Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
4.9. Reflection Checkpoint
Key Takeaways
- Design principles (least privilege, separation of duties, defense in depth, fail secure, zero trust) form one connected philosophy: each addresses a different failure mode, so apply them together, not in isolation.
- TCB minimization is a security design goal — every component in the TCB is a potential failure point. Smaller TCB = smaller attack surface = easier to verify.
- BLP protects confidentiality (simple security property: no read up; *-property: no write down); Biba protects integrity (simple integrity property: no read down; *-integrity property: no write up). They address opposite threats with mirror-image rules.
- Clark-Wilson is for commercial integrity: constrained data items (CDIs) are modified only through certified transformation procedures (TPs), subjects are bound to TPs and CDIs by access triples (which is where separation of duties is enforced), integrity verification procedures (IVPs) confirm the data is in a valid state, and every TP invocation is audited. This is the model that banking and healthcare transaction systems most closely implement.
- AES-GCM for symmetric encryption (authenticated encryption; a nonce must never be reused under the same key); ECDHE for key exchange (gives forward secrecy); SHA-256 or stronger for general-purpose hashing (not for passwords, which need a slow, salted KDF). Deprecated: DES, 3DES, MD5, SHA-1, RC4, RSA-1024, TLS 1.0/1.1.
- Hybrid encryption: asymmetric for key exchange (solves distribution), symmetric for bulk data (solves speed). TLS is the canonical example.
- Digital signatures = integrity + authentication + nonrepudiation, because only the holder of the private key can produce the signature. HMAC = integrity + authentication only: the key is shared, so either party could have produced the tag and neither can prove to a third party who did. Neither provides confidentiality without separate encryption.
- Physical security is defense in depth from perimeter inward. Physical access defeats logical controls; physical security must be equal in rigor to logical security.
- CO2 suppression: evacuate before discharge. Clean agents (FM-200, Novec 1230): safe for electronics and people at design concentrations.
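The hashing takeaway above says SHA-256 is acceptable for general hashing and MD5 is deprecated; for password storage neither is the right tool, because both are fast and unsalted by default. The following added example (not from the course page) contrasts the developer's MD5 scheme with a salted, iterated PBKDF2-HMAC-SHA256 record verified in constant time, which is the shape of answer the first self-check question below is looking for. The usernames, passwords and the `algorithm$iterations$salt$key` record format are constructed for the demo; PBKDF2 is used only because it ships with the standard library, and a memory-hard KDF (Argon2id, scrypt, bcrypt) is preferable where its library is available.

```python
"""Added example, not from the course page: why an unsalted fast hash such as
MD5 is the wrong tool for password storage, and what a password record should
look like instead. Standard library only; usernames and passwords are constructed."""
import hashlib
import hmac
import os

# OWASP's current floor for PBKDF2-HMAC-SHA256. A memory-hard KDF (Argon2id,
# scrypt, bcrypt) is the better choice when its library is available; PBKDF2 is
# used here only because it ships with Python.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """The developer's scheme: a single fast, unsalted digest. The same password
    always yields the same value, so one precomputed table cracks every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt$derived_key (hex).
    A fresh 16-byte random salt per user defeats precomputation; the stored
    iteration count lets the cost be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in
    constant time; any malformed record is rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def compare_schemes(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Two users who chose the same password: MD5 gives identical, precomputable
    digests; the salted KDF gives distinct records that still verify correctly."""
    users = {"alice": "Winter2024!", "bob": "Winter2024!"}   # constructed test data
    md5_rows = {u: legacy_md5(p) for u, p in users.items()}
    kdf_rows = {u: hash_password(p, iterations) for u, p in users.items()}
    # Flip the last hex digit of alice's derived key to simulate a corrupted row.
    tampered = kdf_rows["alice"][:-1] + ("0" if kdf_rows["alice"][-1] != "0" else "1")
    return {
        "md5_identical_across_users": md5_rows["alice"] == md5_rows["bob"],
        "kdf_records_distinct": kdf_rows["alice"] != kdf_rows["bob"],
        "correct_password_accepted": verify_password("Winter2024!", kdf_rows["alice"]),
        "wrong_password_rejected": not verify_password("winter2024!", kdf_rows["alice"]),
        "tampered_record_rejected": not verify_password("Winter2024!", tampered),
        "legacy_record_rejected": not verify_password("Winter2024!", md5_rows["alice"]),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name}: {result}")
```

Every entry returned by `compare_schemes()` is `True`. The two points the question wants beyond "use SHA-256" are visible in the code: the per-user salt is what makes the two records differ, and the iteration count is what makes each guess expensive; swapping MD5 for a fast SHA-256 would fix neither.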
Connecting Forward
Phase 5 (Domain 4 — Communication and Network Security) applies the cryptographic protocols from Phase 4 (TLS, IPsec) to network architecture contexts. The secure design principles (defense in depth, segmentation, least privilege) from Section 4.1 become the architectural principles behind firewall placement, VLAN design, and network access control. The formal models from Section 4.2 inform how access control decisions are structured, both in Domain 4's network devices and in Domain 5 (Identity and Access Management).
Self-Check Questions
- A developer argues that their application stores passwords using MD5 hashes and that this is "fine because it's just a hash, not encryption." Construct a technical response explaining why MD5 is unsuitable for password storage and what should be used instead (the answer goes beyond simply "use SHA-256").
- You are designing a new financial transaction processing system. You need to ensure (1) only authorized procedures can modify transaction records, (2) all modifications are auditable, and (3) subjects at a lower integrity level cannot contaminate the transaction data. Which formal security model applies to requirements 1 and 2? Which applies to requirement 3? Can both be implemented in the same system?
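The following added example (not from the course page) puts the BLP, Biba and Clark-Wilson takeaways above, and the second self-check question, into one runnable toy reference monitor. BLP and Biba are expressed as lattice rules over (subject label, object label, operation); Clark-Wilson is enforced by making the ledger balances (the CDIs) reachable only through a single certified `transfer` TP, gated by access triples, checked by an IVP after the TP runs, and audited on every attempt. The last part of the question is answered in code: the Clark-Wilson layer calls the Biba *-integrity rule before a TP may write a CDI, so both models coexist. The label lattices, users, account names, the TP and the amounts are all constructed for the demo.

```python
"""Added example, not from the course page: a toy reference monitor encoding
the three formal models above. BLP and Biba are lattice rules on (subject,
object, operation); Clark-Wilson is enforced by making constrained data items
(CDIs) reachable only through a certified transformation procedure (TP),
gated by access triples, checked by an IVP and audited on every attempt.
Labels, users, account names and amounts are constructed for the demo."""
from dataclasses import dataclass, field

# Constructed lattices; a later entry dominates an earlier one.
SECRECY = ["public", "internal", "confidential", "secret"]   # BLP labels
INTEGRITY = ["untrusted", "user", "operator", "system"]     # Biba labels


def dominates(a: str, b: str, lattice: list) -> bool:
    return lattice.index(a) >= lattice.index(b)


def blp_allows(subj_clearance: str, obj_class: str, op: str) -> bool:
    """Bell-LaPadula: simple security (no read up), *-property (no write down)."""
    if op == "read":
        return dominates(subj_clearance, obj_class, SECRECY)
    if op == "write":
        return dominates(obj_class, subj_clearance, SECRECY)
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subj_integrity: str, obj_integrity: str, op: str) -> bool:
    """Biba: simple integrity (no read down), *-integrity (no write up)."""
    if op == "read":
        return dominates(obj_integrity, subj_integrity, INTEGRITY)
    if op == "write":
        return dominates(subj_integrity, obj_integrity, INTEGRITY)
    raise ValueError(f"unknown op {op!r}")


@dataclass
class Ledger:
    """Clark-Wilson enforcement for a constructed transaction ledger.

    balances are the CDIs. They change only via run_tp(), which checks the
    (user, TP, CDI) access triples (requirement 1), gates the write with the
    Biba *-integrity rule (requirement 3), runs the IVP after the TP and
    logs every attempt, allowed or denied (requirement 2).
    """
    balances: dict = field(default_factory=dict)   # CDIs: account -> cents
    triples: set = field(default_factory=set)      # certified (user, tp, cdi)
    cdi_integrity: str = "operator"                # Biba label on every CDI
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self._total = sum(self.balances.values())  # invariant the IVP checks

    def ivp(self) -> bool:
        """Integrity verification procedure: money is conserved, no overdraft."""
        return (sum(self.balances.values()) == self._total
                and all(v >= 0 for v in self.balances.values()))

    def run_tp(self, user, user_integrity, tp, src, dst, cents) -> bool:
        allowed = (
            tp == "transfer"                                   # the only certified TP
            and (user, tp, src) in self.triples
            and (user, tp, dst) in self.triples
            and biba_allows(user_integrity, self.cdi_integrity, "write")
        )
        if allowed:
            snapshot = dict(self.balances)
            self.balances[src] -= cents
            self.balances[dst] += cents
            if not self.ivp():                 # TP would leave CDIs invalid
                self.balances = snapshot       # roll back and deny
                allowed = False
        self.audit.append((user, tp, src, dst, cents, "ALLOW" if allowed else "DENY"))
        return allowed


def demo() -> dict:
    ledger = Ledger(
        balances={"alice": 10_000, "bob": 2_500},
        triples={("teller", "transfer", "alice"), ("teller", "transfer", "bob")},
    )
    return {
        "blp_read_up": blp_allows("internal", "secret", "read"),        # False
        "blp_write_up": blp_allows("internal", "secret", "write"),      # True
        "biba_read_down": biba_allows("system", "untrusted", "read"),   # False
        "biba_write_down": biba_allows("system", "untrusted", "write"), # True
        # Clark-Wilson layer, evaluated in this order
        "teller_transfer": ledger.run_tp("teller", "operator", "transfer", "alice", "bob", 1_000),
        "low_integrity_denied": ledger.run_tp("teller", "untrusted", "transfer", "alice", "bob", 1_000),
        "no_triple_denied": ledger.run_tp("mallory", "system", "transfer", "alice", "bob", 1),
        "overdraft_denied": ledger.run_tp("teller", "operator", "transfer", "bob", "alice", 50_000),
        "balances": dict(ledger.balances),   # {'alice': 9000, 'bob': 3500}
        "audit_entries": len(ledger.audit),  # 4: one row per attempt
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what each denial comes from: `low_integrity_denied` is the Biba rule (an `untrusted` subject may not write an `operator`-level CDI), `no_triple_denied` is Clark-Wilson's access triples, and `overdraft_denied` is the IVP catching a TP that would leave the CDIs in an invalid state, rolled back before the audit row is written.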
Written by Alvin Varughese, Founder, 15 professional certifications