- DL manuals
- Xerox
- All in One Printer
- ColorQube 9301
- User Information
Xerox ColorQube 9301 User Information
Document Version 2.0, Revision 2.0
Xerox Multi-Function Device
Security Target
WorkCentre 5845, 5855, 5865, 5875,
5890, 7220, 7225, 7830, 7835, 7845, 7855
& ColorQube 9301, 9302, 9303
Prepared by:
Xerox Corporation
Computer Sciences Corporation
800 Phillips Road
7231 Parkway Drive
Webster, New York 14580
Hanover, Maryland 21076
Summary of ColorQube 9301
Page 1
Document version 2.0, revision 2.0 xerox multi-function device security target workcentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & colorqube 9301, 9302, 9303 prepared by: xerox corporation computer sciences corporation 800 phillips road 7231 parkway drive webster, new york ...
Page 2
Ii copyright 2013 xerox corporation. All rights reserved. ©2013 xerox corporation. All rights reserved. Xerox and the sphere of connectivity design are trademarks of xerox corporation in the united states and/or other counties. All copyrights referenced herein are the property of their respective ow...
Page 3
Xerox multi-function device security target 3 copyright 2013 xerox corporation. All rights reserved. Table of contents 1. Introduction ........................................................................................................ 6 1.1. St and toe i dentification .............................
Page 4
Xerox multi-function device security target 4 copyright 2013 xerox corporation. All rights reserved. 6.3.4. Class fdp: user data protection ..................................................................................... 45 6.3.5. Class fia: identification and authentication ......................
Page 5
Xerox multi-function device security target 5 copyright 2013 xerox corporation. All rights reserved. List of figures f igure 1: x erox w ork c entre 5845/5855/5865/5875/5890 ...................................................................... 7 f igure 2: x erox w ork c entre 7220/7225 ..............
Page 6
Xerox multi-function device security target 6 copyright 2013 xerox corporation. All rights reserved. 1. Introduction this security target (st) specifies the security claims of the workcentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & colorqube 9301, 9302, 9303 in accordance w...
Page 7
Xerox multi-function device security target 7 copyright 2013 xerox corporation. All rights reserved. 1.2. Toe overview 1.2.1. Usage and security features the workcentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & colorqube 9301, 9302, 9303, the target of evaluation (toe), is a...
Page 8
Xerox multi-function device security target 8 copyright 2013 xerox corporation. All rights reserved. Figure 2: xerox workcentre 7220/7225 figure 3: xerox workcentre 7830/7835/7845/7855 figure 4: xerox colorqube 9301/9302/9303.
Page 9
Xerox multi-function device security target 9 copyright 2013 xerox corporation. All rights reserved. Table 2 below shows the various models and capabilities of the toe. The models vary in printing speed, paper capacity and available finsher options. Table 2: models and capabilities wc58xx wc72xx wc7...
Page 10
Xerox multi-function device security target 10 copyright 2013 xerox corporation. All rights reserved. O kerberos and tls support are available for protecting communication with a remote authentication server. Authentication & access control. In the evaluated configuration, the toe requires users and...
Page 11
Xerox multi-function device security target 11 copyright 2013 xerox corporation. All rights reserved. 1.3. Toe description 1.3.1. Physical scope of the toe the toe is an mfd (workcentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & colorqube 9301, 9302, 9303) that consists of a ...
Page 12
Xerox multi-function device security target 12 copyright 2013 xerox corporation. All rights reserved. Title version date xerox workcentre 5845/5855/5865/5875/5890 user guide 1.0 january 2013 xerox workcentre 7220/7225 user guide 1.0 april 2013 xerox workcentre 7800 series user guide 1.0 february 201...
Page 13
Xerox multi-function device security target 13 copyright 2013 xerox corporation. All rights reserved. The on-demand image overwrite (odio) function overwrites the hard drive(s) on-demand of the system administrator. The odio function operates in two modes: full odio and standard odio. A standard odi...
