CRP-C0479-01 Certification Report Kazumasa Fujie, Chairman Information-technology Promotion Agency, Japan Target of Evaluation (TOE) Application Date/ID 2014-05-21 (ITC-4507) Certification No. C0479 Sponsor KONICA MINOLTA, INC. TOE Name bizhub 4750 / bizhub 4050 PKI Card System Control Software TOE Version A6F730G0273999P PP Conformance None Assurance Package EAL3 Developer KONICA MINOLTA, INC. Evaluation Facility Mizuho Information & Research Institute, Inc. Information Security Evaluation Office This is to report that the evaluation result for the above TOE is certified as follows. 2015-08-26 Takumi Yamasato, Technical Manager Information Security Certification Office IT Security Center Technology Headquarters Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards prescribed in the "IT Security Evaluation and Certification Scheme Document." - Common Criteria for Information Technology Security Evaluation Version 3.1 Release 4 - Common Methodology for Information Technology Security Evaluation Version 3.1 Release 4 Evaluation Result: Pass "bizhub 4750 / bizhub 4050 PKI Card System Control Software" has been evaluated based on the standards required, in accordance with the provisions of the "Requirements for IT Security Certification" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. CRP-C0479-01 Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. CRP-C0479-01 Table of Contents 1. Executive Summary ............................................................................... 1 1.1 Product Overview ............................................................................ 1 1.1.1 Assurance Package ........................................................................ 1 1.1.2 TOE and Security Functionality ...................................................... 1 1.1.2.1 Threats and Security Objectives ................................................... 2 1.1.2.2 Configuration and Assumptions .................................................... 2 1.1.3 Disclaimers .................................................................................. 2 1.2 Conduct of Evaluation ...................................................................... 3 1.3 Certification ................................................................................... 3 2. Identification ....................................................................................... 4 3. Security Policy...................................................................................... 5 3.1 The Roles related to the TOE ............................................................. 5 3.2 Security Function Policies ................................................................. 5 3.2.1 Threats and Security Function Policies ............................................ 5 3.2.1.1 Threats ..................................................................................... 6 3.2.1.2 Security Function Policies against Threats ..................................... 6 3.2.2 Organizational Security Policies and Security Function Policies .......... 7 3.2.2.1 Organizational Security Policies ................................................... 7 3.2.2.2 Security Function Policies to Organizational Security Policies .......... 7 4. Assumptions and Clarification of Scope .................................................... 9 4.1 Usage Assumptions .......................................................................... 9 4.2 Environmental Assumptions .............................................................. 9 4.3 Clarification of Scope ..................................................................... 10 5. Architectural Information .................................................................... 11 5.1 TOE Boundary and Components ....................................................... 11 5.2 TOE Operating Environment ........................................................... 11 6. Documentation ................................................................................... 14 7. Evaluation conducted by Evaluation Facility and Results .......................... 15 7.1 Evaluation Facility ........................................................................ 15 7.2 Evaluation Approach ...................................................................... 15 7.3 Overview of Evaluation Activity ....................................................... 15 7.4 IT Product Testing ......................................................................... 16 7.4.1 Developer Testing ....................................................................... 16 7.4.2 Evaluator Independent Testing ..................................................... 21 7.4.3 Evaluator Penetration Testing ...................................................... 22 7.5 Evaluated Configuration ................................................................. 25 7.6 Evaluation Results......................................................................... 25 7.7 Evaluator Comments/Recommendations ............................................ 25 CRP-C0479-01 8. Certification ....................................................................................... 26 8.1 Certification Result........................................................................ 26 8.2 Recommendations .......................................................................... 26 9. Annexes ............................................................................................. 27 10. Security Target ................................................................................ 27 11. Glossary.......................................................................................... 28 12. Bibliography .................................................................................... 30 CRP-C0479-01 1 1. Executive Summary This Certification Report describes the content of the certification result in relation to IT Security Evaluation of "bizhub 4750 / bizhub 4050 PKI Card System Control Software, Version A6F730G0273999P" (hereinafter referred to as the "TOE") developed by KONICA MINOLTA, INC., and the evaluation of the TOE was finished on 2015-07 by Mizuho Information & Research Institute, Inc., Information Security Evaluation Office (hereinafter referred to as the "Evaluation Facility"). It is intended to report to the sponsor, KONICA MINOLTA, INC., and provide security information to procurement entities and consumers who are interested in this TOE. Readers of the Certification Report are advised to read the Security Target (hereinafter referred to as the "ST") that is provided along with this report. Especially, details of security functional requirements, assurance requirements and rationale for sufficiency of these requirements of the TOE are described in the ST. This Certification Report assumes "procurement entities who purchase the TOE that is commercially available" to be readers. Note that the Certification Report presents the certification result based on assurance requirements to which the TOE conforms, and does not guarantee an individual IT product itself. 