Security Target
Version 0.14
This document is a translation of the evaluated and
certified security target written in Japanese.
i
TABLE OF CONTENTS
1. ST INTRODUCTION.................................................................................................................1
1.1. ST Reference.............................................................................................................................................1
1.2. TOE Reference .........................................................................................................................................1
1.3. TOE Overview..........................................................................................................................................1
1.3.1. TOE Type ...........................................................................................................................................1
1.3.2. Usage and Major Security Features of the TOE..................................................................................1
1.3.3. Required Non-TOE Hardware and Software ......................................................................................2
1.4. TOE Description ......................................................................................................................................3
1.4.1. Physical Boundary...............................................................................................................................3
1.4.2. Guidance .............................................................................................................................................5
1.4.3. Logical Boundary.................................................................................................................................6
1.4.3.1. General Functions ..........................................................................................................................6
1.4.3.2. Security Function ...........................................................................................................................7
1.4.3.3. Terminology...................................................................................................................................8
2. CONFORMANCE CLAIM .......................................................................................................9
2.1. CC Conformance Claim ............................................................................................................................9
2.2. PP Conformance Claim.............................................................................................................................9
2.3. Package Conformance Claim.....................................................................................................................9
2.4. Conformance Rationale.............................................................................................................................9
3. SECURITY PROBLEM DEFINITION..................................................................................10
3.1. User ........................................................................................................................................................10
3.2. Assets......................................................................................................................................................10
3.2.1. User Data ..........................................................................................................................................10
3.2.2. TSF Data ...........................................................................................................................................10
3.3. Threats....................................................................................................................................................11
3.4. Organization Security Policies ................................................................................................................11
3.4.1. Definition of Organization Security Policies.....................................................................................11
3.5. Prerequisites ...........................................................................................................................................12
4. SECURITY OBJECTIVES......................................................................................................12
4.1. Security Objectives for Operational Environment ...................................................................................12
5. EXTENDED COMPONENT DEFINITIONS........................................................................13
5.1. FAU_STG_EXT Extended: External Audit Trail Storage......................................................................13
5.2. FCS_CKM_EXT Extended: Cryptographic Key Management...............................................................13
5.3. FCS_HTTPS_EXT Extended: HTTPS selected....................................................................................14
5.4. FCS_KDF_EXT Extended: Cryptographic Key Derivation ...................................................................15
5.5. FCS_KYC_EXT Extended: Cryptographic Operation (Key Chaining)..................................................15
5.6. FCS_RBG_EXT Extended: Cryptographic Operation (Random Bit Generation) .................................16
5.7. FCS_SMC_EXT Extended: Submask Combining..................................................................................17
ii
5.8. FCS_TLS_EXT Extended: TLS selected...............................................................................................18
5.9. FDP_DSK_EXT Extended: Protection of Data on Disk........................................................................19
5.10. FDP_FXS_EXT Extended: Fax Separation ...........................................................................................19
5.11. FIA_PMG_EXT Extended: Password Management..............................................................................20
5.12. FPT_KYP_EXT Extended: Protection of Key and Key Material ...........................................................21
5.13. FPT_SKP_EXT Extended: Protection of TSF Data..............................................................................21
5.14. FPT_TST_EXT Extended: TSF testing ................................................................................................22
5.15. FPT_TUD_EXT Extended: Trusted Update ........................................................................................23
6. SECURITY REQUIREMENTS ..............................................................................................24
6.1. Notation..................................................................................................................................................24
6.2. Class FAU: Security Audit ....................................................................................................................24
6.2.1. FAU_GEN.1 Audit data generation................................................................................................24
6.2.2. FAU_GEN.2 User identity association ...........................................................................................24
6.2.3. FAU_STG_EXT.1 Extended: External Audit Trail Storage............................................................24
6.3. Class FCS: Cryptographic Support..........................................................................................................25
6.3.1. FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys) .........................................25
6.3.2. FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys).................................................25
6.3.3. FCS_CKM.4(a) Cryptographic key destruction..............................................................................25
6.3.4. FCS_CKM.4(b) Cryptographic key destruction .............................................................................25
6.3.5. FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction ........................................26
6.3.6. FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption) ............................26
6.3.7. FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)........................26
6.3.8. FCS_RBG_EXT.1(a) Extended: Cryptographic Operation (Random Bit Generation)..................26
6.3.9. FCS_RBG_EXT.1(b) Extended: Cryptographic Operation (Random Bit Generation)..................26
6.3.10. FCS_COP.1(c) Cryptographic operation (Hash Algorithm)..........................................................27
6.3.11. FCS_COP.1(f) Cryptographic operation (Key Encryption) ...........................................................27
6.3.12. FCS_SMC_EXT.1 Extended: Submask Combining...........................................................................27
6.3.13. FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication) ....................27
6.3.14. FCS_COP.1(h) Cryptographic Operation (for keyed-hash message authentication) ....................27
6.3.15. FCS_TLS_EXT.1 Extended: TLS selected .....................................................................................27
6.3.16. FCS_HTTPS_EXT.1 Extended: HTTPS selected ..........................................................................28
6.3.17. FCS_KDF_EXT Extended: Cryptographic Key Derivation ............................................................28
6.3.18. FCS_KYC_EXT.1 Extended: Key Chaining....................................................................................28
6.4. Class FDP: User Data Protection............................................................................................................28
6.4.1. FDP_ACC.1 Subset access control .................................................................................................28
6.4.2. FDP_ACF.1 Security attribute based access control ......................................................................31
6.4.3. FDP_FXS_EXT.1 Extended: Fax separation...................................................................................31
6.4.4. FDP_DSK_EXT.1 Extended: Protection of Data on Disk..............................................................31
6.5. Class FIA: Identification and Authentication...........................................................................................32
iii
6.5.1. FIA_AFL.1 Authentication failure handling ...................................................................................32
6.5.2. FIA_ATD.1 User attribute definition .............................................................................................32
6.5.3. FIA_PMG_EXT Extended: Password Management .......................................................................32
6.5.4. FIA_UAU.1 Timing of authentication............................................................................................32
6.5.5. FIA_UAU.7 Protected authentication feedback .............................................................................32
6.5.6. FIA_UID.1 Timing of identification...............................................................................................33
6.5.7. FIA_USB.1 User-subject binding ...................................................................................................33
6.6. Class FMT: Security Management ..........................................................................................................33
6.6.1. FMT_MOF.1 Management of security functions behavior ............................................................33
6.6.2. FMT_MSA.1 Management of security attributes ...........................................................................33
6.6.3. FMT_MSA.3 Static attribute initialization .....................................................................................34
6.6.4. FMT_MTD.1 Management of TSF data ........................................................................................34
6.6.5. FMT_SMF.1 Specification of Management Functions...................................................................35
6.6.6. FMT_SMR.1 Security roles ...............................................................................................................38
6.7. Class FPT: Protection of the TSF............................................................................................................38
6.7.1. FPT_SKP_EXT.1 Extended: Protection of TSF Data ....................................................................38
6.7.2. FPT_STM.1 Reliable time stamps..................................................................................................38
6.7.3. FPT_TST_EXT.1 Extended: TSF testing.......................................................................................38
6.7.4. FPT_TUD_EXT.1 Extended: Trusted Update...............................................................................38
6.7.5. FPT_KYP_EXT.1 Extended: Protection of Key and Key Material .................................................38
6.8. Class FTA: TOE Access ..........................................................................................................................39
6.8.1. FTA_SSL.3 TSF-initiated termination..............................................................................................39
6.9. Class FTP: Trusted Paths/Channels .......................................................................................................39
6.9.1. FTP_ITC.1 Inter-TSF trusted channel...........................................................................................39
6.9.2. FTP_TRP.1(a) Trusted path (for Administrators).........................................................................39
6.9.3. FTP_TRP.1(b) Trusted path (for Non-administrators).................................................................39
6.10. Security Assurance Requirements ...........................................................................................................40
6.11. Security Functional Requirements Rationale...........................................................................................40
6.11.1. Dependencies of Security Functional Requirements Documents .....................................................40
6.11.2. Security Assurance Requirements Rationale .....................................................................................42
7. TOE SUMMARY SPECIFICATION......................................................................................43
7.1. Audit.......................................................................................................................................................43
7.2. Cryptographic Support............................................................................................................................44
7.3. Storage Encryption (Conditionally mandatory).......................................................................................47
7.4. Storage Encryption (Selective requirements) ..........................................................................................48
7.5. Communication Protection (Selective requirements)..............................................................................49
7.6. Trusted Update (Selective requirements) ...............................................................................................50
7.7. User Data Protection ..............................................................................................................................50
7.8. PSTN Fax-Network Separation...............................................................................................................56
iv
7.9. Identification and Authentication............................................................................................................56
7.10. Security Management..............................................................................................................................57
7.11. Protection of the TSF..............................................................................................................................59
7.12. TOE Access ............................................................................................................................................61
7.13. Trusted Path/Channel ............................................................................................................................61
APPENDIX.......................................................................................................................................63
v
List of Tables
Table 1 TOE Configuration Item.....................................................................................................................................1
Table 2 English Guidance................................................................................................................................................5
Table 3 Japanese Guidance..............................................................................................................................................5
Table 4 Terminology .......................................................................................................................................................8
Table 5 User Categories.................................................................................................................................................10
Table 6 User Data types.................................................................................................................................................10
Table 7 TSF Data types .................................................................................................................................................10
Table 8 Threats ..............................................................................................................................................................11
Table 9 Organization Security Policies..........................................................................................................................11
Table 10 Assumptions ...................................................................................................................................................12
Table 11 Security Objectives for the Operational Environment ....................................................................................12
Table 12 Auditable Events.............................................................................................................................................24
Table 13 D.USER.DOC Access Control SFP................................................................................................................29
Table 14 D.USER.JOB Access Control SFP .................................................................................................................30
Table 15 Other Available Characters.............................................................................................................................32
Table 16 Security Attributes List...................................................................................................................................33
Table 17 Management of TSF Data...............................................................................................................................34
Table 18 Management Functions...................................................................................................................................35
Table 19 Time Interval of User Inactivity.......................................................................................................................39
Table 20 TOE Security Assurance Requirements..........................................................................................................40
Table 21 Analysis Results of Dependencies for Security Functional Requirements .....................................................40
Table 22 Recorded Events and Audit Logs ...................................................................................................................43
Table 23 Print Access Control for D.USER.DOC.........................................................................................................51
Table 24 Scan Access Control for D.USER.DOC.........................................................................................................51
Table 25 Copy Access Control for D.USER.DOC ........................................................................................................52
Table 26 Fax Transmission Access Control for D.USER.DOC ....................................................................................52
Table 27 Fax Reception Access Control for D.USER.DOC..........................................................................................53
Table 28 Print Access Control for D.USER.JOB ..........................................................................................................53
Table 29 Scan Access Control for D.USER.JOB ..........................................................................................................54
Table 30 Copy Access Control for D.USER.JOB .........................................................................................................54
Table 31 Fax Transmission Access Control for D.USER.JOB......................................................................................55
Table 32 Fax Reception Access Control for D.USER.JOB ...........................................................................................55
Table 33 Definition of TSFI ..........................................................................................................................................62
Table 34 Definition of Acronyms..................................................................................................................................63
vi
List of Figures
Figure 1 Environment for the usage of the MFP .............................................................................................................2
Figure 2 Physical Boundary.............................................................................................................................................3
Figure 3 Logical Boundary..............................................................................................................................................6
Copyright© 2018 TOSHIBA TEC. All rights reserved.
1/64
1. ST INTRODUCTION
ST Reference, TOE Reference, TOE Overview, and TOE Description are described in this Chapter.
1.1. ST Reference
The identity of the ST is described below.
Title: TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A Security Target
Version; 0.14
Date Created: November 21, 2018
Author: TOSHIBA TEC CORPORATION
1.2. TOE Reference
The identity of the TOE is described below.
TOE Name: TOSHIBA e-STUDIO2018A/2518A/3018A/3518A/4518A/5018A all of the above with FAX
Unit(GD-1370J/GD-1370NA/GD-1370EU) and FIPS Hard Disk Kit(GE-1230)
Version: SYS V1.0
TOE Type: Digital Multi-functional Peripherals
Developer Name: TOSHIBA TEC CORPORATION
The TOE shown above is consists of the MFP and required option as shown in Table 1.
Table 1 TOE Configuration Item
Model Required Option Sales Area
e-STUDIO2518A, e-STUDIO3518A,
e-STUDIO4518A, e-STUDIO5018A,
GD-1370J, and GE-1230 Japan
e-STUDIO2018A, e-STUDIO2518A,
e-STUDIO3018A, e-STUDIO3518A,
e-STUDIO4518A, e-STUDIO5018A,
GD-1370NA, and GE-1230 North America
e-STUDIO2518A, e-STUDIO 3018A,
e-STUDIO3518A, e-STUDIO4518A,
e-STUDIO5018A,
GD-1370EU, and GE-1230 Europe
1.3. TOE Overview
1.3.1. TOE Type
The TOE is the Multi-function al Peripherals that work in a network environment and provide capabilities of print,
copy, scan, and fax.
1.3.2. Usage and Major Security Features of the TOE
The TOE defined in the ST is the Digital Multi-functional Peripherals with the following basic functions.
・ Copy function
・ Printer function
・ Scan function
・ Fax function
・ TOE setting function
The Fax function will be available by installing the option, GD-1370J, GD-1370NA, or GD-1370EU.
The TOE provides the following security features.
・ Authorization for using the identification, authentication, and HCD functions
・ Audit
・ Access control
・ Encryption
・ Reliable communication
・ Administrator’s role
・ Reliable operation
・ Separation of PSTN fax and network
Copyright© 2018 TOSHIBA TEC. All rights reserved.
2/64
1.3.3. Required Non-TOE Hardware and Software
The TOE is assumed to be installed in a general office and used in a network environment. Also, it is assumed to be
used by being connected with the client PC and the server within the network (LAN) that is protected from
unauthorized access from the external network by a firewall. Figure 1 shows the hardware other than the TOE and the
operational environment.
FTP
Server
Client PC
LAN
Firewall
Internet
Communication
Network
Mail
Server
SYSLOG
Server
Public Switched
Telephone
Networks
Fax unit
(Option)
Figure 1 Environment for the usage of the MFP
 Client PC
The U.NORMAL can request printing of the document data through the LAN to the TOE. The
U.ADMINISTRATOR can refer to or change the setting data in the MFP using the Web browser.
The configuration of browser and Client Utility Software is as follows:
‒ Web browser: Internet Explorer 11
‒ Printer Driver: TOSHIBA Universal Printer Driver2 (Version 7.204.4408.17)
 Mail Server
The Mail Server is a server which transmits email using SMTP. The TOE and the Mail Server is connected with
TLS communication.
 Fire Wall
When internal network accesses the external network, the connection must be made via Fire Wall so as to prevent
unauthorized access from the external network.
 FTP Server
The FTP Server is a server which activates the File Transfer Protocol Server Software. The TOE and the FTP
Server is connected with TLS communication.
 SYSLOG Server
The SYSLOG Server is a server which transmits/receives TOE log data which is transferred using the Syslog
protocol. The TOE and the SYSLOG Server is connected with TLS communication.
 Printer Driver
The Printer Driver is a software which is installed to the computer to enable printing from an application.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
3/64
Advanced print functionalities, such as document layout and page formatting, that cannot be set with an
application are supplied.
1.4. TOE Description
1.4.1. Physical Boundary
The TOE is the Digital Multi-functional Peripherals (e-STUDIO2018A, e-STUDIO2518A, e-STUDIO3018A,
e-STUDIO3518A, e-STUDIO4518A, e-STUDIO5018A) consists of hardware and software. The physical boundary is
as shown below. The MFP is delivered to users by a transport service provider with being packed in a cardboard box.
Hardware Construction
MFP
TOE
Boundary
Scanner Unit
Printer Unit
Operation Panel Unit
User
Network
Public Switched
Telephone
Networks
Paper Original
Paper printed
Document
FAX Unit
NCU
FROM
System control unit
SOC
CPU
DRAM
FROM
NIC
FRAM
HDD
Figure 2 Physical Boundary
Software Construction
・ SYSTEM FIRMWARE: Ver. TG01SF0W1123
・ SYSTEM SOFTWARE: Ver. TG01HD0W1123
・ ENGINE FIRMWARE: Ver. TK120MWW02
・ SCANNER FIRMWARE: Ver. TK100SLGWW03
・ FAX1 FIRMWARE: Ver. FAXH625TA10
 Control Panel Unit
The Control Panel Unit is a user interface by which a U.USER operates the MFP. Hardware construction is
operation buttons, LEDs, and LCD with a touch panel. Information from the MFP is displayed on the LCD and
each operation such as copy start is executed by communicating with the System Control Unit.
 Scanner Unit
The Scanner Unit is an input device which scans paper original and transmits the image data to the System Control
Unit. Firmware (SCANNER FIRMWARE) which controls communication between the Scanner Unit and the
System Control Unit is stored in the HDD.
 System Control Unit
The System Control Unit is a unit which achieves each function by controlling the entire MFP. The control
software consists of the SYSTEM FIRMWARE and SYSTEM SOFTWARE stored in the FROM and HDD
respoectively in the System Control Unit.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
4/64
 Printer Unit
The Printer Unit is a unit which receives a print request from the System Control Unit and prints the print data on
the paper. Firmware (ENGINE FIRMWARE) which controls communication between the Printer Unit and the
System Control Unit is stored in the FROM in the Printer Unit.
 HDD (FIPS Hard Disk Kit: GE-1230)
The HDD is a Hard Disk Drive with the self-encryption function complies with the Federal Information
Processing Standard (FIPS140-2) in the US and a required Option Unit with JCMVP authentication (JCMVP
authentication No.: F0022). Not only a part of software (SYSTEM SOFTWARE) that controls the MFP, but also
image data and document data is stored. The protection assets data is saved to an encrypted partition. The FIPS
Hard Disk Kit is delivered to a user by a transport service provider with being packed in a cardboard box.
 FROM (Flash Memory)
The FROM is a nonvolatile storage memory. A part of software (SYSTEM FIRMWARE) that controls the MFP
is stored.
 FRAM
The FRAM is a nonvolatile storage memory. This is a memory device which saves setup values required for
controlling the MFP.
