JISEC-CC-CRP-C0631-01-2019 Certification Report Tatsuo Tomita, Chairman Information-technology Promotion Agency, Japan 2-28-8 Honkomagome, Bunkyo-ku, Tokyo IT Product (TOE) Reception Date of Application (Reception Number) 2018-09-27 (ITC-8692) Certification Identification JISEC-C0631 Product Name TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/ 4518A/5018A all of the above with FAX Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230) Version and Release Numbers SYS V1.0 Product Manufacturer TOSHIBA TEC CORPORATION Conformance of Functionality PP conformant functionality, CC Part 2 Extended Protection Profile Conformance Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 (Certification Identification: JISEC-C0553) Name of IT Security Evaluation Facility Information Technology Security Center Evaluation Department This is to report that the evaluation result for the above TOE has been certified as follows. 2019-03-13 Tatsuro Yano, Technical Manager IT Security Technology Evaluation Department IT Security Center Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards prescribed in the "IT Security Evaluation and Certification Scheme Document." - Common Criteria for Information Technology Security Evaluation Version 3.1 Release 5 - Common Methodology for Information Technology Security Evaluation Version 3.1 Release 5 JISEC-CC-CRP-C0631-01-2019 Evaluation Result: Pass "TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A all of the above with FAX Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230)" has been evaluated based on the standards required, in accordance with the provisions of the "Requirements for IT Security Certification" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. JISEC-CC-CRP-C0631-01-2019 Table of Contents 1. Executive Summary ................................................................................................................ 1 1.1 Product Overview............................................................................................................. 1 1.1.1 Protection Profile or Assurance Package ................................................................ 1 1.1.2 TOE and Security Functionality.............................................................................. 1 1.1.3 Disclaimers................................................................................................................ 2 1.2 Conduct of Evaluation ..................................................................................................... 2 1.3 Certification...................................................................................................................... 2 2. Identification............................................................................................................................ 3 3. Security Policy ......................................................................................................................... 5 3.1 User Roles......................................................................................................................... 5 3.2 Protected Assets ............................................................................................................... 6 3.3 Threats.............................................................................................................................. 7 3.4 Organisational Security Policy ....................................................................................... 7 4. Assumptions and Clarification of Scope ................................................................................ 9 4.1 Usage Assumptions.......................................................................................................... 9 4.2 Environmental Assumptions......................................................................................... 10 4.3 Clarification of Scope ......................................................................................................11 5. Architectural Information..................................................................................................... 12 5.1 TOE Boundary and Components .................................................................................. 12 5.1.1 Security Functions.................................................................................................. 13 5.2 IT Environment.............................................................................................................. 14 6. Documentation....................................................................................................................... 15 7. Evaluation conducted by Evaluation Facility and Results................................................ 16 7.1 Evaluation Facility......................................................................................................... 16 7.2 Evaluation Approach...................................................................................................... 16 7.3 Overview of Evaluation Activity ................................................................................... 16 7.4 IT Product Testing.......................................................................................................... 17 7.4.1 Developer Testing.................................................................................................... 17 7.4.2 Evaluator Independent Testing ............................................................................. 17 7.4.3 Evaluator Penetration Testing .............................................................................. 21 7.5 Evaluated Configuration ............................................................................................... 