canon imagerunner advance c350/c250 series 2600.1 model … · 2016-07-15 · title: canon...


Page 1: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model
Security Target

Version 1.09
2015/09/28
Canon Inc.

This document is a translation of the evaluated and certified security target written in Japanese.

Date of Issue: 2015/09/28
Copyright Canon Inc. 2015

Table of Contents

1 ST introduction
1.1 ST reference
1.2 TOE reference
1.3 TOE overview
1.4 Terms and Abbreviations
1.5 TOE description
1.6 Scope of the TOE
1.6.1 Physical Scope of the TOE
1.6.2 Logical Scope of the TOE
1.7 Users of the TOE
1.8 Assets
1.8.1 User Data
1.8.2 TSF Data
1.8.3 Functions
2 Conformance claims
2.1 CC Conformance claim
2.2 PP claim, Package claim
2.3 SFR Packages
2.3.1 SFR Packages reference
2.3.2 SFR Package functions
2.3.3 SFR Package attributes
2.4 PP Conformance rationale
3 Security Problem Definition
3.1 Notational conventions
3.2 Threats agents
3.3 Threats to TOE Assets
3.4 Organizational Security Policies
3.5 Assumptions
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the IT environment
4.3 Security Objectives for the non-IT environment
4.4 Security Objectives rationale
5 Extended components definition (APE_ECD)
5.1 FPT_CIP_EXP Confidentiality and integrity of stored data
5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces
6 Security requirements
6.1 Security functional requirements
6.1.1 User Authentication Function
6.1.2 Function Use Restriction Function
6.1.3 Job Output Restriction Functions
6.1.4 Forward Received Jobs Function
6.1.5 HDD Data Erase Function
6.1.6 HDD Data Encryption Function
6.1.7 LAN Data Protection Function
6.1.8 Self-Test Function
6.1.9 Audit Log Function
6.1.10 Management Function
6.2 Security assurance requirements
6.3 Security functional requirements rationale
6.3.1 The completeness of security requirements
6.3.2 The sufficiency of security requirements
6.3.3 The dependencies of security requirements
6.4 Security assurance requirements rationale
7 TOE Summary specification
7.1 User Authentication Function
7.2 Function Use Restriction Function
7.3 Job Output Restriction Functions
7.3.1 Job Cancel
7.3.2 In The JOB Access Control
7.3.3 Temporarily Stored FAX TX Jobs
7.4 Forward Received Jobs Function
7.5 HDD Data Erase Function
7.6 HDD Data Encryption Function
7.6.1 Encryption/Decryption Function
7.6.2 Cryptographic Key Management Function
7.6.3 Device Identification and Authentication Function
7.7 LAN Data Protection Function
7.7.1 IP Packet Encryption Function
7.7.2 Cryptographic Key Management Function
7.8 Self-Test Function
7.9 Audit Log Function
7.10 Management Functions
7.10.1 User Management Function
7.10.2 Device Management Function

Trademark Notice

- Canon, the Canon logo, imageRUNNER, imageRUNNER ADVANCE, MEAP, and the MEAP logo are trademarks of Canon Inc.
- Microsoft, Windows, Windows XP, Windows 2000, Windows Vista, and Active Directory are trademarks or registered trademarks of Microsoft Corporation in the US.
- Mac OS is a trademark of Apple Computer Inc. in the US.
- Oracle and Java are registered trademarks of Oracle Corporation and its affiliates in the United States and in other countries.
- All names of companies and products contained herein are trademarks or registered trademarks of the respective companies.
- Portions of sections 1.1, 1.4, 5.3, 7, 8, 9, 10.1, 10.4, 10.5, 10.6, 11, 12.2, 12.3, 12.4, 13.2, 14.2, 15.2, 16.2, 17.2, 18.2, 19.2, 19.3, 19.4, Annex A and Annex B are reprinted with permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08854, from IEEE 2600.1(tm)-2009 Standard for a Protection Profile in Operational Environment A, Copyright(c) 2009 IEEE. All rights reserved.

1 ST introduction

1.1 ST reference

This section provides the Security Target (ST) identification information.

ST name: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target
Version: 1.09
Issued by: Canon Inc.
Date of Issue: 2015/09/28
Keywords: IEEE 2600, Canon, imageRUNNER, iR, Advance, digital MFP, multifunction product (MFP), copy, print, fax, send, facsimile, identification, authentication, access control, log, encryption, Secured Print, BOX, security kit

1.2 TOE reference

This section provides the TOE identification information.

TOE name: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model
Version: 1.0

The TOE is comprised of the following software, hardware, and licenses.

- iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria Ver 1.00
- Canon imageRUNNER ADVANCE C350/C250 Series
- HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
- Super G3 FAX Board-AN1 (Standard equipment on "F" and "iF" models)
- Access Management System (License option: Standard-equipment in the United States and Canada)

*Japanese Name

- iR-ADV Security Kit-J1 for IEEE 2600.1 Ver 1.00
- Canon imageRUNNER ADVANCE C350/C250 Series
- HDD Data Encryption Kit-C (Canon MFP Security Chip 2.01)
- Super G3 FAX Board-AN1 (Standard-equipment on "F" and "iF" model)
- Access Management System (License option: Standard-equipment in Japan)

1.3 TOE overview

The TOE is a digital multi-function product (MFP) known as < Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model >. This is a version of the standard model < Canon imageRUNNER ADVANCE C350/C250 Series > which by installing/attaching the following 3 (or 4) products and making the proper settings, makes up the < Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model > or TOE.

- iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria
- HDD Data Encryption Kit
- Fax Board (Standard-equipment on "F" model)
- (Access Management System) [1]
  For machines in Japan, this option is attached to MFP as "Security Option Kit-A1" by default.
  For machines in the United States and Canada, this option is standard-equipped.
  For machines in Asia and Oceania, "ACCESS MANAGEMENT SYSTEM KIT-B1" option is needed.

< iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria > contains the < 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A > control software and security kit license.
HDD Data Encryption Board is the hardware that encrypts all data stored in the HDD (including software).
Fax Board is the hardware to use a fax facility.

< Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model > is capable of fully implementing the Protection Profile (PP) for Multi-Function Products indicated below, as well as the security functions required by the 7 SFR Packages defined in the PP.

Protection Profile

- 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A

SFR Packages

- 2600.1-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment A
- 2600.1-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment A
- 2600.1-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment A
- 2600.1-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment A
- 2600.1-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment A
- 2600.1-NVS, SFR Package for Hardcopy Device Nonvolatile Storage Functions, Operational Environment A
- 2600.1-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment A

[1] "Access Management System" is a license option. The component of "Access Management System" is included in iR-ADV Security Kit-J1 for IEEE 2600.1 Common Criteria.

1.4 Terms and Abbreviations

The following terms and abbreviations are used throughout this ST.

Table 1 - Terms and Abbreviations

| Terms/Abbreviations | Description |
|---|---|
| Multi-Function Product (MFP) | A machine that incorporates the functionality of multiple devices in one, such as copier, fax, printer, and Universal Send, and containing a large capacity HDD to facilitate such capabilities. |
| Control software | Software that runs on the hardware of the device, and controls security functions. |
| Control panel | One of the hardware elements of the MFP, consisting of a touch panel and operation keys, which provides the interface for operation of the MFP. |
| Remote UI | An interface that provides access to the MFP from a Web browser via the LAN, to allow the acquisition of operating status, perform job operations or BOX operations, and making various settings. |
| HDD | Hard disk drive mounted on the MFP, where control software and assets are stored. |
| I-Fax | Short for Internet Fax. Uses the Internet to receive and send faxes. |
| Image file | Image data generated within the MFP, from operations such as scan, print, and receive. |
| Temporary image file | Image files generated during jobs such as Copy and Print, which are needed only until the job completes. |
| Roles | Used by access restriction functions to restrict the functions that each user can use. One role is associated with each user. In addition to pre-defined default roles, default roles may be modified to create custom roles. The default roles are: Administrator, Power User, General User, Limited User, and Guest User. |
| Administrator | A user assigned the Administrator role is capable of using management operations (administrative privileges). User assigned the Administrator role and has administrative privileges. Equivalent to U.ADMINISTRATOR defined in the PP. |
| Job | When a user uses the functions of the TOE to execute an operation on a document, a Job is the intended document data combined with the user instructions for processing those data. The operations that can be performed on a document are: Scan, Print, Copy, Fax TX, Save, and Delete. The processing phases for a Job issued by the user are: generation, execution, and completion. |
| Document data | User data processed within the MFP, consisting of image files and attribute information. |
| Memory RX (Reception) | Allows data received by fax/I-fax to be stored in the Memory RX Inbox for later processing. |
| Memory RX Inbox | When memory reception is set, documents received by fax/I-fax are stored in the Memory RX Inbox. Stored documents can be printed or sent later. |
| Mail server | Server that facilitates I-fax transmission or email transmission of document data in the MFP. |
| User authentication server | Server that maintains user information such as user ID and password, for user authentication over the network. |
| Firewall | Device or system designed to protect the internal LAN against threats from the Internet. |
| Time server | Server that uses the Network Time Protocol to provide the accurate time over the Internet. |
| [Secured Print] | A button on the control panel that activates the Secured Print function (print jobs with a PIN). |
| [Copy] | A button on the control panel that activates the Copy function. |
| [Fax] | A button on the control panel that activates the Fax function. |
| [Scan] | Indicates the [Scan and Send] button on the control panel, which allows scanned documents to be sent to some location such as to an email address or a shared folder in a PC. |
| [Fax/I-Fax Inbox] | A button on the control panel that activates the Fax/I-Fax Inbox function. There is Memory RX Inbox to store files received by Fax and I-Fax. |
| [Access Stored Files] | A button on the control panel that allows the user to access files stored in Memory RX Inbox. |
| Remote UI [Fax/I-Fax Inbox] | A button on the remote UI that allows the user to access files stored in Memory RX Inbox. |

1.5 TOE description

The TOE is a MFP that offers Copy, Print, Universal Send, Fax, and I-Fax RX capabilities. The TOE, which conforms to "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" is designed to operate in an environment such as the one shown below (as excerpted from "2600.1, Protection Profile for Hardcopy Devices, Operational Environment A" clause "1.1 Scope").

This standard is for a Protection Profile for Hardcopy Devices in a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance are required. The typical information processed in this environment is trade secret, mission critical, or subject to legal and regulatory considerations, such as for privacy or governance. This environment is not intended to support life-critical or national security applications. This environment will be known as "Operational Environment A."

Figure 1 shows the environment for which the TOE or < Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model > has been designed, with options included. Since not all of these features may be required, the actual operational environment is expected to differ than what is shown here.

Figure 1 The assumed operational environment of the MFP < Canon imageRUNNER ADVANCE C350/C250 Series >
(Diagram labels: Multi-Function Product with HDD and Memory RX Inbox; paper documents (Copy, Print, Send); PC (Print, Print via USB connection); Web browser / Remote UI; Mail server (Send via I-Fax/E-Mail, Receive I-Fax); User authentication server (User authentication, Authentication result); Time server; Firewall; Internet; LAN; PSTN (Fax RX, Fax TX); Network fax.)

In Figure 1, the MFP is connected by an internal LAN, to all of the other major components, namely the Mail Server, User Authentication Server, PC, and Firewall. Furthermore, the internal LAN is protected by Firewall from threats from the Internet. To send (via I-Fax or email) a previously scanned document or when receiving a document by I-Fax for example, the MFP connects to the Mail Server. By using a PC with a Web browser [2], functions such as printing, storing, or I-Fax can also be executed remotely. However, in order to print from a PC, the appropriate printer driver needs to be installed in the PC. Alternatively, a USB cable could be used to connect the PC directly, and print or store document data from the PC. In this case, some configuration is required initially, in order to protect against data being taken out of the MFP and stored in a PC or USB device. Additionally, by attaching a fax board to the TOE, faxes can be sent and received over phone lines via the fax board.

[2] This evaluation was performed using Microsoft Internet Explorer 8 as the Web browser.

The TOE also obtains accurate time from the Time server for time synchronization, and supports user authentication through the External Authentication Server. The functions available to the MFP in such an environment are listed below:

- Copy function
  Produces duplicates of the hardcopy document by scanning and printing.
- Print function
  Produces a hardcopy document from its electronic form (contained in the MFP or sent from a PC).
- I-Fax RX (receive) function
  Uses the Internet to receive faxes. Data received by I-fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax RX (receive) function
  Uses a fax line to receive faxes. Data received by fax is not printed immediately; rather it is stored in Memory RX Inbox for processing at a later time. Stored documents can be printed, sent or deleted later.
- Fax TX (send) function
  Scanned document data or electronic documents stored in Memory RX Inbox can be retrieved for transmission by fax.
- Universal Send function
  Scanned document data or electronic documents stored in Memory RX Inbox can be transmitted by email or I-fax, or sent to a shared folder on a PC, in TIFF or PDF file format.

Page 10: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

1.6 S

The TOEis design

The phys

1.6.1

The TOEillustrate

In Figure>.

Note alsoCriteria >

The TMFP m

< Canonthe follow

ProductiR-ADViR-ADV

* In Japa

The docu

(Eng- ima

- -

- ima-

Scope of th

E conforms toned to meet th

sical and logi

Physical S

E is a MFP cd in Figure 2

Fax

("F momodel” with Fa

de

(TOE: H

e 2, "Control

o that the "M> makes up th

TOE or < Canmain unit com

imageRUNNwing product

ts V C350F, iR-V C250iF, iRan, only iR-AD

umentation fo

glish Name) ageRUNNER

imageRUNNACCESS MGuide

ageRUNNER imageRUNN

he TOE

o "2600.1, Prhe requiremen

ical scopes of

Scope of the

consisting of 2.

Figure 2 Ha

x Board

del" or “iF is equipped

ax Board by efault)

Hardware)

Software" re

MFP Main Unihe MFP main

non imageRUmbined with t

NER ADVANt lineup.

-ADV C350iFR-ADV C250i

DV C350F is

or the TOE is

ADVANCE NER ADVAN

MANAGEME

ADVANCE NER ADVAN

rotection Profnts specified t

f the TOE are

e TOE

f hardware an

ardware and

C

(

Canon imaC

(

efers to the <

it" together wunit.

UNNER ADVthe Encryptio

NCE C350/C

Table 2 -

F, iR-ADV Ci, iR-ADV C2s sold.

listed below.

C350/C250 SNCE C350iF/ENT SYSTEM

C350/C250 SNCE C350i/C

10

file for Hardctherein, as de

e described be

nd software c

d software c

Control Softwar

( TOE Software

ageRUNNER C350/C250 Seri

MFP Main Un

(TOE: Hardwar

iR-ADV Sec

with the < iR-

VANCE C35on Board and

250 Series >

Line of Pro

C350i, iR-ADV250

.

Series 2600.1/C250iF e-MM Individual

Series 2600.1C250i e-Manu

C

copy Devicesescribed below

elow.

components.

components

re

e )

ADVANCE ies

it

re)

curity Kit-J1

-ADV Securit

50/C250 Serithe Fax Boar

, or the hardw

ducts

V C350,

model e-Maanual Management

model e-Maual

Date

Copyright Ca

s, Operationaw.

The physical

s of the TOE

HDD Encryptio

(TOE: Ha

for IEEE 260

ty Kit-J1 for

es 2600.1 mord.

ware making

anual CD (US

t Configuratio

anual CD (AP

e of Issue: 201

anon Inc. 20

al Environmen

l scope of th

E

Data on Board

ardware)

00.1 Commo

IEEE 2600.1

odel > consi

up the TOE

SE Version)

on Administr

PE Version)

15/09/28

015

nt A" and

he TOE is

n Criteria

Common

sts of the

, refers to

rator

Page 11: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

-

– iR-A– Befo– HD

(Japa- ima

- -

- iR-A- Befo- HDD

1.6.2

The logicServer, P

In additio

-

ACCESS MGuide

ADV Securityfore Using the

DD Data Enc

anese Name) ageRUNNER

imageRUNNACCESS MGuide

ADV Securityfore Using theD Data Encry

Logical Sc

cal scope of PC, and Time

U

User

LAN D

User A

AuthIn

TOE

on to the capa

UI Functio

MANAGEME

y Kit-J1 for Ie iR-ADV Secryption Ki

ADVANCE NER ADVAN

MANAGEME

y Kit-J1 for Ie iR-ADV Seyption Kit Us

cope of the

the TOE is ilServer). In th

Figure 3

UI Func

Auth Server

Data Protection

Auth Function

nfo

P

S

Function Use Re

Job Output Rest

Management Fu

Operate/

Display

abilities descr

onality

ENT SYSTEM

IEEE 2600.1 ecurity Kit-J1t Reference

C350/C250 SNCE C350F eENT SYSTEM

IEEE 2600.1 Aecurity Kit-J1ser's Guide

TOE

llustrated in Fhe table, the s

3 Funct

LAN

User

Mail Server

LAN Data Prote

Email Functio

DocData

Ha

do

Input Fun

Print

Scan S

C

estriction

triction

unction

ribed in Secti

11

M Individual

Common Cri for IEEE 26

e Guide

Series 2600.1e-Manual M Individual

Administrato for IEEE 26

Figure 3 (excsecurity funct

tional config

N Data Protection Fu

r

ction

on

LAN

W

DocD

ardcopy

ocument

Output Func

Send

CopyMemInbox

User Authenticatio

Self-Test

Har

doc

Forward Received J

Re

ion 1.5, the T

C

Management

iteria Certific00.1 Commo

model e-Ma

Management

or Guide 00.1

cluding: Usertions of the T

guration of t

unction

PC

Data Protection

Web Browser

Data

unc

mory RX x

on H

rdcopy

cument

Jobs

eceive

TOE embodie

Date

Copyright Ca

t Configuratio

cation Adminion Criteria Ce

anual

t Configuratio

r, User AutheTOE are show

the TOE

HDD

Time Serv

Time Func

TimeInfo

HDD Data Erase

HDD Data Encrypti

Audit Log

LAN Data Pro

s the followin

on Administr

istrator Guideertification

on Administr

entication Serwn in blue.

ver

ction

ion

otection

Document d

Document d

ng basic func

rator

e

rator

rver, Mail

Flow of data

PCdata

USB connection

FAXdata

Phone line

ctionality.

-

-

The TOE

-

-

-

-

-

-

-

-

-

3 This evsoftware 4 This evauthentic

Enables theon the contr

Output Fun

Enables the

Input Funct

Enables the

E embodies th

User Authe

Performs au

Two types takes placeauthenticati

Function U

Uses role m

Job Output

This functiothe job.

Forward Re

This functiprovided as

HDD Data

Function foprevent una

HDD Data

Because theremoved fothreat by idAdditionalldata.

