CRP-C0262-01 Certification Report Kazumasa Fujie, Chairman Information-technology Promotion Agency, Japan Target of Evaluation Application date/ID 2010-2-22 (ITC-0290) Certification No. C0262 Sponsor RICOH COMPANY, Ltd. Name of TOE Following MFP with FCU (Fax Option Type 5001). MFP: Ricoh Aficio MP 4001, Ricoh Aficio MP 4001G, Ricoh Aficio MP 5001, Ricoh Aficio MP 5001G, Savin 9240, Savin 9240G, Savin 9250, Savin 9250G, Lanier LD140, Lanier LD140G, Lanier LD150, Lanier LD150G, Lanier MP 4001, Lanier MP 5001, Gestetner MP 4001, Gestetner MP 4001G, Gestetner MP 5001, Gestetner MP 5001G, nashuatec MP 4001, nashuatec MP 5001, Rex-Rotary MP 4001, Rex-Rotary MP 5001, infotec MP 4001, infotec MP 5001 FCU: Fax Option Type 5001 Version of TOE MFP Software/Hardware Version: Software System/Copy 1.00 Network Support 7.29.3 Scanner 01.24 Printer 1.00 Fax 01.00.00 Web Support 1.00.1 Web Uapl 1.02 Network Doc Box 1.00 Hardware Ic Key 1100 Ic Hdd 01 FCU Version: GWFCU3-19(WW) 01.00.00 PP Conformance None Assurance Package EAL3 Developer RICOH COMPANY, Ltd. Evaluation Facility Information Technology Security Center Evaluation Department This is to report that the evaluation result for the above TOE is certified as follows. 2010-7-30 Takumi Yamasato, Technical Manager Information Security Certification Office IT Security Center CRP-C0262-01 2 Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the "IT Security Evaluation and Certification Scheme". - Common Criteria for Information Technology Security Evaluation Version 3.1 Release 2 - Common Methodology for Information Technology Security Evaluation Version 3.1 Release 2 Evaluation Result: Pass "Following MFP with FCU (Fax Option Type 5001). MFP: Ricoh Aficio MP 4001, Ricoh Aficio MP 4001G, Ricoh Aficio MP 5001, Ricoh Aficio MP 5001G, Savin 9240, Savin 9240G, Savin 9250, Savin 9250G, Lanier LD140, Lanier LD140G, Lanier LD150, Lanier LD150G, Lanier MP 4001, Lanier MP 5001, Gestetner MP 4001, Gestetner MP 4001G, Gestetner MP 5001, Gestetner MP 5001G, nashuatec MP 4001, nashuatec MP 5001, Rex-Rotary MP 4001, Rex-Rotary MP 5001, infotec MP 4001, infotec MP 5001 FCU: Fax Option Type 5001" has been evaluated in accordance with the provision of the "IT Security Certification Procedure" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. CRP-C0262-01 3 Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. CRP-C0262-01 4 Table of Contents 1. Executive Summary.............................................................................. 1 1.1 Product Overview ............................................................................ 1 1.1.1 Assurance Package...................................................................... 1 1.1.2 TOE and Security Functionality ................................................... 1 1.1.2.1 Threats and Security Objectives ................................................ 2 1.1.2.2 Configuration and Assumptions ................................................ 2 1.1.3 Disclaimers ................................................................................ 3 1.2 Conduct of Evaluation..................................................................... 3 1.3 Certification ................................................................................... 3 2. Identification of TOE ............................................................................ 4 3. Security Policy ..................................................................................... 5 3.1 Security Function Policies ............................................................... 6 3.1.1 Threats and Security Function Policies ......................................... 6 3.1.1.1 Threats ................................................................................... 6 3.1.1.2 Security Function Policies against Threats ................................. 6 3.1.2 Organisational Security Policy and Security Function Policies ...... 14 3.1.2.1 Organisational Security Policy................................................. 14 3.1.2.2 Security Function Policies to Organisational Security Policy ...... 14 4. Assumptions and Clarification of Scope ............................................... 15 4.1 Usage Assumptions ....................................................................... 15 4.2 Environment Assumptions............................................................. 16 4.3 Clarification of scope .................................................................... 17 5. Architectural Information ................................................................... 22 5.1 TOE boundary and component ....................................................... 22 5.2 IT Environment............................................................................. 23 6. Documentations................................................................................. 25 7. Evaluation conducted by Evaluation Facility and results....................... 28 7.1 Evaluation Approach..................................................................... 28 7.2 Overview of Evaluation Activity ...................................................... 28 7.3 IT Product Testing ........................................................................ 28 7.3.1 Developer Testing...................................................................... 28 7.3.2 Evaluator Independent Testing................................................... 31 7.3.3 Evaluator Penetration Testing .................................................... 35 7.4 Evaluated Configuration................................................................ 38 7.5 Evaluation Results........................................................................ 38 7.6 Evaluator Comments/Recommendations......................................... 38 8. Certification ...................................................................................... 39 8.1 Certification Result ....................................................................... 39 CRP-C0262-01 5 8.2 Recommendations ......................................................................... 39 9. Annexes ............................................................................................ 40 10. Security Target................................................................................ 40 11. Glossary ......................................................................................... 41 12. Bibliography ................................................................................... 45 CRP-C0262-01 1 1. Executive Summary This Certification Report describes the content of certification result in relation to IT Security Evaluation of "Following MFP with FCU (Fax Option Type 5001). MFP: Ricoh Aficio MP 4001, Ricoh Aficio MP 4001G, Ricoh Aficio MP 5001, Ricoh Aficio MP 5001G, Savin 9240, Savin 9240G, Savin 9250, Savin 9250G, Lanier LD140, Lanier LD140G, Lanier LD150, Lanier LD150G, Lanier MP 4001, Lanier MP 5001, Gestetner MP 4001, Gestetner MP 4001G, Gestetner MP 5001, Gestetner MP 5001G, nashuatec MP 4001, nashuatec MP 5001, Rex-Rotary MP 4001, Rex-Rotary MP 5001, infotec MP 4001, infotec MP 5001 FCU: Fax Option Type 5001, MFP Software/Hardware Version: Software System/Copy 1.00, Network Support 7.29.3, Scanner 01.24, Printer 1.00, Fax 01.00.00, Web Support 1.00.1, Web Uapl 1.02, Network Doc Box 1.00, Hardware Ic Key 1100, Ic Hdd 01, FCU Version: GWFCU3-19(WW) 01.00.00" (hereinafter referred to as "the TOE") developed by RICOH COMPANY, Ltd., and evaluation of the TOE was finished on 2010-7-8 by Information Technology Security Center Evaluation Department (hereinafter referred to as "Evaluation Facility"). It reports to the sponsor, RICOH COMPANY, Ltd. and provides information to the users and system operators who are interested in this TOE. The reader of the Certification Report is advised to read the Security Target (hereinafter referred to as "the ST") that is the appendix of this report together. Especially, details of security functional requirements, the assurance requirements for TOE and rationale for sufficiency of those requirements of the TOE are described in ST. This certification report assumes "the person who managed this TOE" to be a reader. Note that the Certification Report presents the certification result based on assurance requirements to which the TOE conforms, and does not guarantee individual IT product itself. 1.1 Product Overview Overview of the TOE functions and operational conditions are as follows. Refer to and after Chapter 2 for details. 1.1.1 Assurance Package Assurance package of the TOE requires EAL3. 1.1.2 TOE and Security Functionality The subject device of this certification is a digital MFP (hereafter "MFP") made by RICOH COMPANY, LTD., and which provides the functions of copier, scanner, printer, and fax (option). However, the target of this certification is a device equipped with the optional Fax Function. This product is used for inputting, storing and outputting document data in the environments which handle office documents in general offices. This TOE contains the functions to encrypt the document data when storing into the TOE and the communicating document data when sending out of the TOE in order to protect the document data from accidental disclosure. Also, in order to allow only the specified users to operate the document data stored in the TOE, the device prevents performing the function to handle the document data and reading and writing the document data. It provides storing, printing, and sending the document data from the trusted TOE. For managing these security functions, this TOE enforces the identification and authentication to prevent TOE users (general user, administrator, and supervisor) from the unauthorised operation of the Security Management Functions and it protects the security CRP-C0262-01 2 functions from unauthorised persons by limiting the usage of the Security Management Functions. For these security functionalities, the evaluation for the validity of the design policy and the correctness of the implementation is conducted in the scope of the assurance package. The next clause describes the assumed threats and assumptions in this TOE. 1.1.2.1 Threats and Security Objectives This TOE counters threats with the following security functions: In order to protect the document data as protected assets from viewing and tampering by a third party who is not permitted to use the TOE, the TOE performs user identification and authentication for the TOE users and the TOE also restricts access to the document data and available functions according to user roles. This function enables only users who have been identified, authenticated, and permitted to access the functions of the TOE and the stored document data in the TOE. When permitted users store document data via internal networks into the TOE, in order to ensure the confidentiality and completeness of the document data during data communications, the device contains functions to encrypt the data between the connected computers and the TOE, and to decrypt the data on client computers and the TOE for communication on the internal network. This enables protection of document data from leakage and tampering by eavesdropping on the internal network from a third party. As for setting of the security functions mentioned above, in order to prevent users without permission to set the functions from changing and stopping the functions, the TOE confirms the user identification of supervisor and administrators and limits to the minimum necessary the security functions that can be operated by the supervisor and administrators to avoid the risk of stopping the security functions by misuse of privileges. 