802 standards, 219
A
A1-rated systems, 159
examples, 111
abstraction, in system design, 136
access control lists, 70
access controls, data, 56, 66
discretionary, 67, 116
execute, 67
file protection classes, 68
file types, 68
in networks, 222
mandatory, 72, 124
ownership, 67
passwords, 66
read, 67
self/group/public, 68
system, 56-57
to locked facility, 241
write, 67
access decisions, with discretionary access control, 67
with mandatory access control, 74
access matrix model, 109
accountability, requirements, 124
with passwords, 60
accounts, suspicious, 99
accreditation, 339
accuracy, 10
in communications, 202
in encryption, 171
acoustics, 251
acronyms, 269
add-on package, 334
Adleman, Leonard, 81, 188-189
administration, day-to-day, 96
planning, 91
security, 56, 89
system, 56, 89, 116;
in networks, 220;
roles, 100, 140
administrative security, 89
administrator, security, 100
system, 100;
functions, 100, 140;
total control, 100
AIDS virus, 82
air ducts, 242
air filter, 239
American Bankers Association (ABA), 48, 186-187
contact, 389
standards for banking, 195
American Express, 52
American National Standards Institute (ANSI), 48
contact, 390
Data Encryption Standard (DES), 181
standards for banking, 195
American Society for Industrial Security (ASIS), 52
contact, 392
publications, 398
Ampex, degaussing products, 338
AMSG 788A (TEMPEST standard), 260, 264
Anderson, James P., 30, 107
antibodies, 88
Antidote, 88
anti-static carpeting, 240
Apollo, TEMPEST, 257
Apple, AppleTalk, 209
application layer, in OSI model, 215-216
Aqua Book, 362
use in network evaluations, 332
use in subsystem evaluations, 334-335
use in Trusted Product Evaluation Program (TPEP), 326
Arms Export Control Act, 278
Arnold, Benedict, 167
ARPANET, 211
Ashton-Tate, 199
Assets Protection Publishing, publications, 397
Association for Computing Machinery (ACM), contact, 391
publications, 398
assurance, definition, 106
life-cycle, 133, 141
operational, 133-134
related to security policy, 133
requirements, 133
asymmetric key cryptography, (see public key cryptography)
AT&T, CR1 product, 244
cryptographic products, 192
protected telecommunications services, 346
SDNS, 232
Secure Telephone Unit, 196
System V/MLS, 111, 157, 162
Attanasio, C.R., 29
audit, checking security of system, 99
in networks, 220
interpretation of requirements, 362
requirements, 128
Auerbach, publications, 397
authentication, 124
arbitrated in encryption, 190, 223
by challenge-response system, 244
by password, 57, 241
by physical trait, 58, 241
by smart card, 244, 246
by token, 57, 241, 243
in encryption, 177, 185, 189
in Kerberos, 233
in networks, 218, 229
of messages, 10, 192, 222
of user, 57
profile, 62
two-factor, 243, 247
authenticity, 10
in communications, 202, 229
in encryption, 172
automatic teller machine (ATM), 58, 194, 244
availability, 10, 90
in communications, 202, 229
in encryption, 172
B
B1-rated systems, 157
examples, 111
B2-rated systems, 157
examples, 111
B3-rated systems, 158
examples, 111
back door, 85
backups, 94, 96, 141
full, 96
hints, 98
incremental, 96
bacteria, 86
badge, 244
Baker, Bruce N., 400
Balenson, David, 377
bandwidth, of covert channels, 138
banking, encryption, 194
banner page, 121
Barker, Elaine, 377
Barlow, John, 43
baseband, signal transmission, 213
Bassham, Lawrence E., 380
Bell, David, 30, 77, 108
Bell & Howell, degaussing products, 338
Bell-LaPadula model, 30, 77, 108
Beneich, Denis, 85
Best, Reba A., 400
Biba, K.J., 109
Biba integrity model, 109
Biham, Eli, 186
Bill of Rights, 286
biometric devices, 12, 58, 237, 246
acceptance, 248
effectiveness, 248
Bisbey, R., 29
BITNET, 211
BLACKER, 232
BloomBecker, J.J. Buck, 400
Boeing Aerospace, SNS, 111, 159
SNS + NM, 159
bombs, 84
books, computer security, 399
Brain virus, 7, 82
Branscomb, Anne W., 86
Branstad, Dennis K., 187, 199
breaking, Data Encryption Standard (DES), 186
encrypted messages, 170
RSA algorithm, 186
Breton, Thierry, 85
British Broadcasting Company (BBC), 254
broadband, signal transmission, 213
broadcast network, 210
Brodeur, Paul, 256
Brooks Act, 32, 180, 278
Brown Book, 366
Brunner, John, 82
brute force attack, 60
on Data Encryption Standard (DES), 186
on RSA algorithm, 186
Bulgarian Factory virus, 82
Burgundy Book, 114, 154, 364
Business Systems and Security Marketing Association (BSSMA), con-
tact, 392
C
C1-rated systems, 155
examples, 111
C2-rated systems, 156
examples, 111
Cable Communications Policy Act, 288
cabling, coaxial, 213
fiber optic, 213
network, 212
protection of, 212
twisted pair, 213
Caesar, Julius, 174
Caesar Cipher, 174
call forwarding, 207
carbon dioxide, 239
cards, access;types, 245
smart; (see smart card)
Carlstedt, J" " , 29
Carnahan, Lisa J., 378
categories, 73
ceilings, dropped, 242
CERT, (see Computer Emergency Response Team)
certification, 339
challenge-response system, 244
Cheapernet, 213
checksum, 149, 185, 193
Chomerics, TEMPEST, 265
CIAC, (see Computer Incident Advisory Capability)
cipher, (see ciphertext)
cipher alphabet, 175
Cipher Block Chaining (CBC) mode, of Data Encryption Standard
(DES), 183
Cipher Feedback (CFB) mode, of Data Encryption Standard (DES),
183
ciphertext, 169
circuit, 208
Clark, David, 109
Clark-Wilson integrity model, 109
classification, 73
clearance, 72, 90, 119