 SoC
SoC is a LSI in which a device controller circuit is integrated with a microprocessor at the core, and is a
semiconductor chip which performs basic control of the MFP behavior.
 DRAM
The DRAM is a volatile memory. This is a memory which loads and executes a program which controls the
MFP.
 NIC (Network Interface Card)
The NIC is a device for network-connection interface. It supports 10Base-T/100Base-TX/Gigabit Ethernet.
 Fax Unit (GD-1370J/GD-1370NA/GD-1370EU)
The Fax Unit is a required option unit which connects to the PSTN and transmits/receives fax documents between
the Fax devices which comply with G3. The PSTN circuit standard differs depending on the sales countries and
areas. So, an appropriate fax option is selected for each area. The identifier is distinguished by the trailing
alphabet (J, NA, EU) of the model number as shown in Table 1. The same firmware (FAX FIRMWARE)
regardless of the sales contries and areas which controls Fax communication and communication between the
System Control Units is stored in the FROM in the Fax Unit for each destination, and all users can use the same
fax functions. The fax option is delivered to the users by a transport service provider with being packed in a
cardboard box.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
5/64
1.4.2. Guidance
There are two types of the TOE Guidance written in English and Japanese as shown in Table 2 and Table 3; One is
stored in the DVD-ROM in the PDF format and the other is supplied as a printed document. The Japanese version and
English version are delivered to Japan and the other countries respectively together with the MFP. For the Fax Option
Guidance, the Japanese version and the English version are packed as a printed document in GD-1370J and
GD-1370NA/1370EU respectively.
Table 2 English Guidance
Title Identifier PDF Format Print
Quick Start Guide OME17004400 〇 〇
Safety Information OME17005600 〇 〇
Copying Guide OME17006000 〇
Scanning Guide OME17006600 〇
MFP Management Guide OME17007400 〇
Software Installation Guide OME17007200 〇
Printing Guide OME17007000 〇
TopAccess Guide OME17007600 〇
Software Troubleshooting Guide OME17006200 〇
Hardware Troubleshooting Guide OME17004800 〇
High Security Mode Management Guide OME170078B0 〇
Paper Preparation Guide OME17004600 〇
Specifications Guide OME17005800 〇
Fax Guide GD-1370 OME17008000 〇 〇
Table 3 Japanese Guidance
Title Identifier PDF Format Print
かんたん操作ガイド OMJ17004300 〇 〇
安全にお使いいただくために OMJ17005500 〇 〇
コピーガイド OMJ17005900 〇
スキャンガイド OMJ17006500 〇
設定管理ガイド OMJ17007300 〇
インストールガイド OMJ17007100 〇
印刷ガイド OMJ17006900 〇
TopAccessガイド OMJ17007500 〇
トラブルシューティングガイド［ソフトウェア編］ OMJ17006100 〇
トラブルシューティングガイド［ハードウェア編］ OMJ17004700 〇
ハイセキュリティモード管理ガイド OMJ170077B0 〇
用紙準備ガイド OMJ17004500 〇
仕様ガイド OMJ17005700 〇
ファクスガイド GD-1370J OMJ17007900 〇 〇
Copyright© 2018 TOSHIBA TEC. All rights reserved.
6/64
1.4.3. Logical Boundary
The logical boundary of the TOE is defined by the TOE security function and a general function which are described in
the following section.
Logical
Boudary
TOE
TSF Self
Protection
Function
TSF Self
Protection
Function
User
Operation Panel
Unit
TSF Data Protection
Function
Secure Channel Function
Mail
Server
User Authentication Function
FTP
Server
Client PC
Public
Switched
Telephone
Networks
SYSLOG
Server
HDD
D.USER.DOC
D.TSF.PROT D.TSF.CONF
D.USER.JOB
Encryption
Function
General Function
Copy
Function
Scan
Function
Print
Function
FAX
Function
User Access Control
Function
FROM
D.TSF.PROT
D.TSF.CONF
NVRAM
D.TSF.PROT
D.TSF.CONF
Fax
Separation
Function
Figure 3 Logical Boundary
1.4.3.1. General Functions
The TOE is provided with a series of functions associated with images, such as Copy, Print, and Scan, as the General
Functions, and controls these functions integrally.
 Copy function
A Copy function is a function to read the original with the scanner and print it out from the printer according to the
general user’s operation from the control panel.
 Print function
A Print function is a function which transmits the print data from the client PC to the TOE through the LAN and
prints the data on a paper.
 Scan function
The Scan function can attach and send a paper document by user operation on the control panel and reading the
paper document with the Scanner to an email and the FTP server.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
7/64
 Fax function
The Fax function consists of the Fax transmission function and the Fax reception function.
The Fax transmission function is a function which transmits the paper document data read with the Scanner Unit to
the external Fax machine through the PSTN. The Fax reception function is a function which receives the
document data transmitted from the external Fax machine through the PSTN. In order to achieve the above
functions, the Fax option (GD-1370 J, GD-1370NA, or GD-1370EU) is required.
 TOE setting function
The TOE setting function is a function by which only an administrator authorized by the identity authentication
function can execute the operations associated with the TSF data on the control panel or in TopAccess. For
example, an administrator can change the date, and register/delete a user.
1.4.3.2. Security Function
The security functions provided by the TOE are as follows:
 Function which gives permission to use the identity, authentication, and HCD functions
It is a function which verifies whether a user who wants to use the TOE is an authorized user, and gives the user a
permission to use the TOE only when the user is identified.
The TOE prompts a user to enter the user ID and user password from the control panel or the client PC for user
authentication, and has the feedback protection function which displays dummy characters during user password
entry and the lockout function which locks a user who failed in authentication out.
 Access Control Function
The TOE controls access to the user data and functions that are secured assets to the authorized users.
 Audit Function
The TOE generates audit logs for tracking the state of the TOE. All logs recorded per event are transferred to the
audit server and viewable from the audit server.
 Trusted Communication Function
The TOE supports the cryptographic communication protocol in order to prevent communication data from being
leaked or tampered on the network during connection and communication with the LAN.
The TOE communicates with the client PC, mail server, SYSLOG server, and FTP server in the operational
environment using TLS for data encryption. The TOE protects the print data by using TLS and print protocol
IPPS during communication with the client PC when IPP print is performed by the client PC using the printer
driver.
 TSF Self Protection
The TOE performs integrity tests on its static executables and configuration files using verification of their
digital signatures against the known signatures. This allows the TOE to detect any tampering of its trusted
state.
 TSF Data Protection
Only an administrator role user has the capability to manage the configuration and enable/disable available
services and protocols.
 Data Encryption
The Data Encryption is a function to encrypt user data saved in the HDD to protect them from being leaked.
 Function which separate PSTN Fax and Network
This function prevents access from the phone line to the LAN by restricting entry from PSTN to Fax reception.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
8/64
 Software Update Verification
This function is a function which verifies whether software to be updated is authorized when software of the TOE
is updated.
1.4.3.3. Terminology
The terms which are defined by CC and PP in Chapter 2 out of the specific terms associated with the ST should follow
the definition thereof. The other terms are defined as shown in Table 4.
Table 4 Terminology
Terminology Definition
User ID An identifier given to a general user and MFP administrator. The TOE specifies
the user by the identifier.
User Password A password which is used to log into the TOE by a user.
Job Log The job information such as Print Job, Transmission Journals, Reception Journals
and Scan Job.
Message Log Logs regarding MFP's device information or operations executed by users.
TopAccess A web-based job and device control tool. The MFP information can be retrieved
by using this tool through network.
Auto Logout Time Time to log out when a logged in user does not operate the MFP for a certain
period of time.
Lockout Time Time until the locked out account is released.
Date and Time Time information for log management. Year/moth/day/hour/min/sec
Role U.NORMAL, U.ADMIN, U.FAXOPERATOR, U.ACCOUNTMANAGER,
U.ADDRESSBOOKOPERATOR
Firmware Software which is embedded into the device to control hardware.
Cipher Suite Combination of the cryptographic algorithms used for TLS communication,
which consists of the combination of “Key
replacement_Signature_Encryption_Hash function”.
Address Book Fax numbers and email addresses can be registered and displayed in the
destination list. It enables simple specification of the fax transmission
destinations and scan email transmission destinations.
User Authentication
Failure Handling
An administrator can change the number of retries for entering the login password
and lockout time and clear the locked out account status.
Secure Channel A communication channel in which data is encrypted to prevent wiretapping by the
third party.
European Special
Characters
Words with the German umlauts and French cedilla.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
9/64
2. CONFORMANCE CLAIM
2.1. CC Conformance Claim
The following shows the CC Conformance Claim of the ST and TOE.
Common Criteria version: Version 3.1 Release 5
・ Part1: Introduction and general model April 2017 Version 3.1 Revision 5
・ Part2: Security functional components April 2017 Version 3.1 Revision 5
・ Part3: Security assurance components April 2017 Version 3.1 Revision 5
・ Conformance of ST to CC part2: CC part 2 Extended
・ Conformance of ST to CC part3: CC part 3 Conformant
2.2. PP Conformance Claim
The ST and TOE conform to the following PP.
PP Name: Protection Profile for Hardcopy Devices
PP Version: 1.0 dated September 10, 2015
Recognition Identification: JISEC-C0553
Errata： Protection Profile for Hardcopy Devices – v1.0
Errata #1, June 2017
2.3. Package Conformance Claim
The ST does not conform to the packages
2.4. Conformance Rationale
The following conditions requested by PP have been satisfied and must be “Exact Conformance” as requested by
PP. Therefore, the TOE type is consistent with PP.
・ Required Uses
Printing, Scanning, Copying, Networking communications, Addministration
・ Conditionally Mandatory Uses
PSTN faxing, Fileld-Replaceable Nonvolatile Storage
・ Optional Uses
None
Copyright© 2018 TOSHIBA TEC. All rights reserved.
10/64
3. SECURITY PROBLEM DEFINITION
3.1. User
The User and role of the TOE are defined as shown below in the ST.
Table 5 User Categories
Designation
Category
name
Definition
U.NORMAL Normal User A User who is authorized to execute Copy, Print,
Scan, and Fax functions which are the basic
functions of the TOE. A general user is
authorized to operate each function and can
execute only the authorized function.
U.ADMIN Administrator An administrator who is authorized to manage the
entire TOE, such as setting of the TOE security
functions, change of the user account
information, and browse of the audit log.
U.ACCOUNTMANAGER Administrator An administrator who can perform the settings
for the user account management (setting of the
user ID and role of the user and operation
authority of the basic functions).
U.FAXOPERATOR Normal User A user who can execute the Fax
transmission/reception functions.
U.ADDRESSBOOKOPERATOR Normal User A user who can edit the address book.
3.2. Assets
3.2.1. User Data
The two User Data is defined in the ST.
Table 6 User Data types
Designation User Data type Definition Details
D.USER.DOC User Document Data Information included in a user’s
documents electronically or in the
form of a hard copy.
Copy Document Data
Print Document Data
Scan Document Data
Fax Transmission Document
Data
Fax Reception Document Data
D.USER.JOB User Job Data Information associated with a
user’s documents or document
processing jobs.
Print Job
Scan Job
Copy Job
Fax Transmission Job
Fax Reception Job
3.2.2. TSF Data
The TSF Data consist of the following 2 types.
Table 7 TSF Data types
Designation TSF Data type Definition Details
D.TSF.PROT Protected TSF Data Protected TSF Data for which
alteration by a User who is neither
an Administrator nor the owner of
the data would have an effect on
the operational security of the
TOE, but for which disclosure is
acceptable.
Enable/Disable of the Secure
Channel
User ID
Role
Allowable Number of entry
for Login Password
Lockout Time
Locked Account Status
Auto Logout Time
Copyright© 2018 TOSHIBA TEC. All rights reserved.
11/64
Designation TSF Data type Definition Details
Date and Time Information
Minimum Password Length
Address Book
SYSLOG Server Settings
FTP Server Settings
D.TSF.CONF Confidential TSF
Data
Confidential TSF Data for which
either disclosure or alteration by a
user who is neither an
Administrator nor the owner of
the data would have an effect on
the operational security of the
TOE.
User Password
Encryption Key
3.3. Threats
The Threats to the TOE which are countered by the conforming products are as shown below.
The Threats are defined by the Threats Agents which execute actions which will possibly result in risks for the
TOE Security Policies.
Table 8 Threats
Designation Definition
T.UNAUTHORIZED_ACCESS An attacker may access (read, modify, or delete) User Document Data or
change (modify or delete) User Job Data in the TOE through one of the
TOE’s interfaces.
T.TSF_COMPROMISE An attacker may gain Unauthorized Access to TSF Data in the TOE
through one of the TOE’s interfaces.
T.TSF_FAILURE A malfunction of the TSF may cause loss of security if the TOE is
permitted to operate.
T.UNAUTHORIZED_UPDATE An attacker may cause the installation of unauthorized software on the
TOE.
T.NET_COMPROMISE An attacker may access data in transit or otherwise compromise the
security of the TOE by monitoring or manipulating network
communication.
3.4. Organization Security Policies
The following is the Organization Security Policies (OSPs) set by the conforming products.
3.4.1. Definition of Organization Security Policies
It is not practical to define the Organization Security Policies based on the threats to the assets.
Organizational Security Policies are used to provide a basis for Security Objectives that are not practical to define
on the basis of Threats to Assets or that originate primarily from customer expectations.
Table 9 Organization Security Policies
Designation Definition
P.AUTHORIZATION Users must be authorized before performing Document Processing and
administrative functions.
P.AUDIT Security-relevant activities must be audited and the log of such actions must
be protected and transmitted to an External IT Entity.
P.COMMS_PROTECTION The TOE must be able to identify itself to other devices on the LAN.
P.STORAGE_ENCRYPTION
(Required with conditions)
If the TOE stores USER.DOCument Data or Confidential TSF Data on
Field-Replaceable Nonvolatile Storage Devices, it will encrypt such data on
those devices.
P.KEY_MATERIAL
(Required with conditions)
Cleartext keys, submasks, random numbers, or any other values that
contribute to the creation of encryption keys for Field-Replaceable
Nonvolatile Storage of USER.DOCument Data or Confidential TSF Data
must be protected from unauthorized access and must not be stored on that
storage device.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
12/64
Designation Definition
P.FAX_FLOW
(Required with conditions)
If the TOE provides a PSTN fax function, it will ensure separation between
the PSTN fax line and the LAN.
3.5. Prerequisites
The Prerequisites are the conditions which have to be satisfied so as to enable the Security Objectives and Security
Functional Requirements
Table 10 Assumptions
Designation Definition
A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it
stores or processes, is assumed to be provided by the environment.
A.NETWORK The Operational Environment is assumed to protect the TOE from direct,
public access to its LAN interface.
A.TRUSTED_ADMIN TOE Administrators are trusted to administer the TOE according to site
security policies.
A.TRAINED_USERS Authorized Users are trained to use the TOE according to site security
policies.
4. SECURITY OBJECTIVES
4.1. Security Objectives for Operational Environment
The details of the Security Objectives for the Operational Environment are as described in Table 11.
Table 11 Security Objectives for the Operational Environment
Designation Definition
OE.PHYSICAL_PROTECTION The Operational Environment shall provide physical security,
commensurate with the value of the TOE and the data it stores or
processes.
OE.NETWORK_PROTECTION The Operational Environment shall provide network security to
protect the TOE from direct, public access to its LAN interface.
OE.ADMIN_TRUST The TOE Owner shall establish trust that Administrators will not use
their privileges for malicious purposes.
OE.USER_TRAINING The TOE Owner shall ensure that Users are aware of site security
policies and have the competence to follow them.
OE.ADMIN_TRAINING The TOE Owner shall ensure that Administrators are aware of site
security policies and have the competence to use manufacturer’s
guidance to correctly configure the TOE and protect passwords and
keys accordingly.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
13/64
5. Extended Component Definitions
Extended component definitions are listed below.
5.1. FAU_STG_EXT Extended: External Audit Trail Storage
Family Behavior:
This family defines requirements for the TSF to ensure that secure transmission of audit data from TOE to an
External IT Entity.
Component leveling:
FAU_STG_EXT.1 External Audit Trail Storage requires the TSF to use a trusted channel implementing a
secure protocol.
Management:
The following actions could be considered for the management functions in FMT:
 The TSF shall have the ability to configure the cryptographic functionality.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FAU_STG_EXT.1 Extended: Protected Audit Trail Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity
using a trusted channel according to FTP_ITC.1.
Rationale:
The TSF is required that the transmission of generated audit data to an External IT Entity which relies on a
non-TOE audit server for storage and review of audit records. The storage of these audits records and the ability
to allow the administrator to review these audit records is provided by the Operational Environment in that case.
The Common Criteria does not provide a suitable SFR for the transmission of audit data to an External IT Entity.
This extended component protects the audit records, and it is therefore placed in the FAU class with a single
component.
5.2. FCS_CKM_EXT Extended: Cryptographic Key Management
Family Behavior:
This family addresses the management aspects of cryptographic keys. Especially, this extended component is
intended for cryptographic key destruction.
Component leveling:
FCS_CKM_EXT.4 Cryptographic Key Material Destruction ensures not only keys but also key materials that
are no longer needed are destroyed by using an approved method.
FAU_STG_EXT.1: Extended: External Audit Trail Storage 1
FCS_CKM_EXT.4: Extended: Cryptographic Key Material Destruction 4
Copyright© 2018 TOSHIBA TEC. All rights reserved.
14/64
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
Rationale:
Cryptographic Key Material Destruction is to ensure the keys and key materials that are no longer needed are
destroyed by using an approved method, and the Common Criteria does not provide a suitable SFR for the
Cryptographic Key Material Destruction.
This extended component protects the cryptographic key and key materials against exposure, and it is therefore
placed in the FCS class with a single component.
5.3. FCS_HTTPS_EXT Extended: HTTPS selected
Family Behavior:
Components in this family define requirements for protecting remote management sessions between the TOE
and a Security Administrator. This family describes how HTTPS will be implemented. This is a new family
defined for the FCS Class.
Component leveling:
FCS_HTTPS_EXT.1 HTTPS selected, requires that HTTPS be implemented according to RFC 2818 and
supports TLS.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 Failure of HTTPS session establishment
FCS_HTTPS_EXT.1 Extended: HTTPS selected
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.
