Page 1 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Security Target for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
Author: Haruyuki HIRABAYASHI, RICOH COMPANY, LTD.
Date: 2007-01-17
Version: 1.00
This document is a translation of the evaluated and certified security target
written in Japanese
Page 2 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Revision history
Version Date Author Description
0.01 2006-12-08 Haruyuki
HIRABAYASHI
First draft.
0.02 2006-12-27 Haruyuki
HIRABAYASHI
Add product names in other country in Table 1.
1.00 2007-01-17 Atsushi SATOH Revise typos.
Page 3 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Table of Contents
1 ST introduction ............................................................................................................................................. 6
1.1 ST identification .................................................................................................................................. 6
1.2 ST overview.......................................................................................................................................... 6
1.3 CC conformance.................................................................................................................................. 7
1.4 Reference.............................................................................................................................................. 7
2 TOE description............................................................................................................................................ 8
2.1 TOE overview ...................................................................................................................................... 8
2.1.1 Product type ...................................................................................................................................... 8
2.1.2 Positioning of the TOE...................................................................................................................... 8
2.1.3 Operational environment of MFP on which TOE is mounted........................................................... 8
2.2 Physical boundary of the TOE ......................................................................................................... 10
2.3 Logical boundary of the TOE........................................................................................................... 12
2.3.1 TOE functionality............................................................................................................................ 13
2.3.2 MFP functionality ........................................................................................................................... 14
2.4 Terminology ....................................................................................................................................... 15
3 TOE security environment.......................................................................................................................... 18
3.1 Assumptions....................................................................................................................................... 18
3.2 Threats................................................................................................................................................ 18
3.3 Organisational security policies ....................................................................................................... 18
4 Security objectives....................................................................................................................................... 19
4.1 Security objectives for the TOE ....................................................................................................... 19
4.2 Security objectives for the environment.......................................................................................... 19
4.2.1 Security objectives for the IT environment..................................................................................... 19
4.2.2 Security objectives for the non-IT environment.............................................................................. 19
5 IT security requirements............................................................................................................................. 20
5.1 TOE security functional requirements ............................................................................................ 20
5.2 Minimum strength of function claim............................................................................................... 20
5.3 TOE security assurance requirements............................................................................................. 20
5.4 Explicitly stated TOE security functional requirements................................................................ 21
5.5 Security requirements for the IT environment ............................................................................... 21
6 TOE summary specification ....................................................................................................................... 22
6.1 TOE security functions ..................................................................................................................... 22
6.2 Strength of function claim................................................................................................................. 23
6.3 Assurance measures .......................................................................................................................... 23
7 PP claims..................................................................................................................................................... 25
8 Rationale ..................................................................................................................................................... 26
Page 4 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.1 Security objectives rationale............................................................................................................. 26
8.2 Security requirements rationale....................................................................................................... 27
8.2.1 Rationale for functional requirements............................................................................................. 27
8.2.2 Rationale for minimum strength of function................................................................................... 27
8.2.3 Dependency of security functional requirements............................................................................ 27
8.2.4 Rationale for assurance requirements.............................................................................................. 28
8.2.5 Mutual support of security requirements......................................................................................... 28
8.2.6 Rationale for explicitly stated security requirements ...................................................................... 28
8.3 TOE summary specification rationale............................................................................................. 30
8.3.1 Rationale for TOE security functions.............................................................................................. 30
8.3.2 Rationale for Strength of function claim......................................................................................... 30
8.3.3 Rationale for combination of security functions ............................................................................. 30
8.3.4 Rationale for assurance measures.................................................................................................... 30
8.4 PP claims rationale............................................................................................................................ 31
9 Annex .......................................................................................................................................................... 32
9.1 References .......................................................................................................................................... 32
9.2 Abbreviations..................................................................................................................................... 32
Page 5 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
List of Figures
Figure 1: Environment for the usage of MFP ................................................................................................. 9
Figure 2: Structure of MFP hardware ........................................................................................................... 11
Figure 3: Structure of MFP software............................................................................................................. 12
Figure 4: MFP and the TOE functions and its relations................................................................................ 13
List of Tables
Table 1: Target MFP of the TOE................................................................................................................... 10
Table 2: Terminology related to DOMS........................................................................................................ 15
Table 3: TOE security assurance requirement (EAL3) ................................................................................. 21
Table 4: Assurance requirements for EAL3 and assurance measures ........................................................... 23
Table 5: Relation between security needs and objectives ............................................................................. 26
Table 6: Relation between security objective and functional requirements .................................................. 27
Table 7: Dependencies of TOE security functional requirements................................................................. 27
Table 8: Mutual support of security requirement.......................................................................................... 28
Table 9: Relation between TOE security functional requirements and TOE security function..................... 30
Page 6 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
1 ST introduction
1.1ST identification
The information to identify this document and the TOE is shown below.