1.1 Product Overview An overview of the TOE functions and operational conditions is described as follows. Refer to Chapter 2 and subsequent chapters for details. 1.1.1 Assurance Package Assurance Package of the TOE is EAL3. 1.1.2 TOE and Security Functionality bizhub 4750 / bizhub 4050, which the TOE is installed, are digital Multi Functional Peripherals (hereinafter referred to as the "MFP"), provided by KONICA MINOLTA, INC., composed by selecting and combining functions of copy, print, scan and FAX. The TOE is "bizhub 4750 / bizhub 4050 PKI Card System Control Software" that controls the entire operation of the MFP, including the operation control processing and the image data management triggered by the panel of the MFP main body or through the network. The TOE provides the protection function against the disclosure of the highly confidential documents stored in the MFP. Note that the TOE does not possess the audit log function. Moreover, against the risk of illegally taking out the HDD that is the medium to store image data in the MFP, the TOE can prevent unauthorized access by encrypting image data to be written in the HDD. Besides, the TOE provides the function to completely delete data area including image data stored in the HDD by a deletion method compliant with various overwrite deletion standards. Regarding these security functionalities, the validity of the design policy and the accuracy of the implementation were evaluated within the scope of the assurance package. Threats and assumptions that the TOE assumes are described in the next sections. CRP-C0479-01 2 1.1.2.1 Threats and Security Objectives The TOE counters each threat with the following security functions. - It is assumed as threat that information is leaked from the MFP after lease-return or discard of the MFP. To counter this threat, the TOE has the function to delete the information in the storage medium. - It is assumed as threat that the HDD is illegally stolen from the MFP, and information is leaked from the stolen HDD by accessing it. To counter this threat, the TOE encrypts and writes information in the HDD by using the encryption function. 1.1.2.2 Configuration and Assumptions The evaluated product is assumed to be operated under the following configuration and assumptions. It is assumed that the MFP including the TOE is installed in an office which is managed by an organization such as a company or its section, and is connected to the intra-office LAN. It is assumed that IC card reader is usable with the MFP and a client PC, while Active Directly and the SMTP server are usable at the LAN. In this usage environment, the MFP is managed not to be accessed from an external network even when the LAN is connected to an external network (outside of the organization such as Internet). Administrators and service engineers are assumed to be reliable. For example, it is assumed that they can keep the secret about their passwords and encryption passphrases. It is assumed that an IC card used in the use of the TOE is limited to its authorized user only. It is assumed that the TOE is used in a state where the setting of the enhanced security function is enabled. 1.1.3 Disclaimers - The encryption of the communications of image files, a digital signature, the IC card used for authentication, IC card reader, exclusive driver, and the function of Active Directory are not assured in this evaluation. - The TOE supports the information deletion function of the storage medium for the measure against the leakage of information when the MFP is discarded or returned. However, it is not assured in this evaluation that the information of setting values such as passwords does not remain in the eMMC area where it is unable to access from the TOE (this kind of area might exist by the characteristics of the eMMC.) - It is necessary to activate the setting of the enhanced security function. When it is activated, a part of MFP functions cannot be used. Refer to the description of each setting described in "1.4.3.5 Enhanced Security Function" of the ST. CRP-C0479-01 3 1.2 Conduct of Evaluation Under the IT Security Evaluation and Certification Scheme that the Certification Body operates, the Evaluation Facility conducted IT security evaluation and completed on 2015-07, based on functional requirements and assurance requirements of the TOE according to the publicized documents "IT Security Evaluation and Certification Scheme Document"[1], "Requirements for IT Security Certification"[2], and "Requirements for Approval of IT Security Evaluation Facility"[3] provided by the Certification Body. 1.3 Certification The Certification Body verified the Evaluation Technical Report [13] and the Observation Report prepared by the Evaluation Facility as well as evaluation documentation, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. The certification oversight reviews were also prepared for those concerns found in the certification process. Those concerns pointed out by the Certification Body were fully resolved, and the Certification Body confirmed that the TOE evaluation had been appropriately conducted in accordance with the CC ([4][5][6] or [7][8][9]) and the CEM (either of [10][11]). The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the Evaluation Facility and fully concluded certification activities. CRP-C0479-01 4 2. Identification The TOE is identified as follows: TOE Name: bizhub 4750 / bizhub 4050 PKI Card System Control Software TOE Version: A6F730G0273999P Developer: KONICA MINOLTA, INC. Administrators and users can ask service engineers as below to confirm that the product is the evaluated and certified TOE. TOE version, including TOE identification information, is displayed by the panel operation of service engineers. Administrators and users can confirm that the installed MFP is equipped with the evaluated and certified TOE, by confirming that TOE version is the same as the one described in a service manual. CRP-C0479-01 5 3. Security Policy This chapter describes security function policies that the TOE adopts to counter threats, and organizational security policies. The TOE provides the encryption function and the overwrite deletion function to prevent the leakage of information when the MFP is returned or discarded, or the HDD is illegally taken out. The TOE also realizes the following for customer's demand. - A mechanism to encrypt when sending and receiving highly confidential image files, to give a digital signature when sending the files from the TOE, and to print them out by only a user who sent the files when the TOE received. 