FCS_HTTPS_EXT.1 Extended: HTTPS selected 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
15/64
Rationale:
HTTPS is one of the secure communication protocols, and the Common Criteria does not provide a suitable SFR
for the communication protocols using cryptographic algorithms.
This extended component protects the communication data using cryptographic algorithms, and it is therefore
placed in the FCS class with a single component.
5.4. FCS_KDF_EXT Extended: Cryptographic Key Derivation
Family Behavior:
This family specifies the means by which an intermediate key is derived from a specified set of submasks.
Component leveling:
FCS_KDF_EXT.1 Cryptographic Key Derivation requires the TSF to derive intermediate keys from submasks
using the specified hash functions.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FCS_KDF_EXT.1 Extended: Cryptographic Key Derivation
Hierarchical to: No other components.
Dependencies: FCS_COP.1(h) Cryptographic Operation (for keyed-hash message authentication),
[if selected: FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)]
FCS_KDF_EXT.1.1 The TSF shall accept [selection: a RNG generated submask as specified in
FCS_RBG_EXT.1, a conditioned password submask, imported submask] to derive an
intermediate key, as defined in [selection: NIST SP 800-108 [selection: KDF in Counter
Mode, KDF in Feedback Mode, KDF in Double-Pipeline Iteration Mode], NIST SP
800-132], using the keyed-hash functions specified in FCS_COP.1(h), such that the
output is at least of equivalent security strength (in number of bits) to the BEV.
Rationale:
The TSF is required to specify the means by which an intermediate key is derived from a specified set of
submasks using the specified hash functions.
This extended component protects the Data Encryption Keys using cryptographic algorithms in the maintained
key chains, and it is therefore placed in the FCS class with a single component.
5.5. FCS_KYC_EXT Extended: Cryptographic Operation (Key Chaining)
Family Behavior:
This family provides the specification to be used for using multiple layers of encryption keys to ultimately secure
the protected data encrypted on the storage.
Component leveling:
FCS_KDF_EXT: Cryptographic Key Derivation 1
FCS_KYC_EXT Key Chaining 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
16/64
FCS_KYC_EXT Key Chaining requires the TSF to maintain a key chain and specifies the characteristics of
that chain.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FCS_KYC_EXT.1 Extended: Key Chaining
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(e) Cryptographic operation (Key Wrapping),
FCS_SMC_EXT.1 Extended: Submask Combining,
FCS_COP.1(i) Cryptographic operation (Key Transport),
FCS_KDF_EXT.1 Cryptographic Operation (Key Derivation),
and/or
FCS_COP.1(f) Cryptographic operation (Key Encryption)].
FCS_KYC_EXT.1.1 The TSF shall maintain a key chain of: [selection: one, using a submask as the BEVor
DEK; intermediate keys originating from one or more submask(s) to the BEV or DEK
using the following method(s): [selection: key wrapping as specified in FCS_COP.1(e),
key combining as specified in FCS_SMC_EXT.1, key encryption as specified in
FCS_COP.1(f), key derivation as specified in FCS_KDF_EXT.1, key transport as
specified in FCS_COP.1(i)]] while maintaining an effective strength of [selection: 128
bits, 256 bits].
Rationale:
Key Chaining ensures that the TSF maintains the key chain, and also specifies the characteristics of that chain.
However, the Common Criteria does not provide a suitable SFR for the management of multiple layers of
encryption key to protect encrypted data.
This extended component protects the TSF data using cryptographic algorithms, and it is therefore placed in the
FCS class with a single component.
5.6. FCS_RBG_EXT Extended: Cryptographic Operation (Random Bit Generation)
Family Behavior:
This family defines requirements for random bit generation to ensure that it is performed in accordance with
selected standards and seeded by an entropy source.
Component leveling:
FCS_RBG_EXT.1 Random Bit Generation requires random bit generation to be performed in accordance
with selected standards and seeded by an entropy source.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
FCS_RBG_EXT.1 Extended: Random Bit Generation 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
17/64
PP/ST:
 There are no auditable events foreseen.
FCS_RBG_EXT.1 Extended: Random Bit Generation
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance
with [selection: ISO/IEC 18031:2011, NIST SP 800-90A] using [selection:
Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy
from [selection: [assignment: number of software-based sources] software-based noise
source(s), [assignment: number of hardware-based sources] hardware-based noise
source(s)] with a minimum of [selection: 128 bits, 256 bits] of entropy at least equal to
the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 “Security
strength table for hash functions”, of the keys and hashes that it will generate.
Rationale:
Random bits/number will be used by the SFRs for key generation and destruction, and the Common Criteria
does not provide a suitable SFR for the random bit generation.
This extended component ensures the strength of encryption keys, and it is therefore placed in the FCS class with
a single component.
5.7. FCS_SMC_EXT Extended: Submask Combining
Family Behavior:
This family defines the means by which submasks are combined, if the TOE supports more than one submask
being used to derive or protect the BEV.
Component leveling:
FCS_SMC_EXT.1 Submask combining requires the TSF to combine the submasks in a predictable fashion.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FCS_SMC_EXT.1 Extended: Submask Combining
Hierarchical to: No other components.
Dependencies: FCS_COP.1(c) Cryptographic operation (Hash Algorithm)
FCS_SMC_EXT.1.1 The TSF shall combine submasks using the following method [selection: exclusive OR
(XOR), SHA-256, SHA-512] to generate an intermediary key or BEV.
Rationale:
Submask Combining is to ensure the TSF combine the submasks in order to derive or protect the BEV.
FCS_SMC_EXT.1 Extended: Submask Combining 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
18/64
This extended component protects the TSF data using cryptographic algorithms, and it is therefore placed in the
FCS class with a single component.
5.8. FCS_TLS_EXT Extended: TLS selected
Family Behavior:
This family addresses the ability for a server and/or a client to use TLS to protect data between a client and the
server using the TLS protocol.
Component leveling:
FCS_TLS_EXT.1TLS selected, requires the TLS protocol implemented as specified.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 Failure of TLS session establishment
FCS_TLS_EXT.1 Extended: TLS selected
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC
2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
Mandatory Ciphersuites:
 TLS_RSA_WITH_AES_128_CBC_SHA
Optional Ciphersuites:
[selection:
 None
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
FCS_TLS_EXT.1 Extended: TLS selected 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
19/64
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
].
Rationale:
TLS is one of the secure communication protocols, and the Common Criteria does not provide a suitable SFR for
the communication protocols using cryptographic algorithms.
This extended component protects the communication data using cryptographic algorithms, and it is therefore
placed in the FCS class with a single component.
5.9. FDP_DSK_EXT Extended: Protection of Data on Disk
Family Behavior:
This family is to mandate the encryption of all protected data written to the storage.
Component leveling:
FDP_DSK_EXT.1 Extended: Protection of Data on Disk, requires the TSF to encrypt all the Confidential TSF
and User Data stored on the Field-Replaceable Nonvolatile Storage Devices in
order to avoid storing these data in plaintext on the devices.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FDP_DSK_EXT.1 Extended: Protection of Data on Disk
Hierarchical to: No other components.
Dependencies: FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption)
FDP_DSK_EXT.1.1 The TSF shall [selection: perform encryption in accordance with FCS_COP.1(d), use a
self-encrypting Field-Replaceable Nonvolatile Storage Device that is separately CC
certified to conform to the FDE EE cPP] such that any Field-Replaceable Nonvolatile
Storage Device contains no plaintext User Document Data and no plaintext confidential
TSF Data.
FDP_DSK_EXT.1.2 The TSF shall encrypt all protected data without user intervention.
Rationale:
Extended: Protection of Data on Disk is to specify that encryption of any confidential data without user
intervention, and the Common Criteria does not provide a suitable SFR for the Protection of Data on Disk.
This extended component protects the Data on Disk, and it is therefore placed in the FDP class with a single
component.
5.10. FDP_FXS_EXT Extended: Fax Separation
Family Behavior:
This family addresses the requirements for separation between Fax PSTN line and the LAN to which TOE is
connected.
FDP_DSK_EXT.1 Extended: Protection of Data on Disk 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
20/64
Component leveling:
FDP_FXS_EXT.1 Fax Separation, requires the fax interface cannot be used to create a network bridge
between a PSTN and a LAN to which TOE is connected.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FDP_FXS_EXT.1 Extended: Fax separation
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or
receiving User Data using fax protocols.
Rationale:
Fax Separation is to protect a LAN against attack from PSTN line, and the Common Criteria does not provide a
suitable SFR for the Protection of TSF or User Data.
This extended component protects the TSF Data or User Data, and it is therefore placed in the FDP class with a
single component.
5.11. FIA_PMG_EXT Extended: Password Management
Family Behavior:
This family defines requirements for the attributes of passwords used by administrative users to ensure that
strong passwords and passphrases can be chosen and maintained.
Component leveling:
FIA_PMG _EXT.1 Password management requires the TSF to support passwords with varying composition
requirements, minimum lengths, maximum lifetime, and similarity constraints.
Management:
The following actions could be considered for the management functions in FMT:
 There are no auditable events foreseen.
FIA_PMG _EXT.1 Extended: Password management
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_PMG _EXT.1.1 The TSF shall provide the following password management capabilities for User
passwords:
 Passwords shall be able to be composed of any combination of upper and lower case letters, numbers,
and the following special characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”,
[assignment: other characters]];
FDP_FXS_EXT.1 Extended: Fax Separation 1
FIA_PMG _EXT.1 Extended: Password Managemen 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
21/64
 Minimum password length shall be settable by an Administrator, and have the capability to require
passwords of 15 characters or greater.
Rationale:
Password Management is to ensure the strong authentication between the endpoints of communication, and the
Common Criteria does not provide a suitable SFR for the Password Management.
This extended component protects the TOE by means of password management, and it is therefore placed in the
FIA class with a single component.
5.12. FPT_KYP_EXT Extended: Protection of Key and Key Material
Family Behavior:
This family addresses the requirements for keys and key materials to be protected if and when written to
nonvolatile storage.
Component leveling:
FPT_ KYP _EXT.1 Extended: Protection of key and key material, requires the TSF to ensure that no
plaintext key or key materials are written to nonvolatile storage.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FPT_ KYP _EXT.1 Extended: Protection of Key and Key Material
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_ KYP _EXT.1.1 The TSF shall not store plaintext keys that are part of the keychain specified by
FCS_KYC_EXT.1 in any Field-Replaceable Nonvolatile Storage Device, and not
store any such plaintext key on a device that uses the key for its encryption.
Rationale:
Protection of Key and Key Material is to ensure that no plaintext key or key material are written to nonvolatile
storage, and the Common Criteria does not provide a suitable SFR for the protection of key and key material.
This extended component protects the TSF data, and it is therefore placed in the FPT class with a single
component.
5.13. FPT_SKP_EXT Extended: Protection of TSF Data
Family Behavior:
This family addresses the requirements for managing and protecting the TSF data, such as cryptographic keys.
This is a new family modelled as the FPT Class.
Component leveling:
FPT_ KYP _EXT.1 Protection of key and key material 1
FPT_SKP_EXT.1 Extended: Protection of TSF Data 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
22/64
FPT_SKP_EXT.1 Protection of TSF Data (for reading all symmetric keys), requires preventing
symmetric keys from being read by any user or subject. It is the only component of this
family.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
FPT_SKP_EXT.1 Extended: Protection of TSF Data
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.
Rationale:
Protection of TSF Data is to ensure the pre-shared keys, symmetric keys and private keys are protected securely,
and the Common Criteria does not provide a suitable SFR for the protection of such TSF data.
This extended component protects the TOE by means of strong authentication using Pre-shared Key, and it is
therefore placed in the FPT class with a single component.
5.14. FPT_TST_EXT Extended: TSF testing
Family Behavior:
This family addresses the requirements for self-testing the TSF for selected correct operation.
Component leveling:
FPT_TST_EXT.1 TSF testing requires a suite of self-testing to be run during initial start-up in order to
demonstrate correct operation of the TSF.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FPT_TST_EXT.1 Extended: TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to demonstrate
the correct operation of the TSF.
Rationale:
TSF testing is to ensure the TSF can be operated correctly, and the Common Criteria does not provide a suitable
SFR for the TSF testing. In particular, there is no SFR defined for TSF testing.
This extended component protects the TOE, and it is therefore placed in the FPT class with a single component.
FPT_TST_EXT.1 Extended: TSF testing 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
23/64
5.15. FPT_TUD_EXT Extended: Trusted Update
Family Behavior:
This family defines requirements for the TSF to ensure that only administrators can update the TOE
firmware/software, and that such firmware/software is authentic.
Component leveling:
FPT_TUD_EXT.1 Trusted Update, ensures authenticity and access control for updates.
Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.
Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the
PP/ST:
 There are no auditable events foreseen.
FPT_TUD_EXT.1 Trusted Update
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(b) Cryptographic Operation (for signature generation/verification), or
FCS_COP.1(c) Cryptographic operation (Hash Algorithm)].
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current
version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE
firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a
digital signature mechanism and [selection: no other functions] prior to installing those
updates.
Rationale:
Firmware/software is a form of TSF Data, and the Common Criteria does not provide a suitable SFR for the
management of firmware/software. In particular, there is no SFR defined for importing TSF Data.
This extended component protects the TOE, and it is therefore placed in the FPT class with a single component.
FPT_TUD_EXT.1 Extended: Trusted Update 1
Copyright© 2018 TOSHIBA TEC. All rights reserved.
24/64
6. SECURITY REQUIREMENTS
6.1. Notation
・Bold typeface indicates the portion that has been “completed” or “refined” in this PP.
・Bold italic typeface indicates the portion that has been “assigned” or “selected” in this ST.
・Letters in brackets indicate the “assigned” or “selected” results.
・SFR components that are followed by a letter in parentheses, e.g., (a), (b)… represent required iterations.
6.2. Class FAU: Security Audit
6.2.1. FAU_GEN.1 Audit data generation
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) All auditable events specified in Table 12, [none].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome
(success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST, additional information specified in Table 12, [none].
Table 12 Auditable Events
Auditable events Relevant SFR
Additional
information
Job completion FDP_ACF.1 Type of job
Unsuccessful User authentication FIA_UAU.1 None
Unsuccessful User identification FIA_UID.1 None
Use of management functions FMT_SMF.1 None
Modification to the group of Users that are part
of a role
FMT_SMR.1 None
Changes to the time FPT_STM.1 None
Failure to establish session FTP_ITC.1,
FTP_TRP.1(a),
FTP_TRP.1(b)
Reason for
failure
6.2.2. FAU_GEN.2 User identity association
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate
each auditable event with the identity of the user that caused the event.
6.2.3. FAU_STG_EXT.1 Extended: External Audit Trail Storage
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel.
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity using
a trusted channel according to FTP_ITC.1.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
25/64
6.3. Class FCS: Cryptographic Support
6.3.1. FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(b) Cryptographic Operation (for signature generation/ verification)
FCS_COP.1(i) Cryptographic operation (Key Transport)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_CKM.1.1(a) Refinement: The TSF shall generate asymmetric cryptographic keys used for key
establishment in accordance with [
 NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes
Using Integer Factorization Cryptography” for RSA-based key establishment schemes
] and specified cryptographic key sizes equivalent to, or greater than, a symmetric key
strength of 112 bits.
6.3.2. FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
FCS_COP.1(e) Cryptographic Operation (Key Wrapping)
FCS_COP.1(f) Cryptographic operation (Key Encryption)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
FCS_COP.1(h) Cryptographic Operation (for keyed-hash message authentication)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_CKM.1.1(b)Refinement: The TSF shall generate symmetric cryptographic keys using a Random Bit
Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes [128
bit, 256 bit] that meet the following: No Standard.
6.3.3. FCS_CKM.4(a) Cryptographic key destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION, O.PURGE_DATA))
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM.4.1(a) Refinement: The TSF shall destroy cryptographic keys in accordance with a specified
cryptographic key destruction method [
For volatile memory, the destruction shall be executed by [powering off a device].
For nonvolatile storage, the destruction shall be executed by a [single] overwrite of key
data storage location consisting of [a pseudo random pattern using the TSF’s RBG (as
specified in FCS_RBG_EXT.1)], followed by a [none]. If read-verification of the
overwritten data fails, the process shall be repeated again;
] that meets the following: [no standard].
6.3.4. FCS_CKM.4(b) Cryptographic key destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION, O.PURGE_DATA))
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM.4.1(b) Refinement: The TSF shall destroy cryptographic keys in accordance with a specified
cryptographic key destruction method [
For volatile memory, the destruction shall be executed by [powering off a device].
For nonvolatile storage, the destruction shall be executed by a [three] overwrite of key
data storage location consisting of [a static pattern], followed by a [none]. If
read-verification of the overwritten data fails, the process shall be repeated again;
Copyright© 2018 TOSHIBA TEC. All rights reserved.
26/64
] that meets the following: [no standard].
6.3.5. FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION, O.PURGE_DATA)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private cryptographic keys and
cryptographic critical security parameters when no longer needed.
6.3.6. FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(a) Refinement: The TSF shall perform encryption and decryption in accordance with a
specified cryptographic algorithm AES operating in [CBC modes] and cryptographic key
sizes 128-bits and 256-bits that meets the following:
 FIPS PUB 197, “Advanced Encryption Standard (AES)”
 [NIST SP 800-38A, NIST SP 800-38D]
6.3.7. FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
(for O.UPDATE_VERIFICATION, O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(a) Cryptographic key generation]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(b) Refinement: The TSF shall perform cryptographic signature services in accordance with a
[RSA Digital Signature Algorithm (rDSA) with key sizes (modulus) of [2048 bits]] that
meets the following [FIPS PUB 186-4, “Digital Signature Standard”].
6.3.8. FCS_RBG_EXT.1(a) Extended: Cryptographic Operation (Random Bit Generation)
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1(a)The TSF shall perform all deterministic random bit generation services in accordance
with [NIST SP 800-90A] using [Hash_DRBG (any)].
FCS_RBG_EXT.1.2(a)The deterministic RBG shall be seeded by at least one entropy source that accumulates
entropy from [[single] hardware-based noise source(s)] with a minimum of [256 bits]
of entropy at least equal to the greatest security strength, according to ISO/IEC
18031:2011 Table C.1 “Security Strength Table for Hash Functions”, of the keys and
hashes that it will generate.
