk lock system.
Figure 1-1 Operating Environment of bizhub PRO 1200 series
bizhub PRO 1200 series including the TOE is connected with the internal network and
public telephone line network as shown in Figure 1.1. The internal network is
connected with the client PC of general user, mail server and FTP server, to which
bizhub PRO 1200 series sends the data. The TOE does not have the interface with the
external network. The TOE is connected with the external network only through
Firewall, so as to protect each of equipments on the internal network.
2
CRP-C0222-01
1.2.3 Scope of TOE and Overview of Operation
Figure 1-2 shows the structure of bizhub PRO 1200 series including the TOE.
Figure 1-2 TOE Structure
bizhub PRO 1200 series consists of the hardware and bizhub PRO 1200 control
software. The components of bizhub PRO 1200 control software are the image control
program and the controller control program. The hardware consists of bizhub PRO
1200 series main unit, print controller, HDD1, HDD2, operation panel, and network
card. The HDD1 is the storage device that stores the data (temporary storage is also
possible.). The HDD2 is the storage device that stores temporarily the data. The TOE
is bizhub PRO 1200 control software and it operates with OS.
The hatching parts in Fig.1-2 show the control range of TOE, namely, each function
included in the TOE and the area of data extension created by the TOE.
1.2.4 TOE Functionality
The TOE consists of "basic function" that operates the document data stored in the
document data file of User BOX, "management function" that sets the TOE by the
administrator, and "CE function" that executes the initial setting of TOE (Registration
of administrator and Installation of TOE) by CE(*3).
(*3) Customer Engineer is a person who is enrolled at the company undertaken the
maintenance of bizhub PRO 1200 series, and carries out the maintenance of
bizhub PRO 1200 series.
3
CRP-C0222-01
1.2.4.1 Basic function of TOE
Basic functions are used to operate the document data. The User BOX is identified by
the User BOX identifier, and the User BOX password is set for every User BOX so as to
confirm the validity as the owner (general user) of each User BOX. The valid owner of
User BOX can access all the document data in his/her User BOX. Fig 1-3 shows the
processing overview of basic functions.
The Sub BOX is created in the User BOX, and the document data is stored together
into the Sub BOX.
Figure 1-3 Processing Architecture of Basic Function
The followings are the details of each function.
(1) Scanning function
By operating from the operation panel, the information of paper document is read
from the scanner, converted to the document data, and stored into the HDD1
temporary storage or DRAM temporary storage.
(2) PC data receiving function
The document data from the client PC is stored into the HDD2 temporary storage,
executed the data exchange, and stored into the HDD1 temporary storage or
DRAM temporary storage.
(3) BOX storage function
The temporary document data in the HDD1 temporary storage or in the DRAM
temporary storage is stored into the User BOX additionally.
(4) BOX readout function
The document data in the User BOX is temporarily read out to the HDD1
temporary storage or DRAM temporary storage.
(5) Printing function
The temporary document data in the HDD1 temporary storage or in the DRAM
4
CRP-C0222-01
temporary storage is printed out.
(6) Email function
The document data gotten by the scanning function, which is stored temporarily
into the HDD1 temporary storage or DRAM temporary storage, is attached to a
mail via the HDD2 temporary storage, and sent to the mail server.
(7) FTP function
The document data gotten by the scanning function, which is stored temporarily
into the HDD1 temporary storage or DRAM temporary storage, is sent to the FTP
server via the HDD2 temporary storage.
(8) SMP function
The document data gotten by the scanning function, which is stored temporarily
into the HDD1 temporary storage or DRAM temporary storage, is sent to the
shared folder of PC that is connected with the internal network via the HDD2
temporary storage.
(9) Deletion function
The document data in the use BOX, associated with the User BOX identifier is
deleted.
1.2.4.2 Management function
The administrator conducts the operational setting for the TOE functions through this
management function. Moreover the management function controls the related
information for the operation of digital MFP, such as the creation/attribution
change/deletion of User BOX, the printing of audit information, the initialization
process of HDD1 and HDD2 (setting of HDD lock password), the management of
troubleshooting/toner/number of prints.
1.2.4.3 CE function
The following function is provided so that the CE can execute the initial setting and
the maintenance for the TOE.