LAN Data P

To protect L

Self-Test Fu

When the mrunning pro

Audit Log F

Allows audprotected an

The date/timis set by th

valuation wasfor Kerberos

valuation wascation.

e user to operrol panel.

nctionality

e TOE to outp

tionality

e TOE to inpu

he following s

entication Fun

uthentication

of user authe internally wion server. Ex

se Restriction

management to

Restriction F

on restricts a

eceived Jobs F

on restricts ts a counterme

Erase Functio

or erasing unauthorized use

Encryption F

e HDD (alonor unauthorizedentifying thy, all data sto

Protection Fu

LAN data fro

unction

machine staroperly.

Function

diting of usernd can be vie

me recorded oe Manageme

s performed u. s performed u

rate the TOE

put hardcopy

ut hardcopy d

security func

nction

on the user, t

entication arewithin the TOxternal authen

n Function

o restrict the

Function

ccess to print

Function

the machine easure against

on

nnecessary dae of previous

Function

e or togethered access to i

he MFP at stored in the H

unction

m IP packet s

rts, this func

r operations bewed.

on the audit lent Function,

using Active D

using eDirecto

from the con

documents.

documents.

tions.

to prevent any

e supported: OE, and Extentication uses

functions tha

t, cancel, and

from forwart threats arisin

ata from the sly generated

r with the HDits contents, ttartup, so tha

HDD are encr

sniffing, IP p

tion checks

by generating

og is provideor is set by t

Directory Dom

ory 8.8 SP7 a

ntrol panel, a

y unauthorize

Internal Auternal Authents Kerberos3 o

at each authen

d other job op

rding receiveng from misu

hard disk byimage data.

DD Data Encrthe HDD Daat it may onrypted to prot

ackets are en

to see that t

g logs stored

ed by the TOEtime synchro

main Services

s the authent

and the TOE

ed access to t

thentication wtication that or LDAP4 au

nticated user

perations, to

ed data direcuse of the fax

y overwriting

ryption Boardta Encryptionly be used wtect the confi

ncrypted using

the primary

in the HDD.

E. The TOE'sonization whe

2 as the auth

tication serve

to display inf

the TOE.

wherein autheuses an exte

uthentication.

can use.

the user that

ctly to the Lx line.

g the data, in

d) could poten Board addrwith the corridentiality of

g IPSec.

security func

. Stored audi

s date/time infen the accura

hentication se

er software for

formation

entication ernal user

executed

AN. It is

n order to

entially be resses this rect MFP. the HDD

ctions are

t logs are

formation ate time is

rver

r LDAP

-

1.7 U

Th

DesignU.USE U.N

U.A

1.8 A

The

1.8.1

Useof u

DesignD.DOC

D.FUN

1.8.2 T

TSFD.P

DesignD.PRO

D.CON

obtained fro

Managemen

Consists of managemenspecified by

Users of the

he TOE has tw

nation ER NORMAL

ADMINISTRA

Assets

ere are three t

User Data

er data are creuser data: D.D

nation DefC Use

inclresidoc

NC Usethe

TSF Data

F Data are daPROT and D.C

nation DefiOT TSF

Admthe T

NF TSFneithsecu

om the Time

nt Function

user managent functions why Administrato

e TOE

wo types of u

DefiAnyA Ufunc

ATOR A Uportpolicapa

types of asset

eated by the DOC and D.F

finition er Document ludes the origdually-stored ument and pri

er Function DTOE.

ata that have CONF.

finition F Protected Dministrator norTOE, but for w

F Confidentialher an Adminurity of the TO

Server.

ment functionhich enable prors.

users (U.USE

Tab

finition y authorized UUser who is ctions of the TUser who hastion or all of cy (TSP). Aabilities to ove

s: user data, T

user, and havUNC.

Table

Data consistinal documen

data createdinted hardcop

ata are the inf

an effect on

Table

Data are assr the owner ofwhich disclos

l Data are assenistrator nor thOE.

ns such as usroper operatio

R): U.NORM

ble 3 - Users

User. authorized t

TOE. s been specif

f the TOE anddministrators erride portion

TSF data, and

ve no effect o

e 4 - User Da

t of the infornt itself in eithd by the hay output.

formation abo

TOE securit

e 5 - TSF Da

sets for whicf the data wou

sure is accepta

ets for which he owner of th

ser registrationon of various s

MAL and U.A

s

to perform U

fically grantedd whose actio

may possesss of the TSP.

d functions.

on TOE secu

ata

rmation contaher hardcopy ardcopy devic

out a user's do

ty functions.

ta

ch alteration uld have an efable.

either discloshe data would

n and role msecurity functi

ADMINISTRA

User Docume

d the authorions may affes special priv

urity function

ained in a usor electronic ce while pro

ocument or jo

There are tw

by a User ffect on the op

sure or alteratid have an effe

management, aions, which ca

ATOR

ent Data pro

ity to manageect the TOE svileges that p

s. There are t

ser's documenform, image

ocessing an

ob to be proce

wo types of T

who is neitperational secu

ion by a Userect on the oper

and device an only be

ocessing

e some security provide

two types

nt. This data, or original

essed by

TSF data:

ther an urity of

r who is rational

A list of

Type D.PROT

D.CONF

1.8.3

Refer to

the TSF data

TSF dataT User name

Role

Lockout settings Password settings

Auto Rsetting Date/TimeHDD Dsetting

IPSec sett

F Password

Audit logsBox PIN

Functions

the functions

used in this T

a e

policy

policy

Reset Time

e setting Data Erase

tings

s

s listed in Tab

TOE is given

Table 6 -

DescriptioUser idenidentificatiUsed by functions tSettings foattempts bPolicy for minimum combinatioSettings fo

Specifies tSettings fothe settingfunction.Settings fincludingData ProtePassword IdentificatiLogs generPIN used where thefunctions.

ble 7.

n in Table 6.

- List of TSF

on ntification inion and autheaccess restri

that each useror the lockouefore lockoutthe passwordpassword le

on of characteor session tim

the date and tor the HDD gs to enable

for the LAthe settings

ection functioused to aut

ion and Authrated by the Afor access co data is stor

F data

nformation uentication funiction functir can use. ut function, t and the lockd for user autength, allower types.

meout in the co

ime that is seData Erase

or disable th

AN Data Pto enable o

on. thenticate thehentication funAudit Log funontrol to the red, for Job

used by thnction. ions to restr

such as numkout time. thentication, s

wed character

ontrol panel.

et. function, inc

he HDD Data

rotection fuor disable the

e user in thnction. nction. Memory RXOutput Res

Stoe user HD

rict the HD

mber of HD

such as rs, and

HD

NomeRT

cluding a Erase

Nome

unction, e LAN

Nome

he User HD

HDX Inbox

triction HD

ored in DD

DD

DD

DD

n-volatile mory

TC n-volatile mory

n-volatile mory

DD

DD DD

2 Co

2.1 C

This ST c

-

-

-

2.2 P

This ST c

- Title

-

This ST i

-

-

-

-

-

-

-

2.3 S

2.3.1 S

Title: 260Package CommonCommonPackage Usage: TMFPs) thoutput. Title: 260Package CommonCommonPackage Usage: TMFPs) thoutput.

onformanc

CC Conform

conforms to t

Common C

Common C

Assurance

PP claim, P

conforms to t

e : 2600.1, Pro

Version:1.0

is package-co

2600.1-PRT

2600.1-SCN

2600.1-CPY

2600.1-FAX

2600.1-DSR

2600.1-NV

2600.1-SM

SFR Packag

SFR Packa

00.1-PRT, SFRversion: 1.0,

n Criteria versn Criteria conf

conformanceThis SFR packhat perform a p

00.1-SCN, SFversion: 1.0,

n Criteria versn Criteria conf

conformanceThis SFR packhat perform a s

ce claims

mance clai

the following

Criteria version

Criteria confor

level:

Package cla

the following

otection Profil

0, dated June 2

onformant to

T conformant

N conformant

Y conformant

X conformant

R conformant

VS augmented

MI augmented

ges

ages refere

R Package fordated June 20

sion: Version formance: Pa

e: EAL3 augmkage shall be uprinting functi

FR Package fodated June 20

sion: Version formance: Pa

e: EAL3 augmkage shall be uscanning func

m

g Common Cr

n:

rmance:

aim

g Protection P

e for Hardcop

2009

and package

t

t

t

t

t

ence

r Hardcopy D009 3.1 Revision

art 2 and Part 3mented by ALCused for HCD ion in which e

or Hardcopy D009 3.1 Revision

art 2 and Part 3mented by ALCused for HCD ction in which

riteria (CC).

Version 3.

Part 2 exte

EAL3 augm

Profile (PP).

py Devices, Op

-augmented b

Device Print Fu

2 3 conformantC_FLR.2 products (suc

electronic doc

Device Scan Fu

2 3 conformantC_FLR.2 products (sucphysical docu

1 Release 4

ended and Part

mented by AL

perational Env

by the follow

unctions, Oper

ch as printers, cument input i

unctions, Ope

ch as scannersument input is

t 3 conforman

LC_FLR.2

vironment A

wing SFR pack

rational Envir

paper-based fis converted to

erational Envir

, paper-based s converted to

nt

kages:

ronment A

fax machines,o physical doc

ronment A

fax machineso electronic do

and cument

s, and ocument

Title: 260Package CommonCommonPackage Usage: Tfunction i Title: 260Package CommonCommonPackage Usage: Tscanning transmissto physic Title: 260OperationPackage CommonCommonPackage Usage: Tretrieval f Title: 260EnvironmPackage CommonCommonPackage Usage: Tnonvolatiby authorRemovabsupplied Title: 260EnvironmPackage CommonCommonPackage Usage: Tcommunisuch as wprovide aIf such pr

2.3.2

FunfuncProf

00.1-CPY, SFversion: 1.0,

n Criteria versn Criteria conf

conformanceThis Protectionin which phys

00.1-FAX, SFversion: 1.0,

n Criteria versn Criteria conf

conformanceThis SFR pack

function in wsion, and a prial document o

00.1-DSR, SFnal Environmeversion: 1.0,

n Criteria versn Criteria conf

conformanceThis SFR packfeature in whi

00.1-NVS, SFment A

version: 1.0, n Criteria versn Criteria conf

conformanceThis SFR packile storage devrized personneble Nonvolatilonly by the T

00.1-SMI, SFRment A

version: 1.0, n Criteria versn Criteria conf

conformanceThis SFR packications mediu

wired network a trusted channrotection is su

SFR Pack

nctions performctions that arefile, are listed

FR Package fodated June 20

sion: Version formance: Pa

e: EAL3 augmn Profile shall sical documen

FR Package fodated June 20

sion: Version formance: Pa

e: EAL3 augmkage shall be uwhich physicalinting functionoutput.

FR Package foent A dated June 20

sion: Version formance: Pa

e: EAL3 augmkage shall be uich a documen

FR Package fo

dated June 20sion: Version formance: Pa

e: EAL3 augmkage shall be uvice (NVS) thel. This packale Storage devOE environm

R Package for

dated June 20sion: Version formance: Pa

e: EAL3 augmkage shall be uum which, in media and m

nel function alupplied by only

kage functi

m processing, e allowed, buin Table 7:

or Hardcopy D009 3.1 Revision

art 2 and Part 3mented by ALC

be used for Hnt input is dup

or Hardcopy D009 3.1 Revision

art 2 and Part 3mented by ALCused for HCD l document inpn in which a te

or Hardcopy D

009 3.1 Revision

art 2 and Part 3mented by ALCused for HCD nt is stored du

or Hardcopy D

009 3.1 Revision

art 2 extended mented by ALCused for produhat is part of thage applies forvices from una

ment, then this

r Hardcopy D

009 3.1 Revision

art 2 extended mented by ALCused for HCD conventional ost radio frequllowing for sey the TOE env

ons

storage, and ut not require

Table 7 - SFR

Device Copy F

2 3 conformantC_FLR.2

HCD products licated to phy

Device Fax Fu

2 3 conformantC_FLR.2 products (suc

put is converteelephone-base

Device Docum

2 3 conformantC_FLR.2 products (suc

uring one job a

Device Nonvol

2 and Part 3 co

C_FLR.2 ucts that providhe evaluated Tr TOEs that prauthorized dispackage cann

evice Shared-

2 and Part 3 co

C_FLR.2 products that practice, is oruency wirelesecure and authvironment, th

transmission ed in any par

R Package f

Functions, Ope

(such as copiysical documen

nctions, Oper

ch as fax mached to a telephoed document f

ment Storage an

ch as MFPs) thand retrieved d

latile Storage

onformant

de storage of UTOE but is desrovide the abilclosure and m

not be claimed

-medium Inter

onformant

transmit or rer can be simulss media. Thishenticated comen this packag

of data that mticular confor

functions

erational Envi

iers and MFPsnt output.

rational Enviro

hines and MFPone-based docfacsimile (fax)

nd Retrieval (

hat perform a during one or

Functions, Op

User Data or Tsigned to be relity to protect

modification. Id.

rface Function

eceive User Dltaneously accs package applmmunication wge cannot be c

may be presentrming Securit

ironment A

s) that perform

onment A

Ps) that perforcument facsim) reception is

(DSR) Functio

document stomore subsequ

perational

TSF Data in aemoved from data stored on

If such protect

ns, Operationa

Data or TSF Dacessed by multlies for TOEs with other IT sclaimed.

t in HCD prodty Target or P

m a copy

rm a mile (fax) converted

ons,

orage and uent jobs.

a the TOE n tion is

al

ata over a tiple users, that

systems.

ducts. The Protection

DesigF.PRT

F.SCN

F.CPY

F.FAX

F.DSR

F.NV

F.SMI

2.3.3 S

Wassoto dThe Prof

2.4 P

In additioMemory is approp

In this ST

In the fol

In terms other OS

This OSP

As such:

- All

gnation DefT Prin

outpN Scan

docuY Cop

outpX Fax

docudocu

R Docand

S Nondeviauth

I Shara coaccewire

SFR Packa

hen a functionociated with thistinguish diff attributes thafile, are listed

Designation +PRT +SCN +CPY +FAXIN +FAXOUT +DSR +NVS +SMI

PP Conform

on to the primRX Inbox fu

priate to confo

T, F.DSR refe

llowing, the S

of the SecurSP:

P.HDD.ACCP is a restricti

TOEs that w

finition nting: a functioput nning: a funument output

pying: a functiput ing: a functioument facsimument facsimicument storagretrieved duri

nvolatile storaice that is parhorized personred-medium iommunicationessed by muleless media

age attribut

n is performinhat particular dferences in Seat are allowedin Table 8:

T

Definition Indicates dIndicates dIndicates dIndicates dIndicates dIndicates dIndicates dIndicates dinterface.

mance ratio

mary functionunction, HDDform to the SF

ers to Memor

ST is compar

rity Problem

CESS.AUTHOion on the TO

would meet th

on in which e

nction in wh

ion in which p

on in which pmile (fax) traile (fax) recep

ge and retrievaing one or mo

age: a functionrt of the evalunnel nterface: a fun

ns medium whltiple users,

tes

ng processingdata as a secu

ecurity Functiod, but not requ

Table 8 - SFR

data that are asdata that are asdata that are asdata that are asdata that are asdata that are asdata that are stodata that are

onale

nality of the D encryption FR Packages

ry RX Inbox.

red against the

Definition, th

ORIZATIONOE, rather tha

he security p

electronic docu

ich physical

physical docu

physical docuansmission, aption is converal: a function ore subsequentn that stores Uuated TOE bu

nction that trahich, in convsuch as wire

, storage, or turity attribute. onal Requirem

uired in any pa

R Package a

ssociated withssociated withssociated withssociated withssociated withssociated withored on a none transmitted

MFP (Copy, function, and(Chapter 2.2

e PP containi

he ST is equi

an a restriction

problem defin

ument input is

document in

ument input is

ument input isand a functiorted to physicin which a dot jobs

User Data or Tut is designed

ansmits or receentional pract

ed network m

ransmission oThis attribute

ments that departicular confo

attributes

h a print job.h a scan job.h a copy job.h an inbound (rh an outbound h a document snvolatile storagd or received

Print, Scan, d the LAN daPP claim, Pac

ing seven SFR

ivalent to the

n on the oper

nition in the S

s converted to

nput is conv

s duplicated to

s converted toon in which al document oocument is st

TSF Data on ato be remove

eives User Datice, is or can

media and mo

of data, the idee in the TOE mpend on the fuorming Securi

received) fax (sent) fax job

storage and rege device. d over a sh

and Fax), theata encryptionckage claim)

R Packages a

e PP except f

rational envir

ST also meet

o physical doc

verted to elec

o physical doc

o a telephonea telephone

output ored during o

a nonvolatile sed from the T

ata or TSF Datn be simultanost radio-freq

entity of the fmodel makes

unction being pity Target or P

job. b. etrieval job.

hared-medium

e TOE implemn function. A.

above.

for the additio

ronment.

t the security

cument

ctronic

cument

e-based e-based

one job

storage OE by

ta over neously quency

function is it possible performed. Protection

m

ments the As such, it

on of one

y problem

defi

- All mee

In terms

This obje

As such:

- All obje

- All in th

In terms of the PPTable 9.

PCCCCCCCCCCCCCCCCCCCCCCCCCCPPSSCCFFDDN

inition in the

operational eet the security

of Objectives

O.HDD.AC

ective is a res

TOEs that wectives for the

operational ehe PP would

of the functiP including t

Table

PP_Package Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common Common PRT PRT SCN SCN CPY CPY FAX FAX DSR DSR NVS

PP.

environmentsy problem def

s, the ST is eq

CCESS.AUTH

striction on th

would meet e TOE in the

environmentsalso meet the

ional requiremthe seven SF

e 9 - Functio

PP functionFAU_GEN.1 FAU_GEN.2 FAU_SAR.1 FAU_SAR.2 FAU_STG.1 FAU_STG.4 FDP_ACC.1(aFDP_ACC.1(bFDP_ACF.1(a)FDP_ACF.1(bFDP_RIP.1 FIA_ATD.1 FIA_UAU.1 FIA_UID.1 FIA_USB.1 FMT_MSA.1(FMT_MSA.3(FMT_MSA.1(FMT_MSA.3(FMT_MTD.1(FMT_MTD.1(FMT_SMF.1 FMT_SMR.1 FPT_STM.1 FPT_TST.1 FTA_SSL.3 FDP_ACC.1 FDP_ACF.1 FDP_ACC.1 FDP_ACF.1 FDP_ACC.1 FDP_ACF.1 FDP_ACC.1 FDP_ACF.1 FDP_ACC.1 FDP_ACF.1 FPT_CIP_EXP

s that would finition in the

quivalent to t

HORISED

he TOE.

the security PP.

s that would me security obj

ments, the STR Packages,

nal requirem

nal requirem

a) b) ) )

(a) (a) (b) (b) (FMT_MTD.1.(FMT_MTD.1.