6.3.9. FCS_RBG_EXT.1(b) Extended: Cryptographic Operation (Random Bit Generation)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_RBG_EXT.1.1(b)The TSF shall perform all deterministic random bit generation services in accordance
with [NIST SP 800-90A] using [CTR_DRBG (AES)].
FCS_RBG_EXT.1.2(b)The deterministic RBG shall be seeded by at least one entropy source that accumulates
entropy from [[single] hardware-based noise source(s)] with a minimum of [128bits] of
entropy at least equal to the greatest security strength, according to ISO/IEC
Copyright© 2018 TOSHIBA TEC. All rights reserved.
27/64
18031:2011 Table C.1 “Security Strength Table for Hash Functions”, of the keys and
hashes that it will generate.
6.3.10.FCS_COP.1(c) Cryptographic operation (Hash Algorithm)
(selected in FPT_TUD_EXT.1.3, or with FCS_SNI_EXT.1.1)
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_COP.1.1(c) Refinement: The TSF shall perform cryptographic hashing services in accordance with
[SHA-1, SHA-256, SHA-512] that meet the following: [ISO/IEC 10118-3:2004].
6.3.11. FCS_COP.1(f) Cryptographic operation (Key Encryption)
(selected from FCS_KYC_EXT.1.1)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(f) Refinement: The TSF shall perform key encryption and decryption in accordance with a
specified cryptographic algorithm AES used in [[CBC] mode] and cryptographic key sizes
[256 bits] that meet the following: [AES as specified in ISO /IEC 18033-3, [CBC as
specified in ISO/IEC 10116].
6.3.12. FCS_SMC_EXT.1 Extended: Submask Combining
(selected in FCS_KYC_EXT.1.1)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(c) Cryptographic operation (Hash Algorithm)
FCS_SMC_EXT.1.1 The TSF shall combine submasks using the following method
[exclusive OR (XOR)] to generate an intermediary key or BEV.
6.3.13.FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
(selected with FCS_IPSEC_EXT.1.4)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(g) Refinement: The TSF shall perform keyed-hash message authentication in accordance with a
specified cryptographic algorithm HMAC-[SHA-1, SHA-256], key size [160, 256]bits, and
message digest sizes [160, 256] bits that meet the following: FIPS PUB 198-1, "The
Keyed-Hash Message Authentication Code, and FIPS PUB 180-3, “Secure Hash Standard.”
6.3.14.FCS_COP.1(h) Cryptographic Operation (for keyed-hash message authentication)
(selected with FCS_PCC_EXT.1, FCS_KDF_EXT.1.1)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_COP.1(c) Cryptographic operation (Hash Algorithm),
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction
FCS_COP.1.1(h) Refinement: The TSF shall perform [keyed-hash message authentication] in accordance
with [HMAC-SHA-512] and cryptographic key sizes [256] that meet the following: [ISO/IEC
9797-2:2011, Section 7 “MAC Algorithm 2”; ISO/IEC 10118].
6.3.15.FCS_TLS_EXT.1 Extended: TLS selected
(selected in FTP_ITC.1.1, FTP_TRP.1.1)
Hierarchical to: No other components.
Dependencies: FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric Keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)
Copyright© 2018 TOSHIBA TEC. All rights reserved.
28/64
FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [TLS 1.2 (RFC
5246)] supporting the following ciphersuites:
Mandatory Ciphersuites:
 TLS_RSA_WITH_AES_128_CBC_SHA
Optional Ciphersuites:
[
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256
].
6.3.16.FCS_HTTPS_EXT.1 Extended: HTTPS selected
Hierarchical to: No other components.
Dependencies: No dependencies.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.
6.3.17.FCS_KDF_EXT Extended: Cryptographic Key Derivation
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(h) Cryptographic Operation (for keyed-hash message authentication),
[if selected: FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)]
FCS_KDF_EXT.1.1 The TSF shall accept [a RNG generated submask as specified in FCS_RBG_EXT.1] to
derive an intermediate key, as defined in [NIST SP 800-108 [KDF in Counter Mode]],
using the keyed-hash functions specified in FCS_COP.1(h), such that the output is at
least of equivalent security strength (in number of bits) to the BEV.
6.3.18.FCS_KYC_EXT.1 Extended: Key Chaining
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: [FCS_COP.1(e) Cryptographic operation (Key Wrapping),
FCS_SMC_EXT.1 Extended: Submask Combining,
FCS_COP.1(i) Cryptographic operation (Key Transport),
FCS_KDF_EXT.1 Cryptographic Operation (Key Derivation),
and/or FCS_COP.1(f) Cryptographic operation (Key Encryption)].
FCS_KYC_EXT.1.1 The TSF shall maintain a key chain of: [intermediate keys originating from one or more
submask(s) to the BEV or DEK using the following method(s): [key combining as
specified in FCS_SMC_EXT.1, key encryption as specified in FCS_COP.1(f), key
derivation as specified in FCS_KDF_EXT.1]] while maintaining an effective strength of
[256 bits].
6.4. Class FDP: User Data Protection
6.4.1. FDP_ACC.1 Subset access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP on subjects, objects,
and operations among subjects and objects specified in Table 13 and Table 14.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
29/64
Table 13 D.USER.DOC Access Control SFP
"Create" "Read" "Modify" "Delete"
Print
Operation:
Submit a
document to
be printed
View
image or
Release
printed output
Modify stored
document
Delete stored
document
Job owner (note 1) denied
U.ADMIN denied denied
U.NORMAL denied denied denied
U.ACCOUNTMANAGER denied denied denied denied
U.FAXOPERATOR denied denied denied denied
U.ADDRESSBOOKOPERA
TOR
denied denied denied denied
Unauthenticated (condition 1) denied denied denied
Scan
Operation:
Submit a
document for
scanning
View scanned
image
Modify stored
image
Delete stored
image
Job owner (note 2)
U.ADMIN denied denied
U.NORMAL denied denied denied
U.ACCOUNTMANAGER denied denied denied denied
U.FAXOPERATOR denied denied denied denied
U.ADDRESSBOOKOPERA
TOR
denied denied denied denied
Unauthenticated denied denied denied denied
Copy
Operation:
Submit a
document
for
copying
View
scanned
image or
Release
printed
copy
output
Modify stored
image
Delete stored
image
Job owner (note 2) denied
U.ADMIN denied denied
U.NORMAL denied denied denied
U.ACCOUNTMANAGER denied denied denied denied
U.FAXOPERATOR denied denied denied denied
U.ADDRESSBOOKOPERA
TOR
denied denied denied denied
Unauthenticated denied denied denied denied
Fax send
Operation:
Submit a
document
to send as
a fax
View scanned
image
Modify stored
image
Delete stored
image
Job owner (note 2)
U.ADMIN denied denied
U.NORMAL denied denied denied
U.ACCOUNTMANAGER denied denied denied denied
U.FAXOPERATOR denied denied denied
U.ADDRESSBOOKOPERA
TOR
denied denied denied denied
Unauthenticated denied denied denied denied
Fax receive
Operation:
Receive a
fax and
store it
View fax
image or
Release
printed
fax
output
Modify image
of received
fax
Delete image
of received
fax
Job owner (note 3) denied
Copyright© 2018 TOSHIBA TEC. All rights reserved.
30/64
"Create" "Read" "Modify" "Delete"
U.ADMIN (note 4) denied
U.NORMAL (note 4) denied denied denied
U.ACCOUNTMANAGER (note 4) denied denied denied
U.FAXOPERATOR (note 4) denied
U.ADDRESSBOOKOPERA
TOR
(note 4) denied denied denied
Unauthenticated (note 4) denied denied denied
Table 14 D.USER.JOB Access Control SFP
"Create" * "Read" "Modify" "Delete"
Print
Operation:
Create print
job
View print
queue / log
Modify print
job
Cancel print
job
Job owner (note 1) denied
U.ADMIN denied
U.NORMAL denied denied
U.ACCOUNTMANAGER denied denied denied
U.FAXOPERATOR denied denied denied
U.ADDRESSBOOKOPER
ATOR
denied denied denied
Unauthenticated denied denied denied
Scan
Operation:
Create scan
job
View scan
status / log
Modify scan
job
Cancel scan
job
Job owner (note 2) denied
U.ADMIN denied
U.NORMAL denied denied
U.ACCOUNTMANAGER denied denied denied
U.FAXOPERATOR denied denied denied
U.ADDRESSBOOKOPER
ATOR
denied denied denied
Unauthenticated denied denied denied denied
Copy
Operation:
Create copy
job
View copy
status / log
Modify copy
job
Cancel copy
job
Job owner (note 2)
U.ADMIN denied
U.NORMAL denied denied
U.ACCOUNTMANAGER denied denied denied
U.FAXOPERATOR denied denied denied
U.ADDRESSBOOKOPER
ATOR
denied denied denied
Unauthenticated denied denied denied denied
Fax send
Operation:
Create fax
send job
View fax job
queue / log
Modify fax
send job
Cancel fax
send job
Job owner (note 2)
U.ADMIN denied
U.NORMAL denied denied
U.ACCOUNTMANAGER denied denied denied
U.FAXOPERATOR denied denied
U.ADDRESSBOOKOPER
ATOR
denied denied denied
Unauthenticated denied denied denied denied
Fax receive
Operation:
Create fax
receive job
View fax
receive status
/ log
Modify fax
receive job
Cancel fax
receive job
Fax owner (note 3) denied denied
U.ADMIN (note 4) denied denied
U.NORMAL (note 4) denied denied denied
Copyright© 2018 TOSHIBA TEC. All rights reserved.
31/64
"Create" * "Read" "Modify" "Delete"
U.ACCOUNTMANAGER (note 4) denied denied denied
U.FAXOPERATOR (note 4) denied denied
U.ADDRESSBOOKOPER
ATOR
(note 4) denied denied denied
Unauthenticated (note 4) denied denied denied
Application note:
Condition 1: Jobs submitted by unauthenticated users must contain a credential that the TOE can use to
identify the Job Owner.
Note 1: Job Owner is identified by a credential or assigned to an authorized User as part of the
process of submitting a print or storage Job.
Note 2: Job Owner is assigned to an authorized User as part of the process of initiating a scan, copy,
fax send, or retrieval Job.
Note 3: Job Owner of received faxes is assigned by default or configuration. Minimally, ownership of
received faxes is assigned to a specific user or U.ADMIN role.
Note 4: PSTN faxes are received from outside of the TOE, they are not initiated by Users of the TOE.
6.4.2. FDP_ACF.1 Security attribute based access control
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP to objects based on
the following: subjects, objects, and attributes specified in Table 2 and Table 3.
FDP_ACF.1.2 Refinement: The TSF shall enforce the following rules to determine if an operation among
controlled subjects and controlled objects is allowed: rules governing access among
controlled subjects and controlled objects using controlled operations on controlled objects
specified in Table 13 and Table 14.
FDP_ACF.1.3 Refinement: The TSF shall explicitly authorise access of subjects to objects based on the
following additional rules: [rules none].
FDP_ACF.1.4 Refinement: The TSF shall explicitly deny access of subjects to objects based on the
following additional rules: [rules none].
6.4.3. FDP_FXS_EXT.1 Extended: Fax separation
(for O.FAX_NET_SEPARATION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or
receiving User Data using fax protocols.
6.4.4. FDP_DSK_EXT.1 Extended: Protection of Data on Disk
(for O.STORAGE_ENCRYPTION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(d) Cryptographic operation (AES Data Encryption/Decryption).
FDP_DSK_EXT.1.1 The TSF shall [use a self-encrypting Field-Replaceable Nonvolatile Storage Device that
is separately CC certified to conform to the FDE EE cPP], such that any
Field-Replaceable Nonvolatile Storage Device contains no plaintext User Document
Data and no plaintext Confidential TSF Data.
FDP_DSK_EXT.1.2 The TSF shall encrypt all protected data without user intervention.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
32/64
6.5. Class FIA: Identification and Authentication
6.5.1. FIA_AFL.1 Authentication failure handling
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [1 - 30]]
unsuccessful authentication attempts occur related to [the unsuccessful user authentication
attempts of following the last successful authentication or clear of user account lock].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF
shall [lockout each account in lockout time, U.ADMIN and U.ACCOUNTMANAGER can
release a lockout account].
6.5.2. FIA_ATD.1 User attribute definition
(for O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users:
[User ID, Role].
6.5.3. FIA_PMG_EXT Extended: Password Management
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for User
passwords:
 Passwords shall be able to be composed of any combination of upper and lower case letters, numbers,
and the following special characters: [“!”, “@”, “#”, “$”, “^”, “*”, “(“, “)”, [refer to Table 15]];
 Minimum password length shall be settable by an Administrator, and have the capability to require
passwords of 15 characters or greater;
Table 15 Other Available Characters
Type of
Characters
Available Characters
Punctuation + , - . / : ; = ? ¥ _ ` { | } ~ Space
European
Special
Characters
¢£§ª°µ¿₣€
ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöøùúûü
ýþÿĀāĂ㥹ĆćČčĎďĐĒēĖėĘęĚěĞğĢģĪīĮįİıĶĹĺĻļĽľŁłŃŇňŌōŐőŒœŔŕŖŗŘřŚśŞ
ŠšŢţŤťŪūŮŰűŲųŸŹźŻżŽžƒЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРС
ТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмноптуфхцчшщъыьэюяёђѓєѕіїјљњћќў
џҐΆΈΉΊΌΎΏΐάέήίΰαβγδεζηθικλμνξοπρςστυφχψωϊϋόύώ
6.5.4. FIA_UAU.1 Timing of authentication
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 Refinement: The TSF shall allow [storing the document data from printer driver, receive
PSTN Fax data] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other
TSF-mediated actions on behalf of that user.
6.5.5. FIA_UAU.7 Protected authentication feedback
(for O.USER_I&A)
Hierarchical to: No other components.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
33/64
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [display dummy characters] to the user while the authentication is
in progress.
6.5.6. FIA_UID.1 Timing of identification
(for O.USER_I&A and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 Refinement: The TSF shall allow [receive PSTN fax data] on behalf of the user to be
performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other
TSF-mediated actions on behalf of that user.
6.5.7. FIA_USB.1 User-subject binding
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the
behalf of that user: [User ID, Role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes
with subjects acting on the behalf of users: [none].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes
associated with subjects acting on the behalf of users: [none].
6.6. Class FMT: Security Management
6.6.1. FMT_MOF.1 Management of security functions behavior
(for O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 The TSF shall restrict the ability to [disable, enable] the functions [Secure Channel] to
U.ADMIN.
6.6.2. FMT_MSA.1 Management of security attributes
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control,
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP to restrict the ability
to [query, modify, delete, [create, export]] the security attributes [User ID, Role] to [See
Table 16].
Table 16 Security Attributes List
Security Attributes Operation User
User ID create, modify, query , delete,
export
U.ADMIN
query, export U.ACCOUNTMANAGER
query U.NORMAL,
U.ADDRESSBOOKOPERATOR,
U.FAXOPERATOR
Copyright© 2018 TOSHIBA TEC. All rights reserved.
34/64
Security Attributes Operation User
User ID
(Except for
U.ADMIN)
create, modify, delete U.ACCOUNTMANAGER
Role create, modify, query, delete,
export
U.ADMIN
query, export U.ACCOUNTMANAGER
query U.NORMAL
U.ADDRESSBOOKOPERATOR
U.FAXOPERATOR
Role
(Except for
U.ADMIN)
create, modify, delete U.ACCOUNTMANAGER
6.6.3. FMT_MSA.3 Static attribute initialization
(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 Refinement: The TSF shall enforce the User Data Access Control SFP to provide
[restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 Refinement: The TSF shall allow the [No Role] to specify alternative initial values to
override the default values when an object or information is created.
6.6.4. FMT_MTD.1 Management of TSF data
(for O.ACCESS CONTROL)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 Refinement: The TSF shall restrict the ability to perform the specified operations on the
specified TSF Data to the roles specified in Table 17.
Table 17 Management of TSF Data
Data Operation Authorised role(s)
User Password of U.ADMIN modify, export U.ADMIN
User Password of
U.ACCOUNTMANAGER
modify, export U.ADMIN,
U.ACCOUNTMANAGER
User Password of U.FAXOPERATOR modify, U.FAXOPERATOR relevant to this
TSF data
modify, export U.ADMIN,
U.ACCOUNTMANGER
User Password of
U.ADDRESSBOOKOPERATOR
modify U.ADDRESSBOOKOPERATOR
relevant to this TSF data
modify, export U.ADMIN,
U.ACCOUNTMANGER
User Password of U.NORMAL modify U.NORMAL relevant to this TSF
data
modify, export U.ADMIN,
U.ACCOUNTMANAGER
Allowable Number of entry for Login
Password
modify U.ADMIN
Lockout Time modify U.ADMIN
Locked-out Account Status clear U.ADMIN,
U.ACCOUNTMANGER
Auto Logout Time modify U.ADMIN
Date and Time Information modify U.ADMIN
Minimum Password Length modify U.ADMIN
Copyright© 2018 TOSHIBA TEC. All rights reserved.
35/64
Data Operation Authorised role(s)
Address Book create, modify,
delete
U.ADMIN
U.ADDRESSBOOKOPERATOR
SYSLOG Server Settings modify U.ADMIN
FTP Server Settings modify U.ADMIN
6.6.5. FMT_SMF.1 Specification of Management Functions
(for O.USER_AUTHORIZATION, O.ACCESS_CONTROL, and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1: The TSF shall be capable of performing the following management functions: [refer to Table
18].
Table 18 Management Functions
SFR Management Management Functions Reason
FAU_GEN.1 There are no management activities
foreseen.
None
-
FAU_GEN.2 There are no management activities
foreseen.
None
-
FAU_STG_EXT.1 The TSF shall have the ability to configure
the cryptographic functionality.
None This function is
not provided.
FCS_CKM.1(b) There are no management activities
foreseen.
None -
FCS_CKM.4(a) There are no management activities
foreseen.
None -
FCS_CKM.4(b) There are no management activities
foreseen.
None -
FCS_CKM_EXT.4 There are no management activities
foreseen.
None -
FCS_COP.1(b) There are no management activities
foreseen.
None -
FCS_COP.1(c) There are no management activities
foreseen.
None -
FCS_COP.1(f) There are no management activities
foreseen.
None -
FCS_COP.1(g) There are no management activities
foreseen.
