Ärendetyp: 6 Diarienummer: 15FMV10417-63:1
Dokument ID FMVID-297-738
Template:
CSEC_mall_doc.dot,
7.0
Öppen
enligt Offentlighets- och sekretesslagen
(2009:400)
2016-06-09
Country of origin: Sweden
Försvarets materielverk
Swedish Certification Body for IT Security
Certification Report HP BBC
Issue: Draft, 1.0, 2016-jun-09
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 2 (21)
Table of Contents
1 Executive Summary 3
2 Identification 4
3 Security Policy 6
3.1 Auditing 6
3.2 Cryptography 6
3.3 Identification and Authentication 6
3.4 Data Protection and Access Control 7
3.5 Protection of the TSF 8
3.6 TOE Access Protection 8
3.7 Trusted Channel Communication and Certificate Management 9
3.8 User and Access Management 9
4 Assumptions and Clarifications of Scope 10
4.1 Usage Assumptions 10
4.2 Environmental Assumptions 10
4.3 Clarification of Scope 10
5 Architectural Information 11
6 Documentation 14
7 IT Product Testing 15
7.1 Developer Testing 15
7.2 Evaluator Testing 15
7.3 Evaluator Penetration Testing 15
8 Evaluated Configuration 16
9 Results of the Evaluation 17
10 Evaluator Comments and Recommendations 18
11 Glossary 19
12 Bibliography 20
Appendix A - QMS Consistency 21
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 3 (21)
1 Executive Summary
The Target of Evaluation, TOE, is the firmware of a multifunction printer (MFP), with
the exception of the operating system and the cryptographic module implementation.
Three versions of the MFP are included in the scope of the evaluation: the LaserJet
Enterprise MFP M527 Series, the Color LaserJet Enterprise MFP M577 Series, and
the PageWide Enterprise Color MFP 586 Series.
These MFPs provide network printing, copying, faxing and scanning functionality,
and jobs can be stored and printed from the console. The network connections are en-
crypted, password protected non-fax jobs are encrypted, PIN protected non-fax jobs
are protected by access control, and stored jobs may be printed from the MFP console.
The evaluated security features include administrator and user identification and au-
thentication, PIN or password protected encryption of jobs, and IPSec protected net-
work communication.
The implementation of the cryptographic module used for IPSec is outside the scope
of the evaluation, but the effect of cryptographic function calls from the TOE has been
verified. Other cryptographic implementations are within the scope of TOE.
The USB interface is disabled in the evaluated configuration.
The ST claims conformance to:
IEEE Std 2600.2-2009 Protection Profile for Hardcopy Devices, Operational Envi-
ronment B; December 2009, in accordance with the NIAP CCEVS Policy Letter #20.
The claim includes the following packagesfrom the PP:
2600.2-CPY, SFR Package for Hardcopy Device Copy (CPY) Functions
2600.2-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval
(DSR) Functions
2600.2-FAX, SFR Package for Hardcopy Device Fax (FAX) Functions
2600.2-PRT, SFR Package for Hardcopy Device Print (PRT) Functions
2600.2-SCN, SFR Package for Hardcopy Device Scan (SCN) Functions
2600.2-SMI, SFR Package for Hardcopy Device Shared-Medium Interface (SMI)
Functions
The evaluation has verified demonstrable conformance to the PP and conformance to
the package claims stated above.
The evaluation has been performed by atsec information security AB in their premises
in Danderyd, Sweden, and to some extent in the approved foreign location in Austin,
Texas, USA, and was completed on the 27th of May 2016.
The evaluation was conducted in accordance with the requirements of Common Crite-
ria, version 3.1, release 4, and the Common Methodology for IT Security Evaluation,
version 3.1, release 4. The evaluation was performed at the evaluation assurance level
EAL 2, augmented by ALC_FLR.2 Flaw reporting procedures.
atsec information security AB is a licensed evaluation facility for Common Criteria
under the Swedish Common Criteria Evaluation and Certification Scheme. atsec in-
formation security AB is is also accredited by the Swedish accreditation body
SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 4 (21)
The certifier monitored the activities of the evaluator by reviewing all successive ver-
sions of the evaluation reports. The certifier determined that the evaluation results
confirm the security claims in the Security Target [ST], and have been reached in
agreement with the requirements of the Common Criteria and the Common Methodol-
ogy for evaluation assurance level:
EAL 2 + ALC_FLR.2.
