December 8, 2006 IEEE P2600/PPF-A-demo-24a

IEEE P2600/PPF-A-demo24a

Last Edited: December 8, 2006

Draft
Family of Protection Profiles for Hardcopy Devices
in Operational Environment A

Sponsored by the

Information Assurance Committee

of the IEEE Computer Society

Copyright © 2004-2006 by the Institute of Electrical and Electronics Engineers, Inc.

Three Park Avenue

New York, New York 10016-5997, USA

All rights reserved.

This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards Committee participants to reproduce this document for purposes of IEEE standardization activities only. Prior to submitting this document to another standards development organization for standardization activities, permission must first be obtained from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department. Other entities seeking permission to reproduce this document, in whole or in part, must obtain permission from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department.

IEEE Standards Activities Department

Standards Licensing and Contracts

445 Hoes Lane, P.O. Box 1331

Piscataway, NJ 08855-1331, USA

Copyright © 2004-2006 IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.


Foreword

Hardcopy Devices (HCDs) are a category of information technology products that process paper documents as input or output. For the purposes of this document, this category is composed of printing, copying, scanning, and facsimile devices, and systems that combine one or more of those functions into a multifunctional device (MFD).

Typical applications of HCDs involve physical connection to other devices via telephone lines and wired and wireless networks, and logical connection to other devices using a variety of networking services and protocols. Establishing the security of HCDs is therefore a critical part of any information systems security plan where HCDs are present. Protection Profiles for HCDs are intended to provide the basis for evaluating the security functions of HCDs and help ensure that the security objectives of an information systems environment can be met.

This document, “Family of Protection Profiles for Hardcopy Devices in Operational Environment A”, describes the assumptions, threats, objectives, and requirements related to the use of HCDs in an information technology environment where a relatively high level of document security, operational accountability, and information assurance is required. This family of protection profiles is an encapsulation of protection profiles that can be applied individually or in combination to satisfy the security needs of a variety of HCDs, ranging from single-function, non-networked devices to complex multifunctional networked devices.

Other Families of Protection Profiles have been developed for HCDs in other operational environments. Those environments are defined within their respective Protection Profile documents. The operational environment definitions are based on guidelines established by NIST in “Special Publication 800-70: Security Configuration Checklists Program for IT Products” [xxx] and are described in IEEE Std. P2600 [xxx], Clause 5.

This Protection Profile has been developed by the Hardcopy Security Working Group of the Institute of Electrical and Electronics Engineers (IEEE) as part of the IEEE P2600 “Standard for Information Technology: Hardcopy System and Device Security”. It is designed for use in two contexts:

  1. As a standalone reference document for ISO/IEC 15408 (“Common Criteria”) certification; and,
  2. As an annex to the IEEE P2600 standard.

This Protection Profile is based on the “Common Criteria for Information Technology Security Evaluations, Version 3.1”.

Further information about this Protection Profile and the IEEE P2600 project, including status and updates, can be obtained at the P2600 web site. Comments on this document should be directed to the Editor of the P2600 working group, whose contact information is listed on that web site.

