The 1982 ilr Force Summer Study on Multilevel Data Management Security recommended several approaches to designing a multilevel secure database system. One of the approaches uses an untrusted database system to manage the data, and an isolated trusted filter to enforce security.The filter attaches a security classification label to each data record, computes an unforgeable cryptographic checksum over the record (including the label), and stores the checksum in the database.The checksum protects against modification to the data and its classification label.This paper discusses the implementation, security, and limitations of the approach.