Clearing House Interbank Payment System (CHIPS), 194
cleartext, (see plaintext)
climate, 239
coaxial cable, 213
Code of Fair Information Practices, 287
codetext, (see ciphertext)
codewords, 160
Cohen, Fred, 81
cold sites, 93
Columbus Day virus, 7
Comite ' Consultatif Internationale Telegraphique et Telephonique
(CCITT), 48, 219
Commercial Communications Security Endorsement Program (CCEP),
192, 342
contact, 387
Commercial International Security Requirements (CISR), 52
Commercial Internet Protocol Security Option (CIPSO), 234
communications, connection-oriented, 208
equipment, 204
integrity, 228-229
interceptions, 205
protecting equipment, 202
secure, 202
security, definition, 201
Communications Act, 286
Communications Security Association (COMSEC), contact, 393
publications, 397
Communications Security (COMSEC) Board, 27
comparability, of sensitivity labels, 77
compartmented mode workstation (CMW), 127, 159
publications, 384
summary tables, 313
compartments, 73, 159
compromise protection, requirements, 230
Compromising Emanations Laboratory Test Standard, Electromagnet-
ics (U), 259
COMPUSEC, 323
contacts, 386
CompuServe, 395
Computational Logic, Gypsy Verification Environment (GVE), 145,
162, 337
Computer and Business Equipment Manufacturers Association (CBE-
MA), 48, 186
contact, 390
Computer Associates International, ACF/2/MVS, 111
Computer Emergency Response Team (CERT), 5
contact, 389
Computer Fraud and Abuse Act, 4, 40, 282
Computer Incident Advisory Capability (CIAC), 5
contact, 389
Computer Matching and Privacy Protection Act, 288
Computer Sciences Corporation, Data Encryption Standard (DES)
products, 185
computer security, 55
definition, 8
Computer Security Act, 41, 283
Computer Security Institute (CSI), 52
contact, 392
publications, 397
Computer Security Technical Vulnerability Reporting Program
(CSTVRP), contact, 386
Computer Virus Industry Association (CVIA), 7, 88
contact, 392
COMSEC, 341
contacts, 387
publications, 384
confidentiality, 9
in communications, 202, 230
in encryption, 171
configuration management, interpretation of requirements, 363
requirements, 145
containers, TEMPEST, 257
continuity of operations, requirements, 230
Control Data Corporation, Network Operating System (NOS), 157,
162
Controlled Cryptographic Item (CCI), 348
Coral Book, 147
countermeasures, 16
communications security, 17, 201
computer security, 16, 55
definition, 11
physical security, 17, 237
Courtney, Robert H, 16
covert channels, 137
analysis, 138
in networks, 138, 220, 231
storage, 137-138
timing, 137, 139
Cox, James G., 376
crabs, 86
crackers, 15
credit cards, 244
creepers, 86
crime, computer, 15;
estimate of cost, 7;
legislation, 284
cryptanalysis, 170
cryptogram, 169
cryptographic algorithms, new, 192
cryptographic products, evaluation, 341
manufacturing restrictions, 347
crytography, 170
CVIA, (see Computer Virus Industry Association)
D
Dark Green Book, 368
Dark Red Book, 332, 365
DARPA, (see Defense Advanced Research Projects Agency)
data confidentiality, requirements, 231
Data Encryption Standard (DES), 36, 175, 179
approval of, 181
breaking, 186
brute force attack on, 186
change in policy, 186
development of, 179
evaluation of products, 345
explanation of algorithm, 183
FIPS PUBs, 370
future, 185
in Kerberos, 233
in NFS, 234
investigation of, 180
modes of operation, 183
standards, 181
use in government systems, 185
variations, 188
Data General, TEMPEST, 257
data hiding, in system design, 136
data link layer, in OSI model, 217
Data Security, degaussing products, 338
databases, requirements, 367
trusted, 332
Datacrime virus, 7
Datapro, publications, 397
Davies, D.W., 399
dBASE III, 199
deciphering, (see decryption)
decryption, definition, 169
Defense Advanced Research Projects Agency (DARPA), 5, 28, 211
Defense Data Network (DDN), 211
Defense Intelligence Agency (DIA), 159, 234
Degausser Evaluation Program, 387
Degausser Products List (DPL), 338
degaussers, 97
denial of service, 10, 143, 204
in networks, 202
requirements, 229
Denning, Dorothy E.R., 166, 399
Peter J., 83, 399
des command (SunOS UNIX), 182, 198
descriptive top-level specification (DTLS), 143-144, 146, 154
design, system;(see system design)
design documentation, interpretion of requirements, 364
requirements, 153
design specification and verification, requirements, 143
device labels, requirements, 123
Dewdney, A.K., 85
Diffie, Whitfield, 188
Digital Equipment Corporation, compartmented mode workstation,
160
Data Encryption Standard (DES) products, 185
DECnet, 209
DECUS, 394
Digital Network Architecture (DNA), 209
Ethernet, 211
SDNS, 232
security kernel, 31
TEMPEST, 257, 265
VAX/VMS 4.3, 111, 157, 162
digital signature, 190, 193, 223
in new cryptographic algorithms, 192
Dinkel, Charles, 380-382
disasters, detection, 12
natural, 12, 238
planning for, 14, 93, 241
discretionary access control (DAC), 67
in networks, 219
interpretation of requirements, 363
requirements, 116
DISNet, 232
distress signal, 247
DOCKMASTER, 340, 396
contact, 386
documentation, requirements, 149
DoDIIS Network for Security Information Exchange (DNSIX), 234
downgrade of information, 76
Doyle, Sir Arthur Conan, 174
D-rated systems, 155
examples, 111
Dukakis virus, 82
dust, 239
E
earthquake, 239