The invocation of cryptographic primitives has been included in the scope of this
evaluation, while correcness of the implementation of cryptographic primitives
has been excluded, and their implementation is outside the scope of TOE.
Correctness of the implementation of the cryptographic primitives is affirmed by
the vendor of the cryptographic library. Users of this product are advised to con-
sider their acceptance of this affirmation.
The certification results only apply to the versions of the products indicated in the
certificate, and on the condition that all the stipulations in the Security Target [ST]
are met.
This certificate is not an endorsement of the IT product by CSEC or any other
organization that recognizes or gives effect to this certificate, and no warranty of
the IT product by CSEC or any other organization that recognizes or gives effect
to this certificate is either expressed or implied.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 5 (21)
2 Identification
Certification Identification
Certification ID CSEC2015012
Name and version of the HP LaserJet Enterprise MFP M527 Series
certified IT product and (MFP M527dn, Flow MFP M527c, MFP M527f,
the TOE and Flow MFP M527z)
MFP firmware version 2307781_551187
JetDirect firmware version JSI23700101
HP Color LaserJet Enterprise MFP M577 Series
(MFP M577dn, MFP M577f, Flow MFP M577c,
Flow MFP M577z)
MFP firmware version 2307781_551183
JetDirect firmware version JSI23700101
HP Pagewide Enterprise Color 586 Series
(MFP 586dn, MFP 586f, Flow MFP 586z)
MFP firmware version 2307781_551192
JetDirect firmware version JSI23700101
Security Target HP LaserJet Enterprise MFP M527 Series
Color LaserJet Enterprise MFP M577 Series, and
PageWide Enterprise Color MFP 586 Series Firmware
with Jetdirect Inside Security Target
HP Inc. 2016-06-07, document version 2.0
Assurance level EAL 2 + ALC_FLR.2
Sponsor HP Inc.
Developer HP Inc.
ITSEF atsec information security AB
Common Criteria version 3.1 release 4
CEM version 3.1 release 4
Certification date 2016-06-15
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 6 (21)
3 Security Policy
The TOE provides the following security services:
- Auditing
- Cryptography
- Identification and Authentication
- Data Protection and Access Control
- Protection of the TSF
- TOE Access Protection
- Trusted Channel Communication and Certificate Management
- User and Access Management
3.1 Auditing
The TOE performs auditing of security relevant functions. Both the Jetdirect Inside
and HCD System firmware generate audit records. The TOE connects and sends audit
records to a syslog server for long-term storage and audit review. (The syslog server is
part of the Operational Environment.).
3.2 Cryptography
The external communication channels are protected with IPSec (the IPSec implemen-
tation is part of the operational environment), and non-fax jobs can be encrypted based
on a password (the implementation of job decryption is part of the TOE).
3.3 Identification and Authentication
Control Panel I&A
The Control Panel interface supports both local and remote sign in methods. The fol-
lowing sign in methods are allowed with the evaluated configuration:
Local sign in method:
- Local Device Sign In
Remote sign in methods:
- LDAP Sign In
- Windows Sign In (via Kerberos)
Local Device Sign In is only available through the Control Panel. The TOE contains a
local user database for defining non-administrative (U.NORMAL, by default) device
user
accounts and administrative (U.ADMINISTRATOR) device user accounts used to
support the Local Device Sign In mechanism. Each device user account contains the
following security attributes:
- Access Code (8 digits)
- Display Name
- Permission Set
The Access Code is a number that serves as both the login user identifier and the au-
thentication secret. Each user's Access Code is unique from all other Local Device us-
ers. In the evaluated configuration, the Access Code length must be 8 digits.
The Display Name is a unique name assigned to the account by the administrator. This
name is a security attribute because it is used in audit records to identify the user. (The
Access Code is not written in the audit records.).
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 7 (21)
The Permission Set defines/determines a user's access to many of the TOE's functions.
Like Local Device Sign In, the remote sign in methods are only used by the Control
Panel.The TOE receives authentication credentials from the Control Panel users and
passes the credentials to the remote sign in method. The remote sign in method returns
an authentication decision to the TOE. This decision is then enforced by the TOE by
granting or denying access to the Control Panel user.
