B&W for everyday with color when it counts.

bizhubC250P

Full Color Printer. Think of all the power you need for high-volume in-house printing. Fast output. Superior imaging. Automatic finishing. And lower total cost of ownership. Now, add color without sacrificing speed, reliability or cost-efficient operation. Thats the bizhub C250P.
bizhub C250P proudly joins the bizhub family named 2005 Product Line of the Year by Buyers Laboratory Inc.
At last: color that really means business. The bizhub C250P may be the smallest 11 x 17 color tandem printer in the industry. With a quiet, compact laser printing system for high-speed 25 ppm output, in both B&W and color. A robust duty cycle of 75,000 pages per month. And a wealth of advanced features and functions to increase production efficiency. Like the Emperon Print System, that does away with the need for an external or add-on print controller. A large-capacity B&W toner cartridge, for more economical high-volume monochrome printing. A new fusing section, with warm-up time of less than 2 minutes. A new 100-sheet bypass tray. And the ability to auto-duplex up to 140 lb. index paper.
A faster, smaller 11 x 17 color printer.
Every business needs color output capability but not at slower speed and higher cost. That makes the bizhub C250P an ideal solution for mid-size offices, workgroups and departments that need color printing and finishing, in-house and on-demand, in both cost-effective B&W and fast, high-quality color.
The power to print every job. Compared to sending color work to a print shop, youll save time and money. Youll maintain control of sensitive information. You can revise and reprint as often as necessary, without the expense of stocking and discarding old inventories because you only print as many documents as you need. And the bizhub C250P can handle anything your print job demands. Load up to 140 lb. index in the multi-purpose cassette and bypass tray with auto duplexing available for 140 lb. index. Print on coated stock and OHP transparencies. Even output 11 x 17 full-bleed originals on 12 x 18 paper, preserving borders and crop marks. And with options, youll have 3,350-sheet total capacity to handle long print/copy runs without reloading paper. The options to customize your workflow. Every workflow is different and one-size-fits-all solutions rarely get the job done with maximum efficiency at minimum cost. So the bizhub C250P lets you customize a solution thats perfect for the specific needs of your application. Youll have a choice of two powerful automatic finishers so you can customize the finishing capabilities your application demands, including sorting, multi-position stapling, 2/3-hole punching, even 60-page crease-fold saddle-stitch booklet-making. And with modular options, you can grow your system to keep pace with expanding output needs and rising document traffic.
Maintenance was never this easy. Toner bottles are positioned for clean, simple replacement. The paper path is easy to access, so misfeeds can be cleared faster. And paper trays are front-loading at convenient height and reach. Simitri Color Polymerized Toner uses ultra-fine particles for sharper fine lines and more legible text in B&W documents. Your bizhub C250P also adds advanced color technologies for spectacular halftones, precision accuracy and more consistent quality.

Simitri Pulverized

PageScope controls it all from your desktop. Whether youre an end-user or a system administrator, in charge of a single department or a large enterprise installation, PageScope gives you the tools you need to check device status, change settings, and set network configurations without leaving your desk. PageScope Job Spooler can also help you manage print queues and reprint jobs faster changing job order, adjusting job settings, and executing multiple jobs simultaneously. PageScope Data Administrator gives you desktop control over one-touch addressing, device settings and security data.
Customizing your print system.
Job Separator Tray (JS-601) lets you sort prints separately. (optional) Parallel USB 2.0 Interface Kit (EK-702) for local PC connectivity. (optional) Hard Disk Drive (HD-501) 40 GB capacity. (optional)
Punch Kit (PK-501) for 2/3-hole punching. (optional)
Enhanced Option Connection (MK-706) for quick and easy installation of upgrades (optional)
Automatic Duplex Unit (AD-503) can save time and paper by automatically making 2-sided copies and prints. (optional)

100-Sheet Bypass accepts up to 100 sheets, in sizes from 4 x 6 to 12 x 18 and weights from 16 lb. bond to 140 lb. index.
Multi-Purpose Cassette holds up to 250 sheets, in sizes from 4 x 6 to 12 x 18 and weights from 16 lb. bond to 140 lb. index.
Standard Universal Cassette holds up to 500 sheets, in sizes from 5-1/2 x 8-1/2 to 11 x 17 and weights from 16 lb. to 24 lb. bond. Paper Feed Cabinet (PC-203) has two 500-sheet universal drawers. (optional)
Staple Finisher (FS-501) lets you sort, group, and staple. (optional)
Paper Feed Cabinet (PC-103) holds up to 500 sheets (universal drawer) with storage drawer. (optional)
Booklet Finisher (FS-603) lets you center-fold and saddle-stitch up to 60-page booklets. (optional)
Large Capacity Tray (PC-403) handles 2,500 letter-size sheets. (optional) Copy Desk (DK-502) Copy Desk can be used for paper storage. (optional)

General Specifications

TYPE: WEIGHT:

Emperon Print System

PROCESSOR:
167 lbs. 8 oz. Full-Color Printer

PRINT PROCESS: OPTIONS:

466 MHz

Tandem Process

IMAGING SYSTEM:
Simitri Color Polymerized Toner

MONTHLY DUTY CYCLE:

75,000 pages

PRINT SPEED:

Full Color and B&W: 25 ppm (letter, portrait)

PRINT RESOLUTION:

600 x 600 dpi

MEMORY:

AD-503 Duplex Unit DK-502 Desk EK-702 Parallel/USB 2.0 I/F Kit FS-501 Staple Finisher FS-603 Booklet Finisher HD-501 Hard Disk Drive JS-601 Option Tray (for FS-501 Staple Finisher) MK-706 Enhanced Option Connection PC-103 Paper Feed Cabinet (500 sheets) PC-203 Paper Feed Cabinet (500 sheets x 2) PC-403 Large Capacity Tray (2500 sheets) PK-501 Punch Kit (for FS-603)