eavesdroppers, emanations, 254
Edwards, Dan, 83
EFT Certification Program for Authentication Devices, 194
Egypt, earliest ciphers, 166
electrical radiation, (see radiation, electrical)
electricity, 240
electromagnetic interference, 213-214
electromagnetic radiation, (see radiation, electromagnetic)
Electronic Codebook (ECB) mode, of Data Encryption Standard
(DES), 183
Electronic Communications Privacy Act, 45, 288
Electronic Data Systems (EDS), 52
Electronic Frontier Foundation, 43
Electronic Funds Transfer Act, 288
electronic funds transfer (EFT), 19, 194, 197
Electronic Funds Transfer (EFT) Certification Program, 388
Electronic Funds Transfer (EFT) Certification Program for Authen-
tication Devices, 346
Electronic Industries Association (EIA), 49
Elsevier, publications, 396
emanations, 13, 254
emergency sites, 93
emissions, (see emanations)
employees, security rules for, 95
training, 94
enciphering, (see encryption)
encryption, 165
algorithm, 170
definition, 169
end-to-end, 223
in banking and finance, 193
in communications, 203
in networks, 222
link, 223
off-line, 223
on modems, 206
one-way, 65
online, 223
passwords, 65
encryption key, 170, 175, 182
choosing, 170
in BLACKER, 232
in RSA algorithm, 189
in SDNS, 233
losing, 178
management and distribution, 177
one-time, 178
protecting, 170
provided by government, 186
session, 178
Endorsed Cryptographic Products List (ECPL), 345
Endorsed for Unclassified Cryptographic Item (EUCI), 348
Endorsed TEMPEST Products List (ETPL), 265, 355
Endorsed TEMPEST Products Program (ETPP), 260, 265
summary of procedures, 351
Endorsed TEMPEST Test Instrumentation List (ETTIL), 266, 357
Endorsed TEMPEST Test Instrumentation Program (ETTIP), 265
summary of procedures, 357
Endorsed TEMPEST Test Services List (ETTSL), 265, 356
Endorsed TEMPEST Test Services Program (ETTSP), 265
summary of procedures, 356
Endorsed Tools List (ETL), 337
end-to-end encryption, 223
Enigma Logic, Safeword, 162, 334
Enigma machine, 167, 174
entry point, 85
EPL, (see Evaluated Products List)
espionage, corporate, 15
foreign, 14
Ethernet, 211, 213
ETL, (see Endorsed Tools List)
ETTIL, (see Endorsed TEMPEST Test Instrumentation List)
ETTIP, (see Endorsed TEMPEST Test Instrumentation Program)
ETTSL, (see Endorsed TEMPEST Test Services List)
ETTSP, (see Endorsed TEMPEST Test Services Program)
European Computer Manufacturers Association (ECMA), 49
Evaluated Products List (EPL), 161, 331
online version, 340, 396
evaluation, of Data Encryption Standard (DES) products, 345
of database products, 332
of degaussing products, 338
of electronic funds transfer (EFT) products, 346
of formal verification tools, 336
of high-grade cryptographic products, 344
of network products, 331
of physical security devices, 237
of subsystems, 333
of TEMPEST products, 349, 351
of TEMPEST test instrumentation, 357
of TEMPEST test services, 356
of trusted systems, 326
event logging, 128
events, 128
execute, permission, 67
with discretionary access control, 67
execution domain, protected, 135
Executive Order, 12333, 280
12356, 280
Export Administration Regulations (EARs), 279
export of data, requirements, 120
to multi-level device, 120
to single-level device, 121
with mandatory access control, 74, 120
export restrictions, on cryptographic products, 197
on TEMPEST products, 260
F
Fair Credit Reporting Act, 286
Family Educational Rights and Privacy Act, 287
Faurer, Lincoln D., 29
FedWire, 194
Ferbrache, David J., 82, 400
fiber optic cable, 213
FiberCom, TEMPEST, 265
file protection classes, 68
file types, 68
Final Evaluation Report (FER), 330, 369
finance, encryption, 194
fingerd (UNIX daemon), bug, 3
fingerprint, 247, 249
FIPS PUBs, 51, 114, 369
Data Encryption Standard (DES), 181
fire, 239
extinguishers, 239
firewall, 203
Fisher, Bonnie, 376, 380
Fites, Philip E., 399
floating, in compartmented mode workstations, 161
floors, raised, 242
flow, of information between levels, 76
Flu Shot, 88
Ford Aerospace, TEMPEST, 265
Foreign Intelligence Surveillance Act, 279, 288
Forester, Tom, 400
forgery, 192
formal proof, 144
formal top-level specification (FTLS), 143, 145-146, 154
formal verification, 143
Formal Verification Systems Evaluation Program (FVSEP), 145, 162,
365
contact, 386
summary of procedures, 336
Fourth Amendment, 286
Freedom of Information Act, 286
Friday the 13th virus, 6, 84
FS222 (TEMPEST standard), 259
Fu Manchu virus, 82
G
Gait, Jason, 374
Garcia, Abel A., 399
Garfinkel, Simson, 90, 234, 399
Gasser, Morrie, 83, 109, 399
gateway, 209, 221
Gemini Computers, cryptographic products, 192
General Electric, Data Encryption Standard (DES) products, 185
Secure Telephone Unit, 196
Generally Accepted System Security Principles (GSSP), 44
Gerrold, David, 80
Gilbert, Dennis, 383
Irene E., 380
Gillen, Mark, 376
Gilligan, John, 376
glass, 239, 242
Gordian Systems, Access Key, 162, 334
Gould, UTX/32S, 111, 157
government, contacts, 385
security requirements, 18
Government Communications Headquarters (GCHQ) (United Kingdom),
260
Government Open Systems Interconnect Profile (GOSIP), 51, 217
Government Open SystemsInterconnect Profile (GOSIP), 232
Government Printing Office (GPO), contact, 360
Green Book, 114, 125, 361
Grey Book, 367
Guitian, Constance, 379
H
hackers, 15
(see also crackers.)
