Ricoh Pro 1107 Guide
Print Controller Design Guide for Information Security
Copyright
2010 RICOH Americas Corporation. All rights reserved. Page 1 of 8
Visit our Knowledgebase at: http://www ricoh-usa com/support/knowledgebase asp
04/23/2010
Print Controller Design Guide for
Information Security:
Product
Code GESTETNER LANIER RICOH SAVIN
G188
G189
C8140ND
C8150ND
LP540C
LP550C
SP C820DN
SP C821DN
CLP340D
CLP350D
D059
D060
D061
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
M002
M003
M004
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
D062
D063
D065
D066
MP6001
MP6001 SP
MP 7001
MP 7001SP
MP 8001
MP 8001SP
MP 9001
MP 9001SP
LD360
LD360sp
LD370
LD370sp
LD380
LD380sp
LD390
LD390sp
AFICIO MP 6001
MP 6001 SP
MP 7001
MP 7001 SP
MP 8001
MP 8001 SP
MP 9001
MP 9001 SP
9060
9060sp
9070
9070sp
9080
9080sp
9090
9090sp
M001 SP 4210N LP37N AFICIO SP4210N MLP37N
Print Controller Design Guide for Information Security
Page 2 of 8
TABLE OF CONTENTS
1 Internal System Configuration 7
1-1 Hardware Configuration 7
1-1-1 MFP 7
1-1-2 LP 9
1-2 Software Configuration 11
1-2-1 Shared Service Layers 11
1-2-2 Principal Machine Functions 12
1-3 Data Security 14
1-3-1 External I/F 14
1-3-2 Protection of Program Data from Illegal Access via an External Device 14
1-4 Protection of MFP/LP Firmware 17
1-4-1 Firmware Installation/Update 17
1-4-2 Verification of Firmware/Program Validity 20
1-5 Authentication, Access Control 21
1-5-1 Authentication 21
1-5-2 IC Card Authentication 24
1-5-3 Access Control 25
1-6 Administrator Settings 26
1-7 Data Protection 27
1-7-1 Data Erase/Overwrite 27
1-7-2 Encryption of Stored Data 29
1-7-3 Protection of Address Book Data 32
1-7-4 Document Server Documents (MFP models only) 33
1-8 Job/Access Logs 35
1-9 Capture (MFP Models Only) 39
1-9-1 Overview of Capture Operations 39
1-9-2 Operations that Generate Captured Images 39
Print Controller Design Guide for Information Security
Page 3 of 8
1-9-3 Capture Settings 41
1-9-4 Security Considerations 42
1-9-5 Captured Documents and Log Data 42
1-10 Additional Methods for Increased Security 42
2 Principal Machine Functions 43
2-1 Copier (MFP Models Only) 43
2-1-1 Overview of Copier Operations 43
2-1-2 Data Security Considerations 43
2-1-3 Protection of Copy Jobs in Progress 43
2-1-4 Protection of Document Server Documents 43
2-1-5 Protection of Copier/Document Server Features 45
2-1-6 Restricting the Available Functions for Each Individual User 45
2-1-7 Job/Access Log Data Collection 45
2-1-8 Print Backup 45
2-2 Printer 47
2-2-1 Overview of Printer Operations 47
2-2-2 Data Flow 47
2-2-3 Data Security Considerations 51
2-3 Scanner (MFP Models Only) 54
2-3-1 Overview of Scanner Operations 54
2-3-2 Data Flow Security Considerations 54
2-3-3 Protection of Data when Performing Scanning and Sending Operations 55
2-3-4 Protection of Document Server Documents 56
2-3-5 Protection of Sending Results and Status Information 57
2-3-6 Protection of the Scanner Features Settings 57
2-3-7 Data Stored in the Job Log 58
2-3-8 Terminology 58
2-4 FAX (MFP Models Only) 59
2-4-1 Overview of FAX operations 59
Print Controller Design Guide for Information Security
Page 4 of 8
2-4-2 Data Security Considerations 60
2-4-3 Protection of the Journal and Documents in Document Server Storage 61
2-4-4 Protection of FAX Transmission Operations 61
2-4-5 Protection of FAX Features Settings 62
2-4-6 The “Extended Security” Feature 62
2-4-7 Job Log 62
2-4-8 Protection of Internet FAX Transmissions using S/MIME 62
2-4-9 Preventing FAX Transmission to Unintended Destination(s) 63
2-5 NetFile (GWWS) 64
2-5-1 Overview of NetFile Operations 64
2-5-2 Data Flow 65
2-5-3 Supplementary 65