None -
FCS_COP.1(h) There are no management activities
foreseen.
None -
FCS_RBG_EXT.1(a) There are no management activities
foreseen.
None -
FCS_RBG_EXT.1(b) There are no management activities
foreseen.
None -
FCS_TLS_EXT.1 There are no management activities
foreseen.
None -
FCS_HTTPS_EXT.1 There are no management activities
foreseen.
None -
FCS_KDF_EXT.1(b) There are no management activities
foreseen.
None -
FCS_KYC_EXT.1 There are no management activities
foreseen.
None -
FDP_ACC.1 There are no management activities
foreseen.
None -
FDP_ACF.1 a) Management of attributes used for
decision based on explicit access or denial.
None The default
value of an
attribute is fixed
and cannot be
changed.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
36/64
SFR Management Management Functions Reason
FDP_FXS_EXT.1 There are no management activities
foreseen.
None -
FDP_DSK_EXT.1 There are no management activities
foreseen.
None -
FIA_AFL.1 a) Management of the threshold for
unsuccessful authentication attempts
Management of
unsuccessful user
authentication processing
-
b) Management of actions which are taken
for the unsuccessful authentication events
None It is a predefined
action and not
managed.
FIA_ATD.1 a) If “assigned”, an authorized
administrator can define additional security
attributes to a user.
None This function is
not provided.
FIA_PMG_EXT.1 There are no management activities
foreseen.
Minimum Password
Length management
-
FIA_UAU.1 a) Authentication data management by an
administrator
･Management of User
Password
(U.ACCOUNTMANAG
ER/ U.ADMIN
/U.NORMAL/
U.FAXOPERATOR/
U.ADDRESSBOOKOP
ERATOR) by
U.ADMIN.
･Management of User
Password(U.ACCOUN
TMANAGER/U.NOR
MAL/U.FAXOPERATO
R/
U.ADDRESSBOOKOP
ERATOR) by
U.ACCOUNTMANAG
ER
-
b) Authentication data management by a
relative user
･Management of own
User Password by
U.NORMAL
･Management of own
User Password by
U.FAXOPERATOR
･Management of own
User Password by
U.ADDRESSBOOKOP
ERATOR
-
c) List of actions to be taken before user
authentication shall be managed.
None It is a predefined
action and not
managed.
FIA_UAU.7 There are no management activities
foreseen.
None
-
FIA_UID.1 a) Management of User Identity Management of User ID -
b) If an authorized administrator can
change the authorized actions before
identification, the action list must be
controlled.
None It is a predefined
action and not
managed.
FIA_USB.1 a) An authorized administrator can define
security attributes for a default subject.
None There are no
permitted roles.
b) An authorized administrator can change
security attributes of a subject.
None There are no
permitted roles.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
37/64
SFR Management Management Functions Reason
FMT_MOF.1 a) Groups of roles which may affect
reciprocally with the TSF Functions shall
be managed.
None It is a predefined
action and not
managed.
FMT_MSA.1 a) Groups of roles which may affect
reciprocally with the Security Attributes
shall be managed.
None It is a predefined
action and not
managed.
b) Rules for which the Security Attributes
take over any particular values shall be
managed.
None It is a predefined
action and not
managed.
FMT_MSA.3 a) Groups which may be able to identify
the default value shall be managed.
None There are no
roles to specify
the default
value.
b) Restrictive or permissive settings of the
default value for the prescribed access
control SFP shall be managed.
None The default
value is fixed
and cannot be
changed.
c) Rules for which the Security Attributes
take over any particular values shall be
managed.
None The rules cannot
be changed.
FMT_MTD.1 a) Groups of roles which may affect
reciprocally with the TSF Data shall be
managed.
None It is a predefined
action and not
managed.
FMT_SMF.1 There are no management activities
foreseen.
None
-
FMT_SMR.1 a) Management of Groups of Users who
are part of the Role.
None It is a predefined
action and not
managed.
FPT_SKP_EXT.1 There are no management activities
foreseen.
None
-
FPT_STM.1 a) Maqnagement of time Management of the time
stamp settings
-
FPT_TST_EXT.1 There are no management activities
foreseen.
None
FPT_TUD_EXT.1 There are no management activities
foreseen.
None
FTA_SSL.3 a) Specification of the time in which an
user who may cause termination of the
interactive session between each user is
non-active
None Users cannot
configure the
setting
individually.
b) Specification of the default time in
which an user who may cause termination
of the interactive session is non-active
Specification of the
default time in which a
user is non-active after a
session finishes.
-
FTP_ITC.1 a) Configuration of actions which require
the trusted channle, if supported.
Secure channel settings
-
FTP_TRP.1(a) a) Configuration of actions which require
the trusted path, if supported.
None It is a predefined
action and not
managed.
FTP_TRP.1(b) a) Configuration of actions which require
the trusted path, if supported.
None It is a predefined
action and not
managed.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
38/64
SFR Management Management Functions Reason
- -
･Address Book
management
･SYSLOG Server
Settings
･FTP Server Settings
-
6.6.6. FMT_SMR.1 Security roles
(for O.ACCESS_CONTROL, O.USER_AUTHORIZATION, and O.ADMIN_ROLES)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles U.ADMIN, U.NORMAL, U.FAXOPERATOR,
U.ACCOUNTMANAGER, and U.ADDRESSBOOKOPERATOR.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
6.7. Class FPT: Protection of the TSF
6.7.1. FPT_SKP_EXT.1 Extended: Protection of TSF Data
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.
6.7.2. FPT_STM.1 Reliable time stamps
(for O.AUDIT)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
6.7.3. FPT_TST_EXT.1 Extended: TSF testing
(for O.TSF_SELF_TEST)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to
demonstrate the correct operation of the TSF.
6.7.4. FPT_TUD_EXT.1 Extended: Trusted Update
(for O.UPDATE_VERIFICATION)
Hierarchical to: No other components.
Dependencies: FCS_COP.1(b) Cryptographic Operation (for signature generation/verification),
FCS_COP.1(c) Cryptographic operation (Hash Algorithm).
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current version
of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE
firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a
digital signature mechanism and [no other functions] prior to installing those updates.
6.7.5. FPT_KYP_EXT.1 Extended: Protection of Key and Key Material
(for O.KEY_MATERIAL)
Hierarchical to: No other components.
Dependencies: No dependencies.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
39/64
FPT_KYP_EXT.1.1 Refinement: The TSF shall not store plaintext keys that are part of the keychain
specified by FCS_KYC_EXT.1 in any Field-Replaceable Nonvolatile Storage Device.
6.8. Class FTA: TOE Access
6.8.1. FTA_SSL.3 TSF-initiated termination
(for O.USER_I&A)
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [refer to Table 19].
Table 19 Time Interval of User Inactivity
Interface Auto Logout Time
Control Panel 15 - 150 Sec.
Web Browser 5 - 999 Sec.
6.9. Class FTP: Trusted Paths/Channels
6.9.1. FTP_ITC.1 Inter-TSF trusted channel
(for O.COMMS_PROTECTION, O.AUDIT)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_ITC.1.1 Refinement: The TSF shall use [TLS] to provide a trusted communication channel between
itself and authorized IT entities supporting the following capabilities: [[SYSLOG server,
Ftp server, mail server]] that is logically distinct from other communication channels and
provides assured identification of its end points and protection of the channel data from
disclosure and detection of modification of the channel data.
FTP_ITC.1.2 Refinement: The TSF shall permit the TSF, or the authorized IT entities, to initiate
communication via the trusted channel
FTP_ITC.1.3 Refinement: The TSF shall initiate communication via the trusted channel for [SYSLOG
service, FTP service, mail service].
6.9.2. FTP_TRP.1(a) Trusted path (for Administrators)
(for O.COMMS_PROTECTION)
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(a) Refinement: The TSF shall use [TLS, TLS/HTTPS] to provide a trusted communication
path between itself and remote administrators that is logically distinct from other
communication paths and provides assured identification of its end points and protection of
the communicated data from disclosure and detection of modification of the
communicated data.
FTP_TRP.1.2(a) Refinement: The TSF shall permit remote administrators to initiate communication via the
trusted path
FTP_TRP.1.3(a) Refinement: The TSF shall require the use of the trusted path for initial administrator
authentication and all remote administration actions.
6.9.3. FTP_TRP.1(b) Trusted path (for Non-administrators)
(for O.COMMS_PROTECTION))
Hierarchical to: No other components.
Dependencies: [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
Copyright© 2018 TOSHIBA TEC. All rights reserved.
40/64
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(b) Refinement: The TSF shall use [TLS, TLS/HTTPS] to provide a trusted communication
path between itself and remote users that is logically distinct from other communication paths
and provides assured identification of its end points and protection of the communicated data
from disclosure and detection of modification of the communicated data.
FTP_TRP.1.2(b) Refinement: The TSF shall permit [remote users] to initiate communication via the trusted
path
FTP_TRP.1.3(b) Refinement: The TSF shall require the use of the trusted path for initial user authentication
and all remote user actions.
6.10. Security Assurance Requirements
Table 20 lists the security assurance requirements for the Protection Profile for Hardcopy Devices – v1.0.
ASE_SPD.1 is added to the component set defined in EAL1 of the evaluation assurance level in this table.
Table 20 TOE Security Assurance Requirements
Assurance Class
Assurance
Component
Assurance Components Description
Security Target Evaluation ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.1 Security objectives for the operational
environment
ASE_REQ.1 Stated security requirements
ASE_SPD.1 Security Problem Definition
ASE_TSS.1 TOE Summary Specification
Development ADV_FSP.1 Basic functional specification
Guidance Documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Assurance Class ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
Tests ATE_IND.1 Independent testing – Conformance
Vulnerability assessment AVA_VAN.1 Vulnerability survey
6.11. Security Functional Requirements Rationale
6.11.1. Dependencies of Security Functional Requirements Documents
Table 21 shows the analysis results of dependencies for the TOE Security Functional Requirements in this ST.
Table 21 Analysis Results of Dependencies for Security Functional Requirements
TOE Security
Functional
Requirements
Dependencies Required
by CC and PP
Fulfilled
Dependencies in ST
Un-fulfilled
Dependencies
in ST
Reason
FAU_GEN.1 FPT_STM.1 FPT_STM.1 None
FAU_GEN.2 FAU_GEN.1,
FIA_UID.1
FAU_GEN.1,
FIA_UID.1
None
FAU_STG_EXT.1 FAU_GEN.1,
FTP_ITC.1
FAU_GEN.1,
FTP_ITC.1
None
FCS_CKM.1(a) [FCS_COP.1(b), or
FCS_COP.1(i)],
FCS_CKM_EXT.4
FCS_COP.1(b),
FCS_CKM_EXT.4
None
FCS_CKM.1(b) [FCS_COP.1(a), or
FCS_COP.1(d), or
FCS_COP.1(e), or
FCS_COP.1(f), or
FCS_COP.1(g), or
FCS_COP.1(h)],
FCS_COP.1(a),
FCS_COP.1(g),
FCS_CKM_EXT.4,
FCS_RBG_EXT.1(a),
FCS_RBG_EXT.1(b)
None
Copyright© 2018 TOSHIBA TEC. All rights reserved.
41/64
TOE Security
Functional
Requirements
Dependencies Required
by CC and PP
Fulfilled
Dependencies in ST
Un-fulfilled
Dependencies
in ST
Reason
FCS_CKM_EXT.4,
FCS_RBG_EXT.1
FCS_CKM.4(a) [FCS_CKM.1(a), or
FCS_CKM.1(b)]
FCS_CKM.1(a),
FCS_CKM.1(b)
None
FCS_CKM.4(b) [FCS_CKM.1(a), or
FCS_CKM.1(b)]
FCS_CKM.1(a),
FCS_CKM.1(b)
None
FCS_CKM_EXT.4 [FCS_CKM.1(a) or
FCS_CKM.1(b)],
FCS_CKM.4
FCS_CKM.1(a),
FCS_CKM.1(b),
FCS_CKM.4(a),
FCS_CKM.4(b)
None
FCS_COP.1(a)
[FCS_CKM.1(b)],
FCS_CKM_EXT.4
FCS_CKM.1(b),
FCS_CKM_EXT.4
None
FCS_COP.1(b)
[FCS_CKM.1(a)],
FCS_CKM_EXT.4
FCS_CKM.1(a)
FCS_CKM_EXT.4
None
FCS_COP.1(c) None None None
FCS_COP.1(f)
FCS_CKM.1(b),
FCS_CKM_EXT.4
FCS_CKM.1(b),
FCS_CKM_EXT.4
None
FCS_COP.1(g)
[FCS_CKM.1(b)],
FCS_CKM_EXT.4
FCS_CKM.1(b),
FCS_CKM_EXT.4
None
FCS_COP.1(h)
FCS_CKM.1(b),
FCS_COP.1(c),
FCS_CKM_EXT.4
FCS_CKM.1(b),
FCS_COP.1(c),
FCS_CKM_EXT.4
None
FCS_SMC_EXT.1 FCS_COP.1(c) FCS_COP.1(C) None
FCS_RBG_EXT.1(a) None None None
FCS_RBG_EXT.1(b) None None None
FCS_TLS_EXT.1
FCS_CKM.1(a),
FCS_COP.1(a),
FCS_COP.1(b),
FCS_COP.1(c),
FCS_COP.1(g),
FCS_RBG_EXT.1
FCS_CKM.1(a),
FCS_COP.1(a),
FCS_COP.1(b),
FCS_COP.1(c),
FCS_COP.1(g),
FCS_RBG_EXT.1(b)
None
FCS_HTTPS_EXT.1 FCS_TLS_EXT.1 FCS_TLS_EXT.1 None
FPT_KYP_EXT.1 None None None
FCS_KYC_EXT.1
[FCS_COP.1(e),
FCS_SMC_EXT.1,
FCS_COP.1(i),
FCS_KDF_EXT.1, and/or
FCS_COP.1(f)]
FCS_KDF_EXT.1,
FCS_SMC_EXT.1,
FCS_COP.1(f)
FCS_KDF_EXT.1 FCS_COP.1(h) FCS_COP.1(h) None
FDP_DSK_EXT.1
FCS_COP.1(d) None FCS_COP.1(d) A
self-encrypting
Field-Replaceab
le Nonvolatile
Storage Device
that is separately
CC certified to
conform to the
FDE EE cPP is
used.
FDP_ACC.1 FDP_ACF.1 FDP_ACF.1 None
FDP_ACF.1 FDP_ACC.1,
FMT_MSA.3
FDP_ACC.1,
FMT_MSA.3
None
FDP_FXS_EXT.1 None None None
FIA_AFL.1 FIA_UAU.1 FIA_UAU.1 None
FIA_ATD.1 None None None
FIA_PMG_EXT.1 None None None
Copyright© 2018 TOSHIBA TEC. All rights reserved.
42/64
TOE Security
Functional
Requirements
Dependencies Required
by CC and PP
Fulfilled
Dependencies in ST
Un-fulfilled
Dependencies
in ST
Reason
FIA_UAU.1 FIA_UID.1 FIA_UID.1 None
FIA_UAU.7 FIA_UAU.1 FIA_UAU.1 None
FIA_UID.1 None None None
FIA_USB.1 FIA_ATD.1 FIA_ATD.1 None
FMT_MOF.1 FMT_SMR.1,
FMT_SMF.1
FMT_SMR.1,
FMT_SMF.1
None
FMT_MSA.1 [FDP_ACC.1],
FMT_SMR.1,
FMT_SMF.1
FDP_ACC.1,
FMT_SMR.1,
FMT_SMF.1
None
FMT_MSA.3 FMT_MSA.1,
FMT_SMR.1
FMT_MSA.1,
FMT_SMR.1
None
FMT_MTD.1 FMT_SMR.1,
FMT_SMF.1
FMT_SMR.1,
FMT_SMF.1
None
FMT_SMF.1 None None None
FMT_SMR.1 FIA_UID.1 FIA_UID.1 None
FPT_SKP_EXT.1 None None None
FPT_STM.1 None None None
FPT_TST_EXT.1 None None None
FPT_TUD_EXT.1 FCS_COP.1(b),
FCS_COP.1(c)
FCS_COP.1(b),
FCS_COP.1(c)
None
FTA_SSL.3 None None None
FTP_ITC.1 [FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1]
FCS_TLS_EXT.1,
FCS_HTTPS_EXT.1
None
FTP_TRP.1(a) [FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1]
FCS_TLS_EXT.1,
FCS_HTTPS_EXT.1
None
FTP_TRP.1(b) [FCS_IPSEC_EXT.1, or
FCS_TLS_EXT.1, or
FCS_SSH_EXT.1, or
FCS_HTTPS_EXT.1
FCS_TLS_EXT.1,
FCS_HTTPS_EXT.1
None
6.11.2. Security Assurance Requirements Rationale
The rationale for choosing these security assurance requirements is that they define a minimum security baseline that is
based on the anticipated threat level of the attacker, the security of the Operational Environment in which the TOE is
deployed, and the relative value of the TOE itself. The assurance activities throughout the ST are used to provide
tailored guidance on the specific expectations for completing the security assurance requirements.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
43/64
7. TOE SUMMARY SPECIFICATION
Summary Specification of the TOE Security Functionality (TSF) is described in this Chapter.
7.1. Audit
The Summary Specification of the Class FAU Requirements is described as follows.
FAU_GEN.1
The TOE generates audit logs and record them in the audit log file when audit-relevant events occur. This causes
FAU_GEN.1 to be realized.
Table 22 Recorded Events and Audit Logs
Auditable events Events
Recorded User
ID
Result
Start-up of audit
functions
MFP power-on None None
Shutdown of audit
functions
MFP power-off None None
Job completion Print job completion Job owner Success or failure
Scan job completion Job owner Success or failure
Copy job completion Job owner Success or failure
Fax transmission job
completion
Job owner Success or failure
Fax reception job
completion
Job owner Success or deletion
Unsuccessful user
authentication and
identification
Failure of login Logged in User Success or failure
Use of management
functions
Addition of User User who made
modifications
Success or failure
Change of User ID User who made
modifications
Success or failure
Deletion of User User who made
modifications
Success
Change of the settings User who made
modifications
Success
Modification to the
group of Users that are
part of a role
Change of the role
information
User who made
modifications
Success
Changes to the time Modification of the time User who made
modifications
Success
Failure to establish
session
Failure of TLS session
establishment
None Success or failure
The TOE adds the following data to the events to be audited.