In the case of LDAP, the user name and password entered at the Control Panel are
used to bind to the LDAP server. The user must have a valid and active LDAP account
in order to successfully bind using this method.
In the case of Kerberos, the user name and password entered at the Control Panel are
used to authenticate with the Windows domain controller. The user must have a valid
and active Windows domain account in order to successfully bind using this method.
The TOE contains a feature called Simplified Account Lockout to help protect against
brute-force attacks at the Control Panel. Each Control Panel sign in method performs
its Simplified Account Lockout independent of the other Control Panel sign in meth-
ods.
- The Administrator Access Code method inserts a 10 second delay between each
Administrator Access Code authentication attempt upon reaching 6 failed
attempts.
- The User Access Code method inserts a 10 second delay between each User
Access Code authentication attempt upon reaching 6 failed attempts.
- The LDAP/Windows Sign In method inserts a 10 second delay between each
authentication attempt by the same LDAP/Windows user upon reaching 6 failed
attempts.
IPsec I&A - The TOE uses IPsec to identify and mutually authenticate the following
user types:
- Administrative Computer (U.ADMINISTRATOR)
- Network Client Computers (U.NORMAL)
IPsec uses IP addresses and X.509v3 certificates via the IKE protocols (IKEv1 and
IKEv2) to identify and authenticate, respectively, a remote computer.
The User Identity of a remote computer is its IP address. The TOE's internal firewall
maintains lists (IPsec/Firewall address templates) of IP addresses of client computers
that can connect to the TOE as a Network Client Computer and as the Administrative
Computer. If a client computer has an unrecognized IP address that is not defined in
the IPsec/Firewall as either the Administrative Computer or a Network Client Com-
puter, then the remote computer is not allowed to connect to the TOE. Similarly, if the
remote computer presents an invalid or unknown (unrecognized CA) X.509v3 certifi-
cate, the IPsec mutual authentication mechanism will fail.
The TOE also uses IP addresses and X.509v3 certificates via the IKE protocols to
connect to and identify other trusted IT products.
Both the Administrative Computer and the Network Client Computers can access the
PJL Interface on port 9100, but only the Administrative Computer can access the EWS
(HTTP) interface, Web Services interface (OXPd and WS-*), and SNMP interface.
3.4 Data Protection and Access Control
- Permission Sets - For Control Panel users, the TOE uses a user's User Role (as de-
termined by each user's Permission Set) to determine a user's access to many TOE
functions. Only U.ADMINISTRATOR can create, modify, and delete Permission
Sets.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 8 (21)
- Job PINs - Users can control access to each stored print and stored copy job that they
place under the TOE's control by assigning a Job PIN to each job. A Job PIN limits
access to a stored print or stored copy job while the job resides under the TOE's con-
trol and allows a user to control when the job is printed so that physical access to the
hard copies can be controlled by the user. A Job PIN must be 4 digits (0000-9999) in
length. Only one Job PIN is permitted per job.
- Job Encryption Passwords - The TOE can store and decrypt encrypted stored print
jobs received from a client computer. A stored print job is first encrypted by the client
computer using a user-specified Job Encryption Password and AES-256 in CBC code.
The job is then sent encrypted to the TOE and stored encrypted by the TOE. To de-
crypt the job, a Control Panel user must enter the correct Job Encryption Password
used to encrypt the job.
- Common access control - The TOE protects each non-fax job in Job Storage from
non-administrative users through the use of a user identifier and a Job PIN or through
the use of a Job Encryption Password. The user identifier for a print job received from
a client computer is either assigned by that client computer or assigned by the user
sending the print job from the client computer. For all other types of jobs, the user
identifier is assigned by the TOE. Every non-fax job in Job Storage is assigned either a
Job PIN or a Job Encryption Password by the user at job creation time. The TOE pro-
tects each fax job in Job Storage through the Permission Set mechanism. Scan jobs are
ephemeral and not stored in Job Storage. Only the user performing the scan can access
the job on the TOE.
- TOE function access control - The TOE controls Control Panel access to TOE func-
tions through the use of Permission Sets. The home screen sign in process assigns the
Permission Set to the authenticated user's session. This session Permission Set be-
comes the user's User Role. Access to each TOE device function is configurable in a
Permission Set by an administrator. A user can perform any function permitted in the
session Permission Set. Control Panel applications use the user's Permission Set to de-
termine which of the application's functions should be allowed or disallowed for the
user.
