Copyright ©2018-2019, RICOH COMPANY LTD., All Rights Reserved.

Security Target for
RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000, version JE-1.00-H

Author: RICOH COMPANY, LTD.
Date: 2019-12-19
Version: 1.0

RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000, version JE-1.00-H Security Target, 1.0 Copyright ©2020, RICOH COMPANY LTD., All Rights Reserved. Page 2 of 142

Table of Contents

1 ST Introduction (ASE_INT)
  1.1 ST Reference
  1.2 TOE Reference
  1.3 TOE Variants
    1.3.1 Print speed variants
    1.3.2 Regional variants
    1.3.3 Branding variants
  1.4 Evaluated and tested configurations
    1.4.1 Required TOE components
    1.4.2 Optional TOE components
    1.4.3 Required non-TOE components
    1.4.4 Optional non-TOE components
  1.5 TOE Overview
    1.5.1 TOE Type
    1.5.2 TOE Usage
    1.5.3 Major Security Features of TOE
  1.6 TOE Description
    1.6.1 Physical Boundary of TOE
    1.6.2 Hardware components
    1.6.3 Logical Boundary of the TOE
    1.6.4 Basic Functions
    1.6.5 Security Functions
    1.6.6 Functions supported but not evaluated
    1.6.7 Guidance Documents
2 ST Conformance Claims (ASE_CCL)
  2.1 Common Criteria (CC) conformance claims
  2.2 Protection Profile (PP) conformance claims
  2.3 Conformance Claim Rationale
    2.3.2 Consistency Claim with Security Problems and Security Objectives in PP
    2.3.3 Consistency Claim with Security Requirements in PP
3 Security Problem Definitions (ASE_SPD)
  3.1 Users
  3.2 Assets
    3.2.1 User Data
    3.2.2 TSF Data
  3.3 Threat definitions
  3.4 Organizational Security Policies
  3.5 Assumptions
4 Security Objectives (ASE_OBJ)
  4.1 Security Objectives for the TOE
  4.2 Security Objectives for the Operational Environment
  4.3 Security Objectives rationale
5 Extended Component Definitions (ASE_ECD)
6 Security Functional Requirements (ASE_REQ)
  6.1 Notational conventions
  6.2 Class FAU: Security Audit
    6.2.1 FAU_GEN.1 Audit data generation
    6.2.2 FAU_GEN.2 User identity association
    6.2.3 FAU_SAR.1 Audit review
    6.2.4 FAU_SAR.2 Restricted audit review
    6.2.5 FAU_STG.1 Protected audit trail storage
    6.2.6 FAU_STG_EXT.1 Extended: External Audit Trail Storage
    6.2.7 FAU_STG.4 Prevention of audit data loss
  6.3 Class FCO: Communication
  6.4 Class FCS: Cryptographic Support
    6.4.1 FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
    6.4.2 FCS_CKM.1(b)[DAR] Cryptographic key generation (Symmetric Keys) [Data At Rest]
    6.4.3 FCS_CKM.1(b)[DIM] Cryptographic key generation (Symmetric Keys) [Data In Motion]
    6.4.4 FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
    6.4.5 FCS_CKM.4 Cryptographic key destruction
    6.4.6 FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
    6.4.7 FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
    6.4.8 FCS_COP.1(c)[L1] Cryptographic operation (Hash Algorithm)
    6.4.9 FCS_COP.1(c)[L2] Cryptographic operation (Hash Algorithm)
    6.4.10 FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption)
    6.4.11 FCS_COP.1(f) Cryptographic operation (Key Encryption)
    6.4.12 FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
    6.4.13 FCS_HTTPS_EXT.1 Extended: HTTPS selected
    6.4.14 FCS_IPSEC_EXT.1 Extended: IPsec selected
    6.4.15 FCS_KYC_EXT.1 Extended: Key Chaining
    6.4.16 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
    6.4.17 FCS_TLS_EXT.1 Extended: TLS selected
  6.5 Class FDP: User Data Protection
    6.5.1 FDP_ACC.1 Subset access control
    6.5.2 FDP_ACF.1 Security attribute based access control
    6.5.3 FDP_DSK_EXT.1 Extended: Protection of Data on Disk
    6.5.4 FDP_FXS_EXT.1 Extended: Fax separation
    6.5.5 FDP_RIP.1(a) Subset residual information protection
  6.6 Class FIA: Identification and Authentication
    6.6.1 FIA_AFL.1 Authentication failure handling
    6.6.2 FIA_ATD.1 User attribute definition
    6.6.3 FIA_PMG_EXT.1 Extended: Password Management
    6.6.4 FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition
    6.6.5 FIA_UAU.1 Timing of authentication
    6.6.6 FIA_UAU.7 Protected authentication feedback
    6.6.7 FIA_UID.1 Timing of identification
    6.6.8 FIA_USB.1 User-subject binding
  6.7 Class FMT: Security Management
    6.7.1 FMT_MOF.1 Management of security functions behavior
    6.7.2 FMT_MSA.1 Management of security attributes
    6.7.3 FMT_MSA.3 Static attribute initialization
    6.7.4 FMT_MTD.1 Management of TSF data
    6.7.5 FMT_SMF.1 Specification of Management Functions
    6.7.6 FMT_SMR.1 Security roles
  6.8 Class FPR: Privacy
  6.9 Class FPT: Protection of the TSF
    6.9.1 FPT_KYP_EXT.1 Extended: Protection of Key and Key Material
    6.9.2 FPT_SKP_EXT.1 Extended: Protection of TSF Data
    6.9.3 FPT_STM.1 Reliable time stamps
    6.9.4 FPT_TST_EXT.1 Extended: TSF testing
    6.9.5 FPT_TUD_EXT.1 Extended: Trusted Update
  6.10 Class FRU: Resource Utilization
  6.11 Class FTA: TOE Access
    6.11.1 FTA_SSL.3 TSF-initiated termination
  6.12 Class FTP: Trusted Paths/Channels
    6.12.1 FTP_ITC.1[IPsec] Inter-TSF trusted channel
    6.12.2 FTP_TRP.1(a) Trusted path (for Administrators)
    6.12.3 FTP_TRP.1(b) Trusted path (for Non-administrators)
7 Security Assurance Requirements (APE_REQ)
  7.1 Class ASE: Security Target evaluation
  7.2 Class ADV: Development
    7.2.1 ADV_FSP.1 Basic functional specification
  7.3 Class AGD: Guidance Documents
    7.3.1 AGD_OPE.1 Operational user guidance
    7.3.2 AGD_PRE.1 Preparative procedures
  7.4 Class ALC: Life-cycle Support
    7.4.1 ALC_CMC.1 Labelling of the TOE
    7.4.2 ALC_CMS.1 TOE CM coverage
  7.5 Class ATE: Tests
    7.5.1 ATE_IND.1 Independent testing - Conformance
  7.6 Class AVA: Vulnerability Assessment
  7.7 Security Assurance Requirements rationale
8 TOE Summary Specification (ASE_TSS)
  8.1 Identification and Authentication, Use-of-Feature Authorization (TSF_FIA)
    8.1.1 FIA_UAU.1 and FIA_UID.1
    8.1.2 FIA_PMG_EXT.1
    8.1.3 FIA_UAU.7
    8.1.4 FIA_AFL.1
    8.1.5 FIA_USB.1 and FIA_ATD.1
    8.1.6 FTA_SSL.3
  8.2 Access Control (TSF_FDP)
    8.2.1 FDP_ACC.1 and FDP_ACF.1
  8.3 Stored Data Encryption (TSF_FCS)
    8.3.1 FCS_KYC_EXT.1, FPT_KYP_EXT.1, and FCS_COP.1(f)
    8.3.2 FCS_CKM.1(b)[DIM], FCS_CKM.1(b)[DAR], and FCS_RBG_EXT.1
    8.3.3 FCS_CKM.4 and FCS_CKM_EXT.4
    8.3.4 FDP_DSK_EXT.1 and FCS_COP.1(d)
  8.4 Trusted Communications (TSF_FTP)
    8.4.1 FTP_TRP.1(a), FTP_TRP.1(b), FCS_HTTPS_EXT.1, and FCS_TLS_EXT.1
    8.4.2 FCS_CKM.1(a), FCS_RBG_EXT.1, FCS_COP.1(a), FCS_COP.1(b)[DIM], FCS_COP.1(c), and FCS_COP.1(g)
    8.4.3 FPT_SKP_EXT.1, FCS_CKM.4 and FCS_CKM_EXT.4
    8.4.4 FTP_ITC.1[IPsec], FCS_IPSEC_EXT.1, FIA_PSK_EXT.1, and FCS_COP.1(g)
  8.5 Administrative Roles (TSF_FMT)
    8.5.1 FMT_SMR.1
    8.5.2 FMT_SMF.1, FMT_MOF.1, and FMT_MTD.1
    8.5.3 FMT_MSA.1 and FMT_MSA.3
  8.6 Audit Function (TSF_FAU)
    8.6.1 FAU_GEN.1 and FAU_GEN.2
    8.6.2 FAU_STG.1, FAU_STG_EXT.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2
    8.6.3 FPT_STM.1
  8.7 Trusted Operation (TSF_FPT)
    8.7.1 FPT_TST_EXT.1, FCS_COP.1(b), FCS_COP.1(c)[L1], and FCS_COP.1(c)[L2]
    8.7.2 FPT_TUD_EXT.1, FCS_COP.1(b), FCS_COP.1(c)[L1], and FCS_COP.1(c)[L2]
  8.8 PSTN Fax-Line Separation (TSF_FXS)
    8.8.1 FDP_FXS_EXT.1
  8.9 Image Overwrite
    8.9.1 FDP_RIP.1(a)
A Terminology
  A.1 Glossary
  A.2 Acronyms

List of Figures

Figure 1 Example of TOE Environment
Figure 2 Hardware Configuration of the TOE
Figure 3 Logical Boundary of the TOE

List of Tables

Table 1 Required TOE components
Table 2 Optional TOE components
Table 3 Required non-TOE components
Table 4 Optional non-TOE components
Table 5 Protection Profile claims
Table 6 User categories
Table 7 Asset categories
Table 8 User Data types
Table 9 Document and Job Attributes
Table 10 TSF Data types
Table 11 Data in D.TSF.PROT
Table 12 Data in D.TSF.CONF
Table 13 Threats
Table 14 Organizational Security Policies
Table 15 Assumptions
Table 16 Security Objectives for the TOE
Table 17 Security Objectives for the Operational Environment
Table 18 Security Objectives rationale
Table 19 Auditable Events
Table 20 D.USER.DOC Access Control SFP
Table 21 D.USER.JOB Access Control SFP
Table 22 Authentication Events
Table 23 List of Actions for Authentication Failure
Table 24 Rules for Initial Association of Attributes
Table 25 User Roles for Security Attributes
Table 26 List of Administrator-only TSF Data, Operations, and Roles
Table 27 List of Additional TSF Data, Operations, and Roles
Table 28 TOE Security Assurance Requirements
Table 29 Stored Documents Access Control Rules for Normal Users
Table 30 Keychain encryption
Table 31 Random Number Sources
Table 32 Storage encryption cryptographic functions
Table 33 TLS/HTTPS cryptographic functions
Table 34 IPsec cryptographic functions
Table 35 List of Static Initialization for Security Attributes of Document Access Control SFP
Table 36 Roles allowed to override default values
Table 37 List of Audit Events
Table 38 Start-up integrity tests
Table 39 Glossary of Terms
Table 40 Acronyms

1 ST Introduction (ASE_INT)

1.1 ST Reference

The following is the identification information of this ST.
• Title: Security Target for RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000 version JE-1.00-H
• Version: 1.0
• Date: 2020-01-05
• Author: RICOH COMPANY, LTD.
• Keywords: multifunction, hardcopy, MFD, MFP, HCD, printer, copier, scanner, facsimile, print, copy, scan, fax, document server

1.2 TOE Reference

The identification information of the TOE is shown below.
TOE Name: RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000
TOE Version: JE-1.00-H
TOE Type: Digital Multi-Function Printer (hereafter "MFP")
Target MFP models:
• RICOH IM C2000, IM C2000A, IM C2000F, and IM C2000G
• RICOH IM C2500, IM C2500A, IM C2500F, and IM C2500G
• RICOH IM C3000, IM C3000A, IM C3000F, and IM C3000G
• RICOH IM C3500, IM C3500A, IM C3500F, and IM C3500G
• RICOH IM C4500, IM C4500A, IM C4500F, and IM C4500G
• RICOH IM C5500, IM C5500A, and IM C5500F
• RICOH IM C6000, IM C6000F, and IM C6000G
All of the above MFPs are equipped with Printer, Scanner, and Copy functions, support an optional Fax function, and are upgraded to software version JE-1.00-H.
Additional options such as document feeders and finishers are available, but none of them affects the TSF.
The versions of the firmware and hardware corresponding to this version of the TOE are shown below. When using an MFP, you can display the firmware and hardware versions. The machine’s serial number plate indicates which Type the model belongs to:

Type 1: MFPs for “-27”, “-65”, “-17”, “-18” or “-29” models:
• RICOH IM C2000, RICOH IM C2000A, RICOH IM C2000G,
  RICOH IM C2500, RICOH IM C2500A, RICOH IM C2500G,
  RICOH IM C3000, RICOH IM C3000A, RICOH IM C3000G,
  RICOH IM C3500, RICOH IM C3500A, RICOH IM C3500G,
• SAVIN IM C2000, SAVIN IM C2000G,
  SAVIN IM C2500, SAVIN IM C2500G,
  SAVIN IM C3000, SAVIN IM C3000G,
  SAVIN IM C3500, SAVIN IM C3500G,
• LANIER IM C2000, LANIER IM C2000G,
  LANIER IM C2500, LANIER IM C2500G,
  LANIER IM C3000, LANIER IM C3000G,
  LANIER IM C3500, LANIER IM C3500G,
• nashuatec IM C2000, nashuatec IM C2000A,
  nashuatec IM C2500, nashuatec IM C2500A,
  nashuatec IM C3000, nashuatec IM C3000A,
  nashuatec IM C3500, nashuatec IM C3500A,
• Rex Rotary IM C2000, Rex Rotary C2000A,
  Rex Rotary C2500, Rex Rotary C2500A,
  Rex Rotary C3000, Rex Rotary C3000A,
  Rex Rotary C3500, Rex Rotary C3500A,
• Gestetner IM C2000, Gestetner IM C2000A,
  Gestetner IM C2500, Gestetner IM C2500A,
  Gestetner IM C3000, Gestetner IM C3000A,
  Gestetner IM C3500, Gestetner IM C3500A,

Type 2: MFPs for “-27”, “-65”, “-17”, “-18”, “-57” or “-29” models
• RICOH IM C4500, RICOH IM C4500A, RICOH IM C4500G,
  RICOH IM C5500, RICOH IM C5500A,
  RICOH IM C6000, RICOH IM C6000G,
• SAVIN IM C4500, SAVIN IM C4500G,
  SAVIN IM C6000, SAVIN IM C6000G,
• LANIER IM C4500, LANIER IM C4500G,
  LANIER IM C6000, LANIER IM C6000G,
• nashuatec IM C4500, nashuatec IM C4500A,
  nashuatec IM C5500,
  nashuatec IM C5500A,
  nashuatec IM C6000,
• Rex Rotary C4500, Rex Rotary C4500A,
  Rex Rotary C5500, Rex Rotary C5500A,
  Rex Rotary C6000,
• Gestetner IM C4500, Gestetner IM C4500A,
  Gestetner IM C5500, Gestetner IM C5500A,
  Gestetner IM C6000

Type 3: MFPs for “-00” or “-01” models
• RICOH IM C2000, RICOH IM C2000F
  RICOH IM C2500, RICOH IM C2500F
  RICOH IM C3000, RICOH IM C3000F
  RICOH IM C3500, RICOH IM C3500F

Type 4: MFPs for “-00”, “-01” or “-04” models
• RICOH IM C4500, RICOH IM C4500A, RICOH IM C4500F
  RICOH IM C5500, RICOH IM C5500A, RICOH IM C5500F
  RICOH IM C6000, RICOH IM C6000F

Machine firmware and hardware for Type 1
Primary Classification   Secondary Classification   Version
Firmware                 System/Copy                2.21
                         Network Support            18.56
                         Web Support                2.17
                         Fax                        02.02.00
                         RemoteFax                  02.01.00
                         Scanner                    02.02
                         Web Uapl                   2.01
                         NetworkDocBox              2.01
                         animation                  2.01
                         Printer                    2.13
                         RPCS                       3.23.13
                         Font EXP                   1.00
                         PCL                        1.01
                         IRIPS PS3                  1.00
                         IRIPS PDF                  1.06
                         IRIPS Font                 1.15
                         GraphicData                2.00
                         MovieData                  1.00
                         MovieData2                 1.00
                         MovieData3                 1.00
                         Data Erase Onb             1.05
                         GWFCU3.8-22(WW)            04.00.00
                         PowerSaving Sys            F.L3.23.1
                         M2a_System                 2.03
                         M2a_BLEPlugin              4.0.1
                         M2a_BluetoothSe            1.01
                         M2a_cspf                   3.00.00
                         M2a_DeviceHub              2.01
                         M2a_HelpService            6.01
                         M2a_ICCdDisptch            3.07.00
                         M2a_InstSetting            2.01
                         M2a_iWnn                   2.8.201
                         M2a_iWnn_Hang              2.8.2
                         M2a_iWnn_Hans              2.8.2
                         M2a_iWnn_Hant              2.8.2
                         M2a_KrbServ                1.07.01
                         M2a_MeidaPrtScn            1.04
                         M2a_NFCPlugin              3.03.00
                         M2a_PrinterInfo            1.04
                         M2a_PrinterSJob            1.03
                         M2a_ProgramInfo            1.21
                         M2a_QRCode_SDC             4.0.3
                         M2a_QuickCdAuth            3.05.00
                         M2a_RemAssist              1.1
                         M2a_RemPnlOpe              1.2
                         M2a_RemSptSvc              1.2
                         M2a_SimpleWFD              1.17
                         M2a_SmartCopy              1.07
                         M2a_SmartFAX               5.08
                         M2a_SmartScan              1.06
                         M2a_SmartScanEx            2.02
                         M2a_USBCdPlugin            3.03.00
                         M2a_VoiceServ              2.01
                         M2a_WEcoInfo               2.01
                         M2a_WFaxInfo               2.00
                         M2a_WLanguage              2.01
                         M2a_WStopKey               2.00
                         M2a_WTonner                2.00
                         M2a_WTray                  2.00
                         M2a_zoo                    3.02.00
                         Engine                     1.10:04
                         ADF                        01.000:03 (*1)
                                                    01.030:02 (*2)
                                                    Blank (*3)
Hardware                 Ic Ctlr                    03
                         Ic Key                     01024704
(*1): When the MFP includes Auto Reverse Document Feeder
(*2): When the MFP includes One-Pass Duplex Scanning ADF
(*3): When the MFP includes Exposure Glass Cover

Machine firmware and hardware for Type 2
Primary Classification   Secondary Classification   Version
Firmware                 System/Copy                2.21
                         Network Support            18.56
                         Web Support                2.17
                         Fax                        02.02.00
                         RemoteFax                  02.01.00
                         Scanner                    02.02
                         Web Uapl                   2.01
                         NetworkDocBox              2.01
                         animation                  2.01
                         Printer                    2.13
                         RPCS                       3.23.13
                         Font EXP                   1.00
                         PCL                        1.01
                         IRIPS PS3                  1.00
                         IRIPS PDF                  1.06
                         IRIPS Font                 1.15
                         GraphicData                2.00
                         MovieData                  1.00
                         MovieData2                 1.00
                         MovieData3                 1.00
                         Data Erase Onb             1.05
                         GWFCU3.8-22(WW)            04.00.00
                         PowerSaving Sys            F.L3.23.1
                         M2a_System                 2.03
                         M2a_BLEPlugin              4.0.1
                         M2a_BluetoothSe            1.01
                         M2a_cspf                   3.00.00
                         M2a_DeviceHub              2.01
                         M2a_HelpService            6.01
                         M2a_ICCdDisptch            3.07.00
                         M2a_InstSetting            2.01
                         M2a_iWnn                   2.8.201
                         M2a_iWnn_Hang              2.8.2
                         M2a_iWnn_Hans              2.8.2
                         M2a_iWnn_Hant              2.8.2
                         M2a_KrbServ                1.07.01
                         M2a_MeidaPrtScn            1.04
                         M2a_NFCPlugin              3.03.00
                         M2a_PrinterInfo            1.04
                         M2a_PrinterSJob            1.03
                         M2a_ProgramInfo            1.21
                         M2a_QRCode_SDC             4.0.3
                         M2a_QuickCdAuth            3.05.00
                         M2a_RemAssist              1.1
                         M2a_RemPnlOpe              1.2
                         M2a_RemSptSvc              1.2
                         M2a_SimpleWFD              1.17
                         M2a_SmartCopy              1.07
                         M2a_SmartFAX               5.08
                         M2a_SmartScan              1.06
                         M2a_SmartScanEx            2.02
                         M2a_USBCdPlugin            3.03.00
                         M2a_VoiceServ              2.01
                         M2a_WEcoInfo               2.01
                         M2a_WFaxInfo               2.00
                         M2a_WLanguage              2.01
                         M2a_WStopKey               2.00
                         M2a_WTonner                2.00
                         M2a_WTray                  2.00
                         M2a_zoo                    3.02.00
                         Engine                     1.10:04
                         ADF                        01.000:03 (*1)
                                                    01.030:02 (*2)
                                                    Blank (*3)
Hardware                 Ic Ctlr                    03
                         Ic Key                     01024704
(*1): When the MFP includes Auto Reverse Document Feeder
(*2): When the MFP includes One-Pass Duplex Scanning ADF
(*3): When the MFP includes Exposure Glass Cover

Machine firmware and hardware for Type 3
Primary Classification   Secondary Classification   Version
Firmware                 System/Copy                2.21
                         Network Support            18.56
                         Web Support                2.17
                         Fax                        02.02.00
                         RemoteFax                  02.01.00
                         Scanner                    02.02
                         Web Uapl                   2.01
                         NetworkDocBox              2.01
                         animation                  2.01
                         Printer                    2.13
                         RPCS                       3.23.13
                         RPCS Font                  1.00
                         IRIPS PS3                  1.00
                         IRIPS PDF                  1.06
                         IRIPS Font                 1.21
                         PSFont JIS2004             1.04
                         Option MSIS                0.38
                         GraphicData                2.00
                         MovieData                  1.00
                         MovieData2                 1.00
                         MovieData3                 1.00
                         Data Erase Onb             1.05
                         GWFCU3.8-22(WW)            04.00.00
                         PowerSaving Sys            F.L3.23.1
                         M2a_System                 2.03
                         M2a_BLEPlugin              4.0.1
                         M2a_BluetoothSe            1.01
                         M2a_cspf                   3.00.00
                         M2a_DeviceHub              2.01
                         M2a_HelpService            6.01
                         M2a_ICCdDisptch            3.07.00
                         M2a_InstSetting            2.01
                         M2a_iWnn                   2.8.201
                         M2a_iWnn_Hang              2.8.2
                         M2a_iWnn_Hans              2.8.2
                         M2a_iWnn_Hant              2.8.2
                         M2a_KrbServ                1.07.01
                         M2a_MeidaPrtScn            1.04
                         M2a_NFCPlugin              3.03.00
                         M2a_PrinterInfo            1.04
                         M2a_PrinterSJob            1.03
                         M2a_ProgramInfo            1.21
                         M2a_QRCode_SDC             4.0.3
                         M2a_QuickCdAuth            3.05.00
                         M2a_RemAssist              1.1
                         M2a_RemPnlOpe              1.2
                         M2a_RemSptSvc              1.2
                         M2a_SimpleWFD              1.17
                         M2a_SmartCopy              1.07
                         M2a_SmartFAX               5.08
                         M2a_SmartScan              1.06
                         M2a_SmartScanEx            2.02
                         M2a_USBCdPlugin            3.03.00
                         M2a_VoiceServ              2.01
                         M2a_WEcoInfo               2.01
                         M2a_WFaxInfo               2.00
                         M2a_WLanguage              2.01
                         M2a_WStopKey               2.00
                         M2a_WTonner                2.00
                         M2a_WTray                  2.00
                         M2a_zoo                    3.02.00
                         Engine                     1.10:04
                         ADF                        01.000:03 (*1)
                                                    01.030:02 (*2)
                                                    Blank (*3)
Hardware                 Ic Ctlr                    03
                         Ic Key                     01024704

Machine firmware and hardware for Type 4
Primary Classification   Secondary Classification   Version
Firmware                 System/Copy                2.21
                         Network Support            18.56
                         Web Support                2.17
                         Fax                        02.02.00
                         RemoteFax                  02.01.00
                         Scanner                    02.02
                         Web Uapl                   2.01
                         NetworkDocBox              2.01
                         animation                  2.01
                         Printer                    2.13
                         RPCS                       3.23.13
                         RPCS Font                  1.00
                         IRIPS PS3                  1.00
                         IRIPS PDF                  1.06
                         IRIPS Font                 1.21
                         PSFont JIS2004             1.04
                         Option MSIS                0.38
                         GraphicData                2.00
                         MovieData                  1.00
                         MovieData2                 1.00
                         MovieData3                 1.00
                         Data Erase Onb             1.05
                         GWFCU3.8-22(WW)            04.00.00
                         PowerSaving Sys            F.L3.23.1
                         M2a_System                 2.03
                         M2a_BLEPlugin              4.0.1
                         M2a_BluetoothSe            1.01
                         M2a_cspf                   3.00.00
                         M2a_DeviceHub              2.01
                         M2a_HelpService            6.01
                         M2a_ICCdDisptch            3.07.00
                         M2a_InstSetting            2.01
                         M2a_iWnn                   2.8.201
                         M2a_iWnn_Hang              2.8.2
                         M2a_iWnn_Hans              2.8.2
                         M2a_iWnn_Hant              2.8.2
                         M2a_KrbServ                1.07.01
                         M2a_MeidaPrtScn            1.04
                         M2a_NFCPlugin              3.03.00
                         M2a_PrinterInfo            1.04
                         M2a_PrinterSJob            1.03
                         M2a_ProgramInfo            1.21
                         M2a_QRCode_SDC             4.0.3
                         M2a_QuickCdAuth            3.05.00
                         M2a_RemAssist              1.1
                         M2a_RemPnlOpe              1.2
                         M2a_RemSptSvc              1.2
                         M2a_SimpleWFD              1.17
                         M2a_SmartCopy              1.07
                         M2a_SmartFAX               5.08
                         M2a_SmartScan              1.06
                         M2a_SmartScanEx            2.02
                         M2a_USBCdPlugin            3.03.00
                         M2a_VoiceServ              2.01
                         M2a_WEcoInfo               2.01
                         M2a_WFaxInfo               2.00
                         M2a_WLanguage              2.01
                         M2a_WStopKey               2.00
                         M2a_WTonner                2.00
                         M2a_WTray                  2.00
                         M2a_zoo                    3.02.00
                         Engine                     1.10:04
                         ADF                        01.000:03 (*1)
                                                    01.030:02 (*2)
                                                    Blank (*3)
Hardware                 Ic Ctlr                    03
                         Ic Key                     01024704
(*1): When the MFP includes Auto Reverse Document Feeder
(*2): When the MFP includes One-Pass Duplex Scanning ADF
(*3): When the MFP includes Exposure Glass Cover

1.3 TOE Variants
The models listed in Section 1.2 correspond to differences in print speed, and regional markets / localization. In addition, some models are also marketed under different Ricoh Family Group brand names. A complete list of all certified models is provided in the Notes for Administrators document identified in section 1.6.7.
All variants use the same hardware and the same versions of firmware for TOE security functions. All are included in the scope of this Common Criteria certification, but only one representative model is tested (see Section 1.4).

1.3.1 Print speed variants
The first two numeric digits correspond to copy speed, e.g. C2000 performs 20 copies per minute, C2500 performs 25, and so on.
Differences between models with different printing speeds are limited to print engine components that do not affect the TSF.

1.3.2 Regional variants
An alphabetic suffix corresponds to regional variations for default user interface languages and other localization settings, and regional fonts and printer languages. There are no security-relevant differences between regional variants.

1.3.3 Branding variants
In addition to RICOH models (with no suffix or “A”, “F”, or “G” suffix), some models are marketed under the following brand names; however, they have not been tested as part of the certification:
• SAVIN and LANIER (with no suffix or with “G” suffix)
• nashuatec, RexRotary, and Gestetner (with no suffix or with “A” suffix).
Differences between branding variants are limited to labels, displays, packaging materials, and documentation. None of these differences affects the TSF.

1.4 Evaluated and tested configurations
The evaluated configuration comprises all of the required and optional TOE and non-TOE components listed in the first two columns of the tables in the subsections below. The specific components used for testing are identified in the third column.
The tested configuration is equivalent to the evaluated configurations because none of the variants for branding, marketing region, paper speed, or paper feed affects the TSF, and all variants employ the same TSF-enforcing hardware and software.
The representative model selected for Common Criteria evaluation is a RICOH IM C4500, fitted with Fax Option M37 for testing of fax-related security functions. The IM C4500 model was chosen because it is a high-speed model that is marketed in all regions.
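Section 1.2 states that the firmware and hardware versions can be displayed on the MFP, and the evaluated configuration is defined by the Type 1 to Type 4 version tables there. The following script is an added example, not Ricoh's code and not part of this ST: it encodes those four tables once (the entries common to all Types plus the printer-language components that differ between Type 1/2 and Type 3/4) and compares a displayed version listing against them, reporting components that are missing, at a different version, or not in the evaluated configuration at all. The conditional ADF entry is accepted at any of the three values the tables allow. The line-oriented "name<TAB>version" report format, the constructed sample report and the function names are assumptions; the expected versions are the ones printed in the tables above.

```python
"""Compare an MFP's displayed firmware/hardware versions with the evaluated
configuration tables for TOE version JE-1.00-H (ST Section 1.2).

Added example, not Ricoh's code. The 'name<TAB>version' report format is an
assumption; the expected values are copied from the ST's Type 1-4 tables.
"""
from typing import Dict, List, Tuple

# Secondary Classification -> Version entries shared by all four Types
# (the Primary Classification, Firmware vs Hardware, is not needed for the check).
COMMON: Dict[str, str] = {
    "System/Copy": "2.21", "Network Support": "18.56", "Web Support": "2.17",
    "Fax": "02.02.00", "RemoteFax": "02.01.00", "Scanner": "02.02",
    "Web Uapl": "2.01", "NetworkDocBox": "2.01", "animation": "2.01",
    "Printer": "2.13", "RPCS": "3.23.13", "IRIPS PS3": "1.00",
    "IRIPS PDF": "1.06", "GraphicData": "2.00", "MovieData": "1.00",
    "MovieData2": "1.00", "MovieData3": "1.00", "Data Erase Onb": "1.05",
    "GWFCU3.8-22(WW)": "04.00.00", "PowerSaving Sys": "F.L3.23.1",
    "M2a_System": "2.03", "M2a_BLEPlugin": "4.0.1", "M2a_BluetoothSe": "1.01",
    "M2a_cspf": "3.00.00", "M2a_DeviceHub": "2.01", "M2a_HelpService": "6.01",
    "M2a_ICCdDisptch": "3.07.00", "M2a_InstSetting": "2.01", "M2a_iWnn": "2.8.201",
    "M2a_iWnn_Hang": "2.8.2", "M2a_iWnn_Hans": "2.8.2", "M2a_iWnn_Hant": "2.8.2",
    "M2a_KrbServ": "1.07.01", "M2a_MeidaPrtScn": "1.04", "M2a_NFCPlugin": "3.03.00",
    "M2a_PrinterInfo": "1.04", "M2a_PrinterSJob": "1.03", "M2a_ProgramInfo": "1.21",
    "M2a_QRCode_SDC": "4.0.3", "M2a_QuickCdAuth": "3.05.00", "M2a_RemAssist": "1.1",
    "M2a_RemPnlOpe": "1.2", "M2a_RemSptSvc": "1.2", "M2a_SimpleWFD": "1.17",
    "M2a_SmartCopy": "1.07", "M2a_SmartFAX": "5.08", "M2a_SmartScan": "1.06",
    "M2a_SmartScanEx": "2.02", "M2a_USBCdPlugin": "3.03.00", "M2a_VoiceServ": "2.01",
    "M2a_WEcoInfo": "2.01", "M2a_WFaxInfo": "2.00", "M2a_WLanguage": "2.01",
    "M2a_WStopKey": "2.00", "M2a_WTonner": "2.00", "M2a_WTray": "2.00",
    "M2a_zoo": "3.02.00", "Engine": "1.10:04", "Ic Ctlr": "03", "Ic Key": "01024704",
}
# Printer-language components differ between Type 1/2 and Type 3/4.
TYPE_SPECIFIC: Dict[int, Dict[str, str]] = {
    1: {"Font EXP": "1.00", "PCL": "1.01", "IRIPS Font": "1.15"},
    3: {"RPCS Font": "1.00", "IRIPS Font": "1.21",
        "PSFont JIS2004": "1.04", "Option MSIS": "0.38"},
}
TYPE_SPECIFIC[2] = TYPE_SPECIFIC[1]
TYPE_SPECIFIC[4] = TYPE_SPECIFIC[3]
# ADF depends on the fitted feeder: (*1) ARDF, (*2) one-pass duplex ADF,
# (*3) exposure glass cover only, which the ST prints as 'Blank'.
ADF_ALLOWED = {"01.000:03", "01.030:02", "Blank"}


def expected_versions(mfp_type: int) -> Dict[str, str]:
    """Expected Secondary Classification -> Version for a Type 1-4 MFP."""
    if mfp_type not in TYPE_SPECIFIC:
        raise ValueError(f"unknown MFP Type {mfp_type}")
    return {**COMMON, **TYPE_SPECIFIC[mfp_type]}


def parse_report(text: str) -> Dict[str, str]:
    """Parse 'name<TAB>version' lines (assumed format); an empty version
    field is taken as the ST's 'Blank'. Blank and '#' lines are ignored."""
    versions: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, version = line.partition("\t")
        versions[name.strip()] = version.strip() or "Blank"
    return versions


def check_configuration(report: Dict[str, str], mfp_type: int) -> List[Tuple[str, str, str]]:
    """Return findings as (kind, component, detail); an empty list means the
    displayed versions match the evaluated configuration for that Type."""
    findings: List[Tuple[str, str, str]] = []
    expected = expected_versions(mfp_type)
    for name, want in expected.items():
        got = report.get(name)
        if got is None:
            findings.append(("missing", name, f"expected {want}"))
        elif got != want:
            findings.append(("mismatch", name, f"expected {want}, found {got}"))
    adf = report.get("ADF")
    if adf is None:
        findings.append(("missing", "ADF", "expected one of " + ", ".join(sorted(ADF_ALLOWED))))
    elif adf not in ADF_ALLOWED:
        findings.append(("mismatch", "ADF", f"found {adf}"))
    for name, got in report.items():
        if name not in expected and name != "ADF":
            findings.append(("unexpected", name, f"found {got}"))
    return findings


# Constructed sample: a Type 1 machine with an older Web Support build and one
# module that is not in the evaluated configuration. Not real MFP output.
SAMPLE_REPORT = "\n".join(
    [f"{k}\t{v}" for k, v in expected_versions(1).items() if k != "Web Support"]
    + ["Web Support\t2.16", "ADF\t01.000:03", "M2a_Extra\t1.00"]
)

if __name__ == "__main__":
    for kind, name, detail in check_configuration(parse_report(SAMPLE_REPORT), 1):
        print(f"{kind:10} {name:18} {detail}")
```

Run against the constructed sample, the check reports the Web Support mismatch and the unexpected module and nothing else; a listing that matches the Type 3 or Type 4 table exactly (with any of the three ADF values) produces no findings. Confirming the Type from the serial number plate first matters, because a Type 1 listing checked against the Type 3 table would be flagged for the PCL and Font EXP entries even though it is correct.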
1.4.1 Required TOE components
The following TOE components are required to perform basic security functions of a hardcopy device.

Function   Required TOE component(s)                            Tested TOE components
Hardware   Any of the models specified in Section 1.2 and 1.3   RICOH IM C4500 D0BN-17
Software   Version JE-1.00-H software upgrade                   Version JE-1.00-H software upgrade
Table 1 Required TOE components

1.4.2 Optional TOE components
Optional security functions require additional TOE components, listed in Table 2:

Security function        Optional TOE components   Tested TOE components
Fax-network separation   Fax Control Unit (FCU)    Fax Control Unit Type M37
Table 2 Optional TOE components

1.4.3 Required non-TOE components
The following non-TOE components are required for the TOE to perform basic security functions of a hardcopy device.

Security function        Required non-TOE component(s)                  Tested TOE components
Trusted communications   Connection to a local area network             Yes
Audit log collection     Connection to an audit log server on the LAN   syslog server
Table 3 Required non-TOE components

1.4.4 Optional non-TOE components
Optional security functions require additional non-TOE components, listed in Table 4:

Security function                                        Optional non-TOE component(s)                       Tested TOE components
Fax-network separation, fax-related security functions   Connection to a telephone line                      PSTN emulator, PC with fax driver for sending, fax machine for receiving
Network-based identification and authentication          Connection to an authentication server on the LAN   LDAP server
Protection of scanner output on network                  Connection to an SMTP server on the LAN             SMTP server
Table 4 Optional non-TOE components

1.5 TOE Overview
This section defines the TOE Type, TOE Usage and Major Security Features of the TOE.

1.5.1 TOE Type
This TOE is a Digital Multi-Function Printer (MFP), which is an IT device that inputs, stores, and outputs electronic and hardcopy documents.

1.5.2 TOE Usage
The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section.
As shown in Figure 1, the TOE is connected to its operational environment through a local area network (hereafter "LAN") and the public switched telephone network (PSTN). Other elements of the TOE’s operational environment include a remote fax machine, an SMTP server, an Audit Server, and a user’s client computer. Users can operate the TOE from the Operation Panel of the TOE or through LAN communications. Each element is described in this section.

[Figure 1: diagram of the operational environment. The Target of Evaluation (MultiFunction Printer) is connected to the Local Area Network (LAN) together with a client computer (printer driver, fax driver, web browser), an SMTP server, a syslog server, an LDAP server, an NTP server, an FTP server, and a firewall that separates the LAN from the Internet; the TOE is also connected over the PSTN (public switched telephone network) to a remote fax machine.]
Figure 1 Example of TOE Environment

1.5.2.1 Multifunction Printer (MFP)
This is the TOE.
Users can perform the following operations from the Operation Panel of the MFP:
• Configuration of the MFP,
• Copying, faxing, storage, and network transmission of paper documents,
• Printing, faxing, network transmission, and deletion of the stored documents,
• Receiving fax documents via telephone lines and storing them as documents.

1.5.2.2 LAN
Network used in the TOE environment.

1.5.2.3 Client computer
A computer that acts as a client of the TOE via the LAN. Users can remotely operate the MFP from the client computer:
• Various settings for the MFP using a Web browser installed on the client computer,
• Operation of stored documents using a Web browser installed on the client computer,
• Storage and/or printing of documents using the printer driver installed on the client computer,
• Faxing documents using the fax driver installed on the client computer.

1.5.2.4 PSTN line
A connection to a public switched telephone network for the TOE to communicate with external fax machines.

1.5.2.5 Firewall
A device to protect the LAN from Internet threats.

1.5.2.6 SMTP Server
An external IT entity used by the TOE for e-mail transmission.

1.5.2.7 syslog Server
An external IT entity used by the TOE for audit log storage.

1.5.2.8 LDAP server
An external IT entity used by the TOE for network authentication of users.

1.5.2.9 FTP server
An external IT entity used by the TOE to receive and store user documents.

1.5.3 Major Security Features of TOE
The TOE stores documents internally, and sends and receives documents to and from the IT devices connected to the LAN.
To ensure confidentiality and integrity for those documents, the TOE has the following security features:
• Identification and Authentication
• Use-of-Feature Authorization
• Access Control
• Stored Data Encryption
• Trusted Communications
• Administrative Roles
• Auditing
• Trusted Operation
• PSTN Fax-Network Separation

1.6 TOE Description
This section describes the Physical Boundary of the TOE, Hardware components, Logical Boundary of the TOE, TOE Functions, and Guidance Documents.

1.6.1 Physical Boundary of TOE
The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, (optional) Fax Controller Unit, Controller Board, HDD, Ic Ctlr, Network Unit, USB Port, and SD Card Slot. The MFP also includes software components. These components comprise a physically large product that is delivered at once by a delivery company to users, and it is often set up with the assistance of a customer engineer.

[Figure 2: hardware block diagram with the TOE shown as the shaded area. It contains the Operation Panel Unit (Operation Panel Control Board), the Fax Control Unit, the Engine Unit (Scanner Engine, Printer Engine, Engine Control Board), the Controller Board (Processor, RAM, NVRAM, Ic Key, Flash ROM), the HDD, the Ic Ctlr, the Network Unit, the SD Card Interface and the USB Port. External inputs and outputs are user interaction, paper documents (in and out) and fax documents via the PSTN.]
Figure 2 Hardware Configuration of the TOE

1.6.2 Hardware components

1.6.2.1 Controller Board
The Controller Board is a device that contains Processors, RAM, NVRAM, Ic Key, and FlashROM.
The Controller Board sends and receives information to control the MFP. The information is processed by the MFP Control Software. The following describes the components of the Controller Board:

1.6.2.1.1 Processor
A semiconductor chip that performs basic computer processing for MFP operations.

1.6.2.1.2 RAM
A volatile memory medium which is used as a working area for image processing such as compressing/decompressing the image data. It is also used to temporarily read and write internal information.

1.6.2.1.3 NVRAM
A non-volatile memory medium in which TSF data for configuring MFP operations is stored. The NVRAM is a field-replaceable non-volatile storage device, and is claimed as such in this document.

1.6.2.1.4 Ic Key
A hardware security module which provides true random number generation and protected storage.

1.6.2.1.5 FlashROM
A non-volatile memory medium in which the MFP Control Software is installed.

1.6.2.2 Operation Panel
The Operation Panel consists of an LCD touch screen user interface and LED indicators that are controlled by Operation Panel Control Software installed on the Operation Panel Control Board. The Operation Panel Control Software performs the following:
1. Transfers operation instructions from the LCD touch screen to the Controller Board.
2. Controls the LED indicators and displays information on the LCD touch screen according to display instructions from the MFP Control Software.
The Operation Panel utilizes Linux 3.18 on an ARM Cortex-A9 Quad Core processor.
1.6.2.3 Engine Unit
The Engine Unit consists of a Scanner Engine which scans paper documents, and a Printer Engine that prints and ejects paper documents, both controlled by the Engine Control Software installed on the Engine Control Board. The Engine Control Software sends status information about the Scanner Engine and Printer Engine to the Controller Board, and operates the Scanner Engine or Printer Engine according to instructions from the MFP Control Software.

1.6.2.4 Fax Controller Unit (FCU)
The Fax Controller Unit consists of a modem which sends and receives fax data to and from other fax devices using the G3 standard for communication. FCU Control Software installed on the Fax Controller Unit operates the modem and exchanges fax data according to instructions from the MFP Control Software. The Fax Controller Unit type M37 utilizes the RU30 processor in its operation.

1.6.2.5 HDD
The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of Normal Users. The HDD is a field-replaceable non-volatile storage device, and is claimed as such in this document.

1.6.2.6 Ic Ctlr
The Ic Ctlr is a board that implements data encryption and decryption functions for data stored on the HDD.

1.6.2.7 Network Unit
The Network Unit is an external interface to an Ethernet LAN.

1.6.2.8 USB Port
The USB Port is an external interface to connect a client computer to the TOE for printing directly from the client computer. During installation, this interface is disabled.

1.6.2.9 SD Card Slot
There are two SD Card Slots, one for customer engineers and one for users.
The SD Card Slot for customer engineers is used when the customer engineer installs the TOE. A cover is placed on the SD Card Slot during TOE operation so that an SD Card cannot be inserted into or removed from the slot.
The SD Card Slot for users is used by users to print documents stored on an SD Card. The slot is set to disabled at installation.

1.6.3 Logical Boundary of the TOE
The Basic Functions and Security Functions are described as follows:

[Figure 3: logical boundary diagram. Inside the logical TOE boundary, basic functions: Copy, Document Server, Printer, Fax, Scanner, Management Functions, and Web Image Monitor; security functions: Identification and Authentication, Use-of-Feature Authorization, Access Control, Stored Data Encryption, Audit, Trusted Operation, Trusted Communications, Security Management, and PSTN Fax Line Separation. Outside the boundary: the HDD, Normal Users (via Operation Panel, print or fax driver, and web browser), Administrator and Supervisor (via Operation Panel and web browser), the SMTP server, syslog server, LDAP server, NTP server, FTP server, and remote fax machine.]
Figure 3 Logical Boundary of the TOE

1.6.4 Basic Functions

1.6.4.1 Copy Function
The Copy Function scans paper documents to be printed.

1.6.4.2 Printer Function
The Printer Function prints or stores documents received from a printer driver installed on the client computer, and prints or deletes previously stored documents on command from the Operation Panel or the client computer’s web browser.

1.6.4.3 Scanner Function
The Scanner Function scans paper documents and then transmits and deletes the scanned images, on command from the Operation Panel.

1.6.4.4 Fax Function
The Fax Function consists of a Fax Transmission Function and a Fax Reception Function.
Both functions exchange documents according to the Group 3 standard over a Public Switched Telephone Network (PSTN).
The Fax Transmission Function sends scanned images of paper documents, or images of electronic documents from a client computer, to external fax devices.
The Fax Reception Function receives documents from external fax devices, and stores them in the TOE.

1.6.4.5 Document Server Function
The Document Server Function performs operations on persistently stored documents in the TOE.
From the Operation Panel, users can store, print and delete Document Server documents.
From a client computer, users can print and delete Document Server documents.

1.6.4.6 Management Function
The Management Function allows authorized users to configure the TOE's operation. The management function can be accessed from the Operation Panel or a client computer. Security Management functions can be accessed only by Administrators.

1.6.4.7 Web Image Monitor Function
The Web Image Monitor Function (hereafter "WIM") allows authorized users to remotely control the TOE from a web browser on a client computer.

1.6.5 Security Functions
The Security Functions are described as follows:

1.6.5.1 Identification and Authentication
User identification, authentication, and authorization ensure that functions of the TOE are accessible only to Users who have been authorized by an Administrator. User identification and authentication is also used as the basis for access control and administrative roles and helps associate security-relevant events and TOE use with specific Users. Identification and authentication is performed by the TOE. User’s credentials can be entered locally on the Operation Panel, through WIM login, through print or fax drivers, or using network authentication services.
1.6.5.2 Use-of-Feature Authorization
The Use-of-Feature Restriction Function authorizes authenticated users to perform the operations of Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function, based on the user role and the permissions set by an Administrator for each user.

1.6.5.3 Access Control
Access controls ensure that documents, document processing job information, and security-relevant data are accessible only to authenticated users who have appropriate access permissions.

1.6.5.4 Stored Data Encryption
The Stored Data Protection Function encrypts data on the HDD and in NVRAM to protect documents and confidential system information if those devices are removed from the TOE. Keychains for both devices are described in this document.

1.6.5.5 Trusted Communications
Trusted communication paths are established to ensure that communications with the TOE are performed with known endpoints. Data encryption ensures that data assets cannot be accessed while in transit on the LAN.

1.6.5.6 Administrative Roles
Role-based access controls ensure that the ability to configure the security settings of the TOE is available only to Users who have been authorized with an Administrator role.

1.6.5.7 Auditing
Audit logs are generated by the TOE to ensure that security-relevant events and TOE use can be monitored by authorized personnel. The TOE generates audit logs and securely transmits them to an External IT entity for storage. While stored in the TOE, audit logs are protected from unauthorized access and modification.
1.6.5.8 Trusted Operation
The Software Verification Function verifies the integrity and authenticity of MFP Control Software, FCU Control Software, and Operation Panel Control Software, before applying updates. Power-on self-tests are performed to ensure that TOE operation is not disrupted by detectable malfunction.

1.6.5.9 PSTN Fax-Line Separation
The Fax Line Separation Function restricts information received from or transmitted to the telephone network to only fax data and fax protocols. It ensures that the fax modem cannot be used to bridge to the LAN.

1.6.5.10 Image Overwrite
The Image Overwrite Function actively overwrites residual image data stored on the HDD after a Document Processing job has been completed or cancelled.

1.6.6 Functions supported but not evaluated
The following functions supported by the TOE are not included in this evaluation:
• Fax over IP
• Store while copying documents
• Store while sending documents by fax
• Menu Protect
• PDF Group Passwords
• SMTP Authentication
• File Transfer Authentication
• Erase All Memory

1.6.7 Guidance Documents
A common set of guidance documents is provided for the TOE. Selection of a particular guidance document set depends on the print speed and sales region, and they are identified in the Notes for Administrators document.
Paper manuals supplied with the TOE:
• Safe Use of This Machine
• For Users of This Product
• Notes for Users
• Software License Agreement
Online manuals available for the TOE:
• Safety Information
• User Guide
  o Setup
  o Introduction and Basic Operations
  o Copy
  o Document Server
  o Fax
  o Scan
  o Printer
  o Maintenance
  o Troubleshooting
  o Settings
  o Specifications
  o Security
  o Driver Installation Guide
• Security Reference
• Notes for Administrators v1.0: Using This Machine in a Network Environment Compliant with Protection Profile for Hardcopy Devices PP_HCD_V1.0
A complete list of manuals as they apply to all TOE variants is provided in the Notes for Administrators document. URLs for online manuals are provided in the paper manual, Safe Use of This Machine, which is supplied with the TOE.
2 ST Conformance Claims (ASE_CCL)

2.1 Common Criteria (CC) conformance claims

The CC conformance claim of this ST and TOE is as follows:
• Part 1: Introduction and general model, Version 3.1 Revision 5, CCMB-2017-04-001
• Part 2: Security functional components, Version 3.1 Revision 5, CCMB-2017-04-002: extended
• Part 3: Security assurance components, Version 3.1 Revision 5, CCMB-2017-04-003: conformant (EAL1)

2.2 Protection Profile (PP) conformance claims

The PP to which this ST and TOE are strictly conformant and exactly compliant is:
• PP Name: Protection Profile for Hardcopy Devices
• PP Version: 1.0, dated 2015-09-11

The ST and TOE also address all of the NIAP Technical Decisions that apply to the PP:
• TD0074 FCS_CKM.1(a) Requirement in HCD PP v1.0
• TD0157 FCS_IPSEC_EXT.1.1 - Testing SPDs
• TD0176 FDP_DSK_EXT.1.2 - SED Testing
• TD0219 NIAP Endorsement of Errata for HCD PP v1.0 (Errata #1, June 2017)
• TD0253 Assurance Activities for Key Transport
• TD0261 Destruction of CSPs in flash
• TD0299 Update to FCS_CKM.4 Assurance Activities
• TD0393 Require FTP_TRP.1(b) only for printing
• TD0474 Removal of Mandatory Cipher Suite in FCS_TLS_EXT.1

Hereafter, the PP and applicable Technical Decisions are referred to collectively as “HCD PP v1.0”.
The TOE claims conformance with the following essential, additional, and optional uses as specified in the PP:

Category | Feature | Conformance
Essential Uses | Scanning | Claimed
Essential Uses | Printing | Claimed
Essential Uses | Copying | Claimed
Essential Uses | Network Communications | Claimed
Essential Uses | Administration | Claimed
Additional Uses | PSTN Faxing | Claimed
Additional Uses | Storage and Retrieval | Claimed
Additional Uses | Field-Replaceable Nonvolatile Storage | Claimed
Optional Uses | Internal Audit Log Storage | Claimed
Optional Uses | Image Overwrite | Claimed
Optional Uses | Purge Data | Not Claimed
Table 5 Protection Profile claims

2.3 Conformance Claim Rationale

2.3.1.1 Consistency Claim with TOE Type in this PP

In this PP, a conforming product must support at least one of the job functions printing, scanning, or copying, and must support the functions network communications and administration.

The TOE is a product that supports printing, scanning, copying, network communications, and administration functions, as required by the PP.

2.3.2 Consistency Claim with Security Problems and Security Objectives in PP

The TOE is exactly compliant with the Security Problems and Security Objectives in this PP.

2.3.3 Consistency Claim with Security Requirements in PP

The TOE is exactly compliant with the Security Requirements in this PP.

3 Security Problem Definitions (ASE_SPD)

This section describes Threats, Organizational Security Policies and Assumptions.

3.1 Users

There are two categories of Users defined in this ST, Normal and Admin. There are two Admin sub-roles.

Designation | Name | Definition
U.NORMAL | Normal User | A User who has been identified and authenticated and does not have an administrative role
U.ADMIN | Administrator | A User who has been identified and authenticated and has an administrative role
U.ADMIN.SUP | MFP Supervisor | Sub-role of U.ADMIN
U.ADMIN.MFP | MFP Administrator | Sub-role of U.ADMIN
Table 6 User categories

A pseudo-user role, Customer Engineer, can be enabled by an Administrator for use by an authorized service representative. It is normally disabled, as it is in the evaluated configuration.

3.2 Assets

Assets are passive entities in the TOE that contain or receive information. In this PP, Assets are Objects (as defined by the CC). There are two categories of Assets defined in this PP:

Designation | Asset category | Definition
D.USER | User Data | Data created by and for Users that do not affect the operation of the TSF
D.TSF | TSF Data | Data created by and for the TOE that might affect the operation of the TSF
Table 7 Asset categories

There are no additional Asset categories defined in this ST.

3.2.1 User Data

User Data are composed of two types:

Designation | User Data type | Definition
D.USER.DOC | User Document Data | Information contained in a User’s Document, in electronic or hardcopy form
D.USER.JOB | User Job Data | Information related to a User’s Document or Document Processing Job
Table 8 User Data types

There are no additional types of User Data defined in this ST. Attributes associate documents and document processing jobs with the document processing functions of the TOE:

Document processing function | Attribute
Printing | +PRT
Copying | +CPY
Scanning | +SCN
Document Storage/Retrieval | +DSR
Fax (reception) | +FAXIN
Fax (transmission) | +FAXOUT
Table 9 Document and Job Attributes
3.2.2 TSF Data

TSF Data are composed of two types:

Designation | TSF Data type | Definition
D.TSF.PROT | Protected TSF Data | TSF Data for which alteration by a User who is neither the data owner nor in an Administrator role might affect the security of the TOE, but for which disclosure is acceptable
D.TSF.CONF | Confidential TSF Data | TSF Data for which either disclosure or alteration by a User who is neither the data owner nor in an Administrator role might affect the security of the TOE
Table 10 TSF Data types

There are no additional types of TSF Data defined in this ST.

3.2.2.1 Protected TSF Data

D.TSF.PROT is composed of the following data:
• Login user name
• Number of Attempts before Lockout
• Settings for Lockout Release Timer
• Lockout time
• Date settings (year/month/day)
• Time settings
• Minimum Character No.
• Password Complexity Setting
• Operation Panel auto logout time
• WIM auto logout time
• Stored Reception File User
• Document user list
• Available function list
• User authentication method
• Device Certificate
• Network settings
• Audit transfer settings
• TOE Software
Table 11 Data in D.TSF.PROT

3.2.2.2 Confidential TSF Data

In this ST, D.TSF.CONF is composed of the following data:
• Login password
• Audit log
• HDD cryptographic key
Table 12 Data in D.TSF.CONF

3.3 Threat definitions

The following threats are mitigated by this TOE:

T.UNAUTHORIZED_ACCESS: An attacker may access (read, modify, or delete) User Document Data or change (modify or delete) User Job Data in the TOE through one of the TOE’s interfaces.
T.TSF_COMPROMISE: An attacker may gain Unauthorized Access to TSF Data in the TOE through one of the TOE’s interfaces.
T.TSF_FAILURE: A malfunction of the TSF may cause loss of security if the TOE is permitted to operate.
T.UNAUTHORIZED_UPDATE: An attacker may cause the installation of unauthorized software on the TOE.
T.NET_COMPROMISE: An attacker may access data in transit or otherwise compromise the security of the TOE by monitoring or manipulating network communication.
Table 13 Threats

3.4 Organizational Security Policies

The following Organizational Security Policies (OSPs) are enforced by this TOE:

P.AUTHORIZATION: Users must be authorized before performing Document Processing and administrative functions.
P.AUDIT: Security-relevant activities must be audited and the log of such actions must be protected and transmitted to an External IT Entity.
P.COMMS_PROTECTION: The TOE must be able to identify itself to other devices on the LAN.
P.STORAGE_ENCRYPTION (conditionally mandatory): If the TOE stores User Document Data or Confidential TSF Data on Field-Replaceable Nonvolatile Storage Devices, it will encrypt such data on those devices.
P.KEY_MATERIAL (conditionally mandatory): Cleartext keys, submasks, random numbers, or any other values that contribute to the creation of encryption keys for Field-Replaceable Nonvolatile Storage of User Document Data or Confidential TSF Data must be protected from unauthorized access and must not be stored on that storage device.
P.FAX_FLOW (conditionally mandatory): If the TOE provides a PSTN fax function, it will ensure separation between the PSTN fax line and the LAN.
P.IMAGE_OVERWRITE (optional): Upon completion or cancellation of a Document Processing job, the TOE shall overwrite residual image data from its Field-Replaceable Nonvolatile Storage Device.
Table 14 Organizational Security Policies

3.5 Assumptions

The following assumptions must be satisfied in order for the Security Objectives and Security Functional Requirements to be effective:

A.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it stores or processes, is assumed to be provided by the environment.
A.NETWORK: The Operational Environment is assumed to protect the TOE from direct, public access to its LAN interface.
A.TRUSTED_ADMIN: TOE Administrators are trusted to administer the TOE according to site security policies.
A.TRAINED_USERS: Authorized Users are trained to use the TOE according to site security policies.
Table 15 Assumptions

4 Security Objectives (ASE_OBJ)

4.1 Security Objectives for the TOE

The following Security Objectives are satisfied by this TOE:

O.USER_I&A: The TOE shall perform identification and authentication of Users for operations that require access control, User authorization, or Administrator roles.
O.ACCESS_CONTROL: The TOE shall enforce access controls to protect User Data and TSF Data in accordance with security policies.
O.USER_AUTHORIZATION: The TOE shall perform authorization of Users in accordance with security policies.
O.ADMIN_ROLES: The TOE shall ensure that only authorized Administrators are permitted to perform administrator functions.
O.UPDATE_VERIFICATION: The TOE shall provide mechanisms to verify the authenticity of software updates.
O.TSF_SELF_TEST: The TOE shall test some subset of its security functionality to help ensure that subset is operating properly.
O.COMMS_PROTECTION: The TOE shall have the capability to protect LAN communications of User Data and TSF Data from Unauthorized Access, replay, and source/destination spoofing.
O.AUDIT: The TOE shall generate audit data, and be capable of sending it to a trusted External IT Entity. Optionally, it may store audit data in the TOE.
O.STORAGE_ENCRYPTION (conditionally mandatory): If the TOE stores User Document Data or Confidential TSF Data in Field-Replaceable Nonvolatile Storage devices, then the TOE shall encrypt such data on those devices.
O.KEY_MATERIAL (conditionally mandatory): The TOE shall protect from unauthorized access any cleartext keys, submasks, random numbers, or other values that contribute to the creation of encryption keys for storage of User Document Data or Confidential TSF Data in Field-Replaceable Nonvolatile Storage Devices; the TOE shall ensure that such key material is not stored in cleartext on the storage device that uses that material.
O.FAX_NET_SEPARATION (conditionally mandatory): If the TOE provides a PSTN fax function, then the TOE shall ensure separation of the PSTN fax telephone line and the LAN, by system design or active security function.
O.IMAGE_OVERWRITE (optional): Upon completion or cancellation of a Document Processing job, the TOE shall overwrite residual image data in its Field-Replaceable Nonvolatile Storage Devices.
Table 16 Security Objectives for the TOE

4.2 Security Objectives for the Operational Environment

The following Security Objectives must be satisfied by the TOE’s Operational Environment.

OE.PHYSICAL_PROTECTION: The Operational Environment shall provide physical security, commensurate with the value of the TOE and the data it stores or processes.
OE.NETWORK_PROTECTION: The Operational Environment shall provide network security to protect the TOE from direct, public access to its LAN interface.
OE.ADMIN_TRUST: The TOE Owner shall establish trust that Administrators will not use their privileges for malicious purposes.
OE.USER_TRAINING: The TOE Owner shall ensure that Users are aware of site security policies and have the competence to follow them.
OE.ADMIN_TRAINING: The TOE Owner shall ensure that Administrators are aware of site security policies and have the competence to use the manufacturer’s guidance to correctly configure the TOE and protect passwords and keys accordingly.
Table 17 Security Objectives for the Operational Environment

4.3 Security Objectives rationale

The following table maps threats, OSPs, and assumptions to their respective Security Objectives.

T.UNAUTHORIZED_ACCESS
  Threat: An attacker may access (read, modify, or delete) User Document Data or change (modify or delete) User Job Data in the TOE through one of the TOE’s interfaces.
  Rationale: O.ACCESS_CONTROL restricts access to User Data in the TOE to authorized Users. O.USER_I&A provides the basis for access control. O.ADMIN_ROLES restricts the ability to authorize Users and set access controls to authorized Administrators.

T.TSF_COMPROMISE
  Threat: An attacker may gain Unauthorized Access to TSF Data in the TOE through one of the TOE’s interfaces.
  Rationale: O.ACCESS_CONTROL restricts access to TSF Data in the TOE to authorized Users. O.USER_I&A provides the basis for access control. O.ADMIN_ROLES restricts the ability to authorize Users and set access controls to authorized Administrators.

T.TSF_FAILURE
  Threat: A malfunction of the TSF may cause loss of security if the TOE is permitted to operate.
  Rationale: O.TSF_SELF_TEST prevents the TOE from operating if a malfunction is detected.

T.UNAUTHORIZED_UPDATE
  Threat: An attacker may cause the installation of unauthorized software on the TOE.
  Rationale: O.UPDATE_VERIFICATION verifies the authenticity of software updates.

T.NET_COMPROMISE
  Threat: An attacker may access data in transit or otherwise compromise the security of the TOE by monitoring or manipulating network communication.
  Rationale: O.COMMS_PROTECTION protects LAN communications from sniffing, replay, and man-in-the-middle attacks.

P.AUTHORIZATION
  Policy: Users must be authorized before performing Document Processing and administrative functions.
  Rationale: O.USER_AUTHORIZATION restricts the ability to perform Document Processing and administrative functions to authorized Users. O.USER_I&A provides the basis for authorization. O.ADMIN_ROLES restricts the ability to authorize Users to authorized Administrators.

P.AUDIT
  Policy: Security-relevant activities must be audited and the log of such actions must be protected and transmitted to an External IT Entity.
  Rationale: O.AUDIT requires the generation of audit data. O.ACCESS_CONTROL restricts access to audit data in the TOE to authorized Users. O.USER_AUTHORIZATION provides the basis for authorization.

P.COMMS_PROTECTION
  Policy: The TOE must be able to identify itself to other devices on the LAN.
  Rationale: O.COMMS_PROTECTION protects LAN communications from man-in-the-middle attacks.

P.STORAGE_ENCRYPTION (conditionally mandatory)
  Policy: If the TOE stores User Document Data or Confidential TSF Data on Field-Replaceable Nonvolatile Storage Devices, it will encrypt such data on those devices.
  Rationale: O.STORAGE_ENCRYPTION protects User Document Data and Confidential TSF Data stored in Field-Replaceable Nonvolatile Storage Devices from exposure if a device has been removed from the TOE and its Operational Environment.

P.KEY_MATERIAL (conditionally mandatory)
  Policy: Cleartext keys, submasks, random numbers, or any other values that contribute to the creation of encryption keys for Field-Replaceable Nonvolatile Storage of User Document Data or Confidential TSF Data must be protected from unauthorized access and must not be stored on that storage device.
  Rationale: O.KEY_MATERIAL protects keys and key material from unauthorized access and ensures that key material is not stored in cleartext on the device that uses that material for its own encryption.

P.FAX_FLOW (conditionally mandatory)
  Policy: If the TOE provides a PSTN fax function, it will ensure separation between the PSTN fax line and the LAN.
  Rationale: O.FAX_NET_SEPARATION requires a separation between the PSTN fax line and the LAN.

P.IMAGE_OVERWRITE (optional)
  Policy: Upon completion or cancellation of a Document Processing job, the TOE shall overwrite residual image data from its Field-Replaceable Nonvolatile Storage Device.
  Rationale: O.IMAGE_OVERWRITE overwrites residual image data from Field-Replaceable Nonvolatile Storage Devices after Document Processing jobs are completed or cancelled.

A.PHYSICAL
  Assumption: Physical security, commensurate with the value of the TOE and the data it stores or processes, is assumed to be provided by the environment.
  Rationale: OE.PHYSICAL_PROTECTION establishes a protected physical environment for the TOE.

A.NETWORK
  Assumption: The Operational Environment is assumed to protect the TOE from direct, public access to its LAN interface.
  Rationale: OE.NETWORK_PROTECTION establishes a protected LAN environment for the TOE.

A.TRUSTED_ADMIN
  Assumption: TOE Administrators are trusted to administer the TOE according to site security policies.
  Rationale: OE.ADMIN_TRUST establishes the responsibility of the TOE Owner to have a trusted relationship with Administrators.

A.TRAINED_USERS
  Assumption: Authorized Users are trained to use the TOE according to site security policies.
  Rationale: OE.ADMIN_TRAINING establishes the responsibility of the TOE Owner to provide appropriate training for Administrators. OE.USER_TRAINING establishes the responsibility of the TOE Owner to provide appropriate training for Users.

Table 18 Security Objectives rationale
5 Extended Component Definitions (ASE_ECD)

This ST uses extended components that are defined in HCD PP v1.0 and in the claimed Technical Decisions and Errata. No additional extended components are defined for this ST.

6 Security Functional Requirements (ASE_REQ)

6.1 Notational conventions

Bold typeface indicates the portion of an SFR that has been completed or refined in the Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition.

Italic typeface indicates the portion of an SFR that has been completed for this Security Target.

Bold italic typeface indicates the portion of an SFR that has been partially completed or refined in the Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition, and which also has been completed for this Security Target.

SFR components that are followed by a letter in parentheses, e.g., (a), (b), …, represent required iterations. This Security Target uses the iteration identifiers that are used in the Protection Profile; therefore, they may not be sequential in this Security Target.

SFR components that are followed by an identifier in square brackets, e.g., [1], [2], …, represent iterations that have been added for this Security Target. In some cases, they may be combined with the (letter) designation of required iterations, e.g., FCS_COP.1 (d)[1], FCS_COP.1 (d)[2], … .

Extended components are identified by “_EXT” following the SFR name.

6.2 Class FAU: Security Audit

6.2.1 FAU_GEN.1 Audit data generation
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) All auditable events specified in Table 19, [no other specifically defined auditable events].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, additional information specified in Table 19, [no other audit relevant information].

Auditable event | Relevant SFR | Additional information
Job completion | FDP_ACF.1 | Type of job
Unsuccessful User authentication | FIA_UAU.1 | None
Unsuccessful User identification | FIA_UID.1 | None
Use of management functions | FMT_SMF.1 | None
Modification to the group of Users that are part of a role | FMT_SMR.1 | None
Changes to the time | FPT_STM.1 | None
Failure to establish session | FTP_ITC.1, FTP_TRP.1(a), FTP_TRP.1(b) | Reason for failure
Table 19 Auditable Events

Application Note:
In cases where user identification events are inseparable from user authentication events, they may be considered to be a single event for audit purposes.
Regarding FMT_SMR.1, if the relationship between users and roles is not modifiable, its auditable event cannot be generated and the requirement to generate an audit record can be ignored.
The ST author can include other auditable events directly in the table; they are not limited to the list presented.

Assurance Activity:
TSS:
The evaluator shall check the TOE Summary Specification (TSS) to ensure that the auditable events and their recorded information are consistent with the definition of the SFR.
Operational Guidance:
The evaluator shall check the guidance documents to ensure that the auditable events and their recorded information are consistent with the definition of the SFRs.
Test:
The evaluator shall also perform the following tests:
The evaluator shall check to ensure that the audit record of each of the auditable events described in Table 19 is appropriately generated.
The evaluator shall check a representative sample of methods for generating auditable events, if there are multiple methods.
The evaluator shall check that FIA_UAU.1 events have been generated for each mechanism, if there are several different I&A mechanisms.

6.2.2 FAU_GEN.2 User identity association
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

Assurance Activity:
The Assurance Activities for FAU_GEN.1 address this SFR.

6.2.3 FAU_SAR.1 Audit review
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.1.1 The TSF shall provide [U.ADMIN] with the capability to read all records from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

Assurance Activity:
The following assurance activities are required when storing audit records inside the TOE.
TSS:
The evaluator shall check to ensure that the TSS contains a description stating that audit records can be viewed only by authorized users, and of the functions used to view audit records.
The evaluator shall check to ensure that the TSS contains a description of the methods of using the interfaces that retrieve audit records (e.g., methods for user identification and authentication, authorization, and retrieving audit records).
Operational Guidance:
The evaluator shall check to ensure that the operational guidance appropriately describes the ways of viewing audit records and the forms in which they are viewed.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that the forms of audit records are provided as specified in the operational guidance by retrieving audit records in accordance with the operational guidance.
2. The evaluator shall check to ensure that no users other than authorized users can retrieve audit records.
3. The evaluator shall check to ensure that all audit records are retrieved by the operation of retrieving audit records.

6.2.4 FAU_SAR.2 Restricted audit review
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

Assurance Activity:
Test:
The evaluator shall include tests related to this function in the set of tests performed in FMT_SMF.1.
6.2.5 FAU_STG.1 Protected audit trail storage
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to prevent unauthorised modifications to the stored audit records in the audit trail.

Assurance Activity:
The following assurance activities are required when storing audit records inside the TOE.
TSS:
The evaluator shall check to ensure that the TSS contains a description of the means of protecting audit records from unauthorized access (modification, deletion).
Operational Guidance:
The evaluator shall check to ensure that the TSS and operational guidance contain descriptions of the interfaces used to access audit records, and that their descriptions of the means of protecting audit records from unauthorized access (modification, deletion) are consistent.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall test that an authorized user can access the audit records.
2. The evaluator shall test that a user without authorization for the audit data cannot access the audit records.

6.2.6 FAU_STG_EXT.1 Extended: External Audit Trail Storage
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel.

FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity using a trusted channel according to FTP_ITC.1.

Assurance Activity:
TSS:
The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. Testing of the trusted channel mechanism will be performed as specified in the associated assurance activities for the particular trusted channel mechanism.
The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and “cleared” periodically by sending the data to the audit server?
Operational Guidance:
The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), and the configuration of the TOE needed to communicate with the audit server.
Test:
The evaluator shall perform the following test for this requirement:
Test 1: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator’s choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data cannot be viewed in the clear during this transfer, and that they are successfully received by the audit server. The evaluator shall record the particular software (name, version) used on the audit server during testing.

6.2.7 FAU_STG.4 Prevention of audit data loss
(for O.AUDIT)
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.4.1 Refinement: The TSF shall [overwrite the oldest stored audit records] and [no other actions] if the audit trail is full.

Assurance Activity:
The following assurance activities are required when storing audit records inside the TOE.
TSS:
The evaluator shall check to ensure that the TSS contains a description of the processing performed when the capacity of audit records becomes full, which is consistent with the definition of the SFR.
Operational Guidance:
The evaluator shall check to ensure that the operational guidance contains a description of the processing performed (such as informing the authorized users) when the capacity of audit records becomes full.
Test:
The evaluator shall also perform the following tests:
1. The evaluator generates auditable events after the capacity of audit records becomes full, by generating auditable events in accordance with the operational guidance.
2. The evaluator shall check to ensure that the processing defined in the SFR is appropriately performed on the audit records.

6.3 Class FCO: Communication

There are no class FCO requirements.
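Read together, the FAU requirements above form a small specification: every record carries the FAU_GEN.1.2 fields and the per-event additional information of Table 19, review is limited to U.ADMIN (FAU_SAR.1, FAU_SAR.2), stored records cannot be deleted or modified through the review interface (FAU_STG.1), and a full trail overwrites its oldest records (the FAU_STG.4 selection in this ST). The following Go program is an added example written for this page to make those rules concrete; it is not code from the TOE or its vendor. The event names are taken from Table 19 and FAU_GEN.1.1 a); the record layout, the fixed capacity and the sample events are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role mirrors the user categories of Table 6: U.NORMAL and U.ADMIN.
type Role int

const (
	UNormal Role = iota
	UAdmin
)

// Record holds the fields FAU_GEN.1.2 requires in every audit record
// (date/time, event type, subject identity, outcome) plus the per-event
// "additional information" column of Table 19.
type Record struct {
	Time    time.Time
	Event   string
	Subject string // empty when no identified user caused the event (FAU_GEN.2)
	Success bool
	Extra   string
}

// auditable lists the Table 19 events (plus audit start-up/shutdown from
// FAU_GEN.1.1 a) and the additional information each must carry; "" = none.
var auditable = map[string]string{
	"Start-up of the audit functions":                            "",
	"Shutdown of the audit functions":                            "",
	"Job completion":                                             "Type of job",
	"Unsuccessful User authentication":                           "",
	"Unsuccessful User identification":                           "",
	"Use of management functions":                                "",
	"Modification to the group of Users that are part of a role": "",
	"Changes to the time":                                        "",
	"Failure to establish session":                               "Reason for failure",
}

// Trail is a fixed-capacity audit store. Its only write path is Generate;
// there is no delete or modify operation (FAU_STG.1), and when the trail is
// full the oldest record is overwritten (the FAU_STG.4 selection in this ST).
type Trail struct {
	buf   []Record
	start int // index of the oldest record
	n     int // number of records currently stored
}

func NewTrail(capacity int) *Trail {
	return &Trail{buf: make([]Record, capacity)}
}

// Generate records one auditable event, rejecting events outside the table
// and events that lack their mandatory additional information.
func (t *Trail) Generate(now time.Time, event, subject string, success bool, extra string) error {
	need, ok := auditable[event]
	if !ok {
		return fmt.Errorf("not an auditable event: %q", event)
	}
	if need != "" && extra == "" {
		return fmt.Errorf("%s requires additional information (%s)", event, need)
	}
	r := Record{Time: now, Event: event, Subject: subject, Success: success, Extra: extra}
	if t.n < len(t.buf) {
		t.buf[(t.start+t.n)%len(t.buf)] = r
		t.n++
		return nil
	}
	t.buf[t.start] = r                   // full: overwrite the oldest record ...
	t.start = (t.start + 1) % len(t.buf) // ... and the next-oldest becomes the head
	return nil
}

// ErrNotAuthorized is returned when a user without explicit read access asks for the trail (FAU_SAR.2).
var ErrNotAuthorized = errors.New("audit review is restricted to U.ADMIN")

// Read returns every stored record, oldest first, and only to U.ADMIN (FAU_SAR.1.1).
func (t *Trail) Read(role Role) ([]Record, error) {
	if role != UAdmin {
		return nil, ErrNotAuthorized
	}
	out := make([]Record, 0, t.n)
	for i := 0; i < t.n; i++ {
		out = append(out, t.buf[(t.start+i)%len(t.buf)])
	}
	return out, nil
}

// Format renders a record in a form an administrator can interpret (FAU_SAR.1.2).
func Format(r Record) string {
	outcome := "failure"
	if r.Success {
		outcome = "success"
	}
	s := fmt.Sprintf("%s %s subject=%q outcome=%s", r.Time.UTC().Format(time.RFC3339), r.Event, r.Subject, outcome)
	if r.Extra != "" {
		s += " info=" + r.Extra
	}
	return s
}

func main() {
	tr := NewTrail(3)                                    // tiny capacity so the overwrite is visible
	t0 := time.Date(2019, 12, 19, 9, 0, 0, 0, time.UTC) // constructed timestamps
	_ = tr.Generate(t0, "Start-up of the audit functions", "", true, "")
	_ = tr.Generate(t0.Add(time.Minute), "Unsuccessful User authentication", "alice", false, "")
	_ = tr.Generate(t0.Add(2*time.Minute), "Job completion", "alice", true, "+PRT")
	_ = tr.Generate(t0.Add(3*time.Minute), "Failure to establish session", "", false, "TLS handshake failed")
	recs, _ := tr.Read(UAdmin)
	for _, r := range recs {
		fmt.Println(Format(r))
	}
	_, err := tr.Read(UNormal)
	fmt.Println("U.NORMAL read:", err)
}
```

Because the trail exposes no delete or update method, FAU_STG.1 holds by construction for callers of this type; in a real device the same property has to be enforced at every interface that can reach the storage, which is what the FAU_STG.1 assurance activity asks the evaluator to confirm.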
6.4 Class FCS: Cryptographic Support

6.4.1 FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

FCS_CKM.1.1(a) Refinement: The TSF shall generate asymmetric cryptographic keys used for key establishment in accordance with [NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for finite field-based key establishment schemes] and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.

Application Note:
The ST author selects the key generation scheme used for key establishment and device authentication. If multiple schemes are supported, then the ST author should iterate this component to capture this capability. When key generation is used for device authentication, the public key is expected to be associated with an X.509v3 certificate. If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
Since the domain parameters to be used are specified by the requirements of the protocol in this PP, it is not expected that the TOE will generate domain parameters, and therefore there is no additional domain parameter validation needed when the TOE complies with the protocols specified in this PP.
SP 800-56B references (but does not mandate) key generation according to FIPS 186-3. For purposes of compliance in this version of the HCD PP, RSA key pair generation according to FIPS 186-4 is allowed in order for the TOE to claim conformance to SP 800-56B.
The generated key strength of 2048-bit DSA and rDSA keys needs to be equivalent to, or greater than, a symmetric key strength of 112 bits. See NIST Special Publication 800-57, "Recommendation for Key Management" for information about equivalent key strengths.
Assurance Activity:
TSS:
The evaluator shall ensure that the TSS contains a description of how the TSF complies with 800-56A and/or 800-56B, depending on the selections made. This description shall indicate the sections in 800-56A and/or 800-56B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement.
Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described in the TSS.
The TSS may refer to the Key Management Description (KMD), described in Appendix F, which may not be made available to the public.
Test:
The evaluator shall use the key pair generation portions of "The FIPS 186-4 Digital Signature Algorithm Validation System (DSA2VS)", "The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)", and "The 186-4 RSA Validation System (RSA2VS)" as a guide in testing the requirement above, depending on the selection performed by the ST author. For the finite field-based selection made in this ST, the DSA2VS key pair generation tests are the applicable portion. This will require that the evaluator have a trusted reference implementation of the algorithms that can produce test vectors that are verifiable during the test.

6.4.2 FCS_CKM.1(b)[DAR] Cryptographic key generation (Symmetric Keys) [Data At Rest]
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(f) Cryptographic Operation (Key Encryption)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_CKM.1.1(b)[DAR] Refinement: The TSF shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes [256 bit] that meet the following: No Standard.
Application Note:
Symmetric keys may be used to generate keys along the key chain.
Assurance activity:
TSS:
The evaluator shall review the TSS to determine that it describes how the functionality described by FCS_RBG_EXT.1 is invoked.
KMD:
If the TOE is relying on random number generation from a third-party source, the KMD needs to describe the function call and parameters used when calling the third-party DRBG function. Also, the KMD needs to include a short description of the vendor's assumption for the amount of entropy seeding the third-party DRBG. The evaluator uses the description of the RBG functionality in FCS_RBG_EXT.1 or the KMD to determine that the key size being requested is identical to the key size and mode to be used for the encryption/decryption of the user data (FCS_COP.1(d)); in this ST both select 256-bit keys.

6.4.3 FCS_CKM.1(b)[DIM] Cryptographic key generation (Symmetric Keys) [Data In Motion]
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_CKM.1.1(b)[DIM] Refinement: The TSF shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes [128 bit, 256 bit] that meet the following: No Standard.
Application Note:
Symmetric keys may be used to generate keys along the key chain.
Assurance activity:
TSS:
The evaluator shall review the TSS to determine that it describes how the functionality described by FCS_RBG_EXT.1 is invoked.
KMD:
If the TOE is relying on random number generation from a third-party source, the KMD needs to describe the function call and parameters used when calling the third-party DRBG function. Also, the KMD needs to include a short description of the vendor's assumption for the amount of entropy seeding the third-party DRBG. The evaluator uses the description of the RBG functionality in FCS_RBG_EXT.1 or the KMD to determine that the key size being requested is identical to the key size and mode to be used for the encryption/decryption of the user data. For this [DIM] iteration that is the symmetric encryption/decryption of data in motion under FCS_COP.1(a), which lists the same 128-bit and 256-bit sizes; the PP's reference to FCS_COP.1(d) (data at rest) applies to the [DAR] iteration above.

6.4.4 FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private cryptographic keys and cryptographic critical security parameters when no longer needed.
Application Note:
"Cryptographic Critical Security Parameters" are defined in FIPS 140-2 as "security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module".
Keys, including intermediate keys and key material that are no longer needed, are destroyed by using an approved method, FCS_CKM.4.1. Examples of keys are intermediate keys, submasks, and the BEV. There may be instances where keys or key material that are contained in persistent storage are no longer needed and require destruction. Based on their implementation, vendors will explain when certain keys are no longer needed. There are multiple situations in which key material is no longer necessary; for example, a wrapped key may need to be destroyed when a password is changed. However, there are instances when keys are allowed to remain in memory, for example, a device identification key.
Assurance activity:
TSS:
The evaluator shall verify that the TSS provides a high-level description of what it means for keys and key material to be no longer needed and when they should be expected to be destroyed.
KMD:
The evaluator shall verify that the Key Management Description (KMD) includes a description of the areas where keys and key material reside and when the keys and key material are no longer needed.
The evaluator shall verify that the KMD includes a key lifecycle that describes where key material resides, how the key material is used, how it is determined that keys and key material are no longer needed, and how the material is destroyed once it is not needed, and that the documentation in the KMD follows FCS_CKM.4 for the destruction.

6.4.5 FCS_CKM.4 Cryptographic key destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM.4.1 Refinement: The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [For volatile memory, the destruction shall be executed by [removal of power to the memory]; For nonvolatile storage, the destruction shall be executed by a [single] overwrite of key data storage location consisting of [a new value of a key of the same size]] that meets the following: [no standard].
Application Note:
In the first selection, the ST Author is presented options for destroying disused cryptographic keys based on whether they are in volatile memory or non-volatile memory within the TOE.
The selection of block erase for non-volatile memory applies only to flash memory.
Within the selections is the option to overwrite the memory location with a new value of a key. The intent is that a new value of a key (as specified in another SFR within the PP) can be used to "replace" an existing key. This is the method selected for non-volatile storage in this ST.
Several selections allow assignment of a 'value that does not contain any CSP'.
This means that the TOE uses some other specified data not drawn from a source that may contain key material or reveal information about key material, and not being any of the particular values listed as other selection options. The point of the phrase 'does not contain any CSP' is to ensure that the overwriting data is carefully selected, and not taken from a general 'pool' that might contain current or residual data that itself requires confidentiality protection.
Assurance activity:
TSS:
The evaluator shall verify that the TSS provides a high-level description of how keys and key material are destroyed.
If the ST makes use of the open assignment and fills in the type of pattern that is used, the evaluator examines the TSS to ensure it describes how that pattern is obtained and used. The evaluator shall verify that the pattern does not contain any CSPs.
The evaluator shall check that the TSS identifies any configurations or circumstances that may not strictly conform to the key destruction requirement.
KMD:
The evaluator examines the KMD to ensure it describes how the keys are managed in volatile memory. This description includes details of how each identified key is introduced into volatile memory (e.g. by derivation from user input, or by unwrapping a wrapped key stored in non-volatile memory) and how they are overwritten.
The evaluator shall check to ensure the KMD lists each type of key that is stored in non-volatile memory, and identifies the memory type (volatile or non-volatile) where key material is stored.
The KMD identifies and describes the interface(s) that are used to service commands to read/write memory. The evaluator examines the interface description for each different media type to ensure that the interface supports the selection(s) made by the ST Author.
Test:
For these tests the evaluator shall utilize an appropriate development environment (e.g. a Virtual Machine) and development tools (debuggers, simulators, etc.) to test that keys are cleared, including all copies of the key that may have been created internally by the TOE during normal cryptographic processing with that key.
Test 1: Applied to each key held in volatile memory and subject to destruction by overwrite by the TOE (whether or not the value is subsequently encrypted for storage in volatile or non-volatile memory). In the case where the only selection made for the destruction method of a key was removal of power, as this ST selects for volatile memory, this test is unnecessary. The evaluator shall:
1. Record the value of the key in the TOE subject to clearing.
2. Cause the TOE to perform normal cryptographic processing with the key from Step #1.
3. Cause the TOE to clear the key.
4. Cause the TOE to stop the execution but not exit.
5. Cause the TOE to dump the entire memory of the TOE into a binary file.
6. Search the content of the binary file created in Step #5 for instances of the known key value from Step #1.
Steps 1-6 ensure that the complete key does not exist anywhere in volatile memory. If a copy is found, then the test fails.
Test 2: Applied to each key held in non-volatile memory and subject to destruction by the TOE, except for replacing a key using the selection [a new value of a key of the same size], which is the method this ST selects for non-volatile storage (Tests 3 and 4 apply to it instead). The evaluator shall use special tools (as needed), provided by the TOE developer if necessary, to ensure the tests function as intended.
1. Identify the purpose of the key and what access should fail when it is deleted. (e.g.
the data encryption key being deleted would cause data decryption to fail.)
2. Cause the TOE to clear the key.
3. Have the TOE attempt the functionality that the cleared key would be necessary for. The test succeeds if step 3 fails.
Test 3: Applied to each key held in non-volatile memory and subject to destruction by overwrite by the TOE. The evaluator shall use special tools (as needed), provided by the TOE developer if necessary, to view the key storage location:
1. Record the value of the key in the TOE subject to clearing.
2. Cause the TOE to perform normal cryptographic processing with the key from Step #1.
3. Cause the TOE to clear the key.
4. Search the non-volatile memory the key was stored in for instances of the known key value from Step #1. If a copy is found, then the test fails.
Test 4: Applied to each key held in non-volatile memory and subject to destruction by overwrite by the TOE. The evaluator shall use special tools (as needed), provided by the TOE developer if necessary, to view the key storage location:
1. Record the storage location of the key in the TOE subject to clearing.
2. Cause the TOE to perform normal cryptographic processing with the key from Step #1.
3. Cause the TOE to clear the key.
4. Search the storage location in Step #1 of non-volatile memory to ensure the appropriate pattern is utilized.
The test succeeds if the correct pattern is used to overwrite the key in the memory location. If the pattern is not found the test fails. For the selection made in this ST, the expected pattern is the new key value of the same size.

6.4.6 FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(a) Refinement: The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm AES operating in [CBC] and cryptographic key sizes 128-bits and 256-bits that meets the following:
▪ FIPS PUB 197, "Advanced Encryption Standard (AES)"
▪ [NIST SP 800-38A]
Application Note:
For the assignment, the ST author should assign the mode or modes in which AES operates to support the cryptographic protocols chosen for FTP_ITC and FTP_TRP.
For the selection, the ST author should choose the standards that describe the modes specified in the assignment.
Assurance Activity:
Test:
The evaluator shall use tests appropriate to the modes selected in the above requirement from "The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)", "The CMAC Validation System (CMACVS)", "The Counter with Cipher Block Chaining-Message Authentication Code (CCM) Validation System (CCMVS)", and "The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)" (these documents are available from http://csrc.nist.gov/groups/STM/cavp/index.html) as a guide in testing the requirement above. With only CBC mode selected in this ST, the AESAVS tests (Known Answer, Multi-Block Message and Monte Carlo) are the applicable ones. This will require that the evaluator have a reference implementation of the algorithms known to be good that can produce test vectors that are verifiable during the test.

6.4.7 FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
(for O.UPDATE_VERIFICATION, O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(b) Refinement: The TSF shall perform cryptographic signature services in accordance with [RSA Digital Signature Algorithm (rDSA) with key sizes (modulus) of [2048 bits]] that meets the following: [FIPS PUB 186-4, "Digital Signature Standard"].
Application Note:
The ST Author should choose the algorithm implemented to perform digital signatures; if more than one algorithm is available, this requirement (and the corresponding FCS_CKM.1 requirement) should be iterated to specify the functionality. For the algorithm chosen, the ST author should make the appropriate assignments/selections to specify the parameters that are implemented for that algorithm.
For elliptic curve-based schemes, the key size refers to the log2 of the order of the base point.
Assurance Activity:
Test:
The evaluator shall use the signature generation and signature verification portions of "The Digital Signature Algorithm Validation System" (DSA2VS), "The Elliptic Curve Digital Signature Algorithm Validation System" (ECDSA2VS), and "The RSA Validation System" (RSA2VS) as a guide in testing the requirement above. The Validation System used shall comply with the conformance standard identified in the ST (i.e., FIPS PUB 186-4). For the rDSA selection made in this ST, the RSA2VS signature generation and verification tests with a 2048-bit modulus are the applicable ones. This will require that the evaluator have a reference implementation of the algorithms known to be good that can produce test vectors that are verifiable during the test.

6.4.8 FCS_COP.1(c)[L1] Cryptographic operation (Hash Algorithm)
(selected in FPT_TUD_EXT.1.3, or with FCS_SNI_EXT.1.1)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_COP.1.1(c)[L1] Refinement: The TSF shall perform cryptographic hashing services in accordance with [SHA-1] that meet the following: [ISO/IEC 10118-3:2004].
Application Note (for O.STORAGE_ENCRYPTION):
The hash selection should be consistent with the overall strength of the algorithm used for FCS_COP.1(d). (SHA-256 should be chosen for AES 128-bit keys, SHA-512 should be chosen for AES 256-bit keys.) The selection of the standard is made based on the algorithms selected.
Vendors are strongly encouraged to implement updated protocols that support the SHA-2 family; until updated protocols are supported, this PP allows support for SHA-1 implementations in compliance with SP 800-131A. Under SP 800-131A, SHA-1 is acceptable for non-digital-signature applications (such as keyed hashing) but not for generating digital signatures; the TSS check below is where the evaluator confirms which TSF functions this [L1] iteration actually serves.
Assurance activity:
TSS:
The evaluator shall check that the association of the hash function with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.
Operational Guidance:
The evaluator checks the operational guidance documents to determine that any configuration that is required to be done to configure the functionality for the required hash sizes is present.
Test:
The TSF hashing functions can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF only hashes messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be hashed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF hashes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented test mode.
The evaluator shall perform all of the following tests for each hash algorithm implemented by the TSF and used to satisfy the requirements of this PP.
Short Messages Test - Bit-oriented Mode
The evaluators devise an input set consisting of m+1 messages, where m is the block length of the hash algorithm (512 bits for SHA-1 and SHA-256, 1024 bits for SHA-384 and SHA-512). The lengths of the messages range sequentially from 0 to m bits. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test - Byte-oriented Mode
The evaluators devise an input set consisting of m/8+1 messages, where m is the block length of the hash algorithm. The lengths of the messages range sequentially from 0 to m/8 bytes, with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test - Bit-oriented Mode
The evaluators devise an input set consisting of m messages, where m is the block length of the hash algorithm. For SHA-256 (and SHA-1, which has the same block length), the length of the i-th message is 512 + 99*i bits, where 1 ≤ i ≤ m. For SHA-512, the length of the i-th message is 1024 + 99*i bits, where 1 ≤ i ≤ m. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test - Byte-oriented Mode
The evaluators devise an input set consisting of m/8 messages, where m is the block length of the hash algorithm. For SHA-256, the length of the i-th message is 512 + 8*99*i bits, where 1 ≤ i ≤ m/8.
For SHA-512, the length of the i-th message is 1024 + 8*99*i bits, where 1 ≤ i ≤ m/8. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test
This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is n bits long, where n is the length of the message digest produced by the hash function to be tested. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in Figure 1 of The Secure Hash Algorithm Validation System (SHAVS). In that algorithm, MD0 = MD1 = MD2 = Seed; for i = 3 to 1002 the message Mi is the concatenation MD(i-3) || MD(i-2) || MD(i-1) and MDi = SHA(Mi); MD1002 is the j-th output digest and becomes the Seed for the next of the 100 rounds. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.

6.4.9 FCS_COP.1(c)[L2] Cryptographic operation (Hash Algorithm)
(selected in FPT_TUD_EXT.1.3, or with FCS_SNI_EXT.1.1)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_COP.1.1(c)[L2] Refinement: The TSF shall perform cryptographic hashing services in accordance with [SHA-256, SHA-384, SHA-512] that meet the following: [ISO/IEC 10118-3:2004].
Application Note (for O.STORAGE_ENCRYPTION):
The hash selection should be consistent with the overall strength of the algorithm used for FCS_COP.1(d). (SHA-256 should be chosen for AES 128-bit keys, SHA-512 should be chosen for AES 256-bit keys.) The selection of the standard is made based on the algorithms selected.
Vendors are strongly encouraged to implement updated protocols that support the SHA-2 family; until updated protocols are supported, this PP allows support for SHA-1 implementations in compliance with SP 800-131A.
Assurance activity:
TSS:
The evaluator shall check that the association of the hash function with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.
Operational Guidance:
The evaluator checks the operational guidance documents to determine that any configuration that is required to be done to configure the functionality for the required hash sizes is present.
Test:
The TSF hashing functions can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF only hashes messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be hashed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF hashes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented test mode.
The evaluator shall perform all of the following tests for each hash algorithm implemented by the TSF and used to satisfy the requirements of this PP.
Short Messages Test - Bit-oriented Mode
The evaluators devise an input set consisting of m+1 messages, where m is the block length of the hash algorithm. The lengths of the messages range sequentially from 0 to m bits. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test - Byte-oriented Mode
The evaluators devise an input set consisting of m/8+1 messages, where m is the block length of the hash algorithm. The lengths of the messages range sequentially from 0 to m/8 bytes, with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test - Bit-oriented Mode
The evaluators devise an input set consisting of m messages, where m is the block length of the hash algorithm. For SHA-256, the length of the i-th message is 512 + 99*i bits, where 1 ≤ i ≤ m. For SHA-512 (and SHA-384, which shares its 1024-bit block length), the length of the i-th message is 1024 + 99*i bits, where 1 ≤ i ≤ m. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test - Byte-oriented Mode
The evaluators devise an input set consisting of m/8 messages, where m is the block length of the hash algorithm. For SHA-256, the length of the i-th message is 512 + 8*99*i bits, where 1 ≤ i ≤ m/8. For SHA-512, the length of the i-th message is 1024 + 8*99*i bits, where 1 ≤ i ≤ m/8. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test
This test is for byte-oriented implementations only.
The evaluators randomly generate a seed that is n bits long, where n is the length of the message digest produced by the hash function to be tested. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in Figure 1 of The Secure Hash Algorithm Validation System (SHAVS). The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.

6.4.10 FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption)
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(d) The TSF shall perform data encryption and decryption in accordance with a specified cryptographic algorithm AES used in [CBC] mode and cryptographic key sizes [256 bits] that meet the following: AES as specified in ISO/IEC 18033-3, [CBC as specified in ISO/IEC 10116].
Application Note:
This PP allows for software encryption or hardware encryption.
If XTS Mode is selected, a cryptographic key of 256-bit or of 512-bit is allowed as specified in IEEE 1619. The XTS-AES key is divided into two AES keys of equal size: for example, AES-128 is used as the underlying algorithm when a 256-bit key and XTS mode are selected, and AES-256 is used when a 512-bit key and XTS mode are selected. (XTS mode is not selected in this ST; the 256-bit key selected above is used as an AES-256 key in CBC mode.)
The intent of this requirement is to specify the approved AES modes that the ST Author may select for AES encryption of the appropriate information on the Field-Replaceable Nonvolatile Storage Device.
For the first selection, the ST author should indicate the mode or modes supported by the TOE implementation. The second selection indicates the key size to be used, which is identical to that specified for FCS_CKM.1(b) (FCS_CKM.1(b)[DAR] in this ST). The third selection must agree with the mode or modes chosen in the first selection. If multiple modes are supported, it may be clearer in the ST if this component was iterated.
Assurance activity:
TSS:
The evaluator shall verify the TSS includes a description of the key size used for encryption and the mode used for encryption.
Operational Guidance:
If multiple encryption modes are supported, the evaluator examines the guidance documentation to determine that the method of choosing a specific mode/key size by the end user is described.
Test:
The following tests are conditional based upon the selections made in the SFR. Since this ST selects only 256-bit keys for FCS_COP.1(d), only the 256-bit key portions of the tests below apply to this SFR.
AES-CBC Tests
AES-CBC Known Answer Tests
There are four Known Answer Tests (KATs), described below. In all KATs, the plaintext, ciphertext, and IV values shall be 128-bit blocks. The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.
KAT-1. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 plaintext values and obtain the ciphertext value that results from AES-CBC encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 128-bit all-zeros key, and the other five shall be encrypted with a 256-bit all-zeros key.
To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input and AES-CBC decryption.
KAT-2. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 key values and obtain the ciphertext value that results from AES-CBC encryption of an all-zeros plaintext using the given key value and an IV of all zeros. Five of the keys shall be 128-bit keys, and the other five shall be 256-bit keys.
To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using an all-zero ciphertext value as input and AES-CBC decryption.
KAT-3. To test the encrypt functionality of AES-CBC, the evaluator shall supply the two sets of key values described below and obtain the ciphertext value that results from AES-CBC encryption of an all-zeros plaintext using the given key value and an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second set shall have 256 256-bit keys. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N], where N is the key length in bits.
To test the decrypt functionality of AES-CBC, the evaluator shall supply the two sets of key and ciphertext value pairs described below and obtain the plaintext value that results from AES-CBC decryption of the given ciphertext using the given key and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit key/ciphertext pairs. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N].
The ciphertext value in each pair shall be the value that results in an all-zeros plaintext when decrypted with its corresponding key.

KAT-4. To test the encrypt functionality of AES-CBC, the evaluator shall supply the set of 128 plaintext values described below and obtain the two ciphertext values that result from AES-CBC encryption of the given plaintext using a 128-bit key value of all zeros with an IV of all zeros and using a 256-bit key value of all zeros with an IV of all zeros, respectively. Plaintext value i in each set shall have the leftmost i bits be ones and the rightmost 128-i bits be zeros, for i in [1,128].
To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input and AES-CBC decryption.

AES-CBC Multi-Block Message Test
The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 < i <= 10. The evaluator shall choose a key, an IV and a plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key and IV. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation.
The evaluator shall also test the decrypt functionality for each mode by decrypting an i-block message where 1 < i <= 10. The evaluator shall choose a key, an IV and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key and IV. The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key and IV using a known good implementation.

AES-CBC Monte Carlo Tests
The evaluator shall test the encrypt functionality using a set of 200 plaintext, IV, and key 3-tuples.
100 of these shall use 128-bit keys, and 100 shall use 256-bit keys. The plaintext and IV values shall be 128-bit blocks. For each 3-tuple, 1000 iterations shall be run as follows:

    # Input: PT, IV, Key
    for i = 1 to 1000:
        if i == 1:
            CT[1] = AES-CBC-Encrypt(Key, IV, PT)
            PT = IV
        else:
            # the CBC chaining state carries over, so this iteration implicitly uses CT[i-1] as its IV
            CT[i] = AES-CBC-Encrypt(Key, PT)
            PT = CT[i-1]

The ciphertext computed in the 1000th iteration (i.e., CT[1000]) is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation.
The evaluator shall test the decrypt functionality using the same test as for encrypt, exchanging CT and PT and replacing AES-CBC-Encrypt with AES-CBC-Decrypt.

6.4.11 FCS_COP.1(f) Cryptographic operation (Key Encryption)
(selected from FCS_KYC_EXT.1.1)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(f) Refinement: The TSF shall perform key encryption and decryption in accordance with a specified cryptographic algorithm AES used in [[CBC] mode] and cryptographic key sizes [256 bits] that meet the following: AES as specified in ISO/IEC 18033-3, [CBC as specified in ISO/IEC 10116].
Application Note:
This requirement is used in the body of the ST if the ST Author chooses to use AES encryption/decryption for protecting the keys as part of the key chaining approach that is specified in FCS_KYC_EXT.1.
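The KAT-3 key construction and the AES-CBC Monte Carlo loop from the FCS_COP.1(d) tests above, which FCS_COP.1(f) reuses for its 256-bit key-encryption check, as an added Go example written for this page; it is not code from the Security Target or from the RICOH implementation. The all-zero tuples in main are constructed stand-ins for the evaluator's 200 tuples, and the known-good implementation the results are compared against is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// kat3Key builds key i (1-based) of the KAT-3 set for an N-bit key size:
// the leftmost i bits are ones and the rightmost N-i bits are zeros.
func kat3Key(i, nBits int) []byte {
	key := make([]byte, nBits/8)
	for b := 0; b < i; b++ {
		key[b/8] |= byte(0x80) >> uint(b%8)
	}
	return key
}

// kat3Keys returns the complete KAT-3 key set (N keys) for N = 128 or 256.
func kat3Keys(nBits int) [][]byte {
	keys := make([][]byte, nBits)
	for i := 1; i <= nBits; i++ {
		keys[i-1] = kat3Key(i, nBits)
	}
	return keys
}

// runCBCMCT executes the Monte Carlo loop from the test description with the given
// CBC mode. For the encrypt test `in` is PT and the result is CT[iterations]; for the
// decrypt test `in` is CT and the result is PT[iterations] (CT and PT exchanged, as the
// description says). A Go BlockMode keeps its chaining state between calls, so the IV
// used in iteration i > 1 is the output of iteration i-1, which is what
// AES-CBC-Encrypt(Key, PT) without an explicit IV means in the pseudo-code.
func runCBCMCT(mode cipher.BlockMode, iv, in []byte, iterations int) []byte {
	in = append([]byte(nil), in...)     // private copy; the loop overwrites it
	prev := make([]byte, aes.BlockSize) // output of iteration i-1
	cur := make([]byte, aes.BlockSize)  // output of iteration i
	for i := 1; i <= iterations; i++ {
		mode.CryptBlocks(cur, in)
		if i == 1 {
			copy(in, iv) // PT = IV (CT = IV in the decrypt test)
		} else {
			copy(in, prev) // PT = CT[i-1]
		}
		copy(prev, cur)
	}
	return cur
}

// newMode validates the block sizes the KATs require and builds the CBC mode.
func newMode(key, iv, in []byte, decrypt bool) (cipher.BlockMode, error) {
	if len(iv) != aes.BlockSize || len(in) != aes.BlockSize {
		return nil, errors.New("plaintext, ciphertext and IV must be 128-bit blocks")
	}
	block, err := aes.NewCipher(key) // rejects key sizes other than 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	if decrypt {
		return cipher.NewCBCDecrypter(block, iv), nil
	}
	return cipher.NewCBCEncrypter(block, iv), nil
}

// cbcEncryptMCT returns CT[iterations] for one (PT, IV, Key) 3-tuple.
func cbcEncryptMCT(key, iv, pt []byte, iterations int) ([]byte, error) {
	mode, err := newMode(key, iv, pt, false)
	if err != nil {
		return nil, err
	}
	return runCBCMCT(mode, iv, pt, iterations), nil
}

// cbcDecryptMCT returns PT[iterations] for one (CT, IV, Key) 3-tuple.
func cbcDecryptMCT(key, iv, ct []byte, iterations int) ([]byte, error) {
	mode, err := newMode(key, iv, ct, true)
	if err != nil {
		return nil, err
	}
	return runCBCMCT(mode, iv, ct, iterations), nil
}

func main() {
	zero := make([]byte, aes.BlockSize)
	for _, bits := range []int{128, 256} {
		keys := kat3Keys(bits)
		fmt.Printf("KAT-3 %d-bit key 1: %s\n", bits, hex.EncodeToString(keys[0]))
		// Constructed all-zero tuple; the evaluator would run 100 tuples per key size.
		ct, err := cbcEncryptMCT(make([]byte, bits/8), zero, zero, 1000)
		if err != nil {
			panic(err)
		}
		fmt.Printf("MCT %d-bit CT[1000]: %s\n", bits, hex.EncodeToString(ct))
	}
}
```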
Assurance activity:

TSS:
The evaluator shall verify the TSS includes a description of the key encryption function(s) and shall verify the key encryption uses an approved algorithm according to the appropriate specification.

KMD:
The evaluator shall review the KMD to ensure that all keys are encrypted using the approved method and a description of when the key encryption occurs is provided.

Test:
The evaluator shall use the tests in FCS_COP.1(d) to verify encryption.

6.4.12 FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
(selected with FCS_IPSEC_EXT.1.4)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(g) Refinement: The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm Hash-[SHA-256, SHA-384, SHA-512], key size [64 (when using SHA-256), 128 (when using SHA-384 or SHA-512)], and message digest sizes [256, 384, 512] bits that meet the following: FIPS PUB 198-1, "The Keyed-Hash Message Authentication Code", and FIPS PUB 180-3, "Secure Hash Standard".
Assurance Activity:
Test:
The evaluator shall use "The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS)" as a guide in testing the requirement above. This will require that the evaluator have a reference implementation of the algorithms known to be good that can produce test vectors that are verifiable during the test.
6.4.13 FCS_HTTPS_EXT.1 Extended: HTTPS selected
(selected in FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FCS_TLS_EXT.1 Extended: TLS selected.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
Application Note:
The ST author must provide enough detail to determine how the implementation is complying with the standard(s) identified; this can be done either by adding elements to this component, or by additional detail in the TSS.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.
Assurance Activity:
TSS:
The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses TLS to establish an administrative session, focusing on any client authentication required by the TLS protocol vs. security administrator authentication which may be done at a different level of the processing stack.
Test:
Testing for this activity is done as part of the TLS testing; this may result in additional testing if the TLS tests are done at the TLS protocol level.

6.4.14 FCS_IPSEC_EXT.1 Extended: IPsec selected
(selected in FTP_ITC.1.1, FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition
FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
FCS_COP.1(c)[L2] Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
Application Note:
In order to show that the TSF implements the RFCs in accordance with the requirements of this PP, the evaluator shall perform the assurance activities listed below.
The TOE is required to use the IPsec protocol to establish connections used to communicate with an IPsec Peer.

(Figure: test environment consisting of a traffic generator, a packet capture device, the TOE and an IPsec Peer.)

The evaluators shall minimally create a test environment equivalent to the test environment illustrated above. It is expected that the traffic generator is used to construct network packets and will provide the evaluator with the ability to manipulate fields in the ICMP, IPv4, IPv6, UDP, and TCP packet headers. The evaluators must provide justification for any differences in the test environment.
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.
Application Note:
RFC 4301 calls for an IPsec implementation to protect IP traffic through the use of a Security Policy Database (SPD). The SPD is used to define how IP packets are to be handled: PROTECT the packet (e.g., encrypt the packet), BYPASS the IPsec services (e.g., no encryption), or DISCARD the packet (e.g., drop the packet). The SPD can be implemented in various ways, including router access control lists, firewall rulesets, a "traditional" SPD, etc. Regardless of the implementation details, there is a notion of a "rule" that a packet is "matched" against and a resulting action that takes place.
While there must be a means to order the rules, a general approach to ordering is not mandated, as long as the SPD can distinguish the IP packets and apply the rules accordingly. There may be multiple SPDs (one for each network interface), but this is not required.
Assurance Activity:
TSS:
The evaluator shall examine the TSS and determine that it describes what takes place when a packet is processed by the TOE, e.g., the algorithm used to process the packet. The TSS describes how the SPD is implemented and the rules for processing both inbound and outbound packets in terms of the IPsec policy. The TSS describes the rules that are available and the resulting actions available after matching a rule. The TSS describes how those rules and actions form the SPD in terms of the BYPASS (e.g., no encryption), DISCARD (e.g., drop the packet) and PROTECT (e.g., encrypt the packet) actions defined in RFC 4301.
As noted in section 4.4.1 of RFC 4301, the processing of entries in the SPD is non-trivial and the evaluator shall determine that the description in the TSS is sufficient to determine which rules will be applied given the rule structure implemented by the TOE. For example, if the TOE allows specification of ranges, conditional rules, etc., the evaluator shall determine that the description of rule processing (for both inbound and outbound packets) is sufficient to determine the action that will be applied, especially in the case where two different rules may apply. This description shall cover both the initial packets (that is, no SA is established on the interface or for that particular packet) as well as packets that are part of an established SA.
Operational Guidance:
The evaluator shall examine the guidance documentation to verify it instructs the Administrator how to construct entries into the SPD that specify a rule for processing a packet. The description includes all three cases: a rule that ensures packets are encrypted/decrypted, dropped, and flow through the TOE without being encrypted. The evaluator shall determine that the description in the guidance documentation is consistent with the description in the TSS, and that the level of detail in the guidance documentation is sufficient to allow the administrator to set up the SPD in an unambiguous fashion. This includes a discussion of how ordering of rules impacts the processing of an IP packet.
Test:
The evaluator uses the guidance documentation to configure the TOE to carry out the following tests:
a) Test 1: The evaluator shall configure the SPD such that there is a rule for dropping a packet, encrypting a packet, and (if configurable) allowing a packet to flow in plaintext. The selectors used in the construction of the rule shall be different such that the evaluator can generate a packet and send packets to the gateway with the appropriate fields (fields that are used by the rule, e.g., the IP addresses, TCP/UDP ports) in the packet header. The evaluator performs both positive and negative test cases for each type of rule (e.g. a packet that matches the rule and another that does not match the rule). The evaluator observes via the audit trail and packet captures that the TOE exhibited the expected behavior: appropriate packets were dropped, allowed to flow without modification, or encrypted by the IPsec implementation.
b) Test 2: The evaluator shall devise several tests that cover a variety of scenarios for packet processing. As with Test 1, the evaluator ensures both positive and negative test cases are constructed. These scenarios must exercise the range of possibilities for SPD entries and processing modes as outlined in the TSS and guidance documentation. Potential areas to cover include rules with overlapping ranges and conflicting entries, inbound and outbound packets, and packets that establish SAs as well as packets that belong to established SAs. The evaluator shall verify, via the audit trail and packet captures, for each scenario that the expected behavior is exhibited, and is consistent with both the TSS and the guidance documentation.

FCS_IPSEC_EXT.1.2 The TSF shall implement [transport mode].
Assurance Activity:
TSS:
The evaluator checks the TSS to ensure it states that the VPN can be established to operate in tunnel mode and/or transport mode (as selected).
Operational Guidance:
The evaluator shall confirm that the operational guidance contains instructions on how to configure the connection in each mode selected.
Test:
The evaluator shall perform the following test(s) based on the selections chosen:
1. (conditional): If tunnel mode is selected, the evaluator uses the operational guidance to configure the TOE to operate in tunnel mode and also configures an IPsec Peer to operate in tunnel mode. The evaluator configures the TOE and the IPsec Peer to use any of the allowable cryptographic algorithms, authentication methods, etc. to ensure an allowable SA can be negotiated. The evaluator shall then initiate a connection from the client to connect to the IPsec Peer. The evaluator observes (for example, in the audit trail and the captured packets) that a successful connection was established using the tunnel mode.
2. (conditional): If transport mode is selected, the evaluator uses the operational guidance to configure the TOE to operate in transport mode and also configures an IPsec Peer to operate in transport mode. The evaluator configures the TOE and the IPsec Peer to use any of the allowed cryptographic algorithms, authentication methods, etc. to ensure an allowable SA can be negotiated. The evaluator then initiates a connection from the TOE to connect to the IPsec Peer. The evaluator observes (for example, in the audit trail and the captured packets) that a successful connection was established using the transport mode.

FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to verify that the TSS provides a description of how a packet is processed against the SPD and that if no "rules" are found to match, that a final rule exists, either implicitly or explicitly, that causes the network packet to be discarded.
Operational Guidance:
The evaluator checks that the operational guidance provides instructions on how to construct the SPD and uses the guidance to configure the TOE for the following tests.
Test:
The evaluator shall perform the following test:
The evaluator shall configure the SPD such that it has entries that contain operations that DISCARD, BYPASS, and PROTECT network packets. The evaluator may use the SPD that was created for verification of FCS_IPSEC_EXT.1.1. The evaluator shall construct a network packet that matches a BYPASS entry and send that packet.
The evaluator should observe that the network packet is passed to the proper destination interface with no modification. The evaluator shall then modify a field in the packet header such that it no longer matches the evaluator-created entries (there may be a "TOE created" final entry that discards packets that do not match any previous entries). The evaluator sends the packet, and observes that the packet was not permitted to flow to any of the TOE's interfaces.

FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using [the cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC].
Assurance Activity:
TSS:
The evaluator shall examine the TSS to verify that the symmetric encryption algorithms selected (along with the SHA-based HMAC algorithm, if AES-CBC is selected) are described. If selected, the evaluator ensures that the SHA-based HMAC algorithm conforms to the algorithms specified in FCS_COP.1(g) Cryptographic Operations (for keyed-hash message authentication).
Operational Guidance:
The evaluator checks the operational guidance to ensure it provides instructions on how to configure the TOE to use the algorithms selected by the ST author.
Test:
The evaluator shall also perform the following tests:
The evaluator shall configure the TOE as indicated in the operational guidance, configuring the TOE to use each of the selected algorithms, and attempt to establish a connection using ESP. The connection should be successfully established for each algorithm.
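The SPD behaviour that the FCS_IPSEC_EXT.1.1 and FCS_IPSEC_EXT.1.3 activities above ask the evaluator to verify (ordered entries with PROTECT, BYPASS and DISCARD actions, first match wins, and a nominal final entry that discards anything unmatched), as an added Go model written for this page; it is not the TOE's implementation, and the addresses, ports and rule names are constructed. The reversed-order lookup shows the overlapping-entry case Test 2 mentions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the disposition the SPD assigns to a packet (RFC 4301, section 4.4.1).
type Action int

const (
	DISCARD Action = iota // drop the packet
	BYPASS                // forward without IPsec processing
	PROTECT               // apply ESP according to the matching entry
)

func (a Action) String() string { return [...]string{"DISCARD", "BYPASS", "PROTECT"}[a] }

// Packet holds the header fields (selectors) that SPD entries match on.
type Packet struct {
	Src, Dst netip.Addr
	Proto    uint8 // 1 = ICMP, 6 = TCP, 17 = UDP
	DstPort  uint16
}

// Rule is one administrator-created SPD entry. A zero Prefix, Proto or DstPort
// is a wildcard for that selector.
type Rule struct {
	Name     string
	Src, Dst netip.Prefix
	Proto    uint8
	DstPort  uint16
	Action   Action
}

// Matches reports whether every configured selector of the rule matches p.
func (r Rule) Matches(p Packet) bool {
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst.IsValid() && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.Proto != 0 && r.Proto != p.Proto {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// SPD is an ordered policy database: the first matching entry decides.
type SPD struct{ Rules []Rule }

const finalEntry = "final-discard" // the nominal final entry of FCS_IPSEC_EXT.1.3

// Lookup returns the action for p and the name of the entry that produced it.
// A packet no administrator-created entry matches falls through to the final
// entry and is discarded, never forwarded in the clear.
func (s SPD) Lookup(p Packet) (Action, string) {
	for _, r := range s.Rules {
		if r.Matches(p) {
			return r.Action, r.Name
		}
	}
	return DISCARD, finalEntry
}

// exampleSPD is a constructed policy of the shape Test 1 asks for: one entry per
// action, each with different selectors so a probe packet hits exactly one.
func exampleSPD() SPD {
	return SPD{Rules: []Rule{
		{Name: "discard-telnet", Proto: 6, DstPort: 23, Action: DISCARD},
		{Name: "bypass-lan-icmp", Src: netip.MustParsePrefix("192.0.2.0/24"), Proto: 1, Action: BYPASS},
		{Name: "protect-to-server", Dst: netip.MustParsePrefix("192.0.2.10/32"), Action: PROTECT},
	}}
}

// reversed returns the same entries in the opposite order, to show that ordering
// decides the outcome when entries overlap (the Test 2 scenario).
func reversed(s SPD) SPD {
	out := SPD{Rules: make([]Rule, len(s.Rules))}
	for i, r := range s.Rules {
		out.Rules[len(s.Rules)-1-i] = r
	}
	return out
}

func main() {
	spd := exampleSPD()
	probes := []Packet{ // constructed positive and negative cases
		{Src: netip.MustParseAddr("192.0.2.20"), Dst: netip.MustParseAddr("192.0.2.10"), Proto: 6, DstPort: 631},
		{Src: netip.MustParseAddr("192.0.2.20"), Dst: netip.MustParseAddr("192.0.2.10"), Proto: 1},
		{Src: netip.MustParseAddr("198.51.100.7"), Dst: netip.MustParseAddr("192.0.2.10"), Proto: 6, DstPort: 23},
		{Src: netip.MustParseAddr("198.51.100.7"), Dst: netip.MustParseAddr("192.0.2.99"), Proto: 17, DstPort: 161},
	}
	for _, p := range probes {
		a, name := spd.Lookup(p)
		ra, rname := reversed(spd).Lookup(p)
		fmt.Printf("%s -> %s proto %d port %d: %s (%s); reversed order: %s (%s)\n",
			p.Src, p.Dst, p.Proto, p.DstPort, a, name, ra, rname)
	}
}
```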
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [IKEv1, using Main Mode for Phase 1 exchanges, as defined in RFCs 2407, 2408, 2409, RFC 4109, [no other RFCs for extended sequence numbers], and [RFC 4868 for hash functions];].
Application Note:
Either IKEv1 or IKEv2 support must be provided, although conformant TOEs can provide both; the first selection is used to make this choice. For IKEv1, the requirement is to be interpreted as requiring the IKE implementation to conform to RFC 2409 with the additions/modifications as described in RFC 4109. RFC 4304 identifies support for extended sequence numbers, which compliant TOEs can specify using the second selection. RFC 4868 identifies additional hash functions for use with both IKEv1 and IKEv2; if these functions are implemented, the third (for IKEv1) and fourth (for IKEv2) selection can be used.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to verify that IKEv1 and/or IKEv2 are implemented.
Operational Guidance:
The evaluator shall check the operational guidance to ensure it instructs the administrator how to configure the TOE to use IKEv1 and/or IKEv2 (as selected), and uses the guidance to configure the TOE to perform NAT traversal for the following test if IKEv2 is selected.
Test:
(conditional): If IKEv2 is selected, the evaluator shall configure the TOE so that it will perform NAT traversal processing as described in the TSS and RFC 5996, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed.

FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [IKEv1] protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 3602 and [no other algorithm].
Assurance Activity:
TSS:
The evaluator shall ensure the TSS identifies the algorithms used for encrypting the IKEv1 and/or IKEv2 payload, and that the algorithms AES-CBC-128, AES-CBC-256 are specified, and if others are chosen in the selection of the requirement, those are included in the TSS discussion.
Operational Guidance:
The evaluator ensures that the operational guidance describes the configuration of the mandated algorithms, as well as any additional algorithms selected in the requirement. The guidance is then used to configure the TOE to perform the following test for each ciphersuite selected.
Test:
The evaluator shall configure the TOE to use the ciphersuite under test to encrypt the IKEv1 and/or IKEv2 payload and establish a connection with a peer device, which is configured to only accept the payload encrypted using the indicated ciphersuite. The evaluator will confirm the algorithm was the one used in the negotiation.

FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to ensure that, in the description of the IPsec protocol supported by the TOE, it states that aggressive mode is not used for IKEv1 Phase 1 exchanges, and that only main mode is used. It may be that this is a configurable option.
Operational Guidance:
If the mode requires configuration of the TOE prior to its operation, the evaluator shall check the operational guidance to ensure that instructions for this configuration are contained within that guidance.
Test:
The evaluator shall also perform the following test:
(conditional): The evaluator shall configure the TOE as indicated in the operational guidance, and attempt to establish a connection using an IKEv1 Phase 1 connection in aggressive mode. This attempt should fail. The evaluator should then show that main mode exchanges are supported. This test is not applicable if IKEv1 is not selected above in the FCS_IPSEC_EXT.1.5 protocol selection.

FCS_IPSEC_EXT.1.8 The TSF shall ensure that [IKEv1 SA lifetimes can be established based on [length of time, where the time values can be limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]].
Application Note:
The ST Author is afforded a selection based on the version of IKE in their implementation. If the lifetime limitations are configurable, then the evaluator verifies that the appropriate instructions for configuring these values are included in the operational guidance.
As far as SA lifetimes are concerned, the TOE can limit the lifetime based on the number of bytes transmitted, or the number of packets transmitted. Either packet-based or volume-based SA lifetimes are acceptable; the ST author makes the appropriate selection to indicate which type of lifetime limits are supported.
Assurance Activity:
Operational Guidance:
The evaluator verifies that the values for SA lifetimes can be configured and that the instructions for doing so are located in the operational guidance. If time-based limits are supported, the evaluator ensures that the values allow for Phase 1 SA values of 24 hours and 8 hours for Phase 2 SAs. Currently there are no values mandated for the number of packets or number of bytes; the evaluator just ensures that this can be configured if selected in the requirement.
When testing this functionality, the evaluator needs to ensure that both sides are configured appropriately. From the RFC: "A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying. If the two ends have the same lifetime policies, it is possible that both will initiate a rekeying at the same time (which will result in redundant SAs). To reduce the probability of this happening, the timing of rekeying requests SHOULD be jittered."
Test:
Each of the following tests shall be performed for each version of IKE selected in the FCS_IPSEC_EXT.1.5 protocol selection:
1. (Conditional): The evaluator shall configure a maximum lifetime in terms of the # of packets (or bytes) allowed following the operational guidance. The evaluator shall establish an SA and determine that once the allowed # of packets (or bytes) through this SA is exceeded, the connection is renegotiated.
2. (Conditional): The evaluator shall construct a test where a Phase 1 SA is established and attempted to be maintained for more than 24 hours before it is renegotiated. The evaluator shall observe that this SA is closed or renegotiated in 24 hours or less. If such an action requires that the TOE be configured in a specific way, the evaluator shall implement tests demonstrating that the configuration capability of the TOE works as documented in the operational guidance.
3. (Conditional): The evaluator shall perform a test similar to Test 1 for Phase 2 SAs, except that the lifetime will be 8 hours instead of 24.

FCS_IPSEC_EXT.1.9 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), and [[DH groups 1 and 2]].
Application Note:
The above requires that the TOE support DH Group 14. If other groups are supported, then those should be selected (for groups 24, 19, 20, and 5) or specified in the assignment above; otherwise "no other DH groups" should be selected. This applies to IKEv1/IKEv2 exchanges.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the DH groups specified in the requirement are listed as being supported in the TSS. If there is more than one DH group supported, the evaluator checks to ensure the TSS describes how a particular DH group is specified/negotiated with a peer.
Test:
The evaluator shall also perform the following test (this test may be combined with other tests for this component, for instance, the tests associated with FCS_IPSEC_EXT.1.1):
For each supported DH group, the evaluator shall test to ensure that all IKE protocols can be successfully completed using that particular DH group.

FCS_IPSEC_EXT.1.10 The TSF shall ensure that all IKE protocols perform Peer Authentication using the [RSA] algorithm and Pre-shared Keys.
Application Note:
The selected algorithm should correspond to an appropriate selection for FCS_COP.1(b). If IPsec is included in the TOE, the ST author also includes FIA_PSK_EXT from Appendix D.2.6.
Assurance Activity:
TSS:
The evaluator shall check that the TSS contains a description of the IKE peer authentication process used by the TOE, and that this description covers the use of the signature algorithm or algorithms specified in the requirement.
Test:
The evaluator shall also perform the following test:
For each supported signature algorithm, the evaluator shall test that peer authentication using that algorithm can be successfully achieved and results in the successful establishment of a connection.

6.4.15 FCS_KYC_EXT.1 Extended: Key Chaining
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(e) Cryptographic operation (Key Wrapping),
FCS_SMC_EXT.1 Extended: Submask Combining,
FCS_COP.1(f) Cryptographic operation (Key Encryption),
FCS_KDF_EXT.1 Cryptographic Operation (Key Derivation), and/or
FCS_COP.1(i) Cryptographic operation (Key Transport)]
Application Note:
This SFR forms a keychain that terminates either with a DEK or a BEV to unlock a self-encrypting drive. If passwords are not used, it can be a keychain of one, with no intermediate keys forming the DEK or BEV, provided that key is protected. For example, if the DEK for an SED is not stored on the SED and is released on power-up, a keychain of one is allowed.
FCS_KYC_EXT.1.1 The TSF shall maintain a key chain of: [intermediate keys originating from one or more submask(s) to the BEV or DEK using the following method(s): [key encryption as specified in FCS_COP.1(f)]] while maintaining an effective strength of [256 bits].
Application Note:
Key Chaining is the method of using multiple layers of encryption keys to ultimately secure the BEV (Border Encryption Value). The number of intermediate keys will vary, from one (e.g., taking the conditioned password authorization factor and directly using it as the BEV) to many.
This applies to all keys that 1645 RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000, version JE-1.00-H Security Target, 1.0 Copyright ©2020, RICOH COMPANY LTD., All Rights Reserved. Page 67 of 142 contribute to the ultimate wrapping or derivation of the BEV; including those in areas of protected storage 1646 (e.g. TPM stored keys, comparison values). 1647 Multiple key chains to the BEV are allowed, as long as all chains meet the key chain requirement. 1648 Once the ST Author has selected a method to create the chain (either by unwrapping or encrypting keys), 1649 they pull the appropriate requirement out of this appendix. It is allowable for an implementation to use for 1650 any or all methods. 1651 The method the TOE uses to chain keys and manage/protect them is described in the Key Management 1652 Description; see Key Management Description for more information. 1653 Assurance activity: 1654 TSS: 1655 The evaluator shall verify the TSS contains a high-level description of the BEV sizes – that it supports BEV 1656 outputs of no fewer 128 bits for products that support only AES-128, and no fewer than 256 bits for 1657 products that support AES-256. 1658 KMD: 1659 The evaluator shall examine the KMD to ensure that it describes a high level description of the key 1660 hierarchy for all accepted BEVs. The evaluator shall examine the KMD to ensure it describes the key chain 1661 in detail. The description of the key chain shall be reviewed to ensure it maintains a chain of keys using 1662 key wrap, submask combining, or key encryption. 1663 The evaluator shall examine the KMD to ensure that it describes how the key chain process functions, 1664 such that it does not expose any material that might compromise any key in the chain. (e.g. 
using a key directly as a compare value against a TPM). This description must include a diagram illustrating the key hierarchy implemented and detail where all keys and keying material are stored or what they are derived from.
The evaluator shall examine the key hierarchy to ensure that at no point could the chain be broken without a cryptographic exhaust or the initial authorization value, and that the effective strength of the BEV is maintained throughout the Key Chain.
The evaluator shall verify the KMD includes a description of the strength of keys throughout the key chain.

6.4.16 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
(for O.STORAGE_ENCRYPTION and O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with [NIST SP 800-90A] using [Hash_DRBG (refinement: SHA-256)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by at least one entropy source that accumulates entropy from [[one (1)] hardware-based noise source(s)] with a minimum of [256 bits] of entropy at least equal to the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 “Security Strength Table for Hash Functions”, of the keys and hashes that it will generate.
Application Note:
ISO/IEC 18031:2011 contains different methods of generating random numbers; each of these, in turn, depends on underlying cryptographic primitives (hash functions/ciphers). The ST author will select the function used and include the specific underlying cryptographic primitives used in the requirement.
While any of the identified hash functions (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or HMAC_DRBG, only AES-based implementations for CTR_DRBG are allowed. Table C.2 in ISO/IEC 18031:2011 provides an identification of Security strengths, Entropy and Seed length requirements for the AES-128 and 256 Block Cipher.
The CTR_DRBG in ISO/IEC 18031:2011 requires using a derivation function, whereas NIST SP 800-90A does not. Either model is acceptable. In the first selection in FCS_RBG_EXT.1.1, the ST Author chooses the standard with which they are compliant.
In the first selection in FCS_RBG_EXT.1.2 the ST author fills in how many entropy sources are used for each type of entropy source they employ. It should be noted that a combination of hardware and software based noise sources is acceptable.
It should be noted that the entropy source is considered to be a part of the RBG and if the RBG is included in the TOE, the developer is required to provide the entropy description outlined in Appendix E. The documentation *and tests* required in the Evaluation Activity for this element necessarily cover each source indicated in FCS_RBG_EXT.1.2.
Assurance activity:
TSS:
For any RBG services provided by a third party, the evaluator shall ensure the TSS includes a statement about the expected amount of entropy received from such a source, and a full description of the processing of the output of the third-party source. The evaluator shall verify that this statement is consistent with the selection made in FCS_RBG_EXT.1.2 for the seeding of the DRBG. If the ST specifies more than one DRBG, the evaluator shall examine the TSS to verify that it identifies the usage of each DRBG mechanism.
Entropy Description:
The evaluator shall ensure the Entropy Description provides all of the required information as described in Appendix E.
The evaluator assesses the information provided and ensures the TOE is providing sufficient entropy when it is generating a Random Bit String.
Operational Guidance:
The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected DRBG mechanism(s), if necessary.
Test:
The evaluator shall perform 15 trials for the RBG implementation. If the RBG is configurable by the TOE, the evaluator shall perform 15 trials for each configuration. The evaluator shall verify that the instructions in the operational guidance for configuration of the RBG are valid.
If the RBG has prediction resistance enabled, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) generate a second block of random bits, (4) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0 – 14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The next two are additional input and entropy input for the first call to generate. The final two are additional input and entropy input for the second call to generate. These values are randomly generated. “Generate one block of random bits” means to generate random bits with number of returned bits equal to the Output Block Length (as defined in NIST SP 800-90A).
If the RBG does not have prediction resistance, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) reseed, (4) generate a second block of random bits, (5) uninstantiate.
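Both trial sequences above, worked through in Python as an added example (not code from this Security Target or from Ricoh): a Hash_DRBG over SHA-256 following NIST SP 800-90A section 10.1.1, driven by the eight randomly generated per-trial input values. The 28-byte nonce (220 bits, half of seedlen, rounded up to whole bytes), seedlen-length additional inputs, and the use of a second run over the same inputs in place of a reference implementation's expected value are assumptions of this example.

```python
"""Hash_DRBG(SHA-256) per NIST SP 800-90A 10.1.1 plus the two FCS_RBG_EXT.1
trial sequences (with and without prediction resistance). Added example."""
import hashlib
import os

OUTLEN = 32      # SHA-256 Output Block Length: 256 bits
SEEDLEN = 55     # Hash_DRBG seedlen for SHA-256: 440 bits
NONCELEN = 28    # half the seed length (220 bits) rounded up to bytes: assumption
MOD = 1 << (SEEDLEN * 8)


def hash_df(data: bytes, nbytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): Hash(counter || bits_to_return || data), iterated."""
    bits = (nbytes * 8).to_bytes(4, "big")
    out, counter = b"", 1
    while len(out) < nbytes:
        out += hashlib.sha256(bytes([counter]) + bits + data).digest()
        counter += 1
    return out[:nbytes]


def _to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


class HashDRBG:
    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: seed = Hash_df(entropy || nonce || pers); V = seed; C = Hash_df(0x00 || V)
        self._set_seed(hash_df(entropy + nonce + personalization, SEEDLEN))

    def _set_seed(self, seed: bytes) -> None:
        self.V = seed
        self.C = hash_df(b"\x00" + seed, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        # Reseed: seed = Hash_df(0x01 || V || entropy_input || additional_input)
        self._set_seed(hash_df(b"\x01" + self.V + entropy + additional, SEEDLEN))

    def generate(self, nbytes: int, additional: bytes = b"") -> bytes:
        if self.reseed_counter > 2 ** 48:          # reseed_interval for Hash_DRBG
            raise RuntimeError("reseed required")
        v = _to_int(self.V)
        if additional:                              # V = (V + Hash(0x02 || V || additional)) mod 2^seedlen
            w = hashlib.sha256(b"\x02" + self.V + additional).digest()
            v = (v + _to_int(w)) % MOD
            self.V = v.to_bytes(SEEDLEN, "big")
        out, data = b"", v                          # Hashgen: Hash(V), Hash(V+1), ...
        while len(out) < nbytes:
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % MOD
        h = hashlib.sha256(b"\x03" + self.V).digest()
        v = (v + _to_int(h) + _to_int(self.C) + self.reseed_counter) % MOD
        self.V = v.to_bytes(SEEDLEN, "big")
        self.reseed_counter += 1
        return out[:nbytes]


def make_trial_inputs(n: int = 15) -> list:
    """Eight constructed random values per trial in the order the activity lists them:
    count, entropy, nonce, personalization (two alternating lengths), then four more."""
    trials = []
    for count in range(n):
        pers_len = SEEDLEN if count % 2 == 0 else SEEDLEN // 2   # <= seedlen, two lengths
        trials.append((count, os.urandom(SEEDLEN), os.urandom(NONCELEN), os.urandom(pers_len),
                       os.urandom(SEEDLEN), os.urandom(SEEDLEN),
                       os.urandom(SEEDLEN), os.urandom(SEEDLEN)))
    return trials


def trial(inputs: tuple, prediction_resistance: bool) -> tuple:
    """One trial; returns (first block, second block)."""
    _count, entropy, nonce, pers, v5, v6, v7, v8 = inputs
    drbg = HashDRBG(entropy, nonce, pers)                 # (1) instantiate
    if prediction_resistance:
        # A generate request with PR reseeds first (SP 800-90A 9.3.1), so the pairs
        # (v5, v6) and (v7, v8) are (additional input, entropy input) per generate call.
        drbg.reseed(v6, v5)
        first = drbg.generate(OUTLEN)                     # (2) first block
        drbg.reseed(v8, v7)
        second = drbg.generate(OUTLEN)                    # (3) second block
    else:
        first = drbg.generate(OUTLEN, v5)                 # (2) additional input = 5th value
        drbg.reseed(v7, v6)                               # (3) reseed: additional v6, entropy v7
        second = drbg.generate(OUTLEN, v8)                # (4) additional input = 8th value
    del drbg                                              # uninstantiate
    return first, second


def run_trials(trials: list, prediction_resistance: bool) -> list:
    """Second block of every trial, the value compared against the expected output."""
    return [trial(t, prediction_resistance)[1] for t in trials]
```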
The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0 – 14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The fifth value is additional input to the first call to generate. The sixth and seventh are additional input and entropy input to the call to reseed. The final value is additional input to the second generate call.
The following paragraphs contain more information on some of the input values to be generated/selected by the evaluator.
Entropy input: the length of the entropy input value must equal the seed length.
Nonce: If a nonce is supported (CTR_DRBG with no Derivation Function does not use a nonce), the nonce bit length is one-half the seed length.
Personalization string: The length of the personalization string must be <= seed length. If the implementation only supports one personalization string length, then the same length can be used for both values. If more than one string length is supported, the evaluator shall use personalization strings of two different lengths. If the implementation does not use a personalization string, no value needs to be supplied.
Additional input: the additional input bit lengths have the same defaults and restrictions as the personalization string lengths.

6.4.17 FCS_TLS_EXT.1 Extended: TLS selected
(selected in FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
[TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384].
Application Note:
The ST author must make the appropriate selections and assignments to reflect the TLS implementation. The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the ciphersuites that are supported. If administrative steps need to be taken so that the suites negotiated by the implementation are limited to those in this requirement, the appropriate instructions need to be contained in the guidance called for by AGD_OPE.
The Suite B algorithms (RFC 5430) listed above are the preferred algorithms for implementation. The TLS requirement may be changed in the next version of the HCD PP to comply with CNSSP 15 and NIST SP 800-131A.
Assurance Activity:
TSS:
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified are identical to those listed for this component. The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS (for instance, the set of ciphersuites advertised by the TOE may have to be restricted to meet the requirements).
Test:
The evaluator shall also perform the following test:
1. The evaluator shall establish a TLS connection using each of the ciphersuites specified by the requirement. This connection may be established as part of the establishment of a higher-level protocol, e.g., as part of an HTTPS session. It is sufficient to observe the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
2. The evaluator shall set up a man-in-the-middle tool between the TOE and the TLS Peer and shall perform the following modifications to the traffic:
a. [Conditional: TOE is a server] Modify at least one byte in the server’s nonce in the Server Hello handshake message, and verify that the server denies the client’s Finished handshake message.
b. [Conditional: TOE is a client] Modify the server’s selected ciphersuite in the Server Hello handshake message to be a ciphersuite not presented in the Client Hello handshake message. The evaluator shall verify that the client rejects the connection after receiving the Server Hello.
c. [Conditional: TOE is a client] If a DHE or ECDHE ciphersuite is supported, modify the signature block in the Server’s KeyExchange handshake message, and verify that the client rejects the connection after receiving the Server KeyExchange.
d. [Conditional: TOE is a client] Modify a byte in the Server Finished handshake message, and verify that the client sends a fatal alert upon receipt and does not send any application data.

6.5 Class FDP: User Data Protection
Application Note:
The User Data Access Control SFP is composed of Table 20, Table 21, FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, and FMT_MSA.3.

Print (+PRT)
| User | "Create": Submit a document to be printed | "Read": View image or Release printed output | "Modify": Modify stored document | "Delete": Delete stored document |
| Job owner | Allowed (note 1) | View: no function; Release: allowed | No function | Allowed |
| U.ADMIN | No function | View: no function; Release: allowed | No function | Allowed |
| U.NORMAL | Allowed | Denied | Denied | Denied |
| Unauthenticated | (condition 1) | Denied | Denied | Denied |

Scan (+SCN)
| User | "Create": Submit a document for scanning | "Read": View scanned image | "Modify": Modify stored image | "Delete": Delete stored image |
| Job owner | Allowed (note 2) | No function | No function | Allowed |
| U.ADMIN | No function | No function | No function | Allowed |
| U.NORMAL | Allowed | Denied | Denied (No function) | Denied (No function) |
| Unauthenticated | Denied | Denied | Denied (No function) | Denied (No function) |

Copy (+CPY)
| User | "Create": Submit a document for copying | "Read": View scanned image or Release printed copy output | "Modify": Modify stored image | "Delete": Delete stored image |
| Job owner | Allowed (note 2) | View: no function; Release: no function | No function | Allowed |
| U.ADMIN | No function | View: no function; Release: no function | No function | Allowed |
| U.NORMAL | Allowed | Denied | Denied (No function) | Denied (No function) |
| Unauthenticated | Denied | Denied | Denied (No function) | Denied (No function) |

Fax send (+FAXOUT)
| User | "Create": Submit a document to send as a fax | "Read": View scanned image | "Modify": Modify stored image | "Delete": Delete stored image |
| Job owner | Allowed (note 2) | No function | No function | Allowed |
| U.ADMIN | No function | No function | No function | Allowed |
| U.NORMAL | Allowed | Denied | Denied (No function) | Denied (No function) |
| Unauthenticated | Denied | Denied | Denied (No function) | Denied (No function) |

Fax receive (+FAXIN)
| User | "Create": Receive a fax and store it | "Read": View fax image or Release printed fax output | "Modify": Modify image of received fax | "Delete": Delete image of received fax |
| Fax owner | Allowed (note 3) | View: allowed; Release: allowed | No function | Allowed |
| U.ADMIN | Allowed (note 4) | View: no function; Release: no function | No function | No function |
| U.NORMAL | Allowed (note 4) | Denied | Denied | Denied |
| Unauthenticated | Allowed | Denied | Denied | Denied |

Storage / retrieval (+DSR)
| User | "Create": Store document | "Read": Retrieve stored document | "Modify": Modify stored document | "Delete": Delete stored document |
| Job owner | Allowed (note 1) | Allowed | Allowed | Allowed |
| U.ADMIN | No function | Denied | Allowed | Allowed |
| U.NORMAL | Allowed | Denied | Denied | Denied |
| Unauthenticated | (condition 1) | Denied | Denied | Denied |

Table 20 D.USER.DOC Access Control SFP

Print (+PRT)
| User | "Create" *: Create print job | "Read": View print queue / log | "Modify": Modify print job | "Delete": Cancel print job |
| Job owner | (note 1) | Allowed | No function | Allowed |
| U.ADMIN | No function | Allowed | No function | Allowed |
| U.NORMAL | Allowed | Allowed | Denied | Denied |
| Unauthenticated | Allowed | Allowed | Denied | Denied |

Scan (+SCN)
| User | "Create" *: Create scan job | "Read": View scan status / log | "Modify": Modify scan job | "Delete": Cancel scan job |
| Job owner | (note 2) | Allowed | No function | Allowed |
| U.ADMIN | No function | Allowed | No function | Allowed |
| U.NORMAL | Allowed | Allowed | Denied | Denied |
| Unauthenticated | Denied | Denied | Denied | Denied |

Copy (+CPY)
| User | "Create" *: Create copy job | "Read": View copy status / log | "Modify": Modify copy job | "Delete": Cancel copy job |
| Job owner | (note 2) | Allowed | No function | Allowed |
| U.ADMIN | No function | Allowed | No function | Allowed |
| U.NORMAL | Allowed | Allowed | Denied | Denied |
| Unauthenticated | Denied | Denied | Denied | Denied |

Fax send (+FAXOUT)
| User | "Create" *: Create fax send job | "Read": View fax job queue / log | "Modify": Modify fax send job | "Delete": Cancel fax send job |
| Job owner | (note 2) | Allowed | Allowed | Allowed |
| U.ADMIN | No function | Allowed | No function | Allowed |
| U.NORMAL | Allowed | Allowed | Denied | Denied |
| Unauthenticated | Denied | Denied | Denied | Denied |

Fax receive (+FAXIN)
| User | "Create" *: Create fax receive job | "Read": View fax receive status / log | "Modify": Modify fax receive job | "Delete": Cancel fax receive job |
| Fax owner | (note 3) | Allowed | No function | Allowed |
| U.ADMIN | (note 4) | Allowed | No function | Allowed |
| U.NORMAL | (note 4) | Allowed | Denied | Denied |
| Unauthenticated | Allowed | Denied | Denied | Denied |

Storage / retrieval (+DSR)
| User | "Create" *: Create storage / retrieval job | "Read": View storage / retrieval log | "Modify": Modify storage / retrieval job | "Delete": Cancel storage / retrieval job |
| Job owner | (note 1) | Allowed | No function | No function |
| U.ADMIN | No function | Allowed | No function | No function |
| U.NORMAL | Allowed | Allowed | Denied | Denied |
| Unauthenticated | (condition 1) | Denied | Denied | Denied |

Table 21 D.USER.JOB Access Control SFP

Application note:
In general, the ST Author may modify this SFP provided that any changes are more restrictive. As examples, the ST Author may: remove the rules related to Document Processing functions that are not present in a TOE, add or modify rules to further deny access, or subdivide User Data to further restrict access for some data (e.g., D.USER.JOB.PROT and D.USER.JOB.CONF). Empty cells in the table indicate that the operation may be permitted, but it is not required to be permitted.
In particular, referring to Table 20 and Table 21:
A cell marked “Denied” indicates that the user (row) must not be permitted to perform the operation (column). The ST Author cannot override this.
A cell that is blank indicates that the user may be permitted to perform the operation. However, the ST author may add conditions or restrictions, or deny permission entirely.
A cell that is marked with a Condition means that the user can be permitted to perform the operation, provided that it meets that Condition as specified below. As with blank cells, the ST author can make it more restrictive.
Condition 1: Jobs submitted by unauthenticated users must contain a credential that the TOE can use to identify the Job Owner.
See also the following Notes that are referenced in Table 20 and Table 21:
Note 1: Job Owner is identified by a credential or assigned to an authorized User as part of the process of submitting a print or storage Job.
Note 2: Job Owner is assigned to an authorized User as part of the process of initiating a scan, copy, fax send, or retrieval Job.
Note 3: Job Owner of received faxes is assigned by default or configuration. Minimally, ownership of received faxes is assigned to a specific user or U.ADMIN role.
Note 4: PSTN faxes are received from outside of the TOE; they are not initiated by Users of the TOE.

6.5.1 FDP_ACC.1 Subset access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP on subjects, objects, and operations among subjects and objects specified in Table 20 and Table 21.
Application note:
Refer to the Application Note associated with Table 20 and Table 21.
Assurance Activity:
It is covered by the assurance activities for FDP_ACF.1.

6.5.2 FDP_ACF.1 Security attribute based access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP to objects based on the following: subjects, objects, and attributes specified in Table 20 and Table 21.
FDP_ACF.1.2 Refinement: The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects specified in Table 20 and Table 21].
FDP_ACF.1.3 Refinement: The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [no additional rules].
FDP_ACF.1.4 Refinement: The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [all controlled operations on controlled objects specified in Table 20 and Table 21 are explicitly denied to U.ADMIN.SUP].
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS describes the functions that realize the SFP defined in Table 20 and Table 21, providing specific details so that ST readers can understand them without misunderstanding.
Operational Guidance:
The evaluator shall check to ensure that the operational guidance contains a description of the operation to realize the SFP defined in Table 20 and Table 21, which is consistent with the description in the TSS.
Test:
The evaluator shall perform tests to confirm the functions that realize the SFP defined in Table 20 and Table 21 with each type of interface (e.g., operation panel, Web interfaces) to the TOE.
The evaluator testing should include the following viewpoints:
• representative sets of the operations against all the object types defined in Table 20 and Table 21 (including some cases where operations are either permitted or denied)
• representative sets for the combinations of the settings for security attributes that are used in access control

6.5.3 FDP_DSK_EXT.1 Extended: Protection of Data on Disk
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption).
FDP_DSK_EXT.1.1 The TSF shall [perform encryption in accordance with FCS_COP.1(d)], such that any Field-Replaceable Nonvolatile Storage Device contains no plaintext User Document Data and no plaintext Confidential TSF Data.
Application Note:
If the self-encrypting device option is selected, the device must be certified in conformance to the current Full Disk Encryption Protection Profile. The ST Author should consult with a CC Scheme for advice on approved Protection Profiles.
FDP_DSK_EXT.1.2 The TSF shall encrypt all protected data without user intervention.
Application Note:
The intent of this requirement is to specify that encryption of any confidential data will not depend on a user electing to protect that data. The encryption specified in FDP_DSK_EXT.1 occurs transparently to the user and the decision to protect the data is outside the discretion of the user.
Assurance activity:
In the assurance activities below, “Device” refers to the Field-Replaceable Nonvolatile Storage Device from FDP_DSK_EXT.1. If the TOE contains more than one applicable Device, then the assurance activities are performed as necessary on each such Device.
TSS:
The evaluator shall examine the TSS to ensure that the description is comprehensive in how the data is written to the Device and the point at which the encryption function is applied.
For the cryptographic functions that are provided by the Operational Environment, the evaluator shall check the TSS to ensure it describes the interface(s) used by the TOE to invoke this functionality.
The evaluator shall verify that the TSS describes the initialization of the Device at shipment of the TOE, or by the activities the TOE performs to ensure that it encrypts all the storage devices entirely when a user or administrator first provisions the Device.
The evaluator shall verify the TSS describes areas of the Device that it does not encrypt (e.g., portions that do not contain confidential data, boot loaders, partition tables, etc.). If the TOE supports multiple Device encryptions, the evaluator shall examine the administration guidance to ensure the initialization procedure encrypts all Devices.
Operational Guidance:
The evaluator shall review the AGD guidance to determine that it describes the initial steps needed to enable the Device encryption function, including any necessary preparatory steps. The guidance shall provide instructions that are sufficient to ensure that all Devices will be encrypted when encryption is enabled or at shipment of the TOE.
KMD:
The evaluator shall verify the KMD includes a description of the data encryption engine, its components, and details about its implementation (e.g. for hardware: integrated within the device’s main SOC or separate co-processor; for software: initialization of the Device, drivers, libraries (if applicable), logical interfaces for encryption/decryption, and areas which are not encrypted (e.g. boot loaders, portions that do not contain confidential data, partition tables, etc.)). The evaluator shall verify the KMD provides a functional (block) diagram showing the main components (such as memories and processors) and the data path between, for hardware, the Device’s interface and the Device’s persistent media storing the data, or for software, the initial steps needed to the activities the TOE performs to ensure it encrypts the storage device entirely when a user or administrator first provisions the product.
The hardware encryption diagram shall show the location of the data encryption engine within the data path. The evaluator shall validate that the hardware encryption diagram contains enough detail showing the main components within the data path and that it clearly identifies the data encryption engine.
The evaluator shall verify the KMD provides sufficient instructions to ensure that when the encryption is enabled, the TOE encrypts all applicable Devices. The evaluator shall verify that the KMD describes the data flow from the interface to the Device’s persistent media storing the data. The evaluator shall verify that the KMD provides information on those conditions in which the data bypasses the data encryption engine (e.g. read-write operations to an unencrypted area).
The evaluator shall verify that the KMD provides a description of the boot initialization, the encryption initialization process, and at what moment the product enables the encryption. If encryption can be enabled and disabled, the evaluator shall validate that the product does not allow for the transfer of confidential data before it fully initializes the encryption. The evaluator shall ensure the software developer provides special tools which allow inspection of the encrypted drive either in-band or out-of-band, and may allow provisioning with a known key.
Test:
The evaluator shall perform the following tests:
Test 1. Write data to Storage device: Perform writing to the storage device with operating TSFI which enforce the write process of User documents and Confidential TSF data.
Test 2. Confirm that written data are encrypted: Verify there are no plaintext data present in the encrypted range written by Test 1; and verify that the data can be decrypted by the proper key and key material.
All TSFIs for writing User Document Data and Confidential TSF data should be tested by the above Test 1 and Test 2.

6.5.4 FDP_FXS_EXT.1 Extended: Fax separation
(for O.FAX_NET_SEPARATION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or receiving User Data using fax protocols.
Application note:
FDP_FXS_EXT.1 is required if fax-net separation is performed by the TSF.
Assurance Activity:
The following assurance activities are required when the TOE has a fax communication function to transmit and receive via PSTN.
TSS:
The evaluator shall check the TSS to ensure that it describes:
1. The fax interface use cases
2. The capabilities of the fax modem and the supported fax protocols
3. The data that is allowed to be sent or received via the fax interface
4. How the TOE can only be used for transmitting or receiving User Data using fax protocols
Operational Guidance:
The evaluator shall check to ensure that the operational guidance contains a description of the fax interface in terms of usage and available features.
Test:
The evaluator shall test to ensure that the fax interface can only be used for transmitting or receiving User Data using fax protocols. Testing will be dependent upon how the TOE enforces this requirement. The following tests shall be used and supplemented with additional testing or a rationale as to why the following tests are sufficient:
1. Verify that the TOE accepts incoming calls using fax carrier protocols and rejects calls that use data carriers.
For example, this may be achieved using a terminal application to issue modem commands directly to the TOE from a PC modem (issue terminal command: ‘ATDT ’) – the TOE should answer the call and disconnect.
2. Verify that the TOE negotiates outgoing calls using fax carrier protocols and rejects negotiation of data carriers. For example, this may be achieved by using a PC modem to attempt to receive a call from the TOE (submit a fax job from the TOE to , at the PC issue terminal command: ‘ATA’) – the TOE should disconnect without negotiating a carrier.

6.5.5 FDP_RIP.1(a) Subset residual information protection
(for O.IMAGE_OVERWRITE)
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_RIP.1.1(a) Refinement: The TSF shall ensure that any previous information content of a resource is made unavailable by overwriting data upon the deallocation of the resource from the following objects: D.USER.DOC.
Assurance activity:
TSS:
The evaluator shall examine the TSS to ensure that the description is comprehensive in describing where image data is stored and how and when it is overwritten.
Operational Guidance:
The evaluator shall check to ensure that the operational guidance contains instructions for enabling the Image Overwrite function.
Test:
The evaluator shall include tests related to this function in the set of tests performed in FMT_SMF.1.

6.6 Class FIA: Identification and Authentication

6.6.1 FIA_AFL.1 Authentication failure handling
(for O.USER_I&A)
Hierarchical to: No other components.
2001 Dependencies: FIA_UAU.1 Timing of authentication 2002 FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [1 to 5]] 2003 unsuccessful authentication attempts occur related to [list of authentication events shown in Table 22]. 2004 Authentication Events User authentication using the Operation Panel User authentication using WIM from the client computer User authentication when printing from the client computer User authentication when using LAN Fax from the client computer Table 22 Authentication Events 2005 FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall 2006 [perform actions shown in Table 23]. 2007 Unsuccessfully Authenticated Users Actions for Authentication Failure Normal user The lockout for the Normal User is released by the lockout time set by the MFP Administrator, or release operation by the MFP Administrator. MFP Supervisor The lockout for a MFP Supervisor is released by the lockout time set by the MFP Administrator, release operation by the MFP Administrator, or elapse of a given time after the TOE's restart. MFP Administrator The lockout for the MFP Administrator is released by the lockout time set by the MFP Administrator, release operation by a MFP Supervisor, or elapse of a given time after the TOE's restart. Table 23 List of Actions for Authentication Failure 2008 Application note: 2009 This SFR applies only to internal identification and authentication. 2010 Assurance Activity: 2011 TSS: 2012 RICOH IM C2000 / C2500 / C3000 / C3500 / C4500 / C5500 / C6000, version JE-1.00-H Security Target, 1.0 Copyright ©2020, RICOH COMPANY LTD., All Rights Reserved. 
The evaluator shall check to ensure that the TSS contains a description of the actions in the case of authentication failure (types of authentication events, the number of unsuccessful authentication attempts, actions to be conducted), which is consistent with the definition of the SFR.
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance describes the setting for actions to be taken in the case of authentication failure, if any are defined in the SFR.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that, once the number of unsuccessful authentication attempts reaches the threshold defined in the SFR, subsequent authentication attempts do not succeed, in accordance with the actions defined in the SFR.
2. The evaluator shall check to ensure that authentication attempts succeed when conditions to re-enable authentication attempts are defined in the SFR and when the conditions are fulfilled.
3. The evaluator shall perform the tests 1 and 2 described above for all the targeted authentication methods when there are multiple Internal Authentication methods (e.g., password authentication, biometric authentication).
4. The evaluator shall perform the tests 1 and 2 described above for all interfaces when there are multiple interfaces (e.g., operation panel, Web interfaces) that implement authentication attempts.

6.6.2 FIA_ATD.1 User attribute definition
(for O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [Login User Name, User Role, Available Functions List].
Application note:
The list of security attributes should be the union of all attributes for each of the supported authentication methods.
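The FIA_AFL.1 behaviour of Tables 22 and 23 above (section 6.6.1), modelled as an added example that is not part of this Security Target or of the TOE's implementation: a per-account failure counter with the administrator-set threshold of 1 to 5, release by the lockout timer, the role-restricted manual release operation, and the restart-based release that applies only to the Supervisor and Administrator. Class, method and event names are assumptions of this example, and the length of the "given time after the TOE's restart" is left to the caller because the ST does not state it.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

ROLE_NORMAL = "Normal user"
ROLE_SUPERVISOR = "MFP Supervisor"
ROLE_ADMIN = "MFP Administrator"

# FIA_AFL.1.1: the threshold is an administrator-configurable integer within 1 to 5.
MIN_ATTEMPTS, MAX_ATTEMPTS = 1, 5

# Table 22: the authentication events that count towards the threshold
# (the identifiers are constructed for this example).
AUTH_EVENTS = {"operation_panel", "wim", "print_from_client", "lan_fax_from_client"}

# Table 23: which role may perform the manual release operation for a locked role.
MANUAL_RELEASE_BY = {
    ROLE_NORMAL: {ROLE_ADMIN},
    ROLE_SUPERVISOR: {ROLE_ADMIN},
    ROLE_ADMIN: {ROLE_SUPERVISOR},
}
# Table 23: roles whose lockout also clears a given time after a TOE restart.
RELEASED_AFTER_RESTART = {ROLE_SUPERVISOR, ROLE_ADMIN}


@dataclass
class Account:
    role: str
    failures: int = 0
    locked_at: Optional[float] = None  # time of lockout, None while not locked


class LockoutPolicy:
    """Counts consecutive failures per account and applies the Table 23 release rules."""

    def __init__(self, attempts_before_lockout: int, lockout_time_s: float):
        if not MIN_ATTEMPTS <= attempts_before_lockout <= MAX_ATTEMPTS:
            raise ValueError("attempts before lockout must be within 1 to 5")
        self.threshold = attempts_before_lockout
        # "the lockout time set by the MFP Administrator"
        self.lockout_time_s = lockout_time_s
        self.accounts: Dict[str, Account] = {}

    def register(self, name: str, role: str) -> None:
        self.accounts[name] = Account(role=role)

    def _release(self, acct: Account) -> None:
        acct.failures = 0
        acct.locked_at = None

    def is_locked(self, name: str, now: Optional[float] = None) -> bool:
        """Timer release: the lock expires once lockout_time_s has elapsed."""
        acct = self.accounts[name]
        if acct.locked_at is None:
            return False
        now = time.monotonic() if now is None else now
        if now - acct.locked_at >= self.lockout_time_s:
            self._release(acct)
            return False
        return True

    def record_attempt(self, name: str, event: str, credential_ok: bool,
                       now: Optional[float] = None) -> bool:
        """Return True only when the login is accepted. A locked account is
        refused even with a correct credential (FIA_AFL.1 test 1)."""
        if event not in AUTH_EVENTS:
            raise ValueError(f"not a Table 22 authentication event: {event}")
        acct = self.accounts[name]
        if self.is_locked(name, now):
            return False
        if credential_ok:
            acct.failures = 0  # a success resets the consecutive-failure count
            return True
        acct.failures += 1
        if acct.failures >= self.threshold:
            acct.locked_at = time.monotonic() if now is None else now
        return False

    def manual_release(self, name: str, releasing_role: str) -> bool:
        """Release operation by another role, only as Table 23 permits."""
        acct = self.accounts[name]
        if releasing_role not in MANUAL_RELEASE_BY[acct.role]:
            return False
        self._release(acct)
        return True

    def restart_timer_elapsed(self) -> None:
        """Call once the 'given time after the TOE's restart' has passed (its
        length is not stated in the ST, so the caller decides when). Only
        Supervisor and Administrator lockouts clear this way; a Normal user
        must wait for the lockout time or an Administrator's release."""
        for acct in self.accounts.values():
            if acct.locked_at is not None and acct.role in RELEASED_AFTER_RESTART:
                self._release(acct)
```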
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of the user security attributes that the TOE uses to implement the SFR, which is consistent with the definition of the SFR.

6.6.3 FIA_PMG_EXT.1 Extended: Password Management
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for User passwords:
▪ Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and the following special characters: [“!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”, [“"”, “'”, “+”, “,”, “-”, “.”, “/”, “:”, “;”, “<”, “=”, “>”, “?”, “[”, “\”, “]”, “_”, “`”, “{”, “|”, “}”, “~”]];
▪ Minimum password length shall be settable by an Administrator, and have the capability to require passwords of 15 characters or greater;
Application Note:
This SFR applies only to password-based single-factor Internal Authentication.
Assurance Activity:
Operational Guidance:
The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of passwords, and that it provides instructions on setting the minimum password length.
Test:
The evaluator shall also perform the following test:
The evaluator shall compose passwords that either meet the requirements, or fail to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password.
While the evaluator is not required (nor is it feasible) to test all possible compositions of passwords, the evaluator shall ensure that all characters, rule characteristics, and a minimum length listed in the requirement are supported, and justify the subset of those characters chosen for testing.

6.6.4 FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition
(selected with FCS_IPSEC_EXT.1.4)
Hierarchical to: No other components.
Dependencies: FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
Application Note:
The TOE must support pre-shared keys for use in the IPsec protocol. The TOE supports two types of pre-shared keys, text-based (which are required) and bit-based (which are optional), as specified in the requirements below. The first type is referred to as “text-based pre-shared keys”, which refer to pre-shared keys that are entered by users as a string of characters from a standard character set, similar to a password. Such pre-shared keys must be conditioned so that the string of characters is transformed into a string of bits, which is then used as the key.
The second type is referred to as “bit-based pre-shared keys” (for lack of a standard term); this refers to keys that are either generated by the TSF on a command from the administrator, or input in "direct form" by an administrator. "Direct form" means that the input is used directly as the key, with no "conditioning" as was the case for text-based pre-shared keys. An example would be a string of hex digits that represent the bits that comprise the key.
The requirements below mandate that the TOE must support text-based pre-shared keys and optionally support bit-based pre-shared keys, although generation of the bit-based pre-shared keys may be done either by the TOE or in the Operational Environment.
FIA_PSK_EXT.1.1 The TSF shall be able to use pre-shared keys for IPsec.
FIA_PSK_EXT.1.2 The TSF shall be able to accept text-based pre-shared keys that are:
• 22 characters in length and [[1-32 characters]];
• composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”).
FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using [SHA-256] and be able to [use no other pre-shared keys].
Application Note:
For the length of the text-based pre-shared keys, a common length (22 characters) is required to help promote interoperability. If other lengths are supported they should be listed in the assignment; this assignment can also specify a range of values (e.g., "lengths from 5 to 55 characters") as well.
In the second selection for FIA_PSK_EXT.1.3, the ST author fills in the method by which the text string entered by the administrator is “conditioned” into the bit string used as the key. This can be done by using one of the specified hash functions, or some other method through the assignment statement. If “bit-based pre-shared keys” is selected, the ST author specifies whether the TSF merely accepts bit-based pre-shared keys, or is capable of generating them. If it generates them, the requirement specifies that they must be generated using the RBG specified by the requirements. If the use of bit-based pre-shared keys is not supported, the ST author chooses “use no other pre-shared keys”.
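The composition rules of FIA_PMG_EXT.1.1 (section 6.6.3) and FIA_PSK_EXT.1.2 above, and the SHA-256 conditioning selected in FIA_PSK_EXT.1.3, as an added example that is not code from this Security Target or from the TOE; it also constructs the set of at least 15 keys of 22 characters covering every permitted character that Test 1 of the assurance activity that follows calls for. Function names are assumptions of this example, as is the use of the ASCII encoding of the entered string as the hash input.

```python
import hashlib
import string

# FIA_PMG_EXT.1.1: letters, digits and the listed special characters.
PASSWORD_SPECIALS = set('!@#$%^&*()"\'+,-./:;<=>?[\\]_`{|}~')
PASSWORD_ALPHABET = set(string.ascii_letters + string.digits) | PASSWORD_SPECIALS

# FIA_PSK_EXT.1.2: letters, digits and the ten listed special characters.
PSK_SPECIALS = set("!@#$%^&*()")
PSK_ALPHABET = set(string.ascii_letters + string.digits) | PSK_SPECIALS
PSK_MIN_LEN, PSK_MAX_LEN = 1, 32   # the [[1-32 characters]] assignment
PSK_COMMON_LEN = 22                # the length required for interoperability


def check_password(password: str, min_length: int):
    """Return (ok, reason). min_length is the Administrator's setting; the
    TOE must be able to require 15 characters or more."""
    if min_length < 1:
        return False, "minimum length must be positive"
    if len(password) < min_length:
        return False, f"shorter than the configured minimum of {min_length}"
    bad = sorted(set(password) - PASSWORD_ALPHABET)
    if bad:
        return False, "characters outside the permitted set: " + "".join(bad)
    return True, "ok"


def check_psk(psk: str):
    """Return (ok, reason) for a text-based pre-shared key."""
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        return False, f"length {len(psk)} not within {PSK_MIN_LEN}-{PSK_MAX_LEN}"
    bad = sorted(set(psk) - PSK_ALPHABET)
    if bad:
        return False, "characters outside the permitted set: " + "".join(bad)
    return True, "ok"


def condition_psk(psk: str) -> bytes:
    """FIA_PSK_EXT.1.3: transform the entered character string into the bit
    string that IPsec uses as the key. The ST selects SHA-256; hashing the
    ASCII encoding of the string is an assumption of this example."""
    ok, reason = check_psk(psk)
    if not ok:
        raise ValueError(reason)
    return hashlib.sha256(psk.encode("ascii")).digest()


def evaluator_psk_samples():
    """Test 1 asks for at least 15 keys of 22 characters that together cover
    all permitted characters. Rotating through the 72-character alphabet
    gives 15 distinct keys; the function returns them and the set of
    characters still uncovered (empty when the sample set is adequate)."""
    alphabet = sorted(PSK_ALPHABET)
    samples = [
        "".join(alphabet[(i * PSK_COMMON_LEN + j) % len(alphabet)]
                for j in range(PSK_COMMON_LEN))
        for i in range(15)
    ]
    uncovered = PSK_ALPHABET - set("".join(samples))
    return samples, uncovered
```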
Assurance Activity:
Operational Guidance:
The evaluator shall examine the operational guidance to determine that it provides guidance on the composition of strong text-based pre-shared keys, and (if the selection indicates keys of various lengths can be entered) that it provides information on the merits of shorter or longer pre-shared keys. The guidance must specify the allowable characters for pre-shared keys, and that list must be a super-set of the list contained in FIA_PSK_EXT.1.2.
TSS:
The evaluator shall examine the TSS to ensure that it states that text-based pre-shared keys of 22 characters are supported, and that the TSS states the conditioning that takes place to transform the text-based pre-shared key from the key sequence entered by the user (e.g., ASCII representation) to the bit string used by IPsec, and that this conditioning is consistent with the first selection in the FIA_PSK_EXT.1.3 requirement. If the assignment is used to specify conditioning, the evaluator will confirm that the TSS describes this conditioning.
If “bit-based pre-shared keys” is selected, the evaluator shall confirm the operational guidance contains instructions for either entering bit-based pre-shared keys for each protocol identified in the requirement, or generating a bit-based pre-shared key (or both). The evaluator shall also examine the TSS to ensure it describes the process by which the bit-based pre-shared keys are generated (if the TOE supports this functionality), and confirm that this process uses the RBG specified in FCS_RBG_EXT.1.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall compose at least 15 pre-shared keys of 22 characters that cover all allowed characters in various combinations that conform to the operational guidance, and demonstrate that a successful protocol negotiation can be performed with each key.
2. [conditional]: If the TOE supports pre-shared keys of multiple lengths, the evaluator shall repeat Test 1 using the minimum length; the maximum length; and an invalid length. The minimum and maximum length tests should be successful, and the invalid length must be rejected by the TOE.
3. [conditional]: If the TOE supports bit-based pre-shared keys but does not generate such keys, the evaluator shall obtain a bit-based pre-shared key of the appropriate length and enter it according to the instructions in the operational guidance. The evaluator shall then demonstrate that a successful protocol negotiation can be performed with the key.
4. [conditional]: If the TOE supports bit-based pre-shared keys and does generate such keys, the evaluator shall generate a bit-based pre-shared key of the appropriate length and use it according to the instructions in the operational guidance. The evaluator shall then demonstrate that a successful protocol negotiation can be performed with the key.

6.6.5 FIA_UAU.1 Timing of authentication
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 Refinement: The TSF shall allow [the viewing of the list of user jobs, WIM Help, system status, counter and information of inquiries, and creation of fax reception and print jobs] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Application note:
User authentication may be performed internally by the TOE or externally by an External IT Entity.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS describes all the identification and authentication mechanisms that the TOE provides (e.g., Internal Authentication and authentication by external servers).
The evaluator shall check to ensure that the TSS identifies all the interfaces to perform identification and authentication (e.g., identification and authentication from operation panel or via Web interfaces).
The evaluator shall check to ensure that the TSS describes the protocols (e.g., LDAP, Kerberos, OCSP) used in performing identification and authentication when the TOE exchanges identification and authentication with External Authentication servers.
The evaluator shall check to ensure that the TSS contains a description of the permitted actions before performing identification and authentication, which is consistent with the definition of the SFR.
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance contains descriptions of identification and authentication methods that the TOE provides (e.g., External Authentication, Internal Authentication) as well as interfaces (e.g., identification and authentication from operation panel or via Web interfaces), which are consistent with the ST (TSS).
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that identification and authentication succeed, granting access to the TOE, when authorized data is used.
2. The evaluator shall check to ensure that identification and authentication fail, and access to the TOE is refused, when unauthorized data is used.
The evaluator shall perform the tests described above for each of the authentication methods that the TOE provides (e.g., External Authentication, Internal Authentication) as well as interfaces (e.g., identification and authentication from operation panel or via Web interfaces).

6.6.6 FIA_UAU.7 Protected authentication feedback
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [displaying dummy characters as authentication feedback on the Operation Panel and through WIM] to the user while the authentication is in progress.
Application note:
FIA_UAU.7 applies only to authentication processes in which the User interacts with the TOE.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of the authentication information feedback provided to users while the authentication is in progress, which is consistent with the definition of the SFR.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that only the information defined in the SFR is provided for feedback by attempting identification and authentication.
2. The evaluator shall perform the test 1 described above for all the interfaces that the TOE provides (e.g., operation panel, identification and authentication via Web interface).

6.6.7 FIA_UID.1 Timing of identification
(for O.USER_I&A and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 Refinement: The TSF shall allow [the viewing of the list of user jobs, WIM Help, system status, counter and information of inquiries, creation of fax reception jobs, and creation of print jobs] on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Application note:
User identification may be performed internally by the TOE or externally by an External IT Entity.
Assurance Activity:
Covered by the assurance activities for FIA_UAU.1.

6.6.8 FIA_USB.1 User-subject binding
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [login user name of Normal User, login user name of MFP Administrator, login user name of MFP Supervisor, available function list, and user role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [rules for the initial association of attributes listed in Table 24].

Users | Subjects | User Security Attributes
Normal user | Normal user process | Login user name of Normal User; User role; Available functions list
MFP Administrator | MFP Administrator process | Login user name of MFP Administrator; User role; Available functions list (none for Administrators)
MFP Supervisor | MFP Supervisor process | Login user name of MFP Supervisor; User role; Available functions list (none for Administrators)
Table 24 Rules for Initial Association of Attributes
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [none].
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of rules for associating security attributes with the users who succeed identification and authentication, which is consistent with the definition of the SFR.
Test:
The evaluator shall also perform the following test:
The evaluator shall check to ensure that security attributes defined in the SFR are associated with the users who succeed identification and authentication (it is ensured in the tests of FDP_ACF) for each role that the TOE supports (e.g., User and Administrator).

6.7 Class FMT: Security Management

6.7.1 FMT_MOF.1 Management of security functions behavior
(for O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 Refinement: The TSF shall restrict the ability to [determine the behavior of, enable, disable, modify the behavior of] the functions [listed in Table 26] to U.ADMIN.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of the management functions that the TOE provides as well as user roles that are permitted to manage the functions, which is consistent with the definition of the SFR.
The evaluator shall check to ensure that the TSS identifies interfaces to operate the management functions.
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance describes the operation methods for users of the given roles defined in the SFR to operate the management functions.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that users of the given roles defined in the SFR can operate the management functions in accordance with the operation methods specified in the administrator guidance.
2. The evaluator shall check to ensure that the operation results are appropriately reflected.
3. The evaluator shall check to ensure that U.NORMAL is not permitted to operate the management functions.

6.7.2 FMT_MSA.1 Management of security attributes
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP to restrict the ability to [[perform operations specified in Table 25]] the security attributes [listed in Table 25] to [the roles identified in Table 25].

Security Attribute(s) | Operation(s) | User Role
Document data attribute | No operation permitted | None
Document user list [when document data attributes are (+PRT), (+SCN), (+CPY), and (+FAXOUT)] | No operation permitted | None
Document user list [when document data attribute is (+DSR)] | Query, modify | MFP Administrator, applicable Normal User who created the document data
Document user list [when document data attribute is (+FAXIN)] | Query, modify | MFP Administrator
Table 25 User Roles for Security Attributes

Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of possible operations for security attributes and given roles to those security attributes, which is consistent with the definition of the SFR.
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance contains a description of possible operations for security attributes and given roles to those security attributes, which is consistent with the definition of the SFR.
The evaluator shall check to ensure that the administrator guidance describes the timing of modified security attributes.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that users of the given roles defined in the SFR can perform operations to the security attributes in accordance with the operation methods specified in the administrator guidance.
2. The evaluator shall check to ensure that the operation results are appropriately reflected as specified in the administrator guidance.
3. The evaluator shall check to ensure that a user that is not part of an authorized role defined in the SFR is not permitted to perform operations on the security attributes.

6.7.3 FMT_MSA.3 Static attribute initialization
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 Refinement: The TSF shall enforce the User Data Access Control SFP to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 Refinement: The TSF shall allow the [U.ADMIN] to specify alternative initial values to override the default values when an object or information is created.
Application note:
FMT_MSA.3.2 applies only to security attributes whose default values can be overridden.
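The Table 25 rules of FMT_MSA.1 (section 6.7.2) together with the restrictive default and the U.ADMIN override of FMT_MSA.3 above, as an added example that is not code from this Security Target or from the TOE. The names are assumptions of this example, as is the concrete form of the restrictive default (a +DSR document's user list starting with only its creator and every other list starting empty), which the ST does not spell out.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

ROLE_ADMIN = "MFP Administrator"
ROLE_NORMAL = "Normal User"

# Table 25: document types whose user list can be operated on at all.
STORED_ATTRS = {"+DSR", "+FAXIN"}
# Table 25: no operation on the user list is permitted for these types.
UNMANAGED_ATTRS = {"+PRT", "+SCN", "+CPY", "+FAXOUT"}
OPERATIONS = {"query", "modify"}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Document:
    attribute: str
    creator: Optional[str]  # None for a fax reception job (created before login)
    user_list: Set[str] = field(default_factory=set)


def create_document(attribute: str, creator: Optional[User] = None,
                    initial_user_list: Optional[Set[str]] = None,
                    actor: Optional[User] = None) -> Document:
    """FMT_MSA.3.1: the default user list is restrictive. FMT_MSA.3.2: only
    U.ADMIN may supply an alternative initial value when the object is created."""
    if attribute not in STORED_ATTRS | UNMANAGED_ATTRS:
        raise ValueError(f"unknown document data attribute: {attribute}")
    creator_name = creator.name if creator else None
    if initial_user_list is not None:
        if actor is None or actor.role != ROLE_ADMIN:
            raise PermissionError("only an MFP Administrator may override the default")
        return Document(attribute, creator_name, set(initial_user_list))
    # Restrictive default (assumption of this example): a +DSR document is
    # listed only for its creator; any other document starts with an empty list.
    default = {creator_name} if attribute == "+DSR" and creator_name else set()
    return Document(attribute, creator_name, default)


def may_operate(user: User, operation: str, doc: Document, target: str) -> bool:
    """Table 25 decision for target "attribute" or "user_list"."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if target == "attribute":
        return False  # document data attribute: no operation permitted, no role
    if target != "user_list":
        raise ValueError(f"unknown target: {target}")
    if doc.attribute in UNMANAGED_ATTRS:
        return False  # +PRT, +SCN, +CPY, +FAXOUT: no operation permitted
    if doc.attribute == "+FAXIN":
        return user.role == ROLE_ADMIN  # query/modify: MFP Administrator only
    # +DSR: MFP Administrator or the Normal User who created the document.
    # Being on the user list grants access to the document itself (FDP_ACF),
    # not the right to change the list.
    return user.role == ROLE_ADMIN or (user.role == ROLE_NORMAL
                                       and user.name == doc.creator)


def modify_user_list(user: User, doc: Document, new_list: Set[str]) -> bool:
    """Apply a modification if Table 25 permits it; return whether it was applied."""
    if not may_operate(user, "modify", doc, "user_list"):
        return False
    doc.user_list = set(new_list)
    return True
```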
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS describes mechanisms to generate security attributes which have properties of default values, which are defined in the SFR.
Test:
If U.ADMIN is selected, then testing of this SFR is performed in the tests of FDP_ACF.1.

6.7.4 FMT_MTD.1 Management of TSF data
(for O.ACCESS CONTROL)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 Refinement: The TSF shall restrict the ability to perform the specified operations on the specified TSF Data to the roles specified in Table 26 and Table 27.

Area | TSF Data | Type | Interface(s) | Operation | Authorized role(s)
Access control | Document user list for stored document types +DSR and +FAXIN | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Access control | Default values of the document user list | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Access control | Available function list | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Audit function | Audit log | D.TSF.CONF | Web browser | Query, delete, export | MFP Administrator
Audit function | Audit transfer settings | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Audit function | Date settings (year/month/day), Time | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Identification and Authentication | Minimum character number of password | D.TSF.PROT | Operation Panel | Modify | MFP Administrator
Identification and Authentication | Password complexity setting | D.TSF.PROT | Operation Panel | Modify | MFP Administrator
Identification and Authentication | Operation Panel auto logout time | D.TSF.PROT | Operation Panel | Modify | MFP Administrator
Identification and Authentication | WIM auto logout time | D.TSF.PROT | Web browser | Modify | MFP Administrator
Identification and Authentication | Login user names of Normal Users | D.TSF.PROT | Operation Panel, Web browser | Create, modify, delete | MFP Administrator
Identification and Authentication | Login user name of MFP Supervisor | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Supervisor
Identification and Authentication | Login user name of MFP Administrator | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator (Owner)
Identification and Authentication | Login passwords of Normal Users | D.TSF.CONF | Operation Panel, Web browser | Modify | MFP Administrator
Identification and Authentication | Login password of MFP Supervisor | D.TSF.CONF | Operation Panel, Web browser | Modify | MFP Supervisor
Identification and Authentication | Login password of MFP Administrator | D.TSF.CONF | Operation Panel, Web browser | Modify | MFP Supervisor
Identification and Authentication | Login password of MFP Administrator | D.TSF.CONF | Operation Panel, Web browser | Modify | MFP Administrator (Owner)
Identification and Authentication | Login password of MFP Administrator | D.TSF.CONF | Operation Panel, Web browser | Modify | MFP Administrator
Identification and Authentication | Number of Attempts before Lockout | D.TSF.PROT | Web browser | Modify | MFP Administrator
Identification and Authentication | Settings for Lockout Release Timer | D.TSF.PROT | Web browser | Modify | MFP Administrator
Identification and Authentication | Lockout time | D.TSF.PROT | Web browser | Modify | MFP Administrator
PSTN Fax-Line Separation | Stored Reception File User | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Stored Data Encryption | HDD cryptographic key | D.TSF.CONF | Operation Panel | Create, delete | MFP Administrator
Trusted communications | Network Settings | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator
Trusted communications | Device Certificate | D.TSF.CONF | Operation Panel, Web browser | Create, query, modify, delete | MFP Administrator
Trusted operations | TOE Software | D.TSF.PROT | Web browser | Modify | MFP Administrator
Multiple areas | TOE configuration data | D.TSF.PROT | Web browser | Export, import | MFP Administrator
Table 26 List of Administrator-only TSF Data, Operations, and Roles

Area | TSF Data | Type | Interface(s) | Operation | Authorized role(s)
Access control | Document user list for stored document type +DSR | D.TSF.PROT | Operation Panel, Web browser | Modify | MFP Administrator, Normal User (Owner) who stored the document
Access control | Available function list | D.TSF.PROT | Web browser | Query | Normal User (Owner)
Identification and Authentication | Login passwords of Normal Users | D.TSF.CONF | Operation Panel, Web browser | Modify | Normal User (Owner)
Table 27 List of Additional TSF Data, Operations, and Roles

Note for Evaluators: If a +PRT or +SCN document is stored in the document server, the act of storing is a +DSR job and the attribute of the stored document becomes +DSR.
Assurance Activity:
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance identifies the management operations and authorized roles consistent with the SFR.
The evaluator shall check to ensure that the administrator guidance describes how the assignment of roles is managed.
The evaluator shall check to ensure that the administrator guidance describes how security attributes are assigned and managed.
The evaluator shall check to ensure that the administrator guidance describes how the security-related rules (e.g., access control rules, timeout, number of consecutive logon failures) are configured.
Test:
The evaluator shall perform the following tests:
• The evaluator shall check to ensure that users of the given roles defined in the SFR can perform operations to TSF data in accordance with the operation methods specified in the administrator guidance.
• The evaluator shall check to ensure that the operation results are appropriately reflected as specified in the administrator guidance.
• The evaluator shall check to ensure that no users other than users of the given roles defined in the SFR can perform operations to TSF data.

6.7.5 FMT_SMF.1 Specification of Management Functions
(for O.USER_AUTHORIZATION, O.ACCESS_CONTROL, and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1: The TSF shall be capable of performing the following management functions: [management functions listed in Table 26].
Application note:
Regarding “management functions provided by the TSF”, the ST Author should consider management functions that support the security objectives of this protection profile.
The management functions should be restricted to the authorized identified role in FMT_MOF.1, FMT_MTD.1, FMT_MSA.1.
The ST Author may identify cases where a security objective is fulfilled without explicit manageability.
For example, the following management functions are categorized by security objectives:
For O.USER_AUTHORIZATION, O.USER_I&A, O.ADMIN_ROLES, O.ACCESS_CONTROL:
• User management (e.g., add/change/remove local user)
• Role management (e.g., assign/deassign role relationship with user)
• Configuring identification and authentication (e.g., selecting between local and external I&A)
• Configuring authorization and access controls (e.g., access control lists for TOE resources)
• Configuring communication with External IT Entities
For O.UPDATE_VERIFICATION:
• Configuring software updates
For O.COMMS_PROTECTION:
• Configuring network communications
• Configuring the system or network time source
For O.AUDIT:
• Configuring data transmission to audit server
• Configuring the system or network time source
• Configuring internal audit log storage
For O.STORAGE_ENCRYPTION, O.KEY_MATERIAL:
• Configuring and invoking encryption of Field-Replaceable Nonvolatile Storage Devices
(Optional) For O.IMAGE_OVERWRITE, O.PURGE_DATA:
• Configuring and/or invoking image overwrite functions
• Configuring and/or invoking data purging functions
Assurance Activity:
TSS:
The evaluator shall check the TSS to ensure that the management functions are consistent with the assignment in the SFR.
Operational Guidance:
The evaluator shall check the guidance documents to ensure that management functions are consistent with the assignment in the SFR, and that their operation is described.
6.7.6 FMT_SMR.1 Security roles
(for O.ACCESS_CONTROL, O.USER_AUTHORIZATION, and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 Refinement: The TSF shall maintain the roles U.ADMIN, U.NORMAL.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of security related roles that the TOE maintains, which is consistent with the definition of the SFR.
Test:
The tests for this SFR are performed as part of the tests of FMT_MOF.1, FMT_MSA.1, and FMT_MTD.1.
6.8 Class FPR: Privacy
There are no class FPR requirements.
6.9 Class FPT: Protection of the TSF
6.9.1 FPT_KYP_EXT.1 Extended: Protection of Key and Key Material
(for O.KEY_MATERIAL)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_KYP_EXT.1.1 Refinement: The TSF shall not store plaintext keys that are part of the keychain specified by FCS_KYC_EXT.1 in any Field-Replaceable Nonvolatile Storage Device.
Assurance Activity:
KMD:
The evaluator shall examine the Key Management Description (KMD) for a description of the methods used to protect keys stored in nonvolatile memory.
The evaluator shall verify the KMD to ensure it describes the storage location of all keys and the protection of all keys stored in nonvolatile memory.
6.9.2 FPT_SKP_EXT.1 Extended: Protection of TSF Data
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.
Application Note:
The intent of the requirement is that an administrator is unable to read or view the identified keys (stored or ephemeral) through “normal” interfaces. While it is understood that the administrator could directly read memory to view these keys, doing so is not a trivial task and may require substantial work on the part of an administrator. Since the administrator is considered a trusted agent, it is assumed they would not engage in such an activity.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to determine that it details how any pre-shared keys, symmetric keys, and private keys are stored and that they are unable to be viewed through an interface designed specifically for that purpose, as outlined in the application note. If these values are not stored in plaintext, the TSS shall describe how they are protected/obscured.
6.9.3 FPT_STM.1 Reliable time stamps
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
Application note:
The time may be set by a trusted administrator or by a network service (e.g., NTP) from a trusted External IT Entity.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS describes mechanisms that provide reliable time stamps.
Operational Guidance:
The evaluator shall check to ensure that the guidance describes the method of setting the time.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure that the time is correctly set up in accordance with the guidance or external network services (e.g., NTP).
2. The evaluator shall check to ensure that the time stamps are appropriately provided.
6.9.4 FPT_TST_EXT.1 Extended: TSF testing
(for O.TSF_SELF_TEST)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to demonstrate the correct operation of the TSF.
Application note:
Power-on self-tests may take place before the TSF is operational, in which case this SFR can be satisfied by verifying the TSF image by digital signature as specified in FCS_COP.1(b), or by hash specified in FCS_COP.1(c).
Assurance Activity:
TSS:
The evaluator shall examine the TSS to ensure that it details the self-tests that are run by the TSF on start-up; this description should include an outline of what the tests are actually doing (e.g., rather than saying "memory is tested", a description similar to "memory is tested by writing a value to each memory location and reading it back to ensure it is identical to what was written" shall be used). The evaluator shall ensure that the TSS makes an argument that the tests are sufficient to demonstrate that the TSF is operating correctly.
Operational Guidance:
The evaluator shall also ensure that the operational guidance describes the possible errors that may result from such tests, and actions the administrator should take in response; these possible errors shall correspond to those described in the TSS.
6.9.5 FPT_TUD_EXT.1 Extended: Trusted Update
(for O.UPDATE_VERIFICATION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(b) Cryptographic Operation (for signature generation/verification), or FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)].
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a digital signature mechanism and [no other functions] prior to installing those updates.
Application note:
FPT_TUD_EXT.1.2 may be interpreted to allow an administrator to “pre-authorize” automatic updates, provided that they are verified according to FPT_TUD_EXT.1.3.
The digital signature mechanism is specified in FCS_COP.1(b). The published hash is generated by one of the functions specified in FCS_COP.1(c). It is acceptable to implement both mechanisms.
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS contains a description of mechanisms that verify software for update when performing updates, which is consistent with the definition of the SFR.
The evaluator shall check to ensure that the TSS identifies interfaces for administrators to obtain the current version of the TOE as well as interfaces to perform updates.
Operational Guidance:
The evaluator shall check to ensure that the administrator guidance contains descriptions of the operation methods to obtain the TOE version as well as the operation methods to start update processing, which are consistent with the description of the TSS.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall check to ensure the current version of the TOE can be appropriately obtained by means of the operation methods specified by the administrator guidance.
2. The evaluator shall check to ensure that the verification of the data for updates of the TOE succeeds using authorized data for updates by means of the operation methods specified by the administrator guidance.
3. The evaluator shall check to ensure that only administrators can implement the application for updates using authorized data for updates.
4. The evaluator shall check to ensure that the updates are correctly performed by obtaining the current version of the TOE after the normal updates finish.
5. The evaluator shall check to ensure that the verification of the data for updates of the TOE fails using unauthorized data for updates by means of the operation methods specified by the administrator guidance. (The evaluator shall also check those cases where the hash verification mechanism and the digital signature verification mechanism fail.)
6.10 Class FRU: Resource Utilization
There are no class FRU requirements.
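As an added illustration of FPT_TUD_EXT.1 above (version query, signature verification before installation, administrator-only initiation, and the test cases where authorized data succeeds and unauthorized data fails) together with the FPT_TST_EXT.1 application note's option of verifying the TSF image by digital signature at power-on, the following Go program is example code written for this page, not RICOH's implementation. Its package layout, the Ed25519 signature scheme, the in-memory role flag and all sample data are constructed assumptions; the TOE's actual signature algorithm is whatever its FCS_COP.1(b) specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (an assumption for this example, not the TOE's format):
//   [2-byte big-endian version length][version][payload][64-byte Ed25519 signature]
// The signature covers every byte before it, so version and payload are both bound.
const sigLen = ed25519.SignatureSize

var (
	ErrMalformed = errors.New("update package is malformed")
	ErrSignature = errors.New("update package signature does not verify")
	ErrNotAdmin  = errors.New("update refused: caller is not an authorized administrator")
)

// verifyPackage is the FPT_TUD_EXT.1.3 check: parse without trusting the contents,
// then verify the vendor signature before returning anything the caller may use.
func verifyPackage(vendorPub ed25519.PublicKey, pkg []byte) (version string, payload []byte, err error) {
	if len(pkg) < 2+sigLen {
		return "", nil, ErrMalformed
	}
	vlen := int(binary.BigEndian.Uint16(pkg[:2]))
	if len(pkg) < 2+vlen+sigLen {
		return "", nil, ErrMalformed
	}
	signed, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(vendorPub, signed, sig) {
		return "", nil, ErrSignature
	}
	return string(pkg[2 : 2+vlen]), pkg[2+vlen : len(pkg)-sigLen], nil
}

// Device models the TSF state the SFR concerns: the installed signed image, its
// version, and the vendor public key trusted for update verification.
type Device struct {
	vendorPub        ed25519.PublicKey
	installedVersion string
	installedPkg     []byte // kept whole so the start-up self-test can re-verify it
}

// NewDevice refuses to come up on an image that does not verify.
func NewDevice(vendorPub ed25519.PublicKey, installedPkg []byte) (*Device, error) {
	version, _, err := verifyPackage(vendorPub, installedPkg)
	if err != nil {
		return nil, err
	}
	return &Device{vendorPub: vendorPub, installedVersion: version, installedPkg: installedPkg}, nil
}

// CurrentVersion is the FPT_TUD_EXT.1.1 query offered to administrators.
func (d *Device) CurrentVersion() string { return d.installedVersion }

// Install is the FPT_TUD_EXT.1.2 operation. The role flag stands in for the check
// that only administrators may initiate updates (test 3); the image is replaced
// only after verification succeeds, so unauthorized data changes nothing (test 5).
func (d *Device) Install(pkg []byte, isAdmin bool) error {
	if !isAdmin {
		return ErrNotAdmin
	}
	version, _, err := verifyPackage(d.vendorPub, pkg)
	if err != nil {
		return err
	}
	d.installedPkg = append([]byte(nil), pkg...)
	d.installedVersion = version
	return nil
}

// SelfTest re-verifies the installed image at power-on, the option the FPT_TST_EXT.1
// application note allows when self-tests run before the TSF is operational.
func (d *Device) SelfTest() error {
	version, _, err := verifyPackage(d.vendorPub, d.installedPkg)
	if err != nil {
		return err
	}
	if version != d.installedVersion {
		return errors.New("self-test: recorded version does not match the signed image")
	}
	return nil
}

// BuildPackage is the vendor-side signing step (the FCS_COP.1(b) counterpart); it
// is here only so the example runs offline on constructed data.
func BuildPackage(priv ed25519.PrivateKey, version string, payload []byte) []byte {
	pkg := make([]byte, 2, 2+len(version)+len(payload)+sigLen)
	binary.BigEndian.PutUint16(pkg, uint16(len(version)))
	pkg = append(pkg, version...)
	pkg = append(pkg, payload...)
	return append(pkg, ed25519.Sign(priv, pkg)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev, _ := NewDevice(pub, BuildPackage(priv, "1.0", []byte("constructed base image")))
	err := dev.Install(BuildPackage(priv, "1.1", []byte("constructed update image")), true)
	fmt.Println("installed:", dev.CurrentVersion(), "install error:", err, "self-test error:", dev.SelfTest())
}
```

A hash-only variant per FCS_COP.1(c) would replace the signature with a published digest compared in constant time, but the ordering stays the same: nothing is written until verification passes.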
6.11 Class FTA: TOE Access
6.11.1 FTA_SSL.3 TSF-initiated termination
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [lapse of Operation Panel auto logout time, lapse of WIM auto logout time, completion of document data reception from the printer driver, and completion of document data reception from the fax driver].
Assurance Activity:
TSS:
The evaluator shall check to ensure that the TSS describes the types of user sessions to be terminated (e.g., user sessions via operation panel or Web interfaces) after a specified period of user inactivity.
Operational Guidance:
The evaluator shall check to ensure that the guidance describes the default time interval and, if it is settable, the method of setting the time intervals until the termination of the session.
Test:
The evaluator shall also perform the following tests:
1. If it is settable, the evaluator shall check to ensure that the time until the termination of the session can be set up by the method of setting specified in the administrator guidance.
2. The evaluator shall check to ensure that the session terminates after the specified time interval.
3. The evaluator shall perform the tests 1 and 2 described above for all the user sessions identified in the TSS.
6.12 Class FTP: Trusted Paths/Channels
6.12.1 FTP_ITC.1[IPsec] Inter-TSF trusted channel
(for O.COMMS_PROTECTION, O.AUDIT)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or FCS_TLS_EXT.1 Extended: TLS selected, or FCS_SSH_EXT.1 Extended: SSH selected, or FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_ITC.1.1[IPsec] Refinement: The TSF shall use [IPsec] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [LDAP, FTP, NTP, syslog, and SMTP] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.
FTP_ITC.1.2[IPsec] Refinement: The TSF shall permit the TSF, or the authorized IT entities, to initiate communication via the trusted channel.
FTP_ITC.1.3[IPsec] Refinement: The TSF shall initiate communication via the trusted channel for [communication via the LAN of document data, function data, protected data, and confidential data].
Application note:
The assignment in FTP_ITC.1.3 should address the confidentiality and/or integrity requirements for communication of User and TSF Data between the TOE and another IT entity. FTP_TRP.1 is intended to be used for interactive communication between the TOE and remote users.
The intent of the above requirement is to use a cryptographic protocol to protect external communications with authorized IT entities that the TOE interacts with to perform its functions. Protection (by one of the listed protocols) is required at least for communications with the server that collects the audit information. If it communicates with an authentication server (e.g., RADIUS), then the ST author chooses “authentication server” in FTP_ITC.1.1 and this connection must be protected by one of the listed protocols.
If other authorized IT entities (e.g., NTP server) are protected, the ST author makes the appropriate assignments (for those entities) and selections (for the protocols that are used to protect those connections). After the ST author has made the selections, they are to select the detailed requirements in Appendix D.2 of HCD PP v1.0 corresponding to their protocol selection to put in the ST. To summarize, the connection to an external audit collection server is required to be protected by one of the listed protocols. If an External Authentication server is supported, then it is required to protect that connection with one of the listed protocols. For any other external server, external communications are not required to be protected, but if protection is claimed, then it must be protected with one of the identified protocols.
While there are no requirements on the party initiating the communication, the ST author lists in the assignment for FTP_ITC.1.3 the services for which the TOE can initiate the communication with the authorized IT entity.
The requirement implies that not only are communications protected when they are initially established, but also on resumption after an outage. It may be the case that some part of the TOE setup involves manually setting up tunnels to protect other communication, and if after an outage the TOE attempts to re-establish the communication automatically with (the necessary) manual intervention, there may be a window created where an attacker might be able to gain critical information or compromise a connection.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity. The evaluator shall also confirm that all protocols listed in the TSS are specified and included in the requirements in the ST. The evaluator shall confirm that the operational guidance contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall ensure that communications using each protocol with each authorized IT entity are tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful.
2. For each protocol that the TOE can initiate as defined in the requirement, the evaluator shall follow the operational guidance to ensure that in fact the communication channel can be initiated from the TOE.
3. The evaluator shall ensure, for each communication channel with an authorized IT entity, that the channel data are not sent in plaintext.
4. The evaluator shall ensure, for each protocol associated with each authorized IT entity tested during test 1, that the connection is physically interrupted. The evaluator shall ensure that when physical connectivity is restored, communications are appropriately protected.
Further assurance activities are associated with the specific protocols.
6.12.2 FTP_TRP.1(a) Trusted path (for Administrators)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or FCS_TLS_EXT.1 Extended: TLS selected, or FCS_SSH_EXT.1 Extended: SSH selected, or FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(a) Refinement: The TSF shall use [TLS/HTTPS] to provide a trusted communication path between itself and remote administrators that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.
FTP_TRP.1.2(a) Refinement: The TSF shall permit remote administrators to initiate communication via the trusted path.
FTP_TRP.1.3(a) Refinement: The TSF shall require the use of the trusted path for initial administrator authentication and all remote administration actions.
Application Note:
This requirement ensures that authorized remote administrators initiate all communication with the TOE via a trusted path, and that all communications with the TOE by remote administrators are performed over this path. The data passed in this trusted communication path are encrypted as defined by the protocol chosen in the first selection. The ST author chooses the mechanism or mechanisms supported by the TOE, and then ensures the detailed requirements in Appendix D.2 of HCD PP v1.0 corresponding to their selection are copied to the ST if not already present.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to determine that the methods of remote TOE administration are indicated, along with how those communications are protected. The evaluator shall also confirm that all protocols listed in the TSS in support of TOE administration are consistent with those specified in the requirement, and are included in the requirements in the ST.
Operational Guidance:
The evaluator shall confirm that the operational guidance contains instructions for establishing the remote administrative sessions for each supported method.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall ensure that communications using each specified (in the operational guidance) remote administration method are tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful.
2. For each method of remote administration supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path.
3. The evaluator shall ensure, for each method of remote administration, that the channel data are not sent in plaintext.
Further assurance activities are associated with the specific protocols.
6.12.3 FTP_TRP.1(b) Trusted path (for Non-administrators)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or FCS_TLS_EXT.1 Extended: TLS selected, or FCS_SSH_EXT.1 Extended: SSH selected, or FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(b) Refinement: The TSF shall use [TLS/HTTPS] to provide a trusted communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.
FTP_TRP.1.2(b) Refinement: The TSF shall permit [the TSF, remote users] to initiate communication via the trusted path.
FTP_TRP.1.3(b) Refinement: The TSF shall require the use of the trusted path for initial user authentication and all remote user actions.
Application Note:
This requirement ensures that authorized remote users initiate all communication with the TOE via a trusted path, and that all communications with the TOE by remote users are performed over this path. The data passed in this trusted communication path are encrypted as defined by the protocol chosen in the first selection. The ST author chooses the mechanism or mechanisms supported by the TOE, and then ensures the detailed requirements in Appendix D.2 of HCD PP v1.0 corresponding to their selection are copied to the ST if not already present.
Assurance Activity:
TSS:
The evaluator shall examine the TSS to determine that the methods of remote TOE access for non-administrative users are indicated, along with how those communications are protected.
The evaluator shall also confirm that all protocols listed in the TSS in support of remote TOE access are consistent with those specified in the requirement, and are included in the requirements in the ST.
Operational Guidance:
The evaluator shall confirm that the operational guidance contains instructions for establishing the remote user sessions for each supported method.
Test:
The evaluator shall also perform the following tests:
1. The evaluator shall ensure that communications using each specified (in the operational guidance) remote user access method are tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful.
2. For each method of remote access supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish a remote user session without invoking the trusted path.
3. The evaluator shall ensure, for each method of remote user access, that the channel data are not sent in plaintext.
Further assurance activities are associated with the specific protocols.

7 Security Assurance Requirements (APE_REQ)
This section describes the Security Assurance Requirements (SARs) for the evaluations performed by the evaluator based on the CC. These are all common to the Security Functional Requirements (SFRs) in Section 5. Assurance activities for the individual SFRs are described in their respective sections.
After the ST has been approved for evaluation, the Common Criteria IT Security Evaluation Facility (ITSEF) will obtain the TOE, the necessary IT environment, and the TOE guidance documents. The assurance activities described in the ST (which will be refined by the ITSEF to be TOE-specific, either within the ST or in a separate document) will be performed by the ITSEF. Although these activities were performed under the control of the ITSEF, it is also permissible to obtain support from the developer. The results of these activities will be documented and presented (along with the administrative guidance used) for validation.
For each assurance family, “Developer Notes” are provided on the developer action elements to clarify what, if any, additional documentation/activity needs to be provided by the developer.
The TOE security assurance requirements specified in Table 28 provide the evaluative activities required to address the threats identified in Section 0 of this PP.

Assurance Class | Assurance Components | Assurance Components Description
Development | ADV_FSP.1 | Basic functional specification
Guidance Documents | AGD_OPE.1 | Operational user guidance
Guidance Documents | AGD_PRE.1 | Preparative procedures
Life-cycle support | ALC_CMC.1 | Labelling of the TOE
Life-cycle support | ALC_CMS.1 | TOE CM coverage
Tests | ATE_IND.1 | Independent testing – Conformance
Vulnerability assessment | AVA_VAN.1 | Vulnerability survey
Table 28 TOE Security Assurance Requirements

7.1 Class ASE: Security Target evaluation
The ST is evaluated as per the ASE activities defined in the CEM. In addition, there may be Assurance Activities specified within the PP that call for necessary descriptions to be included in the TSS that are specific to the TOE technology type.
Appendix E of HCD PP v1.0 provides a description of the information expected to be provided regarding the quality of entropy in the random bit generator.
Given the criticality of the key management scheme, this PP requires the developer to provide a detailed description of their key management implementation. This information can be submitted as an appendix to the ST and marked proprietary, as this level of detailed information is not expected to be made publicly available. See Appendix F of HCD PP v1.0 for details on the expectation of the developer’s Key Management Description.
7.2 Class ADV: Development
For TOEs conforming to this PP, the information about the TOE is contained in the guidance documentation available to the end user as well as the TOE Summary Specification (TSS) portion of the ST. While it is not required that the TOE developer write the TSS, the TOE developer must concur with the description of the product that is contained in the TSS as it relates to the functional requirements. The Assurance Activities contained in Section 5 should provide the ST authors with sufficient information to determine the appropriate content for the TSS section.
7.2.1 ADV_FSP.1 Basic functional specification
The functional specification describes the TSF Interfaces (TSFIs). At the level of assurance provided by this PP, it is not necessary to have a formal or complete specification of these interfaces. Additionally, because TOEs conforming to this PP will necessarily have interfaces to the Operational Environment that are not directly invokable by TOE users (to include administrative users), at this assurance level there is little point specifying that such interfaces be described in and of themselves since only indirect testing of such interfaces may be possible. The activities for this family for this PP should focus on understanding the interfaces presented in the TSS in response to the functional requirements, and the interfaces presented in the AGD documentation. No additional “functional specification” document should be necessary to satisfy the assurance activities specified. The interfaces that need to be evaluated are characterized through the information needed to perform the assurance activities listed, rather than as an independent, abstract list.
Developer action elements:
ADV_FSP.1.1D The developer shall provide a functional specification.
ADV_FSP.1.2D The developer shall provide a tracing from the functional specification to the SFRs.
Developer Note: The developer shall provide the TSS description and the guidance documents as the functional specification. The TSS description identifies the TSFIs associated with each SFR in order to confirm the validity of the interface design. The developer is required to describe the interfaces at least to a level at which the TSS description and the contents of the guidance documents can be confirmed to be consistent with each other. If the TSS description and the guidance documents do not contain sufficient information for evaluation, additional documentation may be requested. For SFRs that cannot be directly operated or confirmed from external interfaces, the developer may be requested to provide additional information.
Content and presentation elements:
ADV_FSP.1.1C The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.2C The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3C The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering.
ADV_FSP.1.4C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.
Evaluator action elements:
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.
Assurance activity:
TSS:
The evaluator shall confirm the identifiable external interfaces from the guidance documents and examine whether the TSS description identifies all the interfaces required for realizing the SFRs.
The evaluator shall confirm the identification information of the TSFIs associated with the SFRs described in the TSS and confirm its consistency with the description related to each interface.
The evaluator shall check to ensure that the SFRs defined in the ST are appropriately realized, based on the identification information of the TSFIs in the TSS description as well as on the purposes, methods of use, and parameters for each TSFI in the guidance documents.
The assurance activities specific to each SFR are described in Section 5, and the evaluator shall perform the evaluation by adding them to this assurance component.

7.3 Class AGD: Guidance Documents
The guidance documents will be provided with the developer’s security target. Guidance must include a description of how the administrator verifies that the Operational Environment can fulfill its role for the security functionality. The documentation should be in an informal style and readable by an administrator.
Guidance must be provided for every Operational Environment that the product supports as claimed in the ST. This guidance includes
• instructions to successfully install the TOE in that environment; and
• instructions to manage the security of the TOE as a product and as a component of the larger Operational Environment.
Guidance pertaining to particular security functionality is also provided; requirements on such guidance are contained in the assurance activities specified in Section 5.

7.3.1 AGD_OPE.1 Operational user guidance
Developer action elements:
AGD_OPE.1.1D The developer shall provide operational user guidance.
Developer Note: The developer should review the assurance activities for this component to ascertain the specifics of the guidance that the evaluators will be checking for. This will provide the necessary information for the preparation of acceptable guidance.
Content and presentation elements:
AGD_OPE.1.1C The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation.
AGD_OPE.1.6C The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.
Evaluator action elements:
AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Assurance activity:
Operational Guidance:
The contents of the operational guidance are confirmed by the assurance activities in Section 5 and the TOE evaluation in accordance with the CEM.
The evaluator shall check to ensure that the following guidance is provided:
Procedures for administrators to confirm that the TOE returns to its evaluated configuration after the transition from maintenance mode to the normal Operational Environment.
Application note: During evaluation, the TOE returns to its evaluated configuration. In the field, the TOE may return to the configuration that was in force prior to entering maintenance mode.

7.3.2 AGD_PRE.1 Preparative procedures
Developer action elements:
AGD_PRE.1.1D The developer shall provide the TOE, including its preparative procedures.
Developer Note: As with the operational guidance, the developer should look to the assurance activities to determine the required content with respect to preparative procedures.
Content and presentation elements:
AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer’s delivery procedures.
AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.
Evaluator action elements:
AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.
7.4 Class ALC: Life-cycle Support
At the assurance level provided for TOEs conformant to this PP, life-cycle support is limited to end-user-visible aspects of the life-cycle, rather than an examination of the TOE vendor’s development and configuration management process. This is not meant to diminish the critical role that a developer’s practices play in contributing to the overall trustworthiness of a product; rather, it is a reflection of the information to be made available for evaluation at this assurance level.

7.4.1 ALC_CMC.1 Labelling of the TOE
This component is targeted at identifying the TOE such that it can be distinguished from other products or versions from the same vendor and can be easily specified when being procured by an end user.
Developer action elements:
ALC_CMC.1.1D The developer shall provide the TOE and a reference for the TOE.
Content and presentation elements:
ALC_CMC.1.1C The TOE shall be labeled with its unique reference.
Evaluator action elements:
ALC_CMC.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Assurance activity:
Operational Guidance:
The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. The evaluator shall ensure that this identifier is sufficient for an acquisition entity to use in procuring the TOE (including the appropriate administrative guidance) as specified in the ST. Further, the evaluator shall check the AGD guidance and the TOE samples received for testing to ensure that the version number is consistent with that in the ST.
If the vendor maintains a web site advertising the TOE, the evaluator shall examine the information on the web site to ensure that the information in the ST is sufficient to distinguish the product.

7.4.2 ALC_CMS.1 TOE CM coverage
Given the scope of the TOE and its associated evaluation evidence requirements, this component’s assurance activities are covered by the assurance activities listed for ALC_CMC.1.
Developer action elements:
ALC_CMS.1.1D The developer shall provide a configuration list for the TOE.
Content and presentation elements:
ALC_CMS.1.1C The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs.
ALC_CMS.1.2C The configuration list shall uniquely identify the configuration items.
Evaluator action elements:
ALC_CMS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Assurance activity:
Operational Guidance:
The “evaluation evidence required by the SARs” in this PP is limited to the information in the ST coupled with the guidance provided to administrators and users under the AGD requirements. By ensuring that the TOE is specifically identified and that this identification is consistent in the ST and in the AGD guidance (as done in the assurance activity for ALC_CMC.1), the evaluator implicitly confirms the information required by this component.

7.5 Class ATE: Tests
Testing is specified for functional aspects of the system as well as aspects that take advantage of design or implementation weaknesses. The former is done through the ATE_IND family, while the latter is through the AVA_VAN family.
At the assurance level specified in this PP, testing is based on advertised functionality and interfaces as constrained by the availability of design information presented in the TSS. One of the primary outputs of the evaluation process is the test report as specified in the following requirements.

7.5.1 ATE_IND.1 Independent testing - Conformance
Testing is performed to confirm the functionality described in the TSS as well as the administrative (including configuration and operation) documentation provided. The focus of the testing is to confirm that the requirements specified in Section 5 are being met, although some additional testing is specified for SARs in Section 7. The Assurance Activities identify the minimum testing activities associated with these components. The evaluator produces a test report documenting the plan for and results of testing, as well as coverage arguments focused on the product model combinations that are claiming conformance to this PP.
Developer action elements:
ATE_IND.1.1D The developer shall provide the TOE for testing.
Content and presentation elements:
ATE_IND.1.1C The TOE shall be suitable for testing.
Evaluator action elements:
ATE_IND.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.1.2E The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.
Assurance activity:
Test:
The evaluator shall prepare a test plan and report documenting the testing aspects of the system. The test plan covers all of the testing actions contained in the body of this PP’s Assurance Activities. While it is not necessary to have one test case per test listed in an Assurance Activity, the evaluators must document in the test plan that each applicable testing requirement in the ST is covered.
The Test Plan identifies the product models to be tested, and for those product models not included in the test plan but included in the ST, the test plan provides a justification for not testing the models. This justification must address the differences between the tested models and the untested models, and make an argument that the differences do not affect the testing to be performed. It is not sufficient to merely assert that the differences have no effect; rationale must be provided. In particular, where the ST describes multiple models (product names), the evaluator shall, when creating this justification, consider differences in language specification as well as the ways in which non-security functions, such as the printing function, may influence the security functions. If all product models claimed in the ST are tested, then no rationale is necessary.
The test plan describes the composition of each product model to be tested, and any setup that is necessary beyond what is contained in the AGD documentation. It should be noted that the evaluators are expected to follow the AGD documentation for installation and setup of each model either as part of a test or as a standard pre-test condition. This may include special test drivers or tools. For each driver or tool, an argument (not just an assertion) is provided that the driver or tool will not adversely affect the performance of the functionality by the TOE.
The test plan identifies high-level test objectives as well as the test procedures to be followed to achieve those objectives. These procedures include the goal of the particular procedure, the test steps used to achieve the goal, and the expected results.
The test report (which could just be an annotated version of the test plan) details the activities that took place when the test procedures were executed, and includes the actual results of the tests. This shall be a cumulative account, so if there was a test run that resulted in a failure; a fix installed; and then a successful re-run of the test, the report would show a “fail” and “pass” result (and the supporting details), and not just the “pass” result.

7.6 Class AVA: Vulnerability Assessment
For the first generation of this protection profile, the evaluation lab is expected to survey open sources to discover what vulnerabilities have been discovered in these types of products. In most cases, these vulnerabilities will require sophistication beyond that of a basic attacker. Until penetration tools are created and uniformly distributed to the evaluation labs, evaluators will not be expected to test for these vulnerabilities in the TOE. The labs will be expected to comment on the likelihood of these vulnerabilities given the documentation provided by the vendor. This information will be used in the development of penetration testing tools and for the development of future protection profiles.
Developer action elements:
AVA_VAN.1.1D The developer shall provide the TOE for testing.
Content and presentation elements:
AVA_VAN.1.1C The TOE shall be suitable for testing.
Evaluator action elements:
AVA_VAN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VAN.1.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.1.3E The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing basic attack potential.
Assurance activity:
Test:
As with ATE_IND, the evaluator shall generate a report to document their findings with respect to this requirement. This report could physically be part of the overall test report mentioned in ATE_IND, or a separate document. The evaluator performs a search of public information to determine the vulnerabilities that have been found in printing devices and the implemented communication protocols in general, as well as those that pertain to the particular TOE. The evaluator documents the sources consulted and the vulnerabilities found in the report.
For each vulnerability found, the evaluator either provides a rationale with respect to its non-applicability, or the evaluator formulates a test (using the guidelines provided in ATE_IND) to confirm the vulnerability, if suitable. Suitability is determined by assessing the attack vector needed to take advantage of the vulnerability.
For example, if the vulnerability can be detected by pressing a key combination on boot-up, a test would be suitable at the assurance level of this PP. If exploiting the vulnerability requires an electron microscope and liquid nitrogen, for instance, then a test would not be suitable and an appropriate justification would be formulated.

7.7 Security Assurance Requirements rationale
The rationale for choosing these security assurance requirements is that they define a minimum security baseline that is based on the anticipated threat level of the attacker, the security of the Operational Environment in which the TOE is deployed, and the relative value of the TOE itself.
The assurance activities throughout the PP are used to provide tailored guidance on the specific expectations for completing the security assurance requirements.

8 TOE Summary Specification (ASE_TSS)
This section provides a summary specification for each TOE security function. The security functions are described for each corresponding security functional requirement.

8.1 Identification and Authentication, Use-of-Feature Authorization (TSF_FIA)
The Identification and Authentication Function verifies that users are authorized to operate the TOE and access the TOE’s protected information.

8.1.1 FIA_UAU.1 and FIA_UID.1
The TOE identifies and authenticates a user by checking credentials entered by the user.
User credentials are checked against user authentication data stored in the TOE, or against an external network authentication service (LDAP).
Users can be identified and authenticated through several interfaces:
• Locally, by manually entering a username and password using the Operation Panel.
• Remotely, by manually entering credentials using a client computer’s web browser to access the Web Image Monitor (WIM).
• Remotely, using a client computer’s print driver or fax driver which has been configured to submit credentials on behalf of the user.
When users are identified and authenticated via remote interfaces, their credentials are protected in transit using trusted paths.
Certain functions may be performed without user identification and authentication:
• Viewing user job lists, WIM Help, system status, the counter and inquiry information, repair request notifications, and eco information of the system.
• Creation of fax reception jobs.
• Creation of print jobs.
8.1.2 FIA_PMG_EXT.1
For authentication within the TOE, login passwords for users can be registered only if these passwords meet the conditions specified by the selections in FIA_PMG_EXT.1.

8.1.3 FIA_UAU.7
When users enter their passwords using the Operation Panel or using WIM from the client computer, the TOE displays a sequence of dummy characters whose length is the same as that of the entered password.

8.1.4 FIA_AFL.1
The TOE counts consecutive login failures for a given login name and locks out that user until the lockout is released. The TOE can lock out any user.
Authentication events that are subject to lockout are listed with the SFR FIA_AFL.1.1 in Table 22, and the actions to release lockout are listed with the SFR FIA_AFL.1.2 in Table 23.

8.1.5 FIA_USB.1 and FIA_ATD.1
After successful identification and authentication, users are authorized to perform functions according to the user role (Normal User, MFP Administrator, or MFP Supervisor) that is associated with their user registration.
The user security attributes associated with each role are:
• Login User Name
• User Role
• Available Functions List
The User Role assigned to the user at login is maintained until the user is logged out. If user identification and authentication fails, use of the TOE is denied according to FIA_UAU.1 and FIA_UID.1.
An Available Functions List is associated with each Normal User. It lists the basic hardcopy functions that the user is permitted to perform.
8.1.6 FTA_SSL.3
User sessions are terminated according to the type of user session:
Operation Panel: the user is logged out of the TOE when inactivity reaches the Operation Panel auto logout time (settable from 10 to 999 seconds).
WIM: the user is logged out of the TOE when inactivity reaches the WIM auto logout time (settable from 3 to 60 minutes).
Printer driver: the user is logged out of the TOE immediately after the print data is received from the printer driver.
Fax driver: the user is logged out of the TOE immediately after the transmission information is received from the fax driver.
Network login: the user is logged out of the TOE when inactivity reaches the Operation Panel auto logout time (settable from 10 to 999 seconds).

8.2 Access Control (TSF_FDP)
The Access Control Function permits authorized TOE users to operate on document data and user jobs in accordance with the privileges allowed by their user role.

8.2.1 FDP_ACC.1 and FDP_ACF.1
The TOE controls user operations on document data and user jobs as specified in Table 20 and Table 21.

8.2.1.1 Access control rule on document data
The TOE provides users with the ability to perform operations on document data that are stored in the TOE.
Normal Users are permitted to operate on document data if the ID of the user corresponds to the Document User List for that document (i.e., the user is the “Job Owner”). A Normal User is not permitted to operate on document data for which it is not the Job Owner. The privileges that allow users to edit the Document User List are described in section 8.5.
As described in Table 29, a Normal User who is a Job Owner may print, download to client computers, send by fax, send by e-mail as attachments, and delete stored documents, using the Operation Panel or a web browser.
The TOE allows only the Job Owner to view and delete the document data handled as a user job while the Copy Function, Printer Function, Scanner Function, Fax Function, or Document Server Function is being used.
While no interface to change job owners is provided, an interface to cancel user jobs is provided. If a user job is cancelled, any document the cancelled job operates on will be deleted.

Function | User interface | Type of document | Operations permitted for authorized users
Printer | Operation Panel | +PRT | Print, Delete
Printer | Web browser | +PRT | Print, Delete
Scanner | Operation Panel | +SCN | E-mail transmission
Fax | Operation Panel | +FAXIN | Print, Delete
Fax | Web browser | +FAXIN | Print, Download, Delete
(Operations above are permitted only if Normal Users are authorized to use the Document Server Function)
Document Server | Operation Panel | +DSR | Print, Delete
Document Server | Operation Panel | +FAXOUT | Print, Delete
Document Server | Web browser | +DSR | Print, Delete
Document Server | Web browser | +FAXOUT | Fax transmission, Download, Print, Delete
(Fax transmission is permitted for Normal Users who are authorized to use the Fax Function)
Table 29 Stored Documents Access Control Rules for Normal Users

MFP Administrators are not permitted to print, download, or send stored documents. MFP Administrators may delete stored documents, using the Operation Panel, web browser, or indirectly by cancelling a job.
The MFP Supervisor is not permitted to perform any document operations.

8.2.1.2 Access control rule on user jobs
The TOE displays on the Operation Panel a menu to cancel a user job only if the user who logs in from the Operation Panel is a Job Owner or MFP Administrator, and a cancellation of a user job is attempted by the Job Owner or an MFP Administrator.
Other users are not allowed to operate user jobs.
When a user job is cancelled, any documents operated on by the cancelled job will be deleted. However, if the document data operated on by the cancelled user job is a stored document, the data will not be deleted and will remain stored in the TOE.

8.3 Stored Data Encryption (TSF_FCS)
The Stored Data Protection Function encrypts data on the HDD and in NVRAM.

8.3.1 FCS_KYC_EXT.1, FPT_KYP_EXT.1, and FCS_COP.1(f)
The keychain for encrypting field-replaceable non-volatile storage devices begins with a common Root Encryption Key (REK). The plaintext REK is stored in a hardware security module, Ic Key.
The REK is used to encrypt and decrypt a Key Encryption Key (KEK). The KEK is used to encrypt and decrypt Device Encryption Keys (DEKs) for the HDD and NVRAM. All such operations use 256-bit AES keys to protect the 256-bit AES data encryption keys for the target devices.

Key | En/decrypts | Algorithm | Length | SFR | Validation
Root Encryption Key (REK) | Key Encryption Key | AES CBC | 256 | FCS_COP.1(f) | CAVP AES #5364
Key Encryption Key (KEK) | HDD Key, NVRAM Key, DevCert Key | AES CBC | 256 | FCS_COP.1(f) | CAVP AES #5364
Table 30 Keychain encryption

Additional details about the keychain and device encryption are provided in the Key Management Description.

8.3.2 FCS_CKM.1(b)[DIM], FCS_CKM.1(b)[DAR], and FCS_RBG_EXT.1
The REK, KEK, HDD Key, and NVRAM Key are created using a software-based DRBG that has been seeded by a third-party hardware-based TRNG and DRBG.
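The two mechanisms described in 8.3.1 and 8.3.2, a Hash_DRBG_SHA256 that generates the keys and an AES-256-CBC chain that keeps everything below the REK wrapped, are shown together in the following added example. It is illustrative code written for this page, not RICOH's implementation or any part of the Key Management Description: the DRBG follows SP 800-90A Section 10.1.1 (Hash_df, instantiate, generate) with reseeding omitted, the seed comes from crypto/rand as a stand-in for the TOE's hardware TRNG, and the wrap format (random IV prepended to a 32-byte key) and the names wrapKey/unwrapKey are this example's own assumptions. The comment on wrapKey records the caveat a practitioner should keep in mind: CBC alone gives confidentiality, not integrity, so a corrupted wrapped key is not detected at unwrap time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

const seedLen = 55 // 440-bit seedlen for Hash_DRBG with SHA-256 (SP 800-90A Table 2)
var modSeed = new(big.Int).Lsh(big.NewInt(1), seedLen*8)

// HashDRBG is Hash_DRBG_SHA256 (SP 800-90A 10.1.1); reseeding is omitted for brevity.
type HashDRBG struct {
	v, c          [seedLen]byte
	reseedCounter uint64
}

// hashDF is Hash_df (10.3.1): Hash(counter || bit_length || input) for counter = 1, 2, ...
func hashDF(input []byte, n int) []byte {
	out := make([]byte, 0, n+sha256.Size)
	for ctr := byte(1); len(out) < n; ctr++ {
		h := sha256.New()
		h.Write(binary.BigEndian.AppendUint32([]byte{ctr}, uint32(n*8)))
		h.Write(input)
		out = h.Sum(out)
	}
	return out[:n]
}

// addMod sets dst = (dst + terms...) mod 2^seedlen on big-endian byte arrays.
func addMod(dst *[seedLen]byte, terms ...[]byte) {
	s := new(big.Int).SetBytes(dst[:])
	for _, t := range terms {
		s.Add(s, new(big.Int).SetBytes(t))
	}
	s.Mod(s, modSeed).FillBytes(dst[:])
}

// NewHashDRBG instantiates from entropy_input || nonce || personalization (10.1.1.2).
func NewHashDRBG(entropy, nonce, personalization []byte) *HashDRBG {
	d := &HashDRBG{reseedCounter: 1}
	seed := append(append(append([]byte{}, entropy...), nonce...), personalization...)
	copy(d.v[:], hashDF(seed, seedLen))
	copy(d.c[:], hashDF(append([]byte{0x00}, d.v[:]...), seedLen))
	return d
}

// Generate is Hashgen followed by V = (V + H + C + reseed_counter) mod 2^seedlen (10.1.1.4).
func (d *HashDRBG) Generate(n int) []byte {
	out, data := make([]byte, 0, n+sha256.Size), d.v
	for len(out) < n {
		w := sha256.Sum256(data[:])
		out = append(out, w[:]...)
		addMod(&data, []byte{1})
	}
	h := sha256.Sum256(append([]byte{0x03}, d.v[:]...))
	addMod(&d.v, h[:], d.c[:], binary.BigEndian.AppendUint64(nil, d.reseedCounter))
	d.reseedCounter++
	return out[:n]
}

// wrapKey: AES-256-CBC over a 32-byte key under kek, random IV prepended. CBC gives
// confidentiality only: a tampered blob unwraps without error to a wrong key.
func wrapKey(kek, key []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil || len(kek) != 32 || len(key) != 32 {
		return nil, errors.New("wrap: need a 32-byte KEK and a 32-byte key")
	}
	out := make([]byte, aes.BlockSize+32)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(blk, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], key)
	return out, nil
}

func unwrapKey(kek, wrapped []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil || len(kek) != 32 || len(wrapped) != aes.BlockSize+32 {
		return nil, errors.New("unwrap: need a 32-byte KEK and a 48-byte blob")
	}
	key := make([]byte, 32)
	cipher.NewCBCDecrypter(blk, wrapped[:aes.BlockSize]).CryptBlocks(key, wrapped[aes.BlockSize:])
	return key, nil
}

func main() {
	entropy := make([]byte, 32) // stand-in for the hardware TRNG output that seeds the TOE's DRBG
	rand.Read(entropy)
	drbg := NewHashDRBG(entropy, []byte("nonce"), []byte("keychain-example"))
	rek, kek, hdd := drbg.Generate(32), drbg.Generate(32), drbg.Generate(32)
	wKEK, _ := wrapKey(rek, kek) // REK -> KEK; only rek stays in plaintext (Ic Key in the TOE)
	wHDD, _ := wrapKey(kek, hdd) // KEK -> HDD DEK, stored wrapped
	k, _ := unwrapKey(rek, wKEK)
	got, _ := unwrapKey(k, wHDD)
	fmt.Printf("HDD DEK recovered through the chain: %x\n", got[:8])
}
```

Zeroizing kek, k and got after use is what FCS_CKM.4-style destruction requires of the caller; nothing in the wrap format detects a modified blob, which is why a deployment that cannot rely on the storage being tamper-evident should add an authenticated wrap rather than plain CBC.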
RNG | Method | Standard | Validation
Hardware TRNG | True RNG + DRBG | AIS31 Class 2 | CC #ANSSI-CC-2012/84
Software DRBG | Hash_DRBG_SHA256 | SP 800-90A | CAVP HMAC #3552, CAVP SHS #4306, CAVP DRBG #2075
Table 31 Random Number Sources

Additional details about key creation, the TRNG, and the DRBG are provided in the Key Management Description and Entropy Description documents.

8.3.3 FCS_CKM.4 and FCS_CKM_EXT.4
Key destruction details are provided in the Key Management Description.

8.3.4 FDP_DSK_EXT.1 and FCS_COP.1(d)
Two field-replaceable non-volatile storage devices employ encryption: the HDD and NVRAM.
The entire HDD is encrypted. All HDD data is encrypted with AES 256 CBC encryption by a hardware component, Ic Ctrl. HDD encryption is enabled and initialized in the evaluated configuration, as described in the Notes for Administrators guidance document.
Partition 3 of NVRAM is encrypted by a software component, the LPUX NVRAM Encryption Driver, with AES 256-bit encryption. It is enabled and initialized during manufacturing and cannot be disabled. Other partitions of NVRAM do not contain confidential User or TSF Data.
The following algorithms are used:

Function | SFR | Algorithm | Validation
HDD encryption | FCS_COP.1(d) | AES 256 CBC | AES #3921
NVRAM encryption | FCS_COP.1(d) | AES 256 CBC | AES #4560
Table 32 Storage encryption cryptographic functions

Keychain, key management, and other details are provided in the Key Management Description.

8.4 Trusted Communications (TSF_FTP)
The Trusted Communications Function provides trusted paths for communications between the TOE and remote users / external IT entities.
8.4.1 FTP_TRP.1(a), FTP_TRP.1(b), FCS_HTTPS_EXT.1, and FCS_TLS_EXT.1
The TOE employs TLS 1.2 to protect communications between the TOE and remote users’ client computers (print drivers, fax drivers, and WIM HTTPS sessions).
The TOE supports these ciphersuites:
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

8.4.2 FCS_CKM.1(a), FCS_RBG_EXT.1, FCS_COP.1(a), FCS_COP.1(b)[DIM], FCS_COP.1(c), and FCS_COP.1(g)
The TOE generates a self-signed Device Certificate according to FCS_CKM.1(a). Administrators may import a Device Certificate that is generated outside of the TOE.
To establish a session key for TLS communications, the TOE employs a Diffie-Hellman-based key establishment scheme conforming to NIST SP 800-56A, and a Hash DRBG. The session key is used to encrypt communications with AES 128 or AES 256 CBC:

Function | SFR | Algorithm | Validation
Key establishment | FCS_CKM.1(a), FCS_COP.1(b)[DIM], FCS_COP.1(c) | DSA KeyGen 186-4, KAS-FFC | DSA #1385, Comp #1826
Random number generation | FCS_RBG_EXT.1 | Hash_DRBG_SHA256 | HMAC #3552, DRBG #2075, SHS #4306
Encryption / decryption | FCS_COP.1(a) | AES 128 CBC, AES 256 CBC | AES #5364
Table 33 TLS/HTTPS cryptographic functions

Per IG D.8, Scenario 6 – non-approved primitive only, a partial DH key agreement scheme is allowed in an approved FIPS mode of operation. No keys are established into the module using DH. The key establishment methodology provides 112 bits of encryption strength.

8.4.3 FPT_SKP_EXT.1, FCS_CKM.4 and FCS_CKM_EXT.4
All pre-shared keys, symmetric keys, and private keys are protected in storage and are not accessible to any user through TOE interfaces.
A root encryption key is securely stored in IcKey (a Trusted Platform Module). No other plaintext keys are stored in non-volatile storage. The root encryption key is used to decrypt a key encryption key, which is used to decrypt the symmetric keys for encrypted storage and the Device Certificate. The IPsec PSK is stored in an encrypted partition of NVRAM. Key destruction is described in the Key Management Description.
8.4.4 FCS_ITC.1[IPsec], FCS_IPSEC_EXT.1, FIA_PSK_EXT.1, and FCS_COP.1(g)
The TOE employs IPsec to protect communications between the TOE and external IT entities in the operational environment. In the evaluated configuration, it is used for communications with LDAP, syslog, NTP, SMTP, and FTP servers.
IPsec is operated in transport mode, as set by the administrator.
IPsec supports automatic key exchange by IKEv1.
In Phase 1, peer authentication supports two types of authentication: pre-shared key authentication and digital certificate authentication.
The pre-shared key can be any length from 1 to 32 characters, and composed of any combination of upper and lower case letters, numbers, and special characters (which include "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")").
An administrator can select whether to use main mode or aggressive mode. In the evaluated configuration, only main mode is used.
In IKEv1, the supported DH groups are 1, 2 and 14. The value set by the administrator is used.
IKEv1 key lifetimes can be set by the administrator, from 300 seconds to 172,800 seconds. In the evaluated configuration, the Phase 1 key lifetime is set to 86,400 seconds (24 hours), and the Phase 2 lifetime is set to 28,800 seconds (8 hours).
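The rules of section 8.4.4 (PSK composition, main mode, DH groups 1/2/14, the 300 to 172,800 second lifetime range, and the first-match evaluation of four SPD entries plus a default entry that the section goes on to describe) lend themselves to a small checker. The following is an added example written for this page, not Ricoh code and not the TOE's configuration format; the configuration field names, the packet representation, the assumption that the "special characters" are exactly the ten listed, and the sample policy (RFC 5737 documentation addresses) are all constructed here.

```python
"""Checks for the IPsec settings in section 8.4.4 and a first-match SPD evaluator.

Added illustration; not Ricoh code. Field names, the packet representation and
the sample entries below are constructed for this example.
"""
import ipaddress
import re

# PSK rule from the ST: 1 to 32 characters from upper/lower case letters, digits
# and the listed special characters. Assumption: only the ten listed specials.
_PSK_RE = re.compile(r"[A-Za-z0-9!@#$%^&*()]{1,32}")

LIFETIME_MIN, LIFETIME_MAX = 300, 172_800      # IKEv1 lifetime range (seconds)
SUPPORTED_DH_GROUPS = {1, 2, 14}               # IKEv1 DH groups per the ST
MAX_INDIVIDUAL_ENTRIES = 4                     # SPD: four entries plus one default


def psk_is_valid(psk: str) -> bool:
    return _PSK_RE.fullmatch(psk) is not None


def check_ike_config(cfg: dict) -> list:
    """Return the list of deviations from the evaluated configuration (empty = OK)."""
    problems = []
    if cfg.get("mode") != "main":
        problems.append("evaluated configuration uses main mode only")
    if cfg.get("dh_group") not in SUPPORTED_DH_GROUPS:
        problems.append("DH group must be 1, 2 or 14")
    for phase, key in (("Phase 1", "p1_lifetime"), ("Phase 2", "p2_lifetime")):
        value = cfg.get(key)
        if not isinstance(value, int) or not LIFETIME_MIN <= value <= LIFETIME_MAX:
            problems.append(f"{phase} lifetime must be {LIFETIME_MIN}..{LIFETIME_MAX} s")
    if cfg.get("auth") == "psk" and not psk_is_valid(cfg.get("psk", "")):
        problems.append("PSK must be 1-32 characters from the permitted set")
    return problems


class SpdEntry:
    """Selector: destination network, IP protocol (None = any), port (None = any)."""

    def __init__(self, network: str, proto: str = None, port: int = None):
        self.network = ipaddress.ip_network(network)
        self.proto = proto
        self.port = port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["dst"]) in self.network
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.port is None or pkt.get("port") == self.port))


def spd_decision(entries: list, default: SpdEntry, pkt: dict) -> str:
    """First-match evaluation as the ST describes: individual entries in order,
    then the default entry; a packet matching nothing is discarded."""
    if len(entries) > MAX_INDIVIDUAL_ENTRIES:
        raise ValueError("the TOE allows at most four individual SPD entries")
    for entry in list(entries) + [default]:
        if entry.matches(pkt):
            return "ipsec"
    return "discard"


# Constructed sample policy using RFC 5737 documentation addresses: LDAP and
# syslog servers as individual entries, a server subnet as the default entry.
SAMPLE_ENTRIES = [SpdEntry("192.0.2.10/32", "tcp", 389),
                  SpdEntry("192.0.2.20/32", "udp", 514)]
SAMPLE_DEFAULT = SpdEntry("198.51.100.0/24")

if __name__ == "__main__":
    print(check_ike_config({"mode": "aggressive", "dh_group": 5, "p1_lifetime": 100,
                            "p2_lifetime": 28_800, "auth": "psk", "psk": "bad key"}))
    print(spd_decision(SAMPLE_ENTRIES, SAMPLE_DEFAULT,
                       {"dst": "192.0.2.10", "proto": "tcp", "port": 389}))
```

The checker reports every deviation rather than stopping at the first, which is the form an evaluator's configuration review needs; the SPD evaluator deliberately has no "bypass" outcome because the section only describes two results, IPsec or discard.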
As an SPD, four individual entries and one default entry can be set by an administrator. Beginning with the first entry, the packet is compared, and if it matches the entry, IPsec communication is performed. If the packet does not match the first entry, subsequent entries are tested until there is a match. If no entries match the packet, the default entry is compared, and if it does not match either, the packet is discarded.
The TOE supports these cryptographic algorithms:
Function | SFR | Algorithm | Validation
IKEv1 | FCS_CKM.1(a), FCS_COP.1(a), FCS_COP.1(b)[DIM], FCS_COP.1(g), FCS_RBG_EXT.1 | RSA 186-4; AES 128 CBC; AES 256 CBC; HMAC-SHA256; HMAC-SHA384; HMAC-SHA512 | RSA #2869; AES #5364; HMAC #3552; SHS #4306
ESP | FCS_COP.1(a), FCS_COP.1(b)[DIM], FCS_COP.1(g), FCS_RBG_EXT.1 | AES 128 CBC; AES 256 CBC; HMAC-SHA256; HMAC-SHA384; HMAC-SHA512 | AES #5315; HMAC #3515; SHS #4269
Table 34 IPsec cryptographic functions
8.5 Administrative Roles (TSF_FMT)
The Security Management Function consists of functions to 1) control operations on TSF data, 2) maintain the user roles assigned to Normal Users, MFP Administrator, or MFP Supervisor for operating the Security Management Function, and 3) set appropriate default values for security attributes, all of which accord with the user role privileges or user privileges assigned to Normal Users, MFP Administrator, or MFP Supervisor.
8.5.1 FMT_SMR.1
The TOE maintains U.NORMAL and U.ADMIN roles as described in Table 6. Normal Users are permitted to use the TOE's document processing functions and to access their own data.
Administrators do not initiate document processing jobs: the sub-role MFP Administrator can manage Normal Users' jobs and data and configures the TOE, and the sub-role MFP Supervisor sets MFP Administrators' passwords.
8.5.2 FMT_SMF.1, FMT_MOF.1, and FMT_MTD.1
The TOE provides the management functions listed in Table 26, and the TOE restricts operations on TSF Data according to the rules described in Table 26.
8.5.3 FMT_MSA.1 and FMT_MSA.3
The TOE restricts operations on security attributes according to the rules described in Table 25.
The TOE sets default values for objects/subjects according to the rules described in Table 35 when those objects/subjects are generated.
Objects | Security attributes | Default values
Document data | Document data attribute | +PRT: Documents printed from the client computer with direct print, locked print, hold print, and sample print. +SCN: Documents sent by e-mail as attachments from the MFP. +CPY: Documents copied using the MFP. +FAXOUT: Documents sent by fax from the MFP or client computer. +FAXIN: Documents received from a telephone line. +DSR: Documents stored in the TOE by using Copy Function, Scanner Function, Document Server Function and Fax Data Storage Function. Documents printed using Document Server printing or stored print from the client computer.
Document data (stored document types are Document Server document, scanner document and fax transmission document) | Document user list | Default values of a document user list assigned to a Normal User who created the document data.
Document data (stored document type is printer document) | Document user list | Login user name of a Normal User who stored the document data.
Document data (stored document type is fax reception document) | Document user list | Login user name of a Normal User included in the Stored Reception File User list.
User jobs | Login user name of Normal User | Login user name of a Normal User who newly creates a user job.
Each MFP application (Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function) | Function type | The values specified for each function type are as follows: for Copy Function, values to identify Copy Function; for Document Server Function, values to identify Document Server Function; for Printer Function, values to identify Printer Function; for Scanner Function, values to identify Scanner Function; for Fax Function, values to identify Fax Function.
Table 35 List of Static Initialization for Security Attributes of Document Access Control SFP
The attributes which may be overridden are restricted to U.ADMIN, as described in Table 36.
Object | Attribute | Role that can override default value
Document data when attribute is +DSR or +FAXIN | Document user list | MFP Administrator
Table 36 Roles allowed to override default values
8.6 Audit Function (TSF_FAU)
The Audit Function generates the audit log of TOE use and security-relevant events (hereafter, "audit events"). This function provides the recorded audit log in a legible fashion for users to audit (audit log review). The recorded audit log can be accessed and deleted only by the MFP Administrator.
8.6.1 FAU_GEN.1 and FAU_GEN.2
The TOE records an audit log of the events listed in Table 37.
Auditable event requirements | Auditable events satisfied
Start-up and shutdown of the audit functions | Start-up of the Audit Function; Shutdown of the Audit Function
Job completion | Printing via networks; LAN Fax via networks; Scanning documents; Copying documents; Receiving incoming faxes; Creating document data (storing); Reading document data (print, download, fax transmission); Deleting document data
Unsuccessful User authentication, Unsuccessful User identification | Failure of login operations
Use of management functions | Use of functions identified in FMT_SMF.1
Modification to the group of Users that are part of a role | Modification of MFP Administrator roles
Changes to the time | Date settings (year/month/day), time settings (hour/minute)
Failure to establish session | Failure of communication with the audit server; Failure of communication with the authentication server; Failure of communication with the FTP server; Failure of communication with the NTP server; Failure of communication with the print driver; Failure of communication with the fax driver; Failure of communication with WIM
Table 37 List of Audit Events
Audit log entries record the date and time of the event, the type of event, the subject identity (if applicable), and the outcome (success or failure) of the event. Additionally, Job Completion events record the type of job, and Failure to Establish Session events record the reason for the failure.
The complete list of audit log items, attributes, and content can be found in the guidance documentation in "Logs That Can Be Managed Using Web Image Monitor".
8.6.2 FAU_STG.1, FAU_STG_EXT.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2
The TOE stores audit log data in a dedicated storage area of the HDD.
Audit records are buffered in that storage area before transfer to an audit server or retrieval by an Administrator.
Audit data is Confidential TSF Data. Audit records can be retrieved by:
• An Administrator, using the WIM to initiate transfer of audit records.
• An Administrator-configured transfer over a trusted channel (IPsec) to the Audit Server in the Operational Environment.
Administrator configuration can initiate transfers on a time schedule, when the log storage area is reaching its capacity, or whenever events are logged.
There are three types of audit logs: Job logs, Access logs, and Ecology logs. The maximum number of records that can be stored in the TOE is:
• Job log: 4,000 records
• Access log: 12,000 records
• Ecology log: 4,000 records
If a maximum is reached, records are overwritten by new records in the following order:
1. Records that have been transferred and records that are not set for transfer, oldest first
2. Records for completed events that are set for transfer but not yet transferred, oldest first
3. Records that are in process, oldest first
8.6.3 FPT_STM.1
The date (year/month/day) and time (hour/minute/second) the TOE records for the audit log are derived from the system clock of the TOE. The system clock is also used for other time-related functions, including user lockout timing, idle session timeouts, and SA lifetimes.
The system clock may be set locally or configured to use a network time server. Only an MFP Administrator can configure the system clock.
8.7 Trusted Operation (TSF_FPT)
The Software Verification Function verifies the integrity of the executable code of the MFP Control Software, FCU Control Software and Operation Panel Control Software, and confirms that this code can be trusted.
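Returning to the audit-storage rules of 8.6.2 above: the three-level overwrite order (transferred or not-for-transfer records first, then completed-but-untransferred, then in-process records, oldest first within each level) is the property an evaluator checks when confirming that FAU_STG.4 does not discard untransferred evidence while older exported records remain. The following is an added example written for this page, not Ricoh code; the record fields follow 8.6.1 and the capacities are the ST's stated maxima, while the transfer and in-process flags, their names, and the sample records are constructed.

```python
"""Audit-record buffer that overwrites in the order given in section 8.6.2.

Added illustration; not Ricoh code. Record fields follow 8.6.1 (date/time, event
type, subject, outcome); the per-log capacities are the ST's stated maxima.
The transfer/in-process flags and their names are constructed here.
"""
from dataclasses import dataclass
from itertools import count
from typing import List, Optional

CAPACITY = {"job": 4_000, "access": 12_000, "ecology": 4_000}


@dataclass
class AuditRecord:
    seq: int                    # assigned in arrival order; lower means older
    timestamp: str
    event: str
    subject: str
    outcome: str
    set_for_transfer: bool = True
    transferred: bool = False
    in_process: bool = False    # the event (e.g. a job) has not completed yet

    def overwrite_rank(self) -> int:
        """1, 2 or 3 as in the ST's list; lower rank is overwritten first."""
        if self.in_process:
            return 3
        if self.set_for_transfer and not self.transferred:
            return 2
        return 1  # already transferred, or never set for transfer


class AuditLog:
    def __init__(self, kind: str, capacity: Optional[int] = None):
        self.kind = kind
        self.capacity = CAPACITY[kind] if capacity is None else capacity
        self.records: List[AuditRecord] = []
        self._seq = count(1)

    def append(self, **fields) -> AuditRecord:
        """Store a new record, overwriting one existing record if the log is full."""
        record = AuditRecord(seq=next(self._seq), **fields)
        if len(self.records) >= self.capacity:
            self._evict_one()
        self.records.append(record)
        return record

    def _evict_one(self) -> AuditRecord:
        # Lowest rank first; within a rank, the oldest (smallest seq) record.
        victim = min(self.records, key=lambda r: (r.overwrite_rank(), r.seq))
        self.records.remove(victim)
        return victim

    def mark_transferred(self, seqs) -> None:
        """Called after a successful transfer to the audit server."""
        for record in self.records:
            if record.seq in seqs:
                record.transferred = True

    def events(self) -> List[str]:
        return [r.event for r in self.records]


def demo_eviction() -> List[str]:
    """Fill a three-record log and show which records survive two overwrites."""
    log = AuditLog("access", capacity=3)            # small capacity for the demo
    log.append(timestamp="2019-12-19T10:00:00", event="login failure",
               subject="user1", outcome="failure")                    # rank 2
    log.append(timestamp="2019-12-19T10:01:00", event="print job",
               subject="user2", outcome="success", in_process=True)  # rank 3
    log.append(timestamp="2019-12-19T10:02:00", event="setting change",
               subject="admin", outcome="success", set_for_transfer=False)  # rank 1
    # Full: the next record overwrites the rank-1 "setting change" record.
    log.append(timestamp="2019-12-19T10:03:00", event="logout",
               subject="user1", outcome="success")                    # rank 2
    # Full again: of the two rank-2 records the older "login failure" goes.
    log.append(timestamp="2019-12-19T10:04:00", event="audit shutdown",
               subject="admin", outcome="success")
    return log.events()


if __name__ == "__main__":
    print(demo_eviction())  # ['print job', 'logout', 'audit shutdown']
```

The ranking is computed at eviction time rather than stored, so a record that is transferred later (mark_transferred) automatically drops to rank 1 without the buffer having to be re-sorted.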
8.7.1 FPT_TST_EXT.1, FCS_COP.1(b), FCS_COP.1(c)[L1], and FCS_COP.1(c)[L2]
During start-up, the TOE verifies the integrity of the TSF through a series of integrity tests, using the cryptographic functions listed below.
Integrity test | SFR | Algorithm | Validation
TPM | FCS_COP.1(c)[L1] | SHA-1 | SHS #C715
MFP Control Software | FCS_COP.1(b), FCS_COP.1(c)[L2] | RSA 186-4; SHA-256 | RSA #2002; SHS #3231
Fax Control Unit | FCS_COP.1(c)[L1] | SHA-1 | SHS #2363
Operation Panel Software | FCS_COP.1(b), FCS_COP.1(c)[L1] | RSA 186-4; SHA-1 | RSA #C582; SHS #C582
Operation Panel Applications | FCS_COP.1(b), FCS_COP.1(c)[L1] | RSA 186-4; SHA-1 | RSA #C582; SHS #C582
Table 38 Start-up integrity tests
The TOE also performs entropy testing as described in a separate Entropy Description document.
Testing the BIOS, the MFP and Operation Panel operating systems, the applications, and the entropy source demonstrates that the entire TSF is operating correctly.
If any of these steps fails, the TOE displays a Service Call (SC) error code on the Operator Panel and the TOE becomes unavailable. In such cases, the Administrator should contact a Customer Engineer to service the TOE. If all steps succeed, the TOE becomes available.
8.7.2 FPT_TUD_EXT.1, FCS_COP.1(b), FCS_COP.1(c)[L1], and FCS_COP.1(c)[L2]
The TOE allows only the MFP Administrator to read the version of the MFP Control Software, Operation Panel Control Software, and FCU Control Software. The MFP Administrator can read these versions using the Operation Panel or WIM from the client computer.
The MFP Administrator can prepare for installation of updated MFP Control Software, Operation Panel Software, or FCU Control Software by uploading an installation package from the client computer using WIM.
The package contains the TOE Software and a digital signature (DS) that was created using the SERES private key. Digital signatures for trusted updates are generated outside of the TOE, by the manufacturer.
For MFP Control or FCU Software, the TOE performs the following verifications before installing the package:
1. Identifies the type of software (e.g., MFP Control, Operation Panel, FCU);
2. Verifies that the software model name matches the TOE;
3. Creates a SHA256 message digest (MD1) of the software, uses the SERES public key to decrypt DS (MD2), and then verifies that MD1 = MD2.
For Operation Panel software, the TOE performs the following verifications before installing the package:
1. Identifies the type of software (e.g., MFP Control, Operation Panel, FCU);
2. Verifies that the software model name matches the TOE;
3. Creates a SHA256 message digest (MD1) of the index file, uses the SERES public key to decrypt DS (MD2), and then verifies that MD1 = MD2;
4. Creates a SHA256 message digest (MD3) of the software image, uses an internal key to decrypt DS (MD4), and then verifies that MD3 = MD4.
The TOE performs the signature verification of the software to be updated using the cryptographic functions listed below when updating the software.
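The two verification procedures above (type check, model-name check, then one or two digest-and-signature comparisons) are the part of FPT_TUD_EXT.1 an evaluator exercises with a tampered image, a wrong-model package and a corrupted signature. The following is an added example written for this page, not Ricoh code and not the TOE's package format: the package layout and field names, the use of "IM C3000" as the TOE's own model string, and the toy 512-bit keys are constructed. The "decrypt DS with the public key and compare digests" step is shown as unpadded RSA so the MD1 = MD2 comparison is visible; the product uses the FIPS 186-4 validated signature functions in the table that follows, with proper padding.

```python
"""Trusted-update check modelled on the verification steps in section 8.7.2.

Added illustration; not Ricoh code. The package layout, field names, the
"IM C3000" model string used as the TOE's own name and the toy 512-bit keys are
constructed here. The "decrypt DS with the public key and compare digests" step
is shown as unpadded RSA so the MD1 = MD2 comparison is visible; a product
implementation uses a FIPS 186-4 signature scheme with proper padding.
"""
import hashlib
import hmac
import secrets

SOFTWARE_TYPES = {"MFP Control", "Operation Panel", "FCU"}
DIGEST_BYTES = 32  # SHA-256


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; enough for the toy keys used in this example."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Toy RSA key pair (constructed; far too small for real use): (public, private)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign_digest(digest: bytes, private) -> int:
    """Manufacturer side: produce DS from a SHA-256 digest with the private key."""
    n, d = private
    return pow(int.from_bytes(digest, "big"), d, n)


def recover_digest(ds: int, public) -> bytes:
    """TOE side: 'decrypt' DS with the public key to obtain the signed digest."""
    n, e = public
    value = pow(ds, e, n)
    return value.to_bytes(DIGEST_BYTES, "big") if value < (1 << (8 * DIGEST_BYTES)) else b""


def build_package(sw_type: str, model: str, image: bytes, seres_private,
                  internal_private=None, index: bytes = b"") -> dict:
    """Constructed package format: type, model name, image, index file, signatures."""
    pkg = {"type": sw_type, "model": model, "image": image, "index": index}
    if sw_type == "Operation Panel":
        pkg["ds"] = sign_digest(hashlib.sha256(index).digest(), seres_private)
        pkg["image_ds"] = sign_digest(hashlib.sha256(image).digest(), internal_private)
    else:
        pkg["ds"] = sign_digest(hashlib.sha256(image).digest(), seres_private)
    return pkg


def verify_package(pkg: dict, seres_public, internal_public=None,
                   toe_model: str = "IM C3000") -> str:
    """Return "ok" or the reason the TOE would refuse to install the package."""
    if pkg.get("type") not in SOFTWARE_TYPES:                 # step 1: software type
        return "unknown software type"
    if pkg.get("model") != toe_model:                          # step 2: model name
        return "model name does not match the TOE"
    if pkg["type"] == "Operation Panel":
        md1 = hashlib.sha256(pkg["index"]).digest()            # step 3: index file, SERES key
        if not hmac.compare_digest(recover_digest(pkg["ds"], seres_public), md1):
            return "index-file signature mismatch"
        md3 = hashlib.sha256(pkg["image"]).digest()            # step 4: image, internal key
        if not hmac.compare_digest(recover_digest(pkg["image_ds"], internal_public), md3):
            return "image signature mismatch"
        return "ok"
    md1 = hashlib.sha256(pkg["image"]).digest()                # step 3: whole software image
    if not hmac.compare_digest(recover_digest(pkg["ds"], seres_public), md1):
        return "signature mismatch"
    return "ok"
```

The checks run in the order the section lists them, and each failure returns a distinct reason so a test harness can confirm that a wrong model name is refused before any signature work is done. Only the public halves of the SERES and internal keys are given to verify_package, mirroring the statement that signatures are generated outside the TOE.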
Integrity test | SFR | Algorithm | Validation
MFP Control Software | FCS_COP.1(b), FCS_COP.1(c)[L2] | RSA 186-4; SHA-256 | RSA #2002; SHS #3231
Operation Panel Software | FCS_COP.1(b), FCS_COP.1(c)[L2] | ECDSA SigVer 186-4; SHA-256 | ECDSA #C629; SHS #C629
Operation Panel Applications | FCS_COP.1(b), FCS_COP.1(c)[L2] | RSA 186-4; ECDSA SigVer 186-4; SHA-256 | RSA #C582; ECDSA #C582; SHS #C582
8.8 PSTN Fax-Line Separation (TSF_FXS)
The Fax Line Separation Function permits only fax transmissions as input from telephone lines, so that unauthorized intrusion from telephone lines can be prevented.
8.8.1 FDP_FXS_EXT.1
The fax interface use cases are as follows:
• Sending faxes
  o The TOE receives documents from client PCs via the LAN and, using the fax interface, transmits them as fax documents via the PSTN line using the ITU-T T.30 protocol.
  o The TOE can transmit stored documents as faxes.
• Receiving faxes
  o A remote fax machine establishes a connection to the TOE through the PSTN line using the ITU-T T.30 protocol, through which the TOE receives fax documents.
• Fax-Line Separation
  o The fax modem accepts connections through the PSTN only if they conform to the ITU-T T.30 protocol.
  o Data that is transmitted or received through the PSTN is fax-format image data.
8.9 Image Overwrite
8.9.1 FDP_RIP.1(a)
During the processing of jobs, image data is stored on the HDD. When such data is no longer needed by the user or the TOE, the residual data can be overwritten using the Auto Erase Memory function.
When enabled, the Auto Erase Memory function automatically overwrites the residual image data after completion of each of the following processing jobs:
• Copy jobs
• Print jobs
• Sample Print/Locked Print/Hold Print
• Stored Print jobs (after deletion of the job)
• Spool printing jobs
• LAN-Fax print data
• Faxes sent/received using remote machines
• Scanned files sent by e-mail
• Files sent by Scan to Folder
• Documents sent using Web Image Monitor
• Documents deleted from the Document Server using the Copier, Printer, Fax or Scanner functions
When the Auto Erase Memory function is enabled, such data is actively overwritten with values and a repetition count selected by the Administrator:
• NSA: Temporary data is overwritten twice with random numbers and once with zeros.
• DoD: Each item of data is overwritten by a random number, then by its complement, then by another random number, and is then verified.
• Random Numbers: Temporary data is overwritten multiple times with random numbers. The number of overwrites can be selected from 1 to 9 (default 3).
A Terminology
A.1 Glossary
Term | Definition | Source
Address Book | Electronic storage mechanism that equates names of persons or physical locations with machine-usable destinations (e.g., fax telephone numbers, email addresses, Uniform Resource Locators). |
Administrator | A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the security policies of the TOE. Administrators may possess special privileges that provide capabilities to override portions of security policies. | [2600.1]
Asset | Entities that the owner of the TOE presumably places value upon. | [CC]
Assumption | Physical, technical, and administrative conditions or requirements of the Operational Environment that must be upheld in order for the TOE to provide security functionality. |
Border Encryption Value | A secret value passed to a storage encryption component such as a self-encrypting storage device. | [CPP_FDE_EE_V2.0]
Commercial Off-The-Shelf | Products that are both commercial and sold in substantial quantities in the commercial marketplace, and that can be procured or utilized under government contract in the same precise form as available to the general public. | [FAR]
Confidential (TSF) Data | Assets for which either disclosure or alteration by a User who is not an Administrator or the owner of the data would have an effect on the operational security of the TOE. | [2600.1]
Create | Assigning a value or content to data in a storage device. Note that in the case of document processing jobs, the outcome is that the job is initiated. |
Credentials | A form of authentication data that specifies basic identifying information about a User or application. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer Credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization. | [2600]
Decommission | The act of retiring an HCD from active use in the Operational Environment. It may also involve a change in geographic location and/or ownership. |
Delete | Dereferencing or otherwise making unavailable data in a storage device. Note that in the case of document processing jobs, the outcome is that the job is terminated. |
Document | A medium and the information recorded on it that generally has permanence and can be read by a person or a machine. | [610.12]
Document Processing | Printing, scanning, or copying a Document. |
Document Processing Job | A User request to the TOE to perform a Document Processing operation on a Document. |
Entropy Description | A non-public document that is part of CC evaluation. | [HCDPP]
External IT Entity | An External Entity that is an IT device (not a human). | [CC] defines "External Entity"
Field-Replaceable (Unit) | The smallest subassembly that can be swapped in the field to repair a fault. | [IEEE]
Intermediate key | A key used at a point between the initial user authorization and the DEK. | [CPP_FDE_EE_V2.0]
Job Owner | A User who initiates or creates a document processing job. It may also refer to a User to whom ownership of a document or job has been delegated or otherwise permitted by the Job Owner. |
Hardcopy Device | A system producing or utilizing a physical embodiment of an electronic document or image. These systems include printers, scanners, fax machines, digital copiers, MFPs (multifunction peripherals), MFDs (multifunction devices), "all-in-ones" and other similar products. | [2600]
Internal Authentication | Identification and authentication function that is wholly contained within the TOE. |
Key Management Description | A non-public document that is part of CC evaluation. | [HCDPP]
Local Area Network | A non-public data network in which serial transmission is used without store and forward techniques for direct data communication among data stations located on the User's premises. | [8802-6]
Local User | A User who is physically present at the HCD. |
MFP Administrator | An administrative user with control of one or more aspects of MFP operations. |
MFP Supervisor | An administrative user with control of MFP Administrators. |
Modify | Changing the value / content of data in a storage device. Note that in the case of document processing jobs, the outcome is that the instructions or other parameters of the job are changed. |
Multifunction Printer | A device that performs Document printing, scanning, and copying. It may also send and receive Documents over the PSTN using facsimile protocols. |
Network Printing | Printing operation that has been initiated by a Network User. |
Network User | A User who interacts with the HCD over a network. |
Nonvolatile Storage Device | A device that provides computer storage of data that is not cleared when the power is turned off. |
Normal User | A User who is authorized to perform functions that process User Document Data in the TOE. |
Operational Environment | Environment in which the TOE is operated. | [CC]
Organizational Security Policy | Set of security rules, procedures, or guidelines for an organization. | [CC]
Output Tray | A receptacle for the TOE's printed output. |
Protected (TSF) Data | Assets for which alteration by a User who is not an Administrator or the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable. | [2600.1]
Protection Profile | Implementation-independent statement of security needs for a TOE type. | [CC]
Read | To access data from a storage device or data medium. (Note that in this case, the data medium may be a printed output, and therefore release of a print job is a "read" operation.) | [610.12]
Redeploy | The act of moving an HCD from one Operational Environment to another Operational Environment. |
Security Assurance Requirement | A description of how assurance is to be gained that the TOE meets the SFRs. | [CC]
Security Functional Requirement | A translation of the Security Objectives for the TOE into a standardized language. | [CC]
Security Objective | Statement of an intent to counter identified Threats and/or satisfy identified organization security policies and/or Assumptions. | [CC]
Security Target | Implementation-dependent statement of security needs for a specific identified TOE. | [CC]
Servicing | Performing repairs or preventative maintenance on the HCD. |
Standard Protection Profile | A Protection Profile that is developed according to processes defined by NIAP. |
Submask | A submask is a bit string that can be generated and stored in a number of ways, such as passphrases, tokens, etc. | [CPP_FDE_EE_V2.0]
Target of Evaluation | Set of software, firmware and/or hardware possibly accompanied by guidance. | [CC]
Temporary Storage | Storage of data that is not intentionally retained by the TOE after the completion of a Document Processing Job. |
Threat | Capabilities, intentions, and attack methods of adversaries, or any circumstance or event, with the potential to violate the TOE security policy. | [2600.1]
TOE Owner | A person or organizational entity responsible for protecting TOE Assets and establishing related security policies. | [2600.1]
TOE Security Functionality | Combined functionality of all hardware, software, and firmware of a TOE that must be relied upon for the correct enforcement of the SFRs. | [CC]
TSF Data | Data for the operation of the TOE upon which the enforcement of the SFR relies. | [CC]
Unauthorized Access | Access to a resource that a User is not permitted to access. |
User | Human or IT entity possibly interacting with the TOE from outside of the TOE boundary. | [CC]
User Data | Data for the User that does not affect the operation of the TSF. | [CC]
User Document Data | The Asset that consists of the information contained in a User's Document. This includes the original Document itself in either hardcopy or electronic form, image data, or residually stored data created by the hardcopy device while processing an original Document and printed hardcopy output. | [2600.1]
User Job Data | The Asset that consists of the information about a User's Document or job to be processed by the TOE. | [2600.1]
Table 39 Glossary of Terms
Sources:
[2600] IEEE Std. 2600™-2008 "IEEE Standard for Information Technology: Hardcopy Device and System Security"
[2600.1] IEEE Std. 2600.1™-2009 "IEEE Standard for a Protection Profile in Operational Environment A"
[610.12] IEEE Std 610.12-1990 "IEEE Standard Glossary of Software Engineering Terminology"
[8802-6] ISO/IEC 8802-6:1994 "Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 6"
[CC] ISO/IEC 15408-1:2009 "Information technology – Security techniques – Evaluation criteria for IT security – Part 1"
[CPP_FDE_EE_V2.0] collaborative Protection Profile for Full Drive Encryption – Encryption Engine, Version 2.0, September 09, 2016
[FAR] United States Federal Acquisition Regulations
[HCDPP] "Protection Profile for Hardcopy Devices v1.0"
[IEEE] IEEE Standards Dictionary (ISBN 973-0-7381-2601-2)
A.2 Acronyms
Acronym | Definition
BEV | Border Encryption Value
CC | Common Criteria
CCEVS | Common Criteria Evaluation and Validation Service
COTS | Commercial Off-The-Shelf
EAL | Evaluation Assurance Level
HCD | Hardcopy Device
IPA | Information-technology Promotion Agency
I&A | Identification and Authentication
IT | Information Technology
JISEC | Japan Information technology Security Evaluation and Certification scheme
KMD | Key Management Description
LAN | Local Area Network
LDAP | Lightweight Directory Access Protocol
MFP | Multifunction Printer
NIAP | National Information Assurance Partnership
OSP | Organizational Security Policy
PP | Protection Profile
PSTN | Public Switched Telephone Network
SAR | Security Assurance Requirement
SFR | Security Functional Requirement
SPP | Standard Protection Profile
TOE | Target of Evaluation
TSF | TOE Security Functionality
TSS | TOE Summary Specification
Table 40 Acronyms