3.1 The Roles related to the TOE The roles related to the TOE are defined as follows. (1) User An MFP user who owns an IC card. (In general, an employee in the office is assumed.) (2) Administrator An MFP user who manages the MFP operation. An administrator manages MFP's mechanical operations and users. (In general, a person who is elected among the employees in the office is assumed to play this role.) (3) Service engineer A user, who manages the maintenance of the MFP, performs the repair and adjustment of the MFP. (In general, a person in charge of the maintenance service of the MFP at a sales company in cooperation with KONICA MINOLTA, INC., is assumed.) (4) Responsible person of the organization that uses the MFP A responsible person of the organization that manages the office where the MFP is installed. An administrator who manages the MFP operation is assigned. (5) Responsible person of the organization that manages the maintenance of the MFP A responsible person of the organization that manages the maintenance of the MFP. A service engineer who manages the maintenance of the MFP is assigned. Besides these, though not a TOE user, those who go in and out the office are assumed to be accessible persons to the TOE. 3.2 Security Function Policies The TOE possesses the security functions to counter the threats shown in Section 3.2.1, and to satisfy the organizational security policies shown in Section 3.2.2. 3.2.1 Threats and Security Function Policies CRP-C0479-01 6 3.2.1.1 Threats The TOE assumes the threats shown in Table 3-1 and provides the security functions to counter them. Table 3-1 Assumed Threats Identifier Threat T.DISCARD-MFP (Lease-return and discard of the MFP) When leased MFPs are returned or when discarded MFPs are collected, encrypted print files, scanned image files, and stored image files can be leaked by a person with malicious intent when he/she analyzes the HDD in the MFP. In addition, administrator passwords and encryption passphrases can be leaked by a person with malicious intent when he/she analyzes the eMMC in the MFP. T.ACCESS-HDD (Unauthorized access to the HDD) Data stored on the HDD such as all image files and passwords can be leaked by a person or a user with malicious intent when he/she illegally accesses to the HDD installed on the MFP (such as removing the HDD and connecting it to PC to analyze) without using the MFP. 3.2.1.2 Security Function Policies against Threats The TOE counters the threats shown in Table 3-1 by the following security function policies. (1) Security function to counter the threat [T.DISCARD-MFP (Lease-return and discard of the MFP)] This threat assumes the possibility of leaking information from the eMMC and the HDD of the MFP collected from users. The TOE provides the function to overwrite data for the deletion of data area including image data in the HDD and the function to initialize information stored in the eMMC, so they prevent the leakage of the protected assets stored in the eMMC and the HDD of the MFP collected from users. The following methods can be chosen as the HDD overwrite deletion methods. (For example, it indicates that the first one overwrites once by 0x00 and that the second one overwrites in the order of Random numbers, Random numbers, and 0x00. "Verification" means to check that the last overwriting was correctly performed by actually reading the HDD. ) - 0x00 - Random numbers => Random numbers => 0x00 - 0x00 => 0xFF => Random numbers => Verification - Random numbers => 0x00 => 0xFF - 0x00 => 0xFF => 0x00 => 0xFF - 0x00 => 0xFF => 0x00 => 0xFF => 0x00 => 0xFF => Random numbers - 0x00 => 0xFF => 0x00 => 0xFF => 0x00 => 0xFF => 0xAA - 0x00 => 0xFF => 0x00 => 0xFF => 0x00 => 0xFF => 0xAA => Verification CRP-C0479-01 7 (2) Security function to counter the threat [T.ACCESS-HDD (Unauthorized access to the HDD)] This threat assumes the possibility of disclosure of the protected assets stored in the HDD by unauthorized access without using the MFP. The TOE counters the threat by encrypting TSF data and image data stored in the HDD. 3.2.2 Organizational Security Policies and Security Function Policies 3.2.2.1 Organizational Security Policies Organizational security policies required in use of the TOE are shown in Table 3-2. Table 3-2 Organizational Security Policies Identifier Organizational Security Policy P.COMMUNICATION-CRYPTO (Encrypted communication of image files) Highly confidential image files (encrypted print files, scanned image files) which are transmitted or received between IT devices must be encrypted. P.COMMUNICATION-SIGN (Signature of image files) A digital signature must be added to a mail that contains highly confidential image files (scanned image files). P.DECRYPT-PRINT (Decryption of image files) Highly confidential image files (encrypted print files) received by the MFP are permitted to print only to a user who generated those files. The term "between IT devices" here indicates between the MFP and client PC that a user uses. 3.2.2.2 Security Function Policies to Organizational Security Policies The TOE provides the security functions to satisfy the organizational security policies shown in Table 3-2. (1) Security function to satisfy the organizational security policy [P.COMMUNICATION- CRYPTO (Encrypted communication of image files)] This organizational security policy regulates that image files which flow on the network are encrypted to ensure confidentiality. Because it only needs to be available upon request, it does not need to encrypt all image files, except that encrypted print files and scanned image files need to be encrypted between the MFP and user's client PC in handling. In the TOE, by supporting the function to encrypt scanned image files sent by e-mail from the MFP to user's own client PC (referred to as the "S/MIME encryption function") CRP-C0479-01 8 and by encrypting the encrypted print files sent from the client PC to the MFP using the IC card and the exclusive driver, which are outside the TOE scope, it is possible to send and receive image files over the network in a confidential manner. (2) Security function to satisfy the organizational security policy [P.COMMUNICATION- SIGN (Signature of image files)] This organizational security policy regulates that a signature is appended to image files to be transmitted or received by e-mail in order to ensure the integrity of the files. Because this function only needs to be available upon request, a signature does not need to be appended to all image files, except that any scanned image files need to have a signature in handling. The TOE has a function to interlock with an IC card, which is outside the TOE scope, for scanned image files to be sent by e-mail from the MFP to user's own client PC (referred to as "IC card operation support function") and a function to append a signature to those scanned image files on its own (referred to as "S/MIME signature function"). With these functions, the TOE allows image files to be sent