512 MB (standard)

HARD DISK DRIVE:

40 GB (optional)

PAGE DESCRIPTION LANGUAGE:
PCL 5e/5c Emulation PCL6 (XL version 2.1) Emulation PS3 Emulation

FONTS:

PCL Resident Fonts: 80 outline + 1 bitmap PS3 Emulation Resident Fonts: 136 outline

PRINT DRIVERS:

512 MB (standard/maximum) Available Print Functions*

GRADATION:

256 color shades per pixel

PAPER SIZE:

2005 KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC. All rights bizhub bizhub ARCHITECTURE reserved. Reproduction in whole or in part without written permission bizhub bizhub OPEN is prohibited. Konica Minolta API and The essentials of imaging are trademarks of KONICA MINOLTA HOLDINGS, INC. bizhub, Emperon, PageScope, Workware, and Data Administrator are trademarks of KONICA MINOLTA BUSINESS TECHNOLOGIES, INC. EMPERON Simitri is PRINT SYSTEM trademark of a registered KONICA MINOLTA BUSINESS SOLUTIONS. All other brands and product names are registered trademarks or trademarks of their respective owners. For more information on PageScope, visit http://kmbs.konicaminolta.us and click on Solutions, PageScope Software Suite. Design & specifications are subject to change without notice.

* Some functions may require options,
Multi-Purpose Cassette: 4 x 6 to 12 x 18 Universal Cassette: 5-1/2 x 8-1/2 to 11 x 17 Multiple Bypass: 4 x 6 to 12 x 18

WARM-UP TIME:

Less than 110 seconds

FIRST PRINT:

Full color: less than 11.7 seconds (letter) B&W: less than 8.4 seconds (letter)

PRINT QUANTITY:

1 - 999

COLOR MODES:

Auto Color, Full Color, Black & White, 2-Color, Single Color

STANDARD PAPER SUPPLY:

which may or may not be available at time of launch.
250-sheet multi-purpose cassette (16 lb. bond to 140 lb. index) 500-sheet cassette (16 lb. bond to 24 lb. bond) 100-sheet bypass (16 lb. bond to 140 lb. index)

MAXIMUM PAPER CAPACITY:

3,350 sheets (total, with options)

POWER REQUIREMENTS:

120 V, 60 Hz

POWER CONSUMPTION:

Less than 1.5 kW

DIMENSIONS (W x D x H):

Account Track (100 Accounts without HDD; up to 1,000 Accounts with HDD) APS Auto Duplex Auto Reset Auto Tray Switching Bi-Directional Communication (Device Option Setting) Color Modes & Functions Auto Color/Full Color Black & White Mode Single Color Mode 2-Color Mode Color Adjustments (Brightness, Contrast, Saturation, Sharpness, Red, Green, Blue, Portrait, Hue Density, Color Balance, Copy Density) Cover Mode Criss-Cross Sorting Distribution Number Printing Energy Save Mode Finishing (Group, Sort, Staple, Punch, Booklet Center-Fold, Center-Staple) Form Overlay Image Adjustments (Color Matching, Pure Black Auto On/Off, Color Balance, Screen Setting, Image Smoothing On/Off) Image Preview (Job Finishing Image Display, Engine Configuration Display) OHP Interleaving Mixplex, Mix-Media Paper Type Selection (Normal, Thick 1, Thick 2, Thick 3, OHP) Proof Print Secure Printing Sleep Mode/Low Power Watermarks
PCL6: Windows 98SE, ME, 2000, XP, 2003, NT 4.0 SP6 PS3: Windows 98SE/ME (PPD files), 2000/XP/2003/NT 4.0 SP6 (Print Drivers), Mac OS 9.2 or later, Mac OS X 10.2, and Mac OS X 10.3 (PPD files) TWAIN Driver: Windows 98SE, ME, 2000, XP, NT 4.0 SP6

INTERFACE:

Ethernet 10/100 BaseT Parallel IEEE 1284 (optional) USB 1.1, 2.0 (optional)

PROTOCOLS:

TCP/IP, IPX/SPX (NPS), SMB, NetBEUI, LPD, LPR, IPP 1.1, SNMP, HTTP, AppleTalk (EtherTalk), Pserver (Novell 4.x, 5, 6/NDS), NPrinter, NDPS, SMTP, POP3, LDAP, SSL

PAGESCOPE APPLICATIONS:

Network & Device Management (bundled): PageScope Data Administrator for Printer Version PageScope Direct Print* PageScope EMS Plug-Ins PageScope Job Spooler PageScope NDPS Gateway PageScope Net Care PageScope Network Setup PageScope Web Connection

OTHER UTILITIES:

HDD Backup Tool* Plug-in for HP Web JetAdmin*
25-3/4 x 28 x 23-3/4 (standard configuration)
KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC. 100 Williams Drive Ramsey, NJ 07446 www.kmbs.konicaminolta.us www.kmbs.konicaminolta.us/solutions

