MFP Protection Profile for

Environment A

Version 1.3

Aug 18 2004

DRAFT

Prepared For: IEEE-P2600

This protection profile is being created for the IEEE-P2600 committee in order to set security requirements for Multifunctional Peripherals (MFPs). This is the first revision and is considered a draft document.

Version / Date / Author / Description
1.0 / 7/27/04 / Ron Nevo / The first version
1.3 / 8/18/04 / Ron Nevo / TOE Description changes

1. Introduction
1.1 Identification ... 6
1.2 Protection Profile Overview ... 7
2. TOE Description ... 8
2.1 Specific Terms in Securing MFP PP ... 8
2.2 About the Product ... 9
2.3 Detailed Product Description
3. TOE Security Environment ... 14
3.1 Secure Usage Assumptions ... 14
3.2 Threats to Security ... 15
3.3 Organizational Security Policies ... 16
4. Security Objectives ... 17
4.1 Security Objectives for the TOE ... 17
4.2 Security Objectives for the Environment ... 18
5. IT Security Requirements ... 19
5.1 TOE Security Functional Requirements ... 19
5.2 TOE Security Assurance Requirements ... 36
5.3 Security Requirements for IT Environment (Optional) ... 41
5.4 Security Requirements for Non-IT Environment (Optional) ... 41
6. Rationale ... 42
6.1 Introduction and TOE Description Rationale (Optional) ... 42
6.2 Security Objectives Rationale ... 42
6.2.1 Policies ... 42
6.2.2 Threats ... 43
6.3 Security Requirements Rationale ... 44
6.3.1 Functional Security Requirements Rationale ... 44
6.3.2 Minimum Strength of Function Level Rationale ... 45
6.3.3 Assurance Requirements Rationale ... 46
6.3.4 Mutual Support of Security Requirements Rationale ... 46
6.4 Dependency Rationale ... 50
6.5 Security Functional Requirements Grounding in Objectives ... 53
Appendix A ... 57

Table 2-1 Specific Terms in Secure MFP
Table 5-1 Assurance Requirements: EAL (3)
Table 6-1 Correspondence between Security Needs and Security Objectives
Table 6-21 Mapping the TOE Security Environment to Security Objectives
Table 6-22 Tracing of Security Objectives to the TOE Security Environment
Table 6-3 Functional Component to Security Objective Mapping
Table 6-4 Functional and Assurance Requirements Dependencies
Table 6-5 Requirements to Objectives Mapping

1 - Introduction

Multifunctional devices combine several different technical disciplines to accomplish their task. Their connectivity to local area networks, dial-up lines, FTP services and HTTP services makes them a critical part of any infrastructure security plan. This protection profile addresses all basic-level security issues and forms a basis for higher-level protection profiles.

1.1 - Identification

Title: High-level Secure MFP Protection Profile

Version: 1.3

Date: 8/19/04

Authors: Ron Nevo, Yusuke Ohta

CC used:

Keywords: MFP, document, copier, printer, scanner, facsimile, network, office

General Status: Draft

1.2 - Protection Profile Overview

A Protection Profile written per the Common Criteria documentation must address the security environment. MFPs are used in very diverse environments and are subject to different threats in those environments. Some of the threats identified are found only in very hostile environments, and some of the vulnerabilities identified can be exploited only by very highly skilled attackers. In order to be a practical guide for manufacturers, it is useful to distinguish between benign and hostile environments.

The MFP is a network-connected device, mainly used in office environments, that provides multiple functions, e.g. copier, printer, scanner and facsimile. Since some of the objects the MFP deals with (e.g. electronic documents, paper documents and the address book) are sensitive for users, appropriate protection for them is required.

Additionally, the residual image data temporarily stored in memory and on hard disk drives (HDD) during user operations (e.g. copy, scan, fax or print) should be considered an asset to be protected. Moreover, some customers worry about unauthorized intrusion via the telephone line that is used for facsimile.

The Target of Evaluation (TOE) addressed by this PP is the set of modules of the MFP that realize the security functions protecting these assets. The security functions are realized by both software and hardware.

2 - TOE Description

2.1 - Specific Terms in Securing MFP PP

Table 2-1 defines the specific terms used in this PP so that readers can understand the PP easily.