P.1

meet the sece ST.

the PP except

objectives f

meet the secuectives for th

T compared was well as a

ments speci

mentFAU_GFAU_GFAU_SFAU_SFAU_SFAU_SFDP_AFDP_AFDP_AFDP_AFDP_RFIA_ATFIA_UAFIA_UIFIA_USFMT_MFMT_MFMT_MFMT_M

1(a)) FMT_M1(b)) FMT_M

FMT_SFMT_SFPT_STFPT_TSFTA_SSFDP_AFDP_AFDP_AFDP_AFDP_AFDP_AFDP_AFDP_AFDP_AFDP_AFPT_CI

curity problem

t for the addit

for the TOE

urity objectivhe operational

with the PP cadditional fun

ified in the P

ST functioGEN.1 GEN.2

AR.1 AR.2 TG.1 TG.4

ACC.1(delete-joACC.1(exec-job)ACF.1(delete-jobACF.1(exec-job)RIP.1 TD.1 AU.1 ID.1 SB.1

MSA.1(delete-joMSA.3(delete-joMSA.1(exec-jobMSA.3(exec-jobMTD.1(device-mMTD.1(user-mgSMF.1 SMR.1 TM.1 ST.1 SL.3(lui), FTA_

ACC.1(in-job)ACF.1(in-job)ACC.1(in-job)ACF.1(in-job)ACC.1(in-job)ACF.1(in-job)ACC.1(in-job)ACF.1(in-job)ACC.1(in-job) ACF.1(in-job)

IP_EXP.1

m definition

tion of one ot

in the ST a

ves for the opl environmen

ontains all functional requi

PP and the S

onal require

b) ) b) )

ob) ob) b) b) mgt) gt)

_SSL.3(rui)

in the PP w

ther objective

also meet the

perational envnt in the ST.

unctional requirements, as

ST

ment

would also

e:

e security

vironment

uirements shown in

PSSSCCCNNSSN

Note the

For FDP+FAXINspecified

For FDP_

For FDPAccess C

The ST Delete orrequirem

For FDPU.NORMControl r

The ST fsuch, therequirem

Consequ

As such:

- All TO

In terms

As such, restrictio

Therefor

PP_Package SMI SMI SMI Common Common Common NVS NVS・SMI SMI SMI NVS

following:

P_ACF.1(a) N/+DSR D.FUd as U.ADMIN

_ACC.1 in th

P_ACC.1(in-jControl rule fo

functional rer Read, and r

ments specify

P_ACF.1(a) iMAL. For FDrule specified

functional reqe ST functio

ment.

uently, the SFR

OEs that woul

of the Securi

this ST compons on the ope

re, this ST cla

PP functionFAU_GEN.1 FPT_FDI_EXPFTP_ITC.1 - - - - - - - -

in the PP, tUNC is specifNISTRATOR

he PP, the Sub

job) in the Sfor U.NORMA

equirements arestrains U.Ngreater restric

in the PP, thDP_ACF.1(dd as "Denied"

quirement as onal requirem

Rs of the ST

d meet the SF

ity Assurance

pared with therational envi

aims demonst

nal requirem

P.1

the Subjectfied as U.NORR, with Acces

bject for a Re

ST, the SubjeAL specified

as mentionedNORMAL froctions than th

he Subject felete-job) in .

mentioned ament specifie

are equivalen

FRs in the ST

e Requiremen

he PP, specifieironment of th

trable conform

mentFAU_GFPT_FDFTP_ITFIA_AFFIA_SOFIA_UAFCS_COFCS_CKFCS_COFCS_CKFPT_PH

for a DeleteRMAL. For Fss Control rul

ead of +FAXI

ect for a Reaas "Denied".

d above, areom having ache correspond

for a Modifythe ST, the

above, does ns greater res

nt or more res

T would also m

nts, the ST and

es equal or grhe TOE.

mance to the

ST functioGEN.1 DI_EXP.1 TC.1 FL.1 OS.1 AU.7 OP.1(h) KM.1 OP.1(n) KM.2 HP.1

e of +FAXIFDP_ACF.1(le for U.NOR

IN/+DSR D.D

ad is specifie

restrictive inccess to any Oding PP funct

y of +FAXINe Subject is

not allow use striction than

strictive than

meet the SFR

d PP are equi

reater restrict

PP.

onal require

IN/+DSR D.delete-job) in

RMAL specifi

DOC is specif

ed as U.ADM

n the scope oObject. As sutional require

N/+DSR D.Fspecified as

of the functin the corresp

SFRs of the

Rs in the PP.

ivalent.

ions on the T

ment

DOC, and Dn the ST, the ied as "Denie

fied as U.NO

MINISTRAT

of Subjects auch, the ST fments.

FUNC is speU.User, wit

ion to any Suponding PP f

PP.

TOE, and at m

Delete of Subject is

ed".

ORMAL.

TOR, with

llowed to functional

ecified as th Access

ubject. As functional

most equal

3 Se

3.1 N

3.2 T

Th

a

b

c

curity Pro

Notational c

- Defined

- Defined

- In tablesa row anthe objec

- In tablesthe intera principindicates

- In tablesand purpsame rorequiremRequirem

o Bold typProfile, Compon

o Italic typconform

o Bold italthis ProtExtendedconform

- The follo

Threats age

his security pro

a) Persons wh

b) Persons whare not au

c) Persons whnot autho

oblem Defi

convention

terms in full f

terms in abbr

s that describend column indctive in that co

s that describesection of a ro

pal fulfillments that it perfor

s that describepose indicatesow. Requiremments performments (SFRs):

peface indicaterelative to th

nent Definition

peface indicaming Security T

lic typeface intection Profiled Component

ming Security T

owing prefixe

Tabl

ents

oblem definiti

ho are not perm

ho are authoriuthorized.

ho are authorizorized.

inition

ns

form are set in

reviated form a

e Security Objdicates that theolumn.

e completenesow and columt of the objectirms a supporti

e the sufficiens that the requment names m supporting:

es the portion he original Sn.

ates the portioTarget.

ndicates the poe, relative to t Definition, Target.

es are used to i

e 10 - Notatio

PrefixU. UD. DF. FT. TP. PA. AO. O

OE. E+ S

ion addresses

mitted to use t

ized to use the

zed to use the

n title case (fo

are set in all c

ectives ratione threat identi

ss of security mn indicates th

ive indicated ing fulfillment

ncy of securityuirement perfo

and purposeg fulfillment

of an SFR thSFR definitio

on of an SFR

ortion of an Sthe original Sbut which a

indicate differ

onal prefix c

Type of eUser Data Function Threat Policy AssumptionObjective EnvironmentalSecurity attribu

threats posed

the TOE who

e TOE who m

e TOE who m

or example, "D

caps (for exam

nale, a checkmfied in that ro

requirements,hat the requirein that columnt.

y requirementorms a principes set in nots. In speci

at has been coon in Commo

R that must be

SFR that has bSFR definitiolso must be

rent entity typ

conventions

entity

l objectiveute

d by four categ

may attempt t

may attempt to

may attempt to

Document Stor

mple, "DSR").

mark ("") plaow is wholly o

, a bold typefement identifien. A letter "S"

s, a bold typepal fulfillmentormal typefacifications of

ompleted or reon Criteria P

e completed b

been partially on in Commo

completed by

pes:

s

gories of threa

to use the TOE

o use TOE fu

o access data

rage and Retr

ace at the interor partially mi

face letter "P"ed in that row" in such an in

eface requiremt of the objectce indicate tf Security F

efined in this PPart 2 or an

by the ST Au

completed or n Criteria Pay the ST Au

at agents:

E

unctions for w

in ways for w

ieval").

rsection of itigated by

" placed at w performs ntersection

ment name tive in the that those Functional

Protection Extended

uthor in a

refined in rt 2 or an

uthor in a

which they

which they

d

Th

3.3 T

Th

ThrT.DT.DT.F

ThrT.PRT.COT.CO

3.4 O

Thisprovenvithos

Name P.USER

P.SOFTW

P.AUDIT

P.INTER

P.HDD.A

d) Persons whthreats.

he threats and

Threats to T

his section des

reat DOC.DIS DOC.ALT FUNC.ALT

eat ROT.ALT ONF.DIS ONF.ALT

Organizatio

s section descvide a basis fironment but fse assets.

.AUTHORIZA

WARE.VERI

T.LOGGING

RFACE.MAN

ACCESS.AUT

ho unintention

policies defin

TOE Asset

scribes threats

Table

Affected asD.DOC D.DOC D.FUNC

Table

Affected asD.PROT D.CONF D.CONF

onal Securi

cribes the Orgafor Security Ofor which it is

Table

ATION

FICATION

NAGEMENT

THORIZATIO

nally cause a s

ned in this Pro

s

s to assets desc

11 - Threats

set DescripUser DUser DUser Fu

12 - Threats

sset DescripTSF ProTSF CoTSF Co

ity Policies

anizational SeObjectives thas not practical

13 - Organiz

DefTo pauthTo dwillTo pprovbe cdiscpersTo poperIT e

ON To pothe

software malfu

otection Profile

cribed in claus

to User Dat

ption ocument Dataocument Dataunction Data m

s to TSF Dat

ption otected Data monfidential Daonfidential Da

s

ecurity Policieat are commol to universally

zational Sec

finition preserve operahorized to use detect corruptl exist to self-vpreserve operavide an audit tcreated, maintclosure or altersonnel prevent unauthration of thoseenvironmentprevent accesser HCDs, TOE

unction that m

e address the t

se 1.8.

ta for the TO

a may be discla may be altermay be altered

ta for the TO

may be alteredata may be discata may be alte

es (OSPs) thatonly desired by define the as

curity Policie

ational accounthe TOE only

tion of the exeverify executaational accountrail of TOE uained, and proration, and wi

horized use ofe interfaces w

s TOE assets iE will have au

may expose th

threats posed

OE

losed to unautred by unauthod by unauthor

OE

d by unauthoriclosed to unauered by unauth

t apply to the by TOE Ownssets being pr

es

ntability and sy as permittedecutable code able code in thntability and suse and securitotected from uill be reviewed

f the external will be controll

in the HDD wuthorized acce

he TOE to una

by these threa

thorized persoorized personsrized persons

ized persons uthorized pershorized person

TOE. OSPs aners in this orotected or the

security, Usersd by the TOE Oin the TSF, pr

he TSF security, recorty-relevant evunauthorized d by authorize

interfaces of tled by the TO

with connectiness the HDD d

anticipated

at agents.

ons s

sons ns

are used to operational e threats to

s will be Owner rocedures

rds that vents will

ed

the TOE, E and its

ng the data.

3.5 A

The SecuProfile ar

AssumA.ACC

A.USER

A.ADM

A.ADM

Assumption

urity Objectivere based on th

ption CESS.MANAG

R.TRAINING

MIN.TRAININ

MIN.TRUST

ns

es and Securite condition th

DefiniGED The T

protecinterfa

G TOE Uorganiproced

NG Adminorganiand dowith thAdmin

ty Functional hat all of the as

Table 14

ition OE is located

ction from unmaces of the TOUsers are awarization, and ardures. nistrators are aization, are traocumentation,hose policies anistrators do n

Requirementssumptions de

4 - Assumpti

in a restrictedmanaged accesOE. re of the securre trained and

aware of the sained and com, and correctlyand procedure

not use their p

s defined in suescribed in thi

ions

d or monitoredss to the phys

rity policies acompetent to

security policimpetent to folloy configure anes. rivileged acce

ubsequent secis section are s

d environmenical componen

and procedures follow those

ies and procedow the manuf

nd operate the

ess rights for m

ctions of this Psatisfied.

nt that providents and data

s of their policies and

dures of their facturer's guidTOE in accor

malicious purp

Protection

s

dance rdance

poses.

4 Se

4.1 S

This sect

ObjeO.DO

O.DO

O.FU

O.PR

O.CO

O.CO

O.US

O.INT

O.SO

O.AU

O.HD

4.2 S

This sect

ObjecOE.A

OE.A

OE.IN

4.3 S

This sect

curity Obj

Security Ob

tion describes

ctive OC.NO_DIS

OC.NO_ALT

UNC.NO_ALT

ROT.NO_ALT

ONF.NO_DIS

ONF.NO_ALT

SER.AUTHOR

TERFACE.M

OFTWARE.VE

UDIT.LOGGE

DD.ACCESS.A

Security Ob

tion describes

ctive UDIT_STOR

UDIT_ACCE

NTERFACE.M

Security Ob

tion describes

T

jectives

bjectives fo

s the Security

Table

T

T

T

RIZED

MANAGED

ERIFIED

ED

AUTHORISE

bjectives fo

s the Security

Table 16 - S

RAGE.PROTE

ESS.AUTHOR

MANAGED

bjectives fo

s the Security

Table 17 - Sec

or the TOE

y Objectives t

e 15 - Securit

DefinThe TdiscloThe TalteraThe TalteraThe TalteraThe TdiscloThe TalteraThe Tand shsecurThe TaccorThe Tin theThe Tsecuror alte

ED The Twitho

or the IT en

y Objectives f

Security Obje

DefECTED If au

prodprot

RIZED If auTOEthat secuTheacce

or the non-

y Objectives f

curity Object

23

that are satisf

y Objectives

nition TOE shall protosure. TOE shall protation. TOE shall protation. TOE shall protation. TOE shall protosure. TOE shall protation. TOE shall requhall ensure thaity policies be

TOE shall manrdance with seTOE shall prove TSF. TOE shall creaity-relevant everation.

TOE shall protout the TOE au

nvironment

for the IT env

ectives for t

finition udit records arduct, the TOEtected from unudit records gE to another trthose records

urity violatione IT environmeess to TOE ex

-IT environ

for non-IT en

tives for the

C

fied by the TO

s for the TO

tect User Doc

tect User Doc

tect User Func

tect TSF Prote

tect TSF Conf

tect TSF Conf

uire identificaat Users are auefore allowingnage the operaecurity policievide procedur

ate and maintavents, and pre

tect TOE asseuthorization.

t

vironment.

the IT enviro

re exported froE Owner shall nauthorized acenerated by thrusted IT prods can be accesns, and only byent shall prov

xternal interfac

ment

nvironments.

e non-IT env

Date

Copyright Ca

OE.

OE

cument Data fr

cument Data fr

ction Data fro

ected Data fro

fidential Data

fidential Data

ation and autheuthorized in a

g them to use tation of externs. res to self-veri

ain a log of TOevent its unaut

ets in the HDD

onment

om the TOE tensure that thccess, deletionhe TOE are exduct, the TOE sed in order toy authorized pide protectionces.

vironment

e of Issue: 201

anon Inc. 20

from unauthori

from unauthori

om unauthoriz

om unauthoriz

from unautho

from unautho

entication of Uaccordance withe TOE. nal interfaces

ify executable

OE use and thorized disclo

D from accessi

to another trushose records arn and modificaxported from t

Owner shall eo detect poten

persons n from unmana

15/09/28

015

ized

ized

zed

zed

orized

orized

Users, ith

in

e code

osure

ing

sted IT re ations.the ensure

ntial

aged

Page 24: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

TTTTTTPPPPPAAA

ObjecOE.PH

OE.US

OE.US

OE.AD

OE.AD

OE.AU

4.4 S

This sect

Threats. PoT.DOC.DIS T.DOC.ALT T.FUNC.ALT.PROT.ALTT.CONF.DIST.CONF.ALTP.USER.AUP.SOFTWARP.AUDIT.LOP.INTERFAP.HDD.ACCA.ACCESS.MA.ADMIN.TA.ADMIN.T

ctive HYSICAL.MA

SER.AUTHO

SER.TRAINE

DMIN.TRAIN

DMIN.TRUS

UDIT.REVIE

Security Ob

tion describes

olicies, and A

LT T S T

UTHORIZATRE.VERIFICOGGING CE.MANAG

CESS.AUTHMANAGED

TRAINING TRUST

ANAGED

ORIZED

ED

NED

TED

EWED

bjectives ra

s the rationale

Table 18

Assumptions

TION CATION

GEMENT HORIZATION

DefinThe TproviThe Tto useof theThe TpolicitraininThe Tof thethe traguidathe TOThe Twill nThe Tapproactivi

ationale

e for the Secu

8 -Completen

s O.D

OC

.NO

_DIS

O.D

OC

.NO

_ALT

O.F

UN

C.N

O_A

LT

N

24

nition TOE shall be pdes protection

TOE Owner she the TOE acceir organizatioTOE Owner shies and procedng and compe

TOE Owner she security poliaining, compe

ance and documOE in accorda

TOE Owner shnot use their prTOE Owner shopriate intervaity.

urity Objectiv

ness of Secu

O.P

RO

T.N

O_A

LT

O.C

ON

F.N

O_D

IS

O.C

ON

F.N

O_A

LT

C

placed in a secn from unmanhall grant permcording to the on. hall ensure thadures of their oetence to follohall ensure thacies and proceetence, and timmentation, anance with thoshall establish trivileged accehall ensure thaals for security

ves.

urity Object

Obje

O.U

SE

R.A

UT

HO

RIZ

ED

OE

.US

ER

.AU

TH

OR

IZE

D

O.S

OF

TW

AR

E.V

ER

IFIE

D

OA

UD

ITL

OG

GE

D

Date

Copyright Ca

cure or monitonaged physicalmission to Usesecurity polic

at Users are aworganization,

ow those policat TOE Adminedures of theirme to follow thnd correctly cose policies andtrust that TOEess rights for mat audit logs ay violations or

tives

ectives

O.A

UD

IT.L

OG

GE

D

O.H

DD

.AC

CE

SS

.AU

TH

OR

ISE

D

OE

.AU

DIT

_ST

OR

AG

E.P

RO

TE

CT

ED

OE

.AU

DIT

_AC

CE

SS

.AU

TH

OR

IZE

D

e of Issue: 201

anon Inc. 20

ored area that l access to theers to be autho

cies and proce

ware of the seand have the

cies and procednistrators are r organizationhe manufactu

onfigure and od procedures. E Administratomalicious purpare reviewed ar unusual patte

OE

.AU

DIT

.RE

VIE

WE

D

O.I

NT

ER

FAC

E.M

AN

AG

ED

OE

.PH

YIS

CA

L.M

AN

AG

ED

OE

INT

ER

FAC

EM

AN

AG

ED

15/09/28

015

e TOE.orized dures

ecurity

dures. aware

n, have urer's operate

ors poses.

at erns of

OE

.IN

TE

RFA

CE

.MA

NA

GE

D

OE

.AD

MIN

.TR

AIN

ED

OE

.AD

MIN

.TR

US

TE

D

OE

US

ER

TR

AIN

ED

OE

.US

ER

.TR

AIN

ED

Page 25: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

A

Threats. PoA.USER.TR

Threats. Assu

T.DOC.D

T.DOC.A

T.FUNC.

T.PROT.