1.1.2.2 Configuration and Assumptions The evaluated product is assumed to be operated under the following configuration and assumptions. This TOE is assumed to be used in the environments which handle the office documents in general offices. Also, the TOE is used through operation panel of the TOE, and through printer drivers and Web browsers of client computers which are connected via internal networks and telephone lines, and USB. Internal networks use IPv4. Server computers such as FTP server, SMB server, and SMTP server and client computers are connected to the internal networks. If connecting the TOE to the internal networks which are connected to the external networks such as Internet, not to attack in the TOE from the external networks through network, install firewalls in the boundaries of the external networks and internal networks and protect the internal networks and the TOE. Administrators of this TOE have sufficient knowledge to securely operate the TOE and they securely keep the TOE and the operational environment for the TOE. The administrators shall not perform the illegal acts to abuse their own privileges, leak or tamper the document data as protected assets, and to deactivate the security functions of the TOE. Also, for general users who use the MFP, provide the necessary advice and attentions to securely operate the TOE. Supervisor and Customer Engineers have sufficient knowledge to securely operate the TOE. CRP-C0262-01 3 They shall not perform the illegal acts to abuse their own privileges, leak or tamper the document data as protected assets, and to deactivate the security functions of the TOE. 1.1.3 Disclaimers This TOE can not assure security in the following cases: - If the settings in the Service Mode Lock Function are disabled, the TOE after that will not be CC-certified. - In the same way, if the TOE is configured with the following settings, the TOE will not be CC-certified. > Use IPv6 protocol > Use IP-Fax and Internet Fax Function > Use an authentication method other than Basic Authentication - Fax data that the TOE receives is not a target of this evaluation so it will not be CC-certified. - Address book data that was stored to SD card as a backup and was restored from a backup are not the target of this evaluation so it will not be CC-certified. - Although there are “document data and print data sent or received by the TOE” via USB interfaces or telephone lines, leakage or tampering of document data and print data via USB interfaces or telephone lines are not the target of this evaluation. Protection of such data will not be CC-certified. 1.2 Conduct of Evaluation Evaluation Facility conducted IT security evaluation, and completed on 2010-7 based on functional requirements and assurance requirements of the TOE according to the publicized documents "IT Security Evaluation and Certification Scheme"[1], "IT Security Certification Procedure"[2], "Evaluation Facility Approval Procedure"[3] provided by Certification Body. 1.3 Certification The Certification Body verifies the Evaluation Technical Report and Observation Report prepared by the Evaluation Facility and evaluation evidence materials, and confirmed that the TOE evaluation is conducted in accordance with the prescribed procedure. Those concerns pointed out by the Certification Body are fully resolved, and the Certification Body confirmed that the TOE evaluation is appropriately conducted in accordance with CC ([5][6] or [8][9]) and CEM (either of [10][11]). The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the Evaluation Facility and concluded fully certification activities. CRP-C0262-01 4 2. Identification of TOE The TOE is identified as follows; Name of TOE Following MFP with FCU (Fax Option Type 5001). MFP: Ricoh Aficio MP 4001, Ricoh Aficio MP 4001G, Ricoh Aficio MP 5001, Ricoh Aficio MP 5001G Savin 9240, Savin 9240G, Savin 9250, Savin 9250G, Lanier LD140, Lanier LD140G, Lanier LD150, Lanier LD150G, Lanier MP 4001, Lanier MP 5001, Gestetner MP 4001, Gestetner MP 4001G, Gestetner MP 5001, Gestetner MP 5001G, nashuatec MP 4001, nashuatec MP 5001, Rex-Rotary MP 4001, Rex-Rotary MP 5001, infotec MP 4001, infotec MP 5001 FCU: Fax Option Type 5001 Version of TOE MFP Software/Hardware Version: Software System/Copy 1.00 Network Support 7.29.3 Scanner 01.24 Printer 1.00 Fax 01.00.00 Web Support 1.00.1 Web Uapl 1.02 Network Doc Box 1.00 Hardware Ic Key 1100 Ic Hdd 01 FCU Version: GWFCU3-19(WW) 01.00.00 Developer RICOH COMPANY, LTD. The user can verify that a product is the TOE, which is evaluated and certified, by the following means. The user can confirm that the installed product is this evaluated TOE by comparing the names and the versions of hardware and firmware that are displayed on the operation panel of the TOE in MFP itself and in Fax Controller Unit, with the applicable descriptions in the list of the TOE configuration items. CRP-C0262-01 5 3. Security Policy This chapter describes security function policies and organisational security policies. The TOE imports the paper documents of users, receives the document data from client computers which are connected via Network, stores the confidential document data into HDD of the TOE, and performs outputting by print and delivery. Therefore, the TOE is a digital MFP with Security Function regarding receiving, storing, and outputting the document data. The security functions of the TOE protect the stored document data and setting data in the TOE from tampering and leakage by the third party in accordance with the user identification and authentication, the access control, and the encryption, and it protects the communication data on the internal network in accordance with the communication encryption. And the security functions of the TOE have the functions to confirm that MFP control software is software officially provided by RICOH COMPANY, LTD. and to record as audit logs the events when checking the operation status of the entire TOE, or in the occurrence of security breaches such as consecutive failures of the password entry. Furthermore, the security functions of the TOE have the functions to manage the settings related to the security functions, and to record the processing of the security functions. Preventing and detecting against the breaches of the usage of the assumed TOE security functions protect these implemented security functions. CRP-C0262-01 6 3.1 Security Function Policies The TOE possesses the security functions to counter the threats shown in Chapter 3.1.1 and to meet the organisational security policy shown in Chapter 3.1.2. 3.1.1 Threats and Security Function Policies 3.1.1.1 Threats The TOE assumes the threats shown in Table 3-1 and provides the functions for countermeasure against them. Table 3-1 Assumed Threats Identifier Threat T.ILLEGAL_USE Attackers may read or delete document data by gaining unauthorised access to the TOE though the external TOE interfaces (the operation panel, network interface, USB interface, or SD card interface). T.UNAUTH_ACCESS Authorised TOE users may breach the limits of authorised usage and access document data through the external TOE interfaces (the operation panel, network interface, or USB interface). T.ABUSE_SEC_MNG Persons not authorised to use Security Management Functions may abuse them. T.SALVAGE Attackers may remove the HDD from the TOE and disclose document data. T.TRANSIT Attackers may illegally obtain, leak or tamper with document data or print data sent or received by the TOE via the internal network. *Note: The "document and print data sent or received by the TOE" can exist on the USB interface or telephone lines; however, obtaining and tampering with data that is in transit through these media is not considered a threat. T.FAX_LINE Attackers may illegally gain access to the TOE through telephone lines. 3.1.1.2 Security Function Policies against Threats The TOE counters the threats shown in this Table 3-1 by the following security function policies. (1) Countermeasures against the threat T.ILLEGAL_USE T.ILLEGAL_USE in which attackers may read or delete document data by gaining unauthorised access to the TOE is countered by the user identification and authentication and the audit as follows: The TOE requires those who attempt to use the functions (hereafter, operators) to enter their user IDs and authentication information (hereafter, password). The TOE then verifies the authenticity of the entered user ID and password. After the TOE verifies the user ID and password, either 1) or 2) happens: 1) If the TOE does not recognise the user ID and password as valid, the TOE prevents the operator from using TOE functions. Operator who is authorised to use the TOE have valid user ID and password, while operator who is unauthorised to use the TOE do not have any user ID and password. Therefore, unauthorised operator is regarded as CRP-C0262-01 7 unpermitted user for the TOE and they cannot use the TOE functions. 2) If the TOE recognises the entered user ID and password as valid, it identifies the operator and furthermore, operator role by the user ID. The TOE, in accordance with the operator (hereafter, user) role that is permitted for the TOE usage, allows the usage of the TOE functions. The TOE, in order to counter spoofing by entering the user ID and password, has the following functions: 1) If with the same user ID, the number of consecutive unsuccessful attempts to authenticate arrived at the specified number of attempts before lockout, the TOE locks out that user ID (will not authenticate users with that user ID). 2) When requiring registering or changing their passwords, the TOE only accepts passwords that satisfy the conditions of minimum password length and complexity setting for password. 