23 7.6 Evaluation Results......................................................................................................... 23 7.7 Evaluator Comments/Recommendations ..................................................................... 23 8. Certification ........................................................................................................................... 24 8.1 Certification Result........................................................................................................ 24 JISEC-CC-CRP-C0631-01-2019 8.2 Recommendations .......................................................................................................... 24 9. Annexes .................................................................................................................................. 25 10. Security Target ...................................................................................................................... 25 11. Glossary.................................................................................................................................. 26 12. Bibliography........................................................................................................................... 28 JISEC-CC-CRP-C0631-01-2019 1 Executive Summary 1. This Certification Report describes the content of the certification result in relation to IT Security Evaluation of "TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A all of the above with FAX Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230), Version SYS V1.0" (hereinafter referred to as the "TOE") developed by TOSHIBA TEC CORPORATION, and the evaluation of the TOE was finished on 2019-01-31 by Information Technology Security Center Evaluation Department (hereinafter referred to as the "Evaluation Facility"). It is intended to report to the sponsor, TOSHIBA TEC CORPORATION, and provide security information to procurement entities and consumers who are interested in this TOE. Readers of the Certification Report are advised to read the Security Target (hereinafter referred to as the "ST") described in Chapter 10. Especially, details of security functional requirements, assurance requirements and rationale for sufficiency of these requirements of the TOE are described in the ST. This Certification Report assumes procurement entities who purchase this TOE to be readers. Note that the Certification Report presents the certification result based on assurance requirements to which the TOE conforms, and does not guarantee an individual IT product itself. Product Overview 1.1 An overview of the TOE functions and operational conditions is described as follows. Refer to Chapter 2 and subsequent chapters for details. Protection Profile or Assurance Package 1.1.1 The TOE conforms to the following protection profiles [14][15] (hereinafter, referred to as “Conformance PP”). Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 (Certification Identification: JISEC-C0553) TOE and Security Functionality 1.1.2 The TOE is an IT product and a multifunctional digital system (hereinafter referred to as “MFP”) which has the copy, print, scan, and fax functions. The TOE provides security functions which are required by the Conformance PP that is the protection profile for the MFP, to protect the data handled by the MFP from being disclosed or altered. Regarding such security functionality, the validity of the design policy and the accuracy of implementation have been evaluated in the scope of the assurance requirements requested by the Conformance PP. The threats and the assumptions that the TOE assumes are as follows: Threats 1.1.2.1 The following are assumed as Threats against the TOE. There is a threat of unauthorized exposure or alteration of the user document data and the data affecting the security functions which are the TOE assets to be protected in TOE operation and access to the network to which the TOE is connected. There is also a threat of damaging the security functions of the TOE due to the failure of the TOE itself or installation of unauthorized software. JISEC-CC-CRP-C0631-01-2019 2 Configuration and Assumptions 1.1.2.2 The evaluated product is assumed to be operated under the following configuration and assumptions. It is assumed that the TOE is used in an environment where the LAN is protected from unauthorized physical access and internet. For the operation of the TOE, the TOE shall be properly configured, managed and maintained according to the guidance documents. Users of the TOE shall be trained to use the TOE safely. Disclaimers 1.1.3 Operations indicated below are not included in the assurance of this evaluation.  Operations with the TOE environment described in “4.3 Clarification of Scope” is unsecure.  Operations of the TOE under the conditions other than the ones described in “7.5 Evaluated Configuration”. Conduct of Evaluation 1.2 Under the IT Security Evaluation and Certification Scheme that the Certification Body operates, the Evaluation Facility conducted IT security evaluation and completed in 2019-01, based on functional requirements and assurance requirements of the TOE according to the publicised documents "IT Security Evaluation and Certification Scheme Document"[1], "Requirements for IT Security Certification"[2], and "Requirements for Approval of IT Security Evaluation Facility"[3] provided by the Certification Body. Certification 1.3 The Certification Body verified the Evaluation Technical Report [13] and the Observation Report prepared by the Evaluation Facility as well as evaluation documentation, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. The certification oversight reviews were also prepared for those concerns found in the certification