[Public Interpretations Database]

I-0191: Minimum Set Of Actions That Require Trusted Path

 
NUMBER:               I-0191
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                Minimum Set Of Actions That Require Trusted Path

FIRST POST:            [criteria 2355]
MOST RECENT REPOST:    [criteria 2384]

REQUIREMENT:          Trusted Path
CRITERIA CLASSES:     B3, A1
DOCUMENT(S):          <None>
RELATED TO:
     I-0302           Trusted Path Required For All Authentication

STATEMENT:

The following interprets the requirement that ``The TCB shall support a trusted communication path between itself and users for use when a positive TCB-to-user connection is required (e.g., login, change subject security level).''

The minimum set of functions for which the TCB must support a trusted communication path between itself and users is as follows:

  1. Authentication.

  2. Session establishment where identification is provided.

  3. Requests to change the subject sensitivity label.

  4. Requests to display the current subject's complete sensitivity label.

  5. Requests to assume a security administrative role.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

This interpretation defines the minimum set of actions for which a positive user-to-TCB connection is required. The set was derived from review of the TCSEC requirements that appear to call for positive user-to-TCB or TCB-to-user connection, and balancing this against the placement of the Trusted Path requirement as a subsection of the Identification and Authentication requirement. This placement is felt to be intentional. Administrative actions are excluded, as the Trusted Facility Management requirement implies that the TCB provides these functions, and the Trusted Facility Manual should direct the administrator on how to interact with the TCB to invoke those functions. However, greater assurance of a positive TCB connection is obtained if administrative actions are available through the trusted path.

The first three requirements are derived from the explicit words of the Trusted Path requirement. Session establishment corresponds to the identification portion of the login process.

The fourth requirement is derived from the Subject Sensitivity Labels requirement that that ``a terminal user shall be able to query the TCB as desired for a display of the subject's complete sensitivity label.'' The requirement specifically calls for the query to be to ``the TCB''.

The fifth requirement is derived from the Trusted Facility Management requirement that ``the ADP system administrative personnel shall only be able to perform security administrator functions after taking a distinct auditable action to assume the security administrator role on the ADP system.'' This indicates that a specific request must be made to the TCB to assume this role. The assumption of a role requires the TCB to authenticate that the user making the request for the role is authorized for the role.