Halon, 239
hand geometry, 250
handling caveats, 160
handprint, 250
hardware features, 134
Harris, compartmented mode workstation, 160
cryptographic products, 192
Haykin, Martha E., 377
health, dangers of emanation , 256
Heaphy, Kathleen A., 82, 400
Heathkit, 254
Hellman, M.E., 188
Helsing, Cheryl, 379
Hewlett-Packard, degaussing products, 338
MPE V/E, 111
Project MAX, 233
TEMPEST, 257, 265
high-grade cryptographic products, 192, 196
Highland, Harold Joseph, 81
hints, backups, 98
employee security management, 95
keeping intruders out, 242
modem security, 207
network security, 212
passwords, 59
protecting against malicious code, 87
safe computing, 97
history, cryptography, 166
Enigma machine, 167
information controls, 24
network, 210
security, 23
technology changes, 25
TEMPEST, 255, 259
Hoffman, Lance J., 86, 376, 400
Home Box Office (HBO) attack, 6
Honeywell, cryptographic products, 192
Federal Systems; XTS-200, 111
Information Systems; Multics, 111, 158, 162;
Secure Communications Processor (SCOMP), 111, 159
TEMPEST, 265
hot sites, 94
Hruska, Jan, 400
human-readable output, 121
humidity, 239
Hunt, Douglas B., 376
Hupp, Jon, 82
I
IBM, compartmented mode workstation, 160
Data Encryption Standard (DES) products, 185
in World War II, 169
Lucifer encryption algorithm, 180
MVS/ESA, 111, 157
MVS/RACF, 111, 156, 334
PC, 111, 155
PC local area network, 211
SDNS, 232
Share, 394
Systems Network Architecture (SNA), 209, 211
TEMPEST, 257, 265
tiger teams, 29
Icelandic virus, 82
identification, of user, 57, 124
identification and authentication (I&A), 57
contrast with trusted path, 127
in networks, 218
related to auditing, 131
requirements, 124
IEEE, 219
immunizers, 88
import of data, with mandatory access control, 74
incomparability, of sensitivity labels, 77
Industrial TEMPEST Program (ITP), 37, 255, 349
information, as an asset, 91
danger of loss, 238
flow model, 109
labels, 160-161
legislation to protect, 278
protection of, 19, 91
security, 8
Information Systems Security Association (ISSA), 52, 393
Information Systems Security Officer (ISSO), functions, 100
Information Technology Security Evaluation Criteria (ITSEC), 46
summary tables, 318
INFOSEC, catalogue of products, 369
Initial Product Assessment Report (IPAR), 329
inoculators, 88
Institute of Electrical and Electronic Engineers (IEEE), 49
contact, 390
insurance, virus coverage, 8
integrity, 10
in communications, 202
in encryption, 171
Intel, Ethernet, 211
interference, 254
electromagnetic, 213-214
radio frequency, 214
International Association for Computer Systems Security (IACSS),
397
contact, 393
International Federation of Information Processing (IFIP), 50
International Information Security Foundation (IISF), 44
International Information Systems Security Certification Consor-
tium ((ISC)2)), contact, 393
International Standards Organization (ISO), 50, 215, 219
contact, 390
Data Encryption Standard (DES), 181
standards for banking, 196
International Traffic in Arms Regulations (ITARs), 278
internet, 209
Internet, addresses, 228
encryption service, 166
history, 211
worm, 3, 80, 204
Isaac, Irene, 376
ISSO, functions, 140
J
Johnson, Deborah G., 400
Johnston, Peter, 399
K
Kahn, David, 166-167, 173, 401
Kapor, Mitch, 43
Karger, P.A., 29
Katzke, Stuart W., 375, 378
Kerberos, 218, 233
key, encryption;(see encryption key)
server, 233
to computer room and equipment, 241
keystroke, 252
KGB, buying information from crackers, 6
Kratz, Martin P.J., 399
L
label, integrity, 120
sensitivity; (see sensitivity labels)
labeling, of printout, 121
Lainhart, John W., 376
LaMacchia, Brian, 189
LaPadula, Leonard, 30, 77, 108
Lavender Book, 148, 364
layers, in communications, 209
in OSI model, 215
in system design, 136
in trusted system, 110
Leahy, Patrick, 43
least privilege, in system administration, 100, 140
in system design, 136
Leeper, Ed, 256
Legion of Doom, 43
legislation, 38, 277
computer crime, 284
information protection, 278
privacy, 286
Lenstra, Arjen K., 191
Levitt, Karl N., 375
Levy, Steven, 401
life-cycle assurance, 133, 141
Light Blue Book, 366
Light Yellow Book, 361
lightning, 240
Lincoln, Abraham, 167
line filter, 240
linguistics, 251
link encryption, 223
local area network (LAN), 210
locks, 12, 241, 243
cryptographic, 243