Page 14
Xerox multi-function device security target 14 copyright 2013 xerox corporation. All rights reserved. 1.3.2.6. User data protection – disk encryption (tsf_fdp_ude) the toe utilizes data encryption (aes) to support encryption and decryption of designated portions of the hard disk where user image dat...
Page 15
Xerox multi-function device security target 15 copyright 2013 xerox corporation. All rights reserved. 1.4. Evaluated configuration the following features are enabled in the evaluated configuration: iio and odio (the image overwrite security package) https (tls\ssl) user authorization the following f...
Page 16
Xerox multi-function device security target 16 copyright 2013 xerox corporation. All rights reserved. 2. Conformance claims 2.1. Common criteria conformance claims the st is based upon the following, referenced hereafter as [cc]: common criteria for information technology security evaluation, part 1...
Page 17
Xerox multi-function device security target 17 copyright 2013 xerox corporation. All rights reserved. 2600.2-scn, sfr package for hardcopy device scan functions, operational environment b 2600.2-cpy, sfr package for hardcopy device copy functions, operational environment b 2600.2-fax, sfr package fo...
Page 18
Xerox multi-function device security target 18 copyright 2013 xerox corporation. All rights reserved. Family augmentation identification and authentication fia_uau.7 the packages shown in table 6 from ieee std. 2600.2-2009 have been augmented with additional (including iterated) sfrs from cc part 2....
Page 19
Xerox multi-function device security target 19 copyright 2013 xerox corporation. All rights reserved. 3. Security problem definition 3.1. Definitions 3.1.1. Users users are entities that are external to the toe and which interact with the toe. There may be two types of users: normal and administrato...
Page 20
Xerox multi-function device security target 20 copyright 2013 xerox corporation. All rights reserved. Table 8: user data designation definition d.Doc user document data consists of the information contained in a user’s document. This includes the original document itself in either hardcopy or electr...
Page 21
Xerox multi-function device security target 21 copyright 2013 xerox corporation. All rights reserved. Note: ieee std. 2600.2-2009 defines d.Prot and d.Conf, and requires the st author to categorize all tsf data as one of these two types: 1. Tsf protected data. Data that should be protected, but does...
Page 22
Xerox multi-function device security target 22 copyright 2013 xerox corporation. All rights reserved. 1. Private medium interface. Mechanisms for exchanging information that use (1) wired or wireless electronic methods over a communications medium which, in conventional practice, is not accessed by ...
Page 23
Xerox multi-function device security target 23 copyright 2013 xerox corporation. All rights reserved. 3.3. Threats 3.3.1. Threats addressed by the toe this security problem definition addresses threats posed by four categories of threat agents: 1. Persons who are not permitted to use the toe who may...
Page 24
Xerox multi-function device security target 24 copyright 2013 xerox corporation. All rights reserved. 3.4. Organizational security policies this section describes the organizational security policies (osps) that apply to the toe. Osps are used to provide a basis for security objectives that are comm...
Page 25
Xerox multi-function device security target 25 copyright 2013 xerox corporation. All rights reserved. 4. Security objectives the purpose of the security objectives is to detail the planned response to a security problem or threat. Threats can be directed against the toe or the security environment o...
Page 26
Xerox multi-function device security target 26 copyright 2013 xerox corporation. All rights reserved. Objective definition o.Audit_storage.Pro tected the toe shall ensure that internal audit records are protected from unauthorized access, deletion and modifications. 4.2. Security objectives for the ...
Page 27
Xerox multi-function device security target 27 copyright 2013 xerox corporation. All rights reserved. 4.3. Security objectives for the non- it environment this section describes the security objectives that must be fulfilled by non-it methods in the non-it environment of the toe. Table 18: security ...
Page 28
Xerox multi-function device security target 28 copyright 2013 xerox corporation. All rights reserved. Table 19: completeness of security objectives objectives o .Do c.No _di s o .Do c.No _a lt o .Fu nc.No _ a lt o .P ro t .No _ a lt o .Co nf .No _di s o .Co nf .No _a lt o .Us e r.A ut ho riz e d o e...