- Residual Information Protection - Objects that are deleted in the TOE are made una-
vailable to TOE users preventing TOE users from recovering the contents of deleted
objects.
3.5 Protection of the TSF
- Restricted forwarding of data to external interfaces (including fax separation)
- The TOE allows an administrator to enable / disable the forwarding of data received
from an External Interface to the Shared-medium interface.
- TSF Self-Testing - The EWS interface allows an administrator
U.ADMINISTRATOR) to execute a set of correct operations tests, TSF Data integrity
tests, and integrity tests of TSF executable code.
- Reliable Timestamps - The TOE contains a system clock which is used to generate
reliable time stamps.
3.6 TOE Access Protection
- Inactivity Timeout - The TOE supports an inactivity timeout for Control Panel ses-
sions. If a logged in user is inactive for longer than the specified period, the user is au-
tomatically logged off of the system. The inactivity period is managed by the adminis-
trator via EWS (HTTP) or with WS-* web services.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 9 (21)
- Automatic logout - The administrator can optionally configure the TOE to automati-
cally sign users out after starting a job.
3.7 Trusted Channel Communication and Certificate Man-
agement
The TOE supports IPsec with X509v3 certificates to protect data transferred over the
Shared-medium interface, along with certificate management for adding, replacing,
and deleting certificates.
3.8 User and Access Management
The TOE supports the following types of users; administrators and users. These users
have the following management capabilities:
- Administrators - manage the security functionality of the device and manage users.
- Users - manage user data which they have access to.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 10 (21)
4 Assumptions and Clarifications of Scope
4.1 Usage Assumptions
The Security Target [ST] makes three assumptions on the usage of the TOE.
A.USER.TRAINING - TOE users are aware of the security policies and the proce-
dures of their organization, and are trained and competent to follow those policies and
procedures.
A.ADMIN.TRAINING - Administrators are aware of the security policies and proce-
dures of their organization, are trained and competent to follow the manufacturer's
guidance and documentation, and correctly configure and operate the TOE in accord-
ance with those policies and procedures.
A.ADMIN.TRUST - Administrators do not use their privileged access rights for mali-
cious purposes.
4.2 Environmental Assumptions
Four assumptions on the environment are made in the Security Target.
A.ACCESS.MANAGED - The TOE is located in a restricted or monitored environ-
ment that provides protection from unmanaged access to the physical components and
data interfaces of the TOE.
A.ADMIN.PC.SECURE - The administrative computer is in a physically secured and
managed environment and only the authorized administrator has access to it.
A.USER.PC.POLICY - User computers are configured and used in conformance with
the organization's security policies.
A.SERVICES.RELIABLE - When the TOE uses any of the network services SMB,
FTP, DNS, Kerberos, LDAP, SMTP, SharePoint, syslog, and/or WINS, these services
provide reliable information and responses to the TOE.
4.3 Clarification of Scope
The Security Target [ST] contains six threats, which have been considered during the
evaluation.
T.DOC.DIS - User Document Data may be disclosed to unauthorized persons.
T.DOC.ALT - User Document Data may be altered by unauthorized persons.
T.FUNC.ALT - User Function Data may be altered by unauthorized persons.
T.PROT.ALT - TSF Protected Data may be altered by unauthorized persons.
T.CONF.DIS - TSF Confidential Data may be disclosed to unauthorized persons.
T.CONF.ALT - TSF Confidential Data may be altered by unauthorized persons.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 11 (21)
5 Architectural Information
The TOE is the firmware of an enterprise MFP designed to be shared by many client
computers and human users. It performs the functions of printing, copying, scanning,
faxing, and storing of documents. It can be connected to a local network through the
embedded Jetdirect Inside's built-in Ethernet, to an analog telephone line using its in-
ternal analog fax modem, or to a USB device using its USB port (but the use of which
must be disabled in the evaluated configuration).
Figure 1: HCD physical diagram
Figure 1 shows a high-level physical diagram of a Hardcopy Device (HCD) with the
unshaded areas representing the TOE and the shaded areas indicating components that
are part of the Operational Environment.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 12 (21)
At the top of this figure is the Administrative Computer which connects to the TOE
using Internet Protocol Security (IPsec) with X.509v3 certificates for both mutual au-
thentication and for protection of data from disclosure and alteration. This computer
can administer the TOE using the following interfaces over the IPsec connection:
● Embedded Web Server (EWS)
● Simple Network Management Protocol (SNMP)
● Web Services:
- Open Extensibility Platform device (OXPd) Web Services
- WS* Web Services
The HTTP-based EWS administrative interface allows administrators to remotely
manage the features of the TOE using a web browser.
