IEEE P2600™/PP 1.100d1
Last Edited: May 12, 2005
Draft
Protection Profile for
Hardcopy Devices
for High Security Environments
Sponsored by the
Information Assurance Committee
of the IEEE Computer Society
Copyright © 2004-2005 by the Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
All rights reserved.
This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards Committee participants to reproduce this document for purposes of IEEE standardization activities only. Prior to submitting this document to another standards development organization for standardization activities, permission must first be obtained from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department. Other entities seeking permission to reproduce this document, in whole or in part, must obtain permission from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department.
IEEE Standards Activities Department
Standards Licensing and Contracts
445 Hoes Lane, P.O. Box 1331
Piscataway, NJ 08855-1331, USA
Foreword
Hardcopy Devices (HCDs) are a category of information technology products that process paper documents as input and/or output. For the purposes of this document, this category is composed of printing, copying, scanning, and facsimile devices, and systems that combine one or more of those functions into a multifunctional device (MFD).
Typical applications of HCDs involve physical connection to other devices via telephone lines and wired and wireless networks, and logical connection to other devices using a variety of networking services and protocols. Establishing the security of HCDs is therefore a critical part of any information systems security plan where HCDs are present. Protection Profiles for HCDs are intended to provide the basis for evaluating the security functions of HCDs and help ensure that the security objectives of an information systems environment can be met.
This document, “Protection Profile for Hardcopy Devices for High Security Environments”, describes the assumptions, threats, objectives, and requirements related to the use of HCDs in an information technology environment where a relatively high level of security is required. Other Protection Profiles have been developed for HCDs in other security environments. Those environments are defined within the Protection Profile documents, and their definitions are based on guidelines established by NIST.
This Protection Profile has been developed by the Hardcopy Security Working Group of the Institute of Electrical and Electronics Engineers (IEEE) as part of the IEEE P2600™ “Standard for Information Technology: Hardcopy System and Device Security”. It is designed for use in two contexts:
- As a standalone reference document for ISO/IEC 15408 (“Common Criteria”) certification; and,
- As a section within the IEEE P2600™ standard.
This Protection Profile is based on the “Common Criteria for Information Technology Security Evaluations, Version 2.2”.
Further information about this Protection Profile and the IEEE P2600™ project, including status and updates, can be obtained at http://grouper.ieee.org/groups/2600/. Comments on this document should be directed to the Chairperson of the P2600™ working group, whose contact information is listed on that web site.
Contents
Foreword 2
Contents 3
List of Tables 7
List of Figures 7
Revision History 8
1 Introduction 10
1.1 Identification 10
1.2 Protection Profile Overview 10
2 TOE Description 11
2.1 TOE Terminology 11
2.2 TOE Functional Description 13
2.2.1 Actors 13
2.2.2 Accesses 13
2.2.3 Assets 13
2.3 TOE Architectural Description 15
2.3.1 Original Document Handler 16
2.3.2 Hardcopy Output Handler 16
2.3.3 Data Interface 16
2.3.4 Media Marking Path 16
2.3.5 Operator Interface 16
2.3.6 External Device Interface 16
2.3.7 Maintenance Ports 16
2.3.8 Marker/Consumables Interface 16
2.3.9 Input Media Interface 17
2.3.10 System Processor and Memory/Storage 17
2.3.11 Scanner 17
2.3.12 Printer 17
3 TOE Security Environment 18
3.1 Secure Usage Assumptions 18
3.1.1 A.ADMIN (Administrator trust and competence) 18
3.1.2 A. USER (User responsibility) 18
3.1.3 A.LOCATION (Limited physical access) 18
3.1.4 A.NETWORK (Limited network access) 18
3.2 Threats to Security 20
3.2.1 T.UD (Unauthorized access to User Documents) 20
3.2.2 T.RESOURCE.PEER (Unauthorized use of Resources) 20
3.2.3 T.DOS (Denial or impediment of services of the TOE) 20
3.2.4 T.EA (Attacks on external systems in the IT environment) 21
3.2.5 T.TSF (Accessing or altering TOE Security Functions) 21
3.3 Organizational Security Policies 21
4 Security Objectives 22
4.1 Security Objectives for the TOE 22
4.1.1 O.I&A (User identification and authentication) 22
4.1.2 O.ACCESS (User authorization) 22
4.1.3 O.DELETE (Deletion of residual data) 22
4.1.4 O.PROTECT (Protection of documents and data) 22