disk, 243
equipment, 243
logic bomb, 84
logins, attempts, 63
controls, 63
IDs, 62
messages, 63
time limits, 63
Lotus Notes, 189
Lucifer encryption algorithm, 180
M
Macintosh, 111, 155
magnetic remanence, (see remanence, magnetic)
malicious code, 79
malpractice, computer, 20
Manasse, Mark, 191
mandatory access control (MAC), 72
in networks, 220
requirements, 124
mantrap, 242
Manufacturing Automation Protocol/Technical Office Protocol
(MAP/TOP), 51
market, security, 17
TEMPEST, 261
Markstein, P.W., 29
Mary Queen of Scots, 167
masquerade, 86, 204, 229
MaxSix, 234
MCI, protected telecommunications services, 346
media, network, 212;
coaxial cable, 213;
fiber optic cable, 213;
microwave, 214;
satellite, 214;
twisted pair cable, 213
Medium Blue Book, 366
Merkle, R., 188
message authentication, 10, 192, 222
code, 148, 185, 193, 222
messages, definition, 207
flooding, 205, 230
forging, 192
in networks, 203
login, 63
system, 63
metropolitan area network (MAN), 210
microwave, 214
MILNET, 211
minutiae, 249
Mitek, TEMPEST, 265
Mitre, compartmented mode workstation research, 159
DNSix, 234
security kernel, 31
model, protocol;(see protocol model)
modems, 205
callback, 206-207
dial-back, 206
encryption, 206
password, 206
silent, 206
Morris, Robert T., 4
Morrison, Perry, 400
Motorola, cryptographic products, 192
Data Encryption Standard (DES) products, 185
Secure Telephone Unit, 196
Multics, 31, 111, 158, 162
multi-level, communications channel, 120
device, 120, 123
security, 72-73, 108;
in networks, 221
Munson, Judge Howard, 4
N
NACSEM 5100 (TEMPEST standard), 259
NACSI 5004 (TEMPEST standard), 259, 281
NACSI 6002, 281
NACSIM 5100A (TEMPEST standard), 259
NAG1A (TEMPEST standard), 259
National Bureau of Standards, (see National Institute of Stan-
dards and Technology)
National Center for Computer Crime Data (NCCCD), 396
contact, 394
National Communications Security Committee Directive 4, 259
National Communications Security Council Policy 10, 280
National Communications Security Council Policy 11, 281
National Communications Security Information Memorandum 5100, 259
National Communications Security Instruction 5004, 281
National Communications Security Instruction 6002, 281
National Computer Security Association (NCSA), contact, 394
National Computer Security Center (NCSC), 34, 51
DOCKMASTER, 396
evaluations, 161
publications, 360
role in security, 324
National Computer System Laboratory (CSL), role in security, 325
National Data Bank, 44
National Institute of Standards and Technology (NIST), 32, 51
development of cryptography standard, 180
electronic bulletin board, 396
evaluation of cryptographic products, 197
publications, 369
response to crises, 5
role in security, 325
support of Data Encryption Standard (DES), 187
working with NSA on cryptography, 192
National Policy on Control of Compromising Emanations, 259, 280
National Research Council, 199, 401
National Security Agency (NSA), evaluation of cryptographic pro-
ducts, 196
response to crises, 5
working with NIST on cryptography, 192
National Security Decision Directive 145, 39, 281
National Security Decision Directive 189, 282
National Security Directive 42, 42, 283
National Technical Information Service (NTIS), contact, 360
National Telecom Board (West Germany), 260
National Telecommunication and Information Systems Security Pub-
lication 2, 39
National Telecommunications and Information System Security In-
struction 400, 282
National Telecommunications and Information Systems Security Pub-
lication 2, 282
National Telecommunications and Information Systems Security Pub-
lication 200, 283
NATO Recommended Products List (NRPL), 260
natural disasters, (see disasters, natural)
Nazario, Noel, 380, 382
NBS, (see National Institute of Standards and Technology)
need to know, 74, 116
negotiation, in communications, 208
Neon Orange Book, 363
Neon Yellow Book, 367
Network File System (NFS), 189, 233
security, 234
network layer, in OSI model, 217
Network Trusted Computing Base (NTCB), 227
networks, 207
broadcast, 210
connections, 242
definition, 207
government evaluations, 227
history, 210
interpretation of requirements, 363, 365
local area, 210
management requirements, 230
media, 212;
vulnerabilities, 204;
(see also media, network.)
