- TÜViT TÜV Informationstechnik GmbH
Contents
1. Device Management Update Device Firmware Device Firmware R R R R R R w W parameters 1 Device Firmware R R R R R R parameters 2 Device Firmware functions RW RW dm RW RW Tee RW RW Hede ad vi Seo Maintenance Restart Restart function E E E E E E E E Maintenance Communication Server Calls Service Test Call Service Test Call function Log R R R R RW RW Maintenance Communication Server Calls Device Check Req Call Device Check Req Call functions E E E E E E Message R R R R R R pc Maintenance Restore Restore parameters R R DE R R D R R mE E i Maintenance Log Log setup Maintenance Log parameters Maintenance Log collection level Maintenance Log System Log Maintenance System Log EE DE RE DE R R R R R mE Maintenance um R R R R R R qe 0 Communication Log Maintenance Memory Maintenance Memory parameters Mainten
2. 3.2 Assumptions. In this section the assumptions concerning the environment of the TOE are identified and described. A.PHYSICAL: It is assumed that the TOE is physically protected. RC Gate with its TOE is set in a place of safety such as business office. Therefore the TOE containing the assets is indirectly protected, because an accessible user with evil intent cannot access RC Gate, respectively modify the TOE, unobserved. A.DEVICE: It is assumed that image I/O devices are trusted. Image I/O devices are genuine products. Illegal applications are not installed on image I/O devices. In addition, firmware on image I/O devices is not tampered. A.NETWORK: It is assumed that the network is properly managed by responsible person. The network which RC Gate and image I/O devices belong to is properly managed by responsible persons. Furthermore, the network is protected from outer attack via Internet by establishing a firewall and running virus protection programs. A.CE: It is assumed that Customer Engineer is trusted. The customer engineer (CE) is well trained and can be trusted. He/She belongs to Ricoh or a Ricoh's affiliate company and reads the maintenance documentation thoroughly, responds appropriately to RC Gate. He/She does not change the configuration of RC Gate, does not carry out the RC Gate and does not install programs into RC Gate without permission of user (administrator). Furthermore the customer enginee
3. Copyright (c) 2004 2005 Ricoh Company Ltd, all rights reserved. List of Figures: Figure 1: Network environment of RC Gate Type BN1; Figure 2: Network environment of RC Gate Type BM1; Figure 3: RC Gate and the TOE. List of Tables: Table 1: Product name and code of RC Gate; Table 2: Specific terms related to the RC Gate; Table 3: Assets that the TOE intends to protect; Table 4: Setting items and allowed operations; Table 5: Information passed between RC Gate and CS; Table 6: Cryptographic operations, algorithms and key sizes; Table 7: Events recorded to audit log; Table 8: TOE security assurance requirements (EAL3); Table 9: Information included in the audit records
4. necessary. Furthermore, the Administrator has to keep his/her password secret. OE.CS: CS shall ensure that the identification information is maintained correctly. CS is the only and unique server for RC Gate, so CS shall be trusted and the identification information for HTTPS method and SMTP method shall be maintained correctly. The CS has to check the time and date regularly, among others, and correct these if necessary. 5 IT Security Requirements. 5.1 TOE Security Functional Requirements. In this section the functional requirements of the TOE to achieve the security objectives identified in section 4.1 are described. The parts against which the assignment and selection operations defined in CC are performed are identified with bold letters and brackets. FDP_ACC.1 Subset access control. Hierarchical to: No other components. FDP_ACC.1.1: The TSF shall enforce the [assignment: RC Gate Operator Access Control Policy] on [assignment: Subject: operator (Administrator, Registrant or CE) or CS; Object: setting item; Operation: R: can see setting item's existence, can view its current value; W: can see setting item's existence, can change its value, but cannot necessarily view the current and under-change value of the item, as only characters are shown, if not in combination with RW; A: can add (create new) setting items, can delete setting
5. FTP_ITC.1.1: The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.2: The TSF shall permit [selection: the TSF] to initiate communication via the trusted channel. FTP_ITC.1.3: The TSF shall initiate communication via the trusted channel for [assignment: exporting and importing information listed in Table 5 between RC Gate and CS via HTTPS communication method]. Dependencies: No dependencies. Table 5: Information passed between RC Gate and CS. Export from RC Gate to CS: alert of image I/O device; alert of RC Gate; status of image I/O device; notice of image I/O device registration; notice of RC Gate registration. Import from CS to RC Gate: firmware of image I/O devices; certificates of image I/O device; request of setting modification of RC Gate. FCS_COP.1 Cryptographic operation. Hierarchical to: No other components. FCS_COP.1.1: The TSF shall perform [assignment: operations listed in Table 6] in accordance with a specified cryptographic algorithm [assignment: listed in Table 6] and cryptographic key sizes [assignment: listed in Table 6] that meet the following assi
6. Device Check Req Call functions Device Check Req Call functions CS Check Req Call Message Restore parameters Message Last backup date time Last restoration date time Restoration result Error code Restore function Restore function Maintenance Restore Notify Maintenance Restore Notify function Notify function Maintenance Log Log setup Maintenance Log parameters Communication log max capacity Log max capacity Maintenance Log collection level Log collection level Maintenance Log System Log Maintenance System Log System Log Maintenance Communication Log Communication Log Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 59 of 59 Maintenance Memory Maintenance Memory parameters Used RAM area Free RAM area Used storage area Free storage area Maintenance Service Call Maintenance Service Call parameters Current SC status 1 SC code Detail code Date time Center communication Maintenance Service Call parameters Service depot 2 Service depot connection Maintenance System Status Maintenance System Status Current system status parameters Date time Reason Security Password CurrentUser CurrentUser Password password Security Permissions Permit access by service Permit access by service Permit updating of Firmware from Permit updating of Firmware Communication Serv
7. Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1, Image I/O device developer's Guidance, Version 1.00, 2005-03-25. 7 PP Claims. There are no Protection Profiles claimed to which this ST is conformant. 8 Rationale. 8.1 Security Objectives Rationale. In this section it is demonstrated that the security objectives identified in section 4 are suitable and covering all aspects of the security environment described in section 3. Table 10 shows that each security objective covers at least one threat, OSP or assumption, and that each threat and assumption is covered by at least one security objective. Table 10: Correspondence between security needs and security objectives. [Matrix cells lost in extraction. Security objectives: O.COM_AUDIT, O.CS_ID, O.TRUST_NET, O.AC_AUDIT, O.SYS_AUDIT, OE.TIME, OE.PHYSICAL, OE.DEVICE, OE.NETWORK, OE.ADMIN, OE.CS, O.OPE_I&A, O.A_RIGHTS, OE.CE, O.CIPHER. Security needs: T.WEB, T.CS_COMM, T.CS_MAIL, T.FAKE_CS, OSP.AUDIT, A.PHYSICAL, A.DEVICE, A.NETWORK, A.CE, A.ADMIN, A.CS.] T.WEB is countered by O.OPE_I&A, O.CIPHER and O.A_RIGHTS because it is ensured user access is user access rights are limited via web interfa
8. is normally used. Administrator can prohibit CE from accessing TOE using Administrator setting menu. Authority of the administrator, the registrant and the CE is divided in this ST definitely. These authority separations depend on a user selection in login by RC Gate monitor. 2.3 Importance of security for RC Gate. It becomes important to protect all information at the office. Image I/O devices like copier, facsimile or printer almost have many information. These data, such as copy counter, toner remaining amount and accident information, are available for accounting and maintenance. Especially counter data are used for accounting, so we have to prevent many threats such as illegal counter alteration, non-authorized CS. RC Gate is responsible for prevention of these thinkable damages. Software module is executed on RC Gate exclusive hardware. The software is written into suitable media as SD memory card. Main function of this software is recognition of Image I/O devices and sending correct data toward CS using SSL (Secure Socket Layer) or S/MIME technology. Image I/O device downtime is dramatically reduced through remote maintenance. RC Gate is ready for receiving SC (stand for Service Call; call for maintenance service) initiated from Image I/O devices manufactured by Ricoh, and call CS immediately. Specifically, remote maintenance cuts downtime by sending such calls automatically to CE. Remote counter monitoring means the user no longer ha
9. 2 2 3. Operation: ADO_IGS 1 1 1 1 1 1 1. Development: ADV_FSP 1 1 1 2 3 3 4; ADV_HLD 1 2 2 3 4 5; ADV_IMP 1 2 3 3; ADV_INT 1 2 3; ADV_LLD 1 1 2 2; ADV_RCR 1 1 1 1 2 2 3; ADV_SPM 1 3 3 3. Guidance Documents: AGD_ADM 1 1 1 1 1 1 1; AGD_USR 1 1 1 1 1 1 1. Life Cycle Support: ALC_DVS 1 1 1 2 2; ALC_FLR; ALC_LCD 1 2 2 3; ALC_TAT 1 2 3 3. Tests: ATE_COV 1 2 2 2 3 3; ATE_DPT 1 1 2 2 3; ATE_FUN 1 1 1 1 2 2; ATE_IND 1 2 2 2 2 2 3. Vulnerability Assessment: AVA_CCA 1 2 2; AVA_MSU 1 2 2 3 3; AVA_SOF 1 1 1 1 1 1; AVA_VLA 1 1 2 3 4 4. Table 2: Evaluation assurance level summary. Evaluation assurance level 1 (EAL1): functionally tested. EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information. EAL1 provides an evaluation of the TOE as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal outlay. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against i
10. 2 Certification Body CERTÜVIT. CERTÜVIT, the Certification Body of TÜV Informationstechnik GmbH, member of TÜV NORD Group, was established in 1998 and offers a variety of services in the context of security evaluation and validation. CERTÜVIT was accredited in September 1999 for certification of IT security products according to ITSEC and Common Criteria by Deutsche Akkreditierungsstelle für Informations- und Telekommunikationstechnik (Dekitz), now Deutsche Akkreditierungsstelle Technik e.V. (DATech), Frankfurt/Main, under DAR registration no. DAT ZE 014 99 01, and performs its projects under a quality management system certified against ISO 9001 by Germanischer Lloyd, Hamburg. CERTÜVIT is accredited by Bundesamt für Sicherheit in der Informationstechnik to issue the German IT Security Certificate, which is recognised by BSI as equivalent to the German IT Security Certificate of BSI. 3 Specifications of the Certification Procedure. The certification body conducts the certification procedure according to the criteria laid down in the following: DIN EN 45011; TÜViT Certification Scheme; TÜViT Certification Conditions; Regulations on the German IT Security Certificate issued by the BSI and accepted in the contract of BSI and TÜViT as of November 20, 2002; Common Criteria for Information Technology Security Evaluation (CC) part 1-3, version 2.2, January 2004; Common Methodology for Information
11. ACM (Configuration management): CM automation (ACM_AUT), CM capabilities (ACM_CAP), CM scope (ACM_SCP). Class ADO (Delivery and operation): Delivery (ADO_DEL), Installation, generation and start-up (ADO_IGS). Class ADV (Development): Functional specification (ADV_FSP), High-level design (ADV_HLD), Implementation representation (ADV_IMP), TSF internals (ADV_INT), Low-level design (ADV_LLD), Representation correspondence (ADV_RCR), Security policy modeling (ADV_SPM). Class AGD (Guidance documents): Administrator guidance (AGD_ADM), User guidance (AGD_USR). Class ALC (Life cycle support): Development security (ALC_DVS), Flaw remediation (ALC_FLR), Life cycle definition (ALC_LCD), Tools and techniques (ALC_TAT). Class ATE (Tests): Coverage (ATE_COV), Depth (ATE_DPT), Functional tests (ATE_FUN), Independent testing (ATE_IND). Class AVA (Vulnerability assessment): Covert channel analysis (AVA_CCA), Misuse (AVA_MSU), Strength of TOE security functions (AVA_SOF), Vulnerability analysis (AVA_VLA). Table 1: Assurance family breakdown and mapping. Evaluation assurance levels (chapter 6). The Evaluation Assurance Levels (EALs) provide an increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. The CC approach identifies the separate concepts of assurance in a TOE at the end of the evaluation, and of maintenance of that assurance during the operational use of the TOE. It is important to note that not all families and components from Part 3 are included in the E
12. Basic R R R R R R RW RW parameters 5 Auth key version EE mE Er Er Sone NI R R mE arne Ee Sats Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 25 of 59 Setting items Allowed operations for each operator and access method Administrator Registrant CE CS direct dialup direct dialup direct dialup direct dialup SMTP SMTP SMTP SMTP HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS RC Gate Settings Network Maintenance Port IP R R R RW RW RW RW RW RW RW RW address Other Maintenance Port R R R R R R R R R R R parameters LAN Port MAC address R R R R R R R R R R R Other LAN Port RW RW RW RW RW RW RW RW RW RW RW parameters Ethernet speed RW RW RW RW RW RW RW RW RW cem p se DNS server parameters RW RW RW RW RW RW W W W EST a at RC Gate Settings E mail E mail parameters 1 RW RW RW RW RW RW RW RW RW RW SRW Se Communication Server E mail address RC Gate admin s E mail R R RW R R RW
13. Langemarckstraße 20, D-45121 Essen, Germany. Part C: Excerpts from the Criteria. The excerpts from the criteria are dealing with: conformance results, assurance categorization, evaluation assurance levels, strength of security function, vulnerability analysis. TÜViT GmbH, Certification body, Langemarckstraße 20, D-45121 Essen, Germany. Certification file: TUVIT-DSZ-CC-9240-2005. Certification report: Software Module of RC Gate, version 3.18, 2005-09-26. CC Part 1: Conformance results. The conformance result indicates the source of the collection of requirements that is met by a TOE or PP that passes its evaluation. This conformance result is presented with respect to Part 2 (functional requirements), Part 3 (assurance requirements) and, if applicable, to a pre-defined set of requirements (e.g., EAL, Protection Profile). The conformance result consists of one of the following: Part 2 conformant: A PP or TOE is Part 2 conformant if the functional requirements are based only upon functional components in Part 2. Part 2 extended: A PP or TOE is Part 2 extended if the functional requirements include functional components not in Part 2. Plus one of the following: Part 3 conformant: A PP or TOE is Part 3 conformant if the assurance requirements are based only upon assurance components in Part 3. Part 3 extended: A PP or TOE is Part 3 extended if the assurance requirements include a
14. RW RW RW address E mail parameters 2 RW RW RW RW RW RW SMTP POP server server parameters 1 RW RW RW RW RW RW W W W oi Sos FE server parameters 2 RW RW RW RW RW RW RW RW RW SEER EES password W W w W W W W w w RC Gate Settings Communication Method Communication method ad R R R R R R R XE Internet connection method ker Ev EE oo oe SEED R R R R EE Other communication method parameters id E E DERE iud Ei E TE Ea TE Eu Dod RC Gate Settings Net Connection Settings Connection Details Internet connection method R R PA nus R R R R EE Proxy password W See oS W uem dese W W W W E Proxy server parameters RW a RW See SP RW RW se EE sce RC Gate Settings Net Connection Settings Dial up Dial up internet connection method PES ue apu d o n ur Hu ar MM mes Vall Access point parameter 1 EMI R mE RW c TUS RW eneren m RW Rone Access point text ad ad Eis SSeS SEER FEE RW xm Rec Dialing Line parameters TOC R RW TENE ad RW RW SEER Copyright c 2004 2005 Ricoh Company Ltd all rights re
15. Secure Digital memory card, which is a highly sophisticated memory device about the size of a postage stamp, and it is used for providing the TOE or other applications for the image I/O device. 3 TOE Security Environment. 3.1 Subjects and Assets. Subjects in context with the defined TOE: Operator, especially the Administrator, the Registrant and the Customer engineer (which is also abbr. as CE); Communication server (also abbr. as CS); Attacker (also called unauthorized person, unauthorized operator, outer evil person). Furthermore, the attacker can also be a mimicked/faked communication server, which is also called Fake CS, none-authorized CS or pseudo CS. The assets that the TOE intends to protect are as follows. Table 3: Assets that the TOE intends to protect (columns: TOE / user data; Asset; in particular, IT security is focused on: confidentiality, integrity, availability). TOE: Certificates for RC Gate. TOE: Passwords for each operator: X. TOE: Audit logs (access information, communication information, system information): X X. User: Setting information for RC Gate: X X. User: Collected information of image I/O devices: X. User: Firmware to update image I/O device: X. User: Certificates for image I/O device: X.
