Ricoh Mp C3001 Instruction Manual
Page 60 of 93 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

FIA_UAU.1.2(a) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.1(b) Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is authenticated (refinement: authentication of MFP administrator and supervisor with Basic Authentication, and authentication of normal user with external authentication server).
FIA_UAU.1.2(b) The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.2 User authentication before action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated (refinement: authentication of a person who intends to use the TOE from RC Gate communication interface) before allowing other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: displaying dummy letters as authentication feedback on the Operation Panel] to the user while the authentication is in progress.

FIA_UID.1(a) Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1(a) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: identification with Basic Authentication).
FIA_UID.1.2(a) The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_UID.1(b) Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1(b) The TSF shall allow [assignment: the viewing of the list of user jobs, Web Image Monitor Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: authentication of MFP administrator and supervisor with Basic Authentication, and identification of normal user with external authentication server).
FIA_UID.1.2(b) The TSF shall require each user to be successfully identified before allowing other TSF-mediated actions on behalf of that user.

FIA_UID.2 User identification before action
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each user to be successfully identified (refinement: identification of a person who intends to use the TOE from RC Gate communication interface) before allowing other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: login user name of normal user, login user name of MFP administrator, available function list, and user role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes listed in Table 25].
Table 25: Rules for Initial Association of Attributes

| Users | Subjects | User Security Attributes |
|---|---|---|
| Normal user | Normal user process | Login user name of normal user; User role; Available function list |
| Supervisor | Supervisor process | User role |
| MFP administrator | MFP administrator process | Login user name of MFP administrator; User role |
| RC Gate | RC Gate process | User role |

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none].

6.1.5 Class FMT: Security management

FMT_MSA.1(a) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
    FMT_SMR.1 Security roles
    FMT_SMF.1 Specification of Management Function
FMT_MSA.1.1(a) The TSF shall enforce the [assignment: document access control SFP] to restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the security attributes [assignment: security attributes in Table 26] to [assignment: the user roles with operation permission in Table 26].

Table 26: User Roles for Security Attributes (a)

| Security Attributes | Operations | User Roles with Operation Permission |
|---|---|---|
| Login user name of normal user for Basic Authentication | Query, modify, delete, newly create | MFP administrator |
| Login user name of normal user for Basic Authentication | Query | Normal user who owns the applicable login user name |
| Login user name of normal user for External Authentication | Query, modify, delete, newly create | MFP administrator |
| Login user name of supervisor | Query, modify | Supervisor |
| Login user name of MFP administrator | Newly create | MFP administrator |
| Login user name of MFP administrator | Query, modify | MFP administrator who owns the applicable login user name |
| Login user name of MFP administrator | Query | Supervisor |
| Document data attribute | No operation permitted | - |
| Document user list [when document data attributes are (+PRT), (+SCN), (+CPY), and (+FAXOUT)] | No operation permitted | - |
| Document user list [when document data attribute is (+DSR)] | Query, modify | MFP administrator, applicable normal user who stored the document data |
| Document user list [when document data attribute is (+FAXIN)] | Query, modify | MFP administrator |

-: No user roles are permitted for operations by the TOE.
FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
    FMT_SMR.1 Security roles
    FMT_SMF.1 Specification of Management Function
FMT_MSA.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the security attributes [assignment: security attributes in Table 27] to [assignment: the user roles with operation permission in Table 27].

Table 27: User Roles for Security Attributes (b)

| Security Attributes | Operations | User Roles with operation permission |
|---|---|---|
| Login user name of normal user for Basic Authentication | Query, modify, delete, newly create | MFP administrator |
| Login user name of normal user for Basic Authentication | Query | Normal user who owns the applicable login user name |
| Login user name of normal user for External Authentication | Query, modify, delete, newly create | MFP administrator |
| Available function list | Query, modify | MFP administrator |
| Available function list | Query (however, query is not allowed in case of External Authentication) | Applicable normal user |
| Function type | No operation permitted | - |
| User role | No operation permitted | - |

-: No user roles are permitted for operations by the TOE.

