Part II: Computer Security and the VVSG
October 15-17, 2007
Barbara Guttman, Nelson Hastings
National Institute of Standards and Technology
barbara.guttman@nist.gov, nelson.hastings@nist.gov
Agenda
- Security Requirements Overview
- Review of Chapter 4: Security and Audit Architecture
- Review of Chapter 5: General Security Requirements

Security Requirements Overview
- The security requirements of the next VVSG work together to support equipment security
- It is difficult to understand the security provided by a single requirement, or set of requirements, without understanding how the requirements relate to each other

Security Requirements Overview
- For example, the Cryptography section addresses how cryptography is implemented by the equipment
- The Software Installation and Electronic Records sections address how cryptography, specifically digital signatures, is used by the equipment to support security

Security Requirements Overview
- Documentation requirements related to security (Part 2: Documentation Requirements)
  - System Security Specification: Section 3.5 of the Technical Data Package (TDP)
  - Section 4.3 of the user documentation

Security Requirements Overview
- Section 3.5: System Security Specification (TDP)
  - Provided to the test lab to assist in the testing campaign
  - General documentation about security, including: security architecture; security threat controls; security testing and vulnerability analysis
  - Detailed implementation specification for each security mechanism

Security Requirements Overview
- Section 4.3: System Security Specification (user documentation)
  - Provided to users of the voting system, including test labs
  - How the security mechanisms are to be used
  - Information needed to support a feature's use, such as the list of software to be installed
Chapter 4: Security and Audit Architecture
- Section 4.2: Requirements to support auditing
- Section 4.3: Electronic Records
- Section 4.4: Independent Voter Verifiable Records (IVVR): VVPAT, PCOS

Software Independence
- TGDC Resolution 06-06 requires software independence (SI)
- Software independence means that an undetected change or error in the software cannot cause an undetectable change in the election outcome; in other words, changes must be detectable
- Detectable, in practice, means auditable
- SI = Auditable

Why Does the TGDC Want SI?
- With software, it is pretty easy to make a screen say one thing but record another thing inside the computer
- The hard part is making plausible, directed changes

Auditing Records
- Two types of records: electronic and independent
- 4.3 addresses electronic records
- 4.4 addresses independent records

Won't a Test Lab Catch This?
- No: software, especially the software that runs the user interface, is really complicated

Famous Software That Wasn't Doing What We Thought It Was Doing
- Some trojan horse (or two)
- NC voting example
- Therac-25
- Phishing
Therac-25
"After this second Tyler accident, the ETCC physicist immediately took the machine out of service and called AECL to alert the company to this second apparent overexposure. The Tyler physicist then began his own careful investigation. He worked with the operator, who remembered exactly what she had done on this occasion. After a great deal of effort, they were eventually able to elicit the Malfunction 54 message. They determined that data-entry speed during editing was the key factor in producing the error condition: If the prescription data was edited at a fast pace (as is natural for someone who has repeated the procedure a large number of times), the overdose occurred."
Source: http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_2.html
How Does the VVSG Address Auditability?
- Requires equipment to have features that can be used for various types of audits
- Requires documentation
- NOTE: the VVSG itself does not require auditing; that is procedural and outside its scope

4.2 Requirements for Supporting Audits
- Types of audits: pollbook audit; hand audit of the independent record; ballot count and vote total audit; observational testing
- Note: parallel testing is another type of audit, but it is not included because it does not levy requirements on the equipment

Audit Records
- Two types of records: electronic records and Independent Voter Verifiable Records (IVVR)
- 4.3 addresses electronic records
- 4.4 addresses independent records

4.3 Electronic Records
- General requirements: open format; printable; digitally signed for integrity and authenticity

4.3 Electronic Records
- Information/data requirements: records contain all relevant data
- List for the tabulator (4.3.2)
- List for the EMS (4.3.3)
- Generally: totals; read ballots; counted ballots; rejected ballots; overvotes/undervotes; write-ins

4.4 Independent Voter Verifiable Records (IVVR)
- What is an independent voter verifiable record? (4.4.1)
  - Direct verification by the voter
  - Support for hand auditing
  - Various security and operational properties (can be rejected; durable)
- Doesn't this mean paper?

4.4 Independent Voter Verifiable Records (IVVR)
- Direct review (by voter and election official)
- Can support a hand audit
- Can support a recount
- Durable
- Tamper evidence
- Support for privacy

4.4 Independent Voter Verifiable Records (IVVR)
- Public format
- Sufficient information (ballot configuration, not just selections)
- No codebook required
- Support for multiple physical media
- Able to be accepted or rejected (per medium)
- Non-human-readable content allowed (in a public format)

4.4 Independent Voter Verifiable Records (IVVR)
- Two current types of IVVR: VVPAT; optical scan

4.4.2 VVPAT
- VVPAT and accessibility addressed by Sharon
- Note the need for observational testing
- Many operational requirements
- Paper rolls allowed

4.4.3 PCOS
- Few additional security requirements
- Allows non-human-readable marks (record identifiers, batch information, integrity checks)
Chapter 5: General Security Requirements
- Section 5.1: Cryptography
- Section 5.2: Setup Inspection
- Section 5.3: Software Installation
- Section 5.4: Access Control
- Section 5.5: System Integrity Management
- Section 5.6: Communication Security
- Section 5.7: System Event Logging
- Section 5.8: Physical Security for Voting Devices

5.1 Cryptography
- A powerful basic security control: integrity of information; authentication of information
- Requirements developed to provide easy use and maintenance
- Uses the strength of existing federal standards

5.1 Cryptography
- Implementation of cryptography: public-key and secret-key cryptography
- Not cryptographic voting protocols (a.k.a. end-to-end voting systems)
- Many sections of the next VVSG leverage the security features supported by cryptography

5.1 Cryptography
- FIPS 140-2 validated cryptographic module
  - A cryptographic module is hardware, firmware, and/or software that implements cryptographic functions (such as encryption, decryption, and key generation)
- Minimum strength of cryptography

5.1 Cryptography
- Signature Module (SM): a hardware cryptographic module
  - FIPS 140-2 Level 2 (out of 4), with physical security at Level 3
  - Generates digital signatures
  - Generates and stores private signature keys
  - Permanently attached to the equipment

5.1 Cryptography
- Types of keys within a Signature Module (SM)
  - Device Signature Key (DSK): associated with a device for its lifetime; signatures are traceable to specific pieces of equipment
  - Election Signature Key (ESK): generated once per election cycle; associated with a device's specific election cycle; signatures are traceable to the electronic records of a given election

5.1 Cryptography
- Device Signature Key (DSK)
  - Generated using a nondeterministic random number generator
  - Public key certificate: self-signed or CA-issued
  - Unique identifier on an external surface of the equipment and in the certificate
  - Used to sign: Election Signature Key certificates; election key closeout records; Device Signature Key certificates

5.1 Cryptography
- Election Signature Key (ESK)
  - Generated using a nondeterministic random number generator
  - Used to digitally sign electronic records for an election cycle
  - Destroyed as part of election closeout
  - Counters keep track of the number of ESKs generated and of the number of signatures generated by a given ESK
5.1 Cryptography
- Election Signature Key (ESK) certificates are signed by the Device Signature Key (DSK)
[Figure: ESK certificate containing the Election Signature (public) key, bearing a signature made with the Device Signature (private) key]
5.1 Cryptography
- Election key closeout record (an electronic record) contains:
  - The public key of the Election Signature Key (ESK) (as a certificate or as a message digest/hash: still an open question)
  - The number of signatures generated by the ESK
  - The device's ESK number (which of the device's ESKs this was)
  - Signed by the Device Signature Key (DSK)
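The DSK/ESK hierarchy described on the preceding slides, as an added example written for this page; it is not code from the presentation or from any VVSG implementation. It uses only the Go standard library. Assumptions: Ed25519 stands in for whichever FIPS-approved signature algorithm a TDP would specify; the ESK certificate and the closeout record are minimal JSON structures of this example's own design (the slides leave the formats to the TDP); the DSK certificate is omitted, so the auditor is simply handed the DSK public key; and the device identifier and the electronic record are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ESKCert stands in for the ESK certificate: the ESK public key bound to device and cycle, signed by the DSK.
type ESKCert struct {
	DeviceID       string
	ESKNumber      int
	ESKPub, DSKSig []byte
}

// CloseoutRecord carries the fields the slides list for the election key closeout record.
type CloseoutRecord struct {
	DeviceID                  string
	ESKNumber, SignatureCount int
	ESKPubHash, DSKSig        []byte // ESKPubHash is the SHA-256 of the ESK public key
}

// SignatureModule models the hardware module: the DSK lasts the device's lifetime, the ESK only one cycle.
type SignatureModule struct {
	DeviceID         string
	DSKPub           ed25519.PublicKey  // what an auditor holds, normally from the DSK certificate
	dsk, esk         ed25519.PrivateKey // private keys never leave the module
	eskNum, sigCount int                // ESKs generated over the lifetime; signatures by the current ESK
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// genKey draws from the OS nondeterministic RNG, as the slides require for both key types.
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // no usable entropy: the module must not produce a key
	return pub, priv
}

// tbs returns the to-be-signed encoding: the record with its signature field cleared.
func (c ESKCert) tbs() []byte        { c.DSKSig = nil; b, _ := json.Marshal(c); return b }
func (r CloseoutRecord) tbs() []byte { r.DSKSig = nil; b, _ := json.Marshal(r); return b }
func NewSignatureModule(deviceID string) *SignatureModule {
	pub, priv := genKey()
	return &SignatureModule{DeviceID: deviceID, DSKPub: pub, dsk: priv}
}

// StartElection generates a fresh ESK, bumps the ESK counter and issues its DSK-signed certificate.
func (sm *SignatureModule) StartElection() (*ESKCert, error) {
	if sm.esk != nil { return nil, errors.New("election still open: close it out before generating a new ESK") }
	pub, priv := genKey()
	sm.esk, sm.eskNum, sm.sigCount = priv, sm.eskNum+1, 0
	cert := &ESKCert{DeviceID: sm.DeviceID, ESKNumber: sm.eskNum, ESKPub: pub}
	cert.DSKSig = ed25519.Sign(sm.dsk, cert.tbs())
	return cert, nil
}
// SignRecord signs one electronic record with the ESK and counts the signature.
func (sm *SignatureModule) SignRecord(record []byte) ([]byte, error) {
	if sm.esk == nil { return nil, errors.New("no election signature key: election not open") }
	sm.sigCount++
	return ed25519.Sign(sm.esk, record), nil
}
// CloseElection emits the DSK-signed closeout record and destroys the ESK.
func (sm *SignatureModule) CloseElection() (*CloseoutRecord, error) {
	if sm.esk == nil { return nil, errors.New("no election open") }
	rec := &CloseoutRecord{DeviceID: sm.DeviceID, ESKNumber: sm.eskNum, SignatureCount: sm.sigCount,
		ESKPubHash: digest(sm.esk.Public().(ed25519.PublicKey))}
	rec.DSKSig = ed25519.Sign(sm.dsk, rec.tbs())
	sm.esk = nil // destroy the ESK: nothing more can be signed for this cycle
	return rec, nil
}

// VerifyRecord is the auditor's check: the ESK certificate chains to the device's DSK and the
// record is signed by that ESK, so the record is traceable to one device and one election cycle.
func VerifyRecord(dskPub ed25519.PublicKey, cert *ESKCert, record, sig []byte) error {
	if !ed25519.Verify(dskPub, cert.tbs(), cert.DSKSig) { return errors.New("ESK certificate not signed by this device's DSK") }
	if len(cert.ESKPub) != ed25519.PublicKeySize || !ed25519.Verify(cert.ESKPub, record, sig) {
		return errors.New("record signature does not verify under the certified ESK")
	}
	return nil
}
// VerifyCloseout checks the closeout record against the DSK and the ESK certificate it closes.
func VerifyCloseout(dskPub ed25519.PublicKey, cert *ESKCert, rec *CloseoutRecord) error {
	if !ed25519.Verify(dskPub, rec.tbs(), rec.DSKSig) { return errors.New("closeout record not signed by DSK") }
	if rec.ESKNumber != cert.ESKNumber || !bytes.Equal(rec.ESKPubHash, digest(cert.ESKPub)) {
		return errors.New("closeout record does not match the ESK certificate")
	}
	return nil
}

func main() {
	sm := NewSignatureModule("DRE-00042") // constructed device identifier
	cert, _ := sm.StartElection()
	rec := []byte(`{"contest":"Mayor","totals":{"A":120,"B":98}}`) // constructed electronic record
	sig, _ := sm.SignRecord(rec)
	closeout, _ := sm.CloseElection()
	fmt.Println(VerifyRecord(sm.DSKPub, cert, rec, sig), VerifyCloseout(sm.DSKPub, cert, closeout), closeout.SignatureCount)
}
```

The two counters do the work the slides assign to them: the ESK number lets an auditor tell which of a device's election cycles a certificate belongs to, and the signature count in the closeout record lets the number of signed records collected from the device be reconciled against the number the module actually produced. Once CloseElection has run, the ESK is gone, so a record signed afterwards can only come from somewhere other than this module.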
5.1 Cryptography
- Technical Data Package (TDP) requirements
  - Certificate fields for the Device Signature Key (DSK) and the Election Signature Key (ESK)
  - Specific cryptographic algorithms used
  - Election closeout record format specification

5.2 Setup Inspection
- Requirements related to the capabilities to inspect properties of voting devices
- Improves voting device management and maintenance
- Reflects the new focus of the requirements in light of the software independence (SI) approach
- Called Setup Validation in VVSG 2005

5.2 Setup Inspection
- Inspections generate system event log entries containing:
  - Time and date
  - Information related to the specific inspection (location of software files; component calibration)
  - Result of the inspection
  - Voting device unique identification
  - Individual (or role) that performed the inspection

5.2 Setup Inspection
- Software identification verification: ability to query/inspect the voting device to determine what software is installed
- Software integrity verification, using digital signatures and hashes
  - Against designated repositories such as the National Software Reference Library (NSRL)
  - Against the voting device owner (the jurisdiction)
  - Under the SI approach, verification may be performed internally by the device; there is no external-interface requirement as in VVSG 2005

5.2 Setup Inspection
- Voting device election information inspection: ability to query/inspect the storage locations containing information that changes during an election
  - Number of ballots cast
  - Totals for a given contest
- Generalizes the register and variable terminology from VVSG 2005
- Supports zero-total inspections prior to use in an election

5.2 Setup Inspection
- Inspection of properties of voting device components
  - Backup power supply level
  - Cabling connectivity indicator
  - Communications operational status and on/off indicators
  - Consumables remaining indicator
  - Calibration determination and adjustments

5.2 Setup Inspection
- User documentation requirements
  - Model setup inspection process supported by the voting device (manufacturer provided); minimally includes the items mentioned previously
  - Model inspection checklist of other properties supported by the voting device (manufacturer provided)
  - Risks related to not performing a given inspection
5.3 Software Installation
- Requirements related to the installation of software on voting devices
- Also covers access to and modification of configuration files
- Uses digital signatures to provide the ability to verify the authenticity and integrity of the software
  - National Software Reference Library (NSRL)
  - Designated repositories

5.3 Software Installation
- Software installation only when the device is in the pre-voting state
- Only individuals with an administrator or central election official role can install software
- Central election officials are limited to election-specific software or data files

5.3 Software Installation
- Digital signature verification of software before installation
- Externally visible alert when software installation fails
- Software can only be installed using documented procedures

5.3 Software Installation
- Software installation generates system event log entries containing:
  - Time and date
  - Software name and version
  - Location of installation (directory path)
  - Digital signature verification: result and signature source
  - Result of the software installation
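The installation gate the four preceding slides describe (pre-voting state, role limits, integrity verification against a designated repository, an alert on failure, and a log entry for every attempt), as an added example written for this page; it is not code from the presentation or from any voting system. Assumptions: the integrity check is a SHA-256 comparison against a constructed repository manifest of the kind the NSRL or a jurisdiction would publish, standing in for the signature verification the slides call for; the role and state names, the log entry fields' wording, and all package contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type Role int
type DeviceState int

const (
	Administrator Role = iota
	CentralElectionOfficial
	PollWorker
)
const (
	PreVoting DeviceState = iota
	Activated
	PostVoting
)

// Package is what an installer presents: the file content plus the identity it claims.
type Package struct {
	Name, Version, Path string
	ElectionSpecific    bool // ballot definitions and similar per-election files, as opposed to system software
	Data                []byte
}

// Reference is one entry of a designated repository (NSRL or the jurisdiction's own):
// the SHA-256 that the named version must hash to, and which repository says so.
type Reference struct{ Name, Version, SHA256, Source string }

// LogEntry is the system event log record the slides require for every installation attempt.
type LogEntry struct {
	Time                    time.Time
	Software, Version, Path string
	VerifyResult            string // verified, hash mismatch, no reference, or skipped (rejected earlier)
	VerifySource            string // which repository supplied the reference
	Result                  string // installed, or rejected: <reason>
}

// Install applies the 5.3 rules in order: device state, then role, then integrity against the
// designated repository. A log entry is returned for every attempt; a non-nil error is what the
// device would turn into the externally visible alert.
func Install(state DeviceState, role Role, pkg Package, refs []Reference, now time.Time) (LogEntry, error) {
	entry := LogEntry{Time: now, Software: pkg.Name, Version: pkg.Version, Path: pkg.Path, VerifyResult: "skipped"}
	reject := func(reason string) (LogEntry, error) {
		entry.Result = "rejected: " + reason
		return entry, errors.New(reason)
	}
	if state != PreVoting {
		return reject("software installation is only permitted in the pre-voting state")
	}
	switch {
	case role == Administrator, role == CentralElectionOfficial && pkg.ElectionSpecific:
		// permitted: proceed to the integrity check
	case role == CentralElectionOfficial:
		return reject("central election officials may install only election-specific software or data")
	default:
		return reject("role is not authorized to install software")
	}
	sum := sha256.Sum256(pkg.Data)
	got := hex.EncodeToString(sum[:])
	for _, r := range refs {
		if r.Name != pkg.Name || r.Version != pkg.Version { continue }
		entry.VerifySource = r.Source
		if r.SHA256 != got {
			entry.VerifyResult = "hash mismatch"
			return reject("integrity check failed against " + r.Source)
		}
		entry.VerifyResult, entry.Result = "verified", "installed"
		return entry, nil
	}
	entry.VerifyResult = "no reference"
	return reject("no designated-repository reference for " + pkg.Name + " " + pkg.Version)
}

// BallotData is constructed sample content for the demonstration.
var BallotData = []byte("ballot-definition:2007-general:v3")

func hexSum(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// ConstructedRefs is a constructed stand-in for a designated-repository manifest.
func ConstructedRefs() []Reference {
	return []Reference{
		{"BallotDefinition", "2007-general-v3", hexSum(BallotData), "jurisdiction repository"},
		{"TabulatorFirmware", "4.1.2", hexSum([]byte("tabulator-firmware:4.1.2")), "NSRL"},
	}
}

func main() {
	pkg := Package{Name: "BallotDefinition", Version: "2007-general-v3", Path: "/election/ballot.def", ElectionSpecific: true, Data: BallotData}
	entry, err := Install(PreVoting, CentralElectionOfficial, pkg, ConstructedRefs(), time.Now())
	fmt.Printf("%+v\nalert: %v\n", entry, err)
}
```

The log entry is built before any check runs and returned on every path, so a rejected attempt leaves the same kind of record as a successful one; the VerifyResult of "skipped" on a state or role rejection makes it visible in the log that the integrity check never ran, rather than that it passed.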
5.3 Software Installation
- Technical Data Package (TDP) requirements: list of all software to be installed on the voting system, giving for each:
  - Name and version
  - Manufacturer contact information
  - Type of software
  - Software documentation
  - Location where the software is to be installed
  - Functionality provided by the software
  - Dependencies and interactions between the software

5.3 Software Installation
- User documentation
  - List of all software to be installed on the voting system, particularly election-specific software
  - Hardware and software needed to install the software

5.3 Software Installation
- Procedures used to perform software installation
  - No use of compilers
  - COTS software to be obtained via the open market
  - How to create a baseline binary image for replication
  - Preparation of erasable media
  - Software from unalterable media (CDs)
  - Record resulting from the installation procedure

5.4 Access Control
- The management of three basic elements: identification; authentication; authorization
- Supports the ability of the voting system to account for users' actions and to limit the use of resources
- Applies to individuals, applications, and processes of the voting system