3) Recording the entry of the user ID and password in the audit logs enables to re-detect spoofing by users attempting to enter a user ID and password. As mentioned above, T.ILLEGAL_USE in which attackers illegally access the TOE and operate the document data is countered by the user identification and authentication and the audit because the unpermitted TOE users cannot use the TOE functions. (2) Countermeasures against the threat T.UNAUTH_ACCESS T.UNAUTH_ACCESS, by which authorised TOE users may breach the limits of authorised usage and access document data, is countered by the user identification and authentication and the access control of protected assets. The TOE, if users request the usage of the TOE functions, in accordance with user roles, checks whether or not the users are authorised to use TOE functions, and grants the permission for using the functions. The available roles for the TOE are as follows: - General User - Supervisor - Administrator The administrator has the following roles. These roles are not performed exclusively, so multiple roles can be assigned to one administrator user ID. > User Administrator > Machine Administrator > Network Administrator > File Administrator The following shows the relation between the user roles and the TOE functions and the authorities to access the document data. 1) General User The general user is permitted to actively use the following MFP basic functions and security functions: Basic Functions: > File administration > Copy Function > Printer Function > Fax Function > Scanner Function CRP-C0262-01 8 > Document Server Function > Web Service Function > Management Function Security Functions: > Security Management Function (Management functions of document data ACL, management functions of general user information, etc.) The document data is added to the document data ACL. The document data ACL states that the general user can use the document data and the operational authorities for the document data. The general user who can manage the document is allowed to read, delete the document data, change print settings, and manage the document data ACL depending on whether or not the user is authorised to access the document data shown in Table 3-2. Also, the general user can modify only the document data ACL of the document data only if the user is the document file owner. The general user cannot change the general user ID by using the management functions of the general user. Therefore, the general user cannot manage the document data by modifying the document data ACL of the document data if the other general user is the document file owner. Table 3-2 Relation between Operational Authorities for the Document Data and the Operation Permission (Document File Owner) Operational Authorities for the Document Data Authorised Operations View Edit Edit/Delete Full Control Read Document Data X X X X Delete Document Data - - X X Change Print Settings - X X X Modify Document Data ACL - Newly create document file users - Delete document file users - Change operational authorities - - - X As mentioned above, a general user is allowed to use the basic functions to manage the document data, although the scope of operation on document data is restricted by the document data ACL, T.UNAUTH_ACCESS, by which authorised TOE users may breach the limits of authorised usage and access document data, is countered by the user identification and authentication and the access control of protected assets. 2) Supervisor The supervisor is permitted to actively use the following basic functions and security functions: Basic Functions: > Web Service Function > Management Function Security Functions: > Security Management Function (the parts of the security management functions that are permitted for supervisor such CRP-C0262-01 9 as management of administrator information, management of supervisor information, etc.) The supervisor is a user who can manage the information of the administrator and supervisor is allowed to access. Such information includes the administrator password, supervisor ID and the password. 3) Administrator (File Administrator) The file administrator is permitted to use the following basic functions and security functions: Basic Functions: > Document Server Function (for deletion only) > Web Service Function > Management Function Security Functions: > Security Management Function (Management of the document data ACL, Administrator information management etc, some functions that administrator (file administrator) is permitted.) Whatever the contents of the document data ACL are, the administrator (file administrator) is allowed to delete all the document data and modify all document data ACL (newly create the document file users, delete the document file users, change the operational authorities and document file owners). As mentioned above, the administrator (file administrator) is allowed to delete the document data of the document server function for all the document data. However, the administrator (file administrator), according to the assumption "A.ADMIN (Conditions of Administrators)", must not illegally exploit their privileges for malicious purposes in the administrator's work. Therefore, in this case, T.UNAUTH_ACCESS, by which authorised TOE users may breach the limits of authorised usage and access document data, is an exception. 4) Administrator (User Administrator, Machine Administrator, and Network Administrator) The administrator (User Administrator, Machine Administrator, and Network Administrator) is permitted to use the following basic functions and the security functions: Basic Functions: > Web Service Function > Management Function Security Functions: > Security Management Function (Administrator information management, general user information management, machine control data management etc, some functions that administrator is permitted.) The administrator (User Administrator, Machine Administrator, and Network Administrator) is a user who manages general user information, audit logs, and network CRP-C0262-01 10 connections. As mentioned above, T.UNAUTH_ACCESS, by which authorised TOE users may breach the limits of authorised usage and access document data, may be possible for general users. Although all general users are identified and authenticated by the user's ID and password and the scope of operations on the document data are restricted by the document data ACL. Therefore, T.UNAUTH_ACCESS is countered by the user identification and authentication and the access control of protected assets. (3) Countermeasures against the threat T.ABUSE_SEC_MNG T.ABUSE_SEC_MNG, which users not authorised for security management functions may abuse, is countered by the user identification and authentication, the security management, and the audit as follows: For the identification and authentication of the MFP users, "(1) Threat Countermeasures against T.ILLEGAL_USE", and "(2) Threat Countermeasures against T.UNAUTH_ACCESS" are as described. According to the roles, users are allowed for the security management function. Users, their roles, and the security management functions permitted for the usage in accordance with the roles are as follows: 1) Management Functions of the Document data ACL > General User (Document File Owner and Document File User who have the role to authorise the full control) + Query Document data ACL + Newly create and delete the document file users for the Document data ACL + Change the operational authority on the document data of the Document data ACL > Administrator (File Administrator) + Query Document data ACL + Newly create and delete the document file users for the Document data ACL + Change the operational authority on the document data of the Document data ACL + Change the document file owners 2) Management Functions of Administrator Information > Supervisor + Query all administrators' IDs + Change all administrators' passwords > Administrator + Query, change, and delete the applicable administrator's ID + Newly create the other administrators' IDs + Change the applicable administrator's password + Query the role of the applicable administrator + Delete the role of the applicable administrator (in case of the other administrator who has the administrator role of the applicable administrator) + Add the administrator role to the other administrator (only possible for the administrator role assigned to the applicable administrator) 3) Management Function of General User Information CRP-C0262-01 11 > User Administrator + Query, newly create, and delete general user's ID + Query, newly create, change, and delete general user's password + Query, newly create, delete, and change S/MIME User Information + Query and modify the Document data default ACL > General User + Query general user's ID + Query and change the applicable general user's password + Query, newly create, delete, and change S/MIME User Information of the applicable general user + Query and modify the Document data default ACL for the applicable general user 4) Management Functions of Supervisor Information > Supervisor + Query and change supervisor's ID + Change supervisor's password 5) Management Function of Machine Control Data > Administrator (File Administrator) + Query the date and time of system clock + Query Service Mode Lock Function > Administrator (Machine Administrator) + Query and modify Number of Attempts before Lockout + Query and modify Settings for Lockout Release Timer + Query and modify Lockout Time + Query and modify the date and time of system clock + Query and modify Lockout Flag of supervisor + Query and newly create HDD Encryption Keys + Query audit logs and delete all logs + Query and modify Service Mode Lock Function > Administrator (User Administrator) + Query and specify Minimum Password Length + Query and specify Password Complexity + Query the date and time of system clock + Query Service Mode Lock Function + Query and modify Lockout Flags for general users + Query Destination Information for Deliver to Folder > Administrator (Network Administrator) + Query the date and time of system clock + Query Service Mode Lock Function > Supervisor + Query the date and time of system clock + Query Service Mode Lock Function + Query and modify Lockout Flags for administrators > General User + Query the date and time of system clock + Query Service Mode Lock Function CRP-C0262-01 12 + Query Destination Information for Deliver to Folder As mentioned above, all the security management functions 1) to 5) properly permit the available functions according to the user role. Recording implemented actions of the Security Management Functions in audit logs enables re-detection of security breaches for the Security Management Functions as auditable events. Therefore, T.ABUSE_SEC_MNG, which users not authorised for Security Management Functions may abuse, is countered by the user identification and authentication, the security management, and the audit. (4) Countermeasures against the threat T.SALVAGE T.SALVAGE, by which attackers may remove the HDD from the TOE and disclose document data, is countered by the prevention of disclosing the memory storage data and the audit. The TOE generates a 256 bit encryption key by using a generation algorithm for the encryption key which conforms to BSI-AIS 31. The TOE uses the generated encryption key and cryptographic algorithm AES that matches and FIPS PUB 197, encrypts the document data, and stores it on the HDD. The TOE decrypts this when loading the document data from the HDD. Furthermore, the TOE checks the validity for the encryption key and performance of the hardware "Ic Hdd" to process the encryption and decryption at start-up. Finally, the TOE confirms that the processing of the encryption is performed correctly. Also, recording the results of the encryption key generation and encryption processing in audit logs enables re-detection of security breaches if the encryption key generation and the encryption processing are not correctly performed. Therefore, T.SALVAGE, by which attackers may remove the HDD from the TOE and disclose document data, is countered by the prevention of disclosing the memory storage data and the audit. (5) Countermeasures against the threat T.TRANSIT T.TRANSIT, by which attackers may illegally obtain, leak, or tamper with document data or print data sent or received by the TOE via the internal network, is countered by the protection of the network communication data and the audit. The TOE uses IPSec Protocol for data communications and encrypts the document data that is delivered to folders between the TOE and FTP server and between the TOE and SMB server. The TOE uses S/MIME and sends the encrypted document data sent by e-mail from the TOE to client computers. The SSL protocol is used for communication between the TOE and a client computer when connecting via an internal network and accessing the Web service of the TOE. The SSL protocol is also used when sending and printing print data from a client computer to the TOE