The Web Services allow administrators to manage the TOE using HP's Web Jetadmin
application, which is part of the Operational Environment. The TOE supports both
HP's Open Extensibility Platform device (OXPd) Web Services and certain WS-*
Web Services (conforming to the WS-* standards defined by w3.org) accessed via the
Simple Object Access Protocol (SOAP) and Extensible Markup Language (XML).
The SNMP network interface allows administrators to remotely manage the TOE us-
ing external SNMP-based administrative applications like the HP Web Jetadmin ad-
ministrative tool.
Printer Job Language (PJL) is used in a non-administrative capacity by the Adminis-
trative Computer. The Administrative Computer uses PJL to send print jobs to the
TOE as well as to receive job status. In general, PJL supports password-protected ad-
ministrative commands, but in the evaluated configuration these commands are disa-
bled.
Web Jetadmin uses the HTTP, OXPd, PJL, SOAP/XML, WS-*, and SNMP protocols
to manage the TOE. Remote applications such as web browsers and Web Jetadmin are
part of the Operational Environment, not part of the TOE.
The TOE protects all network communications with Internet Protocol Security (IPsec),
which is part of the embedded Jetdirect Inside firmware. Though IPsec supports mul-
tiple authentication methods, in the evaluated configuration, both ends of the IPsec
connection are authenticated using X.509v3 certificates. An identity certificate for the
TOE must be created outside the TOE, signed by a Certificate Authority (CA), and
imported (added) into the TOE with the Certificate Authority's CA certificate.
Because IPsec authenticates the computers (IPsec authenticates the computer itself;
IPsec does not authenticate the individual users of the computer), access to the Admin-
istrative Computer should be restricted to TOE administrators only.
The TOE distinguishes between the Administrative Computer and Network Client
Computers by using IP addresses, IPsec, and the embedded Jetdirect Inside's internal
firewall. In the evaluated configuration, the number of Administrative Computers used
to manage the TOE is limited to one and the Device Administrator Password must be
set.
The evaluated configuration supports the following SNMP versions:
- SNMPv1 read-only
- SNMPv2c read-only
- SNMPv3
Network Client Computers connect to the TOE using IPsec with X.509v3 certificates
to protect the communication and to mutually authenticate. These client computers can
send print jobs to the TOE using the PJL Interface as well as receive job status.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 13 (21)
The TOE supports an optional analog telephone line connection for sending and re-
ceiving faxes.
The TOE protects stored non-fax jobs with either a 4-digit Job PIN or by accepting
(and storing) an encrypted job from a client computer. Both protection mechanisms
are optional by default and are mutually exclusive of each other if used. In the evalu-
ated configuration, every stored non-fax job must either be assigned a 4-digit Job PIN
or be an encrypted job.
Each HCD contains a user interface called the Control Panel. The Control Panel con-
sists of a touchscreen LCD, and a physical home screen button that are attached to the
HCD. In addition, flow MFP models include a pull-out keyboard as part of the Control
Panel. The Control Panel is the physical interface that a user uses to communicate
with the TOE when physically using the HCD. The TOE’s Control Panel supports
both local and remote sign-in methods.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 14 (21)
6 Documentation
The following documents are included in the scope of the TOE:
HP LaserJet Enterprise MFP M527 User Guide
HP Color LaserJet Enterprise MFP M577 User Guide
PageWide Enterprise Color MFP 586 User Guide
Common Criteria Evaluated Configuration Guide for HP Multifunction Printers HP
Laserjet Enterprise MFP M527 Series Color Laserjet Enterprise MFP M577 Series
PageWide Enterprise Color MFP 586 Series
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 15 (21)
7 IT Product Testing
7.1 Developer Testing
The developer performed testing of the security functionality, as described by the se-
curity functional requirements in the Security Target, covering both IP v.4 and IP v.6,
for all three hardcopy devices (M527, M577, and 586). The developer testing was per-
formed in the developer's premises in Boise, Idaho, USA. Both manual testing and au-
tomated testing was performed.