4.1.5 O.NETWORK (Protecting transmitted data and resources) 22
4.1.6 O.MONITOR (Monitoring) 22
4.1.7 O.RESILIENT (Mitigation of DOS attack) 22
4.1.8 O.GENUINE (Assurance of genuine TOE) 22
4.2 Security Objectives for the Environment 23
4.2.1 Security objectives for the IT environment 23
4.2.2 Security objectives for the non-IT environment 23
5 IT Security Requirements 24
5.1 TOE Security Functional Requirements 24
5.1.1 Security audit (FAU) 24
5.1.2 Cryptographic support (FCS) 26
5.1.3 User data protection (FDP) 27
5.1.4 Identification and authentication (FIA) 29
5.1.5 Security management (FMT) 30
5.1.6 Protection of the TOE Security Functions (FPT) 32
5.1.7 TOE access (FTA) 33
5.1.8 Trusted path/channels (FTP) 34
5.2 TOE Security Assurance Requirements 35
5.2.1 Configuration management (ACM) 36
5.2.2 Delivery and operation (ADO) 37
5.2.3 Development (ADV) 38
5.2.4 Guidance documents (AGD) 40
5.2.5 Tests (ATE) 42
5.2.6 Vulnerability assessment (AVA) 44
5.3 Security Requirements for the IT Environment 46
5.4 Minimum Strength of Function Claim 46
6 PP Application Notes 47
6.1 Completion of the operations on the security functional requirements 47
6.2 Combination of threats and assumption 47
6.3 TOE or IT environment 47
7 Rationale 48
7.1 Security Objectives Rationale 48
7.1.1 Necessity and Completeness 48
7.1.2 Correctness 49
7.2 Security Requirements Rationale 54
7.2.1 Functional Security Requirements Rationale 54
7.2.2 Rationale for assurance requirements 55
7.2.3 Rationale for minimum strength of function level 55
7.2.4 Mutual support of security requirements 55
7.2.5 Dependency Rationale 55
8 Acronyms 56
List of Tables
Table 1. Asset Terminology 11
Table 2. Actor Terminology 11
Table 3. Access Terminology 12
Table 4. Miscellaneous Terminology 12
Table 5. T.UD Threats 20
Table 6. T.DOS Threats 20
Table 7. T.EA Threats 21
Table 8. T.TSF Threats 21
Table 9. Assurance Requirements: EAL 2 35
Table 10. Correspondence between security environment and security objectives 48
Table 11 Additional justification for Security Objectives 49
Table 12. Correspondence between security objectives and security functional requirements 54
List of Figures
Figure 1. Overview of the TOE Actors, Access, and Assets 13
Figure 2. TOE Architectural Description 15
Revision History
Version / Date / Author(s) / Description
0.1 / 4/19/04 / Ohta / PP proposal
1.0 / 7/27/04 / Nevo / First draft
1.3 / 8/18/04 / Nevo / TOE description changes
1.4 / 8/20/04 / group / Typographical corrections
1.5 / 9/8/04 / Nevo, Cybuck / Sections 1-4
1.51, 1.52 / 10/4-8/04 / group / Corrections from Montreal meeting and cleanup of sections 1-4
1.60 / 10/25/04 / Nevo, Cybuck / Corrections from Lexington meeting to sections 1-4, update all sections
1.70 / 11/2/04 / Ohta, Smithson / Many changes, see associated 1.70 Change Notes document
1.71 / 11/7/04 / Nevo, Cybuck / Combines 1.60 and 1.70 to have one document according to IEEE format
1.72 / 11/10/04 / Ohta, Smithson / Chapter 4
1.73 / 11/23/04 / Smithson, Ohta / Corrections and updates from San Antonio meeting to chapters 1-6
1.735 / 11/26/04 / Ohta / Corrections to chapter 5.1 and 5.2
1.74 / 12/22/04 / Nevo, Cybuck / Additional Corrections and updates from San Antonio meeting to chapters 1-5
1.75 / 02/07/05 / Smithson, Ohta / Added new section 6 “PP Application Notes” (but still TBD), and the “Rationale” moved from section 6 to 7.
Added some descriptions to section 7 “Rationale”, but much part is still just examples and under construction.
Changed Customer Engineer from “trusted” to “untrusted”.
Removed assumptions of external network security and physical location security and their corresponding objectives.
Clarified definitions of Authorized User and Unauthorized User. Updated Figures 1 and 2
1.75-brian / 02/08/05 / Smithson / Added Tables 12 and 13 (completeness and correctness of objectives)
1.75-ohta / 02/10/05 / Ohta / Performed some operations against SFRs in section 5.1
Removed FTP_RCV.2 from section 5.1
Added some description to section 6 “PP Application Notes”
Added small description to section 7.2.1, but gave up…
1.80 / 02/08/05 / Nevo, Cybuck / Update section 1-4 after 1/2005 meeting, Added example to figure 1,2 , added firmware as assets, added A. PHS added back OE location
1.81 / 02/17/05 / Smithson / Merge 1.75 / 1.80
1.83 / 04/01/05 / Nevo, Cybuck / Update section 1-4 after 2/2005 meeting to include:
Firmware update, adding Paragraph for TOE architectural Description, adding Scanner and printer to TOE components, revised the description of T.EA and T.DOS,
1.90 / 03/29/05 / Ohta / Update section 1-7.
Section 7.2 is still under construction.
1.91 / 04/07/05 / Nevo, Cybuck / Update after 04/07 conference call.
1.92 / 04/08/05 / Ohta / Change the description of T.DOS.
Correct small inconsistencies.