- Service setting mode
By operating from the operation panel, the CE executes the registration and change
of the administrator password by using the function of service setting mode.
1.3 Conduct of Evaluation
Based on the IT Security Evaluation/Certification Program operated by the
Certification Body, TOE functionality and its assurance requirements are being
evaluated by evaluation facility in accordance with those publicized documents such as
"IT Security Evaluation and Certification Scheme"[2], "IT Security Certification
Procedure"[3] and "Evaluation Facility Approval Procedure"[4].
Scope of the evaluation is as follow.
- Security design of the TOE shall be adequate;
- Security functions of the TOE shall be satisfied with security functional
requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- Above mentioned three items shall be evaluated in accordance with the CC Part 3
and CEM.
More specific, the evaluation facility examined "Multi functional printer bizhub PRO
5
CRP-C0222-01
1200 series Security Target" as the basic design of security functions for the TOE
(hereinafter referred to as "the ST") [1], the evaluation deliverables in relation to
development of the TOE and the development, manufacturing and shipping sites of the
TOE. The evaluation facility evaluated if the TOE is satisfied both Annex B of CC Part
1 (either of [5], [8] or [11]) and Functional Requirements of CC Part 2 (either of [6], [9]
or [12]) and also evaluated if the development, manufacturing and shipping
environments for the TOE is also satisfied with Assurance Requirements of CC Part 3
(either of [7], [10] or [13]) as its rationale. Such evaluation procedure and its result are
presented in "bizhub PRO 1200 / 1200P / 1051 zentai seigyo software Evaluation
Technical Report" (hereinafter referred to as "the Evaluation Technical Report") [17].
Further, evaluation methodology should comply with the CEM (either of [14], [15] or
[16]).
1.4 Certification
The Certification Body verifies the Evaluation Technical Report and Observation
Report prepared by the evaluation facility and evaluation evidence materials, and
confirmed that the TOE evaluation is conducted in accordance with the prescribed
procedure. Certification review is also prepared for those concerns found in the
certification process. Evaluation is completed with the Evaluation Technical Report
dated 2009-07 submitted by the evaluation facility and those problems pointed out by
the Certification Body are fully resolved and confirmed that the TOE evaluation is
appropriately conducted in accordance with CC and CEM. The Certification Body
prepared this Certification Report based on the Evaluation Technical Report submitted
by the evaluation facility and concluded fully certification activities.
1.5 Overview of Report
1.5.1 PP Conformance
There is no PP to be conformed.
1.5.2 EAL
Evaluation Assurance Level of TOE defined by this ST is EAL3.
1.5.3 SOF
This ST claims "SOF-basic" as its minimum strength of function.
This TOE assumes the attack capability of general user to be low level. It is assumed
that this TOE is operated under the condition that secures the adequate security in
terms of physical and human. Therefore, SOF-Basic that can adequately resist for
attacking from the threat agent with the attack capability of low level is valid for the
security strength.
1.5.4 Security Functions
The security functions of the TOE are as follows:
6
CRP-C0222-01
(1) Identification and authentication
Function title Security function
IA.ADM_ADD
Registration of
administrator
Only the CE can operate it. The administrator is
registered in the TOE by registering the
administrator password.
The administrator is registered if the password
obeys the specification, and it is rejected if not
so.
IA.ADM_AUTH
Identification and
authentication of
administrator
Before the operator uses the TOE, he/she is
identified to be the registered administrator in
the TOE and authenticated to be the valid
administrator.
The operations of all the management functions
are not permitted before the identification and
authentication of administrator.
By accessing the interface for the authentication
of administrator by the operator, he/she is
identified to be the administrator, and
authenticated to the valid administrator using
the entered password.
In case of unsuccessful authentication, the
access is prohibited for five seconds.
IA.CE_AUTH
Identification and
authentication of CE
Before the operator uses the TOE, he/she is
identified to be the registered CE in the TOE and
authenticated to be the valid CE.
The operations of all the CE functions are not
permitted before the identification and
authentication of CE.
By using the interface for the authentication of
CE and the entered password by the operator,
he/she is authenticated to be the valid CE.
In case of unsuccessful authentication, the
access is prohibited for five seconds.
