Recent Developments in Voting System Standards. Ronald L. Rivest Frontiers in Electronic Elections (Milan) September 15, 2005. Outline. Introduction and overview New proposed standards Software Distribution & Setup Validation Wireless VVPAT Future Directions IDV.
Recent Developments in Voting System Standards Ronald L. Rivest Frontiers in Electronic Elections (Milan) September 15, 2005
Outline • Introduction and overview • New proposed standards • Software Distribution & Setup Validation • Wireless • VVPAT • Future Directions • IDV (Note: some slides adapted from John Wack’s presentation at EAC Standards Board Meeting in Denver 8/24/05)
Voting tech is in transition… • Voting tech follows technology: Stones → Paper → Levers → Punch cards → Op-scan → Computers (??) • Punch cards “out” after Nov. ’00 • DRE’s (touch-screen) require VVPAT (voter-verified paper audit trail) in Cal. • Is technology ready for electronic (paperless) voting?
Voting is a hard problem • Voter Registration - each eligible voter votes at most once • Voter Privacy – no one can tell how any voter voted, even if voter wants it; no “receipt” for voter • Integrity – votes can’t be changed, added, or deleted; tally is accurate. • Availability – voting system is available for use when needed • Ease of Use – esp. for disabled
Voting is important • Cornerstone of our (any!) democracy • Voting security is clearly an aspect of national security. • “Those who vote determine nothing;those who count the votes determine everything.” -- Joseph Stalin
Are DRE’s trustworthy? • Diebold fiascoes..?? • Intrinsic difficulty of designing and securing complex systems • Many units (100,000’s) in field, used occasionally, and managed by the semi-trained • Certification process is “riddled with problems” (NYT editorial 5/30/04)
Voter-Verified Paper Audit Trails? • Rebecca Mercuri: Voting machine should produce “paper audit trail” that voter can inspect and approve. • VVPAT is “official ballot” in case of dispute or recounts. • David Dill (Stanford CS Prof.) initiated on-line petition that ultimately resulted in California requiring VVPAT’s on many DRE’s.
VVPAT’s controversial… • Still need to guard printed ballots. • Two-step voting procedure may be awkward for some voters (e.g. disabled). • Doesn’t catch all problems (e.g. candidate missing from slate) • Malicious voters can cause DoS (denial of service) by casting suspicion on voting machine • Not “end-to-end” security: • Helps ensure votes “cast as intended” • Doesn’t help ensure votes “counted as cast”.
Voting System Security is Hard • Computerization of voting systems gives us the headaches of ordinary computer security, plus • requirement that voter must not be given a receipt proving how he/she voted makes security much tougher. • Now a major research area: • NSF just awarded $7.5M to a consortium of five institutions to research voting system security.
Can Standards Help? • First Voting System Standard 1990 • Revised VSS in 2002 • HAVA (Help America Vote Act) of 2002 created EAC (Election Assistance Commission), TGDC (Technical Guidelines Development Committee), and chartered NIST to help TGDC/EAC produce new standards. • “Voluntary” – states may ignore them.
TGDC Timeline • Fall ’04: Expert testimony, initial subcommittee meetings. • Jan ’05: TGDC resolutions passed • Jan-Apr ’05: NIST+TGDC work on VVSG • April-June ’05: VVSG approved by TGDC, delivered to EAC, published by EAC for comment. • June 29—Sep 30 ’05: Comment period. (Please send in your comments!)
Initial Issues Considered • Wireless • VVPAT • Source code availability • Documentation requirements • “Tiger team” evaluations • Best practices • System logs
Initial Issues Considered (cont.) • COTS • Cryptography • Standardized data formats • Multiple stored ballots • Software development standards • Software distribution • Setup validation
Initial Issues Considered (cont.) • Remote voting • Standardized computer security evaluation procedures • Disclosure of evaluation results • De-certification of systems • Centralized evaluation and incident database • …
TGDC passed resolutions • Resolutions reflect consensus of TGDC on importance of various issues, and near-term relevance. Provide guidance to NIST. • #05-04: Currently certified voting software -> NSRL • #12-05: Voter verifiability (IV/DV) • #14-05: COTS software • #15-05: Software Distribution • #16-05: Setup Validation • #17-05: “Tiger team” testing
TGDC passed resolutions • #18-05: Documentation • #21-05: Multiple ballot representations • #22-05: Federal IT security standards • #23-05: Common ballot formats • #32-05: De-certification • #35-05: Wireless
VVSG 2002 Revisions • Current VVSG revises 2002 standards, and emphasizes (wrt security): • VVPAT (EAC guidance emphasized this) • Wireless • Software distribution and setup validation
New proposed standards • Software Distribution/Setup Validation • Wireless • VVPAT • Independent Dual Verification (informative only, indicative of possible future direction/emphasis)
Software Distribution and Setup Validation • Requirements for ensuring the secure distribution of voting systems software • Requirements for validation that the voting system is running the correct software • Geared towards what is achievable by 2006 • Future requirements would rely more on digital signature technology and ability to validate setup externally from voting system
Software Distribution and Setup Validation • Use of FIPS approved signature and hash algorithms • Use of FIPS 140-2 validated cryptographic modules to perform cryptographic operations • Use NSRL as a repository for voting system software and source for binaries, hashes, and digital signatures • Documentation of all voting system software including 3rd party software such as OS, drivers, etc. • Methods used to check if software modified - binary image comparison, hash value, digital signature • Documentation of the process used to verify that no unauthorized software is present on the voting equipment and that the authorized software has not been modified
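The setup-validation check described on this slide, as an added worked example (not code from the slides or from NIST): a reference manifest of authorized files and their SHA-256 hashes, in the spirit of an NSRL listing, is compared against what is actually on the equipment, reporting unmodified, modified, unauthorized and missing files. The manifest, file names and contents are constructed sample values; verifying the manifest's own digital signature with a FIPS-approved algorithm is assumed to happen before this check runs.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_setup(root, manifest):
    """Compare every file under root with the (already signature-checked) manifest.
    manifest maps a relative path to the expected SHA-256 hex digest.
    Returns sorted lists: ok, modified, unauthorized (on disk, not in manifest),
    and missing (in manifest, not on disk)."""
    result = {"ok": [], "modified": [], "unauthorized": [], "missing": []}
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found.add(rel)
            if rel not in manifest:
                result["unauthorized"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                result["modified"].append(rel)
            else:
                result["ok"].append(rel)
    result["missing"] = list(set(manifest) - found)
    return {k: sorted(v) for k, v in result.items()}


def demo():
    """Constructed equipment image: one intact binary, one modified after
    certification, one stray file, and one authorized driver that is absent."""
    authorized = {"bin/tally": b"tally v1.0", "bin/ballot-ui": b"ballot-ui v1.0",
                  "lib/driver.so": b"printer driver v2"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in authorized.items()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tally"), "wb") as f:
            f.write(b"tally v1.0")                 # matches manifest
        with open(os.path.join(root, "bin", "ballot-ui"), "wb") as f:
            f.write(b"ballot-ui v1.0 PATCHED")     # modified: hash mismatch
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"not in manifest")            # unauthorized software
        return validate_setup(root, manifest)
```

A hash-only check like this is only as trustworthy as the manifest it reads, which is why the slide pairs hashes with a digital signature and a FIPS 140-2 validated module.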
Wireless • Wireless presents opportunity for intruder access and denial of service • Important to protect data and access • TGDC resolution approved use of wireless only as necessary, avoid if at all possible • Wireless includes 802.11x, IR, Bluetooth • Typically not meant to include modem and cellular access, although these will need security requirements also
Wireless • Wireless must follow at least the requirements of the existing telecommunications section in the 2002 VSS • In some cases wireless denial of service cannot be prevented, therefore alternatives must be available or the voting system can be rendered non-functional • Authentication and encryption required • Other requirements for vendor to document whether the voting system has wireless, how to know when it is on/off, and how it is secured • Wireless prohibited during actual voting
VVPAT • EAC asked NIST to address VVPAT requirements for states considering its usage • Optional in VVSG • Assumes VVPAT system consists of DRE plus printer and verification capability
VVPAT • Based on enacted state legislation and CA standard • Codifies record formats, security, usability and accessibility concerns • Emphasizes machine/printer reliability • Emphasizes usefulness of paper record in comparisons with electronic record • Effectively prohibits consecutively stored paper records • Addresses usability for election officials when auditing paper and electronic records
Major Goals for Future Work • Provide complete and comprehensive guideline • Provide clear, usable requirements with associated test methods for VSTLs • Respond to future TGDC resolutions • Comprehensive threat analysis to drive overall security requirements (Workshop on October 7th)
Future VVSG May Include: • IDV – Independent Dual Verification • “Tiger Team” testing • COTS • Cryptographic Requirements • Improved Documentation and Testing Requirements • …
IDV – Independent Dual Verification • Informative in current VVSG, part of new material in future versions • IDV voting systems produce at least two ballot records, both verifiable by the voter and one unchangeable by voting system • At least one record verifiable directly, or both verifiable by systems from different vendors • Records usable in comparisons and audits • Approach can improve resilience of voting systems to software attacks • Needed as backup to more vulnerable computer-based ballot records
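The comparison of two independent ballot records that the VVPAT and IDV slides rely on, as an added example (not code from the slides or from any vendor system): the electronic record and the paper record are compared as multisets, so the result does not depend on storage order and no ballot is linked to its position in the casting sequence, which matters because the VVSG effectively prohibits consecutively stored paper records. The "contest=choice;contest=choice" line format and the sample records are constructed for this example.

```python
from collections import Counter

# Constructed sample records, not real election data. The paper record is
# listed in a different order from the electronic one on purpose.
ELECTRONIC = """
mayor=A;prop1=yes
mayor=B;prop1=no
mayor=A;prop1=no
mayor=A;prop1=yes
"""
PAPER = """
mayor=A;prop1=no
mayor=A;prop1=yes
mayor=B;prop1=yes
mayor=A;prop1=yes
"""


def parse_ballots(text):
    """One ballot per line -> frozenset of (contest, choice) pairs (order-free)."""
    ballots = []
    for line in text.strip().splitlines():
        pairs = (item.split("=", 1) for item in line.strip().split(";") if item)
        ballots.append(frozenset((c.strip(), v.strip()) for c, v in pairs))
    return ballots


def tally(ballots):
    """Per-contest counts as {contest: Counter({choice: n})}."""
    t = {}
    for b in ballots:
        for contest, choice in b:
            t.setdefault(contest, Counter())[choice] += 1
    return t


def audit(electronic_text, paper_text):
    """Compare the two records as multisets of whole ballots and report both
    the tallies and the exact ballots present in only one record."""
    e = Counter(parse_ballots(electronic_text))
    p = Counter(parse_ballots(paper_text))
    return {
        "count_match": sum(e.values()) == sum(p.values()),
        "only_electronic": sorted(sorted(b) for b in (e - p).elements()),
        "only_paper": sorted(sorted(b) for b in (p - e).elements()),
        "electronic_tally": tally(list(e.elements())),
        "paper_tally": tally(list(p.elements())),
    }
```

With the sample data the ballot counts agree and the mayor contest agrees, yet one ballot differs on prop1, which a count-only or single-contest check would miss.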
IDV • Marketplace responding to IDV • Systems available today that are in the IDV ballpark: • VVPAT • DRE add-ons – Witness • Some optical scan systems • Some crypto systems can be IDV • Further work needed to specify requirements for IDV systems
“Tiger Team” testing • Give a team of experts full rein to search for security vulnerabilities. • They get full system documentation and access to system itself. • “In order to defeat an adversary, you must think like an adversary.” • Further work needed to define team composition, level of effort, criteria for evaluating results.
COTS Software • COTS software very useful, but may be buggy, produced overseas, or “black box” (no source code available for review). • Further work needed to clarify when COTS software may be included in voting system, and how it is to be evaluated.
Cryptographic Requirements • Cryptographic techniques (e.g. digital signatures and MACs) can improve system integrity and increase resistance to fraud. • Further work is needed to specify what information transfers require such cryptographic protection. • Key management standards??
Other Major Goals • Stronger requirements for system documentation, including “public” section. • Complete and comprehensive guideline with clear requirements and associated test methods for Voting System Testing Labs • Strong core security section • Hardening and auditing requirements • Robust testing requirements • Comprehensive threat analysis to drive overall security requirements (Oct 7th workshop)
Questions for Standards Writers • How to ensure that innovation is not precluded? • How to specify “tiger team” evaluation? • How to evaluate cryptographic voting systems? • How to handle non-equipment aspects of security (aka “best practices”)?
For More Information… • Ron Rivest • rivest@mit.edu • John Wack • 301-975-3411, voting@nist.gov • NIST Voting Site • Contains all NIST, TGDC documents, drafts, meetings, etc. • http://vote.nist.gov • Election Assistance Commission • http://www.eac.gov