The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.
These standards describe a process of evaluation for trusted systems. In some cases, U.S. government entities (as well as private firms) would require formal validation of computer technology using this process as part of their procurement criteria. Many of these standards have influenced, and have been superseded by, the Common Criteria.
The books have nicknames based on the color of their covers. For example, the Trusted Computer System Evaluation Criteria was referred to as "The Orange Book."[1] In the book entitled Applied Cryptography, security expert Bruce Schneier states of NCSC-TG-021 that he "can't even begin to describe the color of [the] cover" and that some of the books in this series have "hideously colored covers." He then goes on to describe how to receive a copy of them, saying "Don't tell them I sent you."[2]
Document | Title | Date | Color
---|---|---|---
5200.28-STD | DoD Trusted Computer System Evaluation Criteria | August 15, 1983 | Orange
CSC-STD-002-85 | DoD Password Management Guideline | April 12, 1985 | Green
CSC-STD-003-85 | Guidance for Applying TCSEC in Specific Environments | June 25, 1985 | Light Yellow
CSC-STD-004-85 | Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements | June 25, 1985 | Yellow
NCSC-TG-001 | A Guide to Understanding Audit in Trusted Systems | June 1, 1988 | Tan
NCSC-TG-002 | Trusted Product Security Evaluation Program | June 22, 1990 | Bright Blue
NCSC-TG-003 | Discretionary Access Control in Trusted Systems | September 30, 1987 | Neon Orange
NCSC-TG-004 | Glossary of Computer Security Terms | October 21, 1988 | Teal Green
NCSC-TG-005 | Trusted Network Interpretation | July 31, 1987 | Red
NCSC-TG-006 | Configuration Management in Trusted Systems | March 28, 1988 | Amber
NCSC-TG-007 | A Guide to Understanding Design Documentation in Trusted Systems | October 6, 1988 | Burgundy
NCSC-TG-008 | A Guide to Understanding Trusted Distribution in Trusted Systems | December 15, 1988 | Dark Lavender
NCSC-TG-009 | Computer Security Subsystem Interpretation of the TCSEC | September 16, 1988 | Venice Blue
NCSC-TG-010 | A Guide to Understanding Security Modeling in Trusted Systems | October 1992 | Aqua
NCSC-TG-011 | Trusted Network Interpretation Environments Guideline (TNI) | August 1, 1990 | Red
NCSC-TG-012 | Trusted Database Management System Interpretation [3] | April 1991 |
NCSC-TG-013 | RAMP Program Document | 1989 | Pink
NCSC-TG-013 V2 | RAMP Program Document version 2 | March 1, 1995 | Pink
NCSC-TG-014 | Guidelines for Formal Verification Systems | April 1, 1989 | Purple
NCSC-TG-015 | Guide to Understanding Trusted Facility Management | October 18, 1989 | Brown
NCSC-TG-016 | Guidelines for Writing Trusted Facility Manuals | October 1992 | Yellow-Green
NCSC-TG-017 | Identification and Authentication in Trusted Systems | September 1991 | Light Blue
NCSC-TG-018 | Object Reuse in Trusted Systems | July 1992 | Light Blue
NCSC-TG-019 | Trusted Product Evaluation Questionnaire | May 2, 1992 | Blue
NCSC-TG-020 | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System | July 7, 1989 | Silver
NCSC-TG-020-A | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX (R) System | August 18, 1989 | Grey Silver
NCSC-TG-021 | Trusted Database Management System Interpretation of the TCSEC (TDI) | April 1991 | Purple
NCSC-TG-022 | Trusted Recovery in Trusted Systems | December 30, 1991 | Yellow
NCSC-TG-023 | Security Testing and Test Documentation in Trusted Systems | July 1993 | Bright Orange
NCSC-TG-024 Vol. 1/4 | Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements | December 1992 | Purple
NCSC-TG-024 Vol. 2/4 | Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work | June 30, 1993 | Purple
NCSC-TG-024 Vol. 3/4 | Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description | February 28, 1994 | Purple
NCSC-TG-024 Vol. 4/4 | Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document | Publication TBA | Purple
NCSC-TG-025 | Guide to Understanding Data Remanence in Automated Information Systems | September 1991 | Forest Green
NCSC-TG-026 | Writing the Security Features User's Guide for Trusted Systems | September 1991 | Hot Peach
NCSC-TG-027 | Information System Security Officer Responsibilities for Automated Information Systems | May 1992 | Turquoise
NCSC-TG-028 | Assessing Controlled Access Protection | May 25, 1992 | Violet
NCSC-TG-029 | Certification and Accreditation Concepts | January 1994 | Blue
NCSC-TG-030 | Covert Channel Analysis of Trusted Systems | November 1993 | Light Pink