・ Date and Time: Time when an error/event occurred.
・ Message: Sentence which describes the event content (Reason of failure when session failed)
・ Error Code: An event is defined as a code, and represented as 4-digit hexadecimal numbers.
・ User ID: Identifier of a Logged in user
・ Result: Result of event implementation
[Relevant TSFI]
・ Control Panel: Login, Home screen, Copy, Simple Copy, Scan, Simple Scan, Fax transmission, Print, Job
display and Log display, Admin settings, Power key
・ TopAccess: Login, Job status, Account, User management, Admin settings
・ Printer Driver: Interface to a Print request
・ Others: Main switch, PSTN Fax interface
Copyright© 2018 TOSHIBA TEC. All rights reserved.
44/64
FAU_GEN.2
If an auditable event occurs, the TOE realizes FAU_GEN.2 by attaching the user ID of a user who caused the
event to the audit log.
[Relevant TSFI]
・ Control Panel: Login, Home screen, Copy, Simple Copy, Scan, Simple Scan, Fax transmission, Print, Job
display and Log display, Admin settings, Power key
・ TopAccess: Login, Job status, Registration, Account, User management, Admin settings
・ Printer Driver: Interface to a Print request
・ Others: Main switch, PSTN Fax interface
FAU_STG_EXT.1
U.ADMIN can set the SYSLOG server as the server where an audit log is transferred from the Admin settings in
TopAccess.
The TOE can save the generated audit log to the internal storage device first, then transfer the data to the SYSLOG
server which is the external audit log server using the communication protocol TLS1.2. The maximum number
of records which can be stored in the storage area of the audio log in the internal storage is as follows: 10,000
message logs, 5,000 print logs, 5,000 scan logs, 5,000 Fax transmission journals, and 5,000 Fax reception journals.
When the maximum number of records of each log reaches the limit, the oldest audit data will be deleted to save
the newest one.
Only U.ADMIN can refers to all the audit logs which were saved to the internal storage and other users can refer
to own job log only by access control.
[Relevant TSFI]
・ Control Panel: Login, Home screen, Copy, Simple Copy, Scan, Simple Scan, Fax transmission, Print, Job
display and Log display, Admin settings, Power key
・ TopAccess: Login, Job status, Registration, Account, User management, Admin settings
・ Printer Driver: Interface to a Print request
・ Others: Main switch, PSTN Fax interface
7.2. Cryptographic Support
The following describes the summary specifications for requirements of Class FCS.
FCS_CKM.1(a)
The TOE creates the RSA key pair as the asymmetric cryptographic key used for key establishment for
cryptographic communication by the rsakpg1-crt method described in Section 6.3.1.3. of NIST SP
80056-B,Revision 1. Random numbers used for key creation is created by CTR_DRBG (AES-256) according to
FCS_RBG_EXT.1(b). This key is saved to the self-encrypting drive after being encrypted.
The TOE does not include the TOE-specific extensions, unique processing which is not written in HCD-PP, or
another implementation which is permitted, for the TSF.
The following shows the TSFO related to this requirement.
[Relevant TSFI]
・ TopAccess: Admin settings
FCS_CKM.1(b)
The TSF creates a session key and HMAC key for communication at the TLS communication negotiation. The
session key and HMAC key are created from the random number shared between the server and client. The
random number is created by CTR_DRBG (AES-256) according to FCS_RBG_EXT.1(b). The parameters of
each key differ depending on the selected Cipher Suite as shown below.
 Session key
A session key is used for encrypting the communication data. The used cryptographic algorithm and key
length differ depending on the selected Cipher Suite. The cryptographic algorithm uses AES-CBC, and
128bit and 256bit can be selected as the session key length.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
45/64
 HMAC key
A HMAC key is used to verify the pseudo random function (PRF) and communication data for key extension.
The key for key extension generates the 256-bit MAC key and the key for data verification generates the
MAC key with the key length according to Cipher Suite.
These keys are saved to the volatile memory and deleted by turning off the power.
[Relevant TSFI]
・ Conform to TSFI of FCS_ITC_EXT.1.
The TSF generates a key derivation key by Hash_DRBG (SHA-512) according to FCS_RBG_EXT.1(a) before
switching to the TOE settings. At this time, the TSF derives the host authentication key 256bit used for the
self-encrypting drive to authenticate the MFP according to FCS_KDF_EXT.1 based on the key derivation key. A
challenge code used for protecting the host authentication key is generated by a random number which was
generated by the random number generation function of the self-encrypting drive (JCMVP authentication No.:
F0022).
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FCS_CKM_EXT.4/FCS_CKM.4(a)
The following keys and BEV handled by the TSF are discarded when they become unnecessary.
 Host authentication key for self-encrypting drive
This key is handled as a unnecessary key when the MFP is disposed. It is discarded by overwriting the area
where the key is stored with a random number using Hash_DRBG (SHA-512) by a random number generator
according to FCS_RBG_EXT.1(a).
The TSFI related to this requirement is as shown below.
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
 key derivation key, intermediate key (output value of FCS_KDF_EXT.1), host authentication key, challenge
code, response code, session key and HMAC key for communication
They are saved to the volatile memory and deleted by turn off the power.
[Relevant TSFI]
・ Control Panel: Power key
・ Others: Main switch
FCS_CKM_EXT.4/FCS_CKM.4(b)
The following keys handled by the TSF are discarded when they are unnecessary.
 Secret key of the server
The secret key of the server is stored in the nonvolatile storage of the self-encrypting drive by being
encrypted. It is handled as a unnecessary key when the administrator generates a new certificate, and the
area where the key is stored is overwritten three times with a fixed value. The key stored in the volatile
memory is deleted by turning off the power.
The TSFI related to this requirement is as shown below.
[Relevant TSFI]
・ TopAccess: Admin settings
FCS_COP.1(a)
The TSF encrypts and decrypts the communication data by operating the 128 bit or 256 bit cryptographic key
generated by FCS_CKM.1(b) and AES cryptographic algorithm conforms to FIPS PUB197 in the CBC mode
complies with NIST SP 800-38A so as to protect the communication data in FTP_ITC.1, FTP_TRP.1(a), and
FTP_TRP.1(b).
The TSFI related to this requirement is as shown below.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
46/64
[Relevant TSFI]
・ Conform to TSFI of FTP_ITC.1
FCS_COP.1(b)
The TSF uses the RSA digital signature algorithm (rDSA) of which the key length is 2048bit which complies with
the Digital Signature Standard prescribed in FIPS PUB 186-4 for creation of signatures during device certificate
creation and verification of the server certificate by FCS_ITC.1 and firmware update by FPT_TUD_EXT.1. The
TSF uses RSASSA-PKCS1-v1_5 for creation of the signatures during device certificate creation and verification
of the server certificate, and RSASSA-PSS for verification of firmware update. Also, the RSA key generated by
FCS_CKM.1 (a) is used for creation of the certificate.
The TSFI related to this requirement is as shown below.
[Relevant TSFI]
・ Conform to TSFI of FCS_ITC.1 and FPT_TUD_EXT.1.
FCS_RBG_EXT.1(a)
The TSF uses entropy sources and DRBG to generate a random number. The DRBG generates a random number
using Hash_DRBG (SHA-512) according to NIST SP 800-90A. The entropy source includes a hardware-based
noise source, and outputs an entropy input which has at least 256-bit entropy from the entropy source to DRBG
according to ISO/IEC 18031:2011 Table C.1“Security Strength Table for Hash Functions”. The noise source
uses the ES of the hardware embedded in SoC (Intel Atom Processor E3825) of the TOE. Output from the noise
source is used for seeding the DRBG in SoC, and outputted by the RDRAND instruction after processing
according to CTR_DRBG(AES) of NIST SP 800-90A. It is known that the noise source includes the minimum
entropy, 0.5 bits or more per 1bit, by the description in [Rambus 2012], the RDRAND instruction is the output of
the DRBG with the security strength of 128 bits which was initialized at the seed of 256 bit entropy from the noise
source. The RDRAND instruction is reseeded from the ES after outputting 511 of 128 bits. Thus, the rngd
daemon process which constitutes the entropy source collects the RDRAND instruction output of which the seed
differs per 16 bytes by compressing 128*512=65,536bit=8,192byte acquired by the RDRAND instruction into 16
bytes by the AES-CBC-MAC processing, and temporarily compiles almost full entropy data in the three
2,500-byte buffers of rngd. When this TSF is used, the parameter has been configured so that Linux PRNG
retains the entropy more than 2048 bits. So the 128 byte data read from the /dev/urandom output of Linux PRNG
by Hash_DRBG (SHA-512) of the TSF is supposed to be almost full entropy.
From the Minimum entropy estimate in Section 6 of NIST SP800-90B, the TSF developer confirmed that the
/dev/urandom output included the minimum entropy, 5.7 bits or more per 8 bits, within the TOE operation
conditions range. It is supposed that the 128 byte bit string of the /dev/urandom output includes the
729.6(=128*8*5.7/8) bit entropy even if it is not estimated as full entropy. FCS_RGB_EXT.1 (a) is realized by
making this bit string as the Entropy Input and supplying the seed value to Hash_DRBG (SHA-512).
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FCS_RBG_EXT.1(b)
The TSF uses entropy sources and DRBG to generate a random number. The DRBG generates a random number
using CTR_DRBG (AES) according to NIST SP 800-90A. This CTR_DRBG (AES) uses the Entropy Input and
Nonce as the seed materials to use the derivation function. The entropy source includes a hardware-based noise
source, and outputs an entropy input which has at least 128-bit entropy and Nonce which has 64-bit entropy from
the entropy source to DRBG according to ISO/IEC 18031:2011 Table C.1“Security Strength Table for Hash
Functions”. The noise source uses the ES of the hardware embedded in SoC (Intel Atom Processor E3825) of the
TOE. Output from the noise source is used for seeding the DRBG in SoC, and outputted by the RDRAND
instruction after processing according to CTR_DRBG(AES) of NIST SP 800-90A. It is known that the noise
source includes the minimum entropy, 0.5bit or more per 1bit, by the description in [Rambus 2012], the RDRAND
instruction is the output of the DRBG with the security strength of 128 bits which was initialized at the seed of 256
bit entropy from the noise source. The RDRAND instruction is reseeded from the ES after outputting 511 of 128
bits. Thus, the rngd daemon process which constitutes the entropy source collects the RDRAND instruction
output of which the seed differs per 16 bytes by compressing 128*512=65,536bit=8,192byte acquired by the
RDRAND instruction into 16 bytes by the AES-CBC-MAC processing, and temporarily compiles almost full
entropy data in the three 2,500-byte buffers of rngd. The necessary entropy is sufficiently supplied from rngd to
Linux PRNG. So the 32 byte data read from the /dev/random output of Linux PRNG by the TSF is supposed to
Copyright© 2018 TOSHIBA TEC. All rights reserved.
47/64
be almost full entropy. From the Minimum entropy estimate in Section 6 of NIST SP800-90B, the TSF
developer confirmed that the /dev/random output included the minimum entropy, 5.7 bits or more per 8 bits,
within the TOE operation conditions range. It is supposed that the 32 byte bit string of the /dev/random output
includes the 182.4(=32*8*5.7/8) bit entropy even if it is not estimated as full entropy. Input this bit string to the
OpenSSL random number which have a role equivalent to the conditioning component role in NIST SP800-90B,
and output the two bit strings, 320 bit and 160 bit, of the OpenSSL random number from the entropy source
respectively. From Section 3.1.5.2 and Section 6 of NIST SP800-90B, the output bit string of this conditioning
component has at least 128 bit and 64 bit entropies. FCS_RGB_EXT.1 (b) is realized by making this bit string as
the Entropy Input and Nonce, and supplying the seed value to CTR_DRBG (AES).
[Relevant TSFI]
・ Control Panel: Power key, Scan, Simple Scan
・ TopAccess: Login, Job status, Account, User management, Admin settings
・ Printer Driver: Interface to a Print request
・ Others: Main switch
7.3. Storage Encryption (Conditionally mandatory)
The following describes the summary specifications for the conditional requirements B.1.
FPT_KYP_EXT.1
The following keys constitute the key chain in FCS_KYC_EXT.1 of this TOE.
 key derivation key
A key derivation key is a 256 bit random number generated by using Hash_DRBG (SHA-512) according to
FCS_RBG_EXT.1, and saved to the volatile storage.
 Intermediate key (Output value of FCS_KDF_EXT.1)
An intermediate key is a 256 bit key derived from the key derivation key according to FCS_KDF_EXT.1, and
saved to the volatile storage.
 Host authentication key
The value which XORed the 256 bit intermediate key (Output value of FCS_KDF_EXT.1) with the 256 bit value
according to FCS_SMC_EXT.1 is used as the host authentication key. This host authentication key is saved to
the volatile storage and the FROM. The FROM is a nonvolatile storage which is not field-replaceable.
 Challenge code
A challenge code is a 256 bit random number generated by using the random number generating function in the
self-encryption drive, and saved to the volatile storage.
 Response code
A response code is an encrypted value used for encryption of the host authentication key by EAS-CBC according
to FCS_COP.1 (f) using the challenge code as the cryptographic key, and saved to the volatile storage.
FCS_KYC_EXT.1
 Host authentication key generation
An intermediate key is derived from the key derivation key according to FCS_KDF_EXT.1. The key
derivation key is a 256 bit random number generated by using Hash_DRBG (SHA-512) according to
FCS_RBG_EXT.1 (a). The KDF processing prescribed in FCS_KDF_EXT.1 is performed for the key
derivation key to derive the intermediate key. In FCS_COP.1 (h), HMAC-SHA-512 is selected so that the
security strength is maintained to be more than 256 bits. This random number was generated by giving a
sufficient entropy amount (256 bits or more) to the DRBG.
Then, use the value which XORed the intermediate key with the 256 bit value according to FCS_SMC_EXT.1 as
the host authentication key.
 Challenge response authentication
A challenge code is a 256 bit random number generated by using the random number generating function in the
self-encryption drive. This challenge code is transmitted to the system control board from the self-encrypting
drive. In the system control board, the host authentication key is encrypted by AES-CBC according to
Copyright© 2018 TOSHIBA TEC. All rights reserved.
48/64
FCS_COP.1(f) by making the challenge code as the cryptographic key. The encrypted value is sent to the
self-encrypting drive from the system control board as the 256 bit response code. The BEV of the key chain in
this TOE is this response code.
From the above, the security strength more than 256 bits is secured in each phase of the key chain.
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FDP_DSK_EXT.1
The TSF encrypts the user data and confidential TSF data by saving them to the self-encrypting drive (JCMVP
authentication No.: F0022). A host authentication key is saved to the MFP and self-encrypting drive when the
MFP is configured as the TOE. This host authentication key is used so that the self-encrypting drive
authenticates the system control board per power on. If authentication successfully finishes, data writing to the
self-encrypting drive is enabled and the written data is automatically encrypted. There is no area which cannot be
encrypted in the self-encrypting drive area used by the TOE. All the user data are encrypted and saved.
[Relevant TSFI]
・ Conform to TSFI of FDP_ACC.1/FDP_ACF.1 and FMT_SMF.1.
7.4. Storage Encryption (Selective requirements)
The following describes the summary specifications for the requirements D.4 selected in Storage Encryption.
FCS_COP.1(f)
The TSF encrypts the random number which was generated by the random number generating function in the
self-encrypting drive per power on (hereinafter, referred to as challenge code) by AES-CBC by making the host
authentication key as the cryptographic key. The value in which the challenge code is encrypted is sent to the
system control board from the self-encrypting drive of the TOE. The system control board encrypts the host
authentication key by AES-CBC by using the challenge code as the key encryption key. The value in which the
host authentication key is encrypted is sent to the self-encrypting drive from the system control board of the TOE.
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FCS_KDF_EXT.1
The TSF derives the intermediate key by the method conforms to KDF in Counter Mode of NIST SP800-108
using the random number which was generated by the random number generator at Hash_DRBG (SHA-512)
according to FCS_RBG_EXT.1 (a) as a sub mask with the hash function with a key according to FCS_COP (h).1
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FCS_SMC_EXT.1
The TSF function outputs the value which XORed the intermediate key outputted by FCS_KDF_EXT.1 with the
256 bit value. This value is used as the host authentication key.
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
・ Others: Main switch (Only for the first start-up after TOE establishment)
FCS_COP.1(h)
The TSF uses HMAC-SHA-512 which conforms to ISO/IEC 9797-2:2011, Section 7 “MAC Algorithm 2”, and
ISO/IEC 10118 for calculating the hash message function with a key in FCS_KDF_EXT.1 during derivation of the
intermediate key from the key derivation key. The HMAC key length is 256 bits, hash function is SHA-512,
block length is 512 bits, and outputted MAC length is 512 bits.
[Relevant TSFI]
・ Control Panel: Power key (Only for the first start-up after TOE establishment)
Copyright© 2018 TOSHIBA TEC. All rights reserved.
49/64
・ Others: Main switch (Only for the first start-up after TOE establishment)
7.5. Communication Protection (Selective requirements)
The following describes the summary specifications for the selective requirements D.2.
FCS_TLS_EXT.1
The TSF supports the TLS communication for communication with each type of servers mentioned in FTP_ITC.1
and communication with the client PC mentioned in FTP_TRP.1(a)/FTP_TRP.1(b). The TLS communication
supported by the TSF is TLS1.2(RFC 5246).
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256
Communication between TSF and Client PC
 The TSF generates the server secret key and public key of the RSA used for the TLS communication
according to FCS_RBG_EXT.1(b) and FCS_CKM.1(a). The signature of the server certificate is
generated by using the secret key according to FCS_COP.1(b).
 The following shows how to share the secret random number data.
 The TSF decrypts the secret random number encrypted by the RSA public key which was sent
from the client PC using the server secret key. The TSF generates the session key and HMAC
key from the secret random number through the pseudo random function (PRF) using the
hashing (HMAC) with a key for message authentication according to FCS_COP.1(c) and
FCS_COP.1(g).
 The following shows how to encrypt and verify the communication data.
 The TSF verifies alteration of the communication data by using the HMAC key according to
FCS_COP.1(c) and FCS_COP.1(g).
