KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514

Security Target

KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i

with FK-514,
DEVELOP ineo 450i/ineo 360i/bizhub 300i with FK-514
Security Target

Version: 2.00
Issued on：December 21, 2020
Created by：KONICA MINOLTA, INC

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

1 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

―【Table of Contents】--
1. ST Introduction ........................................................................................................................................ 6
ST Reference ........................................................................................................................................................... 6
TOE Reference ........................................................................................................................................................ 6
TOE Overview......................................................................................................................................................... 6
1.3.1. Type of TOE .........................................................................................................................................................................6
1.3.2. Usage and Main Security Functions ...................................................................................................................................6
1.3.3. Operating environment ........................................................................................................................................................7
1.3.4. Necessary Hardware/Software for the TOE ........................................................................................................................8
TOE Description ...................................................................................................................................................... 9
1.4.1. Physical Scope of the TOE ..................................................................................................................................................9
1.4.2. Logical scope of the TOE ..................................................................................................................................................10
1.4.3. Glossary ............................................................................................................................................................................12
2. Conformance Claims ............................................................................................................................. 16
CC Conformance Claims ...................................................................................................................................... 16
PP Claim ................................................................................................................................................................ 16
PP Conformance Rationale ................................................................................................................................... 16
3. Security Problem Definition ................................................................................................................. 17
Users ...................................................................................................................................................................... 17
Assets ..................................................................................................................................................................... 17
3.2.1. User Data ..........................................................................................................................................................................17
3.2.2. TSF Data ...........................................................................................................................................................................17
Threat Definitions.................................................................................................................................................. 18
Organizational Security Policy Definitions .......................................................................................................... 18
Assumption Definitions ......................................................................................................................................... 19
4. Security Objectives ................................................................................................................................ 20
Definitions of Security Objectives for the Operational Environment................................................................... 20
5. Extended components definition .......................................................................................................... 21
FAU_STG_EXT Extended: External Audit Trail Storage .................................................................................... 21
FAU_CKM_EXT Extended: Cryptographic Key Management ........................................................................... 21
FCS_IPSEC_EXT Extended: IPsec selected ........................................................................................................ 22
FCS_RBG_EXT Extended: Cryptographic Operation (Random Bit Generation)................................................ 24
FDP_FXS_EXT Extended: Fax Separation .......................................................................................................... 25
FIA_PMG_EXT Extended: Password Management ............................................................................................. 26
FIA_PSK_EXT Extended: Pre-Shared Key Composition .................................................................................... 26
FPT_SKP_EXT Extended: Protection of TSF Data.............................................................................................. 27
FPT_TST_EXT Extended: TSF testing ................................................................................................................ 28
FPT_TUD_EXT Extended: Trusted Update ....................................................................................................... 29
6. Security Requirements .......................................................................................................................... 31
Security Functional Requirements ........................................................................................................................ 31
6.1.1. Mandatory Requirements ..................................................................................................................................................31
6.1.2. Conditionally Mandatory Requirements ...........................................................................................................................45
6.1.3. Selection-based Requirements ...........................................................................................................................................45
Security Assurance Requirements ......................................................................................................................... 47
Security Requirements Rationale .......................................................................................................................... 47
6.3.1. The dependencies of security requirements .......................................................................................................................47

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

2 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

7. TOE Summary specification................................................................................................................. 51

Identification and Authentication function............................................................................................................ 51
Access control function ......................................................................................................................................... 53
Encryption function ............................................................................................................................................... 61
Trusted Communication function .......................................................................................................................... 63
Security Management function ............................................................................................................................. 65
Audit function ........................................................................................................................................................ 67
Trusted operation function .................................................................................................................................... 70
7.7.1. Update function .................................................................................................................................................................70
7.7.2. Self-test function ................................................................................................................................................................70
Fax separation function ......................................................................................................................................... 71

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

3 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

―【Table of figures】---
Figure 1-1 TOE's operating environment ................................................................................................................... 7
Figure 1-2 The logical scope of TOE ....................................................................................................................... 10

―【Table of Contents】--

Table 1-1 Evaluation configuration ............................................................................................................................ 8

Table 1-2 Hardware / Software which compose TOE ................................................................................................ 9
Table 1-3 Guidance which compose TOE .................................................................................................................. 9
Table 1-4 TOE Basic functions ................................................................................................................................ 10
Table 1-5 TOE Security functions ........................................................................................................................... 11
Table 1-6 Glossary.................................................................................................................................................... 12
Table 3-1 User Categories ........................................................................................................................................ 17
Table 3-2 Asset categories ........................................................................................................................................ 17
Table 3-3 User Data types ........................................................................................................................................ 17
Table 3-4 TSF Data types ......................................................................................................................................... 17
Table 3-5 Threats ...................................................................................................................................................... 18
Table 3-6 Organizational Security Policies .............................................................................................................. 18
Table 3-7 Assumptions ............................................................................................................................................. 19
Table 4-1 Security Objectives for the Operational Environment ............................................................................. 20
Table 6-1 Auditable Events ...................................................................................................................................... 31
Table 6-2 D.USER.DOC Access Control SFP ......................................................................................................... 35
Table 6-3 D.USER.JOB Access Control SFP........................................................................................................... 36
Table 6-4 Management of Security Functions behavior .......................................................................................... 39
Table 6-5 Management of Subject Security Attribute .............................................................................................. 40
Table 6-6 Management of TSF Data ........................................................................................................................ 41
Table 6-7 list of management functions ................................................................................................................... 42
Table 6-8 TOE Security Assurance Requirements ................................................................................................... 47
Table 6-9 The dependencies of security requirements ............................................................................................. 48
Table 7-1 List of Security Functions ........................................................................................................................ 51
Table 7-2 User Authentication Setting function ....................................................................................................... 52
Table 7-3 D.USER.DOC (Print) access control ....................................................................................................... 55
Table 7-4 D.USER.DOC (Scan) access control ....................................................................................................... 55
Table 7-5 D.USER.DOC (Copy) access control ...................................................................................................... 55
Table 7-6 D.USER.DOC (Fax send) access control................................................................................................. 56
Table 7-7 D.USER.DOC (Fax receive) access control ............................................................................................ 56
Table 7-8 D.USER.DOC (Storage/retrieval) access control .................................................................................... 56
Table 7-9 D.USER.JOB (Print) access control ........................................................................................................ 58
Table 7-10 D.USER.JOB (Scan) access control ...................................................................................................... 58
Table 7-11 D.USER.JOB (Copy) access control ...................................................................................................... 59
Table 7-12 D.USER.JOB (Fax send) access control ................................................................................................ 59
Table 7-13 D.USER.JOB (Fax receive) access control ............................................................................................ 59
Table 7-14 D.USER.JOB (Storage/retrieval) access control.................................................................................... 60
Table 7-15 Storage and Destruction of Key ............................................................................................................. 62
Table 7-16 Communication with IT equipment ....................................................................................................... 63
Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved
4 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 7-17 Management functions provided to Administrator ................................................................................ 65

Table 7-18 Management function provided to normal users.................................................................................... 67
Table 7-19 List of Events to be Audited ................................................................................................................... 67
Table 7-20 Audit Log Data Specifications ............................................................................................................... 69
Table 7-21 Self-test .................................................................................................................................................. 70

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

5 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

1. ST Introduction

ST Reference
・ ST name : KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514,
DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514 Security Target
・ ST version : 2.00
・Created on : December 21, 2020
・Created by : KONICA MINOLTA, INC.

TOE Reference
・ TOE name : KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514,
DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
・ Version : G00-31

The physical components of the TOE are the MFP body and the FAX kit. “KONICA MINOLTA bizhub
450i/bizhub 360i/bizhub 300i with FK-514” is equipped with FAX kit (product name FK-514, corresponding
identification information A883) on the MFP body (KONICA MINOLTA bizhub 450i, KONICA MINOLTA
bizhub 360i, KONICA MINOLTA bizhub 300i, and its version (AC770Y0-F000-G00-31)). “DEVELOP ineo
450i/ineo 360i/ineo 300i with FK-514” is equipped with FAX kit (product name FK-514, corresponding
identification information A883) on the MFP body (DEVELOP ineo 450i, DEVELOP ineo 360i, DEVELOP ineo
300i, and its version (AC770Y0-F000-G00-31)).

TOE Overview

1.3.1. Type of TOE

TOE is a Multi-Function Printer (MFP) used in the network environment (LAN) and has the function of copying,
scanning, printing, faxing, and retrieving documents.

1.3.2. Usage and Main Security Functions

The TOE is connected to the LAN and to a public line and has the capability for users to print, scan, copy, fax, store
and retrieve documents. Also, in order to protect user documents and security-related data, the following security
functions are provided.
Identification and authentication function to specify users, Access control function to restrict access to documents and
various operations of TOE in accordance with the authority given to users, Security management function to restrict
users with administrator authority to set security functions, Audit function to record security- related events and send
them to the log server, Trusted communication function to protect communication between TOE and external IT devices
by IPsec, Encryption function to use for encrypting communication data in the trusted communication function, Fax
separation function to ensure separation between PSTN and LAN, Update function to prevent updating by illegal
firmware, and Trusted operation function by self-test function to verify normal operation of TSF.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

6 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

1.3.3. Operating environment

Figure 1-1 shows the operating environment of TOE. The TOE is used by connecting LAN and public line. The User
can operate the TOE by communicating through the LAN or the operation panel with which the TOE is equipped.

Figure 1-1 TOE's operating environment

(1) TOE (MFP)

TOE is connected to the intra-office LAN and the public line and performs the following function.
・Electronic documents’ RX
・Fax RX
The User can perform the following from the operation panel.
・MFP’s various settings
・Paper documents’ Copy, Fax TX, Accumulation as electronic documents, Network TX
・Accumulated documents’ Print, Fax TX, Network TX, Deletion

(2) TOE (FAX kit)

A device that is necessary for use Fax function with TOE. Set to MFP.

(3) LAN
Network used for the TOE setup environment

(4) Public line

Telephone line for transmitting the external fax

(5) Firewall
Device for protecting against the network attacks to intra-office LAN from the internet

(6) Client PC
By connecting to the LAN, this works as the client of the TOE. The user can access TOE from the client
PC and operate the following by installing the printer driver in the client PC.
・Accumulation, Print of electronic documents

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

7 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Also, the user can access TOE from the client PC and operate the following by installing the Web
browser in the client PC.
・WC

(7) SMTP server

Server used for sending the electronic documents stored in the TOE and scanned data.

(8) External Authentication server

Server to identify and authenticate TOE users. This is used only when external server authentication
method is used. Kerberos authentication is used in the external server authentication method.

(9) DNS server

Server for converting domain name to IP address

(10) Log server

Server to be destination of audit log TX function. The user can specify a WebDAV server as a
destination for files recorded audit logs.

(11) WebDAV server

Server used for stored the electronic documents stored in the TOE and scanned data that are sent from
TOE.

(12) SMB server

Server used for stored the electronic documents stored in the TOE and scanned data that are sent from
TOE.

1.3.4. Necessary Hardware/Software for the TOE

As the hardware and software necessary for using the TOE, the configuration that was used for the TOE
evaluation is as follows.

Table 1-1 Evaluation configuration

Hardware/software Used version for evaluation
Client PC (OS) Windows 10 Pro
Web Browser Microsoft Internet Explorer 11
Printer Driver KONICA MINOLTA 650iSeries
PCL / PS Version 2.1.13.0
IPsec Built-in OS
External Authentication Server Active Directory installed in Microsoft Windows Server 2012 R2
DNS Server (note) Built-in OS
Ipsec Built-in OS
SMTP Server Postfix 3.4.5
IPsec strongswan 5.8.0
DNS Server bind9 9.11.5
IPsec strongswan 5.8.0
Log Server apache2 2.4.38
IPsec strongswan 5.8.0

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

8 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Hardware/software Used version for evaluation

WebDAV Server apache2 2.4.38
IPsec strongswan 5.8.0
SMB Server samba 4.9.5
IPsec strongswan 5.8.0
(note) DNS server of Microsoft Windows Server 2012 R2 is necessary for using the external authentication.

TOE Description
This paragraph explains the overview of the physical scope and logical scope of the TOE.

1.4.1. Physical Scope of the TOE

The physical scope of TOE is the MFP body with installed optional Fax kit. TOE is delivered in units of MFP
(built-in firmware), Fax kit, and guidance. The hardware/software and guidance that composes TOE are as
follows.
USB IF is implemented in the MFP, but it is enabled only for the update function during operation, so users
cannot connect and use personal storage devices (portable flash memory devices, etc.). Also, RS-232C IF is
implemented in the MFP, but user cannot use this interface since it is disabled during operation.

Table 1-2 Hardware / Software which compose TOE

Delivery unit Product name Version/code Format Delivery method

bizhub 450i Firmware version

AC770Y0-F000-G00-31
bizhub 360i
MFP hardware Hardware with built-in Packed in the special
bizhub 300i
(Any of the firmware in binary box and delivered by
right) ineo 450i format the delivery company
ineo 360i

ineo 300i

Packed in the special

Code:
FAX kit FK-514 hardware box and delivered by
A883
the delivery company

Table 1-3 Guidance which compose TOE

Langua
Delivery unit Guidance Name Version Format Delivery method
ge

bizhub 650i/550i/450i User’s Guide 1.00 Japanese exe file Customer engineer

bizhub 360i/300i User’s Guide 1.00 Japanese (*2) (CE) bring. (*1)
（with
bizhub 650i/550i/450i User's Guide 1.00 English
FULL digital
bizhub 360i/300i User’s Guide 1.00 English
signature）
ineo 650i/550i/450i User's Guide 1.00 English
ineo 360i/300i User’s Guide 1.00 English
Security bizhub 650i/550i/450i/360i/300i User's exe file Customer engineer
1.02 Japanese
Functions Guide Security Functions (*3) (CE) bring. (*1)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

9 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

bizhub 650i/550i/450i/360i/300i User's （ with

1.02 English
Guide [Security Operations] digital
ineo 650i/550i/450i/360i/300i User's signature）
1.02 English
Guide [Security Operations]

(*1) Customer engineer delivers the guidance corresponding to the MFP (FULL and Security Functions).
Japanese/English is at the purchaser’s request.
(*2) Obtain html file by executing the exe file.
(*3) Obtain pdf file by executing the exe file.

1.4.2. Logical scope of the TOE

TOE security functions and the basic functions are described below.

Figure 1-2 The logical scope of TOE

1.4.2.1. Basic functions

TOE basic functions are described below.

