JISEC-CC-CRP-C0634-01-2019 Certification Report Tatsuo Tomita, Chairman Information-technology Promotion Agency, Japan 2-28-8 Honkomagome, Bunkyo-ku, Tokyo IT Product (TOE) Reception Date of Application (Reception Number) 2018-05-30 (ITC-8674) Certification Identification JISEC-C0634 Product Name Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax Version and Release Numbers Controller ROM Ver. 1.1.3, FAX ROM Ver. 2.2.0 Product Manufacturer Fuji Xerox Co., Ltd. Conformance of Functionality PP conformant functionality, CC Part 2 Extended Protection Profile Conformance U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2TM-2009) Assurance Package EAL2 Augmented by ALC_FLR.2 Name of IT Security Evaluation Facility Information Technology Security Center, Evaluation Department This is to report that the evaluation result for the above TOE has been certified as follows. 2019-03-18 Tatsuro Yano, Technical Manager IT Security Technology Evaluation Department IT Security Center Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following standards prescribed in the "IT Security Evaluation and Certification Scheme Document." - Common Criteria for Information Technology Security Evaluation Version 3.1 Release 5 - Common Methodology for Information Technology Security Evaluation Version 3.1 Release 5 Evaluation Result: Pass JISEC-CC-CRP-C0634-01-2019 "Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax" has been evaluated based on the standards required, in accordance with the provisions of the "Requirements for IT Security Certification" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. JISEC-CC-CRP-C0634-01-2019 Table of Contents 1. Executive Summary............................................................................................................. 1 1.1 Product Overview............................................................................................................. 1 1.1.1 Protection Profile or Assurance Package...................................................................... 1 1.1.2 TOE and Security Functionality ................................................................................... 1 1.1.2.1 Threats and Security Objectives ................................................................................ 2 1.1.2.2 Configuration and Assumptions................................................................................. 2 1.1.3 Disclaimers ..................................................................................................................... 2 1.2 Conduct of Evaluation...................................................................................................... 3 1.3 Certification...................................................................................................................... 3 2. Identification ........................................................................................................................ 4 3. Security Policy...................................................................................................................... 5 3.1 Security Function Policies ............................................................................................... 6 3.1.1 Threats and Security Function Policies........................................................................ 6 3.1.1.1 Threats ......................................................................................................................... 6 3.1.1.2 Security Function Policies against Threats............................................................... 6 3.1.2 Organizational Security Policies and Security Function Policies............................... 7 3.1.2.1 Organizational Security Policies................................................................................ 7 3.1.2.2 Security Function Policies to Organizational Security Policies............................... 8 4. Assumptions and Clarification of Scope........................................................................... 10 4.1 Usage Assumptions ........................................................................................................ 10 4.2 Environmental Assumptions ......................................................................................... 10 4.3 Clarification of Scope ..................................................................................................... 12 5. Architectural Information ................................................................................................. 13 5.1 TOE Boundary and Components .................................................................................. 13 5.2 IT Environment.............................................................................................................. 16 6. Documentation................................................................................................................... 17 7. Evaluation conducted by Evaluation Facility and Results............................................. 18 7.1 Evaluation Facility......................................................................................................... 18 7.2 Evaluation Approach...................................................................................................... 18 7.3 Overview of Evaluation Activity.................................................................................... 18 7.4 IT Product Testing.......................................................................................................... 19 7.4.1 Developer Testing ......................................................................................................... 19 7.4.2 Evaluator Independent Testing................................................................................... 23 7.4.3 Evaluator Penetration Testing .................................................................................... 24 7.5 Evaluated Configuration ............................................................................................... 27 7.6 Evaluation Results......................................................................................................... 28 7.7 Evaluator Comments/Recommendations ..................................................................... 28 JISEC-CC-CRP-C0634-01-2019 8. Certification........................................................................................................................ 29 8.1 Certification Result........................................................................................................ 29 8.2 Recommendations .......................................................................................................... 29 9. Annexes............................................................................................................................... 30 10. Security Target................................................................................................................... 30 11. Glossary .............................................................................................................................. 31 12. Bibliography ....................................................................................................................... 