ST title: Security Target for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
ST version: 1.00
Date: 2007-01-17
Author: Haruyuki HIRABAYASHI, RICOH COMPANY, LTD.
Product: imagio Security Card Type F,
Data OverWriteSecurity Unit F
Note: Hereafter these products are called with a generic name “Data Overwrite Module”.
“imagio Security Card Type F” is a name in Japan.
“Data OverWriteSecurity Unit F” is a name in other countries.
The TOE is applied to the MFP with x86 type CPU.
TOE: Software of Data Overwrite Module
TOE version: 1.05
CC version: CC version 2.3, ISO/IEC 15408:2005
Note: The following documents are used as the Japanese translations.
-Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general
model Version 2.3 August 2005 CCIMB-2005-08-001
-Common Criteria for Information Technology Security Evaluation Part 2: Security functional
requirements Version 2.3 August 2005 CCIMB-2005-08-002
-Common Criteria for Information Technology Security Evaluation Part 3: Security assurance
requirements Version 2.3 August 2005 CCIMB-2005-08-003
-Interpretations-0512
Keywords: Digital MFP, document, copier, printer, scanner, network, office, hard disk, security,
overwrite, protection for residual information
1.2ST overview
This ST describes the data overwrite module software (hereinafter: DOMS) mounted in Multi Function
Product (hereinafter: MFP) produced by Ricoh Co., Ltd. The MFP is an OA device consisting of a copy
function, print function and scan function. This TOE is an option kit, which is installed in the MFP for
safer use, and its function is to overwrite designated areas of the HDD for erasing by the MFP.
Page 7 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
1.3CC conformance
This document meets the followings:
- CC part 2 extended
- CC part 3 conformant
- EAL3 conformant
There are no Protection Profiles claimed to which this ST is conformant.
1.4Reference
The following documents are referred to write this document.
- Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general
model
August 2005 Version 2.3 CCIMB-2005-08-001
(December 2005 1.0 edition of Japanese translation, Information technology Promotion Agency,
Security Center)
- Common Criteria for Information Technology Security Evaluation Part 2: Security functional
requirements
August 2005 Version 2.3 CCIMB-2005-08-002
(December 2005 1.0 edition of Japanese translation, Information technology Promotion Agency,
Security Center)
- Common Criteria for Information Technology Security Evaluation Part 2: Security assurance
requirements
August 2005 Version 2.3 CCIMB-2005-08-003
(December 2005 1.0 edition of Japanese translation, Information technology Promotion Agency,
Security Center)
- Interpretations-0512
(December 2005, Information technology Promotion Agency, Security Center)
Page 8 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
2 TOE description
2.1TOE overview
2.1.1 Product type
The product classification of this TOE is a software product attached as an option of the MFP. This
software product is installed at the location of the customer.
2.1.2 Positioning of the TOE
The TOE is used for the purpose of overwriting area of the HDD for erasing information to prevent reuse of
information in the area designated by the MFP.
The HDD used by the MPF is divided into the RAW area and UNIX area. The TOE monitors the
managed information of the RAW area of the HDD in the shared memory of the MFP. If an area is
discovered for which there has been a direction from the MFP to carry out overwrite and erasing, that area
is overwritten and erased. In addition, the TOE receives an instruction from the MFP to overwrite for
erasing information of the UNIX area and carry out the instruction. Moreover, in order to prevent leaking
of confidential information from the information recorded in the HDD housed in the MFP, it has a function
to overwrite for erasing all information on the HDD in the case of return, assignment to another department
or disposal due to termination of the lease/rental agreement.
The MFP determines what information to be overwritten and indicates the information to the TOE.
The MFP composes temporary image data on the HDD for operational use. When copying, printing and
scanning has finished; the MFP erases the above-mentioned temporarily composed image data.
In addition, if the user indicates storage of image data, the MFP stores the image data on the HDD. If the
user indicates erasing of stored image data, the MFP erases the above-mentioned stored image data.
When the data is erased, the information that is no longer necessary for the copy, printer, scanner and
document box functions are treated as non-existent from the standpoint of those functions. Although the
image data erased by the MFP can no longer be used by these functions, its contents actually exist on the
HDD. If the information stored as image data is erased, the MFP manages that data as residual
information. By means of that function, the MFP stores the data either in the RAW area or in the UNIX
area. In order that the MFP can inform the TOE of the presence/absence of residual information in the
RAW area, it stores that management information in the shared memory. If residual information exists in
the UNIX area, the MFP indicates overwrite for erasing to the TOE.