metropolitan area, 210
secure configurations, 203
security, 201, 218
services, 228
terms, 207
trusted, 218
wide area, 210
Neugent, William, 375-376
Neumann, Peter G., 375, 395
NFSNET, 211
Nibaldi, G.H., 35
NIST, (see National Institute of Standards and Technology)
node, 207
noise, in networks, 230
noninterference model, 109
nonrepudiation, requirements, 229
North, Oliver, 7
no-smoking policies, 239
notary, 190, 223
NSA, (see National Security Agency)
NSA Endorsed Data Encryption Standard (DES) Products List
(NEDESPL), 185, 345
NSA Government Endorsed Data Encryption Standard (DES) Equipment
Program (NEDESEP), 197
NSD 42, 42, 283
NSDD 145, 39, 281
NSDD 189, 282
NTISSI 4001, 282
NTISSP 2, 39, 282
NTISSP 200, 283
O
object, definition, 108
in reference monitor, 107
with discretionary access control, 72
object reuse, in networks, 220
requirements, 118
Odlyzko, Andrew, 186, 189
Office of Technology Assessment, publications, 385
Off-line Systems List (OLSL), 347
OMB Circular, A-123, 279
A-127, 281
A-130, 282
A-71, 279
Omnibus Crime Control and Safe Streets Act, 286
one-time pad, 170, 178
Open Software Foundation, OSF/1, 157, 233
Operation Sun Devil, 43
operational assurance, 133-134
operator, functions, 101, 140
Orange Book, 35, 103, 361, 363
classes, 104;
summary, 112
complaints about, 112
criteria, 104
gaps relating to networks, 226
purpose, 104
summary tables, 289
use in Trusted Product Evaluation Program (TPEP), 324
Organick, Elliot, 31
OSI (Open Systems Interconnection) model, 209, 211, 215, 232
output, human-readable, 121
Output Feedback (OFB) mode, of Data Encryption Standard (DES),
183
owner of files, 67
P
Pacific Bell, protected telecommunications services, 346
packets, 208
switching, 208, 211, 217
Paperwork Reduction Act, 279
parity check, 193
Parker, Donn B., 83, 400
passwords, 58
access controls, 66
aging, 64
changing, 59
dial-in, 65
dictionary, 3
encryption, 65, 166
expiration, 64
for authentication, 57
government guidelines, 361, 372
hints, 59
locks, 65
minimum length, 64
on modems, 206
picking, 61
primary, 65
protecting, 59;
in storage, 65;
on entry, 63
secondary, 65
system, 65
user-changeable, 64
with biometric devices, 241, 247
with tokens, 241, 243
Peace virus, 82
Peloponnesian War, 173
penetration index, 264
pen-in-air movements, 251
perimeter, security;(see security perimeter)
periodicals, computer security, 396
permissions for files, execute, 67
read, 67
write, 67
permutation cipher, 172
Perry, William E., 376
Pfleeger, Charles P., 399
Phillips, R.J., 29
physical layer, in OSI model, 217
physical security, 237
Pink Book, 339, 365
plaintext, 169
playback, 204, 229
Plutarch, 173
Poe, Edward Allen, 174
policy, multi-level security, 72-73, 108
Polk, William T., 379
Popek, G., 29, 31
Portable Operating System Interface for Computer Environments
(POSIX), 49
Potential Endorsed TEMPEST Products List (PETPL), 265, 354
Preferred Products List (PPL), 265-266, 349
presentation layer, in OSI model, 216
Presidential Directive/National Security Council-24, 279
preventable loss, 20
Price, W.L., 399
Prime, Primos, 157
prime numbers, use in encryption, 189, 191
printout, labeling, 121
privacy, legislation, 44, 286
Privacy Act, 45, 287
FIPS PUB, 370
Privacy Protection Study Commission, 287
Privacy Study, 286
private key, 175, 182
in Kerberos, 233
in private key cryptography, 175, 182
in public key cryptography, 176
in RSA algorithm, 189
proceedings, conferences, 399
process isolation, 135
programmed threats, 79
Project Athena, 233
Project MAX, 233
Protected Network Services List (PNSL), 346
protection, of information, 19, 91
of memory, 135
of resources, 135
with trusted distribution, 147
protocol, 209
family, 209
model, 209
suite, 209
protocol-based protection, requirements, 230
public domain, 87-88
public key, cryptography;(see public key cryptography)
in RSA algorithm, 189
public key cryptography, 176, 188
in NFS, 234
Purple Book, 114, 145, 337, 365
Purple project, 169
R
rabbits, 86
Racal Milgo, Data Encryption Standard (DES) products, 185
radiation, AC, 256
electrical, 254
electromagnetic, 254
extremely low frequency (ELF), 256
very-low-frequency (VLF), 256
radio frequency interference, 214
Rainbow Series, 114, 360
Rating Maintenance Phase (RAMP), 331, 365
summary of procedures, 338
read, permission, 67
with discretionary access control, 67
with mandatory access control, 76
reasonable safeguards, 20
reconstruction, in auditing, 129
Red Book, 114, 217, 226-227, 332, 363
reference monitor, 107
Rejewski, Marian, 169
reliability, in communications, 208
remanence, magnetic, 12, 368
replay, 192, 204, 229-230
repudiation, 204, 223
retina, 248, 250
Revision Control System (RCS), 146
Right of Financial Privacy Act, 288
risk analysis, 91, 241
risk index, 361
Ritchie, Dennis M., 83
Rivest, Ronald, 188-189