FMT_MSA.3(a) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
    FMT_SMR.1 Security roles
FMT_MSA.3.1(a) The TSF shall enforce the [assignment: document access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 28] to specify alternative initial values to override the default values when an object or information is created.

Table 28: Authorised Identified Roles Allowed to Override Default Values

| Objects | Security Attributes | Authorised Identified Roles |
|---|---|---|
| Document data | Document data attribute | No authorised identified roles |
| Document data [when document data attribute is (+DSR)] | Document user list | MFP administrator; Normal user who stored the applicable document data |
| Document data [when document data attributes are (+PRT), (+SCN), (+CPY), (+FAXIN), and (+FAXOUT)] | Document user list | No authorised identified roles |
| User job | Login user name of normal user | No authorised identified roles |

FMT_MSA.3(b) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
    FMT_SMR.1 Security roles
FMT_MSA.3.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to provide [selection: [assignment: the permissive to the available function list, restrictive to the function type, restrictive to the user role]] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(b) The TSF shall allow the [assignment: MFP administrator for the available function list, no authorised identified roles for the function type, no authorised identified roles for the user role] to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
    FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: query, modify, delete, [assignment: newly create]] the [assignment: list of TSF data in Table 29] to [assignment: the user roles in Table 29].

Table 29: List of TSF Data

| TSF Data | Operations | User Roles |
|---|---|---|
| Login password of normal user for Basic Authentication | Newly create, modify | MFP administrator |
| Login password of normal user for Basic Authentication | Modify | Normal user who owns the login password |
| Login password of supervisor | Modify | Supervisor |
| Login password of MFP administrator | Modify | Supervisor |
| Login password of MFP administrator | Newly create | MFP administrator |
| Login password of MFP administrator | Modify | MFP administrator who owns the login password |
| Number of Attempts before Lockout for Basic Authentication | Query | MFP administrator |
| Setting for Lockout Release Timer for Basic Authentication | Query | MFP administrator |
| Lockout time for Basic Authentication | Query | MFP administrator |
| Date setting (year, month, day), time setting (hour, minute) | Query, modify | MFP administrator |
| Date setting (year, month, day), time setting (hour, minute) | Query | Supervisor, normal user |
| Minimum character number for Basic Authentication | Query | MFP administrator |
| Password complexity setting for Basic Authentication | Query | MFP administrator |
| Audit logs | Query, delete | MFP administrator |
| HDD cryptographic key | Newly create | MFP administrator |
| S/MIME user information | Newly create, modify, query, delete | MFP administrator |
| S/MIME user information | Query (however, operation of query on user certificate is not allowed in case of External Authentication) | Normal user |
| Destination information for folder transmission | Newly create, modify, query, delete | MFP administrator |
| Destination information for folder transmission | Query | Normal user |
| TSF Data | Operations | User Roles |
|---|---|---|
| Users for stored and received documents | Query, modify | MFP administrator |
| User authentication method | Query | MFP administrator |

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: management functions shown in Table 30].