Item #: C250PBRO

3 / 90

6.2. TOE Security Strength of Function... 52 6.3. Correspondence between TOE Security Functions and Function Requirements. 53 6.4. Assurance Measures.... 53 7. PP Claims..... 55 8. Rational.... 56 8.1. Security Objectives Rationale... 56
8.1.1. Necessity.....56 8.1.2. Sufficiency of Assumptions....57 8.1.3. Sufficiency of Threats.....57 8.1.4. Sufficiency of Organizational Security Policies...59
8.2. IT Security Requirements Rationale... 59
8.2.1. Rationale for IT Security Functional Requirements...59 8.2.2. Rational for Minimum Strength of Function...75 8.2.3. Rationale for IT Security Assurance Requirements...75 8.2.4. Consistency rationale for the set of IT security functional requirement...75
8.3. Rational for TOE Summary Specifications... 76
8.3.1. Rational for the TOE Security Functions....76 8.3.2. Rational for TOE Security Strength of Function...89 8.3.3. Mutually Supported TOE Security Functions....89 8.3.4. Rationale for Assurance Measures...89
8.4. PP calims rationale.... 90
Figure 1 An example of the expected environment for usage of the Printer. 7 Figure 2 Hardware composition that relates to TOE... 8
Table 1 User Box Access Control Operational List... 22 Table 2 Secure Print File Access Control: Operational List... 22 Table 3 Setting Management Access Control: Operational List.. 23 Table 4 TOE Security Assurance Requirements... 38 Table 5: The list of the name and identifier of TOE Security function... 41 Table 6 Character and number of digits used for password... 42 Table 7 A type of overwrite deletion of all area and the method of overwriting.. 44 Table 8 Correspondence between TOE Assurance Requirements and assurance measures. 53 Table 9 Conformity of Security Objectives to assumptions and Threats... 56 Table 10 Conformity of IT Security Functional Requirements to Security Objectives. 60 Table 11 Dependencies of IT Security Functional Requirements Components. 69 Table 12 Mutual Support Correlations of IT Security Functional Requirements.. 71 Table 13 Conformity of TOE Security Functions to TOE Security Functional Requirements.. 76

4 / 90

1. ST Introduction

1.1. ST Identification

ST Title ST Version CC Version Created on Created by bizhub C250P / ineo+ 250P / magicolor 7460CK Control Software Security Target 1.04 2.3 June 1, 2007 KONICA MINOLTA BUSINESS TECHNOLOGIES, INC. Eiichi Yoshida

1.2. TOE Identification

TOE Name Japan bizhub C250P / ineo+ 250P / magicolor 7460CK Zentai Seigyo bizhub C250P / ineo+ 250P / magicolor 7460CK Control
Software Overseas Software TOE Version TOE Type Created by
4038-0100-GM0-11-000 Software KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.
1.3. CC Conformance Claim
The TOE, which is the subject of this ST, conforms to the following. Security function requirement Part2 Extended Security assurance requirement Part3 Conformant Evaluation assurance level EAL3 Conformant (No additional assurance component) PP Reference This ST does not carry out a PP reference.

5 / 90

Reference Common Criteria for Information Technology Security Evaluation Part 1:Introduction and general model 2005 Version 2.3 CCMB-2005-08-001 Common Criteria for Information Technology Security Evaluation Part 2:Security functional requirements 2005 Version 2.3 CCMB-2005-08-002 Common Criteria for Information Technology Security Evaluation Part 3:Security assurance requirements 2005 Version 2.3 CCMB-2005-08-003 Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model August 2005 Version 2.3 CCMB-2005-08-001 (December 2005 Translation Version 1.0, Information-technology Promotion Agency Japan, Security Center Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements August 2005 Version 2.3 CCMB-2005-08-002 (December 2005 Translation Version 1.0, Information-technology Promotion Agency Japan, Security Center Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements August 2005 Version 2.3 CCMB-2005-08-003 (December 2005 Translation Version 1.0, Information-technology Promotion Agency Japan, Security Center Interpretations - 0512 (December 2005 Information-technology Promotion Agency Japan, Security Center, Information Security Certification Office

1.4. ST Overview

bizhub C250P/ ineo+ 250P / magicolor 7460CK is Konica Minolta Business Technologies, Inc. network printer. Hereafter, Printer as all these generic names. The target of evaluation (TOE) of this Security Target (ST) is the bizhub C250P/ ineo+ 250P / magicolor 7460CK Control Software, that controls the entire operation of the printer, including the operation control processing and the image data management that are accepting from the panel of the main body of the printer or through the network. This ST explains the security functions that are realized by the TOE. TOE offers the protection from exposure of the highly confidential document stored in the printer. Moreover, TOE can encrypt the image data written in HDD for the danger of taking HDD that is the medium that stores the image data in the printer out illegally by installing the encryption board which is the option parts of the printer. Besides, TOE has the deletion method to follow various overwrite deletion standards. It deletes all the data of HDD completely and it contributes to the prevention of the divulging information of the organization that uses the printer by using the method at the time of abandonment or the lease returns. This ST is the documentation for describing the necessity and sufficiency of these TOE Security Functions.

8 / 90

Encryption Board

Optional Part

The hardware-based cryptographic function, which is the integrated circuit for encryption, is installed in order to encipher all data to be written in HDD. It is not pre-installed in printer as standard for convenience' sake of a sale, but is sold as an optional part. 2 Lines LCD Panel The exclusive control device for the operation of the printer equipped with the 2lines LCD panel of a liquid crystal monitor, ten-key, cursor key, menu/select key, cancel key. Main power supply The power switch for activating Printer Network Unit The interface device to connect to the Ethernet. It supports 10BASE-T and 100BASE-TX. Local Connecting Unit Optional part
A unit that uses Print function with local connection by connecting using the client PC and USB or parallel port. According to the circumstances in sales, it is sold as the option part and is not attached on the printer. RS-232C The serial can be connected through the D-sub9 pin. When breaking down, the maintenance function can be used through this. In addition, it can utilize a remote diagnostic function (later description) to connect with the modem connected with the public circuit.
2.4. Role of the TOE User
The roles of the personnel that relate to the use of the printer with the TOE are defined as follows. User Printers user who performs a printing from PC by using printer. the office is assumed. Administrator Printer's user who carries out the management of the operation of the printer. An administrator performs the operation management of the printer and the management of users. (In general, it is assumed that the person elected from the employees in the office plays this role. Service Engineers A user who performs management of maintenance for the printer. Service Engineer performs the repair and adjustment of printer. (In general, the person in charge at the sales companies that performs the maintenance service of printer and is in cooperation with Konica Minolta Business Technologies Inc. is assumed.)