IA.PASS
Change of password
The passwords of administrator, CE, and User
BOX are changed.
The interface for password change is provided
and entering the new password is required.
The following shows the changeable passwords
by the type of user.
CE : CE password, Administrator password
Administrator : User BOX password,
Administrator password
General user who owns User BOX : User BOX
password of his/ her own User BOX
The password is changed if it obeys the
specification, and it is rejected if not so.
(2) Access control
Function title Security function
ACL.USR
Access rule and
control to general user
The general user who owns User BOX is
identified and authenticated. After he/she is
authenticated to be the valid user, the
operatable coverage for the general user is
limited according to the following access rules.
The general user who owns User BOX is
7
CRP-C0222-01
identified and authenticated by the User BOX
identifier and User BOX password. The following
operation is permitted for only the User BOX
that corresponds to the User BOX identifier of
the general user who owns User BOX.
- Reading out and printing of document
In case of unsuccessful identification and
authentication, the identification and
authentication trials are prohibited for five
seconds.
(3) Audit
Function title Security function
AUD.LOG
Record of audit
information
The audit information regarding the action of
security functions is recorded.
Auditable events are as follows.
- Startup and shutdown of audit functions
- Success and failure in identifying and
authenticating of administrator, CE, general
user who owns User BOX
- Success in registering password of
administrator and general user who owns User
BOX
- Success in changing password and HDD lock
password of administrator, CE, and general
user who owns User BOX
- Success in reading out of document data
AUD.MNG
Management of audit
area
The area of audit storage is controlled by ring
buffer format in order to create and store the
audit information.
(4) Management support
Function title Security function
MNG.MODE
Setting of security
reinforcement mode
Only the administrator is permitted the function
to stop the security reinforcement mode.
MNG.ADM
Management support
function
(Administrator)
The following operations are permitted and
executed by only the administrator.
- Creation of User BOX, registration of User BOX
identifier, and setting of User BOX password
- Inquiry of audit information
The registration is executed if the User BOX
password obeys the specification, it is not
rejected if not so.
MNG.HDD
HDD lock password
function
The following operations are permitted and
executed by only the administrator.
- Change of HDD lock password
The HDD lock password is set and changed to
HDD device if the User BOX password obeys the
specification, they are rejected if not so.
8
CRP-C0222-01
1.5.5 Threat
This TOE assumes the threats shown in Table 1-1 and has functions to counteract
them.
Table 1-1 Assumed Threats
Identifier Threat
T.ACCESS
(Unauthenticated
access to the BOX)
When a general user uses the user function from
the operation panel, there is a possible threat of
disclosing the document data that the other
general user owns in his/her User BOX.
T.HDDACCESS
(Unauthenticated
access to the HDD)
- When a general user connects the HDD1 with an
illegal device, there is a possible threat of
disclosing the document data in the HDD1.
- When a general user connects the HDD2 with an
illegal device, there is a possible threat of
disclosing the document data in the HDD2.
T.IMPADMIN
(Impersonation of the
CE and
administrator)
- When a general user uses illegally the interfaces
for CE function and administrator function,
there is a possible threat of disclosing the
document data.
1.5.6 Organizational Security Policy
There is no the required security policy of the organization upon use of the TOE.
1.5.7 Configuration Requirements
The TOE is a software product installed to bizhub PRO 1200 series.
The TOE is installed as a security function at time of bizhub PRO 1200 series shipping
or built-in configuration on user site by Web downloading from CE.
1.5.8 Assumptions for Operational Environment
Table 1-2 shows the assumptions in the environment where this TOE is used.
When these assumptions are not fulfilled, effective operation of the security functions
for the TOE is not assured.
Table 1-3 Assumptions in Use of the TOE
Identifier Assumptions
ASM.PLACE
(Installation
condition for the
TOE)
The TOE shall be installed in the area where only
the product-
Related person can operate.
ASM.NET
(Setting condition for
the internal network)
The TOE shall be connected with the internal
network that the disclosure of document data will
not occur.
ASM.ADMIN
(Reliable
administrator)
The administrator shall not carry out an illegal
act.
9
CRP-C0222-01
ASM.CE
(Personal condition
for the CE)
The CE shall not carry out an illegal act.