T.CONF.

olicies, and ARAINING

Policies, andumptions

DIS

ALT

.ALT

ALT

.DIS

Assumptions

Table 1

d Summary

User Docudisclosed persons

User Docualtered by

User Funcaltered by

TSF Protealtered by

TSF Confdisclosed persons

s O.D

OC

.NO

_DIS

O.D

OC

.NO

_ALT

O.F

UN

C.N

O_A

LT

19 -Sufficien

y

ument Data mto unauthorize

ument Data my unauthorized

ction Data mayy unauthorized

ected Data may unauthorized

fidential Data to unauthorize

25

O.P

RO

T.N

O_A

LT

O.C

ON

F.N

O_D

IS

O.C

ON

F.N

O_A

LT

ncy of Secur

O

may be ed

OuOidaOrg

may be d persons

OuOidaOrg

y be d persons

OuOidaOrg

ay be d persons

OuOidaOrg

may be ed

OuOida

C

Obje

O.U

SE

R.A

UT

HO

RIZ

ED

OE

.US

ER

.AU

TH

OR

IZE

D

O.S

OF

TW

AR

E.V

ER

IFIE

D

OA

UD

ITL

OG

GE

D

rity Objectiv

Objectives an

O.DOC.NO_Dunauthorized dO.USER.AUTdentification a

authorizationOE.USER.AUresponsibility grant authorizaO.DOC.NO_Aunauthorized aO.USER.AUTdentification a

authorizationOE.USER.AUresponsibility grant authorizaO.FUNC.NO_unauthorized aO.USER.AUTdentification a

authorizationOE.USER.AUresponsibility grant authorizaO.PROT.NO_unauthorized aO.USER.AUTdentification a

authorizationOE.USER.AUresponsibility grant authorizaO.CONF.NO_unauthorized dO.USER.AUTdentification a

authorization

Date

Copyright Ca

ectives

O.A

UD

IT.L

OG

GE

D

O.H

DD

.AC

CE

SS

.AU

TH

OR

ISE

D

OE

.AU

DIT

_ST

OR

AG

E.P

RO

TE

CT

ED

OE

.AU

DIT

_AC

CE

SS

.AU

TH

OR

IZE

D

ves

nd rationale

DIS protects Ddisclosure THORIZED esand authentica

UTHORIZED of the TOE Oation

ALT protects Dalteration

THORIZED esand authentica

UTHORIZED of the TOE Oation

_ALT protectsalteration

THORIZED esand authentica

UTHORIZED of the TOE Oation

_ALT protectsalteration

THORIZED esand authentica

UTHORIZED of the TOE Oation

_DIS protects disclosure THORIZED esand authentica

e of Issue: 201

anon Inc. 20

OE

.AU

DIT

.RE

VIE

WE

D

O.I

NT

ER

FAC

E.M

AN

AG

ED

OE

.PH

YIS

CA

L.M

AN

AG

ED

OE

INT

ER

FAC

EM

AN

AG

ED

D.DOC from

stablishes useration as the ba

establishes Owner to appro

D.DOC from

stablishes useration as the ba

establishes Owner to appro

s D.FUNC fro

stablishes useration as the ba

establishes Owner to appro

D.PROT from

stablishes useration as the ba

establishes Owner to appro

D.CONF from

stablishes useration as the ba

15/09/28

015

OE

.IN

TE

RFA

CE

.MA

NA

GE

D

OE

.AD

MIN

.TR

AIN

ED

OE

.AD

MIN

.TR

US

TE

D

OE

US

ER

TR

AIN

ED

r asis for

opriately

r asis for

opriately

om

r asis for

opriately

m

r asis for

opriately

m

r asis for

OE

.US

ER

.TR

AIN

ED

Page 26: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model … · 2016-07-15 · Title: Canon imageRUNNER ADVANCE C350/C250 Series 2600.1 model Security Target Author: Canon Inc. Created

T.CONF.

P.USER.AATION

P.SOFTWICATION

P.AUDIT

P.HDD.AHORIZA

P.INTERAGEMEN

A.ACCEED

A.ADMING

A.ADMIN

A.USER.

.ALT

AUTHORIZ

WARE.VERIFN

T.LOGGING

ACCESS.AUTATION

RFACE.MANNT

SS.MANAG

N.TRAININ

N.TRUST

.TRAINING

TSF Confaltered by

Users willthe TOE

F Procedureself-verifythe TSF An audit tsecurity-recreated, mand review

T To preventhe HDD wother HCDauthorizedOperationwill be conand its IT

The TOE protectionaccess to tcomponenof the TOETOE Usertrained to policies anAdministrprivilegedmalicious Administrtrained to policies an

fidential Data y unauthorized

l be authorized

es will exist toy executable c

trail of TOE uelevant events

maintained, prowed.

nt access TOEwith connectinDs, TOE will hd access the Hn of external inntrolled by thenvironment

environment pn from unmanathe physical nts and data inE. rs are aware ofollow securit

nd proceduresrators do not ud access rights

purposes. rators are awafollow securit

nd procedures

26

Org

may be d persons

OuOidaOrg

d to use OidaOrg

o code in

Oto

use and s will be otected,

OopOedOeprOra

assets in ng the have

HDD data.

OaT

nterfaces e TOE .

OowOpin

provides aged

nterfaces

Op

f and ty

s

Ora

use their s for

Othw

re of and ty

s

Ootr

C

OE.USER.AUresponsibility grant authorizaO.CONF.NO_unauthorized aO.USER.AUTdentification a

authorizationOE.USER.AUresponsibility grant authorizaO.USER.AUTdentification a

authorization tOE.USER.AUresponsibility grant authorizaO.SOFTWARo self-verify e

O.AUDIT.LOGof TOE use anprevents unautOE.AUDIT_Sexported auditdeletion and mOE.AUDIT_Aestablishes resprovide approprecords OE.AUDIT.REresponsibility audit logs are aO.HDD.ACCEassets in the HTOE authoriza

O.INTERFACoperation of exwith security pOE.INTERFAprotected envinterfaces

OE.PHYSICAprotected phys

OE.ADMIN.Tresponsibility appropriate AdOE.ADMIN.The TOE Owne

with AdministOE.USER.TRAof the TOE Owraining.

Date

Copyright Ca

UTHORIZED of the TOE Oation

_ALT protectsalteration

THORIZED esand authentica

UTHORIZED of the TOE Oation

THORIZED esand authenticato use the TOE

UTHORIZED of the TOE Oation

RE.VERIFIEDexecutable cod

GGED creatend security-relthorized discloTORAGE.PR

t records frommodifications ACCESS.AUTsponsibility ofpriate access t

EVIEWED esof the TOE Oappropriately ESS.AUTHOR

HDD from acceation.

CE.MANAGExternal interfapolicies

ACE.MANAGronment for T

AL.MANAGEsical environm

TRAINED estaof the TOE Odministrator tr

TRUST establier to have a trtrators. AINED estabwner to provid

e of Issue: 201

anon Inc. 20

establishes Owner to appro

s D.CONF fro

stablishes useration as the ba

establishes Owner to appro

stablishes useration as the baE establishes

Owner to appro

D provides prode in the TSF

s and maintainlevant events, osure or altera

ROTECTED pm unauthorized

THORIZED f, the TOE Owto exported au

stablishes Owner to ensur

reviewed RISED protecessing withou

ED manages thaces in accord

GED establisheTOE external

ED establishes ment for the TO

ablishes Owner to proviraining. ishes responsirusted relation

lishes responsde appropriate

15/09/28

015

opriately

om

r asis for

opriately

r asis for

opriately

cedures

ns a log and

ation protects d access,

wner to udit

re that

cts TOE ut the

he ance

es a

a OE

ide

ibility of nship

sibility e User

5 Extended components definition (APE_ECD)

This Protection Profile defines components that are extensions to Common Criteria 3.1 Release 2, Part 2. These extended components are defined in the Protection Profile but are used in SFR Packages, and therefore, are employed only in TOEs whose STs conform to those SFR Packages.

5.1 FPT_CIP_EXP Confidentiality and integrity of stored data

Family behaviour:

This family defines requirements for the TSF to protect the confidentiality and integrity of both TSF and user data.

Confidentiality and integrity of stored data is important security functionality in the case where the storage container is not, or not always, in a protected environment. Confidentiality and integrity of stored data is often provided by functionality that the TSF uses for both TSF and user data in the same way. Examples are full disk encryption functions, where the TSF stores its own data as well as user data on the same disk. Especially when a disk is intended to be removable and therefore may be transported into an unprotected environment, this becomes a very important functionality to achieve the Security Objectives of protection against unauthorized access to information.

Component leveling:

FPT_CIP_EXP Confidentiality and integrity of stored data    1

FPT_CIP_EXP.1 Confidentiality and integrity of stored data, provides for the protection of user and TSF data stored on a storage container that cannot be assumed to be protected by the TOE environment.

Management: FPT_CIP_EXP.1

The following actions could be considered for the management functions in FMT:

a) Management of the conditions under which the protection function is activated or used;

b) Management of potential restrictions on the allowance to use this function.

Audit: FPT_CIP_EXP.1

The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:

a) Basic: failure condition that prohibits the function to work properly, detected attempts to bypass this functionality (e.g. detected modifications).

FPT_CIP_EXP.1 Confidentiality and integrity of stored data

Hierarchical to: No other components.

Dependencies: No dependencies

FPT_CIP_EXP.1.1 The TSF shall provide a function that ensures the confidentiality and integrity of user and TSF data when either is written to [assignment: media used to store the data].

FPT_CIP_EXP.1.2 The TSF shall provide a function that detects and performs [assignment: list of actions] when it detects alteration of user and TSF data when either is written to [assignment: media used to store the data].

Rationale:

The Common Criteria defines the protection of user data in its FDP class and the protection of TSF data in its FPT class. Although both classes contain components that define confidentiality protection and integrity protection, those components are defined differently for user data and TSF data and therefore are difficult to use in cases where a TOE provides functionality for the confidentiality and integrity for both types of data in an identical way.

This Protection Profile defines an extended component that combines the confidentiality and integrity protection for both types of data in a single component. The authors of this Protection Profile view this as an approach that simplifies the statement of security functional requirements significantly and therefore enhances the readability and applicability of this Protection Profile. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since it is intended to protect data that are exported to storage media, and in particular, storage media that might be removable from the TOE, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

5.2 FPT_FDI_EXP Restricted forwarding of data to external interfaces

Family behaviour:

This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.

Many products receive information on specific external interfaces and are intended to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality.

Component leveling:

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces    1

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces, provides for the functionality to require TSF controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.

Management: FPT_FDI_EXP.1

The following actions could be considered for the management functions in FMT:

a) Definition of the role(s) that are allowed to perform the management activities;

b) Management of the conditions under which direct forwarding can be allowed by an administrative role;

c) Revocation of such an allowance.

Audit: FPT_FDI_EXP.1

The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:

There are no auditable events foreseen.

Rationale:

Quite often a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems but also other systems that require a specific work flow for the incoming data before it can be transferred. Direct forwarding of such data (i.e. without processing the data first) between different external interfaces is therefore a function that – if allowed at all – can only be allowed by an authorized role.

It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.

The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Protection Profile, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality.

This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces

Hierarchical to: No other components.

Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles.

FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].

6 Security requirements

This section describes the security requirements for the TOE.

6.1 Security functional requirements

This section describes the security functional requirements for the TOE. The text in brackets following the component identifier or element name denotes iteration operations.

6.1.1 User Authentication Function

FIA_AFL.1 Authentication failure handling

Hierarchical to: No other components.

Dependencies: FIA_UAU.1 Timing of authentication

FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].

[selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]]
– an administrator configurable positive integer within 1 to 10

[assignment: list of authentication events]
– Login attempts for internal authentication from the control panel or remote UIs.

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met, surpassed], the TSF shall [assignment: list of actions].

[selection: met, surpassed]
– met

[assignment: list of actions]
– Lockout

FIA_ATD.1 User attribute definition

Hierarchical to: No other components.

Dependencies: No dependencies

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].

[assignment: list of security attributes]
– User name, role

FIA_UAU.1 Timing of authentication

Hierarchical to: No other components.

Dependencies: No dependencies.

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is authenticated.

[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
– Submission of print jobs, fax jobs, I-fax jobs

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback

Hierarchical to: No other components.

Dependencies: FIA_UAU.1 Timing of authentication

FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.

[assignment: list of feedback]
– *

FIA_UID.1 Timing of identification

Hierarchical to: No other components.

Dependencies: No dependencies.

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed before the user is identified.

[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
– Submission of print jobs, fax jobs, I-fax jobs

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding

Hierarchical to: No other components.

Dependencies: FIA_ATD.1 User attribute definition

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].

[assignment: list of user security attributes]
– User name, role

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with the subjects acting on behalf of users: [assignment: rules for the initial association of attributes].

[assignment: rules for the initial association of attributes]
– None

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes with the subjects acting on behalf of users: [assignment: rules for the changing of attributes].

[assignment: rules for the changing of attributes]
– None

FTA_SSL.3(lui) TSF-initiated termination

Hierarchical to: No other components.

Dependencies: No dependencies.

FTA_SSL.3.1(lui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

[assignment: time interval of user inactivity]
– User inactivity at the control panel lasting for the specified period of time.

FTA_SSL.3(rui) TSF-initiated termination

Hierarchical to: No other components.

Dependencies: No dependencies.

FTA_SSL.3.1(rui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

[assignment: time interval of user inactivity]
– User inactivity at the remote UI lasting for 15 minutes.

6.1.2 Function Use Restriction Function

FMT_MSA.1(exec-job) Management of security attributes

Hierarchical to: No other components.

Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].

[assignment: access control SFP(s), information flow control SFP(s)]
– None

[selection: change_default, query, modify, delete, [assignment: other operations]]
– query, modify, delete, create

[assignment: list of security attributes]
– Role

[assignment: the authorised identified roles]
– U.ADMINISTRATOR

FMT_MSA.3(exec-job) Static attribute initialisation

Hierarchical to: No other components.

Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles

FMT_MSA.3.1(exec-job) The TSF shall enforce the TOE Function Access Control Policy, [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.

[assignment: access control SFP, information flow control SFP]
– None

[selection, choose one of: restrictive, permissive, [assignment: other property]]
– Restrictive

[refinement]
– TOE Function Access Control Policy -> TOE Function Access Control SFP

FMT_MSA.3.2(exec-job) The TSF shall allow the [assignment: the authorized identified roles] to specify alternative initial values to override the default values when an object or information is created.

[assignment: the authorized identified roles]
– Nobody


FDP_A

FDP_AC

FDP_A

FDP_AC

FDP_AC

FDP_AC

FDP_AC

ACC.1(exec

Hier

Dep

CC.1.1(exec-as soper

ACF.1(exec

Hier

Dep

CF.1.1(exec-jbasesecu

[assth

CF.1.2(exec-jamoexplauth[ass

[selefuus

[ass

CF.1.3(exec-jthe [assacce

[assac

CF.1.4(exec-j[asssubj

[ass

c-job) Sub

rarchical to:

endencies:

-job) The subjects, TOrations.

c-job) Sec

rarchical to:

endencies:

job) The ed on the fourity attribu

signment: lishe TOE Func– objects c

each, the

job) The ong controllelicitly authohorized to uignment: lis

ection: the unction, a usse the functi– [assignm

signment: ot– rules spec

among coon contro

job) The following aignment: ot

ess of subject

signment: otccess of subje– None

job) The ignment: ru

bjects to objec

signment: ru

bset acces

No o

FDP

TSF shall eOE function

curity attrib

No o

FDPFMT

TSF shall efollowing: usute(s) used to

ist of TOE fuction Access ontrolled undindicated secu

TSF shall eed subjects aorized by Uuse the TOst of function

user is exser that is auions [assignm

ment: other co

ther conditiocified in the Tontrolled userolled objects

TSF shall eadditional ruther rules, bcts to objects]

ther rules, bjects to objec

TSF shall eules, based cts].

ules, based

ss control

other compo

P_ACF.1 Sec

enforce the Tns as object

bute based

other compo

P_ACC.1 SubT_MSA.3 St

enforce the Tsers and [ao determine

unctions ands Control SFPder the TOE Furity attribute

enforce the fand controll

U.ADMINISTOE is automns], [assignm

xplicitly aututhorized to ment: list of onditions]

ons] TOE Function rs as subjects

explicitly autules: the usbased on se

s].

based on sects]

explicitly denon security

on security

onents.

curity attrib

TOE Functits, and the

d access c

onents.

bset access ctatic attribut

TOE Functiossignment:

e the TOE Fu

d the securityFP] Function Accees in Table 20.

following ruled objects is

STATOR to umatically aument: other c

thorized by o use the TOEf functions],

Access Contrand controlled

thorise acceser acts in ecurity attri

ecurity attri

ny access ofy attributes,

y attributes,

ute based ac

ion Access Cright to u

control

control te initialisat

on Access Colist of TOE

unction Acce

ty attribute(

ess Control SF.

ules to determs allowed: [suse a functuthorized toconditions]].

y U.ADMINOE is automa

[assignment

rol SFP in Tabd objects usin

ss of subjectthe role U

ibutes, that

ibutes, that

f subjects to , that expli

s, that expli

ccess contro

Control SFP se the func

tion

ontrol SFP tE functions ess Control S

(s) used to de

FP in Table 2

mine if an oselection: thtion, a usero use the f.

NISTATOR tatically autht: other cond

ble 20 governng controlled o

ts to objects .ADMINIST

t explicitly a

t explicitly a

objects baseicitly deny a

icitly deny a

l

on users ctions as

to objects and the

SFP].

determine

20, and for

operation he user is r that is functions

to use a horized to ditions]]

ing access operations

based on TRATOR, authorise

authorise

ed on the access of

access of

Object

[Secured

[Copy]

[Scan]

[Fax]

[Fax/I-Fa

Remote U

[Fax/I-Fa

6.1.3 J

6.1.3.1

FMT_M

FMT_M

su

d Print]

ax Inbox]

UI

ax Inbox]

Job Output

Delete Job

MSA.1(delet

Hier

Dep

MSA.1.1(delet[assabilioper[ass

[ass

[se

ubjects to obj– None

Table 2

Attribute

+PRT

+CPY

+SCN

+FAXOUT

+FAXIN +DSR

+FAXIN +DSR

t Restrictio

b

te-job) Man

rarchical to:

endencies:

te-job) The ignment: acity to [selecrations]] theignment: th

signment: ac– In The J

election: cha– Refer to

bjects]

20 -TOE Func

OperationUse of the function, upointer to tObject. Use of the function, upointer to tObject.

Use of the function, upointer to tObject.

Use of the function, upointer to tObject. Use of the function, upointer to tObject. Use of the function, upointer to tObject.

n Functions

nagement o

No o

[FDFDPFMTFMT

TSF shall ccess controlction: change security a

he authorised

ccess controlob Access Co

ange_default"Operation"

ction Acces

(s) Subj

using the

U.US

using the

U.US

using the

U.US

using the

U.US

using the

U.US

using the

U.US

s

of security

other compo

P_ACC.1 SuP_IFC.1 SubT_SMR.1 SeT_SMF.1 Sp

enforce the l SFP(s), info

nge_default, attributes [ad identified

l SFP(s), infoontrol SFP in

t, query, mod" in Table 21.

ss Control S

ect Attrib

SER

Role

SER

Role

SER

Role

SER

Role

SER

Role

SER

Role

y attributes

onents.

ubset access bset informaecurity rolespecification o

Common Aformation flo

query, modassignment:roles].

formation flon Table 23

dify, delete, [.