33 JISEC-CC-CRP-C0634-01-2019 1 1. Executive Summary This Certification Report describes the content of the certification result in relation to IT Security Evaluation of "Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax, Version Controller ROM Ver. 1.1.3, FAX ROM Ver. 2.2.0" (hereinafter referred to as the "TOE") developed by Fuji Xerox Co., Ltd., and the evaluation of the TOE was finished on 2019-03-07 by Information Technology Security Center, Evaluation Department (hereinafter referred to as the "Evaluation Facility"). It is intended to report to the sponsor, Fuji Xerox Co., Ltd., and provide security information to procurement entities and consumers who are interested in the TOE. Readers of the Certification Report are advised to read the Security Target (hereinafter referred to as the "ST") described in Chapter 10. Especially, details of security functional requirements, assurance requirements and rationale for sufficiency of these requirements of the TOE are described in the ST. This Certification Report assumes procurement entities who purchase the TOE to be readers. Note that the Certification Report presents the certification result based on assurance requirements to which the TOE conforms, and does not guarantee an individual IT product itself. 1.1 Product Overview An overview of the TOE functions and operational conditions is described as follows. Refer to Chapter 2 and subsequent chapters for details. 1.1.1 Protection Profile or Assurance Package The TOE conforms to the following Protection Profile [14][15] (hereinafter referred to as the "Conformance PP"). U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2TM -2009) Assurance Package of the TOE is EAL2 augmented by ALC_FLR.2. 1.1.2 TOE and Security Functionality The TOE is the multi-function device (hereinafter referred to as "MFD"), which has such basic functions as copy, print, scan, network scan, fax, and mailbox. In addition to the basic MFD functions, the TOE provides security functions to protect the document data used in basic functions and the setting data affecting security, etc., from disclosure and alteration. In regard to these security functionalities, the validity of the design policy and the accuracy JISEC-CC-CRP-C0634-01-2019 2 of the implementation were evaluated within the scope of the assurance package. Threats and assumptions that the TOE assumes are described in the next clause. 1.1.2.1 Threats and Security Objectives The TOE assumes the following threats and provides security functions against them. The document data of users and the setting data affecting security, which are assets to be protected, may be disclosed or altered by unauthorized operation of the TOE or by unauthorized access to the communication data on the network to which the TOE is connected. Therefore, the TOE provides security functions such as identification and authentication, access control, and encryption, to prevent the assets from unauthorized disclosure or alteration. 1.1.2.2 Configuration and Assumptions The evaluated product is assumed to be operated under the following configuration and assumptions. The TOE is assumed to be located in an environment where physical components and interfaces of the TOE are protected from the unauthorized access. For the operation of the TOE, the TOE shall be properly configured, managed and maintained according to the guidance documents. 1.1.3 Disclaimers The following restrictions are applied to the functions of the TOE and the scope guaranteed in this evaluation. 1) The following operations are not guaranteed in this evaluation: - Use of the maintenance function for customer engineers, and operations after those functions are used. JISEC-CC-CRP-C0634-01-2019 3 1.2 Conduct of Evaluation Under the IT Security Evaluation and Certification Scheme that the Certification Body operates, the Evaluation Facility conducted IT security evaluation and completed in 2019-03, based on functional requirements and assurance requirements of the TOE according to the publicized documents "IT Security Evaluation and Certification Scheme Document"[1], "Requirements for IT Security Certification"[2], and "Requirements for Approval of IT Security Evaluation Facility"[3] provided by the Certification Body. 1.3 Certification The Certification Body verified the Evaluation Technical Report [13] and the Observation Report prepared by the Evaluation Facility as well as evaluation documentation, and confirmed that the TOE evaluation was conducted in accordance with the prescribed procedure. The certification oversight reviews were also prepared for those concerns found in the certification process. The Certification Body confirmed that those concerns pointed out by the Certification Body were fully resolved, and that the TOE evaluation had been appropriately conducted in accordance with the CC ([4][5][6] or [7][8][9]) and the CEM (either of [10][11]). The Certification Body prepared this Certification Report based on the Evaluation Technical Report and fully concluded certification activities. JISEC-CC-CRP-C0634-01-2019 4 2. Identification The TOE is identified as follows: TOE Name: Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax TOE Version: Controller ROM FAX ROM Ver. 1.1.3 Ver. 2.2.0 Developer: Fuji Xerox Co., Ltd. Users can verify that a product is the evaluated and certified TOE by the following means. Users operate on the control panel according to the procedure written in the guidance document, and confirm the name of the model, the version and optional information displayed on the screen. - Model name: DocuCentre-VI C2264 - Each version of Controller ROM, and FAX ROM - Option Users confirm the operation buttons of the following functions are displayed on the screen: Hard Disk, Data Security, Scan, and Fax. JISEC-CC-CRP-C0634-01-2019 5 3. Security Policy This chapter describes security function policies that the TOE adopts to counter threats, and organizational security policies. The TOE provides the basic MFD functions such as copy, print, scan, network scan, fax, and mailbox, and has functions to store the user document data in the TOE's internal HDD and to communicate with user clients and various servers via network. When those MFD functions are used, the TOE provides security functions that fulfill the security functional requirements required by the Conformance PP. The security functions that the TOE provides include identification/authentication and access control of users, encryption of the document data stored in HDD, data overwrite at deleting the document data in HDD, and encryption communication. The TOE prevents the user's document data and the setting data affecting security that are assets to be protected from being disclosed or altered by unauthorized persons. The TOE assumes the following user roles: - General User Any person who uses the basic MFD functions provided by the TOE. - System Administrator A user who has been specifically granted the authority to configure settings of the TOE security functions. System administrator includes "key operator" who can use all the management functions, and "SA (system administrator privilege)" who can use a part of the management functions. - TOE Owner Any person or organizational entity responsible for protecting TOE assets and establishing the security objectives for the TOE operating environment. - Customer Engineer Customer service engineer who maintains and repairs the MFD. The TOE's assets to be protected are as follows: - User Document Data User Document Data consist of the information contained in a user's document. - User Function Data User Function data are the information about a user job to be processed by the TOE. - TSF Confidential Data TSF Confidential Data are the data used for security functions, and whose integrity and confidentiality are required. In the definition of the TOE, they include passwords of users, the cryptographic seed key used to generate a cryptographic key, the setting values of encryption communication protocol, and the audit logs. - TSF Protected Data TSF Protected Data are the data used for security functions, and whose integrity only is required. In the definition of the TOE, they include the setting values of security functions excluding TSF Confidential Data. For example, TSF Protected Data include user IDs, information on user permission for the basic functions, information on the owners of document data, etc. JISEC-CC-CRP-C0634-01-2019 6 3.1 Security Function Policies The TOE possesses the security functions to counter the threats shown in Section 3.1.1, and to satisfy the organizational security policies shown in Section 3.1.2. 