Canon imageRUNNER ADVANCE C3300 Series 2600.1 model Security Target
Version 1.03
2015/07/23
Canon Inc.

This document is a translation of the evaluated and certified security target written in Japanese.

Copyright Canon Inc. 2015
Date of Issue: 2015/07/23
Table of Contents

1 ST introduction ......... 4
1.1 ST reference ......... 4
1.2 TOE reference ......... 4
1.3 TOE overview ......... 4
1.4 Terms and Abbreviations ......... 5
1.5 TOE description ......... 8
1.6 Scope of the TOE ......... 10
1.6.1 Physical Scope of the TOE ......... 10
1.6.2 Logical Scope of the TOE ......... 11
1.7 Users of the TOE ......... 13
1.8 Assets ......... 13
1.8.1 User Data ......... 13
1.8.2 TSF Data ......... 13
1.8.3 Functions ......... 14
2 Conformance claims ......... 15
2.1 CC Conformance claim ......... 15
2.2 PP claim, Package claim ......... 15
2.3 SFR Packages ......... 15
2.3.1 SFR Packages reference ......... 15
2.3.2 SFR Package functions ......... 16
2.3.3 SFR Package attributes ......... 17
2.4 PP Conformance rationale ......... 17
3 Security Problem Definition ......... 20
3.1 Notational conventions ......... 20
3.2 Threats agents ......... 20
3.3 Threats to TOE Assets ......... 21
3.4 Organizational Security Policies ......... 21
3.5 Assumptions ......... 22
4 Security Objectives ......... 23
4.1 Security Objectives for the TOE ......... 23
4.2 Security Objectives for the IT environment ......... 23
4.3 Security Objectives for the non-IT environment ......... 23
4.4 Security Objectives rationale ......... 24
5 Extended components definition (APE_ECD) ......... 27
5.1 FPT_CIP_EXP Confidentiality and integrity of stored data ......... 27
5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces ......... 28
6 Security requirements ......... 30
6.1 Security functional requirements ......... 30
6.1.1 User Authentication Function ......... 30
6.1.2 Function Use Restriction Function ......... 33
6.1.3 Job Output Restriction Function ......... 35
6.1.4 Forward Received Jobs Function ......... 39
6.1.5 HDD Data Erase Function ......... 39
6.1.6 HDD Data Encryption Function ......... 39
6.1.7 LAN Data Protection Function ......... 41
6.1.8 Self-Test Function ......... 42
6.1.9 Audit Log Function ......... 43
6.1.10 Management Functions ......... 45
6.2 Security assurance requirements ......... 49
6.3 Security functional requirements rationale ......... 50
6.3.1 The completeness of security requirements ......... 50
6.3.2 The sufficiency of security requirements ......... 51
6.3.3 The dependencies of security requirements ......... 53
6.4 Security assurance requirements rationale ......... 54
7 TOE Summary specification ......... 56
7.1 User Authentication Function ......... 56
7.2 Function Use Restriction Function ......... 57
7.3 Job Output Restriction Functions ......... 58
7.3.1 Job Cancel ......... 58
7.3.2 In The JOB Access Control ......... 58
7.3.3 Temporarily Stored FAX TX Jobs ......... 60
7.4 Forward Received Jobs Function ......... 60
7.5 HDD Data Erase Function ......... 61
7.6 HDD Data Encryption Function ......... 61
7.6.1 Encryption/Decryption Function ......... 61
7.6.2 Cryptographic Key Management Function ......... 62
7.6.3 Device Identification and Authentication Function ......... 62
7.7 LAN Data Protection Function ......... 62
7.7.1 IP Packet Encryption Function ......... 63
7.7.2 Cryptographic Key Management Function ......... 63
7.8 Self-Test Function ......... 63
7.9 Audit Log Function ......... 63
7.10 Management Functions ......... 64
7.10.1 User Management Function ......... 64
7.10.2 Device Management Function ......... 65

Trademark Notice
・ Canon, the Canon logo, imageRUNNER, imageRUNNER ADVANCE, MEAP, and the MEAP logo are trademarks of Canon Inc.
・ Microsoft, Windows, Windows XP, Windows 2000, Windows Vista, and Active Directory are registered trademarks or trademarks of Microsoft Corporation in the US.
・ Mac OS is a trademark of Apple Computer Inc. in the US.
・ Oracle and Java are registered trademarks of Oracle Corporation and its affiliates in the United States and in other countries.
・ All names of companies and products contained herein are trademarks or registered trademarks of the respective companies.
・ Portions of sections 1.1, 1.4, 5.3, 7, 8, 9, 10.1, 10.4, 10.5, 10.6, 11.4, 12.2, 12.3, 12.4, 13.2, 14.2, 15.2, 16.2, 17.2, 18.2, 19.2, 19.3, 19.4, Annex A and Annex B are reprinted with permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08854, from IEEE 2600.1(tm)-2009 Standard for a Protection Profile in Operational Environment A, Copyright(c) 2009 IEEE. All rights reserved.
1 ST introduction

1.1 ST reference

This section provides the Security Target (ST) identification information.

ST name: Canon imageRUNNER ADVANCE C3300 Series 2600.1 model Security Target
Version: 1.03
Issued by: Canon Inc.
Date of Issue: 2015/07/23
Keywords: IEEE 2600, Canon, imageRUNNER, iR, Advance, digital MFP, multifunction product (MFP), copy, print, fax, send, facsimile, identification, authentication, access control, log, encryption, Secured Print, BOX, security kit

1.2 TOE reference

This section provides the TOE identification information.

TOE name: Canon imageRUNNER ADVANCE C3300 Series 2600.1 model
Version: 1.0

The TOE is comprised of the following software, hardware, and licenses.

– iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria Ver 1.00
– HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
– Super G3 FAX Board-AR1 (Standard equipment on "F model")
– Canon imageRUNNER ADVANCE C3300 Series
– Access Management System (License option: Standard equipment in the United States and Canada)

(Japanese Name)
– iR-ADV Security Kit-L1 for IEEE 2600.1 Ver 1.00
– HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
– Super G3 FAX Board-AR1 (Standard equipment on "F model")
– Canon imageRUNNER ADVANCE C3300 Series
– Access Management System (Standard equipment in Japan)

1.3 TOE overview

The TOE is a digital multi-function product (MFP) known as < Canon imageRUNNER ADVANCE C3300 Series 2600.1 model > or TOE. This is a version of the standard model < Canon imageRUNNER ADVANCE C3300 Series > which, by installing/attaching the following 4 products (standard equipment in part) and making the proper settings, makes up the < Canon imageRUNNER ADVANCE C3300 Series 2600.1 model >.
– iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria contains the < Canon imageRUNNER ADVANCE C3300 Series > control software and security kit license.
– HDD Data Encryption Board is the hardware which encrypts all data stored in the HDD (including software). The HDD of the TOE may be a removable drive.
– Fax Board is hardware to use fax functionalities.
– < Canon imageRUNNER ADVANCE C3300 Series 2600.1 model > is capable of fully implementing the Protection Profile (PP) for Multi-Function Products indicated below, as well as the security functions required by the 7 SFR Packages defined in the PP.

– Protection Profile
  2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
– SFR Packages
  – 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
  – 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
  – 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
  – 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
  – 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
  – 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
  – 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A

1.4 Terms and Abbreviations

The following terms and abbreviations are used throughout this ST.

Table 1 — Terms and Abbreviations

Multi-Function Product (MFP): A machine which incorporates the functionality of multiple devices in one, such as copier, fax, printer, and Universal Send, and containing a large capacity HDD to facilitate such capabilities.
Control software: Software that runs on the hardware of the device, and controls security functions.
Control panel: One of the hardware elements of the MFP, consisting of a touch panel and keys, which provides the interface for operation of the MFP.
Remote UI: An interface that provides access to the MFP from a Web browser via the LAN, to allow the acquisition of operating status, perform job or BOX operations, and making various settings.
HDD: Hard disk drive mounted on the MFP, where control software and assets are stored.
I-Fax: Short for Internet Fax. Uses the Internet to receive and send faxes.
Image file: Image data generated within the MFP, from operations such as scan, print, and receive.
Temporary image file: Image files generated during jobs such as Copy and Print, which are needed only until the job completes.
Roles: Used by access restriction functions to restrict the functions that each user can use. One role is associated with each user. In addition to pre-defined default roles, roles may be modified to create custom roles. The default roles are: Administrator, Power User, General User, Limited User, and Guest User.
Administrator: A user assigned the Administrator role is capable of using management operations (administrative privileges). User assigned the Administrator role and has administrative privileges. Equivalent to U.ADMINISTRATOR defined in the PP.
Job: When a user uses the functions of the TOE to execute an operation on a document, a Job is the intended document data combined with the user instructions for processing those data. The operations that can be performed on a document are: Scan, Print, Copy, Fax TX, Save, and Delete. The processing phases for a Job issued by the user are: generation, execution, and completion.
Document data: User data processed within the MFP, consisting of image files and attribute information.
Memory RX (Memory Reception): Allows data received by fax/I-fax to be stored in the Memory RX Inbox for later processing.
Box: Collective name for Mail Boxes, Fax Inboxes, or the Memory RX Inbox wherein data from operations such as scan, print, and received faxes are stored in the MFP. *Use of Fax Inboxes is not included in this TOE.
Mail Box: When a general user feeds data to the MFP directly, or specifies a document for printing from a PC, data can be stored here to be printed later.
Memory RX Inbox: When memory reception is set, documents received by fax/I-fax are stored in the Memory RX Inbox. Stored documents can be printed or sent later.
Mail server: Server that facilitates I-fax transmission or email transmission of document data in the MFP.
User authentication server: Server that maintains user information such as user ID and password, for user authentication over the network.
Firewall: Device or system designed to protect the internal LAN against threats from the Internet.
Time server: Server that uses the Network Time Protocol to provide the accurate time over the Internet.
[Secured Print]: A button on the control panel that activates the Secured Print function (print jobs with a PIN).
[Copy]: A button on the control panel that activates the Copy function.
[Fax]: A button on the control panel that activates the Fax function.
[Scan]: Indicates the [Scan and Store] and [Scan and Send] buttons on the control panel, that allow the user to scan paper documents to be stored as files, or scanned documents to be sent to some location such as to an email address or a shared folder in a PC, respectively.
[Fax/I-Fax Inbox]: A button on the control panel that activates the Fax/I-Fax Inbox function. There are two types of Fax/I-Fax Inbox: the Memory RX Inbox and Confidential Fax Inbox. You can use both inboxes to store files received by Fax and I-Fax.
[Access Stored Files]: A button on the control panel that allows the user to access files stored in a box.
Remote UI [Access Received/Stored Files]: A button on the remote UI that allows the user to access files stored in a box.

1 "Access Management System" is a license option. The component of "Access Management System" is included in iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria.
(Access Management System): License option 1
For machines in Japan, the United States and Canada, this option is standard-equipped.
For machines in Asia and Oceania, "ACCESS MANAGEMENT SYSTEM KIT-B1" option is needed.
1.5 TOE description

The TOE is a MFP that offers Copy, Print, Universal Send, Fax, I-Fax RX and Mail Box capabilities. The TOE, which conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A", is designed to operate in an environment such as the one shown below (as excerpted from "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" clause "1.1 Scope").

This standard is for a Protection Profile for Hardcopy Devices in a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance are required. The typical information processed in this environment is trade secret, mission critical, or subject to legal and regulatory considerations, such as for privacy or governance. This environment is not intended to support life-critical or national security applications. This environment will be known as "Operational Environment A."

Figure 1 shows the environment for which the TOE or < Canon imageRUNNER ADVANCE C3300 Series 2600.1 model > has been designed, with options included. Since not all of these features may be required, the actual operational environment is expected to differ than what is shown here.

Figure 1 The assumed operational environment of the MFP
[Figure: the Multi-Function Product < Canon imageRUNNER ADVANCE C3300 Series > (HDD, Mail Box, Memory RX Inbox) on the internal LAN together with a PC (Web browser/Remote UI, network fax, print via USB connection), User authentication server (authentication result), Mail server, Time server and Firewall; Internet (send via I-Fax/E-Mail, receive I-Fax); PSTN (Fax TX, Fax RX); paper documents (Copy, Print/Store, Store in Mail Box).]

In Figure 1, the MFP is connected by an internal LAN, to all of the other major components, namely the Time server, Mail Server, User Authentication Server, PC, and Firewall. Furthermore, the internal LAN is protected by Firewall from threats from the Internet. To send (via I-Fax or email) a previously scanned document or when receiving a document by I-Fax for example, the MFP connects to the Mail Server. By using a PC with a Web browser2, functions such as printing, storing, or I-Fax can also be executed remotely. However, in order to print from a PC, the appropriate printer driver needs to be installed in the PC. Alternatively, a USB could be used to connect the PC directly, and print or store document data from the PC. In this case, some configuration is required initially, in order to protect against data being taken out of the MFP and stored in a PC or USB device.

The TOE also obtains accurate time from the Time server for time synchronization, and supports user authentication through the External Authentication Server. The functions available to the MFP in such an environment are listed below:

– Copy function
  Produces duplicates of the hardcopy document by scanning and printing.
– Print function
  Produces a hardcopy document from its electronic form (contained in the MFP or sent from a PC).
– I-Fax RX (receive) function
  Uses the Internet to receive faxes. Data received by I-fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
– Fax RX (receive) function
  Uses a fax line to receive faxes. Data received by fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
– Fax TX (send) function
  Scanned document data or in Memory RX Inbox can be retrieved for transmission by fax.
– Universal Send function
  Scanned document data or in Memory RX Inbox can be transmitted by email or I-fax, or sent to a shared folder on a PC, in TIFF or PDF file format.
– Mail Box function
  Refers to the storage of image files into a Mail Box or in Memory RX Inbox, or to functions that utilize the Mail Box/inbox functionality.
  - Functions to store image files in Mail Box
    Scanned document data or electronic data specified for storage from a PC, are stored in a Mail box.
  - Functions to utilize Mail Box functionality
    The following functions can be executed on data stored in a Mail Box:
    – Print
    – Delete

2 This evaluation was performed using Microsoft Internet Explorer 11 as the Web browser.
1.6 Scope of the TOE

The TOE conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" and is designed to meet the requirements specified therein, as described below.

The physical and logical scopes of the TOE are described below.

1.6.1 Physical Scope of the TOE

The TOE is a MFP consisting of hardware and software components. The physical scope of the TOE is illustrated in Figure 2.

Figure 2 Hardware and software components
[Figure: Canon imageRUNNER ADVANCE C3300 Series, made up of the MFP Main Unit (TOE: Hardware), Control Software (TOE: Software), HDD Data Encryption Board (TOE: Hardware) and Fax Board (TOE: Hardware; "F model" is equipped with Fax Board by default).]

In Figure 2, "Control Software" is provided as the iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria. Note also that the "MFP Main Unit" together with the iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria make up the MFP main unit.

The TOE or < Canon imageRUNNER ADVANCE C3300 Series 2600.1 model > consists of the MFP main unit combined with the HDD Data Encryption Board and Fax Board.

< Canon imageRUNNER ADVANCE C3300 Series >, or the hardware making up the TOE, refers to the following line of products.

Table 2 — Line of Products
Products:
iR-ADV C3330 / iR-ADV C3330i / iR-ADV C3330F
iR-ADV C3325 / iR-ADV C3325i
iR-ADV C3320 / iR-ADV C3320i / iR-ADV C3320F

The guidance documents for the TOE are listed below.

(English Name)
・ imageRUNNER ADVANCE C3300 Series 2600.1 model e-Manual CD (USE Version)
・ imageRUNNER ADVANCE C3300 Series 2600.1 model e-Manual CD (APE Version)
・ iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria Certification Administrator Guide
・ Before Using the iR-ADV Security Kit-L1 for IEEE 2600.1 Common Criteria Certification
・ HDD Data Encryption Kit Reference Guide

(Japanese Name)
・ imageRUNNER ADVANCE C3300F Series e-Manual CD
・ iR-ADV Security Kit-L1 for IEEE 2600.1 Administrator Guide
・ Before Using the iR-ADV Security Kit-L1 for IEEE 2600.1
・ HDD Data Encryption Kit User's Guide

1.6.2 Logical Scope of the TOE

The logical scope of the TOE is illustrated in Figure 3 (excluding: User, User Authentication Server, Mail Server, PC, and Time Server). In the table, the security functions of the TOE are shown in blue.

Figure 3 Functional configuration of the TOE
[Figure: the TOE with its security functions (LAN Data Protection, User Authentication Function, Function Use Restriction, Job Output Restriction, Management Function, Forward Received Jobs, Self-Test, HDD Data Erase, HDD Data Encryption, Audit Log, Time Function) and basic functions (UI Function, Input Function: Scan/Receive, Output Function: Print/Send, Copy, Mailbox/Inbox, Email Function), the HDD holding AuthInfo, DocData and TimeInfo, and the external entities User (control panel: operate/display, hardcopy documents), User Auth Server, Mail Server, PC (Web Browser over the LAN, document data over a USB connection), FAX (document data over the phone line) and Time Server; arrows show the flow of data.]

In addition to the capabilities described in Section 1.5, the TOE embodies the following basic functionality.

– UI Functionality
  Enables the user to operate the TOE from the control panel, and the TOE to display information on the control panel.
– Output Functionality
  Enables the TOE to output hardcopy documents.
– Input Functionality
  Enables the TOE to input hardcopy documents.

The TOE embodies the following security functions.

– User Authentication Function
  Performs authentication on the user, to prevent any unauthorized access to the TOE.
  Two types of user authentication are supported: Internal Authentication wherein authentication takes place internally within the TOE, and External Authentication which uses an external user authentication server. External authentication uses Kerberos3 or LDAP4 authentication.
– Function Use Restriction Function
  Uses role management to restrict the functions that each authenticated user can use.
– Job Output Restriction Function
  This function restricts access to print, cancel, and other job operations, to the user that executed the job.
– Forward Received Jobs Function
  This function restricts the machine from forwarding received data directly to the LAN. It is provided as a countermeasure against threats arising from misuse of the fax line.
– HDD Data Erase Function
  Function for erasing unnecessary data from the hard disk by overwriting the data, in order to prevent unauthorized use of previously generated image data.
– HDD Data Encryption Function
  Because the HDD (alone or together with the HDD Data Encryption Board) could potentially be removed for unauthorized access to its contents, the HDD Data Encryption Board addresses this threat by identifying the MFP at startup, so that it may only be used with the correct MFP. Additionally, all data stored in the HDD are encrypted to protect the confidentiality of the HDD data.
– LAN Data Protection Function
  To protect LAN data from IP packet sniffing, IP packets are encrypted using IPSec.
– Self-Test Function
  When the machine starts, this function checks to see that the primary security functions are running properly.
– Audit Log Function
  Allows auditing of user operations by generating logs which are stored in the HDD. Stored audit logs are protected and can be viewed.
  The date/time recorded on the audit log is provided by the TOE. The TOE's date/time information is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.
– Management Function
  Consists of user management functions such as user registration and role management, and device management functions which enable proper operation of various security functions, which can only be specified by Administrators.

3 This evaluation was performed using Active Directory Domain Services as the authentication server software for Kerberos authentication.
4 This evaluation was performed using eDirectory 8.8 SP8 as the authentication server for LDAP authentication.
1.7 Users of the TOE

The TOE has two types of users (U.USER): U.NORMAL and U.ADMINISTRATOR.

Table 3 — Users

U.USER: Any authorized User.
U.NORMAL: A User who is authorized to perform User Document Data processing functions of the TOE.
U.ADMINISTRATOR: A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.

1.8 Assets

There are three types of assets: user data, TSF data, and functions.

1.8.1 User Data

User data are created by the user, and have no effect on TOE security functions. There are two types of user data: D.DOC and D.FUNC.

Table 4 — User Data

D.DOC: User Document Data consist of the information contained in a user's document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
D.FUNC: User Function Data are the information about a user's document or job to be processed by the TOE.

1.8.2 TSF Data

TSF Data are data that have an effect on TOE security functions. There are two types of TSF data: D.PROT and D.CONF.

Table 5 — TSF Data

D.PROT: TSF Protected Data are assets for which alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE, but for which disclosure is acceptable.
D.CONF: TSF Confidential Data are assets for which either disclosure or alteration by a User who is neither an Administrator nor the owner of the data would have an effect on the operational security of the TOE.

A list of the TSF data used in this TOE is given in Table 6.
1.8.3 Functions
Refer to the functions listed in Table 7.

A list of the TSF data used in this TOE is given in Table 6.

Table 6 — List of TSF data
Type | TSF data | Description | Stored in
D.PROT | User name | User identification information used by the user identification and authentication function. | HDD
D.PROT | Role | Used by the access restriction functions to restrict the functions that each user can use. | HDD
D.PROT | Lockout settings | Settings for the lockout function, such as number of attempts before lockout and the lockout time. | HDD
D.PROT | Password policy | Policy for the password for user authentication, such as minimum length, allowed characters, and combination of character types. | HDD
D.PROT | Auto Reset Time setting | Settings for session timeout in the control panel. | HDD
D.PROT | Date/Time setting | Specifies the date and time that is set. | RTC
D.PROT | HDD Data Erase setting | Settings for the HDD Data Erase function, including the settings to enable or disable the HDD Data Erase function. | HDD
D.PROT | IPSec settings | Settings for the LAN Data Protection function, including the settings to enable or disable the LAN Data Protection function. | HDD
D.CONF | Password | Password used to authenticate the user in the User Identification and Authentication function. | HDD
D.CONF | Audit log | Logs generated by the Audit Log function. | HDD
D.CONF | BOX PIN | PIN used for access control to the Mail Box and Memory RX Inbox where the data is stored, for Job Output Restriction functions. | HDD
2 Conformance claims

2.1 CC Conformance claim
This ST conforms to the following Common Criteria (CC).
– Common Criteria version: Version 3.1 Release 4
– Common Criteria conformance: Part 2 extended and Part 3 conformant
– Assurance level: EAL3 augmented by ALC_FLR.2

2.2 PP claim, Package claim
This ST conforms to the following Protection Profile (PP).
– Title: 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
– Version: 1.0, dated June 2009

This ST is package-conformant to and package-augmented by the following SFR packages:
– 2600.1-PRT conformant
– 2600.1-SCN conformant
– 2600.1-CPY conformant
– 2600.1-FAX conformant
– 2600.1-DSR conformant
– 2600.1-NVS augmented
– 2600.1-SMI augmented

2.3 SFR Packages

2.3.1 SFR Packages reference

Title: 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as printers, fax machines, and MFPs) that perform a printing function in which electronic document input is converted to physical document output.

Title: 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as scanners, fax machines, and MFPs) that perform a scanning function in which physical document input is converted to electronic document output.
Title: 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This Protection Profile shall be used for HCD products (such as copiers and MFPs) that perform a copy function in which physical document input is duplicated to physical document output.

Title: 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as fax machines and MFPs) that perform a fax function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output.

Title: 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products (such as MFPs) that perform a document storage and retrieval feature in which a document is stored during one job and retrieved during one or more subsequent jobs.

Title: 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 extended and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for products that provide storage of User Data or TSF Data in a nonvolatile storage device (NVS) that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel. This package applies for TOEs that provide the ability to protect data stored on Removable Nonvolatile Storage devices from unauthorized disclosure and modification. If such protection is supplied only by the TOE environment, then this package cannot be claimed.

Title: 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A
Package version: 1.0, dated June 2009
Common Criteria version: Version 3.1 Revision 2
Common Criteria conformance: Part 2 extended and Part 3 conformant
Package conformance: EAL3 augmented by ALC_FLR.2
Usage: This SFR package shall be used for HCD products that transmit or receive User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media. This package applies for TOEs that provide a trusted channel function allowing for secure and authenticated communication with other IT systems. If such protection is supplied by only the TOE environment, then this package cannot be claimed.

2.3.2 SFR Package functions
Functions perform processing, storage, and transmission of data that may be present in HCD products. The functions that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 7:

Table 7 — SFR Package functions
Designation | Definition
F.PRT | Printing: a function in which electronic document input is converted to physical document output
F.SCN | Scanning: a function in which physical document input is converted to electronic document output
F.CPY | Copying: a function in which physical document input is duplicated to physical document output
F.FAX | Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output
F.DSR | Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs
F.NVS | Nonvolatile storage: a function that stores User Data or TSF Data on a nonvolatile storage device that is part of the evaluated TOE but is designed to be removed from the TOE by authorized personnel
F.SMI | Shared-medium interface: a function that transmits or receives User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media

2.3.3 SFR Package attributes
When a function is performing processing, storage, or transmission of data, the identity of the function is associated with that particular data as a security attribute. This attribute in the TOE model makes it possible to distinguish differences in Security Functional Requirements that depend on the function being performed. The attributes that are allowed, but not required in any particular conforming Security Target or Protection Profile, are listed in Table 8:

Table 8 — SFR Package attributes
Designation | Definition
+PRT | Indicates data that are associated with a print job.
+SCN | Indicates data that are associated with a scan job.
+CPY | Indicates data that are associated with a copy job.
+FAXIN | Indicates data that are associated with an inbound (received) fax job.
+FAXOUT | Indicates data that are associated with an outbound (sent) fax job.
+DSR | Indicates data that are associated with a document storage and retrieval job.
+NVS | Indicates data that are stored on a nonvolatile storage device.
+SMI | Indicates data that are transmitted or received over a shared-medium interface.

2.4 PP Conformance rationale
In addition to the primary functionality of the MFP (Copy, Print, Scan, and Fax), the TOE implements the document storage function, the HDD encryption function, and the LAN data encryption function. As such, it is appropriate to conform to all of the SFR Packages defined by the PP in Section 2.2 (PP claim, Package Claim).

In the following, the ST is compared against the PP containing all the seven SFR Packages.

In terms of the Security Problem Definition, the ST is equivalent to the PP except for the addition of one other OSP: P.HDD.ACCESS.AUTHORIZATION
This OSP is a restriction on the TOE, rather than a restriction on the operational environment.
As such:
- All TOEs that would meet the security problem definition in the ST would also meet the security problem definition in the PP.
- All operational environments that would meet the security problem definition in the PP would also meet the security problem definition in the ST.

In terms of Objectives, the ST is equivalent to the PP except for the addition of one other objective: O.HDD.ACCESS.AUTHORISED
This objective is a restriction on the TOE.
As such:
- All objectives for the TOE in the ST also meet the security objectives for the TOE in the PP.
- All objectives for the operational environment that would meet the security objectives for the operational environment in the PP would also meet the security objectives for the operational environment in the ST.

In terms of the functional requirements, the ST compared with the PP contains all functional requirements specified in the PP including the 7 SFR Packages, as well as additional functional requirements, as shown in Table 9.

Table 9 — Functional requirements specified in the PP and the ST
PP_Package | PP functional requirement | ST functional requirement
Common | FAU_GEN.1 | FAU_GEN.1
Common | FAU_GEN.2 | FAU_GEN.2
Common | FAU_SAR.1 | FAU_SAR.1
Common | FAU_SAR.2 | FAU_SAR.2
Common | FAU_STG.1 | FAU_STG.1
Common | FAU_STG.4 | FAU_STG.4
Common | FDP_ACC.1(a) | FDP_ACC.1(delete-job)
Common | FDP_ACC.1(b) | FDP_ACC.1(exec-job)
Common | FDP_ACF.1(a) | FDP_ACF.1(delete-job)
Common | FDP_ACF.1(b) | FDP_ACF.1(exec-job)
Common | FDP_RIP.1 | FDP_RIP.1
Common | FIA_ATD.1 | FIA_ATD.1
Common | FIA_UAU.1 | FIA_UAU.1
Common | FIA_UID.1 | FIA_UID.1
Common | FIA_USB.1 | FIA_USB.1
Common | FMT_MSA.1(a) | FMT_MSA.1(delete-job)
Common | FMT_MSA.3(a) | FMT_MSA.3(delete-job)
Common | FMT_MSA.1(b) | FMT_MSA.1(exec-job)
Common | FMT_MSA.3(b) | FMT_MSA.3(exec-job)
Common | FMT_MTD.1(a) | FMT_MTD.1(device-mgt)
Common | FMT_MTD.1(b) | FMT_MTD.1(user-mgt)
Common | FMT_SMF.1 | FMT_SMF.1
Common | FMT_SMR.1 | FMT_SMR.1
Common | FPT_STM.1 | FPT_STM.1
Common | FPT_TST.1 | FPT_TST.1
Common | FTA_SSL.3 | FTA_SSL.3(lui), FTA_SSL.3(rui)
PRT | FDP_ACC.1 | FDP_ACC.1(in-job)
PRT | FDP_ACF.1 | FDP_ACF.1(in-job)
SCN | FDP_ACC.1 | FDP_ACC.1(in-job)
SCN | FDP_ACF.1 | FDP_ACF.1(in-job)
CPY | FDP_ACC.1 | FDP_ACC.1(in-job)
CPY | FDP_ACF.1 | FDP_ACF.1(in-job)
FAX | FDP_ACC.1 | FDP_ACC.1(in-job)
FAX | FDP_ACF.1 | FDP_ACF.1(in-job)
DSR | FDP_ACC.1 | FDP_ACC.1(in-job)
DSR | FDP_ACF.1 | FDP_ACF.1(in-job)
NVS | FPT_CIP_EXP.1 | FPT_CIP_EXP.1
SMI | FAU_GEN.1 | FAU_GEN.1
SMI | FPT_FDI_EXP.1 | FPT_FDI_EXP.1
SMI | FTP_ITC.1 | FTP_ITC.1
Common | - | FIA_AFL.1
Common | - | FIA_SOS.1
Common | - | FIA_UAU.7
NVS | - | FCS_COP.1(h)
NVS, SMI | - | FCS_CKM.1
SMI | - | FCS_COP.1(n)
SMI | - | FCS_CKM.2
NVS | - | FPT_PHP.1

Note the following:
- For FDP_ACF.1(a) in the PP, the Subject for a Delete of +FAXIN D.DOC, and Delete of +FAXIN D.FUNC, is specified as U.NORMAL.
- For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.ADMINISTRATOR, with the Access Control rule for U.NORMAL specified as "Denied".
- For FDP_ACC.1 in the PP, the Subject for a Read of +FAXIN D.DOC is specified as U.NORMAL.
- For FDP_ACC.1(in-job) in the ST, the Subject for a Read of +FAXIN D.DOC is specified as U.ADMINISTRATOR, with the Access Control rule for U.NORMAL specified as "Denied".
The ST functional requirements, as mentioned above, are restrictive in the scope of Subjects allowed to Delete or Read, and restrain U.NORMAL from having access to any Object. As such, the ST functional requirements specify greater restrictions than the corresponding PP functional requirements.
- For FDP_ACF.1(a) in the PP, the Subject for a Modify of +FAXIN D.FUNC is specified as U.NORMAL.
- For FDP_ACF.1(delete-job) in the ST, the Subject is specified as U.USER, with the Access Control rule specified as "Denied".
The ST functional requirement, as mentioned above, does not allow use of the function to any Subject. As such, the ST functional requirement specifies a greater restriction than the corresponding PP functional requirement.

Consequently, the SFRs of the ST, compared with the PP, specify equal or greater restrictions on the TOE.
As such:
- All TOEs that would meet the SFRs in the ST would also meet the SFRs in the PP.

In terms of the Security Assurance Requirements, the ST and PP are equivalent.

As such, this ST, compared with the PP, specifies equal or greater restrictions on the TOE, and at most equal restrictions on the operational environment of the TOE.

Therefore, this ST claims demonstrable conformance to the PP.
3 Security Problem Definition

3.1 Notational conventions
– Defined terms in full form are set in title case (for example, "Document Storage and Retrieval").
– Defined terms in abbreviated form are set in all caps (for example, "DSR").
– In tables that describe Security Objectives rationale, a checkmark ("✓") placed at the intersection of a row and column indicates that the threat identified in that row is wholly or partially mitigated by the objective in that column.
– In tables that describe completeness of security requirements, a bold typeface letter "P" placed at the intersection of a row and column indicates that the requirement identified in that column performs a principal fulfillment of the objective identified in that row. A letter "S" in such an intersection indicates that it performs a supporting fulfillment.
– In tables that describe the sufficiency of security requirements, a bold typeface requirement name and purpose indicates that the requirement performs a principal fulfillment of the objective in the same row. Requirement names and purposes set in normal typeface indicate that those requirements perform supporting fulfillments. In specifications of Security Functional Requirements (SFRs):
  o Bold typeface indicates the portion of an SFR that has been completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition.
  o Italic typeface indicates the portion of an SFR that must be completed by the ST Author in a conforming Security Target.
  o Bold italic typeface indicates the portion of an SFR that has been partially completed or refined in this Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an Extended Component Definition, but which also must be completed by the ST Author in a conforming Security Target.
– The following prefixes are used to indicate different entity types:

Table 10 — Notational prefix conventions
Prefix | Type of entity
U. | User
D. | Data
F. | Function
T. | Threat
P. | Policy
A. | Assumption
O. | Objective
OE. | Environmental objective
+ | Security attribute

3.2 Threat agents
This security problem definition addresses threats posed by four categories of threat agents:
a) Persons who are not permitted to use the TOE who may attempt to use the TOE
b) Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in ways for which they are not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated threats.
The threats and policies defined in this Protection Profile address the threats posed by these threat agents.

3.3 Threats to TOE Assets
This section describes threats to assets described in clause 1.8.

Table 11 — Threats to User Data for the TOE
Threat | Affected asset | Description
T.DOC.DIS | D.DOC | User Document Data may be disclosed to unauthorized persons
T.DOC.ALT | D.DOC | User Document Data may be altered by unauthorized persons
T.FUNC.ALT | D.FUNC | User Function Data may be altered by unauthorized persons

Table 12 — Threats to TSF Data for the TOE
Threat | Affected asset | Description
T.PROT.ALT | D.PROT | TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS | D.CONF | TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT | D.CONF | TSF Confidential Data may be altered by unauthorized persons

3.4 Organizational Security Policies
This section describes the Organizational Security Policies (OSPs) that apply to the TOE. OSPs are used to provide a basis for Security Objectives that are commonly desired by TOE Owners in this operational environment but for which it is not practical to universally define the assets being protected or the threats to those assets.

Table 13 — Organizational Security Policies
Name | Definition
P.USER.AUTHORIZATION | To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner
P.SOFTWARE.VERIFICATION | To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF
P.AUDIT.LOGGING | To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel
P.INTERFACE.MANAGEMENT | To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment
P.HDD.ACCESS.AUTHORIZATION | To prevent access to TOE assets in the HDD by connecting the HDD to other HCDs, the TOE will have authorized access to the HDD data
3.5 Assumptions
The Security Objectives and Security Functional Requirements defined in subsequent sections of this Protection Profile are based on the condition that all of the assumptions described in this section are satisfied.

Table 14 — Assumptions
Assumption | Definition
A.ACCESS.MANAGED | The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING | TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING | Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes.
4 Security Objectives

4.1 Security Objectives for the TOE
This section describes the Security Objectives that are satisfied by the TOE.

Table 15 — Security Objectives for the TOE
Objective | Definition
O.DOC.NO_DIS | The TOE shall protect User Document Data from unauthorized disclosure.
O.DOC.NO_ALT | The TOE shall protect User Document Data from unauthorized alteration.
O.FUNC.NO_ALT | The TOE shall protect User Function Data from unauthorized alteration.
O.PROT.NO_ALT | The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS | The TOE shall protect TSF Confidential Data from unauthorized disclosure.
O.CONF.NO_ALT | The TOE shall protect TSF Confidential Data from unauthorized alteration.
O.USER.AUTHORIZED | The TOE shall require identification and authentication of Users, and shall ensure that Users are authorized in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED | The TOE shall manage the operation of external interfaces in accordance with security policies.
O.SOFTWARE.VERIFIED | The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED | The TOE shall create and maintain a log of TOE use and security-relevant events, and prevent its unauthorized disclosure or alteration.
O.HDD.ACCESS.AUTHORISED | The TOE shall protect TOE assets in the HDD from being accessed without the TOE authorization.

4.2 Security Objectives for the IT environment
This section describes the Security Objectives for the IT environment.

Table 16 — Security Objectives for the IT environment
Objective | Definition
OE.AUDIT_STORAGE.PROTECTED | If audit records are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records are protected from unauthorized access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED | If audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons.
OE.INTERFACE.MANAGED | The IT environment shall provide protection from unmanaged access to TOE external interfaces.

4.3 Security Objectives for the non-IT environment
This section describes the Security Objectives for non-IT environments.

Table 17 — Security Objectives for the non-IT environment
Objective | Definition
OE.PHYSICAL.MANAGED | The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED | The TOE Owner shall grant permission to Users to be authorized to use the TOE according to the security policies and procedures of their organization.
OE.USER.TRAINED | The TOE Owner shall ensure that Users are aware of the security policies and procedures of their organization, and have the training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED | The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of their organization, have the training, competence, and time to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED | The TOE Owner shall establish trust that TOE Administrators will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED | The TOE Owner shall ensure that audit logs are reviewed at appropriate intervals for security violations or unusual patterns of activity.

4.4 Security Objectives rationale
This section describes the rationale for the Security Objectives.

Table 18 — Completeness of Security Objectives
Rows: Threats, Policies, and Assumptions. Columns: O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.HDD.ACCESS.AUTHORISED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, O.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.INTERFACE.MANAGED, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, OE.USER.TRAINED. The objectives checked for each row are:
T.DOC.DIS | O.DOC.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.DOC.ALT | O.DOC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.FUNC.ALT | O.FUNC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.PROT.ALT | O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.DIS | O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
T.CONF.ALT | O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.USER.AUTHORIZATION | O.USER.AUTHORIZED, OE.USER.AUTHORIZED
P.SOFTWARE.VERIFICATION | O.SOFTWARE.VERIFIED
P.AUDIT.LOGGING | O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED
P.INTERFACE.MANAGEMENT | O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED
P.HDD.ACCESS.AUTHORIZATION | O.HDD.ACCESS.AUTHORISED
A.ACCESS.MANAGED | OE.PHYSICAL.MANAGED
A.ADMIN.TRAINING | OE.ADMIN.TRAINED
A.ADMIN.TRUST | OE.ADMIN.TRUSTED
A.USER.TRAINING | OE.USER.TRAINED

Table 19 — Sufficiency of Security Objectives
Threats, Policies, and Assumptions | Summary | Objectives and rationale
T.DOC.DIS | User Document Data may be disclosed to unauthorized persons | O.DOC.NO_DIS protects D.DOC from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.DOC.ALT | User Document Data may be altered by unauthorized persons | O.DOC.NO_ALT protects D.DOC from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.FUNC.ALT | User Function Data may be altered by unauthorized persons | O.FUNC.NO_ALT protects D.FUNC from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.PROT.ALT | TSF Protected Data may be altered by unauthorized persons | O.PROT.NO_ALT protects D.PROT from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.CONF.DIS | TSF Confidential Data may be disclosed to unauthorized persons | O.CONF.NO_DIS protects D.CONF from unauthorized disclosure. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
T.CONF.ALT | TSF Confidential Data may be altered by unauthorized persons | O.CONF.NO_ALT protects D.CONF from unauthorized alteration. O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
P.USER.AUTHORIZATION | Users will be authorized to use the TOE | O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization to use the TOE. OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
P.SOFTWARE.VERIFICATION | Procedures will exist to self-verify executable code in the TSF | O.SOFTWARE.VERIFIED provides procedures to self-verify executable code in the TSF.
P.AUDIT.LOGGING | An audit trail of TOE use and security-relevant events will be created, maintained, protected, and reviewed. | O.AUDIT.LOGGED creates and maintains a log of TOE use and security-relevant events, and prevents unauthorized disclosure or alteration. OE.AUDIT_STORAGE.PROTECTED protects exported audit records from unauthorized access, deletion and modifications. OE.AUDIT_ACCESS.AUTHORIZED establishes responsibility of the TOE Owner to provide appropriate access to exported audit records. OE.AUDIT.REVIEWED establishes responsibility of the TOE Owner to ensure that audit logs are appropriately reviewed.
P.HDD.ACCESS.AUTHORIZATION | To prevent access to TOE assets in the HDD by connecting the HDD to other HCDs, the TOE will have authorized access to the HDD data. | O.HDD.ACCESS.AUTHORISED protects TOE assets in the HDD from being accessed without the TOE authorization.
P.INTERFACE.MANAGEMENT | Operation of external interfaces will be controlled by the TOE and its IT environment. | O.INTERFACE.MANAGED manages the operation of external interfaces in accordance with security policies. OE.INTERFACE.MANAGED establishes a protected environment for TOE external interfaces.
A.ACCESS.MANAGED | The TOE environment provides protection from unmanaged access to the physical components and data interfaces of the TOE. | OE.PHYSICAL.MANAGED establishes a protected physical environment for the TOE.
A.ADMIN.TRAINING | Administrators are aware of and trained to follow security policies and procedures. | OE.ADMIN.TRAINED establishes responsibility of the TOE Owner to provide appropriate Administrator training.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes. | OE.ADMIN.TRUSTED establishes responsibility of the TOE Owner to have a trusted relationship with Administrators.
A.USER.TRAINING | TOE Users are aware of and trained to follow security policies and procedures. | OE.USER.TRAINED establishes responsibility of the TOE Owner to provide appropriate User training.
EVIEWED esof the TOE Oappropriately ESS.AUTHOR
HDD from acceation.
CE.MANAGExternal interfapolicies
ACE.MANAGronment for T
AL.MANAGEsical environm
TRAINED estaof the TOE Odministrator tr
TRUST establier to have a trtrators. AINED estabwner to provid
Date of Issue: 2
anon Inc. 20
establishes Owner to appro
s D.CONF fro
stablishes useration as the ba
establishes Owner to appro
stablishes useration as the baE establishes
Owner to appro
D provides prode in the TSF
s and maintainlevant events, osure or altera
ROTECTED pm unauthorized
THORIZED f, the TOE Owto exported au
stablishes Owner to ensur
reviewed RISED protecessing withou
ED manages thaces in accord
GED establisheTOE external
ED establishes ment for the TO
ablishes Owner to proviraining. ishes responsirusted relation
lishes responsde appropriate
2015/07/23
015
opriately
om
r asis for
opriately
r asis for
opriately
cedures
ns a log and
ation protects d access,
wner to udit
re that
cts TOE ut the
he ance
es a
a OE
ide
ibility of nship
sibility e User
5 Extended components definition (APE_ECD)

This Protection Profile defines components that are extensions to Common Criteria 3.1 Release 2, Part 2. These extended components are defined in the Protection Profile but are used in SFR Packages, and therefore, are employed only in TOEs whose STs conform to those SFR Packages.

5.1 FPT_CIP_EXP Confidentiality and integrity of stored data

Family behaviour:

This family defines requirements for the TSF to protect the confidentiality and integrity of both TSF and user data. Confidentiality and integrity of stored data is important security functionality in the case where the storage container is not, or not always, in a protected environment. Confidentiality and integrity of stored data is often provided by functionality that the TSF uses for both TSF and user data in the same way. Examples are full disk encryption functions, where the TSF stores its own data as well as user data on the same disk. Especially when a disk is intended to be removable and therefore may be transported into an unprotected environment, this becomes a very important functionality to achieve the Security Objectives of protection against unauthorized access to information.

Component leveling:

FPT_CIP_EXP.1 Confidentiality and integrity of stored data, provides for the protection of user and TSF data stored on a storage container that cannot be assumed to be protected by the TOE environment.

Management: FPT_CIP_EXP.1

The following actions could be considered for the management functions in FMT:

a) Management of the conditions under which the protection function is activated or used;

b) Management of potential restrictions on the allowance to use this function.

Audit: FPT_CIP_EXP.1

The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:

a) Basic: failure condition that prohibits the function to work properly, detected attempts to bypass this functionality (e. g. detected modifications).

FPT_CIP_EXP.1 Confidentiality and integrity of stored data

Hierarchical to: No other components.

Dependencies: No dependencies

FPT_CIP_EXP.1.1 The TSF shall provide a function that ensures the confidentiality and integrity of user and TSF data when either is written to [assignment: media used to store the data].

FPT_CIP_EXP.1.2 The TSF shall provide a function that detects and performs [assignment: list of actions] when it detects alteration of user and TSF data stored on [assignment: media used to store the data].

Rationale:

The Common Criteria defines the protection of TSF data in its FPT class. Although both classes contain components that define confidentiality protection and integrity protection, those components are defined differently for user data and TSF data and therefore are difficult to use in cases where a TOE provides functionality for the confidentiality and integrity for both types of data in an identical way.

This Protection Profile defines an extended component that combines the confidentiality and integrity protection for both types of data in a single component. The authors of this Protection Profile view this as an approach that simplifies the statement of security functional requirements significantly and therefore enhances the readability and applicability of this Protection Profile. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since it is intended to protect data that are exported to storage media, and in particular, storage media that might be removable from the TOE, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces

Family behaviour:

This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.

Many products receive information on specific external interfaces and are intended to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality.

Component leveling:

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces, provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.

Management: FPT_FDI_EXP.1

The following actions could be considered for the management functions in FMT:

a) Definition of the role(s) that are allowed to perform the management activities;

b) Management of the conditions under which direct forwarding can be allowed by an administrative role;

c) Revocation of such an allowance.

Audit: FPT_FDI_EXP.1

The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:

There are no auditable events foreseen.

Rationale:

Quite often a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems but also other systems that require a specific work flow for the incoming data before it can be transferred. Direct forwarding of such data (i. e. without processing the data first) between different external interfaces is therefore a function that, if allowed at all, can only be allowed by an authorized role.

It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.

The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Protection Profile, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces

Hierarchical to: No other components.

Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].
6 Security requirements

This section describes the security requirements for the TOE.

6.1 Security functional requirements

This section describes the security functional requirements for the TOE. The text in brackets following the component identifier or element name denotes iteration operations.

6.1.1 User Authentication Function

FIA_AFL.1 Authentication failure handling

Hierarchical to: No other components.

Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].

[selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]]: an administrator configurable positive integer within 1 to 10

[assignment: list of authentication events]: Login attempts from the control panel or remote UIs.

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met, surpassed], the TSF shall [assignment: list of actions].

[selection: met, surpassed]: met

[assignment: list of actions]: Lockout

FIA_ATD.1 User attribute definition

Hierarchical to: No other components.

Dependencies: No dependencies

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].

[assignment: list of security attributes]: User name, role

FIA_UAU.1 Timing of authentication

Hierarchical to: No other components.

Dependencies: No dependencies.

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is authenticated.

[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]: Submission of print jobs, fax jobs, I-fax jobs

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback

Hierarchical to: No other components.

Dependencies: FIA_UAU.1 Timing of authentication

FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.

[assignment: list of feedback]: *

FIA_UID.1 Timing of identification

Hierarchical to: No other components.

Dependencies: No dependencies.

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is identified.

[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]: Submission of print jobs, fax jobs, I-fax jobs

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding

Hierarchical to: No other components.

Dependencies: FIA_ATD.1 User attribute definition

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].

[assignment: list of user security attributes]: User name, role

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes].

[assignment: rules for the initial association of attributes]: None

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: rules for the changing of attributes].

[assignment: rules for the changing of attributes]: None

FTA_SSL.3(lui) TSF-initiated termination

Hierarchical to: No other components.

Dependencies: No dependencies.

FTA_SSL.3.1(lui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

[assignment: time interval of user inactivity]: User inactivity at the control panel lasting for the specified period of time.

FTA_SSL.3(rui) TSF-initiated termination

Hierarchical to: No other components.

Dependencies: No dependencies.

FTA_SSL.3.1(rui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

[assignment: time interval of user inactivity]: User inactivity at the remote UI lasting for 15 minutes.
6.1.2 Function Use Restriction Function

FMT_MSA.1(exec-job) Management of security attributes

Hierarchical to: No other components.

Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].

[assignment: access control SFP(s), information flow control SFP(s)]: None

[selection: change_default, query, modify, delete, [assignment: other operations]]: query, modify, delete, create

[assignment: list of security attributes]: Role

[assignment: the authorised identified roles]: U.ADMINISTRATOR

FMT_MSA.3(exec-job) Static attribute initialisation

Hierarchical to: No other components.

Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles

FMT_MSA.3.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.

[assignment: access control SFP, information flow control SFP]: None

[selection, choose one of: restrictive, permissive, [assignment: other property]]: Restrictive

[refinement] TOE Function Access Control Policy -> TOE Function Access Control SFP

FMT_MSA.3.2(exec-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.

[assignment: the authorized identified roles]: Nobody

FDP_ACC.1(exec-job) Subset access control

Hierarchical to: No other components.

Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP on users as subjects, TOE functions as objects, and the right to use the functions as operations.

FDP_ACF.1(exec-job) Security attribute based access control

Hierarchical to: No other components.

Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP to objects based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP].

[assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP]: the TOE Functions and the security attributes in Table 20, and for each, the objects controlled under the TOE Function Access Control SFP in Table 20 and the indicated security attributes.

FDP_ACF.1.2(exec-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]].

[selection: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]]: the user is explicitly authorized by U.ADMINISTRATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]

[assignment: other conditions]: rules specified in the TOE Function Access Control SFP in Table 20 governing access among controlled users as subjects and controlled objects using controlled operations

FDP_ACF.1.3(exec-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects].

[assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects]: None

FDP_ACF.1.4(exec-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]: None

Table 20 — TOE Function Access Control SFP

Object | Attribute | Operation(s) | Subject | Attribute | Access control rule
[Secured Print] | +PRT | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Copy] | +CPY +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Scan] | +SCN +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax] | +FAXOUT | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Fax/I-Fax Inbox] | +FAXIN | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
[Access Stored Files] | +DSR | Use of the function, using the pointer to the Object. | U.USER | Role | For the attribute of the Object, the role associated with the Subject must be authorized to perform the Operation.
Remote UI: | | | | |
[Access Received/Stored Files] | +DSR +FAXIN | Use of the function, using the pointer to the Object. | U.USER | Role | If the role associated with the Subject is Administrator, the Operation is permitted.

6.1.3 Job Output Restriction Functions

6.1.3.1 Delete Job

FMT_MSA.1(delete-job) Management of security attributes

Hierarchical to: No other components.

Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].

[assignment: access control SFP(s), information flow control SFP(s)]: In The Job Access Control SFP in Table 23

[selection: change_default, query, modify, delete, [assignment: other operations]]: Refer to "Operation" in Table 21.

[assignment: list of security attributes]: Refer to "Security Attributes" in Table 21.

[assignment: the authorised identified roles]: Refer to "Role" in Table 21.

Table 21 — Management of security attributes

Security Attributes | Operation | Role
User name | delete, create, query | U.ADMINISTRATOR
Box PINs | modify, create | U.ADMINISTRATOR
PINs of own Mail Box | modify | U.NORMAL

APPLICATION NOTE 1. This Protection Profile does not define any mandatory security attributes, but some may be defined by SFR packages or by the ST Author. The ST Author should define how security attributes are managed. Note that this Protection Profile allows the ST Author to instantiate "Nobody" as an authorized identified role, which makes it possible for the ST Author to state that some management actions (e.g., deleting a security attribute) may not be performed by any User.

FMT_MSA.3(delete-job) Static attribute initialisation

Hierarchical to: No other components.

Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles

FMT_MSA.3.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.

[assignment: access control SFP, information flow control SFP]: In The Job Access Control SFP in Table 23

[selection, choose one of: restrictive, permissive, [assignment: other property]]: restrictive

FMT_MSA.3.2(delete-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.

[assignment: the authorized identified roles]: Nobody
FDP_ACC.1(delete-job) Subset access control

Hierarchical to: No other components.

Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 on the list of users as subjects, objects, and operations among subjects and objects covered by the Common Access Control SFP in Table 22.

FDP_ACF.1(delete-job) Security attribute based access control

Hierarchical to: No other components.

Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 to objects based on the following: the list of users as subjects and objects controlled under the Common Access Control SFP in Table 22, and for each, the indicated security attributes in Table 22.

FDP_ACF.1.2(delete-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the Common Access Control SFP in Table 22 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects.

FDP_ACF.1.3(delete-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]: U.ADMINISTRATOR is authorized to delete any D.DOC/D.FUNC. U.ADMINISTRATOR is authorized to modify any +CPY, +SCN, +DSR, +FAXOUT D.FUNC.

FDP_ACF.1.4(delete-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]: None

Table 22 — Common Access Control SFP

Object | Attribute | Operation(s) | Subject | Access control rule
D.DOC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Delete | U.NORMAL | Denied, except for his/her own documents
D.DOC | +FAXIN | Delete | U.NORMAL | Denied
D.FUNC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Modify; Delete | U.NORMAL | Denied, except for his/her own function data
D.FUNC | +FAXIN | Modify | U.USER | Denied
D.FUNC | +FAXIN | Delete | U.NORMAL | Denied

6.1.3.2 In The Job

FDP_ACC.1(in-job) Subset access control

Hierarchical to: No other components.

Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.1.1(in-job) The TSF shall enforce the In The JOB Access Control SFP in Table 23 on the list of subjects, objects, and operations among subjects and objects covered by the In The JOB Access Control SFP in Table 23.

FDP_ACF.1(in-job) Security attribute based access control

Hierarchical to: No other components.

Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1(in-job) The TSF shall enforce the In The JOB Access Control SFP in Table 23 to objects based on the following: the list of subjects and objects controlled under the In The JOB Access Control SFP in Table 23, and for each, the indicated security attributes in Table 23.

FDP_ACF.1.2(in-job) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: rules specified in the In The JOB Access Control SFP in Table 23 governing access among Users and controlled objects using controlled operations on controlled objects.

FDP_ACF.1.3(in-job) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]: U.ADMINISTRATOR is authorized to Read any +FAXIN/+DSR D.DOC.

FDP_ACF.1.4(in-job) The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].

[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]: None

Table 23 — In The JOB Access Control SFP

Object | Attribute(s) | Operation | Subject | Access control rule
D.DOC | +PRT | Read | U.USER | Denied, except for his/her own documents
D.DOC | +SCN | Read | U.USER | Denied, except for his/her own documents
D.DOC | +CPY | Read | U.USER | Denied
D.DOC | +FAXIN | Read | U.NORMAL | Denied
D.DOC | +FAXOUT | Read | U.USER | Denied, except for his/her own documents
D.DOC | +DSR | Read | U.NORMAL | Denied, except for his/her own documents

6.1.4 Forward Received Jobs Function

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces

Hierarchical to: No other components.

Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to Shared-medium Interface.

6.1.5 HDD Data Erase Function

FDP_RIP.1 Subset residual information protection

Hierarchical to: No other components.

Dependencies: No dependencies

FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: D.DOC, [assignment: list of objects].

[selection: allocation of the resource to, deallocation of the resource from]: deallocation of the resource from

[assignment: list of objects]: None

6.1.6 HDD Data Encryption Function

6.1.6.1 Encryption/Decryption Function

FCS_COP.1(h) Cryptographic operation

Hierarchical to: No other components.

Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
D
Copyright Ca
FP
ntrol rule cept for his/hecept for his/he
cept for his/hecept for his/he
external in
of Managem.
to restrict durther proce
on content oresource to
gnment: list
on of the reso
user data
data with sec key genera
Date of Issue: 2
anon Inc. 20
er own documer own docum
er own documer own docum
nterfaces
ment Functio
data receivedessing by th
of a resourceo, deallocatiot of objects].
ource from]
a without
ecurity attribation]
2015/07/23
015
ments ments
ments ments
ns
d on any he TSF to
e is made ion of the
security
butes, or
FCS_CO
FPT_C
FPT_CI
FPT_CI
APPLICAdisks correpresewithiFPT_
Quote fro
6.1.6.2
FPT_P
OP.1.1(h) Thaccoalgomee
[assi
[assi
[assi
[assi
IP_EXP.1
Hier
Dep
P_EXP.1.1 inteNon
[ass
P_EXP.1.2 [asseith
[ass
[ass
ATION NOTE 2to meet disk enct credentials (e
ented. Assumingn the TOE and
_CIP_EXP.1.2, om [PP Guide
Device Ide
HP.1 Pass
Hier
he TSF shordance withorithm] and et the followi
ignment: list o Encrypti Decrypti
ignment: cryp AES
ignment: cryp 256 bit
ignment: list o FIPS PUB
Con
rarchical to:
endencies:
The grity of user
nvolatile Stor
signment: a HDD
The ignment: liser is written
signment: lis no action
signment: a HDD
2. Todancryption requieither the key itg that this functtherefore it shoarguing that un]
ntification an
sive detect
rarchical to:
FCS
hall performh a specifiedcryptographing: [assignm
of cryptographon of data wrion of data rea
ptographic alg
ptographic key
of standards]B 197
nfidentialit
No o
No d
TSF shall pr and TSF da
orage device]
Removable
TSF shalst of actions]n to [assignm
ist of actions]n
Removable
ay many manufarements. Some tself or credentitionality cannotould be possiblenauthorized mo
nd Authentica
tion of phy
No o
40
S_CKM.4 Cr
m [assignmed cryptograhic key sizesment: list of
hic operationsritten to the Had out from t
gorithm]
y sizes]
ty and inte
other compo
dependencie
provide a fuata when eit.
Nonvolatile
ll provide ] when it dement: a Rem
s]
Nonvolatile
acturers are looof these drives
ials required to t be bypassed, de to instantiate "dification is pre
ation Functio
ysical attac
other compo
C
ryptographic
ent: list ofphic algorit
s [assignmenf standards].
s] HDD the HDD
egrity of st
onents.
es
unction that ther is writt
e Storage dev
a functionetects altera
movable Nonv
e Storage dev
king at hardwas will not allow unlock the key
detection of mo"no action" in thevented by the d
on
ck
onents.
D
Copyright Ca
c key destru
f cryptograpthm [assignmnt: cryptogra.
ored data
ensures theten to [assig
vice]
n that dettion of user
nvolatile Stor
vice]
are solutions sucdata to be writt
y stored in a secodifications is nhe assignment fdesign of the sy
Date of Issue: 2
anon Inc. 20
ction
aphic operatment: crypt
raphic key si
e confidentianment: a Re
tects and pand TSF da
rage device]
ch as fully encryten to the drive
cure area of the ot a useful funcfor the "list of aystem.
2015/07/23
015
tions] in tographic izes] that
ality and emovable
performs ata when .
ypting unless the drive) are
ction actions" in
FPT_PH
FPT_PH
6.1.7
6.1.7.1
FCS_C
FCS_CO
cr3AA
Dep
HP.1.1 The com
[refiEncr
HP.1.2 The with
[refiEncr
LAN Data P
IP Packet E
COP.1(n) C
Hier
Dep
OP.1.1(n) Thaccoalgomee
[ass
[ass
[ass
[ass
Table
ryptographicDES-CBC
AES-CBC AES-GCM
endencies:
TSF shall promise the
inement] phryption Board
TSF shall h the TSF's d
inement] phryption Board
Protection
Encryption F
ryptograp
rarchical to:
endencies:
he TSF shordance withorithm] and et the followi
signment: lis Encrypti Decrypti
signment: cr Refer to
signment: cr Refer to
signment: lis Refer to
24 — IPSec
c algorithm
No d
provide unae TSF.
hysical tampd
provide thedevices or T
hysical tampd
Function
Function
hic operat
No o
[FDattrFDPFCSFCS
hall performh a specifiedcryptographing: [assignm
ist of cryptogon of IP packion of IP pack
ryptographic"Cryptograph
ryptographic"Cryptograph
ist of standar"List of Stan
cryptograp
crypto168 bit128 bit128 bit
41
dependencie
ambiguous d
pering -> Phy
e capability SF's elemen
pering -> Phy
tion
other compo
P_ITC.1 Imibutes, or
P_ITC.2 ImpS_CKM.1 CrS_CKM.4 Cr
m [assignmed cryptograhic key sizesment: list of
graphic operakets sent to thkets received
c algorithm]hic Algorithm
c key sizes]hic Key Sizes
rds] ndards" in Ta
phic algorith
ographic key t t, 192bit, 256 t, 192bit, 256
C
es.
detection of
ysical replace
to determinnts has occur
ysical replace
onents.
mport of
port of user dryptographicryptographic
ent: list ofphic algorit
s [assignmenf standards].
rations] he LAN
from the LA
m" in Table 24
s" in Table 24
able 24.
hm, key size
sizes lisFI
bit FIbit SP
D
Copyright Ca
physical ta
ement of the
ne whether rred.
ement of the
user data
data with sec key generac key destru
f cryptograpthm [assignmnt: cryptogra.
AN
4.
4.
es and stand
st of standardIPS PUB 46-3IPS PUB 197 P800-38D
Date of Issue: 2
anon Inc. 20
ampering th
HDD and H
physical ta
HDD and H
a without
ecurity attribation] ction
aphic operatment: crypt
raphic key si
dards
ds 3
2015/07/23
015
at might
HDD Data
ampering
HDD Data
security
butes, or
tions] in tographic izes] that
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for communication of D.DOC, D.FUNC, D.PROT, and D.CONF over any Shared-medium Interface.

6.1.8 Self-Test Function

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
[selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] during initial start-up
[selection: [assignment: parts of TSF], the TSF] Cryptographic algorithms used with the LAN Data Protection Function (AES, 3DES)
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
[selection: [assignment: parts of TSF], TSF data] Cryptographic key
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.
6.1.9 Audit Log Function

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
– Start-up and shutdown of the audit functions;
– All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
– all Auditable Events as each is defined for its Audit Level (if one is specified) for the Relevant SFR in Table 25; [assignment: other specifically defined auditable events].
[selection, choose one of: minimum, basic, detailed, not specified] not specified
[assignment: other specifically defined auditable events] None
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
– Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
– For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, for each Relevant SFR listed in Table 25: (1) information as defined by its Audit Level (if one is specified), and (2) all Additional Information (if any is required); [assignment: other audit relevant information].
[assignment: other audit relevant information] None

Table 25 — Audit data requirements

Auditable event | Relevant SFR | Audit level | Additional information
Job completion | FDP_ACF.1 | Not specified | Type of job
Both successful and unsuccessful use of the authentication mechanism | FIA_UAU.1 | Basic | None required
Both successful and unsuccessful use of the identification mechanism | FIA_UID.1 | Basic | Attempted user identity, if available
Use of the management functions | FMT_SMF.1 | Minimum | None required
Modifications to the group of users that are part of a role | FMT_SMR.1 | Minimum | None required
Changes to the time | FPT_STM.1 | Minimum | None required
Termination of an interactive session by the session locking mechanism (5) | FTA_SSL.3 | Minimum | None required
Failure of the trusted channel functions | FTP_ITC.1 | Minimum | None required

5 See "Section 14.1 IEEE Std 2600.1 Errata" in the PP Guide. In IEEE Std 2600.1, this is indicated as "Locking of an interactive session by the session locking mechanism" but notes that this is a transcription error.
FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.
[assignment: authorised users] U.ADMINISTRATOR
[assignment: list of audit information] Refer to the audit logs listed in Table 25.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.
[selection, choose one of: prevent, detect] prevent

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.
[selection, choose one of: "ignore audited events", "prevent audited events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] "overwrite the oldest stored audit records"
[assignment: other actions to be taken in case of audit storage failure] None

6.1.10 Management Function

6.1.10.1 User Management Function

FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].
[assignment: a defined quality metric]
– Use a password 4 to 32 characters in length
– Prohibit the use of 3 or more consecutive characters
– Use at least one uppercase character (A to Z)
– Use at least one lowercase character (a to z)
– Use at least one number (0-9)
– Use at least one non-alphabet characters (^-@[]:;,./¥!"#$%&'()=~|{`+*}_?><)
– Allowed characters: All characters other than control characters
FMT_MTD.1(user-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(user-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]].
[selection: change_default, query, modify, delete, clear, [assignment: other operations]] Refer to "Operation" in Table 26.
[assignment: list of TSF data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] Refer to "TSF Data" in Table 26.
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF data are associated]] Refer to "Role" in Table 26.

Table 26 — User information management

TSF data | Role | Operation
User name | U.ADMINISTRATOR | delete, create, query
Role | U.ADMINISTRATOR | modify, delete, create, query
Passwords | U.ADMINISTRATOR | modify, delete, create
Own password | U.NORMAL | modify

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles U.ADMINISTRATOR, U.NORMAL, [selection: Nobody, [assignment: the authorised identified roles]].
[selection: Nobody, [assignment: the authorised identified roles]] Nobody
FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role "Nobody" to which no user shall be associated.

6.1.10.2 Cryptographic Key Management Function
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
[assignment: cryptographic key generation algorithm] Cryptographic key generation algorithm according to FIPS PUB 186-2
[assignment: cryptographic key sizes] 128 bit, 168 bit, 192 bit, 256 bit
[assignment: list of standards] FIPS PUB 186-2

FCS_CKM.2 Cryptographic key distribution
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards].
[assignment: cryptographic key distribution method] DH (Diffie Hellman) and ECDH (Elliptic Curve Diffie Hellman)
[assignment: list of standards] SP800-56A

6.1.10.3 Device Management Function

FMT_MTD.1(device-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(device-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]].
[selection: change_default, query, modify, delete, clear, [assignment: other operations]] Refer to "Operation" in Table 27.
[assignment: list of TSF data] Refer to "TSF Data" in Table 27.
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except U.NORMAL]]] Refer to "Role" in Table 27.

Table 27 — Device management functions

TSF Data | Role | Operation
Date/Time settings | U.ADMINISTRATOR | modify
HDD Data Erase settings | U.ADMINISTRATOR | query, modify
IPSec settings | U.ADMINISTRATOR | query, modify
Auto Reset settings | U.ADMINISTRATOR | query, modify
Lockout policy settings | U.ADMINISTRATOR | query, modify
Password policy settings | U.ADMINISTRATOR | query, modify
Audit log | U.ADMINISTRATOR | query, delete

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].
[assignment: list of management functions to be provided by the TSF] Refer to "Management Function" in Table 28.

Table 28 — The management of security requirements

Management Function | Operation
Date/Time settings | modify
HDD Data Erase settings | query, modify
IPSec settings | query, modify
Auto Reset settings | query, modify
Lockout policy settings | query, modify
Password policy settings | query, modify
Audit log | query, delete
Username | delete, create, query
Role | modify, create, delete, query
Password | modify, create, delete
Box PIN | modify, create
Own password | modify
PIN of own Mail Box | modify
6.2 Security assurance requirements

This section defines the security assurance requirements for the TOE. Table 29 lists the security assurance requirements for 2600.1-PP, Protection Profile for Hardcopy Devices, Operational Environment A, and related SFR packages, EAL 3 augmented by ALC_FLR.2.

Table 29 — 2600.1 Security Assurance Requirements

Assurance Class | Assurance components
ADV: Development | ADV_ARC.1 Security architecture description; ADV_FSP.3 Functional specification with complete summary; ADV_TDS.2 Architectural design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.3 Authorisation controls; ALC_CMS.3 Implementation representation CM coverage; ALC_DEL.1 Delivery procedures; ALC_DVS.1 Identification of security measures; ALC_FLR.2 Flaw reporting procedures (augmentation of EAL3); ALC_LCD.1 Developer defined life-cycle model
ASE: Security Target evaluation | ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE: Tests | ATE_COV.2 Analysis of coverage; ATE_DPT.1 Testing: basic design; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis
6.3 Security functional requirements rationale

6.3.1 The completeness of security requirements

Table 30 provides a mapping of TOE Security Objectives and security functional requirements. This shows how each of the security functional requirements corresponds to at least one TOE Security Objective. Bold typeface items provide principal (P) fulfillment of the objectives, and normal typeface items provide supporting (S) fulfillment.

Table 30 — The completeness of security requirements

(P/S matrix of the SFRs below against the objectives O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED and O.HDD.ACCESS.AUTHORISED; the individual cell markings were not recoverable from the extracted text.)

SFRs: FIA_AFL.1, FIA_ATD.1, FIA_UAU.1, FIA_UAU.7, FIA_UID.1, FIA_USB.1, FTA_SSL.3(lui), FTA_SSL.3(rui), FMT_MSA.1(exec-job), FMT_MSA.3(exec-job), FDP_ACC.1(exec-job), FDP_ACF.1(exec-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FDP_ACC.1(delete-job), FDP_ACF.1(delete-job), FDP_ACC.1(in-job), FDP_ACF.1(in-job), FPT_FDI_EXP.1, FDP_RIP.1, FPT_CIP_EXP.1, FCS_COP.1(h), FPT_PHP.1, FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, FCS_CKM.2, FPT_TST.1, FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FPT_STM.1, FIA_SOS.1, FMT_MTD.1(user-mgt), FMT_SMR.1, FMT_MTD.1(device-mgt), FMT_SMF.1

6.3.2 The sufficiency of security requirements

This section provides the rationale on how the security functional requirements are sufficient to satisfy the Security Objectives.

O.DOC.NO_DIS is the security objective that ensures user document data is protected from unauthorized disclosure. O.DOC.NO_DIS is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control.
The identified users are allowed to operate only his/her own job to cancel according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job). The identified users are allowed to access only his/her own document data in print job, according to FDP_ACC.1(in-job)/FDP_ACF.1(in-job), and Nobody is allowed to access any document data in other job types.
Furthermore, by FDP_RIP.1, complete deletion of residual information of user document data created as a result of job processing is ensured. By FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.DOC.NO_ALT is the security objective that ensures protection of user document data from unauthorized alteration. O.DOC.NO_ALT is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control.
The identified users are allowed to operate only his/her own job according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job).
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.FUNC.NO_ALT is the security objective that ensures protection of user function data from unauthorized alteration. O.FUNC.NO_ALT is addressed by the following:
Based on user identification information resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for access control.
The identified users are allowed to operate only his/her own job according to FMT_MSA.1(delete-job)/FMT_MSA.3(delete-job), FDP_ACC.1(delete-job)/FDP_ACF.1(delete-job).
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure. By FMT_SMF.1, management functions related to these actions are provided.

O.PROT.NO_ALT is the security objective that ensures protection of TSF protected data from unauthorized alteration. O.PROT.NO_ALT is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_MTD.1(device-mgt), and FMT_SMF.1.
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.CONF.NO_DIS is the security objective that ensures protection of TSF confidential data from unauthorized disclosure. O.CONF.NO_DIS is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_MTD.1(device-mgt), and FMT_SMF.1.
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.CONF.NO_ALT is the security objective that ensures protection of TSF confidential data from unauthorized alteration. O.CONF.NO_ALT is addressed by the following:
Based on user identification information managed by FMT_MTD.1(user-mgt) and resulting from FIA_UID.1, roles managed by FMT_SMR.1 are assigned for the Device Management function as specified by FMT_MTD.1(device-mgt), and FMT_SMF.1.
Furthermore, by FPT_CIP_EXP.1, FCS_COP.1(h), and FCS_CKM.1, user data and TSF data in the HDD are protected from unauthorized alteration and disclosure. By FCS_COP.1(n), FTP_ITC.1, FCS_CKM.1, and FCS_CKM.2, user data and TSF data sent over the LAN are protected from unauthorized alteration and disclosure.

O.USER.AUTHORIZED is the security objective that ensures user identification and authentication. O.USER.AUTHORIZED is addressed by the following:
Users authenticated by the identification and authentication mechanism specified by FIA_UAU.1, FIA_UID.1, FIA_UAU.7, and FIA_AFL.1, with user sessions managed by FIA_ATD.1, FIA_USB.1, and FTA_SSL.3(lui)/FTA_SSL.3(rui), are granted use of the functions, as determined by access control specified by FDP_ACC.1(exec-job)/FDP_ACF.1(exec-job).
Furthermore, authorized user information are managed by FIA_SOS.1, FMT_MSA.1(exec-job), FMT_MSA.3(exec-job), FMT_SMR.1.

O.INTERFACE.MANAGED is the security objective that ensures control of operations of the I/O interfaces in accordance with security policy. O.INTERFACE.MANAGED is addressed by the following:
By FIA_UAU.1, FIA_UID.1, FTA_SSL.3(lui)/FTA_SSL.3(rui), the user interface is managed.
By FPT_FDI_EXP.1, restricted forwarding of data to the LAN is specified.

O.SOFTWARE.VERIFIED is addressed by providing the self-test procedures specified by FPT_TST.1.
O.AUDITFAU_GEthe mean O.HDD.Aspecified
6.3.3 T
This sect
FuReq
FIA_AFIA_ATFIA_UFIA_UFIA_UFIA_UFTA_SFTA_S
FMT_Mb)
FMT_Mb)
FDP_A)
FDP_A)
FMT_Mob)
FMT_Mob)
FDP_Aob)
FDP_Ab)
FDP_A
FDP_A
FPT_FD
FDP_R
FPT_C
FCS_C
T.LOGGED EN.2, FAU_SAs for user info
ACCESS.AUTby FPT_PHP
The depen
tion provides
unctional quirement FL.1 TD.1 AU.1 AU.7 ID.1 SB.1 SL.3(lui) SL.3(rui)
MSA.1(exec-jo
MSA.3(exec-jo
ACC.1(exec-job
ACF.1(exec-job
MSA.1(delete-j
MSA.3(delete-j
ACC.1(delete-j
ACF.1(delete-jo
ACC.1(in-job)
ACF.1(in-job)
DI_EXP.1
RIP.1
CIP_EXP.1
COP.1(h)
is addressed AR.1, FAU_Sormation and t
THORISED iP.1, prior to pe
dencies of
the justificat
Table 31 —T
Dependerequired FIA_UAU.1No dependeFIA_UID.1 FIA_UAU.1No dependeFIA_ATD.1No dependeNo depende[FDP_ACCFDP_IFC.1]FMT_SMRFMT_SMF.
FMT_MSAFMT_SMR
bFDP_ACF.1
FDP_ACC.FMT_MSA[FDP_ACCFDP_IFC.1]FMT_SMRFMT_SMF.
FMT_MSAFMT_SMR
FDP_ACF.1
FDP_ACC.FMT_MSA
FDP_ACF.1
FDP_ACC.FMT_MSA
FMT_SMF.FMT_SMR
No depende
No depende
[FDP_ITC.1FDP_ITC.2
by providinSAR.2, FAU_timestamps ge
is addressed ermitting acce
f security r
tion for any d
he depende
encies by CC
1 FIAencies. No
FIA1 FIAencies. No FIA
encies. No encies. No .1 or ] .1 1
FDPFMFM
A.1 .1
FMFM
1 FDP
1 A.3
FDPFM
.1 or ] .1 1
FDPFMFM
A.1 .1
FMFM
1 FDP
1 A.3
FDPFM
1 FDP
1 A.3
FDPFM
1 .1
FMFM
encies. No
encies. No
1 or or
FCS
53
ng the Audi_STG.1, and Fenerated on au
by the Devicess to the HDD
requiremen
dependencies
encies of sec
Dependencsatisfied by
A_UAU.1 dependencies.
A_UID.1 A_UAU.1
dependencies.A_ATD.1
dependencies.dependencies.
P_ACC.1(execMT_SMR.1 MT_SMF.1
MT_MSA.1(execMT_SMR.1
P_ACF.1(exec-
P_ACC.1(execMT_MSA.3(exec
P_ACC.1(deletMT_SMR.1 MT_SMF.1
MT_MSA.1 MT_SMR.1
P_ACF.1(delete
P_ACC.1(deletMT_MSA.3(dele
P_ACF.1(in-job
P_ACC.1(in-joMT_MSA.3(dele
MT_SMF.1 MT_SMR.1
dependencies.
dependencies.
S_CKM.1
C
t Log functiFAU_STG.4. Fudit logs.
ce IdentificatD.
nts
not met.
curity requi
ies ST
N/AN/A
N/AN/A
N/AN/AN/A
N/A
-job) N/A
c-job) N/A
-job) N/A
-job) c-job)
N/A
te-job) N/A
N/A
e-job) N/A
te-job) ete-job)
N/A
b) N/A
ob) ete-job)
N/A
N/A
N/A
N/A
FCS_Cryp
D
Copyright Ca
ion as speciFIA_UID.1 an
ion and Auth
rements
Reason fordepen
(dependencies (dependencies
(dependencies (dependencies
(no dependenc(dependencies (no dependenc
(no dependenc(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(no dependenc
(no dependenc
_CKM.4 is not ptographic keys
Date of Issue: 2
anon Inc. 20
fied by FAUnd FPT_STM
hentication fu
r not meetinndencies are satisfied) are satisfied)
are satisfied) are satisfied)
ies) are satisfied) ies)
ies) are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
ies)
ies)
claimed becaus are stored in
2015/07/23
015
U_GEN.1, .1 provide
unction as
g
use: n RAM,
FuReq
FPT_PH
FTP_IT
FCS_C
FCS_C
FCS_C
FPT_T
FAU_G
FAU_G
FPT_STFAU_S
FAU_S
FAU_S
FAU_S
FIA_SO
FMT_Mgt) FMT_S
FMT_Mmgt)
FMT_S
6.4 S
Thinfoaccobeca
unctional quirement
HP.1
TC.1
COP.1(n)
CKM.1
CKM.2
ST.1
GEN.1
GEN.2
TM.1 SAR.1
SAR.2
STG.1
STG.4
OS.1
MTD.1(user-m
SMR.1
MTD.1(device-
SMF.1
Security as
his Protectionormation proceountability andause it is assu
Dependerequired FCS_CKM.FCS_CKM.
No depende
No depende
[FDP_ITC.1FDP_ITC.2 FCS_CKM.FCS_CKM.
[FCS_CKMFCS_COP.1FCS_CKM.
[FDP_ITC.1FDP_ITC.2 FCS_CKM.FCS_CKM.
No depende
FPT_STM.1
FAU_GEN.FIA_UID.1 No dependeFAU_GEN.
FAU_SAR.
FAU_GEN.
FAU_STG.1
No depende
FMT_SMRFMT_SMF.FIA_UID.1
FMT_SMRFMT_SMF.
No depende
ssurance re
n Profile hasessing environd information
umed that the
encies by CC
.1]
.4
encies. No
encies. No
1 or or
.1]
.4
FCS
M.2 or 1] .4
FCSFCS
1 or or
.1]
.4
FCS
encies. No
1 FPT
1 FAUFIA
encies. No 1 FAU
1 FAU
1 FAU
1 FAU
encies. No
.1 1
FMFMFIA
.1 1
FMFM
encies. No
equirement
been develonments that re
n assurance. ThTOE will be
54
Dependencsatisfied by
dependencies.
dependencies.
S_CKM.1
S_COP.1(n) S_COP.1(h)
S_CKM.1
dependencies.
T_STM.1
U_GEN.1 A_UID.1
dependencies.U_GEN.1
U_SAR.1
U_GEN.1
U_STG.1
dependencies.
MT_SMR.1 MT_SMF.1 A_UID.1
MT_SMR.1 MT_SMF.1
dependencies.
ts rationale
oped for Harequire a relatihe TOE envirlocated in a r
C
ies ST
and AlsoprevsuchsecurmethN/A
N/A
FCS_Crypand AlsoprevsuchsecurmethFCS_Crypand AlsoprevsuchsecurmethFCS_Crypand Alsoprevsuchsecurmeth
N/A
N/A
N/A
N/AN/AN/A
N/AN/A
N/A
N/A
N/A
N/A
N/A
e
rdcopy Devicively high levronment will brestricted or m
D
Copyright Ca
Reason fordepen
disappear wheo, extraction of ented by the de
h, cryptographirely enough
hod for their des(no dependenc
(no dependenc
_CKM.4 is not ptographic keys
disappear wheo, extraction of ented by the de
h, cryptographirely enough
hod for their des_CKM.4 is not
ptographic keysdisappear whe
o, extraction of ented by the de
h, cryptographirely enough
hod for their des_CKM.4 is not
ptographic keysdisappear whe
o, extraction of ented by the de
h, cryptographirely enough
hod for their des
(no dependenc
(dependencies
(dependencies
(no dependenc(dependencies (dependencies
(dependencies (dependencies
(dependencies
(dependencies
(dependencies
(dependencies
(no dependenc
ces used in vel of documebe exposed to monitored env
Date of Issue: 2
anon Inc. 20
r not meetinndencies en power is sf cryptographic esign of the sysic keys are mnot to requi
struction. ies)
ies)
claimed becaus are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi
struction. claimed becau
s are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi
struction. claimed becau
s are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi
struction.
ies)
are satisfied)
are satisfied)
ies) are satisfied) are satisfied)
are satisfied) are satisfied)
are satisfied)
are satisfied)
are satisfied)
are satisfied)
ies)
restrictive coent security, oonly a low le
vironment tha
2015/07/23
015
g
shut off. keys is
stem. As managed ire any
use: n RAM, shut off.
keys is stem. As managed ire any
use: n RAM, shut off.
keys is stem. As managed ire any
use: n RAM, shut off.
keys is stem. As managed ire any
ommercial operational vel of risk
at provides
almoAgeremdeviwithmalf
EA
and inclu
ost constant pents cannot p
movable nonvoices are removh code to efffunctions. As
AL 3 is augmeprocedures f
usion is expec
protection frophysically accolatile storageved from the
ffect a changsuch, the Eva
ented with ALfor the reporcted by the co
om unauthorizcess any none devices, wheTOE environ
ge and the Taluation Assur
LC_FLR.2, Flrting and remnsumers of th
55
zed and unmanvolatile storaere protection
nment. AgentsTOE self-verifrance Level 3
law reporting mediation of ihis TOE.
C
anaged accessage without n of User ands have limitedfies its execuis appropriate
procedures. Aidentified sec
D
Copyright Ca
s to the TOE disassembling
d TSF Data ar or no means utable code te.
ALC_FLR.2 ecurity flaws a
Date of Issue: 2
anon Inc. 20
and its data ig the TOE ere provided wof infiltrating
to detect uni
ensures that inare in place,
2015/07/23
015
interfaces. except for when such g the TOE intentional
nstructions and their
7 TOE Summary specification

This section describes the TOE summary specifications.

7.1 User Authentication Function

– Supported functional requirements: FIA_UAU.1, FIA_UID.1, FIA_UAU.7, FIA_ATD.1, FIA_USB.1, FIA_AFL.1, FTA_SSL.3(lui), FTA_SSL.3(rui)

When the control panel or a remote UI is used to operate the MFP, before permitting such operations, the TOE requires user authentication in order to identify and authenticate valid users. However, the submission of print jobs, fax jobs, and I-fax jobs is always permitted. [FIA_UAU.1, FIA_UID.1]

Two methods of user authentication are supported:
– External Authentication
  Authentication is based on user information registered in the authentication server. This may be an Active Directory server that uses Kerberos authentication, or an LDAP server that uses LDAP authentication.
– Internal Authentication
  Authentication is based on user information registered in the device.

For user authentication, the TOE prompts input of the user name, password, and the login destination. User authentication succeeds only if the user name and password match the ones registered at the specified destination. For security, note that the password is masked by asterisks in the text field. [FIA_UAU.7]

The TOE issues an Access Control Token (ACT) to each user successfully authenticated.
The ACT is an object that contains the user's name and role, as well as the access permissions to the application functions that are specified for each user role. [FIA_ATD.1, FIA_USB.1]

The TOE provides a lockout function in order to minimize invalid login attempts. [FIA_AFL.1]
– This function locks out any user that fails to login successfully within the maximum number of failed authentication attempts. A value from 1 to 10 can be specified as the number of attempts before lockout (Initial value: 3).
– Any user that is locked out will not be able to login until the lockout time passes. A value from 1 to 60 minutes can be specified as the lockout time (Initial value: 3 minutes).

The TOE terminates an interactive session when there is no user activity at the control panel or remote UI lasting for a specified period of time. [FTA_SSL.3(lui), FTA_SSL.3(rui)]
– At the control panel, session timeout occurs after a specified period of user inactivity. A value from 10 seconds to 9 minutes can be specified (Initial value: 2 minutes).
– At a remote UI, session timeout occurs after 15 minutes of user inactivity.
7.2 Function Use Restriction Function

– Supported functional requirements: FDP_ACC.1(exec-job), FDP_ACF.1(exec-job), FMT_MSA.1(exec-job), FMT_MSA.3(exec-job), FMT_SMF.1

For each UI, the TOE provides Function Use Restriction, which controls access based on the contents of the ACT issued to authenticated users. Any queries, modifications, deletions, and additions to the role contained in the ACT are performed by U.ADMINISTRATORs only. For Function Use Restriction, the attribute of the Object is the function itself, and is therefore fixed.

When the control panel is used, Function Use Restriction permits or denies use of functions depending on the settings in "Application Restrictions", which are based on the role contained in the ACT.

When a remote UI is used, Function Use Restriction permits or denies use of functions based on attribute values associated with the role in the ACT.

Only U.ADMINISTRATORs are allowed use of all functions.

Table 32 — Function Use Restriction Policy

UI | Object | Condition | Operation
Control panel | Pointer to [Secured Print] | The role associated with U.USER must have permission to the [Secured Print] function. | Executed by activating the Object.
Control panel | Pointer to [Copy] | The role associated with U.USER must have permission to the [Copy] function. | Executed by activating the Object.
Control panel | Pointer to [Scan and Send] | The role associated with U.USER must have permission to the [Scan and Send] function. | Executed by activating the Object.
Control panel | Pointer to [Fax] | The role associated with U.USER must have permission to the [Scan and Send] function. | Executed by activating the Object.
Control panel | Pointer to [Fax/I-Fax Inbox] | The role associated with U.USER must have permission to the [Access Stored Files] function. | Executed by activating the Object.
Control panel | Pointer to [Access Stored Files] | The role associated with U.USER must have permission to the [Access Stored Files] function. | Executed by activating the Object.
Control panel | Pointer to [Scan and Store] | The role associated with U.USER must have permission to the [Scan and Store] function. | Executed by activating the Object.
Remote UI | Pointer to [Access Received/Stored Files] | The role associated with U.USER is anything other than Administrator. | Cannot be executed.
7.3 Job Output Restriction Functions

For Print, Copy, Scan, and Fax TX jobs, etc., the TOE provides the following security functions to restrict access.

7.3.1 Job Cancel

– Supported functional requirements: FDP_ACC.1(delete-job), FDP_ACF.1(delete-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMF.1

The TOE can delete Print, Copy, Scan, and Fax TX jobs according to the following. The user name of these jobs is initialized with the username of the user that executed the job.
– U.NORMAL is authorized to delete his/her own job.
– U.ADMINISTRATOR is authorized to display a list of all jobs and delete any of them.

With the cancellation of the job, the attribute value attached to the job is deleted.

7.3.2 In The JOB Access Control

– Supported functional requirements: FDP_ACC.1(in-job), FDP_ACF.1(in-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMF.1

The TOE provides the following access control functions for documents in each job. The user name of these jobs is initialized with the username of the user that executed the job.

Copy, Scan, Fax TX Jobs
– Nobody is authorized to read documents in any copy jobs. Note that the owner of the documents and U.ADMINISTRATOR can execute interrupting print.
– Nobody is authorized to read documents in any scan and Fax TX jobs, except in the case of 7.3.3 Temporarily Stored FAX TX Jobs.

Temporarily Stored Print Jobs
If a print job with a PIN is submitted, the job is temporarily stored in the machine without being output. Additionally, it uses the user name associated with the print job to determine its owner, in order to realize access restriction as described below.
For temporarily stored jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.
– Change priority for printing
– Delete
– Printing starts when the PIN for the print job is entered from the control panel of the machine.

For all temporarily stored print jobs, U.ADMINISTRATOR is allowed to display a list of jobs and execute the following:
– Delete
Received Fax Jobs
For documents received by fax/I-fax, the TOE provides the Memory RX Inbox where these jobs may be stored as files, to be output at a later time. Since these are stored in the Memory RX Inbox, access control to this inbox is equivalent to access control to the stored document data. A seven digit PIN can be assigned to the Memory RX Inbox, to prevent unauthorized access by a user. Only U.ADMINISTRATORs are allowed to initialize, set, or modify the PIN on the Memory RX Inbox, which means only U.ADMINISTRATORs are allowed access to the stored document data. The TOE realizes access restriction by determining the U.ADMINISTRATOR that enters the correct PIN to be the owner of the stored document data, preventing any U.NORMAL from executing print or send operations on the document data.

If the control panel is used, U.ADMINISTRATOR is allowed access to the following operations without entering any PIN.
–
– Send
– Delete

If a remote UI is used, U.ADMINISTRATOR is allowed access to the following operations only by entering the correct PIN.
–
– Send
– Delete

Document Data Stored in Mail Box
For Copy, Scan, or Send jobs, the TOE provides Mail Boxes where these jobs may be stored as document data, to be printed or sent at a later time. Since these are stored in Mail Boxes, access control to Mail Boxes is equivalent to access control to the stored document data.
A seven digit PIN can be assigned to a Mail Box, to help prevent unauthorized access by a user.
No PIN is required when storing document data in a Mail Box. The TOE realizes access restriction by determining the U.USER that enters the correct PIN to be the owner of the stored document data.
For document data stored in a Mail Box, the following operations are made available to U.NORMAL only by entering the correct PIN.
–
– Change print settings
– Delete

If the control panel is used, U.ADMINISTRATOR is allowed access to the following operations without entering any PIN.
–
– Change print settings
– Delete
If a remote UI is used, U.ADMINISTRATOR is allowed access to the following operations only by entering the correct PIN.
–
– Change print settings
– Delete

Box PIN
For the PIN set on Mail Boxes/Memory RX Inbox, only U.ADMINISTRATORs assigned the Administrator role are allowed to set or change any PIN. Note however, that U.NORMALs are allowed to change the PIN for the Mail Box they use.

7.3.3 Temporarily Stored FAX TX Jobs

– Supported functional requirements: FDP_ACC.1(delete-job), FDP_ACF.1(delete-job), FDP_ACC.1(in-job), FDP_ACF.1(in-job)

There are two types of Send Jobs: Fax TX job and Scan job. There are the Delayed Send function and the Preview function as Temporarily Stored FAX TX Jobs functions, which store jobs temporarily.

Delayed Send
When the TOE receives a FAX TX job with a transmission time specified, it is first stored temporarily, until it is sent at the specified time.
For temporarily stored FAX TX jobs, the following operations are available to U.NORMALs, only if the user's name matches the user name associated with the desired job.
– Change destination

For all temporarily stored FAX TX jobs, U.ADMINISTRATOR is allowed to execute the following:
– Change destination

Preview
When the TOE receives a FAX TX job with the Preview setting, it is first stored temporarily and previewed, and sent later.
For temporarily stored FAX TX jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.
– Preview
– Delete Pages
– Delete Job

7.4 Forward Received Jobs Function

– Supported functional requirements: FPT_FDI_EXP.1

The design of the TOE prevents received data from being forwarded directly to a server or computer. This function enables the user to restrict forwarding of received jobs to the LAN.
7.5 HDD Data Erase Function

– Supported functional requirements: FDP_RIP.1

By overwriting with random data, the TOE permanently erases document data (including temporary image files) in the HDD, to ensure that no trace of the document data remains on the HDD.
The user can choose one of the following erasure methods:
– Overwrite using the DoD standard
– Overwrite with random data three times
– Overwrite once with random data
– Overwrite once with null data

The timing in which data are erased is specified below.
– Image files temporarily stored in the HDD as a result of job processing are completely erased during or after processing of the job.
– Document data are completely erased from the HDD immediately after being deleted from the Mail Box/Memory RX Inbox.
– Residual information that remained unerased due to a sudden power shutdown is completely erased from the HDD upon startup of the TOE.

7.6 HDD Data Encryption Function

– Supported functional requirements: FPT_CIP_EXP.1

The security functions provided by the TOE's "HDD Data Encryption Board" are described below.
The encryption/decryption function together with the Device Identification and Authentication function provide confidentiality and integrity protection for user data and TSF data stored in the HDD.

7.6.1 Encryption/Decryption Function

– Supported functional requirements: FCS_COP.1(h)

To protect the confidentiality and integrity of user data and TSF data stored in the HDD, the TOE performs the following cryptographic operations to encrypt all data stored in the HDD.
– Encryption of data written to the HDD.
– Decryption of data read out from the HDD.

The cryptographic algorithm and cryptographic key size are specified below:
– AES algorithm (FIPS PUB 197)
– 256 bit key length
7.6.2 Cryptographic Key Management Function

– Supported functional requirements: FCS_CKM.1

The TOE uses the following specifications for generating the cryptographic key that is used by the HDD data encryption function.
– Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
– Generates a cryptographic key with 256 bit key length

The cryptographic key is managed as follows.
– Upon startup, the TOE reads the seed information stored in FlashROM and generates a cryptographic key.
– After generating the cryptographic key, the TOE stores the key in RAM.

No method is available for acquiring the seed from the encryption board. Note also that, because the cryptographic key is stored in volatile RAM memory, it disappears when power is shut off.

7.6.3 Device Identification and Authentication Function

– Supported functional requirements: FPT_PHP.1

The HDD Data Encryption Board identifies the MFP at each startup, and permits access to the HDD only if it is identified as the correct MFP. This function helps prevent unauthorized access to the contents of the HDD, even if the HDD and HDD Data Encryption Board are physically removed and connected to a different MFP.

[Registration of the Authentication ID]
The HDD Data Encryption Board, when it is initially mounted, acquires the device authentication ID from the MFP device, and stores it in FlashROM.

[Procedure for identification and authentication]
Upon startup, the HDD Data Encryption Board generates a pseudo-random number which it passes to the MFP device as the random number of a challenge. The MFP device makes a computation using its device authentication ID and the received random number, and passes the resulting hash value (SHA-1) to the encryption board. The HDD Data Encryption Board performs the same computation in order to verify the response.
Access to the HDD is denied unless the HDD Data Encryption Board confirms successfully that it is mounted on the correct MFP device.

7.7 LAN Data Protection Function

The LAN Data Protection Function encrypts/decrypts all IP packets that are used in communication with an IT device.
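The challenge-response exchange of 7.6.3 above, modelled end to end with both parties as an added example (this is not Canon code and is not part of the security target). The ST states only that the board issues a random challenge, that the MFP hashes its device authentication ID together with the challenge with SHA-1, and that the board recomputes and compares; the concatenation order, the 16-byte ID and challenge sizes, and the class and function names below are assumptions made for the illustration.

```python
"""Device identification and authentication between an HDD encryption board
and an MFP, modelled on the challenge-response described in 7.6.3.

Added example, not Canon code. Assumptions (not given by the ST): the hash
input is ID || challenge, both values are 16 bytes, and a challenge is
answered at most once.
"""
import hashlib
import hmac
import secrets


def response(auth_id: bytes, challenge: bytes) -> bytes:
    """The computation both sides perform (assumed layout: ID || challenge)."""
    return hashlib.sha1(auth_id + challenge).digest()


class EncryptionBoard:
    """Models the HDD Data Encryption Board side of the exchange."""

    def __init__(self) -> None:
        self.stored_id = None   # device authentication ID kept in "FlashROM"
        self._pending = None    # challenge currently outstanding, if any

    def register(self, mfp_id: bytes) -> None:
        # The ID is acquired only at the initial mount; later calls are ignored.
        if self.stored_id is None:
            self.stored_id = mfp_id

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh pseudo-random number
        return self._pending

    def verify(self, resp: bytes) -> bool:
        """True only if resp matches the hash for the outstanding challenge."""
        if self.stored_id is None or self._pending is None:
            return False
        expected = response(self.stored_id, self._pending)
        self._pending = None          # a challenge is usable exactly once
        return hmac.compare_digest(expected, resp)


class Mfp:
    """Models the MFP side: it knows its own device authentication ID."""

    def __init__(self, auth_id: bytes) -> None:
        self.auth_id = auth_id

    def answer(self, chal: bytes) -> bytes:
        return response(self.auth_id, chal)


def hdd_access_granted(board: EncryptionBoard, mfp: Mfp) -> bool:
    """One startup exchange: board challenges, MFP answers, board verifies."""
    return board.verify(mfp.answer(board.challenge()))


if __name__ == "__main__":
    # Constructed sample IDs; a real ID would come from the MFP hardware.
    original = Mfp(b"\x11" * 16)
    board = EncryptionBoard()
    board.register(original.auth_id)
    print("original MFP:", hdd_access_granted(board, original))     # True
    print("other MFP:", hdd_access_granted(board, Mfp(b"\x22" * 16)))  # False
```

The `verify` step clears the outstanding challenge before comparing, so a hash captured from an earlier startup cannot be replayed against a later challenge, and `register` refuses to overwrite an ID that is already stored, matching the "initially mounted" condition in the ST.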
7.7.1 IP Packet Encryption Function

– Supported functional requirements: FCS_COP.1(n), FTP_ITC.1

To ensure confidentiality and integrity of user data and TSF data communicated to and from an IT device, the TOE uses IPSec to encrypt/decrypt all IP packets.
– Encryption of IP packets sent to the LAN
– Decryption of IP packets received from the LAN

The following cryptographic algorithm and cryptographic key sizes are used.
– See Table 24

7.7.2 Cryptographic Key Management Function

– Supported functional requirements: FCS_CKM.1, FCS_CKM.2

The TOE uses the following specifications for generating the cryptographic key that is used by the IP packet encryption function.
– Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
– Generates a cryptographic key with 128/168/192/256 bit key length

The following method is used by the TOE to transmit the cryptographic key used by the IP Packet Encryption Function to the other party.
– ECDH (Elliptic Curve Diffie-Hellman) and DH (Diffie-Hellman) according to SP800-56A

7.8 Self-Test Function

– Supported functional requirements: FPT_TST.1

At startup, the TOE performs the following self-test.
– Checks whether cryptographic algorithms are running properly (AES, 3DES)
– Checks the integrity of the cryptographic key
– Checks the integrity of the executable code of the cryptographic algorithm

7.9 Audit Log Function

– Supported functional requirements: FAU_GEN.1, FAU_GEN.2, FPT_STM.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4

The TOE generates logs for the following events.
– Startup
– Shutdown
– Job completion
– User authentication success/failure
– Logout
– Use of device management functions
– Use of user management functions
– Changes to the date/time setting
– IPSec connection failures

The items that are recorded on each log are listed below. The date/time information is provided by the TOE. The TOE's date/time is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.
– Date/Time, User Name, Event Type, Outcome (Success/Failed)

Other log events may have additional items as described below.
– Job type (job completion)
– Name of the user that failed authentication (authentication failure)

Also, export of audit logs can be performed from a remote UI in order to read out log records, although use of this function is restricted to U.ADMINISTRATORs only.
Users other than U.ADMINISTRATOR are not allowed to export audit logs when logged in to the TOE from a remote UI.
When accessing the TOE from a remote UI, another capability restricted to U.ADMINISTRATORs only is the deletion of log records from the [Deleting Collected Logs] menu.
Users other than U.ADMINISTRATOR are not allowed access to this capability when logged in to the TOE from a remote UI, thus preventing unauthorized alterations from occurring.
A maximum of 20,000 audit records can be maintained. Once this becomes full, the oldest audit record is overwritten with the newest.

7.10 Management Functions

7.10.1 User Management Function

– Supported functional requirements: FIA_SOS.1, FMT_MTD.1(user-mgt), FMT_MSA.1(exec-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMR.1, FMT_SMF.1

In the TOE, only U.ADMINISTRATORs assigned the Administrator role can set, change, or delete user, role, and access restriction information and inbox PINs. General users or U.NORMAL can only change their own passwords and the PIN for the Mail Box they use.

[Setting/Changing/Deleting User, Role, and Access Restriction Information]
New users are registered by setting the user name and password, and assigning a role to the user. Registered user information can be modified by changing the password or the assigned role, or the user's registration can be deleted altogether. User specified passwords are checked to see that they are consistent with the password policy.
Five roles exist, which are called "Base Roles": Administrator, Power User, General User, Limited User, and Guest User. To create a new "Custom Role" different than these, any one of the four base roles excluding Guest User is used as a template for the new role, which can then be registered.
The Administrator role is a role whose base role is "Administrator", and has administrative privileges.
The initial value for "Base Role" can be changed to any one of the four base roles except Guest User.
The access restriction information that determines whether use of certain functions is permitted or denied is specified by the "Application Restrictions" setting, which depends on what role is assigned. Although the initial value of "Application Restrictions" is fixed for base roles, the initial value for "Application Restrictions" can be changed for custom roles.

[Types of Users]
There are two types of users: U.ADMINISTRATOR and U.NORMAL.
– U.ADMINISTRATOR
  User assigned the Administrator role and has administrative privileges.
– U.NORMAL
  General user assigned a role other than the Guest User role or Administrator role.

7.10.2 Device Management Function

– Supported functional requirements: FMT_MTD.1(device-mgt), FMT_SMF.1

To provide for the effective enforcement of security functions, the TOE allows only U.ADMINISTRATORs to set the device management settings in Table 27.
The following settings are also provided.

[Password Policy Settings]
To encourage the use of strong passwords, the following password policy may be set.
– Use a password 4 to 32 characters in length
– Prohibit the use of 3 or more consecutive characters
– Use at least one uppercase character (A to Z)
– Use at least one lowercase character (a to z)
– Use at least one number (0-9)
– Use at least one non-alphabet character (^-@[]:;,./¥!"#$%&'()=~|{`+*}_?><)
– Allowed characters:
  All characters other than control characters

[Lockout Policy Settings]
The number of attempts before lockout and the lockout time can be set.
– Number of attempts before lockout
  Select a value from 1 to 10 (Initial value: 3)
– Lockout time
  Select a value from 1 to 60 minutes (Initial value: 3 minutes)
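The [Password Policy Settings] and [Lockout Policy Settings] above, together with the lockout behaviour described in 7.1, as a worked check in Python. This is an added example, not Canon code and not part of the security target. Assumptions: the rule "3 or more consecutive characters" is read as the same character repeated three or more times in a row (the ST does not say which reading it uses), every policy rule is individually switchable as in the TOE's settings, and the class and function names are invented for the illustration.

```python
"""Password policy and lockout checks modelled on 7.10.2 and 7.1.

Added example, not Canon code. Assumption: "3 or more consecutive characters"
means the same character three or more times in a row. Each rule is optional,
mirroring the TOE's individually selectable policy settings.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed from the non-alphabet character list given in 7.10.2.
NON_ALPHABET = set('^-@[]:;,./¥!"#$%&\'()=~|{`+*}_?><')


@dataclass
class PasswordPolicy:
    min_length: int = 4            # TOE range: 4 to 32 characters
    max_length: int = 32
    no_triple_repeat: bool = False  # assumed reading of "3 or more consecutive"
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False


def _has_triple_repeat(pw: str) -> bool:
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def _has_control_char(pw: str) -> bool:
    # "All characters other than control characters" are allowed.
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in pw)


def check_password(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of violated rules; an empty list means accepted."""
    violations = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        violations.append("length")
    if _has_control_char(pw):
        violations.append("control-char")
    if policy.no_triple_repeat and _has_triple_repeat(pw):
        violations.append("repeat")
    if policy.require_upper and not any("A" <= c <= "Z" for c in pw):
        violations.append("upper")
    if policy.require_lower and not any("a" <= c <= "z" for c in pw):
        violations.append("lower")
    if policy.require_digit and not any("0" <= c <= "9" for c in pw):
        violations.append("digit")
    if policy.require_symbol and not any(c in NON_ALPHABET for c in pw):
        violations.append("symbol")
    return violations


class LockoutTracker:
    """Lockout after N consecutive failures for T minutes (7.1, FIA_AFL.1)."""

    def __init__(self, max_attempts: int = 3, lockout_minutes: int = 3) -> None:
        # Ranges are those of the TOE's lockout policy settings.
        if not (1 <= max_attempts <= 10 and 1 <= lockout_minutes <= 60):
            raise ValueError("setting outside the permitted range")
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self._failures: dict[str, int] = {}      # user -> consecutive failures
        self._locked_until: dict[str, float] = {}  # user -> unix time lock ends

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; returns True if the user is now locked out."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password during lockout is still refused; else reset."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True
```

`check_password` reports every violated rule rather than stopping at the first one, which is what an administrator testing a proposed policy needs; `LockoutTracker.record_success` refuses a correct password while the lockout time is running, matching "will not be able to login until the lockout time passes" in 7.1.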
END