16. TOE was evaluated against the claims of the Security Target (attached in part D) by the evaluation body of TÜV Informationstechnik GmbH (TÜViT). The evaluation was completed on September 16, 2005. TÜViT's evaluation body is recognised by BSI. 1.2 Assurance Package. The TOE security assurance requirements are based entirely on the assurance components and classes defined in Part 3 of the Common Criteria (see part C of this report or CC Part 3 for details). The TOE meets the assurance requirements of assurance level EAL 3 (Evaluation Assurance Level 3). 1.3 Strength of Functions. The TOE's strength of functions is rated basic (SOF-basic). The strength of functions rating does not include cryptographic algorithms for encryption and decryption. For more details see also chapter 9 of this report. 1.4 Functionality. The TOE's security requirements have exclusively been taken from CC part 2, i.e. the set is CC part 2 conformant. CC Chapter 9 lists the security functional requirements in detail. They are met by suitable IT security functions realized by the TOE. SF.OPE_I&A: TSF identifies and authenticates operator (Administrator, Registrant and CE) prior to the operation listed below. When authentication is succeeded, TSF assigns a role (Administrator, Registrant and CE) to the operator. While the operator is entering password, the asterisks are shown instead of password characters. If the wrong password is entered three con
17. Technology Security Evaluation (CEM) part 1, version 0.6, January 1997; Common Methodology for Information Technology Security Evaluation (CEM) part 2, version 2.2, January 2004; Application Notes and Interpretations of the Scheme (AIS), published by BSI. Footnotes: in the following termed shortly TÜViT; in the following termed shortly BSI. 4 Recognition Agreements. In order to avoid multiple certification of the same product by different certification bodies, a mutual recognition of IT security certificates, as far as such certificates are based on ITSEC or CC, under certain conditions was agreed. CERTÜVIT certificates are German IT Security Certificates recognized by BSI, the national German certification body in international agreements, to be equivalent to its own certificates, but they are not part of these international agreements. 4.1 CC Certificates. An arrangement (Common Criteria Arrangement) on the mutual recognition of certificates based on the CC evaluation assurance levels up to and including EAL4 was signed between the national participants of Australia and New Zealand, Austria, Canada, Czech Republic, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, The Netherlands, Norw
18. The evaluation performed in accordance to EAL3 has shown that the TOE security functional requirements are correctly realised by the TOE security functions. Thus, in realising these functional requirements, it is assured that the TOE will meet the security objectives claimed in the ST. The evaluation has shown that the TOE will fulfil the claimed strength of function SOF-basic for the probabilistic and permutational mechanisms (account name / password based authentication) implemented in security function SF.OPE_I&A. The sponsor must advise the certification authority about any modification of the TOE or its guidance documentation. The certification authority will then check whether the certification results are still valid and, if necessary, initiate all further steps concerning a re-evaluation. The results of the evaluation are only applicable to Software Module of RC Gate, version 3.18. The validity can be extended to new versions and releases of the product, provided the sponsor applies for re-certification of the modified product in accordance with the procedural requirements, and the evaluation does not reveal any security deficiencies. 10 Evaluation stipulations, comments and recommendations. With reference to a potential vulnerability found during penetration testing, the following hint important to the end user (customer) was provided by the developer on the web site for RC Gate as supplement to Service Manual and Operating Instruction
19. Type BM1, Version 1.0, 2005-08-15. ADV_RCR.1: Correspondence Analysis for Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1, Version 1.0, 2005-08-15. AGD (Guidance documents), AGD_ADM.1, AGD_USR.1: Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1 Setup Guide, Operating Instructions, Version 1.0, 2005-08-15; Service Manual for Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1, Version 1.0, 2005-08-15; Remote Communication Gate Type BN1/BM1 (Machine Code: A768/A769) SERVICE MANUAL, Version 1.0, revised 2005-05-24; Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1 Safety Information and Setup Guide, Version A768 8603A / A768 8605A, 2005-06-22; Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1 Operating Instructions, Version A768 8604A / A768 8606A, 2005-07-01; Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1 CS developer's Guidance, Version 1.00, 2005-03-25; Remote Communication Gate Type BN1 / Remote Communication Gate Type BM1 Image I/O device developer's Guidance, Version 1.00, 2005-03-25; Remote Communication Gate Type BN1/BM1 (Machine Code: A768/A769) SERVICE MANUAL, Version 1.0, revised 2005-05-24; Remote Communication Gate Type BN1 Remo
20. authenticates CS before communicates with CS by HTTPS. When the identification and authentication is succeeded, it is allowed to export or import information to/from CS. If the identification and authentication is failed, it is denied to export nor import information between CS. For authentication of CS, TSF uses the HTTPS mutual authentication mechanism. FIA_AFL.1 (SF.OPE_I&A): If the wrong password is entered three consecutive times, TSF rejects identification and authentication for one minute. FIA_ATD.1 (SF.OPE_I&A): TSF identifies and authenticates operator (Administrator, Registrant and CE) prior to the operation listed below. When authentication is succeeded, TSF assigns a role (Administrator, Registrant and CE) to the operator. If the authentication is failed, the operator cannot perform following operations: read audit logs; read and modify setting information; modify password. FIA_SOS.1 (SF.OPE_I&A): The operator can change his own password. The length of new password should be at least 8 and at most 13 characters. If the length of the new password is not in the range, the new password is rejected. FIA_UAU.1, FIA_UID.1 (SF.OPE_I&A): TSF identifies and authenticates operator (Administrator, Registrant and CE) prior to the operation listed below. When authentication is succeeded, TSF assigns a role (Administr
21. bypassed, deactivated, or corrupted, it may still be possible to defeat them by direct attack. A level or a specific metric may be claimed for the strength of each of these functions. Strength of function analysis is performed to determine whether such functions meet or exceed the claim. For example, strength of function analysis of a password mechanism can demonstrate that the password function meets the strength claim by showing that the password space is sufficiently large. Three levels exist: SOF-basic, SOF-medium and SOF-high. Vulnerability analysis (AVA_VLA). Vulnerability analysis consists of the identification of flaws potentially introduced in the different refinement steps of the development. It results in the definition of penetration tests through the collection of the necessary information concerning: (1) the completeness of the TSF (does the TSF counter all the postulated threats?) and (2) the dependencies between all security functions. These potential vulnerabilities are assessed through penetration testing to determine whether they could, in practice, be exploitable to compromise the security of the TOE. Application notes: A vulnerability analysis is performed by
22. consumer needs. Security Function: A part or parts of the TOE that have to be relied upon for enforcing a closely related subset of the rules from the TSP. Security Target: A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE. Semiformal: Expressed in a restricted syntax language with defined semantics. Strength of Function: A qualification of a TOE security function expressing the minimum efforts assumed necessary to defeat its expected security behaviour by directly attacking its underlying security mechanisms. SOF-basic: A level of the TOE strength of function where analysis shows that the function provides adequate protection against casual breach of TOE security by attackers possessing a low attack potential. SOF-medium: A level of the TOE strength of function where analysis shows that the function provides adequate protection against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential. SOF-high: A level of the TOE strength of function where analysis shows that the function provides adequate protection against deliberately planned or organised breach of TOE security by attackers possessing a hi
23. for various services will be sent to CS from RC Gate. (2) Access Point: The nearest access point of the area RC Gate is used is pre-installed. (3) Image I/O Devices managed via IP network: RC Gate can manage image I/O devices and laser printers which support MIB information or Ricoh's remote service. (4) PC for Administration: Administrating RC Gate via PC Web browser (called RC Gate Monitor). (5) This Equipment (Remote Communication Gate Type BM1): Various pieces of information of the image I/O devices managed by RC Gate are sent to CS. There is one communication method between RC Gate and CS: (1) HTTPS method exchanges messages between CS as the HTTPS server and RC Gate as the HTTPS client. Firmware download and mail system cannot be used in this type because of data transfer speed. (6) The Image I/O Devices managed via serial communication bus (TIA/EIA-485): Image I/O devices manufactured by Ricoh can also be managed by directly connecting them to RC Gate with the serial modular cable. A maximum of five image I/O devices can be connected to one RC Gate. In this system, security functionality of RC Gate consists of six functions as follows: 1. RC Gate identifies and authenticates the different operators (administrator, registrant or CE). Communication between RC Gate and RC Gate Monitor is based on the https protocol. RC Gate controls operations performed by the operator. RC Gate identifies and authenticates CS before communicates with
24. items existence can view its current value can see setting items existence can change its value but cannot necessarily view the current and under change value of the item as only lt characters are shown if not in combination with RW can add create new setting items can delete setting items can execute a function can not see setting items existence can not view or change or the value of the setting item Setting items Allowed operations for each operator and access method Administrator Registrant CE CS direct dialup direct dialup direct dialup direct dialup SMTP SMTP SMTP SMTP HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS RC Gate Settings Basic RC Gate Setting Basic R R R R R R R R R R R parameters 1 RC Gate Setting Basic R R R R R R R R R parameters 2 RC Gate Setting Basic R R R R R R RW RW parameters 3 RC Gate Setting Basic R R R R R R d parameters 4 Language R R R RW RW Time zone RW RW RW RW RW RW RW RW RW RW RW SES Date Time RW RW RW RW RW RW RW RW RW RW RW Sam RC Gate Setting
25. log exceeds 64 Kbytes, the oldest record is overwritten with new record. 8.3.2 Rationale for strength of function claims. As shown in section 6.2, there are four security functions, SF.OPE_I&A, SF.CS_I&A, SF.CS_HTTPS and SF.CS_SMIME, that have the probabilistic or permutational mechanism. Only the function SF.OPE_I&A has the strength SOF-Basic. Other functions SF.CS_I&A, SF.CS_HTTPS and SF.CS_SMIME are excluded from the SOF rating. On the other hand, as claimed in section 5.2, the minimum strength of TOE security functions is SOF-Basic. RC Gate manages data which are assets of only low financial value. Therefore SOF-Basic can be considered appropriate for the assets. It is obvious that those claims are consistent. 8.3.3 Rationale for combination of security functions. As shown in section 8.3.1, the 6 security functions defined in section 6.1 cover all the security functional requirements. And as shown in section 8.2.4, those requirements mutually support each other. In addition, there is no security weakness due to the combination of security functions, since those functions are independent each other, because it is obvious that there are no overlapping parts of them. That is, all the security functions work together so as to satisfy the security functional requirements. 8.3.4 Rationale for assurance measures. Table 14 shows that the corresponding assurance measures are provided for each assurance requirement due
26. low financial value. Therefore SOF Basic can be considered appropriate for the minimum strength of function level for the TOE. 8.2.3 Rationale for assurance requirements. An attacker may disclose the information data which is sent/received between RC Gate and CS via Internet or telephone line directly. The attacker may be an evil person wandering around Internet or monitoring line in secret. For providing this countermeasure, the TOE identifies and authenticates operator (SF OPE_I&A) and communication apparatus (SF CS_I&A). In addition, user data is encrypted by HTTPS (SF CS_HTTPS) and SMIME (SF CS_SMIME). Summarized, the following security functions are realised by probabilistic or permutational mechanisms: SF OPE_I&A, SF CS_I&A, SF CS_HTTPS and SF CS_SMIME. (Copyright (c) 2004 2005 Ricoh Company Ltd, all rights reserved. Page 44 of 59.) Three of those, SF CS_I&A, SF CS_HTTPS and SF CS_SMIME, are realised only by cryptographic mechanisms, whereas the strength of function of SF OPE_I&A will be SOF Basic. Furthermore, the higher attack potential is required for such attacks as bypassing or tampering the TSF itself, and it is out of scope of this evaluation. RC Gate manages only data from the image devices, no direct financial assets, i.e. analysis of obvious vulnerabilities (AVA_VLA.1) is enough for general needs. On the other hand, it is needed to keep the secret concerning th
27. security functional requirements for the environment. TOE Summary Specification Rationale. Rationale for TOE security functions. In this section it is demonstrated that the security functions defined in section 6.1 realize the security functional requirements specified in section 5.1. Table 12 shows that each security function for the TOE covers at least one TOE security functional requirement and that each TOE security functional requirement is covered by at least one security function for the TOE. [Table 12: Correspondence between functional requirements and security functions. Columns: SF OPE_I&A, SF CS_I&A, SF CS_HTTPS, SF CS_SMIME, SF AUDIT, SF OPE AC. Rows: FDP_ACC.1, FDP_ACF.1, FTP_ITC.1, FCS_COP.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.1, FIA_UAU.7, FIA_UID.1, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FAU_GEN, FAU_GEN.2, FAU_SAR.1(a), FAU_SAR.1(b), FAU_STG.2.] The following Table 13 shows the corresponding part of description of the security function which derives from section 6.1. Table 13: Corresponding description of security functions (Requirement; Description of security functions). FDP_ACC.1, FDP_ACF.1: SF OPE AC. TSF controls operations performed by the operator based on the operator's identifica
28. the developer in order to ascertain the presence of security vulnerabilities, and should consider at least the contents of all the TOE deliverables including the ST for the targeted evaluation assurance level. The developer is required to document the disposition of identified vulnerabilities to allow the evaluator to make use of that information if it is found useful as a support for the evaluator's independent vulnerability analysis. The intent of the developer analysis is to confirm that no identified security vulnerabilities can be exploited in the intended environment for the TOE and that the TOE is resistant to obvious penetration attacks. Obvious vulnerabilities are considered to be those that are open to exploitation that requires a minimum of understanding of the TOE, skill, technical sophistication, and resources. These might be suggested by the TSF interface description. Obvious vulnerabilities include those in the public domain, details of which should be known to a developer or available from an evaluation authority. Performing a search for vulnerabilities in a systematic way requires that the developer identify those vulnerabilities in a structured and repeatable way, as opposed to identifying them in an ad hoc fashion. The associated evidence that the search for vulnerabilities was systematic should include identification of all TOE documentation upon which the search for flaws was based. Independent vulnerability analysis goes beyon
