Security Considerations for Remote Electronic UOCAVA Voting - PowerPoint PPT Presentation

Slides: 28
Provided by: AndrewReg7
Learn more at: http://www.nist.gov
Transcript and Presenter's Notes

Title: Security Considerations for Remote Electronic UOCAVA Voting


1
Security Considerations for Remote Electronic
UOCAVA Voting
  • Andrew Regenscheid
  • National Institute of Standards and Technology
  • http://vote.nist.gov

2
Overview
  • Background on NIST UOCAVA Voting Work
  • 2008: Threat Analysis on UOCAVA Voting Systems
  • 2010: Information System Security Best Practices
    for UOCAVA Supporting Systems
  • 2010: Security Best Practices for the Electronic
    Transmission of UOCAVA Election Materials
  • Overview of Security Considerations for Remote
    Electronic UOCAVA Voting

3
Background - 1
  • NISTIR 7551: A Threat Analysis on UOCAVA Voting
    Systems
  • Concluded that threats to electronic transmission
    of registration materials and blank ballots can
    be effectively mitigated with widely deployed
    technology
  • Threats to electronic return of ballots more
    serious and challenging to overcome

4
Background - 2
  • Registration/Ballot Request and Ballot Delivery
  • Developed two best practices documents
  • NISTIR 7682: Information System Security Best
    Practices for UOCAVA Supporting Systems
  • NISTIR 7711: Security Best Practices for the
    Electronic Transmission of UOCAVA Election
    Materials
  • Ballot Return
  • Research document framing important security
    issues for policymakers
  • Security Considerations for Remote Electronic
    UOCAVA Voting
  • Collaboration between NIST computer security and
    human factors experts

5
Report Overview - 1
  • Security Considerations for Remote Electronic
    UOCAVA Voting
  • Report identifies
  • Potential benefits
  • Desirable security properties
  • Major security threats
  • Current and emerging technologies
  • Open issues

6
Report Overview - 2
  • Organized by security goals
  • Confidentiality
  • Integrity
  • Availability
  • Identification and Authentication

7
Report Overview - 3
  • Potential Benefits
  • Desirable Properties: based on
    properties/requirements in
  • SERVE documentation
  • Internet voting Common Criteria Protection
    Profile
  • Council of Europe standards

8
Report Overview - 4
  • Threats
  • Identifies and describes major threats
  • Based on threats identified in NISTIR 7551: A
    Threat Analysis on UOCAVA Voting Systems
  • Current and Emerging Technologies
  • Open Issues

9
Confidentiality - 1
  • Potential Benefits
  • Strong technical ballot secrecy protections
  • Some protection against unsophisticated coercion
    attacks

10
Confidentiality - 2
  • Desirable Properties
  • Ballot secrecy
  • Protect voter registration information
  • Receipt-free
  • Minimal storage
  • Limited communication

11
Confidentiality - 3
  • Threats
  • Violating ballot secrecy at election office
  • Violating ballot secrecy in-transit
  • Large-scale attacks generally difficult with
    mail-in, fax, and telephone voting
  • Possible with unencrypted email
  • Web-based methods easy to protect
  • Coercion
  • Small scale attacks via mail-in voting
  • Attacks scale better with electronic methods
  • Client-side threats to email/web voting

12
Confidentiality - 4
  • Mitigations for Electronic Transmission
  • Proper use of cryptography can provide strong
    protections for data in-transit against
    modification or interception
  • Cryptography, access control mechanisms, and
    separation of duties can protect ballots on
    servers
  • End-to-end cryptographic voting protocols can
    provide additional ballot secrecy protections

13
Integrity - 1
  • Potential Benefits
  • Authenticity of electronic records
  • Strong integrity protections in-transit

14
Integrity - 2
  • Desirable Properties
  • Data Integrity
  • Accuracy
  • Auditability
  • Verifiability
  • Traceability
  • Recoverability
  • Software Integrity

15
Integrity - 3
  • Threats
  • Ballot modification after reception
  • Ballot modification in-transit
  • Large-scale attacks generally difficult with
    mail-in, fax, telephone voting
  • Possible with unencrypted email
  • Web-based methods easy to protect
  • Software-based threats server-side
  • Software-based threats client-side
  • GTISC: 15% of US computers infected with botnet
    malware
  • Malware kits available on the black market for
    <$1000

16
Integrity - 4
  • Mitigations for Electronic Transmission
  • Client side protections are very difficult to
    enforce
  • These systems are typically outside control of
    election officials
  • Antivirus/antiphishing software may not be
    present, up-to-date, or effective
  • An area with continuous research and development
  • Emerging technologies: trusted computing and/or
    virtualization
  • Kiosks can enforce protections

17
Availability - 1
  • Potential Benefits
  • Timeliness of delivery
  • Confirmation of receipt
  • Flexibility of physical locations

18
Availability - 2
  • Desirable Properties
  • Availability
  • Reliability
  • Recoverability
  • Fault-Tolerance
  • Fail-Safe
  • Scalable

19
Availability - 3
  • Threats
  • Transit times
  • Overseas mail delivery times vary (e.g., 7-12
    days to Middle East)
  • Electronic systems have significant advantages
  • Denial of Service attacks
  • Cyber attacks on e-commerce sites, Estonia
    (2007), Georgia (2008)
  • Difficult to guard against, but easy to detect
  • Client-side disruption
  • Small-scale attacks with mail-in voting
  • Large scale attacks possible with electronic
    methods (e.g., malware)

20
Availability - 4
  • Mitigations for Electronic Transmission
  • Attacks on availability cannot be prevented, but
    can be made more difficult
  • Redundancy and over-provisioning
  • Coordinating with Internet service providers for
    filtering
  • Emerging technology: cloud computing
  • DoS attacks difficult to prevent, but easy to
    detect

21
IA - 1
  • Potential Benefits
  • Automated authentication mechanisms
  • Strong remote authentication

22
IA - 2
  • Desirable Properties
  • Voter/Administrator/Component IA
  • Non-transferable credentials

23
IA - 3
  • Threats
  • Strength of authentication mechanisms
  • Mail-in, fax, and email rely on verification of
    hand signatures
  • Stronger mechanisms available for web-based
    systems
  • Credential Selling
  • Same impact as vote selling
  • Large-scale attacks may be possible depending on
    authentication mechanism (e.g., PIN, password)
  • Phishing/Pharming
  • Major threats to web-based systems
  • 2008 Gartner report: 5 million victims
  • Malware attacks
  • Social engineering

24
IA - 4
  • Mitigations for Electronic Transmission
  • Strong authentication mechanisms exist
  • PINs and passwords are cheap, but comparatively
    easy to steal
  • One-time password devices require deployment of
    physical devices to voters
  • Cryptographic authentication methods offer the
    strongest assurances, but may be expensive to
    deploy
  • Smart Card Authentication
  • Common Access Card already deployed to military
    personnel
  • Lack of smart card readers on personally-owned
    computers
  • Intended to be used by the 2004 SERVE project
  • In-person authentication at supervised kiosks

25
Next Steps - 1
  • Best Practices documents
  • Solicit comments from jurisdictions and the
    voting community and update documents
  • Use these documents as input to updating EAC
    UOCAVA Best Practices
  • Must also bring in usability, accessibility, and
    election management best practices

26
Next Steps - 2
  • Security research documents
  • Threats, mitigating security controls, and
    current/emerging technologies will serve as input
    to the risk management framework process
  • NIST will work with the TGDC and the voting
    community to fill in remaining issues

27
NIST UOCAVA Voting Documents
  • All documents will be available at
    http://vote.nist.gov