CRP-C0167-01

Certification Report

Koji Nishigaki, Chairman
Information-technology Promotion Agency, Japan

Target of Evaluation

Application date/ID: 2007-12-05 (ITC-7187)
Certification No.: C0167
Sponsor: Sharp Corporation
Name of TOE: MX-FRX9
Version of TOE: Version M.10
PP Conformance: None
Conformed Claim: EAL3 Augmented with ADV_SPM.1
Developer: Sharp Corporation
Evaluation Facility: Japan Electronics and Information Technology Industries Association, Information Technology Security Center (JEITA ITSC)

This is to report that the evaluation result for the above TOE is certified as follows.

2008-05-30
Hideji Suzuki, Technical Manager
Information Security Certification Office
IT Security Center

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the "IT Security Evaluation and Certification Scheme".
- Common Criteria for Information Technology Security Evaluation Version 2.3
- Common Methodology for Information Technology Security Evaluation Version 2.3

Evaluation Result: Pass

"MX-FRX9 Version M.10" has been evaluated in accordance with the provisions of the "IT Security Certification Procedure" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements.

Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme.

Table of Contents

1. Executive Summary
  1.1 Introduction
  1.2 Evaluated Product
    1.2.1 Name of Product
    1.2.2 Product Overview
    1.2.3 Scope of TOE and Security Functions
  1.3 Conduct of Evaluation
  1.4 Certification
  1.5 Overview of Report
    1.5.1 PP Conformance
    1.5.2 EAL
    1.5.3 SOF
    1.5.4 Security Functions
    1.5.5 Threat
    1.5.6 Organisational Security Policy
    1.5.7 Configuration Requirements
    1.5.8 Assumptions for Operational Environment
    1.5.9 Documents Attached to Product
2. Conduct and Results of Evaluation by Evaluation Facility
  2.1 Evaluation Methods
  2.2 Overview of Evaluation Conducted
  2.3 Product Testing
    2.3.1 Developer Testing
    2.3.2 Evaluator Independent Testing
  2.4 Evaluation Result
3. Conduct of Certification
4. Conclusion
  4.1 Certification Result
  4.2 Evaluator comments/Recommendations
5. Glossary
6. Bibliography

1. Executive Summary

1.1 Introduction

This Certification Report describes the certification result of the IT Security Evaluation of "MX-FRX9 Version M.10" (hereinafter referred to as "the TOE") conducted by Japan Electronics and Information Technology Industries Association, Information Technology Security Center (JEITA ITSC) (hereinafter referred to as "Evaluation Facility"). It reports to the sponsor, Sharp Corporation, and provides information to the users and system operators who are interested in this TOE.

The reader of the Certification Report is advised to read the corresponding ST and the manuals attached to the TOE (please refer to "1.5.9 Documents Attached to Product" for further details) together with this report. The assumed environment, the corresponding security objectives, the security functional and assurance requirements needed for its implementation and their summary specifications are specifically described in the ST. The operational conditions and functional specifications are also described in the documents attached to the TOE.

Note that the Certification Report presents the certification result based on the assurance requirements to which the TOE conforms, and does not certify an individual IT product itself.
Note: In this Certification Report, the IT Security Evaluation Criteria and the IT Security Evaluation Method prescribed by the IT Security Evaluation and Certification Scheme are named CC and CEM, respectively.

1.2 Evaluated Product

1.2.1 Name of Product

The product covered by this certificate is as follows:

Name of Product: MX-FRX9
Version: Version M.10
Developer: Sharp Corporation

1.2.2 Product Overview

The TOE consists of two parts that enhance security functions for a Multi-Function Device (hereafter referred to as "MFD"): one part is an HDC, which is a hardware part in the MFD, and the other is MFD firmware. It is provided as an optional product. When installed in the MFD, it replaces the standard MFD firmware, offers the security functions and controls the entire MFD.

The TOE primarily consists of the cryptographic operation function, the data clear function and the confidential files function. These functions are intended to counter attempts to steal image data in an MFD. The cryptographic operation function encrypts image and other data that the MFD handles before storing them in the HDD or Flash memory (hereafter referred to as "MSD") in the MFD. The data clear function writes random values or a fixed value over the area of the encrypted data in the MSD in the MFD. The confidential files function lets a user store image data on the HDD with a password, to prevent others from reusing it without permission.

1.2.3 Scope of TOE and Security Functions

The TOE is provided by two ROM boards, which are a firmware upgrade kit for the MFD and HDC. The relation between the TOE and the MFD is shown in Figure 1-1. The TOE is shown as shaded areas in Figure 1-1.

[Figure 1-1: Physical configuration of the MFD and physical scope of the TOE. Labels in the diagram: MFD; Controller board; TOE (controller firmware); TOE (HDC); Microprocessor; Volatile memory; EEPROM; HDD; Flash memory; Engine unit (prints the image to the paper); Scanner unit (scans the original and gets the image); Operation panel; Fax I/F; NIC; USB I/F (Type A); USB I/F (Type B); Internal network; Fax line; To USB memory device; To client (printer driver); To client, mail server or FTP server; To other facsimile.]

The logical configuration of the TOE is shown in Figure 1-2. In Figure 1-2, the area in the thick-lined frame indicates the TOE. The rectangles indicate the TOE's functions and the rounded boxes indicate hardware devices. Among the TOE functions, the security functions and the data that the security functions handle are shaded. The arrows indicate the data flow.

[Figure 1-2: Logical configuration of the TOE. Labels in the diagram: TOE; Job control; MFD control; Network management; TSF_FDC Data clear; TSF_FKG Cryptographic key generation; TSF_FDE Cryptographic operation; TSF_AUT Authentication; TSF_FCF Confidential files; TSF_FNP Network protection; TSF settings; Network settings; Other MFD settings; Cryptographic key; Administrator password; Jobs completed list; Address book; Filing image data, confidential file password; Spool image data; HDC; Firmware; Volatile memory; HDD; Flash memory; EEPROM; Scanner unit; Engine unit; Operation panel; Network I/F; USB I/F (Type A); USB I/F (Type B); Fax I/F.]

Like the standard MFD firmware, the TOE provides the MFD functions, which are copy, printer, scanner, fax transmission, fax reception, and PC-Fax. The TOE executes the security functions automatically while each of these MFD functions is being executed. The functions of the TOE and the MFD functions are shown below.

1.2.3.1 TOE Functionality

The following functions are included within the logical scope of the TOE.

a) Cryptographic operation function (TSF_FDE): encrypts the user data and TSF data that is stored to the MSD in the MFD and decrypts the user data and TSF data that is retrieved from the MSD.
b) Cryptographic key generation function (TSF_FKG): generates the cryptographic key for the cryptographic operation function. The generated key is stored in the volatile memory in the MFD. A seed of the cryptographic key is generated once, when the TOE is installed. From then on, a cryptographic key is always generated from the seed whenever the MFD is powered on.

c) Data clear function (TSF_FDC): overwrites data to prevent the leak of information from the MSD in the MFD. This function consists of the data clear programs (Auto Clear at Job End, Clear All Memory, Clear Address Book Data and Registered Data in MFP, Clear Document Filing Data, Clear All Data in Job Status Jobs Completed List and Power Up Auto Clear) and the setting function for them (Data Clearance Settings). "Auto Clear at Job End" is invoked by each job and by the document filing function among the MFD functions.

d) Authentication function (TSF_AUT): identifies and authenticates an administrator by means of the administrator password. After this authentication the administrator can manage the TSF data, which contains the administrator password.

e) Confidential files function (TSF_FCF): requires authentication by means of the confidential file password to print or transmit image data (a confidential file) that is stored in the MFD using the document filing function. If an incorrect password for a confidential file is entered three times in a row, this function locks that file. Only the administrator can release the locked file.

f) Network protection function (TSF_FNP): consists of the following three functions.
  1. Filter function: restricts the parties allowed to communicate by IP address or MAC address.
  2. Communication data protection function: protects the communication data by SSL. If a client or protocol that does not support SSL is used, this function is not available.
  3. Network settings protection: provides the following network management function only to the administrator and does not allow other users to use it.

g) Job control function: provides the user interface and controls the actions for each MFD function, such as the job function, the address book function and the document filing function. It also manages jobs as a queue and keeps the jobs completed list on the HDD.

h) MFD control function: controls the MFD hardware. For jobs that require communication, it also converts the data format between the data received or transferred and the image data in the MFD.

i) Network management function: the function with which the administrator queries and modifies the address, the port and DNS used by the network function of the MFD. This function is invoked by the network protection function (TSF_FNP).

1.2.3.2 MFD Functionality

Most MFD functions are invoked by operations on the operation panel of the MFD. Some of them are invoked by operations from the Web for remote operation or by receiving data.

a) Job function: receives image data from the MFD's scanner unit, FTP, a USB memory device or fax reception, and spools the image data to the MSD in the MFD. The spooled image data is printed or transferred to the outside through the network. This function is realized by the job control function and the MFD control function.

b) Document filing function: files the job's image data to the HDD in the MFD so that it can be operated on later.

c) Address book function: stores destination fax numbers or e-mail addresses. The address book can be used to enter the destination of a transfer. The address book data is stored on the HDD and can be stored, modified and deleted from the operation panel or from the Web for remote operation. This function is invoked by the job control function.

1.2.3.3 Assets protected by the TOE

The following user data are assets that are protected by the TOE.
a) Image data that the MFD functions spool to process jobs: the image data that the TOE itself temporarily spools to the MSD in the MFD to process jobs when the user uses the MFD functions. Image data that is logically deleted but remains physically in the MSD when jobs are finished or cancelled is also included. This data may contain the users' sensitive information.

b) Image data that users stored as confidential files: the image data that users stored on the HDD as a confidential file. Image data that is logically deleted but remains physically on the HDD after the user deleted it is also included. This data may contain the users' sensitive information.

c) Address book data: the address book data that users store with the address book function and that is stored on the HDD. This data is personal data (destination name, mail address, fax number and others) that the proper users of the MFD share. Every record in this data can be viewed one by one from the operation panel.

d) Jobs completed list data: the data about completed jobs that the job control function keeps on the HDD, such as the user name or document name of jobs from the printer driver, the destination of fax transmission or reception, and others. Every record in this data can be viewed one by one from the operation panel.

e) Network settings data: the information about network settings that the MFD requires to connect to the network. If this data is modified dishonestly, assets may leak to the network unintentionally, or the modification may become a threat to other TSF functions.
The network settings data consists of:
- TCP/IP Settings (Enable TCP/IP, Enable DHCP, IP Address Settings)
- DNS Settings (Primary/Secondary DNS Server, Domain Name)
- WINS Settings (Enable WINS, Primary/Secondary WINS Server, WINS Scope ID)
- SMTP Settings (SMTP Server)
- LDAP Settings (Enable LDAP, LDAP Server)
- Tandem Settings (IP Address of Slave Machine, Disabling of Master Machine Mode)
- Port Control (Enabling or the port number for each network service)

1.3 Conduct of Evaluation

Based on the IT Security Evaluation/Certification Program operated by the Certification Body, the TOE functionality and its assurance requirements are evaluated by the Evaluation Facility in accordance with published documents such as "IT Security Evaluation and Certification Scheme"[2], "IT Security Certification Procedure"[3] and "Evaluation Facility Approval Procedure"[4].

The scope of the evaluation is as follows:
- Security design of the TOE shall be adequate;
- Security functions of the TOE shall satisfy the security functional requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- The above three items shall be evaluated in accordance with CC Part 3 and CEM.

More specifically, the Evaluation Facility examined "MX-FRX9 Security Target" as the basic design of the security functions for the TOE (hereinafter referred to as "the ST")[1], the evaluation deliverables related to the development of the TOE, and the development, manufacturing and shipping sites of the TOE. The Evaluation Facility evaluated whether the TOE satisfies both Annex A of CC Part 1 (either of [5], [8] or [11]) and the Functional Requirements of CC Part 2 (either of [6], [9] or [12]), and also evaluated whether the development, manufacturing and shipping environments for the TOE satisfy the Assurance Requirements of CC Part 3 (either of [7], [10] or [13]) as its rationale. This evaluation procedure and its result are presented in "MX-FRX9 Version M.10 Evaluation Technical Report" (hereinafter referred to as "the Evaluation Technical Report") [17]. Further, the evaluation methodology shall comply with the CEM (either of [14], [15] or [16]).

1.4 Certification

The Certification Body verified the Evaluation Technical Report and the Observation Report prepared by the Evaluation Facility and the evaluation evidence materials, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. A certification review was also prepared for the concerns found in the certification process. The evaluation was completed with the Evaluation Technical Report dated 2008-05 submitted by the Evaluation Facility; the problems pointed out by the Certification Body were fully resolved, and it was confirmed that the TOE evaluation was appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the Evaluation Facility and fully concluded the certification activities.

1.5 Overview of Report

1.5.1 PP Conformance

There is no PP to be conformed.

1.5.2 EAL

The Evaluation Assurance Level of the TOE defined by this ST is EAL3 augmented with ADV_SPM.1.

1.5.3 SOF

This ST claims "SOF-basic" as its minimum strength of function. The TOE is assumed to be used in a general office environment that is protected against attacks from any external networks. Since attacks with direct access to the TOE or from within the internal network take place under the observation of the administrator, no complicated attack needs to be assumed. Therefore it is reasonable for the TOE to assume attackers with low attack potential, and SOF-basic is sufficient as the minimum strength of function to counter low-level attacks.

1.5.4 Security Functions

The security functions of the TOE are as follows.
(1) Cryptographic key generation function (TSF_FKG):

The TOE generates a cryptographic key (common key) to support the encryption of the user data and the TSF data. When the MFD is powered on, a cryptographic key (common key) is always generated from the seed, which is generated from a random number. A 128-bit secure key is generated using the MSN-R Expansion algorithm for the AES Rijndael cipher. The MSN-R Expansion algorithm is a cryptographic key generation algorithm conformant to the Data Security Kit Encryption Standard. When installed, the TOE generates a seed that differs from one MFD to another. The generated key is held in the volatile memory.

(2) Cryptographic operation function (TSF_FDE):

This function always encrypts the user data and the TSF data when they are written to the MSD and decrypts them when they are used. The user data concerned is the image data that is spooled to the HDD or the Flash memory, the image data that is stored on the HDD, and the address book data and jobs completed list data that are stored on the HDD. The TSF data concerned is the confidential file password and the administrator password. The data is encrypted and decrypted by the AES Rijndael algorithm based on FIPS PUB 197, with the 128-bit cryptographic key generated by the cryptographic key generation function (TSF_FKG).

(3) Data clear function (TSF_FDC):

The TOE provides the data clear function, which clears the image data files that are spooled and stored, the address book data file and the jobs completed list data file. This function is invoked by each of the following MFD programs. Every clear program overwrites the HDD with random values as many times as specified in Data Clearance Settings, and the Flash memory once with a fixed value.

a) Auto Clear at Job End program: This program overwrites image data that has been spooled to the MSD to process a job, when the job ends, and image data stored on the HDD using the document filing function (including the confidential files function), when the user deletes the data.

b) Clear All Memory program: This program is invoked from the operation panel by the administrator who is identified and authenticated by the authentication function (TSF_AUT), and overwrites the spool image data, the filing image data and the jobs completed list data on the HDD, and the spool image data in the Flash memory. The address book data is cleared by program c) described below. Whenever a cancel operation is attempted while the Clear All Memory program is running, this TSF requires authentication of the administrator who invoked the program before allowing the cancellation. If an incorrect administrator password is entered three times in a row during authentication for the cancel operation, this program stops accepting further authentication attempts for five minutes.

c) Clear Address Book Data and Registered Data in MFP program: This program is invoked from the operation panel by the administrator who is identified and authenticated by the authentication function (TSF_AUT), and overwrites the address book data on the HDD. This program does not accept the cancel operation.

d) Clear Document Filing Data program: This program is invoked from the operation panel by the administrator who is identified and authenticated by the authentication function (TSF_AUT), and overwrites the specified spool image data or filing image data on the HDD. This program accepts the cancel operation in the same way as the Clear All Memory program.

e) Clear All Data in Job Status Jobs Completed List program: This program is invoked from the operation panel by the administrator who is identified and authenticated by the authentication function (TSF_AUT), and overwrites the jobs completed list data on the HDD. This program does not accept the cancel operation.

f) Power Up Auto Clear program: This program automatically overwrites and clears the target data when the TOE is powered on, unless the TOE has any reserved transmission jobs or any Fax/Internet fax reception jobs not yet printed out. The guidance calls users' attention to this. Settings configured beforehand determine whether this program runs when the TOE is powered on. The data to be cleared by this program also follows those settings. This program clears either all data, in the same way as the Clear All Memory program above, or the specified data on the HDD. The data on the HDD can be specified from among the spool image data, the filing image data and the jobs completed list data. This program accepts the cancel operation in the same way as the Clear All Memory program.

g) Data Clearance Settings: This TSF provides the following configuration functions (querying and modifying) for every program above, only to the administrator identified and authenticated by the authentication function (TSF_AUT).
- Number of Times Auto Clear at Job End Program is Repeated: [Accepts any integer between 1 and 7 inclusive. The default is 1.] The number of times the data on the HDD is overwritten by the Auto Clear at Job End program.
- Number of Times Data Clear is Repeated: [Accepts any integer between 1 and 7 inclusive. The default is 1.] The number of times the data on the HDD is overwritten by the Clear All Memory program, the Clear Address Book Data and Registered Data in MFP program, the Clear Document Filing Data program and the Clear All Data in Job Status Jobs Completed List program.
- Power Up Auto Clear: [Enable or disable for each data. The default is that the Power Up Auto Clear program is disabled for every data (no data is specified).] The data to be cleared by the Power Up Auto Clear program.
- Number of Times Power Up Auto Clear Program is Repeated: [Accepts any integer between 1 and 7 inclusive. The default is 1.] The number of times the data on the HDD is overwritten by the Power Up Auto Clear program.

(4) Authentication function (TSF_AUT):

This TSF enforces the identification and authentication of the administrator by the administrator password. The administrator password may consist only of 5 to 32 alphanumeric and/or symbol characters. When the authentication of the administrator succeeds, this function provides the interfaces of the administrator functions, such as Data Clearance Settings or Change Administrator Password. The administrator is identified by invoking an administration function or by the administrator login operation from the operation panel or the Web, and is authenticated by entering the password. The entered characters are hidden when the password is entered. If an incorrect administrator password is entered three times in a row during authentication of the administrator password, this program stops accepting further authentication attempts for five minutes.

(5) Confidential files function (TSF_FCF):

This TSF protects the data that is stored by the document filing function with the password specified by the user who stored the data. The confidential file password may consist only of 5 to 8 numeric characters. Whenever a user attempts an operation (preview, print and others) on a stored confidential file, this TSF requires the user to enter the confidential file password on the operation panel or the Web, and allows the operation only when a confidential file password is given and it is identical to the confidential file password set when the file was stored. The entered characters are hidden when the password is entered. If an incorrect confidential file password is entered three times in a row during the authentication before an operation on a stored confidential file, this TSF stops accepting further authentication attempts and locks the file to prohibit any operation.
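The two lockout behaviours described for TSF_AUT and TSF_FCF, modelled side by side as an added Python example (not code from the TOE, its developer or this report). The class and function names, the injectable clock, the PBKDF2 verifier, the symbol set and the counter restarting after the five-minute pause are assumptions; the thresholds and password formats come from the text above.

```python
import hashlib
import hmac
import os
import string
import time

MAX_FAILURES = 3              # "three times in a row" (from the report)
ADMIN_PAUSE_SECONDS = 5 * 60  # "five minutes" (from the report)

# The report does not list the permitted symbols; ASCII punctuation is assumed.
_ADMIN_CHARS = set(string.ascii_letters + string.digits + string.punctuation)


def valid_admin_password(pw):
    """Administrator password: 5 to 32 alphanumeric and/or symbol characters."""
    return 5 <= len(pw) <= 32 and set(pw) <= _ADMIN_CHARS


def valid_file_password(pw):
    """Confidential file password: 5 to 8 numeric characters (ASCII digits)."""
    return 5 <= len(pw) <= 8 and set(pw) <= set(string.digits)


class _Verifier:
    """Salted PBKDF2 verifier. The storage scheme is an assumption of this
    example; the report says only that the TOE stores passwords AES-encrypted."""

    def __init__(self, password):
        self._salt = os.urandom(16)
        self._digest = self._derive(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def matches(self, candidate):
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._digest, self._derive(candidate))


class AdminAuthenticator:
    """TSF_AUT-style policy: 3 consecutive failures pause attempts for 5 minutes."""

    def __init__(self, password, clock=time.monotonic):
        if not valid_admin_password(password):
            raise ValueError("administrator password does not meet the format")
        self._verifier = _Verifier(password)
        self._clock = clock                  # injectable so tests control time
        self._failures = 0
        self._paused_until = float("-inf")

    def authenticate(self, candidate):
        """Return 'ok', 'denied' or 'locked_out'."""
        now = self._clock()
        if now < self._paused_until:
            return "locked_out"              # the attempt is not evaluated at all
        if self._verifier.matches(candidate):
            self._failures = 0               # "in a row": success resets the count
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._paused_until = now + ADMIN_PAUSE_SECONDS
            self._failures = 0               # assumption: count restarts after pause
        return "denied"


class ConfidentialFile:
    """TSF_FCF-style policy: 3 consecutive failures lock the file until an
    authenticated administrator releases it (no time-based recovery)."""

    def __init__(self, password):
        if not valid_file_password(password):
            raise ValueError("confidential file password does not meet the format")
        self._verifier = _Verifier(password)
        self._failures = 0
        self.locked = False

    def open(self, candidate):
        """Return 'ok', 'denied' or 'locked'."""
        if self.locked:
            return "locked"                  # even the correct password is refused
        if self._verifier.matches(candidate):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self.locked = True
        return "denied"

    def release(self, admin, admin_password):
        """Release the lock; only succeeds after administrator authentication."""
        if admin.authenticate(admin_password) != "ok":
            return False
        self.locked = False
        self._failures = 0
        return True
```

The administrator pause clears on its own after five minutes, while a locked confidential file stays unusable, even with the correct password, until the administrator releases it.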
This TSF (TSF_FCF) provides the following management functions. Only the administrator identified and authenticated by TSF_AUT is allowed to execute these functions.

a) Disabling of Document Filing: disables saving image data as a non-confidential file, that is, a file saved with no password. The setting can be made for each job type. The default and recommended value is that all non-confidential modes are disabled.

b) Disabling of Print Jobs Other Than Print Hold Job: disables jobs that print out on the spot from the printer driver. This function denies jobs without the Hold setting and holds Hold jobs regardless of whether the job is specified to be printed out or not. This function is recommended in environments with a high risk that a third person takes away the output paper.

c) Release the lock of confidential files: releases confidential files that were locked by failed authentication of the confidential file password.

(6) Network protection function (TSF_FNP):

This TSF consists of the following three functions that are related to the network.

a) Filter function: This function restricts communication according to the IP address and MAC address. The address conditions that are allowed or denied to communicate are configured by the administrator beforehand, and this function allows or denies communication for packets whose address matches those conditions.

b) Communication data protection function: This function provides the HTTPS communication function to keep the Web communication between the client and the TOE confidential. This function also provides the IPP-SSL communication function to keep the data sent from the client's printer driver confidential.

c) Network settings protection: This function provides the interfaces to manage the network settings data required for the communication of the MFD, at the operation panel and on the TOE Web. Before providing the interfaces that manage the network settings data, this function enforces the identification and authentication of the administrator in the same way as TSF_AUT.

1.5.5 Threat

This TOE assumes the threats presented in Table 1-1 and provides functions to counter them.

Table 1-1 Assumed Threats

Identifier: Threat
T.RECOVER: An attacker removes the MSD from the MFD, and reads and leaks the user data stored in it (including the data that remains after deletion).
T.REMOTE: An attacker who is not allowed to access the MFD reads and modifies the address book data in the MFD through the internal network.
T.SPOOF: An attacker impersonating another user reads and leaks the image data that the user has saved as a confidential file, from the operation panel or through the internal network.
T.TAMPER: An attacker impersonating an administrator reads or modifies the network settings data from the operation panel or through the internal network.
T.TAP: An attacker wiretaps the user data on the internal network when a proper user communicates with the MFD.

1.5.6 Organisational Security Policy

The organisational security policy required in use of the TOE is presented in Table 1-2.

Table 1-2 Organisational Security Policy

Identifier: Organisational security policy
P.RESIDUAL: Upon completion or interruption of a job, the user data area spooled to the MSD shall be overwritten one or more times. The user data area in the MSD that is deleted by the user shall be overwritten one or more times. When the MFD is disposed of or its ownership changes, all user data areas in the MSD shall be overwritten one or more times.

1.5.7 Configuration Requirements

This TOE runs on the MX-6201N, MX-7001N, MX-6201NJ and MX-7001NJ, MFDs manufactured by SHARP.

1.5.8 Assumptions for Operational Environment

The assumptions required in the environment in which this TOE is used are presented in Table 1-3.
The effective performance of the TOE security functions are not assured unless these assumptions are satisfied. Table 1-3 Assumptions in Use of the TOE Identifier Assumptions A.NETWORK The MFD is connected to a subnetwork in the internal network protected against attacks from any external networks, where the subnetwork for the MFD connects nothing other than devices allowed to communicate with the MFD. A.OPERATOR The administrator is a trustworthy person who does not take improper action with respect to the TOE. 1.5.9 Documents Attached to Product Documents attached to the TOE are listed below. (1) For Japan: MX-FRX9 Data Security Kit Operation Manual Version: CINSJ4101FC51 Intended reader: administrator, user Contents: (Written in Japanese) This document is provided as the guidance of use the TOE. The items necessary for managing and operating the TOE such as usage of security function or setting method are described. MX-FRX9 Data Security Kit Notice Version: TCADZ1958FCZZ Intended reader: administrator, user Contents: (Written in Japanese) CRP-C0167-01 11 The items necessary for managing operating the TOE in a secure manner are described. MX-FRX9 Installation Manual Version: TCADZ1960FCZZ Intended reader: administrator and service person (a maintenance personnel from the sales company) Contents: (Written in Japanese) The work procedures for installation of the TOE on the main frame of MFD and the items that service person and administrator are required to perform for the secure management and operations of TOE are described to help install TOE. (2) For markets outside Japan: MX-FRX9 Data Security Kit Operation Manual Version: CINSE4102FC51 Intended reader: administrator, user Contents: (Written in English) This document is offered as the guidance to use the TOE. The items necessary for managing and operating the TOE such as usage of security function or setting method are described. 
- MX-FRX9 Data Security Kit Notice
  Version: TCADZ1959FCZZ
  Intended reader: administrator, user
  Contents: (Written in English) The items necessary for managing and operating the TOE in a secure manner are described.
- MX-FRX9 Installation Manual
  Version: TCADZ1961FCZZ
  Intended reader: administrator and service person (maintenance personnel from the sales company)
  Contents: (Written in 4 languages: English, French, German and Spanish) The work procedures for installing the TOE on the main frame of the MFD, and the items that the service person and administrator are required to perform for secure management and operation of the TOE, are described to help install the TOE.

2. Conduct and Results of Evaluation by Evaluation Facility

2.1 Evaluation Methods

The evaluation was conducted using the evaluation methods prescribed in CEM in accordance with the assurance requirements in CC Part 3. Details of the evaluation activities are reported in the Evaluation Technical Report. It contains an overview of the TOE and the content and verdict of the evaluation for each work unit prescribed in CEM.

2.2 Overview of Evaluation Conducted

The history of the evaluation conducted is presented in the Evaluation Technical Report as follows.

The evaluation started in 2007-12 and concluded with the completion of the Evaluation Technical Report dated 2008-05. The Evaluation Facility received a full set of the evaluation deliverables necessary for evaluation, provided by the developer, and examined the evidence in relation to the series of evaluations conducted. Additionally, the Evaluation Facility directly visited the development and manufacturing sites in 2008-02 and examined the procedures in place for each work unit for configuration management, delivery and operation, and life cycle by investigating records and interviewing staff.
Further, the Evaluation Facility carried out a sampling check of the developer's testing and conducted evaluator testing using the developer's testing environment at the developer site in 2008-02.

Concerns found in the evaluation activities for each work unit were all issued as Observation Reports and reported to the developer. These concerns were reviewed by the developer and all problems were eventually solved.

Concerns indicated by the Certification Body during the evaluation process were sent to the Evaluation Facility as the certification review. These were reflected in the evaluation after investigation by the Evaluation Facility and the developer.

2.3 Product Testing

An overview of the developer testing evaluated by the evaluator and of the evaluator testing conducted by the evaluator follows.

2.3.1 Developer Testing

1) Developer Test Environment

The test configuration used by the developer is shown in Figure 2-1.

[Figure 2-1: Configuration of Developer Testing. Labels in the diagram:]
- Hardware: (1) MFD; FAX Option; (15) USB memory; Controller PWB; (2) Testing ROM or (13) Product ROM; (3) HDC; (4) HDD; (13) Product ROM or (14) Standard ROM; (8) MFD(B); (5) Serial cable; (9) Pseudo exchange; (10) HUB; (11) Network cable; (12) Telephone cable
- (7) Client PC: (b) Web browser
- (6) Debug terminal PC: (a) Serial terminal software; (b) Web browser; (c) check_msn_r.exe; (d) dechdd.exe; (e) TIFF file viewer; (f) JPEG file viewer; (g) File dump software; (h) FTP server software; (i) FTP client software; (j) E-mail server software; (k) E-mail client software; (l) File server software; (m) HDD dump software; (n) ipconfig.exe; (o) md5.exe; (p) Printer driver; (q) PC-Fax driver; (r) PC-Internet Fax driver; (s) Sharpdesk; (t) TWAIN driver; (u) Template of TIFF file header; (v) jbig_dec_v2.exe; (w) Image file analysis software

2) Outlining of Developer Testing

An outline of the testing performed by the developer follows.

a. Test outline

The testing configuration used by the developer is as shown in Figure 2-1.
The developer testing was performed in a testing environment with a hardware and software configuration equivalent to the TOE configuration identified in the ST. Where the testing configuration does not completely match the configuration identified in the ST, it can be considered equivalent for the following reasons.

For the MFD in Figure 2-1, one of the MFD models (MX-6201N) that the ST identifies as the environment in which the TOE is used was employed for the testing. Since the HDC, a part of the TOE, is implemented in every model on which the TOE runs, and the HDC is the same part in every model, the MFD in the test configuration is equivalent to the MFDs that the ST identifies as the environment in which the TOE is used.

The testing ROM in Figure 2-1 differs from the TOE identified in the ST. However, the only differences are the addition of debug functions and the modification of some security functions for convenience of testing. The modified security functions were tested in advance using the product ROM to verify that they perform appropriately. Therefore, testing with the testing ROM and the product ROM can be considered equivalent to testing with the TOE identified in the ST.

b. Testing Approach

All tests of the TOE security functions are performed under the TOE testing environment configuration. The following two kinds of test environment exist for the TOE.

1) Environment using the product ROM
It is the same configuration that the user actually uses.

2) Environment using the testing ROM
In contrast to the environment using the product ROM, the testing ROM is used to read out the data in the MSD, before and after it is overwritten for clearing, to the debug terminal through the serial cable.

The appropriate environment is used according to the characteristics of each test.
The environment using the product ROM is used in tests whose results can be confirmed through input to and output from the standard external interfaces. The environment using the testing ROM is used in tests that require a special interface to confirm the result of input and output.

c. Scope of Testing Performed

The developer performed the 50 test items shown in Table 2-1.

A coverage analysis was conducted, and it was verified that all security functions described in the functional specification and the external interfaces were thoroughly tested. Then a depth analysis was conducted, and it was verified that all the subsystems described in the high-level design and the subsystem interfaces were thoroughly tested.

Table 2-1: Outlining of Developer Testing

| Test classification | TSF tested mainly | Items |
|---|---|---|
| Pre-test | None | 1 |
| Administrator authentication test | TSF_AUT | 4 |
| Cryptographic key generation test | TSF_FKG | 1 |
| Storing with encryption, retrieving with decryption and clearing test in the HDD | TSF_FDE, TSF_FDC | 16 |
| Storing with encryption, retrieving with decryption and clearing test in the Flash memory | TSF_FDE, TSF_FDC | 7 |
| Disabling of cancelling the data clearance test | TSF_FDC | 3 |
| Document filing function test | TSF_FCF | 13 |
| Network protection test | TSF_FNP | 5 |

d. Result

The evaluator confirmed the following items and that the developer testing was properly carried out.

- The TOE testing configuration in the developer testing is consistent with the TOE configuration defined in the ST.
- The test approach of the developer testing is appropriate for confirming the behaviour of the TSF and TSFI.
- The developer testing covers all the TSF, TSFI and subsystems in quantity and scope.
- The testing approach and the actual test results are consistent with those described in the test plan.
- All test results show the expected behaviour and no problems remain.
2.3.2 Evaluator Independent Testing

1) Evaluator Independent Test Environment

The test configuration used by the evaluator is the same as that of the developer testing.

2) Outlining of Evaluator Independent Testing

An outline of the testing performed by the evaluator follows.

a. Test configuration

The testing configuration used by the evaluator is the same as that of the developer testing.

b. Testing Approach

All tests of the TOE security functions were performed by the evaluator under the same conditions as the developer testing. The following approach was used for the testing.

1) Environment using the product ROM
It is the same configuration that the user actually uses.

2) Environment using the testing ROM
In contrast to the environment using the product ROM, the testing ROM is used to read out the data in the MSD, before and after it is overwritten for clearing, to the debug terminal through the serial cable.

The appropriate environment is used according to the characteristics of each test. The environment using the product ROM is used in tests whose results can be confirmed through input to and output from the standard external interfaces. The environment using the testing ROM is used in tests that require a special interface to confirm the result of input and output.

c. Scope of testing performed

Testing devised by the evaluator and testing sampled from the developer testing were conducted. The security functions targeted by the testing and the number of items are shown in Table 2-2.

Table 2-2: Scope of Evaluator Testing

| Test classification | The number of TSF | Items |
|---|---|---|
| Independent testing devised by the evaluator | 5 | 10 |
| Testing from sampling of developer testing | 6 (all) | 16 |
| Total | 11 | 26 |

In devising the independent tests, the evaluator took into account that the main security functions and all the external interfaces should be included.
The cryptographic key generation function (TSF_FKG) is tested only in the testing sampled from the developer testing, since power-on is the only TSFI of this function and the function is used infrequently during operation.

In sampling the developer testing, the evaluator took into account that all the security functions and TSFI should be included. Representative data were selected from among similar functions. More than 30% of the developer test items were performed.

7 items of penetration testing were also performed as part of the vulnerability assessment activity.

d. Result

All the evaluator testing conducted was completed correctly, and the behaviour of the TOE was confirmed. The evaluator also confirmed that all the test results are consistent with the expected behaviour. The evaluator also confirmed from the result of the penetration testing that there are no easily identifiable exploitable vulnerabilities.

2.4 Evaluation Result

By submitting the Evaluation Technical Report, the evaluator concluded that the TOE satisfies all work units prescribed in CEM.

3. Conduct of Certification

The Certification Body conducted the following certification activities based on the materials submitted by the Evaluation Facility during the evaluation process.

1. Contents pointed out in the Observation Report shall be adequate.
2. Contents pointed out in the Observation Report shall properly be reflected.
3. Evidential materials submitted were sampled, their contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report.
4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate.
5. The Evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM.

Concerns found in the certification process were prepared as the certification review and sent to the Evaluation Facility.
The Certification Body confirmed that the concerns pointed out in the Observation Report and the certification review were solved in the ST and the Evaluation Technical Report, and issued this certification report.

4. Conclusion

4.1 Certification Result

The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted, and confirmed that all evaluator action elements required in CC Part 3 were conducted appropriately for the TOE. The Certification Body determined that the TOE satisfies the assurance requirements of EAL3 augmented with ADV_SPM.1 components prescribed in CC Part 3.

4.2 Evaluator comments/Recommendations

There are no recommendations for consumers.

5. Glossary

The abbreviations relating to CC used in this report are listed below.

CC: Common Criteria for Information Technology Security Evaluation
CEM: Common Methodology for Information Technology Security Evaluation
EAL: Evaluation Assurance Level
PP: Protection Profile
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions

The abbreviations relating to the TOE used in this report are listed below.

AES: Advanced Encryption Standard, established by NIST (National Institute of Standards and Technology, United States of America)
HDD: Hard Disk Drive
IPP: Internet Printing Protocol, a communication protocol for printing.
IPP-SSL: IPP over SSL, IPP with protection of SSL.
LDAP: Lightweight Directory Access Protocol, a communication protocol for directory service.
MSD: Mass Storage Device, referring particularly to the HDD and flash memory in the MFD in this report.
SMTP: Simple Mail Transfer Protocol, a communication protocol to transfer E-mails.
WINS: Windows Internet Name Service, resolves a NetBIOS name into the IP address.

The terms used in this report are defined below.
Confidential file: Data that the user has saved under password protection to prevent manipulation by others.
Controller board: The board that controls the whole MFD. It contains the microprocessor that executes the firmware of the TOE, volatile memory, HDC, HDD and others.
Document filing: The function that stores image data handled by the MFD into the HDD, for users' later operations. This is also called "Filing" in this document.
External network: A network that is not the internal network of an organization and that the organization does not manage.
File manipulation: An operation to manipulate image data saved as a file.
Flash Memory: A type of non-volatile memory that allows the entire memory to be erased electrically all at once and also allows rewriting to any part of memory.
Hold: To store a job from the printer driver by filing.
Image data: The digital data that results from scanning an original on the MFD for a copy, print, scan, or fax transmission job. This is the data that is transmitted over or received from the telephone line during a PC FAX operation, fax transmission, or fax reception. Image data also refers to the data after it has been converted into a format that can be handled by the MFD.
Internal network: The network that is inside the organization and protected against security threats from any external networks.
Job: The sequence from beginning to end of the use of an MFD function (copy, print, scan send, fax reception, fax transmission, or PC-Fax). In addition, the instruction for a functional operation is sometimes called a job.
Memory: A memory device; in particular a semiconductor memory device.
Operation panel: The user interface unit on the front of the MFD. It contains the start key, numeric keys, function keys and a liquid crystal display with touch operation.
Spool: Storing the job's image data to the MSD temporarily to increase the input and output efficiency.
Standard firmware: The controller firmware installed in an MFD in which the TOE is not installed. The TOE contains the controller firmware, and the standard firmware is removed when the TOE is installed.
Subnetwork: A monolithic network that does not contain routers inside.
Tandem: Halving a job between two MFDs for efficient printing.
Unit: An item provided as standard that can be attached to or detached from a printed circuit board; or an option that is installed and is ready for operation. This can also be a system that includes a mechanism and is ready for operation.
Volatile memory: A memory device, the contents of which vanish when the power is turned off.

6. Bibliography

[1] MX-FRX9 Security Target Version 0.02 (January 22, 2008) Sharp Corporation
[2] IT Security Evaluation and Certification Scheme, May 2007, Information-technology Promotion Agency, Japan CCS-01
[3] IT Security Certification Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-02
[4] Evaluation Facility Approval Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-03
[5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3, August 2005, CCMB-2005-08-001
[6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components Version 2.3, September 2005, CCMB-2005-08-002
[7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components Version 2.3, September 2005, CCMB-2005-08-003
[8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3, August 2005, CCMB-2005-08-001 (Japanese Version 1.0, December 2005)
[9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components Version 2.3, August 2005, CCMB-2005-08-002 (Japanese Version 1.0, December 2005)
[10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components Version 2.3, August 2005, CCMB-2005-08-003 (Japanese Version 1.0, December 2005)
[11] ISO/IEC 15408-1:2005 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:2005 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:2005 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3, August 2005, CCMB-2005-08-004
[15] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3, August 2005, CCMB-2005-08-004 (Japanese Version 1.0, December 2005)
[16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology for IT security evaluation
[17] MX-FRX9 Version M.10 Evaluation Technical Report, Version 2.3, May 14, 2008, Japan Electronics and Information Technology Industries Association, Information Technology Security Center (JEITA ITSC)