Recent Developments in Voting System Standards - PowerPoint PPT Presentation

1 / 40

About This Presentation

Title:

Recent Developments in Voting System Standards

Description:

Frontiers in Electronic Elections (Milan) September 15, 2005. Outline. Introduction and overview ... (Note: some s adapted from John Wack's presentation ... – PowerPoint PPT presentation

Number of Views:58

Avg rating:3.0/5.0

Slides: 41

Provided by: ronal166

Category:

more less

Transcript and Presenter's Notes

Title: Recent Developments in Voting System Standards

1
Recent Developments inVoting System Standards

Ronald L. RivestFrontiers in Electronic
Elections (Milan)
September 15, 2005

2
Outline

Introduction and overview
New proposed standards
Software Distribution Setup Validation
Wireless
VVPAT
Future Directions
IDV

(Note some slides adapted from John Wacks
presentation At EAC Standards Board Meeting in
Denver 8/24/05)
3
Introduction
4
Voting tech is in transition

Voting tech follows technology Stones ? Paper
? Levers ? Punch cards ? Op-scan ?
Computers(??)
Punch cards out after Nov. 00
DREs (touch-screen) require VVPAT
(voter-verified paper audit trail) in Cal.
Is technology ready for electronic (paperless)
voting?

5
(No Transcript)
6
(No Transcript)
7
Voting is a hard problem

Voter Registration - each eligible
voter votes at most once
Voter Privacy no one can tell how any voter
voted, even if voter wants it no receipt
for voter
Integrity votes cant be changed, added, or
deleted tally is accurate.
Availability voting system is available
for use when needed
Ease of Use esp. for disabled

8
Voting is important

Cornerstone of our (any!) democracy
Voting security is clearly an aspect of national
security.
Those who vote determine nothingthose who
count the votes determine everything.
-- Joseph Stalin

9
Are DREs trustworthy?

Diebold fiascoes..??
Intrinsic difficulty of designing and securing
complex systems
Many units (100,000s)in field, used
occasionally, and managed by the semi-trained
Certification process is riddled with problems
(NYT editorial 5/30/04)

10
Voter-Verified Paper Audit Trails?

Rebecca Mercuri Voting machine should produce
paper audit trail that voter can inspect and
approve.
VVPAT is official ballot in case of dispute or
recounts.
David Dill (Stanford CS Prof.) initiated on-line
petition that ultimately resulted in California
requiring VVPATs on many DREs.

11
VVPATs controversial

Still need to guard printed ballots.
Two-step voting procedure may be awkward for some
voters (e.g. disabled).
Doesnt catch all problems (e.g. candidate
missing from slate)
Malicious voters can cause DOS by casting
suspicion on voting machine
Not end-to-end security
Helps ensure votes cast as intended
Doesnt help ensure votes counted as cast.

12
Voting System Security is Hard

Computerization of voting systems gives us the
headaches of ordinary computer security, plus
requirement that voter must not be given a
receipt proving how he/she voted makes security
much tougher.
Now a major research area
NSF just awarded 7.5M to a consortium of five
institutions to research voting system security.

13
Can Standards Help?

First Voting System Standard 1990
Revised VSS in 2002
HAVA (Help America Vote Act) of 2002 created EAC
(Election Assistance Commision), TGDC (Technical
Guidelines Development Committee), and chartered
NIST to help TGDC/EAC produce new standards.
Voluntary states may ignore them.

14
TGDC Timeline

Fall 04 Expert testimony, initial subcommittee
meetings.
Jan 05 TGDC resolutions passed
Jan-Apr 05 NISTTGDC work on VVSG
April-June 05 VVSG approved by TGDC, delivered
to EAC, published by EAC for comment.
June 29Sep 30 05 Comment period. (Please send
in your comments!)

15
Initial Issues Considered

Wireless
VVPAT
Source code availability
Documentation requirements
Tiger team evaluations
Best practices
System logs

16
Initial Issues Considered (cont.)

COTS
Cryptography
Standardized data formats
Multiple stored ballots
Software development standards
Software distribution
Setup validation

17
Initial Issues Considered (cont.)

Remote voting
Standardized computer security evaluation
procedures
Disclosure of evaluation results
De-certification of systems
Centralized evaluation and incident database

18
TGDC passed resolutions

Resolutions reflect consensus of TGDC on
importance of various isssues, and near-term
relevance. Provide guidance to NIST.
05-04 Currently certified voting software -gt
NSRL
12-05 Voter verifiability (IV/DV)
14-05 COTS software
15-05 Software Distribution
16-05 Setup Validation
17-05 Tiger team testing