1.93 / 04/25/05 / Ohta, Smithson / Update after 4/2005 meeting to include:
- Added information flow control (OE.NETWORK and FDP_IFC and FDP_IFF),
- Added network management (OE.NET_MANAGE),
- Added auto logout (FTA_SSL), and
- Some minor corrections.
1.93R / 4/25/05 / Nevo, Cybuck / Additional update after 4/2005 meeting to include:
- T.DOS update description
- O.network adding protocol
- Update to Table 10 (T.TSF.SW)
- Update to table 11 (T.TSF.SW)
1.100
1 Introduction
1.1 Identification
Title: Protection Profile for Hardcopy Devices for High Security Environments
Version: 1.100d1
Date: May 12, 2005
Authors: IEEE P2600 Working Group
CC Version: 2.2
EAL: 2
Keywords: Hardcopy, Paper, Document, Copier, Printer, Scanner, Facsimile, FAX, Multifunction Device, MFD, MFP, Network, Office
Status: Draft
1.2 Protection Profile Overview
The Target of Evaluation (TOE) of this Protection Profile is a whole Hardcopy Device (HCD), or the software, hardware, and/or firmware components thereof that realize the HCD’s security functions. HCDs perform one or more of the following functions and are primarily used in office environments:
· Copying paper documents
· Printing digital documents to paper form
· Scanning paper documents to digital form
· Transmitting paper or digital documents to a facsimile device
· Receiving documents from a facsimile device and delivering them in paper or digital form
Many of the information objects that are processed or used by HCDs may contain valuable or sensitive information that needs to be protected from unauthorized disclosure, alteration, and destruction. This includes the documents in paper and digital forms, job information stored in usage logs, user information stored in address books, and residual data stored in hard disks, other memory devices, and electrostatic components. Documents and other information may be transmitted over telephone lines and computer networks, and so protection of network services should be considered. The utility of the device itself may be considered a valuable asset which also needs to be protected, in terms of both availability for authorized use and prevention of unauthorized use. Lastly, there may be a need to ensure that the HCD cannot be misused in such a way that it causes harm to external devices to which the HCD is connected.
All of the aforementioned items are considered to be assets requiring some level of protection, depending upon the security requirements of the environment in which the TOE is being used. Several Protection Profiles are available for HCDs in different environments:
· High Security Environment
· Enterprise Environment
· Small Office / Home Office (SOHO) Environment
· Custom Environment
This Protection Profile addresses the security threats, objectives, and requirements that apply to the High Security Environment, which is described in Section 3, TOE Security Environment, below.
2 TOE Description
2.1 TOE Terminology
Table 1. Asset Terminology
Term / Definition /
User Document / Includes all representations of documents processed by the TOE, including: original paper to be copied, electronic files to be printed, image data sent by scanning or with facsimile, printed paper output, and deliberate or residual stored data in hard disks or other memory devices. /
User Function Data / Data about users that the TOE applications use, excluding passwords, but including user identifiers for access control, destination lists for scanning and address books for facsimile delivery. /
Management Data / Data that controls the configuration of and access to the device, including: user and administrator authentication information (user and administrator passwords); device management data such as audit data, log data, and paper configuration; and network management data such as IP addresses. Management Data is not a direct asset in itself, but its disclosure, alteration, or destruction is a threat to direct assets. /
Resource / Physical components that comprise the TOE (e.g., electronic, electrical, and mechanical items); resident digital components (e.g., fonts); and consumable supplies for the TOE (e.g., paper, toner). /
Firmware / Software that is embedded in a hardware device that allows reading and executing the software, but does not allow modification, e.g., writing or deleting code by an end user. /
Table 2. Actor Terminology
Term / Definition /
Internal User / A person who accesses the TOE physically or using any interface that is not publicly accessible (including virtual private network connections). Internal User includes the Device Administrator, Network Administrator, Normal User, and Customer Engineers. For details of those roles, see below. /
External User / A person who accesses the TOE from outside of the office using the Telephone Line or any other interface that is publicly accessible. /
Normal User / A person who accesses the TOE for normal use (e.g., copy, print, fax, and scan) using the Operator Panel or Network or Local Interfaces. /
Device Administrator / A person who controls administrative operations of the TOE other than its network configuration (e.g., management of users, resources of the TOE, and audit data). /
Network Administrator / A person who manages the network configuration of the TOE. This Protection Profile distinguishes the Network Administrator from the Device Administrator because it may be a different person and/or the roles are granted different privileges on the TOE. /
Auditor / (To be discussed) /
Customer Engineer / A person authorized to maintain the TOE at a customer site. /
Authorized User / A person who is permitted to access and use the TOE for a defined purpose. This can include persons who are permitted to perform some operations but may be able to attempt or perform operations that are beyond those permissions. Therefore, a person may be an Authorized User for some purposes and an Unauthorized User for other purposes. /
Unauthorized User / A person who is not permitted to access or use the TOE for a defined purpose. This can include persons who are permitted to access and use the TOE for other defined purposes in addition to those who are permitted to be physically proximate to the TOE or who are permitted to access a network to which the TOE is connected. Therefore, a person may be an Unauthorized User for some purposes and an Authorized User for other purposes. /
Table 3. Access Terminology