2-5-4 Data Security Considerations 67
2-6 Web Applications 69
2-6-1 Web Server Framework 69
2-6-2 WebDocBox (MFP models only) 70
3 Optional Features 73
3-1 @Remote 73
3-1-1 Overview of @Remote Operations 73
3-1-2 Data Security Considerations 73
3-2 The “Copy Data Security” Feature 74
3-2-1 Overview of Copy Data Security Operations 74
3-2-2 Data Flow 75
4 Device SDK Applications (DSDK) 77
4-1 Overview of Operations 77
4-1-1 Installation 78
4-1-2 Overview of SDK Application Functions 79
4-2 Data Flow 80
4-2-1 Scanning Functions: Sending Data Over the Network with the Copier and Scanner
Print Controller Design Guide for Information Security
Page 5 of 8
(MFP models only) 80
4-2-2 FAX Functions (MFP models only) 80
4-2-3 Network Functions 81
4-2-4 Printer Functions 81
4-2-5 Machine Administrative Functions (MFP models only) 81
4-2-6 Authentication Functions 81
4-3 Data Security Considerations 83
4-3-1 Preventing the Installation of Illegal Applications 83
4-3-2 Authentication of SDK Applications at Installation 83
4-3-3 Prevention of Access to Address Book Data and Machine Management Data 85
4-3-4 Protection Against Attacks on Principal MFP/LP Functions, Prevention of Damage to
the System 85
4-3-5 Protection Against Attacks from External Sources 85
4-3-6 Certification of the SDK Application 86
Print Controller Design Guide for Information Security
Page of 8
Overview
This document describes the structural layout and functional operations of the hardware and software for
the multi-functional products and laser printers listed below (herein referred to as the “MFP” and “LP”,
respectively), which were designed and developed by Ricoh Co Ltd (herein referred to as Ricoh), as well
as the information security of image data and other information handled internally by Ricoh MFP/LPs
The explanations will primarily focus on the following, with particular attention to demonstrating how
unauthorized access is not possible to local network environments via FAX telecommunications lines, nor
to any of the data stored in the MFP/LP
• Operational summaries
• Data flow
• Data security considerations
Products to Which This Document Applies
This document applies to the following MFPs/LPs designed and developed by Ricoh:
Product
Code GESTETNER LANIER RICOH SAVIN
G188
G189
C8140ND
C8150ND
LP540C
LP550C
SP C820DN
SP C821DN
CLP340D
CLP350D
D059
D060
D061
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
Pro 907EX
Pro 1107EX
Pro 1357EX
M002
M003
M004
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
Pro 907
Pro 1107
Pro 1357
D062
D063
D065
D066
MP6001
MP6001 SP
MP 7001
MP 7001SP
MP 8001
MP 8001SP
MP 9001
MP 9001SP
LD360
LD360sp
LD370
LD370sp
LD380
LD380sp
LD390
LD390sp
AFICIO MP 6001
MP 6001 SP
MP 7001
MP 7001 SP
MP 8001
MP 8001 SP
MP 9001
MP 9001 SP
9060
9060sp
9070
9070sp
9080
9080sp
9090
9090sp
M001 SP 4210N LP37N AFICIO SP4210N MLP37N
Note: Some of the hardware (e g external I/F) and functions described in this document may not be
supported by the end user’s machine For these details, please refer to the Operating Instructions
for the specific machine in question
Print Controller Design Guide for Information Security
Page 7 of 8
1. Internal System Configuration
1-1 Hardware Configuration
1-1-1 MFP
Internet
System
Control
Flash ROM
Controller
Engine
Processing and
Control Unit
NVRAM
- Settings
- Counters
SD Card I/F
Ethernet
US
Type
US
TypeA
Parallel
Gigabit
Ethernet
Wireless
LAN
luetooth
IC Card Reader
Pict ridge
Compatible
Device
RC Gate
TPM
Operation
Panel
IEEE 1394
External Charge
Device I/F
External Charge
Device
File Format
Converter
External
Controller I/F
oard
FCU
To Public
Tel. Line
FAX comm.
