
Data Security Part 1 v1

On completion of this module you will have developed a solid understanding of
possible threats concerning data security and how Konica Minolta devices deploy
methods and technology in order to protect data against unauthorized access.

The specific areas and applications covered are:
Sniffing as a means of data theft
The Common Criteria certification for IT systems and devices
The control and limitation of access to MFPs via network
Data protection by encryption
Measures to protect data stored on the MFPs hard disk drive
The Enhanced Security Mode of Konica Minolta MFPs
The monitoring of data security
Module Training Overview
Target audience: all employees and co-workers of Konica Minolta and our partners obtaining the Outward certification level Expert Office Solutions.

Attainment Targets:
To understand the various measures that can be taken to protect image and user data handled and
distributed by the MFP.
To understand how access to the MFP can be defined and limited by appropriate settings.
To know how encryption works and how it is deployed on different levels of the MFP's
operation.
To know which measures and functions are available to protect data that is stored on the MFP's
hard disk drive.
To understand the task of the Enhanced Security Mode and its effects.
To understand how data security monitoring can be carried out in order to maintain a high level
of data security.


2007 KONICA MINOLTA BUSINESS TECHNOLOGIES, INC
All rights reserved. No part of this publication may be reproduced in any form (including electronic
processing, distribution or copying), by any means (printed, copied, micro filmed, or otherwise) without
the prior written permission of the publisher.
The publication is produced and edited with the best care and efforts. Despite the great care taken, errors
cannot be totally excluded. The publisher and the author make no representation or warranties with
respect to the accuracy and completeness of the contents of this publication, and specifically disclaim
any implied warranties. Neither the publisher, nor the author shall be legally liable for the loss or damage
that may result from erroneous information contained in the publication.

Contents
Module Training Overview 2
1 Data security 5
1.1 Introduction 5
1.2 Issues of Data Security 6
1.2.1 Data Theft by Sniffing 7
1.2.2 Data Theft by recovering deleted files 9
1.3 Data Protection Standards 9
1.3.1 The Common Criteria certification 9
1.3.2 EAL Levels 10
1.4 Review questions 11
2 Data Protection for MFPs and Printers 13
2.1 Introduction 13
2.2 Overview 13
2.3 Review questions 16
3 Data Protection by Access Definition for Access via Network 16
3.1 Introduction 17
3.2 IP Filtering 19
3.3 Disabling application protocols 21
3.4 Change of Port Settings 21
3.5 Review questions 23
4 Data Protection by Encryption 23
4.1 Introduction 24
4.2 Encryption Algorithms: DES and AES 26
4.3 Encrypted Transmissions: SSL and TLS 27
4.4 File Encryption and Protection by Applications 29
4.4.1 File encryption and protection by applications used in office environments 29
4.4.2 MFP-based file encryption of scanned documents 30
4.5 Encryption of Print Data Streams 30
4.6 Review questions 34
5 Data Protection on the HDD of MFPs and Printers 36
5.1 Introduction 36
5.2 Hardware Security 36
5.3 HDD Lock Password 37
5.4 Encryption of Files on HDD 37
5.5 Safe Deletion of Files 38
5.5.1 Working method of safe data deletion 38
5.5.2 Safe Deletion of Files on Konica Minolta Devices 39
5.6 Review questions 41
6 Enhanced Security Mode on Konica Minolta MFPs and Printers 43
6.1 Introduction 43
6.2 Preparations for the Enhanced Security Mode 43
6.3 Predefined settings of the Enhanced Security Mode 45
6.4 Review questions 47
7 Monitoring Data Security 47
7.1 Introduction 48
7.2 Log Files 48
7.3 Review questions 51
8 Review questions 52
9 Appendix: Port scanners 54

1 Data security
1.1 Introduction
In general, IT environments have to be considered complex systems. In terms of data security,
unauthorized persons may make use of numerous methods on different levels in order to get
possession of data to which they do not have regular access.
Basically, unauthorized access to data may happen in three areas:
Access to stored data
Access to data transmissions
Access via authorization

On MFPs and other hardware devices such as workstations, servers and also printers, data is
stored on the device's hard disk drive (HDD). A simple way to access this data is to access the
HDD directly, e.g. by removing it from the device and installing it in another device from
which the data on the HDD can be read. A more complex task is to gain access to a network and
to access stored data via the network.
In networks such as LANs or the Internet, data is transmitted between different devices.
Unauthorized persons may scan the network traffic by using appropriate software- or hardware
tools in order to catch desired data. This kind of method for gaining unauthorized access is called
sniffing.
Access to data by regular users is usually controlled by authorization. User authorization is most
often based on user names and passwords (but it may also use biometric methods such as
fingerprint scans). To access data, unauthorized persons may try to get possession of a regular
user's user name and password. There are different methods to get possession of another person's
user name and password. For example, users may write down their user name and password on
a piece of paper which they place in their desk or wallet or even on a pinboard where any person
who enters the room may read it. Users may also disclose their user name and password in a
conversation or over the telephone. To use Internet or web-based services, users usually need to
log in by entering their user name and password into a login mask (e.g. a web page with text
fields where users have to enter their names and passwords). Unauthorized persons often try to
steal this information by providing fake login masks. This method and other similar methods are
called phishing.

Fig. 1: Methods to realize unauthorized access to data
Konica Minolta Business Solutions understands the importance of data security and has invested
in various technologies that ensure data integrity. This module introduces several methods
and technologies which are used to protect data on MFPs and in networks built up around MFPs.
Please note that a secure environment also requires users to adapt their behavior, for example, by
choosing secure passwords and by keeping them secret.

1.2 Issues of Data Security
This chapter highlights two important technical methods that can be used to gain unauthorized
access to data,
sniffing and
the recovery of deleted data.

[Fig. 1 labels: accessing data stored on the MFP's HDD by removing the HDD; accessing the MFP by using the identity (user name, password) of a regular user; accessing data transmitted via network by sniffing. Elements shown: unauthorized user, MFP, HDD, network server, network traffic (e.g. e-mails, print data).]
1.2.1 Data Theft by Sniffing
First of all, sniffing is a technology that was developed to analyze network data traffic and to find
the sources of problems that occur in networks. But the same technology can also be used to spy
out network data traffic and to gain unauthorized access to data.
The central component of data sniffing is a sniffing program that needs to be installed on a
device in the network. This software tool scans the data traffic of the network in the form of IP
packets. By analyzing the IP addresses of sending and receiving network devices and the
protocols used, it is possible to identify particular messages sent via the network. For example, these
messages can be
user names and passwords being transmitted to a network server for authentication,
e-mails being transmitted from an e-mail client to the network's e-mail server, or
documents to be printed by a network printer.

A very popular tool for sniffing is Wireshark (the successor of Ethereal). With Wireshark you
can
capture live network packet data
display detailed protocol information contained in the packets
save, export, and import the packet data
search for certain packets and filter packets on different criteria

By using the appropriate filter definitions it is possible to search for, e.g.,
a particular type of message (e.g. e-mail messages, which use the POP and SMTP
protocols) or
a particular sender or receiver of messages (by using the IP address of the
sender/receiver).


Fig. 1: The Ethereal main window showing a list of scanned packets, their properties and content

Wireshark is also able to recombine complete messages by putting all corresponding IP
packets together again and to store them in a file.
For more detailed information about the operation and options of Wireshark/Ethereal, refer
to the Outward module Advanced Failure Analysis and Error Reporting, chapter File capturing
on the network.

To prevent sniffed data from being read by unauthorized persons, Konica Minolta devices may
deploy data encryption on several levels, for example,
the encryption of data transmissions of web-based applications such as PageScope Web
Connection by using SSL/TLS (see chapters 4.3 and 4.4),
the encryption of print data transmissions by using IPP in combination with SSL/TLS or
JScribe (see chapter 4.5), or
the support of APOP (Authenticated Post Office Protocol; see Data Security Part 2
Authentication, chapter 4.1), which uses encrypted passwords for e-mail download,
and several others.
1.2.2 Data Theft by recovering deleted files
In many cases, files that are deleted from an MFP's hard disk drive can be recovered by using
appropriate tools. Put simply, the problem is that deleted files still reside on the hard disk drive
in the form of magnetic fields. The safe deletion of files requires the removal of these magnetic
fields by overwriting the corresponding areas of the hard disk with new data.
There are several methods available that overwrite original data with patterns of new data in
order to prevent deleted data from being recovered. Konica Minolta devices provide data
overwriting functionality to protect deleted data. For more details about safe deletion of files and
the working method of overwriting data, see chapter 5.5.
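As an added illustration of the overwriting approach described above, the following Go program overwrites a file's content with several patterns before removing the directory entry. It is example code written for this module, not Konica Minolta's firmware and not the exact procedure of chapter 5.5; the pass count and the patterns (all-zero, all-one, random) are assumptions chosen for illustration. On flash storage, journaling file systems or drives that remap sectors, overwriting a file in place does not reach every copy of the data, so per-file overwriting is only a partial measure on such media.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
)

// Overwrite passes used here: all-zero bytes, all-one bits, then random data.
// Assumption: an illustrative pattern set, not the MFP's own overwrite scheme.
var DefaultPatterns = [][]byte{{0x00}, {0xFF}, nil} // nil = random bytes

// OverwriteFile replaces every byte of the file with each pattern in turn,
// flushing each pass to the medium before the next one starts.
func OverwriteFile(path string, patterns [][]byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	buf := make([]byte, 64*1024)
	for _, pat := range patterns {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			chunk := buf[:n]
			if pat == nil {
				if _, err := rand.Read(chunk); err != nil {
					return err
				}
			} else {
				for i := range chunk {
					chunk[i] = pat[0]
				}
			}
			if _, err := f.Write(chunk); err != nil {
				return err
			}
			remaining -= n
		}
		// Sync forces the pass onto the disk instead of leaving it in the page cache.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// SecureDelete overwrites the content with DefaultPatterns, then removes the file.
func SecureDelete(path string) error {
	if err := OverwriteFile(path, DefaultPatterns); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample: a temporary file standing in for a spooled scan job.
	f, err := os.CreateTemp("", "scanjob-*.tmp")
	if err != nil {
		panic(err)
	}
	path := f.Name()
	f.WriteString("CONFIDENTIAL: sales report (constructed sample data)")
	f.Close()
	if err := SecureDelete(path); err != nil {
		panic(err)
	}
	_, err = os.Stat(path)
	fmt.Println("file removed after overwrite:", os.IsNotExist(err))
}
```

The pattern passes are kept separate from the final os.Remove so that the overwrite can be verified on its own: after OverwriteFile with a single pattern, reading the file back must yield only that pattern byte, with the original size unchanged.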

1.3 Data Protection Standards
1.3.1 The Common Criteria certification
Driven by growing threats concerning data security, the Common Criteria for Data Security,
also known as the ISO 15408 standard, were developed by several national security organizations
from Canada, the United States, the United Kingdom, France, Germany, the Netherlands, Spain,
Australia, New Zealand and Japan.
Some of the security concerns addressed by the Common Criteria are
that unauthorized persons gain access to data,
that confidential data may be distributed without control, and
that important information about servers may be hacked.

Version 1.0 of the Common Criteria was developed in 1996 as a combination of US and
European security standards,
the US security standard TCSEC (Trusted Computer System Evaluation Criteria, also
known as Orange Book) which has existed since 1983 and
the European security standard ITSEC (Information Technology Security Evaluation
Criteria) which has existed since 1991.
Versions 2.0 and 2.1 of the Common Criteria were developed in 1998 and 1999, when the
Common Criteria were also proposed to the ISO/IEC standards organization.
Also in 1999, the Common Criteria was approved as international standard ISO 15408.
The Common Criteria define a structured method for evaluating IT systems and devices.
According to the Common Criteria, a structured evaluation is carried out to find security
weaknesses of IT systems and devices which may lead to a disclosure of data, and of confidential
data in particular.
The structure of the evaluation is built up from several levels, so-called Evaluation Assurance
Levels (EALs). Each level defines a set of demands to be met by evaluated systems and devices.
A successful evaluation makes it possible to certify tested systems and devices. Such systems and
devices can be called ISO-15408-certified.

1.3.2 EAL Levels
There are seven EALs available, which can be used as a basis of evaluation. These levels are:
EAL Level 1: On this level, systems and devices are functionally tested. There is no need
for cooperation by the developers of the system/device.
EAL Level 2: In addition to the demands of Level 1, this level requires some information
from the developers about the design of the system/device.
EAL Level 3: On this level, systems/devices are tested and checked methodically (which,
for example, means that the source code management of a software product is checked, but not
the source code itself).
EAL Level 4: On this level, the design phase of a system/device is also evaluated, which
e.g. means that the source code of a piece of software needs to be evaluated before it is
implemented.
EAL Level 5 to 7: These levels require that developers of a system/device utilize formal
specification and verification procedures right from the beginning of the design and
development process.

The demands of EAL Levels 4 and higher may be very time consuming as they not only
evaluate the operation of a system/device, but also its design and development phases. These
EAL levels provide a level of security e.g. required for firewalls deployed by banks or military
organizations.
EAL Level 3 is commonly regarded as appropriate for digital multifunctional products. That is
why Konica Minolta devices are EAL Level 3-evaluated. You find a link to the list of ISO-15408-
certified Konica Minolta products at the following web address:
http://www.konicaminolta.eu/products/business_products/security_and_certification/


1.4 Review questions
Which are the three main areas that unauthorized data access attempts can be divided into?

What does sniffing mean?

How can sniffing programs be used to access data?

What is the Common Criteria used for?

2 Data Protection for MFPs and Printers
2.1 Introduction
Today, MFPs have to be regarded as IT systems which are integrated into IT environments such
as networks. Thus, the data stored on MFPs and handled by MFPs are exposed to the same risks
and threats as any other data created, stored and transmitted in IT environments.
This characteristic of MFPs requires security measures and functions that operate on the same
level as the ones known from conventional IT systems or devices such as workstations,
network servers and operating systems.
As the central device for imaging purposes and document workflows, MFPs handle a lot of a
company's data, for example, in the form of e-mail traffic, sales reports, employee records,
invoices, orders, marketing strategies, or customer lists. Much of this data has to be regarded as
confidential as it may disclose personal information or information that is vital for the success of
the company. For these reasons, Konica Minolta devices are equipped with a range of up-to-date
security-related features and technologies in order to protect data effectively.

2.2 Overview
As outlined in chapter 1, data security concerns can be divided into three basic areas:
The storage of data
The transmission of data
Access to data (by users as well as by applications)

Accordingly, the different security measures and functions of Konica Minolta devices can be
assigned to these areas:
Storage of data is the purpose of the MFP's HDD. There are different approaches to protect the
data on the HDD:
The HDD is protected against removal by using special screws and jigs and by the design
of the MFP which makes it difficult and time-consuming to remove the HDD (see chapter
5.2).
The HDD can be protected by assigning an HDD Lock Password which binds the HDD to
the original MFP. If the HDD is removed and connected to another device, the HDD
Lock Password prevents access to the HDD (see chapter 5.3).
Data on the HDD can be encrypted. This makes it difficult if not impossible for
unauthorized persons to read the data stored on the HDD (see chapter 5.4).
Data on the HDD will be deleted after some time, either in the case of temporary files
which only have to reside on the MFP for the duration of a particular operation, or in the
case of the MFP's disposal when all the data on the HDD is deleted before the MFP e.g.
is handed back to the dealer. Data overwriting functions make it possible to completely
remove files from the HDD so that deleted files cannot be recovered afterwards (see
chapter 5.5).

Transmission of data from the MFP to the network or vice versa occurs in many cases:
For example, scanned documents are transmitted to the network by using Scan-to-
Destination functions.
Print data streams are transmitted to the MFP, if documents are to be printed from a
workstation of the network.
Users submit their authentication data to the MFP, if they e.g. use web-based applications
for configuration, administration and management purposes.
All this data needs to be transmitted via network and, thus, is vulnerable to threats such as
sniffing. To protect transmitted data, the MFP makes use of several encryption methods:
Web-based application data can be protected by using SSL/TLS (see chapters 4.3 and 4.4).
Current versions of application protocols, which include encryption capabilities, are
supported (for example, APOP which makes use of password encryption when e-mails
are downloaded; see Data Security Part 2 Authentication, chapter 4.1).
Print data streams sent to the MFP can be protected by IPP combined with SSL/TLS or
JScribe (see chapter 4.5).

To limit the access of data to authorized persons, Konica Minolta devices deploy several
authentication methods:
Users have to enter their user name and password before they can access the MFP and the
data on it. They can also be forced to choose secure passwords which are difficult to guess
for unauthorized persons.
MFPs may not only use internal authentication which is set up directly on the MFP. They
may also use authentication services provided by the network (e.g. in the form of
Windows Active Directory).
MFPs support several protocols and their authentication methods (for example, APOP,
SMTP, POP-before-SMTP, SNMP, IEEE802.1x).
On the user operation level, access to user boxes and system user boxes is password-
protected, as is the printing of confidential documents by using the Secure Print
function.
For more information on authentication with Konica Minolta devices refer to the Outward
module Data Security Part 2 Authentication.
The access to the MFP can also be controlled by defining IP addresses and application protocols
which are either allowed or denied or set up individually to access the MFP (see chapter 3).
In addition, Konica Minolta devices provide
log files that record security-related events and corresponding information and make it
possible to detect possible threats (see chapter 7) and
the Enhanced Security Mode which automatically makes several security-related
settings (see chapter 6).

2.3 Review questions
Which measures and functions are available on Konica Minolta devices to protect data stored on an MFP's hard disk drive?

Which measures and functions are available on Konica Minolta devices to protect data that is transmitted via network?

Which authentication measures are deployed on Konica Minolta devices?

3 Data Protection by Access Definition for Access via Network
3.1 Introduction
Modern MFPs are mainly used via their network connection. For example, this network
connection makes it possible to
send print jobs to the MFP from your workstation,
use TWAIN scanning in order to load scanned data directly into a TWAIN-compatible
application on your workstation,
send scanned image data directly to e-mail accounts, ftp servers or shared folders
within the network, and in general
use the MFP as a communication device and a distribution point for image data and
documents.

At the same time, the MFP's network connection is also a weak point which makes it vulnerable
to network technologies which are used to spy out data on network devices. The network
connection is a possible point of entry for people attempting to retrieve data for which they are
not authorized.
Disabling the network connection would be the simplest way to prevent this kind of unauthorized
access to data. Of course this is not possible, as the value of the MFP is based for the most part
on its network capabilities. But it is possible to lower the risk of data theft via network
connections by applying some methods which make it possible to control and limit access to the
MFP via networks.
In this chapter you get to know three methods which can be used to define the access to the
MFP via networks and which can be used to limit the network access to an extent that meets the
requirements of the environment the MFP is operated in:
IP filtering
Disabling application protocols
Changing port settings

By IP filtering, you are able to define which other network devices are allowed to access the
MFP and which are denied access to it. IP filtering allows you to block access from untrusted
devices and to grant access only to those addresses whose users require access to the MFP or
can be trusted in terms of data security.
Disabling application protocols makes it possible to prevent access to the MFP via particular protocols or
related applications. This more technical approach reduces the possible methods unauthorized
persons may use to spy out the MFP.
Changing port settings allows required application protocols and related applications to be used, but
the protocols and applications are shifted from standard ports to individual ports. Each protocol
which is enabled because it is required for working with the MFP is still a possible entrance for
unauthorized access. But shifting these protocols to individual ports protects the MFP against
many methods used to spy out network devices, as these methods only work as long as the
corresponding protocol uses the standard port. Nevertheless, this kind of protection is considered
a weak security measure which cannot prevent targeted attacks.

The combination of the three methods introduced in this chapter allows network access to the
MFP to be limited to only the network devices and applications selected, while hiding the
protocols which are still in use.

Fig. 1: Methods to control and limit network access to MFPs

[Fig. 1 labels: access denied or allowed by IP filtering towards the MFP; Application A accessing the MFP via Port X (Port X disabled: access not possible); Application B accessing the MFP via Port Y (standard Port Y enabled: access possible); Application C accessing the MFP via Port Z (Port Z enabled and set individually: access possible).]
3.2 IP Filtering
IP filtering makes it possible to allow or deny other network devices access to the MFP. These
other network devices, such as workstations in the network, are identified by their IP addresses;
by specifying the IP addresses of devices, these devices are explicitly allowed or denied access to
the MFP.
Specifying the settings for IP filtering consists of two components:
You have to choose whether the specified IP addresses should be allowed or denied
access to the MFP.
You have to specify the IP addresses or ranges of IP addresses.

The option to choose between allowing and denying access lets you make the required
settings conveniently:
Scenario 1: There are a few particular devices that should be allowed to access the MFP.
All other network devices should be denied access to the MFP. In this case, the easiest
way to make the settings is to choose Permit Access and to specify the few devices which
should be allowed to access the MFP; all the other devices are automatically denied
access. If you chose Deny Access instead, you would have to specify the IP
addresses of all the other devices.
Scenario 2: There are a few particular devices that should be denied access to the MFP
and all other network devices should be allowed access. In this case, you would choose
Deny Access and specify the few devices which should be denied access.
Other scenarios: As you are able to specify IP address ranges, you may group
several devices by specifying one appropriate IP address range and allow or deny the
devices of this range access to the MFP. The most useful combination of the Permit/Deny
Access option and the specified address ranges depends on the actual structure of the
network (which devices should be allowed or denied access and which IP addresses are
assigned to these devices). There are numerous possibilities and some initial
consideration may be required to find the most effective way to specify the IP filtering.
An example of applying IP filtering is shown in Fig. 2. There are two devices allowed to access
the MFP:
The administrator's PC (1a in Fig. 2)
The print server (1b in Fig. 2)
All other devices, such as the normal users' PCs, are not allowed to access the MFP directly (2 in
Fig. 2).
To make the corresponding settings, you choose the Permit Access option for the IP
addresses 192.168.14.5 and 192.168.14.10. Now, the administrator's PC and the print server are
allowed to access the MFP. All other devices (e.g. IP 192.168.14.16 and 192.168.14.18 of normal
users' PCs) are automatically denied access to the MFP.
Note that printing from a normal user's PC to the MFP is still possible by sending the print job
via the print server (3 in Fig. 2).

Fig. 2: Example for applied IP filtering
[Fig. 2 labels: access denied or allowed by IP filtering; Admin PC 192.168.14.5 (1a); print server 192.168.14.10 (1b); normal user PCs 192.168.14.16 and 192.168.14.18 (2); print job from a normal user PC routed via the print server (3); MFP.]
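To make the Permit/Deny logic of the two scenarios concrete, here is an added Go model of the filter decision (example code written for this module, not the MFP's own firmware). It assumes that the settings page takes address ranges as inclusive start/end pairs and that a single host is entered as a range of one; the names IPFilter, AddRange, Allowed and Scenario1Filter are the example's own. Scenario1Filter reproduces the Fig. 2 configuration with the page's addresses, and the Deny Access mode is modelled as the exact complement.

```go
package main

import (
	"fmt"
	"net/netip"
)

// FilterMode mirrors the MFP's Permit Access / Deny Access choice.
type FilterMode int

const (
	PermitAccess FilterMode = iota // listed addresses may access, all others are denied
	DenyAccess                     // listed addresses are denied, all others may access
)

// addrRange is an inclusive start..end range; a single host is a range of one.
type addrRange struct{ start, end netip.Addr }

// IPFilter holds the mode and the configured addresses or ranges.
// Assumption: ranges are entered as start/end pairs on the settings page.
type IPFilter struct {
	Mode   FilterMode
	ranges []addrRange
}

// AddRange registers an inclusive range; pass the same value twice for one host.
func (f *IPFilter) AddRange(start, end string) error {
	a, err := netip.ParseAddr(start)
	if err != nil {
		return err
	}
	b, err := netip.ParseAddr(end)
	if err != nil {
		return err
	}
	if a.Is4() != b.Is4() || b.Less(a) {
		return fmt.Errorf("invalid range %s-%s", start, end)
	}
	f.ranges = append(f.ranges, addrRange{a, b})
	return nil
}

// listed reports whether the address falls inside any configured range.
func (f *IPFilter) listed(a netip.Addr) bool {
	for _, r := range f.ranges {
		if r.start.Is4() == a.Is4() && !a.Less(r.start) && !r.end.Less(a) {
			return true
		}
	}
	return false
}

// Allowed decides whether the client may reach the MFP under the configured
// mode: in Permit mode only listed addresses pass, in Deny mode every address
// passes except the listed ones.
func (f *IPFilter) Allowed(client string) (bool, error) {
	a, err := netip.ParseAddr(client)
	if err != nil {
		return false, err
	}
	hit := f.listed(a)
	if f.Mode == PermitAccess {
		return hit, nil
	}
	return !hit, nil
}

// Scenario1Filter builds the Fig. 2 configuration: only the administrator's
// PC (192.168.14.5) and the print server (192.168.14.10) are permitted.
func Scenario1Filter() *IPFilter {
	f := &IPFilter{Mode: PermitAccess}
	f.AddRange("192.168.14.5", "192.168.14.5")
	f.AddRange("192.168.14.10", "192.168.14.10")
	return f
}

func main() {
	f := Scenario1Filter()
	for _, c := range []string{"192.168.14.5", "192.168.14.10", "192.168.14.16", "192.168.14.18"} {
		ok, _ := f.Allowed(c)
		fmt.Printf("%-15s allowed=%v\n", c, ok)
	}
}
```

Because the two modes are exact complements, the same address list yields opposite decisions when the mode is flipped; this is why Scenario 1 is shorter to configure in Permit mode and Scenario 2 in Deny mode, as the text explains.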
3.3 Disabling application protocols
Based on TCP/IP, there are a number of application protocols which are used to provide
particular services. For example, these protocols are HTTP for web services, FTP for file
transfers or LDAP for particular directory services.
The application protocols are assigned to particular TCP/IP ports:

Protocol   TCP/IP port number
FTP        20 (data transfer), 21 (control: login, commands etc.)
SMTP       25
HTTP       80 (default), 8080 (alternate)
POP3       110
SNMP       161, 162
LDAP       389
HTTPS      443

Ports can also be used to gain unauthorized access to network devices such as an MFP. For
example, numerous worms and trojan horses use particular ports to transmit and receive data.
Enabled ports are necessary if a corresponding application is to be used. For example, if the
MFP is to be controlled or configured via a web-based application such as PageScope Web
Connection, port 80 or port 8080 must be enabled as these ports are used by HTTP.
But it is useful to disable all ports which are not required, in order to raise the security level. For
example, if a function like Scan-to-email is not used, the POP and SMTP protocols are not required
and the corresponding ports 110 and 25 can be disabled. Then, these ports are no longer available
for unauthorized access.

3.4 Change of Port Settings
In the prior chapter, you learned that ports should be disabled if the corresponding protocols and
applications are not used. These disabled ports are not available to threats like worms and trojan
horses and cannot be used to e.g. spy out the MFP's data.
You also learned that ports which are required for the protocols and applications in use need to be
enabled. Of course, these enabled ports are also available to threats such as worms and trojan
horses, which e.g. may install some kind of spyware on the MFP. But this is an unlikely event
due to the utilization of the VxWorks operating system which is very rarely subject to these kinds
of attacks.
Many worms and viruses use particular ports. Usually, these ports are also used by popular
protocols and applications such as FTP, POP or HTTP, as most of the computers connected to the
Internet have these ports enabled to support the corresponding applications.
To minimize the risks caused by enabled ports, the port settings can be changed. This means that
particular protocols and applications do not use the standard ports (such as port 25 for SMTP),
but some other ports. The new port numbers must be specified in the MFPs settings (usually in
the TCP/IP settings) and they must be also used by the clients that access the MFP and the
servers that the MFP accesses.
The advantage of changing port settings is that the MFP no longer uses standard ports linked to
popular applications. Instead, these applications use individual port numbers, which are not
related to the standard ports of these applications. In this way, you eliminate threats aiming at
popular standard ports.
But be aware that this measure does not protect the MFP against a targeted attack. For example,
even if standard ports are disabled and protocols and applications are shifted to individual ports,
attackers are able to find these enabled ports by using port scanner programs (see Appendix: Port
Scanners for a brief description of the working method of port scanners).

3.5 Review questions
Describe how IP filtering can be deployed to control access to the MFP via network.

How is data protected by disabling application protocols?

How is data protected by changing port settings?

4 Data Protection by Encryption
4.1 Introduction
Encryption is a method to protect data against unauthorized access. Actually, encryption protects
data that might be accessed, for example, in an IT environment by sniffing. By applying
encryption methods to data, that data is turned into a form that is not easy to interpret without the
decryption key. To turn encrypted data back into the original form you need to apply the
appropriate decryption method. Thus, unauthorized persons may obtain encrypted data, but if
they do not know the appropriate decryption method, they cannot access and use the original
data. Of course, authorized persons must be the only persons who have access to the required
decryption method.

Almost all encryption methods use a special parameter, the so-called key. To decrypt an
encrypted message, you need to know which encryption method was used (or which
corresponding decryption method is to be used) and additionally you need to know the correct
key to make decryption work correctly.
With modern encryption methods, the key is usually a character string of a defined length. For
example, encryption methods may use 44-bit keys, 56-bit keys, 128-bit keys or even longer keys.
The length of the key affects the security level of an encryption method. The simplest, but
also a very time-consuming, way to crack a key is to try out each possible combination of
characters. This method is called a brute force attack. The longer the key, the more possible
combinations you have to try out. That is why short keys are cracked more quickly than long
keys. To reduce the time required to crack a key, some programs use a dictionary because most
users build their keys or passwords from real words. But the design of an encryption method also
plays an important role and some methods with shorter keys are harder to crack than other
methods using longer keys.
As computers become more and more powerful, the time required to try out a number of different
combinations decreases and approved encryption methods become obsolete after some time.

Basically, there are two kinds of encryption methods:
- symmetric encryption methods and
- asymmetric encryption methods.

With symmetric encryption methods, the sender encrypts his message or data with the same
key the receiver uses to decrypt the data. The problem with symmetric encryption methods is that
the sender not only has to transfer the encrypted data to the receiver, but also the key which is
required to decrypt the data. The transmission of the key from the sender to the receiver requires
additional security measures.

Fig. 1: Symmetric encryption method
With asymmetric encryption methods, two kinds of keys are used, one for the encryption of
data and one for the decryption of data. Asymmetric encryption methods use a public key and a
secret key, called the private key. Both keys are related to each other as the private key is used
to generate the public key (but it is not possible to identify the private key if you just know the
public key).
Each participant of encrypted communication needs to have a public key and a private key. A
participant publishes his public key and anyone who wants to send this participant encrypted data
uses the public key of the participant to encrypt the data. The private key is kept by the
participant and he uses it to decrypt arriving data.

Fig. 2: Asymmetric encryption method
[Diagram labels for Fig. 1 and Fig. 2: Sender, Plain data, Encrypted data, Receiver; Fig. 1 shows one shared Key, Fig. 2 a Public key on the sender side and a Private key on the receiver side.]

Compared to symmetric encryption methods, the advantage of asymmetric methods is that
participants do not have to interchange secret keys to make communication work. With
symmetric methods, the distribution of secret keys always requires additional security measures,
because communication is no longer protected if the secret key is known by unauthorized
persons.
The public key of asymmetric methods is only used to encrypt data, but you cannot decrypt data
with a public key. Thus the public key can be known by anyone and the distribution of public
keys among the participants of a protected communication does not require any security
measures.

4.2 Encryption Algorithms: DES and AES
DES and AES are symmetric encryption methods used to encrypt data.
In the 1970s, DES (Data Encryption Standard) was developed in the USA by the NBS (the
National Bureau of Standards), IBM and the NSA (the National Security Agency). The aim was to
provide a powerful encryption method for civil purposes, for example, for confidential data
interchange between authorities (at that time, military encryption methods were already well
developed).
DES is a symmetric encryption method that uses a 56-bit key. This key provides 2^56 or roughly
72 quadrillion possible combinations.
In 1976, DES became the official standard for the US government. DES is also supported by the
SSL protocol (see next chapter for information about SSL). Today, DES may still be in use in the
form of 3DES (or Triple-DES). With 3DES, data is encrypted in three steps, each step using
the conventional DES method. By this, 3DES provides a 168-bit key which makes 3DES nearly
as secure as modern encryption methods that use 128-bit keys.

In the late 1990s, AES (Advanced Encryption Standard) was developed, and later the US National
Institute of Standards and Technology (NIST, the former NBS) announced it as the successor of
DES.
There are three versions of AES, each one using either a 128-bit, 192-bit, or 256-bit key.
Accordingly, the three versions are called AES-128, AES-192, and AES-256. Like DES, AES is
a symmetric encryption method.
AES is widely used or at least supported by numerous protocols and applications, for example,
by TLS (see next chapter for information about TLS) and the IEEE 802.11i security protocol for
wireless LAN.

4.3 Encrypted Transmissions: SSL and TLS
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are encryption protocols. SSL and
TLS belong to the TCP/IP protocol family.
In the OSI layer model, SSL and TLS are located between application protocols such as HTTP or
POP and the transport protocol TCP. The tasks of SSL and TLS are
- to encrypt application data generated by application protocols before TCP/IP passes on
the data over the network,
- to create a checksum of the data to prevent it from being altered and
- to authenticate the server so that the client can be sure to actually communicate with the
desired server.

Fig. 1: SSL and TLS: Task and position in the OSI protocol stack
[Diagram labels: Sender, Receiver; Application protocol, SSL/TLS, Transport protocol and lower OSI layers; Plain data, Encrypted data.]

SSL and TLS provide the following main advantages:
- Data encryption makes it possible to prevent data from being monitored and altered.
Unauthorized persons are not able to read the data transmitted via network and they are
also not able to modify and falsify the data on its way to the intended addressee.
- Server authentication makes it possible to prevent unauthorized servers from pretending
that they are the addressed server.

SSL and TLS are used in combination with application protocols which do not provide their own
security features. For example, SSL and TLS are used in combination with HTTP to protect web
data against unauthorized access. SSL and TLS are also used in combination with LDAP,
OpenAPI, SMTP, POP and IPP.
The versions of SSL and TLS in use at the time of this writing are
- SSL 2.0 and 3.0 and
- TLS 1.0 and 1.1.
TLS 1.0 and 1.1 are regarded as the successors of SSL 3.0 and may also be referred to as SSL
3.1.

For example, HTTPS connections using SSL or TLS are established in two basic steps:
1. The server transmits a certificate to the client in order to authenticate itself. The client
checks the certificate and if it is correct, client and server prepare for the encrypted data
transmission.
2. An encrypted data connection is established between server and client and data
transmission starts.

Certificates are used by SSL and TLS to ensure that a client actually connects to the desired
server. These certificates are issued by a Certificate Authority (CA) which needs to be a trusted
institution. A server uses a certificate in the same way we use our passport.
The use of certificates requires some preparations:
- The CA issues and distributes its own certificate. This certificate has to be installed on
the client (or more precisely: in the client's web browser). If this certificate of the CA is
installed on the client, the client is able to recognize web servers' certificates that have
been issued by the same CA.
- The web server (or more precisely: the institution that runs the web server) orders a
certificate from the CA. The CA checks the required declarations and then issues a
certificate for that web server.
Now, the web server is able to authenticate itself by using the certificate issued by the CA, and
the client is able to check the web server's certificate by using the CA's own certificate that is
installed in the web browser.
Please note that Konica Minolta MFPs may request a certificate from a CA, but they may also
issue a self-signed certificate. This self-signed certificate is also called a private certificate (in
contrast to public certificates issued by a CA). The MFP can use both private and public
certificates to enable encrypted SSL/TLS communication. However, if the MFP uses a private
certificate, this certificate cannot be used to authenticate the MFP, as no CA vouches for the
identity of the MFP. Thus, the client cannot be sure that it is connected to the desired MFP.
Once the web server's certificate has been checked by the client, the exchange of encrypted data is
ready to start. Data to be exchanged is encrypted by a symmetric encryption method; this is done
because symmetric encryption methods allow faster encryption/decryption than
asymmetric encryption methods and, thus, allow faster data exchange.
The problem with symmetric methods is that both participants, client and server, need to use the
same key which has to be exchanged between them before encrypted data can actually be
exchanged (see chapter 4.1). This is why in a first step client and server exchange the required
key by using an asymmetric encryption method which allows the key to be transmitted in a
secure fashion (also see chapter 4.1). Accordingly, these are the two basic steps of data exchange
within an SSL/TLS connection:
1. The client generates a key to be used for encrypting and decrypting data during the
session. This session key is then transmitted to the server. The transmission of the session
key is encrypted by using an asymmetric encryption method which is based on the public
and private keys which are parts of the certificates.
2. When the server knows the session key, client and server are ready to start the encrypted
data transmission. This data transmission is encrypted based on a symmetric encryption
method which uses the session key.
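The two-step exchange just described, the asymmetric key transport of chapter 4.1 followed by the symmetric session of chapter 4.3, as an added example that is not part of the original module: textbook RSA over two fixed Mersenne primes and a SHA-256 keystream are stand-ins I chose for the real algorithms, so the block shows the data flow, not production cryptography.

```python
"""Toy model of the SSL/TLS session-key exchange (chapters 4.1 and 4.3).

Added example, not Konica Minolta code. Textbook RSA without padding and a
SHA-256 counter keystream stand in for the real algorithms (padded RSA, AES);
they illustrate the data flow only and must not be used to protect real data.
"""
import hashlib
import secrets

# Constructed "certificate" key material (assumption): the Mersenne primes
# 2**127 - 1 and 2**89 - 1 are small enough to read and large enough for the
# modulus to hold a 128-bit session key as a single integer.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                           # public exponent (gcd with phi is 1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, Python 3.8+


def rsa_encrypt_key(session_key: bytes, public_key=(E, N)) -> int:
    """Client side: wrap the symmetric session key under the server's public key."""
    e, n = public_key
    m = int.from_bytes(session_key, "big")
    assert m < n, "session key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt_key(ciphertext: int, private_key=(D, N), length: int = 16) -> bytes:
    """Server side: recover the session key with the private key."""
    d, n = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def keystream(session_key: bytes, nbytes: int) -> bytes:
    """Counter-mode keystream derived from the session key (toy stream cipher
    built from SHA-256; real TLS uses a block or stream cipher such as AES)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def symmetric_encrypt(session_key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same key and call decrypt (symmetric method)."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


symmetric_decrypt = symmetric_encrypt


def session_exchange(plain: bytes) -> dict:
    """Run both steps of the exchange and report what each side ends up with."""
    # Step 1: the client generates a random session key and sends it RSA-wrapped.
    client_key = secrets.token_bytes(16)
    wrapped = rsa_encrypt_key(client_key)
    server_key = rsa_decrypt_key(wrapped)
    # Step 2: application data travels under the shared symmetric session key.
    on_the_wire = symmetric_encrypt(client_key, plain)
    received = symmetric_decrypt(server_key, on_the_wire)
    return {
        "keys_match": client_key == server_key,
        "wire_is_plaintext": on_the_wire == plain,
        "received": received,
    }


if __name__ == "__main__":
    print(session_exchange(b"scan job 0815: confidential"))  # constructed payload
```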

4.4 File Encryption and Protection by Applications
4.4.1 File encryption and protection by applications used in office environments
There are several applications that provide users with the option to encrypt application files and
protect them by a password. Protected files can only be opened and/or modified if the user (or
any other user) enters the correct password.
Two popular applications used in office environments, Adobe Acrobat and Microsoft Office,
offer password protection for application files:
- Microsoft Office provides password protection for files on different levels, for example:
  - Entire documents can be password protected against being opened and modified.
  - Elements of a document such as formulas in Word files or diagrams in Excel files can be
password protected against being modified.
- Adobe Acrobat provides
  - password protection, e.g. against unauthorized opening, modifying and printing of PDF
documents,
  - the possibility to define a list of a PDF document's recipients and to define individual
access options for each recipient by using digital ID certificates of the recipients.

These file encryption and protection methods are not directly related to data protection features
of MFPs, but they are in general useful in document workflows set up in office environments
which may be built up around MFPs.
Note that both encryption methods are weak and easily cracked and provide only a superficial
level of security which protects data only against the average office user, but not against targeted
attacks.

4.4.2 MFP-based file encryption of scanned documents
When you are scanning a document, there are several file formats available for storing the image
data. If you select the PDF format or the Compact PDF format for storing the image, file
protection through encryption is available as an option. The available encryption settings are
- the encryption level,
- a password for protecting the file against unauthorized access, and
- a password for protecting the authority of the file.
There are two available encryption levels, a low quality level for basic security and a high quality
level for a higher level of security.
It is an important security feature to have the option to select a file format with encryption
capabilities and to specify encryption settings before the document is actually scanned. By this,
the file is protected against unauthorized access as soon as it is initially generated through
scanning and before it is transmitted on to the network.

4.5 Encryption of Print Data Streams
The encryption of print data streams protects documents that are to be printed. For example,
when a document is to be printed, the print job is transferred from the user's workstation to the
printer via network. Depending on the actual printing technology, the print data is transmitted
e.g. in the form of EMF, PCL or PostScript files. These files do not protect the data they
contain. Anyone who is able to catch such a file from the network is also able to read the
document.
The encryption of print data streams protects print data in the case that these data are caught from
the network on the way to the printer. Basically, the encryption of print data streams requires two
components:
- On the client (for example, the workstation on which a print job is triggered), a piece of
software needs to encrypt the print data and to pass the encrypted print data on to the
printer like any other print job.
- On the printer, another piece of software needs to decrypt the encrypted print data before
it is passed on to the print engine (or, prior to that, to the required interpreter of the
original printer language, e.g. a PCL interpreter).

There are different approaches to the encryption of print data streams, depending on the
technology used to submit print jobs. Two popular solutions for encrypting print data streams are
- IPP in combination with SSL/TLS and
- JScribe.

IPP (Internet Printing Protocol) is a member of the TCP/IP protocol family. Like other
application protocols (such as HTTP or POP), IPP can be combined with SSL/TLS in order to
protect the submitted data by encryption.
- On the client, print data is generated with the help of IPP. Before the print data is passed on
to the printer via network with the help of the IP and TCP protocols, the SSL or TLS
protocol is used to encrypt the print data (to use SSL/TLS, the printer port must be
created by using a printer address in the form https://<printer address>).
- On the printer (or print server), the print data delivered by IP and TCP is first
decrypted on the SSL/TLS level before it is passed on to IPP and finally to the
interpreter and print engine.

Fig. 1: Encryption of print data streams with IPP and SSL/TLS
[Diagram labels: IPP client, Printer; IPP, SSL/TLS, Transport protocol and lower OSI layers; Plain data, Encrypted data.]
See chapter 4.3 Encrypted Transmissions: SSL and TLS for more information about the working
method of SSL/TLS.

JScribe is a JavaScript-based and object-based programming language. It allows JScribe
applications to be downloaded to and stored on the MFP. JScribe is available on most bizhub
products. In addition it provides some encryption functionality:
- On the client, a special port monitor is installed which encrypts the print data before it is
passed on to the network and the addressed printer in the network. Prior to the port
monitor, the print job is handled in the same way as any other print job.
- On the printer, a decryption service receives the print data, decrypts it and passes it on to
the interpreter and print engine.

In contrast to IPP combined with SSL/TLS, JScribe provides some additional features:
- As an additional component, JScribe provides so-called Secure Servers which act as
print servers for JScribe-encrypted print jobs. On the Secure Server, encrypted print data
may be stored temporarily. The Secure Server is able to automatically select JScribe-
capable printers and pass on print data to these printers. Thus, the user does not need to
specify the target printer when he triggers the print job.
- JScribe also provides authentication functions. The printer can be told to hold back the
print job until the user arrives at the printer. Then the user has to prove his identity, for
example, by his fingerprint or by entering a PIN. Only when user authentication is
successful does the printer actually print the job, and the user is able to directly receive
the printed document (this function can be compared to the Secure Print function which is
already installed in some Konica Minolta devices).

4.6 Review questions
- What is the difference between symmetric and asymmetric encryption methods?

- How does the encryption of data transmissions by using SSL/TLS work?

- Which possibilities do applications provide to encrypt files?

- Describe the working method of print data stream encryption by using IPP in
combination with SSL/TLS.

- Describe the working method of print data stream encryption by using JScribe.

5 Data Protection on the HDD of MFPs and Printers
5.1 Introduction
The protection of data stored on the MFP's HDD includes several measures on hardware and
software levels:
- On the hardware level, the HDD can be protected against unauthorized removal by the use
of special screws and jigs as well as by the general design of the MFP (see chapter 5.2).
- On the software level, there are several measures to protect the data stored on the HDD:
  - An HDD Lock Password prevents the data on the HDD from being accessed in the case
that the HDD was removed and installed in another device such as a PC or another MFP
(see chapter 5.3).
  - Data encryption on the HDD makes it difficult if not impossible to read the data on the
HDD if an unauthorized person somehow gained access to the HDD (see chapter 5.4).
  - The safe deletion of data makes use of data overwriting. Thus, it is difficult if not
impossible to restore data which has been deleted by data overwriting methods (see
chapter 5.5).

5.2 Hardware Security
A very basic, but also very important step in protecting the data on the MFP's HDD is to prevent
unauthorized persons from removing the HDD mechanically. If such a person is not able to
remove the HDD from the MFP, the only alternative is to steal the whole MFP (which is a far
more difficult undertaking than just stealing an HDD).
Of course, it is not possible to install the HDD in a way that the HDD cannot be removed
anymore. The HDD must be removable for service purposes, for example, if the HDD has to be
replaced.
But, basically, there are two approaches to make it very difficult and time-consuming to remove
the HDD:
- The location of the HDD inside the MFP requires several covers and a high number of
screws to be removed first. This makes the removal of the HDD very time-consuming.
- Additionally, special screws and jigs can be used to install the HDD. These components
require special tools so that the HDD cannot be removed with standard tools such as Allen
keys, flat spanners or cross-tip screwdrivers.

5.3 HDD Lock Password
The HDD Lock Password function protects the data on the MFP's HDD against unauthorized
access if the HDD is removed from the original MFP and built into another device.
The HDD Lock Password function allows you to assign a password to the HDD. Actually, you
assign a password to the combination of an MFP and its HDD. The password binds the HDD to
that MFP. This password ensures that the HDD can only be used with that MFP and not with
other devices (even MFPs of the same type) unless the password is known.
The HDD Lock Password is assigned to the MFP and to its HDD. Each time the HDD is accessed
by the MFP, the passwords of the MFP and of the HDD are compared. If both devices use the
same password, the MFP is permitted to access the HDD.
It is very difficult to access a password-protected HDD, if the HDD is not installed in the original
MFP. If the HDD is installed in another device like another MFP or a PC, this device does not
provide the correct password or any password and it is not able to access the HDD and the data
on it without applying additional measures to crack the password.

5.4 Encryption of Files on HDD
In addition to the HDD Lock function, data on the MFP's HDD can also be protected by data
encryption. If data encryption is enabled, all files written to the HDD are encrypted before they
are stored on the HDD. Thus, if the HDD is removed and accessed by unauthorized persons, the
data is still protected, as there is only encrypted data on the HDD.
Data encryption can be carried out by software or hardware.
In the case of software-based encryption, an encryption program is installed on the MFP and
encrypts data that is to be stored on the HDD or respectively decrypts data that is read from the
HDD.
In the case of hardware-based encryption, an encryption board is installed ahead of the HDD.
Data that is to be written onto the HDD first passes the encryption board. On the encryption
board, the data is encrypted and then passed on to the HDD or it is decrypted on the board when
it is accessed from the MFP.
Both encryption methods, software-based and hardware-based, provide typical
advantages:
- Software-based encryption can be realized by just adding a program to the MFP. There
is no hardware that has to be installed manually. Thus, there are no costs caused by
special hardware and by the hardware installation procedure.
- Hardware-based encryption is realized by special hardware, the encryption board. This
board provides its own processing power. Thus, encryption can be carried out without
occupying processing power of the MFP's processor and without slowing down the MFP
as a whole (in the case of software-based encryption, the encryption program is executed
by the MFP's processor and the processor is not fully available to the original tasks of the
MFP). Additionally, compared to software-based encryption, the encryption board is
able to provide more sophisticated encryption which is harder to crack. To maintain the
highest possible level of processing power and data security, Konica Minolta devices
exclusively use hardware-based data encryption.

5.5 Safe Deletion of Files
The safe deletion of files is far more complex than, for example, just deleting files by dragging
and dropping them into the recycle bin. What makes safe data deletion so complex is the working
method of hard disks and operating systems. The working method of safe data deletion is
described in the first section of this chapter.
On Konica Minolta MFPs, safe data deletion methods are deployed in two areas. These areas are
the safe deletion of temporary files and the secure end-of-life file deletion, which are described in
the second section.

5.5.1 Working method of safe data deletion
When data is stored to the hard disk, the data in the form of 0s and 1s is turned into
different magnetic fields on the surface of the hard disk's platters. To make it possible to find
the correct data, for example, if you want to access a particular file stored on the hard disk, the
location of the data on the hard disk's platters is stored in index files managed by the operating
system such as the File Allocation Table (FAT). These index files contain information that
identifies the physical and logical location of stored files. The physical location refers to the
physical sections of the hard disk where the data is stored in the form of magnetic fields; the
logical location refers to the partition and directory a file is stored in.
If data is deleted, the corresponding magnetic fields on the hard disk are not automatically
removed. For example, if you delete a file by dragging and dropping it into the recycle bin, the
corresponding magnetic fields on the hard disk are not changed or deleted. Only the logical
location of the file is changed in the relevant index file: the file no longer appears in its
original directory, but in the directory of the recycle bin. Finally, if you empty the recycle bin,
the file seems to be deleted completely. But this step only deletes the index file's reference to the
data on the hard disk. Now there is just no reference to any logical location of the file available
and the file appears to be deleted, but the corresponding magnetic fields still exist on the hard
disk. These magnetic fields are not changed until new data is written to the corresponding
sections of the hard disk's platters. As long as no new data is written to these sections, the
original file can be restored quite easily.
To delete data in a safe fashion, the original data on the hard disk needs to be overwritten. But
data may still be restored if it is overwritten just once or a few times. The reason for this is
that the magnetic fields representing the old data affect the new magnetic fields representing the new
data. For example, a strong magnetic field on the hard disk's surface may represent a 1 and a
weak magnetic field may represent a 0. If a 1 is overwritten by a 0, the strong magnetic
field needs to be reduced, but the strength of the magnetic field is not reduced completely. The
resulting magnetic field is still slightly stronger than the field which originally represented a 0.
This small deviation can be measured with appropriate equipment and it is still possible to restore
overwritten data even after it has been overwritten repeatedly.
For this reason, different institutions have developed several methods to overwrite data. Basically, all
these methods make use of overwriting data repeatedly with different patterns of data. The aim is
to generate a pattern of magnetic fields on the hard disk's surface from which you cannot restore
the original data.

5.5.2 Safe Deletion of Files on Konica Minolta Devices
The operation of MFPs requires two different kinds of safe data deletion:
- the safe deletion of temporary files and
- the secure end-of-life data deletion.

During the operation of an MFP, temporary files are generated again and again on the MFP's
hard disk. The storage of temporary files on the HDD may be necessary for all user operations
such as copying, scanning, faxing and printing. These files are temporary as they are no longer
required when the operation is completed. Afterwards, the files do not need to be
available on the MFP's HDD and can be deleted.
As a security measure, the MFP provides the option to overwrite the HDD areas where temporary
files are stored (HDD Cleaning). This Temporary Data Overwrite Setting provides two modes for
overwriting data:
- Mode 1: This mode overwrites data with zerofill (0fill): 0x00 (hexadecimal number).
- Mode 2: This mode overwrites data in three steps, first with 0x00, then with 0xff,
and finally with 0x61 (which represents the letter 'a' in the ASCII character set).
Mode 2 requires more processing power and HDD access, but it also provides a higher level of
data security as three data patterns are used to delete the original data. This is why Mode 2 is
mandatory when the MFP is operated in Enhanced Security Mode (compare chapter 6.3
Predefined settings of the Enhanced Security Mode).

To prepare the disposal of an MFP, it is useful to finally delete all data on the MFP's HDD (HDD
sanitization). In some cases this secure end-of-life data deletion is mandatory, for example, if
the MFP was operated by companies or institutions such as banks, insurance companies,
hospitals or authorities. These institutions handle sensitive information that must not fall into the
hands of unauthorized persons.
As a security measure, the MFP provides the option to overwrite the HDD completely before the
MFP is disposed of. This Overwrite All Data Setting provides several modes, each one representing
a particular data overwriting method. The available methods include several approved standard
methods, e.g. developed by the US National Security Agency (NSA), the US Department of
Defense, the European Union and similar organizations. For example, the NSA standard requires
data to be overwritten in three steps:
1. Overwriting with random 1-byte numbers
2. Again, overwriting with random 1-byte numbers
3. Overwriting with 0x00
In some cases, the use of one of these standard methods may be mandatory according to legal
regulations.
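The three overwrite patterns named in this chapter (Temporary Data Overwrite Mode 1 and Mode 2, and the three-step NSA method of the Overwrite All Data setting), run against a constructed temporary file as an added Python example that is not Konica Minolta firmware; the file, its contents, the chunk size and the flush after every pass are my assumptions.

```python
"""Overwrite patterns from chapter 5.5.2, applied to a file that stands in for
an HDD area. Added example, not Konica Minolta firmware."""
import os
import secrets
import tempfile

RANDOM = "random"               # marker for a pass of random 1-byte values

# Pass lists exactly as the chapter describes them.
MODE_1 = [0x00]                 # Temporary Data Overwrite Mode 1: zerofill
MODE_2 = [0x00, 0xFF, 0x61]     # Mode 2: 0x00, then 0xff, then 0x61 ('a')
NSA = [RANDOM, RANDOM, 0x00]    # NSA standard: random, random, then 0x00


def overwrite_region(path: str, offset: int, length: int, passes) -> int:
    """Overwrite `length` bytes at `offset` in `path`, one full pass per
    pattern. Flushing and fsync after every pass makes each pattern reach
    the device instead of being collapsed to the last one in the cache.
    Returns the number of passes written."""
    chunk = 64 * 1024                                  # assumption: write size
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(offset)
            remaining = length
            while remaining > 0:
                n = min(chunk, remaining)
                if pattern == RANDOM:
                    f.write(secrets.token_bytes(n))
                else:
                    f.write(bytes([pattern]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def region_is(path: str, offset: int, length: int, value: int) -> bool:
    """Verification read-back: true if every byte in the region equals `value`."""
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length) == bytes([value]) * length


def sanitize_demo(passes) -> dict:
    """Create a constructed 'temporary file' with recognisable content,
    overwrite it with the given passes and report what a read-back shows."""
    sensitive = b"PATIENT RECORD 4711 - CONFIDENTIAL " * 100   # constructed data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(sensitive)
    try:
        size = os.path.getsize(path)
        n_passes = overwrite_region(path, 0, size, passes)
        with open(path, "rb") as f:
            remnant = f.read()
        final = passes[-1]
        return {
            "passes": n_passes,
            "original_recoverable": sensitive in remnant,
            "final_pattern_ok": final != RANDOM and region_is(path, 0, size, final),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, passes in (("Mode 1", MODE_1), ("Mode 2", MODE_2), ("NSA", NSA)):
        print(name, sanitize_demo(passes))
```

Overwriting through a filesystem does not guarantee that the same physical sectors are rewritten on journaling filesystems, copy-on-write storage or SSDs; the MFP's overwrite works on HDD areas directly and so avoids that caveat.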

5.6 Review questions
- How is the HDD of a Konica Minolta MFP protected against unauthorized removal?

- Describe the working method of the HDD Lock Password.

- What is the advantage of the encryption of the data stored on the HDD?

- Which two basic methods exist for the encryption of data stored on an HDD? What are
the typical advantages of both methods and why is only one of the two methods used in
Konica Minolta devices?

- Why is it necessary to overwrite deleted data on the HDD?

- In which two cases can data overwriting be deployed in Konica Minolta devices?

6 Enhanced Security Mode on Konica Minolta MFPs and Printers
6.1 Introduction
The Enhanced Security Mode consists of a range of security settings in order to provide data
protection against unauthorized access. These security settings are related to different levels of
MFP settings and user operations such as
- user access and authentication,
- password rules,
- HDD protection, and
- deletion of temporary data.
The task of the Enhanced Security Mode is to bring a predefined range of settings into effect.
These settings are defined in a way that provides the highest possible level of security based on
the available settings of the MFP.
Applying the Enhanced Security Mode consists of two basic steps:
1. In the first step, you have to make a number of settings which are required as a basis of
the Enhanced Security Mode. You need to make these settings before you can set the
Enhanced Security Mode to ON. These required settings can be regarded as preparation
for the Enhanced Security Mode.
2. In the second step, you actually set the Enhanced Security Mode to ON. Setting the
Enhanced Security Mode to ON means bringing the predefined range of settings into
effect.

The task of the Enhanced Security Mode is to raise the level of security and to provide the best
possible protection of data. This also means that there are fewer administration and operation
options available to users and that users are forced to meet minimum security requirements (e.g.
in specifying passwords).

6.2 Preparations for the Enhanced Security Mode
Before you can set the Enhanced Security Mode to ON, you have to make particular settings
which serve as a basis for the Enhanced Security Mode. Unless these settings are brought into
effect, the Enhanced Security Mode is not available.
The following settings are required for the Enhanced Security Mode on current products (this list
may differ in the future, e.g. when new features and functions are added):
- User Authentication
- SSL for OpenAPI
- Administrator password
- HDD lock

User authentication is a vital part of data security measures and of the Enhanced Security Mode
in particular. User authentication ensures that only authorized users are able to access and use the
MFP. That is why user authentication is a prerequisite of the Enhanced Security Mode and needs
to be set to ON before the Enhanced Security Mode itself can be set to ON. To meet the
requirements of the Enhanced Security Mode you can use either method of user authentication,
internal authentication on the MFP or external authentication using an external network server
(see module Data Security Part 2 Authentication, chapter 2 User and Device Authentication,
for details about internal and external authentication).
OpenAPI is an interface that allows applications to connect to the MFP via network. To protect
data that is transmitted via network, this data should be encrypted. If SSL (Secure Sockets Layer,
see chapter 4.3 Encrypted Transmissions: SSL and TLS for details about SSL) is enabled, data
that is received and sent via the OpenAPI interface is encrypted by SSL and protected against
unauthorized access.
The administrator password must meet the password rules, as the Enhanced Security Mode
requires all passwords to follow the password rules.
The Enhanced Security Mode also requires an HDD lock password to be set.

6.3 Predefined settings of the Enhanced Security Mode
When the Enhanced Security Mode is set to ON, a defined range of settings is brought into effect.
This may vary with the product. For example, for the bizhub C450 these settings currently
include:

   Affected MFP setting                  Set to value
1  Registering and Changing Address      Restrict
2  Public User Access                    Restrict
3  User Name List                        OFF
4  Print Without Authentication          Restrict
5  User Box Admin. Setting               Restrict
6  Password Rules                        ON
7  Prohibit Functions When Auth. Error   Mode 2 (three attempts or less)
8  Secure Document Access Method         Mode 2
9  Temporary Data Overwrite Setting      Mode 2

These settings cause the following effects (and partly also some limitations to user operations):
1. Registering and Changing Address: By restricting this setting, the user is no longer able
to change the address of a job's recipient or to register the address of a recipient. This
restriction prevents jobs from being sent to undesired destinations, for example,
destinations outside the company.
2. Public User Access: By restricting this setting, all unregistered users are automatically
treated as unauthorized persons who are not allowed to access or use the MFP.
3. User Name List: By turning this function off, registered users are no longer displayed in
the authentication screen. Thus, unauthorized persons are not able to choose a valid
user account when trying to log on.
4. Print Without Authentication: By restricting this setting, all users are forced to
authenticate themselves even if they just want to use the MFP for printing.
5. User Box Admin. Setting: By restricting this function, it is no longer possible to
set up a box administrator who has access to all user boxes. Thus, there is no
possibility for unauthorized persons to get access to all user boxes by just discovering the
corresponding password.
6. Password Rules: By turning this function ON, passwords need to be specified in a form
which makes cracking them more difficult.
7. Prohibit Functions When Auth. Error: This setting is set to Mode 2, which provides
tougher restrictions than Mode 1. Users are able to attempt authentication three
times at most; after the last possible incorrect attempt, operation of this function is
restricted. This function makes it harder for unauthorized persons to gain access to the
MFP by just guessing user names and passwords.
8. Secure Document Access Method: This setting is set to Mode 2 automatically if the
Prohibit Functions When Auth. Error setting is set to Mode 2. In Mode 1 you are first
asked to type in the ID and password for a confidential document and then you can select
the document. In Mode 2, which is set automatically, you first type in the ID of the
document; then you have to type in the password after the document is selected.
9. Temporary Data Overwrite Setting: This setting is set to Mode 2, which provides a more
powerful data overwrite method than Mode 1.

6.4 Review questions
What is the task of the Enhanced Security Mode?

What are the two basic steps of applying the Enhanced Security Mode?

In which way does the Enhanced Security Mode affect user operations?

7 Monitoring Data Security
7.1 Introduction
Data security is not only a question of making the appropriate initial settings. To maintain a high
level of data security, operations on an MFP have to be monitored continuously.
Basically, data security can be monitored on MFPs with the help of two different technical
approaches, depending on the equipment and technology provided by the device or system that
has to be monitored:
Alert functions
Logs or log files

Alert functions provide an immediate response to critical situations or conditions. In MFPs, alert
functions are already implemented to monitor the condition of the MFP on the operational level,
for example, in terms of toner or paper shortage. These critical conditions are indicated by
corresponding messages on the control panel or by automatic e-mail messages which are sent to
predefined addresses such as the administrator's or service technician's e-mail accounts. Alert
functions may also be provided by third-party solutions or protocols supported and used by the
MFP, such as the TRAP message provided by SNMP (see Data Security Part 2
Authentication, chapter 5).
Logs or log files provide an automatic archiving function for particular events or related
messages. Events are detected automatically and corresponding messages are reported to a log
and/or written into a log file. Logs and log files are continuously updated and are available for
analyzing the recorded data. Logs and log files are already available on MFPs. Future generations
of MFPs may provide more advanced logging functions, for example, by implementing
technology such as syslog protocols and applications which are already used in computers and IT
environments.

7.2 Log Files
There are several logs available for an MFP and the operations carried out on it. These logs can
be used to detect security-related events. Thus, analyzing log files is the most important task in
order to monitor the data security on MFPs.
Basically, there are two types of logs or log files available on MFPs:
Operational logs such as the job log or the scanner transmission log
The audit log of the Enhanced Security Mode
The task of operational logs such as the job log is not to support data security or data security
monitoring. Nevertheless, these logs can be used to gain information about particular events
which may be related to data security.
For example, the operational logs may contain information about the destination of scan jobs and
make it possible to detect whether data is transmitted to unknown and possibly unauthorized
recipients. Or they provide the user name and the document name of a print job and make it
possible to detect which user printed a particular document.
The most important log for data security monitoring is the audit log, which is active when the
MFP is operated in Enhanced Security Mode. This log records security-related events in terms of
the date and time at which the event occurs,
the user who triggered that event or the subject for security protection such as box
number,
the event itself (or the operation performed by that user), and
the result of that event or operation.

Please note that the audit log is currently only available on particular MFPs such as the
7222, 7228 or 7235.
The following table shows the events/operations which are recorded by the audit log. Each type
of operation is represented in the audit log by the corresponding
ID (indicating the user or subject for security protection),
Action ID (indicating the type of operation), and
result (usually indicated by OK for all operations; only failed authentication is
indicated by NG).

Type of operation                                       ID                    Action ID  Result
CE* authentication                                      CE ID                 01         OK/NG
Key operator* authentication                            Key operator ID       02         OK/NG
Set/change Enhanced Security Mode                       Key operator ID       03         OK
Print audit log                                         Key operator ID       04         OK
Change/register CE password                             CE ID                 05         OK
Change/register Key Operator password                   CE ID                 06         OK
Create User Box                                         Box No.               07         OK
Change/register box password by Key Operator            Box No.               08         OK
Delete User Box                                         Box No.               09         OK
Change attributes of user box                           Box No.               10         OK
Password authentication for user box                    Box No.               11         OK/NG
Change attributes of user box by user                   Box No.               12         OK
Access to document                                      Box No.               13         OK
Delete document                                         Box No.               14         OK
Change attribute of document                            Box No.               15         OK
Password authentication for confidential printing       Confidential user ID  16         OK/NG
Password authentication for fax confidential printing   Confidential box No.  17         OK/NG
Access to confidential print document                   Confidential user ID  18         OK
Delete confidential print document                      Confidential user ID  19         OK
Create fax confidential inbox                           Confidential box No.  20         OK
Change password for confidential inbox                  Confidential box No.  21         OK
Change attribute of fax confidential inbox              Confidential box No.  22         OK
Access to document in fax confidential inbox            Confidential box No.  23         OK
Delete document in fax confidential inbox               Confidential box No.  24         OK
* CE: Service representative; Key operator: The key operator manages the MFP in order to provide users
with a safe operating environment

The following table shows an audit log with a single line:
Date               ID   Action ID   RESULT
06/03/15 15:35:51  -2   02          NG
This line indicates that authentication of the key operator failed (ID = -2: operation by the key
operator; Action ID = 02: key operator authentication; RESULT = NG: authentication failed).

Analyzing the audit log helps to detect data security threats and to launch the appropriate
countermeasures. For example, a number of failed authentication attempts indicates that an
unauthorized user tried to guess the required password.
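As an added example (not part of this training module and not Konica Minolta code), the following Python script parses audit log lines in the "Date ID Action ID RESULT" layout shown above and flags IDs with repeated failed authentications. The date format yy/mm/dd, the ten minute window and the threshold of three attempts (chosen to match the Mode 2 limit in section 6.3) are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Authentication Action IDs as listed in the audit log table above.
AUTH_ACTIONS = {"01": "CE authentication", "02": "Key operator authentication",
                "11": "Password authentication for user box",
                "16": "Password authentication for confidential printing",
                "17": "Password authentication for fax confidential printing"}

# Constructed sample in the "Date ID Action ID RESULT" layout shown above; not a real export.
SAMPLE_LOG = """\
Date ID Action ID RESULT
06/03/15 15:35:51 -2 02 NG
06/03/15 15:36:04 -2 02 NG
06/03/15 15:36:20 -2 02 NG
06/03/15 15:36:47 -2 02 NG
06/03/15 15:40:02 -2 02 OK
06/03/15 16:02:33 12 11 NG
06/03/15 16:02:58 12 11 OK
"""
# The date is assumed to be yy/mm/dd; the module does not state the format.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (-?\d+) (\d\d) (OK|NG)$")

def parse_audit_log(text):
    """Return (timestamp, id, action_id, result) tuples; header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries

def failed_auth_bursts(entries, threshold=3, window=timedelta(minutes=10)):
    """Map (id, action_id) to the most NG results in one window; keep pairs reaching `threshold` (3, as in Mode 2)."""
    ng_times = defaultdict(list)
    for ts, ident, action, result in entries:
        if result == "NG" and action in AUTH_ACTIONS:
            ng_times[(ident, action)].append(ts)
    alerts = {}
    for key, times in ng_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts
```

On the sample log the key operator account (ID -2) is flagged with four failed authentications inside one window, while the single failed box authentication for box 12 stays below the threshold.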

7.3 Review questions
How can you maintain a high level of data security by monitoring?

Which kinds of logs or log files are available on Konica Minolta MFPs for data security
monitoring purposes?

Which kind of information does the audit log provide?

8 Review questions
What are the three main areas into which unauthorized data access attempts can be divided?
What does sniffing mean?
How can sniffing programs be used to access data?
What is the Common Criteria used for?
Which measures and functions are available on Konica Minolta devices to protect data
stored on an MFP's hard disk drive?
Which measures and functions are available on Konica Minolta devices to protect data
that is transmitted via the network?
Which authentication measures are deployed on Konica Minolta devices?
Describe how IP filtering can be deployed to control access to the MFP via the network.
How is data protected by disabling application protocols?
How is data protected by changing port settings?
What is the difference between symmetric and asymmetric encryption methods?
How does the encryption of data transmissions by using SSL/TLS work?
Which possibilities do applications provide to encrypt files?
Describe the working method of print data stream encryption by using IPP in
combination with SSL/TLS.
Describe the working method of print data stream encryption by using J Scribe.
How is the HDD of a Konica Minolta MFP protected against unauthorized removal?
Describe the working method of the HDD Lock Password.
What is the advantage of the encryption of the data stored on the HDD?
Which two basic methods exist for the encryption of data stored on a HDD? What are
the typical advantages of both methods and why is only one of the two methods used in
Konica Minolta devices?
Why is it necessary to overwrite deleted data on the HDD?
In which two cases can data overwriting be deployed in Konica Minolta devices?
What is the task of the Enhanced Security Mode?
What are the two basic steps of applying the Enhanced Security Mode?
In which way does the Enhanced Security Mode affect user operations?
How can you maintain a high level of data security by monitoring?
Which kinds of logs or log files are available on Konica Minolta MFPs for data security
monitoring purposes?
Which kind of information does the audit log provide?


9 Appendix: Port scanners
A port scanner is a piece of software used to detect if particular ports of a host (e.g. an MFP) are
enabled (open) or disabled (closed). System or network administrators use port scanners to
check the security of a network. But port scanners can also be used by unauthorized persons to
find open ports which can be used to access a system and its data.
For example, port scanners make use of handshake messages as they are defined by network
protocols such as TCP or UDP. If the port scanner sends a particular message to the host on
which it searches for open ports, the host sends a particular reply as it is defined by the protocol.
Even if no reply is sent, the port scanner may draw a conclusion from that:
The host sends a reply corresponding to the message sent by the port scanner. This kind
of reply indicates that the port is open and a service is running on the host and can be
accessed.
The host sends an error message or a corresponding reply that indicates a closed port.
The host sends no reply at all. Usually, this indicates that the port is somehow blocked or
filtered.
Open ports present the highest risks as they offer potential attackers the opportunity to attack the
services and applications associated with open ports as well as the operating system of the host.

There are different types of port scans associated with particular protocols and particular
messages which are part of a protocol. For example, the TCP SYN scan method makes use of the
SYN message. Normally, this message is sent as part of the initial handshake when another host
wants to establish a connection. The TCP SYN scan method consists of the following steps:
1. The port scanner sends a SYN message to a port of the host.
2. If the port is closed, the host sends an RST message.
If the port is open, the host sends a SYN/ACK message.
If the port is filtered, the host sends no reply at all.
3. When the port scanner receives the SYN/ACK message, it replies by sending an RST
message. This message breaks off the handshake.
From the attacker's point of view, the advantage of this method is that no connection is actually
established, as the port scan is carried out on the handshake level. Accordingly, there will be no
entry in the log of the corresponding service. However, many firewalls are able to detect this kind
of port scan.




Fig: Steps of a TCP SYN port scan (1. SYN from the host running the port scanner to the host to
be scanned; 2. SYN/ACK from the host to be scanned; 3. RST from the host running the port scanner)
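As an added illustration from the monitoring side (not from this training module), the following Python script works on packet summaries as a firewall or sensor might record them: it classifies each probed port by the reply it drew, using the three outcomes listed above, and flags a source that leaves several ports half-open, which is the pattern a firewall reports as a TCP SYN scan. The packet records, host addresses and the threshold of three ports are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries as a sensor might record them: (time, src, dst,
# service port on the scanned host, TCP flags). Not a real capture.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.20", 80, "SYN"),
    (0.01, "10.0.0.20", "10.0.0.5", 80, "SYN/ACK"),   # open port answers SYN/ACK
    (0.02, "10.0.0.5", "10.0.0.20", 80, "RST"),       # scanner breaks off the handshake
    (0.03, "10.0.0.5", "10.0.0.20", 631, "SYN"),
    (0.04, "10.0.0.20", "10.0.0.5", 631, "SYN/ACK"),
    (0.05, "10.0.0.5", "10.0.0.20", 631, "RST"),
    (0.06, "10.0.0.5", "10.0.0.20", 23, "SYN"),
    (0.07, "10.0.0.20", "10.0.0.5", 23, "RST"),       # closed port answers RST
    (0.08, "10.0.0.5", "10.0.0.20", 9100, "SYN"),     # filtered port: no reply at all
    (1.00, "10.0.0.7", "10.0.0.20", 80, "SYN"),       # ordinary client completes the handshake
    (1.01, "10.0.0.20", "10.0.0.7", 80, "SYN/ACK"),
    (1.02, "10.0.0.7", "10.0.0.20", 80, "ACK"),
]

def observed_port_states(packets, src, target):
    """Classify each port `src` probed on `target`: open (SYN/ACK), closed (RST) or filtered (no reply)."""
    states = {}
    for _, s, d, port, flags in packets:
        if s == src and d == target and flags == "SYN":
            states.setdefault(port, "filtered")  # until a reply is seen
        elif s == target and d == src and port in states:
            if flags == "SYN/ACK":
                states[port] = "open"
            elif flags == "RST":
                states[port] = "closed"
    return states

def half_open_probes(packets):
    """Per source, the (target, port) pairs it sent a SYN to but never completed with an ACK."""
    syn_sent, completed = defaultdict(set), defaultdict(set)
    for _, s, d, port, flags in packets:
        if flags == "SYN":
            syn_sent[s].add((d, port))
        elif flags == "ACK" and (d, port) in syn_sent[s]:
            completed[s].add((d, port))
    return {s: probes - completed[s] for s, probes in syn_sent.items() if probes - completed[s]}

def syn_scan_suspects(packets, threshold=3):
    """Sources that left at least `threshold` distinct ports half-open: the pattern a firewall
    reports as a TCP SYN scan."""
    return {s: sorted(port for _, port in probes)
            for s, probes in half_open_probes(packets).items() if len(probes) >= threshold}
```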