29. view the current and under change value of the item, as only characters are shown, if not in combination with RW; A: can add (create) new setting items, can delete setting items; E: can execute a function; can not see setting items existence, can not view or change or the value of the setting item; on setting items (objects) as defined in table 4 in ST. Security policy is described more detailed in the ST, which is attached as part D of this certification report. 4 Assumptions and Clarification of Scope. 4.1 Usage Assumptions. It is assumed that the local network is properly managed and that RC Gate is physically protected. Administrator, Registrant and Customer engineer (CE) are trustworthy. 4.2 Environmental Assumptions. The specific conditions listed below are assumed to exist in the TOE environment. These assumptions include essential environmental constraints on the use of the TOE. (TÜViT GmbH, Certification body, Langemarckstraße 20, D-45121 Essen, Germany. B-8. Certification file TUVIT DSZ CC 9240 2005. Certification report: Software Module of RC Gate, version 3.18, 2005-09-26.) A PHYSICAL: The TOE is physically protected. A DEVICE: Laser printers and multifunctional printers are trusted. A NETWORK: Network is properly managed by responsible persons. A CE: Customer Engineer (CE) is trusted. A ADMIN: Administrator and Registrant are trusted. A CS: Communication Server is properly managed by resp
30. which includes copier, printer, facsimile and multi-functional device. UNIX compatible OS is freeware and high portability. RC Gate is working on RC Gate OS based on MontaVista Linux supplied by MontaVista Software Inc. Management Information Base: Network machinery managed with SNMP is information to show in order to tell RC Gate about a state of oneself outside. There is MIB2 prescribed with MIB1 and RFC 1213 prescribed as RFC 1156, and RC Gate shall treat MIB2 and MIB1. Master key is a symmetric key used by Certificate Manager to encrypt/decrypt information. There are three kinds of operators: Administrator, Registrant and CE. Public Key Infrastructure, which is a digital key technology used for secure communication. Private key is used to encrypt/decrypt information in association with public key. Public key is used to identify communication apparatus. [2] Certificate Manager is part of an OpenSSL library and used from CS Management Module. Term / Definition. RC Gate: Remote Communication Gate is the communication box between image I/O devices and the Communication Server. RC Gate monitor: WEB interface of RC Gate; operator has access to RC Gate using this interface. Registrant: Registrant is the trusted person who is authorised to set up operations of the RC Gate. SD memory card: SD memory card is
31. 05 08 15. 8.4 PP Claims Rationale. There are no Protection Profiles claimed to which this ST is conformant. 9 Annex. 9.1 Source. ISO/IEC 15408 Information technology, Security techniques, Evaluation criteria for IT security: ISO/IEC 15408-1:1999(E) Part 1: Introduction and general model; ISO/IEC 15408-2:1999(E) Part 2: Security functional requirements; ISO/IEC 15408-3:1999(E) Part 3: Security assurance requirements. 9.2 Abbreviation. CC: Common Criteria; CE: Customer Engineer; CS: Communication Server; DBMS: Data Base Management System; Image I/O device: Copier, Printer, Facsimile and Multi-functional Printer; LAN: Local Area Network; MIB: Management Information Base; OS: Operating System; PP: Protection Profile; SC: Service Call; SD memory card: Secure Digital memory card; SF: Security Function; ST: Security Target; TIA/EIA: The US Telecommunications Industries Association and Electronics Industries Association; TOE: Target of Evaluation; TSF: TOE Security Function. 9.3 Grouping Setting Items. RC Gate has many setting items, and the setting items contain items not related to security functions. The setting items shown in Table 4 are summarized for simplification. Each setting item shown in Table 4 is grouped fr
32. 1 Acronyms; 13.2 Glossary; Bibliography. 1 Executive Summary. 1.1 Target of Evaluation and Evaluation Background. The TOE is the Software module of RC Gate V3.18 implemented in the product Remote Communication Gate Type BN1 and Remote Communication Gate Type BM1. The product RC Gate acts as a relay unit which collects operational data like alerts, status or counter information from networked laser printers or multifunctional printers (MFPs). Collected data is sent to a trusted management server via Internet or telephone line (Dial-up PPP connection). The trusted management server is called Communication Server (CS). During transmission the information is HTTPS or S/MIME secured. Once received, the data is processed and used to generate meter billing, printer supply orders and fleet utilization reports. Furthermore, RC Gate supports the firmware update of networked laser printers and multifunctional printers (MFPs). RC Gate identifies and authenticates different operators (administrator, registrant or CE). It controls operations performed by the operator and identifies and authenticates CS before com
33. ALs. This is not to say that these do not provide meaningful and desirable assurances. Instead, it is expected that these families and components will be considered for augmentation of an EAL in those PPs and STs for which they provide utility. Evaluation assurance level (EAL) overview. Table 2 represents a summary of the EALs. The columns represent a hierarchically ordered set of EALs, while the rows represent assurance families. Each number in the resulting matrix identifies a specific assurance component where applicable. As outlined in the next section, seven hierarchically ordered evaluation assurance levels are defined in the CC for the rating of a TOE's assurance. They are hierarchically ordered inasmuch as each EAL represents more assurance than all lower EALs. The increase in assurance from EAL to EAL is accomplished by substitution of a hierarchically higher assurance component from the same assurance family (i.e. increasing rigour, scope, and/or depth) and from the addition of assurance components from other assurance families (i.e. adding new requirements). These EALs consist of an appropriate combination of assurance components as described in chapter 2 of CC Part 3. More precisely, each EAL includes n
34. CS by HTTPS method. RC Gate shall export and import encrypted information when HTTPS method is selected. RC Gate shall export encrypted E-mail information to CS when SMTP method is selected. RC Gate records three types of audit log: access log, communication log and system log. 2.2 Persons concerned. The following are the persons concerned with the TOE. The person concerned is separated by authority to show in the following. Each authority is separated. 1) Administrator: RC Gate administrator can access for various setting information of RC Gate. He/She is a manager of a customer managing RC Gate to be concrete. He/She can access RC Gate through RC Gate monitor, and setting of proxy is possible. 2) Registrant: RC Gate registrant has authority to register RC Gate on CS. Registration Wizard is available on the RC Gate monitor. Application Note: Registrant authority is opened up to above administrator. However, in case of user's request, CE (Customer Engineer) to put up next is entrusted to this authority. 3) CE: CE (Customer Engineer) can access information of RC Gate via RC Gate monitor to maintain it or to investigate it in an obstacle. He/She is a trusted person authorized by RICOH or affiliate companies. He/She shall receive education of RC Gate and read Service Manual thoroughly. CE port, the outside LAN port of RC Gate
35. Furthermore, the customer engineer (CE) can change the administrator and registrant password if he knows their current password. The length of new password should be at least 8 and at most 13 characters. If the length of the new password is not in the range, the new password is rejected. Prior to identification and authentication it is possible to read RC Gate version and Licenses and to select language and operator list via RC Gate monitor. SF OPE AC: TSF controls operations performed by the operator based on the operator's identification information and method to communicate with CS. When direct HTTPS method, dialup HTTPS method or SMTP method is used to communicate with CS, operators can access the information based on Table 4. SF CS_I&A: TSF identifies and authenticates CS before it communicates with CS by HTTPS. When the identification and authentication has succeeded, it is allowed to export or import information to/from CS. If the identification and authentication has failed, it is denied to export or import information between CS. For authentication of CS, TSF uses the HTTPS mutual authentication mechanism. SF CS_HTTPS: TSF can export and import information listed in Table 5 to/from CS by using HTTPS protocol. TSF authenticates CS before export or import of information. When CS is successfully authenticated, TSF encrypts the information to export and decrypts the imported information. Furthermore, CS is able to perform the allowed ope
36. Internet or telephone line directly. The attacker may be an evil person wandering around Internet or monitoring line in secret. Leakage of or tampering with information at Internet when mail method is used: An attacker may disclose and/or modify information in mails (relevant assets as defined in chapter 3.1 before) which is sent from RC Gate toward CS via Internet. The attacker may be an evil person wandering around Internet. A fake CS may be built in Internet or telephone network when RC Gate communicates with CS: An attacker may build a fake CS (non-authorized CS). In addition, he/she may get the information data (relevant assets as defined in chapter 3.1 before) which is sent/received between RC Gate and the fake CS via Internet or telephone line. The attacker may be an evil person wandering around Internet or telephone network. 3.4 Organisational Security Policies. In this section the organisational security policies concerning the TOE are identified and described. OSP AUDIT: TOE shall write (create) logs for audit or maintenance. There are the following three types of log information: access information (Login authentication); communicating information (Sending information to CS and image I/O device, Receiving information from CS and image I/O device); system information (Start-up of the TOE, Shutdown of the TOE, Process information). These defined types of log information should contain date and time of each ev
37. Ltd. Date: 2005-08-15. Version 1.0. Security Target for Remote Communication Gate Type BN1, Remote Communication Gate Type BM1. Author: Hiroshi KAKII, Atsushi SATOH, Tomoaki ENOKIDA, Masahiro ITOH, Chitose MIURA, Haruyuki HIRABAYASHI, Jun SATOH, Ricoh Company Ltd. Date: 2005-08-15. Version 1.0. Document Revision History (Version; Date; Author; Description): 1.0; 2005-08-15; Hiroshi KAKII, Atsushi SATOH, Tomoaki ENOKIDA, Masahiro ITOH, Chitose MIURA, Haruyuki HIRABAYASHI, Jun SATOH; Adjusted version(s) and date(s) of all reference(s). Table of Contents: 1 ST Introduction 6; 1.1 ST Identification 6; 1.2 ST Overview 6; 1.3 ISO/IEC 15408 Conformance Claim 7; 2 ... 8; 2.1 Product Type 8; 2.2 Persons concerned 10; 2.3 Importance of security for RC Gate
38. T environment 21; 5 IT Security ... 23; 5.1 TOE Security Functional Requirements 23; 5.2 Minimum Strength of Function Claim 33; 5.3 TOE Security Assurance Requirements 33; 5.4 Security Requirements for the Environment 34; 6 ... 35; 6.1 TOE Security Functions 35; 6.2 Strength of Function Claims 36; 6.3 Assurance Measures 36; 7 PP Claims 39; 8 ... 40; 8.1 Security Objectives Rationale 40; 8.2 Security Requirements Rationale
39. TÜViT CERTIFICATION REPORT. Certification file: TUVIT DSZ CC 9240 2005. Product / system: Remote Communication Unit Software Module of Remote Communication Gate Type BN1 & BM1, Version 3.18 (summarized as Software Module of RC Gate, version 3.18). Product manufacturer: Ricoh Company Ltd, 1-3-6 Nakamagome, Ohta-ku, Tokyo 143-8555, Japan. Customer: see above. Evaluation facility: TÜViT evaluation body for IT security. Evaluation report: Version 1.1 as of 2005-09-16, Document number 20653678 TUVIT 023 02, Author: Harald Wacker. Result: EAL3. Evaluation stipulations: none. Certifier: Joachim Faulhaber. Certification stipulations: none. Essen, 2005-09-26. Dr Christoph Sutter, Joachim Faulhaber. Contents: Part A: Certificate and Background of the Certification; Part B: Certification Results; Part C: Excerpts from the Criteria; Part D: Security Target. Part A: Certificate and Background of the Certification. Part A presents a copy of the issued certificate and summarizes information about the certification body, the certification procedure, and the performance of evaluation a
40. This work was concluded on September 26, 2005. The confirmation of the evaluation assurance level (EAL) only applies on the condition that all stipulations regarding generation, configuration and operation as given in part B of this report are observed, and the product is operated, where indicated, in the environment described. This certification report applies only to the version of the product indicated here. The validity of the certificate can be extended to cover new versions and releases of the product, provided the applicant applies for re-certification of the modified product in accordance with the procedural requirements, and provided the evaluation does not reveal any security deficiencies. With regard to the meaning of the evaluation assurance levels (EAL) and the strength of function (SOF), please refer to part C of this report. 6 Publication. The following Certification Results consist of pages B-1 to B-16. The product Software Module of RC Gate, version 3.18, will be included in the BSI list of certified products, which is published at regular intervals, e.g. in the Internet at http://www.bsi.bund.de, and the TÜViT certification lists (http://www.certuvit.de). Further copies of this certification report may be ordered from the sponsor of the product. The certification report may also be obtained in electronic form at the internet a
41. Certificates for image I/O device. The threats as defined in the security target are: T WEB: Assets in RC Gate may be read, modified or destroyed by employees or external attackers. T CS_COMM: Leakage of or tampering at Internet or telephone line when RC Gate communicates CS directly. T CS MAIL: Leakage of or tampering with information at Internet when mail method is used. T FAKE_CS: A fake CS may be built in Internet or telephone network when RC Gate communicates with CS. The TOE complies with the following organisational security policy (OSP): OSP AUDIT: TOE shall write (create) logs for audit or maintenance. A more detailed description of the threats and OSPs which were assumed for the evaluation is specified in the ST, which is attached as part D of this certification report. 1.6 Special Configuration Requirements. The TOE is delivered as one fixed configuration and no further generation takes place after delivery to the customer. 1.7 Assumptions about the Operating Environment. The assumptions about the environment of use of the TOE and about the intended usage of the TOE cover physical and personnel aspects. It is assumed that RC Gate is placed in a physical secure place. Multifunctional printers and laser printers are genuine products. The network is properly managed and the CE is well trained. Furthermore, CE, administrator, registrant and the communication server can be trusted. Further assumptions