by e-mail while maintaining the integrity of those files. (3) Security function to satisfy the organizational security policy [P.DECRYPT-PRINT (Decryption of image files)] This organizational security policy regulates that only a user who generated encrypted print files can decrypt and print those encrypted print files. The TOE has a function to interlock with an IC card, which is outside the TOE scope, for encrypted print files (referred to as "IC card operation support function") and a function that those encrypted print files can be accepted to decrypt and print when the IC card which generated the encrypted print files is used (referred to as "encrypted print file decryption function"). Only a user who generated the encrypted print files can decrypt and print those files. CRP-C0479-01 9 4. Assumptions and Clarification of Scope This chapter describes the assumptions and the operational environment to operate the TOE as useful information for the assumed readers to determine the use of the TOE. 4.1 Usage Assumptions Table 4-1 shows assumptions to operate the TOE. The effective performances of the TOE security functions are not assured unless these assumptions are satisfied. Table 4-1 Assumptions in Use of the TOE Identifier Assumptions A.ADMIN (Personnel conditions to be administrators) Administrators, in the role given to them, will not carry out a malicious act during the series of permitted operations given to them. A.SERVICE (Personnel conditions to be service engineers) Service engineers, in the role given to them, will not carry out a malicious act during series of permitted operations given to them. A.NETWORK (Network connection conditions for the MFP) When the intra-office LAN, where the MFP with the TOE equipped will be installed, is connected to an external network, access from the external network to the MFP is not allowed. A.SECRET (Operational conditions on secret information) Each password and encryption passphrase used shall not be leaked from each user in the use of the TOE. A.IC-CARD (Operational condition on IC card) The IC card used is owned by the authorized user in the use of the TOE. 4.2 Environmental Assumptions The TOE is installed in either bizhub 4750 or bizhub 4050, which is the MFP provided by KONICA MINOLTA, INC. It is assumed that the IC card reader is connected to the MFP. It is assumed that the MFP including the TOE is installed in an office which is managed by an organization such as a company or its section, and is connected to the intra-office LAN. It is assumed that Active Directory is connected to the intra-office LAN to authenticate user's IC card. It is assumed that a client PC with the exclusive printer driver installed and connected to the IC card reader is connected to the intra-office LAN. The SMTP server is assumed to be connected to the intra-office LAN. It is optional whether DNS server is used in the intra-office LAN. CRP-C0479-01 10 It should be noted that the reliability of the hardware and the cooperating software shown in this configuration is out of the scope in the evaluation. Those are assumed to be trustworthy. 4.3 Clarification of Scope The reliability of the IC card, IC card reader, exclusive driver, Active Directory, and eMMC in the following case is not within the scope of this evaluation. - The encryption of communication of image files, digital signature, and authentication are necessary in order to realize the organizational security policies. Though the TOE cooperates with the IC card, IC card reader, exclusive driver, and Active Directory, these are outside the TOE scope and are not within the scope of this evaluation. - There is a possibility that information on setting values such as passwords might remain in the eMMC area where it is unable to access from the TOE. (This kind of area might exist by the characteristics of the eMMC.) Such remaining information is protected by the difficulty of obtaining the remaining information from the eMMC. The eMMC is outside the TOE scope, and the difficulty of obtaining the remaining information is not within the scope of this evaluation. CRP-C0479-01 11 5. Architectural Information This chapter explains the scope and the main components (subsystems) of the TOE. 5.1 TOE Boundary and Components The physical scope of the TOE is the following software: - Controller firmware (existing in the eMMC) The controller firmware is the software that controls the entire operation of the MFP, including the OS. The software provides a series of functions (basic functions) for office work such as copy, print, scan and FAX, as well as security functions. 5.2 TOE Operating Environment Figure 5-1 shows the composition of the hardware environment in the MFP that the TOE needs for the operation. The MFP controller is installed in the MFP main body, and a controller firmware exists in the eMMC on the MFP controller, and it is loaded onto the volatile RAM (referred to as the “RAM” in Figure 5-1) and operates when the MFP is turned on. The following Figure 5-1 shows characteristic hardware on the MFP controller and the hardware having MFP controller and interfaces. mfp CPU RAM ASIC HDD Panel Power Source FAX Unit - Scanner Unit - Automatic Document Feeder Printer Unit mfp Controller Public Line Operator Operator Paper Paper eMMC - Controller Firmware (OS) - Firmware other than TOE (Engine, Panel, Scanner, FAX and Boot controller) - IC card reader driver - Message data etc IC Card Reader ■ IC Card Device USB Host USB Ethernet Figure 5-1 Hardware composition relevant to the TOE CRP-C0479-01 12 - HDD (Hard Disk Drive) Image data as well as IC card ID are stored. - Panel An exclusive control device for the MFP operation, equipped with a touch panel of a liquid crystal monitor, numeric keypad, start key, stop key, screen switch key, etc. - Power Source Power switches for activating the MFP. - Ethernet Ethernet connection interface device, supporting 10BASE-T, 100BASE-TX, and Gigabit Ethernet. - Device USB A port on the back of the MFP main body for local printing. - Host USB A USB port on the panel side of the MFP for connecting the IC card reader. A user can access to the MFP using the IC card. It can be used for TOE update, printing from the USB flash drive connected to the USB interface, or storing scanned data. Note that the encryption print and S/MIME encryption processing functions are not included in this printing and scanning. - FAX Unit A device that is used for FAX communications via the public line. - Scan Unit / Automatic Document Feeder A device that scans images and photos from paper and converts them into digital data. - Printer Unit A device to actually print image data which were converted for printing when receiving a print request from the MFP controller. - eMMC (Embedded MultiMedia Card) An NAND type flash memory storing the following information: > Object code of controller firmware for overall