Table 1-4 TOE Basic functions

No. Function Definition
1 Print function This function allows users to temporarily save and print electronic documents to TOE
via the LAN. Electronic documents can be temporarily saved in the ID & Print user box

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

10 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

from the printer driver or WC of the client PC. In addition, electronic documents can be
temporarily saved from the WC to the password encrypted PDF user box. When a user
prints an electronic document that has been temporarily saved from the operation
panel, the relevant electronic document is deleted from the TOE.
2 Scan function This function scans paper documents, creates electronic documents, and sends them
(e-mail, WebDAV, SMB) through the user's operation from the operation panel.
3 Copy function This function scans paper documents and copies scanned images through the user's
operation from the operation panel.
4 Fax function This function sends and receives documents through Public switched telephone
network (PSTN) by using standard facsimile protocol.
・ Fax TX function
This function specifies a destination from the operation panel, scans paper documents,
creates electronic documents, and sends them to the specified external fax machine.
Electronic documents stored in the personal user box can also be sent by fax from the
operation panel.
・ Fax RX function
Function to receive electronic documents through the telephone line from the external
fax.
5 Document Storage and This function stores electronic documents in Personal user box, Memory RX user box
retrieval function and Password Encrypted PDF used box or retrieve the stored electronic documents
To personal user box, this function can store the electronic documents by scanning and
converting a paper document, can store the electronic document from the printer driver
or WC of a client PC and can store the Fax document with F code by Fax RX function.
This function can store the fax documents received by the fax function in Memory RX
user box. For Password encrypted PDF user box, electronic documents can be stored
from the WC of the client PC.
Electronic documents stored in personal user box can be printed, sent files to SMTP
server/WebDAV server/SMB server, and Fax TX from the operation panel. Also, it can
be sent files to SMTP server/WebDAV server/SMB server, and downloaded from the
WC. Electronic documents stored in Memory RX user box can be printed from the
operation panel and downloaded from the WC. Electronic documents stored in
Password encrypted PDF user box can be stored to personal user box from the
operation panel.

1.4.2.2. Security functions

TOE security functions are described below.
The functions related to the encryption on storage device are not included in the security functions provided
by the TOE.

Table 1-5 TOE Security functions

No. Function Definition
1 Identification and This function verifies a person who intends to use the TOE is the authorized user using
authentication function identification and authentication information obtained from the user, and to permit the
use of the TOE only to a person who is determined to be an authorized user. The
authentication using the Memory RX user box password is performed in addition to the

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

11 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

identification and authentication of the user, when accessing the Memory RX user box
(except Fax RX). There are two types of Authentication Method: MFP authentication
method that TOE itself identifies and authenticates, and External server authentication
method using external authentication server. This function includes the following
functions.
- Function to stop the authentication when the number of continuous
authentication failures reaches to the setting value.
- Function to display the input password in dummy characters at login.
- Function to register only password that satisfy the condition of minimum
character of password, set by administrator for protecting the password
quality.
- Function to terminate that session when no operation is performed for a
certain period of time (the time set by the administrator) by the user who is
identified and authenticated.
2 Access control function This function restricts the access to the assets in the TOE only to the permitted users.

3 Encryption function Encryption function that prevents access to data assets during the communication
through LAN. The effectiveness of data encryption is assured by the use of
internationally accepted encryption algorithms.
4 Trusted communications The function to prevent information leakage due to wiretapping on a network when
function using a LAN. Encrypt the communication data between the client PC, SMTP server,
external authentication server, DNS server, log server, WebDAV server, SMB server
and TOE. Protects the protected assets flowing over the network by the encryption
function (No.3). This function ensures that the communication takes place between
known terminations.
5 Security management The function that ensures that only users who have administrator role (U.ADMIN)
function authenticated by the identification and authentication function can set and refer to the
TOE security function.
6 Audit function The function that records logs of events related to TOE use and security (hereinafter
referred to as "audit events") together with date and time information as audit log data.
The log file is sent to the log server using the trusted communication function and can
be viewed by the log server.
7 Trusted operation function The function (update function) that verifies the authenticity of the firmware to be
updated and verifies that the firmware is legitimate before the TOE starts firmware
update. The function (self-test function) to ensure that TOE operation is not interrupted
due to detectable failures, etc.
8 FAX separation function The function that ensures that the TOE Fax I/F cannot be used to generate a data bridge
between the PSTN and the LAN.

1.4.3. Glossary
The meanings of terms used in this ST are defined.

Table 1-6 Glossary

Designation Definition

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

12 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Designation Definition
Electronic document An electronic document is a document data that digitized information such as characters
and figures.
Paper document A paper document is a paper document that contains information such as characters and
figures.
Accumulated document An electronic document (Subject to storage and retrieval operations) that is to be stored
and retrieved.
Fax document Documents sent and received to external fax via public line by fax function.
Job Document processing task sent to hard copy device. Single processing task can process
more than one document.
WC Web Connection.
Function/Interface to operate TOE through the Web browser of the client PC.
Operation panel The control device for operating TOE. Consists of touch panel liquid crystal displays.
Scanner unit A device to read graphics and photographs from paper document and convert them into
electronic data by TOE.
Printer unit A device to print out image data converted for printing by TOE.
Controller unit A device to control TOE.
Firmware Software to control TOE.
CPU Central Processing Unit
RAM A volatile memory used as a working area.
SPI Flash Field-nonreplaceable nonvolatile memory that stores TSF data that decides TOE
operation.
SSD Field-nonreplaceable storage medium of 250GB. Stores the firmware, the language data
of each countries to display the response to access through the operation panel and
network, TOE setting data, electronical documents as a file.
Ethernet I/F The interface for connecting the TOE and LAN. 10BASE-T, 100BASE-TX, and Gigabit
Ethernet are supported.
USB I/F The interface for connection the TOE and USB device.
RS-232C I/F An interface that can be serially connected to the TOE via the D-sub9 pin. Customer
engineer shall use this for the maintenance function when TOE fails.
SMB TX A function that converts scanned data, electronic documents stored in TOE, etc. into
computer-handled files and sends them to public folders on computers and servers.
WebDAV TX A function that converts scanned data, electronic documents stored in TOE, etc. into
computer-handled files and uploads them to a WebDAV server. It is also used for when
sending the log to the log server.
User Box A function to store user document data and user job data in TOE for Print function, Fax
function, and Document Storage and retrieval function. During operation, ID & Print user
box, Password encrypted PDF user box, Memory RX user box, and Personal user box are
available.
ID & Print user box Electronic documents are temporarily saved when a normal user performs the print
function from the printer driver or WC of the client PC. The normal user can print
electronic documents temporarily saved from the operation panel.
Password encrypted PDF user Electronic documents are temporarily saved when a normal user prints or saves a
box password-encrypted PDF from the WC of the client PC. The normal user can print or store
electronic documents temporarily saved from the operation panel.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

13 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Designation Definition
Memory RX user box Stores the fax document with no F-code received by Fax function. This function can be
used when the administrator has enabled Memory RX in the memory RX setting (enabled
during operation). Also, it is protected by the Memory RX user box password set by the
administrator in the memory RX setting. Normal user who knows the memory RX user box
password can retrieve fax documents from the operation panel and the WC of the client
PC.
Personal user box Normal users can store electronic documents from the operation panel, the printer driver or
the WC of the client PC into their own personal user box. If F-code is specified for the job
received by the fax function, the fax document is saved in the specified user box. The
normal users can retrieve electronic documents from the operation panel or the WC of the
client PC form their own personal user box.
Confidential RX This function saves the fax document with the specified F-code received by the fax
function in the personal user box. Normal users and administrators who own the personal
user box can set passwords for confidential RX and set valid/invalid for each personal user
box.
F-code Consists of SUB address and sender ID. When sending a fax to the personal user box
that confidential RX is set to be valid, enter the registered No. of the relevant personal
user box and the password for confidential RX as the SUB address and sender ID of
the F-code.
Role Role of security relevant that is associated with a user when logs in. TOE has the role of
normal user (U.NORMAL) and built-in administrator (U.BUILTIN_ADMIN).
Normal User User authorized to use TOE as normal user (U.NORMAL). When a user successfully logs
(U.NORMAL) in with a user name, user password, and without administrator rights, it is identified as a
normal user (U.NORMAL). Functions provided on the user screen are available.
Administrator User authorized to use TOE as administrator (U.ADMIN). The TOE administrators are the
(U.ADMIN) user administrator (U.USER_ADMIN) and built-in administrator (U.BUILTIN_ADMIN)
depending on the login method. The security management function provided on the
administrator screen can be used.
User administrator When a user successfully logs in with a user name, user password, and administrator
(U.USER_ADMIN) rights, it is identified as a user administrator (U.USER ADMIN).
Built-in administrator User who knows the administrator password. When a user successfully logs in with an
(U.BUILTIN_ADMIN) administrator password, it is identified as a built-in administrator (U.BUILTIN_ADMIN).
Customer Engineer User who knows the service password. When a user successfully logs in with a service
password, the function provided on the service screen can be used. Supports the TOE
installation and trouble.
User ID Identification to which the TOE identifies the user. If the user successfully logs in, it is
associated with the user attribute. For normal users and user administrators, the registered
No. of the user management function is assigned. Built-in administrator is assigned a
special fixed number.
Login Obtain credentials from users to perform identification and authentication, and if
identification and authentication is successful, make TOE available. This can be performed
from the operation panel, WC, and printer driver.
User name Identification entered as credential by the normal user and user administrator when logs in.
When MFP Device Authentication, the TOE identifies whether the user is a registered user
by user name. This is set when registering a normal user in the user management function

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

14 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Designation Definition
and cannot be changed thereafter.
Login password The password that the user enters as credential at login. When MFP Device
Authentication, the TOE authenticates the user by a login password. There are user
passwords, administrator passwords, and service passwords.
User password Login password for normal user. When MFP Device Authentication, the administrator can
set the user password for each normal user in the user management function. The normal
user can change his or her own user password.
Administrator password Login password for the built-in administrator. At the time of TOE shipment, the
predetermined administrator password is set, and the built-in administrator changes the
default value at the time of TOE installation. Thereafter, the administrator can change.
CE password Login password of the customer engineer.
Suspend temporarily Function that an administrator suspends the use of TOE by normal user. The administrator
can set and release the temporary suspension of use for each User ID registered in the user
management function. When a user who has a User ID with a Temporary Suspension is
logged in, the TOE discards the relevant user attribute and so user fails to log in and cannot
use the TOE.
Administrator Rights Function that an administrator allows the use of TOE by normal user in the role of
administrator. Administrator can set and release the administrator rights for each User ID
registered in the user management function. When a user who has a User ID set
administrator rights logs in successfully with the administrator authority, TOE can be
used in the role of administrator. When a user who has a User ID not set administrator
rights performs log in with the administrator authority, TOE discards the relevant user
attribute and so user fails to log in and cannot use the TOE.
Function Restriction A function that restricts the functions available to the normal user by the administrator. The
administrator can set or release the function restriction for each User ID registered in the
user management function. When a normal user with a User ID set a restricted function
performs a login, the TOE will hide the UI of the restricted function or display them with
the deactivate status and will not be able to use the restricted function.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

15 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

2. Conformance Claims

CC Conformance Claims
This ST conforms to the following Common Criteria (hereinafter referred to as “CC”).

CC version : Version 3.1 Release 5

CC Part 2 (CCMB-2017-04-002) extended, CC Part 3 (CCMB-2017-04-003)
CC conformance :
conformant

PP Claim
This ST conforms to the following PP and Errata.

PP Name : Protection Profile for Hardcopy Devices

PP Version : 1.0 dated September 10, 2015
Errata : Protection Profile for Hardcopy Devices – v1.0 Errata #1, June 2017

PP Conformance Rationale
This satisfies the following conditions required by PP and is "Exact Conformance" as required by PP. Therefore, the
TOE type is consistent with PP
・Required Uses
Printing, Scanning, Copying, Network communications, Administration
・Conditionally Mandatory Uses
PSTN faxing, Storage and retrieval
・Optional Uses
None

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

16 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

3. Security Problem Definition

Users
TOE users are classified as follows.
Table 3-1 User Categories
Name Classification name Definitions
Normal user Normal User User who is identified and authenticated by a user name and
(U.NORMAL) (U.NORMAL) user password. It has the role of normal user (U.NORMAL).
Administrator User who is identified and authenticated by a user name and
User administrator
(U.ADMIN) user password with administrator rights by assigned an
(U.USER_ADMIN)
administrator authority by administrator.
Built-in administrator Administrator User who is identified and authenticated by an administrator
(U.BUILTIN_ADMIN) (U.ADMIN) password. It has the role of administrator (U.ADMIN).

Assets
The assets in the TOE are as follows.
Table 3-2 Asset categories
Designation Asset category Definition
D.USER User Data Data created by and for Users that do not affect the operation of the TSF
D.TSF TSF Data Data created by and for the TOE that might affect the operation of the TSF

3.2.1. User Data

User Data is composed from the following two types.
Table 3-3 User Data types
Designation User Data type Definition
User Document
D.USER.DOC Information contained in a User's Document, in electronic or hardcopy form.
Data
D.USER.JOB User Job Data Information related to a User's Document or Document Processing Job

3.2.2. TSF Data

TSF Data is composed from the following two types.
Table 3-4 TSF Data types
Designation User Data type Definition
TSF Data for which alteration by a User who is neither the data owner nor in an
D.TSF.PROT Protected TSF Data Administrator role might affect the security of the TOE, but for which disclosure
is acceptable
D.TSF.CONF Confidential TSF TSF Data for which either disclosure or alteration by a User who is neither the

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

17 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Designation User Data type Definition

Data data owner nor in an Administrator role might affect the security of the TOE

Threat Definitions
Threats are defined by a threat agent that performs an action resulting in an outcome that has the potential to violate
TOE security policies.

Table 3-5 Threats

Designation Definition
An attacker may access (read, modify, or delete) User Document Data or
T.UNAUTHORIZED_ACCESS change (modify or delete) User Job Data in the TOE through one of the
TOE's interfaces.
An attacker may gain Unauthorized Access to TSF Data in the TOE through
T.TSF_COMPROMISE
one of the TOE's interfaces.
A malfunction of the TSF may cause loss of security if the TOE is permitted
T.TSF_FAILURE
to operate.
T.UNAUTHORIZED_UPDATE An attacker may cause the installation of unauthorized software on the TOE.
An attacker may access data in transit or otherwise compromise the security
T.NET_COMPROMISE
of the TOE by monitoring or manipulating network communication.

Organizational Security Policy Definitions

OSPs that TOE realizes is as follows.
Table 3-6 Organizational Security Policies
Designation Definition
Users must be authorized before performing Document Processing and
P.AUTHORIZATION
administrative functions.
Security-relevant activities must be audited and the log of such actions must
P.AUDIT
be protected and transmitted to an External IT Entity.
P.COMMS_PROTECTION The TOE must be able to identify itself to other devices on the LAN.
If the TOE provides a PSTN fax function, it will ensure separation between
P.FAX_FLOW
the PSTN fax line and the LAN.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

18 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Assumption Definitions
Assumptions are conditions that must be satisfied in order for the Security Objectives and functional requirements to be
effective.
Table 3-7 Assumptions
Designation Definition
Physical security, commensurate with the value of the TOE and the data it
A.PHYSICAL
stores or processes, is assumed to be provided by the environment.
The Operational Environment is assumed to protect the TOE from direct,
A.NETWORK
public access to its LAN interface.
TOE Administrators are trusted to administer the TOE according to site
A.TRUSTED_ADMIN
security policies.