3.1.1 Threats and Security Function Policies 3.1.1.1 Threats The TOE assumes the threats shown in Table 3-1 and provides the security functions to counter them. These threats are the same as those described in the Conformance PP. Table 3-1 Assumed Threats Identifier Threat T.DOC.DIS User Document Data may be disclosed to unauthorized persons. T.DOC.ALT User Document Data may be altered by unauthorized persons. T.FUNC.ALT User Function Data may be altered by unauthorized persons. T.PROT.ALT TSF Protected Data may be altered by unauthorized persons. T.CONF.DIS TSF Confidential Data may be disclosed to unauthorized persons. T.CONF.ALT TSF Confidential Data may be altered by unauthorized persons. 3.1.1.2 Security Function Policies against Threats The TOE counters the threats shown in Table 3-1 by the following security function policies. Details of each security function are described in Chapter 5. 1) Countermeasures against threat "T.DOC.DIS," "T.DOC.ALT" and "T.FUNC.ALT" These are threats to user data (User Document Data and User Function Data). The TOE counters the threats by the following functions: User Authentication, Hard Disk Data Overwrite, and Internal Network Data Protection. The User Authentication function of the TOE is to allow only identified and authenticated users to use the TOE. When successfully identified and authenticated users attempt to use MFD's basic functions, the TOE checks the identification JISEC-CC-CRP-C0634-01-2019 7 information of authorized users set for each basic function of the MFD and allows only authorized users to use them. In addition, when users who are permitted to use the basic functions of the MFD attempt to manipulate user data, the TOE allows only users with access rights to access the data. The Hard Disk Data Overwrite function of the TOE is to overwrite the internal HDD area where the document data are stored when the data are deleted. This function prevents the residual information of the deleted document data from being read out. The Internal Network Data Protection function of the TOE is to use encryption communication protocol and to encrypt the communication data when the TOE communicates with client PCs and various servers. With the above functions, the TOE prevents the user data to be protected from being disclosed or altered by unauthorized usage of the TOE or by unauthorized access to the communication data. 2) Countermeasures against threat "T.PROT.ALT," "T.CONF.DIS," and "T.CONF.ALT" These are the threats to the data used for security functions. The TOE counters the threats by the following functions: User Authentication, System Administrator's Security Management, Customer Engineer Operation Restriction, and Internal Network Data Protection. The User Authentication function and the System Administrator's Security Management function of the TOE are to allow only identified and authenticated system administrators to refer to and change the data used for security functions. For general users, changing their own passwords is permitted. The Customer Engineer Operation Restriction function of the TOE is to allow only identified and authenticated system administrators to refer to and change the setting data that control enabling and disabling of customer engineer operation restriction. The Internal Network Data Protection function of the TOE is to use encryption communication protocol and to encrypt the communication data when the TOE communicates with client PCs and various servers. With the above functions, the TOE prevents the data to be protected from being disclosed or altered by unauthorized usage of the TOE or by unauthorized access to the communication data. 3.1.2 Organizational Security Policies and Security Function Policies 3.1.2.1 Organizational Security Policies Organizational security policies required in use of the TOE are shown in Table 3-2. These organizational security policies are the same as those described in the Conformance PP, except that P.CIPHER is added. JISEC-CC-CRP-C0634-01-2019 8 Table 3-2 Organizational Security Policies Identifier Organizational Security Policy P.USER.AUTHORIZATION To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner. P.SOFTWARE.VERIFICATION To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF. P.AUDIT.LOGGING To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel. P.INTERFACE.MANAGEMENT To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment. P .CIPHER To prevent unauthorized reading-out, the document data in the internal HDD will be encrypted by the TOE. 3.1.2.2 Security Function Policies to Organizational Security Policies The TOE provides the security functions to satisfy the organizational security policies shown in Table 3-2. Details of each security function are described in Chapter 5. 1) Means of organizational security policy "P.USER.AUTHORIZATION" The TOE realizes this policy by the User Authentication function. The User Authentication function of the TOE is to allow only identified and authenticated users to use the TOE. When successfully identified and authenticated users attempt to use MFD's basic functions, the TOE checks the identification information of authorized users set for each basic function of the MFD and allows only authorized users to use them. 2) Means of organizational security policy "P.SOFTWARE.VERIFICATION" The TOE realizes this policy by the Self Test function. The Self Test function of the TOE is to verify check sum of Controller ROM and FAX ROM upon booting. The TOE also checks the TSF data stored in NVRAM and SEEPROM to detect errors. Thus, this function verifies the integrity of TSF executable code. 3) Means of organizational security policy "P.AUDIT.LOGGING" The TOE realizes this policy by the Security Audit Log function. JISEC-CC-CRP-C0634-01-2019 9 The Security Audit Log function of the TOE is to record security relevant events as audit logs. Only identified and authenticated system administrators can read out the stored audit logs. It is not possible to delete and modify the audit logs. 4) Means of organizational security policy "P.INTERFACE.MANAGEMENT" The TOE realizes this policy by the User Authentication and the Information Flow Security functions. The User Authentication function of the TOE is to allow only identified and authenticated users to use the TOE. Furthermore, the TOE terminates a session when the state that a user does not perform any operations continues for the specified amount of time. With the Information Flow Security function of the TOE, the data received from various external interfaces of the TOE cannot be transferred to the internal network unless the data are processed by the TOE, thereby preventing unauthorized data transfer from external interfaces (including telephone lines) to the internal network. 