SFP

bute AcceFor ththe roSubjeperfoFor ththe roSubjeperfo

For ththe roSubjeperfo

For ththe roSubjeperfoFor ththe roSubjeperfo

If theSubjeOper

control, or ation flow con

of Managem

Access Controw control Sdify, delete, : list of sec

ow control S

[assignment

ss control rulhe attribute oole associatedect, must be aorm the Operahe attribute oole associatedect, must be aorm the Opera

he attribute oole associatedect, must be aorm the Opera

he attribute oole associatedect, must be aorm the Operahe attribute oole associatedect, must be aorm the Opera

e role associaect is Adminiration is perm

ntrol]

ment Functio

rol SFP in TSFP(s)] to res

[assignmencurity attrib

SFP(s)]

t: other oper

le of the Object, d with the authorized to ation. of the Object, d with the authorized to ation.

of the Object, d with the authorized to ation.

of the Object, d with the authorized to ation. of the Object, d with the authorized to ation.

ted with the istrator, the

mitted.

ns

Table 22, strict the nt: other butes] to

rations]]

SeU

PI

APPLICAdefinthat thpossibperfo

FMT_M

FMT_M

FMT_M

FDP_A

FDP_AC

[ass

[ass

ecurity AttribUser name

IN of Memor

ATION NOTE 1ed by SFR packhis Protection Pble for the ST A

ormed by any U

MSA.3(dele

Hier

Dep

MSA.3.1(delet[ass[seledefa

[ass

[se

MSA.3.2(deletto spinfor

[ass

ACC.1(dele

Hier

Dep

CC.1.1(deletthe cove

signment: lis– Refer to

signment: th– Refer to

Table 2

butes

ry RX Box

1. This kages or by the Profile allows thAuthor to state

User.

ete-job)

rarchical to:

endencies:

te-job) The ignment: aection, chooault values fo

signment: ac– Common– In The J

election, choo– restrictive

te-job) The pecify alternrmation is c

signment: th– Nobody

ete-job) Sub

rarchical to:

endencies:

te-job) The list of users

ered by the C

ist of security"Security A

he authorise"Role" in Ta

21 -Managem

Operatio

delete, cre

modify, c

Protection ProfST Author. Th

he ST Author tothat some mana

Static

No o

FMTFMT

TSF shall access controse one of: for security a

ccess controln Access Conob Access Co

ose one of: re

TSF shall anative initialcreated.

he authorize

bset acces

No o

FDP

TSF shall es as subjectCommon Acc

ty attributes]ttributes" in

ed identified able 21.

ment of secu

on

eate, query

create

file does not defhe ST Author sho instantiate "Nagement action

c attribute

other compo

T_MSA.1 MT_SMR.1 Se

enforce the rol SFP, inrestrictive, attributes th

l SFP, informntrol SFP in Tontrol SFP in

restrictive, p

allow the [al values to ov

ed identified

ss control

other compo

P_ACF.1 Sec

enforce the Cts, objects, acess Control

] n Table 21.

d roles]

urity attribut

fine any mandahould define ho

Nobody" as an as (e.g., deleting

initialisatio

onents.

anagement ecurity roles

Common Anformation

permissive,hat are used

mation flow Table 22 n Table 23

permissive, [

assignment: verride the d

d roles]

onents.

curity attrib

Common Acand operatiol SFP in Tab

tes

Role

U.ADMIN

U.ADMIN

atory security atw security attri

authorized identg a security attri

on

of security a

Access Contrflow contro, [assignme

d to enforce t

control SFP

[assignment

the authoridefault valu

ute based ac

cess Controlons among ble 22.

NISTRATOR

NISTRATOR

ttributes, but soibutes are manatified role, whicibute) may not b

attributes

rol SFP in Tol SFP] to ent: other pthe SFP.

P]

t: other prope

ized identifiues when an

ccess contro

l SFP in Tabsubjects and

R

R

ome may be aged. Note ch makes it be

Table 22, provide

property]]

perty]]

fied roles] object or

l

ble 22 on d objects

FDP_A

FDP_AC

FDP_AC

FDP_AC

FDP_AC

ObjectD.DOC

D.DOC

D.FUN

D.FUN

D.FUN

6.1.3.2

ACF.1(delet

Hier

Dep

CF.1.1(deleteobjeundsecu

CF.1.2(deleteamoComas su

CF.1.3(deletethe that

[asssu

CF.1.4(delete[asssubj

[asssu

t AttribuC +PRT,+

+FAXOC +FAXI

NC +PRT,++FAXO

NC +FAXI

NC +FAXI

In The Job

te-job)

rarchical to:

endencies:

e-job) The cts based oner the Com

urity attribu

e-job) The ong controllemmon Accessubjects and

e-job) The following a

t explicitly a

signment: ruubjects to obj– U.ADMI– U.ADMIN

+FAXOU

e-job) The ignment: ru

bjects to objec

signment: ruubjects to obj– None

Tabl

ute +SCN,+CPY, OUT N, +DSR

+SCN,+CPY, OUT N, +DSR

N, +DSR

Secur

No o

FDPFMT

TSF shall en the followmon Access

utes in Table

TSF shall eed subjects as Control SFcontrolled o

TSF shall edditional ru

authorise acc

ules, based objects] INISTRATONISTRATOR

UT D.FUNC.

TSF shall eules, based cts].

ules, based bjects]

le 22 -Comm

OperDelet

Delet

ModiDeletModi

Delet

rity attribu

other compo

P_ACC.1 SubT_MSA.3 St

enforce the Cing: the list Control SF 22.

enforce the fand controllFP in Table 2objects using

explicitly autules: [assigncess of subje

on security a

R is authorizR is authori

explicitly denon security

on security

on Access C

ration(s) Sute U

te U

ify; te

U

ify U

te U

te based a

onents.

bset access ctatic attribut

Common Act of users asFP in Table

following ruled objects i22 governing controlled

thorise accenment: rulesects to object

attributes, th

ed to delete aized to mod

ny access ofy attributes,

y attributes,

Control SFP

ubject .NORMAL

.NORMAL

.NORMAL

.USER

.NORMAL

access con

control te initialisat

cess Contros subjects an22, and for

ules to determs allowed: rg access amoperations o

ss of subjects, based on ts].

hat explicitly

any D.DOC/Ddify any +C

f subjects to , that expli

s, that expli

P

Access contDenied, excdocuments Denied

Denied, excfunction datDenied

Denied

ntrol

tion

l SFP in Tabnd objects cor each, the i

mine if an orules specifie

mong controllon controlled

ts to objects n security at

ly authorise

D.FUNC. CPY, +SCN

objects baseicitly deny a

icitly deny a

trol rule cept for his/her

cept for his/herta

ble 22 to ontrolled indicated

operation ed in the led users d objects.

based on ttributes,

access of

N, +DSR,

ed on the access of

access of

r own

r own

FDP_A

FDP_AC

FDP_A

FDP_AC

FDP_AC

FDP_AC

FDP_AC

ObjecD.DOD.DOD.DOD.DO

D.DO

ACC.1(in-jo

Hier

Dep

CC.1.1(in-jobon tby th

ACF.1(in-jo

Hier

Dep

CF.1.1(in-jobTablundsecu

CF.1.2(in-joboperspecUser

CF.1.3(in-jobbaseattri

[asssu

CF.1.4(in-job[asssubj

[asssu

ct AttribuOC +PRT OC +SCN OC +CPY OC +FAXIN

+DSR OC +FAXO

ob)

rarchical to:

endencies:

b) The he list of suhe In The Jo

ob)

rarchical to:

endencies:

b) le 23 to objeer the In Th

urity attribu

b) ration amoncified in the rs and contr

b) ed on the fributes, that

signment: ruubjects to obj– U.ADMIN

b) The ignment: ru

bjects to objec

signment: ruubjects to obj– None

Table

ute(s) OpReReRe

N Re

OUT Re

Subse

No o

FDP

TSF shall eubjects, objecob Access Co

Secur

No o

FDPFMT

The TScts based onhe Job Acces

utes in Table

The TSng controlleIn The Job A

rolled object

The TSfollowing adt explicitly au

ules, based objects]

NISTRATOR

TSF shall eules, based cts].

ules, based bjects]

e 23 -In The J

peration Sead Uead Uead Uead U

ead U

et access

other compo

P_ACF.1 Sec

enforce the cts, and opeontrol SFP i

rity attribu

other compo

P_ACC.1 SubT_MSA.3 St

SF shall enfn the followinss Control S 23.

SF shall enfed subjects Access Conts using cont

SF shall expdditional rulauthorise acc

on security a

R is authorize

explicitly denon security

on security

Job Access

Subject U.USER U.USER U.USER U.NORMAL

U.USER

control

onents.

curity attrib

In The Jobrations amon Table 23.

te based a

onents.

bset access ctatic attribut

force the In ng: the list o

SFP in Table

force the foland contro

rol SFP in Ttrolled opera

plicitly autholes: [assignm

cess of subjec

attributes, th

d to read any

ny access ofy attributes,

y attributes,

Control SF

Access conDenied, exDenied, exDenied Denied

Denied, ex

ute based ac

Access Contong subjects

access con

control te initialisat

The Job Acof subjects ae 23, and for

llowing ruleolled object

Table 23 goveations on con

orise access ment: rules

ects to object

hat explicitly

+FAXIN/+D

f subjects to , that expli

s, that expli

P

ntrol rule cept for his/hecept for his/he

cept for his/he

ccess contro

trol SFP in s and objects

ntrol

tion

ccess Contrond objects cor each, the i

es to determts is alloweerning accesntrolled obje

of subjects ts, based on ts].

ly authorise

SR D.Doc

objects baseicitly deny a

icitly deny a

er own documer own docum

er own docum

l

Table 23 s covered

ol SFP in ontrolled indicated

mine if an ed: rules ss among ects.

to objects security

access of

ed on the access of

access of

ments ments

ments

6.1.4

FPT_FD

FPT_FD

6.1.5

FDP_R

FDP_RI

6.1.6

6.1.6.1

FCS_C

FCS_CO

Forward R

DI_EXP.1

Hier

Dep

DI_EXP.1.1 exteany

HDD Data

RIP.1 Sub

Hier

Dep

IP.1.1 The unavreso

[sele

[ass

HDD Data

Encryption

COP.1(h) C

Hier

Dep

OP.1.1(h) Thaccoalgomee

[assi

[assi

Received Jo

Res

rarchical to:

endencies:

The ernal Interfa

Shared-med

Erase Func

bset residu

rarchical to:

endencies:

TSF shall evailable upo

ource from] t

ection: alloc– deallocat

signment: lis– None

Encryption

n/Decryption

ryptograp

rarchical to:

endencies:

he TSF shordance withorithm] and et the followi

ignment: list o– Encrypti– Decrypti

ignment: cryp

obs Functio

stricted for

No o

FMTFMT

TSF shall ace from beindium Interfa

ction

ual informa

No o

No d

ensure that on the [selethe following

cation of the ion of the reso

ist of objects]

n Function

n Function

hic operat

No o

[FDattrFDPFCSFCS

hall performh a specifiedcryptographing: [assignm

of cryptographon of data wrion of data rea

ptographic alg

on

rwarding o

other compo

T_SMF.1 SpT_SMR.1 Se

provide the ng forwardeace.

ation prote

other compo

dependencie

any previouction: allocag objects: D.

e resource to,ource from

]

tion

other compo

P_ITC.1 Imibutes, or

P_ITC.2 ImpS_CKM.1 CrS_CKM.4 Cr

m [assignmed cryptograhic key sizesment: list of

hic operationsritten to the Had out from t

gorithm]

of data to e

onents.

pecification oecurity roles

capability ted without fu

ection

onents.

es

us informatioation of the DOC, [assig

, deallocatio

onents.

mport of

port of user dryptographicryptographic

ent: list ofphic algorit

s [assignmenf standards].

s] HDD the HDD

external in

of Managem.

to restrict durther proce

on content oresource to

gnment: list

on of the reso

user data

data with sec key generac key destru

f cryptograpthm [assignmnt: cryptogra.

nterfaces

ment Functio

data receivedessing by th

of a resourceo, deallocatiot of objects].

ource from]

a without

ecurity attribation] ction

aphic operatment: crypt

raphic key si

ns

d on any he TSF to

e is made ion of the

security

butes, or

tions] in tographic izes] that

FPT_C

FPT_CI

FPT_CI

APPLICAdisks correpresewithiFPT_

Quote fro

6.1.6.2

FPT_P

FPT_PH

FPT_PH

[assi

[assi

IP_EXP.1

Hier

Dep

P_EXP.1.1 inteNon

[ass

P_EXP.1.2 [asseith

[ass

[ass

ATION NOTE 2to meet disk enct credentials (e

ented. Assumingn the TOE and

_CIP_EXP.1.2, om [PP Guide

Device Ide

HP.1 Pass

Hier

Dep

HP.1.1 The com

[refiEncr

HP.1.2 The with

– AES

ignment: cryp– 256 bit

ignment: list o– FIPS PUB

Con

rarchical to:

endencies:

The grity of user

nvolatile Stor

signment: a – HDD

The ignment: liser is written

signment: lis– no action

signment: a – HDD

2. Todancryption requieither the key itg that this functtherefore it shoarguing that un]

ntification an

sive detect

rarchical to:

endencies:

TSF shall promise the

inement] phryption Board

TSF shall h the TSF's d

ptographic key

of standards]B 197

nfidentialit

No o

No d

TSF shall pr and TSF da

orage device]

Removable

TSF shalst of actions]n to [assignm

ist of actions]n

Removable

ay many manufarements. Some tself or credentitionality can noould be possiblenauthorized mo

nd Authentica

tion of phy

No o

No d

provide unae TSF.

hysical tampd

provide thedevices or T

y sizes]

ty and inte

other compo

dependencie

provide a fuata when eit.

Nonvolatile

ll provide ] when it dement: a Rem

s]

Nonvolatile

acturers are looof these drives

ials required to ot be bypassed, e to instantiate "dification is pre

ation Functio

ysical attac

other compo

dependencie

ambiguous d

pering -> Phy

e capability SF's elemen

egrity of st

onents.

es

unction that ther is writt

e Storage dev

a functionetects altera

movable Nonv

e Storage dev

king at hardwas will not allow unlock the keydetection of mo"no action" in thevented by the d

on

ck

onents.

es.

detection of

ysical replace

to determinnts has occur

ored data

ensures theten to [assig

vice]

n that dettion of user

nvolatile Stor

vice]

are solutions sucdata to be writt

y stored in a secodifications is nhe assignment fdesign of the sy

physical ta

ement of the

ne whether rred.

e confidentianment: a Re

tects and pand TSF da

rage device]

ch as fully encryten to the drive

cure area of the not a useful funfor the "list of aystem.

ampering th

HDD and H

physical ta

ality and emovable

performs ata when .

ypting unless the drive) are ction actions" in

at might

HDD Data

ampering

6.1.7

6.1.7.1

FCS_C

FCS_CO

cr3AA

FTP_IT

FTP_ITC

FTP_ITC

[refiEncr

LAN Data P

IP Packet E

COP.1(n) C

Hier

Dep

OP.1.1(n) Thaccoalgomee

[ass

[ass

[ass

[ass

Table 2

ryptographicDES-CBC

AES-CBC AES-GCM

TC.1 Inte

Hier

Dep

C.1.1 The trusand com

C.1.2 The com

inement] phryption Board

Protection

Encryption F

ryptograp

rarchical to:

endencies:

he TSF shordance withorithm] and et the followi

signment: lis– Encrypti– Decrypti

signment: cr– Refer to

signment: cr– Refer to

signment: lis– Refer to

24 - IPSec cr

c algorithm

er-TSF trus

rarchical to:

endencies:

TSF shall sted IT prod

provides amunicated d

TSF shalmunication

hysical tampd

Function

Function

hic operat

No o

[FDattrFDPFCSFCS

hall performh a specifiedcryptographing: [assignm

ist of cryptogon of IP packion of IP pack

ryptographic"Cryptograph

ryptographic"Cryptograph

ist of standar"List of Stan

ryptographic

crypto168 bit128 bit128 bit

sted chann

No o

No d

provide a duct that is assured idedata from m

ll permit via the trus

pering -> Phy

tion

other compo

P_ITC.1 Imibutes, or

P_ITC.2 ImpS_CKM.1 CrS_CKM.4 Cr

m [assignmed cryptograhic key sizesment: list of

graphic operakets sent to thkets received

c algorithm]hic Algorithm

c key sizes]hic Key Sizes

rds] ndards" in Ta

c algorithm

ographic key t t, 192bit, 256 t, 192bit, 256

nel

other compo

dependencie

communicalogically di

entification modification o

the TSF, sted channel

ysical replace

onents.

mport of

port of user dryptographicryptographic

ent: list ofphic algorit

s [assignmenf standards].

rations] he LAN

from the LA

m" in Table 24

s" in Table 24

able 24.

, key sizes a

sizes lisFI

bit FIbit SP

onents.

es.

ation channistinct from of its end

or disclosure

another trul.

ement of the

user data

data with sec key generac key destru

f cryptograpthm [assignmnt: cryptogra.

AN

4.