control software, which is the TOE > Object code of firmware other than the TOE, such as Engine, Panel, Scanner and FAX, as well as IC card reader driver, and object code of Boot controller, etc. > Message data in supporting languages to display responses for access from the panel or network > Various setting values used in the TOE processing, which are required for the MFP operation. Administrator passwords, CE passwords and encryption passphrases are included. - ASIC (Application Specific Integrated Circuit) An integrated circuit designed for overall image processing. It also processes image development and color adjustment when the image is printed. - IC Card An IC card that supports the standard specification of Common Access Card (CAC) and CRP-C0479-01 13 Personal ID Verification (PIV). - IC Card Reader A device to read IC cards. - IC Card Reader Driver A driver to access to an IC card reader. CRP-C0479-01 14 6. Documentation The identification of documents attached to the TOE is listed below. TOE users are required to fully understand and comply with the following documents in order to satisfy the assumptions. - bizhub 4750/4050 for PKI Card System User’s Guide [Security Operations] Ver.1.04 - bizhub 4750/4050 for PKI Card System User’s Guide [Security Operations] Ver.1.04 - bizhub 4750/4050 for PKI Card System SERVICE MANUAL [SECURITY FUNCTION] Ver.1.03 - bizhub 4750/4050 for PKI Card System SERVICE MANUAL [SECURITY FUNCTION] Ver.1.03 CRP-C0479-01 15 7. Evaluation conducted by Evaluation Facility and Results 7.1 Evaluation Facility Mizuho Information & Research Institute, Inc., Information Security Evaluation Office that conducted the evaluation as the Evaluation Facility is approved under JISEC and is accredited by NITE (National Institute of Technology and Evaluation), the Accreditation Body, which is agreed on mutual recognition with ILAC (International Laboratory Accreditation Cooperation). It is periodically confirmed that the above Evaluation Facility meets the requirements on the appropriateness of the management and evaluators for maintaining the quality of evaluation. 7.2 Evaluation Approach Evaluation was conducted by using the evaluation methods prescribed in the CEM in accordance with the assurance components in the CC Part 3. Details for evaluation activities were reported in the Evaluation Technical Report. The Evaluation Technical Report explains the summary of the TOE as well as the content of the evaluation and the verdict of each work unit in the CEM. 7.3 Overview of Evaluation Activity The history of the evaluation conducted is described in the Evaluation Technical Report as follows. The evaluation has started on 2014-05 and concluded upon completion of the Evaluation Technical Report dated 2015-07. The Evaluation Facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to a series of evaluation conducted. Additionally, for site inspections, considering the previous inspections for the same series of the TOE, the evaluator directly visited the development and manufacturing sites on 2014-10, 2015-01 and 2015-04 and examined procedural status of configuration management, delivery, and security measures, focusing on the different parts of those from the same series of the TOE, by investigating records and interviewing staff. Furthermore, the evaluator conducted the sampling check of the developer testing and the evaluator testing by using the developer testing environment at the developer site on 2015-04. Concerns found in evaluation activities for each work unit were all issued as the Observation Report, and it was reported to the developer. Those concerns were reviewed by the developer, and all the concerns were solved eventually. Concerns that the Certification Body found in the evaluation process were described as the certification oversight reviews, and those were sent to the Evaluation Facility. After the Evaluation Facility and the developer examined them, those concerns were reflected in the Evaluation Technical Report. CRP-C0479-01 16 7.4 IT Product Testing The evaluator confirmed the validity of the testing that the developer had performed. As a result of the evidence shown in the process of the evaluation and those confirmed validity, the evaluator performed the reproducibility testing, additional testing and penetration testing based on vulnerability assessments judged to be necessary. 7.4.1 Developer Testing The evaluator evaluated the integrity of the developer testing that the developer performed and the documentation of actual testing results. The content of the developer testing evaluated by the evaluator is explained as follows. 1) Developer Testing Environment Figure 7-1 shows the testing configuration performed by the developer, and Table 7-1 shows a list of main components. MFP External authentication /DNS/NTP server Hub XMail server RJ45 Supplementary PC RJ45 PKI card reader PKI card reader RJ45 CSRC center PC PC for terminal RS232C cable SATA analyzer SATA HDD SATA cable SATA cable RJ11 RJ11 USB cable SATA HDD USB-SATA USB-serial KM original debug board Pseudo-exchange USB cable Figure 7-1 Configuration of the Developer Testing It has been confirmed by the evaluator that the developer testing was performed in the same TOE testing environment as the TOE configuration identified in the ST. CRP-C0479-01 17 The specific rationales are described as follows: - The TOE is installed to the same MFP (bizhub 4750 / bizhub 4050) as identified in the ST. - Although the CSRC center PC (CSRC is a maintenance service to remotely control MFP device status), a device for debug, and a device to capture data that the MFP writes onto the HDD are connected, they do not affect the operation of TOE security functions and testing results. Table 7-1 Main Components of the Developer Testing No. Name of Component Outline and Purpose of Use 1 bizhub 4750/ bizhub 4050 (MFP) The MFPs for testing with the TOE installed for firmware. - TOE reference Name: bizhub C4750 / bizhub 4050 PKI Card System Control Software Version: A6F730G0273999P 2 IC card reader (AU-211P / Identive SCR-3310 / SCR-3310v2) It reads IC card information from an IC card. It is connected to the MFP and supplementary PC. 3 IC card (PIV/CAC) IC card to achieve the PKI function. It is used for "Card authentication," "encryption print," and "S/MIME sending and receiving," etc. 4 Supplementary PC It is a network-connected PC which runs on Windows 7 Professional SP1. It is used for tests that require the network access, such as the SNMP, encryption print, and S/MIME e-mail receiving. 