2.1.3 Operational environment of MFP on which TOE is mounted
The TOE is software that operates on the MFP, and is provided as an option to extend the functions of the
MFP. The MFP does not only consist of the basic copy function. It has several varieties of functions on
Page 9 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
a single unit, including printer and scanner. This TOE has been conceived for mounting and use on an
MFP used in a conventional office setting. The MFP contains an internal HDD. The HDD is used for
storing image data of the copier and printer. During office operational times, the MFP is under the
supervision of the concerned parties in the office. However, at night or on holidays, there is a possibility
of an outsider entering the deserted office and removing the HDD.
The conceived operational environment of the MFP has been shown as a diagram (Figure 1).
Firewall
MFP
External network
Internal network
Mail Server FTP Server NetWare
User PC
TOE
Figure 1: Environment for the usage of MFP
The following items are connected to the operational environment of the MFP.
- User PC:
Requests that the MFP print documents. It can also received scanned data and image data stored to
the MFP.
- Mail server, FTP server, NetWare server:
It is possible to send image data scanned by the MFP to a mail server, FTP server or NetWare server.
A firewall is installed between the internal network and the external network in order to protect the
devices connected to the internal network.
This TOE has been conceived for mounting and using in the MFP models shown in the Table (Table 1).
Page 10 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Table 1: Target MFP of the TOE
Product names in Japan Product names in other country
Model
1
Ricoh imagio MP 9000
Ricoh imagio MP 1100
Ricoh imagio MP 1350
RICOH Aficio MP 9000/MP 1100/MP 1350
LANIER LD190/LD1110/LD1135
LANIER MP 9000/MP 1100/MP 1350
SAVIN 8090/8110/8135
Nashuatec MP 9000/MP 1100/MP 1350
Rex Rotary MP 9000/MP 1100/MP 1350
Gestetner DSm790/DSm7110/DSm7135
Gestetner MP 9000/MP 1100/MP 1350
infotec IS 3090/IS 3110/IS 3135
2.2Physical boundary of the TOE
The Ricoh MFP is composed of hardware and software.
The hardware is composed of the printer engine, scanner unit, operation panel, HDD and controller board.
The print engine prints out data from printer and copier functions while controlling paper feed and paper
eject.
The scanner unit takes image data from paper documents into MFP. It is used for take image data from
the copier and scanner functions into controller board.
The operation panel displays the information to general users and administrator and also received
instructions input by general users and administrator. General users and administrator operate the
operation panel to use the functions of the MFP.
The HDD is used for storing image data. During printing, copying or scanning, the MFP temporarily
stores image data for working. Also general users use the HDD to keep their data until making use of the
data.
The controller board controls whole of the MFP. In the MFP, the controller board is equipped with the
processor and RAM to execute software, ROM on which the software such as operating system (OS) and
the various application modules are stored, NV-RAM on which setting information for MFP is recorded,
and the host interface to connect to the user PC and servers. DOMS is saved in the SD memory card, and
the SD memory card is attached the controller board.
Figure 2 shows the structure of the MFP hardware.
Page 11 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Controler board
HDD
RAM
Processor
SDmemory
card
Operation
panel
Scanner unit
Printengine
DOMS
TOE
NV-RAM
Host
interface
ROM
Figure 2: Structure of MFP hardware
The software is composed of the OS, common service module (CSM), and application modules.
The OS manages the HDD and other hardware and provides the interfaces for operation of these hardware
resources. The OS is an original Ricoh OS with NetBSD as its basis.
The application modules supply such functions as copying, printing and scanning to general users. These
modules receive controls from general users and request the required processes from the CSM to realize the
various functions.
The CSM supplies the common functions that are used by the application modules. The CSM supplies
such functions as management of the areas of the HDD on which image data and residual information exist,
and display on the operation panel of the condition of residual information.
The SCS is a type of CSM. It grasps the applications operating on the MFP to manage setting information.
Moreover, in case of requests from general users, it starts the DOMS general erasure function.
The HDD is divided into the RAW area and UNIX area, storing data in one of these areas according to
MFP functions.
The IMH is a type of CSM. It uses the OS to control transfer of image data between the scanner unit and
the controller board. The IMH also manages the existence or non-existence of image data and residual
information in the RAW area of the HDD, storing that management information to the shared memory.
The ZFSD is a type of CSM. It monitors the UNIX area of the HDD and informs the DOMS when files
that are no longer used.
DOMS includes three modules (HSM, ZFE, HDE) that are used to extend the functions of the CSM.
The HSM monitors the management information of the RAW area in the HDD recorded in the shared
memory. When the HSM finds a record, which indicates that the information has been erased by the MFP,
it overwrites for erasing the area of the HDD indicated by the record via the OS.
When the ZFE receives a notice of a discarded file in the UNIX area from the ZFSD, the ZFE overwrites
for erasing that file.