4.

and standar

st of standardIPS PUB 46-3IPS PUB 197 P800-38D

nel between other commpoints and

e.

usted IT p

HDD and H

a without

ecurity attribation] ction

aphic operatment: crypt

raphic key si

rds

ds 3

itself and munication cd protection

product to

HDD Data

security

butes, or

tions] in tographic izes] that

another channels n of the

initiate

FTP_ITC

6.1.8 S

FPT_TS

FPT_TS

FPT_TS

FPT_TS

6.1.9 A

FAU_G

FAU_GE

C.1.3 The of D

Self-Test F

ST.1 TSF

Hier

Dep

ST.1.1 The periconddemTSF

[selereqwh

[sele

ST.1.2 The of [s

[sele

ST.1.3 The of st

Audit Log

GEN.1 Aud

Hier

Dep

EN.1.1 The

- Start-up an

- All auditabof audi

- all AuditabSFR in

[sel

TSF shall iD.DOC, D.FU

Function

F testing

rarchical to:

endencies:

TSF shalliodically durditions [ass

monstrate thF].

ection: duriequest of thehich self test– during in

ection: [assi– Cryptogr

3DES)

TSF shall pselection: [as

ection: [assi– Cryptogr

TSF shall ptored TSF ex

Function

dit data ge

rarchical to:

endencies:

TSF shall b

nd shutdown o

ble events for it; and

ble Events asn Table 25; [a

ection, choo

initiate comUNC, D.PRO

No o

No d

l run a suring normal signment: che correct op

ing initial se authorisedst should occ

itial start-up

gnment: parraphic algorit

provide authssignment: p

gnment: parraphic key

provide authxecutable co

eneration

No o

FPT

be able to gen

of the audit fun

the [selection

s each is defiassignment: ot

ose one of: m

munication OT, and D.CO

other compo

dependencie

uite of self l operation, aconditions uperation of

start-up, perd user, at thcur]]

rts of TSF], thms used w

horised userparts of TSF

rts of TSF],

horised userode.

other compo

T_STM.1 Rel

nerate an au

nctions;

n, choose one

ned for its Ather specifical

minimum, b

via the trusONF over an

onents.

es.

tests [seleat the requeunder which[selection: [

riodically duhe conditions

the TSF] with the LAN

rs with the cF], TSF data]

TSF data]

rs with the c

onents.

liable time s

udit record o

of: minimum

Audit Level (illy defined au

basic, detail

sted channeny Shared-m

ection: duriest of the autch self test[assignment

during normas [assignme

N Data Prote

capability to].

capability to

stamps

of the followi

, basic, detail

if one is speciditable events

led, not spec

el for commumedium Inte

ing initial uthorised uset should oc: parts of T

mal operationnt: condition

ection Functi

o verify the

o verify the

ing auditabl

led, not specif

ified) for the s].

cified]

unication erface.

start-up, er, at the ccur]] to TSF], the

n, at the ons under

ion (AES,

integrity

integrity

le events:

fied] level

Relevant

FAU_GE

Auditab

Job comBoth sucauthentiBoth sucidentificUse of tModificpart of aChangesTerminasession Failure o

FAU_G

FAU_GE

FPT_ST

FPT_ST

5 See "SeIn IEEE but notes

[ass

EN.1.2 The

- Date and tifailure)

- For each aincludeby its requir

[ass

ble event

mpletion ccessful and uication mechanccessful and ucation mechanthe managemecations to the ga role s to the time ation of an intlocking mechof the trusted

GEN.2 Use

Hier

Dep

EN.2.1 For asso

TM.1 Rel

Hier

Dep

TM.1.1 The

ection 14.1 IEStd 2600.1, t

s that this is a

– not specif

signment: o– None

TSF shall r

me of the eve) of the event;

audit event tyed in the PP/S

Audit Leveed); [assignm

signment: o– None

T

unsuccessful unism

unsuccessful unism ent functions group of users

eractive sessiohanism5

channel funct

er identity

rarchical to:

endencies:

audit eventociate each a

iable time

rarchical to:

endencies:

TSF shall b

EEE Std 2600his is indicatea transcriptio

fied

other specifi

record within

ent, type of ev; and

ype, based on ST, for each Rel (if one is ment: other aud

other audit r

Table 25 -Aud

use of the

use of the

s that are

on by the

tions

associatio

No o

FAUFIA

s resulting fauditable ev

stamps

No o

No d

be able to pr

.1 Errata" in ed as "Lockinon error.

fically define

n each audit

ent, subject id

the auditableRelevant SFRspecified), a

dit relevant inf

relevant inf

dit data requ

Relevant SF

FDP_ACF.1FIA_UAU.1

FIA_UID.1

FMT_SMF.1FMT_SMR.1

FPT_STM.1FTA_SSL.3

FTP_ITC.1

on

other compo

U_GEN.1 AuA_UID.1 Tim

from actionsent with the

other compo

dependencie

ovide reliab

the PP Guideng of an intera

ed auditable

t record at le

dentity (if app

e event definR listed in Taand (2) all Anformation].

formation]

uirements

R Aud

Not Basi

Basi

Min1 Min

MinMin

Min

onents.

udit data genming of identi

s of identifiee identity of

onents.

es.

le time stam

e. active session

le events]

east the follo

licable), and t

itions of the able 25: (1) inAdditional In

dit level

specified ic

ic

nimum nimum

nimum nimum

nimum

neration ification

d users, the the user tha

mps.

n by the sessio

owing inform

the outcome (

functional conformation anformation (

Additional inform

Type of job None requir

Attempted uidentity, if aNone requirNone requir

None requirNone requir

None requir

TSF shall bat caused th

on locking me

mation:

success or

omponents as defined (if any is

mation

red

user availablered red

red red

red

be able to he event.

echanism"

FAU_S

FAU_SA

FAU_SA

FAU_S

FAU_SA

FAU_S

FAU_ST

FAU_ST

FAU_S

FAU_ST

SAR.1 Audi

Hier

Dep

AR.1.1 The[ass

[ass

[ass

AR.1.2 Theinte

SAR.2 Rest

Hier

Dep

AR.2.1 Theuser

STG.1 Prote

Hier

Dep

TG.1.1 The Tdele

TG.1.2 Themod

[sel

STG.4 Prev

Hier

Dep

TG.4.1 Theaud"ovebe t

it review

rarchical to:

endencies:

e TSF shall ignment: lis

signment: a– U.ADMIN

signment: li– Refer to

e TSF shall rpret the inf

tricted aud

rarchical to:

endencies:

e TSF shall rs that have

ected audi

rarchical to:

endencies:

TSF shall pretion.

e TSF shall difications to

ection, choo– prevent

vention of a

rarchical to:

endencies:

e TSF shaldited events,erwrite the taken in cas

No o

FAU

provide [assst of audit in

authorised uNISTRATOR

ist of audit the audit logs

provide thformation.

dit review

No o

FAU

prohibit allbeen grante

it trail stor

No o

FAU

rotect the st

be able to [o the stored

ose one of: p

audit data

FAU

FAU

ll [selections, except tho

oldest storese of audit s

other compo

U_GEN.1 Au

signment: aunformation] f

users] R

informations listed in Tab

e audit reco

other compo

U_SAR.1 Aud

l users readed explicit re

rage

other compo

U_GEN.1 Au

tored audit r

[selection, chaudit record

prevent, det

loss

U_STG.3 Act

U_STG.1 Pro

n, choose onose taken byred audit restorage failu

onents.

udit data gen

uthorised usfrom the aud

n] ble 25.

ords in a m

onents.

dit review

d access to ead-access.

onents.

udit data gen

records in th

hoose one ofds in the aud

tect]

tion in case o

otected audi

one of: "ignoy the author

ecords"] andure] if the au

neration

sers] with thdit records.

manner suita

the audit re

neration

he audit trai

of: prevent, ddit trail.

of possible a

it trail stora

nore auditedorised user wd [assignmeudit trail is

he capability

able for the

ecords, exce

il from unau

detect] unau

audit data lo

ge

d events", with specialent: other ac full.

y to read

e user to

ept those

uthorised

uthorised

oss

"prevent l rights",

actions to

6.1.10

6.1.10.1

FIA_SO

FIA_SO

FMT_M

FMT_M

[seleexceolde

[ass

Manageme

User Mana

OS.1 Ver

Hier

Dep

OS.1.1 The defin

[ass

MTD.1(user

Hier

Dep

MTD.1.1 (usemoddataownU.A

[seleop

[assas

[seleU.

ection, chooept those taest stored au– "overwrit

signment: ot– None

ent Functio

agement Fun

rification o

rarchical to:

endencies:

TSF shall ined quality

signment: a – Use a pas– Prohibit t– Use at lea– Use at lea– Use at lea– Use at lea– Allowed

- All c

r-mgt) Man

rarchical to:

endencies:

r-mgt) The dify, delete, ca associated ned by a UADMINISTRA

ection: chaperations]] – Refer to

signment: lissociated wit– Refer to

ection, choU.NORMAL t– Refer to

Table

ose one of: aken by theudit recordste the oldest st

ther actions

on

nction

of secrets

No o

No d

provide a mmetric].

defined quassword 4 to 3the use of 3 oast one upperast one lowerast one numbast one non-acharacters characters oth

nagement

No o

FMTFMT

TSF shall rclear, [assig

d with a U.NOU.NORMAL

RATOR, the U

ange_default

"Operation"

list of TSF ith document

"TSF Data" i

oose one to whom suc"Role" in Tab

e 26 - User in

f: "ignore aue authorised

ds"] tored audit rec

s to be taken

other compo

dependencie

mechanism

ality metric]32 characters or more consercase charactercase characteber (0-9) alphabet chara

her than cont

of TSF da

other compo

T_SMR.1 SeT_SMF.1 Sp

restrict the gnment: othe

NORMAL or TL] to [selecU.NORMAL

t, query, m

in Table 26.

F data assocnts or jobs ow

in Table 26.

of: Nobodych TSF data ble 26.

nformation m

udited evend user with

cords"

n in case of

onents.

es

to verify th

in length ecutive characer (A to Z) er (a to z)

acters (^-@[]

trol characters

ta

onents.

ecurity rolespecification o

ability to [sher operation

TSF Data asction, choosL to whom su

modify, dele

ciated with wned by a U.

y, [selectioa are associat

managemen

nts", "preveh special righ

f audit stora

hat secrets m

cters

]:;,./¥!"#$%&

s

of Managem

selection: chns]] the [assissociated witse one of: uch TSF dat

ete, clear,

h a U.NORMU.NORMAL]

n: U.ADMated]]

nt

ent auditedghts", "overw

age failure]

meet [assign

&'()=~|{`+*}_

ment Functio

hange_defaulignment: lis

ith documentNobody, [s

ta are associ

[assignmen

RMAL or TS

MINISTRATO

d events, write the

nment: a

_?><)

ns

ult, query, st of TSF

nts or jobs selection: iated]].

nt: other

TSF Data

OR, the

TSF

User

role

Pass

Own

FMT_S

FMT_SM

FMT_SM

6.1.10.2

FCS_C

FCS_CK

FCS_C

F data

r name

swords

n password

SMR.1 Sec

Hier

Dep

MR.1.1 The Nob

[sele

MR.1.2 The whic

Cryptograp

CKM.1 Cryp

Hier

Dep

KM.1.1 Thecrypgenecryp

[ass

[ass

[ass

CKM.2 Cryp

Hier

Dep

curity roles

rarchical to:

endencies:

TSF shall body, [assign

ection: Nobo– Nobody

TSF shall bch no user s

phic Key Man

ptographic

rarchical to:

endencies:

e TSF shalptographic eration algptographic k

signment: cr– Cryptogr

signment: cr– 128bit, 16

signment: lis– FIPS PUB

ptographic

rarchical to:

endencies:

Rol

U.A

U.A

U.A

U.N

s

No o

FIA

maintain thnment: the a

ody, [assignm

be able to ashall be asso

nagement Fu

c key gene

No o

[FCFCSFCS

l generate key gener

gorithm] ankey sizes] tha

ryptographicraphic key ge

ryptographic8bit, 192bit, 25

ist of standarB 186-2

c key distr

No o

[FDattrFDPFCSFCS


le

ADMINISTRA

ADMINISTRA

ADMINISTRA

NORMAL

other compo

A_UID.1 Tim

he roles U.Aauthorised id

ment: the au

ssociate userciated.

unction

eration

other compo

S_CKM.2 CS_COP.1 CryS_CKM.4 Cr

cryptographration algond specifiedat meet the

c key generaeneration algo

c key sizes]56 bit

rds]

ibution

other compo

P_ITC.1 Imibutes, or

P_ITC.2 ImpS_CKM.1 CrS_CKM.4 Cr


Op

ATOR dele

ATOR mod

ATOR mod

mod

onents.

ming of identi

ADMINISTRdentified role

uthorised ide

rs with roles

onents.

ryptographiyptographic ryptographic

hic keys inorithm [asd cryptografollowing: [a

ation algorithorithm accord

onents.

mport of

port of user dryptographicryptographic


eration

ete, create, qu

dify, delete, cr

dify, delete, cr

dify

ification

RATOR, U.Nles]].

dentified role

s, except for

ic key distriboperation]

c key destru

n accordancsignment: aphic key assignment:

thm] ding to FIPS P

user data

data with sec key generac key destru


uery

reate, query

reate

NORMAL, [s

es]]

the role "No

bution, or

ction

ce with a cryptographsizes [assilist of stand

PUB 186-2

a without

ecurity attribation] ction


selection:

obody" to

specified phic key

ignment: dards].

security

butes, or


FCS_CK

6.1.10.3

FMT_M

FMT_M

KM.2.1 Thecrypmeth

[ass

[as

Device Ma

MTD.1(devi

Hier

Dep

MTD.1.1(devimoddata[ass

[seleop

[ass

[seleth

TSF Da

Date/Ti

HDD D

IPSec se

Auto Re

Lockou

Passwor

Audit lo

TSF shallptographic kthod] that m

signment: cr– DH (Diff

ssignment: l– SP800-56

nagement F

ice-mgt)

rarchical to:

endencies:

ice-mgt) The dify, delete, ca] to [selecignment: th

ection: chaperations]] – Refer to

signment: lis– Refer to

ection, choohe authorized– Refer to

Tabl

ata

me settings

Data Erase set

ettings

eset settings

ut policy settin

rd policy sett

og

l distribute ey distributeets the foll

ryptographicfie Hellman) a

list of standa6A

unction

Mana

No o

FMTFMT

TSF shall rclear, [assigction, chooshe authorized

ange_default

"Operation"

ist of TSF da"TSF Data T

ose one of: Nd identified "Role" in Tab

le 27 - Device

ttings

ngs

tings


cryptograpion method owing: [assi

c key distriband ECDH (El

ards]

gement of

other compo

T_SMR.1 SeT_SMF.1 Sp

restrict the gnment: othee one of: d identified

t, query, m

in Table 27.

ata] able 27.

Nobody, [seld roles except

ble 27.

e manageme

Role

U.ADMIN

U.ADMIN

U.ADMIN

U.ADMIN

U.ADMIN

U.ADMIN

U.ADMIN


phic keys in[assignmentgnment: list

bution metholliptic Curve D

f TSF data

onents.

ecurity rolespecification o

ability to [sher operation

Nobody, [seroles except

modify, dele

lection: U.ADt U.NORMA

ent function

NISTRATOR

NISTRATOR

NISTRATOR

NISTRATOR

NISTRATOR

NISTRATOR

NISTRATOR


n accordanct: cryptograpt of standard

od] Diffie Hellma

of Managem

selection: chns]] the [assielection: Ut U.NORMA

ete, clear,

ADMINISTRAAL]]]

n

Operatio

R modify

R query, mo

R query, mo

R query, mo

R query, mo

R query, mo

R query, del


ce with a aphic key distds].

an)

ment Functio

hange_defaulignment: lis

U.ADMINISTAL]]].

[assignmen

RATOR, [assi

on

odify

odify

odify

odify

odify

lete


specified stribution

ns

ult, query, st of TSF TRATOR,

nt: other

ignment:


FMT_S

FMT_SM

6.2 S

This secti Table 29Operation

AsAD

AG

SMF.1 Spe

Hier

Dep

MF.1.1 The [ass

[ass

Man

Date

HDD

IPSe

Auto

Lock

Passw

Audi

User

role

Passw

PIN

Own

Security as

ion defines th

9 lists the secnal Environme

ssurance ClasDV: Developm

GD: Guidance

ecification

rarchical to:

endencies:

TSF shall ignment: lis

signment: lis– Refer to

Table 28 -Th

nagement

e/Time setting

D Data Erase

c settings

o Reset setting

kout policy se

word policy s

it log

rname

word

of Memory R

n password

ssurance re

e security assu

curity assuranent A, and rel

Table 29 - 2

ss ment

e documents

of Manage

No o

No d

be capablest of manage

ist of manage"Managemen

he managem

Function

gs

settings

gs

ettings

settings

RX Box

equirement

urance require

nce requiremeated SFR pack

2600.1 Secu

AssuranADV_AADV_FADV_TAGD_O


ement Fun

other compo

dependencie

e of performement functi

ement functint Function" i

ment of secu

Operat

modify

query, m

query, m

query, m

query, m

query, m

query, d

delete, c

modify,

modify,

modify,

modify

ts

ements for the

ents for 2600kages, EAL 3

rity Assuran

nce componeARC.1 SecuritFSP.3 FunctionTDS.2 ArchiteOPE.1 Operati


nctions

onents.

es.

ming the foltions to be pr

tions to be prin Table 28.

urity require

tion

modify

modify

modify

modify

modify

delete

create, query

delete, create

delete, create

create

e TOE.

0.1-PP, Protec augmented b

nce Require

ents ty architecturenal specificati

ectural designional user guid


llowing manrovided by th

rovided by th

ements

e, query

e

ction Profile fby ALC_FLR.

ements

e description ion with comp

dance


nagement futhe TSF].

the TSF]

for Hardcopy2.

plete summary


unctions:

y Devices,

y


As

AL

AS

AT

AV

6.3 S

6.3.1 T

Table 30how eachBold typsupportin

ssurance Clas

LC: Life-cycle

SE: Security T

TE: Tests

VA: Vulnerab

Security fun

The compl

0 provides a mh of the securpeface items ng (S) fulfillm

SFRs FIA_AFL.1

FIA_ATD.1

FIA_UAU.1

FIA_UAU.7

FIA_UID.1

FIA_USB.1

FTA_SSL.3(

FTA_SSL.3(

FMT_MSA.

FMT_MSA.

ss

e support

Target evaluati

ility assessme

nctional re

eteness of

mapping of Trity functionaprovide princ

ment.

Table 30 -Th

1

7

(lui)

(rui)

.1(exec-job)

.3(exec-job)

AssuranAGD_PALC_CALC_CALC_DALC_DALC_FALC_L

ion ASE_CASE_ECASE_INASE_OASE_RASE_SPASE_TSATE_CATE_DATE_FUATE_IN

ent AVA_V

equirement

f security r

OE Security al requiremencipal (P) fulfi

he complete

O.D

OC

.NO

_DIS

O.D

OC

.NO

AL

T

S S


nce componePRE.1 PreparaCMC.3 AuthorCMS.3 ImplemDEL.1 DeliverDVS.1 Identifi

LR.2 Flaw repLCD.1 Develop

CL.1 ConformCD.1 Extende

NT.1 ST introdOBJ.2 Security

EQ.2 DerivedPD.1 SecuritySS.1 TOE sum

COV.2 AnalysiDPT.1 Testing:

UN.1 FunctioND.2 IndepenVAN.2 Vulner

ts rationale

requiremen

Objectives annts correspondfillment of the

eness of sec

O.

OC

.NO

_

O.F

UN

C.N

O_A

LT

O.P

RO

T.N

O_A

LT

S S S


ents ative procedurrisation contro

mentation repry procedurescation of secuporting procedper defined lifmance claimsed componentduction

y objectives d security requy problem defimmary specifiis of coverage: basic design

onal testing dent testing -rability analys

e

nts

nd security fuds to at least oe objectives,

curity requir

Objectives

O.C

ON

F.N

O_D

IS

O.C

ON

F.N

O_A

LT

S S


res ols esentation CM

urity measuresdures (augmenfe-cycle mode

ts definition

uirements inition ication e

sample sis

unctional requone TOE Secand normal t

rements

s

O.U

SER

.AU

TH

OR

IZE

D

O.I

NT

ER

FAC

E.M

AN

AG

ED

O.S

OFT

WA

RE

.VE

RIF

IED

S S

P P

S P P

P

P P

P P

S

S


M coverage

s ntation of EAel

uirements. Thcurity Objectitypeface item

O.A

UD

IT.L

OG

GE

D

O.H

DD

.AC

CE

SS.

