Rainbow Series

A complete set of the US DoD Rainbow Series computer security documents

The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.

Objective

These standards describe a process of evaluation for trusted systems. In some cases, U.S. government entities (as well as private firms) would require formal validation of computer technology using this process as part of their procurement criteria. Many of these standards have influenced, and have been superseded by, the Common Criteria.

The books have nicknames based on the color of their covers. For example, the Trusted Computer System Evaluation Criteria was referred to as "The Orange Book." [1] In the book entitled Applied Cryptography, security expert Bruce Schneier states of NCSC-TG-021 that he "can't even begin to describe the color of [the] cover" and that some of the books in this series have "hideously colored covers." He then goes on to describe how to receive a copy of them, saying "Don't tell them I sent you." [2]

Most significant Rainbow Series books

NIST Rainbow Series
| Document | Title | Date | Color |
|---|---|---|---|
| 5200.28-STD | DoD Trusted Computer System Evaluation Criteria | August 15, 1983 | Orange |
| CSC-STD-002-85 | DoD Password Management Guideline | April 12, 1985 | Green |
| CSC-STD-003-85 | Guidance for Applying TCSEC in Specific Environments | June 25, 1985 | Light Yellow |
| CSC-STD-004-85 | Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements | June 25, 1985 | Yellow |
| NCSC-TG-001 | A Guide to Understanding Audit in Trusted Systems | June 1, 1988 | Tan |
| NCSC-TG-002 | Trusted Product Security Evaluation Program | June 22, 1990 | Bright Blue |
| NCSC-TG-003 | Discretionary Access Control in Trusted Systems | September 30, 1987 | Neon Orange |
| NCSC-TG-004 | Glossary of Computer Security Terms | October 21, 1988 | Teal Green |
| NCSC-TG-005 | Trusted Network Interpretation | July 31, 1987 | Red |
| NCSC-TG-006 | Configuration Management in Trusted Systems | March 28, 1988 | Amber |
| NCSC-TG-007 | A Guide to Understanding Design Documentation in Trusted Systems | October 6, 1988 | Burgundy |
| NCSC-TG-008 | A Guide to Understanding Trusted Distribution in Trusted Systems | December 15, 1988 | Dark Lavender |
| NCSC-TG-009 | Computer Security Subsystem Interpretation of the TCSEC | September 16, 1988 | Venice Blue |
| NCSC-TG-010 | A Guide to Understanding Security Modeling in Trusted Systems | October 1992 | Aqua |
| NCSC-TG-011 | Trusted Network Interpretation Environments Guideline (TNI) | August 1, 1990 | Red |
| NCSC-TG-012 | Trusted Database Management System Interpretation [3] | April 1991 | |
| NCSC-TG-013 | RAMP Program Document | 1989 | Pink |
| NCSC-TG-013 V2 | RAMP Program Document version 2 | March 1, 1995 | Pink |
| NCSC-TG-014 | Guidelines for Formal Verification Systems | April 1, 1989 | Purple |
| NCSC-TG-015 | Guide to Understanding Trusted Facility Management | October 18, 1989 | Brown |
| NCSC-TG-016 | Guidelines for Writing Trusted Facility Manuals | October 1992 | Yellow-Green |
| NCSC-TG-017 | Identification and Authentication in Trusted Systems | September 1991 | Light Blue |
| NCSC-TG-018 | Object Reuse in Trusted Systems | July 1992 | Light Blue |
| NCSC-TG-019 | Trusted Product Evaluation Questionnaire | May 2, 1992 | Blue |
| NCSC-TG-020 | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System | July 7, 1989 | Silver |
| NCSC-TG-020-A | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX (R) System | August 18, 1989 | Grey Silver |
| NCSC-TG-021 | Trusted Database Management System Interpretation of the TCSEC (TDI) | April 1991 | Purple |
| NCSC-TG-022 | Trusted Recovery in Trusted Systems | December 30, 1991 | Yellow |
| NCSC-TG-023 | Security Testing and Test Documentation in Trusted Systems | July 1993 | Bright Orange |
| NCSC-TG-024 Vol. 1/4 | Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements | December 1992 | Purple |
| NCSC-TG-024 Vol. 2/4 | Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work | June 30, 1993 | Purple |
| NCSC-TG-024 Vol. 3/4 | Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description | February 28, 1994 | Purple |
| NCSC-TG-024 Vol. 4/4 | Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document | Publication TBA | Purple |
| NCSC-TG-025 | Guide to Understanding Data Remanence in Automated Information Systems | September 1991 | Forest Green |
| NCSC-TG-026 | Writing the Security Features User's Guide for Trusted Systems | September 1991 | Hot Peach |
| NCSC-TG-027 | Information System Security Officer Responsibilities for Automated Information Systems | May 1992 | Turquoise |
| NCSC-TG-028 | Assessing Controlled Access Protection | May 25, 1992 | Violet |
| NCSC-TG-029 | Certification and Accreditation Concepts | January 1994 | Blue |
| NCSC-TG-030 | Covert Channel Analysis of Trusted Systems | November 1993 | Light Pink |