Term / Meaning

Assets

Document / It includes all kinds of documents with which users consciously deal, e.g. original paper to be copied, electronic files to be printed from PCs, image data sent by scanning or by facsimile, data stored in the HDD of the MFP, and so on.

User Function Data / It indicates the user's original data, other than Documents, that the MFP applications use, e.g. phone books for facsimile. It is distinguished from the Management Data.

Management Data / It indicates the secondary asset that is needed for the security functions of the MFP but not by users. Examples are:
- user management data, e.g. passwords;
- device management data, e.g. audit data, log data, paper configuration;
- network management data, e.g. the MFP IP address, the server's IP address, etc.
From the point of view of the CC, this data is categorized as “TSF data”.

Resource / It indicates the hardware modules that constitute the MFP (e.g. CPU, RAM and/or HDD), the software modules, the network interface and user interface, and the supplies for the MFP (e.g. paper, toner).

User role

Internal User / It indicates an entity that accesses the MFP physically or via the intranet. The Internal User includes the Device Administrator, Network Administrator, Normal User, Customer Engineer and Maintenance Device. For details of those roles, see below.

Device Administrator / It indicates the privileged user who performs administrative operations on the MFP other than network configuration (e.g. management of users, of MFP resources and of audit data). The Device Administrator is one role of the Internal User.

Network Administrator / It indicates the privileged user who manages the network configuration of the MFP. This PP distinguishes the Network Administrator from the Device Administrator because of some users' requests; in many cases the same person might act in both roles. The Network Administrator is one role of the Internal User.

Normal User / It indicates the user who accesses the MFP for normal use (e.g. copy, print and scan) via the Operation Panel of the MFP or via the intranet. The Normal User is one role of the Internal User.

Customer Engineer / It indicates a person who works for the vendor of the MFP and maintains it at the customer's site. The Customer Engineer is one role of the Internal User.

Maintenance Device / It indicates a dedicated device, placed in the intranet, that maintains the MFP. The Maintenance Device is not a person but is considered one role of the Internal User.

External User / It indicates an entity that accesses the MFP from outside the office via the Telephone Line.

Interfaces to the MFP

Operation Panel / It indicates the panel for operations that is attached to the MFP. It typically consists of an LCD, some buttons and an optional card scanner. The Internal Users operate the MFP with the Operation Panel.

Network Interface / It indicates the interface used to connect the MFP to the intranet, e.g. the Ethernet interface or USB to a memory device.

Telephone Line / It indicates the interface used to connect the MFP to the public circuit for facsimile.

Miscellanea

Temporary Data / It indicates the image data that is temporarily built on the HDD before the MFP performs operations of the Applications.

Stored Data / It includes fonts, forms and Document data files.

Application / It indicates the major functions that the MFP provides, e.g. copying, printing, scanning and facsimile.

2.2 - About the Product

The product type of the TOE is Multi-functional Peripheral (MFP).

The MFP provides Applications concerning Documents, mainly in an office environment. Some kinds of MFP also provide functionality such as transferring scanned data to PCs or servers via the network. The MFP also realizes advanced copying operations, e.g. combining pages or repeated printing, by keeping the Temporary Data in the built-in HDD or memory.

The objects that are dealt with by the MFP and considered assets (necessary to be protected) are primarily the Documents, the User Function Data and the Resources (for details, see Table 2-1). In addition, the Management Data needed for the security functions should be considered a secondary asset and be protected appropriately.

As interfaces to the MFP, the Operation Panel for direct access, the Network Interface for remote access, and the Telephone Line for facsimile should be considered. The Internal User uses the Operation Panel and the Network Interface to access the MFP, and the External User uses the Telephone Line.

Figure 1 shows an overview diagram of the TOE, data, users and interfaces.


2.3 - TOE Architecture Description

Figure 2 shows an example block diagram of a detailed MFP with the primary components that may have security requirements. (Note that this figure is purely illustrative and is not intended to constrain the TOE design or mandate a particular architecture or product configuration; however, a Security Target (ST) written to comply with this PP shall specify the product features as well as the architecture of the design.)