process. The Certification Body confirmed that all the concerns were fully resolved, and that the TOE evaluation had been appropriately conducted in accordance with the CC ([4][5][6] or [7][8][9]) and the CEM (either of [10][11]). The Certification Body prepared this Certification Report based on the Evaluation Technical Report and fully concluded certification activities. JISEC-CC-CRP-C0631-01-2019 3 Identification 2. The TOE is identified as follows. TOE Name: TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A all of the above with FAX Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230) TOE Version: SYS V1.0 Developer: TOSHIBA TEC CORPORATION The TOE consists of the main body of the MFP and mandatory options. Details of the TOE components are shown in Table 2-1. Table 2-1 TOE Components Model Number Mandatory Options Sales Area One of the following models: • e-STUDIO2518A • e-STUDIO3518A • e-STUDIO4518A • e-STUDIO5018A GD-1370J and GE-1230 Japan One of the following models: • e-STUDIO2018A • e-STUDIO2518A • e-STUDIO3018A • e-STUDIO3518A • e-STUDIO4518A • e-STUDIO5018A GD-1370NA and GE-1230 North America One of the following models: • e-STUDIO2518A • e-STUDIO3018A • e-STUDIO3518A • e-STUDIO4518A • e-STUDIO5018A GD-1370EU and GE-1230 Europe Users can verify that a product is the evaluated and certified TOE by the following means. Users confirm the following information indicated in the body, control panel, and package of the TOE according to the guidance of the product. JISEC-CC-CRP-C0631-01-2019 4 ・Model Number The name of the MFP indicated in the main body should be included in “Model Number” in Table 2-1. ・Mandatory options The name of the options indicated in the package should be the ones indicated in “Mandatory Options” in Table 2-1. ・TOE version The TOE version displayed on the control panel should match the identification version. JISEC-CC-CRP-C0631-01-2019 5 Security Policy 3. The TOE provides the MFP basic functions such as Copy, Print, Scan, and Fax functions. The TOE also has the functions to store user document data inside the TOE and transfer them to and from users’ devices and various servers via the network. The TOE provides the following security functions that satisfy the requirements required by the Conformance PP. ・Function which identifies and authenticates users ・Function which controls access of the users’ data ・Function which encrypts and stores users’ data and such ・Function which protects users’ data on the communication path while using the LAN ・Function which limits the security management to the identified and authorized user ・Function which records the logs of the security-related events ・Function which verifies and installs the update firmware ・Function which verifies that the security function operates normally at startup ・Function which separates the Public Switched Telephone Networks from the LAN Details of the security functions of the TOE are described in Section 5.1. Details of the user roles, protected assets, threats, and security policies of the organisation are described in Section 3.1 through Section 3.4. 3.1 User Roles The TOE assumes the user roles shown in Table 3-1. Table 3-1 User Roles Name Definition U.NORMAL (a normal user) A User who has been identified and authenticated and does not have an administrative role. U.ADMIN (an administrator) A User who has been identified and authenticated and has an administrative role. JISEC-CC-CRP-C0631-01-2019 6 3.2 Protected Assets The protected assets of the TOE can be grouped into 2 categories as shown in Table 3-2. The User data and TSF data are composed of 2 types of the protected assets as shown in Table 3-3 and Table 3-4 respectively. Table 3-2 Protected Assets of the TOE Name Type Definition D.USER User Data Data created by and for Users that do not affect the operation of the TSF. D.TSF TSF Data Data created by and for the TOE that might affect the operation of the TSF. Table 3-3 Protected Assets (User Data) Name Type Definition D.USER.DOC User Document Data Information contained in a User’s Document, in electronic or hardcopy form. D.USER.JOB User Job Data Information related to a User’s Document or Document Processing Job. Table 3-4 Protected Assets (TSF Data) Name Type Definition D.TSF.PROT Protected TSF Data TSF Data for which alteration by a User who is neither the data owner nor in an Administrator role might affect the security of the TOE, but for which disclosure is acceptable. D.TSF.CONF Confidential TSF Data TSF Data for which either disclosure or alteration by a User who is neither the data owner nor in an Administrator role might affect the security of the TOE. JISEC-CC-CRP-C0631-01-2019 7 3.3 Threats Table 3-5 shows threats. Table 3-5 Threats Name Definition T.UNAUTHORIZED_ACCESS An attacker may access (read, modify, or delete) User Document Data or change (modify or delete) User Job Data in the TOE through one of the TOE’s interfaces. T.TSF_COMPROMISE An attacker may gain Unauthorized Access to TSF Data in the TOE through one of the TOE’s interfaces. T.TSF_FAILURE A malfunction of the TSF may cause loss of security if the TOE is permitted to operate. T.UNAUTHORIZED_UPDATE An attacker may cause the installation of unauthorized software on the TOE. T.NET_COMPROMISE An attacker may access data in transit or otherwise compromise the security of the TOE by monitoring or manipulating network communication. 