Trusted Computer System Evaluation Criteria

from Wikipedia, the free encyclopedia

TCSEC (Trusted Computer System Evaluation Criteria; generally referred to as the Orange Book) was a standard issued by the US government for the evaluation and certification of the security of computer systems.

In 1983 the Department of Defense (DoD) Computer Security Center (CSC) published its first evaluation criteria. The work was named Department of Defense Trusted Computer System Evaluation Criteria. Two years later, after a few minor changes, the book became the DoD standard TCSEC (DoD 5200.28-STD). TCSEC was mainly used in the USA; in Canada, CTCPEC had been widespread since 1989. West Germany, France and Great Britain each initially developed their own criteria around 1989, for example the ITSK. In 1990 Germany, France, the Netherlands and Great Britain introduced a common standard, the Information Technology Security Evaluation Criteria (ITSEC). All of these standards were incorporated into a new, international standard in 1996, the Common Criteria.


TCSEC categorizes the security of computer systems into a hierarchical system with four main levels: A, B, C and D.

Most Unix systems meet C1, but can easily be configured so that C2 is also fulfilled.

| TCSEC | Meaning | ITSK |
|-------|---------|------|
| D | Insecure system | not suitable |
| C | Simple protection with user login. | |
| C1 | Login required (Discretionary Access Control); this can also be a group account. Cooperative users are assumed. For example, the HRU (access control matrix) model. | F1, medium strength |
| C2 | Requires an individual login with password and authentication mechanism. Data from different users are separated from each other; security-relevant processes are logged (Controlled Access Protection). | F2 |
| B | Access rights according to protection level, security model | |
| B1 | Informal security model, data (especially exported) in protection levels (labeled security protection) and mandatory access control. For example, Bell-LaPadula. | F3, strong |
| B2 | Formal model (security policy) of the security system, well-defined interface (structured protection) and a covert channel analysis | F4 |
| B3 | Additionally requires the reference monitor property and clarity of the system, as well as secure mechanisms for logging and for the rollback of damage (security domains). | F5, very strong |
| A | Like B3, but the overall system must be formally verifiable, i.e. mathematically provable. | |