Page 29
Xerox multi-function device security target 29 copyright 2013 xerox corporation. All rights reserved. Threats. Policies, and assumptions summary objectives and rationale oe.User.Authenticated establishes alternative (remote) means for user identification and authentication as the basis for authoriza...
Page 30
Xerox multi-function device security target 30 copyright 2013 xerox corporation. All rights reserved. Threats. Policies, and assumptions summary objectives and rationale oe.User.Authorized establishes responsibility of the toe owner to appropriately grant authorization oe.User.Authenticated establis...
Page 31
Xerox multi-function device security target 31 copyright 2013 xerox corporation. All rights reserved. Threats. Policies, and assumptions summary objectives and rationale oe.User.Authorized establishes responsibility of the toe owner to appropriately grant authorization oe.User.Authenticated establis...
Page 32
Xerox multi-function device security target 32 copyright 2013 xerox corporation. All rights reserved. Threats. Policies, and assumptions summary objectives and rationale a.Access.Managed the toe environment provides protection from unmanaged access to the physical components and data interfaces of t...
Page 33
Xerox multi-function device security target 33 copyright 2013 xerox corporation. All rights reserved. 5. Extended components definition this security target defines components that are extensions to common criteria 3.1 release 3, part 2. 5.1. Fpt_fdi_exp restricted forwarding of data to external int...
Page 34
Xerox multi-function device security target 34 copyright 2013 xerox corporation. All rights reserved. The following actions could be considered for the management functions in fmt: a) definition of the role(s) that are allowed to perform the management activities; b) management of the conditions und...
Page 35
Xerox multi-function device security target 35 copyright 2013 xerox corporation. All rights reserved. Fpt_fdi_exp.1.1 the tsf shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the tsf to [assignment:...
Page 36
Xerox multi-function device security target 36 copyright 2013 xerox corporation. All rights reserved. 6. Security requirements this section defines the it security requirements that shall be satisfied by the toe or its environment: the cc divides toe security requirements into two categories: 1. Sec...
Page 37
Xerox multi-function device security target 37 copyright 2013 xerox corporation. All rights reserved. 6.2. Toe security policies this chapter contains the definition of security policies which must be enforced by the tsf. 6.2.1. Ip filter sfp the security function “user data protection – ip filterin...
Page 38
Xerox multi-function device security target 38 copyright 2013 xerox corporation. All rights reserved. Object attribute operation(s) subject access control rule +faxin read, delete u.Administrator (system administrator) allowed read, delete u.Normal u.Administrator (accounting administrator) denied +...
Page 39
Xerox multi-function device security target 39 copyright 2013 xerox corporation. All rights reserved. Designation definition +cpy indicates data that are associated with a copy job. +faxin indicates data that are associated with an inbound (received) fax job. +faxout indicates data that are associat...
Page 40
Xerox multi-function device security target 40 copyright 2013 xerox corporation. All rights reserved. Any user who is authorized to establish a connection with the toe through the ethernet port is able to perform the following toe functions as defined in the ieee std. 2600.2-2009 sfr packages in sec...
Page 41
Xerox multi-function device security target 41 copyright 2013 xerox corporation. All rights reserved. Functional component id functional component name fia_usb.1 user-subject binding fmt_msa.1 management of security attributes fmt_msa.3 static attribute initialisation fmt_mtd.1 management of tsf dat...
Page 42
Xerox multi-function device security target 42 copyright 2013 xerox corporation. All rights reserved. - and the following audit attribute: o entry number (an integer value from 1 to the number of entries in the audit log) ] table 24: audit data requirements auditable event relevant sfr audit level a...