42. also schedules the communication timing to CS or image I/O device according to the setting information for RC Gate. DBMS provides data management function and interfaces of SD memory. SD memory stores collected information, settings or firmware and certificates for devices. Image I/O device information is stored in SD memory through DBMS. SMTP Communication Module sends mail information to external SMTP server. Web Management Module performs operator identification and authentication. This module also provides Web interface. Flash memory is used for storing certificates. These certificates are read by Web Management Module when RC Gate starts up. CS Management Module performs CS identification, authentication and data exchange. Cryptographic function is included in this module. Certificates are read via Web Management Module. Log Management Module provides log management function. Each module, such as CS, Web and Device Management Module, sends the logging event to Log Management Module. This module reads system time from OS to create audit event. Log files are saved in SD memory. Device Management Module manages image I/O devices, which include copier, printer, facsimile and multi-functional device. Main function of this module is collecting information of image I/O devices. Communication Management Module RC Gate Flash Memor
43. ance Service Call Maintenance Service Call R R R R R R R R R R R parameters 1 Setting items Allowed operations for each operator and access method Administrator Registrant CE CS direct dialup direct dialup direct dialup direct dialup SMTP SMTP SMTP SMTP HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS Maintenance Service Call R R R R R R R Re parameters 2 Maintenance System Status Maintenance System R R R R R R R R Status parameters Security Password CurrentUser gt gt see pe ga W W W m uuu x Password W W W W W W W W w Security Permissions Permit access by service RW RW RW Sage aoe soos desc secs Soc Sars Permit updating of Firmware from RW RW M RUE Er de Communication Server Security Access Log Access Log R R R R R R R R R. FTP_ITC.1 Inter-TSF trusted channel. Hierarchical to: No other components
44. ations could not be installed without being noticed by those responsible; therefore the image I/O device is held genuine status. A NETWORK is covered by OE NETWORK because it is ensured that the office network is working well and LAN circumstance is protected by firewall. A CE is covered by OE CE because it is ensured that reliable CE comes to carry out the maintenance of RC Gate, since the user commissions the proper dealer to repair. They are responsible for the TOE confirms that CE is an authentic person of Ricoh or a proper distributor and make efforts to keep up it correctly. A ADMIN is covered by OE ADMIN because it is ensured that user administrator carries out the settings of RC Gate, since he/she reads user's documentations properly. A CS is covered by OE CS because it is ensured that CS is unique and trusted. CS is protected from outer evil person. 8.2 Security Requirements Rationale. 8.2.1 Rationale for functional requirements. In this section it is demonstrated that the security functional requirements specified in section 5 achieve the security objectives identified in section 4. Table 11 shows that TOE security functional requirement covers security objective for the TOE, and security functional requirement for the IT environment covers security objective for the IT environment. Table 11: Correspondence between security obj
45. ator, Registrant and CE) to the operator. If the authentication is failed, the operator cannot perform following operations: read audit logs, read and modify setting information, modify password. FIA_UAU.7 (SF OPE_I&A): While the operator is entering password, the asterisks are shown instead of password characters. FMT_MTD.1 (SF OPE_I&A): The operator can change his own password. The length of new password should be at least 8 and at most 13 characters. If the length of the new password is not in the range, the new password is rejected. FMT_SMF.1 (SF OPE_I&A): The operator can change his own password. The length of new password should be at least 8 and at most 13 characters. If the length of the new password is not in the range, the new password is rejected. FMT_SMR.1 (SF OPE_I&A): TSF identifies and authenticates operator (Administrator, Registrant and CE) prior to the operation listed below. When authentication is succeeded, TSF assigns a role (Administrator, Registrant and CE) to the operator. If the authentication is failed, the operator cannot perform following operations: read audit logs, read and modify setting information, modify password. SF CS_I&A: TSF identifies and authenticates CS before it communicates with CS by HTTPS. When the identification and authentication is succeeded, it is allowed to export or import information to/from CS. If the identification and authentication is failed, it is denied to
46. ay, Republic of Singapore, Spain, Sweden, Turkey, United Kingdom and the United States. 4.2 ITSEC/CC Certificates. The SOGIS Agreement on the mutual recognition of certificates based on ITSEC was signed by the national bodies of Finland, France, Germany, Greece, Italy, The Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and the United Kingdom. The arrangement on the mutual recognition of IT security certificates based on the CC was extended by these participants up to and including the evaluation assurance level EAL7. 5 Performance of Evaluation and Certification. The certification body monitors each individual evaluation to ensure uniform procedures, interpretations of the criteria and ratings. The product Software Module of RC Gate, version 3.18, has undergone the certification procedure at TÜViT certification body. It was an initial certification. The evaluation of the product Software Module of RC Gate, version 3.18, was conducted by the evaluation body for IT security of TÜViT and concluded on September 16, 2005. The TÜViT evaluation facility is recognised by BSI. The sponsor as well as the developer is Ricoh Company Ltd. Distributor of the product is Ricoh Company Ltd. The certification was concluded with the comparability check and the preparation of this certification report.
47. ce O OPE_I&A is performed for operators by login ID and password process. Access rights as defined in Table 4 are ensured by O A_RIGHTS. Furthermore, data transmission is encoded by O CIPHER. O CIPHER serves as prevention against network monitoring, and therefore no one can analyse the password, respectively no one can analyse the authentication data, to get unauthorized access rights. T CS_COMM is countered by O TRUST_NET, O CIPHER because it is ensured that TOE communicates CS using O TRUST_NET. Communication data between TOE and CS is encrypted by O CIPHER. T CS MAIL is countered by O CIPHER because it is ensured that Mail information toward CS is encrypted by O CIPHER. Encrypted mail information is decrypted by the private key of CS. T FAKE_CS is countered by O CS_ID because it is ensured that TOE identifies and authenticates CS using a unique ID by O CS_ID. OSP AUDIT is countered by O AC_AUDIT, O COM_AUDIT, O SYS_AUDIT and OE TIME because it is ensured that access evidence is logged with occurred time by O AC_AUDIT, O COM_AUDIT, O SYS_AUDIT and OE TIME. A PHYSICAL is covered by OE PHYSICAL because it is ensured that storage media and the information stored in are protected from an attacker (outer evil person). A DEVICE is covered by OE DEVICE because it is ensured that image I/O devices are set up in an orderly manner and illegal applic
48. cess rights to the administrator, registrant, customer engineer or communication server (CS) as stated in ST Table 4. The TOE must ensure a trusted communication between RC Gate and CS. For the communication between RC Gate and CS, a trusted channel (HTTPS communication) has to be used, focused on the identification and authentication protocol mechanisms. The TOE must ensure that communications are done through encrypted channel. When RC Gate is accessed by an operator via its web user interface, or RC Gate is communicating with CS directly, those data is encrypted/decrypted using HTTPS technology method. When RC Gate sends mail toward CS, the mail is encrypted using SMIME technology. TOE must ensure that access information shall be logged. When RC Gate is accessed via RC Gate monitor, access information must be logged by the TOE. The logged access information can only be read out, not modified, by the administrator, registrant or CE as stated (specified) in ST Table 4. Therefore illegal access can be detected by way of analysing this log. O COM_AUDIT: TOE must ensure that communicating information shall be logged. When RC Gate communicates with CS or with image I/O devices, all specified communication information(s) has to be logged. The logged communication information(s) can only be read out, not modified, by the administrator, regi
49. d the vulnerabilities identified by the developer. The main intent of the evaluator analysis is to determine that the TOE is resistant to penetration attacks performed by an attacker possessing a low (for AVA_VLA.2), moderate (for AVA_VLA.3) or high (for AVA_VLA.4) attack potential. To accomplish this intent, the evaluator first assesses the exploitability of all identified vulnerabilities. This is accomplished by conducting penetration testing. The evaluator should assume the role of an attacker with a low (for AVA_VLA.2), moderate (for AVA_VLA.3) or high (for AVA_VLA.4) attack potential when attempting to penetrate the TOE. Any exploitation of vulnerabilities by such an attacker should be considered by the evaluator to be obvious penetration attacks (with respect to the AVA_VLA.*.2C elements) in the context of the components AVA_VLA.2 through AVA_VLA.4. Part D: Security Target. Attached is the Security Target for Remote Communication Gate Type BN1, Remote Communication Gate Type BM1. Author: Hiroshi KAKII, Atsushi SATOH, Tomoaki ENOKIDA, Masahiro ITOH, Chitose MIURA, Haruyuki HIRABAYASHI, Jun SATOH, Ricoh Company
50. ddress of CERTUVIT as stated above. Part B: Certification Result. The following results represent a summary of: the security target of the sponsor for the target of evaluation; the relevant evaluation results from the evaluation facility; and complementary notes and stipulations of the certification body. Contents of the Certification Result: 1 Executive Summary (1.1 Target of Evaluation and Evaluation Background; 1.2 Assurance Package; 1.3 Strength of Functions; 1.4 Functionality; 1.5 Summary of Threats and Organisational Security Policies (OSPs); 1.6 Special Configuration Requirements; 1.7 Assumptions about the Operating Environment; 1.8 Independence of the Certifier; 1.9 Disclaimers); 2 Identification of the TOE; 3 Security Policy; 4 Assumptions and Clarification of Scope (4.1 Usage Assumptions; 4.2 Environmental Assumptions; 4.3 Clarification of Scope); 5 Architectural Information; 6 Documentation; 7 IT Product Testing; 8 Evaluated Configuration; 9 Results of the Evaluation; 10 Evaluation stipulations, comments and recommendations; 11 Certification stipulations and notes; 12 Security Target; 13 Definitions; 13
51. dentified threats. Evaluation assurance level 2 (EAL2), structurally tested: EAL2 requires the co-operation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited. Evaluation assurance level 3 (EAL3), methodically tested and checked: EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial re-engineering. Evaluation assuranc
52. e events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: not specified] level of audit; and c) [assignment: The events listed in Table 7]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: no other audit relevant information]. Dependencies: FPT_STM.1 Reliable time stamps. Table 7: Events recorded to audit log (type of audit log: events). Access log: Login authentication. Communication log: Sending information to CS and image I/O device; Receiving information from CS and image I/O device. System log: Start-up of the TOE; Shutdown of the TOE; Information of each function, e.g. PPP (Dial-up), CGI (Web), SMTP (E-Mail), DBMS (Database). FAU_GEN.2 User identity association. Hierarchical to: No other components. FAU_GEN.2.1 The TSF shall be able to associate each auditable event [refinement: of access log] with the identity of the user that caused the event. Dependencies: FAU_GEN.1 Audit data generation, FIA_UID.1 Timing of identification. FAU_SAR.1 (a) Audit review. Hierarchical to: No other comp
53. e level 4 (EAL4), methodically designed, tested and reviewed: EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs. Evaluation assurance level 5 (EAL5), semiformally designed and tested: EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialised techniques, will not be large. EAL5 is th
54. e relevant information in an effort to make an attack harder and Ricoh considers that it is meaningful to get confidence of security also from the development environment i e development security ALC_DVS 1 For the reason stated above EAL3 is selected as the proper estimation assurance level for this TOE 8 2 4 Mutual support of security requirements 8 3 8 3 1 The set of security functional requirements that are selected in this ST covers all the TOE security objectives as demonstrated in section 8 2 1 In this ST the component FMT MSA 3 is required as the dependencies of FDP ACF 1 but FMT_MSA 3 is not included in the TOE security functional requirements The access right to the setting information is fixed and the security attributes are not changed So it is not necessary to change initial values of security attribute and the requirement FMT MSA 3 is not required In this ST the components FCS CKM 1 FCS CKM 4 and FMT MSA 2 are required as the dependencies of FCS COP 1 but those requirements are not included in the TOE security functional requirements The cryptographic key is installed during production of RC Gate and is not replaced until the end of the life cycle Therefore the requirements FCS_CKM 1 FCS CKM 4 and FMT MSA 2 are not required In this ST the component FPT STM 1 is required as the dependencies of FAU GEN 1 but FPT SMT 1 is not included in the TOE security functional requirements FPT SMT 1 is included in
55. ectives and functional requirements. [Table rows: O.OPE_I&A, O.CS_ID, O.A_RIGHTS, O.TRUST_NET, O.CIPHER, O.AC_AUDIT, O.COM_AUDIT, O.SYS_AUDIT, OE.TIME; column headers and cell marks garbled in extraction.] O.OPE_I&A is achieved by FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.1, FIA_UAU.7, FIA_UID.1 and FMT_SMR.1, because those requirements ensure that only authorized operator can access TOE data, i.e. unauthorized person cannot access TOE. O.CS_ID is achieved by FTP_ITC.1, because that requirement ensures that RC Gate identifies and authenticates CS, i.e. RC Gate never connects pseudo CS. O.A_RIGHTS is achieved first by FDP_ACC.1 and FDP_ACF.1, because these two requirements ensure that RC Gate gives the defined (specified) access rights, as stated in Table 4, to the operator or CS as correctly identified and authenticated before. Additionally, O.A_RIGHTS is achieved by FMT_MTD.1 (restriction to modify the password) and by FMT_SMF.1 (capability to modify operator's password). O.TRUST_NET is achieved by FTP_ITC.1 and FCS_COP.1, because those requirements ensure that CS is identified and authenticated when establishing a trusted channel, and the information as stated in Table 5, respectively the rel
56. ecurity function evaluation; AVA_VLA.1 Developer vulnerability analysis. 5.4 Security Requirements for the Environment. In this section, the functional requirements of the environment to achieve the security objectives identified in section 4.2 are described. The parts against which the assignment, selection, and refinement operations are performed are identified with bold letters and brackets. FPT_STM.1 Reliable time stamps. Hierarchical to: No other components. FPT_STM.1.1 The [refinement: IT environment] shall be able to provide reliable time stamps for its own use. Dependencies: No dependencies. 6 TOE Summary Specification. 6.1 TOE Security Functions. SF.OPE_I&A: TSF identifies and authenticates the operator (Administrator, Registrant, and CE) prior to the operations listed below. When authentication succeeds, TSF assigns a role (Administrator, Registrant, and CE) to the operator. If the authentication fails, the operator cannot perform the following operations: read audit logs, read and modify setting information, modify password. While the operator is entering the password, asterisks are shown instead of the password characters. If the wrong password is entered three consecutive times, TSF rejects identification and authentication for one minute. The operator (Administrator, Registrant, and CE) can change his own password