5 External Authentication / DNS / NTP Server A server which runs on WindowsServer2003R2 SP2 or WindowsServer2003 SP2. It provides the following server functions: - External Authentication (managing access authority (of owner) using Active Directory) - DNS server (translating domain names into IP addresses) - NTP server (adjusting the time of the supplementary PC) 6 XMail Server A server used to send and receive e-mail on the Internet. It performs operation tests based on the network setting of the MFP. 7 HUB A connection device for building the LAN. It uses a HUB that can achieve TCP/IP connection of 100BASE-T specification. CRP-C0479-01 18 No. Name of Component Outline and Purpose of Use 8 RJ45 (LAN cable) A communication cable, which is 10BASE / 100BASE-T compliant, for connecting the MFP to the HUB, or connecting the backbone network connected to the supplementary PC, external authentication server, and XMail server, to the HUB. 9 USB cable A cable for connecting the MFP to the supplementary PC. 10 SATA Protocol Analyzer A tool to capture the HDD write processing. 11 USB-SATA Adaptor for connecting SATA HDD to the PC via the USB. 12 CSRC Center PC It is used for CSRC tests. 13 Terminal PC It is used for debug operation via the KM original debug board. 14 USB-Serial cable A USB to serial conversion cable. It adds a serial port to the supplementary PC. 15 RS232C cable A communication cable for connecting a serial port to the KM original debug board. 16 KM original debug board The KM original PCB for debugging. By connecting this board to the MFP with RS232C cable, it enables debug operation from the terminal PC. 17 Pseudo-exchange By connecting the modem in the PC to the MFP with a modular cable, it realizes pseudo-public line. 18 RJ11 (Modular cable) A telephone line cable of RJ11 type. Note: "SATA HDD" in Figure 7-1 indicates the HDD that is built in the MFP. 2) Summary of the Developer Testing A summary of the developer testing is as follows. a. Developer Testing Outline An outline of the developer testing is as follows. As an interface to stimulate security functions, panel operation of the MFP and operation from the supplementary PC which is connected to the MFP via network or USB were used. To confirm the operation results of the security functions, a method to visually confirm the panel display, display on the supplementary PC with network connection, and display on the terminal PC for output from the debug board, and a method to confirm the results captured by an analysis tool connected to the MFP were adopted. Concerning the HDD encryption function, a test on mounting the HDD and decryption test for encrypted files were conducted using the PC environment with equivalent functions. Concerning CRP-C0479-01 19 communication data on the network, the content is confirmed by capturing communication packets on the supplementary PC. Table 7-2 shows software and tools used in the developer testing. Table 7-2 Developer Testing Tools No. Name of device and software Outline and Purpose of use 1 KONICA MINOLTA 4750 Series PCL6 v1.1.5.0 Exclusive printer driver software for PKI Card System. 2 ActiveClient v7.0.2.25 Driver software for IC card. It is used as a driver for IC card in the supplementary PC. 3 WireShark Ver. 1.12.0 Software tool for monitoring and analyzing the communications on the LAN. It is used for acquiring communication logs. 4 Mozilla Thunderbird Ver. 31.0 General purpose mailer software. It is used as a confirmation tool of S/MIME mails on the supplementary PC. 5 Open SSL Ver.1.0.1h Software tool for the hash function and encryption / decryption function. It is used for verifying S/MIME signature. 6 Tera Term Pro Ver. 4.82 Terminal software executed in the terminal PC. It is used to connect with the MFP and to operate the terminal software installed in the MFP to monitor the state of the TOE. 7 Stirling Ver. 1.31 Binary editor software tool. It is used for confirming encryption keys, contents of decode S/MIME messages and editing print files. 8 Base64 encoder V4.41 Software tool to encode/decode Base64 encoder. It is used for decoding S/MIME messages. 9 XMail Ver.1.27 XMailCFG241b.zip It is used for the mail server function. 10 Apache 2.2.25 Software for Web server. It is used for managing Xmail (mail server). 11 ActivePerl 5.16.3.1603 perl interpreter software. It is used for mail server operation. 12 Internet Explorer Ver. 11 General purpose browser software. It is used for configuring the MFP setting. 13 LeCroy STX SATA Protocol Suite Ver.4.20 Build10 It is used to capture the HDD write processing when the HDD overwrite deletion is performed. CRP-C0479-01 20 No. Name of device and software Outline and Purpose of use 14 Knoppix7.0.2 LiveCD Software to temporarily change the OS of the supplementary PC to Linux to operate in order to prepare the encryption environment which is equivalent to that of the MFP. 15 CSRC Ver. 2.8.1 Rev.03 Application for the CSRC. It is used for confirming that the usage of the CSRC is restricted. 16 Fiddler.exe Ver.2.4.6.2 Software to monitor and analyze Web access such as http. It is used for performing IPP protocol tests between the MFP and supplementary PC. 17 IC card reader driver (for device/IC card reader) Ver.A3GN0Y0-A401-G00-00 It is used for reading IC card from IC card reader with the MFP. 18 MG-SOFT MIB Browser Professional SNMPv3 Edition Ver.12.20.0.5040 Exclusive browser software for the MIB. It is used for the SNMP related tests. The TOE security functions are performed by manual operation of the panel on the MFP or manual operation using a printer driver on the supplementary PC. The HDD encryption function is performed using Linux OS environment with the equivalent functions. The behavior and responses of the security functions are confirmed by visual check of the panel display, visual check of printing results, analyzing data on the input/output pathway of the HDD collected by analysis tools, visual check of results displayed on the supplementary PC, observing output from the debug board by a terminal PC, and analyzing data of the captured communication packets, in order to ensure that the observed testing results and the expected results are consistent. b. Scope of the Performed Developer Testing The developer testing was performed on 55 items by the developer. By the coverage analysis, it was verified that all security functions and external interfaces described in the functional specification had been tested. By the depth analysis, it was verified that all the subsystems and subsystem interfaces described in the TOE design had been sufficiently tested. c. Result The evaluator confirmed the approach of the performed developer testing and the legitimacy of tested items, and confirmed consistencies between the testing approach described in the testing plan and the actual testing approach. The evaluator confirmed consistencies between the testing results expected by the developer and the actual testing results performed by the developer. CRP-C0479-01 21 7.4.2 Evaluator Independent Testing The evaluator performed the sample testing to reconfirm the execution of security functions by the test items extracted from the developer testing. In addition, the evaluator performed the evaluator independent testing (hereinafter referred to as the "independent testing") to gain further assurance that security functions are certainly implemented, based on the evidence shown in the process of the evaluation. The independent testing performed by the evaluator is explained as follows. 