Authorized Users are trained to use the TOE according to site security
A.TRAINED_USERS
policies.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

19 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

4. Security Objectives

Definitions of Security Objectives for the Operational Environment

Table 4-1 Security Objectives for the Operational Environment

Designation Definition
The Operational Environment shall provide physical security,
OE.PHYSICAL_PROTECTION
commensurate with the value of the TOE and the data it stores or processes.
The Operational Environment shall provide network security to protect the
OE.NETWORK_PROTECTION
TOE from direct, public access to its LAN interface.
The TOE Owner shall establish trust that Administrators will not use their
OE.ADMIN_TRUST
privileges for malicious purposes.
The TOE Owner shall ensure that Users are aware of site security policies
OE.USER_TRAINING
and have the competence to follow them.
The TOE Owner shall ensure that Administrators are aware of site security
OE.ADMIN_TRAINING policies and have the competence to use manufacturer's guidance to
correctly configure the TOE and protect passwords and keys accordingly.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

20 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

5. Extended components definition

This chapter defines the extended security functional requirements. All extended requirements are used as defined in
HCD-PP.

FAU_STG_EXT Extended: External Audit Trail Storage

Family Behavior:
This family defines requirements for the TSF to ensure that secure transmission of audit data from TOE to an External IT
Entity.

Component leveling:

FAU_STG_EXT.1: Extended: External Audit Trail Storage 1

FAU_STG_EXT.1 External Audit Trail Storage requires the TSF to use a trusted channel implementing a secure
protocol.

Management:
The following actions could be considered for the management functions in FMT:
 The TSF shall have the ability to configure the cryptographic functionality.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FAU_STG_EXT.1 Extended: Protected Audit Trail Storage

Hierarchical to : No other components
Dependencies : FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity using a trusted channel
according to FTP_ITC.1.

Rationale:
The TSF is required that the transmission of generated audit data to an External IT Entity which relies on a non-TOE
audit server for storage and review of audit records. The storage of these audit records and the ability to allow the
administrator to review these audit records is provided by the Operational Environment in that case. The Common
Criteria does not provide a suitable SFR for the transmission of audit data to an External IT Entity.

This extended component protects the audit records, and it is therefore placed in the FAU class with a single component.

FAU_CKM_EXT Extended: Cryptographic Key Management

Family Behavior:

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

21 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

This family addresses the management aspects of cryptographic keys. Especially, this extended component is intended
for cryptographic key destruction.

Component leveling:

FCS_CKM_EXT.4: Extended: Cryptographic Key Material Destruction 4

FCS_CKM_EXT.4 Cryptographic Key Material Destruction ensures not only keys but also key materials that are no
longer needed are destroyed by using an approved method.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

Hierarchical to : No other components
Dependencies : [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys), or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private cryptographic keys and cryptographic critical
security parameters when no longer needed.

Rationale:
Cryptographic Key Material Destruction is to ensure the keys and key materials that are no longer needed are destroyed
by using an approved method, and the Common Criteria does not provide a suitable SFR for the Cryptographic Key
Material Destruction.

This extended component protects the cryptographic key and key materials against exposure, and it is therefore placed in
the FCS class with a single component.

FCS_IPSEC_EXT Extended: IPsec selected

Family Behavior:
This family addresses requirements for protecting communications using IPsec.

Component leveling:

FCS_IPSEC_EXT.1 Extended: IPsec selected 1

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

22 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FCS_IPSEC_EXT.1 IPsec requires that IPsec be implemented as specified.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 Failure to establish an IPsec SA

FCS_IPSEC_EXT.1 Extended: IPsec selected

Hierarchical to : No other components
Dependencies : FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition
FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric
encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification)
FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message
authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.
FCS_IPSEC_EXT.1.2 The TSF shall implement [selection: tunnel mode, transport mode].
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise
unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using [selection: the
cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together with a Secure Hash
Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC 3602) together with a Secure
Hash Algorithm (SHA)-based HMAC, AES-GCM-128 as specified in RFC 4106, AES-GCM-256 as
specified in RFC 4106].
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [selection: IKEv1, using Main Mode for Phase 1 exchanges, as
defined in RFCs 2407, 2408, 2409, RFC 4109, [selection: no other RFCs for extended sequence
numbers, RFC 4304 for extended sequence numbers], and [selection: no other RFCs for hash
functions, RFC 4868 for hash functions]; IKEv2 as defined in RFCs 5996, [selection: with no support
for NAT traversal, with mandatory support for NAT traversal as specified in section 2.23], and
[selection: no other RFCs for hash functions, RFC 4868 for hash functions]].
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the
cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 3602 and [selection:
AES-GCM-128, AES-GCM-256 as specified in RFC 5282, no other algorithm].
FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.
FCS_IPSEC_EXT.1.8 The TSF shall ensure that [selection: IKEv2 SA lifetimes can be established based on [selection:
number of packets/number of bytes; length of time, where the time values can be limited to: 24 hours
for Phase 1 SAs and 8 hours for Phase 2 SAs]; IKEv1 SA lifetimes can be established based on
[selection: number of packets/number of bytes ; length of time, where the time values can be limited to:

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

23 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]].

FCS_IPSEC_EXT.1.9 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), and
[selection: 24 (2048-bit MODP with 256-bit POS), 19 (256-bit Random ECP), 20 (384-bit Random
ECP, 5 (1536-bit MODP)), [assignment: other DH groups that are implemented by the TOE], no other
DH groups].
FCS_IPSEC_EXT.1.10 The TSF shall ensure that all IKE protocols perform Peer Authentication using the [selection: RSA,
ECDSA] algorithm and Pre-shared Keys.

Rationale:
IPsec is one of the secure communication protocols, and the Common Criteria does not provide a suitable SFR for the
communication protocols using cryptographic algorithms.

This extended component protects the communication data using cryptographic algorithms, and it is therefore placed in
the FCS class with a single component.

FCS_RBG_EXT Extended: Cryptographic Operation (Random Bit Generation)

Family Behavior:
This family defines requirements for random bit generation to ensure that it is performed in accordance with selected
standards and seeded by an entropy source.

Component leveling:

FCS_RBG_EXT.1 Extended: Random Bit Generation 1

FCS_RBG_EXT.1 Random Bit Generation requires random bit generation to be performed in accordance with
selected standards and seeded by an entropy source.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)

Hierarchical to : No other components.
Dependencies : No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with [selection:
ISO/IEC 18031:2011, NIST SP 800-90A] using [selection: Hash_DRBG (any), HMAC_DRBG (any),
CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by at least one entropy source that accumulates entropy from
[selection: [assignment: number of software-based sources] software-based noise source(s), [assignment:

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

24 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

number of hardware-based sources] hardware-based noise source(s)] with a minimum of [selection: 128
bits, 256 bits] of entropy at least equal to the greatest security strength, according to ISO/IEC 18031:2011
Table C.1 “Security Strength Table for Hash Functions”, of the keys and hashes that it will generate.

Rationale:
Random bits/number will be used by the SFRs for key generation and destruction, and the Common Criteria does not
provide a suitable SFR for the random bit generation.

This extended component ensures the strength of encryption keys, and it is therefore placed in the FCS class with a
single component.

FDP_FXS_EXT Extended: Fax Separation

Family Behavior:
This family addresses the requirements for separation between Fax PSTN line and the LAN to which TOE is
connected.

Component leveling:

FDP_FXS_EXT.1 Extended: Fax Separation 1

FDP_FXS_EXT.1 Fax Separation, requires the fax interface cannot be used to create a network bridge between a PSTN
and a LAN to which TOE is connected.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FDP_FXS_EXT.1 Extended: Fax separation

Hierarchical to : No other components
Dependencies : No dependencies
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or receiving
User Data using fax protocols.

Rationale:
Fax Separation is to protect a LAN against attack from PSTN line, and the Common Criteria does not provide a
suitable SFR for the Protection of TSF or User Data.
This extended component protects the TSF Data or User Data, and it is therefore placed in the FDP class with a single
component.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

25 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FIA_PMG_EXT Extended: Password Management

Family Behavior:
This family defines requirements for the attributes of passwords used by administrative users to ensure that strong
passwords and passphrases can be chosen and maintained.

Component leveling:

FIA_PMG_EXT.1 Extended: Password Management 1

FIA_PMG_EXT.1 Password management requires the TSF to support passwords with varying composition
requirements, minimum lengths, maximum lifetime, and similarity constraints.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FIA_PMG_EXT.1 Extended: Password Management

Hierarchical to : No other components
Dependencies : No dependencies
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for User passwords:
・Passwords shall be able to be composed of any combination of upper and lower case letters, numbers,
and the following special characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”,
[assignment: other characters]];
・Minimum password length shall be settable by an Administrator, and have the capability to require
passwords of 15 characters or greater;

Rationale:
Password Management is to ensure the strong authentication between the endpoints of communication, and the
Common Criteria does not provide a suitable SFR for the Password Management.

This extended component protects the TOE by means of password management, and it is therefore placed in the FIA
class with a single component.

FIA_PSK_EXT Extended: Pre-Shared Key Composition

Family Behavior:
This family defines requirements for the TSF to ensure the ability to use pre-shared keys for IPsec.

Component leveling:

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

26 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition 1

FIA_PSK_EXT.1 Pre-Shared Key Composition, ensures authenticity and access control for updates.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition

Hierarchical to : No other components
Dependencies : FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)
FIA_PSK_EXT.1.1 The TSF shall be able to use pre-shared keys for IPsec.
FIA_PSK_EXT.1.2 The TSF shall be able to accept text-based pre-shared keys that are:
・22 characters in length and [selection: [assignment: other supported lengths], no other lengths];
・composed of any combination of upper and lower case letters, numbers, and special characters (that
include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”).
FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using [selection: SHA-1, SHA-256, SHA-512,
[assignment: method of conditioning text string]] and be able to [selection: use no other pre-shared keys;
accept bit-based pre-shared keys; generate bit-based pre-shared keys using the random bit generator
specified in FCS_RBG_EXT.1].

Rationale:
Pre-shared Key Composition is to ensure the strong authentication between the endpoints of communications, and the
Common Criteria does not provide a suitable SFR for the Pre-shared Key Composition.

This extended component protects the TOE by means of strong authentication, and it is therefore placed in the FIA
class with a single component.

FPT_SKP_EXT Extended: Protection of TSF Data

Family Behavior:
This family addresses the requirements for managing and protecting the TSF data, such as cryptographic keys. This is
a new family modelled as the FPT Class.

Component leveling:

FPT_SKP_EXT.1 Extended: Protection of TSF Data 1

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

27 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FPT_SKP_EXT.1 Protection of TSF Data (for reading all symmetric keys), requires preventing symmetric keys from
being read by any user or subject. It is the only component of this family.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FPT_SKP_EXT.1 Extended: Protection of TSF Data

Hierarchical to : No other components.
Dependencies : No dependencies.
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.

Rationale:
Protection of TSF Data is to ensure the pre-shared keys, symmetric keys and private keys are protected securely, and
the Common Criteria does not provide a suitable SFR for the protection of such TSF data.

This extended component protects the TOE by means of strong authentication using Preshared Key, and it is therefore
placed in the FPT class with a single component.

FPT_TST_EXT Extended: TSF testing

Family Behavior:
This family addresses the requirements for self-testing the TSF for selected correct operation.

Component leveling:

FPT_TST_EXT.1 Extended: TSF testing 1

FPT_TST_EXT.1 TSF testing requires a suite of self-testing to be run during initial start-up in order to demonstrate
correct operation of the TSF.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FPT_TST_EXT.1 Extended: TSF testing

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

28 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Hierarchical to : No other components

Dependencies : No dependencies
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to demonstrate the correct
operation of the TSF.

Rationale:
TSF testing is to ensure the TSF can be operated correctly, and the Common Criteria does not provide a suitable SFR
for the TSF testing. In particular, there is no SFR defined for TSF testing.

This extended component protects the TOE, and it is therefore placed in the FPT class with a single component.

FPT_TUD_EXT Extended: Trusted Update

Family Behavior:
This family defines requirements for the TSF to ensure that only administrators can update the TOE
firmware/software, and that such firmware/software is authentic.

Component leveling:

FPT_TUD_EXT.1 Extended: Trusted Update 1

FPT_TUD_EXT.1 Trusted Update, ensures authenticity and access control for updates.

Management:
The following actions could be considered for the management functions in FMT:
 There are no management actions foreseen.

Audit:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
 There are no auditable events foreseen.

FPT_TUD_EXT.1 Extended: Trusted Update

Hierarchical to : No other components
Dependencies : FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification),
FCS_COP.1(c) Cryptographic operation (Hash Algorithm).
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current version of the TOE
firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a digital signature
mechanism and [selection: published hash, no other functions] prior to installing those updates.

Rationale:

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

29 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Firmware/software is a form of TSF Data, and the Common Criteria does not provide a suitable SFR for the
management of firmware/software. In particular, there is no SFR defined for importing TSF Data.

This extended component protects the TOE, and it is therefore placed in the FPT class with a single component.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

30 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

6. Security Requirements

Security Functional Requirements

In this chapter, the TOE security functional requirements for achieving the security objectives specified in
Chapter 4.1 are described. This quoted from the security functional requirements specified in the CC Part 2. The
security functional requirements which are not specified in the CC Part 2 are quoted from the extended security
functional requirements specified in the PP (Protection Profile for Hardcopy Devices 1.0 dated September 10,
2015, Protection Profile for Hardcopy Devices – v1.0 Errata #1, June 2017).

<Notation>
“Bold” indicates completed or refined in [PP].
“Italic” indicates parts that is necessary to select and/or assign in ST.
“Bold” and “Italic” indicate selected and/or completed in the ST to the parts of an SFR completed or refined in
[PP].
The brackets([]) indicate the values selected or assigned by ST.
SFR component with a character in the parentheses such as (a), (b) etc. means that it is used repeatedly.
Extended components are identified by adding “_EXT” to the SFR identification.

6.1.1. Mandatory Requirements

6.1.1.1. Class FAU: Security Audit

FAU_GEN.1 Audit data generation

(for O.AUDIT)

Hierarchical to : No other components.

Dependencies : FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) All auditable events specified in Table 6-1, [None].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome
(success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST, additional information specified in Table 6-1, [None].

Table 6-1 Auditable Events

Auditable event Relevant SFR Additional information
Job completion FDP_ACF.1 Type of job
Unsuccessful User authentication FIA_UAU.1 None
Unsuccessful User identification FIA_UID.1 None
Use of management functions FMT_SMF.1 None
Modification to the group of Users that are part of FMT_SMR.1 None

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

31 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Auditable event Relevant SFR Additional information

a role
Changes to the time FPT_STM.1 None
Failure to establish session FTP_ITC.1, Reason for failure
FTP_TRP.1(a),
FTP_TRP.1(b)

FAU_GEN.2 User identity association

(for O.AUDIT)
Hierarchical to : No other components.
Dependencies : FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each
auditable event with the identity of the user that caused the event.

FAU_STG_EXT.1 Extended: External Audit Trail Storage

(for O.AUDIT)
Hierarchical to : No other components.
Dependencies : FAU_GEN.1 Audit data generation,
FTP_ITC.1 Inter-TSF trusted channel.
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an External IT Entity using a trusted
channel according to FTP_ITC.1.