Page 43
Xerox multi-function device security target 43 copyright 2013 xerox corporation. All rights reserved. Fau_stg.1.2: the tsf shall be able to prevent unauthorized modifications to the stored audit records in the audit trail. 6.3.1.4. Fau_stg.4 prevention of audit data loss hierarchical to: fau_stg.3. ...
Page 44
Xerox multi-function device security target 44 copyright 2013 xerox corporation. All rights reserved. Cryptographic operations cryptographic algorithm key sizes (bits) standards & certs.* digital signature generation and verification rsa 1024 fips 186-3 (cert #914) message digest sha-256 n/a fips 18...
Page 45
Xerox multi-function device security target 45 copyright 2013 xerox corporation. All rights reserved. Fcs_ckm.2.1 the tsf shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [the method shown for each related protocol in table 27] that meet the fo...
Page 46
Xerox multi-function device security target 46 copyright 2013 xerox corporation. All rights reserved. 6.3.4.2. Fdp_acc.1 (func) subset access control hierarchical to: no other components. Dependencies: fdp_acf.1 security attribute based access control fdp_acc.1.1 (func) the tsf shall enforce the [to...
Page 47
Xerox multi-function device security target 47 copyright 2013 xerox corporation. All rights reserved. Fdp_acf.1.1 (func) the tsf shall enforce the [toe function access control sfp] to objects based on the following: [users and their role based permissions to perform any or all of the following funct...
Page 48
Xerox multi-function device security target 48 copyright 2013 xerox corporation. All rights reserved. - information: ip packet o source ip address, protocol used (tcp or udp), destination tcp or udp port]. Fdp_iff.1.2 (filter) the tsf shall permit an information flow between a controlled subject and...
Page 49
Xerox multi-function device security target 49 copyright 2013 xerox corporation. All rights reserved. 6.3.5.2. Fia_uau.1 timing of authentication hierarchical to: no other components dependencies: fia_uid.1 timing of identification fia_uau.1.1 the tsf shall allow [job requests to be received via pri...
Page 50
Xerox multi-function device security target 50 copyright 2013 xerox corporation. All rights reserved. Acting on behalf of users: [security attributes of subjects acting on behalf of a user will not be changed while an action is in progress and cannot be changed by anyone but u.Administrator (system ...
Page 51
Xerox multi-function device security target 51 copyright 2013 xerox corporation. All rights reserved. Fmt_msa.3.1 (user) the tsf shall enforce the [user access control sfp in table 21] to provide permissive default values for security attributes that are used to enforce the sfp. Fmt_msa.3.2 (user) t...
Page 52
Xerox multi-function device security target 52 copyright 2013 xerox corporation. All rights reserved. Fmt_mtd.1.1 (mgmt2) the tsf shall restrict the ability to change_default, modify, delete, [read] the [role and associated permissions] to [u.Administrator (system administrator)]. Application note: ...
Page 53
Xerox multi-function device security target 53 copyright 2013 xerox corporation. All rights reserved. - enable/disable immediate image overwrite (iio) [tsf_iow]; - enable/disable and configure smart card use; - configure usb ports; - invoke odio [tsf_iow]; - create a recurrence schedule for “on dema...
Page 54
Xerox multi-function device security target 54 copyright 2013 xerox corporation. All rights reserved. Administrator), u.Normal (authenticated user / system administrator defined roles containing no administrative privileges), nobody]. Fmt_smr.1.2 the tsf shall be able to associate users with roles, ...
Page 55
Xerox multi-function device security target 55 copyright 2013 xerox corporation. All rights reserved. Fpt_tst.1.3 the tsf shall provide authorised users with the capability to verify the integrity of stored tsf executable code. 6.3.8.3. Class fru: resource utilization there are no class fru security...
Page 56
Xerox multi-function device security target 56 copyright 2013 xerox corporation. All rights reserved. 6.4. Explicitly stated requirements for the toe 6.4.1. Fpt_fdi_exp.1 restricted forwarding of data to external interfaces hierarchical to: no other components. Dependencies: fmt_smf.1 specification ...