57. 8.2.1 Rationale for functional requirements; 8.2.2 Rationale for minimum strength of function level; 8.2.3 Rationale for assurance requirements; 8.2.4 Mutual support of security requirements; 8.3 TOE Summary Specification Rationale; 8.3.1 Rationale for TOE security functions; 8.3.2 Rationale for strength of function claims; 8.3.3 Rationale for combination of security functions; 8.3.4 Rationale for assurance measures; 8.4 PP Claims; 9 (title illegible); 9.1 Source; 9.2 (title illegible); 9.3 (title illegible)
58. ent. Furthermore, the access information and communicating information should be steadily checked by administrator, registrant, and CE. Additionally, the system information should be checked by CE and/or CS. 4 Security Objectives. 4.1 Security Objectives for the TOE. In this section, the security objectives of the TOE that cover the aspects of the threats and OSP in section 3.3 are described. O.OPE_I&A, O.CS_ID, O.A_RIGHTS, O.TRUST_NET, O.CIPHER, O.AC_AUDIT. The TOE must identify and authenticate the operator. When someone accesses the TOE via Web Interface, the TOE must unambiguously identify one of the following operators: administrator, registrant, and/or customer engineer, via secured password login. After successful operator identification and authentication, the TOE will give the specified (allowed) access rights to the operator. The TOE must ensure that RC Gate shall communicate with the correct CS. The TOE will ensure that CS shall be strictly correct one. RC Gate compares a unique ID of CS to the information of electrical certification. Therefore no other server can access the TOE. The TOE must control access to the assets by appropriate access rights. After successful operator identification and authentication (O.OPE_I&A or O.CS_ID), the TOE will give the specified (allowed) access rights to, respectively control the ac
59. er from Communication Server Security Access Log Access Log Log Security Format RC Gate Format function Format function
60. ered to the user and marked with the developer's identifiers. TOE: Software module of RC Gate V3.18. Product / TOE platform: Remote Communication Gate Type BN1 (Code Europe: A76827, Code North America: A76817); Remote Communication Gate Type BM1 (Code Europe: A76927, Code North America: A76917). Operating system of the TOE platform: RC Gate OS V1.11, based on MontaVista Linux. The evaluated TOE version can be uniquely identified by comparison of the information presented on the RC Gate Login page (browser GUI, browser window) with validation information provided by the developer on the web site for RC Gate, e.g. firmware 3.19 1.11. The first figure denotes the version of the TOE and the second figure denotes the version of the underlying operating system. 3 Security Policy. The security policy is described in section 5.1 of the ST as Role Based Access Control SFP and deals with the following subjects: Operator (Administrator, Registrant, or CE) and Communication Server (CS), who can perform the following operations. R: can see setting item's existence, can view its current value. W: can see setting item's existence, can change its value, but cannot necessarily
61. erefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques. Evaluation assurance level 6 (EAL6), semiformally verified design and tested: EAL6 permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high value assets against significant risks. EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs. Evaluation assurance level 7 (EAL7), formally verified design and tested: EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs. Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis. Strength of TOE security functions (AVA_SOF). AVA_SOF Strength of TOE security functions: Strength of function analysis addresses TOE security functions that are realised by a probabilistic or permutational mechanism (e.g. a password or hash function). Even if such functions cannot be
62. etrieve device information Interval time to retrieve device counter information Interval time to re retrieve device counter information Number of times to re retrieve device counter information Devices to repeat search HTTP and SNMP Devices to repeat search HTTP and SNMP Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 57 of 59 Other Network Connection settings Interval time to refresh device connection HTTP Interval time to refresh device connection SNMP Interval time to detect device warning SNMP Interval time to start repeat search function for devices HTTP and SNMP Interval time to start repeat search devices HTTP and SNMP Time lapse before devices are considered temporarily suspended HTTP and SNMP Time lapse before devices are considered suspended HTTP and SNMP RS 485 Connection parameters Interval time to refresh device connection RS 485 Time lapse before devices are considered temporarily suspended RS 485 Time lapse before devices are considered suspended RS 485 Time lapse before devices are considered disconnected RS 485 Device Management Connection Details Device retry parameters Interval times to retry HTTP SNMP RS 485 connections Numbers of times to retry HTTP SNMP RS 485 connections Device Management Registered Device List M R Device List parameters I IP address Device l
63. evant defined assets in chapter 3.1 between RC Gate and CS is protected, i.e. it is hard to analyse the information. O.CIPHER is achieved by FCS_COP.1, because this requirement ensures that communication data are encrypted by HTTPS or S/MIME. O.AC_AUDIT is achieved by FAU_GEN.1, FAU_GEN.2, FAU_SAR.1 (a) and FAU_STG.2, because those requirements ensure that the access log is recorded, is associated with operator identity, is reviewed by operators, and is guaranteed in terms of availability. O.COM_AUDIT is achieved by FAU_GEN.1, FAU_SAR.1 (a) and FAU_STG.2, because those requirements ensure that the communication log is recorded, is reviewed by operators, and is guaranteed in terms of availability. O.SYS_AUDIT is achieved by FAU_GEN.1, FAU_SAR.1 (b) and FAU_STG.2, because those requirements ensure that the system log is recorded, is reviewed by CE, and is guaranteed in terms of availability. OE.TIME is achieved by FPT_STM.1, because this requirement ensures that correct time stamp is provided for TOE. 8.2.2 Rationale for minimum strength of function level. To achieve O.OPE_I&A, identification and authentication (I&A) is needed for operators to access the TOE. Since the RC Gate is used in the relatively secure environment as described in OE.PHYSICAL, the TOE is just intended to protect the assets and to be protected itself against low potential attackers. Additionally, RC Gate manages only data from the image devices which are assets of only
64. export nor import information between CS For authentication of CS TSF uses the HTTPS mutual authentication mechanism FAU GEN 1 SF AUDIT TSF records 3 types of audit log access log communication log and system log The events listed in Table 7 are recorded to each audit log and the information listed in Table 9 are included in the records FAU GEN 2 SF AUDIT TSF records 3 types of audit log access log communication log and system log The events listed in Table 7 are recorded to each audit log and the information listed in Table 9 are included in the records Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 48 of 59 FAU SAR 1 a SF AUDIT The operator successfully authenticated by SF OPE I amp A is allowed to read access log and communication log Only CE successfully authenticated by SF OPE_I amp A is allowed to read system log They cannot modify those audit logs FAU_SAR 1 b SF AUDIT The operator successfully authenticated by SF OPE_I amp A is allowed to read access log and communication log Only CE successfully authenticated by SF OPE_I amp A is allowed to read system log They cannot modify those audit logs FAU_STG 2 SF AUDIT TSF records 3 types of audit log access log communication log and system log The events listed in Table 7 are recorded to each audit log and the information listed in Table 9 are included in the records When size of each audit
65. gh attack potential Subject An entity within the TSC that causes operations to be performed Target of Evaluation An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation TOE Security Functions A set consisting of all hardware software and firmware of the TOE that must be relied upon for the correct enforcement of the TSP TOE Security Policy A set of rules that regulate how assets are managed protected and distributed within a TOE TSF Scope of Control The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP 14 Bibliography AIS Application Notes and Interpretations of the Scheme AIS published by BSI CC Common Criteria for Information Technology Security Evaluation Version 2 2 January 2004 Part 1 Introduction and general model Part 2 Security functional requirements Part 3 Security assurance requirements CEM Common Methodology for Information Technology Security Evaluation Part 1 Introduction and general model version 0 6 revision 11 01 1997 Part 2 Evaluation Methodology Version 2 2 January 2004 ETR Evaluation Technical Report version 1 1 2005 09 16 T V Informationstechnik GmbH document number 20653678 TUViT 023 02 ST Security Target for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Version 1 0 2005 08 15 T ViT GmbH w Certification body w
66. gnment: SSL V3.1 and S/MIME specification. Dependencies (under consideration of final interpretation FI220): FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation; FCS_CKM.4 Cryptographic key destruction; FMT_MSA.2 Secure security attributes. Table 6: Cryptographic operations, algorithms, and key sizes (operation: algorithm, key size). Authentication and key exchange (HTTPS): RSA, 512 bits; SHA-1, N/A. Encryption and decryption (HTTPS): DES, 56 bits. Encryption (S/MIME): RSA, 512 bits; DES, 56 bits. Signature (S/MIME): RSA, 512 bits; SHA-1, N/A. Concerning Encryption and Signature for S/MIME, RFC 2311 (S/MIME Version 2 Message Specification) is supported. FIA_AFL.1 Authentication failure handling. Hierarchical to: No other components. FIA_AFL.1.1 The TSF shall detect when [selection, assignment: three] unsuccessful authentication attempts occur related to [assignment: consecutive presentations of a wrong password via RC Gate monitor]. FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [assignment: refuse to access via RC Gate monitor for one minute]. Dependencies: FIA_UAU.1 Timing of authentication. FIA_ATD.1 User attribute definition. Hierarchical to: N
67. Safety Information & Setup Guide, either European, North America or Asia version, 2005-06-22; Remote Communication Gate Type BN1/BM1 Operating Instructions, either European, North America or Asia version, 2005-07-01, available via Internet (URL given in above mentioned document); Remote Communication Gate Type BN1/BM1 (Machine Code: A768/A769) Service Manual, 2005-05-24, provided to customer engineer only. 7 IT Product Testing. The developer's strategy was to test the TOE against the specification of all security enforcing functions detailed in the functional specifications and in the high-level design. Furthermore, the developer's test cases were conducted with the goal to confirm that the TOE meets the security functional requirements. The test cases reported (approx. 80 different test cases / test steps): completely cover the security functions (altogether 6); correspond to the external interfaces (altogether 10) of the TOE defined in the functional specification; correspond also to the defined subsystems (altogether 7) as defined in the high-level design; and completely cover the 4 modules (chapt. 5) the TOE consists of. The developer specified, conducted, and documented suitable functional tests for the security functions. The test results obtained for all of the performed tests turned ou
68. im The TOE is conformant to ISO IEC 15408 2 1999 E The TOE is conformant to ISO IEC 15408 3 1999 E assurance level EAL3 There are no PPs claimed to which this ST is conformant Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 8 of 59 2 TOE Description 2 1 Product Type The product type of RC Gate listed in Table 1 is a communication box manufactured by Ricoh All of those product names are described in 1 1 ST Identification and detailed explanation about the products is described later Application software is installed in a trusted factory and assembled in another trusted factory Table 1 Product name and code of RC Gate Product name Destination Europe North America Remote Communication Gate Type BN1 A76827 A76817 Remote Communication Gate Type BM1 A76927 A76917 When the office network is connected to the Internet RC Gate uses this network to send and receive data from CS Typical network environment is as follows Figure 1 Network environment of RC Gate Type BN1 RS 485 stands for TIA EIA 485 1 Communication Server CS Information for various services will be sent to CS from RC Gate Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 9 of 59 2 Proxy Server and Firewall Security system for the network environment should be established 3 Image I O Devices managed via IP network RC Gate can manage image I O device
69. items E can execute a function can not see setting items existence can not view or change or the value of the setting item Dependencies FDP ACF 1 Security attribute based access control FDP ACF 1 Security attribute based access control Hierarchical to No other components FDP ACF 1 1 The TSF shall enforce the assignment RC Gate Operator Access Control Policy to objects based on the following assignment subjects operator or CS Objects setting items respectively assets as defined in chapter 3 1 Subject attributes operator ID and CS ID Communication method direct HTTPS dialup HTTPS SMTP Object attributes list of allowed operations FDP ACF 1 2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed assignment The operation is allowed according to the rules given in Table 4 Copyright c 2004 2005 Ricoh Company Ltd all rights reserved FDP ACF 1 3 FDP ACF 1 4 Dependencies Page 24 of 59 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules assignment none The TSF shall explicitly deny access of subjects to objects based on the assignment no additional rules FDP ACC 1 Subset access control FMT MSA 3 Static attribute initialization R W A 7 Table 4 Setting items and allowed operations can see setting
70. Table 10: Correspondence between security needs and security objectives; Table 11: Correspondence between security objectives and functional requirements; Table 12: Correspondence between functional requirements and security functions; Table 13: Corresponding description of security functions; Table 14: Correspondence between assurance requirements and assurance measures; Table 15: Relations between grouped items and detailed item. 1 ST Introduction. 1.1 ST Identification. Title: Security Target for Remote Communication Gate Type BN1, Remote Communication Gate Type BM1. Version: 1.0. Date: 2005-08-15. Author: Hiroshi KAKII, Atsushi SATOH, Tomoaki ENOKIDA, Masahiro ITOH, Chitose MIURA, Haruyuki HIRABAYASHI, Jun SATOH, Ricoh Company, Ltd. Product: Remote Communication Gate Type BN1, Remote Communication Gate Type BM1. (Note: Hereafter, these products are called with a generic name RC Gate.) TOE: Software module of RC Gate V3.18. CC used: ISO/IEC 15408:1999(E). Furthermore, all relevant final interpretations until creation of this documentation were also considered. Keywords: Remote service, copier, printer, network
71. l parameters 2 Communication Server E mail address RC Gate admin s E mail address Number of times to resend E mail Resend E mail interval time Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 55 of 59 SMTP server parameters I SMTP server address SMTP server port SMTP user name SMTP server parameters 2 SMTP AUTH flag SMTP AUTH method authentication SMTP password SMTP password POP server parameters 1 POP server address POP server port POP user name POP server parameters 2 POP before SMTP flag Wait time after authentication POP password POP password RC Gate Settings Communication Method Communication method Communication method Internet connection method Internet connection method Other communication method parameters Communication server address Interval time to Sleep shift Interval time to Sleep return detection Interval time to retry HTTP connection Number of times to retry HTTP connection HTTP transmitting delay connection demand HTTP connection timeout HTTP transmitting timeout HTTP receiving timeout Interval time to retry HTTP GET POST Number of times to retry HTTP GET POST RC Gate Settings Net Connection Settings Connection Details Internet connection method Internet connection method Proxy password Proxy password Proxy server parame
