Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model
Security Target
Version 1.10
2015/10/22
Canon Inc.

This document is a translation of the evaluated and certified security target written in Japanese.

Copyright Canon Inc. 2013
Date of Issue: 2015/10/22
Table of Contents

1 ST introduction ..... 4
1.1 ST reference ..... 4
1.2 TOE reference ..... 4
1.3 TOE overview ..... 4
1.4 Terms and Abbreviations ..... 5
1.5 TOE description ..... 8
1.6 Scope of the TOE ..... 10
1.6.1 Physical Scope of the TOE ..... 10
1.6.2 Logical Scope of the TOE ..... 11
1.7 Users of the TOE ..... 13
1.8 Assets ..... 13
1.8.1 User Data ..... 13
1.8.2 TSF Data ..... 13
1.8.3 Functions ..... 14
2 Conformance claims ..... 15
2.1 CC Conformance claim ..... 15
2.2 PP claim, Package claim ..... 15
2.3 SFR Packages ..... 15
2.3.1 SFR Packages reference ..... 15
2.3.2 SFR Package functions ..... 16
2.3.3 SFR Package attributes ..... 17
2.4 PP Conformance rationale ..... 17
3 Security Problem Definition ..... 20
3.1 Notational conventions ..... 20
3.2 Threats agents ..... 20
3.3 Threats to TOE Assets ..... 21
3.4 Organizational Security Policies ..... 21
3.5 Assumptions ..... 22
4 Security Objectives ..... 23
4.1 Security Objectives for the TOE ..... 23
4.2 Security Objectives for the IT environment ..... 23
4.3 Security Objectives for the non-IT environment ..... 23
4.4 Security Objectives rationale ..... 24
5 Extended components definition (APE_ECD) ..... 27
5.1 FPT_CIP_EXP Confidentiality and integrity of stored data ..... 27
5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces ..... 28
6 Security requirements ..... 30
6.1 Security functional requirements ..... 30
6.1.1 User Authentication Function ..... 30
6.1.2 Function Use Restriction Function ..... 33
6.1.3 Job Output Restriction Function ..... 35
6.1.4 Forward Received Jobs Function ..... 39
6.1.5 HDD Data Erase Function ..... 39
6.1.6 HDD Data Encryption Function ..... 39
6.1.7 LAN Data Protection Function ..... 41
6.1.8 Self-Test Function ..... 42
6.1.9 Audit Log Function ..... 43
6.1.10 Management Functions ..... 45
6.2 Security assurance requirements ..... 49
6.3 Security functional requirements rationale ..... 50
6.3.1 The completeness of security requirements ..... 50
6.3.2 The sufficiency of security requirements ..... 51
6.3.3 The dependencies of security requirements ..... 53
6.4 Security assurance requirements rationale ..... 54
7 TOE Summary specification ..... 56
7.1 User Authentication Function ..... 56
7.2 Function Use Restriction Function ..... 56
7.3 Job Output Restriction Function ..... 57
7.3.1 Job Cancel ..... 58
7.3.2 In The JOB Access Control ..... 58
7.3.3 Temporarily Stored FAX TX Jobs ..... 60
7.4 Forward Received Jobs Function ..... 61
7.5 HDD Data Erase Function ..... 61
7.6 HDD Data Encryption Function ..... 61
7.6.1 Encryption/Decryption Function ..... 61
7.6.2 Cryptographic Key Management Function ..... 62
7.6.3 Device Identification and Authentication Function ..... 62
7.7 LAN Data Protection Function ..... 63
7.7.1 IP Packet Encryption Function ..... 63
7.7.2 Cryptographic Key Management Function ..... 63
7.8 Self-Test Function ..... 63
7.9 Audit Log Function ..... 63
7.10 Management Functions ..... 64
7.10.1 User Management Function ..... 64
7.10.2 Device Management Function ..... 65

Trademark Notice
- Canon, the Canon logo, imageRUNNER, imageRUNNER ADVANCE, MEAP, and the MEAP logo are trademarks of Canon Inc.
- Microsoft, Windows, Windows XP, Windows 2000, Windows Vista, and Active Directory are trademarks or registered trademarks of Microsoft Corporation in the US.
- Mac OS is a trademark of Apple Computer Inc. in the US.
- Oracle and Java are registered trademarks of Oracle Corporation and its affiliates in the United States and in other countries.
- All names of companies and products contained herein are trademarks or registered trademarks of the respective companies.
- Portions of sections 1.1, 1.4, 5.3, 7, 8, 9, 10.1, 10.4, 10.5, 10.6, 11, 12.2, 12.3, 12.4, 13.2, 14.2, 15.2, 16.2, 17.2, 18.2, 19.2, 19.3, 19.4, Annex A and Annex B are reprinted with permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08854, from IEEE 2600.1(tm)-2009 Standard for a Protection Profile in Operational Environment A, Copyright(c) 2009 IEEE. All rights reserved.
1 ST introduction

1.1 ST reference
This section provides the Security Target (ST) identification information.
ST name: Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model Security Target
Version: 1.10
Issued by: Canon Inc.
Date of Issue: 2015/10/22
Keywords: IEEE 2600, Canon, imageRUNNER, iR, Advance, digital MFP, multifunction product (MFP), copy, print, fax, send, facsimile, identification, authentication, access control, log, encryption, Secured Print, BOX, security kit

1.2 TOE reference
This section provides the TOE identification information.
TOE name: Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model
Version: 1.3

The TOE is comprised of the following software, hardware, and licenses.
- iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria Ver 1.03
- HDD Data Encryption & Mirroring Kit-C (Canon MFP Security Chip 2.01)
- Canon Super G3 FAX Board-AP1
- Canon imageRUNNER ADVANCE 4900KB/4200 Series
- Access Management System (License option: Standard-equipment in the United States and Canada)
*Japanese Name
- iR-ADV Security Kit-K1 for IEEE 2600.1 Ver 1.03
- HDD Data Encryption / Mirroring Kit-C (Canon MFP Security Chip 2.01)
- Canon Super G3 FAX Board-AP1 (Standard-equipment on "F" model)
- Canon imageRUNNER ADVANCE 4900B/4200 Series
- Access Management System (License option: Standard-equipment in Japan)
*Canon imageRUNNER ADVANCE 4900KB Series is identical to Canon imageRUNNER ADVANCE 4200 Series except that the former is for exclusive use by public sector in Korea.

1.3 TOE overview
The TOE is a digital multi-function product (MFP) known as < Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model >. This is a version of the standard model < Canon imageRUNNER ADVANCE 4900KB/4200 Series > which, by installing/attaching the following 3 (or 4) products and making the proper settings, makes up the < Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model > or TOE.
- iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria
- HDD Data Encryption & Mirroring Kit
- Fax Board (Standard-equipment on "F" model)
- (Access Management System)1
  For machines in Japan, this option is attached to MFP as "Security Option Kit-A1" by default.
  For machines in the United States and Canada, this option is standard-equipped.
  For machines in Asia and Oceania, "ACCESS MANAGEMENT SYSTEM KIT-B1" option is needed.

iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria contains the < Canon imageRUNNER ADVANCE 4900KB/4200 Series > control software and security kit license. HDD Data Encryption & Mirroring Board is the hardware which encrypts all data stored in the HDD (including software). The HDD of the TOE may be a removable drive. Fax Board is the hardware to use a fax facility.

< Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model > is capable of fully implementing the Protection Profile (PP) for Multi-Function Products indicated below, as well as the security functions required by the seven SFR Packages defined in the PP.

Protection Profile
- 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A

SFR Packages
- 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
- 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
- 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
- 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
- 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
- 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
- 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A

1 "Access Management System" is a license option. The component of "Access Management System" is included in iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria.

1.4 Terms and Abbreviations
The following terms and abbreviations are used throughout this ST.

Table 1 - Terms and Abbreviations
Terms/Abbreviations: Description
Multi-Function Product (MFP): A machine which incorporates the functionality of multiple devices in one, such as copier, fax, printer, and Universal Send, and contains a large capacity HDD to facilitate such capabilities.
Control software: Software that runs on the hardware of the device, and controls security functions.
Control panel: One of the hardware elements of the MFP, consisting of a touch panel and keys, which provides the interface for operation of the MFP.
Remote UI: An interface that provides access to the MFP from a Web browser via the LAN, to allow the acquisition of operating status, performing job operations, and making various settings.
HDD: Hard disk drive mounted on the MFP, where control software and assets are stored.
I-Fax: Short for Internet Fax. Uses the Internet to receive and send faxes.
Image file: Image data generated within the MFP, from operations such as scan, print, and receive.
Temporary image file: Image files generated during jobs until the job completes.
Roles: Used by access restriction functions to restrict the functions that each user can use. One role is associated with each user. In addition to pre-defined default roles, roles may be modified to create custom roles. The default roles are: Administrator, Power User, General User, Limited User, and Guest User.
Administrator: A user assigned the Administrator role is capable of using management operations (administrative privileges). User assigned the Administrator role and has administrative privileges. Equivalent to U.ADMINISTRATOR defined in the PP.
Job: When a user uses the functions of the TOE to execute an operation on a document, a Job is the intended document data combined with the user instructions for processing those data. The operations that can be performed on a document are: Scan, Print, Copy, Fax TX, Save, and Delete. The processing phases for a Job issued by the user are: generation, execution, and completion.
Document data: User data processed within the MFP, consisting of image files and attribute information.
Memory RX (Reception): Allows data received by fax/I-fax to be stored in the Memory RX Inbox for later processing.
Box: Collective name for Mail Boxes, Fax Inboxes, and the Memory RX Inbox wherein data from operations such as scan, print, and received faxes are stored in the MFP. *Use of Fax Inboxes is not included in this TOE.
Mail Box: Whether a general user feeds data to the MFP directly, or specifies a document for printing from a PC, data can be stored here to be printed or sent later.
Memory RX Inbox: When memory reception is set, documents received by fax/I-fax are stored in the Memory RX Inbox. Stored documents can be printed or sent later.
Mail server: Server that facilitates I-fax transmission or email transmission of document data in the MFP.
User authentication server: Server that maintains user information such as user ID and password, for user authentication over the network.
Firewall: Device or system designed to protect the internal LAN against threats from the Internet.
Time server: Server that uses the Network Time Protocol to provide the accurate time over the Internet.
[Secured Print]: A button on the control panel that activates the Secured Print function (print jobs with a PIN).
[Copy]: A button on the control panel that activates the Copy function.
[Fax]: A button on the control panel that activates the Fax function.
[Scan]: Indicates the [Scan and Store] and [Scan and Send] buttons on the control panel, that allow the user to scan paper documents to be stored as files, or scanned documents to be sent to some location such as to an email address or a shared folder in a PC, respectively.
[Fax/I-Fax Inbox]: A button on the control panel that activates the Fax/I-Fax Inbox function. There are two types of Fax/I-Fax Inbox: the Memory RX Inbox and Confidential Fax Inbox. You can use both inboxes to store files received by Fax and I-Fax.
[Access Stored Files]: A button on the control panel that allows the user to access files stored in a Mail Box/Inbox.
Remote UI [Access Received/Stored Files]: A button on the remote UI that allows the user to access files stored in a Mail Box/Inbox.
1.5 TOE description
The TOE is a MFP that offers Copy, Print, Universal Send, Fax, I-Fax RX, and Mail Box capabilities. The TOE, which conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A", is designed to operate in an environment such as the one shown below (as excerpted from "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" clause "1.1 Scope").

This standard is for a Protection Profile for Hardcopy Devices in a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance are required. The typical information processed in this environment is trade secret, mission critical, or subject to legal and regulatory considerations, such as for privacy or governance. This environment is not intended to support life-critical or national security applications. This environment will be known as "Operational Environment A."

Figure 1 shows the environment for which the TOE or < Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model > has been designed, with options included. Since not all of these features may be required, the actual operational environment is expected to differ from what is shown here.

[Figure 1: The assumed operational environment of the MFP < Canon imageRUNNER ADVANCE 4900KB/4200 Series >. The figure shows the Multi-Function Product (with HDD, Mail Box and Memory RX Inbox) on the internal LAN together with the Mail server, User authentication server (user authentication / authentication result), Time server, PC (Web browser / Remote UI; print via USB connection) and Firewall to the Internet, plus the fax line for Fax TX / Fax RX, with Copy, Print/Store, Store in Mail Box, Send via I-Fax/E-Mail, Receive I-Fax and Network fax flows.]

In Figure 1, the MFP is connected by an internal LAN, to all of the other major components, namely the Mail Server, User Authentication Server, PC, and Firewall. Furthermore, the internal LAN is protected by the Firewall from threats from the Internet. To send (via I-Fax or email) a previously scanned document or when receiving a document by I-Fax for example, the MFP connects to the Mail Server. By using a PC with a Web browser2, functions such as printing, storing, or I-Fax can also be executed remotely. However, in order to print from a PC, the appropriate printer driver needs to be installed in the PC. Alternatively, a USB cable could be used to connect the PC directly, and print or store document data from the PC. In this case, some configuration is required in a PC or USB device.

2 This evaluation was performed using Microsoft Internet Explorer 8 as the Web browser.

The TOE also obtains accurate time from the Time server for time synchronization, and supports user authentication through the External Authentication Server. The functions available to the MFP in such an environment are listed below:
- Copy function
  Produces duplicates of the hardcopy document by scanning and printing.
- Print function
  Produces a hardcopy document from its electronic form (contained in the MFP or sent from a PC).
- I-Fax RX (receive) function
  Uses the Internet to receive faxes. Data received by I-fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax RX (receive) function
  Uses a fax line to receive faxes. Data received by fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax TX (send) function
  Scanned document data or electronic documents stored in a Mail Box or in Memory RX Inbox can be retrieved for transmission by fax.
- Universal Send function
  Scanned document data or electronic documents stored in a Mail Box or in Memory RX Inbox can be transmitted by email or I-fax, or sent to a shared folder on a PC, in TIFF or PDF file format.
- Mail Box function
  Refers to the storage of image files into a Mail Box or in Memory RX Inbox, or to functions that utilize the Mail Box/inbox functionality.
  - Image files Stored in Mail Box
    Scanned document data or electronic data specified for storage from a PC, are stored in a Mail Box.
  - Functions that utilize the Mail Box functionality
    The following functions can be executed on data stored in a Mail Box.
    - Edit
    - Send
    - Delete
1.6 Scope of the TOE
The TOE conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" and is designed to meet the requirements specified therein, as described below.

The physical and logical scopes of the TOE are described below.

1.6.1 Physical Scope of the TOE
The TOE is a MFP consisting of hardware and software components. The physical scope of the TOE is illustrated in Figure 2.

[Figure 2: Hardware and software components. The figure shows the Control Software (TOE Software: iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria), the MFP Main Unit (TOE: Hardware, Canon imageRUNNER ADVANCE 4900KB/4200 Series), the HDD Data Encryption & Mirroring Board (TOE: Hardware), and the Fax Board (TOE: Hardware; the "F model" is equipped with Fax Board by default).]

In Figure 2, "Control Software" refers to the < iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria >.

Note also that the "MFP Main Unit" together with the < iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria > makes up the MFP main unit.

The TOE or < Canon imageRUNNER ADVANCE 4900KB/4200 Series 2600.1 model > consists of the MFP main unit combined with the HDD Data Encryption & Mirroring Board and the Fax Board.

< Canon imageRUNNER ADVANCE 4900KB/4200 Series >, or the hardware making up the TOE, refers to the following product lineup.

Table 2 - Line of Products
Products: iR-ADV 4951KB/4251, iR-ADV 4945KB/4245/4245F, iR-ADV 4935KB/4235/4235F, iR-ADV 4925KB/4225/4225F
* iR-ADV 4251 is not sold in Japan.
* iR-ADV 4245F/4235F/4225F are sold only in Japan.
* iR-ADV 4951KB/4945KB/4935KB/4925KB are sold only in Korea.

The documentation for the TOE are listed below.
(English Name)
- imageRUNNER ADVANCE 4200 Series 2600.1 model e-Manual CD (USE Version)
- imageRUNNER ADVANCE 4251/4245/4235/4225 e-Manual CD (APE Version)
- ACCESS MANAGEMENT SYSTEM Individual Management Configuration Administrator Guide
- iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria Certification Administrator Guide
- Before Using the iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria Certification
- HDD Data Encryption Kit Reference Guide
(Japanese Name)
- imageRUNNER ADVANCE 4200 Series 2600.1 model e-Manual CD
- imageRUNNER ADVANCE 4245/4245F/4235/4235F/4225/4225F e-Manual
- ACCESS MANAGEMENT SYSTEM Individual Management Configuration Administrator Guide
- iR-ADV Security Kit-K1 for IEEE 2600.1 Common Criteria Certification Administrator Guide
- Before Using the iR-ADV Security Kit-K1 for IEEE 2600.1
- HDD Data Encryption Kit User's Guide

1.6.2 Logical Scope of the TOE
The logical scope of the TOE is illustrated in Figure 3 (excluding: User, User Authentication Server, Mail Server, PC, and Time Server). In the table, the security functions of the TOE are shown in blue.

[Figure 3: Functional configuration of the TOE. The figure shows the TOE with its UI Function (Operate/Display), Input Function (Scan of hardcopy documents), Output Function (Copy, Send, Mailbox/Inbox, hardcopy documents), User Authentication Function (Auth Info), Function Use Restriction, Job Output Restriction, Forward Received Jobs (Receive), HDD Data Erase, HDD Data Encryption, LAN Data Protection Function, Self-Test, Audit Log, Management Function and Time Function (Time Info), connected to the User Auth Server, Mail Server (Email Function), PC (Web Browser, PC document data via LAN or USB connection), Time Server, HDD, and FAX document data over the phone line. Legend: flow of data.]
In addition to the capabilities described in Section 1.5, the TOE embodies the following basic functionality.
- UI Functionality
  Enables the user to operate the TOE from the control panel, and the TOE to display information on the control panel.
- Output Functionality
  Enables the TOE to output hardcopy documents.
- Input Functionality
  Enables the TOE to input hardcopy documents.

The TOE embodies the following security functions.
- User Authentication Function
  Performs authentication on the user, to prevent any unauthorized access to the TOE.
  Two types of user authentication are supported: Internal Authentication wherein authentication takes place internally within the TOE, and External Authentication which uses an external user authentication server. External authentication uses Kerberos3 or LDAP4 authentication.
- Function Use Restriction Function
  Uses role management to restrict the functions that each authenticated user can use.
- Job Output Restriction Function
  This function restricts access to print, cancel and other job operations, to the user that executed the job.
- Forward Received Jobs Function
  This function restricts the machine from forwarding received data directly to the LAN. It is provided as a countermeasure against threats arising from misuse of the fax line.
- HDD Data Erase Function
  Function for erasing unnecessary data from the hard disk by overwriting the data, in order to prevent unauthorized use of previously generated image data.
- HDD Data Encryption Function
  Because the HDD (alone or together with the HDD Data Encryption & Mirroring Board) could potentially be removed for unauthorized access to its contents, the HDD Data Encryption & Mirroring Board addresses this threat by identifying the MFP at startup, so that it may only be used with the correct MFP. Additionally, all data stored in the HDD are encrypted to protect the confidentiality of the HDD data.
- LAN Data Protection Function
  To protect LAN data from IP packet sniffing, IP packets are encrypted using IPSec.
- Self-Test Function
  When the machine starts, this function checks to see that the primary security functions are running properly.
- Audit Log Function
  Allows auditing of user operations by generating logs which are stored in the HDD. Stored audit logs are protected and can be viewed.

3 This evaluation was performed using Active Directory Domain Services as the authentication server software for Kerberos.
4 This evaluation was performed using eDirectory 8.8 SP7 as the authentication server software for LDAP authentication.
-
- Management Function
  Consists of user management functions such as user registration and role management, and device management functions which enable proper operation of various security functions, which can only be specified by Administrators.

The date/time recorded on the audit log is provided by the TOE. The TOE's date/time information is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.

1.7 Users of the TOE

The TOE has two types of users (U.USER): U.NORMAL and U.ADMINISTRATOR.

Table 3 - Users
Designation | Definition
U.USER | Any authorized User.
U.NORMAL | A User who is authorized to perform User Document Data processing functions of the TOE.
U.ADMINISTRATOR | A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.

1.8 Assets

There are three types of assets: user data, TSF data, and functions.

1.8.1 User Data

User data are created by the user, and have no effect on TOE security functions. There are two types of user data: D.DOC and D.FUNC.

Table 4 - User Data
Designation | Definition
D.DOC | User Document Data consist of the information contained in a user's document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
D.FUNC | User Function Data are the information about a user's document or job to be processed by the TOE.

1.8.2 TSF Data

TSF Data are data that have an effect on TOE security functions. There are two types of TSF data: D.PROT and D.CONF.

Table 5 - TSF Data
Designation | Definition
D.PROT | TSF Protected Data are assets for which alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable.
D.CONF | TSF Confidential Data are assets for which either disclosure or alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE.

A list of the TSF data used in this TOE is given in Table 6.

Table 6 - List of TSF data
Type | TSF data | Description | Stored in
D.PROT | User name | User identification information used by the user identification and authentication function. | HDD
D.PROT | Role | Used by access restriction functions to restrict the functions that each user can use. | HDD
D.PROT | Lockout policy settings | Settings for the lockout function, such as number of attempts before lockout and the lockout time. | HDD
D.PROT | Password policy settings | Policy for the password for user authentication, such as minimum password length, allowed characters, and combination of character types. | HDD
D.PROT | Auto Reset Time setting | Settings for session timeout in the control panel. | Non-volatile memory
D.PROT | Date/Time setting | Specifies the date and time that is set. | RTC, Non-volatile memory
D.PROT | HDD Data Erase setting | Settings for the HDD Data Erase function, including the settings to enable or disable the HDD Data Erase function. | Non-volatile memory
D.PROT | IPSec settings | Settings for the LAN Data Protection function, including the settings to enable or disable the LAN Data Protection function. | HDD
D.CONF | Password | Password used to authenticate the user in the Identification and Authentication function. | HDD
D.CONF | Audit logs | Logs generated by the Audit Log function. | HDD
D.CONF | Box PIN | PIN used for access control to the Mail Box and Memory RX Inbox where the data is stored, for Job Output Restriction functions. | HDD

1.8.3 Functions

Refer to the functions listed in Table 7.
2 Conformance claims

2.1 CC Conformance claim

This ST conforms to the following Common Criteria (CC).

- Common Criteria version: Version 3.1 Release 4
- Common Criteria conformance: Part 2 extended and Part 3 conformant
- Assurance level: EAL3 augmented by ALC_FLR.2

2.2 PP claim, Package claim

This ST conforms to the following Protection Profile (PP).

- Title: 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
- Version: 1.0, dated June 2009

This ST is package-conformant to and package-augmented by the following SFR packages:

- 2600.1-PRT conformant
- 2600.1-SCN conformant
- 2600.1-CPY conformant
- 2600.1-FAX conformant
- 2600.1-DSR conformant
- 2600.1-NVS augmented
- 2600.1-SMI augmented

2.3 SFR Packages

2.3.1 SFR Packages reference

- Title: 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for HCD products (such as printers, fax machines, and MFPs) that perform a printing function in which electronic document input is converted to physical document output.

- Title: 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for HCD products (such as scanners, fax machines, and MFPs) that perform a scanning function in which physical document input is converted to electronic document output.

- Title: 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This Protection Profile shall be used for HCD products (such as copiers and MFPs) that perform a copy function in which physical document input is duplicated to physical document output.

- Title: 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for HCD products (such as fax machines and MFPs) that perform a fax function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output.

- Title: 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for HCD products (such as MFPs) that perform a document storage and retrieval feature in which a document is stored during one job and retrieved during one or more subsequent jobs.

- Title: 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 extended and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for products that provide storage of User Data or TSF Data in a nonvolatile storage device (NVS) that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel. This package applies for TOEs that provide the ability to protect data stored on Removable Nonvolatile Storage devices from unauthorized disclosure and modification. If such protection is supplied only by the TOE environment, then this package cannot be claimed.

- Title: 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A
  Package version: 1.0, dated June 2009
  Common Criteria version: Version 3.1 Revision 2
  Common Criteria conformance: Part 2 extended and Part 3 conformant
  Package conformance: EAL3 augmented by ALC_FLR.2
  Usage: This SFR package shall be used for HCD products that transmit or receive User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio frequency wireless media. This package applies for TOEs that provide a trusted channel function allowing for secure and authenticated communication with other IT systems. If such protection is supplied by only the TOE environment, then this package cannot be claimed.

2.3.2 SFR Package functions

Functions perform processing, storage, and transmission of data that may be present in HCD products. The functions that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 7:

Table 7 - SFR Package functions
Designation | Definition
F.PRT | Printing: a function in which electronic document input is converted to physical document output
F.SCN | Scanning: a function in which physical document input is converted to electronic document output
F.CPY | Copying: a function in which physical document input is duplicated to physical document output
F.FAX | Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output
F.DSR | Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs
F.NVS | Nonvolatile storage: a function that stores User Data or TSF Data on a nonvolatile storage device that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel
F.SMI | Shared-medium interface: a function that transmits or receives User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media

2.3.3 SFR Package attributes

When a function is performing processing, storage, or transmission of data, the identity of the function is associated with that particular data as a security attribute. This attribute in the TOE model makes it possible to distinguish differences in Security Functional Requirements that depend on the function being performed. The attributes that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 8:

Table 8 - SFR Package attributes
Designation | Definition
+PRT | Indicates data that are associated with a print job.
+SCN | Indicates data that are associated with a scan job.
+CPY | Indicates data that are associated with a copy job.
+FAXIN | Indicates data that are associated with an inbound (received) fax job.
+FAXOUT | Indicates data that are associated with an outbound (sent) fax job.
+DSR | Indicates data that are associated with a document storage and retrieval job.
+NVS | Indicates data that are stored on a nonvolatile storage device.
+SMI | Indicates data that are transmitted or received over a shared-medium interface.

2.4 PP Conformance rationale

In addition to the primary functionality of the MFP (Copy, Print, Scan, and Fax), the TOE implements the document storage function, HDD encryption function, and the LAN data encryption function. As such, it is appropriate to conform to all of the SFR Packages defined in the PP (PP claim, Package claim in Section 2.2).

In the following, the ST is compared against the PP containing all seven of the aforementioned SFR Packages.

In terms of the Security Problem Definition, the ST is equivalent to the PP except for the addition of one other OSP: P.HDD.ACCESS.AUTHORIZATION.

This OSP is a restriction on the TOE, rather than a restriction on the operational environment.

As such:

- All TOEs that would meet the security problem definition in the ST also meet the security problem definition in the PP.
- All operational environments that would meet the security problem definition in the PP would also meet the security problem definition in the ST.

In terms of Objectives, the ST is equivalent to the PP except for the addition of one other objective: O.HDD.ACCESS.AUTHORISED.

This objective is a restriction on the TOE.

As such:

- All TOEs that would meet the security objectives for the TOE in the ST also meet the security objectives for the TOE in the PP.
- All operational environments that would meet the security objectives for the operational environment in the PP would also meet the security objectives for the operational environment in the ST.

In terms of the functional requirements, the ST compared with the PP contains all functional requirements specified in the PP including the seven SFR Packages, as well as additional functional requirements, as shown in Table 9.

Table 9 - Functional requirements
PP_Package | PP functional requirement | ST functional requirement
Common | FAU_GEN.1 | FAU_GEN.1
Common | FAU_GEN.2 | FAU_GEN.2
Common | FAU_SAR.1 | FAU_SAR.1
Common | FAU_SAR.2 | FAU_SAR.2
Common | FAU_STG.1 | FAU_STG.1
Common | FAU_STG.4 | FAU_STG.4
Common | FDP_ACC.1(a) | FDP_ACC.1(delete-job)
Common | FDP_ACC.1(b) | FDP_ACC.1(exec-job)
Common | FDP_ACF.1(a) | FDP_ACF.1(delete-job)
Common | FDP_ACF.1(b) | FDP_ACF.1(exec-job)
Common | FDP_RIP.1 | FDP_RIP.1
Common | FIA_ATD.1 | FIA_ATD.1
Common | FIA_UAU.1 | FIA_UAU.1
Common | FIA_UID.1 | FIA_UID.1
Common | FIA_USB.1 | FIA_USB.1
Common | FMT_MSA.1(a) | FMT_MSA.1(delete-job)
Common | FMT_MSA.3(a) | FMT_MSA.3(delete-job)
Common | FMT_MSA.1(b) | FMT_MSA.1(exec-job)
Common | FMT_MSA.3(b) | FMT_MSA.3(exec-job)
Common | FMT_MTD.1(a) (FMT_MTD.1.1(a)) | FMT_MTD.1(device-mgt)
Common | FMT_MTD.1(b) (FMT_MTD.1.1(b)) | FMT_MTD.1(user-mgt)
Common | FMT_SMF.1 | FMT_SMF.1
Common | FMT_SMR.1 | FMT_SMR.1
Common | FPT_STM.1 | FPT_STM.1
Common | FPT_TST.1 | FPT_TST.1
Common | FTA_SSL.3 | FTA_SSL.3(lui), FTA_SSL.3(rui)
PRT | FDP_ACC.1 | FDP_ACC.1(in-job)
PRT | FDP_ACF.1 | FDP_ACF.1(in-job)
SCN | FDP_ACC.1 | FDP_ACC.1(in-job)
SCN | FDP_ACF.1 | FDP_ACF.1(in-job)
CPY | FDP_ACC.1 | FDP_ACC.1(in-job)
CPY | FDP_ACF.1 | FDP_ACF.1(in-job)
FAX | FDP_ACC.1 | FDP_ACC.1(in-job)
FAX | FDP_ACF.1 | FDP_ACF.1(in-job)
DSR | FDP_ACC.1 | FDP_ACC.1(in-job)
DSR | FDP_ACF.1 | FDP_ACF.1(in-job)
NVS | FPT_CIP_EXP.1 | FPT_CIP_EXP.1
SMI | FAU_GEN.1 | FAU_GEN.1
SMI | FPT_FDI_EXP.1 | FPT_FDI_EXP.1
SMI | FTP_ITC.1 | FTP_ITC.1
Common | - | FIA_AFL.1
Common | - | FIA_SOS.1
Common | - | FIA_UAU.7
NVS | - | FCS_COP.1(h)
NVS・SMI | - | FCS_CKM.1
SMI | - | FCS_COP.1(n)
SMI | - | FCS_CKM.2
NVS | - | FPT_PHP.1

Note the following:

For FDP_ACF.1(a) in the PP, the Subject for a Delete of +FAXIN D.DOC, and Delete of +FAXIN D.FUNC is specified as U.NORMAL.

For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.ADMINISTRATOR, with Access Control rule for U.NORMAL specified as "Denied".

For FDP_ACC.1 in the PP, the Subject for a Read of +FAXIN D.DOC is specified as U.NORMAL.

For FDP_ACC.1(in-job) in the ST, the Subject for a Read is specified as U.ADMINISTRATOR, with Access Control rule for U.NORMAL specified as "Denied".

The ST functional requirements as mentioned above are restrictive in the scope of Subjects allowed to Delete or Read, and restrain U.NORMAL from having access to any Object. As such, the ST functional requirements specify greater restrictions than the corresponding PP functional requirements.

For FDP_ACF.1(a) in the PP, the Subject for a Modify of +FAXIN D.FUNC is specified as U.NORMAL.

For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.User, with Access Control rule specified as "Denied".

The ST functional requirement as mentioned above does not allow use of the function to any Subject. As such, the ST functional requirement specifies greater restriction than the corresponding PP functional requirement.

Consequently, the SFRs of the ST are equivalent or more restrictive than SFRs of the PP.

As such:

- All TOEs that would meet the SFRs in the ST would also meet the SFRs in the PP.

In terms of the Security Assurance Requirements, the ST and PP are equivalent.

As such, this ST compared with the PP specifies equal or greater restrictions on the TOE, and at most equal restrictions on the operational environment of the TOE.

Therefore, this ST claims demonstrable conformance to the PP.
3 Security Problem Definition

3.1 Notational conventions

- Defined terms in full form are set in title case (for example, "Document Storage and Retrieval").
- Defined terms in abbreviated form are set in all caps (for example, "DSR").
- In tables that describe Security Objectives rationale, a checkmark ("✓") placed at the intersection of a row and column indicates that the threat identified in that row is wholly or partially mitigated by the objective in that column.
- In tables that describe completeness of security requirements, a bold typeface letter "P" placed at the intersection of a row and column indicates that the requirement identified in that row performs a principal fulfillment of the objective indicated in that column. A letter "S" in such an intersection indicates that it performs a supporting fulfillment.
- In tables that describe the sufficiency of security requirements, a bold typeface requirement name and purpose indicates that the requirement performs a principal fulfillment of the objective in the same row. Requirement names set in normal typeface indicate that those Requirements perform supporting fulfillment. In specifications of Security Functional Requirements (SFRs):
  o Bold typeface indicates the portion of an SFR that has been completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition.
  o Italic typeface indicates the portion of an SFR that must be completed by the ST Author in a conforming Security Target.
  o Bold italic typeface indicates the portion of an SFR that has been partially completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition, but which also must be completed by the ST Author in a conforming Security Target.
- The following prefixes are used to indicate different entity types:

Table 10 - Notational prefix conventions
Prefix | Type of entity
U. | User
D. | Data
F. | Function
T. | Threat
P. | Policy
A. | Assumption
O. | Objective
OE. | Environmental objective
+ | Security attribute

3.2 Threats agents

This security problem definition addresses threats posed by four categories of threat agents:

a) Persons who are not permitted to use the TOE who may attempt to use the TOE.
b) Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in ways for which they are not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated threats.

The threats and policies defined in this Protection Profile address the threats posed by these threat agents.

3.3 Threats to TOE Assets

This section describes threats to assets described in clause 1.8.

Table 11 - Threats to User Data for the TOE
Threat | Affected asset | Description
T.DOC.DIS | D.DOC | User Document Data may be disclosed to unauthorized persons
T.DOC.ALT | D.DOC | User Document Data may be altered by unauthorized persons
T.FUNC.ALT | D.FUNC | User Function Data may be altered by unauthorized persons

Table 12 - Threats to TSF Data for the TOE
Threat | Affected asset | Description
T.PROT.ALT | D.PROT | TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS | D.CONF | TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT | D.CONF | TSF Confidential Data may be altered by unauthorized persons

3.4 Organizational Security Policies

This section describes the Organizational Security Policies (OSPs) that apply to the TOE. OSPs are used to provide a basis for Security Objectives that are commonly desired by TOE Owners in this operational environment but for which it is not practical to universally define the assets being protected or the threats to those assets.

Table 13 - Organizational Security Policies
Name | Definition
P.USER.AUTHORIZATION | To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner.
P.SOFTWARE.VERIFICATION | To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING | To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel.
P.INTERFACE.MANAGEMENT | To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment.
P.HDD.ACCESS.AUTHORIZATION | To prevent access to TOE assets in the HDD by connecting the HDD to other HCDs, the TOE will have authorized access to the HDD data.

3.5 Assumptions

The Security Objectives and Security Functional Requirements defined in subsequent sections of this Protection Profile are based on the condition that all of the assumptions described in this section are satisfied.

Table 14 - Assumptions
Assumption | Definition
A.ACCESS.MANAGED | The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING | TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING | Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes.
4 Security Objectives

4.1 Security Objectives for the TOE

This section describes the Security Objectives that are satisfied by the TOE.

Table 15 - Security Objectives for the TOE
Objective | Definition
O.DOC.NO_DIS | The TOE shall protect User Document Data from unauthorized disclosure.
O.DOC.NO_ALT | The TOE shall protect User Document Data from unauthorized alteration.
O.FUNC.NO_ALT | The TOE shall protect User Function Data from unauthorized alteration.
O.PROT.NO_ALT | The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS | The TOE shall protect TSF Confidential Data from unauthorized disclosure.
O.CONF.NO_ALT | The TOE shall protect TSF Confidential Data from unauthorized alteration.
O.USER.AUTHORIZED | The TOE shall require identification and authentication of Users, and shall ensure that Users are authorized in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED | The TOE shall manage the operation of external interfaces in accordance with security policies.
O.SOFTWARE.VERIFIED | The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED | The TOE shall create and maintain a log of TOE use and security-relevant events, and prevent its unauthorized disclosure or alteration.
O.HDD.ACCESS.AUTHORISED | The TOE shall protect TOE assets in the HDD from accessing without the TOE authorization.

4.2 Security Objectives for the IT environment

This section describes the Security Objectives for the IT environment.

Table 16 - Security Objectives for the IT environment
Objective | Definition
OE.AUDIT_STORAGE.PROTECTED | If audit records are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records are protected from unauthorized access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED | If audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons.
OE.INTERFACE.MANAGED | The IT environment shall provide protection from unmanaged access to TOE external interfaces.

4.3 Security Objectives for the non-IT environment

This section describes the Security Objectives for non-IT environments.

Table 17 - Security Objectives for the non-IT environment
Objective | Definition
OE.PHYSICAL.MANAGED | The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED | The TOE Owner shall grant permission to Users to be authorized to use the TOE according to the security policies and procedures of their organization.
OE.USER.TRAINED | The TOE Owner shall ensure that Users are aware of the security policies and procedures of their organization, and have the training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED | The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of their organization, have the training, competence, and time to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED | The TOE Owner shall establish trust that TOE Administrators will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED | The TOE Owner shall ensure that audit logs are reviewed at appropriate intervals for security violations or unusual patterns of activity.

4.4 Security Objectives rationale

This section describes the rationale for the Security Objectives.

Table 18 - Completeness of Security Objectives
[Matrix table. Rows (Threats, Policies, and Assumptions): T.DOC.DIS, T.DOC.ALT, T.FUNC.ALT, T.PROT.ALT, T.CONF.DIS, T.CONF.ALT, P.USER.AUTHORIZATION, P.SOFTWARE.VERIFICATION, P.AUDIT.LOGGING, P.INTERFACE.MANAGEMENT, P.HDD.ACCESS.AUTHORIZATION, A.ACCESS.MANAGED, A.ADMIN.TRAINING, A.ADMIN.TRUST, A.USER.TRAINING. Columns (Objectives): O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.HDD.ACCESS.AUTHORISED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, O.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.INTERFACE.MANAGED, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, OE.USER.TRAINED. The checkmarks in the cells are not recoverable.]

Table 19 - Sufficiency of Security Objectives
Threats, Policies, and Assumptions | Summary | Objectives and rationale
T.DOC.DIS | User Document Data may be disclosed to unauthorized persons | O.DOC.NO_DIS protects D.DOC from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.DOC.ALT | User Document Data may be altered by unauthorized persons | O.DOC.NO_ALT protects D.DOC from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.FUNC.ALT | User Function Data may be altered by unauthorized persons | O.FUNC.NO_ALT protects D.FUNC from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.PROT.ALT | TSF Protected Data may be altered by unauthorized persons | O.PROT.NO_ALT protects D.PROT from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.CONF.DIS | TSF Confidential Data may be disclosed to unauthorized persons | O.CONF.NO_DIS protects D.CONF from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
D.PROT from
stablishes useration as the ba
establishes Owner to appro
D.CONF from
stablishes useration as the ba
2015/10/22
013
OE
.IN
TE
RFA
CE
.MA
NA
GE
D
OE
.AD
MIN
.TR
AIN
ED
OE
.AD
MIN
.TR
US
TE
D
OE
US
ER
TR
AIN
ED
r asis for
opriately
r asis for
opriately
om
r asis for
opriately
m
r asis for
opriately
m
r asis for
OE
.US
ER
.TR
AIN
ED
T.CONF.
P.USER.AATION
P.SOFTWICATION
P.AUDIT
P.HDD.AHORIZA
P.INTERAGEMEN
A.ACCEED
A.ADMING
A.ADMIN
A.USER.
.ALT
AUTHORIZ
WARE.VERIFN
T.LOGGING
ACCESS.AUTATION
RFACE.MANNT
SS.MANAG
N.TRAININ
N.TRUST
.TRAINING
TSF Confaltered by
Users willthe TOE
F Procedureself-verifythe TSF An audit tsecurity-recreated, mand review
T To preventhe HDD wother HCDauthorizedOperationwill be conand its IT
The TOE protectionaccess to tcomponenof the TOETOE Usertrained to policies anAdministrprivilegedmalicious Administrtrained to policies an
fidential Data y unauthorized
l be authorized
es will exist toy executable c
trail of TOE uelevant events
maintained, prowed.
nt access TOEwith connectinDs, TOE will hd access the Hn of external inntrolled by thenvironment.
environment pn from unmanathe physical nts and data inE. rs are aware ofollow securit
nd proceduresrators do not ud access rights
purposes. rators are awafollow securit
nd procedures
26
Org
may be d persons
OuOidaOrg
d to use OidaOrg
o code in
Oto
use and s will be otected,
OopOedOeprOra
assets in ng the have
HDD data.
OaT
nterfaces e TOE
OowOpin
provides aged
nterfaces
Op
f and ty
s
Ora
use their s for
Othw
re of and ty
s
Ootr
C
OE.USER.AUresponsibility grant authorizaO.CONF.NO_unauthorized aO.USER.AUTdentification a
authorizationOE.USER.AUresponsibility grant authorizaO.USER.AUTdentification a
authorization tOE.USER.AUresponsibility grant authorizaO.SOFTWARo self-verify e
O.AUDIT.LOGof TOE use anprevents unautOE.AUDIT_Sexported auditdeletion and mOE.AUDIT_Aestablishes resprovide approprecords OE.AUDIT.REresponsibility audit logs are aO.HDD.ACCEassets in the HTOE authoriza
O.INTERFACoperation of exwith security pOE.INTERFAprotected envinterfaces
OE.PHYSICAprotected phys
OE.ADMIN.Tresponsibility appropriate AdOE.ADMIN.The TOE Owne
with AdministOE.USER.TRAof the TOE Owraining.
D
Copyright Ca
UTHORIZED of the TOE Oation
_ALT protectsalteration
THORIZED esand authentica
UTHORIZED of the TOE Oation
THORIZED esand authenticato use the TOE
UTHORIZED of the TOE Oation
RE.VERIFIEDexecutable cod
GGED creatend security-relthorized discloTORAGE.PR
t records frommodifications ACCESS.AUTsponsibility ofpriate access t
EVIEWED esof the TOE Oappropriately ESS.AUTHOR
HDD from acceation.
CE.MANAGExternal interfapolicies
ACE.MANAGronment for T
AL.MANAGEsical environm
TRAINED estaof the TOE Odministrator tr
TRUST establier to have a trtrators. AINED estabwner to provid
Date of Issue: 2
anon Inc. 20
establishes Owner to appro
s D.CONF fro
stablishes useration as the ba
establishes Owner to appro
stablishes useration as the baE establishes
Owner to appro
D provides prode in the TSF
s and maintainlevant events, osure or altera
ROTECTED pm unauthorized
THORIZED f, the TOE Owto exported au
stablishes Owner to ensur
reviewed RISED protecessing withou
ED manages thaces in accord
GED establisheTOE external
ED establishes ment for the TO
ablishes Owner to proviraining. ishes responsirusted relation
lishes responsde appropriate
2015/10/22
013
opriately
om
r asis for
opriately
r asis for
opriately
cedures
ns a log and
ation protects d access,
wner to udit
re that
cts TOE ut the
he ance
es a
a OE
ide
ibility of nship
sibility e User
5 Extended components definition (APE_ECD)

This Protection Profile defines components that are extensions to Common Criteria 3.1 Release 2, Part 2. These extended components are defined in the Protection Profile but are used in SFR Packages, and therefore, are employed only in TOEs whose STs conform to those SFR Packages.

5.1 FPT_CIP_EXP Confidentiality and integrity of stored data

Family behaviour:
This family defines requirements for the TSF to protect the confidentiality and integrity of both TSF and user data. Confidentiality and integrity of stored data is important security functionality in the case where the storage container is not, or not always, in a protected environment. Confidentiality and integrity of stored data is often provided by functionality that the TSF uses for both TSF and user data in the same way. Examples are full disk encryption functions, where the TSF stores its own data as well as user data on the same disk. Especially when a disk is intended to be removable and therefore may be transported into an unprotected environment, this becomes a very important functionality to achieve the Security Objectives of protection against unauthorized access to information.

Component leveling: FPT_CIP_EXP.1

FPT_CIP_EXP.1 Confidentiality and integrity of stored data, provides for the protection of user and TSF data stored on a storage container that cannot be assumed to be protected by the TOE environment.

Management: FPT_CIP_EXP.1
The following actions could be considered for the management functions in FMT:
a) Management of the conditions under which the protection function is activated or used;
b) Management of potential restrictions on the allowance to use this function.

Audit: FPT_CIP_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
a) Basic: failure condition that prohibits the function to work properly, detected attempts to bypass this functionality (e. g. detected modifications).

FPT_CIP_EXP.1 Confidentiality and integrity of stored data
Hierarchical to: No other components.
Dependencies: No dependencies

FPT_CIP_EXP.1.1 The TSF shall provide a function that ensures the confidentiality and integrity of user and TSF data when either is written to [assignment: media used to store the data].

FPT_CIP_EXP.1.2 The TSF shall provide a function that detects and performs [assignment: list of actions] when it detects alteration of user and TSF data when either is written to [assignment: media used to store the data].

Rationale:
The Common Criteria defines the protection of user data in its FDP class and the protection of TSF data in its FPT class. Although both classes contain components that define confidentiality protection and integrity protection, those components are defined differently for user data and TSF data and therefore are difficult to use in cases where a TOE provides functionality for the confidentiality and integrity for both types of data in an identical way.

This Protection Profile defines an extended component that combines the confidentiality and integrity protection for both types of data in a single component. The authors of this Protection Profile view this as an approach that simplifies the statement of security functional requirements significantly and enhances the readability and applicability of this Protection Profile. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since it is intended to protect data that are exported to storage media, and in particular, media that might be removable from the TOE, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces

Family behaviour:
This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.

Many products receive information on specific external interfaces and are intended to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality.

Component leveling: FPT_FDI_EXP.1

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces, provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.

Management: FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) Definition of the role(s) that are allowed to perform the management activities;
b) Management of the conditions under which direct forwarding can be allowed by an administrative role;
c) Revocation of such an allowance.

Audit: FPT_FDI_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
There are no auditable events foreseen.

Rationale:
Quite often a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems but also other systems that require a specific workflow for the incoming data before it can be transferred. Direct forwarding of such data (i.e. without processing the data first) between different external interfaces is therefore a function that – if allowed at all – can only be allowed by an authorized role.

It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.

The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Protection Profile, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
              FMT_SMR.1 Security roles

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].
6 Security requirements

This section describes the security requirements for the TOE.

6.1 Security functional requirements

This section describes the security functional requirements for the TOE. The text in brackets following the component identifier or element name denotes iteration operations.

6.1.1 User Authentication Function

FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
  [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]]
  – an administrator configurable positive integer within 1 to 10
  [assignment: list of authentication events]
  – Login attempts from the control panel or remote UIs.

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met, surpassed], the TSF shall [assignment: list of actions].
  [selection: met, surpassed]
  – met
  [assignment: list of actions]
  – Lockout

FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].
  [assignment: list of security attributes]
  – User name, role

FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is authenticated.
  [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
  – Submission of print jobs, fax jobs, I-fax jobs

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication

FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.
  [assignment: list of feedback]
  – *

FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is identified.
  [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
  – Submission of print jobs, fax jobs, I-fax jobs

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].
  [assignment: list of user security attributes]
  – User name, role

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on behalf of users: [assignment: rules for the initial association of attributes].
  [assignment: rules for the initial association of attributes]
  – None

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes with subjects acting on behalf of users: [assignment: rules for the changing of attributes].
  [assignment: rules for the changing of attributes]
  – None

FTA_SSL.3(lui) TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.

FTA_SSL.3.1(lui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
  [assignment: time interval of user inactivity]
  – User inactivity at the control panel lasting for the specified period of time.

FTA_SSL.3(rui) TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.

FTA_SSL.3.1(rui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
  [assignment: time interval of user inactivity]
  – User inactivity at the remote UI lasting for 15 minutes.
6.1.2 Function Use Restriction Function

FMT_MSA.1(exec-job) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].
  [assignment: access control SFP(s), information flow control SFP(s)]
  – None
  [selection: change_default, query, modify, delete, [assignment: other operations]]
  – query, modify, delete, create
  [assignment: list of security attributes]
  – Role
  [assignment: the authorised identified roles]
  – U.ADMINISTRATOR

FMT_MSA.3(exec-job) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles

FMT_MSA.3.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
  [assignment: access control SFP, information flow control SFP]
  – None
  [selection, choose one of: restrictive, permissive, [assignment: other property]]
  – Restrictive
  [refinement]
  – TOE Function Access Control Policy -> TOE Function Access Control SFP

FMT_MSA.3.2(exec-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
  [assignment: the authorized identified roles]
  – Nobody

FDP_ACC.1(exec-job) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP on users as subjects, TOE functions as objects, and the right to use the functions as operations.

FDP_ACF.1(exec-job) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP to objects based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP].
  [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP]
  – objects controlled under the TOE Function Access Control SFP in Table 20, and for each, the indicated security attributes in Table 20.

FDP_ACF.1.2(exec-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]].
  [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]]
  – [assignment: other conditions]
  [assignment: other conditions]
  – rules specified in the TOE Function Access Control SFP in Table 20 governing access among controlled users as subjects and controlled objects using controlled operations

FDP_ACF.1.3(exec-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: the user acts in the role U.ADMINISTRATOR, [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects].
  [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects]
  – None

FDP_ACF.1.4(exec-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
  [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
  – None
Table 20 - TOE Function Access Control SFP
Object | Attribute | Operation(s) | Subject | Attribute | Access control rule
[Secured Print] | +PRT | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Copy] | +CPY +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Scan] | +SCN +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax] | +FAXOUT | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax/I-Fax Inbox] | +FAXIN | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Access Stored Files] | +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
Remote UI [Access Received/Stored Files] | +DSR +FAXIN | Use of the function, using the pointer to the Object. | U.USER | Role | If the role associated with the Subject is Administrator, the Operation is permitted.

6.1.3 Job Output Restriction Functions

6.1.3.1 Delete Job

FMT_MSA.1(delete-job) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].
  [assignment: access control SFP(s), information flow control SFP(s)]
  – In The Job Access Control SFP in Table 23
  [selection: change_default, query, modify, delete, [assignment: other operations]]
  – Refer to "Operation" in Table 21.
  [assignment: list of security attributes]
  – Refer to "Security Attributes" in Table 21.
  [assignment: the authorised identified roles]
  – Refer to "Role" in Table 21.

Table 21 - Management of security attributes
Security Attributes | Operation | Role
User name | delete, create, query | U.ADMINISTRATOR
Box PINs | modify, create | U.ADMINISTRATOR
PIN of own Mail Box | modify | U.NORMAL

APPLICATION NOTE 1. This Protection Profile does not define any mandatory security attributes, but some may be defined by SFR packages or by the ST Author. The ST Author should define how security attributes are managed. Note that this Protection Profile allows the ST Author to instantiate "Nobody" as an authorized identified role, which makes it possible for the ST Author to state that some management actions (e.g., deleting a security attribute) may not be performed by any User.

FMT_MSA.3(delete-job) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles

FMT_MSA.3.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
  [assignment: access control SFP, information flow control SFP]
  – Common Access Control SFP in Table 22
  – In The Job Access Control SFP in Table 23
  [selection, choose one of: restrictive, permissive, [assignment: other property]]
  – restrictive

FMT_MSA.3.2(delete-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.
  [assignment: the authorized identified roles]
  – Nobody

FDP_ACC.1(delete-job) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 on the list of users as subjects, objects, and operations among subjects and objects covered by the Common Access Control SFP in Table 22.

FDP_ACF.1(delete-job) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 to objects based on the following: the list of users as subjects and objects controlled under the Common Access Control SFP in Table 22, and for each, the indicated security attributes in Table 22.

FDP_ACF.1.2(delete-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the Common Access Control SFP in Table 22 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects.

FDP_ACF.1.3(delete-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
  [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
  – U.ADMINISTRATOR is authorized to delete any D.DOC/D.FUNC.
  – U.ADMINISTRATOR is authorized to modify any +CPY, +SCN, +DSR, +FAXOUT D.FUNC.

FDP_ACF.1.4(delete-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
  [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
  – None

Table 22 - Common Access Control SFP
Object | Attribute | Operation(s) | Subject | Access control rule
D.DOC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Delete | U.NORMAL | Denied, except for his/her own documents
D.DOC | +FAXIN | Delete | U.NORMAL | Denied
D.FUNC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Modify; Delete | (subject and rule cells of this row are not preserved in this copy)
D.FUNC | +FAXIN | Modify | (subject and rule cells of this row are not preserved in this copy)
D.FUNC | +FAXIN | Delete | (subject and rule cells of this row are not preserved in this copy)
6.1.3.2
FDP_A
FDP_AC
FDP_A
FDP_AC
FDP_AC
FDP_AC
FDP_AC
t AttribuNC +PRT,+
+FAXO+DSR
NC +FAXI
NC +FAXI
In The Job
ACC.1(in-jo
Hier
Dep
CC.1.1(in-jobon tby th
ACF.1(in-jo
Hier
Dep
CF.1.1(in-jobTablundsecu
CF.1.2(in-joboperspecUser
CF.1.3(in-jobbaseattri
[asssu
CF.1.4(in-job[asssubj
[asssu
ute +SCN,+CPY, OUT
N
N
ob)
rarchical to:
endencies:
b) The he list of suhe In The Jo
ob)
rarchical to:
endencies:
b) le 23 to objeer the In Th
urity attribu
b) ration amoncified in the rs and contr
b) ed on the fributes, that
signment: ruubjects to obj– U.ADMIN
b) The ignment: ru
bjects to objec
signment: ruubjects to obj– None
Oper Modi
Delet
Modi
Delet
Subse
No o
FDP
TSF shall eubjects, objecob Access Co
Secur
No o
FDPFMT
The TScts based onhe Job Acces
utes in Table
The TSng controlleIn The Job A
rolled object
The TSfollowing adt explicitly au
ules, based objects]
NISTRATOR
TSF shall eules, based cts].
ules, based bjects]
38
ration(s) Suify; te
U
ify U
te U
et access
other compo
P_ACF.1 Sec
enforce the cts, and opeontrol SFP i
rity attribu
other compo
P_ACC.1 SubT_MSA.3 St
SF shall enfn the followinss Control S 23.
SF shall enfed subjects Access Conts using cont
SF shall expdditional rulauthorise acc
on security a
R is authorize
explicitly denon security
on security
C
ubject .NORMAL
.USER
.NORMAL
control
onents.
curity attrib
In The Jobrations amon Table 23.
te based a
onents.
bset access ctatic attribut
force the In ng: the list o
SFP in Table
force the foland contro
rol SFP in Ttrolled opera
plicitly autholes: [assignm
cess of subjec
attributes, th
d to read any
ny access ofy attributes,
y attributes,
D
Copyright Ca
Access contDenied, excfunction dat
Denied
Denied
ute based ac
Access Contong subjects
access con
control te initialisat
The Job Acof subjects ae 23, and for
llowing ruleolled object
Table 23 goveations on con
orise access ment: rules
ects to object
hat explicitly
+FAXIN/+D
f subjects to , that expli
s, that expli
Date of Issue: 2
anon Inc. 20
trol rule cept for his/herta
ccess contro
trol SFP in s and objects
ntrol
tion
ccess Contrond objects cor each, the i
es to determts is alloweerning accesntrolled obje
of subjects ts, based on ts].
ly authorise
SR D.Doc
objects baseicitly deny a
icitly deny a
2015/10/22
013
r own
l
Table 23 s covered
ol SFP in ontrolled indicated
mine if an ed: rules ss among ects.
to objects security
access of
ed on the access of
access of
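The two SFPs of this section (Table 22 above for Delete/Modify, Table 23 on the next page for Read, plus the explicit U.ADMINISTRATOR authorisations in FDP_ACF.1.3(delete-job) and FDP_ACF.1.3(in-job)) rendered as an executable policy check. This is an added example written for this page, not Canon's implementation: the Subject and Obj classes, the `owner` field standing in for the job-owner security attribute, and the default-deny fallback for cases that no rule names are modelling assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    ADMINISTRATOR = "U.ADMINISTRATOR"
    NORMAL = "U.NORMAL"


@dataclass(frozen=True)
class Subject:
    name: str
    role: Role


@dataclass(frozen=True)
class Obj:
    kind: str             # "D.DOC" (document data) or "D.FUNC" (function data)
    attr: str             # job-type security attribute: +PRT, +SCN, +CPY, +FAXIN, +FAXOUT, +DSR
    owner: Optional[str]  # user name of the job owner (assumed attribute); None for +FAXIN jobs


JOB_TYPES = {"+PRT", "+SCN", "+CPY", "+FAXIN", "+FAXOUT", "+DSR"}


def delete_allowed(subj: Subject, obj: Obj) -> bool:
    """Table 22 'Delete' rows plus FDP_ACF.1.3(delete-job) rule 1."""
    if subj.role is Role.ADMINISTRATOR:
        return True                    # U.ADMINISTRATOR may delete any D.DOC/D.FUNC
    if obj.attr == "+FAXIN":
        return False                   # Denied for U.NORMAL with no owner exception
    return obj.owner == subj.name      # Denied, except for his/her own documents / function data


def modify_allowed(subj: Subject, obj: Obj) -> bool:
    """Table 22 'Modify' rows (defined for D.FUNC only) plus FDP_ACF.1.3(delete-job) rule 2."""
    if obj.kind != "D.FUNC":
        return False                   # Table 22 has no Modify row for D.DOC
    if obj.attr == "+FAXIN":
        return False                   # Denied for every U.USER, administrators included
    if subj.role is Role.ADMINISTRATOR:
        # Rule 2 names +CPY, +SCN, +DSR and +FAXOUT only; +PRT function data is covered by
        # no rule for an administrator, so this model falls back to deny (assumption).
        return obj.attr in {"+CPY", "+SCN", "+DSR", "+FAXOUT"}
    return obj.owner == subj.name      # Denied, except for his/her own function data


def read_allowed(subj: Subject, obj: Obj) -> bool:
    """Table 23 'Read' rows plus FDP_ACF.1.3(in-job): admin may read any +FAXIN/+DSR D.DOC."""
    if obj.kind != "D.DOC":
        return False
    if subj.role is Role.ADMINISTRATOR and obj.attr in {"+FAXIN", "+DSR"}:
        return True
    if obj.attr in {"+CPY", "+FAXIN"}:
        return False                   # Denied outright in Table 23
    return obj.owner == subj.name      # +PRT, +SCN, +FAXOUT, +DSR: own documents only


def decide(subj: Subject, obj: Obj, operation: str) -> bool:
    """Access decision for one subject/object/operation triple; unknown operations are denied."""
    if obj.attr not in JOB_TYPES:
        raise ValueError(f"unknown job type attribute {obj.attr!r}")
    handler = {"delete": delete_allowed, "modify": modify_allowed, "read": read_allowed}.get(operation)
    return handler(subj, obj) if handler else False
```

Every decision is either an explicit allow from a named rule or the owner comparison the tables express as "Denied, except for his/her own"; nothing else grants access, which is what FDP_ACF.1.2 requires.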
Table 23 - In The Job Access Control SFP
Object | Attribute(s) | Operation | Subject | Access control rule
D.DOC | +PRT | Read | U.USER | Denied, except for his/her own documents
D.DOC | +SCN | Read | U.USER | Denied, except for his/her own documents
D.DOC | +CPY | Read | U.USER | Denied
D.DOC | +FAXIN | Read | U.NORMAL | Denied
D.DOC | +FAXOUT | Read | U.USER | Denied, except for his/her own documents
D.DOC | +DSR | Read | U.NORMAL | Denied, except for his/her own documents

6.1.4 Forward Received Jobs Function

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to any Shared-medium Interface.

6.1.5 HDD Data Erase Function

FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: D.DOC, [assignment: list of objects].
[selection: allocation of the resource to, deallocation of the resource from]
– deallocation of the resource from
[assignment: list of objects]
– None

6.1.6 HDD Data Encryption Function

6.1.6.1 Encryption/Decryption Function

FCS_COP.1(h) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(h) The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
– Encryption of data written to the HDD
– Decryption of data read out from the HDD
[assignment: cryptographic algorithm]
– AES
[assignment: cryptographic key sizes]
– 256 bit
[assignment: list of standards]
– FIPS PUB 197

FPT_CIP_EXP.1 Confidentiality and integrity of stored data
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_CIP_EXP.1.1 The TSF shall provide a function that ensures the confidentiality and integrity of user and TSF data when either is written to [assignment: a Removable Nonvolatile Storage device].
[assignment: a Removable Nonvolatile Storage device]
– HDD
FPT_CIP_EXP.1.2 The TSF shall provide a function that detects and performs [assignment: list of actions] when it detects alteration of user and TSF data when either is written to [assignment: a Removable Nonvolatile Storage device].
[assignment: list of actions]
– no action
[assignment: a Removable Nonvolatile Storage device]
– HDD

APPLICATION NOTE 2. Today many manufacturers are looking at hardware solutions such as fully encrypting disks to meet disk encryption requirements. Some of these drives will not allow data to be written to the drive unless the correct credentials (either the key itself or credentials required to unlock the key stored in a secure area of the drive) are presented. Assuming that this functionality cannot be bypassed, detection of modifications is not a useful function within the TOE and therefore it should be possible to instantiate "no action" in the assignment for the "list of actions" in FPT_CIP_EXP.1.2, arguing that unauthorized modification is prevented by the design of the system.
Quote from [PP Guide]

6.1.6.2 Device Identification and Authentication Function

FPT_PHP.1 Passive detection of physical attack
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.
[refinement] physical tampering -> Physical replacement of the HDD and HDD Data Encryption & Mirroring Board
FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred.
[refinement] physical tampering -> Physical replacement of the HDD and HDD Data Encryption & Mirroring Board

6.1.7 LAN Data Protection Function

6.1.7.1 IP Packet Encryption Function

FCS_COP.1(n) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(n) The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
– Encryption of IP packets sent to the LAN
– Decryption of IP packets received from the LAN
[assignment: cryptographic algorithm]
– Refer to "Cryptographic Algorithm" in Table 24.
[assignment: cryptographic key sizes]
– Refer to "Cryptographic Key Sizes" in Table 24.
[assignment: list of standards]
– Refer to "List of Standards" in Table 24.

Table 24 - IPSec cryptographic algorithm, key sizes and standards
Cryptographic algorithm | Cryptographic key sizes | List of standards
3DES-CBC | 168 bit | FIPS PUB 46-3
AES-CBC | 128 bit, 192 bit, 256 bit | FIPS PUB 197
AES-GCM | 128 bit, 192 bit, 256 bit | SP800-38D
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for communication of D.DOC, D.FUNC, D.PROT, and D.CONF over any Shared-medium Interface.

6.1.8 Self-Test Function

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
[selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]]
– during initial start-up
[selection: [assignment: parts of TSF], the TSF]
– Cryptographic algorithms used with the LAN Data Protection Function (AES, 3DES)
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
[selection: [assignment: parts of TSF], TSF data]
– Cryptographic key
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.
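FPT_TST.1 as a start-up self-test routine, added here as an example and not the TOE's firmware. It pairs a known-answer test with the integrity checks of FPT_TST.1.2 and FPT_TST.1.3 (stored key, stored executable code) and reports all results together so the caller can refuse to start the TSF on any failure. SHA-256 stands in for the AES/3DES known-answer tests the SFR names, because the Python standard library has no AES or 3DES primitive; the sample executable image, key and reference digests are constructed inline.

```python
import hashlib
import hmac

# Known-answer test vectors. SHA-256("abc") is the public example value from FIPS 180-4; it is
# used here in place of the AES/3DES vectors the TOE's own self-test would carry.
KNOWN_ANSWERS = {
    "sha256": (b"abc", bytes.fromhex("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
}


def known_answer_test(algorithm: str) -> bool:
    """Run one algorithm against its stored vector; constant-time compare of the digests."""
    sample, expected = KNOWN_ANSWERS[algorithm]
    return hmac.compare_digest(hashlib.new(algorithm, sample).digest(), expected)


def integrity_verified(data: bytes, reference: bytes) -> bool:
    """FPT_TST.1.2/1.3 style check: recompute the digest of stored data, compare with the stored reference."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), reference)


def startup_self_test(tsf_code: bytes, code_reference: bytes,
                      key_material: bytes, key_reference: bytes) -> dict:
    """Initial start-up self-test: every check runs, and the results are reported together."""
    return {
        "kat_sha256": known_answer_test("sha256"),
        "tsf_executable_code": integrity_verified(tsf_code, code_reference),
        "cryptographic_key": integrity_verified(key_material, key_reference),
    }


def tsf_may_start(results: dict) -> bool:
    """Fail-secure aggregation: a single failed check keeps the TSF from starting."""
    return all(results.values())


# Constructed sample data: a stand-in "TSF executable image" and key with the reference digests
# taken at provisioning time (on a real device the references live in tamper-protected storage).
SAMPLE_CODE = b"\x7fELF" + bytes(range(64))
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CODE_REFERENCE = hashlib.sha256(SAMPLE_CODE).digest()
KEY_REFERENCE = hashlib.sha256(SAMPLE_KEY).digest()


def tampered(data: bytes, index: int = 10) -> bytes:
    """Flip one bit to simulate modified executable code or key material."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)
```

The constant-time comparison matters less for a local self-test than for network-facing code, but using it throughout avoids a second, weaker comparison path creeping in when the same helper is reused for FPT_TST.1.2 on a key.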
6.1.9 Audit Log Function

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
- Start-up and shutdown of the audit functions;
- All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
- all Auditable Events as each is defined for its Audit Level (if one is specified) for the Relevant SFR in Table 25; [assignment: other specifically defined auditable events].
[selection, choose one of: minimum, basic, detailed, not specified]
– not specified
[assignment: other specifically defined auditable events]
– None
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
- Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
- For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, for each Relevant SFR listed in Table 25: (1) information as defined by its Audit Level (if one is specified), and (2) all Additional Information (if any is required); [assignment: other audit relevant information].
[assignment: other audit relevant information]
– None

Table 25 - Audit data requirements
Auditable event | Relevant SFR | Audit level | Additional information
Job completion | FDP_ACF.1 | Not specified | Type of job
Both successful and unsuccessful use of the authentication mechanism | FIA_UAU.1 | Basic | None required
Both successful and unsuccessful use of the identification mechanism | FIA_UID.1 | Basic | Attempted user identity, if available
Use of the management functions | FMT_SMF.1 | Minimum | None required
Modifications to the group of users that are part of a role | FMT_SMR.1 | Minimum | None required
Changes to the time | FPT_STM.1 | Minimum | None required
Termination of an interactive session by the session locking mechanism (5) | FTA_SSL.3 | Minimum | None required
Failure of the trusted channel functions | FTP_ITC.1 | Minimum | None required

5 See "Section 14.1 IEEE Std 2600.1 Errata" in the PP Guide. In IEEE Std 2600.1, this is indicated as "Locking of an interactive session by the session locking mechanism" but notes that this is a transcription error.
FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.
[assignment: authorised users]
– U.ADMINISTRATOR
[assignment: list of audit information]
– Refer to the audit logs listed in Table 25.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.
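The audit requirements of this section as a small audit store, added as an example and not Canon's audit log implementation. Records carry the FAU_GEN.1.2 fields plus the Table 25 additional information (an event whose row requires extra data is refused without it), review is limited to U.ADMINISTRATOR as FAU_SAR.1 and FAU_SAR.2 require, and a bounded buffer overwrites the oldest record when full, which is the selection the ST makes for FAU_STG.4 later in 6.1.9. The event names, the deterministic clock helper and the capacity are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Table 25, keyed by an assumed event name: (Relevant SFR, additional information a record must carry).
AUDITABLE_EVENTS = {
    "job_completion": ("FDP_ACF.1", "job_type"),
    "authentication": ("FIA_UAU.1", None),
    "identification": ("FIA_UID.1", "attempted_user_identity"),
    "management_function": ("FMT_SMF.1", None),
    "role_membership_change": ("FMT_SMR.1", None),
    "time_change": ("FPT_STM.1", None),
    "session_termination": ("FTA_SSL.3", None),
    "trusted_channel_failure": ("FTP_ITC.1", None),
    "audit_startup": (None, None),      # FAU_GEN.1.1, first bullet
    "audit_shutdown": (None, None),
}


@dataclass(frozen=True)
class AuditRecord:
    """The FAU_GEN.1.2 mandatory fields plus the Table 25 'Additional information'."""
    timestamp: str
    event: str
    subject: Optional[str]          # None when no identified user caused the event
    outcome: str                    # "success" or "failure"
    additional: dict = field(default_factory=dict)


def counting_clock(start: Optional[datetime] = None) -> Callable[[], datetime]:
    """Deterministic stand-in for FPT_STM.1: returns start, start+1s, start+2s, ..."""
    base = start or datetime(2015, 10, 22, tzinfo=timezone.utc)
    ticks = iter(range(1 << 31))
    return lambda: base + timedelta(seconds=next(ticks))


class AuditLog:
    def __init__(self, capacity: int, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._records = deque(maxlen=capacity)   # FAU_STG.4: oldest record overwritten when full
        self.append("audit_startup", None, True)

    def append(self, event: str, subject: Optional[str], success: bool, **additional) -> AuditRecord:
        if event not in AUDITABLE_EVENTS:
            raise ValueError(f"{event!r} is not an auditable event in Table 25")
        sfr, required = AUDITABLE_EVENTS[event]
        if required is not None and required not in additional:
            raise ValueError(f"{event} records must carry {required} (Table 25, {sfr})")
        rec = AuditRecord(self._clock().isoformat(), event, subject,
                          "success" if success else "failure", dict(additional))
        self._records.append(rec)
        return rec

    def read_permitted(self, requester_role: str) -> bool:
        """FAU_SAR.1 grants read to U.ADMINISTRATOR; FAU_SAR.2 denies everyone else."""
        return requester_role == "U.ADMINISTRATOR"

    def read(self, requester_role: str) -> list:
        if not self.read_permitted(requester_role):
            raise PermissionError("audit review is restricted to U.ADMINISTRATOR")
        return list(self._records)

    def __len__(self) -> int:
        return len(self._records)
```

Keeping the required-field check next to the Table 25 mapping means an "identification" failure can never be logged without the attempted identity, which is the one piece of additional information an investigator needs most.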
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.
[selection, choose one of: prevent, detect]
– prevent

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.
[selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"]
– "overwrite the oldest stored audit records"
[assignment: other actions to be taken in case of audit storage failure]
– None

6.1.10 Management Function

6.1.10.1 User Management Function

FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].
[assignment: a defined quality metric]
– Use a password 4 to 32 characters in length
– Prohibit the use of 3 or more consecutive characters
– Use at least one uppercase character (A to Z)
– Use at least one lowercase character (a to z)
– Use at least one number (0-9)
– Use at least one non-alphabet character (^-@[]:;,./¥!"#$%&'()=~|{`+*}_?><)
– Allowed characters
  - All characters other than control characters
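The FIA_SOS.1 quality metric as a check routine, added here as an example and not Canon's code. Reading "3 or more consecutive characters" as the same character three or more times in a row is an assumption (the ST does not define the rule further), and control characters are recognised through the Unicode Cc category, which covers the C0 and C1 control ranges.

```python
import unicodedata

# The symbols the metric lists for the "non-alphabet character" rule.
NON_ALPHABET = set("^-@[]:;,./¥!\"#$%&'()=~|{`+*}_?><")


def password_violations(candidate: str) -> list:
    """Return the FIA_SOS.1 rules that `candidate` violates; an empty list means it is accepted."""
    violations = []
    if not 4 <= len(candidate) <= 32:
        violations.append("length must be 4 to 32 characters")
    # Assumption: "3 or more consecutive characters" means the same character repeated
    # three or more times in a row (e.g. "aaa").
    if any(candidate[i] == candidate[i + 1] == candidate[i + 2] for i in range(len(candidate) - 2)):
        violations.append("3 or more consecutive identical characters")
    if not any("A" <= c <= "Z" for c in candidate):
        violations.append("needs at least one uppercase character (A to Z)")
    if not any("a" <= c <= "z" for c in candidate):
        violations.append("needs at least one lowercase character (a to z)")
    if not any("0" <= c <= "9" for c in candidate):
        violations.append("needs at least one number (0-9)")
    if not any(c in NON_ALPHABET for c in candidate):
        violations.append("needs at least one non-alphabet character from the listed set")
    # Allowed characters: everything other than control characters.
    if any(unicodedata.category(c) == "Cc" for c in candidate):
        violations.append("control characters are not allowed")
    return violations


def password_acceptable(candidate: str) -> bool:
    return not password_violations(candidate)
```

Returning the full list of failed rules rather than a single boolean is what lets the device UI tell the user which rule they missed without leaking anything beyond the published policy.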
FMT_MTD.1(user-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(user-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]].
[selection: change_default, query, modify, delete, clear, [assignment: other operations]]
– Refer to "Operation" in Table 26.
[assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL]
– Refer to "TSF Data" in Table 26.
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]]
– Refer to "Role" in Table 26.

Table 26 - User information management
TSF data | Role | Operation
User name | U.ADMINISTRATOR | delete, create, query
role | U.ADMINISTRATOR | modify, delete, create, query
Passwords | U.ADMINISTRATOR | modify, delete, create
Own password | U.NORMAL | modify

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles U.ADMINISTRATOR, U.NORMAL, [selection: Nobody, [assignment: the authorised identified roles]].
[selection: Nobody, [assignment: the authorised identified roles]]
– Nobody
FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role "Nobody" to which no user shall be associated.

6.1.10.2 Cryptographic Key Management Function
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: cryptographic key generation algorithm]
– Cryptographic key generation algorithm according to FIPS PUB 186-2
[assignment: cryptographic key sizes]
– 128bit, 168bit, 192bit, 256 bit
[assignment: list of standards]
– FIPS PUB 186-2

FCS_CKM.2 Cryptographic key distribution
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards].
[assignment: cryptographic key distribution method]
– DH (Diffie Hellman) and ECDH (Elliptic Curve Diffie Hellman)
[assignment: list of standards]
– SP800-56A

6.1.10.3 Device Management Function

FMT_MTD.1(device-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(device-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]].
[selection: change_default, query, modify, delete, clear, [assignment: other operations]]
– Refer to "Operation" in Table 27.
[assignment: list of TSF data]
– Refer to "TSF Data" in Table 27.
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]]
– Refer to "Role" in Table 27.

Table 27 - Device management function
TSF Data | Role | Operation
Date/Time settings | U.ADMINISTRATOR | modify
HDD Data Erase settings | U.ADMINISTRATOR | query, modify
IPSec settings | U.ADMINISTRATOR | query, modify
Auto Reset settings | U.ADMINISTRATOR | query, modify
Lockout policy settings | U.ADMINISTRATOR | query, modify
Password policy settings | U.ADMINISTRATOR | query, modify
Audit log | U.ADMINISTRATOR | query, delete

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].
[assignment: list of management functions to be provided by the TSF]
– Refer to "Management Function" in Table 28.

Table 28 - The management of security requirements
Management Function | Operation
Date/Time settings | modify
HDD Data Erase settings | query, modify
IPSec settings | query, modify
Auto Reset settings | query, modify
Lockout policy settings | query, modify
Table 28 (continued)
Management Function | Operation
Password policy settings | query, modify
Audit log | query, delete
Username | delete, create, query
role | modify, delete, create, query
Password | modify, delete, create
Box PIN | modify
Own password | modify
PIN of own Mail Box | modify

6.2 Security assurance requirements

This section defines the security assurance requirements for the TOE. Table 29 lists the security assurance requirements for 2600.1-PP, Protection Profile for Hardcopy Devices, Operational Environment A, and related SFR packages, EAL 3 augmented by ALC_FLR.2.

Table 29 - 2600.1 Security Assurance Requirements
Assurance Class | Assurance components
ADV: Development | ADV_ARC.1 Security architecture description
ADV: Development | ADV_FSP.3 Functional specification with complete summary
ADV: Development | ADV_TDS.2 Architectural design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance
AGD: Guidance documents | AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.3 Authorisation controls
ALC: Life-cycle support | ALC_CMS.3 Implementation representation CM coverage
ALC: Life-cycle support | ALC_DEL.1 Delivery procedures
ALC: Life-cycle support | ALC_DVS.1 Identification of security measures
ALC: Life-cycle support | ALC_FLR.2 Flaw reporting procedures (augmentation of EAL3)
ALC: Life-cycle support | ALC_LCD.1 Developer defined life-cycle model
ASE: Security Target evaluation | ASE_CCL.1 Conformance claims
ASE: Security Target evaluation | ASE_ECD.1 Extended components definition
ASE: Security Target evaluation | ASE_INT.1 ST introduction
ASE: Security Target evaluation | ASE_OBJ.2 Security objectives
ASE: Security Target evaluation | ASE_REQ.2 Derived security requirements
ASE: Security Target evaluation | ASE_SPD.1 Security problem definition
ASE: Security Target evaluation | ASE_TSS.1 TOE summary specification
ATE: Tests | ATE_COV.2 Analysis of coverage
ATE: Tests | ATE_DPT.1 Testing: basic design
ATE: Tests | ATE_FUN.1 Functional testing
ATE: Tests | ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis
6.3 Security functional requirements rationale

6.3.1 The completeness of security requirements

Table 30 provides a mapping of TOE Security Objectives and security functional requirements. This shows how each of the security functional requirements corresponds to at least one TOE Security Objective. Bold typeface items provide principal (P) fulfillment of the objectives, and normal typeface items provide supporting (S) fulfillment.

Table 30 - The completeness of security requirements
Objectives (columns): O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.HDD.ACCESS.AUTHORISED
SFRs (rows), each cell marked P (principal) or S (supporting) for the objectives it fulfils:
FIA_AFL.1
FIA_ATD.1
FIA_UAU.1
FIA_UAU.7
FIA_UID.1
FIA_USB.1
FTA_SSL.3(lui)
FTA_SSL.3(rui)
FMT_MSA.1(exec-job)
FMT_MSA.3(exec-job)
FDP_ACC.1(exec-job)
FDP_ACF.1(exec-job)
FMT_MSA.1(delete-job)
FMT_MSA.3(delete-job)
FDP_ACC.1(delete-job)
FDP_ACF.1(delete-job)
FDP_ACC.1(in-job)
FDP_ACF.1(in-job)
FPT_FDI_EXP.1
FDP_RIP.1
FPT_CIP_EXP.1
FCS_COP.1(h)
FPT_PHP.1
FCS_COP.1(n)
FTP_ITC.1
FCS_CKM.1
FCS_CKM.2
FPT_TST.1
FAU_GEN.1
FAU_GEN.2
FAU_SAR.1
Table 30 (continued), SFRs (rows):
FAU_SAR.2
FAU_STG.1
FAU_STG.4
FPT_STM.1
FIA_SOS.1
FMT_MTD.1(user-mgt)
FMT_SMR.1
FMT_MTD.1(device-mgt)
FMT_SMF.1

6.3.2 The sufficiency of security requirements

This section provides the rationale on how the security functional requirements are sufficient to satisfy the Security Objectives.

O.DOC.NO_DIS is the security objective that ensures user document data is protected from unauthorized disclosure. O.DOC.NO_DIS is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control.
The identified users are allowed to cancel only his/her own job according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job).
The identified users are allowed to access only his/her own document data in print job, according to FDP_ACC.1(in-job)/FDP_ACF.1(in-job), and Nobody is allowed to access any document data in other job types.
Furthermore, by FDP_RIP.1, complete deletion of residual information of user document data created as a result of job processing is ensured. By FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.DOC.NO_ALT is the security objective that ensures protection of user document data from unauthorized alteration. O.DOC.NO_ALT is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control.
The identified users are allowed to operate only his/her own job according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job).
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.FUNC.NO_ALT is the security objective that ensures protection of user function data from unauthorized alteration. O.FUNC.NO_ALT is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control. The identified users are allowed to operate only his/her own job according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job). Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.PROT.NO_ALT is the security objective that ensures protection of TSF protected data from unauthorized alteration. O.PROT.NO_ALT is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_SMR.1, FMT_MTD.1(device-mgt), and FMT_SMF.1. Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.CONF.NO_DIS is the security objective that ensures protection of TSF confidential data from unauthorized disclosure. O.CONF.NO_DIS is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_SMR.1, FMT_MTD.1(device-mgt), and FMT_SMF.1. Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.CONF.NO_ALT is the security objective that ensures protection of TSF confidential data from unauthorized alteration. O.CONF.NO_ALT is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_SMR.1, FMT_MTD.1(device-mgt), and FMT_SMF.1. Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.USER.AUTHORIZED is the security objective that ensures user identification and authentication. O.USER.AUTHORIZED is addressed by the following:
Users authenticated by the identification and authentication mechanism specified by FIA_UAU.1, FIA_UID.1, FIA_UAU.7, and FIA_AFL.1, with user sessions managed by FIA_ATD.1, FIA_USB.1, and FTA_SSL.3(lui)/FTA_SSL.3(rui), are granted use of some of the functions, as determined by the access control specified by FDP_ACC.1(exec-job)/FDP_ACF.1(exec-job). Furthermore, authorized user information is managed by FIA_SOS.1, FMT_MSA.1(exec-job), FMT_MSA.3(exec-job), and FMT_SMR.1.

O.INTERFACE.MANAGED is the security objective that ensures control of operations of the I/O interfaces in accordance with security policy. O.INTERFACE.MANAGED is addressed by the following:
By FIA_UAU.1, FIA_UID.1, and FTA_SSL.3(lui)/FTA_SSL.3(rui), the user interface is managed. By FPT_FDI_EXP.1, restricted forwarding of data to the LAN is specified.

O.SOFTWARE.VERIFIED is addressed by providing the self-test procedures specified by FPT_TST.1.

O.AUDIT.LOGGED is addressed by providing the Audit Log function as specified by FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, and FAU_STG.4. FIA_UID.1 and FPT_STM.1 provide the means for user information and timestamps generated on audit logs.
O.HDD.ACCESS.AUTHORISED is addressed by the Device Identification and Authentication function as specified by FPT_PHP.1, prior to permitting access to the HDD.

6.3.3 The dependencies of security requirements

This section provides the justification for any dependencies not met.

Table 31 - The dependencies of security requirements

Functional requirement | Dependencies required by CC | Dependencies satisfied by ST | Reason for not meeting dependencies
FIA_AFL.1 | FIA_UAU.1 | FIA_UAU.1 | N/A (dependencies are satisfied)
FIA_ATD.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FIA_UAU.1 | FIA_UID.1 | FIA_UID.1 | N/A (dependencies are satisfied)
FIA_UAU.7 | FIA_UAU.1 | FIA_UAU.1 | N/A (dependencies are satisfied)
FIA_UID.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FIA_USB.1 | FIA_ATD.1 | FIA_ATD.1 | N/A (dependencies are satisfied)
FTA_SSL.3(lui) | No dependencies. | No dependencies. | N/A (no dependencies)
FTA_SSL.3(rui) | No dependencies. | No dependencies. | N/A (no dependencies)
FMT_MSA.1(exec-job) | [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(exec-job), FMT_SMR.1, FMT_SMF.1 | N/A (dependencies are satisfied)
FMT_MSA.3(exec-job) | FMT_MSA.1, FMT_SMR.1 | FMT_MSA.1(exec-job), FMT_SMR.1 | N/A (dependencies are satisfied)
FDP_ACC.1(exec-job) | FDP_ACF.1 | FDP_ACF.1(exec-job) | N/A (dependencies are satisfied)
FDP_ACF.1(exec-job) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1(exec-job), FMT_MSA.3(exec-job) | N/A (dependencies are satisfied)
FMT_MSA.1(delete-job) | [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(delete-job), FMT_SMR.1, FMT_SMF.1 | N/A (dependencies are satisfied)
FMT_MSA.3(delete-job) | FMT_MSA.1, FMT_SMR.1 | FMT_MSA.1(delete-job), FMT_SMR.1 | N/A (dependencies are satisfied)
FDP_ACC.1(delete-job) | FDP_ACF.1 | FDP_ACF.1(delete-job) | N/A (dependencies are satisfied)
FDP_ACF.1(delete-job) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1(delete-job), FMT_MSA.3(delete-job) | N/A (dependencies are satisfied)
FDP_ACC.1(in-job) | FDP_ACF.1 | FDP_ACF.1(in-job) | N/A (dependencies are satisfied)
FDP_ACF.1(in-job) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1(in-job), FMT_MSA.3(delete-job) | N/A (dependencies are satisfied)
FPT_FDI_EXP.1 | FMT_SMF.1, FMT_SMR.1 | FMT_SMF.1, FMT_SMR.1 | N/A (dependencies are satisfied)
FDP_RIP.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FPT_CIP_EXP.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FCS_COP.1(h) | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4 is not claimed because: Cryptographic keys are stored in RAM, and disappear when power is shut off. Also, extraction of cryptographic keys is prevented by the design of the system. As such, cryptographic keys are managed securely enough not to require any method for their destruction.
FPT_PHP.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FTP_ITC.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FCS_COP.1(n) | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4 is not claimed, for the reason given for FCS_COP.1(h) above.
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4 | FCS_COP.1(n), FCS_COP.1(h) | FCS_CKM.4 is not claimed, for the reason given for FCS_COP.1(h) above.
FCS_CKM.2 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4 is not claimed, for the reason given for FCS_COP.1(h) above.
FPT_TST.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FAU_GEN.1 | FPT_STM.1 | FPT_STM.1 | N/A (dependencies are satisfied)
FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | FAU_GEN.1, FIA_UID.1 | N/A (dependencies are satisfied)
FPT_STM.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FAU_SAR.1 | FAU_GEN.1 | FAU_GEN.1 | N/A (dependencies are satisfied)
FAU_SAR.2 | FAU_SAR.1 | FAU_SAR.1 | N/A (dependencies are satisfied)
FAU_STG.1 | FAU_GEN.1 | FAU_GEN.1 | N/A (dependencies are satisfied)
FAU_STG.4 | FAU_STG.1 | FAU_STG.1 | N/A (dependencies are satisfied)
FIA_SOS.1 | No dependencies. | No dependencies. | N/A (no dependencies)
FMT_MTD.1(user-mgt) | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | N/A (dependencies are satisfied)
FMT_SMR.1 | FIA_UID.1 | FIA_UID.1 | N/A (dependencies are satisfied)
FMT_MTD.1(device-mgt) | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | N/A (dependencies are satisfied)
FMT_SMF.1 | No dependencies. | No dependencies. | N/A (no dependencies)

6.4 Security assurance requirements rationale

This Protection Profile has been developed for Hardcopy Devices used in restrictive commercial information processing environments that require a relatively high level of document security, operational accountability and information assurance. The TOE environment will be exposed to only a low level of risk because it is assumed that the TOE will be located in a restricted or monitored environment that provides almost constant protection from unauthorized and unmanaged access to the TOE and its data interfaces. Agents cannot physically access any nonvolatile storage without disassembling the TOE except for removable nonvolatile storage devices, where protection of User and TSF Data is provided when such devices are removed from the TOE environment. Agents have limited or no means of infiltrating the TOE with code to effect a change, and the TOE self-verifies its executable code to detect unintentional malfunctions. As such, Evaluation Assurance Level 3 is appropriate.

EAL 3 is augmented with ALC_FLR.2, Flaw reporting procedures. ALC_FLR.2 ensures that instructions and procedures for the reporting and remediation of identified security flaws are in place, and their inclusion is expected by the consumers of this TOE.
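The dependency check that Table 31 records by hand can be mechanised. The following is an added example, not part of the Security Target or of Canon's documentation: it encodes the "Dependencies required by CC" column for the components claimed here, treats an iterated component such as FDP_ACC.1(exec-job) as satisfying a dependency on FDP_ACC.1 (which is how the table reads), and separates dependencies left unmet with a written rationale (FCS_CKM.4) from ones that would be a real gap. The function and variable names are this example's own.

```python
"""Check CC SFR dependencies the way Table 31 does (added example, not the ST's own tooling)."""
import re
from typing import Dict, List, Sequence, Tuple, Union

# A dependency is one component name, or a list of alternatives of which one suffices.
Dep = Union[str, List[str]]

# "Dependencies required by CC" column of Table 31, keyed by base component name.
CC_DEPENDENCIES: Dict[str, Sequence[Dep]] = {
    "FIA_AFL.1": ["FIA_UAU.1"], "FIA_ATD.1": [], "FIA_UAU.1": ["FIA_UID.1"],
    "FIA_UAU.7": ["FIA_UAU.1"], "FIA_UID.1": [], "FIA_USB.1": ["FIA_ATD.1"],
    "FTA_SSL.3": [],
    "FMT_MSA.1": [["FDP_ACC.1", "FDP_IFC.1"], "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FDP_ACC.1": ["FDP_ACF.1"],
    "FDP_ACF.1": ["FDP_ACC.1", "FMT_MSA.3"],
    "FPT_FDI_EXP.1": ["FMT_SMF.1", "FMT_SMR.1"],
    "FDP_RIP.1": [], "FPT_CIP_EXP.1": [],
    "FCS_COP.1": [["FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"], "FCS_CKM.4"],
    "FCS_CKM.1": [["FCS_CKM.2", "FCS_COP.1"], "FCS_CKM.4"],
    "FCS_CKM.2": [["FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"], "FCS_CKM.4"],
    "FPT_PHP.1": [], "FTP_ITC.1": [], "FPT_TST.1": [],
    "FAU_GEN.1": ["FPT_STM.1"], "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FPT_STM.1": [], "FAU_SAR.1": ["FAU_GEN.1"], "FAU_SAR.2": ["FAU_SAR.1"],
    "FAU_STG.1": ["FAU_GEN.1"], "FAU_STG.4": ["FAU_STG.1"], "FIA_SOS.1": [],
    "FMT_MTD.1": ["FMT_SMR.1", "FMT_SMF.1"], "FMT_SMR.1": ["FIA_UID.1"], "FMT_SMF.1": [],
}

# First column of Table 31: the SFRs this ST claims, iteration labels included.
CLAIMED_SFRS: List[str] = [
    "FIA_AFL.1", "FIA_ATD.1", "FIA_UAU.1", "FIA_UAU.7", "FIA_UID.1", "FIA_USB.1",
    "FTA_SSL.3(lui)", "FTA_SSL.3(rui)",
    "FMT_MSA.1(exec-job)", "FMT_MSA.3(exec-job)", "FDP_ACC.1(exec-job)", "FDP_ACF.1(exec-job)",
    "FMT_MSA.1(delete-job)", "FMT_MSA.3(delete-job)", "FDP_ACC.1(delete-job)", "FDP_ACF.1(delete-job)",
    "FDP_ACC.1(in-job)", "FDP_ACF.1(in-job)", "FPT_FDI_EXP.1", "FDP_RIP.1", "FPT_CIP_EXP.1",
    "FCS_COP.1(h)", "FPT_PHP.1", "FTP_ITC.1", "FCS_COP.1(n)", "FCS_CKM.1", "FCS_CKM.2",
    "FPT_TST.1", "FAU_GEN.1", "FAU_GEN.2", "FPT_STM.1", "FAU_SAR.1", "FAU_SAR.2",
    "FAU_STG.1", "FAU_STG.4", "FIA_SOS.1", "FMT_MTD.1(user-mgt)", "FMT_SMR.1",
    "FMT_MTD.1(device-mgt)", "FMT_SMF.1",
]

# Unmet dependencies for which the ST gives a written rationale (last column of Table 31).
JUSTIFIED_UNMET: Dict[str, str] = {
    "FCS_CKM.4": "keys are held only in RAM and vanish at power-off; the design "
                 "prevents key extraction, so no destruction method is needed",
}

_ITERATION_LABEL = re.compile(r"\([^()]*\)$")


def base_name(sfr: str) -> str:
    """Strip the iteration label: 'FDP_ACC.1(exec-job)' -> 'FDP_ACC.1'."""
    return _ITERATION_LABEL.sub("", sfr)


def analyse(claimed: Sequence[str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Split each claimed SFR's unmet dependencies into (unjustified, justified).

    An iterated component satisfies a dependency on its base component, which is
    why Table 31 lists FDP_ACC.1(exec-job) as satisfying FMT_MSA.1's FDP_ACC.1.
    """
    present = {base_name(s) for s in claimed}
    unjustified: Dict[str, List[str]] = {}
    justified: Dict[str, List[str]] = {}
    for sfr in claimed:
        for dep in CC_DEPENDENCIES[base_name(sfr)]:
            alternatives = list(dep) if isinstance(dep, list) else [dep]
            if any(alt in present for alt in alternatives):
                continue                                   # satisfied (possibly by an iteration)
            label = " or ".join(alternatives)
            bucket = justified if all(alt in JUSTIFIED_UNMET for alt in alternatives) else unjustified
            bucket.setdefault(sfr, []).append(label)
    return unjustified, justified


def report(claimed: Sequence[str]) -> str:
    """Human-readable summary in the spirit of the table's last column."""
    unjustified, justified = analyse(claimed)
    lines = [f"{sfr}: {dep} not claimed because {JUSTIFIED_UNMET.get(dep, 'see rationale')}"
             for sfr, deps in justified.items() for dep in deps]
    lines += [f"{sfr}: {dep} MISSING with no rationale"
              for sfr, deps in unjustified.items() for dep in deps]
    return "\n".join(lines) if lines else "all dependencies satisfied or justified"


if __name__ == "__main__":
    print(report(CLAIMED_SFRS))
```

Running it against the claimed list reproduces the table: the only unmet dependency is FCS_CKM.4, reported for FCS_COP.1(h), FCS_COP.1(n), FCS_CKM.1 and FCS_CKM.2 with the rationale attached; dropping, say, FMT_MSA.3 from a claim set surfaces it as an unjustified gap.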
7 TOE Summary specification

This section describes the TOE summary specifications.

7.1 User Authentication Function

- Supported functional requirements: FIA_UAU.1, FIA_UID.1, FIA_UAU.7, FIA_ATD.1, FIA_USB.1, FIA_AFL.1, FTA_SSL.3(lui), FTA_SSL.3(rui)

When the control panel or a remote UI is used to operate the MFP, the TOE requires user authentication before permitting such operations, in order to identify and authenticate valid users. However, the submission of print jobs, fax jobs, and I-fax jobs is always permitted. [FIA_UAU.1, FIA_UID.1]

Two methods of user authentication are supported:

- External Authentication
  Authentication is based on user information registered in the authentication server. This may be an Active Directory server that uses Kerberos authentication, or an LDAP server that uses LDAP authentication.
- Internal Authentication
  Authentication is based on user information registered in the device.

For user authentication, the TOE prompts input of the user name, password, and the login destination. User authentication succeeds only if the user name and password match the ones registered at the specified destination. For security, note that the password is masked by asterisks in the text field. [FIA_UAU.7]

The TOE issues an Access Control Token (ACT) to each user successfully authenticated.
The ACT is an object that contains the user's name and role, as well as the access permissions to the application functions that are specified for each user role. [FIA_ATD.1, FIA_USB.1]

The TOE provides a lockout function in order to minimize invalid login attempts. [FIA_AFL.1]
- This function locks out any user that fails to log in successfully within the maximum number of failed authentication attempts. A value from 1 to 10 can be specified as the number of attempts before lockout (Initial value: 3).
- Any user that is locked out will not be able to log in until the lockout time passes. A value from 1 to 60 minutes can be specified as the lockout time (Initial value: 3 minutes).

The TOE terminates an interactive session when there is no user activity at the control panel or remote UI lasting for a specified period of time. [FTA_SSL.3(lui), FTA_SSL.3(rui)]
- At the control panel, session timeout occurs after a specified period of user inactivity. A value from 10 seconds to 9 minutes can be specified (Initial value: 2 minutes).
- At a remote UI, session timeout occurs after 15 minutes of user inactivity.
7.2 Function Use Restriction Function

- Supported functional requirements: FDP_ACC.1(exec-job), FDP_ACF.1(exec-job), FMT_MSA.1(exec-job), FMT_MSA.3(exec-job), FMT_SMF.1

For each UI, the TOE provides Function Use Restriction, which controls access based on the contents of the ACT issued to authenticated users. Any queries, modifications, deletions, and additions to the role contained in the ACT are performed by U.ADMINISTRATORs only. For Function Use Restriction, the attribute of the Object is the function itself, and is therefore fixed.

When the control panel is used, the Function Use Restriction Function permits or denies use of functions depending on the settings in "Application Restrictions", which are based on the role contained in the ACT.

When a remote UI is used, the Function Use Restriction Function permits or denies use of functions based on the attribute values associated with the role in the ACT.

Only U.ADMINISTRATORs are allowed use of all functions.

Table 32 - Function Use Restriction Policy

UI | Object | Condition | Operation
Control panel | Pointer to [Secure Print] | The role associated with U.USER must have permission to the [Secure Print] function. | Executed by the activating Object.
Control panel | Pointer to [Copy] | The role associated with U.USER must have permission to the [Copy] function. | Executed by the activating Object.
Control panel | Pointer to [Scan and Send] | The role associated with U.USER must have permission to the [Scan and Send] function. | Executed by the activating Object.
Control panel | Pointer to [Fax] | The role associated with U.USER must have permission to the [Scan and Send] function. | Executed by the activating Object.
Control panel | Pointer to [Fax/I-Fax Inbox] | The role associated with U.USER must have permission to the [Access Stored Files] function. | Executed by the activating Object.
Control panel | Pointer to [Access Stored Files] | The role associated with U.USER must have permission to the [Access Stored Files] function. | Executed by the activating Object.
Control panel | Pointer to [Scan and Store] | The role associated with U.USER must have permission to the [Scan and Store] function. | Executed by the activating Object.
Remote UI | Pointer to [Access Received/Stored Files] | The role associated with U.USER is anything other than Administrator. | Cannot be executed.

7.3 Job Output Restriction Functions

For Print, Copy, Scan, and Fax TX jobs, the TOE provides the following security functions. Job Output Restriction restricts access to submitted jobs to the user that executed the job.
7.3.1 Job Cancellation

- Supported functional requirements: FDP_ACC.1(delete-job), FDP_ACF.1(delete-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMF.1

The TOE can delete Print, Copy, Scan, and Fax TX jobs as follows. The user name of these jobs is initialized to the user name of the user that executed the job.
- U.NORMAL is authorized to delete his/her own job.
- U.ADMINISTRATOR is authorized to delete all jobs.

With the cancellation of the job, the attribute value attached to the job is deleted.

7.3.2 In The JOB Access Control

- Supported functional requirements: FDP_ACC.1(in-job), FDP_ACF.1(in-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMF.1

The TOE provides the following access control functions for the documents in each job. The user name of these jobs is initialized to the user name of the user that executed the job.

Copy, Scan, Fax TX Jobs
- Nobody is authorized to read documents in any copy jobs.
- Nobody is authorized to read documents in any scan and Fax TX jobs, except in the case of 7.3.3 Temporarily Stored FAX TX Jobs.

Temporarily Stored Print Jobs
If a print job with a PIN is submitted, the job is temporarily stored in the machine without being output. Additionally, the TOE uses the user name associated with the print job to determine its owner, in order to realize the access restriction described below.
For temporarily stored jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.
- Change priority for printing
- Delete
Printing starts when the PIN for the print job is entered from the control panel of the machine.
For all temporarily stored jobs, U.ADMINISTRATOR is allowed to execute the following:
- Delete

Received Fax Jobs
For documents received by fax/I-fax, the TOE provides the Memory RX Inbox, where these jobs may be stored as files to be output at a later time. Since these are stored in the Memory RX Inbox, access control to this inbox is equivalent to access control to the stored document data. A seven digit PIN can be assigned to the Memory RX Inbox, to prevent unauthorized access by a user. Only U.ADMINISTRATORs are authorized to initialize, set, modify, or delete the PIN on the Memory RX Inbox, which means only U.ADMINISTRATORs are allowed access to the stored document data. The TOE realizes access restriction by determining the U.ADMINISTRATOR that enters the correct PIN to be the owner of the stored document data, preventing any U.NORMAL from executing print or send operations on the document data.

If the control panel is used, U.ADMINISTRATOR is allowed access to the following operations without entering any PIN.
- Send
- Delete
If a remote UI is used, U.ADMINISTRATOR is allowed access to the following operations only by entering the correct PIN.
- Send
- Delete

Document Data Stored in Mail Box
For Copy, Scan, or Send jobs, the TOE provides Mail Boxes, where these jobs may be stored as document data to be printed or sent at a later time. Since these are stored in Mail Boxes, access control to Mail Boxes is equivalent to access control to the stored document data.
A seven digit PIN can be assigned to a Mail Box, to help prevent unauthorized access by others.
No PIN is required when storing document data in a Mail Box. The TOE realizes access restriction by determining the U.USER that enters the correct PIN to be the owner of the stored document data.
For document data stored in a Mail Box, the following operations are made available to U.NORMAL only by entering the correct PIN.
- Change print settings
- Preview
- Send
- Delete
If the control panel is used, U.ADMINISTRATOR is allowed access to the following operations without entering any PIN.
- Change print settings
- Preview
- Send
- Delete
If a remote UI is used, U.ADMINISTRATOR is allowed access to the following operations only by entering the correct PIN.
- Change print settings
- Preview
- Send
- Delete

[Box PIN]
For the PIN set on Mail Boxes/Memory RX Inbox, only U.ADMINISTRATORs assigned the Administrator role are allowed to set or change any PIN. Note, however, that U.NORMALs are allowed to change the PIN for the Mail Box they use.

7.3.3 Temporarily Stored FAX TX Jobs

- Supported functional requirements: FDP_ACC.1(delete-job), FDP_ACF.1(delete-job), FDP_ACC.1(in-job), FDP_ACF.1(in-job)

There are two types of Send Jobs: Fax TX jobs and Scan jobs. The Delayed Send function and the Preview function are the Temporarily Stored FAX TX Jobs functions that store jobs temporarily.

Delayed Send
When the TOE receives a FAX TX job with a transmission time specified, it is first stored temporarily, until it is sent at the specified time.
For temporarily stored FAX TX jobs, the following operations are available to U.NORMALs, only if the user's name matches the user name associated with the desired job.
- Change destination
For all temporarily stored FAX TX jobs, U.ADMINISTRATOR is allowed to execute the following:
- Change destination

Preview
When the TOE receives a FAX TX job with the Preview setting, it is first stored temporarily and previewed, and later it is sent.
For temporarily stored FAX TX jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.
- Preview
- Delete Pages
- Delete Job
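Sections 7.2 and 7.3 describe decisions taken on the ACT and on job ownership. The following added example, which is not Canon's code, encodes them: the Table 32 rules for the control panel and the remote UI, owner-based job deletion from 7.3.1, the document-read rules of 7.3.2 and 7.3.3, and the PIN gate on the Memory RX Inbox and on Mail Boxes. The ACT, Job and Box structures, the UI and job-kind strings and the function names are assumptions made for the example; comparing the seven-digit PIN in constant time is a practitioner's choice the ST does not spell out.

```python
"""ACT-based function use restriction and job/box access control (added example, not the TOE's code)."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ADMINISTRATOR = "Administrator"
CONTROL_PANEL, REMOTE_UI = "control panel", "remote UI"      # UI names assumed for this example


@dataclass(frozen=True)
class ACT:
    """Access Control Token: user name, role, and the functions the role may use."""
    user: str
    role: str
    permissions: FrozenSet[str] = frozenset()

    @property
    def is_admin(self) -> bool:
        return self.role == ADMINISTRATOR


# Table 32, control panel rows: object pointed to -> function the role must be permitted.
CONTROL_PANEL_RULES: Dict[str, str] = {
    "Secure Print": "Secure Print",
    "Copy": "Copy",
    "Scan and Send": "Scan and Send",
    "Fax": "Scan and Send",
    "Fax/I-Fax Inbox": "Access Stored Files",
    "Access Stored Files": "Access Stored Files",
    "Scan and Store": "Scan and Store",
}
# Table 32, remote UI row: only an Administrator may open this object.
REMOTE_UI_ADMIN_ONLY = {"Access Received/Stored Files"}


def may_use_function(ui: str, obj: str, act: ACT) -> bool:
    """Function Use Restriction (7.2): permit or deny use of a UI object for this ACT."""
    if act.is_admin:                          # U.ADMINISTRATORs may use all functions
        return True
    if ui == CONTROL_PANEL:
        required = CONTROL_PANEL_RULES.get(obj)
        return required is not None and required in act.permissions
    if ui == REMOTE_UI:
        return obj not in REMOTE_UI_ADMIN_ONLY and obj in act.permissions
    return False                              # unknown UI: deny by default


@dataclass(frozen=True)
class Job:
    owner: str                                # initialised to the user that executed the job
    kind: str                                 # "print", "copy", "scan" or "fax-tx"
    delayed_send: bool = False                # temporarily stored fax TX job (7.3.3)
    preview: bool = False                     # temporarily stored fax TX job (7.3.3)


def may_delete_job(job: Job, act: ACT) -> bool:
    """7.3.1: U.NORMAL deletes only his/her own job, U.ADMINISTRATOR any job."""
    return act.is_admin or job.owner == act.user


def may_change_fax_destination(job: Job, act: ACT) -> bool:
    """7.3.3 Delayed Send: the owner, or any U.ADMINISTRATOR."""
    return job.kind == "fax-tx" and job.delayed_send and (act.is_admin or job.owner == act.user)


def may_preview_fax(job: Job, act: ACT) -> bool:
    """7.3.3 Preview: owner only. Copy/scan documents are never readable (7.3.2)."""
    return job.kind == "fax-tx" and job.preview and job.owner == act.user


@dataclass(frozen=True)
class Box:
    kind: str                                 # "mail box" or "memory rx inbox"
    pin: Optional[str] = None                 # seven-digit PIN, or None if none is set

    def __post_init__(self) -> None:
        if self.pin is not None and not (len(self.pin) == 7 and self.pin.isdigit()):
            raise ValueError("box PIN must be exactly seven digits")


def _pin_matches(box_pin: Optional[str], entered: Optional[str]) -> bool:
    if box_pin is None:
        return True                           # no PIN set on this box
    if entered is None:
        return False
    return hmac.compare_digest(box_pin.encode(), entered.encode())   # constant-time compare


def may_access_box(box: Box, act: ACT, ui: str, entered_pin: Optional[str]) -> bool:
    """PIN-gated access to stored documents (7.3.2: Memory RX Inbox and Mail Box rules)."""
    if box.kind == "memory rx inbox":
        if not act.is_admin:                  # received fax documents are administrator-only
            return False
        return ui == CONTROL_PANEL or _pin_matches(box.pin, entered_pin)
    if act.is_admin and ui == CONTROL_PANEL:
        return True                           # administrator needs no PIN at the control panel
    return _pin_matches(box.pin, entered_pin)
```

The two asymmetries worth noticing in the model are the ones the ST itself states: an administrator is exempt from the PIN only at the control panel (physical presence), not at the remote UI, and the Preview operation on a stored fax is owner-only even for administrators, whereas Delayed Send destination changes are not.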
7.4 Forward Received Jobs Function

- Supported functional requirements: FPT_FDI_EXP.1

The design of the TOE prevents received data from being forwarded directly to a server or computer. This function enables the user to restrict forwarding of received jobs to the LAN.

7.5 HDD Data Erase Function

- Supported functional requirements: FDP_RIP.1

By overwriting with random data, the TOE permanently erases document data (including temporary image files) in the HDD, to ensure that no trace of the document data remains on the HDD.

The user can choose one of the following erasure methods:
- Overwrite using the DoD standard
- Overwrite with random data three times
- Overwrite once with random data
- Overwrite once with null data

The timing in which data are erased is specified below.
- Image files temporarily stored in the HDD as a result of job processing are completely erased during or after processing of the job.
- Document data are completely erased from the HDD immediately after being deleted from a Mail Box or the Memory RX Inbox.
- Residual information that remained unerased due to a sudden power shutdown is completely erased from the HDD upon startup of the TOE.

7.6 HDD Data Encryption Function

- Supported functional requirements: FPT_CIP_EXP.1

The security functions provided by the TOE's "HDD Data Encryption & Mirroring Board" are described below.
The encryption/decryption function, together with the Device Identification and Authentication function, provides confidentiality and integrity protection for user data and TSF data stored in the HDD.

7.6.1 Encryption/Decryption Function

- Supported functional requirements: FCS_COP.1(h)

To protect the confidentiality and integrity of user data and TSF data stored in the HDD, the TOE performs the following cryptographic operations to encrypt all data stored in the HDD.
- Encryption of data written to the HDD.
- Decryption of data read out from the HDD.

The cryptographic algorithm and cryptographic key size are specified below:
- AES algorithm (FIPS PUB 197)
- 256 bit key length

7.6.2 Cryptographic Key Management Function

- Supported functional requirements: FCS_CKM.1

The TOE uses the following specifications for generating the cryptographic key that is used by the HDD data encryption function.
- Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
- Generates a cryptographic key with 256 bit key length

The cryptographic key is managed as follows.
- Upon startup, the TOE reads the seed information stored in FlashROM and generates a cryptographic key.
- After generating the cryptographic key, the TOE stores the key in RAM.

No method is available for acquiring the seed from the encryption board. Note also that, because the cryptographic key is stored in volatile RAM memory, it disappears when power is shut off.

7.6.3 Device Identification and Authentication Function

- Supported functional requirements: FPT_PHP.1

The HDD Data Encryption & Mirroring Board identifies the MFP at each startup, and permits access to the HDD only if it is identified as the correct MFP. This function helps prevent unauthorized access to the contents of the HDD, even if the HDD and the HDD Data Encryption & Mirroring Board are physically removed and connected to a different MFP.

[Registration of the Authentication ID]
The HDD Data Encryption & Mirroring Board, when it is initially mounted, acquires the device authentication ID from the MFP device and stores it in FlashROM.

[Procedure for identification and authentication]
Upon startup, the HDD Data Encryption & Mirroring Board generates a pseudo-random number, which it passes to the MFP device as a challenge. The MFP device makes a computation using its device authentication ID and the received random number, and passes the resulting hash value (SHA-1) to the encryption board. The HDD Data Encryption & Mirroring Board performs the same computation in order to verify the response.
Access to the HDD is denied unless the HDD Data Encryption & Mirroring Board confirms successfully that it is mounted on the correct MFP device.
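The challenge-response exchange of 7.6.3, as an added example rather than Canon's firmware. The ST fixes the ingredients (a fresh pseudo-random challenge from the board, a SHA-1 computation over the device authentication ID and the challenge by the MFP, recomputation and comparison by the board) but not how the two inputs are combined; this example assumes plain concatenation (ID || challenge) and also shows the keyed HMAC construction a designer would choose today. The class and function names, the 16-byte challenge and the minimum ID length are assumptions made here.

```python
"""Board/MFP challenge-response of 7.6.3 (added example; construction details are assumptions)."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

CHALLENGE_BYTES = 16
Responder = Callable[[bytes, bytes], bytes]        # (auth_id, challenge) -> response


def sha1_response(auth_id: bytes, challenge: bytes) -> bytes:
    """The computation the ST describes: SHA-1 over the ID and the challenge.
    Concatenation order is this example's assumption, not stated in the ST."""
    return hashlib.sha1(auth_id + challenge).digest()


def hmac_response(auth_id: bytes, challenge: bytes) -> bytes:
    """Standard keyed alternative for the same role: HMAC-SHA-256 with the ID as key."""
    return hmac.new(auth_id, challenge, hashlib.sha256).digest()


class EncryptionBoard:
    """Model of the HDD Data Encryption & Mirroring Board's authentication state."""

    def __init__(self, responder: Responder = sha1_response) -> None:
        self._auth_id: Optional[bytes] = None       # written to FlashROM at first mount
        self._pending: Optional[bytes] = None       # outstanding challenge, if any
        self._responder = responder

    def register(self, auth_id: bytes) -> None:
        """One-time registration of the MFP's device authentication ID."""
        if self._auth_id is not None:
            raise PermissionError("authentication ID is already registered")
        if len(auth_id) < 16:
            raise ValueError("authentication ID too short to act as a secret")
        self._auth_id = bytes(auth_id)

    def challenge(self) -> bytes:
        """Fresh unpredictable challenge; issuing a new one invalidates the old."""
        self._pending = secrets.token_bytes(CHALLENGE_BYTES)
        return self._pending

    def verify(self, response: bytes) -> bool:
        """Recompute the expected response and compare in constant time."""
        if self._auth_id is None or self._pending is None:
            return False
        expected = self._responder(self._auth_id, self._pending)
        self._pending = None                        # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


def startup_hdd_access(board: EncryptionBoard, mfp_auth_id: bytes,
                       responder: Responder = sha1_response) -> bool:
    """Startup exchange: board challenges, MFP answers, board grants or denies HDD access."""
    challenge = board.challenge()
    return board.verify(responder(mfp_auth_id, challenge))
```

Two properties the model makes visible: a response captured on one boot is useless on the next because the challenge is fresh and consumed after one verification, and the scheme's strength rests entirely on the ID staying secret inside the two parties and on the challenge being unpredictable. SHA-1's collision weakness does not directly break this use, but a keyed MAC over a random challenge is the construction to specify in a new design.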
7.7 LAN Data Protection Function

The LAN Data Protection Function encrypts/decrypts all IP packets that are used in communication with an IT device.

7.7.1 IP Packet Encryption Function

- Supported functional requirements: FCS_COP.1(n), FTP_ITC.1

To ensure confidentiality and integrity of user data and TSF data communicated to and from an IT device, the TOE uses IPSec to encrypt/decrypt all IP packets.
- Encryption of IP packets sent to the LAN
- Decryption of IP packets received from the LAN

The following cryptographic algorithm and cryptographic key sizes are used.
- See Table 24

7.7.2 Cryptographic Key Management Function

- Supported functional requirements: FCS_CKM.1, FCS_CKM.2

The TOE uses the following specifications for generating the cryptographic key that is used by the IP packet encryption function.
- Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
- Generates a cryptographic key with 128/168/192/256 bit key length

The following method is used by the TOE to transmit the cryptographic key used by the IP Packet Encryption Function to the other party:
- ECDH (Elliptic Curve Diffie Hellman) and DH (Diffie Hellman) according to SP800-56A

7.8 Self-Test Function

- Supported functional requirements: FPT_TST.1

At startup, the TOE performs the following self-tests.
- Checks whether cryptographic algorithms are running properly (AES, 3DES)
- Checks the integrity of the cryptographic key
- Checks the integrity of the executable code of the cryptographic algorithm
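The key agreement of 7.7.2, as an added example that is not the TOE's IPsec implementation: finite-field Diffie-Hellman in the 2048-bit MODP group of RFC 3526 (IKE group 14), with the full public-key validation of SP 800-56A applied to the peer's value and the one-step key derivation function from the same standard. The group, the OtherInfo string and the function names are choices made for the example; the ST itself names only DH/ECDH per SP 800-56A and the AES key sizes.

```python
"""FFC Diffie-Hellman with SP 800-56A public-key validation (added example, not the TOE's code)."""
import hashlib
import secrets
from typing import Tuple

# 2048-bit MODP group (RFC 3526, IKE group 14): p is a safe prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2                     # order of the subgroup generated by 2 (p is a safe prime)
Z_LEN = (P.bit_length() + 7) // 8    # shared secret is always encoded at full group length


def generate_keypair() -> Tuple[int, int]:
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def validate_public_key(y: int) -> bool:
    """SP 800-56A full public-key validation for FFC: 2 <= y <= p-2 and y^q mod p == 1.

    Rejects 0, 1 and p-1 (which force a predictable shared secret) and any value
    outside the prime-order subgroup, the classic small-subgroup confinement trick.
    """
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_secret(x: int, peer_y: int) -> bytes:
    """Z = peer_y^x mod p, computed only after the peer's value has been validated."""
    if not validate_public_key(peer_y):
        raise ValueError("peer public value failed validation")
    return pow(peer_y, x, P).to_bytes(Z_LEN, "big")


def one_step_kdf(z: bytes, other_info: bytes, key_len: int) -> bytes:
    """SP 800-56A one-step KDF: K = H(1||Z||OtherInfo) || H(2||Z||OtherInfo) || ... truncated."""
    blocks = (key_len + hashlib.sha256().digest_size - 1) // hashlib.sha256().digest_size
    out = b"".join(hashlib.sha256(counter.to_bytes(4, "big") + z + other_info).digest()
                   for counter in range(1, blocks + 1))
    return out[:key_len]


def agree(x: int, peer_y: int, other_info: bytes = b"ESP AES-CBC", key_len: int = 32) -> bytes:
    """Full exchange on one side: validate the peer, compute Z, derive key_len bytes of keying material."""
    return one_step_kdf(shared_secret(x, peer_y), other_info, key_len)
```

The validation step is the part a reviewer looks for: without it a peer can send 1 or p-1 and fix the shared secret to 1 or ±1 regardless of the private key, and values of small order leak bits of the private exponent. With a safe-prime group the subgroup order is (p-1)/2, so a full-length private exponent is the simplest correct choice; the key_len argument covers the 128/192/256-bit AES keys the ST lists.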
7.9 Audit Log Function

- Supported functional requirements: FAU_GEN.1, FAU_GEN.2, FPT_STM.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4

The TOE generates logs for the following events.
- Startup
- Shutdown
- Job completion
- User authentication success/failure
- Logout
- Use of device management functions
- Use of user management functions
- Changes to the date/time setting
- IPSec connection failures

The items that are recorded on each log are listed below. The date/time information is provided by the TOE. The TOE's date/time information is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.
- Date/Time, User Name, Event Type, Outcome (Success/Failed)

Other log events may have additional items as described below.
- Job type (job completion)
- Name of the user that failed authentication (authentication failure)

Also, export of audit logs can be performed from a remote UI in order to read out log records, although use of this function is restricted to U.ADMINISTRATORs only.
Users other than U.ADMINISTRATOR are not allowed to export audit logs when logged in to the TOE from a remote UI.

When accessing the TOE from a remote UI, another capability restricted to U.ADMINISTRATORs only is the deletion of log records from the [Deleting Collected Logs] menu.
Users other than U.ADMINISTRATOR are not allowed access to this capability when logged in to the TOE from a remote UI, thus preventing unauthorized alterations from occurring.

A maximum of 20,000 audit records can be maintained. Once this becomes full, the oldest audit record is overwritten with the newest.
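A bounded audit trail with the behaviour described in 7.9 (20,000 records, oldest overwritten when full, export and deletion limited to U.ADMINISTRATOR), as an added example that is not Canon's implementation. The record fields and event names are the ones listed in that section; the AuditLog class, its method names, the text format of an exported line, and the way a failed login is recorded (no authenticated user name, the tried name kept as an additional item) are assumptions made for the example.

```python
"""Bounded audit trail in the style of 7.9 (added example; class and format are assumptions)."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Deque, Dict, List

MAX_RECORDS = 20_000                         # capacity stated in 7.9
ADMINISTRATOR = "Administrator"
Clock = Callable[[], datetime]


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime                      # Date/Time (TOE clock or time server)
    user: str                                # User Name
    event: str                               # Event Type
    outcome: str                             # "Success" or "Failed"
    extra: Dict[str, str] = field(default_factory=dict)   # job type, failed user name, ...


def format_record(rec: AuditRecord) -> str:
    """One exported line; the layout is this example's choice."""
    extras = "".join(f" {k}={v}" for k, v in sorted(rec.extra.items()))
    return f"{rec.timestamp.isoformat()} user={rec.user} event={rec.event!r} outcome={rec.outcome}{extras}"


def fixed_clock(iso_timestamp: str) -> Clock:
    """Deterministic clock for tests and replay (e.g. '2015-10-22T09:00:00+00:00')."""
    fixed = datetime.fromisoformat(iso_timestamp)
    return lambda: fixed


class AuditLog:
    """Audit trail that overwrites the oldest record when full (FAU_STG.4)."""

    def __init__(self, capacity: int = MAX_RECORDS,
                 clock: Clock = lambda: datetime.now(timezone.utc)) -> None:
        self._records: Deque[AuditRecord] = deque(maxlen=capacity)   # deque drops the oldest on append
        self._clock = clock

    def __len__(self) -> int:
        return len(self._records)

    def record(self, user: str, event: str, outcome: str = "Success", **extra: str) -> AuditRecord:
        rec = AuditRecord(self._clock(), user, event, outcome, dict(extra))
        self._records.append(rec)
        return rec

    # Event-specific helpers carrying the additional items listed in 7.9.
    def job_completed(self, user: str, job_type: str) -> AuditRecord:
        return self.record(user, "Job completion", job_type=job_type)

    def authentication(self, attempted_user: str, success: bool) -> AuditRecord:
        if success:
            return self.record(attempted_user, "User authentication", "Success")
        # No authenticated identity exists yet; the name that was tried is kept as an extra item.
        return self.record("-", "User authentication", "Failed", failed_user=attempted_user)

    # Review and deletion are administrator-only (FAU_SAR.2; [Deleting Collected Logs] menu).
    def export(self, requester_role: str) -> List[str]:
        self._require_admin(requester_role, "export")
        return [format_record(r) for r in self._records]

    def delete_collected_logs(self, requester: str, requester_role: str) -> int:
        self._require_admin(requester_role, "delete")
        count = len(self._records)
        self._records.clear()
        # The deletion itself is a use of a device management function and is logged.
        self.record(requester, "Use of device management functions", action="delete collected logs")
        return count

    @staticmethod
    def _require_admin(role: str, action: str) -> None:
        if role != ADMINISTRATOR:
            raise PermissionError(f"audit log {action} is restricted to U.ADMINISTRATOR")
```

Because the store is a ring, an attacker who can generate events quickly (for instance by hammering the login prompt, each failure being an auditable event) can push older records out; the 20,000-record limit and the administrator-only export are what make regular off-device export part of operating the TOE rather than an optional extra.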
7.10 Management Functions

7.10.1 User Management Function

- Supported functional requirements: FIA_SOS.1, FMT_MTD.1(user-mgt), FMT_MSA.1(exec-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMR.1, FMT_SMF.1

In the TOE, only U.ADMINISTRATORs assigned the Administrator role can set, change, or delete user, role, and access restriction information and box PINs.
General users, or U.NORMAL, can only change their own passwords and the PIN for the Mail Box they use.

[Setting/Changing/Deleting User, Role, and Access Restriction Information]
New users are registered by setting the user name and password, and assigning a role to the user. Registered user information can be modified by changing the password or the assigned role, or the user's registration can be deleted altogether. User-specified passwords are checked to see that they are consistent with the password policy.

Five roles exist, which are called "Base Roles": Administrator, Power User, General User, Limited User, and Guest User. To create a new "Custom Role" different from these, any one of the four base roles excluding Guest User is used as a template for the new role, which can then be registered.

The Administrator role is a role whose base role is "Administrator", and has administrative privileges.

The initial value for "Base Role" can be changed to any one of the four base roles except Guest User.

The access restriction information that determines whether use of certain functions is permitted or denied is specified by the "Application Restrictions" setting, which depends on what role is assigned. Although the initial value for "Application Restrictions" is fixed for base roles, the initial value of "Application Restrictions" can be changed for custom roles.

[Types of Users]
There are two types of users: U.ADMINISTRATOR and U.NORMAL.
- U.ADMINISTRATOR
  User assigned the Administrator role, who has administrative privileges.
- U.NORMAL
  General user assigned a role other than the Guest User role or the Administrator role.

7.10.2 Device Management Function

- Supported functional requirements: FMT_MTD.1(device-mgt), FMT_SMF.1, FMT_SMR.1

To provide for the effective enforcement of security functions, the TOE allows only U.ADMINISTRATORs to set the device management settings in Table 27.
The following settings are also provided.

[Password Policy Settings]
To encourage the use of strong passwords, the following password policy may be set.
- Use a password 4 to 32 characters in length
- Prohibit the use of 3 or more consecutive characters
- Use at least one uppercase character (A to Z)
- Use at least one lowercase character (a to z)
- Use at least one number (0-9)
- Use at least one non-alphabet character (^-@[]:;,./¥!"#$%&'()=~|{`+*}_?><)
- Allowed characters:
  - All characters other than control characters

[Lockout Policy Settings]
The number of attempts before lockout and the lockout time can be set.
- Number of attempts before lockout
  Select a value from 1 to 10 (Initial value: 3)
- Lockout time
  Select a value from 1 to 60 minutes (Initial value: 3 minutes)
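The password policy and lockout policy of 7.10.2, together with the lockout behaviour described in 7.1, as an added example rather than Canon's code. The rules and value ranges are the ones the ST states; reading "3 or more consecutive characters" as a run of the same character, storing passwords as salted PBKDF2 hashes, the injectable clock, and the class and function names are this example's assumptions.

```python
"""Password policy and FIA_AFL.1-style lockout (added example; interpretations noted in comments)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Non-alphabet characters accepted by the policy (7.10.2).
SYMBOLS = set("^-@[]:;,./¥!\"#$%&'()=~|{`+*}_?><")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 4
    max_length: int = 32
    forbid_repeats: bool = True           # "3 or more consecutive characters", read here as aaa-style runs
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False

    def violations(self, password: str) -> List[str]:
        """Every rule the password breaks; an empty list means it is acceptable."""
        v: List[str] = []
        if not self.min_length <= len(password) <= self.max_length:
            v.append(f"length must be {self.min_length} to {self.max_length} characters")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
            v.append("control characters are not allowed")
        if self.forbid_repeats and any(password[i] == password[i + 1] == password[i + 2]
                                       for i in range(len(password) - 2)):
            v.append("3 or more consecutive identical characters are not allowed")
        if self.require_upper and not any("A" <= c <= "Z" for c in password):
            v.append("at least one uppercase character (A to Z) is required")
        if self.require_lower and not any("a" <= c <= "z" for c in password):
            v.append("at least one lowercase character (a to z) is required")
        if self.require_digit and not any("0" <= c <= "9" for c in password):
            v.append("at least one number (0-9) is required")
        if self.require_symbol and not any(c in SYMBOLS for c in password):
            v.append("at least one non-alphabet character is required")
        return v


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 3                 # 1 to 10, initial value 3
    lockout_minutes: int = 3              # 1 to 60, initial value 3

    def __post_init__(self) -> None:
        if not 1 <= self.max_attempts <= 10 or not 1 <= self.lockout_minutes <= 60:
            raise ValueError("lockout settings outside the ranges allowed by the TOE")


class Authenticator:
    """Internal authentication with lockout; the clock is injectable so lockout expiry can be tested."""

    def __init__(self, lockout: LockoutPolicy, password_policy: PasswordPolicy,
                 clock: Callable[[], float]) -> None:
        self._lockout, self._policy, self._clock = lockout, password_policy, clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, PBKDF2 hash)
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        """Registration applies the password policy (FIA_SOS.1) before storing anything."""
        problems = self._policy.violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'failed' or 'locked'."""
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return "locked"                                   # lockout time has not passed yet
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if secrets.compare_digest(self._hash(password, salt), stored):   # hash even for unknown users
            self._failures.pop(user, None)
            return "ok"
        failures = self._failures.get(user, 0) + 1
        if failures >= self._lockout.max_attempts:
            self._locked_until[user] = now + self._lockout.lockout_minutes * 60
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = failures
        return "failed"
```

Note that a correct password entered while the account is locked is still refused, which is the behaviour the ST describes ("will not be able to log in until the lockout time passes"), and that an unknown user name goes through the same hashing work as a known one so that response time does not reveal which names exist.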
END