3.4 Organisational Security Policy Table 3-6 shows organisational security policies required for use of the TOE. Table 3-6 Organisational Security Policies Name Definition P.AUTHORIZATION Users must be authorized before performing Document Processing and administrative functions. P.AUDIT Security-relevant activities must be audited and the log of such actions must be protected and transmitted to an External IT Entity. P.COMMS_PROTECTION The TOE must be able to identify itself to other devices on the LAN. P.STORAGE_ENCRYPTION If the TOE stores User Document Data or Confidential TSF Data on Field-Replaceable Nonvolatile Storage Devices, it will encrypt such data on those devices. JISEC-CC-CRP-C0631-01-2019 8 Name Definition P.KEY_MATERIAL Cleartext keys, submasks, random numbers, or any other values that contribute to the creation of encryption keys for Field-Replaceable Nonvolatile Storage of User Document Data or Confidential TSF Data must be protected from unauthorized access and must not be stored on that storage device. P.FAX_FLOW If the TOE provides a PSTN fax function, it will ensure separation between the PSTN fax line and the LAN. JISEC-CC-CRP-C0631-01-2019 9 Assumptions and Clarification of Scope 4. This chapter describes the assumptions and the operational environment to operate the TOE as useful information for the assumed readers to determine the use of the TOE. 4.1 Usage Assumptions Table 4-1 shows assumptions to operate the TOE. The effective performances of the TOE security functions are not ensured unless these assumptions are satisfied. Table 4-1 Assumptions in Use of the TOE Name Definition A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it stores or processes, is assumed to be provided by the environment. A.NETWORK The Operational Environment is assumed to protect the TOE from direct, public access to its LAN interface. A.TRUSTED_ADMIN TOE Administrators are trusted to administer the TOE according to site security policies. A.TRAINED_USERS Authorized Users are trained to use the TOE according to site security policies. JISEC-CC-CRP-C0631-01-2019 10 4.2 Environmental Assumptions The TOE is installed in general offices and connected to the public telephone network and internal LAN of the organisation, and is used from the client PC and various servers connected to the LAN. Figure 4-1 shows the general operational environment as assumptions of the TOE. Users use the TOE by operating the control panel of the TOE and the PC connected to the LAN. FTP Server Client PC LAN Firewall Internet Communication Network Mail Server SYSLOG Server Public Switched Telephone Networks Fax unit (Option) Figure 4-1 Operational Environment of the TOE The following shows the components under the operational environment of the TOE. (1) Client PC The client PC is the general PC used by users. The following software is required to use the TOE. ・Printer driver TOSHIBA Universal Printer Driver2 (Version: 7.204.4408.17) ・Web browser Internet Explorer 11 (2) SYSLOG Server (Audit server) The SYSLOG server is the audit server which stores the audit log generated by the TOE. It is required to support TLS v1.2 by using the syslog protocol. It is essential to install the SYSLOG server. JISEC-CC-CRP-C0631-01-2019 11 (3) Mail Server The mail server is required when the user document data scanned by the“scan function” is sent as an attachment of an email. The mail server must support TLS v1.2. (4) FTP Server The FTP server is required when the user document data scanned by the“scan function” is sent to the specified FTP server. The FTP server must support TLS v1.2. Reliability of hardware and cooperative software indicated in this structure is not the scope of the evaluation (It should be thoroughly reliable.) 4.3 Clarification of Scope Secure operation is required so that the communication protocol operates correctly in the client PC and various servers in order to protect the data on the communication path between the TOE and client PC, and the TOE and various servers. Operators have responsibility for the client PC and various servers to be operated securely. JISEC-CC-CRP-C0631-01-2019 12 Architectural Information 5. This chapter explains the scope and the main components (subsystems) of the TOE. 5.1 TOE Boundary and Components Figure 5-1 shows the composition of the TOE. The TOE is the area surrounded by the frame indicated as TOE in Figure 5-1. Logical Boudary TOE TSF Self Protection Function TSF Self Protection Function User Operation Panel Unit TSF Data Protection Function Secure Channel Function Mail Server User Authentication Function FTP Server Client PC Public Switched Telephone Networks SYSLOG Server HDD D.USER.DOC D.TSF.PROT D.TSF.CONF D.USER.JOB Encryption Function General Function Copy Function Scan Function Print Function FAX Function User Access Control Function FROM D.TSF.PROT D.TSF.CONF NVRAM D.TSF.PROT D.TSF.CONF Fax Separation Function Figure 5-1 TOE Boundary The TOE functions are composed of the functions surrounded by the colored frame indicated in Figure 5-1. The security functions are described below. Refer to Chapter 11 for general functions. JISEC-CC-CRP-C0631-01-2019 13 5.1.1 Security Functions (1) User identification and authentication function This function is the function to identify and authenticate the TOE users by the user ID and login password when the TOE is used from the control panel or web browser of the client PC. In the case the TOE receives the user document data transmitted from the printer driver of the client PC, the user ID is identified. (2) User access control function This function controls access of the user document data when a user operates the user document data by using the general functions of the TOE. ・ Access to the user data is controlled based on the policies defined for each user type such as an owner of the user document data or user role. (3) Encryption function This function stores the user document data or such in the self-encryption drive in the TOE. The self-encryption drive has been validated by JCMVP. (4) Secure channel function This function protects the user