Table 30: List of Specification of Management Functions

Management Functions
- New creation, query, modification, and deletion of the login user name of normal user by MFP administrator when the Basic Authentication is used
- Query of own login user name by normal user when the Basic Authentication is used
- New creation, query, modification, and deletion of the login user name of normal user by MFP administrator when External Authentication is used
- Query and modification of login user name of supervisor by supervisor
- New creation of login user name of MFP administrator by MFP administrator
- Query and modification of own login user name by MFP administrator
- Query of login user name of MFP administrator by supervisor
- New creation and modification of login password of normal user by MFP administrator when the Basic Authentication is used
- Modification of own login password by normal user when the Basic Authentication is used
- Modification of login password of supervisor by supervisor
- Modification of login password of MFP administrator by supervisor
- New creation of login password of MFP administrator by MFP administrator
- Modification of own login password by MFP administrator
- Query of minimum character number by MFP administrator when the Basic Authentication is used
- Query of Password Complexity by MFP administrator when the Basic Authentication is used
- Query of Number of Attempts before Lockout by MFP administrator when the Basic Authentication is used
- Query of Lockout Release Timer Setting by MFP administrator when the Basic Authentication is used
- Query of lockout time by MFP administrator when the Basic Authentication is used
- Query and modification of document user list by MFP administrator
- Query and modification of document user list by the normal user who stored the document
- Query and modification of available function list by MFP administrator
- Query of own available function list by normal user when the Basic Authentication is used
- Query and modification of date and time by MFP administrator
- Query of date and time by supervisor
- Query of date and time by normal user
- Query and deletion of audit logs by MFP administrator
- New creation of HDD encryption key by MFP administrator
- New creation, modification, query and deletion of S/MIME user information by MFP administrator
- Query of S/MIME user information by normal user
- New creation, modification, query and deletion of destination information for folder transmission by MFP administrator
- Query of destination information for folder transmission by normal user
- Query and modification of users for stored and received documents by MFP administrator
- Query of user authentication method by MFP administrator

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: normal user, supervisor, MFP administrator, and RC Gate].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.1.6 Class FPT: Protection of the TSF

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up] to demonstrate the correct operation of [selection: [assignment: the MFP Control Software, FCU Control Software]].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]].
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
    FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line].

6.1.7 Class FTA: TOE access

FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: elapsed time of auto logout, completion of document data reception from the printer driver, completion of document data reception from the fax driver, and termination of communication with RC Gate].

6.1.8 Class FTP: Trusted path/channels

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [selection: the TSF, another trusted IT product] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: communication via the LAN of document data, function data, protected data, and confidential data, and communication with RC Gate via the LAN].

6.2 Security Assurance Requirements

The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 31 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3).
Table 31: TOE Security Assurance Requirements (EAL3+ALC_FLR.2)

| Assurance Classes | Assurance Components |
|---|---|
| ADV: Development | ADV_ARC.1 Security architecture description |
| ADV: Development | ADV_FSP.3 Functional specification with complete summary |
| ADV: Development | ADV_TDS.2 Architectural design |
| AGD: Guidance documents | AGD_OPE.1 Operational user guidance |
| AGD: Guidance documents | AGD_PRE.1 Preparative procedures |
| ALC: Life-cycle support | ALC_CMC.3 Authorisation controls |
| ALC: Life-cycle support | ALC_CMS.3 Implementation representation CM coverage |
| ALC: Life-cycle support | ALC_DEL.1 Delivery procedures |
| ALC: Life-cycle support | ALC_DVS.1 Identification of security measures |
| ALC: Life-cycle support | ALC_LCD.1 Developer defined life-cycle model |
| ALC: Life-cycle support | ALC_FLR.2 Flaw reporting procedures |
| ASE: Security Target evaluation | ASE_CCL.1 Conformance claims |
| ASE: Security Target evaluation | ASE_ECD.1 Extended components definition |
| ASE: Security Target evaluation | ASE_INT.1 ST introduction |
| ASE: Security Target evaluation | ASE_OBJ.2 Security objectives |
| ASE: Security Target evaluation | ASE_REQ.2 Derived security requirements |
| ASE: Security Target evaluation | ASE_SPD.1 Security problem definition |
| ASE: Security Target evaluation | ASE_TSS.1 TOE summary specification |
| ATE: Tests | ATE_COV.2 Analysis of coverage |
| ATE: Tests | ATE_DPT.1 Testing: basic design |
| ATE: Tests | ATE_FUN.1 Functional testing |
| ATE: Tests | ATE_IND.2 Independent testing - sample |
| AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis |

6.3 Security Requirements Rationale

This section describes the rationale for security requirements. If all security functional requirements are satisfied as below, the security objectives defined in 4 Security Objectives are fulfilled.

6.3.1 Tracing

Table 32 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 32 shows that each TOE security functional requirement fulfils at least one TOE security objective.