Roback, Edward, 382-383
Robinson, Lawrence, 375
Rockwell International, cryptographic products, 192
rogue programs, 79
role, administrator, 100, 140
of user in system, 62
Rosenthal, Lynne S., 376
Robert, 380
router, 221
RSA algorithm, 176, 188-189
brute force attack on, 186
Ruthberg, Zella G., 374-376, 378-380
S
salamis, 86
Salmon Book, 117, 368
Saltman, Roy G., 377
S-boxes, in Data Encryption Standard, 180
Schell, Roger, 29, 109
Scherbius, Arthur, 167
Schiller, W.L., 31
Schmidt, Hans-Thilo, 169
Schoch, John, 82
SDNS, (see Secure Data Network System)
secrecy, 9
in communications, 202, 230
in encryption, 171
secret key cryptography, (see private key cryptography)
Secure Data Network System (SDNS), 232
contact, 388
Secure Telephone Unit (STU-III), 178, 196
SecureWare, access control lists, 70
compartmented mode workstation (CMW+), 111, 157, 160
example of banner page, 121
Project MAX, 233
trusted path, 127
security, books, 399
communications, 201
computer system, 55
computer; definition, 8
information, 8
market, 17
network, 201, 218
other sources, 399
periodicals, 396
physical, 237
quantifying, 103
user responsibilities, 20
security audit, 99
Security Dynamics, 246
Security Features User's Guide (SFUG), requirements, 150, 368
security kernel, 31, 109, 135
security model, 30, 108
access matrix model, 109
Bell-LaPadula model, 108
Biba integrity model, 109
information flow model, 109
noninterference model, 109
state-machine model, 108
security perimeter, 110
in networks, 221
security policy, definition, 106, 108
formal proof, 144-145
human side, 89
organization, 94
requirements, 115
security profile, 62
security testing, requirements, 142
segmentation, 136
selective, collection, in auditing, 131
reduction, in auditing, 131
routing, 231
self/group/public controls, 68
sendmail (UNIX facility), bug, 3
sensitive, information, 19
sensitive compartmented intelligence, 72
sensitivity labels, 72
comparability, 77
definition, 73
differences from information labels, 161
in networks, 220
of devices, 123
of user, 123
on devices, 120-121
on exported information, 221
on imported information, 221
on output, 121
requirements, 119
setting on login, 125
subject, 123
separation of duties, 100, 140
session, 208
session layer, in OSI model, 216
Shamir, Adi, 186, 188-189
shareware, 87
Shaw, James K., 375
shield, TEMPEST, 257
signature, biometric devices, 248, 251
digital, 190, 192-193, 223
simple security condition, 77
single-key cryptography, (see private key cryptography)
single-level, communications channel, 121
device, 121, 123
site validation, with trusted distribution, 148
skytale, 173
Smart Card Industry Association (SCIA), contact, 394
publications, 398
smart cards, 57, 244
Smid, Miles E., 187, 199, 374, 377
smoke, 239
Snapper, John W., 400
Society for Worldwide Interbank Financial Telecommunications
(SWIFT), 194
Source, the, 395
Source Code Control System (SCCS), 146
source suppression, TEMPEST, 258
Spafford, Eugene H., 80-82, 90, 234, 399-400
Spartans, 173
SPEC PUBs, 373
spoofs, 86, 127
standard of due care, 8, 20
standards, 47
802, 219
ANSI, 195
Data Encryption Standard (DES), 181
ISO, 196
TEMPEST, 259
X.25, 217
X3, 195
X.400, 219
X.500, 219
X9, 195
Stang, David J., 400
star (x) property, 77
State Department, restrictions on cryptographic products, 198
restrictions on TEMPEST, 261
state-machine model, 108
Steinauer, Dennis D., 93, 375
Stoll, Cliff, 5, 132, 401
storage channels, (see covert channels, storage)
strength, of encryption, 170
subject, definition, 108
in reference monitor, 107
sensitivity labels, 123
with mandatory access control, 72
substitution cipher, 172
subsystem, 334
Subsystem Evaluation Report (SER), 336
subversion, 148
Sun Microsystems, 233-234
compartmented mode workstation, 160
Customer Warning System, 5
des command, 182, 198
Project MAX, 233
public key algorithm, 189
Sun Expo, 394
surge protector, 240
surveillance, in auditing, 129
physical security, 242
Swanson, Marianne, 379
Swope, Susan, 400
symmetric key cryptography, (see private key cryptography)
system, administration;(see administration, system)
administrator; (see admininistrator, system)
architecture; requirements, 134
design, 56, 134
failure, 141
high policy, 72
high workstation (SHW), 160;
summary tables, 315
integrity; requirements, 136
messages, 63
T
Tan Book, 114, 132, 362
taps, active, 205
passive, 205
TCP/IP (Transmission Control Protocol/Internet Protocol), 211,
217
Teal Green Book, 363
Technical Assessment Report (TAR), 337
Technical Review Board (TRB), 329
Technical Vulnerability Reporting Program, 341
telephone, vulnerabilities, 204-205
temperature, 239
TEMPEST, 17, 37, 253
contact, 388
design of product, 258
export restrictions, 260
history, 255, 259
how products are built, 257
market, 261
publications, 384