Contents

Foreword
Contents
List of Tables
List of Figures
Revision History
1 OVERVIEW
1.1 PP Reference
1.2 TOE Overview
1.2.1 TOE Description
1.2.2 TOE Terminology
1.2.3 TOE Functional Description
1.2.4 TOE Architectural Description
2 Conformance claims
2.1 Conformance to Common Criteria
2.2 Conformance to other Protection Profiles
2.3 Conformance to Packages
2.4 Conformance to this Protection Profile
3 Security problem definition
3.1 Robustness
3.2 Threats to Security
3.2.1 T.UD (Unauthorized access to User Document Data)
3.2.2 T.RESOURCE (Unauthorized use of Resources)
3.2.3 T.DOS (Denial or impediment of services of the TOE)
3.2.4 T.EA (Attacks on systems in the IT environment)
3.2.5 T.TSF (Accessing or altering TOE Security Functions)
3.3 Organizational Security Policies
3.4 Security Assumptions
3.4.1 A.ADMIN (Administrator trust and competence)
3.4.2 A.USER (User responsibility)
3.4.3 A.LOCATION (Limited physical access)
3.4.4 A.NETWORK (Limited network access)
4 Security Objectives
4.1 Security Objectives for the TOE
4.1.1 O.I&A (User identification and authentication)
4.1.2 O.ACCESS (User authorization)
4.1.3 O.DELETE (Deletion of residual data)
4.1.4 O.PROTECT (Protection of documents and data)
4.1.5 O.NETWORK (Protecting transmitted data and resources)
4.1.6 O.MONITOR (Monitoring)
4.1.7 O.RESILIENT (Mitigation of DOS attack)
4.1.8 O.GENUINE (Assurance of genuine TOE)
4.1.9 O.FAXONLY (Fax modem can only be used for fax communication)
4.2 Security Objectives for the development environment
4.3 Security Objectives for the operational environment
4.3.1 OE.TRAIN (Training)
4.3.2 OE.LOCATION (Limited physical access)
4.3.3 OE.NETWORK (Limited network access)
4.3.4 OE.NET_MANAGE (Network Management)
4.4 Security Objectives Rationale
4.4.1 Necessity and Completeness
4.4.2 Correctness
5 Extended Components Definition
6 Security Functional Requirements
6.1 FAU Security Audit
6.1.1 FAU_GEN.1 Audit data generation
6.1.2 FAU_GEN.2 User identity association
6.1.3 FAU_SAR.1 Audit review
6.1.4 FAU_SAR.2 Restricted audit review
6.1.5 FAU_STG.1 Protected audit trail storage
6.1.6 FAU_STG.4 Prevention of audit data loss
6.2 FCS Cryptographic Support
6.2.1 FCS_CKM.1 Cryptographic key generation
6.2.2 FCS_CKM.4 Cryptographic key destruction
6.2.3 FCS_COP.1 Cryptographic operation
6.3 FDP User Data Protection
6.3.1 FDP_ACC.2 Complete access control
6.3.2 FDP_ACF.1 Security attribute based access control
6.3.3 FDP_IFC.1 Subset information flow control
6.3.4 FDP_IFF.1 Simple security attributes
6.3.5 FDP_RIP.1 Subset residual information protection
6.4 FIA Identification and Authentication
6.4.1 FIA_AFL.1 Authentication failure handling
6.4.2 FIA_ATD.1 User attribute definition
6.4.3 FIA_SOS.1 Verification of secrets
6.4.4 FIA_UAU.1 Timing of authentication
6.4.5 FIA_UAU.6 Re-authenticating
6.4.6 FIA_UAU.7 Protected authentication feedback
6.4.7 FIA_UID.1 Timing of identification
6.4.8 FIA_USB.1 User-subject binding
6.5 FMT Security Management
6.5.1 FMT_MSA.1 Management of security attributes
6.5.2 FMT_MSA.2 Secure security attributes
6.5.3 FMT_MSA.3 Static attribute initialisation
6.5.4 FMT_MTD.1 Management of TSF data
6.5.5 FMT_SMF.1 Specification of Management Functions
6.5.6 FMT_SMR.1 Security roles
6.6 FPT Protection of the TSF
6.6.1 FPT_AMT.1 Abstract machine testing
6.6.2 FPT_STM.1 Reliable time stamps
6.6.3 FPT_TST.1 TSF testing
6.7 FTA TOE Access
6.7.1 FTA_SSL.3 TSF-initiated termination
6.8 FTP Trusted Paths/Channels
6.8.1 FTP_ITC.1 Inter-TSF trusted channel
7 Security Assurance Requirements for the TOE
7.1 ADV: Development
7.1.1 ADV_ARC Security Architecture
7.1.2 ADV_FSP Functional Specification
7.1.3 ADV_TDS TOE Design
7.2 AGD: Guidance Documents
7.2.1 AGD_OPE Operational user guidance
7.2.2 AGD_PRE Preparative procedures
7.3 ALC: Life-cycle Support
7.3.1 ALC_CMC CM Capabilities
7.3.2 ALC_DEL Delivery
7.3.3 ALC_DVS Development Security
7.3.4 ALC_LCD Life-Cycle Definition
7.4 APE Protection Profile Evaluation
7.4.1 APE_CCL Conformance Claims
7.4.2 APE_ECD Extended Components Definition
7.4.3 APE_INT PP Introduction
7.4.4 APE_OBJ Security objectives
7.4.5 APE_REQ Security requirements
7.4.6 APE_SPD Security Problem Definition
7.5 ATE Tests
7.5.1 ATE_COV Coverage
7.5.2 ATE_DPT Depth
7.5.3 Dependencies:
7.5.4 Objectives
7.5.5 ATE_FUN Functional tests
7.5.6 ATE_IND Independent Testing
7.6 AVA Vulnerability Assessment
7.6.1 AVA_VAN Vulnerability Analysis
8 Security Requirements Rationale
8.1 Functional Security Requirements Rationale