When the HDE is called by the SCS due to a request from the administrator, the HDE overwrites for
erasing all areas on the HDD. Figure 3 shows the structure of the MFP software.
Page 12 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
MFP software
Operating system
TOE
HDD
UNIX area/RAW area
create
residual
information
check
RAW area
Erase All
Memory
Printer
application
Scanner
application
Copy
application
Document
box
application
Application modules
configure
start Erase All Memory
Shared
memory
record RAW
area
condition
Common service
modules
IMH
SCS ZFSD
check UNIX
area
notify about UNIX
area
DOMS
HSM ZFE HDE
RAW area
Auto Erase
Memory
UNIX area
Auto Erase
Memory
request for
permission to
overwrite
Figure 3: Structure of MFP software
2.3Logical boundary of the TOE
[Logical boundary of the TOE]
The TOE provides RAW area Auto Erase Memory function that monitors management information of
HDD RAW area on the shared memory, finds the area ordered to overwrite by the MFP, and overwrites the
area. Also, the TOE provides UNIX area Auto Erase Memory function to overwrite the area in response to
the order from the MFP to overwrite information on UNIX area. Furthermore, the TOE provides Erase All
Memory function to make all information on HDD unavailable.
[Logical boundary of the MFP]
The MFP provides printer, copier and scanner functions to users. These functions store working data on the
HDD. When the operation is finished, the data becomes disused, and remains as residual information.
The MFP also provides document box function. This function stores image data on the HDD by user’s
operation. When the stored image data becomes not needed, the data is deleted by user’s operation, and
remains as residual information.
Page 13 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
The MFP manages existence or non-existence of residual information on the HDD RAW area and UNIX
area. The MFP records management information of residual information to the shared memory to notify the
TOE of existence of residual information on RAW area. Also, The MFP orders the TOE to overwrite the
information when the MFP finds existence of residual information on UNIX area.
Furthermore, the MFP provides the configuration function to control the behaviour of Auto Erase Memory
of the TOE. Also, the MFP provides the configuration function to control the behaviour of Erase All
Memory of the TOE. The MFP provides also the function indicating condition of residual information for
users to be able to check residual information.
Figure 4 shows the MFP and the TOE functions and its relations.
MFP
Start Erase
All Memory
Configure
Auto Erase
Memory
Indicate
condition of
residual
information
Printer
Copy
Scanner
Document
box
TOE
HDD
create residual information
overwrite
indicate
condition
configure
Manage
residual
information
notify
DOMS
Auto Erase Memory
RAW area
Auto Erase
Memory
Erase All
Memory
UNIX area
Auto Erase
Memory
start
Figure 4: MFP and the TOE functions and its relations
2.3.1 TOE functionality
The following describes details of the functions provided by the TOE.
[Auto Erase Memory]
HSM monitors management information of HDD RAW area recorded in the shared memory, and requests
permission to overwrite the HDD area designated by the management information to IMH. When IMH
permits, HSM overwrites the area with specified method. At the end of overwriting, HSM notifies IMH of
end of overwriting the area, and restarts to monitor management information of HDD RAW area.
When notified of existence of disused file on UNIX area by ZFSD, ZFE overwrites the area by specified
method.
There are following three methods for Auto Erase Memory.
Page 14 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
- NSA method
overwrite twice with random numbers, and once with Null (0).
- DoD method
overwrite once with fixed numbers, once with complement of the fixed numbers, once with random
numbers, and check at last.
- Random Numbers method
overwrite specified times (from one to nine times) with random numbers.
[Erase All Memory]
When called by the MFP, HDE overwrites all the area of the HDD by specified overwriting method. Erase
All Memory can be cancelled by the order from the MFP.
There are following three methods for Erase All Memory.
- NSA method
- DoD method
- Random Numbers method
2.3.2 MFP functionality
The MFP provides functions out of the TOE but related to the TOE as below.
[Management of residual information]
The MFP manages existence of residual information on HDD RAW area, and records the management
information on the shared memory to notify HSM. Also, the MFP monitors UNIX area, and notifies ZFE
when disused file is found.
[Configuration of Auto Erase Memory]
Only the administrator can control the behaviour of Auto Erase Memory function of the TOE through the
operation panel of the MFP. The administrator can control following items by this function.
- activate or deactivate Auto Erase Memory.
- select one of three methods, NSA method, DoD method, and Random Numbers method for Auto Erase
Memory.
- specify number of times from one to nine for overwriting when Random Numbers method is selected.
[Start / Cancel of Erase All Memory]
Only the administrator can start Erase All Memory function of the TOE through the operation panel of the
MFP. The MFP resets the configuration values recorded in NV-RAM to factory default. Thereby the Auto
Erase Memory of the TOE is deactivated, overwriting method is set to NSA method, and the number of
times for Random Numbers method is set to three. Then, the MFP stops all jobs other than Erase All
Memory, and starts Erase All Memory. When starting Erase All Memory, those following behaviours are
specified.
