Océ Technologies BV
COMMERCIAL

ST-Océ Smart Imager: Security Target of the Océ Smart Imager 10.3.5.68 as used in the Océ VP21x0 R4.1

Certification ID: BSI-DSZ-CC-0510
Sponsor: Océ Technologies BV
File name: Oce Smart Imager Security_Target 3.2.doc
No of pages: 58
Version: 3.3
Date: 04th July 2008

This Security Target was prepared for: Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands, by Brightsight.
© 2008 Océ Technologies B.V., Brightsight respectively.

Document information

Date of issue: 04th July 2008
Author(s): Rob Hunter, Denise Cater
Version number report: 3.3
Certification ID: BSI-DSZ-CC-0510
Scheme: BSI
Sponsor: Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands
Evaluation Lab: Brightsight. IT Security Evaluation Facility, Delftechpark 1, 2628XJ Delft, The Netherlands
Sponsor Project leader: Vincent Leymarie
Target of Evaluation (TOE): Océ Smart Imager 10.3.5.68 as used in the Océ VP21x0 R4.1
TOE reference name: Océ Smart Imager
CC-EAL number: 2+ (augmented with ALC_FLR.1)
Classification: Commercial
Report title: Security Target of the Océ Smart Imager 10.3.5.68 as used in the Océ VP21x0 R4.1
Report reference name: ST-Océ Smart Imager-3.3

COMMERCIAL 04th July 2008 Page 3 of 57 Commercial BSI-DSZ-CC-0510

Document history

Version  Date      Comment
0.1      14-04-05  Initial draft
0.2      17-05-05  Incorporated Océ comments
0.3      30-05-05  Incorporated Océ and BSI comments
0.4      24-11-05  Incorporated Océ comments
1.0      06-02-06  Incorporated BSI comments
2.0      10-02-06  Incorporated BSI comments
2.1      16-02-06  Incorporated BSI comments
3.0      13-12-07  Updated for 21x0
3.1      31-1-08   Correction of a small error in Appendix D
3.2      10-06-08  Adaptation to comments from BSI
3.3      04-07-08  Adaptation to comments ZK_0510_ASE_03.rtf

Signature
The sponsor project leader has signed for technical correctness.
Vincent Leymarie
Sponsor Project leader

Contents

DOCUMENT INFORMATION  2
DOCUMENT HISTORY  3
1. SECURITY TARGET INTRODUCTION  7
   1.1 ST Identification  7
   1.2 ST Overview  8
   1.3 CC Conformance  9
2. TOE DESCRIPTION  10
   2.1 TOE Overview  10
      2.1.1 TOE physical scope and boundary  10
      2.1.2 TOE logical scope and boundary  14
3. TOE SECURITY ENVIRONMENT  20
   3.1 Definition of subjects, objects and operations  20
      3.1.1 Non-human subjects  20
      3.1.2 Human subjects  20
      3.1.3 Objects  21
      3.1.4 Operations  22
   3.2 Assumptions  22
   3.3 Threats  24
   3.4 Organisational Security Policies  24
4. SECURITY OBJECTIVES  25
   4.1 TOE Security Objectives  25
      4.1.1 Functional Security Objectives for the TOE  25
      4.1.2 Assurance Security Objectives for the TOE  25
   4.2 Security Objectives for the environment  26
5. IT SECURITY REQUIREMENTS  27
   5.1 TOE Security Functional Requirements  27
      5.1.1 SFRs for Filtering  27
      5.1.2 SFRs for Shredding  27
      5.1.3 SFRs for Management  28
      5.1.4 SFRs for Protection of the TSF itself  30
      5.1.5 Strength-of-function claim  31
   5.2 TOE Security Assurance Requirements  31
   5.3 Security Requirements for the IT Environment  31
   5.4 Explicitly stated requirements  32
6. TOE SUMMARY SPECIFICATION  33
   6.1 IT Security Functions  33
      6.1.1 Probabilistic functions and mechanisms  33
      6.1.2 Strength of function claim  34
   6.2 Assurance Measures  35
7. PP CLAIMS  37
8. RATIONALE  38
   8.1 Security Objectives Rationale  38
      A.DIGITAL_COPIER  38
      A.ENVIRONMENT  39
      A.SECURITY_POLICY  39
      A.SLA  40
      T.RESIDUAL_DATA  40
      T.MALWARE  40
      P.JOB_DELETE  41
      P.TOE_ADMINISTRATION  41
   8.2 Security Requirements Rationale  42
      8.2.1 The SFRs meet the Security Objectives for the TOE  42
      O.F.INBOUND_FILTER  42
      O.F.JOB_SHRED  43
      O.F.AUTHENTICATE  43
      8.2.2 The security requirements for the IT environment meet the security objectives for the environment  44
      8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate  45
      8.2.4 All dependencies have been met  46
      8.2.5 The requirements are internally consistent  46
      8.2.6 The requirements are mutually supportive  46
   8.3 TOE Summary Specification Rationale  47
      8.3.1 The functions meet the SFRs  47
      8.3.2 The assurance measures meet the SARs  50
      8.3.3 The SOF-claims for functions meet the SOF-claims for the SFRs  50
      8.3.4 The functions are mutually supportive  50
   8.4 PP Claims Rationale  50
APPENDIX A ABBREVIATIONS  51
APPENDIX B REFERENCES  52
APPENDIX C GLOSSARY OF TERMS  53
APPENDIX D FIREWALL RULE TABLE  54
APPENDIX E SECURITY RELATED ADMINISTRATION FUNCTIONS  55
   S.SERVICE_ENGINEER  55
   S.REMOTE_SYSADMIN & S.SERVICE_ENGINEER  55
APPENDIX F XP PATCHES APPLIED  56
DISTRIBUTION LIST  57

1. Security Target Introduction

1.1 ST Identification

Name of the TOE: Océ Smart Imager 10.3.5.68 as used in the Océ VP21x0 R4.1
Name of the Security Target: Security Target of the Océ Smart Imager 10.3.5.68 as used in the Océ VP21x0 R4.1
ST evaluation status: Non-evaluated release
ST version number: 3.3
ST publication date: 04th July 2008
ST authors: Rob Hunter, Denise Cater

This Security Target was prepared for: Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands, by Brightsight. IT Security Evaluation Facility, Delftechpark 1, 2628XJ Delft, The Netherlands.

1.2 ST Overview

The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs) for various purposes. One of these MFD series, the VP21x0 (VP2100 and VP2110), uses a PC-hardware-based controller, the Smart Imager.

• The Océ Smart Imager v10.3.5.68 is used with the Océ VP21x0 R4.1.

These VarioPrint products are referred to collectively in this Security Target as MFDs: an Océ VP21x0 with an embedded Smart Imager controller.

The Smart Imager is a PC-based MFD controller. The Smart Imager provides a wide range of printing, scanning and copying functionality to the MFD peripherals to which it is connected. The Smart Imager provides security functionality to the MFD. This Security Target describes the Smart Imager and the specific security problem that it addresses.

The Target of Evaluation (TOE) is a collection of software components (Océ-developed software, third-party printer language interpreters, operating system) that use the underlying hardware platform. The TOE is a subset of the complete Smart Imager.
1.3 CC Conformance

The evaluation is based upon:
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 1: General model, August 2005.
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 2: Security functional requirements, August 2005.
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 3: Security assurance requirements, August 2005.
• Common Methodology for Information Technology Security Evaluation, Version 2.3, Part 2: Evaluation Methodology, August 2005.

The chosen level of assurance is: EAL2 (Evaluation Assurance Level 2 augmented with ALC_FLR.1).

This Security Target claims the following conformance to the CC:
• CC Part 2 conformant
• CC Part 3 conformant

2. TOE Description

2.1 TOE Overview

This section presents an overview of the TOE.

2.1.1 TOE physical scope and boundary

The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs). For the purpose of this evaluation, the MFD consists of two main parts: (1) the Smart Imager controller and (2) the Digital Printer, Scanner/Copier and Local User Interface peripherals that together form the VP21x0 product.

The Smart Imager is a PC-based MFD controller that provides a wide range of printing, scanning and copying functionality to the Digital Printer, Scanner and Copier and Local User Interface peripherals to which the Smart Imager is connected. The Smart Imager provides security functionality to the MFD.

The Smart Imager can operate in two different security modes: 'High' and 'Normal'. This Security Target covers the Smart Imager operating in the security mode 'High' as delivered by Océ to the customer. This mode provides a restricted set of functionality that is configured to meet the Security Target claim.
Changing the operational mode invalidates the claims made in this Security Target.

The Smart Imager is connected between a network and the MFD. This is depicted in Figure 1.

Figure 1: Relation between the Smart Imager and MFD. [Figure elements: Network, Smart Imager, MFD peripherals; Print Data Flow, Copy Data Flow and Scan Data Flow between the Input Glass Plate and the Output Tray of the MFD.]

The Smart Imager is located internally in the MFD. This physical configuration is depicted in Figure 2.

Figure 2: View of the Smart Imager controller in VP2090, VP2100 or VP2110 (open or closed side).

Figure 3: View of a separated Smart Imager controller.

The internal configuration helps prevent theft of the Smart Imager, but prevention of theft of the Smart Imager is outside the scope of this evaluation (see footnote 1). All logical access points (network ports, USB/serial/parallel ports etc.) are protected from physical access in the internal configuration by a metal casing.

The Smart Imager consists of:
1. A generic off-the-shelf PC comprising at a minimum a 1.8 GHz Pentium M processor, 512 MB internal RAM, a DVI output (graphical I/O), an 80 GB hard drive, three USB ports and one serial port.
2. A generic graphics card and a network card supporting 10/100/1000 Mb/s Ethernet UTP.
3. Drivers for the PC, graphics card and network card.
4. The Microsoft Windows XP Embedded operating system with Service Pack 2 plus the patches listed in Appendix F.
5. Océ Smart Imager-specific software release 10.3.5.68.
6. Third-party developed software: Adobe PS3-PDF Interpreter, Version 3017.102; PCL6 interpreter, Version IPS6.0.2; Microsoft IIS web server with SSL support, Version 5.1.

Of these six, the first three are not part of the TOE and together form the underlying hardware platform that the TOE makes use of. The underlying hardware platform does not provide any specific security-related functionality for the TOE.
The TSF is mediated by the last three software components, which are part of the TOE. This is depicted in Figure 4.

Footnote 1: Note that the Smart Imager protects print, copy and scan data stored in it against theft through e-shredding, but the Smart Imager itself may be stolen.

Figure 4: Division of the Smart Imager into TOE and non-TOE. [Figure elements: TOE = Microsoft Windows XPe (4), Océ SmartImager-specific Software (5), Third-party Software (6); Non-TOE = Generic PC Hardware and USB2 (1, 2), Generic PC Hardware Drivers (3).]

The physical interfaces through which the TOE communicates are:
• A USB port through which a service engineer can administer the TOE.
• A network card through which print and scan jobs can pass and a remote system administrator can administer the TOE.
• An RS-432 interface. The data that flows between the TOE and the MFD for printing control purposes passes through this interface.
• A USB2 interface. The data that flows between the TOE and the MFD for all printing, scanning and copying purposes (other than printer control) passes through this interface.
• A USB port through which the Operator can communicate with the TOE via the Local User Interface (LUI) to manage print jobs (this interface cannot be used to perform any security management operations).

The operator guidance (see footnote 2) for the TOE consists of:
• Océ 2100/2110 User manual.
• Océ VP2100/VP2110 Common Criteria certified configuration of the SI v10.3.5.68.

The administrator guidance for the TOE consists of:
• Océ VP2100/VP2110 Common Criteria certified configuration of the SI v10.3.5.68.
• Océ VarioPrint 2100/2110 User manual (Chapter 9: Security).
• The Smart Imager administration guidance for the customer system administrator, which takes the form of Online Help HTML pages. These are part of the Océ Smart Imager-specific software, Version 10.3.5.68.

The Smart Imager administration guidance for the Océ service engineer takes the form of an application called the Technical Service Manual (TSM) that is installed on the service engineer's laptop. The guidance contains an appendix that is identified as:
• VP21x0 Smart Imager Security Service documents in the TSM: Information concerning CCC for VP2090 and VP21X0.
and is a frozen version of the Océ service engineer application made at the time of product release.

Footnote 2: No guidance is necessary for the remote end user of the TOE.

2.1.2 TOE logical scope and boundary

The TOE protects two assets: itself and the copy, print and scan job data that it receives. Firstly, the TOE protects its own integrity against threats from the LAN to which it is attached through use of a firewall. Secondly, the TOE protects the confidentiality of print, copy and scan job data after they are no longer needed. The Smart Imager does this by shredding the data after they are deleted.

In order to protect these two assets, it offers the following functionality:

The TOE controls printing from the network
The TOE accepts PostScript, PDF and PCL6 print jobs from remote users on the network (lpr over TCP/IP) and provides these as images to the attached MFD printing peripheral. The TOE receives a print job from a remote end-user, and the job is put either in the print mailbox or in the print queue. Once this job becomes the first in the queue, the TOE processes the print job into images and sends these images to the attached MFD peripheral for printing. The remote end-users and the interfaces they interact with are depicted in Figure 5.
Figure 5: End-users and interfaces for printing. [Figure elements: Remote end-user, Network, Smart Imager, MFD peripheral, MFD.]

The TOE is configured to destroy the data relating to print jobs (see footnote 3) and temporary files (see footnote 4). This is achieved by writing over the job-related data with other data, thereby making it difficult to retrieve the original data. The TOE administrators can select the number of write iterations. This two-fold mechanism is fully asynchronous: shredding is performed in a separate process, with different priorities depending on the overwriting iteration. The first iteration starts after the data is deleted; the remaining iterations take place with low priority in the background. Additionally, the TOE is also configured to shred all data periodically (every day, every week, every month or never; see footnote 5).

Footnote 3: Also scan and copy jobs; see the next sub-section and Figure 6.
Footnote 4: Job data is deleted when the job is completed or deleted from the mailbox. Temporary files (swap file) are shredded during system restart.
Footnote 5: The setting to shred the data at a particular time interval is set to every day at 12am by default.

TOE operators scan jobs that are exported to the network
Operators can scan documents on the VP21x0 using the Local User Interface (LUI), and the resulting images are then submitted to the TOE. The TOE can process the images into a variety of file formats and then transfer the resulting files by FTP to an FTP server, or by SMTP to an e-mail server on the network. The Operator can also complete copy jobs through the LUI, with the resulting images sent to the MFD. The operators and the interfaces they interact with (LUI (see footnote 6) and network) are depicted in Figure 6.

Figure 6: Operators and interfaces for scanning.

Footnote 6: The operator is unable to access any of the TOE security functions through the LUI. The LUI can only be used for scanning, copying, printing and managing print queues.
[Figure 6 elements: Operators, LUI, Smart Imager, MFD peripheral, MFD, Network, FTP server, E-mail server.]

The TOE can be managed
As indicated in the previous sections, the MFD (of which the TOE is a part) supports remote end-users and Operators. The MFD also supports various administrators, which are described briefly here:

Remote Key Operator: These are typically administrators or secretaries from the organization owning/renting the TOE. They can interact with the Smart Imager through a Web interface that communicates with the TOE via the LAN. Through this interaction they have access to a limited set of non-security-related settings of the TOE.

Remote System administrator (HTTPS): These are remote administrators, typically a network administrator from the organization owning/renting the TOE. They can read and write a limited set of settings of the TOE through an SSL over HTTP connection (HTTPS). The remote administrator can identify the TOE via a certificate. Help files for the administrator are also delivered via the HTTPS connection. Web pages that are delivered via the HTTPS connection are 'non-cacheable'.

Remote System administrator (SNMP): These are remote administrators, typically a network administrator from the organization owning/renting the TOE. They can read and write a limited set of settings of the TOE through an SNMP connection. None of the settings that the remote system administrator can access through SNMP are security related, in the sense that they neither provide access to the assets that the TOE protects nor allow changes to be made to the TOE security functionality.

Service engineer: These are local administrators, typically employed by Océ. They have access through a USB connection to a wide range of settings on the TOE.
The TOE connection is PIN-code protected and service-licence protected, and access to the management functions provided to the Service engineer requires specific hardware and software. It is not possible to access the management functions made available to the service engineer without the software that is installed on the service engineer's laptop.

The various administrators and the interfaces through which they interact with the TOE are depicted in Figure 7.

Figure 7: MFD Administrators and interfaces. [Figure elements: Remote system administrator and Remote Key-operator via Network; Service Engineer via USB; Smart Imager, MFD peripheral, MFD.]

The TOE has minimized all other functionality
The TOE supports the following network protocols:
• TCP/IP, UDP/IP and ICMP.
No other network protocols are enabled. The TOE manufacturer has filtered all network ports so that only data that is essential to the operation of the TOE can enter the TOE through the network interface. The TOE has further restricted the functionality behind each open network port to that which is absolutely necessary to its functioning. This is done to maximize the integrity of the TOE itself and minimize the risk of the TOE being infected or hacked and subsequently being used as a stepping-stone to damage the network.

The availability of security related functionality
As depicted in Figure 7, the Remote Key Operator is not able to influence the security of the TOE, as they have no access to security settings via the Smart Imager LUI. Because the Remote Key Operator and TOE Operator cannot access security-related settings on the Smart Imager LUI, they cannot affect the TOE. For the sake of clarity, Figure 8 shows the interfaces to the TOE and the subjects that can access and manage TOE security settings.
Figure 8: TOE Administrators and interfaces. [Figure elements: Remote system administrator via Network; Service Engineer via USB; Smart Imager.]

3. TOE Security Environment

The TOE is intended to provide scan, print and copy functionality to users requiring a low to moderate level of security assurance. Additional environmental and organisational requirements support the security functionality provided by the TOE.

3.1 Definition of subjects, objects and operations

To facilitate the definition of threats, OSPs, assumptions, security objectives and security requirements, we first define the subjects, objects and operations used in the ST.

3.1.1 Non-human subjects

The systems (equipment) that will interact with the TOE (in alphabetical order):

S.DIGITAL_PRINTER: A device that is part of the MFD peripheral that physically renders a print job and is attached to the TOE via a cable.
S.DIGITAL_SCANNER: A device that is part of the MFD peripheral that scans in a copy or scan job and is attached to the TOE via a cable.
S.LUI: A device that provides a User Interface to S.OPERATOR for non-security-related operations, such as local copying/printing/scanning/queue management.
S.NETWORK_DEVICE: An unspecified network device that is logically connected to the TOE and is located in the same operating environment (office building).

3.1.2 Human subjects

The users (or subjects acting on behalf of a user) that will interact with the TOE are:

S.REMOTE_USER: A person who interacts with the TOE indirectly, creating print jobs and sending them to S.OPERATOR to be forwarded to the TOE. They are not malicious towards the TOE. S.REMOTE_USER typically sends print jobs from their desktop PC.

S.OPERATOR: A person with access to the operational environment of the TOE who is aware of how the TOE should be used. They are not malicious towards the TOE.
S.OPERATOR typically interacts indirectly with the TOE via S.LUI or over the network. S.OPERATOR receives print jobs from S.REMOTE_USER and places the jobs in the TOE print queue as appropriate to be processed by the TOE.

S.REMOTE_SYSADMIN: A person who can change some TOE settings using an Océ-supplied interface accessed remotely over a network connection. They are trusted by the customer and are adequately trained. They are capable of making mistakes. They access the TOE via its network card from a remote location on the customer LAN. They do not access the TOE locally via a USB connection.

S.SERVICE_ENGINEER: A person with elevated privileges above those of S.OPERATOR and S.REMOTE_SYSADMIN. This person is an Océ representative and accesses the TOE locally through a USB interface that is separate from the customer LAN interface. They do not access the TOE remotely via the customer LAN interface. They are not malicious towards the TOE but are capable of making mistakes when operating it.

S.THIEF: S.THIEF (cleaning staff, burglar, visitor, in rare cases a user) will have no moral issues in stealing the TOE or parts of it. Once S.THIEF has stolen the TOE or parts of it, he may attempt to retrieve earlier print, scan and copy jobs from the TOE. S.THIEF is opportunistic and is not a recurring visitor to the environment in which the TOE operates.

3.1.3 Objects

The (data) objects that the TOE will operate upon are:

D.PRINT_JOB: A print job received by S.OPERATOR from S.REMOTE_USER and submitted to the TOE.
D.SCAN_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Smart Imager. Data is sent from the TOE to an FTP or e-mail server located elsewhere on the network.
D.COPY_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Smart Imager. Data is returned from the TOE to the printer peripheral for rendering.
D.INBOUND_TRAFFIC: TCP/IP, UDP/IP or ICMP network packets received by the TOE. D.INBOUND_TRAFFIC has the security attributes Port and Protocol associated with it.

3.1.4 Operations

The operations that are performed by the TOE are:

R.PRINT_JOB: The TOE processes and releases a D.PRINT_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SCAN_JOB: The TOE processes and releases a D.SCAN_JOB to the attached network through S.NETWORK_DEVICE.
R.COPY_JOB: The TOE processes and releases a D.COPY_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SHRED_JOB: The TOE shreds released D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data objects from the TOE's hard disk.
R.ENTER_TOE: The TOE allows D.INBOUND_TRAFFIC from S.NETWORK_DEVICE to enter its boundary.

3.2 Assumptions

A.DIGITAL_PRINTER: It is assumed that the TOE has an S.DIGITAL_PRINTER device attached to it. S.DIGITAL_PRINTER is part of the Océ VP21x0 MFD. It is assumed, for EAL2, that the interface from the Smart Imager to S.DIGITAL_PRINTER will not be used to mount an attack and that the interface is only used for the purposes of printing.

A.DIGITAL_SCANNER: It is assumed that the TOE has an S.DIGITAL_SCANNER device attached to it. S.DIGITAL_SCANNER is part of the Océ VP21x0 MFD. It is assumed, for EAL2, that the interface from the Smart Imager to S.DIGITAL_SCANNER will not be used to mount an attack and that the interface is only used for the purposes of scanning.

A.LUI: It is assumed that the TOE has an S.LUI device attached to it. S.LUI is part of the Océ VP21x0 MFD. It is assumed, for EAL2, that the interface from the LUI to the Smart Imager will not be used to mount an attack, as the TOE security functions cannot be accessed via this interface and the interface is only used for the purposes of printing, scanning and copying.
A.ENVIRONMENT: The TOE assumes that its operational environment is a repro-room contained within a regular office environment. Physical access to the operational environment is restricted to S.OPERATOR and S.SERVICE_ENGINEER. The office environment also contains non-threatening office personnel (S.OPERATOR, S.REMOTE_USER, S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER). S.THIEF is only rarely present in this environment and not on a recurring basis.

A.SECURITY_POLICY: It is assumed that the customer will have a Security Policy governing the use of IT products by employees in the customer organisation. The TOE assumes that the network to which it is attached is protected by security measures that are intended to prevent malware, viruses and network traffic not related to the working of the operational environment from entering the network to which it is attached. Although the virus database files and various patches are kept up to date, the policy recognises that new threats emerge over time and that occasionally they may enter the environment from outside, and it provides measures to help limit the damage. The Policy will define how IT products are protected against threats originating from outside the customer organisation. The organisation's employees are aware of, are trained in and operate according to the terms and conditions of the policy. The policy also covers physical security and the need for employees to work in a security-aware manner, including in their usage of the TOE. The Security Policy describes and requires a low to medium level of assurance (EAL2) for the TOE.

A.SLA: It is assumed that any security flaws discovered in the TOE will be repaired by Océ (possibly as part of an agreed service level agreement).

3.3 Threats

T.RESIDUAL_DATA: S.THIEF steals the TOE or parts thereof and retrieves stored or deleted D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB.
The motivation for S.THIEF to attack the TOE is low: recovering data after the shredding mechanism has executed requires sophisticated data recovery equipment, and the data recovered has little value to the attacker.

T.MALWARE
An S.NETWORK_DEVICE is used by malware that may have entered the TOE’s operational environment to launch an attack on the integrity of the TOE. The motivation to carry out this attack is low.

3.4 Organisational Security Policies

P.JOB_DELETE
When D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB objects are no longer needed by the TOE, they will be deleted by the TOE at the earliest available opportunity in a manner that meets a recognised standard.

P.TOE_ADMINISTRATION
The modification of TOE security settings shall be restricted to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN.

4. Security Objectives

4.1 TOE Security Objectives

This section consists of two groups of objectives:
• Functional Security Objectives for the TOE, which deal with what the TOE must do;
• Assurance Security Objectives for the TOE, which deal with how much assurance one should have that the TOE does what it is expected to do.

4.1.1 Functional Security Objectives for the TOE

O.F.INBOUND_FILTER
The TOE will only support TCP/IP, UDP/IP and ICMP as network protocols. D.INBOUND_TRAFFIC shall only enter the TOE (R.ENTER_TOE) if its Port is specified as being open in Appendix D.

O.F.JOB_SHRED
The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required. During the start-up procedure, any residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB located on the TOE’s hard disk (including the swap file) is deleted. The first write cycle occurs after the job has been deleted and the other remaining cycles occur once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted.
O.F.AUTHENTICATE
The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before allowing them to modify the TOE security settings.

4.1.2 Assurance Security Objectives for the TOE

O.A.SLA
The TOE shall be evaluated to ALC_FLR.1.

4.2 Security Objectives for the environment

O.E.ENVIRONMENT
The environment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to keep out all other persons, but not a determined S.THIEF who deliberately wants to steal part of or all of the TOE by methodically planning an attack on the TOE over a period of time.

O.E.NETWORK_POLICY
The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In addition, measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself.

O.E.DEPLOYMENT
The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.

O.E.LOCAL_INTERFACE
The environment into which the TOE will be introduced shall contain an Océ VP21x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queue. When sending a D.PRINT_JOB to the Smart Imager, S.OPERATOR will ensure the print job is deleted from the TOE during the same working day, either by printing without using the TOE mailbox, or by deleting the jobs manually from the queue or mailbox.
Additionally, S.REMOTE_SYSADMIN can also set automatic deletion from the mailbox every day at a fixed hour. The Smart Imager MFD peripheral provides a glass plate and LUI with which S.OPERATOR can perform print, scan and copy jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers).

5. IT Security Requirements

5.1 TOE Security Functional Requirements

5.1.1 SFRs for Filtering

FDP_ACC.1 Subset access control
FDP_ACC.1.1 The TSF shall enforce the NETWORK_POLICY on:
• D.INBOUND_TRAFFIC
Dependencies: FDP_ACF.1 (included)

FDP_ACF.1 Security attribute based access control
FDP_ACF.1.1 The TSF shall enforce the NETWORK_POLICY to objects based on the following:
• Port;
• Protocol.
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
• The TOE shall perform R.ENTER_TOE on D.INBOUND_TRAFFIC only if Port(D.INBOUND_TRAFFIC) = ICMP, LPR, HTTP, HTTPS, SNMP and Protocol = TCP/IP or UDP/IP
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:
• none
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
• none
Dependencies: FDP_ACC.1 (included), FMT_MSA.3 (included)

5.1.2 SFRs for Shredding

FDP_RIP.1 Subset residual information protection
FDP_RIP.1.1 [7] The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from the following objects: D.PRINT_JOB, D.SCAN_JOB, D.COPY_JOB
• on deletion of R.PRINT_JOB, R.COPY_JOB and R.SCAN_JOB by S.OPERATOR, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER
• on start-up or reboot of the TOE. [8]
Dependencies: No dependencies.
[7] This is a refinement to show when the de-allocation is to take place. When you delete a file, the OS modifies the relevant entry in the file allocation table. The data remains on the hard disk and can be retrieved with suitable tools. This is why the TOE shreds the data. What happens is that:
• When the job manager discards data, it moves the data reference in the file allocation table to a location that is dedicated to the E-shred subsystem.
• The E-shred subsystem then erases the data (makes the data unavailable) by overwriting the data several times.
• The E-shred service then removes the reference to the erased data from the file allocation table so that the erased disk resources can be re-used.

[8] The SmartImager can experience errors and sometimes requires restarting to handle these errors (or users restart the photocopier anyway in an attempt to handle these errors). It is therefore important that the photocopier also deletes data whenever it is restarted.

5.1.3 SFRs for Management

FIA_UID.2 User identification before any action
FIA_UID.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to identify themselves before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: No dependencies.

FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 (hierarchical component included)

FMT_MOF.1 Management of security functions behaviour (S.REMOTE_SYSADMIN) [9]

[9] Note that this SFR relates to administration via the HTTPS connection. There are no TSF-mediated actions that can be managed via the SNMP connection.
FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in Appendix E for S.REMOTE_SYSADMIN to S.REMOTE_SYSADMIN.
Dependencies: FMT_SMF.1 (included), FMT_SMR.1 (included)

FMT_MOF.1 Management of security functions behaviour (S.SERVICE_ENGINEER)
FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in Appendix E for S.SERVICE_ENGINEER to S.SERVICE_ENGINEER.
Dependencies: FMT_SMF.1 (included), FMT_SMR.1 (included)

FMT_MSA.1 Management of security attributes
FMT_MSA.1.1 The TSF shall enforce the NETWORK_POLICY to restrict the ability to change the default [10] security attributes Port and Protocol to nobody. [11]
Dependencies: FDP_ACC.1 (included), FMT_SMF.1 (included), FMT_SMR.1 (included)

FMT_MSA.3 Static attribute initialisation
FMT_MSA.3.1 The TSF shall enforce the NETWORK_POLICY to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow nobody [12] to specify alternative initial values to override the default values when an object or information is created.
Dependencies: FMT_MSA.1 (included), FMT_SMR.1 (included)

[10] For grammatical and clarity reasons, the underscore between ‘change’ and ‘default’ was removed and the word ‘the’ before ‘security attributes’ was moved to between ‘change’ and ‘default’.
[11] The TOE does not allow any users to change any security attributes in the evaluated configuration.
[12] The word ‘the’ before ‘nobody’ was removed for grammatical reasons.

FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions as described in Appendix E:
Functions related to R.SHRED_JOB that are available to S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER:
• Set the number of shred runs [13]
Dependencies: No dependencies.
FMT_SMR.1 Security roles
FMT_SMR.1.1 The TSF shall maintain the roles S.REMOTE_SYSADMIN, S.SERVICE_ENGINEER, S.REMOTE_USER and S.OPERATOR.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 (hierarchical component included)

5.1.4 SFRs for Protection of the TSF itself

FPT_SEP.1 TSF domain separation
FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.
Dependencies: No dependencies.

FPT_RVM.1 Non-bypassability of the TSP
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
Dependencies: No dependencies.

[13] Note that this is the only setting which is available in security mode high, the evaluated configuration.

5.1.5 Strength-of-function claim

The strength of function claim for all the probabilistic functions and mechanisms provided by the TOE is SOF-basic.

5.2 TOE Security Assurance Requirements

The TOE security assurance requirements are conformant to the CC Evaluation Assurance Level EAL2 + ALC_FLR.1.
In detail, the following Security Assurance Requirements are chosen for the TOE:

Components for Configuration management (Class ACM)
ACM_CAP.2 Configuration items

Components for Delivery and operation (Class ADO)
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures

Components for Development (Class ADV)
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high-level design
ADV_RCR.1 Informal correspondence demonstration

Components for Guidance documents (Class AGD)
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance

Components for Life cycle support (Class ALC)
ALC_FLR.1 Basic flaw remediation

Components for Tests (Class ATE)
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample

Components for Vulnerability assessment (Class AVA)
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis

5.3 Security Requirements for the IT Environment

None. [14]

[14] The ST defines security objectives for the IT environment in which the TOE will operate. In accordance with the Common Criteria Standard, these objectives are not mapped to Security Requirements for the IT Environment.

5.4 Explicitly stated requirements

None.

6. TOE Summary Specification

6.1 IT Security Functions

SF.FILTERING
The TOE uses a built-in firewall to block ports that are not needed for the operation of the TOE. In addition, no network protocols that are not supported by the evaluated configuration are enabled. By default no traffic is permitted to enter the TOE from the network to which it is attached, except for the supported network packets via the ports defined in the rule table described in Appendix D.

SF.SHREDDING
Once a print, copy or scan job has been deleted, the data is overwritten.
It is possible to perform multiple write cycles, with various patterns being applied. At least three write cycles will always take place. The first write cycle starts after the job has been deleted and, to improve job throughput performance, all other remaining cycles are done once the TOE enters an idle state. The shredding mechanism supports the US DOD 5220-22m and Gutmann algorithms. [15]

SF.MANAGEMENT
The TOE can be managed in relation to SF.SHREDDING. In order to gain access, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER must authenticate themselves to the TOE. S.SERVICE_ENGINEER does this by entering a PIN. S.REMOTE_SYSADMIN authenticates himself by entering a password. The TOE is delivered by Océ with the most restrictive set of operational settings.

6.1.1 Probabilistic functions and mechanisms

The TOE contains probabilistic functions and mechanisms in the form of passwords and PIN numbers that are used for the authentication of S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER respectively.

[15] See Appendix B – References for more information relating to these algorithms.

Subject: S.REMOTE_SYSADMIN
Function: SF.MANAGEMENT, SF.SHREDDING
Mechanism: For the HTTPS connection, an alphanumeric password (ASCII characters 32-127) ranging in length between 8 and 50 characters is required. After the first failed attempt, a delay mechanism is invoked. There are no security management functions or access to the assets that the TOE protects that are accessible via the SNMP connection.

Subject: S.SERVICE_ENGINEER
Function: SF.MANAGEMENT, SF.SHREDDING
Mechanism: A fixed-length numeric PIN code of 6 digits.

6.1.2 Strength of function claim

The SFRs FIA_UID.2 and FIA_UAU.2 require the TOE to provide security functions that provide identification/authentication functionality that meets a SOF claim of ‘SOF-basic’. A strength of function claim of ‘SOF-basic’ is made for the security function SF.MANAGEMENT.
This is the security function that implements FIA_UID.2 and FIA_UAU.2.

6.2 Assurance Measures

Appropriate assurance measures are employed to satisfy the security assurance requirements. The following list gives a mapping between the assurance requirements and the documents containing the information needed for the fulfillment of the respective requirement.

Configuration Management (ACM) assurance measures
The document containing the description of the configuration management system as required by ACM, and of how it is used, is:
• Configuration Management List for the Océ Smart Image Controller (SI) R10.3.5.68 as used in the Océ VarioPrint 21X0 R 4.1 product

Delivery and Operation (ADO) assurance measures
The document containing the description of all steps necessary for secure installation, generation and start-up of the TOE is:
• Software development and delivery for the Océ Smart Image Controllers (SI)

Development (ADV) assurance measures
The developer documentation for ADV functional specifications can be found in:
• Functional Specification for the Océ Smart Imager 10.3.5.68 as used in the Océ VP 21X0 4.1
• High Level Design for the Océ Smart Imager 10.3.5.68 as used in the Océ VP 21X0 4.1

Guidance (AGD) assurance measures
The document containing the guidance for Océ service engineers is maintained on the service engineer’s laptop with the reference:
• VP21x0 Smart Imager Security Service documents in the TSM: Information concerning CCC for VP2090 and VP21X0
and is not a publicly available document.
The guidance for the customer administrators and users is in:
• On-line Help Océ VarioPrint 2100/2110, Settings Editor, Version 2007-10. (This part takes the form of HTML pages within the Smart Imager application in the administrator interface.)
• Océ VP2100/VP2110 Common Criteria certified configuration of the SI v10.3.5.68.
• Océ VarioPrint 2100/2110 User manual, version 2007-11

Life Cycle (ALC) assurance measures
The physical, procedural, personnel and other security measures applied by the developer can be found in:
• Flaw remediation for Océ printer/copier/scanner products

Test (ATE) assurance measures
The developer test documentation, and a test analysis showing that the tests cover the entire functional specification, can be found in:
• Test Specification for the Common Criteria Evaluated Security Functionality implemented in the Océ SmartImager Controller (SI)
• E-Shredding functional test in High Security mode
• SI R10.3.5.68: Results of the Common Criteria Evaluated Security Functionality Tests

Vulnerability Assessment (AVA) assurance measures
An analysis of vulnerabilities can be found in:
• Strength of function analysis for the Océ Smart Imager 10.3.5.68 as used in the Océ VP 21X0 4.1
• Vulnerability analysis for the Océ Smart Imager 10.3.5.68 as used in the Océ VarioPrint 21X0 printer/copier/scanner products
• SI Vulnerability Analysis, Internal Report
• SI Penetration Tests, Internal Report
• SI Common Criteria Security test results, Internal Report

7. PP Claims

This Security Target does not claim compliance to a Protection Profile.

8. Rationale

8.1 Security Objectives Rationale

For each assumption, threat and OSP we demonstrate that it is met by the security objectives. The tracings are provided in the following table.
Objectives traced (table columns): O.F.INBOUND_FILTER, O.F.JOB_SHRED, O.F.AUTHENTICATE, O.A.SLA, O.E.ENVIRONMENT, O.E.NETWORK_POLICY, O.E.DEPLOYMENT, O.E.LOCAL_INTERFACE
A.DIGITAL_COPIER: O.E.LOCAL_INTERFACE
A.ENVIRONMENT: O.E.ENVIRONMENT
A.SLA: O.A.SLA
T.MALWARE: O.F.INBOUND_FILTER
P.TOE_ADMINISTRATION: O.F.AUTHENTICATE
P.JOB_DELETE: O.F.JOB_SHRED

The individual rationales demonstrating that the threats, assumptions and organisational security policies are met are described as follows:

A.DIGITAL_COPIER
The assumption is met by the following TOE assurance objective:
O.E.LOCAL_INTERFACE - The environment into which the TOE will be introduced shall contain an Océ VP21x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Smart Imager, S.OPERATOR is aware that they must delete the job on the same workday that it is sent to the TOE, whether or not it is used. Requiring job data to be deleted from the TOE on the same workday it is sent reduces the time during which the data object is vulnerable to an attacker. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print/copy/scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers). Although the assumption states that a VP21x0 MFD from Océ will be used, the MFD is an untrusted device.

A.ENVIRONMENT
The assumption is met by the following objectives for the environment:
O.E.ENVIRONMENT - The environment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to keep out all other persons, but not a determined S.THIEF who deliberately wants to steal part of or all of the TOE by methodically planning an attack on the TOE over a period of time.
A.SECURITY_POLICY
The assumption is met by the following objectives for the environment:
O.E.NETWORK_POLICY - The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In addition, measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself.
O.E.DEPLOYMENT - The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.
O.E.LOCAL_INTERFACE - The environment into which the TOE will be introduced shall contain an Océ VP21x0 that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Smart Imager, S.OPERATOR is aware that they must delete the job on the same workday that it is sent to the TOE, whether or not it is printed. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print/copy/scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers).

A.SLA
The assumption is met by the following TOE assurance objective:
O.A.SLA - The TOE shall be evaluated to ALC_FLR.1. There are measures in place to repair faults in the TOE when they occur.
T.RESIDUAL_DATA
The threat is met by the following TOE functional objective:
O.F.JOB_SHRED - The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or during the start-up procedure if residual D.PRINT_JOB, D.SCAN_JOB or D.COPY_JOB are found on the TOE’s hard disk (including the swap file). The first write cycle starts immediately after the job has been deleted and the rest are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. ‘Scrubbing’ the data from the hard disk when it is no longer needed helps prevent the data being accessed by unauthorised persons.

T.MALWARE
The threat is met by the following objectives for the environment:
O.F.INBOUND_FILTER - The TOE will only support TCP/IP, UDP/IP and ICMP as network protocols. D.INBOUND_TRAFFIC shall only enter the TOE (R.ENTER_TOE) if the Port is specified as being open in Appendix D. The chances of malware being accidentally sent to the TOE and causing a security violation are limited by only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE. Although the TOE is designed, tested and configured with security as a main concern, it is possible that vulnerabilities will be discovered in the future that could be exploited in order to use the TOE as a launch pad for an attack. By only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE, the chances of a successful attack launch are limited.
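The shredding sequence described in footnote 7 (section 5.1.2), SF.SHREDDING (section 6.1) and O.F.JOB_SHRED above can be modelled to show why a plain delete leaves T.RESIDUAL_DATA open and the E-shred sequence closes it. The in-memory model below is an added example, not code from the Security Target or from the Smart Imager; the block size, the zero/one/random overwrite sequence and the forensic residual check are assumptions made for the model.

```python
import os
from typing import Dict, List

BLOCK = 16  # bytes per disk block; toy size chosen for this model (assumption)
# Overwrite patterns applied in turn: zeros, ones, random. This mirrors a
# three-pass DoD 5220.22-M style sequence; the Gutmann passes are not modelled.
PATTERNS = (0x00, 0xFF, None)


class SmartImagerDisk:
    """Toy model of the TOE hard disk: a flat byte array plus a file
    allocation table (FAT) mapping job names to the blocks they occupy."""

    def __init__(self, blocks: int = 64, shred_runs: int = 3) -> None:
        self.disk = bytearray(blocks * BLOCK)
        self.free: List[int] = list(range(blocks))
        self.fat: Dict[str, List[int]] = {}         # live jobs
        self.shred_area: Dict[str, List[int]] = {}  # references handed to E-shred
        self.passes: Dict[str, int] = {}            # write cycles done per job
        self.shred_runs = max(3, shred_runs)        # at least three cycles always

    def set_shred_runs(self, runs: int) -> int:
        """The FMT_SMF.1 'set the number of shred runs' function. The caller
        is assumed to be an authenticated S.REMOTE_SYSADMIN or
        S.SERVICE_ENGINEER; authentication itself is not modelled."""
        self.shred_runs = max(3, runs)
        return self.shred_runs

    def write_job(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK)  # ceiling division
        if needed > len(self.free):
            raise RuntimeError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.disk[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.fat[name] = blocks

    def os_delete(self, name: str) -> None:
        """What a plain OS delete does (footnote 7): drop the FAT entry and
        free the blocks, leaving every byte of the job on the disk."""
        self.free.extend(self.fat.pop(name))

    def discard(self, name: str) -> None:
        """Job manager discards a job: the FAT reference moves to the E-shred
        area and the first write cycle runs immediately."""
        self.shred_area[name] = self.fat.pop(name)
        self.passes[name] = 0
        self._overwrite(name)

    def on_idle(self) -> List[str]:
        """TOE enters idle: finish the remaining cycles, then release the
        blocks for re-use. Returns the names of the jobs fully shredded."""
        done = []
        for name in list(self.shred_area):
            while self.passes[name] < self.shred_runs:
                self._overwrite(name)
            self.free.extend(self.shred_area.pop(name))
            done.append(name)
        return done

    def on_startup(self) -> List[str]:
        """Start-up or reboot (footnote 8): every job still on disk is shredded."""
        for name in list(self.fat):
            self.discard(name)
        return self.on_idle()

    def _overwrite(self, name: str) -> None:
        pattern = PATTERNS[self.passes[name] % len(PATTERNS)]
        for b in self.shred_area[name]:
            fill = os.urandom(BLOCK) if pattern is None else bytes([pattern]) * BLOCK
            self.disk[b * BLOCK:(b + 1) * BLOCK] = fill
        self.passes[name] += 1

    def residual(self, data: bytes) -> bool:
        """The check S.THIEF would make with disk tools: is the job content
        still readable anywhere on the raw disk?"""
        return self.disk.find(data) != -1
```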
P.JOB_DELETE
The policy requirement is met by the following TOE functional objective:
O.F.JOB_SHRED - The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or if during the start-up procedure residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB are found on the TOE’s hard disk (including the swap file). The first write cycle starts immediately after the job has been deleted and the remaining cycles are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. ‘Scrubbing’ the data from the hard disk when it is no longer needed helps prevent the data being accessed by unauthorised persons.

P.TOE_ADMINISTRATION
The policy requirement is met by the following TOE functional objective:
O.F.AUTHENTICATE - The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify and authenticate themselves to the TOE before allowing them to modify the TOE security settings.

8.2 Security Requirements Rationale

The purpose of the Security Requirements Rationale is to demonstrate that the security requirements are suitable to meet the Security Objectives.

8.2.1 The SFRs meet the Security Objectives for the TOE

For each Security Objective for the TOE we demonstrate that it is met by the SFRs. The tracings are provided implicitly by the rationales.

SFRs traced (table columns): FDP_ACC.1, FDP_ACF.1, FDP_RIP.1, FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1
O.F.JOB_SHRED: FDP_RIP.1, FPT_SEP.1, FPT_RVM.1
O.F.AUTHENTICATE: FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1

The individual rationales demonstrating that the objectives are met are described as follows:

O.F.INBOUND_FILTER

FDP_ACC.1 Subset access control
Inbound traffic is filtered so that only traffic relating to the operation of the TOE is allowed to enter the TOE.
This SFR supports the security objective by restricting the TOE data flow to only that which is necessary for the operation of the TOE. This reduces the number of vulnerable entry points.

FDP_ACF.1 Security attribute based access control
All ports that are not necessary for the operation of the TOE as described in this document are blocked. This SFR supports the security objective by reducing the number of entry points that could be vulnerable to attack.

FMT_MSA.1 Management of security attributes
The TOE is delivered pre-configured to the customer. This SFR supports the objective by ensuring that it is not possible for any user (including S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN) to change the settings of the firewall mechanism.

FMT_MSA.3 Static attribute initialisation
In order to change the security attributes of the TOE, the management interfaces provided for S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN must be used. This SFR supports the objective by ensuring that the TOE provides restrictive default security-related settings that require no additional modification by S.SERVICE_ENGINEER or S.REMOTE_SYSADMIN. Nobody is allowed to create new settings with alternative values.

FPT_RVM.1 Non-bypassability of the TSP
In order for data to enter or leave the TOE it must pass through the filtering mechanism. This SFR supports the security objective by ensuring that the TSF cannot be bypassed, which would otherwise create a direct line between the network to which the TOE is attached and the TOE.

FPT_SEP.1 TSF domain separation
Filtering of network traffic occurs in an area of the TOE that is separate from non-TSF-related operation. This SFR supports the objective by ensuring that the filtering mechanism is protected by not being exposed to non-TSF mechanisms from which a possible attack could be made.
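The NETWORK_POLICY rule of FDP_ACF.1.2 (section 5.1.1) together with the restrictive-default and no-change requirements of FMT_MSA.3 and FMT_MSA.1 above can be expressed as a small default-deny filter. The following is an added Python model, not code from the Security Target or from Océ; it assumes the standard IANA port numbers for LPR, HTTP, HTTPS and SNMP in place of the Appendix D rule table, which is not reproduced on this page.

```python
from dataclasses import dataclass
from types import MappingProxyType
from typing import List, Optional

# Stand-in for the Appendix D rule table (assumption: standard IANA port
# numbers for the services named in FDP_ACF.1.2). MappingProxyType makes the
# table read-only, mirroring FMT_MSA.1: nobody may change Port/Protocol.
OPEN_PORTS = MappingProxyType({
    ("TCP", 515): "LPR",
    ("TCP", 80): "HTTP",
    ("TCP", 443): "HTTPS",
    ("UDP", 161): "SNMP",
})
SUPPORTED_PROTOCOLS = frozenset({"TCP", "UDP", "ICMP"})


@dataclass(frozen=True)
class InboundTraffic:
    """D.INBOUND_TRAFFIC with its security attributes Port and Protocol."""
    src: str
    protocol: str
    port: Optional[int] = None  # ICMP carries no port


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def r_enter_toe(pkt: InboundTraffic) -> Decision:
    """Apply NETWORK_POLICY to one packet. Anything not explicitly listed is
    denied, which is the restrictive default required by FMT_MSA.3."""
    proto = pkt.protocol.upper()
    if proto not in SUPPORTED_PROTOCOLS:
        return Decision(False, f"protocol {pkt.protocol} not supported by the TOE")
    if proto == "ICMP":
        return Decision(True, "ICMP permitted by NETWORK_POLICY")
    if pkt.port is None:
        return Decision(False, f"{proto} packet without a Port attribute")
    service = OPEN_PORTS.get((proto, pkt.port))
    if service is None:
        return Decision(False, f"{proto}/{pkt.port} is not an open port")
    return Decision(True, f"{service} on {proto}/{pkt.port} is open")


def audit_trail(packets: List[InboundTraffic]) -> List[str]:
    """One log line per packet, the kind of record an operator reviews to
    spot unexpected connection attempts against the TOE."""
    lines = []
    for pkt in packets:
        d = r_enter_toe(pkt)
        port = "-" if pkt.port is None else str(pkt.port)
        lines.append(f"{'ALLOW' if d.allowed else 'DENY'} {pkt.src} "
                     f"{pkt.protocol.upper()}/{port}: {d.reason}")
    return lines


def try_open_port(protocol: str, port: int, service: str) -> bool:
    """Attempt to add a rule at run time. Returns True only if the table
    changed; under FMT_MSA.1 the read-only table refuses every change."""
    try:
        OPEN_PORTS[(protocol, port)] = service  # type: ignore[index]
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    # Constructed sample traffic (RFC 5737 documentation addresses), not a
    # capture from a real device.
    sample = [
        InboundTraffic("192.0.2.10", "TCP", 515),
        InboundTraffic("192.0.2.10", "TCP", 22),
        InboundTraffic("192.0.2.11", "UDP", 161),
        InboundTraffic("192.0.2.11", "UDP", 80),
        InboundTraffic("192.0.2.12", "ICMP"),
        InboundTraffic("192.0.2.13", "GRE"),
    ]
    print("\n".join(audit_trail(sample)))
    print("rule table changed:", try_open_port("TCP", 22, "SSH"))
```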
O.F.JOB_SHRED

FDP_RIP.1 Subset residual information protection
This SFR supports the objective by ensuring that once a print, copy or scan job is no longer needed, and during the start-up procedure if residual print or scan job data is found, the related data will be electronically shredded from the hard disk. The SFR has been refined to describe the moment when the data will be shredded.

FPT_RVM.1 Non-bypassability of the TSP
Print and scan jobs must pass through the shredding mechanism. This SFR supports the objective by ensuring that print and scan jobs cannot leave the TOE except in the authorised manner.

FPT_SEP.1 TSF domain separation
Shredding occurs in an area of the TOE that is separate from non-TSF-related operation. This SFR supports the objective by ensuring that the shredding mechanism is protected by not being exposed to other non-TSF mechanisms from which a possible attack could be made.

O.F.AUTHENTICATE

FIA_UID.2 User identification before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify themselves to the TOE before any TOE management actions can be performed.

FIA_UAU.2 User authentication before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before any TOE management actions can be performed.

FMT_SMF.1 Specification of Management Functions
The functions that can be performed by either S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER are defined.

FMT_MOF.1 Management of security functions behaviour
Only TOE administrators and Océ technicians can use security-related functions.

FMT_SMR.1 Security roles
The TOE shall make a distinction between administrators and ordinary users.

FPT_RVM.1 Non-bypassability of the TSP
Users other than S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER cannot gain access to security management functions of the TOE without first being controlled by the mechanisms specified in this document.
FPT_SEP.1 TSF domain separation
Identification and authentication of users occurs in an area of the TOE that is separate from non-security-related operation.

8.2.2 The security requirements for the IT environment meet the security objectives for the environment

The TOE does not make any security requirements on its environment.

8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate

The Assurance Requirements consist of EAL2 requirement components. The TOE is a commercially available device produced by a well-known manufacturer and, most importantly, provides a limited set of security-related functionality. The TOE has been structurally tested by Océ and is suitable for environments that require a low to moderate level of independently assured security. The developer works in a consistent manner with good commercial practice. Occasionally the TOE may develop a problem that requires S.SERVICE_ENGINEER to make a visit to the customer location in order to repair the TOE. Océ has procedures that support these processes, and for this reason the assurance requirements have been augmented with the following assurance component, as the developer is able to meet it:

Components for Life cycle support (Class ALC)
• ALC_FLR.1 Basic flaw remediation

The evaluation of the TOE security mechanisms at AVA_VLA.1 is designed to provide assurance against the exploitation of obvious vulnerabilities by an attacker with a low attack potential. Therefore the SOF claim is SOF-basic. This strength of function claim is consistent with the security objectives for the TOE and the TOE assumptions that have been made.
EAL2+ ALC_FLR Which comprises of: ACM_CAP.2 Configuration Items ADO_DEL.1 Delivery procedures ADO_IGS.1 Installation, generation, and start-up procedures ADV_FSP.1 Fully defined external interfaces ADV_HLD.1 Security enforcing high-level design ADV_RCR.1 Informal correspondence demonstration AGD_ADM.1 Administrator Guidance AGD_USR.1 User guidance ALC_FLR.1 Basic Flaw remediation ATE_COV.1 Analysis of coverage ATE_FUN.1 Functional testing ATE_IND.2 Independent testing – sample AVA_SOF.1 Strength of TOE security function evaluation AVA_VLA.1 Developer vulnerability analysis O.A.SLA COMMERCIAL 04th July 2008 Page 46 of 57 Commercial BSI-DSZ-CC-0510 8.2.4 All dependencies have been met The following dependencies are identified and met: FDP_ACF.1, FDP_ACC.1, FMT_MSA.1, FMT_MSA.3, FIA_UID.2, FMT_SMF.1, FMT_SMR.1. 8.2.5 The requirements are internally consistent Because the assurance requirements form a package (EAL 2) they are internally consistent. The addition of ALC_FLR.1 does not cause inconsistencies with the EAL 2 package. The functional requirements and assurance requirements do not have any dependencies between them, and are therefore completely independent of each other. Because both functional and assurance requirements are internally consistent, and they are independent, the requirements are internally consistent. 8.2.6 The requirements are mutually supportive The requirements are complete and do not cause inconsistencies, therefore the requirements are considered to be mutually supportive. (This argument has been based on section 9.3.8 of Guide for the production of PPs and STs, PDTR 15446 N2449). COMMERCIAL 04th July 2008 Page 47 of 57 Commercial BSI-DSZ-CC-0510 8.3 TOE Summary Specification Rationale 8.3.1 The functions meet the SFRs For each SFR we demonstrate that it is met by the Security Functions. The tracings are provided implicitly by the rationales. FDP_ACC1. 
Tracing matrix (column headings: FDP_ACC.1, FDP_ACF.1, FDP_RIP.1, FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1; an X marks an SFR that the Security Function supports, and the per-SFR rationale below states each tracing explicitly):
SF.FILTERING:  X X X X X X
SF.SHREDDING:  X X X
SF.MANAGEMENT: X X X X X X X X X

FDP_ACC.1 This Security Functional Requirement ensures that only traffic that is relevant to the operation of the TOE is allowed to enter it. This SFR is supported by SF.FILTERING, which restricts the flow of network traffic and limits the supported network protocols.

FDP_ACF.1 This Security Functional Requirement ensures that all ports that are non-essential to the operation of the TOE are blocked. This SFR is supported by SF.FILTERING, which expands on the restricted flow of network traffic and supported network protocols by defining which ports are open and which protocols are supported.

FDP_RIP.1 This Security Functional Requirement requires that residual information relating to D.PRINT_JOB, D.COPY_JOB and D.SCAN_JOB is deleted once it is no longer needed, or during the startup procedure if residual print or scan job data is found on the hard disk (including the swap file). The SFR has been refined to describe the moment at which the data will be shredded. This SFR is supported by SF.SHREDDING, which ensures that the data objects detailed above are shredded in accordance with known standards. This SFR reduces the amount of sensitive data present on the hard disk in the event of the disk being stolen.

FIA_UID.2 This Security Functional Requirement ensures that administrators correctly identify themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT, which provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) identify themselves to the TOE. This restricts access to the security management functions and thereby reduces the risk of TOE settings being modified by unauthorised users.
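The shredding behaviour that FDP_RIP.1 and SF.SHREDDING describe is configured through the Appendix E settings: the DoD method is fixed at 3 passes, Gutmann at 35, and only the Custom method accepts a run count, restricted to 3 to 35. The following is an added example, not Océ code from this Security Target; the ST names the methods and pass counts but does not show the on-device implementation, so the overwrite patterns, the chunk size and the helper names (resolve_passes, shred, shred_demo) are assumptions made for illustration.

```python
"""Overwrite shredding with the Appendix E method / run-count constraints.

Added example, not the Smart Imager's own shredder. Pass counts come from
the ST (DoD 3, Gutmann 35, Custom 3..35); the byte patterns are assumed.
"""
import os
import secrets
import tempfile
from typing import Optional, Tuple

# Pass counts stated in Appendix E, footnote 17.
FIXED_PASSES = {"DoD": 3, "Gutmann": 35}
CUSTOM_MIN, CUSTOM_MAX = 3, 35
CHUNK = 1 << 16


def resolve_passes(method: str, runs: Optional[int] = None) -> int:
    """Validate the 'Method' and 'Number of runs' settings together.

    DoD and Gutmann carry a fixed pass count that a caller may not override;
    only Custom takes a run count, and only inside 3..35. Bad settings are
    rejected here, before any I/O is attempted.
    """
    if method in FIXED_PASSES:
        fixed = FIXED_PASSES[method]
        if runs is not None and runs != fixed:
            raise ValueError(f"{method} is fixed at {fixed} passes")
        return fixed
    if method == "Custom":
        if runs is None or not CUSTOM_MIN <= runs <= CUSTOM_MAX:
            raise ValueError(f"Custom runs must be {CUSTOM_MIN}..{CUSTOM_MAX}")
        return runs
    raise ValueError(f"unknown shredding method {method!r}")


def settings_accepted(method: str, runs: Optional[int] = None) -> bool:
    """True if the (method, runs) pair would be accepted by resolve_passes."""
    try:
        resolve_passes(method, runs)
    except ValueError:
        return False
    return True


def pass_fill(method: str, index: int, total: int, length: int) -> bytes:
    """Bytes written in pass `index` (0-based). Assumed patterns: DoD-style
    0x00, 0xFF, random; Gutmann-style random in the first and last four
    passes with 0x55/0xAA alternating in between (a simplification of the
    35-pass table in reference [1]); Custom alternates 0x00/0xFF, ending
    with a random pass."""
    if method == "DoD":
        pattern = (b"\x00", b"\xff", None)[index]
    elif method == "Gutmann":
        edge = index < 4 or index >= total - 4
        pattern = None if edge else (b"\x55", b"\xaa")[index % 2]
    else:
        pattern = None if index == total - 1 else (b"\x00", b"\xff")[index % 2]
    return secrets.token_bytes(length) if pattern is None else pattern * length


def shred(path: str, method: str, runs: Optional[int] = None) -> int:
    """Overwrite `path` in place for the resolved number of passes, forcing
    each pass out of the page cache, then truncate and unlink it. Returns
    the number of passes performed."""
    passes = resolve_passes(method, runs)
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(pass_fill(method, i, passes, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not count a pass until it is on disk
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return passes


def shred_demo(content: bytes, method: str, runs: Optional[int] = None) -> Tuple[int, bool]:
    """Write constructed sample job data to a temporary file, shred it and
    return (passes performed, whether the file still exists)."""
    fd, path = tempfile.mkstemp(prefix="job-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    passes = shred(path, method, runs)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print(shred_demo(b"D.PRINT_JOB: constructed page data\n" * 2000, "DoD"))
```

Two caveats that the FDP_RIP.1 refinement already hints at: a file-level overwrite only reaches the blocks the file system rewrites in place, so journaled or copy-on-write file systems, remapped sectors and the swap file are exactly the residue the startup-time scan of the hard disk has to deal with, and fsync is the strongest guarantee user-mode code has that a pass left the cache.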
FIA_UAU.2 This Security Functional Requirement ensures that administrators correctly authenticate themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT, which provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) authenticate themselves to the TOE. This restricts access to the security management functions and thereby reduces the risk of TOE settings being modified by unauthorised users.

FMT_MOF.1 This Security Functional Requirement ensures that the TOE management functions can only be used by the Océ technician (S.SERVICE_ENGINEER) or the customer system administrator (S.REMOTE_SYSADMIN). This SFR is supported by SF.MANAGEMENT, which ensures that non-administrators cannot administer the TOE.

FMT_MSA.1 This Security Functional Requirement ensures that the filter mechanism settings cannot be changed through the TOE management functions. This SFR is supported by SF.MANAGEMENT, which ensures that filter related settings cannot be changed by administrators.

FMT_MSA.3 This Security Functional Requirement ensures that the filter mechanism settings are given default values. This SFR is supported by SF.MANAGEMENT, which ensures that the filter related settings are pre-configured before delivery to the customer.

FMT_SMF.1 This Security Functional Requirement ensures that the TOE management functions are defined. This SFR is supported by the functions made available by SF.MANAGEMENT, which define the set of operations available to the Océ technician (S.SERVICE_ENGINEER) or the customer system administrator (S.REMOTE_SYSADMIN) that are needed to administer the TOE.

FMT_SMR.1 This Security Functional Requirement ensures that the TOE makes a distinction between security related roles and normal users. This SFR is supported by SF.MANAGEMENT, which ensures that non-administrators cannot administer the TOE.
FPT_SEP.1 This Security Functional Requirement ensures that the TSF operates in its own domain and cannot be influenced by external sources. This requirement is met by the physical characteristics of the TOE, which comprises software running on a generic PC hardware platform. The Smart Imager only provides functionality related to the operation of the TOE and does not have a dual function, for example as an office file server. The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that the TSF operates in its own domain. The operation of the TSF in its own domain provides the following:
1. The filtering mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.FILTERING. This protects the integrity of the filtering mechanism against unauthorised subjects and attacks.
2. The shredding mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.SHREDDING. This protects the integrity of the shredding mechanism against unauthorised subjects and attacks.
3. The TOE security management mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.MANAGEMENT. This protects the integrity of the security management mechanisms against unauthorised subjects and attacks.

FPT_RVM.1 This Security Functional Requirement ensures that no security related operation can be performed without being controlled by the TOE's security mechanisms. The Smart Imager provides a limited set of security functionality that is related to the operation of the TOE. The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that only the TSF can perform security related operations. This SFR is supported by SF.MANAGEMENT. This Security Functional Requirement ensures that:
1. No filtering mechanism can be invoked without being controlled by the TOE's security mechanisms. This SFR is supported by SF.FILTERING.
2. No shredding mechanism can be invoked without being controlled by the TOE's security mechanisms. This SFR is supported by SF.SHREDDING.
3. No security related operation can be performed without being controlled by the TOE's security mechanisms. This SFR is supported by SF.MANAGEMENT.

8.3.2 The assurance measures meet the SARs

The statement of assurance measures has been presented in the form of references to the documents that show that the assurance measures have been met (CC Part 3 paragraph 188). This statement can be found in section 6.2.

8.3.3 The SOF-claims for functions meet the SOF-claims for the SFRs

The SFRs FIA_UAU.2 and FIA_UID.2 require the TOE to provide security functions that implement identification/authentication functionality meeting a SOF claim of 'SOF-basic'. The rationale for this is that the claim must be adequate to defend against the threats identified in the TOE Security Environment, for which a low attack potential exists. The Security Function that is realised by probabilistic or permutational mechanisms is:
• SF.MANAGEMENT
The claim for this Security Function is 'SOF-basic'. This Security Function is traced back to the TOE SFRs it implements in 8.3.1. As the SOF claim for the Security Function is equal to the SOF claim for the TOE SFRs it implements, the SOF claims are consistent.
8.3.4 The functions are mutually supportive

The requirements are mutually supportive (see section 8.2.6) and the functions that implement these requirements are complete (see section 8.3.1). The functions are therefore mutually supportive. (This argument is based on section 9.3.8 of the Guide for the production of PPs and STs, PDTR 15446 N2449.)

8.4 PP Claims Rationale

This Security Target does not claim conformance to any Protection Profile.

Appendix A Abbreviations

BSI    Bundesamt für Sicherheit in der Informationstechnik
ITSEF  IT Security Evaluation Facility
LUI    Local User Interface (attached to the Smart Imager via a USB connection); a non-security related interface used to manage the print queues
MFD    Multifunctional device for copying, printing and scanning, connected to a network

Appendix B References

1. Peter Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, 1996 (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html)
2. US Department of Defense, DoD 5220.22-M, National Industrial Security Program Operating Manual (http://www.dss.mil/isecnispom_0195.htm)

Appendix C Glossary of Terms

Repro-room  Reprographics room

Appendix D Firewall rule table

The firewall rule table used by the Smart Imager to control the inbound flow of data is given below. By default no traffic is permitted to enter the TOE except on the ports defined in the rule table.
Purpose                                                   Protocol  Destination port
ICMP (administration)                                     ICMP      any
LPR (accepting print jobs)                                TCP       515
Web HTTPS server with HTTP redirect (administration)      TCP       443
                                                          TCP       80
SNMP (non security functionality related administration)  UDP       161

Appendix E Security Related Administration Functions

In this appendix the security related administration functions that are available to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN are detailed. The tables give the administration function name and a short description.

S.SERVICE_ENGINEER
Administration function   Description
ResetSASPassword          Resets the S.REMOTE_SYSADMIN password to its default value

S.REMOTE_SYSADMIN & S.SERVICE_ENGINEER
Administration function                     Description
Security\Security level\enable high level   Enable/disable switch for the high security level [16] (this must not be changed if the customer requires the CC evaluated configuration)
Security\E-shredding\Method                 Shredding method (DoD, Gutmann, Custom)
Security\E-shredding\Number of runs         Number of runs; can be set from 3 to 35 when the 'Custom' shredding method is selected [17]
System\System administrator PIN             Change the S.REMOTE_SYSADMIN password

[16] In high security mode shredding cannot be turned off.
[17] When "DoD" is chosen, the number of passes is fixed at 3 and cannot be changed. When "Gutmann" is chosen, the number of passes is fixed at 35 and cannot be changed.

Appendix F XP Patches applied

KB918118, KB921503, KB924270, KB924667, KB925454, KB925902, KB926247, KB926255, KB926436, KB927779, KB928090, KB928255, KB928388, KB930178, KB931784, KB931836, KB933360, KB933566, KB935839, KB935840, KB936021, KB937143, KB938829, KB939373

Distribution list
1. BSI
2. Océ Technologies BV
3. Brightsight
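The Appendix D rule table, together with the FDP_ACC.1/FDP_ACF.1 rationale in 8.3.1 (default deny, only the listed protocols and ports enter the TOE) and FMT_MSA.1/FMT_MSA.3 (the filter settings are delivered pre-configured and cannot be changed by administrators), is illustrated below as a small default-deny inbound filter. This is an added example and not the Smart Imager's own firewall, which the Security Target does not show; the packet samples are constructed, and the names Rule, Packet, verdict, open_ports and rules_are_immutable are assumptions made for illustration.

```python
"""Default-deny inbound filter built from the Appendix D rule table.

Added example, not Océ code. Rules come from the ST; the packets below are
constructed samples. Decisions are returned, not only printed, so the
filter can be checked against an expected port-scan result.
"""
from typing import List, NamedTuple, Optional, Set, Tuple


class Rule(NamedTuple):
    purpose: str
    proto: str            # "icmp", "tcp" or "udp"
    dport: Optional[int]  # None = any (ICMP carries no port)


# Appendix D, Smart Imager inbound rule table. Held in a tuple so that no
# management function can add or edit rules at run time (FMT_MSA.1); the
# tuple is the pre-configured default delivered with the TOE (FMT_MSA.3).
INBOUND_RULES: Tuple[Rule, ...] = (
    Rule("ICMP (administration)", "icmp", None),
    Rule("LPR (accepting print jobs)", "tcp", 515),
    Rule("Web HTTPS server (administration)", "tcp", 443),
    Rule("HTTP redirect to HTTPS (administration)", "tcp", 80),
    Rule("SNMP (non security related administration)", "udp", 161),
)


class Packet(NamedTuple):
    src: str
    proto: str
    dport: Optional[int] = None


def match_rule(pkt: Packet) -> Optional[Rule]:
    """First rule whose protocol and destination port match, else None."""
    for rule in INBOUND_RULES:
        if rule.proto == pkt.proto.lower() and rule.dport in (None, pkt.dport):
            return rule
    return None


def verdict(pkt: Packet) -> str:
    """Default deny (FDP_ACC.1/FDP_ACF.1): no matching rule means DROP."""
    return "ACCEPT" if match_rule(pkt) else "DROP"


def filter_inbound(packets) -> Tuple[List[Packet], List[Packet]]:
    """Split a packet sequence into (accepted, dropped) lists."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (accepted if verdict(pkt) == "ACCEPT" else dropped).append(pkt)
    return accepted, dropped


def open_ports() -> Set[Tuple[str, int]]:
    """The exposed (proto, port) set: what a port scan of the TOE should
    show and nothing more, a usable acceptance check after delivery."""
    return {(r.proto, r.dport) for r in INBOUND_RULES if r.dport is not None}


def rules_are_immutable() -> bool:
    """FMT_MSA.1 check: an attempt to replace a rule must be refused."""
    try:
        INBOUND_RULES[0] = Rule("rogue", "tcp", 23)  # type: ignore[index]
    except TypeError:
        return True
    return False


# Constructed sample traffic: a print client, an administrator's
# workstation, a monitoring host and a few probes that must be dropped.
SAMPLE_PACKETS = (
    Packet("10.0.0.5", "tcp", 515),    # LPR print job
    Packet("10.0.0.5", "tcp", 9100),   # raw-port printing: not in the table
    Packet("10.0.0.9", "tcp", 443),    # HTTPS administration
    Packet("10.0.0.9", "tcp", 80),     # HTTP, redirected to HTTPS
    Packet("10.0.0.9", "tcp", 22),     # SSH probe: not in the table
    Packet("10.0.0.7", "udp", 161),    # SNMP
    Packet("10.0.0.7", "udp", 162),    # SNMP trap port: not in the table
    Packet("10.0.0.2", "icmp"),        # ping
)


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        rule = match_rule(pkt)
        print(verdict(pkt), pkt, rule.purpose if rule else "")
```

Keeping the decision in verdict and the exposure in open_ports makes the two things worth checking after installation explicit: every constructed probe outside the table is dropped, and the set of listening ports is exactly TCP 515, 443, 80 and UDP 161.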