5) Means of organizational security policy "P.CIPHER" The TOE realizes this policy by the Hard Disk Data Encryption function. The Hard Disk Data Encryption function of the TOE is to encrypt data to be written to the internal HDD. The cryptographic algorithm is 256-bit AES. JISEC-CC-CRP-C0634-01-2019 10 4. Assumptions and Clarification of Scope This chapter describes the assumptions and the operational environment to operate the TOE as useful information for the assumed readers to determine the use of the TOE. 4.1 Usage Assumptions Table 4-1 shows assumptions to operate the TOE. These assumptions are the same as those described in the Conformance PP. The effective performances of the TOE security functions are not assured unless these assumptions are satisfied. Table 4-1 Assumptions in Use of the TOE Identifier Assumptions A.ACCESS.MANAGED The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE. A.USER.TRAINING TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures. A.ADMIN.TRAINING Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures. A.ADMIN.TRUST Administrators do not use their privileged access rights for malicious purposes. 4.2 Environmental Assumptions The TOE is assumed to be used at general office, connected to the internal network, and used from client PCs connected to the internal network. Figure 4-1 shows the general operational environment of the TOE. It is possible to use the print function of the TOE by connecting client PCs to the TOE via USB ports JISEC-CC-CRP-C0634-01-2019 11 Figure 4-1 Operational Environment of the TOE The following are components excluding the TOE in the operational environment of the TOE: 1) General User Client General User Client is a general-purpose PC for general users and connected to the TOE via USB or the internal network. The following software is required: - OS: Windows 7 or Windows 10 - Printer driver: ART EX Driver (Microsoft WHQL Certified Driver) When the client is connected to the internal network, the following software is required in addition to those listed above: - Web browser (included with OS) 2) System Administrator Client System Administrator Client is a general-purpose PC for system administrators and connected to the TOE via the internal network. The following software is required: JISEC-CC-CRP-C0634-01-2019 12 - OS: Windows 7 or Windows 10 - Web browser (included with OS) 3) FTP Server The TOE has basic functions to transfer document data with FTP server. These servers are necessary upon using the basic MFD functions. 5) DNS Server The TOE uses the DNS server to retrieve IP addresses of various servers, etc. It should be noted that the reliability of the hardware and the cooperating software other than the TOE shown in this configuration is outside the scope of the evaluation. Those are assumed to be trustworthy. 4.3 Clarification of Scope As described below, there are restrictions on the security functions of the TOE. 1) IPsec for IPv6 The TOE was evaluated with only IPsec protocol for IPv4. The TOE was not evaluated with IPsec for IPv6, so the operation with IPsec for IPv6 is not assured by this evaluation. JISEC-CC-CRP-C0634-01-2019 13 5. Architectural Information This chapter explains the scope and the main components of the TOE. 5.1 TOE Boundary and Components Figure 5-1 shows the components of the TOE. The scope of the TOE is the MFD including the Fax board. Figure 5.1 Components of the TOE The TOE has security functions and other basic MFD functions. The following describe the security functions of the TOE. Regarding the basic MFD functions, please refer to Glossary in Chapter 11. 1) User Authentication This function includes the following three functions: identification and authentication of users, access control for MFD's basic functions, and access control for user data. JISEC-CC-CRP-C0634-01-2019 14 a) Identification and authentication of users This is the function to identify and authenticate TOE users with their IDs and passwords. Identification and authentication are applied to the following user interfaces. - Control panel - Client PCs (Web browsers, Printer Driver) For enhanced security, the following are provided for the user identification and authentication. - Users are required to use passwords of nine or more characters. - If a system administrator fails to be authenticated for five times in a row, the authentication process is suspended. This restriction is not applied to general users. - If no user operation is confirmed for a specified amount of time after a user has been successfully authenticated, the session is terminated. b) Access control for MFD's basic functions This is the function to restrict the use of the MFD's basic functions such as copy, scan, network scan, print, and fax. When a user attempts to use a MFD's basic function, the TOE determines whether to restrict or allow the use of the basic functions based on the identification information of authorized users set for each basic function of the MFD and the role of the user. However, general users are not allowed to use the fax receive function. Any identified and authenticated user can use the Mailbox function. Use of this function cannot be restricted. c) Access control for user data This is the function to restrict the access to document data and job information used in MFD's basic functions to only authorized users. As to the stored document data or the job information, access control is performed based on the owner information of the data and the role of the user who is attempting to access the data. As to the document data generated in the process of the fax send function or network scan function, only those users who performed the functions are allowed to send the data by fax or via network. No access means to such data is provided to other users. 2) System Administrator's Security Management This is the function that permits only identified and authenticated system administrators to configure, refer to, and change the setting of the data used for security functions. For general users, changing their own passwords is permitted. 3) Customer Engineer Operation Restriction This is the function with which system administrators restrict the operation by customer engineers. Only identified and authenticated system administrators are permitted to JISEC-CC-CRP-C0634-01-2019 15 refer to and change the setting data that control enabling and disabling of customer engineer operation restriction. If customer engineer operation is restricted, customer engineers are required to enter the password set by a system administrator in order to operate the MFD. 4) Security Audit Log This is the function that records security relevant audit events as audit logs. Only identified and authenticated system administrators can read out the audit logs stored in the TOE via Web browsers. It is not possible to delete or modify the audit logs. Up to 15,000 events can be stored as audit logs. When the number of events exceeds the limit, the oldest event is deleted to record a new event. 