Ricoh's Security Functions
- Security for Multifunction Products
- Security Threats and Countermeasures
- Ricoh's Security Functions
- Ricoh's Common Criteria Certification Activities
- Ricoh Products Certified with Common Criteria (ISO/IEC 15408)
Security Functions for Communications
Network port security
Multifunction copiers, as well as other devices, have several communications protocols to choose from. Each of the protocols can either be enabled or disabled, so that only required protocols can be used and unauthorized access is minimized.
IP address filtering
Accesses using TCP/IP can be controlled by designating the range of IP addresses from which accesses are allowed. For instance, designating an access control range of [18.104.22.168] to [22.214.171.124] allows access from the PCs whose IP addresses are from 126.96.36.199 to 188.8.131.52. Limiting the IP addresses will reduce the risk of threats like access from unauthorized PCs.
Security for fax lines
A multifunction copier with a fax feature is connected to the outside via a telephone line. It is necessary to block unauthorized accesses via the telephone line. Ricoh software is designed to only process appropriate types of data and send that data to appropriate functions in the device. Therefore, only fax data is received from the fax line and it is communicated only to the processes needed for fax operation. This mechanism prevents unauthorized access from the fax line to the network or to the programs inside the device.
The administrator of the multifunction copier can use IPsec for encrypted communications. IPsec enables communications in units of secure packets at the IP protocol level. Even if no encryption is used in a high-order protocol or application, IPsec enhances security by preventing the content of communications from being tapped into or altered.
Encryption over SSL/TLS
The administrator of the multifunction copier can set up SSL/TLS for encrypted communications. The SSL/TLS setup prevents data from being tapped into, analyzed, or altered during communications. For instance, a customer using e-mail services and cloud services over the Internet may want to encrypt communications using the scan-to-e-mail function. This method greatly reduces the risk of information leaks or alterations when an external SMTP server is used.
Since recent hackers have high skills for decrypting communications, strong encryption algorithms are needed to minimize information leakage from hardcopy devices. By implementing the 256-bit AES and SHA-2 encryption algorithms required by the U.S. National Institute of Standards and Technology (NIST) and adopting HMAC_DRBG to create encryption key, Ricoh increases the security of communications and internal processing for all of its multifunction copiers.
- ※Ricoh's multifunction copiers are capable of SSL/TLS communications conforming to FIPS 140-2 specifications, the network communications requirements of the U.S. government.
SNMP (Simple Network Management Protocol) is a protocol for collecting information on network devices so that they can be monitored and controlled. The information includes, for example, the total number of copies a device has printed and the errors it has encountered. SNMP is also used to operate the devices, such as monitoring the operating status of its services. These functions are based on information obtained from a management information base (MIB), which describes the configuration of the network devices. SNMPv3 incorporates user authentication and data encryption functions which protect user data and network device information.
S/MIME for scan-to-e-mail
To minimize the risk of information leaks, e-mail messages can be sent using public key cryptography and a certificate of user verification that has been registered in the address book of a multifunction copier. Spoofing and message alteration can be prevented by attaching an electronic signature using a secret key based on a device certificate in the the multifunction copier.
- ※This feature is not available with W-NET FAX and direct SMTP.
WPA (Wi-Fi Protected Access) support
WPA is an encryption system for wireless networks. WPA provides greater security than WEP, a conventional encryption system. In addition to the SSID and security key used in WEP, WPA features a user authentication function and an encryption protocol called TKIP (Temporal Key Integrity Protocol) which automatically updates the encryption key at certain intervals.
Security Functions for Management
Individual users can be identified by the multifunction copier. Ricoh's user authentication functions are based either on user codes of up to eight digits or on combinations of login user names and passwords. Linked with the Windows® domain controllers and LDAP servers over the network, the multifunction copier allows user authentication via an existing authentication system.
User authentication using authentication cards
Instead of entering the user name and password, a user can just hold an authentication card over the card reader/writer for authentication. When data is sent from a client PC for printing, the multifunction copier suspends processing that data until the user walks over to the device, holds the authentication card over the reader, and enters printing instructions on the operator panel.
Job logs/access logs
Logs stored in the multiufnction copier provide a variety of information such as how the functions have been used, what errors have occurred, how the device has been accessed, and who have accessed the device. These logs impose a disincentive to people intending to leak information, and allow tracking in the unlikely event of an unauthorized access. The following information is logged:
- Job logs
- ・All information on the user's document workflow, including photocopying, document storage in a document box, printing on the printer, fax transmission, and scanner distribution.
- ・Printing of reports, including the system settings list that is output from the operating unit.
- Access logs
- ・Authentication events such as login and logout
- ・Document operation including generation, editing, and deletion of stored documents
- ・Operations by service engineers, such as hard disk initialization
- ・Log transfer results and system operation when an unauthorized copy is read
- ・Security operations such as encrypted communication, access attacks, lockouts, and firmware validation
User access restriction
With a user management tool, the system administrator can restrict the access privileges of users. For instance, the administrator can set up the privileges to allow only selected users to access the address book registered in the multifunction copier. This blocks unauthorized access to important information, such as the personal information recorded in the address book.