7.2 Evaluator Testing
The evaluator's independent testing conducted a sample of the test cases provided by
the developer, a re-execution of the developer's automated tests, and a set of test cases
devised by the evaluator to improve coverage of the security functions and the TSFI.
The evaluators focussed on testing the M527 and 586 models.
The evaluator testing was performed in the developer's premises in Boise, Idaho.
7.3 Evaluator Penetration Testing
The evaluators performed port scans of the network interface of the TOE, covering
TCP and UDP ports both for IP v.4 and IP v.6. Penetration testing was performed on
all models, M527, M577, and 586, in the developer's premises in Boise, Idaho.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 16 (21)
8 Evaluated Configuration
The TOE shall be configured in accordance with the Common Criteria Evaluated Con-
figuration Guide for HP Multifunction Printers HP Laserjet Enterprise MFP M527 Se-
ries Color Laserjet Enterprise MFP M577 Series PageWide Enterprise Color MFP 586
Series, i.e.
- HP Digital Sending Software (DSS) must be disabled
- Device Administrator Password must be set as per P.ADMIN.PASSWORD
- Only one Administrative Computer is used to manage the TOE
- HP and third party applications cannot be installed on the TOE
- All non-fax stored jobs must be assigned a Job PIN or encrypted with a password
- All received faxes (excluding Fax Polling Receive jobs) must be stored in Job Stor-
age
- PC Fax Send must be disabled
- Type A and B ports must be disabled
- Remote Firmware Upgrade through any means other than EWS (e.g., PJL) and USB
must be disabled
- Jetdirect Inside management via telnet and FTP must be disabled
- Jetdirect XML Services must be disabled
- File System External Access must be disabled
- IPsec authentication using X.509v3 certificates must be enabled (IPsec authentica-
tion using Kerberos or Pre-Shared Key is not supported)
- IPsec Authenticated Headers (AH) must be disabled
- Full Authentication must be enabled (this disables the Guest account)
- SNMP support limited to:
- SNMPv1 read-only
- SNMPv2c read-only
- SNMPv3
- The Service PIN, used by a customer support engineer to access functions available
to HP support personnel, must be disabled
- Near Filed Communication (NFC) must be disabled
- Wireless Direct Print must be disabled
- PJL device access commands must be disabled
- When using Windows Sign In, the Windows domain must reject Microsoft NT LAN
Manager (NTLM) connections
- The “Save to HTTP” function is disallowed and must not be configured to func-
tion with an HTTP server
- Display Names for the Local Device Sign In method users and user names for the
LDAP and Windows Sign In method users must only contain the characters defined in
P.USERNAME.CHARACTER_SET.
- Remote Control-Panel use is disallowed as per
P.REMOTE_PANEL.DISALLOWED
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 17 (21)
9 Results of the Evaluation
The evaluators applied each work unit of the Common Methodology [CEM] within
the scope of the evaluation, and concluded that the TOE meets the security objectives
stated in the Security Target [ST] for an attack potential of Basic.
The certifier reviewed the work of the evaluator and determined that the evaluation
was conducted in accordance with the Common Criteria [CC].
The evaluators overall verdict is PASS.
The verdicts for the respective assurance classes and components are summarised in
the following table:
Assurance Class/Family Short name Verdict
Development ADV PASS
Security Architecture ADV_ARC.1 PASS
Functional Specification ADV_FSP.2 PASS
TOE Design ADV_TDS.1 PASS
Guidance Documents AGD PASS
Operational User Guidance AGD_OPE.1 PASS
Preparative Procedures AGD_PRE.1 PASS
Life-cycle Support ALC PASS
CM Capabilities ALC_CMC.2 PASS
CM Scope ALC_CMS.2 PASS
Delivery ALC_DEL.1 PASS
Flaw Remediation ALC_FLR.2 PASS
Security Target Evaluation ASE PASS
ST Introduction ASE_INT.1 PASS
Conformance Claims ASE_CCL.1 PASS
Security Problem Definition ASE_SPD.1 PASS
Security Objectives ASE_OBJ.2 PASS
Extended Components Definition ASE_ECD.1 PASS
Security Requirements ASE_REQ.2 PASS
TOE Summary Specification ASE_TSS.1 PASS
Tests ATE PASS
Coverage ATE_COV.1 PASS
Functional Tests ATE_FUN.1 PASS
Independent Testing ATE_IND.2 PASS
Vulnerability Assessment AVA PASS
Vulnerability Analysis AVA_VAN.2 PASS
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 18 (21)
10 Evaluator Comments and Recommendations
The evaluators do not have any comments or recommendations concerning the prod-
uct or using the product.