5) Hard Disk Data Encryption This is the function that encrypts data to be stored in the internal HDD. The cryptographic algorithm is 256-bit AES. A cryptographic key is generated upon booting the TOE using the proprietary algorithm of Fuji Xerox Co., Ltd., based on the cryptographic seed key of 12 alphanumeric characters set by system administrators when the TOE is installed. The same value of the cryptographic key is generated every time the power is turned on and stored in the volatile memory, while it is deleted when the power is turned off. 6) Hard Disk Data Overwrite This is the function that overwrites the internal HDD area where document data were stored when the data are deleted. This overwrite operation is performed in the following cases. - When document data have become unnecessary after a user finishes using MFD's basic functions. Unnecessary data include those temporarily generated in the TOE while the TOE is executing some processing. - When a user has requested to delete document data. - When the power of the MFD is turned on. If the overwrite operation has not been completed when the power is turned off, the operation resumes when the power is turned on. System administrators can select one pass overwrite (overwriting with zero) or three pass overwrite (overwriting with a random number, a random number, and zero). It should be noted that the data actually overwritten on the internal HDD are encrypted. Therefore, the data actually overwritten is different from the overwrite pattern. 7) Internal Network Data Protection This is the function that encrypts communication with IT devices using the following protocols and methods. - IPsec, TLS (v1.0, v1.1, v1.2) 8) Information Flow Security This is the function that prevents unauthorized data transfer from external interfaces JISEC-CC-CRP-C0634-01-2019 16 (including telephone lines) to the internal network. Data received from external interfaces of the TOE cannot be transferred to the internal network unless the data are processed by the TOE. 9) Self Test This is the function that conducts the following self tests when the TOE is turned on. - Verification of the check sum of Controller ROM and FAX ROM - Verification of TSF data stored in NVRAM and SEEPROM 5.2 IT Environment The TOE communicates with system administrator clients, general user clients, and FTP servers. JISEC-CC-CRP-C0634-01-2019 17 6. Documentation The identification of the documents attached to the TOE is listed below. TOE users are required to fully understand and comply with the following documents in order to satisfy the assumptions. - DocuCentre-VI C2264 Administrator Guide1: ME8372J1-1 - DocuCentre-VI C2264 User Guide1: ME8371J1-1 - DocuCentre-VI C2264 Security Function Supplementary Guide1: ME8373J1-2_20190306 Note that these documents are stored in the DVD delivered together with the TOE. 1 The document is written in Japanese. The document name listed here is the translation of Japanese name. JISEC-CC-CRP-C0634-01-2019 18 7. Evaluation conducted by Evaluation Facility and Results 7.1 Evaluation Facility Information Technology Security Center, Evaluation Department that conducted the evaluation as the Evaluation Facility is approved under JISEC and is accredited by NITE (National Institute of Technology and Evaluation), the Accreditation Body, which joins Mutual Recognition Arrangement of ILAC (International Laboratory Accreditation Cooperation). It is periodically confirmed that the above Evaluation Facility meets the requirements on the appropriateness of the management and evaluators for maintaining the quality of evaluation. 7.2 Evaluation Approach Evaluation was conducted by using the evaluation methods prescribed in the CEM in accordance with the assurance components in the CC Part 3. Details for evaluation activities were reported in the Evaluation Technical Report. The Evaluation Technical Report explains the summary of the TOE as well as the content of the evaluation and the verdict of each work unit in the CEM. 7.3 Overview of Evaluation Activity The history of the evaluation conducted is described in the Evaluation Technical Report as follows. The evaluation started in 2018-05 and concluded upon completion of the Evaluation Technical Report dated 2019-03. The Evaluation Facility received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidence in relation to a series of evaluation conducted. Additionally, the evaluator directly visited the development site in 2018-07 and 2018-12, and examined procedural status conducted in relation to each work unit for configuration management and delivery, by investigating records and interviewing staff. For some manufacturing sites, site visits were omitted as the Evaluation Facility determined that the examination details of the past CC-certified products could be reused. Furthermore, the evaluator conducted the sampling check of the developer testing and the evaluator testing by using the developer testing environment at the developer site in 2018-07 and 2018-12. Concerns found in evaluation activities were issued as the Observation Report, and reported to the developer. Those concerns were reviewed by the developer, and all the concerns were solved eventually. Concerns that the Certification Body found in the evaluation process were described as the certification oversight reviews, and those were sent to the Evaluation Facility. After the Evaluation Facility and the developer examined them, those concerns were reflected in the Evaluation Technical Report. JISEC-CC-CRP-C0634-01-2019 19 7.4 IT Product Testing The evaluator confirmed the validity of the testing that the developer had performed. As the verification results of the evidence shown in the process of the evaluation and the testing performed by the developer, the evaluator performed the reproducibility testing, additional testing and penetration testing based on vulnerability assessments judged to be necessary. 7.4.1 Developer Testing The evaluator evaluated the integrity of the developer testing that the developer performed and the documentation of actual test results. The content of the developer testing evaluated by the evaluator is explained as follows. 1) Developer Testing Environment Figure 7-1 shows the testing configuration performed by the developer. Figure 7-1 Configuration of the Developer Testing Configuration items for the developer testing are shown in Table 7-1 below. SATA bus monitor Interface converter General User Client 1 -Printer driver -Fax driver -Web Browser System Administrator Client - Web Browser External Network Internal Network Firewall General User Client 3 -Printer driver -Fax driver USB Public Telephone Line General User Client 2 -Modem Debug serial tool Server TOE JISEC-CC-CRP-C0634-01-2019 20 Table 7-1 Configuration Items for the Developer Testing Items Description TOE Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax (Controller ROM Ver. 1.1.3, FAX ROM Ver. 2.2.0) Server Used as FTP server. - PC with Microsoft Windows Server 2008 R2 SP1 - FTP server: Standard software in OS System Administrator Client Used as system administrator client. The testing is performed with the following two models: a) PC with Microsoft Windows 7 Professional SP1 (Web browser: Microsoft Internet Explorer 11) b) PC with Microsoft Windows 10 (Web browser: Microsoft Internet Explorer 11) General User Client 1 Used as general user client (connected via internal network). The testing is performed with the following two models: a) PC with Microsoft Windows 7 Professional SP1 (Web browser: Microsoft Internet Explorer 11) b) PC with Microsoft Windows 10 (Web browser: Microsoft Internet Explorer 11) Additionally , the following software is used. - Printer driver: ART EX Driver (Microsoft WHQL Certified Driver) Version 6.9.0 - Fax driver: ART EX Direct Fax Driver Version 2.9.0 * Fax