ASM.USR
(Management of the
general user)
The general user shall not disclose his/her own
User BOX password.
1.5.9 Documents Attached to Product
The documents attached to this TOE are shown as follows.
* Japanese version
<Manuals for CE>
- bizhub PRO 1200/1051 Installation Manual Vol.1
- bizhub PRO 1200P Installation Manual Vol.1
- bizhub PRO 1200/1200P/1051 Service Manual Field Service Vol.1
<Manuals for Administrator and General User>
- bizhub PRO 1200/1051 User's Guide Copier Vol.1
- bizhub PRO 1200/1051 User's Guide Network Scanner Vol.1
- bizhub PRO 1200/1051 User's Guide POD Administrator's Reference Vol.1
- bizhub PRO 1200/1051 User's Guide Security Vol.1
- bizhub PRO 1200P User's Guide Main Copier Vol.1
- bizhub PRO 1200P User's Guide Security Vol.1
* Overseas version
<Manuals for CE>
- bizhub PRO 1200/1051 INSTALLATION MANUAL Vol.1
- bizhub PRO 1200P INSTALLATION MANUAL Vol.1
- bizhub PRO 1200/1200P/1051 SERVICE MANUAL Field Service Vol.1
<Manuals for Administrator and General User>
- bizhub PRO 1200/1051 User's Guide Copier Vol.1
- bizhub PRO 1200/1051 User's Guide Network Scanner Vol.1
- bizhub PRO 1200/1051 User's Guide POD Administrator's Reference Vol.1
- bizhub PRO 1200/1051 User's Guide Security Vol.1
- bizhub PRO 1200P User's Guide Main Copier Vol.1
- bizhub PRO 1200P User's Guide Security Vol.1
10
CRP-C0222-01
2. Conduct and Results of Evaluation by Evaluation Facility
2.1 Evaluation Methods
Evaluation was conducted by using the evaluation methods prescribed in CEM in
accordance with the assurance requirements in CC Part 3. Details for evaluation
activities are report in the Evaluation Technical Report. It described the description of
overview of the TOE, and the contents and verdict evaluated by each work unit
prescribed in CEM.
2.2 Overview of Evaluation Conducted
The history of evaluation conducted was present in the Evaluation Technical Report as
follows.
Evaluation has started on 2008-04 and concluded by completion the Evaluation
Technical Report dated 2009-07. The evaluation facility received a full set of
evaluation deliverables necessary for evaluation provided by developer, and examined
the evidences in relation to a series of evaluation conducted. Additionally, the
evaluation facility directly visited the development and manufacturing sites on
2009-06 and examined procedural status conducted in relation to each work unit for
configuration management, delivery and operation and lifecycle by investigating
records and staff hearing. Further, the evaluation facility executed sampling check of
conducted testing by developer and evaluator testing by using developer testing
environment at developer site on 2009-06.
As for concerns indicated during evaluation process by the Certification Body, the
certification reviews were sent to the evaluation facility. These were reflected to
evaluation after investigation conducted by the evaluation facility and the developer.
11
CRP-C0222-01
2.3 Product Testing
An outline of the developer test evaluated by the evaluators and the evaluator test
executed by the evaluator is shown as follows.
2.3.1 Developer Testing
1) Developer Test Environment
Figure 2-1 shows the structure of the test system executed by the developer.
bizhub PRO 1200
Testing penetration
PC
Mail server
WindowsXP(SP3)
FTP server
WindowsXP(SP3)
SMB server
WindowsXP(SP3)
CSRC Terminal
Client PC
Controller NIC
Main body NIC
Internal network
Figure 2-1 Structural Diagram of the Developer Testing System
2) Outlining of Developer Test
The outline of the test executed by the developer is as follows.
a. Test structure
Figure 2-1 shows the test structure executed by the developer.
- TOE (bizhub PRO 1200 control software (Image control program (Image control
I1) 00I1-G00-10, Controller control program (IC control P) 00P1-G00-10)) is
installed to bizhub PRO 1200 series.
- bizhub PRO 1200 is connected to the internal network (100baseT).
- bizhub PRO 1200 is connected to client PC, mail server, FTP server, SMB
server and CSRC terminal through the internal network.
