Abstract
The ECA is an embedded computing device that processes message traffic for a network that must enforce end-to-end user message confidentiality. The ECA uses a commercial, off-the-shelf cryptographic device to transform sensitive data from the Red Domain of the network so that it can be transmitted over the untrusted communication links of the Black Domain. For transmission purposes, certain parts of a message, namely the message header, must be bypassed around the cryptographic device. The primary critical requirement for the ECA, Restricted Red-to-Black Flow (RRTBF), requires that the bypassed portion of each message must satisfy certain format restrictions, and that the rate of bypass must be constrained. In this report, we present an informal model of the ECA’s critical requirements together with the assumptions under which the model was constructed. We than formalize this model by using the CSP Trace Model of computation.