Malicious person or user changes the network setting which set in printer to identify printer itself where TOE installed, by setting to the value of the entity such as another illegal printer from the value of printer (NetBIOS name, AppleTalk printer name, IP address etc) that TOE is originally installed, so that secure print file is exposed. T.ACCESS-SETTING security The possibility of leaking a user box file and secure print file rises because malicious person or user changes the settings related to the enhanced security function. T.BACKUP-RESTORE Unauthorized use of Backup function and restoration function The user box file and the secure print file can leak by malicious person or user using the backup function and the restoration function illegally. Also highly confidential data such as password can be exposed and each setting values are falsified. An unauthorized change of a function setting condition related to
3.4. Organizational Security Policies
There is no organizational security policy assumed to be applied to this TOE.

17 / 90

4. Security Objectives
In this chapter, in relation to the assumptions, the threats, and the organizational security policy identified in Chapter 3, the required security objectives policy for the TOE and the environment for the usage of the TOE are described by being divided into the categories of the security objectives for the TOE and the security objectives for the environment, as follows.
4.1. Security Objectives for the TOE
In this section, the security objectives for the TOE is identified and described. O.BOX User box access control
TOE permits the user functions of the user box and the user box file in the user box only to the user who is permitted the use of this user box. O.SECURE-PRINT secure print file. O.CONFIG Access limitation to management function Secure print file access control
TOE permits the print of the secure print file only to the user who is permitted the use of this
TOE permits only the administrator the operations of the following functions. The setting function related to the network address of printer Backup function Restoration function TOE permits the operations of the following functions only to the administrator and the service engineer. The function related to the setting of Enhanced Security function O.OVERWRITE-ALL Complete overwrite deletion
TOE overwrites all data regions of HDD in printer by using the data for deletion, and makes impossible the restoration of all the image data. In addition, TOE offers a function to initialize a setting value such as the highly confidential password on NVRAM that is set by a user or an administrator. (Administrator password, SNMP password, HDD lock password, Encryption Passphrase) O.CRYPT-KEY Encryption key generation

5.1. TOE Security Requirements
5.1.1. TOE Security Function Requirements
5.1.1.1. Cryptographic Support

FCS_CKM.1

Cryptographic key generation
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards]. [assignment: list of standards] Konica Minolta Encryption specification standard [assignment: cryptographic key generation algorithm] Konica Minolta HDD Encryption key generation algorithm (SHA-1) [assignment: cryptographic key sizes] 128bit Hierarchical to No other components Dependencies FCS_CKM.2 or FCS_COP.1 FCS_COP.1[E] FCS_CKM.4 N/A FMT_MSA.2 N/A

21 / 90

5.1.1.2. User data protection Subset access control

FDP_ACC.1[1]

FDP_ACC.1.1[1] The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]. [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP] Listed in Table1 User Box Access Control Operational List [assignment: access control SFP] User Box access control Hierarchical to No other components Dependencies FDP_ACF.1 FDP_ACF.1[1]
Table 1 User Box Access Control Operational List
A task to act for a user User Box File Print Move to other user boxes Copy to other user boxes Backup

FDP_ACC.1[2]

Subset access control
FDP_ACC.1.1[2] The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]. [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP] Listed in Tabel2 Secure print file access control operational list [assignment: access control SFP] Secure print file access control Hierarchical to No other components Dependencies FDP_ACF.1 FDP_ACF.1[2]
Table 2 Secure Print File Access Control: Operational List
Subject A task to act for a user Object Secure Print File Access Control Operational list Print Back-Up

FDP_ACC.1[3]

FDP_ACC.1.1[3] The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]. [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP] Listed in Table 3 Setting management access control operational list [assignment: access control SFP] Setting management access control Hierarchical to No other components Dependencies FDP_ACF.1 FDP_ACF.1[3]

22 / 90

Table 3 Setting Management Access Control: Operational List
Subject A task to act for a user Object HDD Lock Password Object Encryption passphrase Object Operational list Settings Back-Up Restore Settings Restore
Printer Address Group Object

FDP_ACF.1[1]

Security attribute based access control
FDP_ACF.1.1[1] The TSF shall enforce the [assignment: access control SFP] to objects based on the following: [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes]. [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes] Subject Subject attributes A task to act for a user User Box Attributes User Box ID Administrator Attributes ---------------------------------------------------------------------------------------------------------------------------------------------Object Object attributes User Box File User Box Attributes User Box ID [assignment: access control SFP] User Box access control FDP_ACF.1.2[1] The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects]. [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects] A task to act for a user who is related to the user box attributes (user box ID) is permitted to print, move to other user boxes and copy to the other user boxes, to the user box file that have the matched user box attributes with the user box attributes (user box ID) of the subject attributes. A task to act for a user who has an administrator attribute is permitted to backup a user box file. FDP_ACF.1.3[1] The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]. [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects] None FDP_ACF.1.4[1] The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]. [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects] None Hierarchical to No other components Dependencies FDP_ACC.1 FDP_ACC.1[1] FMT_MSA.3 N/A

FIA_SOS.1[5]

FIA_SOS.1.1[5] The TSF shall provide a mechanism to verify that secrets (Session Information) meet [assignment: a defined quality metric]. [assignment: a defined quality metric] and above Hierarchical to No other components Dependencies No dependencies