72. low assignment everybody to read the RC Gate version and Licenses and to select language and operator list via RC Gate monitor on behalf of the user to be performed before the user is identified FIA UID 1 2 The TSF shall require each user to be successfully identified before allowing any other TSF mediated actions on behalf of that user Dependencies No dependencies FMT MTD 1 Management of TSF data Hierarchical to No other components FMT MTD 1 1 The TSF shall restrict the ability to selection modify the assignment passwords to assignment Administrator Registrant and CE Dependencies FMT SMF 1 Specification of Management Functions FMT_SMR 1 Security roles Notes Each operator has his her own password FMT SMF 1 Specification of Management Functions Hierarchical to No other components FMT SMF 1 1 The TSF shall be capable of performing the following security management functions assignment function to modify operator s password Dependencies No Dependencies FMT SMR 1 Security roles Hierarchical to No other components FMT_SMR 1 1 The TSF shall maintain the roles assignment operator Administrator Registrant and CE CS FMT SMR 1 2 The TSF shall be able to associate users with roles Dependencies FIA_UID 1 Timing of identification FAU GEN 1 Audit data generation Hierarchical to No other components FAU GEN 1 1 The TSF shall be able to generate an audit record of the following auditabl
73. main board and modem board Modem board has the interfaces for telephone line The hardware specification of RC Gate Type BN1 and BMI is shown as follows CPU Correspond to TX4925XB 200 ROM 4MB RAM 64MB SD memory card 32MB NIC 1OBASE T 100Base TX Front Indication Green LED indicates power supply Orange LED indicates communication status and Red LED indicates system status LAN Indication Orange LED indicates communication speed e g 100 10Mbps and Green LED indicates link status Software part of RC Gate Type BNI and BM1 consists of application software and its Operation System OS Between Type BN1 and BMI there is no difference in software component TOE is the application software module of RC Gate OS is out of TOE 2 5 Logical boundary of the TOE RC Gate consists of hardware and software parts The software part consists of OS DBMS Communication Management Module Device Management Module Log Management Module Web Management Module CS Management Module and SMTP Communication Module The OS is embedded Linux operating system Hereafter RC Gate OS OS DBMS Communication Management Module and SMTP Communication Module are out of the TOE Optional wireless LAN card can be attached to RC Gate but the wireless option is out of the TOE SD memory card sockets and Flash Memory are embedded on the main hardware board Communication Management Module is the main controller of communication which
74. munication takes place RC Gate exports and imports encrypted information when HTTPS method is selected and exports encrypted E mail information to CS when SMTP method is selected Additionally RC Gate records three types of audit log access log communication log and system log RC Gate consists of the main board with CPU flash memory LAN Ethernet circuit RS485 and the interface of power supply RC Gate type BM1 differs from BN1 by an additional modem board which provides an interface to the telephone line Optional wireless LAN card can be attached to RC Gate but the wireless option is out of scope of the TOE The software part of the RC Gate consists of e embedded Linux operating system RC Gate OS V1 11 based on MontaVista Linux out of scope of the TOE e Data Base Management System DBMS out of scope of the TOE e Communication Management Module out of scope of the TOE e SMTP Communication Module out of scope of the TOE e as well as the software parts of the TOE o Device Management Module o Log Management Module o Web Management Module and o CS Management Module T ViT GmbH w Certification body w LangemarckstraBe 20 D 45121 Essen Germany B 3 Certification file TUVIT DSZ CC 9240 2005 TuVif Certification report Software Module of RC Gate version 3 18 U i j 2005 09 26 The sponsor vendor and distributor is Ricoh Company Ltd 1 3 6 Nakamagome Ohta ku Tokyo 143 8555 Japan The
75. nd certification. 1 The Certificate. The Certification Body of TÜV Informationstechnik GmbH hereby certifies that for Ricoh's remote communication unit the Software Module Version 3.18 of Remote Communication Gate Type BN1 and Remote Communication Gate Type BM1 of Ricoh Company Ltd., Tokyo, Japan has been evaluated at an anccdithd and an cenfapzoz4 mal ier fAslitv us 3 chm Gammon Mednocelcoy for MH Secety braan HEM Pat 1 Verset 9 5 and CSIR Pat Werstor 7 0 to ounkam as te bis Camna Gaia for IT Secunty Evaluation CC Version 2 1 SOMES 15398 1990 and indudi 3 final intaprelations for conpliance wich Common Capo Versier 2 2 and Common Methacocgy Par Verman 2 2 wilh ite Aloe ng resa ts SECURITY FUNCTIONALITY: Product specific Security Target, Common Criteria part 2 conformant. ASSURANCE PACKAGE: Common Criteria part 3 conformant, EAL 3. his catincst gt app es cnl bu the specilic asion and releese c tre p due n is evaluabed contiquration and vonjuneio wih ths ovrplate setificatis1 report The som T Sisters and stipulations in the verlifissl Lat epul mest be erperled The evaluclien kes bees Gursusled in ecoordarce wilt Uie pravis ans of ihe cenMestia scheme of TUY Infe
76. 2.4 Physical boundary of the TOE; 2.5 Logical boundary of the TOE; 2.6 Definition of Specific Terms; 3 TOE Security Environment; 3.1 Subjects And Assets; 3.2 Assumptions; 3.3 Threats; 3.4 Organisational Security Policies; 4 Security Objectives; 4.1 Security Objectives for the TOE; 4.2 Security Objectives for the Environment; 4.2.1 Security objectives for the IT environment; 4.2.2 Security objectives for the non I
77. nstallation, Generation and Start-up; MFP: Multifunctional Printer; OSP: Organisational Security Policy; PP: Protection Profile; SAR: Security Assurance Requirement; SF: Security Function; SFP: Security Function Policy; SFR: Security Functional Requirement; SIF: Sub-interface; SOF: Strength of Function; SS: Sub-system; SSL: Secure Sockets Layer; ST: Security Target; TOE: Target Of Evaluation; TSC: TSF Scope of Control; TSF: TOE Security Functions; TSFI: TOE Security Function Interfaces; TSP: TOE Security Policy; USR: User Guidance; VLA: Vulnerability Analysis. 13.2 Glossary. Augmentation: The addition of one or more assurance component(s) from Part 3 to an EAL or assurance package. Extension: The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC. Formal: Expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts. Informal: Expressed in natural language. Object: An entity within the TSC that contains or receives information and upon which subjects perform operations. Protection Profile: An implementation-independent set of security requirements for a category of TOEs that meet specific
78. o more than one component of each assurance family and all assurance dependencies of every component are addressed. While the EALs are defined in the CC, it is possible to represent other combinations of assurance. Specifically, the notion of "augmentation" allows the addition of assurance components (from assurance families not already included in the EAL) or the substitution of assurance components (with another hierarchically higher assurance component in the same assurance family) to an EAL. Of the assurance constructs defined in the CC, only EALs may be augmented. The notion of an "EAL minus a constituent assurance component" is not recognised by the CC as a valid claim. Augmentation carries with it the obligation on the part of the claimant to justify the utility and added value of the added assurance component to the EAL. An EAL may also be extended with explicitly stated assurance requirements. Assurance Class | Assurance Family | Assurance components by Evaluation Assurance Level: EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7. Configuration Management: ACM_AUT 1 1 2 2; ACM_CAP 1 2 3 4 4 5 5; ACM_SCP 1 2 3 3 3. Delivery and ADO_DEL 1 1 2
79. o other components. FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: operator identity Administrator, Registrant and CE]. Dependencies: No dependencies. FIA_SOS.1 Verification of secrets. Hierarchical to: No other components. FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: the following: the password has to be at least 8 and at most 13 characters long]. Dependencies: No dependencies. FIA_UAU.1 Timing of authentication. Hierarchical to: No other components. FIA_UAU.1.1 The TSF shall allow [assignment: everybody to read the RC Gate version and Licenses and to select language and operator list via RC Gate monitor] on behalf of the user to be performed before the user is authenticated. FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. Dependencies: FIA_UID.1 Timing of identification. FIA_UAU.7 Protected authentication feedback. Hierarchical to: No other components. FIA_UAU.7.1 The TSF shall provide only [assignment: asterisks] to the user while the authentication is in progress. Dependencies: FIA_UAU.1 Timing of authentication. FIA_UID.1 Timing of identification. Hierarchical to: No other components. Copyright (c) 2004 2005 Ricoh Company Ltd, all rights reserved. Page 31 of 59. FIA_UID.1.1 The TSF shall al
80. ocation Supply ordering person's E-mail address Device name Device name SNMP community name SNMP community name M R Device List parameters 2 Machine ID Model name MAC address Connection Type Meter Reading Date Time Device ID RS 485 Status Method to assign IP address Method to assign IP address Machine address administrators E mail M R Device List parameters 3 Machine administrator's E-mail address Service depot Service depot contact Supply order from Supply order phone No Device Management Notify Device Management Notify parameters SC CC MC Alarm Supply Device Management Update Device Firmware Maintenance Restart RC Gate Device Firmware parameters 1 Schedule Period URL for firmware download Message Device Firmware functions Update button Previous Update Details button Object devices list Object devices list Device Firmware parameters 2 Maintenance Restart function Device ID Update Status Update date time Update Result Restart function Maintenance Communication Server Calls Service Test Call Service Test Call function Service Test Call function CS Test Call Log Log Maintenance Communication Server Calls Device Check Req Call Maintenance Restore
81. of the assurance components are also assessed with PASS. Therefore the TOE as defined in the security target is considered to be Part 3 conformant. The security target (chapter 5) claims that the TOE will fulfil the following TOE security functional requirements, which were exclusively taken from CC part 2 (Component ID: Component title): FAU_GEN.1: Audit data generation; FAU_GEN.2: User identity association; FAU_SAR.1.a: Audit review; FAU_SAR.1.b: Audit review; FAU_STG.2: Guarantees of audit data availability; FCS_COP.1: Cryptographic operations; FDP_ACC.1: Subset access control; FDP_ACF.1: Security attribute based access control; FDP_ITC.1: Import of user data without security attributes; FIA_AFL.1: Authentication failure handling; FIA_ATD.1: User attribute definition; FIA_SOS.1: Verification of secrets; FIA_UAU.1: Timing of authentication; FIA_UAU.7: Protected authentication feedback; FIA_UID.1: Timing of identification; FMT_MTD.1: Management of TSF data; FMT_SMF.1: Specification of Management Functions; FMT_SMR.1: Security roles; FPT_STM.1: Reliable time stamps; FTP_ITC.1: Inter-TSF trusted channel
82. office security. 1.2 ST Overview. This Security Target (ST) describes the security specification of software module of the Remote Communication Gate (RC Gate). RC Gate is used mainly in business office and acts as a relay unit to which the user's image I/O devices (e.g. Copiers, Multi-Functional Printers) are connected. RC Gate collects data on mentioned devices connected to it through the LAN or directly. Collected data are received by a trusted management server via Internet or telephone line (Dial-up PPP connection). The trusted management server is called Communication Server (CS). The TOE is the Software module of RC Gate and provides the following security features: prevention of unauthorized disclosure and modification of the information on the inner memory of RC Gate; prevention of unauthorised disclosure and modification of the information via internet/intranet and/or telephone line; prevention of receiving/sending information from/to a non-authorized CS. There are three broad features of this system; an overview of the involved components/systems is shown by the following figure 1. (Footnote 1: System means here the configuration of elements in the network with RC Gate as a central element.) 1. Reduced Image I/O device Downtime: Image I/O device downtime is dramatically reduced through remote maintenance. Specifically, remote maintenance cut
83. om several corresponding detailed items. Table 15 shows the relations between grouped items and corresponding detailed items. Table 15: Relations between grouped items and detailed item. Category Grouped item Detailed item RC Gate Settings Basic RC Gate Setting Basic parameters 1 RC Gate ID Model name Application version OS version RC Gate Setting Basic parameters 2 RC Gate location Application last updated OS last updated Service depot Service depot contact Language Language Time zone Time zone RC Gate Setting Basic parameters 3 Log max capacity Log collection level Auth key version Auth key version RC Gate Settings Date Time Date Time Date Time RC Gate Settings Network Maintenance Port IP address IP address Other Maintenance Port parameters MAC address Subnet Mask LAN Port MAC address Other LAN Port parameters DNS server parameters MAC address DHCP IP address Subnet mask Default gateway address Ethernet speed Main DNS server Sub DNS server RC Gate Settings E mail Send Test E mail Send Test E mail function E mail parameters 1 RC Gate E mail address sender RC Gate E mail address receiver for for Communication Server E mail address RC Gate admin s E mail address E mai
84. on secure usage are detailed in the ST, which is attached as part D of this certification report. 1.8 Independence of the Certifier. Within the last two years the certifier did not render any consulting or other services for the company ordering the certification, and there was no relationship between them which might have an influence on his assessment. The certifier did not participate at any time in test procedures for the product which forms the basis of the certification. 1.9 Disclaimers. The certification results only apply to the version of the product indicated in the certificate and on the condition that all the stipulations are kept with regard to generation, configuration and operation as detailed in this certification report. This certificate is not an endorsement of the IT product by the TÜV Informationstechnik GmbH or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by TÜV Informationstechnik GmbH or any other organisation that recognises or gives effect to this certificate is either expressed or implied. 2 Identification of the TOE. Beside guidance documentation (see chapter 6), the RC Gate box with preinstalled operating system and TOE are deliv
85. onents. FAU_SAR.1.a.1 The TSF shall provide [assignment: Administrator, Registrant and CE] with the capability to read [assignment: communication and access log] from the audit records. FAU_SAR.1.a.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. Dependencies: FAU_GEN.1 Audit data generation. FAU_SAR.1.b Audit review. Hierarchical to: No other components. FAU_SAR.1.b.1 The TSF shall provide [assignment: CE, CS] with the capability to read [assignment: system log] from the audit records. FAU_SAR.1.b.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. Dependencies: FAU_GEN.1 Audit data generation. FAU_STG.2 Guarantees of audit data availability. Hierarchical to: FAU_STG.1. FAU_STG.2.1 The TSF shall protect the stored audit records from unauthorized deletion. FAU_STG.2.2 The TSF shall be able to [selection: prevent] modifications to the audit records. FAU_STG.2.3 The TSF shall ensure that [assignment: 64k bytes latest] audit records will be maintained when the following conditions occur: [selection: audit storage exhaustion]. Dependencies: FAU_GEN.1 Audit data generation. 5.2 Minimum Strength of Function Claim. The minimum strength level claimed for the TOE is SOF-Basic. 5.3 TOE Security Assurance Requirements. The a