Related Research Articles

Advanced Encryption Standard: Standard for the encryption of electronic data

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

Data Encryption Standard: Early unclassified symmetric-key block cipher

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

In cryptography, SHA-1 is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

Bruce Schneier: American computer scientist (born 1963)

Bruce Schneier is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is an Adjunct Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Center for Internet & Society as of November, 2013. He is a board member of the Electronic Frontier Foundation, Access Now, and The Tor Project; and an advisory board member of Electronic Privacy Information Center and VerifiedVoting.org. He is the author of several books on general security topics, computer security and cryptography and is a squid enthusiast.

A cypherpunk is any individual advocating widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change. Originally communicating through the Cypherpunks electronic mailing list, informal groups aimed to achieve privacy and security through proactive use of cryptography. Cypherpunks have been engaged in an active movement since at least the late 1980s and early 1990s.

The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. By contrast, parts of a computer system that lie outside the TCB must not be able to misbehave in a way that would leak any more privileges than are granted to them in accordance to the system's security policy.

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

Orange Book may refer to:

In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Butler Lampson, is defined as channels "not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC.

Cryptographic hash function: Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

Bibliography of cryptography

Books on cryptography have been published sporadically and with highly variable quality for a long time. This is despite the tempting, though superficial, paradox that secrecy is of the essence in sending confidential messages – see Kerckhoffs' principle.

In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency (NSA). Initially classified, it was originally intended for use in the controversial Clipper chip. Subsequently, the algorithm was declassified.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.

Password strength: Resistance of a password to being guessed

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

Cryptographic Module Testing Laboratory (CMTL) is an information technology (IT) computer security testing laboratory that is accredited to conduct cryptographic module evaluations for conformance to the FIPS 140-2 U.S. Government standard.

The following outline is provided as an overview of and topical guide to cryptography:

Trusted Computer System Evaluation Criteria

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information.

Bullrun (decryption program): Code name of a decryption program run by the NSA

Bullrun is a clandestine, highly classified program to crack encryption of online communications and data, which is run by the United States National Security Agency (NSA). The British Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the Bullrun classification guide published by The Guardian, the program uses multiple methods including computer network exploitation, interdiction, industry relationships, collaboration with other intelligence community entities, and advanced mathematical techniques.

Security Controls for Computer Systems, commonly called the Ware report, is a 1970 text by Willis Ware that was foundational in the field of computer security.

References

  1. Steve Lipner, "The Birth and Death of the Orange Book" IEEE Annals of the History of Computing 37 no. 2 (2015): 19-31 at DOI
  2. Schneier, Bruce (1996), Applied Cryptography (2nd ed.), New York, NY: John Wiley and Sons, ISBN 978-0-471-11709-4
  3. "DITSCAP Application Manual" (PDF). DoD. July 31, 2000. Archived from the original (PDF) on Aug 30, 2004.