control
Line
I/F
SAF
Scanning
Image
Processing
Image
Processing
・CPU
・
RAM
RAM
- Page memory
- Firmware
Encryption
Processor
HDD
- Image data
- Mgmt. data
Host I/F
Optional I/F:
Printing
Print Controller Design Guide for Information Security
Page 8 of 8
• Serial communication between the external charge device I/F and external coin/card-operated
devices
• External controller I/F board: Acts as the interface between the MFP and external controller
• File Format Converter: Converts the file format of image files
• RC Gate: Intermediary device connected to the MFP/LP via an Ethernet connection for performing
remote diagnostic operations including firmware updates and settings changes
• SD card I/F: Used for performing service maintenance and as an interface for firmware storage media
• RAM, HDD: Image data stored in the RAM and HDD memory undergoes compression, decompression
and other image processing
• HDD storage: Data stored on the HDD is encrypted
• TPM (Trusted Platform Module): When the MFP/LP main power is turned on, this security module
(chip) performs a verification on the validity of the software installed on the hardware platform, which
includes checking for any illegal alterations
Print Controller Design Guide for Information Security
Page 9 of 8
1-1-2 LP
Internet
System
Control
Flash ROM
Controller
Engine
Processing and
Control Unit
NVRAM
- Settings
- Counters
SD Card I/F
Ethernet
US
Type
US
TypeA
Parallel
Gigabit
Ethernet
Wireless
LAN
luetooth
IC Card Reader
Pict ridge
Compatible
Device
RC Gate
TPM
Operation
Panel
Printing
Image
Processing
・CPU
・
RAM
RAM
- Page memory
- Firmware
Encryption
Processor
HDD
- Image data
- Mgmt. data
Host I/F
Optional I/F:
Print Controller Design Guide for Information Security
Page 10 of 8
• RC Gate: Intermediary device connected to the LP via an Ethernet connection for performing remote
diagnostic operations including firmware updates and settings changes
• SD card I/F: Used for performing service maintenance and as an interface for firmware storage media
• RAM, HDD: Image data stored in the RAM and HDD memory undergoes compression, decompression
and other image processing
• HDD storage: Data stored on the HDD is encrypted
• TPM (Trusted Platform Module): When the MFP/LP main power is turned on, this security module
(chip) performs a verification on the validity of the software installed on the hardware platform, which
includes checking for any illegal alterations
Print Controller Design Guide for Information Security
Page 11 of 8
1-2 Software Configuration
S
IM
NetBSD
=-=-=-=-=-=-=-=-=-= Engine I/F =-=-=-=-=-=-=-=-=-=
Printing Engine DD ost I/F
Principal Machine
Functions Shared Service Layers
SRM
EAC
ECS MCS OCS FCS DCSNCS UCS CCS NRS MIRS
Copier Scanner FAX Web
DocBox
SDK
VAS
Printer GW WS WebSys
DESS
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
LCS SCS
libc
Scanning Engine FCU
MFP only MFP only
Software Configuration
1-2-1 Shared Service Layers
ECS (Engine Control Service) Controls engine operations for scanning and printing
MCS (Memory Control Service) Manages the memory in the Image Memory area (incl the HDD), as
well as compression/decompression
IMH (Image Memory Handler) Transfers data between the controller and engine
OCS (Operation Panel Control
Service)
Controls the panel LEDs, monitors panel keys and manages panel
objects and display messages
NCS (Network Control Service) Controls host I/F and protocol control (transport, session)
FCS (FAX Control Service) Exchanges data and commands with the FCU (FAX Control Unit),
which manages and controls FAX communication and
telecommunications lines
Print Controller Design Guide for Information Security
Page 12 of 8
SCS (System Control Service) Manages the status of all internal operations performed on or by the
system as a whole, and controls the switching of the LCD screen as
well as the operational link between SP settings and machine
operations
SRM (System Resource
Manager)
In addition to managing hardware resources, this module mediates
control of the printer engine, scanner engine and memory resources
during the image creation process
DCS (Delivery Control Service) Controls all non-FAX transmission/reception of e-mail as well ass the
forwarding of image data to servers and folders
MIRS (Machine Information
Report Service)
Controls the sending of machine configuration settings by e-mail
UCS (User Control Service) Manages the Address Book data
CCS (Certification Control
Service)
Mediates communication between the principal machine function and