AU

TH

OR

ISE

D

S


L3)

his shows ive.

ms provide


6.3.2 T

This sectSecurity O.DOC.NdisclosurBased onassigned

SFRs FDP_ACC.1

FDP_ACF.1

FMT_MSA.

FMT_MSA.

FDP_ACC.1

FDP_ACF.1

FDP_ACC.1

FDP_ACF.1

FPT_FDI_E

FDP_RIP.1

FPT_CIP_E

FCS_COP.1

FPT_PHP.1

FCS_COP.1

FTP_ITC.1

FCS_CKM.

FCS_CKM.2

FPT_TST.1

FAU_GEN.1

FAU_GEN.2

FAU_SAR.1

FAU_SAR.2

FAU_STG.1

FAU_STG.4

FPT_STM.1

FIA_SOS.1

FMT_MTD.

FMT_SMR.

FMT_MTD.

FMT_SMF.1

The suffici

tion providesObjectives.

NO_DIS is thre. O.DOC.Nn user identiffor access co

1(exec-job)

(exec-job)

.1(delete-job)

.3(delete-job)

1(delete-job)

(delete-job)

1(in-job)

(in-job)

EXP.1

XP.1

(h)

(n)

1

2

1

2

1

2

1

4

1

.1(user-mgt)

1

.1(device-mgt)

1

ency of se

s the rationale

he security oO_DIS is addfication inforontrol.

O.D

OC

.NO

_DIS

O.D

OC

.NO

AL

T

S SS SP PS S

PS

PP PS S

S SP PS SS S

S S

S S

ecurity requ

e on how the

objective that dressed by thrmation resul


O.

OC

.NO

_

O.F

UN

C.N

O_A

LT

O.P

RO

T.N

O_A

LT

S SS SP PS S

P P PS S S

S S SP P PS S SS S S

P

S S S P

S S S

uirements

security func

ensures usere following:lting from FI


Objectives

O.C

ON

F.N

O_D

IS

O.C

ON

F.N

O_A

LT

P PS S

S SP PS SS S

P P S S P PS S

ctional requir

r document d

IA_UID.1, ro


s

O.U

SER

.AU

TH

OR

IZE

D

O.I

NT

ER

FAC

E.M

AN

AG

ED

O.S

OFT

WA

RE

.VE

RIF

IED

P

S

P

P

S

S

rements are s

data is protect

oles managed


O.A

UD

IT.L

OG

GE

D

O.H

DD

.AC

CE

SS.

AU

TH

OR

ISE

D

P

P

P

P P P P

S

sufficient to s

ted from una

d by FMT_SM


satisfy the

authorized

MR.1 are


The idFMT_MThe idenFDP_ACtypes. Furthermof job prothe HDDFCS_CKalteration O.DOC.NalterationBased onassigned The idFMT_MSFurthermprotectedFCS_CKdisclosur O.FUNCalterationBased onassigned The idFMT_MSFurthermprotectedFCS_CKdisclosur O.PROTalterationBased onroles manFMT_MTFurthermprotectedFCS_CKdisclosur O.CONFunauthorBased onroles manFMT_MTFurthermprotectedFCS_CKdisclosur O.CONFunauthorBased onroles manFMT_MT

dentified usSA.1(delete-jntified users CC.1(in-job)/F

more, by FDP_ocessing is enD are protec

KM.1, and FCn and disclosur

NO_ALT is tn. O.DOC.NOn user identiffor access co

dentified usSA.1(delete-jo

more, by FPT_d from unauth

KM.2, user dae. By FMT_S

C.NO_ALT isn. O.FUNC.Nn user identiffor access co

dentified usSA.1(delete-jo

more, by FPT_d from unauth

KM.2, user dae. By FMT_S

T.NO_ALT is n. O.PROT.Nn user identifinaged by FMTTD.1(device-m

more, by FPT_d from unauth

KM.2, user dae.

F.NO_DIS isrized disclosun user identifinaged by FMTTD.1(device-m

more, by FPT_d from unauth

KM.2, user dae.

F.NO_ALT isrized alteration user identifinaged by FMTTD.1(device-m

sers are ajob)/FMT_Mare allowed

FDP_ACF.1(

_RIP.1, complnsured. By FPcted from unS_CKM.2, usre. By FMT_S

the security oO_ALT is addfication inforontrol. sers are ob)/FMT_MS_CIP_EXP.1, horized altera

ata and TSF SMF.1, manag

the security NO_ALT is adfication inforontrol. sers are ob)/FMT_MS_CIP_EXP.1, horized altera

ata and TSF SMF.1, manag

the security oNO_ALT is adication informT_SMR.1 are mgt), and FMT_CIP_EXP.1, horized altera

ata and TSF

s the securiture. O.CONF.ication informT_SMR.1 are mgt), and FMT_CIP_EXP.1, horized altera

ata and TSF

s the securion. O.CONF.Nication informT_SMR.1 are mgt), and FMT

allowed to MSA.3(delete-

to access o(in-job), and N

lete deletion oT_CIP_EXP.nauthorized ser data and TSMF.1, manag

objective that dressed by thermation resul

allowed toA.3(delete-jobFCS_COP.1(ation and disdata sent ov

gement functio

objective thaddressed by trmation resul

allowed toA.3(delete-jobFCS_COP.1(ation and disdata sent ov

gement functio

objective thatddressed by thmation manage

assigned for tT_SMF.1. FCS_COP.1(ation and disdata sent ov

ty objective .NO_DIS is a

mation manageassigned for tT_SMF.1. FCS_COP.1(ation and disdata sent ov

ty objective NO_ALT is a

mation manageassigned for tT_SMF.1.


cancel -job), FDP_Anly his/her oNobody is al

of residual info1, FCS_COP.alteration anTSF data sengement functi

ensures protee following:lting from FI

o operateb), FDP_ACCh), and FCS_sclosure. By

ver the LAN ons related to t

at ensures prohe followinglting from FI

o operateb), FDP_ACCh), and FCS_sclosure. By

ver the LAN ons related to t

t ensures prothe following:ed by FMT_Mthe Device M

h), and FCS_sclosure. By

ver the LAN

that ensureaddressed by ed by FMT_Mthe Device M

h), and FCS_sclosure. By

ver the LAN

that ensureaddressed by ted by FMT_Mthe Device M


only his/ACC.1(delete-own documellowed to acc

ormation of u1(h), and FCS

nd disclosurent over the LAions related to

ection of user

IA_UID.1, ro

only his/hC.1(delete-job_CKM.1, user

FCS_COP.1(are protected

these actions,

otection of us: IA_UID.1, ro

only his/hC.1(delete-job_CKM.1, user

FCS_COP.1(are protected

these actions,

tection of TSF

MTD.1(user-mManagement fu

_CKM.1, userFCS_COP.1(are protected

es protectionthe following

MTD.1(user-mManagement fu

_CKM.1, userFCS_COP.1(are protected

es protectionthe followingMTD.1(user-m

Management fu


/her own -job)/FDP_Ant data in press any docu

user documentS_CKM.1, use. By FCS_C

AN are proteco these actions

r document d

oles managed

her own )/FDP_ACF.1r data and TS(n), FTP_ITCd from unautare provided.

ser function d

oles managed

her own)/FDP_ACF.1r data and TS(n), FTP_ITCd from unautare provided.

F protected d

mgt) and resuunction as spec

r data and TS(n), FTP_ITCd from unaut

of TSF cog: mgt) and resuunction as spec

r data and TS(n), FTP_ITCd from unaut

n of TSF cog: mgt) and resuunction as spec


job accorCF.1(delete-jrint job, acc

ument data in

t data created er data and TCOP.1(n), FTcted from unas, are provided

data from una

d by FMT_SM

job accor1(delete-job). F data in the

C.1, FCS_CKthorized alter.

data from una

d by FMT_SM

job accor1(delete-job). F data in the

C.1, FCS_CKthorized alter.

data from una

ulting from FIcified by FMT

F data in the C.1, FCS_CKthorized alter

onfidential d

ulting from FIcified by FMT

F data in the C.1, FCS_CKthorized alter

onfidential d

ulting from FIcified by FMT


rding to job). ording to other job

as a result SF data in TP_ITC.1, authorized d.

authorized

MR.1 are

rding to

HDD are KM.1, and ration and

authorized

MR.1 are

rding to

HDD are KM.1, and ration and

authorized

IA_UID.1, T_SMR.1,

HDD are KM.1, and ration and

data from

IA_UID.1, T_SMR.1,

HDD are KM.1, and ration and

data from

IA_UID.1, T_SMR.1,


FurthermprotectedFCS_CKdisclosur O.USERO.USERUsers autFIA_UAUFTA_SSLFDP_ACFurthermFMT_MS O.INTERinterfaceBy FIA_By FPT_ O.SOFTW O.AUDITFAU_GEthe mean O.HDD.Aspecified

6.3.3 T

This sect

FuReq

FIA_AFIA_ATFIA_UFIA_UFIA_UFIA_UFTA_SFTA_S

FMT_Mb)

FMT_Mb)

FDP_A)

FDP_A)

FMT_Mob)

more, by FPT_d from unauth

KM.2, user dae.

R.AUTHORIZR.AUTHORIZ

thenticated byU.7, and FL.3(lui)/FTA_

CC.1(exec-job)more, authoriSA.3(exec-job

RFACE.MANs in accordan

_UAU.1, FIA__FDI_EXP.1,

WARE.VER

T.LOGGED EN.2, FAU_SAs for user info

ACCESS.AUTby FPT_PHP

The depen

tion provides

unctional quirement FL.1 TD.1 AU.1 AU.7 ID.1 SB.1 SL.3(lui) SL.3(rui)

MSA.1(exec-jo

MSA.3(exec-jo

ACC.1(exec-job

ACF.1(exec-job

MSA.1(delete-j

_CIP_EXP.1(hhorized altera

ata and TSF

ZED is the ZED is addresy the identificFIA_AFL.1, _SSL.3(rui), a)/FDP_ACF.1ized user b), FMT_SMR

NAGED is tnce with secu_UID.1, FTA restricted for

RIFIED is add

is addressed AR.1, FAU_Sormation and t

THORISED iP.1, prior to pe

dencies of

the justificat

Table 31 -Th

Dependerequired FIA_UAU.1No dependeFIA_UID.1 FIA_UAU.1No dependeFIA_ATD.1No dependeNo depende[FDP_ACCFDP_IFC.1]FMT_SMRFMT_SMF.

FMT_MSAFMT_SMR

bFDP_ACF.1

FDP_ACC.FMT_MSA[FDP_ACCFDP_IFC.1]FMT_SMRFMT_SMF.

h), FCS_COPation and disdata sent ov

security objessed by the focation and aut

with user are granted us1(exec-job).information

R.1.

the security rity policy. O

A_SSL.3(lui)/rwarding of d

dressed by pro

by providinSAR.2, FAU_timestamps ge

is addressed ermitting acce

f security r

tion for any d

he dependen

encies by CC

1 FIAencies. No

FIA1 FIAencies. No FIA

encies. No encies. No .1 or ] .1 1

FDPFMFM

A.1 .1

FMFM

1 FDP

1 A.3

FDPFM

.1 or ] .1 1

FDPFMFM


P.1, and FCS_sclosure. By

ver the LAN

ective that eollowing: thentication m

sessions me of the funct

are manag

objective thO.INTERFAC/FTA_SSL.3(data to the LA

oviding the se

ng the Audi_STG.1, and Fenerated on au

by the Devicess to the HDD

requiremen

dependencies

ncies of sec

Dependencsatisfied by

A_UAU.1 dependencies.

A_UID.1 A_UAU.1

dependencies.A_ATD.1

dependencies.dependencies.

P_ACC.1(execMT_SMR.1 MT_SMF.1

MT_MSA.1(execMT_SMR.1

P_ACF.1(exec-

P_ACC.1(execMT_MSA.3(exec

P_ACC.1(deletMT_SMR.1 MT_SMF.1


_CKM.1, userFCS_COP.1(are protected

ensures user

mechanism spemanaged by tion, as determ

ged by FIA

hat ensures CE.MANAGE(rui), the userAN is specifie

elf-test proced

t Log functiFAU_STG.4. Fudit logs.

ce IdentificatD.

nts

not met.

curity requir

ies ST

N/AN/A

N/AN/A

N/AN/AN/A

N/A

-job) N/A

c-job) N/A

-job) N/A

-job) c-job)

N/A

te-job) N/A


r data and TS(n), FTP_ITCd from unaut

identificatio

ecified by FIAFIA_ATD.

mined by acce

A_SOS.1, F

control of oED is addressr interface is med.

dures specifie

ion as speciFIA_UID.1 an

ion and Auth

rements

Reason fordepen

(dependencies (dependencies

(dependencies (dependencies

(no dependenc(dependencies (no dependenc

(no dependenc(dependencies

(dependencies

(dependencies

(dependencies

(dependencies


F data in the C.1, FCS_CKthorized alter

on and authe

A_UAU.1, FI1, FIA_USBess control sp

FMT_MSA.1(

operations ofed by the follmanaged.

ed by FPT_T

fied by FAUnd FPT_STM

hentication fu

r not meetinndencies are satisfied) are satisfied)

are satisfied) are satisfied)

ies) are satisfied) ies)

ies) are satisfied)

are satisfied)

are satisfied)

are satisfied)

are satisfied)


HDD are KM.1, and ration and

entication.

IA_UID.1, B.1, and ecified by

(exec-job),

f the I/O lowing:

TST.1.

U_GEN.1, .1 provide

unction as

g


FuReq

FMT_Mob)

FDP_Aob)

FDP_Ab)

FDP_A

FDP_A

FPT_FD

FDP_R

FPT_C

FCS_C

FPT_PH

FTP_IT

FCS_C

FCS_C

FCS_C

FPT_T

FAU_G

FAU_G

FPT_ST

unctional quirement MSA.3(delete-j

ACC.1(delete-j

ACF.1(delete-jo

ACC.1(in-job)

ACF.1(in-job)

DI_EXP.1

RIP.1

CIP_EXP.1

COP.1(h)

HP.1

TC.1

COP.1(n)

CKM.1

CKM.2

ST.1

GEN.1

GEN.2

TM.1

Dependerequired FMT_MSAFMT_SMR

FDP_ACF.1

FDP_ACC.FMT_MSA

FDP_ACF.1

FDP_ACC.FMT_MSA

FMT_SMF.FMT_SMR

No depende

No depende

[FDP_ITC.1FDP_ITC.2 FCS_CKM.FCS_CKM.

No depende

No depende

[FDP_ITC.1FDP_ITC.2 FCS_CKM.FCS_CKM.

[FCS_CKMFCS_COP.1FCS_CKM.

[FDP_ITC.1FDP_ITC.2 FCS_CKM.FCS_CKM.

No depende

FPT_STM.1

FAU_GEN.FIA_UID.1 No depende

encies by CC

A.1 .1

FMFM

1 FDP

1 A.3

FDPFM

1 FDP

1 A.3

FDPFM

1 .1

FMFM

encies. No

encies. No

1 or or

.1]

.4

FCS

encies. No

encies. No

1 or or

.1]

.4

FCS

M.2 or 1] .4

FCSFCS

1 or or

.1]

.4

FCS

encies. No

1 FPT

1 FAUFIA

encies. No


Dependencsatisfied by

MT_MSA.1(deleMT_SMR.1

P_ACF.1(delete

P_ACC.1(deletMT_MSA.3(dele

P_ACF.1(in-job

P_ACC.1(in-joMT_MSA.3(dele

MT_SMF.1 MT_SMR.1

dependencies.

dependencies.

S_CKM.1

dependencies.

dependencies.

S_CKM.1

S_COP.1(n) S_COP.1(h)

S_CKM.1

dependencies.

T_STM.1

U_GEN.1 A_UID.1

dependencies.


ies ST

ete-job) N/A

e-job) N/A

te-job) ete-job)

N/A

b) N/A

ob) ete-job)

N/A

N/A

N/A

N/A

FCS_Crypand AlsoprevsuchsecurmethN/A

N/A

FCS_Crypand AlsoprevsuchsecurmethFCS_Crypand AlsoprevsuchsecurmethFCS_Crypand Alsoprevsuchsecurmeth

N/A

N/A

N/A

N/A


Reason fordepen

(dependencies

(dependencies

(dependencies

(dependencies

(dependencies

(dependencies

(no dependenc

(no dependenc

_CKM.4 is not ptographic keys

disappear wheo, extraction of ented by the de

h, cryptographirely enough

hod for their des(no dependenc

(no dependenc

_CKM.4 is not ptographic keys

disappear wheo, extraction of ented by the de

h, cryptographirely enough

hod for their des_CKM.4 is not

ptographic keysdisappear whe

o, extraction of ented by the de

h, cryptographirely enough

hod for their des_CKM.4 is not

ptographic keysdisappear whe

o, extraction of ented by the de

h, cryptographirely enough

hod for their des

(no dependenc

(dependencies

(dependencies

(no dependenc


r not meetinndencies are satisfied)

are satisfied)

are satisfied)

are satisfied)

are satisfied)

are satisfied)

ies)

ies)

claimed becaus are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi

struction. ies)

ies)

claimed becaus are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi

struction. claimed becau

s are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi

struction. claimed becau

s are stored inen power is sf cryptographic esign of the sysic keys are mnot to requi

struction.

ies)

are satisfied)

are satisfied)

ies)


g

use: n RAM, shut off.

keys is stem. As managed ire any

use: n RAM, shut off.

keys is stem. As managed ire any

use: n RAM, shut off.

keys is stem. As managed ire any

use: n RAM, shut off.

keys is stem. As managed ire any


FuReq

FAU_S

FAU_S

FAU_S

FAU_S

FIA_SO

FMT_Mgt) FMT_S

FMT_Mmgt)

FMT_S

6.4 S

ThinfoaccobecaalmoAgeremdeviwithmalf

EA

and inclu

unctional quirement SAR.1

SAR.2

STG.1

STG.4

OS.1

MTD.1(user-m

SMR.1

MTD.1(device-

SMF.1

Security as

his Protectionormation proceountability andause it is assuost constant p

ents cannot pmovable nonvo

ices are removh code to efffunctions. As

AL 3 is augmeprocedures f

usion is expec

Dependerequired FAU_GEN.

FAU_SAR.

FAU_GEN.

FAU_STG.1

No depende

FMT_SMRFMT_SMF.FIA_UID.1

FMT_SMRFMT_SMF.

No depende

ssurance re

n Profile hasessing environd information

umed that the protection frophysically accolatile storageved from the

ffect a changsuch, the Eva

ented with ALfor the reporcted by the co

encies by CC 1 FAU

1 FAU

1 FAU

1 FAU

encies. No

.1 1

FMFMFIA

.1 1

FMFM

encies. No

equirement

been develonments that re

n assurance. ThTOE will be

om unauthorizcess any none devices, wheTOE environ

ge and the Taluation Assur

LC_FLR.2, Flrting and remnsumers of th


Dependencsatisfied by

U_GEN.1

U_SAR.1

U_GEN.1

U_STG.1

dependencies.