FIA_SOS.2

TSF Generation of secrets
FIA_SOS.2.1 The TSF shall provide a mechanism to generate secrets (Session information) that meet [assignment: a defined quality metric.]. [assignment: a defined quality metric.] 10 10and above FIA_SOS.2.2 The TSF shall be able to enforce the use of TSF generated secrets for [assignment: list of TSF functions]. [assignment: list of TSF functions] Administrator authentication Access through the network User box authentication Access through the network Hierarchical to No other components Dependencies No dependencies

FIA_UAU.2[1]

User authentication before any action
FIA_UAU.2.1[1] The TSF shall require each user Service Engineer to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user Service Engineer. Hierarchical to FIA_UAU.1

29 / 90

Dependencies

FIA_UID.1 FIA_UID.2[1]

FIA_UAU.2[2]
FIA_UAU.2.1[2] The TSF shall require each user Administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user Administrator. Hierarchical to FIA_UAU.1 Dependencies FIA_UID.1 FIA_UID.2[2]
FIA_UAU.2.1[3] The TSF shall require each user User who is permitted to use secure print file to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user User who is permitted to use secure print file Hierarchical to FIA_UAU.1 Dependencies FIA_UID.1 FIA_UID.2[3]
FIA_UAU.2.1[4] The TSF shall require each user User who is permitted to use the user box to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user User who is permitted to use the user box Hierarchical to FIA_UAU.1 Dependencies FIA_UID.1 FIA_UID.2[4]

FIA_UAU.6

Re-authenticating
FIA_UAU.6.1 The TSF shall re-authenticate the use under the conditions [assignment: list of conditions under which re-authentication is required]. [assignment: list of conditions under which re-authentication is required] When the administrator modifies the administrator password. When the service engineer modifies the CE password. When the administrator changes the HDD lock setting. When the administrator changes the Encryption function setting. Hierarchical to No other components Dependencies No dependencies

This security objective limits the print of the secure print file only for the user, who is permitted the use of the secure print file, and requires various requirements that relate to the access control. Secure print file access control As it must be a user who is permitted the use of the secure print file to print it, FIA_UID.2[3] and FIA_UAU.2[3] identifies and authenticates that it is a user who is permitted the use of the secure print file. FIA_UAU.7 returns *" for each entered character as feedback protected by the panel and supports the authentication. FIA_AFL.1 [6] refuses all input acceptances from the panel for 5 seconds in every failure. When the authentication failure reaches 1-3 times, FIA_AFL.1 [4] locks the authentication function for to the concerned secure print file. This lock status is released by the TOE rebooting or the administrator's release operation. FMT_MTD.1[1] permits only to the administrator the setting of the threshold of the unauthorized access detection value that is the trial frequency of the failure authentication in the authentication of the user who is permitted the use of the secure print file. When FIA_ATD.1 and FIA_USB.1 relate the secure print internal control ID to the task of acting use, FDP_ACC.1[2] and FDP_ACF.1[2] permit the print operation to the secure print

62 / 90

file that has a corresponding object attribute to the secure print internal control ID of the subject attribute. As for secure print internal control ID, FMT_MSA.3 gives the value uniquely identified when the secure print file is registered. Secure print password FIA_SOS.1[4] verifies the quality of the secure print password. Necessary requirement to keep the administrator secure refer to set.admin Necessary requirement to keep the service engineer secure refer to set.service Role and controlling function for each management As the role of doing these managements, FMT_SMR.1[2] maintains an administrator. Moreover, FMT_SMF.1 specifies these management functions. This security objective is satisfied by the completion of these multiple functional requirements. O.CONFIG Access limitation to an management function
This security objective limits the setting related to the IP address of the printer, the setting related to the Enhanced Security function, the backup function and the restorations function to the administrator, and needs various requirements to limit the access to a series of setting function and the management function. Management of network setting When the administrator attribute is associated with the task of substituting the use, FDP_ACC.1[3] and FDP_ACF.1[3] permits the task of substituting the user to operate the setting for the Printer address group object. Operation limitation of Backup and restoration function When the administrator attribute is related to the task of acting the use, the task of acting the user is permitted the back-up operation of; the user box files by FDP_ACC.1[1] and FDP_ACF.1[1]. the secure print files by FDP_ACC.1[2] and FDP_ACF.1[2]. the encryption passphrase object and the HDD lock password object by FDP_ACC.1[3] and FDP_ACF.1[3]. In addition, the restoration operation is permitted for the encryption passphrase object, the HDD lock password object and the Printer address group object by FDP_ACC.1[3] and FDP_ACF.1[3]. Moreover, the restoration operation (modifying operation) of the followings is permitted only to the administrator. the Enhanced security setting data by FMT_MOF.1[1]. the SNMP password, the authentication failure frequency, the secure print password by FMT_MTD.1[1].

This security objective regulates that the data stored in HDD is encrypted by the encryption board that is the entity of a necessary IT environment for the security maintenance of TOE, and needs various requirements that relate to the encryption. Applying FCS_COP.1[E], the encryption board encodes and decodes all the written data to HDD by the 128bit encryption key using AES that conforms to FIPS PUB 197. This security objective is satisfied by the completion of this function requirement.

