CRP-C0083-01

Certification Report

Buheita Fujiwara, Chairman
Information-technology Promotion Agency, Japan

Target of Evaluation

Application date/ID: January 12, 2007 (ITC-7128)
Certification No.: C0083
Sponsor: RICOH COMPANY, LTD.
Name of TOE: (for Japan) imagio Security Card Type F Software
             (for overseas) Data OverWriteSecurity Unit F Software
Version of TOE: V1.05
PP Conformance: None
Conformed Claim: EAL3
TOE Developer: RICOH COMPANY, LTD.
Evaluation Facility: Electronic Commerce Security Technology Laboratory Inc. Evaluation Center

This is to report that the evaluation result for the above TOE is certified as follows.

February 22, 2007
Haruki Tabuchi, Technical Manager
Information Security Certification Office
IT Security Center
Information-technology Promotion Agency, Japan

Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the “IT Security Evaluation and Certification Scheme”.
- Common Criteria for Information-technology Security Evaluation Version 2.3
- Common Methodology for Information Technology Security Evaluation Version 2.3

Evaluation Result: Pass

“imagio Security Card Type F Software, Data OverWriteSecurity Unit F Software V1.05” has been evaluated in accordance with the provision of the “IT Security Certification Procedure” by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements.

Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme.

Table of Contents

1. Executive Summary
  1.1 Introduction
  1.2 Evaluated Product
    1.2.1 Name of Product
    1.2.2 Product Overview
    1.2.3 Scope of TOE and Overview of Operation
    1.2.4 TOE Functionality
  1.3 Conduct of Evaluation
  1.4 Certificate of Evaluation
  1.5 Overview of Report
    1.5.1 PP Conformance
    1.5.2 EAL
    1.5.3 SOF
    1.5.4 Security Functions
    1.5.5 Threat
    1.5.6 Organisational Security Policy
    1.5.7 Configuration Requirements
    1.5.8 Assumptions for Operational Environment
    1.5.9 Documents Attached to Product
2. Conduct and Results of Evaluation by Evaluation Facility
  2.1 Evaluation Methods
  2.2 Overview of Evaluation Conducted
  2.3 Product Testing
    2.3.1 Developer Testing
    2.3.2 Evaluator Testing
  2.4 Evaluation Result
3. Conduct of Certification
4. Conclusion
  4.1 Certification Result
  4.2 Recommendations
5. Glossary
6. Bibliography

1. Executive Summary

1.1 Introduction

This Certification Report describes the content of the certification result in relation to the IT Security Evaluation of “imagio Security Card Type F Software, Data OverWriteSecurity Unit F Software V1.05” (hereinafter referred to as “the TOE”) conducted by Electronic Commerce Security Technology Laboratory Inc. Evaluation Center (hereinafter referred to as “Evaluation Facility”), and it reports to the sponsor, RICOH COMPANY, LTD.

The reader of the Certification Report is advised to read the corresponding ST and the manuals attached to the TOE (please refer to “1.5.9 Documents Attached to Product” for further details) together with this report. The assumed environment, the corresponding security objectives, the security functional and assurance requirements needed for its implementation, and their summary specifications are specifically described in the ST. The operational conditions and functional specifications are also described in the documents attached to the TOE.
Note that the Certification Report presents the certification result based on the assurance requirements to which the TOE conforms, and does not certify the individual IT product itself.

Note: In this Certification Report, the IT Security Evaluation Criteria and IT Security Evaluation Method prescribed by the IT Security Evaluation and Certification Scheme are named CC and CEM, respectively.

1.2 Evaluated Product

1.2.1 Name of Product

The target product of this Certificate is as follows:

Name of Product: (for Japan) imagio Security Card Type F
                 (for overseas) Data OverWriteSecurity Unit F
Version: V1.05
Developer: RICOH COMPANY, LTD.

1.2.2 Product Overview

This TOE is the data overwrite module software (hereinafter: DOMS) mounted in Multi-functional printers (hereinafter: MFP) produced by Ricoh Co., Ltd., and is supplied recorded on an SD memory card. This TOE is an option kit, which is available for safer use of the MFP, and its function is to overwrite, for erasing, the areas of the HDD designated by the MFP.

1.2.3 Scope of TOE and Overview of Operation

1.2.3.1 TOE scope

This TOE is software recorded on an SD memory card, and the SD memory card is attached to the controller board. Figure 1-1 shows the TOE and the structure of the MFP, which is the operational environment of the TOE.

[Figure 1-1: Structure of TOE and MFP hardware. Elements shown: controller board (processor, RAM, ROM, NV-RAM, host interface, SD memory card holding the DOMS, which is the TOE), HDD, operation panel, scanner unit, print engine.]

The elements in Figure 1-1 are explained below.

- The print engine prints out data from the printer and copier functions and data received by the facsimile unit, while controlling paper feed and paper eject.
- The scanner unit takes image data from paper documents into the MFP. It is used to bring image data for the copier, scanner and facsimile transmission functions into the controller board.
- The operation panel displays information to MFP users and the administrator and receives the instructions they input. MFP users and the administrator operate the operation panel to use the functions of the MFP.
- The HDD is used for storing image data. During printing, copying, scanning or facsimile transmission/reception, the MFP temporarily stores working image data on it. General users also use the HDD to keep their data until they make use of it.
- The controller board controls the whole MFP. It is equipped with the processor and RAM to execute software, the ROM on which software such as the operating system (OS) and the various application modules is stored, the NV-RAM on which setting information for the MFP is recorded, and the host interface to connect to user PCs and servers. The TOE is recorded on an SD memory card, and the SD memory card is attached to the controller board.

1.2.3.2 Operation overview of the TOE

[Figure 1-2: Operational overview of the TOE. Elements shown: MFP control software, shared memory, TOE, OS of MFP, HDD of MFP (UNIX area/RAW area). Labelled interactions: writing the request of overwriting operation of RAW area; watching the request of overwriting operation of RAW area; confirmation of the permitting of overwriting operation of RAW area; request of overwriting operation of UNIX area; request of Start/Suspend of overwriting operation of the whole HDD; execution of the indicated overwriting operation; ending notification of each overwriting operation.]

Figure 1-2 shows the operational overview of the TOE. The control software of the MFP and the OS of the MFP are software residing in the ROM on the controller board in Figure 1-1. The HDD of the MFP is the HDD in Figure 1-1, and it is divided into a UNIX area and a RAW area. The shared memory is an area defined in the RAM on the controller board in Figure 1-1.

On instructions from the control software of the MFP, the TOE overwrites the specified area on the HDD of the MFP with the specified method. The TOE overwrites areas in the following three operations.

- Operation overview of overwriting the RAW area
  The control software of the MFP instructs the TOE to overwrite information in the RAW area via the shared memory: it records there the area to overwrite, and it responds to the TOE's request for confirmation that overwriting the RAW area for erasing is permitted. One overwriting method for erasing is specified at the same time.
  The TOE monitors the RAW-area overwrite information recorded in the shared memory. When the TOE finds a record for overwriting, it requests permission from the control software of the MFP to overwrite the HDD RAW area for erasing. After the control software of the MFP permits the request, the TOE overwrites, via the OS, the RAW area indicated by the record.
  At the end of overwriting, the TOE notifies the control software of the MFP of completion.

- Operation overview of overwriting the UNIX area
  The control software of the MFP instructs the TOE to overwrite information in the UNIX area by specifying a discarded file in the UNIX area and one method of overwriting for erasing.
  When the TOE receives notice of the discarded file in the UNIX area from the MFP, the TOE overwrites the file for erasing via the OS.
  At the end of overwriting, the TOE notifies the control software of the MFP of completion.

- Operation overview of overwriting all areas of the HDD
  When the TOE receives the order to overwrite the whole HDD, the TOE overwrites all areas of the HDD for erasing via the OS. One method of overwriting for erasing is specified with the order.
  At the end of overwriting, the TOE notifies the control software of the MFP of completion.
  The TOE can receive a cancellation from the MFP while it is overwriting all areas of the HDD, and the operation is aborted if the cancelling order comes from the MFP.

1.2.4 TOE Functionality

The TOE provides overwrite functions for each of the following areas on the HDD.

- The specified area in the RAW area
- The specified files in the UNIX area
- All areas of the HDD

The method of overwriting for erasing can be specified as one of the following three methods.

- NSA method
  The NSA method overwrites data in the following procedure.
  - Overwrite twice with random numbers,
  - Overwrite once with Null (0).
- DoD method
  The DoD method overwrites data in the following procedure.
  - Overwrite once with fixed numbers,
  - Overwrite once with the complement of the above fixed numbers,
  - Overwrite once with random numbers,
  - Carry out final verification.
- Random Numbers method
  The Random Numbers method overwrites the specified number of times (from one to nine times) with random numbers.

1.3 Conduct of Evaluation

Based on the IT Security Evaluation/Certification Program operated by the Certification Body, the TOE functionality and its assurance requirements are evaluated by the evaluation facility in accordance with publicized documents such as “IT Security Evaluation and Certification Scheme”[2], “IT Security Certification Procedure”[3] and “Evaluation Facility Approval Procedure”[4].

The scope of the evaluation is as follows.
- Security design of the TOE shall be adequate;
- Security functions of the TOE shall satisfy the security functional requirements described in the security design;
- This TOE shall be developed in accordance with the basic security design;
- The above three items shall be evaluated in accordance with CC Part 3 and the CEM.
More specifically, the evaluation facility examined “Security Target for imagio Security Card Type F, Data OverWriteSecurity Unit F” (hereinafter referred to as “the ST”)[1] as the basis design of the security functions of the TOE, the evaluation deliverables in relation to development of the TOE, and the development, manufacturing and shipping sites of the TOE. The evaluation facility evaluated whether the TOE satisfies both Annex C of CC Part 1 (either of [5], [8] or [11]) and the Functional Requirements of CC Part 2 (either of [6], [9] or [12]), and also evaluated, as its rationale, whether the development, manufacturing and shipping environments for the TOE satisfy the Assurance Requirements of CC Part 3 (either of [7], [10] or [13]). The evaluation procedure and its result are presented in “imagio Security Card Type F, Data OverWriteSecurity Unit F Evaluation Technical Report” (hereinafter referred to as “the Evaluation Technical Report”) [17]. Further, the evaluation methodology should comply with the CEM (either of [14], [15] or [16]).

1.4 Certification

The Certification Body verified the Evaluation Technical Report and Observation Report prepared by the evaluation facility and the evaluation evidence materials, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. A certification review was also prepared for the concerns found in the certification process. Evaluation was completed with the Evaluation Technical Report dated February, 2007 submitted by the evaluation facility; the problems pointed out by the Certification Body were fully resolved, and it was confirmed that the TOE evaluation was appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the evaluation facility and fully concluded the certification activities.

1.5 Overview of Report

1.5.1 PP Conformance

There is no PP to be conformed.

1.5.2 EAL

The Evaluation Assurance Level of the TOE defined by this ST is EAL3 conformance.

1.5.3 SOF

The minimum strength level claimed for the TOE in this ST is SOF-Basic. It is assumed that the MFP, which is the operational environment of the TOE, is used in general offices. Therefore it is appropriate that the minimum strength of function for the TOE is SOF-Basic.

1.5.4 Security Functions

The security functions of the TOE are as follows.

The TOE provides overwrite functions for each of the following areas on the HDD.

- The specified area in the RAW area
- The specified files in the UNIX area
- All areas of the HDD

The method of overwriting for erasing can be specified as one of the following three methods.

- NSA method
  The NSA method overwrites data in the following procedure.
  - Overwrite twice with random numbers,
  - Overwrite once with Null (0).
- DoD method
  The DoD method overwrites data in the following procedure.
  - Overwrite once with fixed numbers,
  - Overwrite once with the complement of the above fixed numbers,
  - Overwrite once with random numbers,
  - Carry out final verification.
- Random Numbers method
  The Random Numbers method overwrites the specified number of times (from one to nine times) with random numbers.

1.5.5 Threat

There are no threats countered by the TOE.

1.5.6 Organisational Security Policy

The organisational security policy required in use of the TOE is presented in Table 1-1.

Table 1-1: Organisational Security Policy

Identifier: OSP.RESIDUAL
Organisational Security Policy: The TOE shall prevent information from being retrieved from the HDD area specified by the MFP.

1.5.7 Configuration Requirements

The target MFPs of the TOE are listed in Table 1-2.

Table 1-2: Target MFP of the TOE

Model 1
  Product names in Japan:
    Ricoh imagio MP 9000
    Ricoh imagio MP 1100
    Ricoh imagio MP 1350
  Product names in other country:
    RICOH Aficio MP 9000/MP 1100/MP 1350
    LANIER LD190/LD1110/LD1135
    LANIER MP 9000/MP 1100/MP 1350
    SAVIN 8090/8110/8135
    Nashuatec MP 9000/MP 1100/MP 1350
    Rex Rotary MP 9000/MP 1100/MP 1350
    Gestetner DSm790/DSm7110/DSm7135
    Gestetner MP 9000/MP 1100/MP 1350
    infotec IS 3090/IS 3110/IS 3135

1.5.8 Assumptions for Operational Environment

The assumptions required in the environment using this TOE are presented in Table 1-3. The effective performance of the TOE security functions is not assured unless these preconditions are satisfied.

Table 1-3: Assumptions in Use of the TOE

Identifier: A.BREAK
Assumption: It is assumed that the execution of the TOE is not aborted. The execution of the TOE is not aborted by turning off the power of the MFP before the TOE finishes overwriting.

Identifier: A.CANCEL
Assumption: It is assumed that the execution of Erase All Memory is not cancelled. The execution of Erase All Memory is not cancelled without the user’s intent before the function is finished.

1.5.9 Documents Attached to Product

Documents attached to the TOE are listed below.

Documents for Japan:
- imagio Security Card Type F Operating Instructions, Version B735-8512

Documents for overseas:
- Data OverWriteSecurity Unit F Operating Instructions, Version B735-8529

2. Conduct and Results of Evaluation by Evaluation Facility

2.1 Evaluation Methods

Evaluation was conducted by using the evaluation methods prescribed in the CEM in accordance with the assurance requirements in CC Part 3. Details of the evaluation activities are reported in the Evaluation Technical Report. It describes the overview of the TOE, and the contents and verdict evaluated for each work unit prescribed in the CEM.

2.2 Overview of Evaluation Conducted

The history of the evaluation conducted was presented in the Evaluation Technical Report as follows.
Evaluation started in January, 2007 and concluded with the completion of the Evaluation Technical Report dated February, 2007. The evaluation facility received the full set of evaluation deliverables necessary for evaluation from the developer, and examined the evidence in relation to the series of evaluations conducted. During an evaluation of another TOE, the assurance level of which is the same as this TOE, the evaluation facility directly visited the development and manufacturing sites in October, 2006 and examined the procedural status in relation to each work unit for configuration management, delivery and operation, and lifecycle by investigating records and interviewing staff. The evaluation facility confirmed that the same procedure is applied to the TOE. Therefore, the result of the examination in October, 2006 was regarded as the procedural status of the TOE. Further, the evaluation facility carried out a sampling check of the testing conducted by the developer, and evaluator testing, using the developer testing environment at the developer site in January, 2007.

No concerns were found in the evaluation activities for each work unit. Therefore no Observation Report was issued to the developer.

As for concerns indicated by the Certification Body during the evaluation process, the certification review was sent to the evaluation facility. These were reflected in the evaluation after investigation by the evaluation facility.

2.3 Product Testing

An overview of the developer testing evaluated by the evaluator and of the evaluator testing conducted by the evaluator follows.

2.3.1 Developer Testing

1) Developer Test Environment

The developer’s testing was performed using the following TOE-installed MFP.

Ricoh imagio (Development Code: Bellini-C3, System version: 2.04.2)

The following devices were used for test operation and observation of results:

Testing PC: Terminal software connected to the MFP through RS232C/Ethernet communication was used.
IDE Bus Analyser: IDE-Pocket, Ultra DMA/100 supported (TOYO Corporation)
Others: Boot server to start up the MFP in boot-mode. Mail server for sending messages to check out the mail-sending function.

2) Outlining of Developer Testing

An outline of the testing performed by the developer follows.

a. Test configuration
Some models of the MFPs identified in the ST were used as the testing environment. Having investigated the differences among the MFPs identified in the ST, the evaluator was assured that the models used as the testing environment cover those differences well. Therefore, the evaluator was assured that the developer's testing environment was equal to the TOE configurations identified in the ST.

b. Testing Approach
The following methods were employed for stimulating the TSFI and observing the results.
- Checking out the panel operation and its indication.
- Checking out the logging body, which was displayed on the PC monitor. The PC was connected to the testing MFP.
- Monitoring data at the interface of the HDD, using the IDE bus analyser.

c. Scope of Testing Performed
The developer performed 57 test items. The coverage analysis was conducted and examined, and confirmed that all of the security functions described in the functional specification and the external interfaces were tested satisfactorily. Then, the depth analysis was conducted and examined, and confirmed that all the subsystems described in the high-level design and the subsystem interfaces were tested satisfactorily.

d. Result
The evaluator confirmed consistency between the expected test results and the actual test results provided by the developer. The evaluator confirmed the developer testing approach performed and the legitimacy of the items performed, and confirmed consistency between the testing approach described in the test plan and the actual test results.
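
The three overwrite methods of 1.2.4 and the interface-level observation used in the testing approach above can be illustrated with the following added example, which is not part of the report and is not Ricoh's code. It assumes a seekable file-like object in place of the HDD area, a 4096-byte write size, 0x55 as the "fixed numbers" value, and a read-back comparison of the last pass as the "final verification"; none of these details are stated in the report.

```python
import hashlib
import io
import os

CHUNK = 4096   # assumed write size; the report does not give one
FIXED = 0x55   # assumed "fixed numbers" value; the report does not give one


def pass_plan(method, times=3, fixed=FIXED):
    """Ordered write passes for one of the three methods listed in 1.2.4."""
    if method == "NSA":      # twice with random numbers, once with Null (0)
        return ["random", "random", 0x00]
    if method == "DoD":      # fixed, complement of fixed, random (then verify)
        return [fixed, fixed ^ 0xFF, "random"]
    if method == "Random":   # one to nine passes of random numbers
        if not 1 <= times <= 9:
            raise ValueError("Random Numbers method takes 1 to 9 passes")
        return ["random"] * times
    raise ValueError(f"unknown method: {method}")


def _write_pass(dev, offset, length, pattern):
    """Write one pass over the region; return SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    dev.seek(offset)
    remaining = length
    while remaining:
        n = min(CHUNK, remaining)
        block = os.urandom(n) if pattern == "random" else bytes([pattern]) * n
        dev.write(block)
        digest.update(block)
        remaining -= n
    dev.flush()
    try:
        os.fsync(dev.fileno())   # push the pass to the medium before the next one
    except (AttributeError, OSError):
        pass                     # in-memory objects have no file descriptor
    return digest.hexdigest()


def _read_digest(dev, offset, length):
    """SHA-256 of what the region currently holds."""
    digest = hashlib.sha256()
    dev.seek(offset)
    remaining = length
    while remaining:
        block = dev.read(min(CHUNK, remaining))
        if not block:
            break
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def overwrite(dev, offset, length, method, times=3, fixed=FIXED):
    """Run the method over [offset, offset+length); return a per-pass log,
    playing the role of the trace a bus analyser would show a tester."""
    log, written = [], None
    for pattern in pass_plan(method, times, fixed):
        written = _write_pass(dev, offset, length, pattern)
        log.append("random" if pattern == "random" else f"0x{pattern:02X}")
    if method == "DoD":          # assumed meaning of "final verification"
        if _read_digest(dev, offset, length) != written:
            raise OSError("final verification failed")
        log.append("verify-ok")
    return log


def demo():
    """Constructed image: neighbour data | residual job data | neighbour data."""
    secret = b"RESIDUAL-SCAN-DATA" * 500          # 9000 bytes, constructed
    disk = io.BytesIO(b"A" * 512 + secret + b"B" * 512)
    results = {}
    for method in ("NSA", "DoD", "Random"):
        disk.seek(512)
        disk.write(secret)                        # restore the residual data
        log = overwrite(disk, 512, len(secret), method, times=2)
        image = disk.getvalue()
        results[method] = (log, image[512:-512], image[:512], image[-512:])
    return results


if __name__ == "__main__":
    for name, (log, region, _, _) in demo().items():
        print(name, log, b"RESIDUAL" in region)
```

The log makes the pass order checkable independently of the final disk contents, which matters for the NSA and Random Numbers methods where only the last pass is visible afterwards.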

2.3.2 Evaluator Testing

1) Evaluator Test Environment

The test configuration used by the evaluator shall be the same configuration as in developer testing.

2) Outlining of Evaluator Testing

An outline of the testing performed by the evaluator follows.

a. Test configuration
The evaluator’s testing was performed in the same TOE testing environment as the TOE configuration identified in the ST.

b. Testing Approach
The following methods were employed for stimulating the TSFI and observing the results.
- Checking out the panel operation and its indication.
- Checking out the logging body, which was displayed on the PC monitor. The PC was connected to the testing MFP.
- Monitoring data at the interface of the HDD, using the IDE bus analyser.

c. Scope of Testing Performed
A total of 23 test items were conducted: 7 items devised by the evaluator and 16 items sampled from the developer testing. The following factors were considered in selecting the test subset.
1. The items shall cover the developer’s testing from the viewpoint of the TSF direction timing.
2. All security functions described in the functional specification and external interface shall be tested fully.

d. Result
All evaluator testing conducted was completed correctly and confirmed the behaviour of the TOE. The evaluator also confirmed that all the test results are consistent with that behaviour.

2.4 Evaluation Result

By submitting the Evaluation Technical Report, the evaluator concluded that the TOE satisfies all work units prescribed in the CEM.

3. Conduct of Certification

The following certification was conducted based on the materials submitted by the evaluation facility during the evaluation process.

1. Evidential materials submitted were sampled, their contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report.
2. Rationale of the evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate.
3. The evaluator’s evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM.

Concerns found in the certification process were prepared as a certification review, which was sent to the evaluation facility. The Certification Body confirmed that the concerns pointed out in the certification review were solved in the ST and the Evaluation Technical Report.

4. Conclusion

4.1 Certification Result

The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted, and confirmed that all evaluator action elements required in CC Part 3 were conducted appropriately for the TOE. The Certification Body verified that the TOE satisfies the EAL3 assurance requirements prescribed in CC Part 3.

4.2 Recommendations

None

5. Glossary

The abbreviations used in this report are listed below.

CC: Common Criteria for Information Technology Security Evaluation
CEM: Common Methodology for Information Technology Security Evaluation
EAL: Evaluation Assurance Level
PP: Protection Profile
SOF: Strength of Function
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functions
OS: Operating System
RAM: Random Access Memory
ROM: Read Only Memory
HDD: Hard Disk Drive

The terms used in this report are listed below.

MFP: Multi Functional Product. It is a printer that has multiple functions, such as copier and printer, in a single machine.
NV-RAM: Non-volatile random access memory. Semiconductor memory that can maintain its memory content without a supply of power.
UNIX area: HDD area managed by the OS file system. The data that exists in the area can be accessed by normal file operations.
RAW area: HDD area not managed by the OS file system. The data that exists in the area is managed by CSM in its own way, without OS file operations.
SD memory card: Secure Digital memory card. It is a stamp-size memory device with the copyright protection function.

6. Bibliography

[1] Security Target for imagio Security Card Type F, Data OverWriteSecurity Unit F, Version 1.00 (January 17, 2007), RICOH COMPANY, LTD.
[2] IT Security Evaluation and Certification Scheme, September 2006, Information-technology Promotion Agency, Japan, EC-01
[3] IT Security Certification Procedure, September 2006, Information-technology Promotion Agency, Japan, EC-03
[4] Evaluation Facility Approval Procedure, September 2006, Information-technology Promotion Agency, Japan, EC-05
[5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 2.3, August 2005, CCMB-2005-08-001
[6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 2.3, August 2005, CCMB-2005-08-002
[7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 2.3, August 2005, CCMB-2005-08-003
[8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 2.3, August 2005, CCMB-2005-08-001 (Translation Version 1.0, December 2005)
[9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 2.3, August 2005, CCMB-2005-08-002 (Translation Version 1.0, December 2005)
[10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 2.3, August 2005, CCMB-2005-08-003 (Translation Version 1.0, December 2005)
[11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
[12] ISO/IEC 15408-2:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements
[13] ISO/IEC 15408-3:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements
[14] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, Version 2.3, August 2005, CCMB-2005-08-004
[15] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, Version 2.3, August 2005, CCMB-2005-08-004 (Translation Version 1.0, December 2005)
[16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology for IT security evaluation
[17] imagio Security Card Type F, Data OverWriteSecurity Unit F Evaluation Technical Report, Version 2.0, February 14, 2007, Electronic Commerce Security Technology Laboratory Inc. Evaluation Center