86. onsible company and persons. 4.3 Clarification of Scope. Access to RC Gate via the web interface is not necessarily located within the customer/end user network. It is up to the customer to prevent such access from the internet and to have administration locally. 5 Architectural Information. The TOE consists of the following modules: CS Management Module, Device Management Module, Log Management Module, Web Management Module. CS Management module performs CS identification and data exchange. Cryptographic function is included in this module. Certificates are read via Web Management Module. Device Management Module manages laser printers and multifunctional printers. Main function of this module is collecting information of these devices. Log Management Module provides log management function. Each module, such as CS, Web and Device Management Module, sends the logging event to Log Management Module. This module reads system time from OS to create audit event. Log files are saved in SD memory. The Web Management Module provides the Web interface and performs operator identification and authentication. Flash memory is used for storing certificates; these certificates are read by Web Management Module when RC Gate starts up. 6 Documentation. The following documentation is provided with the product by the developer to the consumer:
87. overage (ACM_SCP.1): PASS. Delivery and operation (CC Class ADO): PASS; Delivery procedures (ADO_DEL.1): PASS; Installation, generation and start-up procedures (ADO_IGS.1): PASS. Development (CC Class ADV): PASS; Informal functional specification (ADV_FSP.1): PASS; Security enforcing high-level design (ADV_HLD.2): PASS; Informal correspondence demonstration (ADV_RCR.1): PASS. Guidance documents (CC Class AGD): PASS (n.a.: not applicable); Administrator guidance (AGD_ADM.1): PASS; User guidance (AGD_USR.1): PASS. Life cycle support (CC Class ALC): PASS; Identification of security measures (ALC_DVS.1): PASS. Tests (CC Class ATE): PASS; Analysis of coverage (ATE_COV.2): PASS; Testing: high-level design (ATE_DPT.1): PASS; Functional testing (ATE_FUN.1): PASS; Independent testing, sample (ATE_IND.2): PASS. Vulnerability assessment (CC Class AVA): PASS; Examination of guidance (AVA_MSU.1): PASS; Strength of TOE security function evaluation (AVA_SOF.1): PASS; Developer vulnerability analysis (AVA_VLA.1): PASS. No Protection Profile (PP) compliance claims were made in the ST. Thus the component ASE_PPC.1 is not applicable. All other assurance components were assessed with the verdict PASS. This includes that all evaluator action elements being part
88. r will keep his/her password secret. A ADMIN: It is assumed that both Administrator and Registrant are trusted. The user administrator and registrant can be trusted. Administrator and registrant may be same person. He/She reads the user's documentations (Set-up Guide and Operating Instructions) thoroughly, responds appropriately to RC Gate. He/She can set and change the configuration of RC Gate. Furthermore, the administrator and/or registrant will keep his/her password secret. A CS: It is assumed that Communication Server is properly managed by responsible company and persons. The communication server is trusted. Responsible persons shall manage CS properly. 3.3 Threats. In this section the threats that will be countered by the TOE or its environment are identified and described. T WEB; T CS COMM; T CS MAIL; T FAKE CS. Assets in RC Gate may be read, modified or destroyed by employees or external attackers. The assets inside RC Gate as defined could be attacked through web interface by an employee and/or an attacker, especially by attack attempts from intranet and/or internet. Leakage of or tampering with information at Internet or telephone line when RC Gate communicates CS directly. An attacker may disclose and/or modify the data (relevant assets as defined in chapter 3.1 before) which are sent/received between RC Gate and CS via
89. rations as specified stated in ST Table 4 after a successful authentication. If the authentication is failed, the information are not exported nor imported. SF CS SMIME: TSF can export information listed in Table 4 and Table 5 to CS by E-Mail. When TSF export information to CS by using E-Mail, TSF encrypts E-Mail message by S/MIME. TSF encrypts the message by the public key of CS to prevent other than CS to read the message. SF AUDIT: TSF records 3 types of audit log: access log, communication log and system log. The events listed in Table 7 are recorded to each audit log and the information listed in Table 9 are included in the records. When size of each audit log exceeds 64 Kbytes, the oldest record is overwritten with new record. The operator successfully authenticated by SF OPE I&A is allowed to read access log and communication log. Only CE successfully authenticated by SF OPE I&A is allowed to read system log. They cannot modify those audit logs. Table 9: Information included in the audit records (Type of audit log: Content). Access log: date and time, terminal IP address, operator name, result of login. Communication log: date and time, IP address of CS or image I/O device, send or receive, content of sent/received information. System log: audit level, date and time, function name PPP Dial up CGI Web SMTP E Mail DBMS Da
90. rmatcnstechnk ST7 4 and the 6516 Lzlors of the evaluation zsilky Ir tee svelLatlon technica reat are eansieerr v tth the evidence adduced he sezurty verge against heh tie product ras cesen avaluated 13 pan c he cerbticaten report Ihe rating ol the etre gt ot 2nyptozraph 2 m echar sms suitzble tor enay ier ant decryctior 18 excuder am the recogr tion bv Bol A copy c t e cert este are otis certificat on reontis avs lable trom he araduet Manutacturer or am Neve tinsecior boc y This catificata ie nel an e doreariant of tie I7 procust by TUY for alionetezhrk Grib or by any xha orgarisation ihat 30071 see ar giv effec to tiis Jarticats a73 no warranty 9 the T product by TU Informaticnetechni SOsH er zy 37y 37a orgarisatia1 that recogniess or gives stas E this cert ficate is elther expressed or Implied Certit cate Regist stior Ne Essen 2005 09 26 sin Dr Grusclrertz Up I bS2 CC 82410 2005 Cui lilicslior Budy TUY In zmiattonebechni GrEF member of TUS KJR Z HY201 A 100 H 4139201 GE sroup Laigematkarets 20 4511 Essen GETTY O keut Of eav certvt ce AGENT 08 1H amp rurry Larmia Sunder DAR redgsetaha is ra 101 En ACIE by Ecutzche kkrrdtieunasste le Technik c v DAT sch
91. rted information. Furthermore, CS is able to perform the allowed operations as specified stated in ST table 4 after a successful authentication. TSF can export information listed in ST Table 5 to CS by E-Mail. When TSF export information to CS by using E-Mail, TSF encrypts E-Mail message by S/MIME. TSF encrypts the message by the public key of CS to prevent other than CS to read the message. TSF records 3 types of audit log: access log, communication log and system log. The events listed in Table 7 (ST) are recorded to each audit log and the information listed in ST Table 9 are included in the records. When size of each audit log exceeds 64 Kbytes, the oldest record is overwritten with new record. The operator successfully authenticated by SF OPE_I&A is allowed to read access log and communication log. Only CE successfully authenticated by SF OPE_I&A is allowed to read system log. They cannot modify those audit logs. 1.5 Summary of Threats and Organisational Security Policies (OSPs). The assets the TOE intends to protect are: Certificates for RC Gate; Passwords for each operator; Audit logs; Setting information for RC Gate; Collected information of image I/O devices; Firmware to update image I/O device.
92. ry parameters mE R R mE RW RW Device Management Registered Device List M R Device List RW RW RW RW RW RW RW RW parameters 1 Device name R R LE RW RW rim RW RW aoe RW RW So SNMP community name R Re SES RW RW ziii TRE R DE RW RW Aem M R Device List R R R R R R R R parameters 2 M R Device List R R R R R R RW RW parameters 3 Method to assign IP RW RW RW RW RW RW address Machine administrator s i RW RW RW RW w w RW RW E mail address M R Device List R R R R RW RW RW RW parameters 4 Setting items Allowed operations for each operator and access method Administrator Registrant CE CS direct dialup direct dialup direct dialup direct dialup SMTP SMTP SMTP SMTP HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS Device Management Notify Device Management Notify R R RW RW parameters
93. s RC Gate must be always connected to a UPS (uninterruptible power supply) system to prevent the log files from getting lost by a power cut. One week's logs are lost at worst case scenario. Before power down (deactivation) of RC Gate, please log on as registrant and perform a restart procedure by clicking Restart button on RC Gate monitor to save latest logs. After a short time the yellow and green LEDs come to remain lit; then you can shut off the power supply. 11 Certification stipulations and notes. The hints given to the end user/customer referenced in chap. 10 shall be taken into account in operating RC Gate. 12 Security Target. The security target for Software Module of RC Gate version 3.18 as of 2005-08-15, version 1.0, is included in part D of this certification report. 13 Definitions. 13.1 Acronyms. ADM: Administrator Guidance; CC: Common Criteria for Information Technology Security Evaluation (referenced to as CC); CE: Customer Engineer; CEM: Common Methodology for Information Technology Security Evaluation (referenced to as CEM); CM: Configuration Management; EAL: Evaluation Assurance Level; FSP: Functional Specification; HLD: High-level Design; IF: Interface; IGS: I
94. s and laser printers which support MIB information or Ricoh's remote service. 4 PC for Administration: Communication between RC Gate and RC Gate Monitor is based on the https protocol. Note: The so-called RC Gate Monitor is a web-based access which is not necessarily located within the customer/end user network (protected intranet). 5 This Equipment (Remote Communication Gate Type BN1): Various pieces of information of the image I/O devices managed by RC Gate are sent to CS. There are two communication methods between RC Gate and CS: 1. HTTPS method exchanges messages between CS as the HTTPS server and RC Gate as the HTTPS client. 2. SMTP method sends messages from RC Gate toward CS via SMTP server. 6 The Image I/O Devices managed via serial communication bus (TIA/EIA-485): Image I/O devices manufactured by Ricoh can also be managed by directly connecting them to RC Gate with the serial modular cable. A maximum of five image I/O devices can be connected to one RC Gate. If the office network environment cannot access the Internet directly, RC Gate can communicate with CS using a modem type (Type BM1). Here this is called Dial-up. For the Dial-up, facsimile line or telephone line prepared for RC Gate can be used. Figure 2: Network environment of RC Gate Type BM1. (Footnote: RS-485 stands for TIA/EIA-485.) 1 Communication Server: Information
95. s downtime by sending service calls automatically to Ricoh's service technician. In addition, to further cut on time and expense, many upgrades (firmware etc.) can be performed remotely too; services only made possible through connection to the Internet. This means customers/end users can operate without worrying about incomplete jobs or being tied to maintenance or repairs; companies are freed from time-consuming duties and additional downtime expense. 2. Automated Counter Checking: Remote counter monitoring means the user no longer has to manually report counter figures. This system offers an improvement in the form of remote automated counter checking. This system allows billing to be better timed. User workload is reduced, and so too the previously inevitable billing mistakes, red tape routine and associated complications. 3. Ordering Supplies (toner etc.): Remote system notifies remaining amount of supplies like toner to CS; image I/O device downtime is reduced and the user no longer has to worry about re-order telephone calls, forgotten stock supply control and so on, now that monitoring and dispatch is fully user-independent. Therefore RC Gate becomes a significant device in this system, as the information between the user image I/O devices and CS shall be stringently correct. For example, wrongheaded image I/O device information shall bring some wrongheaded accounting or service for users. 1.3 ISO/IEC 15408 Conformance Cla
96. s to manually report counter figure. This mode supports identification of the machine maintained and gets correct counters of that machine. This system (system overview is shown by figure 1 and 2) offers an improvement in the form of remote automated counter checking. This system allows billing to be better timed. User workload is reduced, and so too the previously inevitable billing mistakes, red tape routine and associated complications. Remote system provides toner remaining amount data to our service company; image I/O device downtime is reduced as the user no longer has to worry about re-order telephone calls, forgotten stock supply control and so on, now that monitoring and dispatch is fully user-independent. RC Gate becomes a significant device in this system, as the information between the user image I/O devices and the server shall be stringently correct. For example, a wrongheaded image I/O device information shall bring some wrongheaded accounting or service for our customers. 2.4 Physical boundary of the TOE. RC Gate acts as an intermediary between the image I/O device and CS (e.g. intermediation network communication appliance). It is used mostly in general LAN-constructed office. Common hardware part of RC Gate is main board on which CPU, Flash memory, LAN (Ethernet) circuit, RS485 and the interface of power supply. RC Gate type BM1 consists of
97. secutive times, TSF reject identification and authentication for one minute. The operator (Administrator, Registrant and CE) can change his own password. The length of new password should be at least 8 and at most 13 characters. If the length of the new password is not in the range, the new password is rejected. SF OPE_AC: TSF controls operations performed by the operator based on the operator's identification information and method to communicate with CS. When direct HTTPS method, dialup HTTPS method or SMTP method is used to communicate with CS, operators can access to the information based on ST Table 4. (Footnote 3: hereinafter called ST.) SF CS_I&A; SF CS_HTTPS; SF CS_SMIME; SF AUDIT. TSF identifies and authenticates CS before communicates with CS by HTTPS. When the identification and authentication is succeeded, it is allowed to export or import information to/from CS. For authentication of CS, TSF uses the HTTPS mutual authentication mechanism. TSF can export and import information listed in ST Table 5 to/from CS by using HTTPS protocol. TSF authenticates CS before export or import information. When CS is successfully authenticated, TSF encrypts the information to export and decrypts the impo
98. Setting items Allowed operations for each operator and access method Administrator Registrant CE CS direct dialup direct dialup direct dialup direct dialup SMTP SMTP SMTP SMTP HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS Modem parameters SaaS e epu cs m RW Tr ipi RW zs Auto Discovery Auto Discovery Settings Auto Discovery permit RW RW RW RW mE m mE Er Auto Discovery server J e qe R R RW RW address Max E mail size Er RW RW R Auto Discovery start schedule RW RW RW RW RW RW RW RW RW RW RW SNMP community name Auto Discovery Range ARW ARW ARW ARW ARW ARW ARW ARW ARW reke aves EE parameters Device Management Common management Information Retrieval R R R R R R RW RW settings Devices to repeat search RW RW RW RW RW RW HTTP and SNMP Other Network Connection R R R R RW RW settings RS 485 Connection R R R R RW RW parameters Device Management Connection Details Device ret
99. ssurance components for the TOE are shown in Table 8. It is the set of components defined by the evaluation assurance level EAL3, and no other requirements have been augmented.