6.1.1.2. Class FCS: Cryptographic Support

FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)

(for O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1(b) Cryptographic Operation (for signature
Generation/verification)]
FCS_COP.1(i) Cryptographic operation (Key Transport)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_CKM.1.1(a) Refinement: The TSF shall generate asymmetric cryptographic keys used for key
establishment in accordance with [
• NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment
Schemes Using Discrete Logarithm Cryptography" for finite field-based key
establishment schemes;

• NIST Special Publication 800-56B, "Recommendation for Pair-Wise Key Establishment

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

32 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Schemes Using Integer Factorization Cryptography" for RSA-based key establishment

schemes
] and specified cryptographic key sizes equivalent to, or greater than, a symmetric key
strength of 112 bits.

FCS_CKM.1(b) Cryptographic Key Generation (Symmetric Keys)

(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION)
Hierarchical to : No other components.

Dependencies : [FCS_CKM.2 Cryptographic key distribution, or

FCS_COP.1(a) Cryptographic Operation (Symmetric
Encryption/decryption)
FCS_COP.1(d) Cryptographic Operation (AES Data
Encryption/Decryption)
FCS_COP.1(e) Cryptographic Operation (Key Wrapping)
FCS_COP.1(f) Cryptographic operation (Key Encryption)]
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message
authentication)
FCS_COP.1(h) Cryptographic Operation (for keyed-hash message
authentication)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)
FCS_CKM.1.1(b) Refinement: The TSF shall generate symmetric cryptographic keys using a Random Bit
Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes [128 bit,
256 bit] that meet the following: No Standard.

FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION, O.PURGE_DATA)

Hierarchical to : No other components.

Dependencies : [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys),

or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4 Cryptographic key destruction
FCS_CKM_EXT.4.1 The TSF shall destroy all plaintext secret and private cryptographic keys and cryptographic critical
security parameters when no longer needed.

FCS_CKM.4 Cryptographic key destruction

(for O.COMMS_PROTECTION, O.STORAGE_ENCRYPTION, O.PURGE_DATA)

Hierarchical to : No other components.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

33 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Dependencies : [FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys),

or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)],
FCS_CKM.4.1 Refinement: The TSF shall destroy cryptographic keys in
accordance with a specified cryptographic key destruction method [
For volatile memory, the destruction shall be executed by [powering off a device].
For nonvolatile storage, the destruction shall be executed by a [single] overwrite of key data
storage location consisting of [a static pattern], followed by a [none]. If read-verification of the
overwritten data fails, the process shall be repeated again;
] that meets the following: [no standard].

FCS_COP.1(a) Cryptographic Operation (Symmetric encryption/decryption)

(for O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

FCS_COP.1.1(a) Refinement: The TSF shall perform encryption and decryption in accordance with a specified
cryptographic algorithm AES operating in [CBC mode] and cryptographic key sizes 128-bits
and 256-bits that meets the following:
• FIPS PUB 197, "Advanced Encryption Standard (AES)"
• [NIST SP 800-38A]

FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)

(for O.UPDATE_VERIFICATION, O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation
FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric
Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(b) Refinement: The TSF shall perform cryptographic signature services in
accordance with a [RSA Digital Signature Algorithm (rDSA) with key sizes (modulus) of [2048
bits, 3072 bits] that meets the following [FIPS PUB 186-4, "Digital Signature Standard"].

FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)

(for O.STORAGE_ENCRYPTION and O.COMMS_PROTECTION)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

34 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Hierarchical to : No other components.

Dependencies : No dependencies.
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with [NIST
SP 800-90A] using [CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by at least one entropy source that accumulates entropy
from [[one] software-based noise source] with a minimum of [256 bits] of entropy at least equal
to the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 "Security Strength
Table for Hash Functions", of the keys and hashes that it will generate.

6.1.1.3. Class FDP: User Data Protection

FDP_ACC.1 Subset access control

(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to : No other components.
Dependencies : FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP on subjects,
objects, and operations among subjects and objects specified in Table 6-2 and Table
6-3.

FDP_ACF.1 Security attribute based access control

(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to : No other components.
Dependencies : FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
FDP_ACF.1.1 Refinement: The TSF shall enforce the User Data Access Control SFP to objects
based on the following: subjects, objects, and attributes specified in Table 6-2 and
Table 6-3.
FDP_ACF.1.2 Refinement: The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: rules governing access
among controlled subjects and controlled objects using controlled operations on
controlled objects specified in Table 6-2 and Table 6-3..
FDP_ACF.1.3 Refinement: The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: [none].
FDP_ACF.1.4 Refinement: The TSF shall explicitly deny access of subjects to objects based on the
following additional rules: [deny access of user to objective functions based on the
function restriction].

Table 6-2 D.USER.DOC Access Control SFP

"Create" "Read" "Modify" "Delete"
Submit a View image or
Modify stored Delete stored
Operation： document to be Release printed
document document
Print printed output
Job owner (note 1)
U.ADMIN denied denied denied

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

35 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

U.NORMAL denied denied denied

Unauthenticated denied denied denied denied
Submit a
View scanned Modify stored Delete stored
Operation： document for
image image image
scanning
Scan Job owner (note 2) denied
U.ADMIN denied denied denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
View scanned
Submit a
image or Modify stored Delete stored
Operation： document for
Release printed image image
copying
copy output
Copy
Job owner (note 2)
U.ADMIN denied denied denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
Submit a
View scanned Modify stored Delete stored
Operation： document to
image image image
send as a fax
Fax send Job owner (note 2) denied
U.ADMIN denied denied denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied
View fax image
Receive a fax or Release Modify image Delete image of
Operation:
and store it printed fax of received fax received fax
output
Fax receive
Fax owner (note 3)
U.ADMIN (note 4) denied denied
U.NORMAL (note 4) denied denied denied
Unauthenticated (note 4) denied denied denied
Retrieve stored Modify stored Delete stored
Operation： Store document
document document document
Storage/ Job owner (note 5)
retrieval U.ADMIN denied denied denied
U.NORMAL denied denied denied
Unauthenticated denied denied denied denied

Table 6-3 D.USER.JOB Access Control SFP

"Create" "Read" "Modify" "Delete"
View print Modify print
Operation： Create print job Cancel print job
queue / log job
Job owner (note 1) denied
Print
U.ADMIN denied denied
U.NORMAL denied denied
Unauthenticated denied denied denied
View scan
Operation： Create scan job Modify scan job Cancel scan job
status / log
Job owner (note 2) denied
Scan
U.ADMIN denied denied
U.NORMAL denied denied
Unauthenticated denied denied denied

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

36 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

View copy
Operation： Create copy job Modify copy job Cancel copy job
status / log
Job owner (note 2) denied
Copy
U.ADMIN denied denied
U.NORMAL denied denied
Unauthenticated denied denied denied
Create fax send View fax job Modify fax Cancel fax send
Operation:
job queue / log send job job
Job owner (note 2) denied
Fax send
U.ADMIN denied denied
U.NORMAL denied denied
Unauthenticated denied denied denied
Create fax View fax receive Modify fax Cancel fax
Operation:
receive job status / log receive job receive job
Fax Fax owner (note 3) denied
receive U.ADMIN (note 4) denied
U.NORMAL (note 4) denied denied
Unauthenticated (note 4) denied denied
Create storage / View storage / Modify storage Cancel storage /
Operation：
retrieval job retrieval log / retrieval job retrieval job
Storage / Job owner (note 6) denied
retrieval U.ADMIN denied denied
U.NORMAL denied denied
Unauthenticated denied denied denied

・Note 1: Job Owner is identified by a credential or assigned to an authorized User as part of the process of submitting
a print or storage Job.
・Note 2: Job Owner is assigned to an authorized User as part of the process of initiating a scan, copy, fax send, or
retrieval Job.
・Note 3: Job Owner of received faxes is assigned by default or configuration. Minimally, ownership of received
faxes is assigned to a specific user or U.ADMIN role.
・Note 4: PSTN faxes are received from outside of the TOE, they are not initiated by Users of the TOE.
・Note 5: Job Owner of the document created by Fax receive shall be Note3, Job Owner of the document sent from
the client PC shall be Note 1, Job Owner of the document generated by the scanner shall be Note 2, and Job
Owner of the document created by the store from Password encrypted PDF user box shall be Note 1.
・Note 6: Job Owner of the job created by Fax receive on "Create storage job" shall be Note3, Job Owner of the job
sent from the client PC shall be Note 1, Job Owner of the job generated by the scanner shall be Note 2, and Job
Owner of the job created by the store from Password encrypted PDF user box shall be Note 1. Job Owner of
"Create retrieval job" is Note 2.

6.1.1.4. Class FIA: Identification and Authentication

FIA_AFL.1 Authentication failure handling

(for O.USER_I&A)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

37 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Hierarchical to : No other components.

Dependencies : FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [1～
3]] unsuccessful authentication attempts occur related to [Authentication by Login
password, Authentication by Memory-RX user box password].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met,
surpassed], the TSF shall [Suspend authentication by login password of the user till it’s
released, Suspend authentication by Memory RX user box password till it’s released].

FIA_ATD.1 User attribute definition

(for O.USER_AUTHORIZATION)
Hierarchical to : No other components.
Dependencies : No dependencies
FIA_ATD.1.1 The TSF shall maintenance the following list of security attributes belonging to individual users:
[User ID, Administrator Rights, Function restriction, Access rights to Memory RX user box].

FIA_PMG_EXT.1 Extended: Password Management

(for O.USER_I&A)
Hierarchical to : No other components.
Dependencies : No dependencies
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for User passwords:
・ Passwords shall be able to be composed of any combination of upper and lower case
letters, numbers, and the following special characters: [“!”, “@”, “#”, “$”, “%”, “^”, “&”,
“*”, “(”, “)”, [“-”, “¥”, “[”, “]”, “:”, “;”, “,”, “.”, “/”, “'”, “=”, “~”, “|”, “`”, “{”,
“}”, “+”, “<”, “>“, “?”, “_”, “ ”, (when Memory RX user box password) “””]];
・ Minimum password length shall be settable by an Administrator, and have the capability
to require passwords of 15 characters or greater;

FIA_UAU.1 Timing of authentication

(for O.USER_I&A)
Hierarchical to : No other components.
Dependencies : FIA_UID.1 Timing of identification
FIA_UAU.1.1 Refinement: The TSF shall allow [FAX RX, setting of TOE status and display] on the behalf of
the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other
TSF-mediated actions on behalf of that user.

FIA_UAU.7 Protected authentication feedback

(for O.USER_I&A)
Hierarchical to : No other components.
Dependencies : FIA_UAU.1 Timing of authentication

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

38 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FIA_UAU.7.1 The TSF shall provide only [display "*" or "●" every character data input] to the user while the
authentication is in progress.

FIA_UID.1 Timing of identification

(for O.USER_I&A and O.ADMIN_ROLES)
Hierarchical to : No other components.
Dependencies : No dependencies
FIA_UID.1.1 Refinement: The TSF shall allow [FAX RX, setting of TOE status and display] on the behalf of
the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other
TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding

(for O.USER_I&A)
Hierarchical to : No other components.
Dependencies : FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user with security attributes with subjects acting on the
behalf of the user: [User ID, Administrator rights, Function restriction, and Access rights to
Memory RX user box].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with
subject acting on the behalf of users: [Discard the security attribute associated to the user if the
temporary suspension is set on User ID, Discard the security attribute associated to the user if
user without administrator rights logs in with administrator rights.].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes
associated with subject action on the behalf of users: [Enable access to the user’s Memory RX
user box if the user succeeds in authentication of Memory RX user box password, Disable access
to the user’s Memory RX user box if the user fails to the authentication of Memory RX user box
password].

6.1.1.5. Class FMT: Security Management

FMT_MOF.1 Management of security functions behavior

(for O.ADMIN_ROLES)
Hierarchical to : No other components.
Dependencies : FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 Refinement: The TSF shall restrict the ability to [disable, enable, modify the behavior of] the
functions [refer to Table 6-4] to U.ADMIN..

Table 6-4 Management of Security Functions behavior

Security Functions Operations

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

39 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Security Functions Operations

Enhanced Security Setting disable, enable
User Authentication method modify the behavior
Audit function modify the behavior
Trusted communications function modify the behavior
Memory RX modify the behavior

FMT_MSA.1 Management of security attributes

(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical to : No other components.

Dependencies : [FDP_ACC.1 Subset access control, or

FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 Refinement: The TSF shall force the User Data Access Control SFP to restrict the ability to
[modify, delete, [create, suspend temporarily / release of temporary suspension, add, set]] the
security attributes [Security Attributes in Table 6-5] to [Authorised Identified Roles in Table 6-5].

Table 6-5 Management of Subject Security Attribute

Security Attributes Authorized Identified Roles Operations
Create
U.ADMIN Delete
Suspend temporarily / Release of temporary Suspension
U.ADMIN
User ID Set of owner of personal user box
U.NORMAL
U.ADMIN
U.NORMAL who is the Change of owner of personal user box
owner of the user box
Delete
Administrator Rights U.ADMIN
Add
Delete
Function Restriction U.ADMIN
Setting

FMT_MSA.3 Static attribute initialization

(for O.ACCESS_CONTROL and O.USER_AUTHORIZATION)
Hierarchical t : No other components.
Dependencies : FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 Refinement: The TSF shall enforce the User Data Access Control SFP to provide [restrictive]
default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 Refinement: The TSF shall allow the [no role] to specify alternative initial values to override the
default values when an object or information is created.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

40 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FMT_MTD.1 Management of TSF data

(for O.ACCESS CONTROL)
Hierarchical to : No other components.
Dependencies : FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 Refinement: The TSF shall restrict the ability to perform the specified operations on the
specified TSF Data to the roles specified in Table 6-6.

Table 6-6 Management of TSF Data

Data Operation Authorised role(s)
[assignment: list of TSF Data owned by [selection: change default, query,
a U.NORMAL or associated with modify, delete, clear, [assignment: U.ADMIN, the owning
Documents or jobs owned by a other operations]] U.NORMAL.
U.NORMAL]
User password [assignment: other operations]
U.ADMIN
registration
modify U.ADMIN, the owning
U.NORMAL
Memory RX User Box password [assignment: other operations]
registration U.ADMIN
modify
[assignment: list of TSF Data [selection: change default, query,
not owned by a U.NORMAL] modify, delete, clear, [assignment: U.ADMIN
other operations]]
Administrator password modify
Date and time information modify
System auto reset time modify
Auto logout time modify
Number of authentication failures modify
threshold
Number of authentication failures clear
(other than U.BUILTIN_ADMIN)
Password rule modify U.ADMIN
External server authentication setting modify
data [assignment: other operations]
registration
Time to release operation of modify
administrator authentication
Network settings modify
[assignment: other operations]
registration
[assignment: list of software, [selection: change default, query,
firmware, and related modify, delete, clear, [assignment: U.ADMIN
configuration data] other operations]]

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

41 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Data Operation Authorised role(s)

TOE software/firmware update data modify
(software/firmware to be updated, U.ADMIN
configuration data related to update)

FMT_SMF.1 Specification of Management Functions

(for O.USER_AUTHORIZATION, O.ACCESS_CONTROL, and O.ADMIN_ROLES)
Hierarchical to : No other components.
Dependencies: : No dependencies
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [refer to Table
6-7].