document data or such on the communication path by encrypted communication with TLS v1.2 while using the LAN. (5) TSF data protection function This function controls access based on the policies for the TSF data type when operating the TSF data from the control panel or web browser of the client PC. (6) TSF self-protection function This function verifies the normal operation of the security functions at startup of the TOE. ・ This function verifies that the security functions operates normally by confirming that there is no damage in firmware. ・ If an error is detected during verification, the TOE stops operation and does not accept any operations. The TOE verifies firmware for update and enables installation of the normal firmware only. (7) Audit log function This function creates a log of events related to use and security of the TOE, and sends it to the SYSLOG server. JISEC-CC-CRP-C0631-01-2019 14 (8) Fax separation function Separate the public line and LAN. ・ Only the Fax transmission operates for communication via the public line in order to protect the LAN from attacks from the public line. 5.2 IT Environment The TOE communicates with the various servers and client PC through the LAN. The TOE transmits the created audit data to the audit server. An administrator reads the audit data from the audit server. The TOE can transmit the scanned user document data to the mail server and FTP server. JISEC-CC-CRP-C0631-01-2019 15 Documentation 6. The identification of documents attached to the TOE is listed below. Table 6-1 is for the guidance documents sold outside Japan, and Table 6-2 for those sold in Japan. TOE users are required to fully understand and comply with the following documents in order to satisfy the assumptions. Table 6-1 Attached Documents (Guidance for English Version) Document Name Identification Quick Start Guide OME17004400 Safety Information OME17005600 Copying Guide OME17006000 Scanning Guide OME17006600 MFP Management Guide OME17007400 Software Installation Guide OME17007200 Printing Guide OME17007000 TopAccess Guide OME17007600 Software Troubleshooting Guide OME17006200 Hardware Troubleshooting Guide OME17004800 High Security Mode Management Guide OME170078B0 Paper Preparation Guide OME17004600 Specifications Guide OME17005800 Fax Guide GD-1370 OME17008000 Table 6-2 Attached Documents (Guidance for Japanese Version) Document Name Identification かんたん操作ガイド OMJ17004300 安全にお使いいただくために OMJ17005500 コピーガイド OMJ17005900 スキャンガイド OMJ17006500 設定管理ガイド OMJ17007300 インストールガイド OMJ17007100 印刷ガイド OMJ17006900 TopAccess ガイド OMJ17007500 トラブルシューティングガイド[ソフトウェア編] OMJ17006100 トラブルシューティングガイド[ハードウェア編] OMJ17004700 ハイセキュリティモード管理ガイド OMJ170077B0 用紙準備ガイド OMJ17004500 仕様ガイド OMJ17005700 ファクスガイド GD-1370J OMJ17007900 JISEC-CC-CRP-C0631-01-2019 16 Evaluation conducted by Evaluation Facility and Results 7. 7.1 Evaluation Facility Evaluation Department, Information Technology Security Center that conducted the evaluation as the Evaluation Facility is approved under JISEC and is accredited by NITE (National Institute of Technology and Evaluation), the Accreditation Body, which joins Mutual Recognition Arrangement of ILAC (International Laboratory Accreditation Cooperation). It is periodically confirmed that the above Evaluation Facility meets the requirements on the appropriateness of the management and evaluators for maintaining the quality of evaluation. 7.2 Evaluation Approach The evaluation was conducted on the assurance requirements in the CC Part 3 required by the Conformance PP using the evaluation methods prescribed in the CEM and the assurance activities of the Conformance PP. Details for evaluation activities were reported in the Evaluation Technical Report. The Evaluation Technical Report explains the summary of the TOE as well as the content of the evaluation and the verdict for each work unit in the CEM and assurance activity of the Conformance PP. 7.3 Overview of Evaluation Activity The history of the evaluation conducted is described in the Evaluation Technical Report as follows. The evaluation started in 2018-09 and concluded upon completion of the Evaluation Technical Report dated 2019-01. The Evaluation Facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to a series of evaluation conducted. Furthermore, the evaluator conducted the evaluator testing at the developer site in 2018-10. Concerns found in evaluation activities were all issued as the Observation Report, and it was (they were) reported to the developer. All of the concerns were reviewed by the developer, and were solved eventually. JISEC-CC-CRP-C0631-01-2019 17 Concerns in the evaluation process that the Certification Body found were described as the certification oversight reviews, and they were sent to the Evaluation Facility. The Evaluation Facility and the developer examined them, which was reflected in the Evaluation Technical Report. 7.4 IT Product Testing The evaluator confirmed the validity of the testing that the developer had performed. As a result of the evidence shown in the process of the evaluation and those confirmed validity, the evaluator performed the evaluator independent testing and penetration testing based on vulnerability assessments judged to be necessary. 7.4.1 Developer Testing The TOE does not include the developer testing in the assurance requirements. 7.4.2 Evaluator Independent Testing The evaluator performed the evaluator independent testing (hereinafter referred to as the “independent testing”) to ensure that security functions are certainly implemented from the evidence shown in the process of the evaluation. The independent testing performed by the evaluator is explained below. (1) Independent Testing Environment The configuration of the independent testing conforms to the TOE operation environment shown in Figure 4-1 and the components are as shown in Figure 7-1. There are following differences. However, these configurations are the same as the ones identified by the ST, and it has been evaluated that there are no problems in confirmation of the TOE functions.  