User lockout function
When wrong passwords are consecutively entered during the login process, the multifunction copier judges that the password is being cracked. This triggers the lockout function, which inhibits login using that user name. The locked-out user name cannot be authenticated even if it is combined with the correct password. The lockout will be released in a certain lapse of time or by an administrator or a supervisor. Thus, the attacker cannot continue cracking the password.
Hard Disk Security Functions
Hard disk drive (HDD) encryption
Address books, authentication information, and accumulated documents stored in a multifunction copiers are encrypted as they are stored. This function prevents information from being leaked even if the hard disk drive is physically removed.
- Data to be encrypted
The following data stored in the non-volatile memory or hard disk drive of the multifunction copiers are encrypted:
DataOverwriteSecurity System (DOSS)
When a document is scanned by an MFP or a scanner or when data is received from a PC, some data may be stored on the hard disk drive or memory device. For example, temporary image data, data the user has chosen to save, or device configuration data may be stored. When the data is no longer needed this function actively erases it by overwriting it.
The image data stored in the device during the copying and printing processes is overwritten and erased each time a job is executed.
- Overwrite all:
All data, including the user information registered in the multifunction copier, is erased at one time when the multifunction copier is to be transferred to another department or to be decommissioned.
- Method of erasing:
NSA Data is overwritten twice with random numbers and once with zeros. DoD Data is overwritten by a random number, then by its complement, and then by another random number. Random Numbers Data is overwritten multiple times with random numbers. The number of overwrites can be selected from 1 to 9. BSI/VSITR* Data is overwritten 7 times with the following patterns: 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xAA. Secure Erase* Data is overwritten using an algorithm that is built in to the hard disk drive. Format* The hard disk is formatted. Data is not overwritten.
*These methods are available for Overwrite all function.
Our device supports the above erasing methods to enable customers to select the erasing method which follows customers' security policies. The results of each erasing method except for Format are the same.
Encryption key protection via TPM
Ricoh MFPs employ a Trusted Platform Module (TPM) which is a tamper-proof hardware security module that performs cryptographic functions and securely stores cryptographic data. Ricoh uses the TPM to store the root encryption key that protects the hard disk data encryption key and the digital certificate of the MFP, and to perform a trusted boot operation which validates MFP firmware authenticity before permitting the MFP to operate.
The root key and cryptographic functions are always contained within the TPM and cannot be altered from outside. This provides a high level assurance of the validity of the MFP’s firmware, device identity, and hard disk security. This is another good example of how Ricoh’s MFP products are designed with our customers’ security interests at the forefront.
Document Security Functions
PDF password encryption
To increase security against unauthorized use, PDF files can be protected by encryption and password. A protected PDF file can be opened only by a person who knows the password. A password can also set for changing the privileges, thus restricting the printing, modification, copying, and extraction of the content.
A document received from a PC can be stored in the hard disk drive in the multifunction copier. Using the locked print function, a password is specified when sending the document, and that password must be entered on the multifunction copier before it can be printed. Since the document will not be printed until the owner reaches the device, locked print makes sure that the document will remain under the control of its owner.
Unauthorized copy control
To guard against attempts to make unauthorized copies, Ricoh offers functions to ensure security of hardcopy documents. The copy guard function prints/copies documents with special invisible patterns embedded across the background. If the printed/copied document is photocopied, the embedded patterns will be visible on the copies. With the optional unauthorized copy guard module installed, the copier will detect the embedded patterns and replace the photocopied image with a gray image to prevent information leaks. This function is useful when confidential information has to be printed. Restricting the duplication of confidential information prevents this kind of information leakage.
Device Operation Security Functions
Displaying confirmation of transmission
Before you start sending a fax, information on the destination fax number and the number of pages can be easily viewed. This screen minimizes the risk of dialing the wrong number. Our customer engineers can set up the device so that this screen is always displayed before transmission.
Re-entering a fax number to confirm destination
People can easily make mistakes when entering a fax number directly on the keypad. Our customer engineers can set up the device so that the number needs to be entered twice or more for confirmation. If different numbers are entered, the transmission will not commence. This feature minimizes the risk of sending information to a wrong destination.
- ※Ricoh's multifunction products comply with FASEC 1, a security guideline for facsimile
Ricoh's Functions Designed to Protect Firmware
Multifunction copiers and ordinary printers have built-in software (called firmware) which controls their operation. If the firmware is altered by a malicious person, the devices could be used as stepping stones for intrusion into the corporate networks or to damage the devices.
To prevent the genuine firmware from being overridden by the unauthorized firmware, Ricoh uses electronic signatures to validate the firmware. Moreover, a Trusted Platform Module (TPM) which is tamper-proof hardware security module validates MFP firmware authenticity before permitting the MFP to operate. These technologies ensure device security.
Supported security functions vary from products. For more information describing the functions of each product please reference the specific product related support documentation., or contact your nearest Ricoh dealer.