external charge device during the authentication process, as well as
the charge-related processing (e g counters)
NRS (New Remote Service) Controls remote correspondence with RC Gate (e g diagnostics,
firmware update, settings changes)
LCS (Log Control Service) Controls the MFP/LP’s access logs (e g Address Book, Document
Server, MFP/LP functions)
DESS (Data Encryption Security
Service)
Controls the encryption and decryption functions
1-2-2 Principal Machine Functions
Copier Activates the scanning engine, which reads the original and then sends the data
on to the controller to be printed out from the printing engine Secondary data,
such as that used for access control, is handled from the operation panel
Printer Receives image data through the host interface, which then sends the data to the
controller Also contains a printer language processing subsystem (e g RPCS)
that converts the printer language into image data, which is then printed out from
the printing engine Secondary data is handled via the connection protocols
between the driver UI and the host I/F
Scanner Activates the scanning engine, which reads the original and then sends the data
to a PC via the host I/F Scanning can be initiated from both the operation panel
and from a PC via a TWAIN driver
FAX Activates the scanning engine, which reads the original and then sends the data
to the FCU to be sent as a FAX via a telecommunications line Also receives FAX
data and prints it out from the printing engine
Print Controller Design Guide for Information Security
Page 13 of 8
Netfile
(GWWS)
As a server, GWWS provides some MFP/LP functionality to specific
network-connected PC utilities This includes the ability to view and make
changes to user information and machine configuration settings, as well as to print
out or perform other operations on documents stored on the MFP/LP GWWS also
acts as a client to external Web services, including transferring the machine log
data to specific log data collection utilities
WebSys A Web application that allows machine configuration settings to be viewed and
changed via a Web interface
WebDocBox Allows operations to be peformed on Document Server documents stored in the
MFP (viewing, downloading, printing, deleting) via a Web interface
SDK/VAS SDK: Applications provided by third-party vendors designed to function with
MFP/LP pricipal machine functions developed by Ricoh
VAS: An MFP/LP API that standardizes the meanings of simplified commands
used by SDK applications when communicating with the MFP/LP
EAC This module controls the TCP/IP command flow between the GW-API and
external controller connected to the MFP via the Gigabit Ethernet-compatible
network I/F The EAC allows the external controller to initiate MFP operations
such as print jobs and scan jobs, as well as store Printer documents to the MFP
HDD In addition, this module also makes it possible to change some of the
internal settings of the external controller from the MFP operation panel
Note: This is only available on models capable of supporting an external
controller
Print Controller Design Guide for Information Security
Page 14 of 8
1-3 Data Security
1-3-1 External I/F
The MFP/LP is equipped with the following external interfaces:
• Serial I/F for connection of external coin/card-operated devices
• Serial I/F for connection of peripheral devices (e g DF, Finisher, LCT)
• Analog G3 FAX I/F (public telecommunications line), G4 FAX I/F (ISDN)
• Standard IEEE 1284 parallel I/F (Host I/F), which can function as a two-way parallel interface when
using a USB cable
• Standard IEEE 1394 I/F
• 100BASE-TX and 10BASE-T compatible network I/F (Host I/F)
• Gigabit Ethernet-compatible network I/F (Host I/F options, external controller I/F board)
• Standard IEEE802 11b wireless LAN network I/F (Host I/F option)
• Bluetooth I/F (Host I/F option)
• USB2 0 Type B I/F (Host I/F)
• USB2 0 Type A I/F (IC card, Pictbridge)
1-3-2 Protection of Program Data from Illegal Access via an External Device
1 All of the above principal machine functions, as well as software for all shared service layers, run on
the UNIX operating system as independent processes (data/program modules) Memory space is
allocated specifically for each module, which makes it impossible for one module to directly access the
memory space of any other
2 Data transfer between modules is Unix socket-based, whereby communication is performed along
ID-protected communication paths This ensures exclusive connections among the modules present in