1) Independent Testing Environment The configuration of the testing performed by the evaluator is the same configuration with the developer testing shown in Figure 7-1. It is regarded that the evaluator testing was performed in a TOE testing environment which is the same as the TOE configuration identified in the ST, for the same rationale as described in “7.4.1 Developer Testing.” 2) Summary of the Independent Testing A summary of the independent testing performed by the evaluator is described as follows. a. Viewpoints of the Independent Testing Viewpoints of the independent testing that the evaluator designed from the developer testing and the provided evaluation documentation are shown below. (1) The testing is performed by adding types and combinations of operation cases and input parameters in regard to the TSFs that are judged to be insufficient in the developer testing from the viewpoints of completeness of operation cases and input parameters. (2) In regard to the types of interfaces to input parameters, the testing is performed by adding other combinations which are different from the developer testing in order to confirm the TSF behavior and its interaction more strictly. (3) To cover all security functions which are provided by the TOE, it should be considered by conducting the independent testing and sampling tests. b. Independent Testing Outline An outline of the independent testing that the evaluator performed is as follows. The same testing approach as that of the developer testing was used. The same testing tools as those used in the developer testing shown in Table 7-2 were used. Checking these specifications, operation tests and calibration were performed by the evaluator. CRP-C0479-01 22 Based on the viewpoints of the independent testing, the evaluator performed 7 items of the independent testing and 20 items of sampling tests. Table 7-3 shows the contents of the main testing performed and the viewpoints of the independent testing corresponding to them. Table 7-3 Main Independent Testing Performed Viewpoints of Independent Testing Overview of Testing (1) Testing was performed for encryption passphrase settings and various password settings by adding irregular input values. (1) Against the developer testing performed with one encrypted print file registered, i.e., testing with normal operation and power-off operation, testing was added with multiple encrypted print files registered. (1) (2) Against the developer testing performed using the CAC card (S/MIME encryption), testing was added using the PIV card. (1) Testing was performed to input unacceptable values with the enhanced security function being enabled against parameters of password protocols. c. Result All the independent testing performed by the evaluator was correctly completed, and the evaluator confirmed the behavior of the TOE. The evaluator confirmed consistencies between the expected behavior and all the testing results. 7.4.3 Evaluator Penetration Testing The evaluator devised and performed the necessary evaluator penetration testing (hereinafter referred to as the "penetration testing") on the potentially exploitable vulnerabilities of concern under the assumed environment of use and attack level from the evidence shown in the process of the evaluation. The penetration testing performed by the evaluator is explained as follows. 1) Summary of the Penetration Testing A summary of the penetration testing performed by the evaluator is as follows. a. Vulnerability of Concern The evaluator searched into the provided documentation and the publicly available information for the potential vulnerabilities, and then identified the following vulnerabilities which require the penetration testing. CRP-C0479-01 23 (1) There is a risk that an unexpected network port interface exists and the TOE can be accessed from it, or there is a risk that protected assets are disclosed by the unauthorized data transmission to open ports. (2) There is a risk of classified information being leaked and security functions being bypassed by analyzing or falsifying the TOE itself. (3) There is a risk of security functions being bypassed by the unexpected user operation. (4) There is a risk of security functions being bypassed by inputting unexpected values to the interface. (5) There is a risk of security functions being bypassed by operating with the TOE resource depletion. (6) There is a risk of TSF data and assets being leaked by the interception of communication paths at the time of IC card authentication. b. Penetration Testing Outline The evaluator performed the following penetration testing to identify potentially exploitable vulnerabilities. The penetration testing was conducted with the same testing configuration as that of the evaluator independent testing. (Only a test PC, on which tools for the penetration testing were installed, was added.) In addition to the tools used for the developer testing shown in Table 7-2, the tools shown in Table 7-4 were used in the penetration testing. Table 7-4 Penetration Testing Tools No. Name of tool and software Outline and purpose of use 1 nmap Version 6.47 Port scan tool 2 snmpwalk Version 3.6.1 MIB information acquisition tool 3 Nessus Version 6.3.3 Security scanner 4 Nikto Version 2.1.5 Security scanner 5 Extrstr Version 0.2 Binary analysis tool 6 USB Explorer Model 200 USB analyzer 7 USB Analysis Software Version 3.3.4015.1 USB analyzer software CRP-C0479-01 24 Table 7-5 shows vulnerabilities of concern which are identified in searching potential vulnerabilities and the content of the penetration testing corresponding to them. The evaluator conducted the following penetration testing on 9 items in order to identify the risk of potential vulnerabilities being exploited. Table 7-5 Overview of the Penetration Testing Vulnerabilities of Concern Overview of Testing (1) Testing was performed by using port scan tools to confirm that there is no unexpected network port. It is also confirmed that there is no vulnerability against unauthorized inputs in the ports in use by using security scanner, etc. (2) Testing was performed to confirm that the acquisition or falsification of classified information cannot be performed by analyzing the TOE binary. (3) Testing was performed to confirm that the TOE does not behave in an unexpected way by operating power source with irregular timings that are different from the normal operation. (4) Testing was performed to confirm that there is no unexpected behavior caused by unauthorized data received from the client PC or input data from USB devices. (5) Testing was