Table 6-7 list of management functions

Management functions
Enhanced Security setting function by U.ADMIN
User management function by U.ADMIN
User Authentication setting function by U.ADMIN
External authentication server setting function by U.ADMIN.
Trusted communication management function by U.ADMIN
Registration and Modification function of Network setting by U.ADMIN
Modification function of date and time information by U.ADMIN
Audit log management function by U.ADMIN
Modification function of system auto reset time by U.ADMIN
Modification function of auto logout time by U.ADMIN
Modification function of release time of operation prohibition of administrator authentication by U.ADMIN
Modification function of Password policy by U.ADMIN
Modification function of Authentication failure frequency threshold by U.ADMIN
Clear function of Authentication failure frequency (except U.BUILTIN_ADMIN) by U.ADMIN
User box management function by U.ADMIN
Memory RX setting function by U.ADMIN
Administrator password setting function by U.BUILTIN_ADMIN
User box management function by U.NORMAL
User password setting function by U.NORMAL

FMT_SMR.1 Security roles

(for O.ACCESS_CONTROL, O.USER_AUTHORIZATION, and O.ADMIN_ROLES)
Hierarchical to : No other components.
Dependencies : FIA_UID.1 Timing of identification
FMT_SMR.1.1 Refinement: The TSF shall maintain the roles U.ADMIN, U.NORMAL.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

42 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

6.1.1.6. Class FPT: Protection of the TSF

FPT_SKP_EXT.1 Extended: Protection of TSF Data

(for O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : No dependencies
FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.

FPT_STM.1 Reliable time stamps

(for O.AUDIT)
Hierarchical to : No other components.
Dependencies : No dependencies
FPT_STM.1.1 TSF shall be able to provide reliable time stamps.

FPT_TST_EXT.1 Extended: TSF testing

(for O.TSF_SELF_TEST)
Hierarchical to : No other components.
Dependencies : No dependencies
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (and power on) to demonstrate the
correct operation of the TSF.

FPT_TUD_EXT.1 Extended: Trusted Update

(for O.UPDATE_VERIFICATION)
Hierarchical to : No other components.
Dependencies : FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification),
FCS_COP.1(c) Cryptographic operation (Hash Algorithm)
FPT_TUD_EXT.1.1 The TSF shall provide authorized administrators the ability to query the current version of the TOE
firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized administrators the ability to initiate updates to TOE
firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a digital
signature mechanism and [no other functions] prior to installing those updates.

6.1.1.7. Class FTA: TOE Access

FTA_SSL.3 TSF-initiated termination

(for O.USER_I&A)
Hierarchical to : No other components.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

43 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Dependencies : No dependencies
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [time determined by system auto reset time
for operation panels, time determined by automatic logout time for WCs, and no interactive
session for printer drivers].

6.1.1.8. Class FTP: Trusted Path/Cannels

FTP_ITC.1 Inter-TSF trusted channel

(for O.COMMS_PROTECTION, O.AUDIT)
Hierarchical to : No other components.
Dependencies : [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_ITC.1.1 Refinement: The TSF shall use [IPsec] to provide a trusted communication channel between
itself and authorized IT entities supporting the following capabilities: [authentication server,
[SMTP server, DNS server, Log server, WebDAV server, SMB server]] that is logically distinct
from other communication channels and provides assured identification of its end points and
protection of the channel data from disclosure and detection of modification of the channel
data.
FTP_ITC.1.2 Refinement: The TSF shall permit the TSF, or the authorized IT entities, to initiate
communication via the trusted channel
FTP_ITC.1.3 Refinement: The TSF shall initial communication via the trusted channel for [authentication
service, mail service, DNS service, log transmission service, WebDAV service, SMB service].

FTP_TRP.1(a) Trusted path (for Administrators)

(for O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(a) Refinement: The TSF shall use [IPsec] to provide a trusted communication path between itself
and remote administrators that is logically distinct from other communication paths and
provides assured identification of its end points and protection of the communicated data from
disclosure and detection of modification of the communicated data.
FTP_TRP.1.2(a) Refinement: The TSF shall permit remote administrators to initiate communication via the
trusted path
FTP_TRP.1.3(a) Refinement: The TSF shall require the use of the trusted path for initial administrator
authentication and all remote administration actions.

FTP_TRP.1(b) Trusted path (for Non-administrators)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

44 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

(for O.COMMS_PROTECTION)
Hierarchical to : No other components.
Dependencies : [FCS_IPSEC_EXT.1 Extended: IPsec selected, or
FCS_TLS_EXT.1 Extended: TLS selected, or
FCS_SSH_EXT.1 Extended: SSH selected, or
FCS_HTTPS_EXT.1 Extended: HTTPS selected].
FTP_TRP.1.1(b) Refinement : The TSF shall use [IPsec] to provide a trusted communication path between itself
and remote users that is logically distinct from other communication paths and provides assured
identification of its end points and protection of the communicated data from disclosure and
detection of modification of the communicated data.
FTP_TRP.1.2(b) Refinement: The TSF shall permit [remote users] to initiate communication via the trusted path
FTP_TRP.1.3(b) Refinement: The TSF shall require the use of the trusted path for initial user authentication
and all remote user actions.

6.1.2. Conditionally Mandatory Requirements

6.1.2.1. PSTN Fax-Network Separation

FDP_FXS_EXT.1 Extended: Fax separation

(for O.FAX_NET_SEPARATION)
Hierarchical to : No other components.
Dependencies : No dependencies
FDP_FXS_EXT.1.1 The TSF shall prohibit communication via the fax interface, except transmitting or receiving User
Data using fax protocols.

6.1.3. Selection-based Requirements

6.1.3.1. Protected Communications

FCS_IPSEC_EXT.1 Extended: IPsec selected

(selected in FTP_ITC.1.1, FTP_TRP.1.1)

Hierarchical to : No other components.

Dependencies : FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition
FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)
FCS_COP.1(a) Cryptographic Operation (Symmetric
encryption/decryption)
FCS_COP.1(b) Cryptographic Operation (for signature
generation/verification)
FCS_COP.1(c) Cryptographic Operation (Hash Algorithm)
FCS_COP.1(g) Cryptographic Operation (for keyed-hash message
authentication)
FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

45 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FCS_IPSEC_EXT.1.2 The TSF shall implement [transport mode].

FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise
unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using [the
cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together with a Secure Hash
Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC 3602) together with a
Secure Hash Algorithm (SHA)-based HMAC].
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [IKEv1, using Main Mode for Phase 1 exchanges, as
defined in RFCs 2407, 2408, 2409, RFC 4109, [RFC 4304 for extended sequence numbers], and
[RFC 4868 for hash functions]].
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [IKEv1] protocol uses the cryptographic
algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 3602 and [no other algorithm].
FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.
FCS_IPSEC_EXT.1.8 The TSF shall ensure that [IKEv1 SA lifetimes can be established based on [length of time, where
the time values can be limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]].
FCS_IPSEC_EXT.1.9 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), and [no
other DH groups].
FCS_IPSEC_EXT.1.10 The TSF shall ensure that all IKE protocols perform Peer Authentication using the [RSA]
algorithm and Pre-shared Keys.

FCS_COP.1(g) Cryptographic Operation (for keyed-hash message authentication)

(selected with FCS_IPSEC_EXT.1.4)

Hierarchical to : No other components.

Dependencies : [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1(b) Cryptographic key generation (Symmetric Keys)]
FCS_CKM_EXT.4 Extended: Cryptographic Key Material
Destruction
FCS_COP.1.1(g) Refinement: The TSF shall perform keyed-hash message authentication in accordance with a
specified cryptographic algorithm HMAC-[SHA-1, SHA-256, SHA-384, SHA-512], key size
[160, 256, 384, 512 bits], and message digest sizes [160, 256, 384, 512] bits that meet the
following:
"FIPS PUB 198-1, "The Keyed-Hash Message Authentication Code, and FIPS PUB 180-3,
"Secure Hash Standard."

FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition

(selected with FCS_IPSEC_EXT.1.4)
Hierarchical to : No other components.
Dependencies : FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit
Generation)
FIA_PSK_EXT.1.1 The TSF shall be able to use pre-shared keys for IPsec.
FIA_PSK_EXT.1.2 The TSF shall be able to accept text-based pre-shared keys that are:
22 characters in length and [no other lengths];

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

46 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

composed of any combination of upper and lower case letters, numbers, and special characters
(that include: "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")").
FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using [SHA-1, SHA-256, SHA-512,
[SHA-384]] and be able to [use no other pre-shared keys].

6.1.3.2. Trusted Update

FCS_COP.1(c) Cryptographic operation (Hash Algorithm)

(selected in FPT_TUD_EXT.1.3, or with FCS_SNI_EXT.1.1)
Hierarchical to : No other components.
Dependencies : No dependencies.
FCS_COP.1.1(c) Refinement: The TSF shall perform cryptographic hashing services in accordance with
[SHA-1, SHA-256, SHA-384, SHA-512] that meet the following: [ISO/IEC 10118-3:2004].

Security Assurance Requirements

The TOE security assurance requirements specified in Table 6-8 provides evaluative activities required to address the
threats identified in 3.3 of this ST.

Table 6-8 TOE Security Assurance Requirements

Assurance
Assurance Class Assurance Components Description
Components
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
Security Target Evaluation ASE_OBJ.1 Security objectives for the operational environment
ASE_REQ.1 Stated security requirements
ASE_SPD.1 Security Problem Definition
ASE_TSS.1 TOE Summary Specification
Development ADV_FSP.1 Basic functional specification
AGD_OPE.1 Operational user guidance
Guidance Documents
AGD_PRE.1 Preparative procedures
ALC_CMC.1 Labelling of the TOE
Life-cycle support
ALC_CMS.1 TOE CM coverage
Tests ATE_IND.1 Independent testing – Conformance
Vulnerability assessment AVA_VAN.1 Vulnerability survey

Security Requirements Rationale

6.3.1. The dependencies of security requirements

The dependencies between TOE security functional requirements are shown in the table below.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

47 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 6-9 The dependencies of security requirements

Dependency ST-satisfied Requirements that do not meet
Functional requirements
relationship dependencies dependency
FAU_GEN.1 FPT_STM.1 FPT_STM.1 N/A
FAU_GEN.2 FAU_GEN.1 FAU_GEN.1 N/A
FIA_UID.1 FIA_UID.1 N/A
FAU_STG_EXT.1 FAU_GEN.1 FAU_GEN.1 N/A
FTP_ITC.1 FTP_ITC.1 N/A
FCS_CKM.1(a) FCS_COP.1(b) FCS_COP.1(b) N/A
FCS_COP.1(i)
FCS_CKM_EXT.4 FCS_CKM_EXT.4 N/A
FCS_CKM.1(b) FCS_COP.1(a) FCS_COP.1(a) N/A
FCS_COP.1(d) FCS_COP.1(g)
FCS_COP.1(e)
FCS_COP.1(f)
FCS_COP.1(g)
FCS_COP.1(h)
FCS_CKM_EXT.4 FCS_CKM_EXT.4 N/A
FCS_RBG_EXT.1 FCS_RBG_EXT.1 N/A
FCS_CKM.4 FCS_CKM.1(a) FCS_CKM.1(a) N/A
or FCS_CKM.1(b)
FCS_CKM.1(b)
FCS_CKM_EXT.4 FCS_CKM.1(a) FCS_CKM.1(a) N/A
or FCS_CKM.1(b)
FCS_CKM.1(b)
FCS_CKM.4 FCS_CKM.4 N/A
FCS_COP.1(a) FCS_CKM.1(b) FCS_CKM.1(b) N/A
FCS_CKM_EXT.4 FCS_CKM_EXT.4 N/A
FCS_COP.1(b) FCS_CKM.1(a) FCS_CKM.1(a) For IPsec communication
(FCS_IPSEC_EXT.1). In the case of the
update function (FPT_TUD_EXT.1),
FCS_CKM.1(a) and FCS_CKM_EXT.4
FCS_CKM_EXT.4 FCS_CKM_EXT.4
are not satisfied, but there is no problem
because key generation is not
performed.
FCS_COP.1(c) No dependencies No dependencies N/A
FCS_COP.1(g) FCS_CKM.1(b) FCS_CKM.1(b) N/A
FCS_CKM_EXT.4 FCS_CKM_EXT.4 N/A
FCS_IPSEC_EXT.1 FIA_PSK_EXT.1 FIA_PSK_EXT.1 N/A
FCS_CKM.1(a) FCS_CKM.1(a) N/A
FCS_COP.1(a) FCS_COP.1(a) N/A
FCS_COP.1(b) FCS_COP.1(b) N/A
FCS_COP.1(c) FCS_COP.1(c) N/A
FCS_COP.1(g) FCS_COP.1(g) N/A

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

48 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Dependency ST-satisfied Requirements that do not meet

Functional requirements
relationship dependencies dependency
FCS_RBG_EXT.1 FCS_RBG_EXT.1 N/A
FCS_RBG_EXT.1 No dependencies No dependencies N/A
FDP_ACC.1 FDP_ACF.1 FDP_ACF.1 N/A
FDP_ACF.1 FDP_ACC.1 FDP_ACC.1 N/A
FMT_MSA.3 FMT_MSA.3 N/A
FDP_FXS_EXT.1 No dependencies No dependencies N/A
FIA_AFL.1 FIA_UAU.1 FIA_UAU.1 N/A
FIA_ATD.1 No dependencies No dependencies N/A
FIA_PMG_EXT.1 No dependencies No dependencies N/A
FIA_PSK_EXT.1 FCS_RBG_EXT.1 ― Because bit-based pre-shared key
generation using random bit generator is
not selected.
FIA_UAU.1 FIA_UID.1 FIA_UID.1 N/A
FIA_UAU.7 FIA_UAU.1 FIA_UAU.1 N/A
FIA_UID.1 No dependencies No dependencies N/A
FIA_USB.1 FIA_ATD.1 FIA_ATD.1 N/A
FMT_MOF.1 FMT_SMR.1 FMT_SMR.1 N/A
FMT_SMF.1 FMT_SMF.1 N/A
FMT_MSA.1 FDP_ACC.1 FDP_ACC.1 N/A
FMT_SMR.1 FMT_SMR.1 N/A
FMT_SMF.1 FMT_SMF.1 N/A
FMT_MSA.3 FMT_MSA.1 FMT_MSA.1 N/A
FMT_SMR.1 FMT_SMR.1 N/A
FMT_MTD.1 FMT_SMR.1 FMT_SMR.1 N/A
FMT_SMF.1 FMT_SMF.1 N/A
FMT_SMF.1 No dependencies No dependencies N/A
FMT_SMR.1 FIA_UID.1 FIA_UID.1 N/A
FPT_SKP_EXT.1 No dependencies No dependencies N/A
FPT_STM.1 No dependencies No dependencies N/A
FPT_TST_EXT.1 No dependencies No dependencies N/A
FPT_TUD_EXT.1 FCS_COP.1(b) FCS_COP.1(b) N/A
FCS_COP.1(c) FCS_COP.1(c) N/A
FTA_SSL.3 No dependencies No dependencies N/A
FTP_ITC.1 FCS_IPSEC_EXT.1 FCS_IPSEC_EXT.1 N/A
or
FCS_TLS_EXT.1
or
FCS_SSH_EXT.1
or
FCS_HTTPS_EXT.1
FTP_TRP.1(a) FCS_IPSEC_EXT.1 FCS_IPSEC_EXT.1 N/A
or
FCS_TLS_EXT.1

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

49 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Dependency ST-satisfied Requirements that do not meet

Functional requirements
relationship dependencies dependency
or
FCS_SSH_EXT.1
or
FCS_HTTPS_EXT.1
FTP_TRP.1(b) FCS_IPSEC_EXT.1 FCS_IPSEC_EXT.1 N/A
or
FCS_TLS_EXT.1
or
FCS_SSH_EXT.1
or
FCS_HTTPS_EXT.1

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

50 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

7. TOE Summary specification

Summary specifications for the security functions provided by TOE.