 The TSF encrypts and decrypts the communication data in the AES-CBC mode according to
FCS_COP.1 (a).
[Relevant TSFI]
・ Conform to TSFI of FTP_TRP.1(a) and FTP_TRP.1(b).
Communication between TSF and Servers
 The TSF verifies the signature of the server certificate which was sent from each server according to
FCS_COP.1(b).
 The following shows how to share the secret random number data.
 The TSF generates a secret random number according to FCS_RBG_EXT.1(b) for generating the
session key and HMAC key.
 The TSF encrypts the secret random number using the RSA server public key which was sent
from each server. The TSF generates the session key and HMAC key from the secret random
number through the pseudo random function using the hashing (HMAC) with a key for message
authentication according to FCS_COP.1(c) and FCS_COP.1(g).
 The following shows how to encrypt and verify the communication data.
 The TSF verifies alteration of the communication data by using the HMAC key according to
FCS_COP.1(c) and FCS_COP.1(g).
 The TSF encrypts and decrypts the communication data in the AES-CBC mode according to
FCS_COP.1 (a).
[Relevant TSFI]
・ Conform to TSFI of FTP_ITC.1.
Communication between TSF and Client PC using IPPS
 The TSF generates the server secret key and public key of the RSA used for the TLS communication
according to FCS_RBG_EXT.1(b) and FCS_CKM.1(a). The signature of the server certificate is
Copyright© 2018 TOSHIBA TEC. All rights reserved.
50/64
generated by using the secret key according to FCS_COP.1(b).
 The TSF decrypts the secret random number encrypted by the RSA public key which was sent from the
client PC using the server secret key. The TSF generates the session key and HMAC key from the
secret random number through the pseudo random function using the hashing (HMAC) with a key
for message authentication according to FCS_COP.1(c) and FCS_COP.1(g).
 The TSF verifies alteration of the communication data by using the HMAC key according to
FCS_COP.1(c) and FCS_COP.1(g).
 The TSF encrypts and decrypts the communication data in the AES-CBC mode according to
FCS_COP.1 (a).
[Relevant TSFI]
・ Printer Driver: Interface to a Print request
FCS_HTTPS_EXT.1
The HTTP protocol which complies with RFC2818 is implemented so as to establish the trusted communication
path between the TOE and the remote users. FCS_HTTPS_EXT.1 is realized by enabling the HTTPS
communication using the TLS protocol which is specified at FCS_TLS_EXT.1.
[Relevant TSFI]
・ TopAccess: Login, Job status, Account, User management, Admin settings
FCS_COP.1(g)
The TSF is used for the pseudo random function (PRF) which is used for generating the session key and HMAC
key from a secret random number during the TLS communication. The TSF is also used for verifying alteration
of the communication data in TLS communication. The hash message with a key is authenticated according to
HMAC-SHA-1 in which the message length and key length that satisfy FIPS PUB 198-1, “The Keyed-Hash
Message Authentication Code”, and FIPSPUB 180-3, “Secure Hash Standard” are 160 bits and HMAC-SHA-1 in
which the message length and key length are 256 bits. The hash function used at this time conforms to
FCS_COP.1(c). From the above, FCS_COP.1(g) is realized.
[Relevant TSFI]
・ Conform to TSFI of FTP_ITC.1.
7.6. Trusted Update (Selective requirements)
The following describes the summary specifications for the selective requirements D.3.
FCS_COP.1(c)
A digital signature must be attached to the firmware to verify the integrity of the firmware during firmware update
at FPT_TUD_EXT.1. The cryptographic hash function conforms to SHA-256 which complies with ISO/IEC
10118-3:2004. The TSF authenticates the hash message with a key according to FCS_COP.1(g) during
verification of the communication data integrity. The cryptographic hash function which is used at that time
conforms to SHA-1 and SHA-256 which comply with ISO/IEC 10118-3:2004. The TSF authenticates the hash
message with a key according to FCS_COP.1(h) during generation of the host authentication key. The
cryptographic hash function which is used at that time conforms to SHA-512 which comply with ISO/IEC
10118-3:2004.
From the above, FCS_COP.1(c) is realized.
[Relevant TSFI]
・ Control Panel: Admin settings
・ TopAccess: Admin settings
7.7. User Data Protection
The following describes the summary specifications for the requirements for Class FDP.
FDP_ACC.1/FDP_ACF.1
The TOE performs access control for the user document data and operation for the user document data. Access
control for the user document data allows access only when the user ID linked to the document data matched the
Copyright© 2018 TOSHIBA TEC. All rights reserved.
51/64
user ID of a user who has been identified and authenticated at login. The access control for the user document
operation is performed according to the roles retained by the user as shown in Table 13 and Table 14.
FCC_ACC.1 and FDP.AFC.1 are realized by the access control shown in the table below.
Table 23 Print Access Control for D.USER.DOC
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.NORMAL as the Job owners who
implement printing of the documents.
・ Allow browse and output of the documents implemented by the Job
Owner.
・ Deny modification of the documents implemented by the Job
Owner.
・ Allow deletion of the documents implemented by the Job Owner.
U.ADMIN ・ Allow implementation of the documents to be printed.
・ Deny implementation of the print documents implemented by other
users.
・ Deny modification of the print documents implemented by other
users.
・ Allow deletion of the print documents stored by other users.
U.NORMAL ・ Allow implementation of the documents to be printed.
・ Deny implementation of the print documents implemented by other
users.
・ Deny modification of the print documents implemented by other
users.
・ Deny deletion of the print documents stored by other users.
U.ACCOUNTMANAGER
U.FAXOPERATOR
U.ADDRESSBOOKOPERATOR
・ Deny implementation of the documents to be printed.
・ Deny browse of all implemented print documents.
・ Deny modification of all implemented print documents.
・ Deny deletion of all stored print documents.
Unauthorized User ・ Allow the print documents implemented by the identified
U.ADMIN and U.NORMAL.
・ Deny browse of all implemented print documents.
・ Deny modification of all implemented print documents.
・ Deny deletion of all stored print documents.
[Relevant TSFI]
・ Control Panel: Print
・ Printer Driver: Interface to a Print request
Table 24 Scan Access Control for D.USER.DOC
User Access Control Rules
Job Owner ・ Assign U.NORMAL as the Job owner who implements scanning of
the document.
・ Allow browse of the images scanned by the Job Owner.
・ Allow modification and deletion of the image scanned by the Job
Owner.
U.ADMIN ・ Allow implementation of the documents to be scanned.
・ Deny browse of the images scanned by other users.
・ Deny modification of the images scanned by all users.
・ Allow deletion of the images scanned by the U.ADMIN and deny
deletion of the images scanned by other users.
U.NORMAL ・ Allow implementation of the documents to be scanned.
・ Deny browse of the images scanned by other users.
・ Deny modification and deletion of the images scanned by all users.
U.ACCOUNTMANAGER
U.FAXOPERATOR
U.ADDRESSBOOKOPERATOR
・ Deny implementation of the documents to be scanned.
・ Deny browse of all scanned images.
・ Deny modification and deletion of the images scanned by all users.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
52/64
User Access Control Rules
Unauthorized User ・ Deny implementation of the documents to be scanned.
・ Deny browse of all scanned images.
・ Deny modification and deletion of all scanned images.
[Relevant TSFI]
・ Control Panel: Scan, Simple Scan
Table 25 Copy Access Control for D.USER.DOC
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.NORMAL as the Job owners who
implement copying of the documents.
・ Allow output of the copied documents printed by the Job Owner.
・ Deny modification and deletion of images personally saved.
・ Allow deletion of images personally saved.
U.ADMIN ・ Allow implementation of the documents to be copied.
・ Deny browse of the images copied by the other users.
・ Deny modification of the images copied and saved by the other
users.
・ Allow deletion of the images copied and saved by the other users.
U.NORMAL ・ Allow implementation of the documents to be copied.
・ Deny browse of the images copied by the other users.
・ Deny modification of the images copied and saved by the other
users.
・ Deny deletion of the images copied and saved by the other users.
U.ACCOUNTMANAGER
U.FAXOPERATOR
U.ADDRESSBOOKOPERATOR
・ Deny implementation of the documents to be copied.
・ Deny browse of all copied images.
・ Deny modification of all copied and saved images.
・ Deny deletion of all copied and saved images.
Unauthorized User ・ Deny implementation of the documents to be copied.
・ Deny browse of all copied images.
・ Deny modification of all copied and saved images.
・ Deny deletion of all copied and saved images.
[Relevant TSFI]
・ Control Panel: Copy, Simple Copy, Job display and Log display
Table 26 Fax Transmission Access Control for D.USER.DOC
User Access Control Rules
Job Owner ・ Assign U.ADMIN, U.NORMAL and U.FAXOPERATOR as the
Job owners who implement fax transmission of the documents.
・ Allow browse of the images scanned by the Job Owner.
・ Allow modification of the images personally saved.
・ Allow deletion of the images personally saved.
U.ADMIN ・ Allow implementation of Fax transmission documents.
・ Deny browse of the images scanned by the other users.
・ Deny modification of the images saved by the other users.
・ Allow deletion of the images saved by the other users.
U.NORMAL
U.FAXOPERATOR
・ Allow implementation of Fax transmission documents.
・ Deny browse of the images scanned by other users.
・ Deny modification of images saved by the other users.
・ Deny deletion of images saved by the other users.
U.ACCOUNTMANAGER
U.ADDRESSBOOKOPERATOR
・ Deny implementation of Fax transmission documents.
・ Deny browse of all scanned images.
・ Deny modification of all saved images.
・ Deny deletion of all saved images.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
53/64
User Access Control Rules
Unauthorized User ・ Deny implementation of Fax transmission documents.
・ Deny browse of all scanned images.
・ Deny modification of all saved images.
・ Deny deletion of all saved images.
[Relevant TSFI]
・ Control Panel: Fax, Job display and Log display
Table 27 Fax Reception Access Control for D.USER.DOC
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.FAXOPERATOR as the Job owners who
implement fax reception of the documents.
・ Allow browse and print of all Fax-received documents.
・ Deny modification of all Fax-received documents.
・ Allow deletion of all Fax-received documents.
U.ADMIN
U.FAXOPERATOR
・ Allow all Fax receptions regardless of the user’s operation.
・ Allow browse and print of all Fax-received documents.
・ Deny modification of all Fax-received documents.
・ Allow deletion of all Fax-received documents.
U.NORMAL
U.ACCOUNTMANAGER
U.ADDRESSBOOKOPERATOR
・ Allow all Fax receptions regardless of the user’s operation.
・ Deny browse and print of all Fax-received images.
・ Deny modification of all Fax-received images.
・ Deny deletion of all Fax-received images.
Unauthorized User ・ Allow all Fax receptions regardless of the user’s operation.
・ Deny browse and print of all Fax-received images.
・ Deny modification of all Fax-received images.
・ Deny deletion of all Fax-received images.
None ・ All Fax-received images are received from the outside of the TOE
regardless of the user’s operation.
[Relevant TSFI]
・ Control Panel: Print
・ Others: PSTN Fax Interface
Table 28 Print Access Control for D.USER.JOB
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.NORMAL as the Job owners of the jobs
printed by themselves.
U.ADMIN ・ Allow creation of the print jobs.
・ Allow browse of all print jobs.
・ Deny modification of all print jobs.
・ Allow cancel of all print jobs.
U.NORMAL ・ Allow creation of the print jobs.
・ Allow browse of all print jobs.
・ Deny modification of all print jobs.
・ Allow cancel of own print jobs, but deny cancel of other users’
print jobs.
U.ACCOUNTMANAGER
U.FAXOPERATOR
U.ADDRESSBOOKOPERATOR
・ Deny creation of the print jobs.
・ Allow browse of all print jobs.
・ Deny modification of all print jobs.
・ Deny cancel of all print jobs.
Unauthorized User ・ Allow creation of the print jobs.
・ Deny browse of all print jobs.
・ Deny modification of all print jobs.
・ Deny cancel of all print jobs.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
54/64
[Relevant TSFI]
・ Control Panel: Print, Job display and Log display
・ TopAccess: Job status
・ Printer Driver: Interface to a Print request
Table 29 Scan Access Control for D.USER.JOB
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.NORMAL as the Job owners of the jobs
scanned by themselves.
U.ADMIN ・ Allow creation of the scanned jobs.
・ Allow browse of all scanned jobs.
・ Deny modification of all scanned jobs.
・ Allow cancel of all scanned jobs.
U.NORMAL ・ Allow creation of the scanned jobs.
・ Allow browse of all scanned jobs.
・ Deny modification of all scanned jobs.
・ Allow cancel of own scanned jobs, but deny cancel of other users’
scanned job.
U.ACCOUNTMANAGER
U.ADDRESSBOOKOPERATOR
U.FAXOPERATOR
・ Deny creation of the scanned jobs.
・ Allow browse of all scanned jobs.
・ Deny modification of all scanned jobs.
・ Deny cancel of all scanned jobs.
Unauthorized User ・ Deny creation of the scanned jobs.
・ Deny browse of all scanned jobs.
・ Deny modification of all scanned jobs.
・ Deny cancel of all scanned jobs.
[Relevant TSFI]
・ Control Panel: Scan, Simple Scan, Job display and Log display
・ TopAccess: Job status
Table 30 Copy Access Control for D.USER.JOB
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.NORMAL as the Job owners of the copy
jobs executed by themselves.
U.ADMIN ・ Allow creation of the copy jobs.
・ Allow browse of all copy jobs.
・ Deny modification of all copy jobs.
・ Deny cancel of all copy jobs.
U.NORMAL ・ Allow creation of the copy jobs.
・ Allow browse of all copy jobs.
・ Deny modification of all copy jobs.
・ Allow cancel of own copy jobs, but deny cancel of other users’
copy jobs.
U.ACCOUNTMANAGER
U.FAXOPERATOR
U.ADDRESSBOOKOPERATOR
・ Deny creation of the copy jobs.
・ Allow browse of all copy jobs.
・ Deny modification of all copy jobs.
・ Deny cancel of all copy jobs.
Unauthorized User ・ Deny creation of the copy jobs.
・ Deny browse of all copy jobs.
・ Deny modification of all copy jobs.
・ Deny cancel of all copy jobs.
[Relevant TSFI]
・ Control Panel: Copy, Simple Copy, Job display and Log display
・ TopAccess: Job status
Copyright© 2018 TOSHIBA TEC. All rights reserved.
55/64
Table 31 Fax Transmission Access Control for D.USER.JOB
User Access Control Rules
Job Owner ・ Assign U.ADMIN, U.NORMAL, and U.FAXOPERATOR as the
Job owners of the fax transmission jobs executed by themselves.
U.ADMIN ・ Allow creation of Fax transmission jobs.
・ Allow browse of all Fax transmission jobs.
・ Deny modification of all Fax transmission jobs.
・ Allow cancel of all Fax transmission jobs.
U.NORMAL ・ Allow creation of Fax transmission jobs.
・ Allow browse of all Fax transmission jobs.
・ Deny modification of all Fax transmission jobs.
・ Allow cancel of own Fax transmission jobs, but deny cancel of
other users’ Fax transmission jobs.
U.ACCOUNTMANAGER
U.ADDRESSBOOKOPERATOR
・ Deny creation of Fax transmission jobs.
・ Allow browse of all Fax transmission jobs.
・ Deny modification of all Fax transmission jobs.
・ Deny cancel of all Fax transmission jobs.
U.FAXOPERATOR ・ Allow creation of Fax transmission jobs.
・ Allow browse of all Fax transmission jobs.
・ Deny modification of all Fax transmission jobs.
・ Allow cancel of own Fax transmission jobs, but deny cancel of
other users’ Fax transmission jobs.
Unauthorized User ・ Deny creation of Fax transmission jobs.
・ Deny browse of all Fax transmission jobs.
・ Deny browse of all Fax transmission logs.
・ Deny modification of all Fax transmission jobs.
・ Deny cancel of all Fax transmission jobs.
[Relevant TSFI]
・ Control Panel: Fax transmission, Job display and Log display
・ TopAccess: Job status
Table 32 Fax Reception Access Control for D.USER.JOB
User Access Control Rules
Job Owner ・ Assign U.ADMIN and U.FAXOPERATOR as the Job owners of
the fax reception jobs executed by themselves.
U.ADMIN
U.FAXOPERATOR
・ Allow creation of all Fax-received Jobs regardless of the user’s
operation.
・ Allow browse of all Fax-received Jobs.
・ Deny modification of all Fax-received Jobs.
・ Allow cancel of all Fax-received Jobs.
U.NORMAL
U.ACCOUNTMANAGER
U.ADDRESSBOOKOPERATOR
・ Allow creation of all Fax-received Jobs regardless of the user’s
operation.
・ Deny browse of all Fax-received Jobs.
・ Deny modification of all Fax-received Jobs.
・ Deny cancel of all Fax-received Jobs.
Unauthorized User ・ Allow creation of all Fax-received jobs.
・ Deny browse of all Fax-received Jobs.
・ Deny modification of all Fax-received Jobs.
・ Deny cancel of all Fax-received Jobs.
[Relevant TSFI]
・ Control Panel: Job display and Log display
・ TopAccess: Job status
・ Others: PSTN Fax Interface
Copyright© 2018 TOSHIBA TEC. All rights reserved.
56/64
7.8. PSTN Fax-Network Separation
The following describes the summary specifications for the conditional requirements B.2.
FDP_FXS_EXT.1
Fax transmission and reception are only the functions of the Fax modem.
The Fax interface of the TOE is used only for transmission and reception of the Fax document data with the
external Fax machines, and is not used for other purposes.
The Fax interface of the TOE supports only ITU-T-compliant G3 as the transmission/reception protocol. Thus,
only transmission and reception using the Fax protocol are accepted in communication between the TOE and
PSTN. However, communication in which the negotiation with Phase B is not established does not move to the
subsequent phase and fails in the communication error, so the TOE disconnects the communication line.
From the above, bridge connection between the PSTN and LAN is prohibited.
[Relevant TSFI]
・ Others: PSTN Fax Interface
7.9. Identification and Authentication
The following describes the summary specifications for the requirements for Class FIA.
FIA_AFL.1
・ When the number of failed authentication, counted from the last succeeded authentication or login after
releasing the account lock reaches the number of times set by the U.ADMIN (1 to 30), the TOE locks out the
applicable user ID for a certain period of time.