Page 15 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
- select one of three methods, NSA method, DoD method, and Random Numbers method for Erase All
Memory.
- specify number of times from one to nine for overwriting when Random Numbers method is selected.
Also, the administrator can cancel Erase All Memory during overwriting.
[Indicating condition of residual information]
When the DOMS is active, the icon indicating condition of residual information is shown on the operation
panel of the MFP. When the residual information exists on the HDD, the icon indicating existence of
residual information is shown on the operation panel. During overwriting the residual information, the icon
blinks. When the residual information does not exist on the HDD, the icon indicating non-existence of
residual information is shown. Thereby, users and the administrator can confirm easily the existence of
residual information. Showing the icon indicates that the DOMS is installed correctly and overwrite
function is activated.
[General functions of MFP]
The MFP has the copier/printer/scanner/document box functions. Those functions create working data or
store image data on HDD RAW area or UNIX area. Those data becomes disused, the MFP manages those
data as residual information, and orders the TOE to overwrite them.
[Miscellaneous]
If the power is turned off during overwriting, the MFP restarts overwriting process of the TOE after the
power is turned on. The job of copier/printer/scanner/document box has high priority over the TOE. When
the other job is started at the same time with the TOE overwriting, the TOE waits for the end of the job and
start overwriting. When the other job is started during overwriting, the TOE is suspended and restarted after
the end of the job.
If the writing on the HDD is failed during the TOE overwriting, the MFP is aborted.
2.4Terminology
For clear understanding of this ST, the meaning of terminology is defined in Table 2.
Table 2: Terminology related to DOMS
Term Definition
MFP Multi Function Product.
It is the printer that has multiple functions such as copier, printer in a single
machine. The TOE of this ST is used in the MFP manufactured by Ricoh.
DOMS Data Overwrite Modules. It has the function to overwrite HDD area for
preventing analysis of a footprint of data. DOMS overwrites target area with
NSA method, DoD method, or Random Numbers method.
Page 16 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
HSM One of modules composing DOMS. It automatically overwrites the data on
RAW area specified by the MFP.
ZFE One of modules composing DOMS. It automatically overwrites the data on
UNIX area specified by the MFP.
HDE One of modules composing DOMS. It performs Erase All Memory.
CSM Common Service Modules.
They provide common services used by applications such as copier or printer.
The management function of image data is also included in the CSM.
SCS One of CSM. It perceives applications running on the MFP, and manages
configuration information. Also, it starts Erase All Memory function of
DOMS in response to the administrator's request.
IMH One of CSM. It controls transmission of image data between the controller
board and the print engine or the scanner unit. Also, it manages existence of
image data and residual data information on RAW area, and records the
management information on the shared memory.
ZFSD One of CSM. It monitors UNIX area on the HDD, and notifies DOMS of
existence of disused files.
Residual
information
The residual information is the disused information generated with deletion of
image data by the MFP. Generally, “delete” process logically removes image
data, but residual of deleted data actually exists. Those footprints are residual
information.
UNIX area HDD area managed by OS file system. The data that exists on the area can be
accessed by normal file operation.
RAW area HDD area not managed by OS file system. The data that exists on the area is
managed by CSM in its way without OS file operation.
Document box It is the logical box in which the electronic files of documents are stored. It
can be used when the document box option is attached.
NetBSD UNIX compatible OS. It is the free software and has high portability.
SD memory
card
SD memory card is the secure digital memory card. It is a memory device with
high functionality, small as postage stamps. It is used to provide the TOE or
other applications to the MFP.
NSA method NSA method overwrites with following process:
- overwrite twice with random numbers.
- overwrite once with NULL (0).
DoD method DoD method overwrites by following process:
- overwrite once with fixed numbers.
- overwrite once with complement of the fixed numbers.
- overwrite once with random numbers.
- Furthermore, carrying out final verification.
Random
numbers
method
overwrite specified times (from one to nine times) with random numbers.
overwriting
method
There are three overwriting methods as follows :
- NSA method.
Page 17 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
- DoD method.
- Random Numbers method.
Those above methods can be selected for each function, Auto Erase Memory
and Erase All Memory.
Page 18 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
3 TOE security environment
3.1Assumptions
In this section, the assumptions concerning the environment of the TOE are identified and described.
A.BREAK It is assumed that the execution of the TOE is not aborted.
The execution of the TOE is not aborted by turning off the power of the MFP before
the TOE finishes overwriting.
A.CANCEL It is assumed that the execution of Erase All Memory is not cancelled.