List of Tables

Table 1. Asset Terminology

Table 2. Actor Terminology

Table 3. Access Terminology

Table 4. Miscellaneous Terminology

Table 5. T.UD Threats

Table 6. T.RESOURCE Threats

Table 7. T.DOS Threats

Table 8. T.EA Threats

Table 9. T.TSF Threats

Table 10. Correspondence between operational environment and security objectives

Table 11. Additional justification for Security Objectives

Table 12. Assurance Requirements: EAL 2

Table 13. Correspondence between security objectives and security functional requirements

List of Figures

Figure 1. Overview of the TOE Actors, Access, and Assets

Figure 2. TOE Architectural Description

Revision History

Version / Date / Author(s) / Description
0.1 / 4/19/04 / Ohta / PP proposal
1.0 / 7/27/04 / Nevo / First draft
1.3 / 8/18/04 / Nevo / TOE description changes
1.4 / 8/20/04 / group / Typographical corrections
1.5 / 9/8/04 / Nevo, Cybuck / Sections 1-4
1.51, 1.52 / 10/4-8/04 / group / Corrections from Montreal meeting and cleanup of sections 1-4
1.60 / 10/25/04 / Nevo, Cybuck / Corrections from Lexington meeting to sections 1-4, update all sections
1.70 / 11/2/04 / Ohta, Smithson / Many changes, see associated 1.70 Change Notes document
1.71 / 11/7/04 / Nevo, Cybuck / Combines 1.60 and 1.70 to have one document according to IEEE format
1.72 / 11/10/04 / Ohta, Smithson / Section 4
1.73 / 11/23/04 / Smithson, Ohta / Corrections and updates from San Antonio meeting to sections 1-6
1.735 / 11/26/04 / Ohta / Corrections to section 5.1 and 5.2
1.74 / 12/22/04 / Nevo, Cybuck / Additional Corrections and updates from San Antonio meeting to sections 1-5
1.75 / 02/07/05 / Smithson, Ohta / Added new section 6 “PP Application Notes” (but still TBD), and the “Rationale” moved from section 6 to 7.
Added some descriptions to section 7 “Rationale”, but much part is still just examples and under construction.
Changed Customer Engineer from “trusted” to “untrusted”.
Removed assumptions of network security and physical location security and their corresponding objectives.
Clarified definitions of Authorized User and Unauthorized User. Updated Figures 1 and 2
1.75-brian / 02/08/05 / Smithson / Added Tables 12 and 13 (completeness and correctness of objectives)
1.75-Ohta / 02/10/05 / Ohta / Performed some operations against SFRs in section 5.1
Removed FTP_RCV.2 from section 5.1
Added some description to section 6 “PP Application Notes”
Added small description to section 7.2.1, but gave up…
1.80 / 02/08/05 / Nevo, Cybuck / Update section 1-4 after 1/2005 meeting, Added example to figure 1,2 , added firmware as assets, added A. PHS added back OE location
1.81 / 02/17/05 / Smithson / Merge 1.75 / 1.80
1.83 / 04/01/05 / Nevo, Cybuck / Update section 1-4 after 2/2005 meeting to include:
Firmware update, adding Paragraph for TOE architectural Description, adding Scanner and printer to TOE components, revised the description of T.EA and T.DOS,
1.90 / 03/29/05 / Ohta / Update section 1-7.
Section 7.2 is still under construction.
1.91 / 04/07/05 / Nevo, Cybuck / Update after 04/07 conference call.
1.92 / 04/08/05 / Ohta / Change the description of T.DOS.
Correct small inconsistencies.
1.93 / 04/25/05 / Ohta, Smithson / Update after 4/2005 meeting to include:
Added information flow control (OE.NETWORK and FDP_IFC and FDP_IFF),
Added network management (OE.NET_MANAGE),
Added auto logout (FTA_SSL), and
Some minor corrections.
1.93R / 4/25/05 / Nevo, Cybuck / Additional update after 4/2005 meeting to include:
T.DOS update description
O.NETWORK adding protocol
Update to Table 10 (T.TSF.SW)
Update to Table 11 (T.TSF.SW)
11a / 6/9/05 / Ohta, Smithson / Adopt new convention of the version number.
Update to reflect the comments 5/2005 meeting.
(See “P2600-comments-database-May 2005.xls” for detail.)
11b / 7/5/05 / Ohta / Prepare as the draft for discussion in San Jose meeting including:
Removing ADV_SPM.1, Removing T.UD.ANALYZE, and Modifying T.DOS. (Not yet making all parts consistent, especially in rationale section.)
12a / 9/14/05 / Nevo / Major structural changes to meet Common Criteria v3
14a / 11/20/05 / Nevo, Carmen / Changes to meet Common Criteria v3, adding sections 5, 6.1 and 6.3 (6.2 still needs adjustment)
15a / 1/10/06 / Smithson / Applied updates from Rancho Bernardo review of Ent PP
17a / 2/24/06 / Smithson, Aubry / AI #67, 103, 131, 132, 135, 139, 140, 141, 142, 143, 145, 151
Modify IT requirements to define subjects and operation. Uses these definitions for FDP_ISA, FDP_ACC, FIA_UAU, FIA_UID. Add FMI_CHO. Replace FPT_RIP.1 with FPT_RIP.2
19a / 5/12/06 / Smithson / Action items #154, 167, 169, 175, 182, and 183
20a / 6/12/06 / Smithson / Action items #13, 205, 206, 207.
21a / 7/14/06 / Smithson / Action items #164, 193, 216, 217, 221, 223
22a / 8/23/06 / Smithson / Action items #227, 229, 230, 236
24a / 11/28/06 / Smithson / Action items #251, 255, 270, 271, 272, 273
Reconciled threats/objectives with version 24b threat analysis and threat/objective/environment spreadsheet
Added T.DOS.FAX, T.TSF.SALVAGE (in place of T.TSF.CRED.GUESS), and T.RESOURCE.COPY
Removed “definition of subjects, objects, [etc]” (I propose that we add a PP appendix with an example entity model)
Inserted temporary SFR data from v24 PP SFRs draft, and created rationale table
Inserted temporary SAR data from v23 PP SARs draft
24b / 12/6/06 / Smithson / Minor edits
PPF-demo-24a / 12/8/06 / Smithson / Throw-away prototype of Family of PPs (functional)