performed to confirm that the TOE does not behave in an unexpected way when it is operated with the TOE resource depletion such as HDD capacity. (6) Testing was performed to observe communications via the USB cable between IC card and the TOE as well as communications via the LAN cable between the TOE and the external authentication server during the IC card authentication, and to confirm that there is no data which easily result in a leakage of TSF data and assets. c. Result In the penetration testing performed by the evaluator, the evaluator did not find any exploitable vulnerabilities that attackers who have the assumed attack potential could exploit. CRP-C0479-01 25 7.5 Evaluated Configuration (1) Operating model It is assumed that the TOE is installed in either bizhub 4750 or bizhub 4050, which is the MFP provided by KONICA MINOLTA, INC. The evaluation was performed using these two models. (2) TOE Setting The evaluation was performed with the setting of the "enhanced security function" activated. This setting is as the setting shown in the ST. 7.6 Evaluation Results The evaluator had concluded that the TOE satisfies all work units prescribed in the CEM by submitting the Evaluation Technical Report. In the evaluation, the following were confirmed. - PP Conformance: None - Security functional requirements: Common Criteria Part 2 Extended - Security assurance requirements: Common Criteria Part 3 Conformant As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance components. - All assurance components of EAL3 package The result of the evaluation is only applied to those which are composed by the TOE corresponding to the identification described in Chapter 2. 7.7 Evaluator Comments/Recommendations There is no evaluator recommendation to be addressed to consumers. CRP-C0479-01 26 8. Certification The Certification Body conducted the following certification based on the materials submitted by the Evaluation Facility during the evaluation process. 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be solved. 3. The submitted documentation was sampled, the content was examined, and the related work units shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of the evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. Concerns found in the certification process were prepared as the certification oversight reviews, and those were sent to the Evaluation Facility. The Certification Body confirmed such concerns pointed out in the certification oversight reviews were solved in the ST and the Evaluation Technical Report and issued this Certification Report. 8.1 Certification Result As a result of verification of the submitted Evaluation Technical Report, Observation Report and related evaluation documentation, the Certification Body determined that the TOE satisfies all assurance requirements for EAL3 in the CC Part 3. 8.2 Recommendations - The TOE depends on the following functions to counter threats and to fulfill the organizational security policies. (Refer to Section 4.3.) > IC card, IC card reader, exclusive driver > Active Directory > Difficulty of obtaining the information of setting values, such as passwords, which remains in the eMMC The reliability of these functions is not assured in this evaluation, and it depends on procurement entities’ judgment. - The information to authenticate an IC card with Active Directory server is registered to Active Directory at the time of issuing the IC card by a corporation which issues the IC card. CRP-C0479-01 27 9. Annexes There is no annex. 10. Security Target The Security Target [12] of the TOE is provided as a separate document along with this Certification Report. bizhub 4750 / bizhub 4050 PKI Card System Control Software Security Target Version 1.09 (July 24, 2015) KONICA MINOLTA, INC. CRP-C0479-01 28 11. Glossary The abbreviations relating to the CC used in this report are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level PP Protection Profile ST Security Target TOE Target of Evaluation TSF TOE Security Functionality The abbreviations relating to the TOE used in this report are listed below. CAC Common Access Card DNS Domain Name System eMMC Embedded MultiMedia Card HDD Hard Disk Drive MFP Multiple Function Peripheral MIB Management Information Base PIV Personal ID Verification RAM Random Access Memory SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SSL Secure Socket Layer S/MIME Secure Multipurpose Internet Mail Extensions USB Universal Serial Bus CRP-C0479-01 29 The definitions of terms used in this report are listed below. CAC IC card which is issued by the certification authority in the US Department of Defense. External network Network where access is restricted with the intra-office LAN that is connected to the TOE, by firewall, etc. Intra-office LAN Network to which the TOE is connected, and which is connected to the external network through firewall, etc. MIB Various setting information, which the various devices that are managed using the SNMP release to the public. PIV Personal identity verification method to carry out using a certificate issued by a federal office or using related information. S/MIME Standard of e-mail encryption method. Transmitting and receiving the encrypted messages using RSA public key encryption method. An electric certificate issued by the certification authority is necessary. SNMP Protocol to manage various devices via network. SSL Protocol to transmit information by encrypting via the Internet. CRP-C0479-01 30 12. Bibliography [1] IT Security Evaluation and Certification Scheme Documentation, June 2015, Information-technology Promotion Agency, Japan, CCS-01 [2] Requirements for IT Security Certification, June 2015, Information-technology Promotion Agency, Japan, CCM-02 [3] Requirements for Approval of IT Security Evaluation Facility, June 2015, Information-technology Promotion Agency, Japan, CCM-03 [4] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001 [5] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002 [6] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003 [7] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001 (Japanese Version 1.0, November 2012) [8] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002 (Japanese Version 1.0, November 2012) [9] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003 (Japanese Version 1.0, November 2012) [10] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004 [11] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 4, September 2012, CCMB-2012-09-004 (Japanese Version 1.0, November 2012) [12] bizhub 4750 / bizhub 4050 PKI Card System Control Software Security Target Version 1.09 (July 24, 2015) KONICA MINOLTA, INC. [13] bizhub 4750 / bizhub 4050 PKI Card System Control Software Evaluation Technical Report, Version 4 (130786-01-R003-04), July 27, 2015, Mizuho Information & Research Institute, Inc. Information Security Evaluation Office