19
TGDC passed resolutions

18-05 Documentation
21-05 Multiple ballot representations
22-05 Federal IT security standards
23-05 Common ballot formats
32-05 De-certification
35-05 Wireless

20
VVSG 2002 Revisions

Current VVSG revises 2002 standards, and
emphasizes (wrt security)
VVPAT (EAC guidance emphasized this)
Wireless
Software distribution and setup validation

21
New proposed standards
22
New proposed standards

Software Distribution/Setup Validation
Wireless
VVPAT
Independent Dual Verification (informative only,
indicative of possible future direction/emphasis)

23
Software Distribution andSetup Validation

Requirements for ensuring the secure distribution
of voting systems software
Requirements for validation that the voting
system is running the correct software
Geared towards what is achievable by 2006
Future requirements would rely more on digital
signature technology and ability to validate
setup externally from voting system

24
Software Distribution andSetup Validation

Use of FIPS approved signature and hash
algorithms
Use of FIPS 140-2 validated cryptographic modules
to perform cryptographic operations
Use NSRL as a repository for voting system
software and source for binaries, hashes, and
digital signatures
Documentation of all voting system software
including 3rd party software such as OS, drivers,
etc.
Methods used to check if software modified -
binary image comparison, hash value, digital
signature
Documentation of the process used to verify that
no unauthorized software is present on the voting
equipment and that the authorized software has
not been modified

25
Wireless

Wireless presents opportunity for intruder access
and denial of service
Important to protect data and access
TGDC resolution approved use of wireless only as
necessary, avoid if at all possible
Wireless includes 802.11x, IR, Bluetooth
Typically not meant to include modem and cellular
access, although these will need security
requirements also

26
Wireless

Wireless must follow at least the requirements of
the existing telecommunications section in the
2002 VSS
In some cases wireless denial of service cannot
be prevented, therefore alternatives must be
available or the voting system can be rendered
non-functional
Authentication and encryption required
Other requirements for vendor to document whether
the voting system has wireless, how to know when
it is on/off, and how it is secured
Wireless prohibited during actual voting

27
VVPAT

EAC asked NIST to address VVPAT requirements for
states considering its usage
Optional in VVSG
Assumes VVPAT system consists of DRE plus printer
and verification capability

28
VVPAT

Based on enacted state legislation and CA
standard
Codifies record formats, security, usability and
accessibility concerns
Emphasizes machine/printer reliability
Emphasizes usefulness of paper record in
comparisons with electronic record
Effectively prohibits consecutively stored paper
records
Addresses usability for election officials when
auditing paper and electronic records

29
Future Directions
30
Major Goals for Future Work

Provide complete and comprehensive guideline
Provide clear, usable requirements with
associated test methods for VSTLS
Respond to future TGDC resolutions
Comprehensive threat analysis to drive overall
security requirements (Workshop on October 7th)

31
Future VVSG May Include

IDV Independent Dual Verification
Tiger Team testing
COTS
Cryptographic Requirements
Improved Documentation and Testing Requirements

32
IDV Independent Dual Verification

Informative in current VVSG, part of new material
in future versions
IDV voting systems produce at least two ballot
records, both verifiable by the voter and one
unchangeable by voting system
At least one record verifiable directly, or both
verifiable by systems from different vendors
Records usable in comparisons and audits
Approach can improve resilience of voting systems
to software attacks
Needed as backup to more vulnerable
computer-based ballot records

33
IDV

Marketplace responding to IDV
Systems available today that are in the IDV
ballpark
VVPAT
DRE add-ons Witness
Some optical scan systems
Some crypto systems can be IDV
Further work needed to specify requirements for
IDV systems

34
Tiger Team testing

Give a team of experts full rein to search for
security vulnerabilities.
They get full system documentation and access to
system itself.
In order to defeat an adversary, you must think
like an adversary.
Further work needed to define team composition,
level of effort, criteria for evaluating results.

35
COTS Software

COTS software very useful, but may be buggy,
produced overseas, or black box (no source code
available for review).
Further work needed to clarify when COTS software
may be included in voting system, and how it is
to be evaluated.

36
Cryptographic Requirements

Cryptographic techniques (e.g. digital signatures
and MACs) can improve system integrity and
increase resistance to fraud.
Further work is needed to specify what
information transfers require such cryptographic
protection.
Key management standards??

37
Other Major Goals

Stronger requirements for system documentation,
including public section.
Complete and comprehensive guideline with clear
requirements and associated test methods for
Voting System Testing Labs
Strong core security section
Hardening and auditing requirements
Robust testing requirements
Comprehensive threat analysis to drive overall
security requirements (Oct 7th workshop)

38
Questions for Standards Writers