reassessment, 263
standards, 259
terrorism, 15
test documentation, requirements, 152
test word, 193
testing, interface, 142
mechanism, 142
security, 142
Thomas, Bob, 86
Thompson, Kenneth, 15, 81
threats, definition, 11
from insiders, 15
from outsiders, 14
in networks, 204
in risk analysis, 91
intentional, 14
natural disasters, 14
unintentional, 14
Thucydides, 173
ticket, 233
for authentication, 218
tiger teams, 29
time bomb, 84
timing channels, (see covert channels, timing)
Todd, Mary Anne, 379
token, 243
Tomlinson, Ray, 86
topology, of network, 209
Tower Commission, 7
traffic analysis, 231
traffic flow confidentiality, requirements, 231
training users, 94
transport layer, in OSI model, 216
transposition cipher, 172
trap door, 85
Treasury Department, Data Encryption Standard (DES), 187, 194
Electronic Funds Transfer (EFT) Certification Program for
Authentication Devices, 197, 346
Trojan horse, 81, 83, 127
with covert channels, 139
Trojan mule, 84
Troy, Eugene F., 376
trust, in networks, 203, 218
measuring, 103, 106
related to assurance, 133
trusted, application, 333
distribution; interpretation of requirements, 364;
requirements, 147
facility management; interpretion of requirements, 366;
requirements, 139
host (UNIX facility), 4
interface unit (TIU), 221
path, 126;
contrast with identification and authentication (I&A),
127
Trusted Computer System Evaluation Criteria, (see Orange Book)
Trusted Computing Base (TCB), 107, 109, 135
modularity, 136
Trusted Database Management System Interpretation (TDI), 332
Trusted Facility Manual (TFM), requirements, 151
Trusted Information Systems, Trusted XENIX, 111, 158
Trusted Network Interpretation, (see Red Book)
Trusted Product Evaluation Program (TPEP), 115, 362
contact, 386
database evaluations, 162, 332
network evaluations, 162, 227;
summary of procedures, 331
operating, 326
operating system; summary of procedures, 162
subsystem evaluation, 364
subsystem evaluations, 162;
summary of procedures, 333
trusted recovery, requirements, 140, 367
trusted systems, definition, 105
evaluations, 161
Trusted Systems Interoperability Group (TSIG), 234
Trusted UNIX Organization (TRUSIX), 51
Trusted UNIX Working Group (TRUSIX), 367
Turing, Alan, 169
Turn, Rein, 380
twisted pair cable, 213
two-factor authentication, (see authentication, two-factor)
two-key cryptography, (see public key cryptography)
two-man control, 101
typing, 252
U
Ultra project, 169
uninterruptible power supply (UPS), 240
UNISYS Corporation, BLACKER, 232
Formal Development Methodology (FDM), 145, 162, 337
OS 1100, 111, 157
TEMPEST, 257
UNIX, configuration management tools, 146
encryption of passwords, 166
evaluations, 110
login, 58
NFS in, 234
systems; probable rating, 111
USENIX, 394
user/group/other (UGO) controls, 68
unreliability, in communications, 208
upgrade of information, 76
U.S. Constitution, 286
U.S. Sprint, protected telecommunications services, 346
USENET, 211, 395
user, security responsibilities, 20
user list, 62
user/group/other controls, 68, 156
users, training, 94
V
vaccinators, 88
van Eck, Wim, 254
van Wyk, Ken, 395
vandalism, 11
vandalware, 79
VAX VMS Version 4.3, trusted path, 127
Venice Blue Book, 364
use in subsystem evaluations, 333
Verdix, VSLAN, 162
Versitron, TEMPEST, 265
vibration, 239
virus, 79
AIDS, 82
Brain, 7, 82
Bulgarian Factory, 82
Columbus Day, 7
contrast with worm, 80, 82
Cyberaids, 81
Datacrime, 7
Dukakis, 82
Festering Hate, 81
Friday the 13th, 6, 84
Fu Manchu, 82
Icelandic, 82
insurance coverage, 8
Peace, 82
protecting against, 87
Virus Bulletin, 398
voice, 251
voltage spike, 240
vulnerabilities, communications, 13, 204
definition, 11
emanations, 13
hardware, 12
in communications, 204
in risk analysis, 91
integration, 12
media, 12
natural, 12
network, 202
physical, 11
software, 12
telephone, 204-205
W
Wack, John P., 378
Wang Laboratories, cryptographic products, 192
MicroControl, 162, 334
SVS/OS CAP 1.0, 111, 157
SVS/OS CAP 1.0 audit log, 129
SVS/OS CAP 1.0 file protection classes, 68
TEMPEST, 265
War Games, 85, 205
Ware, Willis H., 28
Warner, Robert B.J., 377
Warner Amendment, 280
water, 240
Wertheimer, Nancy, 256
White Book, 46
White House computer attack, 7
Whitmore, J.C., 31
wide area network (WAN), 210
Wilson, David, 109
windows, 239
wiretapping, 205-206
Wood, Charles Cresson, 399
Woodward, J.P.L., 384
worm, 82
contrast with virus, 80, 82
Internet, 3, 80, 204
write, permission, 67, 257
with discretionary access control, 67
with mandatory access control, 76
write-down of information, 76
X
X.25 protocol, 217
X.400 standards, 219
X.500 standards, 219
Xenophon, 173
Xerox, cryptographic products, 192
TEMPEST, 257
Xerox Network System (XNS), 209, 211
X/Open, 52
contact, 391
XOR, use in encryption, 178
Y
Yellow Book, 362
yellow cable, 213
Z
zoning concept, 263