1 / 40

Recent Developments in Voting System Standards

Recent Developments in Voting System Standards. Ronald L. Rivest Frontiers in Electronic Elections (Milan) September 15, 2005. Outline. Introduction and overview New proposed standards Software Distribution & Setup Validation Wireless VVPAT Future Directions IDV.

epollack
Download Presentation

Recent Developments in Voting System Standards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Recent Developments inVoting System Standards Ronald L. RivestFrontiers in Electronic Elections (Milan) September 15, 2005

  2. Outline • Introduction and overview • New proposed standards • Software Distribution & Setup Validation • Wireless • VVPAT • Future Directions • IDV (Note: some slides adapted from John Wack’s presentation At EAC Standards Board Meeting in Denver 8/24/05)

  3. Introduction

  4. Voting tech is in transition… • Voting tech follows technology: Stones  Paper  Levers  Punch cards  Op-scan  Computers(??) • Punch cards “out” after Nov. ’00 • DRE’s (touch-screen) require VVPAT (voter-verified paper audit trail) in Cal. • Is technology ready for electronic (paperless) voting?

  5. Voting is a hard problem • Voter Registration - each eligible voter votes at most once • Voter Privacy – no one can tell how any voter voted, even if voter wants it; no “receipt” for voter • Integrity – votes can’t be changed, added, or deleted; tally is accurate. • Availability – voting system is available for use when needed • Ease of Use – esp. for disabled

  6. Voting is important • Cornerstone of our (any!) democracy • Voting security is clearly an aspect of national security. • “Those who vote determine nothing;those who count the votes determine everything.” -- Joseph Stalin

  7. Are DRE’s trustworthy? • Diebold fiascoes..?? • Intrinsic difficulty of designing and securing complex systems • Many units (100,000’s)in field, used occasionally, and managed by the semi-trained • Certification process is “riddled with problems” (NYT editorial 5/30/04)

  8. Voter-Verified Paper Audit Trails? • Rebecca Mercuri: Voting machine should produce “paper audit trail” that voter can inspect and approve. • VVPAT is “official ballot” in case of dispute or recounts. • David Dill (Stanford CS Prof.) initiated on-line petition that ultimately resulted in California requiring VVPAT’s on many DRE’s.

  9. VVPAT’s controversial… • Still need to guard printed ballots. • Two-step voting procedure may be awkward for some voters (e.g. disabled). • Doesn’t catch all problems (e.g. candidate missing from slate) • Malicious voters can cause DOS by casting suspicion on voting machine • Not “end-to-end” security: • Helps ensure votes “cast as intended” • Doesn’t help ensure votes “counted as cast”.

  10. Voting System Security is Hard • Computerization of voting systems gives us the headaches of ordinary computer security, plus • requirement that voter must not be given a receipt proving how he/she voted makes security much tougher. • Now a major research area: • NSF just awarded $7.5M to a consortium of five institutions to research voting system security.

  11. Can Standards Help? • First Voting System Standard 1990 • Revised VSS in 2002 • HAVA (Help America Vote Act) of 2002 created EAC (Election Assistance Commision), TGDC (Technical Guidelines Development Committee), and chartered NIST to help TGDC/EAC produce new standards. • “Voluntary” – states may ignore them.

  12. TGDC Timeline • Fall ’04: Expert testimony, initial subcommittee meetings. • Jan ’05: TGDC resolutions passed • Jan-Apr ’05: NIST+TGDC work on VVSG • April-June ’05: VVSG approved by TGDC, delivered to EAC, published by EAC for comment. • June 29—Sep 30 ’05: Comment period. (Please send in your comments!)

  13. Initial Issues Considered • Wireless • VVPAT • Source code availability • Documentation requirements • “Tiger team” evaluations • Best practices • System logs

  14. Initial Issues Considered (cont.) • COTS • Cryptography • Standardized data formats • Multiple stored ballots • Software development standards • Software distribution • Setup validation

  15. Initial Issues Considered (cont.) • Remote voting • Standardized computer security evaluation procedures • Disclosure of evaluation results • De-certification of systems • Centralized evaluation and incident database • …

  16. TGDC passed resolutions • Resolutions reflect consensus of TGDC on importance of various isssues, and near-term relevance. Provide guidance to NIST. • #05-04: Currently certified voting software -> NSRL • #12-05: Voter verifiability (IV/DV) • #14-05: COTS software • #15-05: Software Distribution • #16-05: Setup Validation • #17-05: “Tiger team” testing

  17. TGDC passed resolutions • #18-05: Documentation • #21-05: Multiple ballot representations • #22-05: Federal IT security standards • #23-05: Common ballot formats • #32-05: De-certification • #35-05: Wireless

  18. VVSG 2002 Revisions • Current VVSG revises 2002 standards, and emphasizes (wrt security): • VVPAT (EAC guidance emphasized this) • Wireless • Software distribution and setup validation