Page 57
Xerox multi-function device security target 57 copyright 2013 xerox corporation. All rights reserved. Assurance class assurance components adv_fsp.2 security-enforcing functional specification adv_tds.1 basic design agd: guidance documents agd_ope.1 operational user guidance agd_pre.1 preparative pr...
Page 58
Xerox multi-function device security target 58 copyright 2013 xerox corporation. All rights reserved. Table 29: completeness of security functional requirements sfrs objectives o .Do c.No _di s o .Do c.No _a lt o .Fu nc.No _ a lt o .P ro t .No _ a lt o .Co nf .No _di s o .Co nf .No _a lt o .Us e r.A...
Page 59
Xerox multi-function device security target 59 copyright 2013 xerox corporation. All rights reserved. Sfrs objectives o .Do c.No _di s o .Do c.No _a lt o .Fu nc.No _ a lt o .P ro t .No _ a lt o .Co nf .No _di s o .Co nf .No _a lt o .Us e r.A ut ho riz e d o .Interfa ce .Ma na g e d o .S o f t w a re...
Page 60
Xerox multi-function device security target 60 copyright 2013 xerox corporation. All rights reserved. Objectives description sfrs purpose fia_uid.1 supports access control and security roles by requiring user identification. Fmt_msa.1(user) supports access control function by enforcing control of se...
Page 61
Xerox multi-function device security target 61 copyright 2013 xerox corporation. All rights reserved. Objectives description sfrs purpose fdp_acf.1(func) supports access control policy by providing access control function. Fia_atd.1 supports authorization by associating security attributes with user...
Page 62
Xerox multi-function device security target 62 copyright 2013 xerox corporation. All rights reserved. Objectives description sfrs purpose o.Interface.M anaged management of external interfaces fdp_ifc.1 (filter) enforces management of external interfaces by establishing an information flow policy fo...
Page 63
Xerox multi-function device security target 63 copyright 2013 xerox corporation. All rights reserved. Objectives description sfrs purpose fau_gen.2 enforces audit policies by requiring logging of information associated with audited events. Fia_uid.1 supports audit policies by associating user identi...
Page 64
Xerox multi-function device security target 64 copyright 2013 xerox corporation. All rights reserved. Objectives description sfrs purpose fpt_stm.1 supports audit policies by requiring time stamps associated with events. O.Doc.No_dis o.Doc.No_alt o.Func.No_alt o.Prot.No_alt o.Conf.No_dis o.Conf.No_a...
Page 65
Xerox multi-function device security target 65 copyright 2013 xerox corporation. All rights reserved. Inclusion is expected by the consumers of this toe, and that consumers of this toe are automatically notified of flaws and changes to the toe. 6.8. Rationale for dependencies 6.8.1. Security functio...
Page 66
Xerox multi-function device security target 66 copyright 2013 xerox corporation. All rights reserved. Functional component dependency (ies) satisfied fdp_acf.1(func) fdp_acc.1 yes, fdp_acc.1(func) fmt_msa.3 yes, fmt_msa.3 (func) fdp_ifc.1 (filter) fdp_iff.1 yes, fdp_iff.1 (filter) fdp_iff.1 (filter)...
Page 67
Xerox multi-function device security target 67 copyright 2013 xerox corporation. All rights reserved. Functional component dependency (ies) satisfied fmt_mtd.1 (filter) fmt_smf.1 yes fmt_smr.1 yes fmt_mtd.1 (key) fmt_smf.1 yes fmt_smr.1 yes fmt_smf.1 none fmt_smr.1 fia_uid.1 yes fpt_stm.1 none fpt_t...
Page 68
Xerox multi-function device security target 68 copyright 2013 xerox corporation. All rights reserved. Assurance component id dependencies satisfied ase_ccl.1 ase_ecd.1 ase_int.1 ase_req.1 yes yes yes, hierarchically ase_ecd.1 none ase_int.1 none ase_obj.2 ase_spd.1 yes ase_req.2 ase_ecd.1 ase_obj.2 ...