the MFP/LP, thereby preventing access by any module outside this pre-determined set For example,
incoming FAX data will only be sent to those modules designated to perform FAX data operations This
arrangement prevents illegal access to networks and internal programs from an outside line
3 All image data stored on the HDD or stored temporarily in the Image Memory is managed by a memory
control module called the MCS (Memory Control Service), which ensures that the data can only be
accessed by specified machine function(s) In addition, this arrangement prevents illegal access to this
data from an outside line
User data, such as the Address Book data stored in the HDD/flash ROM and User Code data stored in
the NV-RAM, is managed by the UCS module Access to this data is not possible by any module
except those pre-determined modules in the MFP/LP itself This arrangement ensures that the data
stored in the MFP/LP cannot be accessed illegally via an external I/F
Print Controller Design Guide for Information Security
Page 15 of 8
4 Communication between the MFP/LP and its peripherals is conducted via the peripheral I/F using
Ricoh-unique protocols These exchanges are limited to pre-determined commands and data, and only
take place after the MFP/LP has recognized the peripheral device If the MFP/LP receives illegal data
from the peripheral, it will judge that a perhiperal device failure has occurred or that the device is not
connected This prevents any illegal access to internal programs or data
5 The MFP communicates with external coin/card-operated devices through the External Charge Device
I/F in accordance with the same protocols used for its peripherals described in #4 above It is possible
to utilize such devices in tandem with the access control settings for each user, in which case the
device and MFP exchange the relevant information (e g User Code data)
6 With the @Remote function, the MFP/LP is connected via the network to a Ricoh-developed device
known as RC Gate, which is then connected to the @Remote Center, or to the @Remote Center
directly When connecting to the center directly, the MFP/LP communicates via a LAN connection over
the Internet Before transferring any data, mutual authentication is performed using digital certificates
between the MFP/LP and RC Gate or MFP/LP and @Remote Center, which ensures that the MFP/LP
cannot connect to any device other than RC Gate or to its single, pre-assigned @Remote Center
Communication between RC Gate/@Remote Center and the MFP/LP modules responsible for
@Remote operations is performed over exclusive socket-based connections, as described in #2 above
In addition, it is also possible to change the MFP/LP settings to prohibit @Remote communication
7 External controllers are connected to the MFP via the Gigabit Ethernet-compatible network I/F, and are
then routed internally through the external controller interface board The internal arrangement is
designed such that the external controller cannot gain access to the MFP internal modules until after it
has successfully cleared the device registration process
In addition to sending data for printing to the MFP, the external controller is also capable of storing
image data received from the PC inside its own memory as well as obtaining scanned data just
following an MFP scanning job It is not able to access any of the image data stored in the MFP
8 The standard IEEE1284 parallel I/F, USB I/F (Type B), and Bluetooth I/F treat all incoming data as print
data This print data can only be sent to pre-specified modules responsible for executing printing
operations In addition, using MFP/LP settings, it is possible to disable each interface individually
9 The USB I/F (Type A) only allows connection with devices that support either IC card-based
authentication or PictBridge printing functions Each function can be enabled/disabled individually
PictBridge printing functions (color MFP/LPs only):
After the identity of the connected PictBridge device is verified, the interface and device exchange only
pre-defined commands and/or data Access to data stored inside the MFP/LP is not possible In
addition, if User Authentication has been enabled, the machine will not accept commands or data from
any PictBridge functions that do not require authentication
Print Controller Design Guide for Information Security
Page 1 of 8
IC card-based authentication functions:
Authentication is mutual and encrypted, which prevents impersonation and ensures that data is