The execution of Erase All Memory is not cancelled without user’s intent before the
function is finished.
3.2Threats
There are no threats countered by the TOE or the environment.
3.3Organisational security policies
In this section, the organisational security policy with which the TOE shall comply is identified and
described.
OSP.RESIDUAL The TOE shall prevent from retrieving information on the HDD area specified by
the MFP.
The TOE shall prevent from retrieving information on the HDD area specified by the
MFP.
Page 19 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
4 Security objectives
4.1Security objectives for the TOE
In this section, the security objective for the TOE is described. The security objective for the TOE covers
the organisational security policy described in section 3.3.
O.OVERWRITE The TOE shall ensure that the information on the area ordered by the MFP to
overwrite cannot be retrieved.
The TOE overwrites the information on the HDD specified by the MFP to prevent
from retrieving.
4.2Security objectives for the environment
4.2.1 Security objectives for the IT environment
There are no security objectives for the IT environment.
4.2.2 Security objectives for the non-IT environment
In this section, the security objectives for the non-IT environment are described. The security objectives for
the non-IT environment cover the assumptions or threats described in section 3.
OE.POWER User shall not turn off the power of the MFP before overwriting is finished.
When turning off the power of the MFP, user confirms the icon shown on the
operation panel and turns off the power on the condition that the overwriting is
finished.
OE.CANCEL User shall manage the MFP to prevent the function Erase All Memory from being
cancelled.
When performing Erase All Memory, user manages the MFP to prevent the function
from being cancelled without his/her intent.
Page 20 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
5 IT security requirements
5.1TOE security functional requirements
In this section, the TOE security functional requirement to achieve the security objective described in
section 4.1 is identified and described. The parts against which the assignment and selection operations
defined in [CC] are performed are identified with [bold letters and brackets].
FPT_RVM.1 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each
function within the TSC is allowed to proceed.
Dependencies: No dependencies
5.2Minimum strength of function claim
The minimum strength level claimed for the TOE is SOF-Basic.
5.3TOE security assurance requirements
The evaluation assurance level claimed for the TOE is EAL3. The assurance components for the TOE are
shown in Table 3. It is the set of components defined by the evaluation assurance level EAL3 and no other
requirements have been augmented.
Page 21 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Table 3: TOE security assurance requirement (EAL3)
Assurance class Assurance component
ACM_CAP.3 Authorisation controls
ACM:
Configuration management ACM_SCP.1 TOE CM coverage
ADO_DEL.1 Delivery procedures
ADO:
Delivery and operation ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
ADV_HLD.2 Security enforcing high-level design
ADV:
Development
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD:
Guidance documents AGD_USR.1 User guidance
ALC:
Life cycle support
ALC_DVS.1 Identification of security measures
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: high-level design
ATE_FUN.1 Functional testing
ATE:
Tests
ATE_IND.2 Independent testing - sample
AVA_MSU.1 Examination of guidance
AVA_SOF.1 Strength of TOE security function evaluation
AVA:
Vulnerability assessment
AVA_VLA.1 Developer vulnerability analysis
5.4Explicitly stated TOE security functional requirements
In this section, an explicitly stated TOE security functional requirement that achieves the security objective
is described.
FDP_SIP.1 Specified information protection
Hierarchical to: No other components.
FDP_SIP.1.1 The TSF shall ensure that any previous information content of a specified resource is made
unavailable.
Dependencies: No dependencies
5.5Security requirements for the IT environment
There are no security requirements for the IT environment.
Page 22 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
6 TOE summary specification
6.1TOE security functions
SF.OVERWRITE
The TSF has two types of overwriting functionality, Auto Erase Memory and Erase All Memory.
(1) Auto Erase Memory
The TSF monitors management information of HDD RAW area recorded on the shared memory, and
overwrite HDD area specified by the management information.
The TSF also overwrite HDD UNIX area specified by the MFP.
To overwrite the HDD, the after-mentioned methods are used.
(2) Erase All Memory
The TSF overwrites all data on the HDD. The TSF can cancel Erase All Memory by order of the MFP. To
overwrite the HDD, the after-mentioned methods are used.
[Methods of overwriting]
Auto Erase Memory and Erase All Memory described above use one of the following three methods to
overwrite the HDD.
- NSA method
- DoD method
- Random Numbers method
(a) NSA method
When NSA method is selected, the TSF overwrites data in following procedure.
- overwrite twice with random numbers,
- overwrite once with Null (0).
(b) DoD method
When DoD method is selected, the TSF overwrites data in following procedure.
- overwrite once with fixed numbers,
- overwrite once with complement of above fixed numbers,
- overwrite once with random numbers,
- carry out final verification.
(c) Random Numbers method
Page 23 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
When Random Numbers method is selected, the TSF overwrites specified number of times (from one to
nine times) with random numbers.