via an internal network and also when sending document data by fax from a client computer via an internal network. The TOE encrypts the communication including the document data or the print data. As mentioned above, communication for the Web service, document data, and print data are encrypted in order to prevent leakage and tampering. However, the document data and the CRP-C0262-01 13 print data sent or received via a USB interface or telephone line by the TOE are not regarded as a threat of leakage and tampering. Also, recording implemented action of the above-encrypted communication in audit logs enables re-detection of security breaches if the encryption communication is not correctly performed. Therefore, T.TRANSIT, by which attackers may illegally obtain, leak or tamper with document data or print data sent or received by the TOE via the internal network, is countered by the protection of the Network communication data and the audit. (6) Countermeasures against the threat T.FAX_LINE T.FAX_LINE, by which attackers may illegally gain access to the TOE through the telephone line, is countered by the intrusion prevention via telephone lines and the audit. The TOE, only if the type of data received from the telephone line connected to a fax device is fax data, transfers the received data from fax process of the fax unit to fax reception process of the controller board. Also, recording implemented actions of intrusion prevention via telephone lines in audit logs enables re-detection of security breaches if the intrusion prevention via telephone lines is not correctly performed. Therefore, T.FAX_LINE, by which attackers may illegally gain access to the TOE through telephone lines, is countered by the intrusion prevention via telephone lines and the audit. CRP-C0262-01 14 3.1.2 Organisational Security Policy and Security Function Policies 3.1.2.1 Organisational Security Policy Organisational security policy required in use of the TOE is shown in Table 3-3. Table 3-3 Organisational Security Policy Identifier Organisational Security Policy P.SOFTWARE In order to prove the trusted MFP Control Software for consumers, measures are provided for verifying the integrity of MFP Control Software, which is installed in the FlashROM of the TOE. 3.1.2.2 Security Function Policies to Organisational Security Policy The TOE provides the security functions to fill the Organizational Security Policy shown in Table 3-3. (1) Countermeasures against Organisational Security Policy, "P.SOFTWARE". By verifying the e-signature added to the executable codes of the MFP control software installed in FlashROM the TOE can confirm that these executable codes are manufacturer-genuine and officially supplied by RICOH COMPANY, LTD. Considering the function of verifying the integrity of this software, and checking the version information outputted from the TOE, it is confirmed that the software is a correct version and officially supplied by RICOH COMPANY, LTD. CRP-C0262-01 15 4. Assumptions and Clarification of Scope In this chapter, it describes the assumptions and the operational environment to operate the TOE as useful information for the judgment before the assumed reader uses the TOE. 4.1 Usage Assumptions Table 4-1 shows assumptions to operate the TOE. The effective performance of the TOE security functions are not assured unless these assumptions are satisfied. Table 4-1 Assumptions in Use of the TOE Identifier Assumptions A.ADMIN Administrators of this TOE shall have sufficient knowledge to securely operate the TOE, and shall securely keep the TOE and the operational environment for the TOE. Administrators shall not abuse their permission maliciously, and they also shall not illegally act such as leakage or tampering of the document data as protected assets, and deactivating the security functions of the TOE. And provide the necessary advice and attentions for general users who use MFP in order to securely operate the TOE. The sufficient knowledge to securely operate the TOE includes the following: No use of the following functions and the settings: - Backup/Restore Address Book - Service Mode Lock set to "Off" - Use of the IPv6 protocol - Use of IP-Fax or Internet Fax Function - Use of Authentication method except for Basic Authentication A.SUPERVISOR Supervisor shall have sufficient knowledge to securely operate the TOE, and shall not abuse their permission maliciously. Also, they shall not illegally act such as leakage or tampering of the document data as protected assets, and deactivating the security functions of the TOE. A.NETWORK When the TOE is connected to the internal network connected to an external network such as the Internet, not for attacking in the TOE by the communication via the external network, install firewalls in the boundaries of the external network and the internal network to protect the internal network and the TOE. CRP-C0262-01 16 4.2 Environment Assumptions This TOE is installed in general offices and connected to the internal networks, and it is used by client computers connected to the internal networks likewise. Figure 4-1 shows the general operational environment as assumptions of this TOE. Internal network Internal network Internet (External network) Telephone line Office Firewall USB Connect Printer driver Fax driver Web browser Printer driver Fax driver MFP (TOE) Client computer Client computer SMTP server FTP server SMB server Figure 4-1 Operational Environment and Configuration Figure 4-1 gives an example environment to handle office documents in general offices where the TOE is assumed to be used. The TOE is connected to the internal network, telephone lines, and USB. When the TOE is connected to the internal network connected to an external network such as the Internet, through the network, not for attacking in the TOE by the communication via the external network, install firewalls in the boundaries of the external network and the internal network to protect the internal network and the TOE. The internal network uses IPv4. The internal network is connected to server computers and client computers such as FTP server, SMB server, and SMTP server and it performs the communication of the TOE and the document data. The operation of the TOE includes both cases of using the operation panel of the TOE and client computers. Installing printer drivers in client computers enables to send the print data into the TOE and process printing via the internal network or USB from client computers. And it enables to send the document data into the TOE via the internal network from client computers and the TOE can send by fax. The Web browser can operate the TOE on client computers. Also, the TOE can send the document data to client computers by e-mail via SMTP server and can deliver to folders the document data between the TOE and FTP server, and between the CRP-C0262-01 17 TOE and SMB server. However, the reliability of hardware shown in this configuration and the working software is outside the scope of this evaluation but it is considered of being fully reliable. 4.3 Clarification of scope Table 4-2 shows the relation of the basic functions of the TOE (Copy Function, Pinter Function, Fax Function, Scanner Function, Document Server Function, Management Function, and Web Service Function) and the information of protected assets used by the basic functions, and the protection by the security functions. Table 4-2 Information Relation which Basic Functions and Security Functions Regard as Protected Assets Basic Function Explanation Protected Assets Protection Copy Function Scan paper documents using the scanner engine, and print the documents in accordance with the specified print settings using the printer engine. Scanned image data can be stored in the D-BOX as document data (hereafter, "document data (non-Scanner Function)"). Document data (non-Scanner Function) x Receive print data via the internal network from a client computer, immediately print, or print the data once stored on the HDD. Especially when printing the stored data on the HDD, the received print data is stored as document data (non-Scanner Function) after encrypted in the D-BOX, and the data is printed out after decrypted. Print data x Print Function If receiving the print data via USB from a client computer, it is outside the scope of this evaluation. Document data (non-Scanner Function) - (*) * Refer to "1.1.3 Disclaimer" and "8.2 Recommendations". CRP-C0262-01 18 Basic Function Explanation Protected Assets Protection Fax Function (Reception) Receive fax data from the connected telephone lines, print or store the received fax data on the HDD. Especially when storing on the HDD, this function stores the fax data and converts it to Fax Reception Data and then (after encrypted) stores it in the D-BOX. However, the Fax Reception Data is outside the scope of this evaluation. Fax Reception Data - (*) Fax Function (Immediate Transmission / Memory Transmission) Scan paper documents using the scanner engine and immediately send by fax via the telephone line, or send by fax via the telephone line once stored in the memory medium. If immediately sending (hereafter, "Immediate Transmission"), after connecting the telephone line to the fax device of the destination fax, perform the sequential transmission of the generated image data to the fax device of the destination fax as it is being scanned. If sending after stored in the memory (hereafter, "Memory Transmission"), connect the fax device of the destination fax to the telephone line and send the image data after scanning originals and being stored in the memory medium. N/A x Fax Function (Stored Documents Fax Transmission) Decrypt and send the document data (non-Scanner Function) stored in the D-BOX into the fax device of the destination fax via the telephone line. However, after the document data (non-Scanner Function) is sent to the telephone line, it is outside the scope of this evaluation. Document data (non-Scanner Function) - (*) Fax Function (Fax Receive a print data from a client computer via the internal network, and send the data by fax via the telephone line. Print data x * Refer to "1.1.3 Disclaimer" and "8.2 Recommendations". CRP-C0262-01 19 Basic Function Explanation Protected Assets Protection Transmission from Computer) The case of receiving via USB print data from a client computer is outside the scope of this evaluation. Print data - (*) Fax Function (IP-Fax) Fax Function (IP-Fax) is outside the scope of this evaluation. Do not use this function. - (*) - (*) Fax Function (Internet Fax Function) Fax Function (Internet Fax Function) is outside the scope of this evaluation. Do not use this function. - (*) - (*) Scan paper documents using the scanner engine and then send the scanned data by e-mail. The scanned image data is encrypted and will be sent as an e-mail attachment to a specified e-mail address. E-mail x Scan paper documents using the scanner engine and then send the scanned data to the specified folder of the FTP server or SMB server by using the encrypted FTP or SMB protocol. FTP or SMB communication x Scanner Function (Scan) Scan paper documents using the scanner engine and then convert the scanned data to document data (only for the Scanner Function). The document data will be encrypted and stored in the D-BOX. Document data (Only for Scanner Function) x After decrypting the document data (only for the Scanner Function) stored in the D-BOX, the decrypted data is encrypted and will be sent as an