properly protected
Print Controller Design Guide for Information Security
Page 17 of 8
1-4 Protection of MFP/LP Firmware
1-4-1 Firmware Installation/Update
It is possible to update the firmware stored on the MFP/LP using an SD card or via a remote connection
The following process is used to verify the validity of all firmware introduced into the MFP/LP in the field
This applies to firmware updates as well as to new installations of MFP/LP options
Firmware Installation/Update Using an SD Card
Since SD cards themselves are generic items that are widely available for purchase in the field, the
following process is used to prevent the illegal introduction of firmware into the MFP/LP via this storage
media Briefly stated, a license server assigns a digital signature to the firmware, which the MFP/LP
then uses to authenticate the firmware when it is introduced in the field
1 The Ricoh license server applies the SHA-1 algorithm (Secure Hash Algorithm 1) to the program to
generate the value MD1 A private key is used to encrypt this value, which is then used as the
firmware’s digital signature
2 The firmware in the SD card is introduced into the MFP/LP via the SD card slot
3 The MFP/LP checks the firmware to identify the type (e g System, Printer, FAX, LCD) It then
verifies that the model name is the same as its own, and in the case of a firmware update, that the
firmware version is newer that the one already installed
4 The MFP/LP then applies SHA-1 to the program to generate MD1, after which it uses a public key
to decrypt the digital signature to generate MD2
5 If MD1 = MD2, the firmware update process begins
Using a public key to decrypt the digital signature allows the MFP/LP to verify that the firmware has not
been altered since it was assigned the digital signature by the license server
The basic identifying information of the firmware (version, type, etc ) is stored in the MFP/LP as the
update is being performed Therefore, the update can be reinitiated using the same SD card in the
event that it is interrupted by a sudden loss of power or other cause After recovery is initiated, the
MFP/LP checks to see that the data in the SD card has not been altered, and then resumes the
update
Digital
signature
Program
3. Generate MD1
using S A-1
MD1
MD2
Public key
4. Decryption
5. Compare MD1
and MD2
If MD1 ≠ MD2
Update process is cancelled
and new firmware is not
installed
If MD1 = MD2
2. Verification of firmware version
6. Firmware is overwritten
with new files
1. Verification of model and target
machine functions (Copier, Printer,
etc.)
Ricoh License Server
Digital signature
2. Generate
digital signature
Program
1. Generate MD
using S A-1 MD
3. Files are sent
Private key
SDSD
6464 MBMB
SDSD
6464 MBMB
SD card
"MD": Message Digest
Firmware Update Using an SD Card
Print Controller Design Guide for Information Security
Page 18 of 8
Remote Firmware Update
In addition to using an SD card, it is also possible to update the firmware by transmitting the firmware
files to the MFP/LP via a remote connection Since these files are transmitted over public Internet
communication paths in some cases, routed through multiple servers before reaching their destination,
it is necessary to use the authentication process described above for remote updates as well The
process for remote updates is virtually the same as that for the SD card-based update described
above, with the following differences:
Remote headers are attached to the digital signature before the files are sent to the MFP/LP
If the update is interrupted for some reason, it is possible to retry the update by resending the file
There are three main scenarios in which a remote firmware update is performed, the process for which
is the same as described above (see illustrations below) In each scenario, all of the security features
described above are employed
The update is performed by a field engineer in the field via a PC
The update is performed using the @Remote function, normally by an individual with access rights
to the @Remote Center GUI
The update is performed via Web SmartDeviceMonitor Professional IS, usually by the end user
Digital
signature
Program
5. Generate MD1
using S A-1
MD1
MD2
Public key
6. Decryption
7. Compare
MD and MD2
If MD1 ≠ MD2
Update process is cancelled and
new firmware is not installed
If MD1 = MD2
3. Verification of firmware version
8. Firmware is overwritten
with new files
2. Verification of model and target
machine functions (Copier, Printer, etc.)
