ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3

Classification: COMMERCIAL
Sponsor: Océ Technologies BV
Evaluation lab: Brightsight
Report reference name: ST-Océ PRISMAsync-11.9.75.55-4.6.2
Certification ID: BSI-DSZ-CC-0615
File name: Oce PRISMAsync Security_Target 4.6.2.doc
No of pages: 19
Version: 4.6.2
Date: 08-October-2009

This Security Target was prepared for:
Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands
by Brightsight.
© 2009 Océ Technologies B.V., Brightsight, respectively.

COMMERCIAL 08-October-2009 Page 2 of 55 Commercial BSI-DSZ-CC-0615

Document information

Date of issue: 08-October-2009
Author(s):
Version number report: 4.6.2
Certification ID: BSI-DSZ-CC-0615
Scheme: BSI
Sponsor: Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands
Evaluation Lab: Brightsight IT Security Evaluation Facility, Delftechpark 1, 2628 XJ Delft, The Netherlands
Sponsor Project leader: Frederik Eveilleau
Target of Evaluation (TOE): Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
TOE reference name: Océ PRISMAsync
CC-EAL number: 2+ (augmented with ALC_FLR.1)
Classification: Commercial
Report title: ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
Report reference name: ST-Océ PRISMAsync-11.9.75.55-4.6.2

Document history

Version  Date      Comment
0.1      14-04-05  Initial draft
0.2      17-05-05  Incorporated Océ comments
0.3      30-05-05  Incorporated Océ and BSI comments
0.4      24-11-05  Incorporated Océ comments
1.0      06-02-06  Incorporated BSI comments
2.0      10-02-06  Incorporated BSI comments
2.1      16-02-06  Incorporated BSI comments
3.0      13-12-07  Updated for 21x0
3.1      31-1-08   Correction of a small error in Appendix D.
3.2      10-06-08  Adaptation to comments from BSI
3.3      04-07-08  Adaptation to comments ZK_0510_ASE_03.rtf
4.0      16-02-09  Updated for 41x0
4.0      19-02-09  Repair errors in ST
4.1      05-03-09  Incorporated BSI comments
4.2      27-03-09  Update with the last TOE version and the new brand name
4.3      01-04-09  Update with the BSI ID and the last TOE version
4.4      27-04-09  Incorporate BrightSight comments.
4.5      03-06-09  Incorporate BSI comments.
4.6      16-06-09  Update the reference to the user manual CCC configuration.
4.6.1    21-09-09  Update the reference to the user manual CCC configuration (2009-09).
4.6.2    08-10-09  Update the reference to the security service manual for CCC (2009-10)

Signature

The sponsor project leader has signed for technical correctness.
Frederik Eveilleau, Sponsor Project leader

Contents

Document information  3
Document history  4
1. Security Target Introduction  7
  1.1 ST Identification  7
  1.2 ST Overview  8
  1.3 CC Conformance  9
2. TOE Description  10
  2.1 TOE Overview  10
    2.1.1 TOE physical scope and boundary  10
    2.1.2 TOE logical scope and boundary  14
3. TOE Security Environment  20
  3.1 Definition of subjects, objects and operations  20
    3.1.1 Non-human subjects  20
    3.1.2 Human subjects  20
    3.1.3 Objects  21
    3.1.4 Operations  21
  3.2 Assumptions  22
  3.3 Threats  23
  3.4 Organisational Security Policies  23
4. Security Objectives  24
  4.1 TOE Security Objectives  24
    4.1.1 Functional Security Objectives for the TOE  24
    4.1.2 Assurance Security Objectives for the TOE  24
  4.2 Security Objectives for the environment  24
5. IT Security Requirements  26
  5.1 TOE Security Functional Requirements  26
    5.1.1 SFRs for Filtering  26
    5.1.2 SFRs for Shredding  26
    5.1.3 SFRs for Management  27
    5.1.4 SFRs for Protection of the TSF itself  29
    5.1.5 Strength-of-function claim  29
  5.2 TOE Security Assurance Requirements  29
  5.3 Security Requirements for the IT Environment  30
  5.4 Explicitly stated requirements  30
6. TOE Summary Specification  31
  6.1 IT Security Functions  31
    6.1.1 Probabilistic functions and mechanisms  31
    6.1.2 Strength of function claim  32
  6.2 Assurance Measures  33
7. PP Claims  35
8. Rationale  36
  8.1 Security Objectives Rationale  36
  8.2 Security Requirements Rationale  40
    8.2.1 The SFRs meet the Security Objectives for the TOE  40
    8.2.2 The security requirements for the IT environment meet the security objectives for the environment  42
    8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate  43
    8.2.4 All dependencies have been met  44
    8.2.5 The requirements are internally consistent  44
    8.2.6 The requirements are mutually supportive  44
  8.3 TOE Summary Specification Rationale  45
    8.3.1 The functions meet the SFRs  45
    8.3.2 The assurance measures meet the SARs  47
    8.3.3 The SOF-claims for functions meet the SOF-claims for the SFRs  47
    8.3.4 The functions are mutually supportive  48
  8.4 PP Claims Rationale  48
9. Appendix A Abbreviations  49
10. Appendix B References  50
11. Appendix C Glossary of Terms  51
12. Appendix D Firewall Rule Table  52
13. Appendix E Security Related Administration Functions  53
14. Appendix F XP Patches Applied  54
15. Distribution List  55

1. Security Target Introduction

1.1 ST Identification

Name of the TOE: Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
Name of the Security Target: ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
ST evaluation status: Non-evaluated release
ST version number: 4.6.2
ST publication date: 08-October-2009
ST authors: This Security Target was prepared for Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands, by Brightsight.
IT Security Evaluation Facility, Delftechpark 1, 2628 XJ Delft, The Netherlands.

1.2 ST Overview

The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs) for various purposes. One of these MFD series, the VP41x0 R1.3 (VP4110 and VP4120), uses a controller based on PC hardware, the Océ PRISMAsync.

• The Océ PRISMAsync v11.9.75.55 is used with the Océ VP41x0 R1.3.

These VarioPrint products are referred to collectively in this Security Target as MFDs: an Océ VP41x0 R1.3 with the Océ PRISMAsync controller embedded.

The Océ PRISMAsync is a PC-based MFD controller. It provides a wide range of printing, scanning and copying functionality to the MFD peripherals to which it is connected, and it provides security functionality to the MFD. This Security Target describes the Océ PRISMAsync and the specific security problem that it addresses.

The Target of Evaluation (TOE) is a collection of software components (Océ-developed software, third-party printer language interpreters, operating system) that use the underlying hardware platform. The TOE is a subset of the complete Océ PRISMAsync.

1.3 CC Conformance

The evaluation is based upon:
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 1: General model, August 2005.
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 2: Security functional requirements, August 2005.
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 3: Security assurance requirements, August 2005.
• Common Methodology for Information Technology Security Evaluation, Version 2.3, Part 2: Evaluation Methodology, August 2005.

The chosen level of assurance is EAL2 (Evaluation Assurance Level 2 augmented with ALC_FLR.1).

This Security Target claims the following conformance to the CC:
• CC Part 2 conformant
• CC Part 3 conformant

2. TOE Description

2.1 TOE Overview

This section presents an overview of the TOE.

2.1.1 TOE physical scope and boundary

The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs). For the purpose of this evaluation, the MFD consists of two main parts: (1) the Océ PRISMAsync controller and (2) the Digital Printer and Scanner/Copier and Local User Interface peripherals that together form the VP41x0 R1.3 product.

The Océ PRISMAsync is a PC-based MFD controller that provides a wide range of printing, scanning and copy functionality to the Digital Printer, Scanner and Copier and Local User Interface peripherals to which the Océ PRISMAsync is connected. The Océ PRISMAsync provides security functionality to the MFD.

The Océ PRISMAsync can operate in two different security modes: ‘High’ and ‘Normal’. This Security Target covers the Océ PRISMAsync operating in the security mode ‘High’ as delivered by Océ to the customer. This mode provides a restricted set of functionality that is configured to meet the Security Target claim. Changing the operational mode invalidates the claims made in this Security Target.

The Océ PRISMAsync is connected between a network and the MFD. This is depicted in Figure 1.

Figure 1: Relation between the Océ PRISMAsync and MFD.

The Océ PRISMAsync is located internally in the MFD. This physical configuration is depicted in Figure 2.
Figure 2: View of the Océ PRISMAsync controller in VP4110/4120 (open or closed side). [Figure labels: Output Tray of MFD; Print Data; MFD peripherals; PRISMAsync; MFD; Network; Copy Data Flow; Scan Data Flow; Input Glass Plate of MFD.]

Figure 3: View of a separated Océ PRISMAsync controller.

The internal configuration helps prevent theft of the Océ PRISMAsync, but prevention of theft of the Océ PRISMAsync is outside the scope of this evaluation (1). All logical access points (network ports, USB/serial/parallel ports etc.) are protected from physical access in the internal configuration by a metal casing.

(1) Note that the Océ PRISMAsync protects print, copy, and scan data stored in it against theft through e-shredding, but the Océ PRISMAsync itself may be stolen.

The Océ PRISMAsync consists of:
1. A generic off-the-shelf PC comprising an Intel CPU (single-core @ 2.0 GHz or dual-core @ 2.2 GHz*), up to 2 GB internal DDR2 RAM*, a VGA output (graphical I/O), up to 2 x 160 GB hard drive*, 6 x USB 2.0 ports, 2 x serial ports (1 x RS-232 & 1 x RS-422), 2 x Ethernet ports (UTP) and audio output.
2. Generic embedded graphics card and 2 network cards supporting 10/100/1000 Mb/s Ethernet UTP.
3. Drivers for the PC (chipset, CPU, graphics card, audio and network cards).
4. The Microsoft Windows XP embedded (XPe) operating system with Service Pack 2, including the additional patches listed in Appendix F.
5. Océ PRISMAsync-specific software release 11.9.75.55.
6. Third-party developed software: Adobe PS3-PDF Interpreter, Version 3018; PCL6 interpreter, Version IPS6.0.2; Tomcat Web server version 5.5.26 (with SSL support).

Of these six, the first three are not part of the TOE and together form the underlying hardware platform that the TOE makes use of. The underlying hardware platform does not provide any specific security-related functionality for the TOE. The TSF is mediated by the last three software components, which are part of the TOE. This is depicted in Figure 4.

Figure 4: Division of the Océ PRISMAsync into TOE and non-TOE. [Figure labels: TOE: Microsoft Windows XPe (4), Oce PRISMAsync specific Software (5), Third-party Software (6). Non-TOE: Generic PC Hardware (1,2), Generic PC Hardware Drivers (3).]

The physical interfaces through which the TOE communicates are:
• A network card through which a service engineer can administer the TOE (directly physically accessible thanks to a cable extender).
• A network card through which print and scan jobs can pass and a remote system administrator can administer the TOE (physically accessible after removing a screwed panel).
• An RS-232 interface. The data that flows between the TOE and the MFD for printer control purposes passes through this interface (physically accessible after removing a screwed panel).
• An RS-422 interface. The data that flows between the TOE and the MFD for scanner control purposes passes through this interface (physically accessible after removing a screwed panel).
• A USB interface. The data that flows between the TOE and the MFD for all printing, scanning, copying and power management purposes passes through this interface (physically accessible after removing a screwed panel).
• A USB port through which the Operator can communicate with the TOE via the touch screen (LUI) to manage print jobs; this interface cannot be used to perform any security management operations (physically accessible after removing a screwed panel).
• A USB port through which the TOE gives the printer status via the Red/Orange/Green Operator light.
• A USB port through which the Operator can stop or re-start the print process (HO-GO button).

The operator (2) guidance for the TOE consists of:
• Océ VarioPrint 4110/4120 Manual type Operating information, version 2008-11.
• Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09.

The administrator guidance for the TOE consists of:
• Océ VarioPrint 4110/4120 Administrator settings and tasks, Edition 2009-05.
• Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09.

The Océ PRISMAsync administration guidance for the Océ service engineer consists of:
• Océ VarioPrint 4110/4120 Security service documentation, Edition 2009-10.

2.1.2 TOE logical scope and boundary

The TOE protects two assets: itself and the copy, print and scan job data that it receives. Firstly, the TOE protects its own integrity against threats from the LAN to which it is attached through use of a firewall. Secondly, the TOE protects the confidentiality of print, copy and scan job data after they are no longer needed. The Océ PRISMAsync does this by shredding the data after they are deleted.

In order to protect these two assets, it offers the following functionality:

The TOE controls printing from the network

The TOE accepts PostScript, PDF and PCL6 print jobs from remote users on the network (lpr over TCP/IP) and provides these as images to the attached MFD printing peripheral. The TOE receives a print job from a remote end-user, and it is either put in the print waiting room (3) or in the print queue.
Once this job becomes the first in the queue, the TOE processes this print job into images and sends these images to the attached MFD peripheral for printing. The remote end-users and the interfaces they interact with are depicted in Figure 5.

(2) No guidance is necessary for the remote end user of the TOE.
(3) The waiting room is the name used to refer to the operator mailbox.

Figure 5: End-users and interfaces for printing. [Figure labels: MFD peripheral; PRISMAsync; MFD; Remote end-user; Network.]

The TOE is configured to destroy the data relating to print jobs (4) and temporary files (5). This is achieved by writing over the job-related data with other data, thereby making it difficult to retrieve the original data. The TOE administrators can select the number of write iterations. This two-fold mechanism is fully asynchronous: shredding is performed in a separate process, with different priorities depending on the overwriting iteration. The first iteration starts after the data is deleted; the remaining iterations take place with low priority in the background. Additionally, the TOE is also configured to shred all data periodically (every day, every week, every month or never) (6).

(4) Also scan and copy jobs, see the next sub-section and Figure 6.
(5) Job data is deleted when the job is completed or deleted from the mailbox. Temporary files (swap file) are shredded during system restart.
(6) The setting to shred the data at a particular time interval is set to every day at 12 am by default.

The TOE handles operators' scan jobs that are exported to the network

Operators can scan documents on the VP41x0 R1.3 using the Local User Interface (LUI), and the resulting images will then be submitted to the TOE. The TOE can process the images into a variety of file formats and then transfer the resulting files by FTP to an FTP server or by SMTP to an e-mail server on the network. The Operator can also complete copy jobs through the LUI, with the resulting images sent to the MFD. The operators and the interfaces they interact with (LUI (7) and network) are depicted in Figure 6.

(7) The operator is unable to access any of the TOE security functions through the LUI. The LUI can only be used for scanning, copying, printing and managing print queues.

Figure 6: Operators and interfaces for scanning. [Figure labels: MFD Peripheral; PRISMAsync; MFD; Operators; LUI; FTP-server; E-mail server; Network.]

The TOE can be managed

As indicated in the previous sections, the MFD (of which the TOE is a part) supports remote end-users and Operators. The MFD also supports various administrators, which are described briefly here:

Remote Key Operator: These are typically administrators or secretaries from the organization owning/renting the TOE. They can interact with the Océ PRISMAsync through a Web interface that communicates with the TOE via the LAN. Through this interaction they have access to a limited amount of non-security-related settings of the TOE.

Remote System administrator (HTTPS): These are remote administrators, typically a network administrator from the organization owning/renting the TOE. They can read and write a limited set of settings of the TOE through an SSL over HTTP connection (HTTPS). The remote administrator can identify the TOE via a certificate. Web pages that are delivered via the HTTPS connection are ‘non-cacheable’.

Remote System administrator (SNMP): These are remote administrators, typically a network administrator from the organization owning/renting the TOE. They can read and write a limited set of settings of the TOE through an SNMP connection.
None of the settings that the remote system administrator can access through SNMP are security related, in the sense that they provide access to the assets that the TOE protects or allow changes to be made to the TOE security functionality.

Service engineer: These are local administrators, and are typically employed by Océ. They have access through an Ethernet connection to a wide range of settings on the TOE. The TOE connection is PIN-code protected and service-licence protected, and access to the management functions provided to the Service engineer requires specific hardware and software. It is not possible to access the management functions made available to the service engineer without the software that is installed on the service engineer laptop.

The various administrators and the interfaces through which they interact with the TOE are depicted in Figure 7.

Figure 7: MFD Administrators and interfaces. [Figure labels: MFD Peripheral; PRISMAsync; MFD; Remote system administrator; Service Engineer; Remote Key-operator; Ethernet; Network.]

The TOE has minimized all other functionality

The TOE supports the following network protocols:
• TCP/IP, UDP/IP and ICMP.
No other network protocols are enabled.

The TOE manufacturer has filtered all network ports so that only data that is essential to the operation of the TOE can enter the TOE through the network interface. The TOE has further restricted the functionality behind each open network port to that which is absolutely necessary to its functioning. This is done to maximize the integrity of the TOE itself and minimize the risk of the TOE being infected or hacked and subsequently being used as a stepping-stone to damage the network.

The availability of security related functionality

As depicted in Figure 7, the Remote Key Operator is not able to influence the security of the TOE, as they have no access to security settings via the Océ PRISMAsync Setting Editor. Because the Remote Key Operator and TOE Operator cannot access security-related settings on the Océ PRISMAsync LUI, they cannot affect the TOE. For the sake of clarity, Figure 8 shows the interfaces to the TOE and the subjects that can access and manage TOE security settings.

Figure 8: TOE Administrators and interfaces. [Figure labels: PRISMAsync; Remote system administrator; Service Engineer; Ethernet; Network.]

3. TOE Security Environment

The TOE is intended to provide scan, print and copy functionality to users requiring a low to moderate level of security assurance. Additional environmental and organisational requirements support the security functionality provided by the TOE.

3.1 Definition of subjects, objects and operations

To facilitate the definition of threats, OSPs, assumptions, security objectives and security requirements, we first define the subjects, objects and operations to be used in the ST.

3.1.1 Non-human subjects

The systems (equipment) that will be interacting with the TOE are (in alphabetical order):

S.DIGITAL_PRINTER: A device that is part of the MFD peripheral that physically renders a print job and is attached to the TOE via a cable.
S.DIGITAL_SCANNER: A device that is part of the MFD peripheral that scans in a copy or scan job and is attached to the TOE via a cable.
S.LUI: A device that provides a User Interface to S.OPERATOR for non-security-related operations, such as local copying/printing/scanning/queue management.
S.NETWORK_DEVICE: An unspecified network device that is logically connected to the TOE and is located in the same operating environment (office building).
3.1.2 Human subjects

The users (or subjects acting on behalf of those users) that will be interacting with the TOE are:

S.REMOTE_USER: A person who can interact with the TOE indirectly by sending or creating print jobs, and can send them to S.OPERATOR to be forwarded to the TOE. They are not malicious towards the TOE. S.REMOTE_USER typically sends print jobs from their desktop PC.
S.OPERATOR: A person with access to the operational environment of the TOE who is aware of how the TOE should be used. They are not malicious towards the TOE. S.OPERATOR typically interacts indirectly with the TOE via S.LUI or over the network. S.OPERATOR receives print jobs from S.REMOTE_USER and places the jobs in the TOE print queue or in the waiting room as appropriate to be processed by the TOE.
S.REMOTE_SYSADMIN: A person who can change some TOE settings using an Océ-supplied interface accessed remotely over a network connection. They are trusted by the customer and are adequately trained. They are capable of making mistakes. They access the TOE via its network card from a remote location on the customer LAN. They do not access the TOE via the service network link.
S.SERVICE_ENGINEER: A person with elevated privileges above those of S.OPERATOR and S.REMOTE_SYSADMIN. This person is an Océ representative and accesses the TOE through a dedicated network interface that is separated from the customer network interface. They are not malicious towards the TOE but are capable of making mistakes when operating it.
S.THIEF: S.THIEF (cleaning staff, burglar, visitor, in rare cases a user) will have no moral issues in stealing the TOE or parts of it. Once S.THIEF has stolen the TOE or parts of it he may attempt to retrieve earlier print, scan and copy jobs from the TOE. S.THIEF is opportunistic and is not a recurring visitor to the environment in which the TOE operates.
3.1.3 Objects

The (data) objects that the TOE will operate upon are:

D.PRINT_JOB: A print job received by S.OPERATOR from S.REMOTE_USER, and submitted to the TOE.
D.SCAN_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Océ PRISMAsync. Data is sent from the TOE to an FTP or e-mail server located elsewhere on the network.
D.COPY_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Océ PRISMAsync. Data is returned from the TOE to the printer peripheral for rendering.
D.INBOUND_TRAFFIC: TCP/IP, UDP/IP or ICMP network packets received by the TOE. D.INBOUND_TRAFFIC has the Security Attributes Port and Protocol associated with it.

3.1.4 Operations

The operations that are performed by the TOE are:

R.PRINT_JOB: The TOE processes and releases a D.PRINT_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SCAN_JOB: The TOE processes and releases a D.SCAN_JOB to the attached network through S.NETWORK_DEVICE.
R.COPY_JOB: The TOE processes and releases a D.COPY_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SHRED_JOB: The TOE shreds released D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data objects from the TOE’s hard disk.
R.ENTER_TOE: The TOE allows D.INBOUND_TRAFFIC from S.NETWORK_DEVICE to enter its boundary.

3.2 Assumptions

A.DIGITAL_PRINTER: It is assumed that the TOE has an S.DIGITAL_PRINTER device attached to it. S.DIGITAL_PRINTER is part of the Océ VP41x0 MFD. It is assumed, for EAL2, that the interface from the Océ PRISMAsync to the S.DIGITAL_PRINTER will not be used to mount an attack and that the interface is only used for the purposes of printing.
A.DIGITAL_SCANNER: It is assumed that the TOE has an S.DIGITAL_SCANNER device attached to it. S.DIGITAL_SCANNER is part of the Océ VP41x0 R1.3 MFD. It is assumed, for EAL2, that the interface from the Océ PRISMAsync to the S.DIGITAL_SCANNER will not be used to mount an attack and that the interface is only used for the purposes of scanning.
A.LUI: It is assumed that the TOE has an S.LUI device attached to it. S.LUI is part of the Océ VP41x0 MFD. It is assumed, for EAL2, that the interface from the LUI to the Océ PRISMAsync will not be used to mount an attack, as the TOE security functions cannot be accessed via this interface and the interface is only used for the purposes of printing, scanning and copying.
A.ENVIRONMENT: The TOE assumes that its operational environment is a repro-room contained within a regular office environment. Physical access to the operational environment is restricted to S.OPERATOR and S.SERVICE_ENGINEER. The office environment also contains non-threatening office personnel (S.OPERATOR, S.REMOTE_USER, S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER). S.THIEF is only rarely present in this environment and not on a recurring basis.
A.SECURITY_POLICY: It is assumed that the customer will have a Security Policy governing the use of IT products by employees in the customer organisation. The TOE assumes that the network to which it is attached is protected by security measures that are intended to prevent malware, viruses and network traffic not related to the working of the operational environment from entering the network to which it is attached. Although the virus database files and various patches are kept up to date, the policy recognises that new threats emerge over time and that occasionally they may enter the environment from outside, and provides measures to help limit the damage. The Policy will define how IT products are protected against threats originating from outside the customer organisation. The organisation’s employees are aware of, are trained in and operate according to the terms and conditions of the policy.
The policy also covers physical security and the need for employees to work in a security-aware manner, including the usage of the TOE. The Security Policy describes and requires a low to medium level of assurance (EAL2) for the TOE.

A.SLA  It is assumed that any security flaws discovered in the TOE will be repaired by Océ (possibly as part of an agreed service level agreement).

3.3 Threats

T.RESIDUAL_DATA  S.THIEF steals the TOE or parts thereof and retrieves stored or deleted D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB. The motivation for S.THIEF to attack the TOE is low, because it requires sophisticated data recovery equipment that can recover data even after the shredding mechanism has executed, in order to recover data that has little value to the attacker.

T.MALWARE  An S.NETWORK_DEVICE is used by malware that may have entered the TOE’s operational environment to launch an attack on the integrity of the TOE. The motivation to carry out this attack is low.

3.4 Organisational Security Policies

P.JOB_DELETE  When D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB objects are no longer needed by the TOE, they will be deleted by the TOE at the earliest available opportunity in a manner that meets a recognised standard.

P.TOE_ADMINISTRATION  The modification of TOE security settings shall be restricted to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN.

4. Security Objectives

4.1 TOE Security Objectives

This section consists of two groups of objectives:
• Functional Security Objectives for the TOE, that deal with what the TOE must do;
• Assurance Security Objectives for the TOE, that deal with how much assurance one should have that the TOE does what it is expected to.

4.1.1 Functional Security Objectives for the TOE

O.F.INBOUND_FILTER  The TOE will only support TCP/IP, UDP/IP and ICMP as network protocols. D.INBOUND_TRAFFIC shall only enter the TOE (R.ENTER_TOE) if its Port is specified as being open in Appendix D.
O.F.JOB_SHRED  The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required. During the start-up procedure, any residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB located on the TOE’s hard disk (including the swap file) is deleted. The first write cycle occurs after the job has been deleted and the remaining cycles occur once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted.

O.F.AUTHENTICATE  The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before allowing them to modify the TOE security settings.

4.1.2 Assurance Security Objectives for the TOE

O.A.SLA  The TOE shall be evaluated to ALC_FLR.1.

4.2 Security Objectives for the environment

O.E.ENVIRONMENT  The environment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to prevent all other persons, but not a determined S.THIEF who deliberately wants to steal a part of or the entire TOE by methodically planning an attack on the TOE over a period of time.

O.E.NETWORK_POLICY  The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In addition, measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself.

O.E.DEPLOYMENT  The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.
O.E.LOCAL_INTERFACE  The environment into which the TOE will be introduced shall contain an Océ VP41x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queue. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR will ensure the print job is deleted from the TOE during the same working day, either by printing without using the TOE waiting room, or by deleting the jobs manually from the automatic print queue or waiting room. Additionally, S.REMOTE_SYSADMIN can remove all jobs in the waiting room at any time. The Océ PRISMAsync MFD peripheral provides a glass plate and LUI with which S.OPERATOR can perform print, scan and copy jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers).

5. IT Security Requirements

5.1 TOE Security Functional Requirements

5.1.1 SFRs for Filtering

FDP_ACC.1 Subset access control

FDP_ACC.1.1 The TSF shall enforce the NETWORK_POLICY on:
• D.INBOUND_TRAFFIC

Dependencies: FDP_ACF.1 (included)

FDP_ACF.1 Security attributes based access control

FDP_ACF.1.1 The TSF shall enforce the NETWORK_POLICY to objects based on the following:
• Port;
• Protocol.
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
• The TOE shall perform R.ENTER_TOE on D.INBOUND_TRAFFIC only if Port(D.INBOUND_TRAFFIC) = ICMP, LPR, HTTP, HTTPS, SNMP and Protocol = TCP/IP or UDP/IP

FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:
• none

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
• none

Dependencies: FDP_ACC.1 (included)
FMT_MSA.3 (included)

5.1.2 SFRs for Shredding

FDP_RIP.1 Subset residual information protection

FDP_RIP.1.1 [8] The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from the following objects: D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB
• On deletion of R.PRINT_JOB, R.COPY_JOB and R.SCAN_JOB by S.OPERATOR, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER,
• On TOE start-up or TOE reboot. [9]

Dependencies: No dependencies.

5.1.3 SFRs for Management

FIA_UID.2 User identification before any action

FIA_UID.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to identify themselves before allowing any other TSF-mediated actions on behalf of that user.

Dependencies: No dependencies.

FIA_UAU.2 User authentication before any action

FIA_UAU.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

Dependencies: FIA_UID.1 (hierarchical component included)

FMT_MOF.1 Management of security functions behaviour (S.REMOTE_SYSADMIN) [10]

FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in Appendix E for S.REMOTE_SYSADMIN to S.REMOTE_SYSADMIN.
Dependencies: FMT_SMF.1 (included)
FMT_SMR.1 (included)

[8] This is a refinement to show when the de-allocation is to take place. When you delete a file, the OS modifies the relevant entry in the file allocation table. The data remains on the hard disk and can be retrieved with suitable tools. This is why the TOE shreds the data. What happens is that:
• When the job manager discards data, it moves the data reference in the file allocation table to a location that is dedicated to the E-shred subsystem.
• The E-shred subsystem then erases the data (makes the data unavailable) by overwriting the data several times.
• The E-shred service then removes the reference to the erased data from the file allocation table so that the erased disk resources can be re-used.

[9] The Océ PRISMAsync can experience errors and sometimes requires restarting to handle these errors (or users restart the photocopier anyway in an attempt to handle these errors). It is therefore important that the photocopier also deletes data whenever it is restarted.

[10] Note that this SFR relates to administration via the HTTPS connection. There are no TSF-mediated actions that can be managed via the SNMP connection.

FMT_MOF.1 Management of security functions behaviour (S.SERVICE_ENGINEER)

FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in Appendix E for S.SERVICE_ENGINEER to S.SERVICE_ENGINEER.
Dependencies: FMT_SMF.1 (included)
FMT_SMR.1 (included)

FMT_MSA.1 Management of security attributes

FMT_MSA.1.1 The TSF shall enforce the NETWORK_POLICY to restrict the ability to change the default [11] security attributes Port and Protocol to nobody. [12]

Dependencies: FDP_ACC.1 (included)
FMT_SMF.1 (included)
FMT_SMR.1 (included)

FMT_MSA.3 Static attribute initialisation

FMT_MSA.3.1 The TSF shall enforce the NETWORK_POLICY to provide restrictive default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow nobody [13] to specify alternative initial values to override the default values when an object or information is created.

Dependencies: FMT_MSA.1 (included)
FMT_SMR.1 (included)

FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions as described in Appendix E:
Functions related to R.SHRED_JOB that are available to S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER:
• Set the number of shred runs [14]

Dependencies: No dependencies.

[11] For grammatical and clarity reasons, the underscore between ‘change’ and ‘default’ was removed and the word ‘the’ before ‘security attributes’ was moved to between ‘change’ and ‘default’.

[12] The TOE does not allow any users to change any security attributes in the evaluated configuration.

[13] The word ‘the’ before ‘nobody’ was removed for grammatical reasons.

[14] Note that this is the only setting which is available in security mode high, the evaluated configuration.

FMT_SMR.1 Security roles

FMT_SMR.1.1 The TSF shall maintain the roles S.REMOTE_SYSADMIN, S.SERVICE_ENGINEER, S.REMOTE_USER and S.OPERATOR.

FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 (hierarchical component included)

5.1.4 SFRs for Protection of the TSF itself

FPT_SEP.1 TSF domain separation

FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.

FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.

Dependencies: No dependencies.

FPT_RVM.1 Non-bypassability of the TSP

FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.

Dependencies: No dependencies.

5.1.5 Strength-of-function claim

The strength of function claim for all the probabilistic functions and mechanisms provided by the TOE is SOF-basic.

5.2 TOE Security Assurance Requirements

The TOE security assurance requirements are conformant to the CC Evaluation Assurance Level EAL2 + ALC_FLR.1. In detail, the following Security Assurance Requirements are chosen for the TOE:

Components for Configuration management (Class ACM)
ACM_CAP.2 Configuration items

Components for Delivery and operation (Class ADO)
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures

Components for Development (Class ADV)
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high-level design
ADV_RCR.1 Informal correspondence demonstration

Components for Guidance documents (Class AGD)
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance

Components for Life cycle support (Class ALC)
ALC_FLR.1 Basic flaw remediation

Components for Tests (Class ATE)
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample

Components for Vulnerability assessment (Class AVA)
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis

5.3 Security Requirements for the IT Environment

None. [15]
5.4 Explicitly stated requirements

None.

[15] The ST defines security objectives for the IT environment in which the TOE will operate. In accordance with the Common Criteria standard, these objectives are not mapped to Security Requirements for the IT Environment.

6. TOE Summary Specification

6.1 IT Security Functions

SF.FILTERING  The TOE uses a built-in firewall to block ports that are not needed for the operation of the TOE. In addition, no network protocols that are not supported by the evaluated configuration are enabled. By default no traffic is permitted to enter the TOE from the network to which it is attached, except for the supported network packets via the ports defined in the rule table described in Appendix D.

SF.SHREDDING  Once a print, copy or scan job has been deleted, the data is overwritten. It is possible to perform multiple write cycles, with various patterns being applied. At least three write cycles will always take place. The first write cycle starts after the job has been deleted and, to improve job throughput performance, all other remaining cycles are done once the TOE enters an idle state. The shredding mechanism supports the US DoD 5220.22-M and Gutmann algorithms. [16]

SF.MANAGEMENT  The TOE can be managed in relation to SF.SHREDDING. In order to gain access, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER must authenticate themselves to the TOE. S.SERVICE_ENGINEER does this by entering a PIN. S.REMOTE_SYSADMIN authenticates himself by entering a password. The TOE is delivered by Océ with the most restrictive set of operational settings.

6.1.1 Probabilistic functions and mechanisms

The TOE contains probabilistic functions and mechanisms in the form of passwords and PIN numbers that are used for the authentication of S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER respectively.
[16] See Appendix B – References for more information relating to these algorithms.

Subject: S.REMOTE_SYSADMIN
Function: SF.MANAGEMENT, SF.SHREDDING
Mechanism: For the HTTPS connection, an alphanumeric password (ASCII characters 32-127) ranging in length between 8 and 50 characters is required. After the first failed attempt, a delay mechanism is invoked. There are no security management functions or access to the assets that the TOE protects that are accessible via the SNMP connection.

Subject: S.SERVICE_ENGINEER
Function: SF.MANAGEMENT, SF.SHREDDING
Mechanism: A fixed-length numeric PIN code of 6 digits.

6.1.2 Strength of function claim

The SFRs FIA_UID.2 and FIA_UAU.2 require the TOE to provide security functions that provide identification/authentication functionality that meets a SOF claim of ‘SOF-basic’. A strength of function claim of ‘SOF-basic’ is made for the security function SF.MANAGEMENT. This is the security function that implements FIA_UID.2 and FIA_UAU.2.

6.2 Assurance Measures

Appropriate assurance measures are employed to satisfy the security assurance requirements. The following list gives a mapping between the assurance requirements and the documents containing the information needed for the fulfilment of the respective requirement.
Configuration Management (ACM) assurance measures
The document containing the description of the configuration management system as required by ACM, and how it is used, is:
• Configuration Management List for the Océ PRISMAsync Controller (PS) R11.9.75.55 as used in the Océ VarioPrint 4110/4120 printer/copier/scanner release 1.3 products, version 1.9.2

Delivery and Operation (ADO) assurance measures
The document containing the description of all steps necessary for secure installation, generation and start-up of the TOE is:
• Software development and delivery for the Océ PRISMAsync Controllers

Development (ADV) assurance measures
The developer documentation for ADV functional specifications can be found in:
• Functional Specification for the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.4
• High Level Design for the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.3

Guidance (AGD) assurance measures
The document containing the guidance for Océ service engineers is maintained on the service engineers’ laptop with the reference:
• Océ VarioPrint 4110/4120 Security service documentation, Edition 2009-10
It is not a publicly available document.
The guidance for the customer administrators and users is in:
• Océ VarioPrint 4110/4120 Administrator settings and tasks, Edition 2009-05
• Océ VarioPrint 4110/4120 Manual type Operating information, version 2008-11
• Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09

Life Cycle (ALC) assurance measures
The physical, procedural, personnel and other security measures applied by the developer can be found in:
• Flaw remediation for Océ printer/copier/scanner products

Test (ATE) assurance measures
The developer test documentation, including a test analysis showing that the tests cover the entire functional specification, can be found in:
• Test Specification for the Common Criteria Evaluated Security Functionality implemented in the Océ PRISMAsync Controller, version 2.6

Vulnerability Assessment (AVA) assurance measures
An analysis of vulnerabilities can be found in:
• Strength of function analysis of the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.4
• Vulnerability analysis for the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 4110/4120 printer/copier/scanner Release 1.3, version 1.3
• Océ PRISMAsync Vulnerability Analysis, Internal Report
• Océ PRISMAsync Penetration Tests, Internal Report
• Océ PRISMAsync Common Criteria Security test results, Internal Report

7. PP Claims

This Security Target does not claim compliance to a Protection Profile.

8. Rationale

8.1 Security Objectives Rationale

For each assumption, threat and OSP we demonstrate that it is met by the security objectives. The tracings are provided in the following table.

Tracing of assumptions, threats and OSPs to security objectives (O.F.INBOUND_FILTER, O.F.JOB_SHRED, O.F.AUTHENTICATE, O.A.SLA, O.E.ENVIRONMENT, O.E.NETWORK_POLICY, O.E.DEPLOYMENT, O.E.LOCAL_INTERFACE):
A.DIGITAL_PRINTER: O.E.LOCAL_INTERFACE
A.DIGITAL_SCANNER: O.E.LOCAL_INTERFACE
A.LUI: O.E.LOCAL_INTERFACE
A.ENVIRONMENT: O.E.ENVIRONMENT
A.SECURITY_POLICY: O.E.NETWORK_POLICY, O.E.DEPLOYMENT, O.E.LOCAL_INTERFACE
A.SLA: O.A.SLA
T.RESIDUAL_DATA: O.F.JOB_SHRED
T.MALWARE: O.F.INBOUND_FILTER
P.TOE_ADMINISTRATION: O.F.AUTHENTICATE
P.JOB_DELETE: O.F.JOB_SHRED

The individual rationales demonstrating that the threats, assumptions and organisational security policies are met are described as follows:

A.DIGITAL_COPIER  The assumption is met by the following objective for the environment:

O.E.LOCAL_INTERFACE - The environment into which the TOE will be introduced shall contain an Océ VP41x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR is aware that they must delete the job on the same workday that it is sent to the TOE, whether or not it is used. Requiring job data to be deleted from the TOE on the same workday it is sent reduces the time during which the data object is vulnerable to an attacker. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print/copy/scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers). Although the assumption states that a VP41x0 MFD from Océ will be used, the MFD is an untrusted device.

A.ENVIRONMENT  The assumption is met by the following objective for the environment:

O.E.ENVIRONMENT - The environment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to prevent all other persons, but not a determined S.THIEF who deliberately wants to steal a part of or the entire TOE by methodically planning an attack on the TOE over a period of time.
A.SECURITY_POLICY  The assumption is met by the following objectives for the environment:

O.E.NETWORK_POLICY - The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In addition, measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself.

O.E.DEPLOYMENT - The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.

O.E.LOCAL_INTERFACE - The environment into which the TOE will be introduced shall contain an Océ VP41x0 that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR is aware that they must delete the job on the same workday that it is sent to the TOE, whether or not it is printed. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print/copy/scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device (including Digital MFD Products from any other manufacturers).

A.SLA  The assumption is met by the following TOE assurance objective:

O.A.SLA - The TOE shall be evaluated to ALC_FLR.1. There are measures in place to repair faults in the TOE when they occur.
T.RESIDUAL_DATA  The threat is met by the following TOE functional objective:

O.F.JOB_SHRED - The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or during the start-up procedure if residual D.PRINT_JOB, D.SCAN_JOB or D.COPY_JOB are found on the TOE’s hard disk (including the swap file). The first write cycle starts immediately after the job has been deleted and the rest are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. ‘Scrubbing’ the data from the hard disk when it is no longer needed helps prevent the data being accessed by unauthorised persons.

T.MALWARE  The threat is met by the following TOE functional objective:

O.F.INBOUND_FILTER - The TOE will only support TCP/IP, UDP/IP and ICMP as network protocols. D.INBOUND_TRAFFIC shall only enter the TOE (R.ENTER_TOE) if the Port is specified as being open in Appendix D. The chances of malware being accidentally sent to the TOE and causing a security violation are limited by only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE. Although the TOE is designed, tested and configured with security as a main concern, it is possible that vulnerabilities will be discovered in the future that could be exploited in order to use the TOE as a launch pad for an attack. By only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE, the chances of a successful attack launch are limited.
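The shredding lifecycle behind O.F.JOB_SHRED and footnote 8 (the job manager moves the reference to the E-shred area, the first write cycle runs at once, the remaining cycles run when the TOE is idle, the reference is dropped last, and pending residue is finished at start-up) as an added Python model; this is an illustration and not Océ's code. The toy block geometry, the sample job bytes and the three-pass pattern sequence are assumptions standing in for the DoD 5220.22-M and Gutmann tables referenced in Appendix B, which this section does not reproduce. It also contrasts a plain file-table delete, the behaviour T.RESIDUAL_DATA relies on.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

BLOCK_SIZE = 16   # constructed toy disk geometry: 16-byte blocks
MIN_PASSES = 3    # SF.SHREDDING: at least three write cycles always take place


def overwrite_pattern(pass_no: int) -> bytes:
    """Pattern for one write cycle. Assumed sequence (zeros, ones, random);
    the TOE's real DoD 5220.22-M / Gutmann tables are not on this page."""
    if pass_no == 0:
        return b"\x00" * BLOCK_SIZE
    if pass_no == 1:
        return b"\xff" * BLOCK_SIZE
    return os.urandom(BLOCK_SIZE)


@dataclass
class PendingShred:
    blocks: List[int]      # blocks still reserved for the discarded job
    passes_done: int = 0


class JobStore:
    """Toy hard disk with a file allocation table (fat) and an E-shred area."""

    def __init__(self, nblocks: int, shred_runs: int = MIN_PASSES) -> None:
        self.nblocks = nblocks
        self.disk = bytearray(nblocks * BLOCK_SIZE)
        self.fat: Dict[str, List[int]] = {}            # live jobs
        self.shred_area: Dict[str, PendingShred] = {}  # discarded jobs awaiting passes
        # FMT_SMF.1: the number of shred runs is configurable, but never below the minimum
        self.shred_runs = max(shred_runs, MIN_PASSES)

    def free_blocks(self) -> List[int]:
        reserved = {b for blocks in self.fat.values() for b in blocks}
        reserved |= {b for p in self.shred_area.values() for b in p.blocks}
        return [b for b in range(self.nblocks) if b not in reserved]

    @staticmethod
    def _chunks(payload: bytes) -> List[bytes]:
        padded = payload + b"\x00" * (-len(payload) % BLOCK_SIZE)
        return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]

    def store_job(self, job_id: str, payload: bytes) -> List[int]:
        chunks = self._chunks(payload)
        free = self.free_blocks()
        if len(free) < len(chunks):
            raise RuntimeError("disk full")
        blocks = free[:len(chunks)]
        for block, chunk in zip(blocks, chunks):
            self.disk[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = chunk
        self.fat[job_id] = blocks
        return blocks

    def naive_delete(self, job_id: str) -> None:
        """A plain OS delete: drop the table entry, leave the bytes (T.RESIDUAL_DATA)."""
        del self.fat[job_id]

    def _run_pass(self, pending: PendingShred) -> None:
        pattern = overwrite_pattern(pending.passes_done)
        for block in pending.blocks:
            self.disk[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = pattern
        pending.passes_done += 1

    def delete_job(self, job_id: str) -> None:
        """Job manager discards the job: reference moves to the E-shred area and
        the first write cycle runs immediately; the blocks stay reserved."""
        pending = PendingShred(self.fat.pop(job_id))
        self.shred_area[job_id] = pending
        self._run_pass(pending)

    def on_idle(self) -> None:
        """TOE idle: finish the remaining cycles, then drop the reference so the
        blocks can be reused (the E-shred service step of footnote 8)."""
        for job_id in list(self.shred_area):
            pending = self.shred_area[job_id]
            while pending.passes_done < self.shred_runs:
                self._run_pass(pending)
            del self.shred_area[job_id]

    def startup(self) -> None:
        """FDP_RIP.1 refinement: on start-up or reboot, pending residue is shredded first."""
        self.on_idle()

    def residual(self, payload: bytes) -> bool:
        """True if any non-empty block-sized fragment of payload is still readable."""
        on_disk = {bytes(self.disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                   for b in range(self.nblocks)}
        return any(c in on_disk for c in self._chunks(payload) if c.strip(b"\x00"))


if __name__ == "__main__":
    job = b"CONSTRUCTED SAMPLE: confidential print job"   # constructed job data
    plain, toe = JobStore(nblocks=8), JobStore(nblocks=8)
    plain.store_job("job-1", job); plain.naive_delete("job-1")
    print("readable after plain delete:", plain.residual(job))       # True
    toe.store_job("job-1", job); toe.delete_job("job-1")
    print("readable after first pass:", toe.residual(job),
          "| free blocks while passes pending:", len(toe.free_blocks()))
    toe.on_idle()
    print("free blocks after idle:", len(toe.free_blocks()))          # 8
```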
P.JOB_DELETE  The policy requirement is met by the following TOE functional objective:

O.F.JOB_SHRED - The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or during the start-up procedure if residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB are found on the TOE’s hard disk (including the swap file). The first write cycle starts immediately after the job has been deleted and the remaining cycles are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. ‘Scrubbing’ the data from the hard disk when it is no longer needed helps prevent the data being accessed by unauthorised persons.

P.TOE_ADMINISTRATION  The policy requirement is met by the following TOE functional objective:

O.F.AUTHENTICATE - The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify and authenticate themselves to the TOE before allowing them to modify the TOE security settings.

8.2 Security Requirements Rationale

The purpose of the Security Requirements Rationale is to demonstrate that the security requirements are suitable to meet the Security Objectives.

8.2.1 The SFRs meet the Security Objectives for the TOE

For each Security Objective for the TOE we demonstrate that it is met by the SFRs. The tracings are provided implicitly by the rationales.

Tracing of SFRs (FDP_ACC.1, FDP_ACF.1, FDP_RIP.1, FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1) to security objectives for the TOE:
O.F.INBOUND_FILTER: FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FPT_SEP.1, FPT_RVM.1
O.F.JOB_SHRED: FDP_RIP.1, FPT_SEP.1, FPT_RVM.1
O.F.AUTHENTICATE: FIA_UID.2, FIA_UAU.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_SEP.1, FPT_RVM.1

The individual rationales demonstrating that the objectives are met are described as follows:

O.F.INBOUND_FILTER

FDP_ACC.1 Subset access control
Inbound traffic is filtered so that only traffic relating to the operation of the TOE is allowed to enter the TOE.
This SFR supports the security objective by restricting the TOE data flow to only that which is necessary for the operation of the TOE. This reduces the number of vulnerable entry points.

FDP_ACF.1 Security attributes based access control
All ports that are not necessary for the operation of the TOE as described in this document are blocked. This SFR supports the security objective by reducing the number of entry points that could be vulnerable to attack.

FMT_MSA.1 Management of security attributes
The TOE is delivered pre-configured to the customer. This SFR supports the objective by ensuring that it is not possible for any user (including S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN) to change the settings of the firewall mechanism.

FMT_MSA.3 Static attribute initialisation
In order to change the security attributes of the TOE, the management interfaces provided for S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN must be used. This SFR supports the objective by ensuring that the TOE provides restrictive default security-related settings that require no additional modification by S.SERVICE_ENGINEER or S.REMOTE_SYSADMIN. Nobody is allowed to create new settings with alternative values.

FPT_RVM.1 Non-bypassability of the TSP
In order for data to enter or leave the TOE it must pass through the filtering mechanism. This SFR supports the security objective by ensuring that the TSF cannot be bypassed, which would otherwise create a direct line between the network to which the TOE is attached and the TOE.

FPT_SEP.1 TSF domain separation
Filtering of network traffic occurs in an area of the TOE that is separate from non-TSF-related operation. This SFR supports the objective by ensuring that the filtering mechanism is protected by not being exposed to non-TSF mechanisms from which a possible attack could be made.
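The NETWORK_POLICY of FDP_ACC.1 and FDP_ACF.1 as an added Python default-deny filter whose rule table is read-only (FMT_MSA.1 and FMT_MSA.3 allow nobody to change it); this is an illustration and not the TOE's firewall. The port numbers are the IANA well-known ports for the services FDP_ACF.1.2 names and the log records are constructed; the authoritative rule table is Appendix D, which this section does not reproduce.

```python
import re
from dataclasses import dataclass
from types import MappingProxyType
from typing import List, Optional, Tuple

# Security attribute "Protocol": O.F.INBOUND_FILTER supports only these three.
SUPPORTED_PROTOCOLS = frozenset({"icmp", "tcp", "udp"})

# Security attribute "Port": the services named in FDP_ACF.1.2, with assumed IANA
# well-known numbers (the authoritative rule table is Appendix D, not shown here).
# Exposed read-only: restrictive defaults that nobody may change (FMT_MSA.1, FMT_MSA.3).
OPEN_PORTS = MappingProxyType({"LPR": 515, "HTTP": 80, "HTTPS": 443, "SNMP": 161})
_OPEN_PORT_NUMBERS = frozenset(OPEN_PORTS.values())


@dataclass(frozen=True)
class InboundPacket:
    """D.INBOUND_TRAFFIC with its two security attributes (ICMP carries no port)."""
    src: str
    protocol: str
    dst_port: Optional[int] = None


def r_enter_toe(pkt: InboundPacket) -> Tuple[bool, str]:
    """NETWORK_POLICY decision for R.ENTER_TOE: default deny, allow only the FDP_ACF.1.2 rule."""
    proto = pkt.protocol.lower()
    if proto not in SUPPORTED_PROTOCOLS:
        return False, "unsupported protocol"
    if proto == "icmp":
        return True, "icmp permitted"
    if pkt.dst_port in _OPEN_PORT_NUMBERS:
        name = next(n for n, p in OPEN_PORTS.items() if p == pkt.dst_port)
        return True, f"{proto}/{pkt.dst_port} open ({name})"
    return False, f"{proto}/{pkt.dst_port} closed (default deny)"


# Constructed record format for the sample below (not a PRISMAsync log format).
_LINE = re.compile(r"src=(?P<src>\S+) proto=(?P<proto>\S+)(?: dport=(?P<dport>\d+))?")


def parse_line(line: str) -> InboundPacket:
    m = _LINE.search(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    port = int(m["dport"]) if m["dport"] else None
    return InboundPacket(m["src"], m["proto"], port)


def filter_log(text: str) -> List[Tuple[str, bool, str]]:
    """Apply the policy to each record; returns (source, allowed, reason) per line."""
    decisions = []
    for line in text.splitlines():
        if line.strip():
            pkt = parse_line(line)
            allowed, why = r_enter_toe(pkt)
            decisions.append((pkt.src, allowed, why))
    return decisions


def policy_is_immutable() -> bool:
    """FMT_MSA.1: no user, administrators included, can alter the rule table."""
    try:
        OPEN_PORTS["TELNET"] = 23   # type: ignore[index]
    except TypeError:
        return True
    return False


# Constructed sample traffic: two print/admin requests, one telnet probe, one SNMP
# query, one ping, one unsupported protocol (addresses from the TEST-NET-1 range).
SAMPLE_LOG = """\
2009-10-08T10:00:01 src=192.0.2.10 proto=tcp dport=515
2009-10-08T10:00:02 src=192.0.2.10 proto=tcp dport=443
2009-10-08T10:00:03 src=192.0.2.11 proto=tcp dport=23
2009-10-08T10:00:04 src=192.0.2.12 proto=udp dport=161
2009-10-08T10:00:05 src=192.0.2.13 proto=icmp
2009-10-08T10:00:06 src=192.0.2.13 proto=gre
"""

if __name__ == "__main__":
    for src, allowed, why in filter_log(SAMPLE_LOG):
        print(f"{src:<12} {'ALLOW' if allowed else 'DENY ':<5} {why}")
    print("rule table immutable:", policy_is_immutable())
```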
O.F.JOB_SHRED

FDP_RIP.1 Subset residual information protection
This SFR supports the objective by ensuring that once a print, copy or scan job is no longer needed, and during the start-up procedure if residual print or scan job data is found, the related data will be electronically shredded from the hard disk. The SFR has been refined to describe the moment when the data will be shredded.

FPT_RVM.1 Non-bypassability of the TSP
Print and scan jobs must pass through the shredding mechanism. This SFR supports the objective by ensuring that print and scan jobs cannot leave the TOE except in the authorised manner.

FPT_SEP.1 TSF domain separation
Shredding occurs in an area of the TOE that is separate from non-TSF-related operation. This SFR supports the objective by ensuring that the shredding mechanism is protected by not being exposed to other non-TSF mechanisms from which a possible attack could be made.

O.F.AUTHENTICATE

FIA_UID.2 User identification before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify themselves to the TOE before any TOE management actions can be performed.

FIA_UAU.2 User authentication before any action
S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before any TOE management actions can be performed.

FMT_SMF.1 Specification of Management Functions
The functions that can be performed by either S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER are defined.

FMT_MOF.1 Management of security functions behaviour
Only TOE administrators and Océ technicians can use security-related functions.

FMT_SMR.1 Security roles
The TOE shall make a distinction between administrators and ordinary users.

FPT_RVM.1 Non-bypassability of the TSP
Users other than S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER cannot gain access to security management functions of the TOE without first being controlled by the mechanisms specified in this document.
FPT_SEP.1 TSF domain separation
Identification and authentication of users occurs in an area of the TOE that is separate from non-security-related operation.

8.2.2 The security requirements for the IT environment meet the security objectives for the environment

The TOE does not make any security requirements on its environment.

8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate

The Assurance Requirements consist of EAL2 requirement components. The TOE is a commercially available device produced by a well-known manufacturer and, most importantly, provides a limited set of security-related functionality. The TOE has been structurally tested by Océ and is suitable for environments that require a low to moderate level of independently assured security. The developer works in a consistent manner with good commercial practice. Occasionally the TOE may develop a problem that requires S.SERVICE_ENGINEER to make a visit to the customer location in order to repair the TOE. Océ has procedures that support these processes, and for this reason the assurance requirements have been augmented with the following assurance class, as the developer is able to meet it:

Components for Life cycle support (Class ALC)
• ALC_FLR.1 Basic flaw remediation

The evaluation of the TOE security mechanisms at AVA_VLA.1 is designed to provide assurance against the exploitation of obvious vulnerabilities by an attacker with a low attack potential. Therefore the SOF claim is SOF-basic. This strength of function claim is consistent with the security objectives for the TOE and the defined TOE assumptions that have been made.
O.A.SLA is met by EAL2 + ALC_FLR.1, which comprises:
ACM_CAP.2 Configuration items
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Fully defined external interfaces
ADV_HLD.1 Security enforcing high-level design
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
ALC_FLR.1 Basic flaw remediation
ATE_COV.1 Analysis of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing – sample
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis

8.2.4 All dependencies have been met

The following dependencies are identified and met: FDP_ACF.1, FDP_ACC.1, FMT_MSA.1, FMT_MSA.3, FIA_UID.2, FMT_SMF.1, FMT_SMR.1.

8.2.5 The requirements are internally consistent

Because the assurance requirements form a package (EAL2) they are internally consistent. The addition of ALC_FLR.1 does not cause inconsistencies with the EAL2 package. The functional requirements and assurance requirements do not have any dependencies between them, and are therefore completely independent of each other. Because both functional and assurance requirements are internally consistent, and they are independent, the requirements are internally consistent.

8.2.6 The requirements are mutually supportive

The requirements are complete and do not cause inconsistencies; therefore the requirements are considered to be mutually supportive. (This argument has been based on section 9.3.8 of the Guide for the production of PPs and STs, PDTR 15446 N2449.)

8.3 TOE Summary Specification Rationale

8.3.1 The functions meet the SFRs

For each SFR we demonstrate that it is met by the Security Functions. The tracings are provided implicitly by the rationales.
                FDP_ACC.1 FDP_ACF.1 FDP_RIP.1 FIA_UID.2 FIA_UAU.2 FMT_MOF.1 FMT_MSA.1 FMT_MSA.3 FMT_SMF.1 FMT_SMR.1 FPT_SEP.1 FPT_RVM.1
SF.FILTERING    X X X X X X
SF.SHREDDING    X X X
SF.MANAGEMENT   X X X X X X X X X

FDP_ACC.1
This Security Functional Requirement ensures that only traffic that is relevant to the operation of the TOE is allowed to enter it. This SFR is supported by SF.FILTERING, which restricts the flow of network traffic and limits the supported network protocols.

FDP_ACF.1
This Security Functional Requirement ensures that all ports that are non-essential to the operation of the TOE are blocked. This SFR is supported by SF.FILTERING. SF.FILTERING expands on the restricted flow of network traffic and supported network protocols by defining which ports are open and which protocols are supported.

FDP_RIP.1
This Security Functional Requirement requires that residual information relating to D.PRINT_JOB, D.COPY_JOB and D.SCAN_JOB is deleted once it is no longer needed or, during the startup procedure, if residual print or scan job data is found on the hard disk (including the swap file). The SFR has been refined to describe the moment when the data will be shredded. This SFR is supported by SF.SHREDDING, which provides functionality that ensures the data objects detailed above are shredded in accordance with known standards. This SFR helps to reduce the amount of sensitive data present on the hard disk in the event of it being stolen.

FIA_UID.2
This Security Functional Requirement ensures that administrators correctly identify themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT, which provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) can identify themselves to the TOE. This helps to restrict access to security management functions and thereby reduces the risk of modifications being made to the TOE settings by unauthorised users.
FIA_UAU.2
This Security Functional Requirement ensures that administrators correctly authenticate themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT, which provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) can authenticate themselves to the TOE. This helps to restrict access to security management functions and thereby reduces the risk of modifications being made to the TOE settings by unauthorised users.

FMT_MOF.1
This Security Functional Requirement ensures that the TOE management functions are only used by either the Océ technician (S.SERVICE_ENGINEER) or the customer system administrator (S.REMOTE_SYSADMIN). This SFR is supported by SF.MANAGEMENT and ensures that non-administrators cannot administer the TOE.

FMT_MSA.1
This Security Functional Requirement ensures that the TOE management functions related to the filter mechanism settings cannot be changed. This SFR is supported by SF.MANAGEMENT, which ensures that filter related settings cannot be changed by administrators.

FMT_MSA.3
This Security Functional Requirement ensures that the TOE management functions related to the filter mechanism settings are given default values. This SFR is supported by SF.MANAGEMENT, which ensures that the filter related settings are pre-configured before delivery to the customer.

FMT_SMF.1
This Security Functional Requirement ensures that the TOE management functions are defined. This SFR is supported by functions made available by SF.MANAGEMENT and defines the set of operations that are available to the Océ technician (S.SERVICE_ENGINEER) or the customer system administrator (S.REMOTE_SYSADMIN) and that are needed to administrate the TOE.

FMT_SMR.1
This Security Functional Requirement ensures that the TOE makes a distinction between security related roles and normal users. This SFR is supported by SF.MANAGEMENT.
This SFR is supported by SF.MANAGEMENT and ensures that non-administrators cannot administer the TOE.

FPT_SEP.1
This Security Functional Requirement ensures that the TSF operates in its own domain and cannot be influenced by external sources. This requirement is met by the physical characteristics of the TOE, which comprises software that uses a generic PC hardware platform. The Océ PRISMAsync only provides functionality related to the operation of the TOE and does not have a dual function, for example as an office file server. The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that the TSF operates in its own domain.

The operation of the TSF in its own domain provides the following:
1. The filtering mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.FILTERING. This protects the integrity of the filtering mechanism against unauthorised subjects and threat attacks.
2. The shredding mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.SHREDDING. This protects the integrity of the shredding mechanism against unauthorised subjects and threat attacks.
3. The TOE security management mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.MANAGEMENT. This protects the integrity of the security management mechanisms against unauthorised subjects and threat attacks.

FPT_RVM.1
This Security Functional Requirement ensures that no security related operations can be performed without being controlled by the TOE’s security mechanisms. The Océ PRISMAsync provides a limited set of security functionality that is related to the operation of the TOE.
The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that only the TSF can perform security related operations. This SFR is supported by SF.MANAGEMENT. This Security Functional Requirement ensures that:
1. No filtering mechanisms can be performed without being controlled by the TOE’s security mechanisms. This SFR is supported by SF.FILTERING.
2. No shredding mechanisms can be performed without being controlled by the TOE’s security mechanisms. This SFR is supported by SF.SHREDDING.
3. No security related operations can be performed without being controlled by the TOE’s security mechanisms. This SFR is supported by SF.MANAGEMENT.

8.3.2 The assurance measures meet the SARs
The statement of assurance measures has been presented in the form of a reference to the documents that show that the assurance measures have been met (CC Part 3 paragraph 188). This statement can be found in section 6.2.

8.3.3 The SOF-claims for functions meet the SOF-claims for the SFRs
The SFRs FIA_UAU.2 and FIA_UID.2 require the TOE to provide security functions that provide identification/authentication functionality meeting a SOF claim of ‘SOF basic’. The rationale for this is that the claim must be adequate to defend against the threats to the TOE identified in the TOE Security Environment, for which a low attack potential exists.

The Security Function that is realised by probabilistic or permutational mechanisms is:
• SF.MANAGEMENT

The claim for this Security Function is ‘SOF basic’. This Security Function is traced back to the TOE SFRs it implements in 8.3.1. As the SOF claim for the Security Function is equal to the SOF claims for the TOE SFRs it implements, the SOF claims are consistent.
8.3.4 The functions are mutually supportive
The requirements are mutually supportive (see section 8.2.6) and the functions that implement these requirements are complete (see section 8.3.1). The functions are therefore mutually supportive. (This argument has been based on section 9.3.8 of Guide for the production of PPs and STs, PDTR 15446 N2449.)

8.4 PP Claims Rationale
This Security Target does not claim conformance to any Protection Profile.

9. Appendix A Abbreviations
BSI Bundesamt für Sicherheit in der Informationstechnik
ITSEF IT Security Evaluation Facility
LUI Local User Interface (attached to the Océ PRISMAsync via a USB connection); non-security related interface used to manage the print queues
MFD Multifunctional device for copying, printing and scanning, connected to a network

10. Appendix B References
1. Peter Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, 1996 (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html)
2. US Department of Defense Military Standard DoD 5220.22-M (http://www.dss.mil/isecnispom_0195.htm)

11. Appendix C Glossary of Terms
Repro-room Reprographics room.

12. Appendix D Firewall rule table
The firewall rule table that is used by the Océ PRISMAsync for controlling the inbound flow of data is given below. By default no traffic is permitted to enter the TOE except for the ports defined in the rule tables below.
ICMP (administration)
Protocol    Destination Port
ICMP        any

LPR (accepting print jobs)
Protocol    Destination Port
TCP         515

Web HTTPS server with HTTP redirect (administration)
Protocol    Destination Port
TCP         443
TCP         80

SNMP (non security functionality related administration)
Protocol    Destination Port
UDP         161

13. Appendix E Security Related Administration Functions
In this appendix the security related administration functions that are available to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN are detailed. The tables give the administration function name and a short description.

S.SERVICE_ENGINEER
Administration Function    Description
ResetSASPassword           Resets the S.REMOTE_SYSADMIN password to its default value

S.REMOTE_SYSADMIN & S.SERVICE_ENGINEER
Administration Function                      Description
Security\Security level\enable high level    Enable/disable switch for high security level [17] (This must not be changed if the customer requires the CC evaluated configuration)
Security\E-shredding\Method                  Shredding method (Dod, Guttmann, custom)
Security\E-shredding\Number of runs          Number of runs can be set from 3 to 35 when the ‘Custom’ shredding method is selected [18]
System\System administrator PIN              Change S.REMOTE_SYSADMIN password

[17] In high security mode shredding cannot be turned off.
[18] When "DoD" is chosen, the number of passes is fixed to 3, and cannot be changed. When "Gutmann" is chosen, the number of passes is fixed to 35, and cannot be changed.
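The default-deny inbound filter of Appendix D, modelled in code as an added example (this is illustration, not Océ's implementation): the Packet type, the function names and the sample traffic are constructed here; only the rule entries come from the table above. It also adds a drift check for the FMT_MSA.1 requirement that the filter settings are not changed.

```python
"""Default-deny inbound filter modelled on the Appendix D rule table.
Example code added for illustration; not Océ's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Appendix D rule table: service -> (protocol, destination port).
# A port of None means "any" (the ICMP rule carries no port).
EVALUATED_RULES: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "ICMP (administration)": [("ICMP", None)],
    "LPR (accepting print jobs)": [("TCP", 515)],
    "Web HTTPS server with HTTP redirect (administration)": [("TCP", 443), ("TCP", 80)],
    "SNMP (non security functionality related administration)": [("UDP", 161)],
}


@dataclass(frozen=True)
class Packet:                 # constructed packet model, not a TOE type
    protocol: str             # "TCP", "UDP" or "ICMP"
    dst_port: Optional[int]   # None for ICMP


def match_rule(packet: Packet, rules=EVALUATED_RULES) -> Optional[str]:
    """Return the name of the rule admitting the packet, or None.
    No match means the packet is dropped (default deny, FDP_ACC.1/FDP_ACF.1)."""
    proto = packet.protocol.upper()
    for name, entries in rules.items():
        for rule_proto, rule_port in entries:
            if proto == rule_proto and (rule_port is None or rule_port == packet.dst_port):
                return name
    return None


def apply_filter(packets, rules=EVALUATED_RULES):
    """Split constructed inbound traffic into (admitted, dropped)."""
    admitted = [(p, match_rule(p, rules)) for p in packets if match_rule(p, rules)]
    dropped = [p for p in packets if match_rule(p, rules) is None]
    return admitted, dropped


def rule_drift(candidate, baseline=EVALUATED_RULES):
    """FMT_MSA.1: filter settings must not change. Return the (protocol, port)
    entries in `candidate` that the evaluated table does not contain."""
    allowed = {e for entries in baseline.values() for e in entries}
    extra = {e for entries in candidate.values() for e in entries if e not in allowed}
    return sorted(extra, key=str)


if __name__ == "__main__":
    traffic = [Packet("TCP", 515), Packet("TCP", 443), Packet("UDP", 53), Packet("TCP", 22)]
    ok, drop = apply_filter(traffic)
    print("admitted:", [(p.protocol, p.dst_port, name) for p, name in ok])
    print("dropped:", [(p.protocol, p.dst_port) for p in drop])
```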
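The E-shredding settings of Appendix E (footnotes 17 and 18) and the FDP_RIP.1 rationale, as an added example that is not Océ's code: the settings check enforces the fixed DoD and Gutmann pass counts and the 3 to 35 Custom range, and the overwrite routine and job store are constructed here, with simplified per-pass patterns in place of the real DoD and Gutmann sequences.

```python
"""E-shredding settings check and overwrite model for hard-disk job data
(FDP_RIP.1, Appendix E). Added example, not Océ's implementation."""
import os

# Appendix E, footnote 18: DoD fixes 3 passes, Gutmann fixes 35; Custom allows 3..35.
FIXED_PASSES = {"DoD": 3, "Gutmann": 35}
CUSTOM_MIN, CUSTOM_MAX = 3, 35


def effective_passes(method, runs=None, enabled=True, high_security=True):
    """Validate a shredding setting and return the number of overwrite passes.
    Raises ValueError for combinations the settings table does not allow."""
    if not enabled:
        # Footnote 17: in high security mode shredding cannot be turned off.
        if high_security:
            raise ValueError("shredding cannot be disabled in high security mode")
        return 0
    if method in FIXED_PASSES:
        fixed = FIXED_PASSES[method]
        if runs not in (None, fixed):
            raise ValueError(f"{method} pass count is fixed at {fixed}")
        return fixed
    if method == "Custom":
        if runs is None or not CUSTOM_MIN <= runs <= CUSTOM_MAX:
            raise ValueError(f"Custom runs must be between {CUSTOM_MIN} and {CUSTOM_MAX}")
        return runs
    raise ValueError(f"unknown shredding method {method!r}")


def shred(buf: bytearray, passes: int) -> bytearray:
    """Overwrite buf in place with alternating 0x00, 0xFF and random passes
    (simplified patterns; the point is that the original job bytes are gone)."""
    for i in range(passes):
        pattern = (b"\x00", b"\xff", None)[i % 3]
        buf[:] = os.urandom(len(buf)) if pattern is None else pattern * len(buf)
    return buf


def shred_finished_jobs(jobs, passes):
    """jobs: constructed job store, id -> (state, bytearray). Shred the data of
    every job that is no longer needed (state 'finished'); return the ids done."""
    done = []
    for job_id, (state, data) in jobs.items():
        if state == "finished":
            shred(data, passes)
            done.append(job_id)
    return done
```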
14. Appendix F XP Patches applied
KB888413 KB918118 KB921503 KB924270 KB924667 KB925454 KB925902 KB926247 KB926255 KB926436 KB927779 KB928090 KB928255 KB928388 KB930178 KB931784 KB931836 KB933360 KB933566 KB933729 KB935839 KB935840 KB936021 KB937143 KB938829 KB939373 KB939653 KB941568 KB941644 KB941693 KB942527 KB942615 KB942763 KB942830 KB942831 KB943055 KB943460 KB943485 KB944338 KB944338-v2 KB944533 KB944945 KB945553 KB946026 KB947864 KB948590 KB948686 KB948881 KB950749 KB950759 KB950760 KB950974 KB951072 KB951698 KB951748 KB952954 KB953838 KB953839 KB953839 KB954211 KB956390 KB956391 KB956803 KB956841 KB957095

15. Distribution list
1. BSI
2. Océ Technologies BV
3. Brightsight