CSRC is connected only by LAN in the test structure, however, it does not have
an influence on the test results of security functions because it is non security
function.
Therefore, it can be judged that the developer test is executed in the same TOE
testing environment with the TOE structure identified in the ST.
12
CRP-C0222-01
b. Test method
The following methods are used for the test.
(1) The operation of security functions is confirmed by the operation of TSFI.
(2) If testing of TSFI and subsystem interface cannot be performed by the
operation through the external interface directly connected to bizhub PRO
1200 series, it is performed with methods by indirectly stimulating the
interface.
(3) For the observation of test behavior, the direct confirmation is performed if it
can be confirmed by the external TSFI, the behavior of test results is
confirmed by using a measuring equipment (bizhub PRO 1200) if it can not
be observed.
(4) By comparing the expected behavior with the actual test results obtained at
test execution, whether the test objects are achieved or not, are determined.
c. Scope of Testing Performed
The developer tests are set for 26 test items.
The coverage analysis has been executed and it was verified that all the security
functions and external interfaces stipulated in the function specifications have
been adequately tested. The depth analysis has been executed and it was
verified that all the subsystems and subsystem interfaces stipulated in the high
level design have been adequately tested.
d. Result
The test results by the developer confirmed that the expected test results and
the actual test results are consistent. The evaluator confirmed the execution
method of the developer test and the legitimacy of the executed items, and
confirmed that the execution method and execution results are consistent with
those shown in the test plan.
2.3.2 Evaluator Testing
1) Evaluator test environment
The system structure of the test executed by the evaluator has the same structure
as the developer test.
2) Outlining of the evaluator test
The outline of the test executed by the evaluator is as follows.
a. Test structure
Figure 2-1 shows the test structure executed by the evaluator. The evaluator
test executed at test environment that was same configuration as the TOE
configured following ST.
The penetration test executed by the evaluator executed at the test
configuration of Figure 2-1 and a part of penetration test was executed at bizhub
PRO 1200 installed TOE that was connected ISW by USB cable. Furthermore
the evaluator confirmed test environment that was same configuration as the
TOE configured following ST.
13
CRP-C0222-01
b. Testing Approach
The following methods are used for the sampling test.
(1) Test items selected more than 50% items from developer test.
(2) Test items more than one selected for each of TSFI with each developer test.
(3) Test items related all user interface selected at least more than one with
developer test.
(4) A set of closed test items selected with developer test.
The following methods are used for the independent test.
(1) This operation of security functions is confirmed by the operation of TSFI.
(2) The subsystem interface is tested by the operation through the external
interface connected to bizhub PRO 1200 series.
(3) If test behavior cannot be checked by TSFI, it is tested with methods by
indirectly stimulating the interface.
(4) By comparing the expected behavior with the actual test results obtained at
test execution, whether the test objects is achieved or not, is determined.
The penetration test is executed by the following policy.
Penetration test is executed to confirm that there is no vulnerability possible to
be abused by attacker of low level in the TOE or whether there is the remaining
vulnerability in the operating environment regulated in the ST.
c. Range of the executed test
The tests are set for the following test volume/coverage.
Original test created by evaluator is 10 items, sampling test from developer test
is 18 items, penetration test created by evaluator is 6 items and total volume is
34 items.
d. Result
All the executed evaluator tests have been properly completed and the behavior
of the TOE was confirmed. The evaluator confirmed that all of the test results
were consistent with the expected behavior.
2.4 Evaluation Result
The evaluator had the conclusion that the TOE satisfies all work units prescribed in
CEM by submitting the Evaluation Technical Report.
14
CRP-C0222-01
3. Conduct of Certification
The following certification was conducted based on each materials submitted by
evaluation facility during evaluation process.
1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall properly be reflected.
3. Evidential materials submitted were sampled, its contents were examined, and
related work units shall be evaluated as presented in the Evaluation Technical
Report.
4. Rationale of evaluation verdict by the evaluator presented in the Evaluation
Technical Report shall be adequate.
5. The Evaluator's evaluation methodology presented in the Evaluation Technical
Report shall conform to the CEM.
Concerns found in certification process were prepared as certification review, which
were sent to evaluation facility.