e-mail attachment to a specified e-mail address. E-mail x Scanner Function (Administration) After decrypting the document data (only for the Scanner Function) stored in the D-BOX, the decrypted data will be sent to the specified folder of FTP or SMB server by using the encrypted FTP or SMB protocol. FTP or SMB communication x * Refer to "1.1.3 Disclaimer" and "8.2 Recommendations". CRP-C0262-01 20 Basic Function Explanation Protected Assets Protection After decrypting the document data (only for the Scanner Function) stored in the D-BOX, the Web browser of a client computer will download the data by the encrypted communication via the internal network. Web communication x Document Server Function (Scan) Scan paper documents using the scanner engine, encrypt and store the documents as document data (non-Scanner Function) in the D-BOX. Cannot use "document data (only for Scanner Function)" which is encrypted and stored in the D-BOX by "Scanner Function (Scan)". Document data (non-Scanner Function) x Decrypt and print the document data (non-Scanner Function) stored in the D-BOX. Document data (non-Scanner Function) x After decrypting the document data (non-Scanner Function) stored in the D-BOX, the Web browser of a client computer will download the data by the encrypted communication via the internal network. Web communication x Document Server Function (Management) Encrypt and print the fax reception data stored in the D-BOX. However, the Fax Reception Data is outside the scope of this evaluation. Fax Reception Data - (*) Management Function Configure the following settings: TOE machine settings, network connection settings, authorised user information settings, and settings for information to restrict the usage of document data. The user's ability to manage this information is determined in accordance with the user role of the authorised TOE user (general user, administrator, or supervisor). Setting information x * Refer to "1.1.3 Disclaimer" and "8.2 Recommendations". CRP-C0262-01 21 Basic Function Explanation Protected Assets Protection Web Service Function Remotely operate the TOE by authorised TOE users (general users, administrators, and the supervisor) using a Web browser running on a client computer. However, this function can only operate the function described in this table from "Copy function" to "Management function". There are some functions that are not available with this function. Web communication (Command, Document data, etc.) x CRP-C0262-01 22 5. Architectural Information This chapter explains the purpose and the relation on a scope of the TOE and the main component. 5.1 TOE boundary and component The TOE consists of configuration items shown in Figure 5-1. The TOE is equipped with Fax Unit (FCU) which is an optional product to MFP. Engine Unit Scanner Engine Printer Engine Fax Unit Engine Control Board Controller Board HDD RAM NVRAM Ic Key FlashROM Processor Ic Hdd USB Port User Document Output Document Telephone Line Operation Panel Unit TOE TOE SD CARD Slot Network Unit * Optional Figure 5.1 TOE boundary The physical components that constitute the TOE of Operation Panel Unit, Engine Unit, Fax Unit (option), Network Unit, Controller Board, Ic Hdd, USB port, and SD card slot are described. (1) Operation Panel Unit The Operation Panel Unit (hereafter Operation Panel) is a physical interface device that is installed on the TOE when the TOE users directly operate the TOE. It features key switches, LED indicators, an LCD touch screen, and the Operation Panel Control Board. (2) Engine Unit The Engine Unit contains a scanner engine, printer engine and the engine control board. The scanner engine is an input device for reading paper documents. The printer engine is an output device for printing and outputting paper documents. (3) Fax Unit (optional) The Fax Unit is a device that has a modem function to send and receive fax data when connected to a telephone line. This TOE is a product equipped with Fax Function (optional). CRP-C0262-01 23 (4) Network Unit The Network Unit is an interface board for connection to an Ethernet (100BASE-TX/10BASE-T) network. (5) Controller Board The controller board contains processors, RAM, NVRAM, Ic Key and FlashROM. The Ic Key is a security chip that generates random numbers and encryption keys, and detects any tampering with the MFP control software. MFP control software is installed in the FlashROM that is on this Controller Board. MFP control software consists of the following software such as System/Copy, Network Support, Scanner, Printer, Fax, Web Support, Web Uapl, and Network Doc Box. (6) Ic Hdd Ic Hdd is a security chip that encrypts information to be stored on the HDD, and decrypts information to be read from the HDD. (7) HDD HDD is a hard disk drive where document data (non-Scanner Function), document data (only for the Scanner Function), print data, fax reception data, user information for identification and authentication, and audit logs are recorded. The area that stores document data (non-Scanner Function), document data (only for Scanner Function), print data, and fax reception data is called D-BOX. (8) USB Port The USB port is used to connect a client computer to the TOE, print or fax from the client computer. (9) SD Card Slot SD card slot is a slot for maintenance that customer engineers use for SD cards. It is on the side of the TOE and is usually covered by a cover with a screw. The customer engineers remove this cover and insert the SD card for maintenance. The slot is used for the activation of the Stored Data Protection Function and the initial settings to encrypt the HDD when the TOE is installed. No maintenance based on this certification is assumed, so this interface is used only for the installation of the TOE. 5.2 IT Environment The TOE is connected to the internal network and performs communication with server computers such as FTP server, SMB server, SMTP server, and client computers. Then the TOE performs the communication with client computers and the fax device of the destination fax connected via telephone lines. The TOE performs the document data transmission into server computers such as FTP server, SMB server, and SMTP server that are connected via the internal network. Client computers that are connected to the TOE via the internal network or USB uses the TOE through the printer driver and Web browser. The client computers can not only send and receive document data, but also can operate some management functions and check the TOE performance through the Web browser. CRP-C0262-01 24 However, the TOE must not modify the following environments and settings: - Store and restore an address book data to the SD card. - Use of IPv6 protocol - Use of IP-Fax or Internet Fax Function CRP-C0262-01 25 6. Documentations The identification of documents attached to the TOE is listed below. The document attached to this TOE has the following four sets by the difference between the selling area and sales companies. It explains the difference of those sets as follows. It is the same content except the explained difference. - Difference in British English and United States English (center : centre、enquirely : inquirely、color : colour) - Difference of specification method for the paper size - Names of Standard specification, such as A4 and B5 (for Asia for Europe) - Specification by inch (for North America) - Difference of sample screen (for date or content) illustrated in document - Difference of description of regulation by country (Describe it dividing the regulation in each region and the country into North America and Europe. ) - Difference number of part and document name TOE users are required fully understanding and complying with the following documents in order to satisfy the assumptions. Table 6-1 [English version - 1] Product attachment document for North America Document Name Number of part 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 Operating Instructions About This Machine D092-7753 D092-7757 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 Operating Instructions Troubleshooting D092-7803 D092-7807 Notes for Users D092-7727 D092-7729 App2Me Start Guide D085-7906B D085-7905B Manuals for Users 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 D092-7502 Manuals for Administrators 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 D092-7504 Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 D092-7790 Notes for Administrators: Using this Machine in a CC-Certified Environment D092-7754 D092-7756 VM Card Manuals D377-7500 CRP-C0262-01 26 Table 6-2 [English version - 2] Product attachment document For Europe Document Name Number of part Quick Reference Copy Guide D092-7714 Quick Reference Fax Guide D509-8534 Quick Reference Printer Guide D381-7303 Quick Reference Scanner Guide D381-7309 Manuals for This Machine D092-7704 Safety Information for Aficio MP 4001/Aficio MP 5001 D092-7700 Notes for Users D092-7726 App2Me Start Guide D085-7904B Manuals for Users MP 4001/5001 Aficio MP 4001/5001 A D085-7510 Manuals for Administrators Security Reference MP 4001/5001 Aficio MP 4001/5001 D092-7512 Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 D092-7790 Notes for Administrators: Using this Machine in a CC-Certified Environment D092-7752 VM Card Manuals D377-7500 Table 6-3 [English version - 3] Product attachment document for Europe Document Name Number of part Quick Reference Copy Guide D092-7714 Quick Reference Fax Guide D509-8534 Quick Reference Printer Guide D381-7303 Quick Reference Scanner Guide D381-7309 Manuals for This Machine D092-7704 Safety Information for MP 4001/ MP 5001 D092-7701 Notes for Users D092-7726 App2Me Start Guide D085-7904B Manuals for Users MP 4001/5001 Aficio MP 4001/5001 A D085-7510 Manuals for Administrators Security Reference MP 4001/5001 Aficio MP 4001/5001 D092-7512 Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001 /5001 LD140/LD150 Aficio MP 4001 /5001 D092-7790 CRP-C0262-01 27 Document Name Number of part Notes for Administrators: Using this Machine in a CC-Certified Environment D092-7752 VM Card Manuals D377-7500 Table 6-4 [English version - 4] Product attachment document for Asia Document Name Number of part MP 4001/MP 5001 MP 4001/MP 5001 Aficio MP 4001/5001 Operating Instructions About This Machine D092-7755 MP 4001/MP 5001 MP 4001/MP 5001 Aficio MP 4001/5001 Operating Instructions Troubleshooting D092-7805 Quick Reference Copy Guide D092-7715 Quick Reference Fax Guide D509-8535 Quick Reference Printer Guide D381-7307 Quick Reference Scanner Guide D381-7407 Notes for Users D092-7730 App2Me Start Guide D085-7906B Manuals for Users MP 4001/5001 Aficio MP 4001/5001 D092-7506 Manuals for Administrators MP 4001/5001 Aficio MP 4001/5001 D092-7508 Manuals for Administrators Security Reference Supplement 9240/9250 MP 4001/5001 LD140/LD150 Aficio MP 4001/5001 D092-7790 VM Card Manuals D377-7500 Notes for Administrators:Using this Machine in a CC-Certified Environment D092-7754 CRP-C0262-01 28 7. Evaluation conducted by Evaluation Facility and results 7.1 Evaluation Approach Evaluation was conducted by using the evaluation methods prescribed in CEM in accordance with the assurance components in CC Part 3. Details for evaluation activities are reported in the Evaluation Technical Report. In the Evaluation Technical Report, it explains the summary of the TOE, the content of the evaluation and verdict of each work unit. 7.2 Overview of Evaluation Activity The history of evaluation conducted was present in the Evaluation Technical Report as follows; Evaluation has started on 2010-2 and concluded by completion the Evaluation Technical Report dated 2010-7. The evaluator received a full set of evaluation deliverables necessary for evaluation provided by the developer, and examined the evidences in relation to a series of evaluation conducted. Additionally, the Evaluation Facility directly visited the development and manufacturing sites on 2010-4, 2010-5 and 2010-6, and examined procedural status conducted in relation to each work unit for configuration management, delivery and operation and lifecycle by investigating records and staff interview. Because TOE is product intended for the United States, Europe and Asia, TOE is manufactured and distributed from Japan and two or more overseas branches. The evaluator went to branch factories in Japan, the United States, Europe and Asia where the investigation was necessary, and conducted the investigation to note manufacturing and the assembly process of TOE across two or more branches. Further, the evaluator executed the sampling check of the developer testing and the evaluator testing by using developer testing environment at developer site on 2010-4. Concerns found in evaluation activities for each work unit were all issued as Observation Report and were reported to the developer. These concerns were reviewed by the developer and all concerns were solved eventually. 