・ The function which releases the locked-out state of a user is provided for the U.ADMIN and
U.ACCOUNTMANAGER.
[Relevant TSFI]
・ Control Panel: Login
・ TopAccess: Login, Admin settings
FIA_ATD.1
・ The TOE associates the user ID and role with a user as the security attributes and registers and maintains them.
[Relevant TSFI]
・ TopAccess: User management
FIA_PMG_EXT.1
The TOE provides the function to investigate the user password at registration and change of the password. Any
combination of the following characters is allowed as a password: Upper and lower case letters, numbers,
punctuation marks (+ , - . / : ; = ? ¥ _ ` { | } ~ space), special characters (! @#$^ *()), and European special
characters (characters with the German umlauts and French cedilla: See Table 15 for details.). It is also
possible to set the minimum number of digits for a password to more than 15 letters by the U.ADMIN.
[Relevant TSFI]
・ Control Panel: Home screen, Login, Admin settings
・ TopAccess: Login, Account
FIA_UAU.7
If a user enters a password on the control panel, the TOE displays “●” as dummy characters on the control panel
instead of the entered characters. Similarly, in the case that a user enters a password from the web browser,
alternative characters are displayed instead of the entered characters. The alternative characters depend on the
browser used by the user.
[Relevant TSFI]
・ Control Panel: Login
・ TopAccess: Login
Copyright© 2018 TOSHIBA TEC. All rights reserved.
57/64
FIA_UAU.1/FIA_UID.1
The TOE requires identification and authentication of a user. Identification and authentication of a user are
executed to the user account database. If the user ID and password do not match the credential data which is
internally saved, login is denied and an input prompt is displayed again for the user.
The user ID of a job owner is associated with a print job performed from the client PC through the printer driver.
The TOE identifies the user ID upon reception of a print job, and stores the print job in the print hold queue.
Also, the TOE saves a fax-received job internally without performing identification and authentication of the job.
[Relevant TSFI]
・ Control Panel: Login
・ TopAccess: Login
・ Print driver: Interface to a Print request
・ Others: PSTN Fax Interface
FIA_USB.1
・ The TOE associates a user with the user ID and role if identification and authentication are successfully
finished.
[Relevant TSFI]
・ Control Panel: Login
・ TopAccess: Login
7.10. Security Management
The following describes the summary specifications for the requirements for Class FMT.
FMT_MOF.1
The TOE provides the U.ADMIN only with the function which switches the Enable/Disable settings for secure
channel function.
[Relevant TSFI]
・ Control Panel: Admin settings
・ TopAccess: Admin settings
FMT_MSA.1
The TOE provides the U.ADMIN with the following functions.
・ Creation, change, inquiry, deletion, and export of all user IDs
・ Creation, change, inquiry, deletion, and export of all roles
The TOE provides the U.ACCOUNTMANAGER with the following functions.
・ Inquiry and export of all user IDs
・ Creation, change, and deletion of the user IDs except for the U.ADMIN
・ Creation, change and deletion of the roles except for the U.ADMIN
The TOE provides the U.NORMAL, U.ADDRESSBOOKOPERATOR, and U.FAXOPERATOR with the
following functions.
・ Inquiry of own user ID
・ Inquiry of own role
[Relevant TSFI]
・ TopAccess: User management
FMT_MSA.3
When a new D.USER.DOC and D.USER.JOB are created, the TOE assigns the user ID of the user who created
them as the initial value of the security attribute.
The TOE does not provide the function which overwrites the initial value of the user ID which is the security
attribute when the D.USER.DOC and D.USER.JOB are created.
[Relevant TSFI]
Copyright© 2018 TOSHIBA TEC. All rights reserved.
58/64
・ Control Panel: Copy, Simple Copy, Scan, Simple Scan, Fax transmission
・ TopAccess: User management
・ Printer Driver: Interface to a Print request
FMT_MTD.1
The TOE provides the U.ADMIN with the following operation functions.
・ Change and export of the user password for the U.ADMIN.
・ Change and export of the user password for the U.ACCOUNTMANAGER.
・ Change and export of the user password for the U.FAXOPERATOR.
・ Change and export of the user password for the U.ADDRESSBOOKOPERATOR.
・ Change and export of the user password for the U.NORMAL.
・ Change of the Allowable Number of entry for Login Password.
・ Change of the lockout time.
・ Status clear for all locked-out accounts.
・ Change of the auto logout time.
・ Change of the date and time information.
・ Change of the minimum password length.
・ Creation, change, and deletion of the address book.
・ Change of the SYSLOG server settings.
・ Change of the FTP server settings.
The TOE provides the U.FAXOPERATOR with the following operation functions.
・ Change of the own user password.
The TOE provides the U.ACCOUNTMANAGER with the following operation functions.
・ Change and export of the user password for the U.ACCOUNTMANAGER.
・ Change and export of the user password for the U.FAXOPERATOR.
・ Change and export of the user password for the U.ADDRESSBOOKOPERATOR.
・ Change and export of the user password for the U.NORMAL.
・ Status clear for the locked-out accounts other than the U.ADMIN.
The TOE provides the U.NORMAL with the following operation functions.
・ Change of the own user password.
The TOE provides the U.ADDRESSBOOKOPERATOR with the following operation functions.
・ Change of the own user password.
[Relevant TSFI]
・ Control Panel: Login, Home screen, Job display and Log display, Admin settings
・ TopAccess: Login, Account, User management, Admin settings
FMT_SMF.1
The TOE provides the following security management functions to realize FMT_SMF.1.
Time Stamp Settings Management:
・ Change operation of the date and time information by the U.ADMIN.
User ID Management:
・ Change operation of the user ID by the U.ADMIN or U.ACCOUNTMANAGER.
User Password Management:
・ Change and export operation of the user password for U.ACCOUNTMANAGER, U.NORMAL,
U.FAXOPERATOR, U.ADMIN and U.ADDRESSBOOKOPERATOR by the U.ADMIN.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
59/64
・ Change and export operation of the user password for the U.ACCOUNTMANAGER, U.NORMAL,
U.FAXOPERATOR, and U.ADDRESSBOOKOPERATOR by the U.ACCOUNTMANAGER.
・ Change operation of the own user password by the U.NORMAL.
・ Change operation of the user password by the U.FAXOPERATOR.
・ Change operation of the user password by the U.ADDRESSBOOKOPERATOR.
Unsuccessful User Authentication Processing Management:
・ Change operation of the number of entries of the login password by the U.ADMIN.
・ Change operation of the lockout time by the U.ADMIN.
・ Locked-out account status clear operation by the U.ADMIN or U.ACCOUNTMANAGER.
Minimum Password Length Management:
・ Change operation of the minimum password length by the U.ADMIN.
Specification of the inactive predetermined time for the user after the session is finished:
・ Change operation of the auto logout time by the U.ADMIN.
Secure Channel Settings:
・ Change operation of the Enable/Disable settings for TLS communication by the U.ADMIN.
Address Book Management:
・ Change operation of the Address Book by the U.ADMIN.
SYSLOG Server:
・ Change operation of the SYSLOG server settings by the U.ADMIN.
FTP Server:
・ Change operation of the FTP server settings by the U.ADMIN.
[Relevant TSFI]
・ Control Panel: Login, Home screen, Job display and Log display, Admin settings
・ TopAccess: Login, Account, User management, Admin settings
FMT_SMR.1
The TOE retains a role related to the U.ADMIN, U.ACCOUNTMANAGER, U.NORMAL, U.FAXOPERATOR,
and U.ADDRESSBOOKOPERATOR, and associates the role with the applicable user when a user is registered.
[Relevant TSFI]
・ TopAccess: User management
7.11. Protection of the TSF
The following describes the summary specifications for the requirements for Class FPT.
FPT_SKP_EXT.1
・ The TSF stores the encrypted server secret key in the self-encrypting drive, but does not provide a function to
access all users.
・ The TSF saves the key derivation key, intermediate key, challenge code and response code to the volatile
memory in the plain text, but does not provide a function to access all users. These CSP will be deleted by
turning off the power.
・ The TSF saves the host authentication key to the FROM in the plain text, but does not provide a function to
access all users.
・ The TSF saves the session key and HMAC key for the TLS communication to the volatile memory in the plain
text, but does not provide a function to access all users. These common keys are deleted by turning off the
power.
From the above, FPT_SKP_EXT.1 is realized.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
60/64
FPT_STM.1
The TOE uses “Year”, “Month”, “Day”, “Hour”, “Minute”, and “Second”, which are provided by the real clock
IC embedded in the TOE for registration of the audit log, as a stamp to realize FPT_STM.1.
[Relevant TSFI]
・ Conform to relevant TSFI of FAU_GEN.1, FAU_GEN.２.
FPT_TST_EXT.1
The TOE conducts the following self-tests at power on.
・ Health test of the firmware
Software that controls the MFP (SYSTEM FIRMWARE and SYSTEM SOFTWARE) implements verification
by the electronic signature system which uses RSA as the public key system and SHA-256 as the hash function.
Firmware of the printer unit (ENGINE FIRMWARE), scanner unit (SCANNER FIRMWARE), and fax unit
(FAX FIRMWARE) respectively calculates 16-bit checksum to verify whether firmware is legitimate.
・ Health test of the entropy source
Software that controls the MFP (SYSTEM SOFTWARE) starts the rngd process at power on and gets 4096
bytes from /dev/random of Linux PRNG to perform self verification according to NIST SP 800-90B. rngd
calls the RDRAND instruction several times by retrying tight loop because entropy is supplied to Linux PRNG
at this time. The SYSTEM SOFTWARE outputs a log of the abnormal detection and terminates the rngd
process upon detection of the continuous error (CF=0) 10 times during the call. If the constant monitoring of
the process monitoring task detects the termination of the rngd process, Service Call is displayed on the panel,
and the TOE stops operation. When the RDRAND instruction is called, the continuous health test is
automatically performed by the Online Health Test (OHT) which is embedded in SoC so as to assure that the
noise source inside the entropy source is not broken. The frequency of occurrence of the 6-type bit patterns
which are from the 1-bit through 4-bit length to the raw output of the noise source, 256 bit, is counted in the
test. If the frequency is within the appropriate range, it is recorded as acceptable. If not, it is recorded as
rejected. The probability that the identically distributed random numbers are judged as failure is about 1%.
On the other hand, it is known by the description in [Rambus 2012] that occurrence of fatal failures, such that
the output patterns of the noise source are fixed to 0 or 1 or 0 and 1 appear alternately, are detected. The
OHT retains the recent 256 histories. If the results are acceptable more than 129, the RDRAND instruction
returns the value together with CF=1. If not, an error is returned by CF=0. Also, the Built in Self Test
(BIST) embedded in SoC which is executed automatically at power on confirms that the OHT within SoC and
CTR_DRBG work correctly by the known answer so as to verify that the OHT works correctly. If an
abnormality is detected in the BIST, the RDRAND instruction always returns an error by CF=0.
If an abnormality is detected in the above health test, an error code appears on the control panel, the TOE stops
startup, and a user cannot use the TOE. The software TSF implemented in the firmware has verified the
integrity of the execution code by the health test of the firmware. The hardware TSF uses the hardware-based
noise source in the entropy source. Failures are detected by the verification whether the raw output of the
noise source in the entropy source is correct by executing the functions of the health test embedded in SoC
during the health test of the entropy source.
From the above, it is substantial as a test which verifies that the TSF works correctly at power on.
[Relevant TSFI]
・ Control Panel: Power key
・ Others: Main switch
FPT_TUD_EXT.1
The TSF provides the U.ADMIN with the Admin settings screen on the Home screen of the control panel as an
interface to confirm the current software version information of the TOE, and the Admin settings screen on the
control panel and the admin settings screen in TopAccess as the interfaces to update software.
Also, the TSF provides the digital signature verification function which verifies the authenticity of software to be
updated before starting update. The verification method is as follows: Compare the hash value which is
decrypted from the digital signature provided in the files of each firmware to be updated (SYSTEM SOTWAER,
SYSTEM FIRMWARE, ENGINE FIRMWARE, SCNNER FIRMARE, and FAX1 FIRMWARE) by
Copyright© 2018 TOSHIBA TEC. All rights reserved.
61/64
RSASSA-PSS according to FCS_COP.1(b) and the hash value which is derived from each firmware to be updated
by SHA-256 according to FCS_COP.1(c). If the values match, it can be verified that the firmware is correct.
[Relevant TSFI]
・ Control Panel: Home screen, Admin settings
・ TopAccess: Admin settings
7.12. TOE Access
The following describes the summary specifications for the requirements for Class FTA.
FTA_SSL.3
The TOE forcibly logs the user out if the user does not operate the control panel for a certain period of time. The
time can be set from 15 through 150 seconds. Also, a session is forcibly terminated and a user is logged out
when the user does not operate for a certain period of time after accessing the TOE though the web browser. The
time can be set from 5 through 999 minutes.
[Relevant TSFI]
・ Control Panel: Login
・ TopAccess: Login
7.13. Trusted Path/Channel
The following describes the summary specifications for the requirements for Class FTP.
FTP_ITC.1
The TOE starts communication using TLS1.2 to protect data during communication between each server. In the
case that the TOE accesses the mail server, SYSLOG server, and FTP server through the trusted channel, start of
the TLS communication is requested to each server.
[Relevant TSFI]
・ Control Panel: Power key, Login, Home screen, Copy, Simple Copy, Scan, Simple Scan, Print, Fax
transmission, Job display and Log display, Admin settings
・ TopAccess: Login, Job status, Account, User management, Admin settings
・ Printer Driver: Interface to a Print request
・ Others: Main switch, PSTN Fax interface
FTP_TRP.1(a), FTP_TRP.1(b)
The TSF provides the following functions in order to prevent the communication data from leakage and provide
the trusted path which detects alteration of the communication data in the communication path among the TOE,
remote administrators, and remote users.
Communication with the WEB page:
・ Connection is made by the HTTPS network protocol so as to establish the trusted path from the client PC to
the web page of the TOE.
・ Communication starts only in the case that the connection is made by the HTTPS protocol when a remote
administrator and remote user connect to the web page of the TOE from the client PC using the web
browser.
・ The first administrator authentication, user authentication, and all remote user actions from the client PC
are executed only for connection using the HTTPS protocol.
Print from the client PC:
・ For printing from the client PC using the printer driver, connection should be made by the TLS
communication protocol for establishing the trusted path during connection to the TOE.
[Relevant TSFI]
・ TopAccess: Login, Job status, Account, User management, Admin settings
Printer Driver: Interface to a Print request
Copyright© 2018 TOSHIBA TEC. All rights reserved.
62/64
Table 33 defines the TSFI related to this Chapter.
Table 33 Definition of TSFI
TSFI Name Details
Control Panel
Power key An interface which starts up and shuts down the MFP by turning off and on the main
switch.
Login An interface which identifies and authenticates a user who accesses the MFP from the
control panel.
Home Screen An interface which changes the user password and confirms the TOE version.
Copy An interface which copies a document.
Simple Copy An interface which copies a document.
Scan An interface which scans an original as the image data, and previews, deletes, replaces,
and inserts the scanned image data, saves the data to the folder in the FTP server, and
sends the data to the specified email address.
Simple Scan An interface which scans an original as the image data, and previews and deletes the
scanned image data, and sends the data to the specified email address as an attached file.
Print An interface which prints an original which was sent from the client PC and stored in the
hold queue of the MFP and fax-received data.
Fax Transmission An interface which scans an original as the image data, and previews, deletes, replaces,
and inserts the scanned image data, and performs Fax transmission.
Job Display and Log
Display
An interface which operates the execution status of Print and Scan and the Address Book
data.
Admin Settings An interface by which the Admin performs Security operations, such as change of the
Admin password and Address Book data operation.
TopAccess
Login An interface which identifies and authenticates a user who accesses the MFP from the
client PC.
Job Status An interface which operates the active print job and scan job.
Account An interface which changes the own password and displays the set role information.
User Management An interface which executes management related to a user, such as registration of the
user information.
Admin Settings An interface which performs the MFP settings, such as the Auto Clear setting, and MFP
management, such as the password policy setting and import of the Address Book.
Printer Driver
Interface to a Print
Request
An interface which holds (saves) the print data from the client PC to the MFP.
Others
PSTN Fax Interface An interface which receives the Fax data from the external Fax machines.
Main Switch An interface which turns on the MFP and starts log collection to use the TOE.
Copyright© 2018 TOSHIBA TEC. All rights reserved.
63/64
Appendix
This Appendix describes the definition of acronyms and reference documents.
Table 34 Definition of Acronyms
Abbreviation Definition
AES Advanced Encryption Standard
BEV Border Encryption Value
CBC Cipher Block Chaining
CC Common Criteria
cPP Collaborative Protection Profile
CPU Central Processing Unit
DRAM Dynamic Random Access Memory
DRBG Deterministic Random Bit Generator
EE Encryption Engine
FDE Full Drive Encryption
FIPS PUB Federal Information Processing Standards Publication
FRAM Ferroelectric Random Access Memory
FROM Flash ROM
FTP File Transfer Protocol
GCM Galois Counter Mode
HCD Hardcopy Device
HDD Hard Disk Drive
HMAC Hash Message Authentication Code
HTTPS Hypertext Transfer Protocol over SSL
IPP Internet Printing Protocol
IPPS IPP over SSL
IT Information Technology
ISO/IEC
International Organization for Standardization / International Electrotechnical
Commission
LAN Local Area Network
LCD Liquid crystal display
LED light emitting diode
MFP Multifunction Peripheral
NCU Network control unit
NIC Network Interface Controller
NIST National Institute of Standards and Technology
PC Personal Computer
PP Protection Profile
PSTN Public Switched Telephone Network
RFC Request for Comments
RNG Random Number Generator
RSA Rivest-Shamir-Adleman
SAR Security Assurance Requirement
SFP Security Function Policy
SFR Security Functional Requirement
SHA Secure Hash Algorithm
SMTP Simple Mail Transfer Protocol
Soc System-on-a-chip
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functionality
Copyright© 2018 TOSHIBA TEC. All rights reserved.
64/64
 Reference Documents
 [Rambus 2012]
 Analysis of Intel's Ivy Bridge Digital Random Number Generator, Cryptography Research a division of
Rambus, 2012.
 Available: https://www.rambus.com/intel-ivy-bridge-random-number-generator/.