drivers are used for confirming that they cannot be used. General User Client 2 Used for confirming send/receive fax. - PC with Microsoft Windows 10 * PC modem port is connected to public telephone line. General User Client 3 Used as general user client (connected via USB port for printer). - PC with Microsoft Windows 10 - Printer driver: ART EX Driver (Microsoft WHQL Certified Driver) Version 6.9.0 - Fax driver: ART EX Direct Fax Driver Version 2.9.0 * Fax drivers are used for confirming that they cannot be used. SATA Bus Monitor A tool to monitor the SATA bus data transferred to and from the internal HDD. - PC with Microsoft Windows 7 Professional SP1 to which the dedicated device, ST2-31-2-A by Catalyst Enterprises, is connected - Dedicated software: stx sata protocolsuite V4.20 JISEC-CC-CRP-C0634-01-2019 21 Debug Serial Debugging terminal of the MFD; i.e., PC whose serial port is connected to the terminal port of the MFD for debugging via interface converter. - PC with Microsoft Windows 7 Professional SP1 - Terminal Software: Tera Term Pro Version 2.3 Interface converter Fuji Xerox-unique conversion board to connect the MFD and debug serial. Public Telephone Line Use a pseudo exchange system (N4T-EXCH by How Inc.) as an alternative of public telephone line. The developer testing was performed in the same TOE testing environment as the TOE configuration identified in the ST. 2) Summary of the Developer Testing A summary of the developer testing is as follows. a. Developer Testing Outline An outline of the developer testing is as follows. (1) The behavior that can be observed at the external interface of the TOE Operate basic MFD functions and security management functions from the MFD control panel, system administrator client, and general user client, and confirm the response, MFD behavior, communication data, and audit log. (2) The behavior that cannot be observed at the external interface of the TOE The following approaches were employed to confirm the behavior that cannot be observed at the external interface of the TOE: - Check the internal behaviors of the TOE using the developer interfaces. - Check the behavior of modules such as an encryption function using the firmware modified for the developer testing. - Confirm that the encryption algorithm is implemented as specified by comparing the data that were obtained by the above approach and the known data calculated by a different approach. Table 7-2 shows tools used in the developer testing. JISEC-CC-CRP-C0634-01-2019 22 Table 7-2 Developer Testing Tools Tool Name Outline and Purpose of Use SATA Bus Monitor (PC and dedicated device) * See Table 7-1 for configuration. Monitor the data in SATA bus for connecting the internal HDD in the MFD, and check the data to be written to the internal HDD, and also read out the data written in the internal HDD. Protocol Analyzer (Wireshark Version 1.10.6) Monitor the communication data on the internal network, and confirm that the encryption communication protocol is IPsec or TLS as specified. HTTP debugger (Fiddler 2.4.7.1) A tool to mediate the communication between a Web browser (client PC) and a Web server (MFD) and to refer to and change the data communicated between them. Debug Serial and Interface Converter * See Table 7-1 for configuration. Read out the data written on the internal HDD and check the contents. Nmap Version 7.70 A tool to detect available network service ports. Basic MFD functions and security management functions are operated from every interface, and it was confirmed that the security functions to be applied to various input parameters are operated as specified. The variations of the input parameters include the rewrite of communication data between web browsers and the TOE, and power-on/off of the TOE while document data is overwritten. b. Scope of the Performed Developer Testing The developer testing was performed on 57 items by the developer. By the coverage analysis, it was verified that all security functions and external interfaces described in the functional specification had been tested. c. Result The evaluator confirmed an approach of the performed developer testing and the legitimacy of tested items, and confirmed consistencies between the testing approach described in the testing plan and the actual testing approach. The evaluator confirmed consistencies between the test results expected by the developer and the actual test results performed by the developer. JISEC-CC-CRP-C0634-01-2019 23 7.4.2 Evaluator Independent Testing The evaluator performed the sampling testing to reconfirm the implementation of security functions using the test items extracted from the developer testing. In addition, the evaluator performed the evaluator independent testing (hereinafter referred to as the "independent testing") to gain further confidence that security functions are certainly implemented based on the evidence shown in the process of the evaluation. The independent testing performed by the evaluator is explained as follows. 1) Independent Testing Environment The configuration of the independent testing performed by the evaluator is the same as that of the developer testing shown in Figure 7-1, except for the following. - As a fax destination, Xerox VersaLink C405, which is an MFD, was used instead of general user client 2. The evaluator determined that changing the fax destination does not affect the security functions of the TOE. The independent testing was performed in the same environment as the TOE configuration identified in the ST. The testing tools and components in the independent testing environment were the same as those used in the developer testing and some of them include tools and components developed by the developer. The validity verification and operation tests for the testing tools and components were performed by the evaluator. 2) Summary of the Independent Testing A summary of the Independent testing is as follows. a. Viewpoints of the Independent Testing Viewpoints of the independent testing that the evaluator designed from the developer testing and the provided evaluation documentation are shown below. (1) For interfaces to which strict testing was not performed on the behavior of security functions in the developer testing, confirm the behavior of them with different parameters. (2) As the sampling testing, select the test items of the developer testing from the following viewpoints: - Check all the security functions and the external interfaces. - Check the access control for the combinations of all user types and Mailbox as well as those of all user types and Private Print. b. Independent Testing Outline An outline of the independent testing that the evaluator performed is as follows. JISEC-CC-CRP-C0634-01-2019 24 The independent testing was performed by the evaluator using the same testing approach as the developer testing. The same testing tools as those of the developer testing were used. The evaluator performed the sampling testing of 48 items and the additional testing of 6 items, based on the viewpoints of the independent testing. Table 7-3 shows viewpoints of the independent testing and the content of the major testing corresponding to them. Table 7-3 Major Independent Testing Performed Viewpoint Outline of the Independent Testing Viewpoint (1) Confirm that the restrictions of length, etc. of the user ID and password are as specified when they are entered for a user registration. Viewpoint (1) Confirm that the account lock is performed as specified when different user accounts are used. Viewpoint (1) Confirm that the behavior of the TOE is as specified when users who own document data are unregistered while their document data exist in the TOE. Viewpoint (1) Confirm that the print data are saved in the Private Print as the TOE configuration, even if the print driver specifies another option such as the print data are saved in Mailbox. Viewpoint (1) Confirm that the behavior of the TOE such as access control when the job information is modified, fax receive setting, etc. is as specified. c. Result All the independent testing performed by the evaluator was correctly completed, and the evaluator confirmed the behavior of the TOE. The evaluator confirmed consistencies between the expected behavior and all the test results. 