The Certification Body confirmed such concerns pointed out in Observation Reports
and certification reviews were solved in the ST and the Evaluation Technical Report.
15
CRP-C0222-01
4. Conclusion
4.1 Certification Result
The Certification Body verified the Evaluation Technical Report, the Observation
Report and the related evaluation evidential materials submitted and confirmed that
all evaluator action elements required in CC Part 3 are conducted appropriately to the
TOE. The Certification Body verified the TOE is satisfied the EAL3 assurance
requirements prescribed in CC Part 3.
4.2 Recommendations
OE.WATCH [Administrator is monitoring to TOE not to do irregular access and forbid
to enter to the TOE setting place when administrator being absent.] being security
policy of environment to use TOE in secure condition is another charge of protecting to
expose protected assets against attacking by HDD password made out by analysis
service.
16
CRP-C0222-01
5. Glossary
The abbreviations used in this report are listed below.
CC: Common Criteria for Information Technology Security
Evaluation
CEM: Common Methodology for Information Technology Security
Evaluation
EAL: Evaluation Assurance Level
PP: Protection Profile
SOF: Strength of Function
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions
The glossaries used in this report are listed below.
User BOX: Directory being stored for documents data
Documents data:
Computerized data for text and graphic.
Paper documents:
Documents were written on a paper.
Operating panel:
Operating Unit for using bizhub PRO 1200 series by touch panel
display.
Internal network:
This is LAN in an office which introduces bizhub PRO 1200
series, and is connected with the client PC and several servers
such as mail server and FTP server.
External network:
Network except internal network such as the Internet
SMB: This is the application protocol to communicate between the
computers on the network under Microsoft-OS series.
CSRC: CS Remote Care for short-Remote Management system of
machine send and receive machine management data with using
E-mail and phone line from machine to CS Remote Center PC. Be
able to call Center PC in case of trouble occurred.
17
CRP-C0222-01
Hard Disk Lock Function:
The HDD for storing the document data shall prevent the
unauthenticated access by means of the HDD lock password.
HDD lock password:
Password that releases the forbidden state to read and write on
HDD.
General User: Enrollment of organization being purchased bizhub PRO 1200.
He/she use copier/printer/fax.
Administrator: A Person is charged of machine management. He/she belongs to
enrollment of organization being purchased bizhub PRO 1200.
CE: Enrollment of company being charged bizhub PRO 1200
maintenance. CE shall execute the maintenance for bizhub PRO
1200 and enter into the maintenance contract of bizhub PRO
1200 with Administrator or responsible person.
Responsible person:
A person belongs to organization being purchased bizhub PRO
1200. He/she shall decide administrator of bizhub PRO 1200.
The product-related persons:
The general user, administrator, and CE.
18
CRP-C0222-01
6. Bibliography
[1] Multi functional printer bizhub PRO 1200 Series Security Target Version 6 (June
5, 2009) Konica Minolta Business Technologies, Inc.
[2] IT Security Evaluation and Certification Scheme, May 2007,
Information-technology Promotion Agency, Japan CCS-01
[3] IT Security Certification Procedure, May 2007, Information-technology
Promotion Agency, Japan CCM-02
[4] Evaluation Facility Approval Procedure, May 2007, Information-technology
Promotion Agency, Japan CCM-03
[5] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001
[6] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002
[7] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003
[8] Common Criteria for Information Technology Security Evaluation Part 1:
Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001
(Translation Version 1.0 December 2005)
[9] Common Criteria for Information Technology Security Evaluation Part 2:
Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002
(Translation Version 1.0 December 2005)
[10] Common Criteria for Information Technology Security Evaluation Part 3:
Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003
(Translation Version 1.0 December 2005)
[11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques -
Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:2005 - Information technology - Security techniques -
Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:2005 - Information technology - Security techniques -
Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] Common Methodology for Information Technology Security Evaluation:
Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004
[15] Common Methodology for Information Technology Security Evaluation:
Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004
(Translation Version 1.0 December 2005)
[16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology
for IT security evaluation
[17] bizhub PRO 1200 / 1200P / 1051 zentai seigyo software Evaluation Technical
19
CRP-C0222-01
20
Report Version 1.2, July 3, 2009, Information Technology Security Center
Evaluation Department