7.3 IT Product Testing The evaluator confirmed the validity of the developer testing. Based on the evidence shown by the process of the evaluation and those confirmed validity, the evaluator executed the reappearance testing, additional testing and penetration testing based on vulnerability assessments judged to be necessary. 7.3.1 Developer Testing The evaluator evaluated the integrity of the developer testing that the developer executed and the testing documentation of actual testing results. It explains the content of the developer testing evaluated by the evaluator as follows. 1) Developer Testing Environment Figure 7-1 shows the testing configuration executed by the developer. CRP-C0262-01 29 Figure 7-1 Developer Testing Configurations The TOEs for the evaluation are Ricoh Aficio MP4001, Ricoh Aficio MP5001, and Ricoh Aficio MP5001G and can be used for evaluation. The TOE targets include the following 24 machines: Ricoh Aficio MP 4001, Ricoh Aficio MP 4001G, Ricoh Aficio MP 5001, Ricoh Aficio MP 5001G, Savin 9240, Savin 9240G, Savin 9250, Savin 9250G, Lanier LD140, Lanier LD140G, Lanier LD150, Lanier LD150G, Lanier MP 4001, Lanier MP 5001, Gestetner MP 4001, Gestetner MP 4001G, Gestetner MP 5001, Gestetner MP 5001G, nashuatec MP 4001, nashuatec MP 5001, Rex-Rotary MP 4001, Rex-Rotary MP 5001, infotec MP 4001, infotec MP 5001. See below for different names assigned to these models: - Because of different sales areas or companies, these models have different names, but the TOE configurations and security functions are identical. (Ricoh Aficio MP, Savin, Lanier LD, Lanier MP, Gestetner MP, nashuatec MP, Rex-Rotary MP, infotec MP) - The figures in the TOE names indicate print speeds and differences of print speeds is reflected in the TOE names ("4001 and 5001", "9240 and 9250", "140 and 150": “4001” means 40 sheets per minute, and “5001” means 50 sheets per minute, etc.). The TOE configurations and security functions are identical. - The suffix "G" of the names indicates different branch factories. The TOE configurations and the security functions are identical. As a target of the evaluation, the TOE of the above mentioned three models (Ricoh Aficio MP4001, Ricoh Aficio MP5001 and Ricoh Aficio MP5001G) are selected. The developer is afraid some differences of testing results by the different print speeds (40 sheets per minute, 50 sheets per minute) and the different branch factories, selected the above models. Because Telephone Switchboard Simulator(TLE-101Ⅲ) PSTN Certificate Issuance Aficio MP5001G 192.168.13.87 MP5001 192.168.13.89 PSTN Router (RTX-1000) 4 Hubs (LSW2-GT-8NPR LSW2-GT-16NPR) Aficio MP4001X2 192.168.13.90 192.168.13.88 Internal Network (Independent of Office Networks) Mail Server SMB/FTP Server 192.168.13.8 Client PCs 192.168.13.141 OS: Windows XP Web browser: IE6.0 192.168.13.148 OS: Windows XP Web browser: IE8.0 192.168.13.154 OS: Windows Vista Web browser: IE7.0 OS: Windows Server 2003 CRP-C0262-01 30 the difference other than that is only the naming. Depending on this combination, all 24 models can be regarded as the same case of conducting the testing which considered the difference. Table 7-1 explains non-TOE configuration items in the developer testing. Table 7-1 Developer Testing Configuration Items Configuration Item Detail Client Computer Web browser - Internet Explorer 6.0 (IE6) - Internet Explorer 7.0 (IE7) - Internet Explorer 8.0 (IE8) Driver - PCL 6 driver V1.0.0.0 - LAN Fax driver V1.61 Mail Server SMTP Server Function of Windows Server 2003 SP2 FTP Server FTP Server Function of Windows Server Function 2003 SP2 SMB Server SMB Server Function of Windows Server Function 2003 SP2 Fax Device Ricoh Aficio MP 4001, Ricoh Aficio MP 5001 Telephone Switchboard Simulator TLE-101 III (manufactured by LSI JAPAN Co., Ltd.) The developer testing is executed the same TOE testing environment as TOE configuration identified in ST. 2) Summary of Developer Testing Summary of the developer testing is as follows: a. Developer Testing Outline Outline of the developer testing is as follows; The testing procedure consisted on stimulation of the external TOE interface by the assumed TOE operations (operations of the operation panel, the client computer connected via the internal network or USB, and fax machines) and visual observation of the results. And the vulnerability in the Web interface of TOE was investigated with a vulnerability detection tool of the Web application. However, if not visually observing the testing results, the following approaches were used instead: - The communication over the internal network captures data and it verifies the communication protocol (SSL and IPSec) using packet capture software. - Use internal tools that produce debug information and check the activity inside the TOE from output debug information. - Replace the MFP Control Software with software that had "compromised validity", use internal tools that produced debug information, and verify the integrity of the MFP Control Software Validity Checking Function from the outputted debug information. Table 7-2 shows the tools used in the developer testing. "Debug console to monitor of the TOE CRP-C0262-01 31 internal operation" and "SD card for changing or overwriting the internal configuration items of the TOE" are developed by the developer and are used after confirming that they are normally operated. Table 7-2 Tools for the Developer Testing Name of tool Outline and purpose of use WireShark 1.0. 2 Tool to obtain or monitor packets over LAN (software) Debugging console to monitor the TOE internal operation A debugging console to monitor the TOE internal operation is software installed in the computer. This tool was developed by RICOH COMPANY, LTD. for testing and is not publically available. The computer with the installed debugging console and the controller board for the TOE were connected by special serial connectors and a special debugging serial cable. This tool was used to specify necessary testing items to check TOE internal operations. SD card for changing or overwriting the internal configuration items of the TOE The SD card stores programs and data for testing that performs changing and overwriting the internal configuration items of the TOE, which were developed in accordance with the testing items. This tool was used to specify necessary testing items to check TOE internal operations. The values of testing plans expected in advance that is described in the expected testing results of individual testing specifications which are evidence materials provided by the developer was compared with the values of the developer testing results described in the notes of the individual testing items (judgments) of the individual testing result reports which are evidence materials provided by the developer as well. As a result, it was found that the expected results are consistent with the actual testing results of testing evidence materials. b. Scope of Execution of the Developer Testing The developer testing is executed about 513 items (1008 cases) by the developer. By the coverage analysis, it was verified that all security functions and external interfaces described in the functional specification had been tested. By the depth analysis, it was verified that all security functions and external interfaces described in the functional specification had been tested enough. c. Result The evaluator confirmed consistencies between the testing results expected by the developer and the actual testing results executed by the developer. The evaluator confirmed an approach of the executing developer testing and legitimacy of tested items, and confirmed consistencies between testing approach described in the testing plan and actual testing approach. 7.3.2 Evaluator Independent Testing The evaluator executed the evaluator independent testing to reconfirm that security functions are certainly implemented from the evidence shown by the process of the evaluation. It explains the evaluator independent testing executed by the evaluator as follows; CRP-C0262-01 32 1) Evaluator Independent Testing Environment Figure 7-2 shows the evaluator independent testing configuration executed by the evaluator. Figure 7-2 Evaluator Independent Testing Configurations The evaluation models included in the TOE are Ricoh Aficio MP4001 and Ricoh Aficio MP5001G. Because in this evaluator independent testing, depending on the different print speeds (40 sheets per minute, 50 sheets per minute) and the different branch factories, there are no concerns in which the difference occurs as the result of the evaluator independent testing. The above configuration is determined. The non-TOE configuration items in the configuration of the evaluator independent testing are identical to the configuration of the developer testing except for client computers equipped with Internet Explorer 7.0 (IE7). However, it was found that the operation of Internet Explorer 7.0 (IE7) has no difference by the difference of OS equipped with client computers. Therefore, the configuration of the evaluator independent testing is regarded as the one of the developer testing. The evaluator independent testing is executed in a TOE testing environment with the same TOE configuration as that identified in this ST. 2) Summary of Independent Testing Summary of the Evaluator Independent testing is as follow; a. Independent Testing Viewpoints The evaluator independently devised 40 testing items around the following Viewpoints by the developer testing and the evidence materials provided: - (Viewpoint 1) To make the testing conducted by the developer more rigorous, execute additional tests based on new parameters and conditions - (Viewpoint 2) As for characteristic security functions for protecting communication (SSL, Telephone Switchboard Simulator(TLE-101Ⅲ) PSTN Certificate Issuance Aficio MP5001G 192.168.13.87 PSTN Router (RTX-1000) 4 Hubs (LSW2-GT-8NPR LSW2-GT-16NPR) Aficio MP4001 192.168.13.88 Internal Network (Independent of Office Networks) Mail Server SMB/FTP Server 192.168.13.8 Client PCs 192.168.13.141 