The Canadian Trusted Computer Product Evaluation Criteria 3rd Ed.

CTCPEC Version 3.0e

Communications Security Establishment

Publisher: Communications Security Establishment, 1993, 208 pages

Keywords: IT Security

Last modified: April 15, 2022, 6:42 p.m.

This document represents the current state of development of the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC or Canadian Criteria). Its purpose is to present a set of technical hardware/firmware/software criteria for trusted products that is consistent with the Security Policy of the Government of Canada and the Information Technology Security Standards under development by the Government of Canada, and that takes into account reciprocity issues with the technical criteria of other nations strategically allied with the Government of Canada. Development of the Canadian Criteria has progressed through workshops and discussions with government and industry.

  • Introduction
    • Historical Perspective
    • Scope
      • Functionality
      • Assurance
      • Evaluation and Rating
    • Purpose
    • Structure of the Criteria
      • Levels of Service
      • Additional Requirements
      • Modifications
      • Letter Codes
      • Constraints
      • Appendices
    • Fundamentals
      • Trusted Computer Bases
        • Security Policy
      • Isolation, Mediation, & Audit
        • Objects
          • Object Space
          • Tagged Objects
          • TCSEC Subjects in the Canadian Criteria
        • Continuous Protection
        • Security Services & Mechanisms
      • Inclusion of New Services
      • Modularity
      • Composable Evaluations
  • Confidentiality Criteria
    • Covert Channels
      • CC-0 Non-compliant
      • CC-1 Covert Channel Analysis
      • CC-2 Auditable Covert Channels
      • CC-3 Elimination of Covert Channels
    • Discretionary Confidentiality
      • CD-0 Non-compliant
      • CD-1 Minimal Discretionary Confidentiality
      • CD-2 Basic Discretionary Confidentiality
      • CD-3 Controlled Discretionary Confidentiality
      • CD-4 Advanced Discretionary Confidentiality
    • Mandatory Confidentiality
      • CM-0 Non-compliant
      • CM-1 Minimal Mandatory Confidentiality
      • CM-2 Basic Mandatory Confidentiality
      • CM-3 Controlled Mandatory Confidentiality
      • CM-4 Advanced Mandatory Confidentiality
    • Object Reuse
      • CR-0 Non-compliant
      • CR-1 Object Reuse
  • Integrity Criteria
    • Domain Integrity
      • IB-0 Non-compliant
      • IB-1 TCB Domain Integrity
      • IB-2 Non-Circumventable TCB
    • Discretionary Integrity
      • ID-0 Non-compliant
      • ID-1 Minimal Discretionary Integrity
      • ID-2 Basic Discretionary Integrity
      • ID-3 Controlled Discretionary Integrity
      • ID-4 Advanced Discretionary Integrity
    • Mandatory Integrity
      • IM-0 Non-compliant
      • IM-1 Minimal Mandatory Integrity
      • IM-2 Basic Mandatory Integrity
      • IM-3 Complete Mandatory Integrity
      • IM-4 Advanced Mandatory Integrity
    • Physical Integrity
      • IP-0 Non-compliant
      • IP-1 Basic Physical Integrity
      • IP-2 Intermediate Physical Integrity
      • IP-3 Advanced Physical Integrity
      • IP-4 Complex Physical Integrity
    • Rollback
      • IR-0 Non-compliant
      • IR-1 Restricted Rollback
      • IR-2 Advanced Rollback
    • Separation of Duties
      • IS-0 Non-compliant
      • IS-1 Basic Separation of Duties
      • IS-2 Administrative Separation of Duties
      • IS-3 Privilege-based Separation of Duties
    • Self Testing
      • IT-0 Non-compliant
      • IT-1 Basic Self Testing
      • IT-2 Start-up Self Testing
      • IT-3 On-line Self Testing
  • Availability Criteria
    • Containment
      • AC-0 Non-compliant
      • AC-1 Quotas
      • AC-2 Denial of Service
      • AC-3 Resource Restrictions
    • Fault Tolerance
      • AF-0 Non-compliant
      • AF-1 Limited Hot Replacement
      • AF-2 Hot Replacement
    • Robustness
      • AR-0 Non-compliant
      • AR-1 Reliability under Limited Failure
      • AR-2 Reliability with Degraded Service
      • AR-3 Reliability with Full Service
    • Recovery
      • AY-0 Non-compliant
      • AY-1 Manual Recovery
      • AY-2 Automated Recovery
      • AY-3 Selective Recovery
  • Accountability Criteria
    • Audit
      • WA-0 Non-compliant
      • WA-1 External Audit
      • WA-2 Security Audit
      • WA-3 Security Audit & Alarm
      • WA-4 Detailed Audit
      • WA-5 Advanced Detection
    • Identification and Authentication
      • WI-0 Non-compliant
      • WI-1 External I&A
      • WI-2 Individual I&A
      • WI-3 Multiple I&A
    • Trusted Path
      • WT-0 Non-compliant
      • WT-1 Basic Trusted Path
      • WT-2 Advanced Trusted Path
      • WT-3 Complete Trusted Path
  • Assurance Criteria
    • T-0 — Non Compliant
    • Assurance Level T-1