The TOE which was tested by the evaluator is a part of the combinations of the components of the TOE (Refer to Figure 2-1) which was described in Chapter 2, Identification. Though there are following differences depending on the TOE components, they were judged that they do not impact the security functions. The test target was the combination of the TOE components from which it can be confirmed that the following differences do not impact the security functions. - Difference of the print speed due to difference of the MFP JISEC-CC-CRP-C0631-01-2019 18 - Difference of the language settings depending on the sales area (Japanese or English) - Difference of the fax units (GD-1370J, GD-1370NA or GD-1370EU)  The firewall which is installed to protect the TOE from unauthorized access from the external network does not exist in the test environment because it does not impact on the TOE operation.  The telephone line pseudo exchange which can emulate the fax communication protocol which is the same as the public telephone line is used instead of the public telephone line.  In the TLS test, communication is made between the TOE and the server/client PC via the TLS test tool which was created by the Evaluation agency. The TLS test tool alters the packet data required in the assurance activity of the Conformance PP. It is not used for other tests.  The program for testing is used which was created by the developer for calling for the encryption module test within the TOE in a part of the tests such as the encryption test. The module called at the test which uses the program for testing is appropriate for the TOE function test because it is the same as that of the TOE module. Table 7-1 Test Configurations Configuration item Detail TOE e-STUDIO2018A ・Language: English ・Option (Fax Unit): GD-1370NA ・Option (FIPS hard disk kit): GE-1230 e-STUDIO5018A ・Language: Japanese ・Option (Fax Unit): GD-1370J ・Option (FIPS hard disk kit): GE-1230 e-STUDIO5018A ・Language: English ・Option (Fax Unit): GD-1370EU ・Option (FIPS hard disk kit): GE-1230 SYSLOG Server Syslog-ng 3.14.1 Mail Server Sendmail 8.152 FTP Server ProFTPD 1.3.6 Client PC Web browser: ・Internet Explorer 11 ・Google Chrome 63.0.3239.108 (for cipher suite test) Printer driver: ・TOSHIBA Universal Printer Driver2 7.204.4408.17 JISEC-CC-CRP-C0631-01-2019 19 (2) Summary of Independent Testing The independent testing conducted by the evaluator is as follows. a) Independent Testing Viewpoints The viewpoints for the independent testing that the evaluator designed from the Conformance PP requirements and the provided evaluation documentation are shown below. 1. To confirm the security functions per SFR. 2. To confirm that the encryption implementation is correct. b) Independent Testing Outline An outline of the independent testing that the evaluator performed is as follows. The behaviour of the external interface of the TOE was confirmed by performing entry using the TOE control panel, client PC, and test tools by the following means: ・The external interface of the TOE is used when the behaviour can be confirmed by the external interface of the TOE. ・The logs in the audit server are studied and the network analyzer and program for testing are used when the behaviour cannot be confirmed by the external interface of the TOE. The evaluator performed 18 items of the independent testing. Table 7-2 shows viewpoints of the independent testing and the content of the testing corresponding to them. Table 7-2 Performed Independent Testing Viewpoint Outline of the Independent Testing (1) Confirmation of the security functions ・Confirm that all security functions are as specified in the specifications per SFR by using the assurance activity of the Conformance PP or the test items created from the SFR specifications. JISEC-CC-CRP-C0631-01-2019 20 Viewpoint Outline of the Independent Testing (2) Confirmation of the encryption implementation ・Confirm the implementation of the following encryption algorithms which are the target of the test by using the program for testing installed in the TOE. - RSA (Key generation, Signature generation/verification) - AES-CBC-128, AES-CBC-256 - SHA1, SHA256, SHA512 - HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512 - Hash_DRBG, CTR_DRBG - KDF in Counter Mode c) Result All the independent testing performed by the evaluator was correctly completed, and the evaluator confirmed the behaviour of the TOE. The evaluator confirmed consistencies between the expected behaviour and all the testing results. JISEC-CC-CRP-C0631-01-2019 21 7.4.3 Evaluator Penetration Testing The evaluator devised and performed the necessary evaluator penetration testing (hereinafter referred to as the "penetration testing") on the potentially exploitable vulnerabilities of concern under the assumed environment of use and attack level from the evidence shown in the process of the evaluation. The penetration testing performed by the evaluator is explained as follows. (1) Summary of the Penetration Testing A summary of the penetration testing performed by the evaluator is described as follows. a) Vulnerability of Concern The evaluator searched into the provided documentation and the publicly available information for the potential vulnerabilities, and then identified the following vulnerabilities which require the penetration testing. 1. There is concern that an unintentionally open network port of the TOE or known vulnerabilities that may exist in the network service are exploited. 