7.4.3 Evaluator Penetration Testing The evaluator devised and performed the necessary evaluator penetration testing (hereinafter referred to as the "penetration testing") on the potentially exploitable vulnerabilities of concern under the assumed environment of use and attack level from the evidence shown in the process of the evaluation. The penetration testing performed by the evaluator is explained as follows. 1) Summary of the Penetration Testing JISEC-CC-CRP-C0634-01-2019 25 A summary of the penetration testing performed by the evaluator is as follows. a. Vulnerability of Concern The evaluator searched into the provided documentation and the publicly available information for the potential vulnerabilities, and then identified the following vulnerabilities which require the penetration testing. (1)There is a concern that known vulnerabilities may exist in the network interfaces. (2)There is a concern that known vulnerabilities may exist in the print processing. (3)There is a concern that the TOE behaves unexpectedly for the unexpected entry on the control panel. (4)There is a concern of unauthorized access by USB port. (5)There is a concern that inconsistencies are occurred in the document data, which is an asset to be protected, when multiple users access the data in a Mailbox at the same time. (6)There is a concern that security functions do not behave properly, being affected by unauthorized access during initialization processing. b. Penetration Testing Outline The evaluator performed the following penetration testing to identify potentially exploitable vulnerabilities. Penetration Testing was performed in the same environment as that of the evaluator independent testing, except for the additional PC with tools for penetration testing. Table 7-4 shows details of tools used in the penetration testing. Table 7-4 Penetration Testing Tools Tool Name Outline and Purpose of Use Nmap Version 6.47 A tool to detect available network service ports. netcat Version 1.11 A tool to transfer data to network ports. Fiddler V4.6.20173.34691 A tool to mediate the communication between Web browser and Web server (TOE), which refers to and changes the communication data between them. OWASP ZAP Version 2.6.0 A tool to inspect vulnerabilities of the Web application. SSLScan Version 1.8.2 A tool to check whether SSL/TLS cipher suites are supported or not. JISEC-CC-CRP-C0634-01-2019 26 Metasploit Version 4.6.2 and 4.13.0 The tool is used for the creation of the testing data to inspect the vulnerabilities caused by PDF files. PRET Version 0.40 A tool to inspect various vulnerabilities in a printing processing. Table 7-5 shows vulnerabilities of concern and the content of the penetration testing corresponding to them. Table 7-5 Outline of the Penetration Testing Vulnerability Penetration Testing Outline (1) - Executed Nmap for the TOE and confirmed that the open port cannot be misused. - Conducted various entries to Web server (TOE) using OWASP ZAP, Web browser and Fiddler, and confirmed that there is no known vulnerability. - Executed SSLScan for the TOE, and confirmed that weak encryption methods are not supported. (2) - Confirmed that the unauthorized processing is not executed even if print job commands and print files including unauthorized processing are input to the TOE. (3) - Confirmed that the character of out-of-spec length, character code, and special key cannot be entered from the control panel. (4) - Confirmed that, other than the intended functions such as print, it cannot be used even when attempting to access the TOE by connecting the client for the penetration testing to each USB port of the TOE. (5) - Confirmed that while a user is performing an operation on a document data in a Mailbox, access to the data by other users is denied. (6) - Confirmed that operation is rejected during initialization processing of the MFD after the power-on. c. Result In the penetration testing performed by the evaluator, the evaluator did not find any exploitable vulnerabilities that attackers who have the assumed attack potential could exploit. JISEC-CC-CRP-C0634-01-2019 27 7.5 Evaluated Configuration TOE configuration conditions for this evaluation are as described in the guidance documents shown in Chapter 6. To enable security functions of the TOE and securely use them, system administrators of the TOE need to configure the TOE settings to satisfy the configuration conditions as described in the guidance. If these setting values are changed to the values different from those specified in the guidance, the configuration will not be assured by this evaluation. TOE configuration conditions include settings that disable some functions which the TOE provides. For example, setting values for the TOE as described below are included. - Customer Engineer Operation Restriction: [Enabled] - Direct Fax (Fax driver): [Disabled] - Send Mail/Receive Mail: [Disabled] - SNMP: [Disabled] - Print from USB, Store to USB: [Disabled] - Shared Mailbox Creation: [Prohibited] - Registering a Mailbox created by a general user as a destination for received fax documents: [Prohibited] System administrators of the TOE need to be noted that TOE configuration conditions include the settings to disable some functions that the TOE provides. If these setting values are changed to the values different from those specified in the guidance, the configuration will not be assured by this evaluation. JISEC-CC-CRP-C0634-01-2019 28 7.6 Evaluation Results The evaluator had concluded that the TOE satisfies all work units prescribed in the CEM as per the Evaluation Technical Report. In the evaluation, the following were confirmed. - PP Conformance: U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2TM-2009) The TOE also conforms to the following SFR packages defined in the above PP: - 2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment B - 2600.2-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment B - 2600.2-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment B - 2600.2-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment B - 2600.2-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment B - 2600.2-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment B - Security functional requirements: Common Criteria Part 2 Extended - Security assurance requirements: Common Criteria Part 3 Conformant As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance components. - All assurance components of EAL2 package - Additional assurance component ALC_FLR.2 The result of the evaluation is only applied to those which are composed by the TOE corresponding to the identification described in the Chapter 2. 