Home » Ricoh Manuals » Laser Printers » Ricoh Aficio SP C820DNT1 » Manual Viewer

Ricoh Aficio SP C820DNT1 Design Guide - Page 17

Protection of MFP/LP Firmware, 4-1 Firmware Installation/Update

View all Ricoh Aficio SP C820DNT1 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 17 highlights

Print Controller Design Guide for Information Security 1-4 Protection of MFP/LP Firmware 1-4-1 Firmware Installation/Update It is possible to update the firmware stored on the MFP/LP using an SD card or via a remote connection. The following process is used to verify the validity of all firmware introduced into the MFP/LP in the field. This applies to firmware updates as well as to new installations of MFP/LP options. Firmware Installation/Update Using an SD Card Since SD cards themselves are generic items that are widely available for purchase in the field, the following process is used to prevent the illegal introduction of firmware into the MFP/LP via this storage media. Briefly stated, a license server assigns a digital signature to the firmware, which the MFP/LP then uses to authenticate the firmware when it is introduced in the field. 1. The Ricoh license server applies the SHA-1 algorithm (Secure Hash Algorithm 1) to the program to generate the value MD1. A private key is used to encrypt this value, which is then used as the firmware's digital signature. 2. The firmware in the SD card is introduced into the MFP/LP via the SD card slot. 3. The MFP/LP checks the firmware to identify the type (e.g. System, Printer, FAX, LCD). It then verifies that the model name is the same as its own, and in the case of a firmware update, that the firmware version is newer that the one already installed. 4. The MFP/LP then applies SHA-1 to the program to generate MD1, after which it uses a public key to decrypt the digital signature to generate MD2. 5. If MD1 = MD2, the firmware update process begins. Using a public key to decrypt the digital signature allows the MFP/LP to verify that the firmware has not been altered since it was assigned the digital signature by the license server. The basic identifying information of the firmware (version, type, etc.) is stored in the MFP/LP as the update is being performed. Therefore, the update can be reinitiated using the same SD card in the event that it is interrupted by a sudden loss of power or other cause. After recovery is initiated, the MFP/LP checks to see that the data in the SD card has not been altered, and then resumes the update. 1. Verification of model and target machine functions (Copier, Printer, etc .) 2. Verification of firmware version If MD1 ≠ MD2 Update process is cancelled and new firmware is not 3. Generate MD1 ins ta lled Program using SHA-1 MD1 Digital signa ture 5. Compare MD1 and MD2 3. Files are sent SD 64 MB SD card Progra m Digital signature Ricoh License Server 1. Generate MD using SHA-1 MD 2. Generate digital signature Private key 4. Decryption Public key M D2 If MD1 = MD2 "MD": Message Digest 6. Firmware is overwritten with new files Firmware Update Using an SD Card Page 17 of 86