2. There is concern that the identification and authentication functions may be bypassed by directly specifying the URL through the web interface of the TOE or known vulnerabilities may exist such as XSS. 3. There is concern that print job operation, buffer overflow, or arbitrary code execution may occur due to wrong print data entered in the TOE. 4. There is concern that the identification and authentication functions may be bypassed by unauthorized entry from the control panel, printer driver or web interface. b) Penetration Testing Outline The evaluator performed the following penetration testing to identify potentially exploitable vulnerabilities. The penetration testing was performed in the same environment as the independent testing environment by installing the penetration testing tools shown in Table 7-3. Table 7-3 Penetration Testing Tools Name Outline/Purpose Port scanning tool nmap 7.60 It is used for searching the port. JISEC-CC-CRP-C0631-01-2019 22 Name Outline/Purpose Vulnerability scanning tool Nessus 6.11.1 It is used for detecting known vulnerabilities. Web vulnerability scanning tool OWASP ZAP 2.7.0 It is used for detecting general vulnerabilities in the web. Web application analyzing tool Fiddler 5.0.20173.50948 It is used for acquiring or issuing the communication data exchanged by the web applications. Printer security testing tool PRET 0.39 It is used for detecting vulnerabilities by using the printer language for the print device. TCP/UDP data communication tool Netcat 1.12 It is used for detecting vulnerabilities for identification and authentication. Penetration testing tool Metasploit Framework v4.6.2 It is used for creating a file for unauthorized printing. < Content of the Performed Penetration Testing > Table 7-4 shows vulnerabilities concerned and the content of the related penetration testing. Table 7-4 Outline of the Performed Penetration Testing Vulnerability Outline of the Testing (1) Confirm that no unexpected port is open and there is no known vulnerability in the available port by using the port scanning tool and vulnerability scanning tool. (2) Confirm that there is no known vulnerability in the web interface by using the web vulnerability scanning tool and web application analyzing tool. (3) Confirm that no unintended behaviour occurs by using the print data which is intended to generate wrong behaviour. (4) Confirm that no wrong behaviour occurs by character strings entered in the identification and authentication function. c) Result In the penetration testing performed by the evaluator, the evaluator did not find any exploitable vulnerabilities that attackers who have the assumed attack potential could exploit. JISEC-CC-CRP-C0631-01-2019 23 7.5 Evaluated Configuration The configuration conditions of the TOE, which are the assumptions of this evaluation, are described in the guidance documents shown in Chapter 6. The security functions of the TOE need to be activated and the TOE needs to be configured as described in the appropriate guidance documents for secure use. If these settings are not in accordance with the description of the guidance documents, such cases are not included in the assurance of this evaluation. 7.6 Evaluation Results The evaluator had concluded that the TOE satisfies all work units prescribed in the CEM and all assurance activities in the Conformance PP as per the Evaluation Technical Report. In the evaluation, the following were confirmed. - PP Conformance: Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 Protection Profile for Hardcopy Devices - v1.0 Errata #1, June 2017 Temporary treatment regarding FDP_DSK_EXT.1, Guideline for Certification Application with HCD-PP Conformance [16] - Security functional requirements: Common Criteria Part 2 Extended - Security assurance requirements: Common Criteria Part 3 Conformant As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance components required by the Conformance PP: ASE_INT.1, ASE_CCL.1, ASE_SPD.1, ASE_OBJ.1, ASE_ECD.1, ASE_REQ.1, ASE_TSS.1, ADV_FSP.1, AGD_OPE.1, AGD_PRE.1, ALC_CMC.1, ALC_CMS.1, ATE_IND.1, AVA_VAN.1 The result of the evaluation is only applied to those which are composed by the TOE corresponding to the identification described in Chapter 2. 7.7 Evaluator Comments/Recommendations There is no evaluator recommendation to be addressed to consumers. JISEC-CC-CRP-C0631-01-2019 24 Certification 8. Based on the evidence submitted by the Evaluation Facility during the evaluation process, the Certification Body has performed certification by checking that the following requirements are satisfied: 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be solved. 3. The submitted documentation was sampled, the content was examined, and the related work units in the CEM and assurance activities of the Conformance PP shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of the evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM and the assurance activities of the Conformance PP. Concerns found in the certification process were prepared as the certification oversight reviews, and they were sent to the Evaluation Facility. The Certification Body confirmed such concerns pointed out in the certification oversight reviews were solved in the ST and the Evaluation Technical Report and issued this Certification Report. 