Figure 2: The general Architecture of TOE

Original Document Handler

The Original Document Handler is the part of the TOE's scanning function that manipulates the input document into position for scanning, as well as any location where the input document is stored before or after scanning. The type of input document is not restricted to paper and may include transparencies, slides or film. Examples of an Original Document Handler include a flatbed glass window, a single-sheet feeder, or a multiple-sheet input with duplexer.

Hardcopy Output Handler

The Hardcopy Output Handler is the part of the TOE's printing function that holds or manipulates the media after it has exited the Media Marking Path (print engine). The Hardcopy Output Handler may also include certain post-printing processes (finishing options) such as stapling, hole punching, folding, etc. Examples include the exit tray of a printer, mailbox attachments to an MFP, and a stapler/collator attachment for a copier.

Data Interface

The Data Interface of a hardcopy device includes any interface that transports print/scan data into or out of the hardcopy device's system processor and memory. Some data interface designs may include independent processor and memory subsystems, which shall be included in STs based on this profile. Note that some hardcopy device architectures may include data interfaces between specific functions of the device (e.g. the scanner-to-print-engine interface in an MFP, or a printing system where the System Processor and Memory is an external computer); these shall be included in the evaluation.

Examples of common data interfaces that may be considered within the security boundary of STs based on this profile are:

·  Wide Area Network (WAN): (e.g., GPRS/Cellular Data, PSTN Fax etc.)

·  Local Area Network (LAN): (e.g., Ethernet, Token Ring, WiFi/802.11, etc.)

·  Personal Area Network (PAN): (e.g., USB, WiMedia/802.15, UWB, SCSI, IRDA, 1394, etc.)

·  Local Port or Connection: (e.g., IEEE1284, RS232, Compact Flash, CD/DVD, diskette, etc.)

Media Marking Path

The Media Marking Path of a HD TOE includes all paths in the printing function that the input media takes between the Input Media Interface and the Hardcopy Output Handler. This path may include certain intermediate media handling devices (e.g., duplexer) as well as the path through the marking mechanism.

Operator Interface

The Operator Interface of the HD TOE is any physical human interface (e.g., a touch-screen LCD control panel) that allows access to display and/or modify the state of the hardcopy device. This interface can range from a few lights and buttons on an inkjet printer to a full-screen display with keyboard. This interface does not include “remote” or reflected user interfaces that may be implemented as part of a management application accessing the device via one of the data interfaces.

Marker/Consumables Interface

The Marker/Consumables Interface includes any method for human access to the user replaceable components (i.e., ink/toner cartridge, developer roll, waste toner bottle etc.) in a hardcopy device. An example of this interface would be the doors and latches that must be opened to replace a toner cartridge in a general-purpose laser printer.

Input Media Interface

The Input Media Interface includes any method for human access to the mechanisms that store and feed media (paper) to be marked on by a hardcopy device. Examples of this interface would be the sliding drawers that hold paper for an office MFP or the roll paper mechanism for a production printer.

System Microprocessor and Memory/Storage

The System Processor includes ANY microprocessor, DSP or microcontroller that has modifiable microcode (regardless of how it is modified) or that processes any type of user data or management information for the hardcopy device. All system processors shall be included in STs written to comply with this PP. The System Memory/Storage includes ANY volatile or non-volatile storage in the hardcopy device. Examples include EEPROM, DRAM, SRAM, Flash memory of any form factor or type, hard disk, etc. Note that while Figure 2 shows the System Microprocessor/Memory system as a “single” entity in the Hardcopy Device, many of the other interfaces or components within the Hardcopy Device will also have their own microprocessor/memory subsystems, which shall be included in STs written to comply with this PP.

3 - TOE Security Environment

This chapter identifies assumptions (A) and threats (T) related to the TOE.

Assumptions are given to detail the expected environment and operating conditions of the system. Threats are those that are addressed by the TOE and its operating environment.

The primary assets that the TOE shall protect are the Documents, the User Function Data and the Resources of the MFP. In addition, the Management Data is considered a secondary asset, because it must be protected in order for the MFP to protect the primary assets appropriately.

3.1 - Secure Usage Assumptions

In this section, the assumptions postulated about the environment in which the MFP is used are defined with identifiers (e.g. A.ADMIN). The security functions of the MFP are designed on the condition that all of these assumptions are satisfied. In other words, if one or more assumptions are not fulfilled, the assets might not be protected by the security functions of the MFP.