Section	Page
04/23/2010	1
For these details, please refer to the Operating Instructions for the specific machine in question.	6
Hardware Configuration	7
MFP	7
LP	9
TPM (Trusted Platform Module): When the MFP/LP main power is turned on, this security module (chip) performs a verification on the validity of the software installed on the hardware platform, which includes checking for any illegal alterations.	10
Shared Service Layers	11
Principal Machine Functions	12
Data Security	14
External I/F	14
Protection of Program Data from Illegal Access via an External Device	14
IC card-based authentication functions: Authentication is mutual and encrypted, which prevents impersonation and ensures that data is properly protected.	16
Firmware Installation/Update	17
Remote Firmware Installation via Web SmartDeviceMonitor Professional IS (performed by the end user)	19
Verification of Firmware/Program Validity	20
Note: Produced by STMicroelectronics, TPM is a product of the ST19WP18 family, which has earned Common Criteria certification (EAL5+).	20
Authentication	21
IC Card Authentication	24
Access Control	25
In addition, it is possible to create an access control list (ACL) for each individual Address Book entry and Document Server document at both the individual user and group levels.	25
If the MLP/LP is initialized in this way, all of the user information, document data, and settings stored in the MLP/LP since installation will be initialized (erased).	26
Data Erase/Overwrite	27
To execute the overwrite, the operator can choose from two options: \	28
The execution of this feature does not clear engine-related information such as the value of the total counter, or engine-related adjustment settings contained in SP mode and UP mode.	28
Through this arrangement, the copy of the HDD storage key is automatically decrypted once the Encryption Key Restore has been completed.	31
Document Server Documents (MFP models only)	33
Access Privileges and Operations for Stored Documents	34
Without HDD: 500 entries	38
Overview of Capture Operations	39
Operations that Generate Captured Images	39
Capture Settings	41
Security Considerations	42
Captured Documents and Log Data	42
Additional Methods for Increased Security	42
(Authentication not required)	42
Copier (MFP Models Only)	43
Overview of Copier Operations	43
Data Security Considerations	43
Protection of Copy Jobs in Progress	43
Protection of Document Server Documents	43
Refer to 1.7.2 Document Server Documents (MFP models only) for details on the Document Lock feature.	44
Restricting the Available Functions for Each Individual User	45
Job/Access Log Data Collection	45
Print Backup	45
(printing out, editing, copying).	46
Overview of Printer Operations	47
Data Flow	47
Data Security Considerations	51
The \	53
Overview of Scanner Operations	54
Data Flow Security Considerations	54
Protection of Data when Performing Scanning and Sending Operations	55
Protection of Document Server Documents	56
Protection of Sending Results and Status Information	57
Protection of the Scanner Features Settings	57
Data Stored in the Job Log	58
Terminology	58
FTP (File Transfer Protocol): A protocol used when transferring files over a TCP/IP network.	58
Overview of FAX operations	59
Data Security Considerations	60
Protection of the Journal and Documents in Document Server Storage	61
Protection of FAX Transmission Operations	61
Protection of FAX Features Settings	62
The \	62
Job Log	62
Protection of Internet FAX Transmissions using S/MIME	62
Preventing FAX Transmission to Unintended Destination(s)	63
This prevents a FAX from being sent to an unintended destination when, for example, the operator accidentally touches an additional Quick Dial key.	63
Overview of NetFile Operations	64
Data Flow	65
Supplementary	65
Network Topology for a System Using Integration Server Authentication (Sample)	66
As long as the track ID is not stolen from the communication path between the PC and MFP/LP (which can be protected against by enabling SSL encryption) or from the PC itself, it is impossible to perform any unauthorized operations on these print jobs	68
Web Server Framework	69
WebDocBox (MFP models only)	70
For more details on job and access logs, please refer to 1.9 Job/Access Logs.	72
@Remote	73
Overview of @Remote Operations	73
Data Security Considerations	73
Security is increased even further by the fact that the symmetric key used is not a static key, but rather one that is generated every time a new session is initiated.	73
Overview of Copy Data Security Operations	74
Data Flow	75
Following this, an entry for the event itself is stored in the access log, along with the username.	75
Overview of Operations	77
1	77
Overview of SDK Application Functions	79
3: DSDK Œ MFP/LP Hardware Configuration	79
Scanning Functions: Sending Data Over the Network with the Copier and Scanner (MFP models only)	80
FAX Functions (MFP models only)	80
Network Functions	81
Printer Functions	81
Machine Administrative Functions (MFP models only)	81
Authentication Functions	81
Data Security Considerations	83
Preventing the Installation of Illegal Applications	83
Authentication of SDK Applications at Installation	83
Prevention of Access to Address Book Data and Machine Management Data	85
Protection Against Attacks on Principal MFP/LP Functions, Prevention of Damage to the System	85
Protection Against Attacks from External Sources	85

Match case Limit results 1 per page

Print Controller Design Guide for Information Security

Page 17 of 86

1-4

Protection of MFP/LP Firmware

1-4-1 Firmware Installation/Update

It is possible to update the firmware stored on the MFP/LP using an SD card or via a remote connection.

The following process is used to verify the validity of all firmware introduced into the MFP/LP in the field.

This applies to firmware updates as well as to new installations of MFP/LP options.

Firmware Installation/Update Using an SD Card

Since SD cards themselves are generic items that are widely available for purchase in the field, the

following process is used to prevent the illegal introduction of firmware into the MFP/LP via this storage

media. Briefly stated, a license server assigns a digital signature to the firmware, which the MFP/LP

then uses to authenticate the firmware when it is introduced in the field.

The Ricoh license server applies the SHA-1 algorithm (Secure Hash Algorithm 1) to the program to

generate the value MD1. A private key is used to encrypt this value, which is then used as the

firmware’s digital signature.

The firmware in the SD card is introduced into the MFP/LP via the SD card slot.

3. The MFP/LP checks the firmware to identify the type (e.g. System, Printer, FAX, LCD). It then

verifies that the model name is the same as its own, and in the case of a firmware update, that the

firmware version is newer that the one already installed.

The MFP/LP then applies SHA-1 to the program to generate MD1, after which it uses a public key

to decrypt the digital signature to generate MD2.

If MD1 = MD2, the firmware update process begins.

Using a public key to decrypt the digital signature allows the MFP/LP to verify that the firmware has not

been altered since it was assigned the digital signature by the license server.

The basic identifying information of the firmware (version, type, etc.) is stored in the MFP/LP as the

update is being performed. Therefore, the update can be reinitiated using the same SD card in the

event that it is interrupted by a sudden loss of power or other cause. After recovery is initiated, the

MFP/LP checks to see that the data in the SD card has not been altered, and then resumes the

update.

Digital

signature

Program

3. Generate MD1

using SHA-1

MD1

MD2

Public key

4. Decryption

5. Compare MD1

and MD2

If MD1

≠

MD2

Update process is cancelled

and new firmware is not

installed

If MD1 = MD2

2. Verification of firmware version

6. Firmware is overwritten

with new files

1. Verification of model and target

machine functions (Copier, Printer,

etc.)

Ricoh License Server

Digital signature

2. Generate

digital signature

Program

1. Generate MD

using SHA-1

3. Files are sent

Private key

SD card

"MD": Message Digest

Firmware Update Using an SD Card