OS: Windows XP Web browser: IE6.0 192.168.13.148 OS: Windows XP Web browser: IE7.0 192.168.13.154 OS: Windows XP Web browser: IE8.0 OS:Windows Server 2003 CRP-C0262-01 33 IPSec, S/MIME), execute supplemental tests to ensure these functions always work effectively. To take these Viewpoints into account and to test the security functions and interfaces, 192 items were identified for sampling testing of the developer testing. - Testing will be enforced for the following behaviours, which are essential to verify correct operations of the security functions. > Every possible combination of Access Control Function related to stored documents. > Every possible combination of authorised users and authorised Security Management Function operations. > Every possible combination of authentication failure conditions. > Performance of all functions related to verification of software validity. > Checking functions for password strength. > The Lockout and Lockout Release functions following password authentication failure. > The encryption functions on stored documents. > The Self-Test Function for encryption at TOE initialization. >The Network Communication Protection Function. - Testing covered the verification of audit log completeness and verification of the audit log records obtained. - Testing covered all possible TOE interfaces (operation panel, Web interfaces, etc.) b. Independent Testing Outline Outline of the independent testing that the evaluator executed is as follow; < Independent testing approach > For (Viewpoint 1) of the independent testing, testing was executed using the same approaches as used in the developer testing. For example: - Use of different combinations of operating interfaces when developer testing involved testing of competing operations on the same document. - Use of different combinations of operating interfaces and roles when developer testing involved access control testing. For (Viewpoint 2) of the independent testing, testing was executed using an environment and under settings that made SSL, IPSec, and S/MIME inactive. This ensured the TOE did not perform any communications not encrypted by SSL, IPSec, or S/MIME. For SSL and IPSec, packet capture software was used to check the content of communications. For S/MIME, checks were made to verify that e-mail could not be sent from the client computer. Testing sampled from the developer testing was performed using the same approaches as those used in the developer testing. CRP-C0262-01 34 The independent testing used the tools of Table 7-2 in the developer testing. For evaluator independent testing, 40 items for independent testing and 192 items for sampling testing are specified in Table 7-3 and 7-4. Table 7-3 Executed Independent Testing Number Category name of testing item Number of testing item 1 Access control (Stored document) 2 2 User authentication 4 3 Lockout 4 4 Password policy 7 5 Password entry 7 6 TSF administration / TSF data administration (via Panel) 3 7 TSF administration / TSF data administration (via WIM) 2 8 IPSec 2 9 SSL / TLS 1 10 S/MIME 4 11 Simultaneous access 4 Total 40 Table 7-4 Executed Sampling Testing Number Category name of testing item Number of testing item 1 Access control (Stored document) 52 2 User authentication 9 3 Lockout 7 4 Password policy 8 5 TSF administration / TSF data administration (via Panel) 32 6 TSF administration / TSF data administration (via WIM) 44 7 IPSec 2 8 SSL/TLS 3 9 S/MIME 3 10 Fax lines intrusion 2 11 Version display 1 12 Logging document data 5 13 Log overflow 2 14 Document operation log 3 15 Stored document deletion 4 CRP-C0262-01 35 Number Category name of testing item Number of testing item 16 Password entry 9 17 Confirming the firm validity 3 18 Encryption of HDD data 1 19 Generation of encryption key and update processing 2 Total 192 c. Result All the executed evaluator independent testing was correctly completed, and the evaluator confirmed the behavior of TOE. The evaluator confirmed consistencies between the expected behavior and all the testing results. 7.3.3 Evaluator Penetration Testing The evaluator devised and conducted the necessary evaluator penetration testing about the possibility of exploitable concern at assumed environment of use and attack level. It explains the penetration testing executed by the evaluator as follows; 1) Summary of the Evaluator Penetration Testing Summary of the penetration testing executed by the evaluator is as follows; a. Vulnerability of concern The evaluator searched into the provided evidence and the public domain information for the evaluator potential vulnerabilities, and then identified the following vulnerabilities which require the penetration testing. Table 7-5 Anticipated Vulnerabilities No. Anticipated Vulnerabilities V1 When access to the TOE through the Web browser is established, the TOE may be accessed through direct call to the CGI without the procedures of the user identification and authentication. V2 If a general user is registered with the same user ID as an administrator, administrator roles may be assigned to the general user at login. V3 Some interfaces may allow access to the TOE's protected assets prior to user identification and authentication through the operation panel or Web browser. V4 If general user ID and administrator ID cannot be distinguished, and general user can register with the same ID as an administrator, then general user may obtain an administrator privilege. V5 The TOE's USB port may run an unauthorised program that causes disclosure of protected assets. And unauthorised access to the HDD may also be gained through connection of a computer to the TOE's USB port. V6 If an error occurs during the HDD check at start-up and then the HDD initialization process starts, the TOE's security may be weakened. V7 Users accessing the TOE from the operation panel or Web browser at start-up may obtain access before the TOE's security functions come into effect. V8 The TOE may open unnecessary TCP/IP ports, and the ports in use may affect enforcement of SFR. V9 Vulnerabilities in cross-site scripting and cross-site request forgery. CRP-C0262-01 36 b. Evaluator Penetration testing Outline The evaluators executed the following evaluator penetration testing to identify possibly exploitable vulnerabilities. The testing environment is the same as the environment of the evaluator independent testing. The configuration figure is also the same as the one in Figure 7-2. This environment is assumed that the TOE is securely installed and operated according to "Security Objectives for the TOE" and "Security Objectives for Operational Environment" in this ST. For instance, the attack via networks from the external network such as the Internet is the exception because the unnecessary ports are closed in the boundaries of the external network and the internal network. Under the above conditions, it is assumed that attacks occur using public interfaces and usual available tools by general users and attackers except for administrators. Table 7-6 shows the difference between the developer testing and evaluator independent testing for evaluator penetration testing. It also shows the tools used. Table 7-6 Configuration Items for the Evaluator Penetration Testing Component Item Details Hardware: Toshiba dynabook SS RX1 OS: Windows XP Pro SP3 Browser: Internet Explorer 8.0 (IE8) Software for Port Scan: Zenmap 4.76 Software for line trace: Wireshark V1.0.6 Unix Access Tool: Cygwin V2.573.23 Computer for Penetration Testing Vulnerability Detection Tool: Paros V3.2.13 For anticipated vulnerabilities identified in Table 7-5 to search for potential vulnerabilities, Table 7-7 shows the penetration testing that corresponds to this. The evaluator executed the following penetration testing to identify possibly exploitable vulnerabilities. Table 7-7 Overview of Evaluator Penetration Testing No. Overview of Penetration Testing Anticipated Vulnerability T1 Checked opened ports. V8 T2 Executed a scan of the LAN ports and ensured unnecessary ports were not open or opened. V8 T3 Penetration testing on open ports. V1 T4 Ensured that unauthorised users cannot access to the OS of the TOE directly via LAN ports from the remote client computer. V1 T5 Unauthorised access to document files through the Internet. V3 T6 Ensured that unauthorised users cannot access to document files, even if they specify a URL directly using delivered URL link information. V3 T7 Obtained information using direct URLs. V9 CRP-C0262-01 37 No. Overview of Penetration Testing Anticipated Vulnerability T8 Ensured access via URL is denied, even if URLs for protected assets and TOE resources are derived from URLs used by the TOE. V6, V7 T9 Ensured no access measures to the TOE are usable through the Web interfaces without prior identification and authentication of the user. V5 T10 Ensured no security functions are usable through the Web interfaces without prior identification and authentication of the user. V2, V3 T11 Ensured no access measures to the TOE are usable through the operation panel without prior identification and authentication of the user. V4 c. Result The executed evaluator penetration testing did not find any vulnerability exploitable by attackers with the assumed attack potential. CRP-C0262-01 38 7.4 Evaluated Configuration In this evaluation, the configurations outlined in "7.3.2 Evaluator Independent Testing" and Figure 7-2 were evaluated. The TOE will not be used in the configuration which is significantly different from above configuration components. Therefore, the evaluator determined the configuration of the above-evaluation is appropriate. 7.5 Evaluation Results The evaluator had the conclusion that the TOE satisfies all work units prescribed in CEM by submitting the Evaluation Technical Report. In the evaluation, the following were confirmed. - PP Conformance: none - Security functional requirements: Common Criteria Part 2 Conformant - Security assurance requirements: Common Criteria Part 3 Conformant As a result of the evaluation, the verdict "PASS" was confirmed for the following assurance components. - All assurance components of EAL3 package The result of the evaluation is applied to the composed by corresponding TOE to the identification described in the chapter 2. 7.6 Evaluator Comments/Recommendations The evaluator recommendations for users are not mentioned. CRP-C0262-01 39 8. Certification The certification body conducted the following certification based on each materials submitted by the Evaluation Facility during evaluation process. 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be reflected. 3. Evidential materials submitted were sampled, its contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. 8.1 Certification Result As a result of verification of submitted Evaluation Technical Report, Observation Report and related evaluation deliverables, Certification Body determined that the TOE satisfies all components of the EAL3 in the CC part 3. 8.2 Recommendations For TOE operations, the guidelines require that the Service Mode Lock Function is always enabled. If the TOE is operated in the assumed operating environment, it should not be placed in maintenance mode. The TOE is outside the scope of CC-certification when administrators release the settings of the Service Mode Lock Function and the TOE operation mode is changed to the maintenance mode. There are some cases where the TOE is not able to counter threats and it was outside the CC-certified scope for this TOE as described in "1.1.3 Disclaimers". Before purchasing this product, consumers need to be especially cautious and check the expected settings and functions for the product in the operational environment are not duplicated by the settings and functions, which are restricted to the previously-described environment. CRP-C0262-01 40 9. Annexes There is no annex. 