In Random Numbers method, number of times is specified in the range from one to nine.
6.2Strength of function claim
There are no security functions realized by probabilistic or permutational mechanisms.
6.3Assurance measures
In this section, assurance measures for the TOE are identified. The assurance measures listed in Table 4
cover security assurance requirements listed in the section 5.3.
Table 4: Assurance requirements for EAL3 and assurance measures
Assurance class Assurance
component
Assurance measure
ACM_CAP.3
ACM:
Configuration Management ACM_SCP.1
Configuration Management Plan for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
ADO_DEL.1 Delivery Procedure for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
ADO:
Delivery and operation
ADO_IGS.1 Production Procedure for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
imagio Security Card Type F
Service Manual
Data OverWriteSecurity Unit F
Service Manual
ADV_FSP.1
ADV:
Development ADV_HLD.2
Zoffy V3 system design
IMH design specification B0.HDD overwrite
functional specification
IMH design specification B0.HDD overwrite I/F:
command specification
LPUX specification 05 library HDD overwrite
library I/F specification
ZOFFY-V3 UNIX filesystem Auto Erase Memory
system basic design
ZOFFY-V2/V3 HDD Erase All Memory system
basic design
Page 24 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
Assurance class Assurance
component
Assurance measure
ADV_RCR.1 Correspondence Analysis for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
AGD_ADM.1
AGD:
Guidance documents AGD_USR.1
imagio Security Card Type F
Operating Instructions
Data OverWriteSecurity Unit F
Operating Instructions
ALC:
Life cycle support
ALC_DVS.1 Development Security Plan for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
ATE_COV.2
ATE_COV.1
ATE_FUN.1
Test Document for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
ATE:
Tests
ATE_IND.2 TOE
AVA_MSU.1
AVA_SOF.1
AVA:
Vulnerability assessment
AVA_VLA.1
Vulnerability Assessment for
imagio Security Card Type F,
Data OverWriteSecurity Unit F
Notes: The documents listed in Table 4 are written in Japanese except for the “Data OverWriteSecurity
Unit F Operating Instructions” and the TOE.
Page 25 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
7 PP claims
There are no Protection Profiles claimed to which this ST is conformant.
Page 26 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8 Rationale
8.1Security objectives rationale
In this section, it is demonstrated that the security objectives stated in section 4 are appropriate and cover
all aspects of the security environment stated in section 3.
Table 5 shows that each security objective addresses at least one threat or assumption, and that each threat
and assumption is covered by at least one security objective.
Table 5: Relation between security needs and objectives
O.OVERWRITE
OE.POWER
OE.CANCEL
OSP.RESIDUAL X
A.BREAK X
A.CANCEL X
OSP.RESIDUAL is achieved by O.OVERWRITE, because O.OVERWRITE ensures that the information
on the HDD area specified by the MFP becomes unreadable by overwriting.
A.BREAK is achieved by OE.POWER, because it is assured that overwriting of the TOE is not interrupted
by waiting for finish of overwriting on shutting down the MFP.
A.CANCEL is achieved by OE.CANCEL, because it is prevented from cancelling Erase All Memory
against user’s intent to keep the MFP under watch.
Page 27 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.2Security requirements rationale
8.2.1 Rationale for functional requirements
In this section, it is demonstrated that security functional requirements stated in section 5 achieve security
objectives for the TOE and IT environment identified in section 4.
Table 6 shows that TOE security functional requirements meet security objectives for the TOE and IT
environment.
Table 6: Relation between security objective and functional requirements
FDP_SIP.1
FPT_RVM.1
O.OVERWRITE X X
O.OVERWRITE is achieved by FDP_SIP.1, because this requirement ensures that the information
specified by the MFP becomes unavailable, i.e. no one can retrieve the information specified by the MFP.
Furthermore, it is ensured that the TSP cannot be bypassed with FPT_RVM.1.
8.2.2 Rationale for minimum strength of function
This TOE is the option of the MFP as products in the market. It is assumed that the MFP, which is
operating environment of the TOE, is used in general offices. So, it is appropriate that minimum strength of
function for the TOE is SOF-Basic.
8.2.3 Dependency of security functional requirements
Table 7 shows dependencies of TOE security functional requirements. The dependencies in this ST are
satisfied for interdependence of CC requirements.
Table 7: Dependencies of TOE security functional requirements
TOE security functional
requirement
Dependencies required
by CC
Dependencies satisfied in this
ST
FDP_SIP.1 None None
FPT_RVM.1 None None
As shown in Table 7 above, FDP_SIP.1 and FPT_RVM.1 have no dependencies required by CC. So, there
are no dependencies to be satisfied by TOE security functional requirements.