Ricoh license server
Digital signature
2. Generate
digital signature
Program
1. Generate MD
using S A-1 MD
Private key
3. Download
1. Check remote headers to confirm that a
remote update is being requested
Ricoh distribution server
Client PC
4. Files are sent
Program + digital
signature
Digital
signature
Remote Firmware Installation Performed by a Field Technician
(from a client PC
Print Controller Design Guide for Information Security
Page 19 of 8
RC-Gate
Installation
via RC-Gate
Ricoh Licenese Server
Download Digital signature
Program +
digital signature
@Remote Center
Installation directly from
@Remote Center
Remote Firmware Installation using @Remote
Client PC
Ricoh license server
Download
Ricoh distribution server
Digital signature
Remote installation
Update performed using Web Smart Device Monitor V2
(device management utility)
Program +
digital signature
Ridoc IO OperationServer
Update
commands issued
Remote Firmware Installation via Web SmartDeviceMonitor Professional IS
(performed by the end user
Print Controller Design Guide for Information Security
Page 20 of 8
1-4-2 Verification of Firmware/Program Validity
Overview
In order to continually ensure the validity of all controller core programs and application firmware
installed on the MFP/LP at the time of product shipment, as well as those that are newly installed as
updates through the process explained in section 1 4 1 above, the MFP/LP performs a validation
process known as Trusted Boot every time the main system is booted up Covering the range of
software from boot programs to end-point functions and applications, the Trusted Boot validation
process provides comprehensive, TPM-based security
The MFP/LP uses the unique digital signature assigned to each program/firmware in order to judge its
validity The public key used for this verification is stored in an overwrite-protected, non-volatile region
of the TPM, which makes it extremely difficult for the key itself to be altered in any way, providing
additional protection of the programs/firmware
Trusted Boot employs two methods to verify the validity of the programs/firmware mentioned above:
RTM (Root Trust of Measurement) is used to validate the controller core programs, which include
the MFP/LP operating system, BIOS, and boot loader Using the TPM, this method is capable of
detecting any alterations made to these programs
The same digital signature-based verification process explained in section 1 4 1 is used to
validate the application firmware
Trusted Boot is integrated with the protection of the user’s encryption keys (see section 1 8 for details),
ensuring that only valid programs are given access to these keys
Note: Produced by STMicroelectronics, TPM is a product of the ST19WP18 family, which has earned
Common Criteria certification (EAL5+)
Other manuals for Pro 1107
1
This manual suits for next models
47
Other Ricoh Controllers manuals
Ricoh
Ricoh E-7100 Guide
Ricoh
Ricoh Pro C5100S Reference manual
Ricoh
Ricoh Interactive Whiteboard Controller Type 1 Manual
Ricoh
Ricoh Y406 Quick start guide
Ricoh
Ricoh AFICIO 1055 User manual
Ricoh
Ricoh Prinect DFE Quick start guide
Ricoh
Ricoh Interactive Whiteboard Controller Type 2 User manual
Ricoh
Ricoh Fiery E-820 User manual
Ricoh
Ricoh Stinger-C1 B305 User manual
Ricoh
Ricoh RV5VH Instructions for use
Popular Controllers manuals by other brands
Knightsbridge
Knightsbridge LEDFR6 Installation & maintenance manual
Texas Instruments
Texas Instruments AM335 Series quick start guide
ZEG-ENERGETYKA
ZEG-ENERGETYKA ATS-9 operating manual
EpiSensor
EpiSensor ZDR-16 Install Sheet
Carel
Carel AT-th Tune manual
Rinnai
Rinnai Demand Duo Operation & installation manual