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-2
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-3
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-4
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-5
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-6
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
    • Assurance Level T-7
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
      • Development Evidence
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
        • Security Features User's Guide
        • Trusted Facility Manual
      • Security Testing
  • Definitions
  • Bibliography
  • Appendices
    1. Technical Rationale
      • Introduction
        • Security Policy
        • Location of Services
        • Tags
        • Access Matrix
      • Confidentiality
        • Discretionary Confidentiality (CD)
        • Mandatory Confidentiality (CM)
        • Object Reuse (CR)
        • Covert Channels (CC)
      • Integrity
        • Domain Integrity (IB)
        • Discretionary Integrity (ID)
        • Mandatory Integrity (IM)
        • Physical Integrity (IP)
        • Rollback (IR)
        • Separation of Duties (IS)
        • Self Testing (IT)
      • Availability
        • Containment (AC)
        • Fault Tolerance (AF)
        • Robustness (AR)
        • Recovery (AY)
      • Accountability
        • Audit (WA)
        • Identification and Authentication (WI)
        • Trusted Path (WT)
      • Assurance
    2. Constraints
      • Introduction
      • Scope
      • Covert Channels
      • Discretionary Confidentiality
      • Mandatory Confidentiality
      • Discretionary Integrity
      • Mandatory Integrity
      • Rollback
      • Separation of Duties
      • Containment
      • Fault Tolerance
      • Robustness
      • Recovery
      • Audit
      • Trusted Path
    3. Fundamentals
      • Introduction
      • Scope
      • Perspectives
        • Objects
        • Control Over Processes
      • The Reference Monitor
        • Classic View
    4. Concepts
      • Introduction
      • Scope
      • The Reference Monitor
        • Encapsulated View
      • Modularity
        • The Overall System
        • The TCB
        • Non-Monolithic Products
    5. A Guide to Object Mediation
      • Introduction
      • Scope
      • Tags
      • Discretionary and Mandatory Mediation
        • Accuracy of Tags
        • Creation of New Objects
        • Export and Import of Objects
      • References
    6. A Guide to Confidentiality
      • Introduction
      • Scope
      • Overview of Confidentiality
      • Covert Channels
        • Covert Channel Bandwidths
        • Storage and Timing Channels
        • Aggregate Covert Channels
        • Security Policy
        • Meeting the Criteria
          • CC-1: Covert Channel Analysis
          • CC-2: Auditable Covert Channels
          • CC-3: Elimination of Covert Channels
      • Discretionary Confidentiality
        • Security Policy
        • Meeting the Criteria
          • CD-1: Minimal Discretionary Confidentiality
          • CD-2: Basic Discretionary Confidentiality
          • CD-3: Controlled Discretionary Confidentiality
          • CD-4: Advanced Discretionary Confidentiality
      • Mandatory Confidentiality
        • Security Policy
        • Meeting the Criteria
          • CM-1: Minimal Mandatory Confidentiality
          • CM-2: Basic Mandatory Confidentiality
          • CM-3: Controlled Mandatory Confidentiality
          • CM-4: Advanced Mandatory Confidentiality
      • Object Reuse
        • Security Policy
        • Meeting the Criteria
          • CR-1: Object Reuse
      • References
    7. A Guide to Integrity
      • Introduction
      • Scope
      • Overview
      • Domain Integrity
        • Security Policy
        • Meeting the Criteria
          • IB-0: Non-compliant
          • IB-1: TCB Domain Integrity
          • IB-2: Non-circumventable TCB
      • Discretionary Integrity
        • Security Policy
        • Meeting the Criteria
          • ID-1: Minimal Discretionary Integrity
          • ID-2: Basic Discretionary Integrity
          • ID-3: Controlled Discretionary Integrity
          • ID-4: Advanced Discretionary Integrity
      • Mandatory Integrity
        • Security Policy
        • Meeting the Criteria
          • IM-1: Minimal Mandatory Integrity
          • IM-2: Basic Mandatory Integrity
          • IM-3: Complete Mandatory Integrity
          • IM-4: Advanced Mandatory Integrity
      • Physical Integrity
        • Security Policy
        • Meeting the Criteria
          • IP-1: Basic Physical Integrity
          • IP-2: Intermediate Physical Integrity
          • IP-3: Advanced Physical Integrity
          • IP-4: Complete Physical Integrity
      • Rollback
        • Security Policy
        • Meeting the Criteria