65 / 90

Access control of HDD
This security objective regulates that it refuses the unauthorized access from the printer other than the one that is set by the HDD which is the entity of a necessary IT environment for the TOE security maintenance, and needs various requirements that verify that it is the right Printer where TOE is installed. By FIA_UAU.2[E], HDD authenticates that the entity accessing to HDD is the Printer, which HDD is installed. When the failure authentication reaches five times, FIA_AFL.1[E] refuses all the accesses to HDD concerning reading and writing data. This security objective is satisfied by the combination of these multiple functional requirements. OE.FEED-BACK Feedback of password
This security objective regulates that the application (used by client PC for accessing to the Printer) that is the entity of a necessary IT environment for the TOE security maintenance offers the appropriate protected feedback for the entered user box password and the entered administrator password. By FIA_UAU.7[E], the application displays *" for each character as feedback for entered character data. This security objective is satisfied by the completion of this function requirement. The following is the compilation of set such as administrator secure (set.admin), secure (set.service). the set of necessary requirement to keep
the set of necessary requirement to keep service engineer
set.admin Set of necessary requirement to keep administrator secure Identification and Authentication of an administrator FIA_UID.2[2] and FIA_UAU.2[2] identifies and authenticates that the accessing user is an administrator. FIA_UAU.7 returns *" for each character entered as feedback protected in the panel, and supports the authentication. FIA_AFL.1[6] refuses, in case of the failure authentication tried from the panel, all the input receipts from the panel for five seconds in every failure. When the failure authentication reaches 1-3 times, FIA_AFL.1[2] locks all the authentication functions that use the administrator password from then on. This lock is released by starting TOE with turning OFF and ON the power supply. FMT_MTD.1[1] permits only to the administrator the setting of the threshold of the unauthorized access detection value which is the trial frequency of the failure authentication in the administrator authentication.

71 / 90

IT Security Functional Requirement FIA_AFL.1[2] FIA_AFL.1[3] FIA_AFL.1[4] FIA_AFL.1[5] FIA_ATD.1 FIA_SOS.1[1] FIA_SOS.1[2] FIA_SOS.1[3] FIA_SOS.1[4] FIA_SOS.1[5] FIA_SOS.2 FIA_UAU.2[1] FIA_UAU.2[2]
Functional requirement component that operates other security functional requirements validly Bypass Prevention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FPT_RVM.1 FPT_RVM.1 Interference/ Destruction Prevention FMT_MTD.1[1] FMT_MTD.1[1] FMT_MTD.1[1] FMT_MTD.1[1] N/A N/A N/A N/A N/A N/A N/A FMT_MTD.1[5] FMT_MTD.1[1] FMT_MTD.1[3] FMT_MTD.1[4] FMT_MTD.1[6] FMT_MTD.1[1] FMT_MTD.1[4] FMT_MTD.1[2] FMT_MTD.1[4] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Deactivation Prevention FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] N/A N/A FMT_MOF.1[1] FMT_MOF.1[1] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Disabling Detection
FIA_UAU.2[3] FIA_UAU.2[4] FIA_UAU.6 FIA_UAU.7 FIA_UID.2[1] FIA_UID.2[2] FIA_UID.2[3] FIA_UID.2[4] FIA_USB.1 FMT_MOF.1[1] FMT_MOF.1[2] FMT_MOF.1[3] FMT_MSA.3 FMT_MTD.1[1] FMT_MTD.1[2] FMT_MTD.1[3] FMT_MTD.1[4] FMT_MTD.1[5] FMT_MTD.1[6] FMT_SMF.1 FMT_SMR.1[1] FMT_SMR.1[2] FMT_SMR.1[3] FPT_RVM.1 FPT_SEP.1 FIA_NEW.1 FNEW_RIP.1 FCS_COP.1[E] FIA_AFL.1[E] FIA_UAU.2[E] FIA_UAU.7[E]
FPT_RVM.1 FPT_RVM.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FPT_RVM.1 N/A N/A N/A N/A N/A
FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] N/A FMT_MOF.1[1] N/A FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] FMT_MOF.1[1] N/A N/A N/A N/A N/A
N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

72 / 90

Bypass Prevention By-pass prevention of functional requirement that relates to administrator As for FDP_ACF.1[1] that regulates the user box access control, FDP_ACF.1[2] that regulates the secure print file access control, and FDP_ACF.1[3] that regulates the administrator mode access control, the by-pass prevention is supported by FIA_UAU.2[2] that regulates the administrators identification and authentication. Furthermore, because FIA_UAU.2[2] is called by FPT_RVM.1 without fail, the by-pass prevention is supported. By-pass prevention of functional requirement that relates to service engineer As for FDP_ACF.1[3] that regulates the setting management access control, the by-pass prevention is supported by FIA_UAU.2[1] that regulates the service engineers identification and authentication. In addition, FIA_UAU.2[1] is called by FPT_RVM.1 without fail, the by-pass prevention is supported. By-pass prevention of functional requirement that relates to user box As for FDP_ACF.1[1] that regulates the user box access control, the by-pass prevention is supported by FIA_UAU.2[4] that authenticates the user is the permitted user to use the user box. In addition, because FIA_UAU.2[4] that regulates the authentication of the user who is permitted the use of the user box are called by FPT_RVM.1 without fail, and so the by-pass prevention is supported. By-pass prevention of functional requirement that relates to secure print As for FDP_ACF.1[2] that regulates the secure print file access control, the by-pass prevention is supported by FIA_UAU.2[3] that authenticates the authorized user to use the secure print file. In addition, because FIA_UAU.2[3] that regulates the authentication of the authorized user to use the secure print file are called by FPT_RVM.1 without fail, so that the by-pass prevention is supported. By-pass prevention of validity verification of HDD FIA_NEW.1 that verifies the validity of HDD is called by FPT_RVM.1 without fail, so that the by-pass prevention is supported. Interference and Destruction Prevention Maintenance of user box access control By FPT_SEP.1, only the subject of two types such as the authenticated administrator who is assumed by the user box access control and the user who is permitted the use of the authenticated user box, can operate the user box and the user box file. With two requirements in the above-mentioned, FDP_ACF.1[1] is supported in the prevention of interference and destruction from other illegal subject. Maintenance of secure print file access control FPT_SEP.1 permits the operation of the secure print file only to the two types of subject