MT_SMR.1 MT_SMF.1 A_UID.1

MT_SMR.1 MT_SMF.1

dependencies.

ts rationale

oped for Harequire a relatihe TOE envirlocated in a r

zed and unmanvolatile storaere protection

nment. AgentsTOE self-verifrance Level 3

law reporting mediation of ihis TOE.


ies ST

N/AN/A

N/AN/A

N/A

N/A

N/A

N/A

N/A

e

rdcopy Devicively high levronment will brestricted or m

anaged accessage without n of User ands have limited fies its execuis appropriate

procedures. Aidentified sec


Reason fordepen

(dependencies (dependencies

(dependencies (dependencies

(dependencies

(dependencies

(dependencies

(dependencies

(no dependenc

ces used in vel of documebe exposed to monitored envs to the TOE disassembling

d TSF Data aror no means

utable code te.

ALC_FLR.2 ecurity flaws a


r not meetinndencies are satisfied) are satisfied)

are satisfied) are satisfied)

are satisfied)

are satisfied)

are satisfied)

are satisfied)

ies)

restrictive coent security, oonly a low le

vironment thaand its data i

g the TOE ere provided wof infiltrating

to detect uni

ensures that inare in place,


g

ommercial operational vel of risk

at provides interfaces. except for when such g the TOE intentional

nstructions and their


7 TO

This sect

7.1 U

-

When thTOE requof print j

Two met

-

-

For user authenticFor secur

The TOE

The ACTapplicatio

The TOE[FIA_AF

-

-

The TOElasting fo

-

-

OE Summa

tion describes

User Authe

SupportedFIA_USB.

e control panuires user autobs, fax jobs

thods of user

External A

Authentican Activeauthentica

Internal Au

Authentic

authenticatiocation succeerity, note that

E issues an Ac

T is an objecon functions

E provides a lFL.1]

This functfailed authbefore loc

Any user 1 to 60 mi

E terminates aor a specified

At the confrom 10 se

At a remo

ary specifi

s the TOE sum

entication F

d functional1, FIA_AFL.

nel or a remothentication i, and I-fax jo

authenticatio

Authentication

cation is basede Directory seation.

uthentication

cation is based

on, the TOE peds only if tht the passwor

ccess Control

ct that contathat are speci

lockout functi

tion locks ouhentication atckout (Initial

that is lockedinutes can be

an interactived period of tim

ntrol panel, seconds to 9 m

ote UI, session

ication

mmary specif

Function

l requireme.1, FTA_SSL

ote UI is usedin order to idbs is always p

on are support

n

d on user infoerver that use

d on user info

prompts inputhe user name d is masked b

l Token (ACT

ains the user'ified for each

ion in order t

ut any user thattempts. A vavalue: 3).

d out will note specified as

e session wheme. [FTA_SS

session timeominutes can b

n timeout occ


fications.

ents: FIA_U.3(lui), FTA_

d to operate tentify and aupermitted. [F

ted:

formation regies Kerberos a

ormation regi

t of the user nand passwor

by asterisks in

T) to each use

s name and h user role. [F

to minimize in

at fails to logalue from 1 to

t be able to lothe lockout t

en there is noSL.3(lui), FTA

out occurs aftbe specified (I

curs after 15 m


UAU.1, FIA_U_SSL.3(rui)

the MFP, befouthenticate vaFIA_UAU.1,

istered in theauthentication

istered in the

name, password matches thn the text fiel

er successfull

role, as wellFIA_ATD.1, F

nvalid login a

gin successfulo 10 can be s

ogin until theime (Initial v

o user activityA_SSL.3(rui

er a specifiedInitial value:

minutes of us


UID.1, FIA_

fore permittinalid users. HoFIA_UID.1]

authentication, or LDAP s

device.

ord, and the lhe one at theld. [FIA_UA

ly authenticat

l as the acceFIA_USB.1]

attempts in In

lly within thespecified as th

e lockout timevalue: 3 minut

y at the contri)]

d period of u2 minutes).

ser inactivity.


_UAU.7, FIA

ng such operaowever, the su

on server. Thserver that us

login destinate specified deU.7]

ted.

ess permissio]

nternal Authe

e maximum nhe number of

e passes. A vtes).

rol panel or r

ser inactivity

.


A_ATD.1,

ations, the ubmission

is may be ses LDAP

tion. User estination.

ons to the

entication.

number of f attempts

alue from

remote UI

y. A value


7.2 F

-

For eachthe ACTcontainedattribute

When thdependin

When a rattribute

Only U.A

UI

Control p

Remote U

7.3 J

For PrintRestrictio

7.3.1

-

Function Us

SupportedFMT_MSA

h UI, the TOET issued to ad in the ACTof the Object

he control pang on the setti

remote UI is values associ

ADMINISTR

Obje

panel PointPrint

Point

PointSend

Point

PointInbox

UI PointInbox

Job Output R

t, Copy, Scanon restricts ac

Job C

SupportedFMT_MSA

se Restrictio

d functionA.1(exec-job)

E provides Fauthenticated T, are performt is the functi

anel is used, ings in "Appl

used, Functiiated with the

RATORs are a

Table

ect

ter to [Secure]

ter to [Copy]

ter to [Scan ad]

ter to [Fax]

ter to [Fax/I-Fx]

ter to [Fax/I-Fx]

Restriction

n, and Fax Tccess to subm

Cancel

d functionaA.1(delete-job

on Function

nal require), FMT_MSA

unction Use users. Any q

med by U.ADions itself, an

Function Uslication Restr

ion Use Restre role in the A

allowed use o

e 32 - Functio

Cond

ed The rhave funct

The rhave

and The rhave funct

The rhave funct

Fax The rhave Files

Fax The ranyth

Functions

TX jobs, the mitted jobs, by

al requiremb), FMT_MS


ements: FDA.3(exec-job),

Restriction, wqueries, modDMINISTRA

nd is therefore

se Restrictionrictions", whi

riction FunctiACT.

of all function

on Use Rest

dition

role associatepermission t

tion.

role associatepermission t

role associatepermission t

tion

role associatepermission t

tion

role associatepermission t] function

role associatehing other tha

TOE providey the user tha

ments: FDPSA.3(delete-jo


DP_ACC.1(e, FMT_SMF.

which controdifications, deATORs only. e fixed.

n Function pich are based

ion permits o

ns.

riction Polic

ed with U.USo the [Secure

ed with U.USo the [Copy]

ed with U.USo the [Scan a

ed with U.USo the [Scan a

ed with U.USo the [Access

ed with U.USan Administra

es the followat executed th

P_ACC.1(deleob), FMT_SM


exec-job), F1

ols access baseletions, andFor Function

permits or deon the role c

or denies use

cy

SER must ed Print]

SER must function

SER must and Send]

SER must and Send]

SER must s Stored

SER is ator.

wing security he job.

ete-job), FDMF.1


FDP_ACF.1(e

sed on the cod additions ton Use Restri

enies use of ontained in th

of functions

Operation

Executed bactivating Object.

Executed bactivating Object.

Executed bactivating Object.

Executed bactivating Object.

Executed bactivating Object.

Cannot be

functions. Jo

DP_ACF.1(de


exec-job),

ontents of o the role ction, the

functions he ACT.

based on

n

by the

by the

by the

by the

by the

executed.

ob Output

elete-job),


TOE can delete Print, Copy, Scan, and Fax TX jobs according to the following. The user name of these jobs is initialized by username of the user that executed the job.

- U.NORMAL is authorized to delete his/her own job.
- U.ADMINISTRATOR is authorized to display a list of all jobs and delete any of them.

With the cancellation of the job, the attribute value to be attached to the job is deleted.

7.3.2 In The JOB Access Control

- Supported functional requirements: FDP_ACC.1(in-job), FDP_ACF.1(in-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMF.1

TOE provides the following access control functions for documents in each job. User name of these jobs is initialized by username of the user that executed the job.

Copy, Scan, Fax TX Jobs

- Nobody is authorized to read documents in any copy jobs.
- Nobody is authorized to read documents in any scan, and Fax TX jobs, except in case of 7.3.3 Temporarily Stored FAX TX Jobs.

Temporarily Stored Print Jobs

If a print job with a PIN is submitted, the job is temporarily stored in the machine without being output. Additionally, it uses the user name associated with the print job to determine its owner, in order to realize access restriction as described below.

For temporarily stored jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.

- Print
- Change priority for printing
- Delete

Printing starts when the PIN for the print job is entered from the control panel of the machine.

For all temporarily stored jobs, U.ADMINISTRATOR is allowed to display a list of jobs and execute the following:

- Delete

Received Fax Jobs

For documents received by fax/I-fax, the TOE provides the Memory RX Inbox where these jobs may be stored as files, to be output at a later time. Since these are stored in the Memory RX Inbox, access control to this inbox, is equivalent to access control to the stored document data. A PIN can be assigned to the Memory RX Inbox, to prevent unauthorized access by other users.

Only U.ADMINISTRATORs are authorized to initialize, set, modify, or delete the PIN on the Memory RX Inbox, which means only U.ADMINISTRATORs are allowed access to the stored document data. The TOE realizes access restriction, by determining the U.ADMINISTRATOR that enters the correct PIN to be the owner of the stored document data, preventing any U.NORMAL from executing print or send operations on the document data.


If the control panel is used, U.ADMINISTRATOR is allowed access to the following operations without entering any PIN.

- Print
- Send
- Delete

If a remote UI is used, U.ADMINISTRATOR is allowed access to the following operations only by entering the correct PIN.

- Print
- Send
- Delete

7.3.3 Temporarily Stored FAX TX Jobs

- Supported functional requirements: FDP_ACC.1(in-job), FDP_ACF.1(in-job), FDP_ACC.1(delete-job), FDP_ACF.1(delete-job)

There are two types of Send Jobs: Fax TX job and Scan job. And there are Delayed Send function and Preview function as Temporarily Stored FAX TX Jobs function to store jobs temporarily.

Delayed Send

When the TOE receives a FAX TX job with transmission time specified, it is first stored temporarily, until sending at the specified time.

For temporarily stored FAX TX jobs, the following operations are available to U.NORMALs, only if the user's name matches the user name associated with the desired job.

- Change destination

For all temporarily stored FAX TX jobs, U.ADMINISTRATOR is allowed to execute the following:

- Change destination

Preview

When the TOE receives a FAX TX job with Preview setting, it is first stored temporarily and previewed, later it is sent.

For temporarily stored FAX TX jobs, the following operations are available to U.USERs, only if the user's name matches the user name associated with the desired job.

- Preview
- Delete Pages
- Delete Jobs

7.4 Forward Received Jobs Function

- Supported functional requirements: FPT_FDI_EXP.1


The design of the TOE prevents received data from being forwarded directly to a server or computer. This function enables the user to restrict forwarding of received jobs to the LAN.

7.5 HDD Data Erase Function

- Supported functional requirements: FDP_RIP.1

By overwriting with random data, the TOE permanently erases document data (including temporary image files) in the HDD, to ensure that no trace of the document data remains on the HDD.

The user can choose one of the following erasure methods:

- Overwrite using the DoD standard
- Overwrite with random data three times
- Overwrite once with random data
- Overwrite once with null data

The timing in which data are erased is specified below.

- Image files temporarily stored in the HDD as a result of job processing are completely erased during or after processing of the job.
- Residual information that remained unerased due to a sudden power shutdown is completely erased from the HDD upon startup of the TOE.

7.6 HDD Data Encryption Function

- Supported functional requirements: FPT_CIP_EXP.1

The security functions provided by the TOE's "HDD Data Encryption Board" are described below.

The encryption/decryption function together with the Device Identification and Authentication function provide confidentiality and integrity protection for user data and TSF data stored in the HDD.

7.6.1 Encryption/Decryption Function

- Supported functional requirements: FCS_COP.1(h)

To protect the confidentiality and integrity of user data and TSF data stored in the HDD, the TOE performs the following cryptographic operations to encrypt all data stored in the HDD.

- Encryption of data written to the HDD.
- Decryption of data read out from the HDD.

The cryptographic algorithm and cryptographic key size are specified below:

- AES algorithm (FIPS PUB 197)
- 256 bit key length


7.6.2 Cryptographic Key Management Function

- Supported functional requirements: FCS_CKM.1

The TOE uses the following specifications for generating the cryptographic key that is used by the HDD data encryption function.

- Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
- Generates a cryptographic key with 256 bit key length

The cryptographic key is managed as follows.

- Upon startup, the TOE reads the seed information stored in FlashROM and generates a cryptographic key.
- After generating the cryptographic key, the TOE stores the key in RAM.

No method is available for acquiring the seed from the encryption board. Note also, that because the cryptographic key is stored in volatile RAM memory, it disappears when power is shut off.

7.6.3 Device Identification and Authentication Function

- Supported functional requirements: FPT_PHP.1

The HDD Data Encryption Board identifies the MFP at each startup, and permits access to the HDD only if it is identified as the correct MFP. This function helps prevent unauthorized access to the contents of the HDD, even if the HDD and HDD Data Encryption Board are physically removed and connected to a different MFP.

[Registration of the Authentication ID]

The HDD Data Encryption Board, when it is initially mounted, acquires the device authentication ID from the MFP device, and stores it in FlashROM.

[Procedure for identification and authentication]

Upon startup, the HDD Data Encryption board generates a pseudo-random number which it passes to the MFP device as a random number to a challenge. The MFP device makes a computation using its device authentication ID and the received random number, and passes the resulting hash value (SHA-1) to the encryption board. The HDD Data Encryption Board performs the same computation in order to verify the response.

Access to the HDD is denied, unless the HDD Data Encryption Board confirms successfully that it is mounted on the correct MFP device.

7.7 LAN Data Protection Function

LAN Data Protection Function encrypts/decrypts all IP packets that are used in communication with an IT device.


7.7.1 IP Packet Encryption Function

- Supported functional requirements: FCS_COP.1(n), FTP_ITC.1

To ensure confidentiality and integrity of user data and TSF data communicated to and from an IT device, the TOE uses IPSec to encrypt/decrypt all IP packets.

- Encryption of IP packets sent to the LAN
- Decryption of IP packets received from the LAN

The following cryptographic algorithm and cryptographic key sizes are used.

- See Table 24

7.7.2 Cryptographic Key Management Function

- Supported functional requirements: FCS_CKM.1, FCS_CKM.2

The TOE uses the following specifications for generating the cryptographic key that is used by the IP packet encryption function.

- Uses a cryptographic key generation algorithm according to FIPS PUB 186-2
- Generates a cryptographic key with 128/168/192/256 bit key length

The following method is used by the TOE, to transmit the cryptographic key used by the IP Packet Encryption Function, to the other party

- ECDH (Elliptic Curve Diffie Hellman) and DH (Diffie Hellman) according to SP800-56A

7.8 Self-Test Function

- Supported functional requirements: FPT_TST.1

At startup, the TOE performs the following self-test.

- Checks whether cryptographic algorithms are running properly (AES, 3DES)
- Checks the integrity of the cryptographic key
- Checks the integrity of the executable code of the cryptographic algorithm

7.9 Audit Log Function

- Supported functional requirements: FAU_GEN.1, FAU_GEN.2, FPT_STM.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4

The TOE generates logs for the following events.

- Startup
- Shutdown
- Job completion
- User authentication success/failure


- Logout
- Use of device management functions
- Use of user management functions
- Changes to the date/time setting
- IPSec connection failures

The items that are recorded on each log, are listed below. The date/time is provided by the TOE. The TOE's date/time information is set by the Management Function, or is set by time synchronization when the accurate time is obtained from the Time Server.

- Date/Time, User Name, Event Type, Outcome (Success/Failed)

Other log events may have additional items as described below.

- Job type (job completion)
- Name of the user that failed authentication (authentication failure)

Also, export of audit logs can be performed from a remote UI, in order to read out log records, although use of this function is restricted to U.ADMINISTRATORs only.

Users other than U.ADMINISTRATOR are not allowed to export audit logs when logged in to the TOE from a remote UI.

When accessing the TOE from a remote UI, another capability restricted to U.ADMINISTRATORs only is the deletion of log records from the [Deleting Collected Logs] menu.

Users other than U.ADMINISTRATOR are not allowed access to this capability when logged in to the TOE from a remote UI, thus preventing unauthorized alterations from occurring.

A maximum of 20,000 audit records can be maintained. Once this becomes full, the oldest audit record is overwritten with the newest.

7.10 Management Functions

7.10.1 User Management Function

- Supported functional requirements: FIA_SOS.1, FMT_MTD.1(user-mgt), FMT_MSA.1(exec-job), FMT_MSA.1(delete-job), FMT_MSA.3(delete-job), FMT_SMR.1, FMT_SMF.1

In the TOE, only U.ADMINISTRATORs assigned the Administrator role can set, change, or delete user, role, and access restriction information and box PINs. General users or U.NORMAL, can only change their own passwords.

[Setting/Changing/Deleting User, Role, and Access Restriction Information]

New users are registered by setting the user name and password, and assigning a role to the user. Registered user information can be modified by changing the password or the assigned role, or the user's registration can be deleted altogether. User specified passwords are checked to see that they are consistent with the password policy.

Five roles exist, which are called "Base Roles": Administrator, Power User, General User, Limited User, and Guest User. To create a new "Custom Role" different than these, any one of four base roles excluding Guest User, is used as a template for the new role, which can then be registered.


The Administrator role is a role whose base role is "Administrator", and has administrative privileges.

The initial value for "Base Role" can be changed to any one of four base roles except Guest User.

The access restriction information that determines whether use of certain functions is permitted or denied, is specified by the "Application Restrictions" setting, which depends on what role is assigned. Although the initial value for "Application Restrictions" is fixed for base roles, the initial value of "Application Restrictions" can be changed for custom roles.

[Types of Users]

There are two types of users: U.ADMINISTRATOR and U.NORMAL.

- U.ADMINISTRATOR
  User assigned the Administrator role and has administrative privileges.
- U.NORMAL
  General user assigned a role other than Guest User role or Administrator role.

7.10.2 Device Management Function

- Supported functional requirements: FMT_MTD.1(device-mgt), FMT_SMF.1, FMT_SMF.1

To provide for the effective enforcement of security functions, the TOE allows only U.ADMINISTRATORs to set the device management settings in Table 27.

The following settings are also provided.

[Password Policy Settings]

To encourage the use of strong passwords, the following password policy may be set.

- Use a password 4 to 32 characters in length
- Prohibit the use of 3 or more consecutive characters
- Use at least one uppercase character (A to Z)
- Use at least one lowercase character (a to z)
- Use at least one number (0-9)
- Use at least one non-alphabet character (^-@[]:;,./¥!"#$%&'()=~|{`+*}_?><)
- Allowed characters:
  - All characters other than control characters

[Lockout Policy Settings]

The number of attempts before lockout and the lockout time can be set.

- Number of attempts before lockout
  Select a value from 1 to 10 (Initial value: 3)
- Lockout time
  Select a value from 1 to 60 minutes (Initial value: 3 minutes)

END