Table 7-1 List of Security Functions

No. Security function name
1 Identification and Authentication function
2 Access control function
3 Encryption function
4 Trusted communication function
5 Security Management function
6 Audit function
7 Trusted operation function
8 FAX separation function

Identification and Authentication function

TOE acquires credentials from users, performs identification and authentication, and provides an identification and
authentication function, that allows to use TOE, only to those who are judged as authorized users as a result of
verification.

FIA_UAU.1, FIA_UID.1
TOE supports the three authentication methods shown in Table 7-2 and an administrator can set in the user
authentication setting function.
When using TOE from the operation panel or WC, enter the user name, user password, and administrator rights. When
using TOE from the operation panel or WC as the built-in administrator, enter the administrator password from the login
screen for the built-in administrator. When using TOE from the printer driver, enter the user name and user password.
TOE performs the identification and the authentication based on the input credentials, and permits the use of TOE only
if successful. If the external server authentication method is set, the user enters an external authentication server ID in
addition to the user name and user password. TOE sends the user name to the specified external authentication server and
decrypts the returned credential by user key generated from the user password. It determines that the authentication is
successful when the decryption is successful, and that the authentication is not successful when the decryption is failed.
Identification and authentication of Built-in Administrator is always performed by the MFP authentication method,
regardless of the authentication method setting.
TOE provides a function for the administrator to set the password to the Memory RX user box in the Memory RX
setting function, and Memory RX user box password has been set during operation. When a normal user who succeeds in
identification and authentication from the operation panel or WC accesses the Memory RX user box, authentication
using the Memory RX user box password is requested, and access is permitted only when authentication is successful.
Therefore, a normal user who does not know the Memory RX user box password cannot operate fax documents stored in
the Memory RX user box. The authentication of Memory RX user box password is always performed by the MFP
authentication method, regardless of the setting of the authentication method.
Since identification and authentication is performed for each of the above interfaces, the normal user can perform
identification and authentication from the panel while the administrator is performing the remote management function
from the WC, and if successful, the TOE can be operated. However, because identification and authentication of other

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

51 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

administrators is prohibited while an administrator logs in, two or more administrators cannot use TOE simultaneously
When TOE is used by the printer driver, there is no interactive session. When TOE receives electronic document,
identification and authentication is performed using the credential (user name, user password) included in the electronic
document. If successful, the normal user (U.NORMAL) is assigned as the user’s role and stored in TOE as an electronic
document owned by relevant normal user. If it fails, the received electronic document is destroyed without storing it. The
Printer Driver does not provide a way for administrators to use TOE.
Possible operations before performing identification and authentication are as follows.
・FAX RX
・The following settings can be used to check and display the TOE status.
 Device information display from the operation panel (firmware version etc.)
 Job display from the operation panel
 Enlarge display setting from the operation panel
 Change of display language of the WC

Table 7-2 User Authentication Setting function

Authorization method Identification and authentication
TOE performs identification and authentication. Confirms that the user name and user
MFP device authentication password or administrator password or Memory RX user box password match the
information registered in the TOE.
TOE performs identification and authentication by using the external authentication server
(Active Directory). TOE sends user name to the external authentication server specified by
External server authentication
user by using the Kerberos version 5 protocol, and decrypts the returned credential by the
user key generated from user password, and performs identification and authentication.
MFP device + External server TOE performs identification and authentication using either MFP device authentication or
authentication external server authentication. The user selects the authentication method when logging in.

FIA_ATD.1
For each normal user registered with the user management function, TOE defines the User ID, administrator rights
and the access authority of function restriction as the user attribute. Also, the access authority to Memory RX user box is
defined as the user attribute, too. This is provided the interface of Memory RX user box password authentication to
access memory RX user box only to normal user registered with the user management function, and associates the
normal user who is succeded this authentication. Also, User ID is defined as user attributes of the built-in administrator.

FIA_USB.1
TOE associates the user attribute (User ID, administrator rights, function restriction, access authority to Memory RX
user box), if a normal user or a user administrator succeeds in identification and authentication. TOE associates the user
attribute (User ID), if the built-in administrator succeeds in identification and authentication.
At this time, TOE discards the user attribute associated with the user, if the temporary suspension is set to the User ID.
Also, if the administrator rights are not set to the user who performed the login as the user administrator, the user
attribute associated with the relevant user is discarded.
When accessing the memory RX user box after a normal user succeeds in identification and authentication, the
authentication by memory RX user box password is required. If the authentication is successful, TOE enables access to
the memory RX user box that is the user attribute of the relevant user. If the authentication fails, the TOE disables access
to the memory RX user box that is the user attribute of the relevant user.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

52 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FIA_AFL.1
The TOE provides an authentication operation prohibition function to stop the user's authentication when the
administrator detects a continuous authentication failure more than the number of checks (1 to 3 times) set in advance by
the administrator in the user's identification and authentication. If an administrator rights is assigned to a normal user, the
number of authentication failures as a normal user and the number of authentication failures as a user administrator are
totaled.
When the authentication of the built-in administrator was suspended, turn OFF and ON the TOE power first. Then, the
authentication suspension is released when the time set for the operation prohibition release time setting, has passed after
the TOE is started. If the authentication of the normal user or the user administrator is suspended, the administrator who
is not in the suspended status can release their suspension by performing the deletion function of the number of the
authentication failure.
The TOE also performs the above-mentioned authentication failure operation for identification and authentication by
an external server authentication method.
The authentication of the memory RX user box password is suspended when the administrator detects a continuous
authentication failure more than the number of checks (1 to 3 times) set in advance by the administrator in the
identification and authentication of memory RX user box password. If the authentication of memory RX user box
password is suspended, the administrator who is not in the suspended status can release the authentication suspension by
performing the deletion function of the number of authentication failures.

FIA_UAU.7
When entering the login password or the memory RX user box password in the authentication processing of the
interactive session (login from the operation panel or WC), TOE displays "*" or "●" for each character entered.

FIA_PMG_EXT.1
Characters that TOE can use as a user password are uppercase and lowercase letters in the alphabet , numbers,
symbols (“!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”, “-”, “¥”, “[”, “]”, “:”, “;”, “,”, “.”, “/“, “'”, “=”, “~”, “|”, “`”, “{”,
“}”, “+”, “<”, “>“, “?” ,“_” and space), special characters (97 characters). In addition to the above characters, “””
(double quotation) can be used for the memory RX user box password. The administrator can set the minimum password
length from 8 to 64 characters. Therefore, the minimum password length of 15 characters or longer can be set.

FTA_SSL.3
The TOE terminates the session when a user who has been identified and authenticated by the operation panel or WC
satisfies the following conditions. In the case of the printer driver, there is no interactive session, but it logs in when the
requested processing is received from the printer driver and logs out immediately after the processing is completed.
・In the case of the operation panel, the user is logged out when the system auto reset time (settable between 1 and 9
minutes) has passed since the process of the final operation was completed.
・In the case of the WC, the user is logged out when the automatic logout time (settable between 1 and 60 minutes)
has passed since the process of the final operation was completed.

Access control function

FDP_ACC.1, FDP_ACF.1
The TOE restricts the operation of user document data and user job data as described in Tables 7-3 through 7-14, based
on the user data access control in Tables 6-2 and 6-3. For unauthorized operations, the interface is hidden or displayed in
an inoperable state, or a message is displayed indicating that the operation cannot be performed because there is no

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

53 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

authority on the operation request, and the operation is rejected.

When a normal user (U.NORAML) allowed by the identification and authentication performs Create operations in
Tables 7-3 through 7-14, the user becomes a Job Owner and TOE records the User ID as the owner information of a
document or Job. TOE does not provide an interface for an administrator (U.ADMIN) to perform a Create operation.
Since the Fax RX function (Fax receive) performs the Create operation by receiving a fax from an external fax without
the TOE operation, the job owner of the document or job until the Fax RX completion is assigned to the administrator
(*1). In the case of Fax RX with no F-code specified, the fax document is saved in the Memory RX user box, so the job
owner after the Fax RX is the normal user who knows the Memory RX user box password (*2). In the case of Fax RX
with the F-code specified, the fax document is saved in the specified personal user box, so the job owner after Fax RX is
the normal user who owns the personal user box (*3). Saving from the password encrypted PDF user box (Storage /
retrieval) is performed the create operation by retrieving the document, set to be saved, from the password encrypted
PDF user box and saving it in the operator's personal user box, when performing the direct print. The job owner of the
document or job after saving is the normal user who is the owner of the personal user box.

TOE has a function restriction setting that restricts the functions available to each normal user by the administrator in
the user management functions. The TOE displays the interface of the restricted function either hidden or inoperable
based on the user attribute function limitations. Therefore, a normal user with a function restriction cannot use the
operation using the restricted function from Table 7-3 to Table 7-14.

TOE has Memory RX setting function in which the administrator restricts the access of the normal user to the memory
RX user box in the Memory RX setting function. During operation, access is restricted by the memory RX user box
password. Based on the access authority to the memory RX user box of user attribute, the TOE allows access to the user's
memory RX user box if it is valid, and denies access to the user's memory RX user box if it is invalid. Therefore, normal
users who do not know the memory RX user box password cannot use the operations required to access the memory RX
user box in Tables 7-3 to 7-14.

In the user box management function, the TOE has a function to set the owner of the personal user box (User ID) by
the administrator or normal user. It has a function to change the owner of the personal user box (User ID) by the
administrator or the normal user who owns the personal user box. The TOE restricts access to the personal user box and
documents stored in the personal user box. If the normal user has the same User ID based on the Personal user Box
Owner (User ID), the TOE provides an interface to the Personal User Box and permits access to the Personal User Box.
On the other hand, if the normal user has a different User ID, the TOE will hide the interface of the relevant Personal
User Box, so the operation that requires the access to the relevant personal user box with Tables 7-3 to 7-14 cannot used.

<Supplement to Table 7-3 through Table 7-14>

The interface provided by TOE is as follows.
PN: Operation panel, WC: Web Connection, PD: Printer driver

The descriptions in the table are as follows.

〇: Supported by TOE, -: Not supported by TOE

Notes are as follows.

*1:U.ADMIN
*2: U.NORMAL who knows the memory RX user box password.
*3: U.NORMAL who is the owner of the personal user box specified by F-code.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

54 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 7-3 D.USER.DOC (Print) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner - - 〇 Perform Printing.
U.NORMAL - 〇 - Perform Direct printing.
- 〇 - To the password encrypted PDF, specify the print and perform
Direct Printing.
Read Job owner 〇 - - Select the document from the ID & Print user box to display the
document preview.
〇 - - Select the document from the ID & Print user box and preform
the printing.
(Documents will be deleted upon completion of printing.)
〇 - - Select the document from the Password Encryption PDF user
box and perform the printing.
(Password must be entered for printing. Documents will be
deleted upon completion of printing.)
Modify Job owner 〇 - - Perform print settings for the printing from the ID & Print user
bod.
Delete Job owner 〇 - - Delete document from ID & Print user box.
〇 - - Delete document from password encrypted PDF user box.

Job owner 〇 〇 - Delete documents due to job deletion.

U.ADMIN

Table 7-4 D.USER.DOC (Scan) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and perform the transmission
U.NORMAL by specifying the destination (excluding the fax destination)
from the scan/fax menu screen.
Read - - - - None.
Modify Job owner 〇 - - Perform the application setting with the Create operation.
Delete Job owner 〇 〇 - Delete documents due to job deletion.
U.ADMIN

Table 7-5 D.USER.DOC (Copy) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and perform the copy from the
U.NORMAL copy menu screen.
Read Job owner 〇 - - Perform Create operation.
Modify Job owner 〇 - - Perform the application setting with the Create operation.
Delete Job owner 〇 〇 - Delete documents due to job deletion.
U.ADMIN

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

55 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 7-6 D.USER.DOC (Fax send) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and select the fax destination
U.NORMAL from the scan/fax menu screen to perform the transmission.
Read - - - - None.
Modify Job owner 〇 - - Perform the application setting with the Create operation.
Delete Job owner 〇 〇 - Delete documents due to job deletion.
U.ADMIN

Table 7-7 D.USER.DOC (Fax receive) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner(*1) - - - No operation of TOE. Fax without an F-code is received from an
external fax.
- - - No operation of TOE. Fax with an F-code specified is received
from an external fax machine.
Read Job owner 〇 〇 - Select the fax document from the Memory RX user box and
display the document preview.
〇 〇 - Select the fax document from the personal user box and display
the document preview.
〇 - - Select the fax document from the Memory RX user box and
perform printing.
(The fax document will be deleted upon completion of printing.)
〇 - - Select the fax document from the personal user box and perform
printing.
(The fax document will be deleted upon completion of printing.)
Modify Job owner 〇 - - Perform application setting when printing fax documents from
personal user boxes.
〇 〇 - Select and edit fax documents from the personal user box.
Delete Job owner 〇 〇 - Delete fax documents from the memory RX user box.
U.ADMIN
Job owner 〇 〇 - Delete fax document from personal user box.

Job owner 〇 〇 - Deletion of fax documents due to deletion of print job of fax
U.ADMIN documents.
〇 〇 - Deletion of fax documents due to deletion of personal user
boxes.