8.1 Certification Result As a result of verification of the received Evaluation Technical Report, Observation Reports and related evaluation documentation, the Certification Body determined that the TOE evaluation satisfies the assurance requirements required by the Conformance PP. 8.2 Recommendations It should be noted that the procurement personnel who are interested in the TOE need to refer to the descriptions of “4.3 Clarification of Scope” and “7.5 Evaluated Configuration” and to see whether or not the evaluated scope of the TOE and the operational requirements are consistent with the operational conditions that they assume. The old audit data will be lost in the case the audit data is not sent and the capacity of the storage area inside the TOE becomes full. Thus the operator has to periodically confirm whether the audit data is sent to the SYSLOG server. As explained in Chapter 2, it is required to confirm the packages of the options in addition to the indicated information of the TOE for confirming TOE identification. Be JISEC-CC-CRP-C0631-01-2019 25 careful not to throw away the packages because the TOE cannot be identified without them. Annexes 9. There is no annex. Security Target 10. The Security Target [12] of the TOE is provided as a separate document from this Certification Report. TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A Security Target, Version 0.14 (November 21, 2018) TOSHIBA TEC CORPORATION JISEC-CC-CRP-C0631-01-2019 26 Glossary 11. The abbreviations relating to the CC used in this report are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation PP Protection Profile SFR Security Functional Requirement ST Security Target TOE Target of Evaluation TSF TOE Security Functionality The abbreviations relating to the TOE used in this report are listed below. AES Advanced Encryption Standard CBC Cipher Block Chaining DRBG Deterministic Random Bit Genera FTP File Transfer Protocol HMAC Keyed-Hash Message Authentication Code HTTP Hypertext Transfer Protocol MFP Multifunction Peripheral PSTN Public Switched Telephone Network SHA Secure Hash Algorithm TLS Transport Layer Security XSS Cross Site Scripting The definitions of terms used in this report are listed below. Assurance activity Evaluation operation which has to be operated by the evaluator for conformance to the PP. It is a supplemental to the CEM and described in the Conformance PP for Conformance PP [14]. Copy function A function to copy and print the scanned paper document data by user’s operation from the control panel. JISEC-CC-CRP-C0631-01-2019 27 FAX function A function to transmit/receive document data with the external fax machines which are connected to the public telephone line and compliant with the G3 standard. There are the fax transmission function, which scans the paper document and transmits the scanned data to the external fax machine, and the fax reception function, which prints out the document data received from the external fax machine by user’s operation. Field Replaceable (Unit) The smallest subassembly that can be swapped in the field to repair a fault. Hardcopy Device A system producing or utilizing a physical embodiment of an electronic document or image. These systems include printers, scanners, fax machines, digital copiers, MFPs (multifunction peripherals), MFDs (multifunction devices), “all-in-ones” and other similar products. JCMVP It is an abbreviation of Japan Cryptographic Module Validation Program. Print function A function to receive the user document data from the printer driver of the client PC via the LAN and prints the data out by user’s operation from the control panel. Scan function A function to transmit the scanned paper document data to the mail server and FTP server by user’s operation from the control panel. JISEC-CC-CRP-C0631-01-2019 28 Bibliography 12. [1] IT Security Evaluation and Certification Scheme Document, July 2018, Information-technology Promotion Agency, Japan, CCS-01 [2] Requirements for IT Security Certification, September 2018, Information-technology Promotion Agency, Japan, CCM-02 [3] Requirements for Approval of IT Security Evaluation Facility, September 2018, Information-technology Promotion Agency, Japan, CCM-03 [4] Common Criteria for Information Technology Security Evaluation Part1: Introduction and general model Version 3.1 Revision 5, April 2017, CCMB-2017-04-001 [5] Common Criteria for Information Technology Security Evaluation Part2: Security functional components Version 3.1 Revision 5, April 2017, CCMB-2017-04-002 [6] Common Criteria for Information Technology Security Evaluation Part3: Security assurance components Version 3.1 Revision 5, April 2017, CCMB-2017-04-003 [7] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 5, April 2017, CCMB-2017-04-001, (Japanese Version 1.0, July 2017) [8] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 5, April 2017,CCMB-2017-04-002, (Japanese Version 1.0, July 2017) [9] Common Criteria for Information Technology Security Evaluation Part 3:Security assurance components, Version 3.1 Revision 5, April 2017,CCMB-2017-04-003, (Japanese Version 1.0, July 2017) [10] Common Methodology for Information Technology Security Evaluation : Evaluation methodology Version 3.1 Revision 5, April 2017,CCMB-2017-04-004 [11] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 5, April 2017,CCMB-2017-04-004, (Japanese Version 1.0, July 2017 [12] TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A Security Target, Version 0.14, (November 21, 2018), TOSHIBA TEC CORPORATION [13] TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A all of the above with FAX Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230) Evaluation Technical Report, Version 1.2, January 31, 2019, Information Technology Security Center Evaluation Department [14] Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 (Certification Identification: JISEC-C0553) [15] Protection Profile for Hardcopy Devices - v1.0 Errata #1, June 2017 JISEC-CC-CRP-C0631-01-2019 29 [16] Guideline for Certification Application with HCD-PP Conformance, Version 1.4, January 10, 2019, Information-technology Promotion Agency, Japan