81 / 90

(0x20-0x7E, except 0x22 and 0x2B) in total 93 characters by eight digits and is not composed of one kind of characters. Accordingly, this functional requirement is satisfied. FIA_SOS.1[5] FIA_SOS.1[5] regulates the quality of the session information. F.ADMIN verifies that a space quality is more than 1010 as the quality of session information. F.BOX verifies that a space quality is more than 1010 as the quality of session information. Accordingly, this functional requirement is satisfied. FIA_SOS.2 FIA_SOS.2 regulates the generation of session information and its quality. F.ADMIN generates the secrets that are the space quality of 1010 or more to session information in the administrator authentication. F.BOX generates the secrets that are the space quality of 1010 or more to session information in the user box authentication. Accordingly, this functional requirement is satisfied. FIA_UAU.2[1] FIA_UAU.2[1] regulates the authentication of the service engineer. F.SERVICE authenticates that the user who accesses the service mode by using the CE password is the service engineer. Accordingly, this functional requirement is satisfied. FIA_UAU.2[2] FIA_UAU.2[2] regulates the authentication of the administrator. F.ADMIN authenticates that the user who accesses the administrator mode by using the administrator password is the administrator. F.ADMIN-SNMP authenticates that the user who accesses the MIB object by using the SNMP password (Privacy password, Authentication password) is the administrator. Accordingly, this functional requirement is satisfied. FIA_UAU.2[3] FIA_UAU.2[3] regulates the authentication of the authorized user to use the secure print file. F.PRINT authenticates that the user is the authorized user to use the secure print file by using the secure print password that is set to each secure print file. Accordingly, this functional requirement is satisfied. FIA_UAU.2[4] FIA_UAU.2[4] regulates the authentication of the authorized user to use the user box. F.BOX authenticates that the user is the authorized user to use the user box by using the user box password that is set to each user box. Accordingly, this functional requirement is satisfied. FIA_UAU.6 FIA_UAU.6 regulates the re-authentication for the important operation such as changing a password.

82 / 90

F.ADMIN re-authenticates the administrator at the operation for the change of the administrator password. Along with the change operation of the HDD lock password and encryption passphrase, by collating the registered HDD lock password and registered encryption passphrase, it re-authenticates the administrator who has known each of confidential information. F.SERVICE re-authenticates the service engineer at the operation of the change of the CE password. Accordingly, this functional requirement is satisfied. FIA_UAU.7 FIA_UAU.7 regulates the return of *" as the feedback under the authentication. F.ADMIN returns *" for each character for entered administrator password from the panel in the authentication and re-authentication of administrator, and prevents a direct display of the administrator password. F.SERVICE returns *" for each character for the entered CE password from the panel in the authentication and re-authentication of the service engineer, and prevents a direct display of the CE password. F.PRINT returns *" for each character for the entered secure print password from the panel in the authentication of the authorized user who can use the secure print file, and prevents the direct display of the secure print password. F.BOX returns "*" for each character for the entered user box password from the panel in the authentication of the user who is permitted the use of the public user box, and prevents a direct display of the user box password. Accordingly, this functional requirement is satisfied. FIA_UID.2[1] FIA_UID.2[1] regulates the identification of the service engineer. F.SERVICE identifies the user who accesses the service mode is a service engineer. Accordingly, this functional requirement is satisfied. FIA_UID.2[2] FIA_UID.2[2] regulates the authentication of the administrator. F.ADMIN identifies the user who accesses the administrator mode is an administrator. F.ADMIN-SNMP identifies the user, who accesses the MIB object, is an administrator. Accordingly, this functional requirement is satisfied. FIA_UID.2[3] FIA_UID.2[3] regulates the identification of the user who is permitted the use of the secure print file. F.PRINT identifies a user who is permitted the use of the secure print file by selecting the secure print file as an operation target. Accordingly, this functional requirement is satisfied. FIA_UID.2[4] FIA_UID.2[4] regulates the identification of the user who is permitted the use of the user box. F.BOX identifies the user who is permitted the use of the user box by selecting the user box as the operation target.

84 / 90

FMT_MTD.1[1] FMT_MTD.1[1] regulates the management of a SNMP password, the failure number of times threshold, and a secure print password. F.ADMIN permits the operation to change the SNMP password and the setting data of authentication failure frequency threshold in the administrator mode. In addition, F.ADMIN permits the administrator the back-up and restoration operation, and so it is possible to change the back-up data which is acquired by back-up operation, and to change a SNMP password, the failure number of times threshold and a secure print password as a result of performing the restoration operation. F.SNMP-ADMIN permits the change of the SNMP password. Accordingly, this functional requirement is satisfied. FMT_MTD.1[2] FMT_MTD.1[2] regulates the management of the user box password. F.ADMIN permits the change operation of the user box password that is set to the user box in the administrator mode. In addition, F.ADMIN permits the administrator the back-up and restoration operation, and so it is possible to change the back-up data which is acquired by back-up operation, and to change the user box password as a result of performing the restoration operation. F.BOX permits the change operation of the user box password to the authenticated user as the user who is permitted the use of the user box concerned. Accordingly, this functional requirement is satisfied. FMT_MTD.1[3] FMT_MTD.1[3] regulates the management of the administrator password. F.ADMIN permits the change operation of the administrator password in the administrator mode. F.SERVICE permits the change operation of the administrator password in the service mode. Accordingly, this functional requirement is satisfied. FMT_MTD.1[4] FMT_MTD.1[4] regulates the management of the SNMP password, the User box password and the Secure Print password. F.ADMIN permits the administrator the back-up and restoration operation, and so it is possible to browse the SNMP password, the User box password and the Secure Print password by means of the back-up data which is acquired by back-up operation. Accordingly, this functional requirement is satisfied. FMT_MTD.1[5] FMT_MTD.1[5] regulates the management of the CE password. F.SERVICE permits the change operation of the CE password in the service mode. Accordingly, this functional requirement is satisfied. FMT_MTD.1[6] FMT_MTD.1[6] regulates the management of the administrator password and the SNMP password.

