bizhub 4750 / bizhub 4050 / ineo 4750 / ineo 4050 Security Target

Copyright ©2016 KONICA MINOLTA, INC., All Rights Reserved

This document is a translation of the evaluated and certified security target written in Japanese.

Version: 1.05
Issued on: September 14, 2016
Created by: KONICA MINOLTA, INC.

Revision history (Date / Ver. / Division / Approved / Checked / Created / Revision)
2016/3/2   1.00  Office Products System Control Development Div. 2  Goto  Konishi  Tamukai  Initial version
2016/5/13  1.01  System Control Development Div.  Goto  Konishi  Tamukai  Correction based on indication
2016/5/31  1.02  System Control Development Div.  Goto  Konishi  Tamukai  Correction of TOE and firmware version
2016/6/28  1.03  System Control Development Div.  Goto  Konishi  Tamukai  Typos corrected
2016/7/19  1.04  System Control Development Div.  Goto  Konishi  Tamukai  Typos corrected
2016/9/14  1.05  System Control Development Div.  Goto  Konishi  Tamukai  Typos corrected

[Contents]
1. ST introduction (p. 7)
  1.1. ST reference (p. 7)
  1.2. TOE reference (p. 7)
  1.3. TOE overview (p. 7)
    1.3.1. TOE type (p. 7)
    1.3.2. Necessary Hardware/Software for the TOE (p. 8)
    1.3.3. Usage of the TOE (p. 8)
    1.3.4. TOE's Main Basic Functions and Main Security Functions (p. 9)
  1.4. TOE description (p. 10)
    1.4.1. Physical Scope of the TOE (p. 11)
    1.4.2. Guidance (p. 12)
    1.4.3. Identification of TOE Components (p. 13)
    1.4.4. Logical Scope of the TOE (p. 13)
    1.4.5. TOE User (p. 16)
    1.4.6. Protected Assets (p. 16)
    1.4.7. Glossary (p. 18)
2. Conformance claims (p. 21)
  2.1. CC Conformance claims (p. 21)
  2.2. PP claim (p. 21)
  2.3. Package claim (p. 21)
    2.3.1. SFR package reference (p. 21)
    2.3.2. SFR Package functions (p. 22)
    2.3.3. SFR Package attributes (p. 22)
  2.4. PP Conformance rationale (p. 23)
    2.4.1. Conformance Claim with TOE type of the PP (p. 23)
    2.4.2. Conformance Claim with Security Problem and Security Objectives of the PP (p. 23)
    2.4.3. Conformance Claim with Security requirement of the PP (p. 23)
3. Security Problem Definition (p. 26)
  3.1. Threat agents (p. 26)
  3.2. Threats to TOE Assets (p. 26)
  3.3. Organizational Security Policies for the TOE (p. 26)
  3.4. Assumptions (p. 27)
4. Security Objectives (p. 28)
  4.1. Security Objectives for the TOE (p. 28)
  4.2. Security Objectives for the IT environment (p. 28)
  4.3. Security Objectives for the non-IT environment (p. 29)
  4.4. Security Objectives rationale (p. 30)
5. Extended components definition (APE_ECD) (p. 33)
  5.1. FPT_FDI_EXP Restricted forwarding of data to external interfaces (p. 33)
6. Security Requirements (p. 35)
  6.1. Security functional requirements (p. 35)
    6.1.1. Class FAU: Security audit (p. 35)
    6.1.2. Class FCS: Cryptographic support (p. 38)
    6.1.3. Class FDP: User data protection (p. 39)
    6.1.4. Class FIA: Identification and authentication (p. 44)
    6.1.5. Class FMT: Security management (p. 47)
    6.1.6. Class FPT: Protection of the TSF (p. 54)
    6.1.7. Class FTA: TOE access (p. 55)
    6.1.8. Class FTP: Trusted path/channels (p. 55)
  6.2. Security assurance requirements (p. 56)
  6.3. Security requirements rationale (p. 57)
    6.3.1. Common security requirements rationale (SFR Package is included) (p. 57)
    6.3.2. Security assurance requirements rationale (p. 63)
7. TOE Summary specification (p. 64)
  7.1. F.AUDIT (Audit log function) (p. 64)
    7.1.1. Audit log acquirement function (p. 64)
    7.1.2. Audit Log Review Function (p. 64)
    7.1.3. Audit storage function (p. 65)
    7.1.4. Trusted time stamp function (p. 65)
  7.2. F.HDD_ENCRYPTION (HDD Encryption function) (p. 65)
  7.3. F.ACCESS_DOC (Stored documents access control function) (p. 66)
  7.4. F.ACCESS_FUNC (User restriction control function) (p. 66)
  7.5. F.RIP (Residual information deletion function) (p. 68)
    7.5.1. Temporary Data Deletion Function (p. 68)
    7.5.2. Data Complete Deletion Function (p. 68)
  7.6. F.I&A (Identification and authentication function) (p. 69)
  7.7. F.SEPARATE_EX_INTERFACE (External interface separation function) (p. 71)
  7.8. F.SELF_TEST (Self-test function) (p. 71)
  7.9. F.MANAGE (Security management function) (p. 71)
  7.10. F.SECURE_LAN (Network communication protection function) (p. 73)

[List of Figures]
Figure 1-1 TOE's use environment (p. 8)
Figure 1-2 Physical scope of the TOE (p. 11)
Figure 1-3 Logical scope of the TOE (p. 13)

[List of Tables]
Table 1-1 Users (p. 16)
Table 1-2 User Data (p. 16)
Table 1-3 TSF Data (p. 17)
Table 1-4 TSF Data (p. 17)
Table 1-5 Glossary (p. 18)
Table 2-1 SFR Package functions (p. 22)
Table 2-2 SFR Package attributes (p. 23)
Table 3-1 Threats to User Data for the TOE (p. 26)
Table 3-2 Threats to TSF Data for the TOE (p. 26)
Table 3-3 Organizational Security Policies for the TOE (p. 27)
Table 3-4 Assumptions for the TOE (p. 27)
Table 4-1 Security Objectives for the TOE (p. 28)
Table 4-2 Security Objectives for the IT environment (p. 28)
Table 4-3 Security Objectives for the non-IT environment (p. 29)
Table 4-4 Completeness of Security Objectives (p. 30)
Table 4-5 Sufficiency of Security Objectives (p. 30)
Table 6-1 Audit data requirements (p. 36)
Table 6-2 Cryptographic key algorithm key size (p. 39)
Table 6-3 Cryptographic operations algorithm key size standards (p. 39)
Table 6-4 Common Access Control SFP (p. 40)
Table 6-5 PRT Access Control SFP (p. 40)
Table 6-6 SCN Access Control SFP (p. 40)
Table 6-7 CPY Access Control SFP (p. 40)
Table 6-8 FAX Access Control SFP (p. 41)
Table 6-9 DSR Access Control SFP (p. 41)
Table 6-10 TOE Function Access Control SFP (p. 42)
Table 6-11 Management of Object Security Attribute (p. 48)
Table 6-12 Management of Subject Security Attribute (p. 49)
Table 6-13 Management of Subject Security Attribute (p. 49)
Table 6-14 Management of Object Security Attribute (p. 50)
Table 6-15 Characteristics Static Attribute Initialization (p. 50)
Table 6-16 Characteristics Static Attribute Initialization (p. 51)
Table 6-17 Operation of TSF Data (p. 52)
Table 6-18 Operation of TSF Data (p. 52)
Table 6-19 List of management functions (p. 53)
Table 6-20 IEEE 2600.2 Security Assurance Requirements (p. 56)
Table 6-21 Completeness of security requirements (p. 57)
Table 6-22 Sufficiency of security requirements (p. 58)
Table 6-23 The dependencies of security requirements (p. 62)
Table 7-1 Names and identifiers of TOE Security Functions (p. 64)
Table 7-2 Audit log (p. 64)
Table 7-3 Encryption Algorithm in HDD Encryption function (p. 65)
Table 7-4 Operation of document (p. 66)
Table 7-5 Operation Settings of Overwrite Deletion function of Temporary data (p. 68)
Table 7-6 Operation settings of Data Complete Deletion Function (p. 68)
Table 7-7 Authentication method (p. 69)
Table 7-8 Password and Quality (p. 69)
Table 7-9 Process at the time of authentication failure (p. 70)
Table 7-10 Termination of interactive session (p. 70)
Table 7-11 Management Function (p. 71)
Table 7-12 Encryption Communication provided by the TOE (p. 73)
1. ST introduction

1.1. ST reference
- ST Title: bizhub 4750 / bizhub 4050 / ineo 4750 / ineo 4050 Security Target
- ST Version: 1.05
- Created on: September 14, 2016
- Created by: KONICA MINOLTA, INC.

1.2. TOE reference
- TOE Name: bizhub 4750 / bizhub 4050 / ineo 4750 / ineo 4050
- TOE Version: G0804-W99
- Created by: KONICA MINOLTA, INC.

1.3. TOE overview
The TOE is a digital multi-function printer (hereinafter "mfp") that requires moderate document security, network security and information assurance, and that is used in a commercial information-processing environment. In this environment, the information of ordinary business operations, including classified information, is processed.

1.3.1. TOE type
The TOE is an mfp used in a network environment (LAN); in addition to the copy, scan, print and FAX functions it can store documents. The FAX kit (option) must be connected to use the FAX function.

1.3.2. Necessary Hardware/Software for the TOE
The following is the configuration used for the TOE evaluation, including the hardware and software necessary for using the TOE (hardware/software: version used for evaluation).
- FAX kit: FK-512 (KONICA MINOLTA)
- Client PC (OS): Windows 7 Professional SP1
- Client PC (Web browser): Internet Explorer Ver. 11
- Client PC (Printer driver): KONICA MINOLTA 4750 Series PCL6 v3.2.1; XPS v3.2.0 (for administrator)
- Client PC (Device management software tool): KONICA MINOLTA Data Administrator with Device Set-Up and Utilities Ver. 1.0.06000; KONICA MINOLTA Data Administrator Ver. 4.1.35000
- External authentication server: Active Directory installed on Microsoft Windows Server 2008 R2 Standard Service Pack 1
- DNS server: DNS server installed on Microsoft Windows Server 2008 R2 Standard Service Pack 1
- SMTP server: BlackJumboDog v6.1.8

1.3.3. Usage of the TOE
The TOE's use environment is shown in Figure 1-1, and the usage of the TOE is described below.

[Figure 1-1 TOE's use environment: the mfp (including FAX kit), client PC, SMTP server, external authentication server and DNS server on the office LAN; a firewall between the office LAN and the Internet; the public line connected to the FAX kit]

The TOE is used connected to the LAN and to the public line, as shown in Figure 1-1. The user operates the TOE by communicating over the LAN or through the operation panel with which the TOE is equipped. The following describes the mfp, which is the TOE, and the hardware and software that are not the TOE.

(1) mfp (including FAX kit)
This is the TOE. The mfp is connected to the office LAN. From the operation panel the user can perform the following:
- the mfp's various settings
- copy, Fax TX, saving as electronic documents, and Network TX of paper documents
- print, Network TX and deletion of stored documents
In addition, Fax TX/RX is available when the Fax kit is installed.
(2) LAN
The network used in the TOE setup environment.
(3) Public line
The telephone line connected to the Fax kit for TX/RX with an external fax.
(4) Firewall
A device that protects the intra-office LAN against network attacks from the Internet.
(5) Client PC
Connected to the LAN, this works as a client of the TOE. A Web browser, printer driver and PSDA (administrator only) can be installed on the client PC. A normal user can access the mfp with these to store and print electronic documents and to download and delete scan/fax documents. An administrator can access the mfp with these to configure the various mfp settings.
(6) SMTP server
The server used for sending electronic documents held in the TOE by e-mail.
(7) External authentication server
The server that identifies and authenticates general TOE users. It is used only when the external server authentication method is selected; the external server authentication method uses Kerberos authentication.
(8) DNS server
The server that converts domain names to IP addresses.

1.3.4. TOE's Main Basic Functions and Main Security Functions
The TOE's main basic functions are as follows.
(1) Print
Function to print the print data.
(2) Scan
Function to generate a document file by scanning paper documents.
(3) Copy
Function to copy the scanned image of paper documents.
(4) FAX
Function to send scanned paper documents to an external FAX, and to receive documents from an external FAX.
(5) Document storage and retrieval function
Function to store documents in the TOE and retrieve the stored documents.
(6) Shared-medium interface function
Function for TOE users to operate the TOE remotely from the client PC.

The TOE's main security functions are as follows.
(1) Identification and authentication function
Function to identify and authenticate TOE users.
(2) Stored documents access control function
Function to control operations on stored documents.
(3) User restriction control function
Function to control the operation of TOE functions, and to control operations on documents, other than stored documents, that are part of executing jobs.
(4) HDD encryption function
Function to encrypt data recorded on the HDD.
(5) Audit log function
Function to record the log of events related to TOE usage and security as the audit log, and to refer to it.
(6) Residual information deletion function
Function to prevent reuse of deleted documents, temporary documents or their fragments in the TOE.
(7) Network communication protection function
Function to prevent disclosure of information through wiretapping on the network when the LAN is used.
(8) Self-test function
Function to verify the integrity of the TSF executable code and the integrity of the passphrase when the mfp starts, and to confirm the normal operation of the overall control function.
(9) Security management function
Function to control operations on TSF data.
(10) External interface separation function
Function to prevent input from an external interface, including the USB interface, from being forwarded directly to the Shared-medium interface, and to prevent intrusion into the LAN from the telephone line.

1.4. TOE description
This section gives an overview of the physical scope of the TOE, the definition of TOE users, the logical scope of the TOE and the protected assets.

1.4.1. Physical Scope of the TOE
The TOE, as shown in Figure 1-2, is the mfp composed of the main/sub power supply, operation panel, scanner unit, automatic document feeder, mfp controller unit, printer unit and HDD.

[Figure 1-2 Physical scope of the TOE: the mfp with scanner unit, automatic document feeder, operation panel (operator), main and sub power, printer unit (paper in and out) and HDD; the controller unit containing CPU, RAM, ASIC and eMMC; the FAX kit on the public line; Ethernet I/F and USB I/F]

(1) Main/sub power supply
Power switches for activating the mfp.
(2) Operation panel
A dedicated control device for operating the mfp, equipped with a liquid-crystal touch panel, numeric keypad (*1), start key, stop key, screen switch key, etc.
(3) Scanner unit / Automatic document feeder
A device that scans images and photos from paper and converts them into digital data.
(4) mfp controller unit
A device that controls the mfp.
(5) CPU
Central processing unit.
(6) RAM
Volatile memory used as the working area.
(7) ASIC
An integrated circuit designed to perform all image processing, including image expansion and colour adjustment when printing images.

*1 The numeric keypad is displayed on the touch panel. A hard numeric keypad is an option (not the TOE).
(8) eMMC
NAND-type flash memory that stores the following code and data:
- object code of the controller software (including the message data, in the supported languages, displayed in response to access from the operation panel or the network)
- object code of the TOE (boot controller)
- TSF data that determines the mfp's behaviour
(9) Printer unit
A device that actually prints the image data converted for printing when a print request is received from the mfp controller.
(10) HDD
A hard disk drive of 320 GB capacity. It is used not only for storing electronic documents as files but also as a working area. On this TOE the HDD is not a removable non-volatile storage device.
(11) Ethernet I/F
Interface supporting 10BASE-T, 100BASE-TX and Gigabit Ethernet.
(12) USB I/F
Interface through which a TOE update can be performed. Note that a USB local printer connection is one-to-one, so the USB I/F is not a Shared-medium interface.
(13) FAX kit
A device used for FAX data transmission and remote diagnostics via the public line. It is not included in the TOE.

1.4.2. Guidance
There are English and Japanese versions of the TOE guidance, distributed according to sales area. The guidance (name: version) is as follows.
- bizhub 4050 User's Guide (Japanese): 2016.5 Ver. 1.00
- bizhub 4050 User's Guide [Security Operations] (Japanese): 2.01
- bizhub 4750/4050 User's Guide: 2016.5 Ver. 1.00
- bizhub 4750/4050 User's Guide [Security Operations]: 2.01
- ineo 4750/4050 User's Guide: 2016.5 Ver. 1.00
- ineo 4750/4050 User's Guide [Security Operations]: 2.01

1.4.3. Identification of TOE Components
The mfp, the firmware and the mfp board that compose the TOE each have their own identification.
The relation between each identification and the components built into the mfp is as follows (mfp: mfp board / firmware). All four models share the same board and firmware identification.
- bizhub 4750: 3080103R05 / A6F730G0804-W99
- ineo 4750: 3080103R05 / A6F730G0804-W99
- bizhub 4050: 3080103R05 / A6F730G0804-W99
- ineo 4050: 3080103R05 / A6F730G0804-W99

1.4.4. Logical Scope of the TOE
The TOE security functions and basic functions are described below.

[Figure 1-3 Logical scope of the TOE: U.USER reaches the basic functions (print, scan, copy, FAX, document storage and retrieval) through the panel or, via the network communication protection function, from the client PC; the identification and authentication function (executed together with the external authentication server in the case of external authentication), stored documents access control function, user restriction control function, security management function, audit log function, self-test function, residual information deletion function, HDD encryption function and external interface separation function protect D.PROT and D.CONF on the eMMC and D.PROT, D.CONF, D.DOC and D.FUNC on the HDD; the SMTP server, external authentication server, DNS server and external FAX lie outside the TOE]

1.4.4.1. Basic Functions
The TOE basic functions are described below.
(1) Print
Function to print print data received via the LAN from a client PC or from the USB interface.
(2) Scan
Function to scan a paper document, by a normal user's operation from the operation panel, and generate a document file.
(3) Copy
Function to scan a paper document, by a normal user's operation from the operation panel, and copy the scanned image.
(4) FAX
Function to scan a paper document and send it to an external fax (FAX TX function), and to receive documents from an external fax (FAX RX function).
- Fax TX function
Function to send a paper document, or a Fax TX print, to an external fax device over the telephone line. The paper document is scanned by operation on the panel and sent by Fax TX.
- Fax RX function
Function to receive documents through the telephone line from an external fax.
(5) Document storage and retrieval function
Function to store documents in the TOE and retrieve the stored documents. Print data, document files generated by scanning and documents received by fax can all be stored and retrieved.
(6) Shared-medium interface function
Function for TOE users to operate the TOE remotely from the client PC. In accordance with the guidance, a Web browser, application, etc. is installed and connected to the TOE through the LAN.

1.4.4.2. Security Functions
The TOE security functions are described below.
(1) Identification and authentication function
This function verifies, by user ID and password, whether the person using the TOE is an authorized user of the TOE; if the person is confirmed to be an authorized user, it permits use of the TOE. Two verification methods exist, machine authentication (for administrators and normal users) and external server authentication (for normal users only); the method set beforehand by the administrator is used. This function also displays the entered password on the operation panel as dummy characters, locks authentication when the number of consecutive authentication failures reaches the set value, and, to maintain password quality, registers only passwords that satisfy the conditions set by the administrator, such as the minimum number of password characters.
(2) Stored documents access control function
This function permits operations on stored documents for authorized users of the TOE who have been authenticated by the identification and authentication function, based on the authority given to the user's role or to each user.
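The identification and authentication behaviour described in (1) above, modelled as an added example. This is illustration code written for this page, not Konica Minolta's implementation, and the ST does not specify the algorithms used here: the lockout threshold (3), the minimum password length (8), the PBKDF2 parameters, the user IDs and the administrator unlock operation are all assumed for the example. Only machine authentication is modelled; external server (Kerberos) authentication is left out.

```python
"""Model of 1.4.4.2 (1): machine authentication by user ID and password,
lockout when consecutive failures reach the administrator-set value, a
minimum-length password quality rule, and masking of the entered password.

Added illustration only; not Konica Minolta code. The threshold, minimum
length, PBKDF2 parameters, user IDs and the unlock operation are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0      # consecutive authentication failures
    locked: bool = False   # set when failures reach the lockout threshold


class MachineAuthenticator:
    """Machine authentication for administrators and normal users."""

    def __init__(self, lockout_threshold: int = 3, min_password_len: int = 8) -> None:
        # Both values are administrator settings in the ST; these defaults are assumed.
        self.lockout_threshold = lockout_threshold
        self.min_password_len = min_password_len
        self._accounts: dict = {}
        # A dummy digest is verified for unknown user IDs so that a missing
        # account costs the same time as a wrong password.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = self._derive("dummy", self._dummy_salt)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def password_meets_quality(self, password: str) -> bool:
        """Quality condition named in the ST: minimum number of characters."""
        return len(password) >= self.min_password_len

    def register(self, user_id: str, password: str) -> bool:
        """Register a user; a password failing the quality rule is refused."""
        if not self.password_meets_quality(password):
            return False
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt))
        return True

    def authenticate(self, user_id: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        acct = self._accounts.get(user_id)
        if acct is None:
            hmac.compare_digest(self._derive(password, self._dummy_salt), self._dummy_digest)
            return "denied"
        if acct.locked:
            return "locked"      # no password check while the account is locked
        if hmac.compare_digest(self._derive(password, acct.salt), acct.digest):
            acct.failures = 0    # a success resets the consecutive-failure count
            return "ok"
        acct.failures += 1
        if acct.failures >= self.lockout_threshold:
            acct.locked = True
            return "locked"
        return "denied"

    def administrator_unlock(self, user_id: str) -> None:
        """Release of the lock by an administrator (assumed operation; the
        release procedure is not described in this part of the ST)."""
        acct = self._accounts[user_id]
        acct.failures = 0
        acct.locked = False


def mask_password(entered: str, dummy: str = "*") -> str:
    """Panel echo: one dummy character per entered character."""
    return dummy * len(entered)
```

The point to check in any real implementation is that the failure counter is only reset by a success or by an administrator, never by a reboot or by a different user ID, and that a locked account returns the same answer whether or not the supplied password is correct.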
(3) User restriction control function
This function permits the operation of the print, scan, copy, fax, document storage and retrieval, and shared-medium interface functions for authorized users of the TOE who were authenticated by the identification and authentication function, based on the operation authority given to the user's role or to each user. This function also controls operations on documents other than stored documents that belong to executing jobs.
(4) HDD encryption function
This function encrypts data saved in the HDD to protect it against unauthorized disclosure.
(5) Audit log function
This function records, as the audit log, the events related to TOE use and security (hereinafter referred to as "audit events") together with date and time information, and provides the recorded audit log in an auditable form. The audit log is stored in the HDD of the TOE; if the storage area becomes full, either acceptance of jobs is suspended or the oldest stored audit record is overwritten, according to the administrator's settings. The recorded audit log may be read and deleted only by the administrator.
(6) Residual information deletion function
This function makes residual information non-reusable by overwriting deleted documents, temporary documents, or parts of them in the TOE with special data.
(7) Network communication protection function
This function prevents disclosure of information by wiretapping on the network when the LAN is used. It encrypts the communication data between the client PC and the mfp, and between the external authentication server, DNS server or SMTP server and the mfp.
(8) Self-test function
Function to verify the integrity of the TSF executable code and the integrity of the passphrase when the mfp starts, and to confirm the normal operation of the overall control function.
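The storage-full behaviour of the audit log function in (5), as an added example that is not the TOE's implementation: records carry date and time, the administrator's setting decides whether a full log suspends job acceptance or overwrites the oldest record, and reading or deleting the log is limited to U.ADMINISTRATOR. The capacity, the record fields and the role string are assumptions.

```python
"""Constructed model of the audit log function's storage-full handling and
administrator-only read/delete. Not the TOE's code; capacity is assumed."""
from collections import deque
from datetime import datetime, timezone
from enum import Enum


class FullAction(Enum):
    SUSPEND_JOBS = "suspend"        # stop accepting jobs until the log is cleared
    OVERWRITE_OLDEST = "overwrite"  # discard the oldest stored record


class AuditLog:
    ADMIN = "U.ADMINISTRATOR"

    def __init__(self, capacity: int, on_full: FullAction):
        self.capacity = capacity      # assumed size of the HDD storage area
        self.on_full = on_full        # the administrator's setting
        self._records = deque()
        self.jobs_suspended = False

    def is_full(self) -> bool:
        return len(self._records) >= self.capacity

    def record(self, event: str, user_id: str, detail: str, when=None) -> bool:
        """Stores one audit record with its time; False if it could not be stored."""
        if self.is_full():
            if self.on_full is FullAction.SUSPEND_JOBS:
                self.jobs_suspended = True
                return False          # nothing more can be recorded
            self._records.popleft()   # OVERWRITE_OLDEST: make room
        when = when or datetime.now(timezone.utc)
        self._records.append({"time": when.isoformat(timespec="seconds"),
                              "event": event, "user": user_id, "detail": detail})
        if self.is_full() and self.on_full is FullAction.SUSPEND_JOBS:
            self.jobs_suspended = True    # the area just became full
        return True

    def accept_job(self, user_id: str, job: str) -> bool:
        """A job is accepted only while job acceptance is not suspended and
        its audit record can be stored."""
        if self.jobs_suspended:
            return False
        return self.record("job", user_id, job)

    def _require_admin(self, role: str) -> None:
        if role != self.ADMIN:
            raise PermissionError("audit log is readable and deletable only by the administrator")

    def read(self, role: str) -> list:
        """Provides the log in auditable (oldest-first) form to the administrator."""
        self._require_admin(role)
        return list(self._records)

    def delete(self, role: str) -> None:
        self._require_admin(role)
        self._records.clear()
        self.jobs_suspended = False   # clearing the log lets jobs resume
```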
(9) Security management function
This function controls operations on TSF data for authorized users of the TOE who were authenticated by the identification and authentication function, based on the authority given to the user's role or to each user.
(10) External interface separation function
This function prevents input from external interfaces, including the USB interface, from being transferred to the Shared-medium Interface as it is, and prevents intrusion into the LAN from the telephone line. For the telephone line, this function prevents intrusion from the telephone line by limiting the input information to FAX RX only, and prevents intrusion into the LAN from the telephone line by prohibiting the transfer of received faxes.

1.4.4.3. Restriction
Prohibited functions and unusable functions are described below.
(1) Print functions other than ID&Print (the print function is restricted to ID&Print only)
(2) Internet FAX
(3) FTP TX, SMB TX, WebDAV TX, SNMP, LPD settings, RAW printing
* (1) is a function which is prohibited when the Enhanced Security setting is enabled. (2) is a function which only an administrator can change, although it is prohibited when the Enhanced Security setting is enabled. (3) is a function which only an administrator can change.

1.4.5. TOE User
TOE users (U.USER) are classified as follows.

Table 1-1 Users
U.USER (Authorized user): Any authorized User.
U.NORMAL (Normal user): A User who is authorized to perform User Document Data processing functions of the TOE.
U.ADMINISTRATOR (Administrator): A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.

1.4.6.
Protected Assets
Protected assets are User Data, TSF Data and Functions.

1.4.6.1. User Data
User Data are generated by or for the authorized users and do not have any effect on the operation of the TOE security functions. User data are classified as follows.

Table 1-2 User Data
D.DOC: User Document Data consists of the information contained in a user's document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
D.FUNC: User Function Data are the information about a user's document or job to be processed by the TOE.

1.4.6.2. TSF Data
TSF Data are data generated by or for the TOE, which affect TOE operations. TSF Data are classified as follows.

Table 1-3 TSF Data
D.PROT: TSF Protected Data are assets for which alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable.
D.CONF: TSF Confidential Data are assets for which either disclosure or alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE.

The TSF Data covered in this TOE are as follows.

Table 1-4 TSF Data
D.PROT:
- Auto reset time
- Auto logout time
- Data which relates to access control (authentication failure frequency, etc.)
- External server authentication setting data
- Date information
- Network settings (IP address of SMTP server, port No., etc., mfp IP address, etc.)
- TX address settings (address of e-mail TX, etc.)
- Password Policy
- Admin ID
- User ID
- Permission Role
- Allocation Role
- FAXIN Box Word
D.CONF:
- Login password
- Encryption passphrase
- Audit log

1.4.6.3. Functions
The functions are those shown in 2.3.2 SFR Package functions.

1.4.7. Glossary
The meanings of the terms used in this ST are defined below.

Table 1-5 Glossary
Allocation Role: Attributes related to a normal user. Referred to when an mfp function is executed.
Copy Role: Role which can perform a copy.
Data Administrator: Application software to perform administrator settings from a client PC.
DSR Role: Role which can store data to the HDD, read out data stored in the HDD, and delete it.
Fax Role: Role which can perform a fax function.
FTP TX: Function which uploads to an FTP server by converting scanned data to a file usable on a computer.
HDD data overwrite deletion function: Function to overwrite and delete the data on the HDD.
Operation settings of HDD data overwrite deletion function: Function which sets the deletion methods used by the HDD data overwrite deletion function.
Panel Operation: Status of being logged in and operating the TOE from the operation panel.
Permission Role: Attributes related to mfp functions.
Print Role: Role which can perform a print from a client PC.
Scan Role: Role which can perform a scan.
SMB TX: Function which transmits to a computer or to a public folder of a server by converting scanned data to a file usable on a computer.
User Role: Role required when print, scan, copy, FAX and storing of files are performed.
Web Connection: Function to change mfp settings and confirm status by using the Web browser of a computer on the network.
WebDAV TX: Function which uploads to a WebDAV server by converting scanned data to a file usable on a computer.
Remote diagnostic function: mfp equipment information, such as operating state and the number of printed sheets, is managed by using a connection through the FAX public line port or by e-mail to communicate with the support center for mfps produced by KONICA MINOLTA, INC. In addition, if necessary, appropriate services (shipment of additional toner packages, account claims, dispatch of service engineers based on failure diagnosis, etc.) are provided.
Auto Reset: Function which logs the user out automatically when there is no access for the set period of time while logged in.
Auto Reset Time: Time set by the administrator. The user is logged out automatically after this time passes.
Job: Document processing task which is sent to the hardcopy device. A single processing task can process more than one document.
Enhanced security settings: Function to set the settings related to the behavior of the security functions collectively to secure values and maintain them. When this function is activated, use of the TOE update function through the network and setting changes by the remote diagnostic function are prohibited, or an alert screen is displayed when they are used. The alert screen is displayed when a setting value is changed.
Print job input function: Function by which the TOE receives the User ID, the login password and the print data sent from a client PC. The print data are received only when identification and authentication of the User ID and login password succeed.
User ID: Identification given to a normal user. The TOE identifies a user by that identification.
Admin ID: Identification given to an administrator. The Admin ID is embedded in the TOE and no operation on the ID is provided.
User management function: Function to perform registration/deletion of users and addition/deletion/change of authority.
User authentication function: Function to authenticate TOE users. There are two types: machine authentication (INTERNALLY AUTHENTICATION) and external server authentication (EXTERNALLY AUTHENTICATION). The administrator is authenticated only by machine authentication.
Management function of User Authentication: Function which sets the authentication method (mfp authentication / external server authentication).
Login: To identify and authenticate on the TOE by user ID and login password.
Login Password (LOGIN PASSWORD): Password for logging in to the TOE.
Encryption passphrase: Data used for generating the encryption key used for HDD encryption. The TOE generates the encryption key by using the encryption passphrase.
External server authentication setting data: Setting data related to the external authentication server (including the domain name which the external server belongs to).
Audit log management function: Function which sets the operation when the audit log is full, and which reads out and deletes the audit log.
Audit log function: Function to obtain audit logs.
Trust Channel Function: Function to protect data transmitted via the LAN by encrypting it.
Trust Channel Management Function: Function to operate the Trust Channel function, and to manage the SSL/TLS server certificate and cryptographic method.
Residual information deletion function: Function to delete the data on the HDD by the HDD data overwrite deletion function.
Date information: Information of date. When any event occurs, the date information is recorded in the audit log.
Auto logout time: Time set by the administrator. The user is automatically logged out after the set time. Web Connection is the object of this setting.
Session Auto terminate function: Function to terminate a session automatically. The session is terminated automatically when no operation is performed for a certain period of time on each of the operation panel and Web Connection.
ID & Print function (AUTH PRINT): Function to save a document sent from a PC on the network, which carries a user name and password, as a directed print document.
TOE status check and display setting: Users can configure Print Reports (configuration page, statistics page, font list, etc.), consumables remaining display, state confirmation of the counter display, brightness adjustment, page number print position, etc. before passing identity authentication.
Overall control function: Function to control the overall mfp, including Audit log, HDD encryption, Stored document access control, User limitation control, Residual information deletion, Identification and authentication, External interface separation, Self-test, Security management and Network communication protection.
FAXIN Box Word: Information required to access Memory RX documents; it is set by the administrator.

2. Conformance claims

CC Conformance claims
This ST conforms to the following Common Criteria (hereinafter referred to as "CC").
CC version: Version 3.1 Release 4
CC conformance: CC Part 2 extended, CC Part 3 conformant
Assurance level: EAL2 augmented by ALC_FLR.2

PP claim
This ST conforms to the following PP.
PP identification: IEEE Std 2600.2-2009
PP Title: 2600.2-PP, Protection Profile for Hardcopy Devices, Operational Environment B
PP registration: BSI-CC-PP-0058-2009
PP version: 1.0
Date: March 2009

Package claim
This ST conforms to the following SFR Packages.
・2600.2-PRT Conformant
・2600.2-SCN Conformant
・2600.2-CPY Conformant
・2600.2-FAX Conformant
・2600.2-DSR Conformant
・2600.2-SMI Conformant

2.3.1.
SFR package reference
Title: 2600.2-PRT SFR Package for Hardcopy Device Print Functions, Operational Environment B
Package version: 1.0
Date: March 2009

Title: 2600.2-SCN SFR Package for Hardcopy Device Scan Functions, Operational Environment B
Package version: 1.0
Date: March 2009

Title: 2600.2-CPY SFR Package for Hardcopy Device Copy Functions, Operational Environment B
Package version: 1.0
Date: March 2009

Title: 2600.2-FAX SFR Package for Hardcopy Device Fax Functions, Operational Environment B
Package version: 1.0
Date: March 2009

Title: 2600.2-DSR SFR Package for Hardcopy Device Document Storage and Retrieval Functions, Operational Environment B
Package version: 1.0
Date: March 2009

Title: 2600.2-SMI SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment B
Package version: 1.0
Date: March 2009

2.3.2. SFR Package functions
Functions perform processing, storage, and transmission of data that may be present in HCD products. The functions that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 2-1.
Table 2-1 SFR Package functions
F.PRT: Printing: a function in which electronic document input is converted to physical document output
F.SCN: Scanning: a function in which physical document input is converted to electronic document output
F.CPY: Copying: a function in which physical document input is duplicated to physical document output
F.FAX: Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output
F.DSR: Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs
F.SMI: Shared-medium interface: a function that transmits or receives User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media

2.3.3. SFR Package attributes
When a function is performing processing, storage, or transmission of data, the identity of the function is associated with that particular data as a security attribute. This attribute in the TOE model makes it possible to distinguish differences in Security Functional Requirements that depend on the function being performed. The attributes that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 2-2.

Table 2-2 SFR Package attributes
+PRT: Indicates data that are associated with a print job.
+SCN: Indicates data that are associated with a scan job.
+CPY: Indicates data that are associated with a copy job.
+FAXIN: Indicates data that are associated with an inbound (received) fax job.
+FAXOUT: Indicates data that are associated with an outbound (sent) fax job.
+DSR: Indicates data that are associated with a document storage and retrieval job.
+SMI: Indicates data that are transmitted or received over a Shared-medium interface.

PP Conformance rationale
2.4.1. Conformance Claim with TOE type of the PP
The product type the PP intends is the Hardcopy Device (hereinafter referred to as "HCD"). The HCD is a product used for converting a hardcopy document to digital form (SCAN), converting a digital document to hardcopy form (PRINT), transmitting a hardcopy document through the telephone line (FAX), or generating a copy of a hardcopy document (COPY). The HCD is implemented in many different configurations depending on its objectives, and to extend its functions some configurations add a hard disk drive, other non-volatile storage, a document server function, etc. This TOE type is the mfp. The mfp has the devices that the HCD has, together with the additional devices and functions that an HCD may have installed. Therefore, this TOE type is consistent with the PP's TOE type.
2.4.2. Conformance Claim with Security Problem and Security Objectives of the PP
This ST adds one OSP and one Objective to the security problem of the PP, but it remains consistent with the PP. The rationale is described below. The OSP added in this ST is P.HDD.CRYPTO, which requires the data recorded in the HDD to be encrypted. It imposes no restriction on the operational environment, but restricts the TOE. Likewise, the Objective added in the ST (O.HDD.CRYPTO) corresponds to the added OSP and also imposes no restriction on the operational environment, but restricts the TOE. Therefore, the ST imposes more restrictions on the TOE than the PP does, and restrictions on the TOE's operational environment equivalent to those of the PP. This satisfies the condition of being equivalent to or more restrictive than the PP.
2.4.3.
Conformance Claim with Security requirement of the PP
The SFRs of this TOE consist of the Common Security Functional Requirements, 2600.2-PRT, 2600.2-SCN, 2600.2-CPY, 2600.2-FAX, 2600.2-DSR and 2600.2-SMI. The Common Security Functional Requirements are the mandatory SFRs specified by the PP, and 2600.2-PRT, 2600.2-SCN, 2600.2-CPY, 2600.2-FAX, 2600.2-DSR and 2600.2-SMI are selected from the SFR Packages specified by the PP. The security requirements of this ST include parts that are added to and refine the security requirements of the PP, but they are consistent with the PP. The following describes the added and refined parts and the rationale that they are consistent with the PP.

Common Access Control SFP
Modify of D.FUNC cannot be executed with this TOE. This is more restrictive access control than that of the PP. The PP defines access control relating to Delete of D.DOC that has the +FAXIN attribute and Delete of D.FUNC; in this TOE only an administrator can cancel a FAX communication that the TOE is receiving, and when that happens the D.DOC and D.FUNC being received are deleted. However, this is not a process intended as Delete of D.DOC and D.FUNC, but a deletion associated with the cancellation of the transmission. This does not undermine the requirement of the PP, since after reception the data are saved in the user box and protected as objects of the FAX Access Control SFP. After reception, all D.DOC and D.FUNC which have the +FAXIN attribute are stored as +DSR. This does not change the security requirements specified by the PP, since they become subject to the DSR Access Control SFP and are protected. Moreover, the PP defines access control concerning Delete of D.DOC which has the +DSR attribute and Delete of D.FUNC; this does not conflict with the access control of the PP, since this TOE defines it in the DSR Access Control SFP in accordance with the refinement of D.DOC.
Addition of FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4(1), FAU_STG.4(2)
This TOE adds FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4(1) and FAU_STG.4(2) in accordance with PP APPLICATION NOTE 5 and PP APPLICATION NOTE 7 to maintain and manage the audit log.

Addition of FCS_CKM.1, FCS_COP.1, FIA_SOS.1(3)
This TOE adds O.HDD.CRYPTO as an Objective, and with it FCS_CKM.1, FCS_COP.1 and FIA_SOS.1(3) are added; this does not change the contents of the security requirements specified by the PP.

Addition of FIA_AFL.1, FIA_SOS.1(1), FIA_SOS.1(2), FIA_UAU.6, FIA_UAU.7
Machine authentication is a function that this TOE implements. In accordance with PP APPLICATION NOTE 38, FIA_AFL.1, FIA_SOS.1(1), FIA_SOS.1(2), FIA_UAU.6 and FIA_UAU.7 are added.

Addition of FMT_MOF.1
The guidance requires the TOE to operate with the Enhanced Security Setting enabled; the TOE restricts changing the Enhanced Security Setting to U.ADMINISTRATOR only and thus prevents unauthorized changes of the Enhanced Security Setting. This does not change the content of the security requirements specified by the PP. User authentication, HDD data overwrite deletion, Audit log, Trust channel management and User management are restricted to U.ADMINISTRATOR only, which prevents unauthorized execution of management functions. This does not change the content of the security requirements specified by the PP.

As stated above, some SFRs are added; however, audit logs for these SFRs are not defined with FAU_GEN.1, since the audit level is not defined by the PP.

3.
Security Problem Definition

Threat agents
This security problem definition addresses threats posed by four categories of threat agents:
a) Persons who are not permitted to use the TOE who may attempt to use the TOE.
b) Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in ways for which they are not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated threats.
The threats and policies defined in this Protection Profile address the threats posed by these threat agents.

Threats to TOE Assets
This section describes threats to the assets described in clause 1.4.6.

Table 3-1 Threats to User Data for the TOE (threat, affected asset, description)
T.DOC_REST.DIS (D.DOC): User Document Data at rest (stored) in the TOE may be disclosed to unauthorized persons.
T.DOC_REST.ALT (D.DOC): User Document Data at rest (stored) in the TOE may be altered by unauthorized persons.
T.FUNC_REST.ALT (D.FUNC): User Function Data at rest (stored) in the TOE may be altered by unauthorized persons.

Table 3-2 Threats to TSF Data for the TOE (threat, affected asset, description)
T.PROT.ALT (D.PROT): TSF Protected Data may be altered by unauthorized persons.
T.CONF.DIS (D.CONF): TSF Confidential Data may be disclosed to unauthorized persons.
T.CONF.ALT (D.CONF): TSF Confidential Data may be altered by unauthorized persons.

Organizational Security Policies for the TOE
This section describes the Organizational Security Policies (OSPs) that apply to the TOE. OSPs are used to provide a basis for Security Objectives that are commonly desired by TOE Owners in this operational environment but for which it is not practical to universally define the assets being protected or the threats to those assets.
Table 3-3 Organizational Security Policies for the TOE
P.USER.AUTHORIZATION: To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner.
P.SOFTWARE.VERIFICATION: To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING: To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel.
P.INTERFACE.MANAGEMENT: To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment.
P.HDD.CRYPTO: The data stored in the HDD must be encrypted to improve secrecy.

Assumptions
The Security Objectives and Security Functional Requirements defined in subsequent sections of this Protection Profile are based on the condition that all of the assumptions described in this section are satisfied.

Table 3-4 Assumptions for the TOE
A.ACCESS.MANAGED: The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING: TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING: Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST: Administrators do not use their privileged access rights for malicious purposes.

4. Security Objectives

Security Objectives for the TOE
This section describes the Security Objectives that the TOE shall fulfill.

Table 4-1 Security Objectives for the TOE
O.DOC_REST.NO_DIS: The TOE shall protect User Document Data at rest (stored) in the TOE from unauthorized disclosure.
O.DOC_REST.NO_ALT: The TOE shall protect User Document Data at rest (stored) in the TOE from unauthorized alteration.
O.FUNC_REST.NO_ALT: The TOE shall protect User Function Data at rest (stored) in the TOE from unauthorized alteration.
O.PROT.NO_ALT: The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS: The TOE shall protect TSF Confidential Data from unauthorized disclosure.
O.CONF.NO_ALT: The TOE shall protect TSF Confidential Data from unauthorized alteration.
O.USER.AUTHORIZED: The TOE shall require identification and authentication of Users and shall ensure that Users are authorized in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED: The TOE shall manage the operation of external interfaces in accordance with security policies.
O.SOFTWARE.VERIFIED: The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED: The TOE shall create and maintain a log of TOE use and security-relevant events and prevent its unauthorized disclosure or alteration.
O.HDD.CRYPTO: The TOE shall encrypt data at the time of storing it to the HDD.

Security Objectives for the IT environment
This section describes the Security Objectives that must be fulfilled by IT methods in the IT environment of the TOE.
Table 4-2 Security Objectives for the IT environment
OE.AUDIT_STORAGE.PROTECTED: If audit records are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records are protected from unauthorized access, deletion and modification.
OE.AUDIT_ACCESS.AUTHORIZED: If audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons.
OE.INTERFACE.MANAGED: The IT environment shall provide protection from unmanaged access to TOE external interfaces.

Security Objectives for the non-IT environment
This section describes the Security Objectives that must be fulfilled by non-IT methods in the non-IT environment of the TOE.

Table 4-3 Security Objectives for the non-IT environment
OE.PHYSICAL.MANAGED: The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED: The TOE Owner shall grant permission to Users to be authorized to use the TOE according to the security policies and procedures of their organization.
OE.USER.TRAINED: The TOE Owner shall ensure that Users are aware of the security policies and procedures of their organization and have the training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED: The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of their organization; have the training, competence, and time to follow the manufacturer's guidance and documentation; and correctly configure and operate the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED: The TOE Owner shall establish trust that TOE Administrators will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED: The TOE Owner shall ensure that audit logs are reviewed at appropriate intervals for security violations or unusual patterns of activity.

Security Objectives rationale
This section demonstrates that each threat, organizational security policy, and assumption is mitigated by at least one security objective for the TOE, and that those Security Objectives counter the threats, enforce the policies, and uphold the assumptions.

Table 4-4 Completeness of Security Objectives
(Objectives: O.DOC_REST.NO_DIS, O.DOC_REST.NO_ALT, O.FUNC_REST.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.HDD.CRYPTO, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, O.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.INTERFACE.MANAGED, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, OE.USER.TRAINED. Each row lists the objectives marked for that threat, policy or assumption.)
T.DOC_REST.DIS: O.DOC_REST.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.DOC_REST.ALT: O.DOC_REST.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.FUNC_REST.ALT: O.FUNC_REST.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.PROT.ALT: O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.DIS: O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.ALT: O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.USER.AUTHORIZATION: O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.SOFTWARE.VERIFICATION: O.SOFTWARE.VERIFIED
P.AUDIT.LOGGING: O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED
P.INTERFACE.MANAGEMENT: O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED
P.HDD.CRYPTO: O.HDD.CRYPTO
A.ACCESS.MANAGED: OE.PHYSICAL.MANAGED
A.ADMIN.TRAINING: OE.ADMIN.TRAINED
A.ADMIN.TRUST: OE.ADMIN.TRUSTED
A.USER.TRAINING: OE.USER.TRAINED

Table 4-5 Sufficiency of Security Objectives (threat, policy or assumption; summary; objectives and rationale)
T.DOC_REST.DIS
Summary: User Document Data at rest in the TOE may be disclosed to unauthorized persons.
O.DOC_REST.NO_DIS protects D.DOC at rest in the TOE from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
OE.USER.AUTHORIZED establishes the responsibility of the TOE Owner to appropriately grant authorization.

T.DOC_REST.ALT
Summary: User Document Data at rest in the TOE may be altered by unauthorized persons.
O.DOC_REST.NO_ALT protects D.DOC at rest in the TOE from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes the responsibility of the TOE Owner to appropriately grant authorization.

T.FUNC_REST.ALT
Summary: User Function Data at rest in the TOE may be altered by unauthorized persons.
O.FUNC_REST.NO_ALT protects D.FUNC at rest in the TOE from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes the responsibility of the TOE Owner to appropriately grant authorization.

T.PROT.ALT
Summary: TSF Protected Data may be altered by unauthorized persons.
O.PROT.NO_ALT protects D.PROT from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes the responsibility of the TOE Owner to appropriately grant authorization.

T.CONF.DIS
Summary: TSF Confidential Data may be disclosed to unauthorized persons.
O.CONF.NO_DIS protects D.CONF from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes the responsibility of the TOE Owner to appropriately grant authorization.

T.CONF.ALT
Summary: TSF Confidential Data may be altered by unauthorized persons.
O.CONF.NO_ALT protects D.CONF from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization P.USER.AUTHORIZATION Users will be authorized to use the TOE O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization to use the TOE. OE.USER.AUTHORIZED establishes responsibility bizhub 4750 / bizhub 4050 / ineo 4750 / ineo 4050 Security Target Copyright ©2016 KONICA MINOLTA, INC., All Rights Reserved 32 / 73 of the TOE Owner to appropriately grant authorization P.SOFTWARE.VERIFICATION Procedures will exist to self- verify executable code in the TSF. O.SOFTWARE.VERIFIED provides procedures to self-verify executable code in the TSF. P.AUDIT.LOGGING An audit trail of TOE use and security-relevant events will be created, maintained, protected, and reviewed. O.AUDIT.LOGGED creates and maintains a log of TOE use and security-relevant events and prevents unauthorized disclosure or alteration. OE.AUDIT_STORAGE.PROTECTED protects exported audit records from unauthorized access, deletion, and modifications. OE.AUDIT_ACCESS.AUTHORIZED establishes responsibility of, the TOE Owner to provide appropriate access to exported audit records. OE.AUDIT.REVIEWED establishes responsibility of the TOE Owner to ensure that audit logs are appropriately reviewed. P.INTERFACE.MANAGEMENT Operation of external interfaces will be controlled by the TOE and its IT environment. O.INTERFACE.MANAGED manages the operation of external interfaces in accordance with security policies. OE.INTERFACE.MANAGED establishes a protected environment for TOE external interfaces. P.HDD.CRYPTO Cryptographic operation will be controlled by TOE. O.HDD.CRYPTO encrypts data stored in HDD by TOE. A.ACCESS.MANAGED The TOE environment provides protection from unmanaged access to the physical components and data interfaces of the TOE. OE.PHYSICAL.MANAGED establishes a protected physical environment for the TOE. 
A.ADMIN.TRAINING TOE Users are aware of and trained to follow security policies and procedures. OE.ADMIN.TRAINED establishes responsibility of the TOE Owner to provide appropriate Administrator training. A.ADMIN.TRUST Administrators do not use their privileged access rights for malicious purposes. OE.ADMIN.TRUST establishes responsibility of the TOE Owner to have a trusted relationship with Administrators. A.USER.TRAINING Administrators are aware of and trained to follow security policies and procedures. OE.USER.TRAINED establishes responsibility of the TOE Owner to provide appropriate User training. bizhub 4750 / bizhub 4050 / ineo 4750 / ineo 4050 Security Target Copyright ©2016 KONICA MINOLTA, INC., All Rights Reserved 33 / 73 5. Extended components definition (APE_ECD) This Protection Profile defines components that are extensions to Common Criteria 3.1 Revision 2, Part 2. These extended components are defined in the Protection Profile but are used in SFR Packages and, therefore, are employed only in TOEs whose STs conform to those SFR Packages. FPT_FDI_EXP Restricted forwarding of data to external interfaces Family behaviour: This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface. Many products receive information on specific external interfaces and are intended to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE’s external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality. 
Component leveling:
FPT_FDI_EXP Restricted forwarding of data to external interfaces: a single component, FPT_FDI_EXP.1, at level 1.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.

Management: FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) Definition of the role(s) that are allowed to perform the management activities
b) Management of the conditions under which direct forwarding can be allowed by an administrative role
c) Revocation of such an allowance

Audit: FPT_FDI_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST: There are no auditable events foreseen.

Rationale:
Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems but also other systems that require a specific work flow for the incoming data before it can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different external interfaces is therefore a function that—if allowed at all—can only be allowed by an authorized role. It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.
The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Protection Profile, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality. This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
              FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].

6. Security Requirements

In this chapter, the security requirements are described.

Security functional requirements

In this chapter, the TOE security functional requirements for achieving the security objectives specified in Chapter 4.1 are described. They are quoted from the security functional requirements specified in CC Part 2. See Chapter 5 for the security functional requirements that are not specified in CC Part 2.
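As an added illustration of the FPT_FDI_EXP.1 property and of management actions b) and c) above (example code, not the ST's or the TOE's implementation), the following Python models a forwarding decision between external interfaces: data that arrived on one interface leaves on another only after a TSF processing step, unless an administrative role has explicitly allowed that direct path and not yet revoked it. The interface names, the role name and the stand-in processing step are assumptions; the ST's own assignment lists for FPT_FDI_EXP.1.1 are not on this page.

```python
"""Restricted forwarding between external interfaces, modelled on FPT_FDI_EXP.1 (added example)."""
from dataclasses import dataclass
from typing import Set, Tuple

# Assumed interface names for illustration only.
EXTERNAL_INTERFACES = {"LAN", "FAX_LINE", "USB"}
ADMIN_ROLE = "U.ADMINISTRATOR"   # the authorised administrative role (FMT_SMR.1 dependency)


@dataclass(frozen=True)
class Frame:
    source: str                     # external interface the data arrived on
    payload: bytes
    processed_by_tsf: bool = False  # True only for the output of tsf_process()


def tsf_process(frame: Frame) -> Frame:
    """Stand-in for the TSF's own processing step (assumption: drop control bytes and
    re-encode). Whatever the real step is, only its output may leave on another interface."""
    cleaned = bytes(b for b in frame.payload if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return Frame(frame.source, cleaned, processed_by_tsf=True)


class ForwardingPolicy:
    """Unprocessed data may cross between external interfaces only on a path that an
    administrator has explicitly allowed (management actions b and c)."""

    def __init__(self) -> None:
        self._direct_allowed: Set[Tuple[str, str]] = set()

    def allow_direct(self, actor_role: str, src: str, dst: str) -> bool:
        """Management action b): only the administrative role may open a direct path."""
        if actor_role != ADMIN_ROLE or src not in EXTERNAL_INTERFACES or dst not in EXTERNAL_INTERFACES:
            return False
        self._direct_allowed.add((src, dst))
        return True

    def revoke_direct(self, actor_role: str, src: str, dst: str) -> bool:
        """Management action c): revocation of such an allowance."""
        if actor_role != ADMIN_ROLE:
            return False
        self._direct_allowed.discard((src, dst))
        return True

    def forward(self, frame: Frame, dst: str) -> str:
        """Decide what happens to `frame` when it is sent towards `dst`."""
        if frame.source not in EXTERNAL_INTERFACES or dst not in EXTERNAL_INTERFACES:
            return "rejected"             # unknown interface
        if frame.processed_by_tsf:
            return "forwarded-processed"  # the normal path: the TSF processed the data first
        if (frame.source, dst) in self._direct_allowed:
            return "forwarded-direct"     # direct path explicitly allowed by an administrator
        return "rejected"                 # FPT_FDI_EXP.1.1: no unprocessed forwarding by default
```

The default branch is the security property: a frame that has not passed through `tsf_process()` is dropped unless the exact (source, destination) pair is on the administrator's allow list, so a processing step that is skipped by accident fails closed rather than open.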
< Method of specifying security functional requirement "Operation" >
In the functional elements described below, items shown in bold are operations that were completed or refined in the PP. Items shown in bold italic are assignments or selections. Where bold italic text in parentheses immediately follows an underlined original sentence, the underlined sentence is refined by the text in parentheses. A number in parentheses after a label means that the functional requirement is iterated. Security functional requirement components defined in the PP are shown in bold, and components added by the ST are shown in bold italic.

6.1.1. Class FAU: Security audit

FAU_GEN.1 Audit data generation
Hierarchical to: No other components
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
- Start-up and shutdown of the audit functions; and
- All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
- All Auditable Events as each is defined for its Audit Level (if one is specified) for the Relevant SFR in Table 6-1; [assignment: other specifically defined auditable events]
  [selection, choose one of: minimum, basic, detailed, not specified]
    not specified
  [assignment: other specifically defined auditable events]
    None
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
- Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
- For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, for each Relevant SFR listed in Table 6-1: (1) information as defined by its Audit Level (if one is specified), and (2) all Additional Information (if any is required); [assignment: other audit relevant information]
  [assignment: other audit relevant information]
    None

Table 6-1 Audit data requirements
(columns: Auditable event | Relevant SFR | Audit level | Additional information | Details)
Both successful and unsuccessful use of the authentication mechanism | FIA_UAU.1 | Basic | None required | - Success of login; - Failure of login
The reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal). | FIA_AFL.1 | Minimum | None required | - Suspension of authentication; - Recovery to normal state
Both successful and unsuccessful use of the identification mechanism | FIA_UID.1 | Basic | Attempted user identity, if available | - Success of login; - Failure of login
Failure of reauthentication | FIA_UAU.6 | Minimum | None required | - Failure of reauthentication
Use of the management functions | FMT_SMF.1 | Minimum | None required | - Use of the management functions
Modifications to the group of users that are part of a role | FMT_SMR.1 | Minimum | None required | No record, because no group of users as a role exists.
Failure of the trusted channel functions | FTP_ITC.1 | Minimum | None required | - Failure of communication
Changes to the time | FPT_STM.1 | Minimum | None required | - Change of date
Locking of an interactive session by the session locking mechanism | FTA_SSL.3 | Minimum | None required | - Termination of an interactive session

FAU_GEN.2 User identity association
Hierarchical to: No other components
Dependencies: FAU_GEN.1 Audit data generation
              FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FAU_SAR.1 Audit review
Hierarchical to: No other components
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.
  [assignment: authorised users]
    U.ADMINISTRATOR
  [assignment: list of audit information]
    Audit log indicated in Table 6-1
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Hierarchical to: No other components
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.
  [selection, choose one of: prevent, detect]
    prevent

FAU_STG.4(1) Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1(1) The TSF shall [selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full (if the audit trail is full while the operation for a full audit trail is set to "overwrite prohibition").
  [selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”]
    prevent audited events, except those taken by the authorised user with special rights
  [assignment: other actions to be taken in case of audit storage failure]
    - Deletion of Audit log by administrator
    - Export of Audit log by administrator (Audit log on the TOE is deleted in accordance with the Export.)
    - Setting change from “overwrite prohibition” to “overwrite permission” by administrator

FAU_STG.4(2) Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1(2) The TSF shall [selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full (if the audit trail is full while the operation for a full audit trail is set to "overwrite permission").
  [selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”]
    overwrite the oldest stored audit records
  [assignment: other actions to be taken in case of audit storage failure]
    None

6.1.2. Class FCS: Cryptographic support

FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys (cryptographic keys for HDD encryption) in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
  [assignment: cryptographic key generation algorithm]
    refer to Table 6-2
  [assignment: cryptographic key sizes]
    refer to Table 6-2
  [assignment: list of standards]
    refer to Table 6-2

Table 6-2 Cryptographic key algorithm and key size
(columns: list of standards | cryptographic key generation algorithm | key sizes)
FIPS 180-3 | SHA-256 | 256 bit

FCS_COP.1 Cryptographic operation
Hierarchical to: No other components
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
  [assignment: list of cryptographic operations]
    refer to Table 6-3
  [assignment: cryptographic algorithm]
    refer to Table 6-3
  [assignment: cryptographic key sizes]
    refer to Table 6-3
  [assignment: list of standards]
    refer to Table 6-3

Table 6-3 Cryptographic operations, algorithm, key size and standards
(columns: Standard | cryptographic algorithm | key sizes | cryptographic operations)
FIPS PUB 197 | AES | 256 bit | Encrypt HDD

6.1.3. Class FDP: User data protection

FDP_ACC.1(a) Subset access control
Hierarchical to: No other components
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(a) The TSF shall enforce the Common Access Control SFP in Table 17 (Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9) on the list of users as subjects, objects, and operations among subjects and objects covered by the Common Access Control SFP in Table 17 (the list of users as subjects, objects, and operations among subjects and objects covered by the Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9).

Table 6-4 Common Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +PRT, +SCN, +CPY, +FAXOUT | User ID | Delete | U.NORMAL | User ID | Operation is permitted only when the User ID matches.
D.FUNC | +PRT, +SCN, +CPY, +FAXOUT | User ID | Delete | U.NORMAL | User ID | Operation is permitted only when the User ID matches.

Table 6-5 PRT Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +PRT | User ID | Read | U.NORMAL | User ID | Operation is permitted only to the one whose User ID matches.
Table 6-6 SCN Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +SCN | User ID | Read | U.NORMAL | User ID | Operation is permitted only to the one whose User ID matches.

Table 6-7 CPY Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +CPY | User ID | Read | (not applicable) | (not applicable) | Access control limitation is not specified, in accordance with the PP.

Table 6-8 FAX Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +FAXIN | FAXIN Box Word | Read | U.NORMAL | FAXIN Box Word | Operation is permitted when the FAXIN Box Word matches.
D.DOC | +FAXOUT | User ID | Read | U.NORMAL | User ID | Operation is permitted only to the one whose User ID matches.

Table 6-9 DSR Access Control SFP
(columns: Object | Function Attribute | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
D.DOC | +DSR (Storing from +SCN) | User ID | Read, Delete | U.NORMAL | User ID | Operation is permitted only to the one whose User ID matches.
D.DOC | +DSR (Storing from +FAXIN) | FAXIN Box Word | Read, Delete | U.NORMAL | FAXIN Box Word | Operation is permitted when the FAXIN Box Word matches.
D.FUNC | +DSR (Storing from +SCN) | User ID | Delete | U.NORMAL | User ID | Operation is permitted only to the one whose User ID matches.
D.FUNC | +DSR (Storing from +FAXIN) | FAXIN Box Word | Delete | U.NORMAL | FAXIN Box Word | Operation is permitted when the FAXIN Box Word matches.

In the Access Control SFPs in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8 and Table 6-9, no access control rule is specified for the “Create” operation, in accordance with PP APPLICATION NOTE 19.
FDP_ACC.1(b) Subset access control
Hierarchical to: No other components
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(b) The TSF shall enforce the TOE Function Access Control SFP (TOE Function Access Control SFP in Table 6-10) on users as subjects, TOE functions as objects, and the right to use the functions as operations (the list of users as subjects, objects, and operations among subjects and objects covered by the TOE Function Access Control SFP in Table 6-10).

Table 6-10 TOE Function Access Control SFP
(columns: Object (TOE Function) | Object Attribute | Operation(s) | Subject | Subject Attribute | Access control rule)
F.PRT | Permission Role | Execution | U.NORMAL | Allocation Role | Execution of the function is permitted when the Allocation Role of the Subject includes the Permission Role of the Object.
F.SCN | Permission Role | Execution | U.NORMAL | Allocation Role | Execution of the function is permitted when the Allocation Role of the Subject includes the Permission Role of the Object.
F.CPY | Permission Role | Execution | U.NORMAL | Allocation Role | Execution of the function is permitted when the Allocation Role of the Subject includes the Permission Role of the Object.
F.FAX | Permission Role | Execution | U.NORMAL | Allocation Role | Execution of the function is permitted when the Allocation Role of the Subject includes the Permission Role of the Object.
F.DSR | Permission Role | Execution | U.NORMAL | Allocation Role | Execution of the function is permitted when the Allocation Role of the Subject includes the Permission Role of the Object.
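The decision rules of Tables 6-4 to 6-10, together with the explicit U.ADMINISTRATOR rules given under FDP_ACF.1.3(a) and FDP_ACF.1.3(b), written out as executable Python. This is an added example, not the TOE's implementation: the subject and object records, treating the unspecified CPY Read rule of Table 6-7 as permitted, denying any operation no table mentions (for instance Create, or Read of D.FUNC), modelling an Allocation Role as a set of role names, and reading the administrator's Read rule as "D.DOC whose function attribute is +FAXIN or +DSR" are all assumptions made for the example.

```python
"""Access control decisions modelled on Tables 6-4 to 6-10 of the ST (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ADMIN = "U.ADMINISTRATOR"
NORMAL = "U.NORMAL"


@dataclass(frozen=True)
class Subject:
    kind: str                                      # U.NORMAL or U.ADMINISTRATOR
    user_id: Optional[str] = None                  # "User ID" subject attribute
    allocation_role: FrozenSet[str] = frozenset()  # "Allocation Role" (assumed: a set of role names)
    faxin_box_word: Optional[str] = None           # "FAXIN Box Word" subject attribute


@dataclass(frozen=True)
class Obj:
    kind: str                          # "D.DOC" or "D.FUNC"
    function: str                      # function attribute: +PRT, +SCN, +CPY, +FAXOUT, +FAXIN, +DSR
    stored_from: Optional[str] = None  # for +DSR objects: "+SCN" or "+FAXIN"
    user_id: Optional[str] = None      # "User ID" object attribute
    faxin_box_word: Optional[str] = None


# Object attribute a U.NORMAL subject must match, keyed by
# (object kind, function attribute, stored_from, operation):
#   "USER" = User ID must match, "BOX" = FAXIN Box Word must match,
#   None   = no access control limitation specified (Table 6-7, +CPY Read).
_RULES = {
    # Table 6-4 Common Access Control SFP: Delete of +PRT/+SCN/+CPY/+FAXOUT objects
    **{(k, f, None, "Delete"): "USER"
       for k in ("D.DOC", "D.FUNC") for f in ("+PRT", "+SCN", "+CPY", "+FAXOUT")},
    ("D.DOC", "+PRT", None, "Read"): "USER",       # Table 6-5 PRT
    ("D.DOC", "+SCN", None, "Read"): "USER",       # Table 6-6 SCN
    ("D.DOC", "+CPY", None, "Read"): None,         # Table 6-7 CPY (not specified)
    ("D.DOC", "+FAXIN", None, "Read"): "BOX",      # Table 6-8 FAX
    ("D.DOC", "+FAXOUT", None, "Read"): "USER",    # Table 6-8 FAX
    ("D.DOC", "+DSR", "+SCN", "Read"): "USER",     # Table 6-9 DSR
    ("D.DOC", "+DSR", "+SCN", "Delete"): "USER",
    ("D.DOC", "+DSR", "+FAXIN", "Read"): "BOX",
    ("D.DOC", "+DSR", "+FAXIN", "Delete"): "BOX",
    ("D.FUNC", "+DSR", "+SCN", "Delete"): "USER",
    ("D.FUNC", "+DSR", "+FAXIN", "Delete"): "BOX",
}


def object_access_allowed(subject: Subject, obj: Obj, operation: str) -> bool:
    """Common/PRT/SCN/CPY/FAX/DSR Access Control SFP decision for Read and Delete."""
    if subject.kind == ADMIN:
        # FDP_ACF.1.3(a): the administrator may Delete any D.DOC/D.FUNC and may Read
        # D.DOC carrying the +FAXIN or +DSR attribute (this reading is an assumption).
        if operation == "Delete":
            return True
        return operation == "Read" and obj.kind == "D.DOC" and obj.function in ("+FAXIN", "+DSR")
    key = (obj.kind, obj.function, obj.stored_from, operation)
    if key not in _RULES:
        return False  # operation not covered by any table (assumption: deny)
    required = _RULES[key]
    if required is None:
        return True   # Table 6-7: no limitation specified (assumption: permit)
    if required == "USER":
        return subject.user_id is not None and subject.user_id == obj.user_id
    return subject.faxin_box_word is not None and subject.faxin_box_word == obj.faxin_box_word


def function_execution_allowed(subject: Subject, permission_role: str) -> bool:
    """Table 6-10 TOE Function Access Control SFP: Execution of F.PRT/F.SCN/F.CPY/F.FAX/F.DSR."""
    if subject.kind == ADMIN:
        return True  # FDP_ACF.1.3(b): a user acting in the role U.ADMINISTRATOR is authorised
    return permission_role in subject.allocation_role
```

Keeping the tables as data (`_RULES`) and the administrator exceptions as code mirrors how the ST itself separates the per-function SFP tables from the explicit-authorisation rules, and makes a missing rule fail closed.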
FDP_ACF.1(a) Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(a) The TSF shall enforce the Common Access Control SFP in Table 17 (Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9) to objects based on the following: the list of users as subjects and objects controlled under the Common Access Control SFP in Table 17, and for each, the indicated security attributes in Table 17 (the list of users as subjects and objects controlled under the Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9 and, for each, the indicated security attributes in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9).
FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the Common Access Control SFP in Table 17 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects (rules specified in the Document Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects).
FDP_ACF.1.3(a) The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorize access of subjects to objects].
  [assignment: rules, based on security attributes, that explicitly authorize access of subjects to objects]
    - U.ADMINISTRATOR is able to Delete all D.DOC and D.FUNC.
    - U.ADMINISTRATOR is able to Read D.DOC that has the +FAXIN or +DSR attribute.
FDP_ACF.1.4(a) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
  [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
    None

FDP_ACF.1(b) Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(b) The TSF shall enforce the TOE Function Access Control SFP (TOE Function Access Control SFP in Table 6-10) to objects based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP].
  [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP]
    the list of users as subjects and objects controlled under the TOE Function Access Control SFP in Table 6-10, and for each, the indicated security attributes in Table 6-10
FDP_ACF.1.2(b) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]].
  [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]]
    [assignment: other conditions]
  [assignment: other conditions]
    Table 6-10
FDP_ACF.1.3(b) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: the user acts in the role U.ADMINISTRATOR: [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects].
  [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects]
    None
FDP_ACF.1.4(b) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules based on security attributes that explicitly deny access of subjects to objects].
  [assignment: rules based on security attributes that explicitly deny access of subjects to objects]
    None

FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components
Dependencies: No dependencies
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: D.DOC, [assignment: list of objects].
  [selection: allocation of the resource to, deallocation of the resource from]
    deallocation of the resource from
  [assignment: list of objects]
    None

6.1.4.
Class FIA: Identification and authentication

FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
  [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]]
    an administrator configurable positive integer within [assignment: range of acceptable values]
  [assignment: range of acceptable values]
    3
  [assignment: list of authentication events]
    Authentication of login password
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met, surpassed], the TSF shall [assignment: list of actions].
  [selection: met, surpassed]
    met
  [assignment: list of actions]
    Suspend authentication by login password
    <Operation for recovering the normal condition>
    Administrator authentication: Perform the boot process of the TOE. (The release process is performed once the time set in the release time setting of operation prohibition for Administrator authentication has passed after the boot process.)
    Other: The administrator executes the delete function of the authentication failure frequency.

FIA_ATD.1 User attribute definition
Hierarchical to: No other components
Dependencies: No dependencies
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].
  [assignment: list of security attributes]
    AdminID
    User ID
    Allocation Role
    FAXIN Box Word

FIA_SOS.1(1) Verification of secrets
Hierarchical to: No other components
Dependencies: No dependencies
FIA_SOS.1.1(1) The TSF shall provide a mechanism to verify that secrets (Login password (U.ADMINISTRATOR)) meet [assignment: a defined quality metric].
  [assignment: a defined quality metric]
    - Number of characters: 8 or more characters
    - Character type: possible to choose from 95 or more characters
    - Rule: (1) Do not compose of only one and the same character. (2) Do not set the same password as the current setting after the change.

FIA_SOS.1(2) Verification of secrets
Hierarchical to: No other components
Dependencies: No dependencies
FIA_SOS.1.1(2) The TSF shall provide a mechanism to verify that secrets (Login password (U.NORMAL)) meet [assignment: a defined quality metric].
  [assignment: a defined quality metric]
    - Number of characters: 8 or more characters
    - Character type: possible to choose from 93 or more characters
    - Rule: (1) Do not compose of only one and the same character. (2) Do not set the same password as the current setting after the change.

FIA_SOS.1(3) Verification of secrets
Hierarchical to: No other components
Dependencies: No dependencies
FIA_SOS.1.1(3) The TSF shall provide a mechanism to verify that secrets (Encryption passphrase) meet [assignment: a defined quality metric].
  [assignment: a defined quality metric]
    - Number of characters: 20 characters
    - Character type: possible to choose from 95 or more characters
    - Rule: (1) Do not compose of only one and the same character. (2) Do not compose of only one type of character.

FIA_UAU.1 Timing of authentication
Hierarchical to: No other components
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is authenticated.
  [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
    Receive Fax
    TOE status check and display setting
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.6 Re-authenticating
Hierarchical to: No other components
Dependencies: No dependencies
FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required].
  [assignment: list of conditions under which re-authentication is required]
    Change of the user’s own login password.

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.
  [assignment: list of feedback]
    Display “*” for each character of input.
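The quality metrics of FIA_SOS.1(1), (2) and (3) and the failure handling of FIA_AFL.1 above, combined into one executable Python example. This is added code, not the TOE's implementation. The ST gives only character counts, so the 95-character set is assumed here to be printable ASCII (0x20 to 0x7E) and two characters are removed from it purely to illustrate the 93-character U.NORMAL set; the character classes used for "only one type of character", the account name that stands for the administrator, and the release time value are likewise assumptions.

```python
"""Password quality metrics (FIA_SOS.1) and authentication failure handling (FIA_AFL.1), added example."""
from typing import Dict, Optional

# Assumption: the 95-character set is printable ASCII 0x20..0x7E. Which two characters
# the 93-character U.NORMAL set omits is not stated in the ST; two are dropped here
# only to illustrate a smaller set.
ADMIN_CHARSET = {chr(c) for c in range(0x20, 0x7F)}   # 95 characters, FIA_SOS.1(1) and (3)
USER_CHARSET = ADMIN_CHARSET - {'"', "'"}              # 93 characters, FIA_SOS.1(2)


def _char_types(secret: str) -> set:
    """Character classes for rule (2) of FIA_SOS.1(3) (the classes are an assumption)."""
    return {"upper" if c.isupper() else "lower" if c.islower() else
            "digit" if c.isdigit() else "symbol" for c in secret}


def verify_login_password(secret: str, current: Optional[str], is_admin: bool) -> bool:
    """FIA_SOS.1(1) for U.ADMINISTRATOR, FIA_SOS.1(2) for U.NORMAL."""
    charset = ADMIN_CHARSET if is_admin else USER_CHARSET
    if len(secret) < 8:                        # 8 or more characters
        return False
    if any(c not in charset for c in secret):  # only characters from the allowed set
        return False
    if len(set(secret)) == 1:                  # rule (1): not one and the same character
        return False
    return secret != current                   # rule (2): must differ from the current password


def verify_encryption_passphrase(secret: str) -> bool:
    """FIA_SOS.1(3): exactly 20 characters from the 95-character set, not one
    repeated character, not a single character type."""
    if len(secret) != 20 or any(c not in ADMIN_CHARSET for c in secret):
        return False
    if len(set(secret)) == 1:
        return False
    return len(_char_types(secret)) >= 2


class LoginGuard:
    """FIA_AFL.1: once THRESHOLD unsuccessful login-password attempts are met,
    password authentication for that account is suspended. Recovery follows the
    ST: the administrator account is released after the configured release time
    has elapsed following a TOE boot; any other account is released when the
    administrator clears its authentication failure count."""

    THRESHOLD = 3  # administrator-configurable positive integer; the ST assigns 3

    def __init__(self, admin_account: str, admin_release_time: float) -> None:
        self.admin_account = admin_account
        self.admin_release_time = admin_release_time
        self.failures: Dict[str, int] = {}
        self.suspended_at: Dict[str, float] = {}
        self.boot_time: Optional[float] = None

    def is_suspended(self, account: str, now: float) -> bool:
        if account not in self.suspended_at:
            return False
        if (account == self.admin_account and self.boot_time is not None
                and self.boot_time >= self.suspended_at[account]
                and now - self.boot_time >= self.admin_release_time):
            self._release(account)  # release time after the boot process has passed
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns "success", "failure" or "suspended"."""
        if self.is_suspended(account, now):
            return "suspended"
        if password_ok:
            self.failures[account] = 0
            return "success"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.THRESHOLD:  # threshold met
            self.suspended_at[account] = now
            return "suspended"
        return "failure"

    def reboot(self, now: float) -> None:
        """Boot process of the TOE; starts the administrator release timer."""
        self.boot_time = now

    def admin_clear_failures(self, account: str) -> None:
        """The administrator's delete function for the authentication failure frequency."""
        self._release(account)

    def _release(self, account: str) -> None:
        self.failures[account] = 0
        self.suspended_at.pop(account, None)
```

Note that a correct password presented while the account is suspended is still answered with "suspended": the suspension is a state of the authentication mechanism, not of the individual attempt, which is what makes the lockout effective against repeated guessing.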
FIA_UID.1 Timing of identification
Hierarchical to: No other components
Dependencies: No dependencies
FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is identified.
[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
  - Receive Fax
  - TOE status check and display setting
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding
Hierarchical to: No other components
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].
[assignment: list of user security attributes]
  - AdminID
  - User ID
  - Allocation Role
  - FAXIN Box Word
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with the subjects acting on behalf of users: [assignment: rules for the initial association of attributes].
[assignment: rules for the initial association of attributes]
  None
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes with the subjects acting on behalf of users: [assignment: rules for the changing of attributes].
[assignment: rules for the changing of attributes]
  None

6.1.5. Class FMT: Security management

FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 The TSF shall restrict the ability to [selection: determine the behaviour of, disable, enable, modify the behaviour of] the functions [assignment: list of functions] to [assignment: the authorised identified roles].
[selection: determine the behaviour of, disable, enable, modify the behaviour of]
  modify the behaviour of
[assignment: list of functions]
  - Enhanced Security Setting
  - User Authentication function
  - HDD data overwrite deletion function
  - Audit Log function
  - Trusted Channel function
  - User management function
[assignment: the authorised identified roles]
  U.ADMINISTRATOR

FMT_MSA.1(a) Management of security attributes
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(a) The TSF shall enforce the Common Access Control SFP in Table 17 (Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8 and Table 6-9), [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorized identified roles].
[assignment: access control SFP(s), information flow control SFP(s)]
  None
[selection: change_default, query, modify, delete, [assignment: other operations]]
  Refer to Table 6-11, Table 6-12
[assignment: list of security attributes]
  Refer to Table 6-11, Table 6-12
[assignment: the authorized identified roles]
  Refer to Table 6-11, Table 6-12

Table 6-11 Management of Object Security Attribute
  Access Control SFP: Common Access Control SFP, PRT Access Control SFP, SCN Access Control SFP, CPY Access Control SFP, FAX Access Control SFP (FAXOUT), DSR Access Control SFP (SCN)
    Object Security Attribute: User ID
    Authorized Identified Roles: Nobody
    Operations: Any operation
  Access Control SFP: FAX Access Control SFP (FAXIN), DSR Access Control SFP (FAXIN)
    Object Security Attribute: FAXIN Box Word
    Authorized Identified Roles: U.ADMINISTRATOR
    Operations: Register, Modify

Table 6-12 Management of Subject Security Attribute
  Access Control SFP: Common Access Control SFP, PRT Access Control SFP, SCN Access Control SFP, CPY Access Control SFP, FAX Access Control SFP (FAXOUT), DSR Access Control SFP (SCN)
    Subject Security Attribute: User ID
    Authorized Identified Roles: U.ADMINISTRATOR
    Operations: Delete, Modify
  Access Control SFP: FAX Access Control SFP (FAXIN), DSR Access Control SFP (FAXIN)
    Subject Security Attribute: FAXIN Box Word
    Authorized Identified Roles: Nobody
    Operations: Any operation

FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(b) The TSF shall enforce the TOE Function Access Control SFP (TOE Function Access Control SFP in Table 6-10), [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].
[assignment: access control SFP(s), information flow control SFP(s)]
  None
[selection: change_default, query, modify, delete, [assignment: other operations]]
  Refer to Table 6-13, Table 6-14
[assignment: list of security attributes]
  Refer to Table 6-13, Table 6-14
[assignment: the authorised identified roles]
  Refer to Table 6-13, Table 6-14

Table 6-13 Management of Subject Security Attribute
  Access Control SFP                 Subject Security Attribute   Authorized Identified Roles   Operations
  TOE Function Access Control SFP    Allocation Role              U.ADMINISTRATOR               Delete, Modify

Table 6-14 Management of Object Security Attribute
  Access Control SFP                 Object Security Attribute    Authorized Identified Roles   Operations
  TOE Function Access Control SFP    Permission Role              Nobody                        Any operation

FMT_MSA.3(a) Static attribute initialisation
Hierarchical to: No other components
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1(a) The TSF shall enforce the Common Access Control SFP in Table 17 (Access Control SFP in Table 6-4, Table 6-5, Table 6-6, Table 6-7, Table 6-8, Table 6-9), [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
[assignment: access control SFP, information flow control SFP]
  None
[selection, choose one of: restrictive, permissive, [assignment: other property]]
  [assignment: other property]
    Refer to Table 6-15
FMT_MSA.3.2(a) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
[assignment: the authorized identified roles]
  Nobody

Table 6-15 Characteristics of Static Attribute Initialization
  Access Control SFP: Common Access Control SFP / PRT Access Control SFP / SCN Access Control SFP / CPY Access Control SFP / FAX Access Control SFP / DSR Access Control SFP
    Object: D.DOC, D.FUNC
      Function Attribute: +PRT, +SCN, +CPY, +FAXOUT
      Object Attribute: User ID
      Default value of the Object Security Attribute: User ID of the U.NORMAL who created the object
    Object: D.DOC, D.FUNC
      Function Attribute: +DSR (storing from +SCN)
      Object Attribute: User ID
      Default value of the Object Security Attribute: User ID of the U.NORMAL who created the object
    Object: D.DOC, D.FUNC
      Function Attribute: +FAXIN; +DSR (storing from +FAXIN)
      Object Attribute: FAXIN Box Word
      Default value of the Object Security Attribute: FAXIN Box Word associated with a value set by U.ADMINISTRATOR
  * Multiple Function Attributes are not given at the same time, since the attribute is given according to the function (print, scan, etc.) that generates the object.

FMT_MSA.3(b) Static attribute initialisation
Hierarchical to: No other components
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1(b) The TSF shall enforce the TOE Function Access Control SFP (TOE Function Access Control SFP in Table 6-10), [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
[assignment: access control SFP, information flow control SFP]
  None
[selection, choose one of: restrictive, permissive, [assignment: other property]]
  [assignment: other property]
    Refer to Table 6-16
FMT_MSA.3.2(b) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
[assignment: the authorized identified roles]
  Nobody

Table 6-16 Characteristics of Static Attribute Initialization
  Object (TOE Function)   Object Attribute   Characteristic (access is restricted to subjects holding any of the following attributes)
  F.PRT                   Permission Role    Print Role
  F.SCN                   Permission Role    Scan Role
  F.CPY                   Permission Role    Copy Role
  F.FAX                   Permission Role    Fax Role
  F.DSR                   Permission Role    DSR Role

FMT_MTD.1 Management of TSF data
Hierarchical to: No other components
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(a) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]].
[selection: change_default, query, modify, delete, clear, [assignment: other operations]]
  Refer to Table 6-17
[assignment: other operations]
  Refer to Table 6-17
[assignment: list of TSF data]
  Refer to Table 6-17
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]]
  Refer to Table 6-17
FMT_MTD.1.1(b) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data associated with a U.NORMAL or TSF data associated with documents or jobs owned by a U.NORMAL] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]].
  Refer to Table 6-18

Table 6-17 Operation of TSF Data
  TSF Data                                                   Authorized Identified Roles   Operations
  Login password of U.NORMAL                                 U.ADMINISTRATOR               Register
  Login password of U.ADMINISTRATOR                          U.ADMINISTRATOR               Modify
  Encryption Passphrase                                      U.ADMINISTRATOR               Set
  Date Information                                           U.ADMINISTRATOR               Modify
  Auto Reset Time                                            U.ADMINISTRATOR               Modify
  Auto logout time                                           U.ADMINISTRATOR               Modify
  Number of Authentication Failures (except Administrators)  U.ADMINISTRATOR               Clear
  Password rule                                              U.ADMINISTRATOR               Modify
  External server authentication setting data                U.ADMINISTRATOR               Register, Modify
  Network Settings                                           U.ADMINISTRATOR               Register, Modify
  Transmission address setting                               U.ADMINISTRATOR               Register, Modify
  Audit Log                                                  U.ADMINISTRATOR               Query, Delete

Table 6-18 Operation of TSF Data
  TSF Data                     Authorized Identified Roles                                     Operations
  Login Password of U.NORMAL   The U.NORMAL to whom the password belongs; U.ADMINISTRATOR      Modify

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components
Dependencies: No dependencies
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].
[assignment: list of management functions to be provided by the TSF]
  Refer to Table 6-19

Table 6-19 List of management functions
  - Management function of Enhanced Security Setting by U.ADMINISTRATOR
  - Management function of User Authentication function by U.ADMINISTRATOR
  - Operation setting function of HDD data overwrite deletion function by U.ADMINISTRATOR
  - Audit log management function by U.ADMINISTRATOR
  - Trusted Channel management function by U.ADMINISTRATOR
  - User management function by U.ADMINISTRATOR*
  - Modification function of one's own login password by U.NORMAL
  - Modification function of one's own login password by U.ADMINISTRATOR
  - Setting function of encryption passphrase by U.ADMINISTRATOR
  - Modification function of date and time information by U.ADMINISTRATOR
  - Modification function of auto reset time by U.ADMINISTRATOR
  - Modification function of auto logout time by U.ADMINISTRATOR
  - Registration and modification function of external server authentication setting data by U.ADMINISTRATOR
  - Deletion function of authentication failure count (except administrator) by U.ADMINISTRATOR
  - Modification function of password policy by U.ADMINISTRATOR
  - Registration and modification function of network settings by U.ADMINISTRATOR
  - Registration and modification function of transmission address by U.ADMINISTRATOR
  - Registration and modification function of FAXIN Box Word by U.ADMINISTRATOR
  * The User management function includes management of the login password of U.NORMAL and management of the security attributes of subjects by U.ADMINISTRATOR.

FMT_SMR.1 Security roles
Hierarchical to: No other components
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles U.ADMINISTRATOR, U.NORMAL, [selection: Nobody, [assignment: the authorised identified roles]].
[selection: Nobody, [assignment: the authorised identified roles]]
  Nobody
FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role "Nobody" to which no user shall be associated.

6.1.6. Class FPT: Protection of the TSF

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
              FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to any Shared-medium Interface.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components
Dependencies: No dependencies
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FPT_TST.1 TSF testing
Hierarchical to: No other components
Dependencies: No dependencies
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
[selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]]
  during initial start-up
[selection: [assignment: parts of TSF], the TSF]
  [assignment: parts of TSF]
    Overall control function, HDD Encryption Function (Encryption passphrase)
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
[selection: [assignment: parts of TSF], TSF data]
  [assignment: parts of TSF]
    Encryption passphrase
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.

6.1.7. Class FTA: TOE access

FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components
Dependencies: No dependencies
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
[assignment: time interval of user inactivity]
  - Operation panel: the auto reset time, counted from the last operation once the processing started by that operation has completed.
  - Web Connection: the auto logout time, counted from the last operation once the processing started by that operation has completed.
  - Data Administrator: 60 minutes.
  - Printer driver: no interactive session.

6.1.8. Class FTP: Trusted path/channels

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components
Dependencies: No dependencies
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for communication of D.PROT and D.CONF over any Shared-medium Interface.

Security assurance requirements

Table 6-20 lists the security assurance requirements for 2600.2-PP, Protection Profile for Hardcopy Devices, Operational Environment B, and related SFR packages: EAL 2 augmented by ALC_FLR.2.
Table 6-20 IEEE 2600.2 Security Assurance Requirements
  Assurance class                   Assurance components
  ADV: Development                  ADV_ARC.1 Security architecture description
                                    ADV_FSP.2 Security-enforcing functional specification
                                    ADV_TDS.1 Basic design
  AGD: Guidance documents           AGD_OPE.1 Operational user guidance
                                    AGD_PRE.1 Preparative procedures
  ALC: Life-cycle support           ALC_CMC.2 Use of a CM system
                                    ALC_CMS.2 Parts of the TOE CM coverage
                                    ALC_DEL.1 Delivery procedures
                                    ALC_FLR.2 Flaw reporting procedures (augmentation of EAL2)
  ASE: Security Target evaluation   ASE_CCL.1 Conformance claims
                                    ASE_ECD.1 Extended components definition
                                    ASE_INT.1 ST introduction
                                    ASE_OBJ.2 Security objectives
                                    ASE_REQ.2 Derived security requirements
                                    ASE_SPD.1 Security problem definition
                                    ASE_TSS.1 TOE summary specification
  ATE: Tests                        ATE_COV.1 Evidence of coverage
                                    ATE_FUN.1 Functional testing
                                    ATE_IND.2 Independent testing - sample
  AVA: Vulnerability assessment     AVA_VAN.2 Vulnerability analysis

Security requirements rationale

6.3.1. Common security requirements rationale (SFR Package is included)

Table 6-21 and Table 6-22 demonstrate the completeness and sufficiency of the SFRs that fulfill the objectives of the TOE. In Table 6-21, P marks an SFR that provides principal fulfillment of the objective and S marks one that provides supporting fulfillment.

Table 6-21 Completeness of security requirements
  Objective columns:
     1 O.DOC_REST.NO_DIS     2 O.DOC_REST.NO_ALT     3 O.FUNC_REST.NO_ALT
     4 O.PROT.NO_ALT         5 O.CONF.NO_DIS         6 O.CONF.NO_ALT
     7 O.USER.AUTHORIZED     8 O.INTERFACE.MANAGED   9 O.SOFTWARE.VERIFIED
    10 O.AUDIT.LOGGED       11 O.HDD.CRYPTO

  SFR             1  2  3  4  5  6  7  8  9 10 11
  FAU_GEN.1       .  .  .  .  .  .  .  .  .  P  .
  FAU_GEN.2       .  .  .  .  .  .  .  .  .  P  .
  FAU_SAR.1       .  .  .  .  .  .  .  .  .  P  .
  FAU_SAR.2       .  .  .  .  .  .  .  .  .  P  .
  FAU_STG.1       .  .  .  .  .  .  .  .  .  P  .
  FAU_STG.4(1)    .  .  .  .  .  .  .  .  .  P  .
  FAU_STG.4(2)    .  .  .  .  .  .  .  .  .  P  .
  FCS_CKM.1       .  .  .  .  .  .  .  .  .  .  S
  FCS_COP.1       .  .  .  .  .  .  .  .  .  .  P
  FDP_ACC.1(a)    P  P  P  .  .  .  .  .  .  .  .
  FDP_ACC.1(b)    .  .  .  .  .  .  P  .  .  .  .
  FDP_ACF.1(a)    S  S  S  .  .  .  .  .  .  .  .
  FDP_ACF.1(b)    .  .  .  .  .  .  S  .  .  .  .
  FDP_RIP.1       P  .  .  .  .  .  .  .  .  .  .
  FIA_AFL.1       .  .  .  .  .  .  S  .  .  .  .
  FIA_ATD.1       .  .  .  .  .  .  S  .  .  .  .
  FIA_SOS.1(1)    .  .  .  .  .  .  S  .  .  .  .
  FIA_SOS.1(2)    .  .  .  .  .  .  S  .  .  .  .
  FIA_SOS.1(3)    .  .  .  .  .  .  .  .  .  .  S
  FIA_UAU.1       .  .  .  .  .  .  P  P  .  .  .
  FIA_UAU.6       .  .  .  .  .  .  S  S  .  .  .
  FIA_UAU.7       .  .  .  .  .  .  S  .  .  .  .
  FIA_UID.1       S  S  S  S  S  S  P  P  .  S  S
  FIA_USB.1       .  .  .  .  .  .  P  .  .  .  .
  FMT_MOF.1       S  S  S  S  S  S  S  S  .  S  S
  FMT_MSA.1(a)    S  S  S  P  .  .  .  .  .  .  .
  FMT_MSA.1(b)    .  .  .  P  .  .  S  .  .  .  .
  FMT_MSA.3(a)    S  S  S  .  .  .  .  .  .  .  .
  FMT_MSA.3(b)    .  .  .  .  .  .  S  .  .  .  .
  FMT_MTD.1       .  .  .  P  P  P  .  .  .  .  S
  FMT_SMF.1       S  S  S  S  S  S  S  S  .  S  S
  FMT_SMR.1       S  S  S  S  S  S  S  S  .  S  S
  FPT_FDI_EXP.1   .  .  .  .  .  .  .  P  .  .  .
  FPT_STM.1       .  .  .  .  .  .  .  .  .  S  .
  FPT_TST.1       .  .  .  .  .  .  .  .  P  .  .
  FTA_SSL.3       .  .  .  .  .  .  P  P  .  .  .
  FTP_ITC.1       P  P  P  P  P  P  .  .  .  .  .

Table 6-22 Sufficiency of security requirements
  O.DOC_REST.NO_DIS, O.DOC_REST.NO_ALT, O.FUNC_REST.NO_ALT: Protection of User Data at rest in the TOE from unauthorized disclosure or alteration
    FDP_ACC.1(a)    Enforces protection by establishing an access control policy.
    FDP_ACF.1(a)    Supports the access control policy by providing an access control function.
    FIA_UID.1       Supports access control and security roles by requiring user identification.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_MSA.1(a)    Supports the access control function by enforcing control of security attributes.
    FMT_MSA.3(a)    Supports the access control function by enforcing control of security attribute defaults.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports control of security attributes by requiring security roles.
    FTP_ITC.1       Enforces protection by requiring the use of trusted channels for communication of data over Shared-medium Interfaces.
  O.DOC_REST.NO_DIS: Protection of User Document Data at rest in the TOE from unauthorized disclosure
    FDP_RIP.1       Enforces protection by making residual data unavailable.
  O.PROT.NO_ALT: Protection of TSF Data from unauthorized alteration
    FIA_UID.1       Supports access control and security roles by requiring user identification.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_MSA.1(a)    Enforces protection by control of security attributes.
    FMT_MSA.1(b)    Enforces protection by control of security attributes.
    FMT_MTD.1       Enforces protection by restricting access.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports control of security attributes by requiring security roles.
    FTP_ITC.1       Enforces protection by requiring the use of trusted channels for communication of data over Shared-medium Interfaces.
  O.CONF.NO_DIS, O.CONF.NO_ALT: Protection of TSF Data from unauthorized disclosure or alteration
    FIA_UID.1       Supports access control and security roles by requiring user identification.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_MTD.1       Enforces protection by restricting access.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports control of security attributes by requiring security roles.
    FTP_ITC.1       Enforces protection by requiring the use of trusted channels for communication of data over Shared-medium Interfaces.
  O.USER.AUTHORIZED: Authorization of Normal Users and Administrators to use the TOE
    FDP_ACC.1(b)    Enforces authorization by establishing an access control policy.
    FDP_ACF.1(b)    Supports the access control policy by providing an access control function.
    FIA_AFL.1       Supports authorization by handling authentication failures.
    FIA_ATD.1       Supports authorization by associating security attributes with users.
    FIA_SOS.1(1)    Supports authorization by requiring verification of the quality of secrets.
    FIA_SOS.1(2)    Supports authorization by requiring verification of the quality of secrets.
    FIA_UAU.1       Enforces authorization by requiring user authentication.
    FIA_UAU.6       Supports authorization by requiring re-authentication.
    FIA_UAU.7       Supports authorization by protecting authentication feedback.
    FIA_UID.1       Enforces authorization by requiring user identification.
    FIA_USB.1       Enforces authorization by distinguishing subject security attributes associated with user roles.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_MSA.1(b)    Supports the access control function by enforcing control of security attributes.
    FMT_MSA.3(b)    Supports the access control function by enforcing control of security attribute defaults.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports authorization by requiring security roles.
    FTA_SSL.3       Enforces authorization by terminating inactive sessions.
  O.INTERFACE.MANAGED: Management of external interfaces
    FIA_UAU.1       Enforces management of external interfaces by requiring user authentication.
    FIA_UAU.6       Supports management of external interfaces by requiring re-authentication.
    FIA_UID.1       Enforces management of external interfaces by requiring user identification.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports authorization by requiring security roles.
    FPT_FDI_EXP.1   Enforces management of external interfaces by requiring (as needed) administrator control of data transmission from external Interfaces to Shared-medium Interfaces.
    FTA_SSL.3       Enforces management of external interfaces by terminating inactive sessions.
  O.SOFTWARE.VERIFIED: Verification of software integrity
    FPT_TST.1       Enforces verification of software by requiring self-tests.
  O.AUDIT.LOGGED: Logging and authorized access to audit events
    FAU_GEN.1       Enforces audit policies by requiring logging of relevant events.
    FAU_GEN.2       Enforces audit policies by requiring logging of information associated with audited events.
    FAU_SAR.1       Enforces audit policies by providing security audit records for review.
    FAU_SAR.2       Enforces audit policies by restricting reading of security audit records.
    FAU_STG.1       Enforces audit policies by protecting records from unauthorised deletion and/or modification.
    FAU_STG.4(1)    Enforces audit policies by preventing audit data loss.
    FAU_STG.4(2)    Enforces audit policies by preventing audit data loss.
    FIA_UID.1       Supports audit policies by requiring user identification, on which FAU_GEN.2 depends.
    FMT_MOF.1       Supports protection by management of security functions behavior.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports authorization by requiring security roles.
    FPT_STM.1       Supports audit policies by requiring time stamps associated with events.
  O.HDD.CRYPTO: The encryption of data
    FCS_CKM.1       Supports HDD encryption by requiring encryption key generation.
    FCS_COP.1       Enforces HDD encryption by requiring the encryption operation.
    FIA_SOS.1(3)    Supports encryption by verifying the quality of the base data of the encryption key.
    FIA_UID.1       Supports authorization by requiring user identification.
    FMT_MOF.1       Supports the encryption of data by management of security functions behavior.
    FMT_MTD.1       Supports the encryption of data by management of TSF data.
    FMT_SMF.1       Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1       Supports authorization by requiring security roles.

6.3.1.1. The dependencies of security requirements

The dependencies of the security functional requirement components are shown in the following table. Where a dependency specified in CC Part 2 is not satisfied, the rationale is given in the column "Dependencies Relation in this ST".

Table 6-23 The dependencies of security requirements
  Functional Requirement   Dependencies in CC Part 2                          Dependencies Relation in this ST
  FAU_GEN.1                FPT_STM.1                                          FPT_STM.1
  FAU_GEN.2                FAU_GEN.1, FIA_UID.1                               FAU_GEN.1, FIA_UID.1
  FAU_SAR.1                FAU_GEN.1                                          FAU_GEN.1
  FAU_SAR.2                FAU_SAR.1                                          FAU_SAR.1
  FAU_STG.1                FAU_GEN.1                                          FAU_GEN.1
  FAU_STG.4(1)             FAU_STG.1                                          FAU_STG.1
  FAU_STG.4(2)             FAU_STG.1                                          FAU_STG.1
  FCS_CKM.1                [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4                FCS_COP.1. FCS_CKM.4 is not satisfied: the encryption key is used for encrypting HDD data and is generated when the power is turned on. The generated key is held in volatile memory; since no external interface provides access to this key and it is destroyed when the power is turned off, key destruction need not be considered.
  FCS_COP.1                [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4   FCS_CKM.1. FCS_CKM.4 is not satisfied, for the same reason as given for FCS_CKM.1.
  FDP_ACC.1(a)             FDP_ACF.1                                          FDP_ACF.1(a)
  FDP_ACC.1(b)             FDP_ACF.1                                          FDP_ACF.1(b)
  FDP_ACF.1(a)             FDP_ACC.1, FMT_MSA.3                               FDP_ACC.1(a), FMT_MSA.3(a)
  FDP_ACF.1(b)             FDP_ACC.1, FMT_MSA.3                               FDP_ACC.1(b), FMT_MSA.3(b)
  FDP_RIP.1                None                                               N/A
  FIA_AFL.1                FIA_UAU.1                                          FIA_UAU.1
  FIA_ATD.1                None                                               N/A
  FIA_SOS.1(1)             None                                               N/A
  FIA_SOS.1(2)             None                                               N/A
  FIA_SOS.1(3)             None                                               N/A
  FIA_UAU.1                FIA_UID.1                                          FIA_UID.1
  FIA_UAU.6                None                                               N/A
  FIA_UAU.7                FIA_UAU.1                                          FIA_UAU.1
  FIA_UID.1                None                                               N/A
  FIA_USB.1                FIA_ATD.1                                          FIA_ATD.1
  FMT_MOF.1                FMT_SMR.1, FMT_SMF.1                               FMT_SMR.1, FMT_SMF.1
  FMT_MSA.1(a)             [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1     FDP_ACC.1(a), FMT_SMR.1, FMT_SMF.1
  FMT_MSA.1(b)             [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1     FDP_ACC.1(b), FMT_SMR.1, FMT_SMF.1
  FMT_MSA.3(a)             FMT_MSA.1, FMT_SMR.1                               FMT_MSA.1(a), FMT_SMR.1
  FMT_MSA.3(b)             FMT_MSA.1, FMT_SMR.1                               FMT_MSA.1(b), FMT_SMR.1
  FMT_MTD.1                FMT_SMR.1, FMT_SMF.1                               FMT_SMR.1, FMT_SMF.1
  FMT_SMF.1                None                                               N/A
  FMT_SMR.1                FIA_UID.1                                          FIA_UID.1
  FPT_STM.1                None                                               N/A
  FPT_TST.1                None                                               N/A
  FTA_SSL.3                None                                               N/A
  FTP_ITC.1                None                                               N/A
  FPT_FDI_EXP.1            FMT_SMF.1, FMT_SMR.1                               FMT_SMF.1, FMT_SMR.1

6.3.2. Security assurance requirements rationale

This Protection Profile has been developed for Hardcopy Devices to be used in commercial information processing environments that require a moderate level of document security, network security, and security assurance. The TOE will be exposed to only a low level of risk because it is assumed that the TOE will be located in a restricted or monitored environment that provides almost constant protection from unauthorized and unmanaged access to the TOE and its data interfaces. Agents cannot physically access any nonvolatile storage without disassembling the TOE, except for removable nonvolatile storage devices, where protection of User and TSF Data is provided when such devices are removed from the TOE environment. Agents have limited or no means of infiltrating the TOE with code to effect a change, and the TOE self-verifies its executable code to detect unintentional malfunctions. As such, Evaluation Assurance Level 2 is appropriate.

EAL 2 is augmented with ALC_FLR.2, Flaw reporting procedures. ALC_FLR.2 ensures that instructions and procedures for the reporting and remediation of identified security flaws are in place, and their inclusion is expected by the consumers of this TOE.

7. TOE Summary specification

The list of the TOE security functions derived from the TOE security functional requirements is shown in Table 7-1. Each function is explained in the paragraphs that follow.

Table 7-1 Names and identifiers of TOE Security Functions
  No.   TOE Security Function
  1     F.AUDIT                   Audit log function
  2     F.HDD_ENCRYPTION          HDD encryption function
  3     F.ACCESS_DOC              Stored documents access control function
  4     F.ACCESS_FUNC             User restriction control function
  5     F.RIP                     Residual information deletion function
  6     F.I&A                     Identification and Authentication function
  7     F.SEPARATE_EX_INTERFACE   External interface separation function
  8     F.SELF_TEST               Self-test function
  9     F.MANAGE                  Security management function
  10    F.SECURE_LAN              Network communication protection function

F.AUDIT (Audit log function)

F.AUDIT acquires the audit log and protects the acquired audit log against alteration and disclosure.

7.1.1. Audit log acquirement function
- Corresponding functional requirements: FAU_GEN.1, FAU_GEN.2
The TOE generates the following log.
Table 7-2 Audit log
Events:
- Start of the audit log acquirement function
- End of the audit log acquirement function
- Success and failure of a login operation
- Failure of reauthentication
- Authentication suspension
- Recovery from the authentication suspension state
- Use of a management function of Table 6-19
- Failure of communication through the network
- End of session by the auto session terminate function
Log (recorded for each event):
- Date/time of the event
- Identification information of the event
- Identification information of the subject (Admin ID, User ID)
- Result of the event (success or failure)

7.1.2. Audit log review function
- Corresponding functional requirements: FAU_SAR.1, FAU_SAR.2

The TOE restricts reading of the audit log to U.ADMINISTRATOR only. The TOE provides the function to download the audit log to a client PC as an XML-format file including log date, operator, operation and result.

7.1.3. Audit storage function
- Corresponding functional requirements: FAU_STG.1, FAU_STG.4(1), FAU_STG.4(2)

The TOE prohibits unpermitted modification or deletion of the audit log. The TOE stores the audit log in the HDD of the TOE, and the following process is performed when the storage area becomes full.
(1) When "Restriction of overwriting" is set, operations other than the following are prohibited; print from PC and FAX RX are also rejected:
  - Deleting the audit log and export (the audit log on the TOE is deleted by export)
  - Changing the setting from "Restriction of overwriting" to "Permission of overwriting"
(2) When "Permission of overwriting" is set, the oldest stored audit log is overwritten.
The settings in (1) and (2) are performed by U.ADMINISTRATOR.

7.1.4. Trusted time stamp function
- Corresponding functional requirements: FPT_STM.1

The TOE has a clock function. The TOE issues a time stamp from the clock function at the time of audit log generation.
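The full-log handling of 7.1.3 together with the administrator-only review and XML export of 7.1.2, as an added example that is not part of the ST or the TOE's own code; it assumes a small fixed capacity and the role name U.ADMINISTRATOR, since the ST states neither the log size nor an internal format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Added example modelled on 7.1.2 and 7.1.3; it is not TOE code. Assumptions:
# a small fixed capacity (the ST does not state the real log size) and the
# role name "U.ADMINISTRATOR" for the administrator.
RESTRICT = "Restriction of overwriting"
PERMIT = "Permission of overwriting"
ADMIN = "U.ADMINISTRATOR"
# Operations still accepted when the log is full under RESTRICT (7.1.3 (1)).
EXEMPT_OPS = {"delete audit log", "export audit log", "set " + PERMIT}
# Operations reserved to U.ADMINISTRATOR (FAU_SAR.1, FAU_SAR.2, FAU_STG.1).
ADMIN_OPS = EXEMPT_OPS | {"read audit log", "set " + RESTRICT}


@dataclass
class AuditRecord:
    when: str       # date/time from the TOE clock (FPT_STM.1)
    event: str      # identification information of the event
    subject: str    # Admin ID or User ID
    success: bool   # result of the event


class AuditStore:
    def __init__(self, capacity: int, mode: str = RESTRICT) -> None:
        self.capacity, self.mode = capacity, mode
        self.records: List[AuditRecord] = []

    def is_full(self) -> bool:
        return len(self.records) >= self.capacity

    def authorize(self, op: str, role: str) -> bool:
        """Decide whether an operation may proceed. With RESTRICT set and the
        log full, only the exempt (administrator-only) operations are accepted;
        print from PC, FAX RX and everything else are rejected."""
        if self.is_full() and self.mode == RESTRICT and op not in EXEMPT_OPS:
            return False
        if op in ADMIN_OPS:
            return role == ADMIN
        return True

    def record(self, rec: AuditRecord) -> None:
        """Store an event; under PERMIT the oldest entry is overwritten (7.1.3 (2))."""
        if self.is_full():
            if self.mode != PERMIT:
                raise RuntimeError("audit log full under " + RESTRICT)
            self.records.pop(0)
        self.records.append(rec)

    def set_mode(self, mode: str, role: str) -> bool:
        if mode not in (RESTRICT, PERMIT) or not self.authorize("set " + mode, role):
            return False
        self.mode = mode
        return True

    def export_xml(self, role: str) -> str:
        """Download as an XML file (date, operator, operation, result) and clear
        the log, because export deletes the audit log held on the TOE."""
        if not self.authorize("export audit log", role):
            raise PermissionError("only " + ADMIN + " may read the audit log")
        root = ET.Element("auditlog")
        for r in self.records:
            ET.SubElement(root, "entry", date=r.when, operator=r.subject,
                          operation=r.event, result="success" if r.success else "failure")
        self.records.clear()
        return ET.tostring(root, encoding="unicode")


def fill_log(store: AuditStore, n: int) -> AuditStore:
    """Constructed sample events: n login attempts by a normal user."""
    for i in range(n):
        store.record(AuditRecord(f"2016-09-14T10:00:{i:02d}", "login", "user01", i % 2 == 0))
    return store
```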
F.HDD_ENCRYPTION (HDD encryption function)
- Corresponding functional requirements: FCS_CKM.1, FCS_COP.1, FIA_SOS.1(3)

The TOE performs encryption to protect data stored in the HDD against unauthorized disclosure. The encryption key and algorithm used are as follows.
(1) Encryption key
The encryption key is generated by the SHA-256 algorithm defined in FIPS 180-3 (the encryption key length is 256 bits). A unique encryption key for each TOE is generated based on the encryption passphrase set by U.ADMINISTRATOR. Only an encryption passphrase that satisfies the following qualities with F.MANAGE is accepted.
- Number of characters: 20 characters
- Character type: possible to choose from 95 or more characters
- Rules:
  - Do not compose it of only one and the same character.
  - Do not compose it of only one type of character.
(2) Encryption algorithm
The encryption algorithm is shown in Table 7-3.

Table 7-3 Encryption algorithm in the HDD encryption function
Encryption key size | Encryption algorithm
256 bits | Encryption algorithm conforming to FIPS PUB 197 (AES)

F.ACCESS_DOC (Stored documents access control function)
- Corresponding functional requirements: FDP_ACC.1(a), FDP_ACF.1(a)

Only the access control function for HDD stored documents is described in this chapter; the other access control functions for D.DOC are described in F.ACCESS_FUNC. The TOE provides the function to store documents. Documents are stored in the HDD, access control is performed by referring to the document attributes, and then downloading to a PC and deletion can be performed. The following shows the details of access control of documents.

Table 7-4 Operation of document
Memory RX document (storing to +DSR from +FAXIN): Saves FAX RX documents. D.DOC where documents are saved is associated with the FAXIN Box Word.
  Create: ― | Modify: None | Read (Download to PC): U.USER or U.ADMIN | Delete: U.USER or U.ADMIN
Scanned stored document (storing to +DSR from +SCN): Saves scanned documents (HDD). D.DOC where documents are saved is associated with the User ID.
  Create: login_id | Modify: None | Read (Download to PC): login_id or U.ADMIN | Delete: login_id or U.ADMIN
* U.USER: the specified FAXIN Box Word matches and the U.USER whose function is allowed to be utilized can operate.
  U.ADMIN: U.ADMINISTRATOR can operate.
  login_id: the operation is possible only when the User ID of the login user and the User ID of the document match.
  Since the Memory RX document is created by FAX RX, it is not required to define "Create".

F.ACCESS_FUNC (User restriction control function)
- Corresponding functional requirements: FDP_ACC.1(a), FDP_ACF.1(a), FDP_ACC.1(b), FDP_ACF.1(b), FMT_MSA.3(a), FMT_MSA.3(b)

With the user management function of F.MANAGE, a normal user is authorized and registered. The TOE permits the operation of F.PRT, F.SCN, F.CPY, F.FAX and F.DSR according to the authority of the identified and authenticated normal user. Also, operations on the Permission Role, which holds these attributes, cannot be performed. An identified and authenticated normal user can perform only the functions permitted to that user. F.MANAGE gives the corresponding attribute to D.DOC and D.FUNC, which are generated by each function, when they are generated. Also, the following operations are available on D.DOC and D.FUNC that occur during execution of functions. The performer is the user who has the same attribute as the D.DOC and D.FUNC being operated on, or a permitted attribute. The TOE compares them, and only when they match is that user accepted as the performer. U.ADMINISTRATOR can delete all D.DOC and D.FUNC by deleting the job. Moreover, U.NORMAL can delete D.FUNC with the DSR attribute, as well as delete D.DOC through F.ACCESS_DOC.
- In case of PRINT (+PRT)
  The following operations are possible (using the ID & Print user box).
  - Register ID & Print job: A job is registered when user authentication is successful for a print operation with the printer driver on the client PC.
  - Print: The U.NORMAL that performed that printing can print. (Read)
  - Delete: The U.NORMAL that performed that printing can delete. (Delete)
- In case of SCAN (+SCN)
  The following operations are possible.
  - Operation of D.DOC: The U.NORMAL that performs the scan can send the read original data by e-mail. With F.ACCESS_DOC, it can be saved to the HDD (Create of +DSR) and the D.DOC (+DSR) saved to the HDD can be operated. When the job enters the waiting-for-transmission state, the following operation is available.
  - Delete: The U.NORMAL that performed that scanning can delete the job that is waiting for transmission. (Delete)
- In case of COPY (+CPY)
  The following operations are possible.
  - Print: The U.NORMAL that performed that copying can print.
  - Delete: The U.NORMAL that performed that copying can delete the job. (Delete)
- In case of FAX RX (+FAXIN)
  D.DOC received by FAX is saved to the HDD associated with the FAXIN Box Word. The U.USER and U.ADMIN matching the specified FAXIN Box Word can print the FAX. Since the other operations are handled as for stored documents, they are performed through F.ACCESS_DOC.
- In case of FAX TX (+FAXOUT)
  The following operations are possible.
  - FAX TX operation: The U.NORMAL that is allowed to send FAX can read the original data and send it by FAX.
  - Delete: The U.NORMAL that performed that FAX TX can delete the job. (Delete)

F.RIP (Residual information deletion function)

7.5.1. Temporary data deletion function
- Corresponding functional requirement: FDP_RIP.1

The TOE prevents reuse of residual information by overwriting and deleting the deleted document, the temporary document or its parts in the HDD. This function is performed at the following times.
(1)
When a job such as print or scan is completed or suspended: the temporary document or its parts generated during job execution are deleted.
(2) When a deletion operation is performed: the specified document is deleted.
(3) When residual information exists at the time the power is turned on: if the power was turned off during a deletion of (1) or (2) and the deletion was not completed, leaving residual information, it is deleted at power-on.
U.ADMINISTRATOR sets the overwriting data and the number of overwrite passes by the operation setting function of the HDD data overwrite deletion function. The possible settings and their details are as follows.

Table 7-5 Operation settings of the overwrite deletion function for temporary data
Setting | Contents (overwritten data type and its order)
Mode 1 | Overwrite once with 0x00
Mode 2 | Overwrite with 0x00, 0xFF, 0x61 in this order and verify the result

7.5.2. Data complete deletion function
- Corresponding functional requirements: FDP_RIP.1

U.ADMINISTRATOR can perform overwriting and deletion of the data area, including image data, in the HDD. This deletes documents in the HDD and prevents reuse of residual information. U.ADMINISTRATOR sets the overwriting data and the number of overwrite passes by the operation setting function of the HDD data overwrite deletion function. The possible settings and their details are as follows.
Table 7-6 Operation settings of the data complete deletion function
Method | Overwritten data type and order
Mode 1 | 0x00
Mode 2 | Random numbers ⇒ Random numbers ⇒ 0x00
Mode 3 | 0x00 ⇒ 0xFF ⇒ Random numbers ⇒ Verification
Mode 4 | Random numbers ⇒ 0x00 ⇒ 0xFF
Mode 5 | 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF
Mode 6 | 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ Random numbers
Mode 7 | 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ 0xAA
Mode 8 | 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ 0x00 ⇒ 0xFF ⇒ 0xAA ⇒ Verification

F.I&A (Identification and authentication function)
- Corresponding functional requirements: FIA_AFL.1, FIA_ATD.1, FIA_SOS.1(1), FIA_SOS.1(2), FIA_UAU.1, FIA_UAU.6, FIA_UAU.7, FIA_UID.1, FIA_USB.1, FTA_SSL.3, FMT_SMR.1

The TOE verifies that the person who tries to use the TOE is an authorized user by using the identification and authentication information obtained from the user, and permits use of the TOE only to the person determined to be an authorized user. The identification and authentication function has the machine authentication method, in which the TOE itself identifies and authenticates, and the external server authentication method, which uses an external authentication server.

Table 7-7 Authentication method
Authentication method | Possible operations before success of identification and authentication | SFR
Machine authentication | FAX RX; TOE status check and display setting | FIA_UID.1, FIA_UAU.1
External server authentication | FAX RX; TOE status check and display setting | FIA_UID.1, FIA_UAU.1
* The setting of the authentication method is performed by U.ADMINISTRATOR. Machine authentication and external server authentication cannot both be activated at the same time.

When U.ADMINISTRATOR has set the external server authentication method, a normal user can select the connection destination external authentication server at authentication. Reauthentication is required of an authorized user changing his/her password by F.MANAGE. (FIA_UAU.6)
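The overwrite sequences of Tables 7-5 and 7-6 above, run over a byte array that stands in for an HDD area, as an added example that is not the TOE's code; it assumes os.urandom for the "Random numbers" passes and models "Verification" as reading the area back and comparing it with the last pass, which also shows the failure mode verification exists for (writes that never land).

```python
import os
from typing import List, Union

# Added example modelled on Tables 7-5 and 7-6; it is not TOE code. Assumptions:
# "Random numbers" is taken from os.urandom (the ST does not name the generator),
# a bytearray stands in for the HDD area, and "Verification" re-reads the area
# and compares it with the data written by the last pass.
Pattern = Union[bytes, str]   # a one-byte fill value, "random" or "verify"

COMPLETE_DELETION_MODES = {          # Table 7-6
    1: [b"\x00"],
    2: ["random", "random", b"\x00"],
    3: [b"\x00", b"\xff", "random", "verify"],
    4: ["random", b"\x00", b"\xff"],
    5: [b"\x00", b"\xff", b"\x00", b"\xff"],
    6: [b"\x00", b"\xff", b"\x00", b"\xff", b"\x00", b"\xff", "random"],
    7: [b"\x00", b"\xff", b"\x00", b"\xff", b"\x00", b"\xff", b"\xaa"],
    8: [b"\x00", b"\xff", b"\x00", b"\xff", b"\x00", b"\xff", b"\xaa", "verify"],
}
TEMPORARY_DATA_MODES = {             # Table 7-5
    1: [b"\x00"],
    2: [b"\x00", b"\xff", b"\x61", "verify"],
}


def overwrite_area(area: bytearray, passes: List[Pattern]) -> int:
    """Apply the passes in order to `area` and return the number of write passes.
    A 'verify' pass raises RuntimeError when the area does not read back as the
    data of the preceding write, which is how a medium that silently drops writes
    (and so still holds the document) is caught."""
    last = b""
    writes = 0
    for p in passes:
        if p == "verify":
            if bytes(area) != last:
                raise RuntimeError("verification failed: residual data remains")
            continue
        fill = os.urandom(len(area)) if p == "random" else p * len(area)
        area[:] = fill
        last = fill
        writes += 1
    return writes


def complete_deletion(area: bytearray, mode: int) -> bytes:
    """Run one Table 7-6 mode over the area and return its final content."""
    overwrite_area(area, COMPLETE_DELETION_MODES[mode])
    return bytes(area)


def temporary_deletion(area: bytearray, mode: int) -> bytes:
    """Run one Table 7-5 mode over the area and return its final content."""
    overwrite_area(area, TEMPORARY_DATA_MODES[mode])
    return bytes(area)


class StuckArea(bytearray):
    """Constructed fault model: a region whose writes never land."""
    def __setitem__(self, key, value) -> None:
        pass


def verify_detects_stuck_writes() -> bool:
    """True when Mode 2 of Table 7-5 (with verification) refuses a stuck region."""
    try:
        overwrite_area(StuckArea(b"secret fax image"), TEMPORARY_DATA_MODES[2])
    except RuntimeError:
        return True
    return False
```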
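The passphrase quality rules of F.HDD_ENCRYPTION above and the login password rules that Table 7-8 below sets, with the SHA-256 key derivation, as an added example that is not the TOE's code; it assumes printable ASCII as the 95-character set, a constructed two-character exclusion as a placeholder for the 93-character set the ST does not list, upper/lower/digit/symbol as the "types" of character, and plain SHA-256 over the UTF-8 passphrase.

```python
import hashlib
import string
from dataclasses import dataclass
from typing import Optional, Set

# Added example modelled on the passphrase quality of F.HDD_ENCRYPTION and the
# password quality of Table 7-8; it is not TOE code. Assumptions: the 95-character
# set is printable ASCII including space; the ST does not list the 93 characters
# allowed for U.NORMAL, so the two exclusions below are a constructed placeholder;
# the "types" of character are taken as upper, lower, digit and symbol; the
# 256-bit key is SHA-256 over the UTF-8 passphrase, the ST giving no further detail.
PRINTABLE_95: Set[str] = set(string.ascii_letters + string.digits + string.punctuation + " ")
NORMAL_USER_93: Set[str] = PRINTABLE_95 - {'"', "+"}   # placeholder, see above


@dataclass(frozen=True)
class QualityPolicy:
    min_len: int
    max_len: Optional[int]            # None = no upper bound
    alphabet: Set[str]
    reject_single_type: bool          # "Do not compose of only one type of character"
    reject_same_as_current: bool      # "Do not set the same password as the current setting"


HDD_PASSPHRASE = QualityPolicy(20, 20, PRINTABLE_95, True, False)        # FIA_SOS.1(3)
ADMIN_PASSWORD = QualityPolicy(8, None, PRINTABLE_95, False, True)       # FIA_SOS.1(1)
NORMAL_PASSWORD = QualityPolicy(8, None, NORMAL_USER_93, False, True)    # FIA_SOS.1(2)


def char_type(c: str) -> str:
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "symbol"


def check_quality(secret: str, policy: QualityPolicy, current: Optional[str] = None) -> Optional[str]:
    """Return None when the secret is accepted, otherwise the name of the violated rule."""
    if len(secret) < policy.min_len or (policy.max_len is not None and len(secret) > policy.max_len):
        return "length"
    if any(c not in policy.alphabet for c in secret):
        return "character not allowed"
    if len(set(secret)) == 1:
        return "only one and the same character"
    if policy.reject_single_type and len({char_type(c) for c in secret}) == 1:
        return "only one type of character"
    if policy.reject_same_as_current and current is not None and secret == current:
        return "same as current"
    return None


def derive_hdd_key(passphrase: str) -> bytes:
    """Accept the passphrase under FIA_SOS.1(3) and derive the 256-bit HDD key
    with SHA-256 (FIPS 180-3); raises ValueError for a rejected passphrase."""
    problem = check_quality(passphrase, HDD_PASSPHRASE)
    if problem is not None:
        raise ValueError("encryption passphrase rejected: " + problem)
    return hashlib.sha256(passphrase.encode("utf-8")).digest()
```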
The TOE displays "*" for every character entered to hide the entered password. (FIA_UAU.7)
When identification and authentication succeed, the specified FAXIN Box Word, User ID and Allocation Role are bound to the process acting on behalf of the appropriate user. (FIA_ATD.1, FIA_USB.1)
Moreover, the TOE prevents setting a low-strength password by requiring the passwords used for authentication to satisfy the following qualities through F.MANAGE.

Table 7-8 Password and quality
Objective | Condition | SFR
Login password (U.ADMINISTRATOR) | SFR: FIA_SOS.1(1)
  The TOE accepts only a password that satisfies the following.
  - Number of characters: 8 or more characters
  - Character type: possible to choose from 95 or more characters
  - Rules: (1) Do not compose it of only one and the same character. (2) Do not set the same password as the current setting after change.
Login password (U.NORMAL) | SFR: FIA_SOS.1(2)
  The TOE accepts only a password that satisfies the following.
  - Number of characters: 8 or more characters
  - Character type: possible to choose from 93 or more characters
  - Rules: (1) Do not compose it of only one and the same character. (2) Do not set the same password as the current setting after change.

When authentication fails, the TOE performs the following process.

Table 7-9 Process at the time of authentication failure
Objective | Processing | SFR
Authentication failure by login password | Authentication is suspended when the number of consecutive authentication failures reaches three. When the authentication of the administrator is suspended, it is released by performing the boot process of the TOE and then waiting for the time set in the release time setting of operation prohibition for administrator authentication, counted from the boot process. In other cases, it is released by the administrator performing the deletion function for the number of authentication failures with F.MANAGE.
SFR: FIA_AFL.1

When the identified and authenticated user does not operate for a certain period of time, the session is terminated. The details are as follows. (FTA_SSL.3)

Table 7-10 Termination of interactive session
Objective | Session termination | Others
Operation panel | When the time determined by the auto reset time has passed after the last operation and the processing of the last operation were completed. | The auto reset time is set at the factory and the administrator can change it.
Web Connection | When the time determined by the auto logout time has passed after the last operation and the processing of the last operation were completed. | The auto reset time is set at the factory and the administrator can change it.
Data Administrator | When 60 minutes have passed after the processing of the last operation was completed.* | The time is fixed.
Printer driver | There is no interactive session, since acceptance of the request is the start and completion of the processing is the end. | ―
* This time takes into account processes that take time, such as downloading the registered information.

F.SEPARATE_EX_INTERFACE (External interface separation function)
- Corresponding functional requirement: FPT_FDI_EXP.1

The TOE prevents access from the telephone line by limiting the input information from the telephone line to FAX RX and the Remote Access function only, and prohibits transfer of received faxes. Moreover, its structure does not allow input from external interfaces, including the USB interface, to be transferred to the Shared-medium Interface as it is.

F.SELF_TEST (Self-test function)
- Corresponding functional requirement: FPT_TST.1

The TOE verifies the integrity of the encryption passphrase and the normal operation of the encryption function by comparing the encryption passphrase value generated at power-on with the value calculated at MFP activation.
Moreover, the TOE verifies the integrity of the TSF executable code and the normal operation of the overall control function by calculating a hash value of the control software when the power is turned on and checking whether it matches the recorded value. If a loss of integrity is detected in the integrity verification of the encryption passphrase or the control software, the TOE displays an alert on the operation panel and does not accept operation.

F.MANAGE (Security management function)
- Corresponding functional requirements: FIA_SOS.1(1), FIA_SOS.1(2), FMT_MOF.1, FMT_MSA.1(a), FMT_MSA.1(b), FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FIA_SOS.1(3)

The TOE provides the following management functions.

Table 7-11 Management function
Management function | Contents | Operator
Management function of Enhanced Security settings | Enable or disable the Enhanced Security settings. | U.ADMINISTRATOR
Management function of User Authentication function | Performs the setting of the authentication method. | U.ADMINISTRATOR
Operation setting function of HDD data overwrite deletion function | Performs the operation setting of the HDD data overwrite deletion function (setting of Mode). | U.ADMINISTRATOR
Audit log management function | Performs the operation setting for when the audit log is full (Restriction of overwriting / Permission of overwriting). Reads and deletes the audit log. | U.ADMINISTRATOR
Trust channel management function | Communication encryption strength setting (change of the communication encryption method). | U.ADMINISTRATOR
User management function | Registration, deletion and modification of U.NORMAL (User ID) in the TOE. Modification and deletion of authority (Allocation Role).
  The defaults of each Role of the Allocation Role are shown below:
  - Print Role (Default: Allow)
  - Scan Role (Default: Allow)
  - Copy Role (Default: Allow)
  - Fax Role (Default: Restrict)
  - DSR Role (SCN) (Default: Allow)
  - DSR Role (FAXIN) (Default: Restrict)
  Registration and modification of the login password of U.NORMAL are performed. The password quality is checked at this time. | U.ADMINISTRATOR
Initialization of attributes (D.DOC and D.FUNC) | The TOE initializes the security attributes of D.DOC and D.FUNC in accordance with Table 6-15. | +DSR (+FAXIN): FAXIN Box Word set by U.ADMINISTRATOR; Others: U.NORMAL
Initialization of attributes (F.PRT, F.SCN, F.CPY, F.FAX, F.DSR) | Since the attributes of F.PRT, F.SCN, F.CPY, F.FAX and F.DSR of the TOE are fixed as stated in Table 6-16, there is no function to intervene in this initialization processing. | None
Modification function of U.NORMAL's login password | Changes the login password of U.NORMAL. The password quality is checked at this time. | U.NORMAL
Modification function of U.ADMINISTRATOR login password | U.ADMINISTRATOR changes own password. (There is no setting function since the initial value is set at the factory.) The password quality is checked at this time. | U.ADMINISTRATOR
Setting function of encryption passphrase | Sets another encryption passphrase, which is the basic data for the encryption key used by the HDD encryption function. The quality of the encryption passphrase is checked at this time. | U.ADMINISTRATOR
Modification function of date information | Sets the date and time information. | U.ADMINISTRATOR
Modification function of Auto reset time | Changes the Auto reset time. (There is no setting function since the initial value is set at the factory.) | U.ADMINISTRATOR
Modification function of Auto logout time | Changes the Auto logout time.
  (Operator) U.ADMINISTRATOR
Registration / Modification function of External server authentication setting data | Registers and changes the setting data for the external authentication server (including the domain name the external server belongs to). | U.ADMINISTRATOR
Deletion function of Authentication failure count (except administrator) | Deletes the number of authentication failures (except for the administrator). Accordingly, the lock of the authentication function is released. | U.ADMINISTRATOR
Modification function of Password policy | Sets and changes the password policy. | U.ADMINISTRATOR
Registration / Modification function of Network setting | Sets and changes the network settings (IP address / port No. of the SMTP server / DNS server, MFP IP address, NetBIOS name, etc.). | U.ADMINISTRATOR
Registration / Modification function of transmission address | Registers and changes the transmission address settings (address of e-mail transmission, etc.). | U.ADMINISTRATOR
Registration / Modification function of FAXIN Box Word | Registers and changes the FAXIN Box Word of the Memory RX where received FAX documents are saved. | U.ADMINISTRATOR

F.SECURE_LAN (Network communication protection function)
- Corresponding functional requirement: FTP_ITC.1

The TOE performs encrypted communication in communications with IT devices. The encrypted communication provided by the TOE is as follows (when the Enhanced Security Setting is enabled).

Table 7-12 Encrypted communication provided by the TOE
Destination | Protocol | Encryption algorithm
Client PC | TLSv1.0, TLSv1.1, TLSv1.2 | 3DES (168 bits), AES (128 bits, 256 bits)
External authentication server | IPsec | 3DES (168 bits), AES (128 bits, 192 bits, 256 bits)
DNS server | IPsec | 3DES (168 bits), AES (128 bits, 192 bits, 256 bits)
SMTP server | IPsec | 3DES (168 bits), AES (128 bits, 192 bits, 256 bits)

END