Page 28 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.2.4 Rationale for assurance requirements
This TOE is the option of the MFP as products in the market. It is assumed that the MFP which is operating
environment of the TOE is used in general offices, and the attackers with moderate attack potential or over
is not assumed for the TOE.
Furthermore, the TOE realizes the security function with simple mechanism such as overwriting data,
which has no probabilistic or no permutational one. Implementation and analysis of developers test based
on the functional specification and high-level design of the security functions, which means the high-level
design evaluation (ADV_HLD.2), is sufficient to demonstrate the accuracy. Analysis of apparent
vulnerability (AVA_VLA.1) is sufficient for general needs. It is also important to achieve security
assurance from development security (ALC_DVS.1) by evaluating the development environment and
management of developed deliverables.
Checking operation of the TOE security function and external interfaces with functional specification level
test is appropriate to assure this security function. So, considering evaluation period and cost, EAL3 is
appropriate for the TOE.
8.2.5 Mutual support of security requirements
Table 8 shows mutual support of security requirements.
Table 8: Mutual support of security requirement
Functional requirement Bypass Deactivate Tamper
FDP_SIP.1 FPT_RVM.1 None None
[Bypass]
Once the TOE is started, FDP_SIP.1 is certainly executed. So, there is no bypass for FDP_SIP.1.
[Deactivate]
Once the TOE is started, FDP_SIP.1 is certainly executed. So, there is no deactivation for FDP_SIP.1.
[Tamper]
There is no illegal subject for the TOE. So, the TSF is not tampered.
8.2.6 Rationale for explicitly stated security requirements
The functional requirement FDP_SIP.1 used for the TOE is an explicitly stated security requirement. The
purpose of the TOE is to make residual information of the MFP unavailable in cooperation with the MFP.
So, FDP_RIP.1 seems to meet the purpose. But the MFP performs the management of residual information,
and the TOE overwrites the information according to the order of the MFP. Thereby, FDP_RIP.1 is not
applicable. So, the security requirement extended for the TOE based on FDP_RIP.1 is applied. Also, the
explicitly stated security requirement is stated in the same style as CC Part 2 security requirements and to a
comparable level of detail.
The explicitly stated security requirement is stated as the security function separated off the part
determining residual information from FDP_RIP.1.
Page 29 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
FDP_RIP.1 basis of the requirement is not required any dependencies and particular assurance
requirements. So, the explicitly stated functional requirement does not need any dependencies and
assurance requirements.
Also, the assurance requirements of EAL3 package are sufficient to assure the explicitly stated security
requirement, because it is obvious that the evidences by special documents for the requirement are not
needed.
Page 30 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.3TOE summary specification rationale
8.3.1 Rationale for TOE security functions
In this section, it is demonstrated that the TOE security function described in section 6.1 realizes TOE
security functional requirements stated in section 5.1.
Table 9 shows that the TOE security function meets TOE security functional requirements.
Table 9: Relation between TOE security functional requirements and TOE security function
SF.OVERWRITE
FDP_SIP.1 X
FPT_RVM.1 X
SF.OVERWRITE ensures that information specified by the MFP is unavailable by overwriting. Therefore,
FDP_SIP.1 is realized.
After executed, SF.OVERWRITE is surely performed. Therefore, FPT_RVM.1 is realized.
8.3.2 Rationale for Strength of function claim
As described in section 6.2, no security function has probabilistic or permutational mechanisms. So, SOF
claim is not needed for this ST.
8.3.3 Rationale for combination of security functions
As described in section 8.3.1, the TOE has one security function. This shows that the ST has no mutual
support of security functions. So, the security function performs to satisfy security functional requirements
by itself.
8.3.4 Rationale for assurance measures
In section 6.3, documents as assurance measures and the TOE meet all security assurance requirements
required for EAL3, and all evidences required for security assurance requirements are covered by those
documents and the TOE. So, TOE security assurance requirements are satisfied.
Page 31 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
8.4PP claims rationale
There are no Protection Profiles claimed to which this ST is conformant.
Page 32 of 32
Copyright (c) 2006, 2007 RICOH COMPANY, LTD. All Rights Reserved.
9 Annex
9.1References
ISO/IEC 15408, Information technology – Security techniques – Evaluation criteria for IT security,
ISO/IEC 15408-1:2005(E), Part 1: Introduction and general model,
ISO/IEC 15408-2:2005(E), Part 2: Security functional requirements,
ISO/IEC 15408-3:2005(E), Part 3: Security assurance requirements.
9.2Abbreviations
CC Common Criteria
CE Customer Engineer
HDD Hard Disk Drive
MFP Multi Function Product
OS Operating System
PP Protection Profile
SF Security Function
ST Security Target
TOE Target of Evaluation
TSF TOE Security Function