Table 8: TOE security assurance requirements (EAL3)
Assurance Class: Assurance Component
- Security Target: ASE_DES.1 TOE description; ASE_ENV.1 Security environment; ASE_INT.1 ST introduction; ASE_OBJ.1 Security objectives; ASE_PPC.1 PP claims; ASE_REQ.1 IT security requirements; ASE_SRE.1 Explicitly stated IT security requirements; ASE_TSS.1 TOE summary specification
- Configuration Management: ACM_CAP.3 Authorisation controls; ACM_SCP.1 TOE CM coverage
- Delivery and operation: ADO_DEL.1 Delivery procedures; ADO_IGS.1 Installation, generation and start-up procedures
- Development: ADV_FSP.1 Informal functional specification; ADV_HLD.2 Security enforcing high-level design; ADV_RCR.1 Informal correspondence demonstration
- Guidance documents: AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance
- Life cycle support: ALC_DVS.1 Identification of security measures
- Tests: ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: high-level design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing (sample)
- Vulnerability assessment: AVA_MSU.1 Examination of guidance; AVA_SOF.1 Strength of TOE s
100. ssurance requirements not in Part 3. Additionally, the conformance result may include a statement made with respect to sets of defined requirements, in which case it consists of one of the following:
- Package name Conformant: A PP or TOE is conformant to a pre-defined named functional and/or assurance package (e.g. EAL) if the requirements (functions or assurance) include all components in the packages listed as part of the conformance result.
- Package name Augmented: A PP or TOE is an augmentation of a pre-defined named functional and/or assurance package (e.g. EAL) if the requirements (functions or assurance) are a proper superset of all components in the packages listed as part of the conformance result.
Finally, the conformance result may also include a statement made with respect to Protection Profiles, in which case it includes the following:
- PP Conformant: A TOE meets specific PP(s), which are listed as part of the conformance result.
CC Part 3: Assurance categorisation
The assurance classes, families and the abbreviation for each family are shown in Table 1.
Assurance Class / Assurance Family / Abbreviated Name
Class
101. strant and CE. Therefore illegal communication can be detected by analysing this log.
O.SYS_AUDIT: TOE must ensure that system information shall be logged. When RC Gate is running, system information must be logged. Therefore CE can analyse the information in case of a software accident. Audit data are only readable by CE and CS.
Copyright (c) 2004, 2005 Ricoh Company, Ltd., all rights reserved.
4.2 Security Objectives for the Environment
In the following, "responsible persons" refers to operators.
4.2.1 Security objectives for the IT environment
OE.TIME: Responsible persons who should watch RC Gate working correctly will keep correct time for RC Gate. Responsible persons should watch that RC Gate is working correctly and well regarding the presented/used time. Audit logs which will be created are using this time.
4.2.2 Security objectives for the non-IT environment
In this section the security objectives of the non-IT environment that cover the aspects of the assumptions described in section 3
OE.PHYSICAL, OE.DEVICE, OE.NETWORK, OE.CE
The TOE and assets are physically protected. Responsible persons should set the RC Gate in a stable place so that an accessible user with evil intent cannot access RC Gate physically, and confirm that they are working correctly.
Responsible persons shall watch the image I/O device working correctly. Responsible persons who should watch the image I/O de
102. t to be as expected. No errors or other flaws occurred with regard to the security functionalities and the TOE subsystems. Consequently, the test results demonstrate that the behaviour of the security functions is as specified.
The evaluator's independent testing as well as penetration tests were partly performed in the developer's testing environment and partly at TÜViT GmbH, information security department, in Essen. The same platforms and tools as for the developer tests were used. The evaluator's objective regarding this aspect was to test the functionality of the TOE as described in the functional specifications and the high-level design and to verify the developer's test results. The evaluator's sample of developer tests covers all TSF. The results of the specified and conducted independent evaluator tests confirm the TOE functionality. The TOE security functions were found to behave as specified.
Penetration testing has been conducted by repeating 19 developer tests and 39 evaluator tests, including independent penetration and confirmation tests of non-exploitability of vulnerabilities. The penetration testing conducted confirms that all the obvious vulnerabilities were considered and that the vulnerabilities iden
103. tabase error code description
6.2 Strength of Function Claims
The security functions realised by probabilistic or permutational mechanisms are SF.OPE_I&A, SF.CS_I&A, SF.CS_HTTPS and SF.CS_SMIME. Three of those (SF.CS_I&A, SF.CS_HTTPS and SF.CS_SMIME) are realised only by cryptographic mechanisms, so those three functions are excluded from the SOF rating. The target of the SOF rating is only SF.OPE_I&A. The strength of function level for the function is SOF-Basic.
6.3 Assurance Measures
The following documents are provided as the assurance measures:
- Security Target for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Security Functional Specification for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- High-level Design for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Correspondence Analysis for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Setup Guide Operating Instructions, Version 1.0, 2005-08-15
- Security Test Documentation for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Strength of Function Anal
104. te Communication Gate Type BM1 Safety Information and Setup Guide, Version A768 8603A A768 8605A, 2005-06-22
Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Operating Instructions, Version A768 8604A A768 8606A, 2005-07-01
Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 CS developer's Guidance, Version 1.00, 2005-03-25
Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Image I/O device developer's Guidance, Version 1.00, 2005-03-25
Assurance Class / Assurance Component / Assurance Measure
- ALC (Life cycle support). ALC_DVS.1: Development Security Plan for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- ATE (Tests). ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2: Security Test Documentation for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- AVA (Vulnerability assessment). AVA_MSU.1: Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Setup Guide Operating Instructions, Version 1.0, 2005-08-15. AVA_SOF.1: Strength of Function Analysis for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15. AVA_VLA: Vulnerability Analysis for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0 20
105. ters Proxy server Proxy address Proxy port Proxy user name RC Gate Settings Net Connection Settings Dial up Dial up internet connection method Internet connection method Access point parameters 1 Access point select RC Gate phone No Line connection Copyright c 2004 2005 Ricoh Company Ltd all rights reserved Page 56 of 59 Access point text Access point text Dialing Line Settings Dialing Line parameters Pulse Tone dialing line Outside access No Modem Settings Modem parameters Dial up authentication method Dial up User name Dial up Password Connection timeout Number of times to re dial Interval time to re dial Number of times to retry callback AT command Ring count Timers Tl to T7 IT Pattern Timer for a fax on hook at call back Auto Discovery Auto Discovery Settings Auto Discovery Auto Discovery Auto Discovery permit Permit setting of Auto Discovery from Communication Server Auto Discovery Settings Auto Discovery server address Auto Discovery server address Max E mail size Max E mail size Auto Discovery Range parameters Range Subnet Mask Discovery Range Name Comment Device Management Common management Information Retrieval settings Interval time to retrieve device information Interval time to re retrieve device information Number of times to re r
106. tified are non-exploitable by attackers with low attack potential in the intended operational environment of the TOE, if taking into consideration all the measures the user is informed about.
8 Evaluated Configuration
The TOE is delivered in one fixed configuration and no further generation takes place. Therefore, the evaluated configuration is identical to the TOE, which can be identified as described in chapter 2 of this certification report (firmware 3 18 1 11).
9 Results of the Evaluation
The Evaluation Technical Report (ETR) was provided by TÜViT's evaluation body according to the requirements of the Scheme, the Common Criteria (CC), the Methodology (CEM) and the Application Notes and Interpretations of the Scheme (AIS). The verdicts for the CC part 3 assurance classes and components (according to EAL3 and the class ASE for the Security Target Evaluation) are summarised in the following table:
EAL3 assurance classes and components: Verdict
- Security Target evaluation (CC Class ASE): PASS
- TOE description (ASE_DES.1): PASS
- Security environment (ASE_ENV.1): PASS
- ST introduction (ASE_INT.1): PASS
- Security objectives (ASE_OBJ.1): PASS
- PP claims (ASE_PPC.1): n/a
- IT security requirements (ASE_REQ.1): PASS
- Explicitly stated IT security requirements (ASE_SRE.1): PASS
- TOE summary specification (ASE_TSS.1): PASS
- Configuration Management (CC Class ACM): PASS
- Authorisation controls (ACM_CAP.3): PASS
- TOE CM c
107. tion information and method to communicate with CS. When the direct HTTPS method, dialup HTTPS method or SMTP method is used to communicate with CS, operators can access the information based on Table 4.
FTP_ITC.1
SF.CS_I&A: TSF identifies and authenticates CS before it communicates with CS by HTTPS. When the identification and authentication succeed, it is allowed to export or import information to/from CS. If the identification and authentication fail, it is denied to export or import information to/from CS.
SF.CS_HTTPS: TSF can export and import the information listed in Table 5 to/from CS by using the HTTPS protocol. TSF authenticates CS before exporting or importing information. When CS is successfully authenticated, TSF encrypts the information to export and decrypts the imported information.
FCS_COP.1
SF.CS_HTTPS: TSF can export and import the information listed in Table 5 to/from CS by using the HTTPS protocol. When CS is successfully authenticated, TSF encrypts the information to export and decrypts the imported information.
SF.CS_SMIME: TSF can export the information listed in Table 4 and Table 5 to CS by E-Mail. When TSF exports information to CS by E-Mail, TSF encrypts the E-Mail message by S/MIME. TSF encrypts the message with the public key of CS to prevent anyone other than CS from reading the message.
SF.CS_I&A: TSF identifies and
108. to class ASE and EAL 3. The actual fulfilment of the requirements by these assurance measures is inspected during the evaluation.
Table 14: Correspondence between assurance requirements and assurance measures
Assurance Class / Assurance Component / Assurance Measure
- ASE (Security Target evaluation). ASE_DES.1, ASE_ENV.1, ASE_INT.1, ASE_OBJ.1, ASE_PPC.1, ASE_REQ.1, ASE_SRE.1, ASE_TSS.1: Security Target for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- ACM (Configuration management). ACM_CAP.3, ACM_SCP.1: Configuration Management Plan for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- ADO (Delivery and operation). ADO_DEL.1, ADO_IGS.1: Delivery Procedure for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15; Production Procedure for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15; Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Setup Guide Operating Instructions, Version 1.0, 2005-08-15
- ADV (Development). ADV_FSP.1: Security Functional Specification for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15. ADV_HLD.2: High-level Design for Remote Communication Gate Type BN1 Remote Communication Gate
109. vice confirm that they are working correctly. Especially the image I/O device that RC Gate manages explicitly should be up and running well.
Responsible persons who should watch the office network working correctly will ensure that the office network system is trusted. Responsible persons should watch the office network working correctly and well. When the TOE is used in an Internet environment, a firewall and virus protection programs shall be established.
The maintenance of RC Gate shall be carried out by a CE who is an employee of Ricoh or a Ricoh affiliate company. The CE is well trained and well informed about RC Gate. He/She reads the maintenance documentation and user documentation thoroughly; therefore he/she can respond appropriately to RC Gate. The CE has to check the time and date regularly, among others, and correct these if necessary. Furthermore, the CE has to keep his/her password secret.
OE.ADMIN: Those responsible for the TOE shall assign a reliable administrator and registrant and train them appropriately. Reliable persons are assigned as Administrator and Registrant of the TOE. Administrator and Registrant should read the user's document thoroughly; therefore they can respond appropriately to RC Gate as an Administrator and Registrant. The Administrator and Registrant have to check the time and date regularly, among others, and correct these if
110. Figure 3: RC Gate and the TOE
2.6 Definition of Specific Terms
For clear understanding of this ST, the meanings of specific terms are defined as shown in Table 2.
Table 2: Specific terms related to the RC Gate
Terms: Administrator, CE, Certificates for RC Gate, Certificates for image I/O device, Firewall, Flash memory, Image I/O device, Linux, MIB, Master key, Operator, PKI, Private key, Public key
Term: Definition
- Administrator: Administrator is the trusted person who is authorised to perform the administrative operations of the RC Gate.
- CE: CE (Customer Engineer) is the person who performs maintenance operation of the RC Gate. The CEs are employees of Ricoh or its affiliated company.
- Certificates for RC Gate: Public/Private key for the RC Gate and the root key for CS and Image I/O device.
- Certificates for image I/O device: Public/Private key for the image I/O device and the root key for RC Gate.
- Firewall: A set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
- Flash memory: Flash memory is non-volatile memory which is a fixed memory device on board.
Image I/O device
111. ysis for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Vulnerability Analysis for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Configuration Management Plan for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Development Security Plan for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Delivery Procedure for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Production Procedure for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Service Manual for Remote Communication Gate Type BN1 Remote Communication Gate Type BM1, Version 1.0, 2005-08-15
- Remote Communication Gate Type BN1 BM1 Machine Code A768 A769 SERVICE MANUAL, Version 1.0, revised 2005-05-24
- Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Safety Information and Setup Guide, Version A768 8603A A768 8605A, 2005-06-22
- Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 Operating Instructions, Version A768 8604A A768 8606A, 2005-07-01
- Remote Communication Gate Type BN1 Remote Communication Gate Type BM1 CS developer's Guidance, Version 1.00, 2005-03-25