7.7 Evaluator Comments/Recommendations The evaluator recommendations for users are not mentioned. JISEC-CC-CRP-C0634-01-2019 29 8. Certification The Certification Body conducted the following certification based on the materials submitted by the Evaluation Facility during the evaluation process. 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be solved. 3. The submitted documentation was sampled, the content was examined, and the related work units shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of the evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. Concerns found in the certification process were prepared as the certification oversight reviews, and those were sent to the Evaluation Facility. The Certification Body confirmed such concerns pointed out in the certification oversight reviews were solved in the ST and the Evaluation Technical Report and issued this Certification Report. 8.1 Certification Result As a result of verification of the submitted Evaluation Technical Report, Observation Report and related evaluation documentation, the Certification Body determined that the TOE satisfies all assurance requirements for EAL2 augmented by ALC_FLR.2 in the CC Part 3. 8.2 Recommendations Procurement entities who are interested in the TOE need to consider whether the scope of this evaluation and the operational requirements of the TOE satisfy the operational conditions that they assume, by referring to the descriptions in "1.1.3 Disclaimers," "4.3 Clarification of Scope," and "7.5 Evaluated Configuration." Especially, when maintenance function is enabled for use, any effects on security functions of the TOE are out of the scope of this evaluation. Therefore, it is a responsibility of the administrator to decide whether to accept maintenance. When using the print function of the TOE, the print data from the client PC are stored in the TOE, and the operation from the control panel is required to output printed documents. However, document data stored in the Mailbox of the TOE can be output as printed documents by operation from the client PC. Thus, it should be noted that the TOE may not be able to satisfy the needs of procurement entities who expect that document data can be printed out only when they operate from the control panel to ensure the security of paper documents. JISEC-CC-CRP-C0634-01-2019 30 9. Annexes There is no annex. 10. Security Target Security Target [12] of the TOE is provided as a separate document along with this Certification Report. Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax Security Target, Version 1.1.9, March 6, 2019, Fuji Xerox Co., Ltd. JISEC-CC-CRP-C0634-01-2019 31 11. Glossary The abbreviations relating to the CC used in this report are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level PP Protection Profile ST Security Target TOE Target of Evaluation TSF TOE Security Functionality The abbreviations relating to the TOE used in this report are listed below. ADF Auto Document Feeder CWIS CentreWare Internet Services IIT Image Input Terminal IOT Image Output Terminal MFD Multi-Function Device NVRAM Non Volatile Random Access Memory SA System Administrator privilege SEEPROM Serial Electronically Erasable and Programmable Read Only Memory The definitions of terms used in this report are listed below. Copy Function: Copy Function is to read the original data from IIT and print it out from IOT according to the general user's instruction from the control panel. Customer Engineer (CE): Customer service engineer who maintains and repairs the MFD. CWIS Function: CWIS function is a service used by general users and system administrators via the Web browser in order for them to confirm the status of the TOE, change settings of the TOE, request the TOE to retrieve and print the documents, and job deletion of the TOE. Fax Function: Fax function is to send and receive fax data. Fax sending function is a function to read the original data from IIT and send them to the destination via public telephone line, according to the general user's instruction from the control panel. Fax receiving function is a function to receive the document data via a public telephone. The received data are stored in the Mailbox. Key Operator: Key operator is a system administrator who can use all the management functions. JISEC-CC-CRP-C0634-01-2019 32 Mailbox: An area in the MFD to store the document data scanned by the scan function or the copy function. Mailbox Function: Mailbox function is a function for general users and system administrators to retrieve and/or print out document data stored in Mailboxes. Network Scan Function: Network Scan function is to read the original data from IIT according to the general user's instruction from the control panel, and automatically send to FTP server according to the setting of the MFD. Print Function: Print function is to print out the data from IOT, which are sent to the MFD from printer driver of a general user client. The received print data are stored into the Private Print inside the MFD, and printed out according to the general user's instruction from the control panel. Private Print: An area in the MFD to store print data sent from a general user client to the MFD. SA: SA is a system administrator who can use a part of management functions. The role of SA is set by key operator as required by the corresponding organization. Scan Function: Scan function is to read the original data from IIT and then store them into the Mailbox according to the general user's instruction from the control panel. System Administrator: An authorized administrator who configures TOE security functions and other device settings. This term covers both key operator and SA (System Administrator privilege). JISEC-CC-CRP-C0634-01-2019 33 12. Bibliography [1] IT Security Evaluation and Certification Scheme Document, July 2018, Information-technology Promotion Agency, Japan, CCS-01 [2] Requirements for IT Security Certification, September 2018, Information-technology Promotion Agency, Japan, CCM-02 [3] Requirements for Approval of IT Security Evaluation Facility, September 2018, Information-technology Promotion Agency, Japan, CCM-03 [4] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 5, April 2017, CCMB-2017-04-001 [5] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 5, April 2017, CCMB-2017-04-002 [6] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 5, April 2017, CCMB-2017-04-003 [7] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 Revision 5, April 2017, CCMB-2017-04-001, (Japanese Version 1.0, July 2017) [8] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 Revision 5, April 2017, CCMB-2017-04-002, (Japanese Version 1.0, July 2017) [9] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 5, April 2017, CCMB-2017-04-003, (Japanese Version 1.0, July 2017) [10] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 5, April 2017, CCMB-2017-04-004 [11] Common Methodology for Information Technology Security Evaluation: Evaluation methodology, Version 3.1 Revision 5, April 2017, CCMB-2017-04-004, (Japanese Version 1.0, July 2017) [12] Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax Security Target, Version 1.1.9, March 6, 2019, Fuji Xerox Co., Ltd. [13] Fuji Xerox DocuCentre-VI C2264 model with Hard Disk, Data Security, Scan, and Fax Evaluation Technical Report, Version 1.9, March 7, 2019, Information Technology Security Center, Evaluation Department [14] U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2TM-2009) [15] CCEVS Policy Letter #20, 15 November 2010, National Information Assurance Partnership