Page 69
Xerox multi-function device security target 69 copyright 2013 xerox corporation. All rights reserved. 7. Toe summary specification this section presents an overview of the security functions implemented by the toe. 7.1. Toe security functions this section presents the security functions performed by...
Page 70
Xerox multi-function device security target 70 copyright 2013 xerox corporation. All rights reserved. After the job has completed, the files are overwritten, and this is called immediate image overwrite (iio). The toe automatically starts an iio procedure for all abnormally terminated copy, print, s...
Page 71
Xerox multi-function device security target 71 copyright 2013 xerox corporation. All rights reserved. Received from the fax interface and buffered in memory before it is transformed by an intermediary subsystem into an email attachment and sent out through the network interface. 7.1.3. Authenticatio...
Page 72
Xerox multi-function device security target 72 copyright 2013 xerox corporation. All rights reserved. Card authentication, ldap v4, kerberos v5 (solaris) and kerberos v5 (windows 2000/2003/2008). When a user authenticates using the smart card method a pin number is used instead of a password. The pi...
Page 73
Xerox multi-function device security target 73 copyright 2013 xerox corporation. All rights reserved. The toe utilizes digital signature generation and verification (rsa), data encryption (tdes, aes), key establishment (rsa) and cryptographic checksum generation and secure hash computation (hmac, sh...
Page 74
Xerox multi-function device security target 74 copyright 2013 xerox corporation. All rights reserved. 7.1.10.1. Management security functions section 6.3.6.9 of the st (fmt_smf.1.1) provides a list of the security management functions provided by the toe. Management of the security functions and att...
Page 75
Xerox multi-function device security target 75 copyright 2013 xerox corporation. All rights reserved. 7.1.10.5. Scan documents can only be scanned at the local user interface. During job setup, document image (d.Doc +scn read, delete) may be read or deleted. Once the job is committed, the owner may ...
Page 76
Xerox multi-function device security target 76 copyright 2013 xerox corporation. All rights reserved. Loaded is compared to the expected software version number; any corruption of this data will be reported. The system administrator can verify the integrity of the toe software image through the web ...
Page 77
Xerox multi-function device security target 77 copyright 2013 xerox corporation. All rights reserved. 8. Glossary for the purposes of this document, the following terms and definitions apply. Ieee std. 100, the authoritative dictionary of ieee standards, seventh edition, should be referenced for ter...
Page 78
Xerox multi-function device security target 78 copyright 2013 xerox corporation. All rights reserved. Evaluation assurance level: an assurance package, consisting of assurance requirements drawn from cc part 3, representing a point on the cc predefined assurance scale. External interface: a non-hard...
Page 79
Xerox multi-function device security target 79 copyright 2013 xerox corporation. All rights reserved. Operation: a specific type of action performed by a subject on an object. Operational environment: the total environment in which a toe operates, including the consideration of the value of assets a...
Page 80
Xerox multi-function device security target 80 copyright 2013 xerox corporation. All rights reserved. Communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users. Subject: an active entity in the toe that performs operations on objects. Target of eva...
Page 81
Xerox multi-function device security target 81 copyright 2013 xerox corporation. All rights reserved. 9. Acronyms for the purposes of this document, the following acronyms and definitions apply. Ieee std. 100, the authoritative dictionary of ieee standards, seventh edition, should be referenced for ...
Page 82
Xerox multi-function device security target 82 copyright 2013 xerox corporation. All rights reserved. Acronym definition osp organizational security policy piv personal identity verification ppm page per minute pp protection profile prt print pstn public switched telephone network scn scan sfp secur...
Page 83
Xerox multi-function device security target 83 copyright 2013 xerox corporation. All rights reserved. 10. Bibliography [b1] common criteria for information technology security evaluation version 3.1 release 3 - part 1: introduction and general model [b2] common methodology for information technology...