  19. New proposed standards

  20. New proposed standards • Software Distribution/Setup Validation • Wireless • VVPAT • Independent Dual Verification (informative only, indicative of possible future direction/emphasis)

  21. Software Distribution andSetup Validation • Requirements for ensuring the secure distribution of voting systems software • Requirements for validation that the voting system is running the correct software • Geared towards what is achievable by 2006 • Future requirements would rely more on digital signature technology and ability to validate setup externally from voting system

  22. Software Distribution andSetup Validation • Use of FIPS approved signature and hash algorithms • Use of FIPS 140-2 validated cryptographic modules to perform cryptographic operations • Use NSRL as a repository for voting system software and source for binaries, hashes, and digital signatures • Documentation of all voting system software including 3rd party software such as OS, drivers, etc. • Methods used to check if software modified - binary image comparison, hash value, digital signature • Documentation of the process used to verify that no unauthorized software is present on the voting equipment and that the authorized software has not been modified

  23. Wireless • Wireless presents opportunity for intruder access and denial of service • Important to protect data and access • TGDC resolution approved use of wireless only as necessary, avoid if at all possible • Wireless includes 802.11x, IR, Bluetooth • Typically not meant to include modem and cellular access, although these will need security requirements also

  24. Wireless • Wireless must follow at least the requirements of the existing telecommunications section in the 2002 VSS • In some cases wireless denial of service cannot be prevented, therefore alternatives must be available or the voting system can be rendered non-functional • Authentication and encryption required • Other requirements for vendor to document whether the voting system has wireless, how to know when it is on/off, and how it is secured • Wireless prohibited during actual voting

  25. VVPAT • EAC asked NIST to address VVPAT requirements for states considering its usage • Optional in VVSG • Assumes VVPAT system consists of DRE plus printer and verification capability

  26. VVPAT • Based on enacted state legislation and CA standard • Codifies record formats, security, usability and accessibility concerns • Emphasizes machine/printer reliability • Emphasizes usefulness of paper record in comparisons with electronic record • Effectively prohibits consecutively stored paper records • Addresses usability for election officials when auditing paper and electronic records

  27. Future Directions

  28. Major Goals for Future Work • Provide complete and comprehensive guideline • Provide clear, usable requirements with associated test methods for VSTLS • Respond to future TGDC resolutions • Comprehensive threat analysis to drive overall security requirements (Workshop on October 7th)

  29. Future VVSG May Include: • IDV – Independent Dual Verification • “Tiger Team” testing • COTS • Cryptographic Requirements • Improved Documentation and Testing Requirements • …

  30. IDV – Independent Dual Verification • Informative in current VVSG, part of new material in future versions • IDV voting systems produce at least two ballot records, both verifiable by the voter and one unchangeable by voting system • At least one record verifiable directly, or both verifiable by systems from different vendors • Records usable in comparisons and audits • Approach can improve resilience of voting systems to software attacks • Needed as backup to more vulnerable computer-based ballot records

  31. IDV • Marketplace responding to IDV • Systems available today that are in the IDV ballpark: • VVPAT • DRE add-ons – Witness • Some optical scan systems • Some crypto systems can be IDV • Further work needed to specify requirements for IDV systems

  32. “Tiger Team” testing • Give a team of experts full rein to search for security vulnerabilities. • They get full system documentation and access to system itself. • “In order to defeat an adversary, you must think like an adversary.” • Further work needed to define team composition, level of effort, criteria for evaluating results.

  33. COTS Software • COTS software very useful, but may be buggy, produced overseas, or “black box” (no source code available for review). • Further work needed to clarify when COTS software may be included in voting system, and how it is to be evaluated.

  34. Cryptographic Requirements • Cryptographic techniques (e.g. digital signatures and MACs) can improve system integrity and increase resistance to fraud. • Further work is needed to specify what information transfers require such cryptographic protection. • Key management standards??

  35. Other Major Goals • Stronger requirements for system documentation, including “public” section. • Complete and comprehensive guideline with clear requirements and associated test methods for Voting System Testing Labs • Strong core security section • Hardening and auditing requirements • Robust testing requirements • Comprehensive threat analysis to drive overall security requirements (Oct 7th workshop)

  36. Questions for Standards Writers • How to ensure that innovation is not precluded? • How to specify “tiger team” evaluation? • How to evaluate cryptographic voting systems? • How to handle non-equipment aspects of security (aka “best practices”)?

  37. For More Information… • Ron Rivest • rivest@mit.edu • John Wack • 301-975-3411, voting@nist.gov • NIST Voting Site • Contains all NIST, TGDC documents, drafts, meetings, etc. • http://vote.nist.gov • Election Assistance Commission • http://www.eac.gov

  38. (The End)

More Related