          • IR-1: Restricted Rollback
          • IR-2: Advanced Rollback
      • Separation of Duties
        • Security Policy
        • Meeting the Criteria
          • IS-1: Basic Separation of Duties
          • IS-2: Administrative Separation of Duties
          • IS-3: Privilege-based Separation of Duties
      • Self Testing
        • Security Policy
        • Meeting the Criteria
          • IT-1: Basic Self Testing
          • IT-2: Start-up Self Testing
          • IT-3: On-line Self Testing
      • References
    8. A Guide to Availability
      • Introduction
        • Availability Control Objective
      • Scope
      • Requirements for Availability
      • Policies & Issues
      • Models
        • Amoroso Model
        • Yu-Gligor Model
        • Quota System
        • Telephone System
          • Perceived Availability
          • Conditioning
          • Testing and Monitoring
      • Common Elements Of The Models
        • Fault Tolerance
      • Containment
        • Security Policy
        • Meeting the Criteria
          • AC-1: Quotas
          • AC-2: Denial of Service
          • AC-3: Resource Restrictions
      • Fault Tolerance
        • Security Policy
        • Meeting the Criteria
          • AF-1: Limited Hot Replacement
          • AF-2: Hot Replacement
      • Robustness
        • Security Policy
        • Meeting the Criteria
          • AR-1: Reliability under Limited Failure
          • AR-2: Reliability with Degraded Service
          • AR-3: Reliability with Full Service
      • Recovery
        • Security Policy
        • Meeting the Criteria
          • AY-1: Manual Recovery
          • AY-2: Automated Recovery
          • AY-3: Selective Recovery
      • References
    9. A Guide to Accountability
      • Introduction
      • Scope
      • Audit
        • Overview
          • Effective Auditing
          • Physical Storage of Audit Data
          • Audit Granularity
          • Audit File Analysis
          • Selection of Audit Events
          • Active Monitoring
        • Auditable Events
        • Security Policy
        • Meeting the Criteria
          • WA-1: External Audit
          • WA-2: Security Audit
          • WA-3: Security Audit Alarm
          • WA-4: Detailed Audit
          • WA-5: Advanced Audit
      • Identification and Authentication
        • Authentication
          • "Something you know"
          • "Something you have"
          • "Something you are"
        • Security Policy
        • Meeting the Criteria
          • WI-1: External Identification and Authentication
          • WI-2: Individual Identification and Authentication
          • WI-3: Multiple Identification and Authentication
      • Trusted Path
        • Security Policy
        • Meeting the Criteria
          • WT-1: Basic Trusted Path
          • WT-2: Advanced Trusted Path
          • WT-3: Complete Trusted Path
      • References
    10. A Guide to Assurance
      • Introduction
      • Scope
      • Architecture
      • Development Environment
        • Development Process
        • Configuration Management
          • Basic Principles
          • Planning A Configuration Management System
          • Meeting the Criteria
      • Development Evidence
        • Specification Style
        • Mapping Requirements
        • Functional Specification
        • Architectural Design
        • Detailed Design
        • Implementation
      • Operational Environment
      • Security Documentation
      • Security Testing
      • References
    11. Implementing Services via Cryptography
      • Introduction
      • Scope
      • Functional Security Objectives
      • Implementing Services
        • Discretionary Confidentiality
        • Mandatory Confidentiality
        • Object Reuse
        • Identification & Authentication
        • Trusted Path
        • Discretionary Integrity
        • Mandatory Integrity
        • Separation of Duties
      • Integration
      • References
    12. Government Security Policy and Standards
      • Introduction
      • Objectives & Scope
      • Security Policy Considerations
      • Accountability, Risk, and Guidance
      • Applying the policy (In Brief)
    13. Security Functionality Profiles
      • Introduction
      • Scope
      • Equivalency & Other Criteria
      • Creation of Profiles
      • Profile Semantics
      • Predefined profiles
        • The TCSEC Profiles
        • Embedded product profiles
        • Service Specific Architectures
      • The Infinite Nature of Profiles

Reviews

The Canadian Trusted Computer Product Evaluation Criteria

Reviewed by Roland Buresund

Rating: Excellent (10 out of 10)

Last modified: April 15, 2022, 6:44 p.m.

One of the best security criteria that has ever been written. Very few know about it, but it has been heavily influential inside security circles.