1 OVERVIEW

1.1 PP Reference

Title: Family of Protection Profiles for Hardcopy Devices in Operational Environment A

Protection Profiles:

P2600-A-PRT P2600 Protection Profile for Hardcopy Device Print Functions in Operational Environment A

P2600-A-SCN P2600 Protection Profile for Hardcopy Device Scan Functions in Operational Environment A

P2600-A-CPY P2600 Protection Profile for Hardcopy Device Copy Functions in Operational Environment A

P2600-A-FAX P2600 Protection Profile for Hardcopy Device Fax Functions in Operational Environment A

P2600-A-SVR P2600 Protection Profile for Hardcopy Device Document Server Functions in Operational Environment A

P2600-A-NET P2600 Protection Profile for Hardcopy Device Networking Functions in Operational Environment A

P2600-A-NVS P2600 Protection Profile for Hardcopy Device Nonvolatile Storage Functions in Operational Environment A

Version: 24a

Date: December 8, 2006

Authors: IEEE P2600 Working Group

CC Version: 3.1

EAL: 3

Keywords: Hardcopy, Paper, Document, Copier, Printer, Scanner, Facsimile, FAX, Multifunction Device, MFD, MFP, Network, Office

Status: Draft

1.2 TOE Overview

1.2.1 TOE Description

This Family of Protection Profiles serves the entire Hardcopy Device (HCD) class of products. HCDs perform one or more of the following functions and are primarily used in office environments:

  • Copying paper documents
  • Printing digital documents to paper form
  • Scanning paper documents to digital form
  • Transmitting paper or digital documents to a facsimile device
  • Receiving documents from a facsimile device and delivering them in paper or digital form
  • Sending and receiving documents over a network interface
  • Storing documents temporarily or persistently on nonvolatile storage devices
  • Storing and retrieving documents on a network-accessible server

[Table: TOE Functions and Applicable Protection Profiles]

The class of HCD products encompasses a wide variety of functions and configurations, from small non-networked printers to large networked multifunction devices. To accommodate this variety of products, this Family of Protection Profiles encapsulates a variety of individual protection profiles, and HCD manufacturers can compose an appropriate Security Target for their products by conforming to one or more of the protection profiles in this family. It is expected that a manufacturer will conform to all of the protection profiles that apply to their product.

1.2.2.1 P2600-A-PRT — P2600 Protection Profile for Hardcopy Device Print Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of printing function with electronic document input and physical document output, such as printers, copiers, paper-based fax machines, and MFPs.

1.2.2.2 P2600-A-SCN — P2600 Protection Profile for Hardcopy Device Scan Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of scanning function with physical document input and electronic document output, such as scanners, copiers, paper-based fax machines, and MFPs.

1.2.2.3 P2600-A-CPY — P2600 Protection Profile for Hardcopy Device Copy Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of copy function with physical document input and physical document output, such as copiers, fax machines that provide such a copy function, and MFPs.

1.2.2.4 P2600-A-FAX — P2600 Protection Profile for Hardcopy Device Fax Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of telephone-based document facsimile (fax) transmission or reception function, such as fax machines and MFPs.

1.2.2.5 P2600-A-SVR — P2600 Protection Profile for Hardcopy Device Document Server Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of network-based document storage and retrieval function, such as MFPs.

1.2.2.6 P2600-A-NET — P2600 Protection Profile for Hardcopy Device Networking Functions in Operational Environment A

This protection profile is used for HCD products that have any kind of network-based document transmission or reception function.

1.2.2.7 P2600-A-NVS — P2600 Protection Profile for Hardcopy Device Nonvolatile Storage Functions in Operational Environment A

This protection profile is used for products that have any kind of nonvolatile document storage function, whether such storage is temporary and residual in nature or is deliberately persistent.

1.2.3 TOE Security Requirements

Many of the information objects that are processed or used by HCDs may contain valuable or sensitive information that needs to be protected from unauthorized disclosure, alteration, and destruction. This includes the documents in paper and digital forms, job information stored in usage logs, user information stored in address books, and residual data stored in hard disks, other memory devices, and electrostatic components. Documents and other information may be transmitted over telephone lines and computer networks, and so protection of network services should be considered. The utility of the device itself may be considered a valuable asset which also needs to be protected, in terms of both availability for authorized use and prevention of unauthorized use. Lastly, there may be a need to ensure that the HCD cannot be misused in such a way that it causes harm to devices to which the HCD is connected.

1.2.4 Operational Environments

All of the aforementioned items are considered to be assets requiring some level of protection, depending upon the security requirements of the environment in which the TOE is being used. Several Protection Profiles are available for HCDs in different environments:

Operational Environment A, generally characterized as a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance, are required. Typical information processed in this environment is trade secret, mission-critical, or subject to legal and regulatory considerations such as for privacy or governance. This environment is not intended to support life-critical or national security applications.

Operational Environment B, generally characterized as a commercial information processing environment in which a moderate level of document security, network security, and security assurance, are required. Typically, the day-to-day proprietary and non-proprietary information needed to operate an enterprise will be handled by this environment.

Operational Environment C, generally characterized as a public-facing environment in which document security is not guaranteed, but access control and usage accounting are important to the operator of the environment. A retail copy center, public library, Internet café, and hotel business center are typical applications of this environment.

Operational Environment D, generally characterized by a small, private information processing environment in which most elements of security are provided by the physical environment, but basic network security is needed to protect the device and its network from misuse from outside of the environment. Small offices and home offices are typical applications of this environment.

All of these operational environments are more fully described in IEEE Std. P2600, clause 5.

This Protection Profile addresses the security threats, assumptions, objectives, and requirements that apply to Operational Environment A.