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 19 (21)
11 Glossary
AES Advanced Encryption Standard
AH Authentication Header (IPsec)
CBC Cipher Block Chaining
CIFS Common Internet File System
CRV Constrained Random Verification
CTS Cipher Text Stealing
DNS Domain Name System
ESP Encapsulating Security Payload (IPsec)
EWS Embedded Web Server
FTP File Transfer Protocol
HCD Hardcopy Device
HMAC Hashed Message Authentication Code
HTML Hypertext Markup Language
http Hypertext Transfer Protocol
IEEE Institute of Electrical and Electronics Engineers, Inc.
IKE Internet Key Exchange (IPsec)
IP Internet Protocol
IPsec Internet Protocol Security
ISAKMP Internet Security Association Key Management Protocol (IPsec)
LCD Liquid Crystal Display
LDAP Lightweight Directory Access Protocol
MAC Message Authentication Code
MFP Multifunction printer
NTP Network Time Protocol
OXP Open Extensibility Platform
OXPd OXP device layer
PIN Personal Identification Number
PJL Printer Job Language
PML Printer Management Language
PRF Pseudo-random Function
PSTN Public Switched Telephone Network
SFR Security Functional Requirement
SHA Secure Hash Algorithm
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol
TOE Target of Evaluation
USB Universal Serial Bus
WINS Windows Internet Name Service
XML Extensible Markup Language
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 20 (21)
12 Bibliography
ST HP LaserJet Enterprise MFP M527 Series,
Color LaserJet Enterprise MFP M577 Series,
And PageWide Enterprise Color MFP 586 Series Firmware
with Jetdirect Inside Security Target,
HP Inc., 2016-06-07, document version 2.0
UG527 HP LaserJet Enterprise MFP M527 User Guide,
HP Inc., 2015-11, Edition 1
UG577 HP Color LaserJet Enterprise MFP M577 User Guide,
HP Inc., 2015-11, Edition 1
UG586 PageWide Enterprise Color MFP 586 User Guide,
HP Inc., 2016-05, Edition 1
CCcfg Common Criteria Evaluated Configuration Guide for HP
Multifunction Printers HP Laserjet Enterprise MFP M527 Series
Color Laserjet Enterprise MFP M577 Series PageWide Enterprise
Color MFP 586 Series, HP Inc., 2016-03, Edition 1
CCpart1 Common Criteria for Information Technology Security Evaluation,
Part 1, version 3.1 revision 4, CCMB-2012-09-001
CCpart2 Common Criteria for Information Technology Security Evaluation,
Part 2, version 3.1 revision 4, CCMB-2012-09-002
CCpart3 Common Criteria for Information Technology Security Evaluation,
Part 3, version 3.1 revision 4, CCMB-2012-09-003
CC CCpart1 + CCpart2 + CCpart3
CEM Common Methodology for Information Technology Security
Evaluation, version 3.1 revision 4, CCMB-2012-09-004
SP-002 SP-002 Evaluation and Certification, CSEC, 2016-04-28, document
version 23.0
SP-188 SP-188 Scheme Crypto Policy, CSEC, 2016-01-13, document
version 5.0
Swedish Certification Body for IT Security
Certification Report HP BBC
15FMV10417-63:1 1.0 2016-06-09
FMVID-297-738 21 (21)
Appendix A - QMS Consistency
During the certification project, the following versions of the quality management sys-
tem (QMS) have been applicable since the certification application was received
2015-10-27:
QMS 1.18.1 valid from 2015-08-21
QMS 1.19 valid from 2016-02-05
QMS 1.19.1 valid from 2016-03-07
QMS 1.19.2 valid from 2016-04-28
In order to ensure consistency in the outcome of the certification, the certifier has ex-
amined the changes introduced in each update of the quality management system.
The changes between consecutive versions are outlined in “Ändringslista CSEC QMS
1.19.2”.
The certifier concluded that, from QMS 1.18.1 to the current QMS 1.19.2, there are no
changes with impact on the result of the certification.