85 / 90

F.ADMIN permits the initialization operation of the administrator password and the SNMP password, that is performed along with the execution of the overwrite deletion operation of all area in the administrator mode. F.SERVICE permits the initialization operation of the administrator password and the SNMP password, which is performed along with the execution of the initializing function in the service mode. Accordingly, this functional requirement is satisfied. FMT_SMF.1 FMT_SMF.1 specifies the security management function. F.ADMIN provides the following security management functions. Setting function of authentication failure frequency threshold Back-up and restoration function It consequentially corresponds to the inquiry function of the following TSF data. SNMP password User box password Secure Print password It also corresponds to the modification function of the following TSF data. SNMP password User box password Secure print password Operational setting data of the Enhanced Security function Authentication failure frequency threshold of the authentication operation prohibited function Stop function of the Enhanced Security function Operational setting function of the Enhanced Security function HDD logical format function Modification function of the administrator password Modification function of the user box password Modification function of the SNMP password (Privacy password and Authentication password Lock release function This offers the following authentication functions. Authentication function in the access to the MIB object Authentication function in the access to the user box Authentication function in the access to the secure print F.ADMIN-SNMP offers security management functions. Modification function of the SNMP password (Privacy password and Authentication password Operational setting function of the SNMP password authentication function F.SERVICE offers the following security management functions. Modification function of the CE password Modification function of the administrator password Operation setting function of setup function Initialization function of the administrator password Initialization function Initialization function of the SNMP password (Privacy password and Authentication

86 / 90

password Initialization function Stop function of the Enhanced Security function HDD logical format function HDD physical format function HDD installation setting function Initialization function F.BOX offers the following security management functions. Modification function of the user box password F.ADMIN offers the following security management functions. Stop function of the Enhanced Security function Overwrite deletion function of all area Initialization of the administrator password Overwrite deletion function of all area Initialization of the SNMP password (Privacy password and Authentication password Overwrite deletion function of all area Accordingly, this functional requirement is satisfied. FMT_SMR.1[1] FMT_SMR.1[1] regulates the role as the service engineer. F.SERVICE recognizes the user who is authenticated by the CE password as a service engineer. Accordingly, this functional requirement is satisfied. FMT_SMR.1[2] FMT_SMR.1[2] regulates the role as an administrator. F.ADMIN recognizes the user who is authenticated by the administrator password as an administrator. F.ADMIN-SNMP recognizes the user who is authenticated by the SNMP password Privacy password and Authentication password as an administrator. Accordingly, this functional requirement is satisfied. FMT_SMR.1[3] FMT_SMR.1[3] regulates the role as a user who is permitted the use of the user box. F.BOX recognizes the user who is authenticated by the user box password as the authorized user who can use the user box. Accordingly, this functional requirement is satisfied. FPT_RVM.1 FPT_RVM.1 regulates to support that a corresponding TSP execution function must be called before each TOE security function is permitted to start its operation. F.ADMIN definitely activates "Administrator authentication function" of which performance is indispensable, before the use of various functions that can be performed only by administrator is permitted. F.ADMIN-SNMP definitely activates "Administrator authentication function" of which performance is indispensable, before the use of network functions that can be performed only by administrator is permitted.

87 / 90

F.SERVICE definitely activates "Service engineer authentication function" of which performance is indispensable, before the use of various functions that can be performed only by the service engineer is permitted. F.BOX definitely activates "Authentication function by the user box password" of which performance is indispensable, before the use of various functions that can be performed only by the authorized user who can use the user box is permitted. F.PRINT definitely activates "Authentication function by the secure print password" of which performance is indispensable, before the use of various functions that can be performed only by the authorized user who can use the secure print is permitted. F.HDD definitely activates "Validity verification function of HDD" of which performance is indispensable, before writing HDD is permitted when HDD lock function is activated. Accordingly, this functional requirement is satisfied. FPT_SEP.1 FPT_SEP.1 regulates maintaining of security domains for protecting against interference and tampering by subjects who cannot be trusted and regulates separating of security domains of subjects. F.ADMIN maintains the administrator authentication domain that is provided various functions permitted to operate only by administrator, and it does not permit the interference by the unauthorized subject. F.ADMIN-SNMP maintains the administrator authentication domain that is provided various functions permitted to operate only by the administrator who is authenticated with the SNMP password, and it doesn't permit the interference by the unauthorized subjects. F.BOX maintains the user box authentication domain that is provided various functions permitted to operate only by the authorized user who can use the user box by the authentication of the user box password, and it doesn't allow the interference by the unauthorized subject. F.PRINT maintains the secure print file authentication domain that is provided various functions permitted to operate only by a user who is permitted to use the secure print file by the authentication of the secure print password, and it doesn't allow the interference by the unauthorized subject. F.SERVICE maintains the service engineer authentication domain that is provided various functions permitted to operate only by the service engineer, and it doesn't allow the interference by the unauthorized subject. Accordingly, this functional requirement is satisfied. FNEW_RIP.1 FNEW_RIP.1 regulates that the object and the TSF data, that are targeted in the explicit deletion operation can not be restored. F.OVERWRITE-ALL deletes the user box file, the secure print file, the on-memory image file, the stored image file, the remaining image file, the image related file, the user box password, the secure print password and the remaining TSF data by performing the overwrite deletion to all area of HDD by means of the specified method of overwrite deletion. In addition, it initializes the NVRAM administrator password and the SNMP password, and sets OFF the operations of the HDD lock function and the Encryption function. Accordingly, this functional requirement is satisfied.