10. Security Target Security Target[12] of the TOE is provided within a separate document of this certification report. Aficio MP 4001/5001 series with Fax Option Type 5001 Security Target Version 1.00 (June 17, 2010) RICOH COMPANY, Ltd. CRP-C0262-01 41 11. Glossary The abbreviations relating to CC used in this report are listed below. CC Common Criteria for Information Technology Security Evaluation CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level PP Protection Profile ST Security Target TOE Target of Evaluation TSF TOE Security Functionality The abbreviations relating to TOE used in this report are listed below. AES Advanced Encryption Standard (AES Encryption) BSI-AIS 31 Standard for the hardware random number generation issued by Bundesamt fur Sicherheit in der Informationstechnik (BSI) D-BOX Name of the storage area for document data on the HDD. FCU Fax Controller Unit FIPS PUB 197 Federal Information Processing Standards Publication 197 FTP File Transfer Protocol HDD An abbreviation of "Hard Disk Drive". Refers to the HDD installed in the TOE. Ic Hdd A hardware device that encrypts the data to be written on the HDD and decrypts the data to be read from the HDD. Ic Key A chip that contains a microprocessor for encryption processing and EEPROM where a private key for secure communication is held. The Ic Key holds the keys for validity authentication and encryption processing, and a random number generator. IPSec Secure Architecture for Internet Protocol. A protocol that provides the functions of data tampering protection and data confidentiality of IP packets using cryptographic technology. MFP An abbreviation for digital "multi function product". NVRAM Non-Volatile Random Access Memory, where MFP Control Data governing MFP operations is stored. PSTN Public Switched Telephone Networks RAM A volatile memory medium used for image processing. S/MIME Secure/Multipurpose Internet Mail Extensions. A standard for e-mail encryption that uses digital signatures and a public key system. SSL Secure Sockets Layer. A protocol for secure communication. USB An abbreviation of Universal Serial Bus. A serial bus standard for connecting peripherals to computers. CRP-C0262-01 42 The definition of terms used in this report is listed below. Address Book A database containing general user information for each general user. Administrator One of the authorised TOE users who manages the TOE. Administrators are given administrator roles and perform administrative operations accordingly. Up to four administrators can be registered, and each administrator is given one or more administrator roles. Administrator role Management Functions given to administrators. There are four types of administrator role: user administration, machine administration, network administration and file administration. Each administrator role is assigned to a registered administrator. Basic Authentication The most basic authentication method, it identifies and verifies users accessing through the Internet. It is supported by HTTP as standard, and by many Web servers and browsers. It authorises access by verifying user names and passwords. Deliver to Folder A function that sends document data from the TOE to folders on an SMB or FTP server via a network. Document data Electronic data sent to the MFP by authorised MFP users who perform either of the following operations. 1. Scanning from paper and digitizing. 2. Received as print data and then converted by the MFP into a format that can be processed by the MFP. Document data ACL An "access control list" of general users that is set for each document data. Document data default ACL An item of general user information. The default value that is set for the document data ACL of a new document data to be stored. Ethernet A computer network standard. The most common technical standard used in communication networks in offices and homes around the world. There are other Ethernet standards, such as 100BASE-TX or 10BASE-T. External Networks Networks that are not managed by the organisation that manages the MFP. Generally indicates the Internet. File administration An administrator role assigning responsibility for management of the D-BOX, where document data is stored on the TOE, and management of the document data ACL, which is the list that controls the access to the document data. The file administrator is a person who has the role of file administration. FTP Server A server for sending files to a client computer and receiving files from a client computer using File Transfer Protocol. General user One of the authorised TOE users who uses the Basic Functions of the TOE. General user information A database containing information about general users as data items that include the general user ID, general user authentication information, Document data default ACL, and S/MIME user information. Internal networks Networks managed by an organisation that has an MFP. Normally refers to an office LAN environment established as the intranet. CRP-C0262-01 43 Internet Fax A function that reads a fax original then converts the scanned image to an e-mail format for sending as data over the Internet to a machine with an e-mail address. IP-Fax A function that sends and receives document files between two faxes that are directly connected to a TCP/IP network. It can also send document files to a fax that is connected to a telephone line. IPv4 Protocol A widely used, standard protocol governing communication of data between computers over the Internet. It employs 32-bit addressing. IPv6 Protocol A widely used, standard protocol created to provide increased address space and improved security compared to IPv4. It employs 128-bit addressing. LAN-Fax Transmission A function that faxes document data from a client computer via the TOE when the client computer is connected to the TOE via a network or USB Ports. Lockout A function that prohibits access to the TOE to the specific user IDs. Machine administration An administrator role that assigns responsibility for machine management and performing audits. The machine administrator is a person who has the machine management role. Memory Transmission A function that stores scanned data of an original in memory and then dials and faxes that data at a later time. MFP Control Software Software installed in the TOE that can identify TOE components such as System/Copy, Network Support, Scanner, Printer, Fax, Web Support, Web Uapl, and Network Doc Box. Manages the resources for units and devices that comprise the MFP and controls their operation. Minimum Password Length The minimum number of digits that can be registered in passwords. Network administration An administrator role assigning responsibility for management of the TOE's network connections. The network administrator is a person with network management responsibility. Operation Panel A display-input device that consists of a touch screen LCD, key switches, and LED indicators, and is used for MFP operation by users. Also known as an "Operation Panel Unit". Packet Capture Software Software that intercepts communications on networks, records them, and reviews the content of communications. Password Complexity Setting The minimum combination of character types that can be registered in passwords. There are four character types: upper-case letters, lower-case letters, numbers, and symbols. There are Level 1 and Level 2 Password Complexity Setting. Level 1 requires passwords to include a combination of more than two types of character. Level 2 requires passwords to include a combination of more than three types of character. Print data The document files in the client computer that are sent to the TOE from a client computer to be printed or faxed. Drivers must be installed in the client computer in advance: a printer driver for printing and a fax driver for faxing. Print data is received by the TOE through the Network Unit or USB Port. CRP-C0262-01 44 Print Settings Print Settings for printed output, including paper size, printing magnification, and custom information (such as duplex or layout settings). Processor Hardware that processes the instructions of software in the computer. It has an arithmetic logic unit, a peripheral circuit, and memory units that store instructions or data. S/MIME User Information Information about each general user that is required for using S/MIME. Includes e-mail address, user certificates, and a specified value for S/MIME use. Sending by E-mail A function that sends e-mail with attached document data from the TOE. SMB Protocol Server Message Block protocol. A standard protocol governing communication of data between computers. SMB Server A server for sharing files with a client computer using Server Massage Block Protocol. SMTP server A server for sending e-mail using Simple Mail Transfer Protocol. Stored Data Protection Function A function that protects document data stored on the HDD from leakage. Stored Documents Fax Transmission A function that faxes document data stored earlier in the D-BOX. Supervisor One of the authorised TOE users who manages a password of administrator. User administration An administrator role assigning responsibility for management of general users. The user administrator is a person who has the user management role. CRP-C0262-01 45 12. Bibliography [1] IT Security Evaluation and Certification Scheme, May 2007, Information-technology Promotion Agency, Japan CCS-01 [2] IT Security Certification Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-02 [3] Evaluation Facility Approval Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-03 [4] Common Criteria for Information Technology Security Evaluation Part1: Introduction and general model Version 3.1 Revision 1, September 2006, CCMB-2006-09-001 [5] Common Criteria for Information Technology Security Evaluation Part2: Security functional components Version 3.1 Revision 2, September 2007, CCMB-2007-09-002 [6] Common Criteria for Information Technology Security Evaluation Part3: Security assurance components Version 3.1 Revision 2, September 2007, CCMB-2007-09-003 [7] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 3.1 Revision 1, September 2006, CCMB-2006-09-001 (Japanese Version 1.2, March 2007) [8] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components Version 3.1 Revision 2, September 2007, CCMB-2007-09-002 (Japanese Version 2.0, March 2008) [9] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components Version 3.1 Revision 2, September 2007, CCMB-2007-09-003 (Japanese Version 2.0, March 2008) [10] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 3.1 Revision 2, September 2007, CCMB-2007-09-004 [11] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 3.1 Revision 2, September 2007, CCMB-2007-09-004 (Japanese Version 2.0, March 2008) [12] Aficio MP 4001/5001 series with Fax Option Type 5001 Security Target Version 1.00 (June 17, 2010) RICOH COMPANY, Ltd. [13] RICOH COMPANY, Ltd. Aficio MP 2851/3351 series with Fax Option Type 3351 Evaluation Technical Report Version 1.6, June 18, 2010, Information Technology Security Center Evaluation Department