Table 7-8 D.USER.DOC (Storage/retrieval) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner - - 〇 Save in User Box.
U.NORMAL - 〇 - Specify the Save in User Box and perform direct print.
〇 - - Set an original on the scanner unit, specify a personal user box

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

56 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

from the user box menu screen, and save in the user box.
- 〇 - To the password encrypted PDF, specify the Save in User Box
and perform direct print.
〇 Select the document from the password encrypted PDF user box
and save. (Selected document is moved to the operator’s
personal user box.)
Job owner(*2) - - - No operation of TOE. After receiving a Fax with no F-code from
an external Fax, save the fax document in the Memory RX user
box.
Job owner(*3) - - - No operation of TOE. After receiving a Fax with F-code from the
external Fax, save the fax document is the specified personal
user box.
Read Job owner 〇 〇 - Select the document from the personal user box and display the
document preview.
(Except fax documents. Document previews of fax documents
are controlled by the Read operation in Table 7-7.)
〇 - - Select the document from the personal user box and print, send,
fax TX, move, or copy it.
(Except the printing of fax documents. The printing of fax
documents is controlled by the Read operation in Table 7-7.)
- 〇 - Select a document from the personal user box and send,
download, move, or copy it.
- 〇 - Select a document from the Memory RX user box and download
it.
〇 - - Select the document from the Password Encrypted PDF user box
and save it.
(Password must be entered for storage. Documents will be
deleted upon completion of storage.)
Modify Job owner 〇 〇 - Select a document from the personal user box and edit it.
(Except fax documents. Editing of fax documents is controlled
by the Modify operation in Table 7-7.)
〇 〇 - Perform application setting in Read operation (send, print).
(Except printing of fax documents. The application setting in the
printing of fax documents is controlled by the Modify operation
in Table 7-7.)
〇 - - Select the fax document from the Memory RX user box and edit
it (change name).
Delete Job owner 〇 〇 - Delete the document from the personal user box.
(Except the deletion of fax documents. Delete of fax documents
is controlled by Delete operation in Table 7-7.)
〇 - - Delete document from password encrypted PDF user box.
Job owner 〇 〇 - Deletion of documents due to deletion of personal user boxes.
U.ADMIN (Except deletion of fax documents. Delete of fax documents is
controlled by Delete operation in Table 7-7.)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

57 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 7-9 D.USER.JOB (Print) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner - - 〇 Select the document from the client PC, perform the print
U.NORMAL operation using the printer driver, select the document
temporarily saved in the ID & Print user box from the operation
panel, and perform the print.
(Documents will be deleted upon completion of printing.)
- 〇 - Select the document from the WC of the client PC, perform the
direct print, select the document temporarily saved in the ID &
Print user box from the operation panel, and perform the print.
(Documents will be deleted upon completion of printing.)
- 〇 - Select the password encrypted PDF document from the WC of
the client PC, specify the print, perform the direct print, select
the temporarily saved document from the password encrypted
PDF user box from the operation panel, and perform the print.
(Password must be entered for printing. Documents will be
deleted upon completion of printing.)
Read Job Owner 〇 〇 -
U.ADMIN Displays the job.
U.NORMAL (except the receiving jobs of password encrypted PDF)
Unauthenticated 〇 - -
Modify - - - - None.
Delete Job owner 〇 〇 - Delete a job from the job display.
U.ADMIN (In the case of print jobs from ID & Print user boxes, the
document is also deleted by deleting the job.)

Table 7-10 D.USER.JOB (Scan) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and perform the transmission
U.NORAML by specifying the destination (excluding the fax destination)
from the scan/fax menu screen.
Read Job owner 〇 〇 -
U.ADMIN
Displays the job.
U.NORMAL
Unauthenticated 〇 - -
Modify - - - - None.
Delete Job owner 〇 - - When the scanner unit is reading an original, perform Stop on the
original reading screen or press the Stop key to perform deletion
of the stopping job.
(Documents will also be deleted due to job deletion)
Job owner 〇 〇 - Delete a job from the job display.
U.ADMIN (Documents will also be deleted due to job deletion)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

58 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Table 7-11 D.USER.JOB (Copy) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and perform copy from the
U.NORAML copy menu screen.
Read Job owner 〇 〇 -
U.ADMIN
Displays the job.
U.NORMAL
Unauthenticated 〇 - -
Modify - - - - None.
Delete Job owner 〇 - - When the scanner unit is reading an original, perform Stop on the
original reading screen or press the Stop key to perform deletion
of the stopping job.
(Documents will also be deleted due to job deletion)
Job owner 〇 〇 - Delete a job from the job display.
U.ADMIN (Documents will also be deleted due to job deletion)

Table 7-12 D.USER.JOB (Fax send) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner 〇 - - Set an original on the scanner unit and select the fax destination
U.NORMAL from the scan/fax menu screen to perform transmission.
Read Job owner 〇 〇 -
U.ADMIN
Displays the job.
U.NORMAL
Unauthenticated 〇 - -
Modify - - - - None.
Delete Job owner 〇 - - When the scanner unit is reading an original, perform Stop on the
original reading screen or press the Stop key to perform deletion
of the stopping job.
(Documents will also be deleted due to job deletion)
Job owner 〇 〇 - Delete a job from the job display.
U.ADMIN (Documents will also be deleted due to job deletion)

Table 7-13 D.USER.JOB (Fax receive) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner(*1) - - - No operation of TOE. Fax without an F-code is received from an
external fax.
- - - No operation of TOE. Fax with an F-code specified is received
from an external fax.
Job owner(*2) 〇 - - Select the fax document from the memory user box and perform
printing.
(The fax document will be deleted upon completion of printing.)
Job owner(*3) 〇 - - Select the fax document from the personal user box and perform

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

59 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

printing.
(The fax document will be deleted upon completion of printing.)
Read Job owner 〇 〇 -
U.ADMIN
Displays the job.
U.NORMAL
Unauthenticated 〇 - -
Modify - - - - None.
Job owner 〇 〇 - Delete a job from the job display.
U.ADMIN (In the case of a print job, the fax document is also deleted by
deleting the job.)

Table 7-14 D.USER.JOB (Storage/retrieval) access control

Operation Operable user Interface
Operation method
PN WC PD
Create Job owner - - 〇 Save in user box.
U.NORAML - 〇 - Specify the Save in user box and perform direct print.
〇 - - Set an original on the scanner unit, specify a personal user box
from the user box menu screen, and save in the user box.
- 〇 - Specify the Save in User Box and perform a direct print of
password encrypted PDF.
Job owner(*2) - - - No operation of TOE. After receiving a fax without an F-code
from an external fax, the fax document is saved in the memory
RX user box.
Job owner(*3) - - - No operation of TOE. After receiving a fax with the specified F-
code from an external fax, the fax document is saved in the
specified personal user box.
Job owner 〇 - - Select a document from the personal user box and print, send, fax
U.NORMAL TX, move, or copy it.
(Except the printing fax documents. The printing of fax
documents is controlled by the Create operation in Table 7-13)
- 〇 - Select a document from the personal user box and send,
download, move, or copy it.
Job owner - 〇 - Select the fax document from the memory RX user box and
U.NORMAL download it.
Job owner 〇 - - Select the document from the Password Encrypted PDF user box
U.NORMAL and perform save.
(Password must be entered for storage. Documents will be
deleted upon completion of storage.)
Read Job owner 〇 〇 -
U.ADMIN Displays the job.
U.NORMAL (except the receiving jobs of password encrypted PDF)
Unauthenticated 〇 - -
Modify - - - - None.
Delete Job owner 〇 - - When the scanner unit is reading an original, perform Stop on the
original reading screen or press the Stop key to perform deletion

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

60 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

of the stopping job.

(Documents will also be deleted due to job deletion)
〇 - - After printing from the personal user box, press the Stop key to
delete the job in suspend.
(Documents are not deleted after deletion of the job.)
Job owner 〇 〇 -
Delete a job from the job display.
U.ADMIN

Encryption function
FCS_CKM.1(a)
The TOE generates an RSA asymmetric key with a key length of 2048 bits in the method described in the rsakpg1-crt
method described in Section 6.3.1.3 of NIST SP800-56B, Revision 1 in the generation of IPsec certificates used in the
key establishment for IPsec communication. Also, in the key establishment for IPsec communication, an asymmetric key
is generated by Diffie-Hellman Group 14 as described in the Using the Approved Safe-Prime Groups described in
Section 5.6.1.1.1 of NIST SP800-56A, Revision 3.

FCS_CKM.1(b)
The TOE generates a random number using the RBG described in FCS_RBG_EXT.1 and generates a 128-bit or
256-bit symmetric encryption key at the start of IPsec communication or at the key establishment after the SA lifetime.
TOE starts the above RBG by calling the DRBG function (CTR DRBG (AES-256)) and generates a random number.

FCS_RBG_EXT.1
TOE implements a CTR DRBG (AES-256) conforming to NIST SP 800-90A and an RBG consisting of a single
software entropy source. The above CTR DRBG uses the Derivation Function and Reseed, but the Prediction Resistance
function does not work. The software entropy source implements a condition branch code etc., that affects the internal
state of the CPU, and a clock counter value acquisition process in the loop process. The variation of the loop processing
performance time is acquired via the clock counter and obtain the raw data. Conditioning is performed to agitate and
compress the entropy included in the raw data into the entire bit using shift operations and XOR, and after increasing the
entropy rate of the entire bit, it is output as an entropy value.
The TOE uses this RBG to generate random numbers and uses them to generate encryption keys (key length 256 bit
and 128 bit) with a trusted communication function. When the TOE generates a random number, if the CTR DRBG
requires a seed material (Entropy Input and Nonce), start the software to be used as the entropy source and obtain and use
the required size entropy value. This entropy value satisfies the minimum amount of entropy required for Instantiate and
Reseed (in the case of TOE, 256 bits equal to the security strength) shown in 10.2.1 of NIST SP800-90A and contains
sufficient entropy.

FIA_PSK_EXT.1
The TOE uses the following text-based pre-shared key as the pre-shared key for IPsec. The text-based pre-shared key
is also converted into a bit string using the hash algorithm described below.
・Text-based pre-shared key
 Length: 22 characters
 Available Characters: ASCII String or HEX Values
 Conditioning methods: SHA-1, SHA-256, SHA-384, and SHA-512

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

61 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FCS_COP.1(a)
TOE uses an AES-CBC with a key length of 128 bits and 256 bits conforming to FIPS PUB 197 and NIST SP 800-38A
as an ESP encryption algorithm for IPsec communication.

FCS_COP.1(b)
TOE uses the RSA digital signature algorithm with a key length of 2048 bits conforming to FIPS PUB 186-4 in FW
verification of the update function. The RSA digital signature algorithm (signature generation) with a key length of 2048
bits conforming to FIPS PUB 186-4 is used for peer authentication of IPsec communications, and the RSA digital
signature algorithm (signature verification), with a key length of 2048 bits and 3048 bits, conforming to FIPS PUB 186-4
is used for digital signature verification.

FCS_COP.1(c)
In the update function described in Section 7.7.1, TOE verifies firmware data using digital signature verification as
follows. Among them, the calculation of the hash value by SHA-256 conforming to ISO/IEC 10118-3:2004 is
performed.
Decodes the digital signature data with the RSA public key (key length 2048 bit) owned by TOE.
Calculate the hash value of the firmware data with SHA-256.
Compare the values of (1) and (2). The firmware data is judged to be correct if the data are matched.

As an IKEv1 authentication algorithm for IPsec communication, TOE calculates hash values using SHA-1, SHA-256,
SHA-348, and SHA-512 conforming to ISO/IEC 10118-3:2004.

FCS_COP.1(g)
In IPsec communication, TOE implements the following ESP by keyed hash message authentication in compliance
with The Keyed-Hash Message Authentication Code defined in FIPS PUB 198-1 and Secure Hash Standard defined in
FIPS PUB 180-3.
・Message digest length: 160, 256, 384, 512
・Key Length: 160, 256, 384, 512
・Encryption algorithms: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512

FCS_CKM.4, FCS_CKM_EXT.4
Table 7-15 shows the storage destination of keys and key materials used for IPsec communication and the method of
destruction. The pre-shared key set by the administrator and the private key of the IPsec certificate are stored in the
field-nonreplaceable SSD. When the administrator performs the deletion of these keys, it is overwritten with 0x00.
Session keys (temporary encryption keys) used in IPsec are stored in RAM. These items are deleted when the TOE
power is turned off since they will be no longer needed.

Table 7-15 Storage and Destruction of Key

Key Storage Timing of destruction Method of
destinatio destruction
n
Pre-Shared Key Pre-shared key set by the SSD Delete/Change Pre-shared key by Deleted by
administrator administrator (Trusted 0x00
communication management
function)

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

62 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Key generated by converting the RAM Power OFF ―

Pre-shared key set by the
administrator
Symmetric key Shared secret key for IKE RAM Power OFF ―
(generated in IKEv1 Phase 1)
Shared secret key for IPsec RAM Power OFF ―
(Generated in IKEv1 Phase 2)
Private key Private key of the IPsec SSD When deleted a certification by an Deleted by
certification administrator (Trusted 0x00
communication management
function)
Diffie-Hellman private key of RAM Power OFF ―
IPsec (generated in IKEv1 Phase
1)

Trusted Communication function

FTP_ITC.1
Since the TOE uses the IPsec protocol in communication with the IT device shown in Table 7-16, channel data is not
transmitted in plaintext.

Table 7-16 Communication with IT equipment

TSF-permitted IT devices Protocol
SMTP server IPsec
External authentication server IPsec
DNS server IPsec
Log server IPsec
WebDAV server IPsec
SMB server IPsec

FTP_TRP.1(a)
TOE provides a WC that runs on the browser of the client PC as a way for the administrator to remotely manage TOE.
Communication between TOE and client PC uses the IPsec protocol, which is the trusted communication path. When the
TOE is accessed from the client PC for remote management, the TOE starts communication only with the IPsec protocol
and guarantees end point identification, protection from communication data leakage, and detection of communication
data modification.

FTP_TRP.1(b)
TOE provides WC and printer drivers that run on the browser of the client PC as a way for non-administrator users to
access TOE remotely. Communication between TOE and client PC uses the IPsec protocol, which is the trusted
communication path. When the TOE is accessed from the client PC for remote access, the TOE starts communication
only with the IPsec protocol and guarantees end point identification, protection from communication data leakage, and
detection of communication data modification.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

63 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

FCS_IPSEC_EXT.1
TOE implements an IPsec architecture conforming to RFC 4301. Only the administrator can set and change the
following settings as the IPsec protocol, but cannot use the settings other than followings.

・IPsec Encapsulation Settings: Transport Mode

・Security Protocol: ESP (conform to RFC 4303)
 ESP Encryption Algorithm: AES-CBC-128, AES-CBC-256 (conform to RFC3602)
 ESP Authentication Algorithm: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, and
HMAC-SHA-512
・Key Exchange Method: IKEv1 (conform to RFC 2407,2408,2409,4109)
 IKEv1 Encryption Algorithm: AES-CBC-128, AES-CBC-256 (conform to RFC 3602)
 Negotiation mode: Main Mode
 SA lifetime
 Phase 1 of SA: 600 to 86400 seconds
 Phase 2 of SA: 600 to 28800 seconds
 Diffie-Hellman Group: Group 14
 ESN: invalid, valid (conform to RFC 4304)
・IKE Authentication Method: Digital Signature (RSA), Text-Based Pre-shared Key
 Digital signature
 RSA-2048 (Signature generation, Signature verification)
 RSA-3072 (Signature Verification)
 Authentication Algorithm: SHA-256, SHA-384, and SHA-512 (conform to RFC 4868)
 Text-based pre-shared key
 Pre-shared key set by the administrator: 22-character string (ASCII string or HEX value)
 Authentication Algorithms: SHA-1, SHA-256, SHA-384, and SHA-512 (conform to RFC 4868)
 Protocol Setting
 Protocol Identification Setting: No Selection (Any)
 IPsec Setting
 Default Action: Discard
 Certificate Verification Level Settings: Expiration Date: Check
Key Usage: No check
Chain: Check the path of certification
Expiration Date Confirmation: No check

Also, the TOE implements the IPsec Security Policy Database (SPD) and the followings can be set by the administrator.
・IPsec Policy: Specify the IP packet conditions and select which of the protected, allow, and deny operations to
perform for IP packets that meet each of these conditions. Inbound packet and outbound packet are processed
with same rule from the view of the IPsec policy. For IP packet conditions, protocols of Any and destination IP
addresses (Individual, or Subnet settings) can be set.
IPsec policy can be set to 10 groups of IP policy groups 1 to 10. When multiple IPsec policies are set, the
operation is applied in the following order of precedence, regardless of the order in which IPsec policy groups 1
to 10 are registered.
Priority: High Protected > Deny > Allow Priority: Low
・Default Action: If the IPsec policy is not matched, select the action from the following. (Guidance instructs
administrators to choose to discard in this setting.)
 Deny: Discard IP packets that do not match the IPsec policy setting
 Allow: Bypassing IP packets that do not match the IPsec policy setting
Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved
64 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Security Management function

FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1
TOE provides the following management functions to users. Each management function is operable only from the
interface described. The printer driver does not provide management functions. When transiting the screen of
performing the following management functions on the operation panel or WC, identification and authentication to TOE
is requested, and so the management function cannot be used without authentication. At login, associate roles
(U.ADMIN, U.NORMAL) with the user and maintain the associated roles until they are logged out. Cannot use the
management functions that are not provided in the user role. In the access control of Tables 6-2 and 6-3, TOE assigns the
User ID of the normal user who created the user document data and the user job data as the initial value of the security
attribute. User document data and user job data generated by the Fax RX function are created by users other than TOE.
Therefore, an administrator's User ID is assigned as the initial value of the security attribute, and the access control of
Fax receiving is performed. After Fax RX is completed, Fax document is stored in the Memory RX user box if F-code is
not specified, and it is controlled with the access authority of Memory RX user box and so the security attribute is not
related. Administrator’s User ID is assigned as the initial value. If Fax RX with F-code, specified personal user box’s
User ID is assigned as the initial value of security attributes. Refer to “ 7.2 Access control function” for details. TOE
does not have a function to overwrite the User ID assigned as the initial value.

Table 7-17 Management functions provided to Administrator

Management function Description Permitted Operable interface
operations
User management Register/delete a user with a user attribute User ID of Registration, Operation panel,
function TOE, register/change a user password, set/release a Modification, WC
temporarily suspension of use, set/release a function Deletion
restriction, and assign/delete an administrator rights.
When the user registered user creates a document or job,
the User ID is set as the initial value of the security
attribute, and the user data access control in Tables 6-2
and 6-3 is performed. If the user is deleted, the document
in which the user is the owner is also deleted.
Administrator password Set the administrator password. The default value is set Modification Operation panel
setting function for the administrator password at the time of shipment.
The built-in administrator changes the setting when the
setup procedure at the start of operation.
User Authentication Set the user authentication method. Select either of MFP Modification Operation panel,
setting function device authentication, external server authentication, or WC
MFP device + external server authentication. The
Built-in Manager is always identified and authenticated
by the MFP device authentication.
External Authentication Sets the external authentication server to be used by the Registration, Operation panel,
server setting function external server authentication method. Modification, WC
Deletion
Modification function of Set the threshold of the number of authentication Modification Operation panel,
No. of Authentication failures. When the number of continuous user WC

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

65 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Management function Description Permitted Operable interface

operations
Failures Threshold authentication failures reaches this set value, the TOE
suspends authentication to the relevant user.
Modification function of Set the time until releasing the suspension of Modification Operation panel,
Operation prohibition authentication when the built-in administrator's WC
release time of authentication is suspended due to the number of
Administrator continuous authentication failures reaching the
Authentication threshold.
Clear function of Clear the number of authentication failures. This Execution Operation panel,
No of Authentication operation can release the authentication suspension of a WC
Failures (other than the user other than the built-in administrator.
built-in administrator)
Modification function of Set and change the password rule (including the setting Modification Operation panel,
Password rule of the number of minimum password character). WC
Enhanced Security setting Enable/disable the enhanced security settings. Modification Operation panel,
function When enabled, the settings related to the behavior of the WC
security function are set to secure values and the settings
are maintained. The use of the TOE updating function
through the network, the maintenance function (using
RS-232C I/F), and the network setting management
initialization function is prohibited. When a user
performs a prohibited function or a setting change, the
enhanced security setting is changed to disable if user
instructs to continue the operation after the warning
screen is displayed.
Modification function of Set the date and time information. If an event under audit Modification Operation panel,
Date/Time information occurs, this date and time information is recorded in the WC
audit log.
Modification function of Set the system auto reset time during operation of the Modification Operation panel,
System Auto reset time operation panel. WC
Modification function of Sets automatic logout time during WC operation. Modification WC
Automatic Logout time
Trusted Communication Set IPsec communication, which is a trusted Registration, Operation panel,
Management function communication function. IPsec communication setting, Modification, WC
pre-shared key setting. Registration, modification, and Deletion
deletion of IPsec certificate setting.
Network setting function Register and change the network settings (IP address of Registration, Operation panel,
TOE, IP address of the DNS server, the port number, Modification WC
NetBIOS name, etc.).
Audit Log Management Enable/disable the audit function, how to obtain the audit Registration, Operation panel,
function log, log server, setting of automatic log distribution Modification WC
conditions, and send/delete of the audit log are
performed.
User box Management Register/change the personal user box (change the user Registration, Operation panel,
function box name, register/change the user box password, Modification, WC

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

66 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

Management function Description Permitted Operable interface

operations
change the owner user, etc.) and delete. Deletion
Memory RX setting Enable/disable the Memory RX, register/change the Registration, Operation panel,
function memory RX user box password. Modification WC

Table 7-18 Management function provided to normal users

Management function Description Permitted Operable interface
operations
User Password setting Set the user password. After identification and Modification Operation panel,
function authentication, the user can change user’s own password. WC
User Box Management Register a personal user box. Also change and delete the Registration, Operation panel,
function user box owned by the user (change the user box name, Modification, WC
register/change the user box password, change the owner Deletion
user, etc.).

FPT_SKP_EXT.1
TOE stores the pre-shared key set by the administrator and the private key of the IPsec certificate, among the
encryption keys used for IPsec communication in the SSD that is a Field- nonreplaceable non-volatile storage. Other
encryption keys are stored in RAM (see Table 7-15). The TOE does not provide the ability to view stored pre-shared
keys, private keys, and encryption keys, so users cannot retrieve them by operating the TOE. The TOE implements
RS-232C IF on the MFP itself, but since it is disabled during operation, the user cannot use this interface to retrieve SSD
internal data. Other than the RS-232C IF, the interface for retrieving SSD internal data from outside the TOE is not
implemented. Because SSD is the field-nonreplaceable storage, user cannot remove SSD and retrieve internal data.
Therefore, users cannot read the stored pre-shared key, private key, or encryption key.

Audit function
TOE generates and records an audit log for the event being audited and sends it to the log server.

FAU_GEN.1, FAU_GEN.2
The TOE defines the following events as the event to be audited and records the event occurrence time (year, month,
day, hour, minute, second), event type, subject identification information, and event results.

Table 7-19 List of Events to be Audited

ID (Subject Identification
Event to be audited Results
Information *1)
Admin ID/User ID/unregistered
Perform of User Authentication OK/NG
ID
Perform of Memory RX user box password authentication User ID OK/NG
Registration, modification, and deletion by the User
Admin ID OK/NG
management function
Modification of User password User ID OK/NG

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

67 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

ID (Subject Identification
Event to be audited Results
Information *1)
Modification of Administrator password Admin ID OK
Modification of User Authentication Settings Admin ID OK
Registration and modification of External Authentication
Admin ID OK
Server settings
Modification of the No. of Authentication Failures threshold Admin ID OK
Modification of the Prohibited operation Release time of
Admin ID OK
Administrator authentication
Clearing the No. of Authentication Failures (other than
Admin ID OK
U.BUILTIN_ADMIN)
Password rule modification function Admin ID OK/NG
Modification of Enhanced Security mode settings Admin ID OK
Modification of Date and time information Admin ID OK
Modification of System Auto reset time Admin ID OK
Modification of Automatic Logout time Admin ID OK
Registration, modification and deletion of Trusted
Admin ID OK/NG
Communication Management settings
Registration and modification of Network settings Admin ID OK/NG
Start of the Audit Log acquisition function Admin ID OK
End of the Audit Log acquisition function Admin ID OK
Registration and modification of Audit Log management
Admin ID OK
function
Registration, modification, and deletion of personal user box
Admin ID/User ID OK/NG
by User box management functions
Registration, modification of Memory RX setting function Admin ID
Storing a print job User ID OK/NG
Printing a print job User ID OK/NG
Sending a scan job User ID OK/NG
Printing a copy job User ID OK/NG
Sending a Fax TX job User ID OK/NG
Receiving a Fax RX job System ID OK/NG
Printing a Fax RX job User ID OK/NG
Storing a saved job User ID OK/NG
Storing a Fax RX job System ID OK/NG
Printing a saved job User ID OK/NG
Sending a saved job User ID OK/NG
Fax sending a saved job User ID OK/NG
Downloading a saved job User ID OK/NG
Moving a saved job User ID OK/NG
Duplicating a saved job User ID OK/NG
Deleting a saved job User ID OK/NG
Failure of IPsec session establishment System ID ErrNo(*2)
(*1) The ID of the event to be audited (subject identification information) that occurred before identification and
authentication records a fixed value such as an unregistered ID.

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

68 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

The system ID (fixed value: system (MFP)) is recorded because no identification and authentication is performed
for Fax RX.
The system ID (fixed value: system (MFP)) is recoded in the failure of IPsec session establishment.
(*2) A predetermined error such as "1414" (failure of secure communication (IPSec)) is recorded.

FAU_STG_EXT.1
TOE provides the Audit Log management function performed by the administrator for enabling/disabling the audit
function, how to obtain the audit log, log server, setting of automatic log distribution conditions, and sending and
deleting the audit log. Use WebDAV server for the log server. IPsec communication between TOE and the log server is
set by the trusted communication management function.
The TOE temporarily saves log information as a log file in the local storage area of the TOE. It converts it to XML
data and sends it to the log server when the date and time set in the automatic log distribution condition or the log storage
amount set in the automatic log distribution condition is reached or when the administrator performs the audit log
transmission.
Log files temporarily saved in TOE are deleted after conversion to XML data or when an administrator performs the
audit log deletion. XML data is deleted at the timing of XML data conversion of the next file, after transmission to the
log server is completed. The only interfaces that access the log files and XML data stored temporarily in the TOE are the
sending and deletion of audit logs by the administrator, and so unauthorized access by normal users or attackers is not
possible.
When log information cannot be sent to the log server due to network failure, etc., and the local storage area in the
TOE becomes full, the functions that can be performed are limited to the following functions.
・End of the audit log acquisition function by turning OFF the power supply
・Start of the audit log acquisition function by turning ON the power
・User Authentication (only administrator login from the operation panel is allowed)
・Sending or deleting audit log by administrator
The restriction is released, by an administrator sends an audit log or performs an audit log deletion and clears the full of
the local storage area.

Table 7-20 Audit Log Data Specifications

Handling of audit log data Overview
Storage area of log information Store on the SSD
Log information is temporarily saved as a log file, converted to XML data, and
sent to the log server.
Log files can be saved up to 40 MB and converted to XML data for transmission
to the log server at any of the following timings. After conversion, the
corresponding log file is deleted.
・ When the date and time set by the administrator or the accumulated amount
Size to hold log information
are reached
・ Upon reaching 36 MB
・ When an administrator performs an audit log TX
XML data is deleted when the next XML data is generated after sending it to the
log server. If the transmission fails, a maximum of 76 MB (40 MB of log file, 36
MB of XML data) is temporarily stored in the TOE.

FPT_STM.1

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

69 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

TOE has a clock function and provides only the administrator with the function to change the time of TOE. Time
information to be recorded in the audit log is provided by the clock function.

Trusted operation function

7.7.1. Update function

FPT_TUD_EXT.1
The administrator can confirm the firmware version on the administrator screen after the identification and
authentication from the operation panel or WC.
In addition, the administrator can install a USB memory storing firmware data and digital signature data in the TOE
and perform the firmware update function on the administrator screen after the identification and authentication on the
operation panel. Firmware data includes various firmware such as system controller and print controller, and hash value
information for each firmware calculated by SHA-256 (used for self-test function described in 7.7.2). Digital signature
data is data signed with the RSA digital signature algorithm (key length 2048 bit, signature scheme PKCS #1 Ver 1.5)
described in FIPS PUB 186-4, "Digital Signature Standard" for the hash value of firmware data calculated by SHA-256.
When the administrator performs the update function, the TOE verifies the digital signature of the firmware data by
using the RSA public key (key length 2048 bit, installed in TOE at the time of shipment) before starting the installation.
If the signature verification fails, a warning is displayed on the operation panel and firmware is not rewritten. If the
signature verification is successful, the firmware and the hash value information for each firmware is installed. The
procedures for digital signature verification are as follows.
Decrypt the digital signature data with the RSA public key (key length 2048 bit) owned by TOE.
Calculate the hash value of the firmware data by SHA-256.
Compare the values of (1) and (2). The firmware data is judged to be correct if the data are matched.

7.7.2. Self-test function

FPT_TST_EXT.1
TOE performs the tests described in the table below in sequence, when the power is turned on. If an error is detected,
display a warning on the operation panel, stop the operation, and will transit to the status not to accept the operation. This
confirms the integrity of the firmware that performs TSF.

Table 7-21 Self-test

No. Target Test
Confirm that the hash value for each firmware calculated by SHA-256 matches
Various firmware such as system the value recorded in the hash value information installed in TOE by the update
1
controllers function. The encryption library used in TOE is also subject to hash value
verification.
Known Answer Test for each encryption algorithm: KAT test for SHA-1, KAT
test for SHA-512, KAT test for HMAC SHA-256, KAT test for AES encryption
Encryption Library Algorithm:
2 (CBC, 128-bit key), KAT test for AES decryption (CBC, 128-bit key), KAT for
SHA, HMAC, etc.
RSA 2048-bit (PKCS #1 v1.5), KAT for DSA (signing P = 2048/N = 256;
verification P = 1024/N = 160), and KAT for Diffie-Hellman are performed.
Encryption Library Algorithm: Set the software to be used as the entropy source and perform the health test of
3
DRBG the DRBG function (Known Answer Test of Instantiate, Generate, and Reseed

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

70 / 71
 KONICA MINOLTA bizhub 450i/bizhub 360i/bizhub 300i with FK-514, DEVELOP ineo 450i/ineo 360i/ineo 300i with FK-514
Security Target

No. Target Test

Functions based on "11.3 Health Testing" in NIST SP800-90A).

Fax separation function

FDP_FXS_EXT.1
TOE implements fax interfaces for receiving faxes from external fax devices via public lines and by sending faxes
from the operation panel. The data permitted to be sent and received through the fax interface is only the fax documents
described above use .
TOE implements fax modem functions and supports the Super G3 and G3 protocols. The fax modem only performs
Fax TX and RX, and does not accept any other commands through the public line. The TOE also does not have a function
to form a network bridge between the PSTN and the LAN.
Therefore, user can use the TOE Fax interface only for the Fax TX and RX.

---End---

Copyright ©2020 KONICA MINOLTA, INC., All Rights Reserved

71 / 71