Part II : Computer Security and the VVSG - PowerPoint PPT Presentation

About This Presentation
Title:

Part II : Computer Security and the VVSG

Description:

Title: Slide 1 Author: allan eustis Last modified by: NIST User Created Date: 4/1/2005 1:55:36 PM Document presentation format: On-screen Show Company – PowerPoint PPT presentation

Number of Views:178
Avg rating:3.0/5.0
Slides: 87
Provided by: allane
Learn more at: http://www.itl.nist.gov
Category:

less

Transcript and Presenter's Notes

Title: Part II : Computer Security and the VVSG


1
Part II Computer Security and the VVSG
  • October 15-17, 2007
  • Barbara Guttman
  • Nelson Hastings
  • National Institute of Standards and Technology
  • barbara.guttman_at_nist.gov nelson.hastings_at_nist.gov

2
Agenda
  • Security Requirements Overview
  • Review of Chapter 4 Security and Audit
    Architecture
  • Review of Chapter 5 General Security Requirements

3
Security Requirements Overview
  • The security requirements of the next VVSG work
    together to support equipment security
  • Difficult to understand security provided by a
    single requirement or set of requirements without
    understanding how requirements relate to each
    other

4
Security Requirements Overview
  • For example,
  • Cryptography section addresses how cryptography
    is implemented by equipment
  • Software installation and electronic records
    sections address how cryptography, specifically
    digital signatures are use by equipment to
    support security

5
Security Requirements Overview
  • Documentation requirements related to security
  • Part 2 Documentation Requirements
  • System Security Specification
  • Section 3.5 of the Technical Data Package (TDP)
  • Section 4.3 of the user documentation

6
Security Requirements Overview
  • Section 3.5 System Security Specification (TDP)
  • Provided to test lab to assist in the testing
    campaign
  • General documentation about security including
  • Security Architecture
  • Security Threat Controls
  • Security Testing and vulnerability analysis
  • Detailed implementation specification for each
    security mechanism

7
Security Requirements Overview
  • Section 4.3 System Security Specification (User
    documentation)
  • Provided to user of the voting system including
    test labs
  • How security mechanism are to be used
  • Information needed to support a features use such
    as a list of software to be installed

8
Chapter 4 Security and Audit Architecture
  • Section 4.2 Requirements to support auditing
  • Section 4.3 Electronic Records
  • Section 4.4 Independent Voter Verifiable Records
    (IVVR)
  • VVPAT
  • PCOS

9
Software Independence
  • TGDC Resolution 06-06 requires software
    independence (SI)
  • Software Independence means that changes must be
    detectable
  • Detectable, in practice, means auditable
  • SI Auditable

10
Why Does the TGDC Want SI?
  • With software, it is pretty easy to make a screen
    say one thing, but record another thing inside
    the computer.
  • The hard part is making plausible, directed
    changes.

11
Auditing Records
  • Two types of records Electronic Independent
  • 4.3 address electronic records
  • 4.4 addresses independent records

12
Wont a Test Lab Catch This?
  • No, software, especially the software that runs
    the user interface, is really complicated.

13
Famous Software that wasnt doing what we thought
it was doing
  • Some trojan horse (or 2)
  • NC voting example
  • Therac 25
  • phishing

14
Therac 25
  • After this second Tyler accident, the ETCC
    physicist immediately took the machine out of
    service and called AECL to alert the company to
    this second apparent overexposure. The Tyler
    physicist then began his own careful
    investigation. He worked with the operator, who
    remembered exactly what she had done on this
    occasion. After a great deal of effort, they were
    eventually able to elicit the Malfunction 54
    message. They determined that data-entry speed
    during editing was the key factor in producing
    the error condition If the prescription data was
    edited at a fast pace (as is natural for someone
    who has repeated the procedure a large number of
    times), the overdose occurred.
  • http//courses.cs.vt.edu/cs3604/lib/Therac_25/The
    rac_2.html

15
How Does the VVSG Address Auditability?
  • Requires equipment to have features that can be
    used for various types of audits
  • Requires documentation
  • NOTE The VVSG itself does not require auditing
    This is procedural and outside the scope.

16
4.2 Requirements for Supporting Audits
  • Types of Audits
  • Pollbook Audit
  • Hand Audit of Independent Record
  • Ballot Count and Vote Total Audit
  • Observational Testing
  • Note Parallel Testing is another type of audit,
    but it is not included because it does not levy
    requirements on the equipment

17
Audit Records
  • Two types of records
  • Electronic records
  • Independent Voter Verifiable Records (IVVR)
  • 4.3 address electronic records
  • 4.4 addresses independent records

18
4.3 Electronic Records
  • General Requirements
  • Open Format
  • Printable
  • Digitally signed for Integrity Authenticity

19
4.3 Electronic Records
  • Information/data requirements
  • Contain all relevant data
  • List for Tabulator (4.3.2)
  • List for EMS (4.3.3)
  • Generally
  • Totals
  • Read ballots
  • Counted ballots
  • Rejected ballots
  • Overvotes/undervotes
  • Write-ins

20
4.4 Independent Voter Verifiable Records (IVVR)
  • What is an independent voter verifiable record?
    (4.4.1)
  • Direct verification by voter
  • Support for hand auditing
  • Various security and operational properties (can
    be rejected/durable)
  • Doesnt this mean paper?

21
4.4 Independent Voter Verifiable Records (IVVR)
  • Direct review (by voter election official)
  • Can support a hand audit
  • Can support a recount
  • Durable
  • Tamper evidence
  • Support for Privacy

22
4.4 Independent Voter Verifiable Records (IVVR)
  • Public Format
  • Sufficient Information (ballot configuration, not
    just selections)
  • No codebook required
  • Support for multiple physical media
  • Able to be accepted or reject (per media)
  • Non-human readable allowed (public format)

23
4.4 Independent Voter Verifiable Records (IVVR)
  • Two current types of IVVR
  • VVPAT
  • Optical Scan

24
4.4.2 VVPAT
  • VVPAT Accessibility addressed by Sharon.
  • Note need for observational testing
  • Many operational requirements
  • Paper rolls allowed

25
4.4.3 PCOS
  • Few additional security requirements
  • Allow non-human readable marks (record
    identifiers, batch information, integrity checks)

26
Chapter 5 General Security Requirements
  • Section 5.1 Cryptography
  • Section 5.2 Setup Inspection
  • Section 5.3 Software Installation
  • Section 5.4 Access Control
  • Section 5.5 System Integrity Management
  • Section 5.6 Communication Security
  • Section 5.7 System Event Logging
  • Section 5.8 Physical Security for Voting Devices

27
5.1 Cryptography
  • Powerful basic security control
  • Integrity of information
  • Authentication of information
  • Requirements developed to provide easy use and
    maintenance
  • Use strength of existing federal standards

28
5.1 Cryptography
  • Implementation of cryptography
  • Public and Secret Key cryptography
  • Not cryptographic voting protocols (a.k.a
    End-to-End voting systems)
  • Many sections of the next VVSG leverage the
    security features supported by cryptography

29
5.1 Cryptography
  • FIPS 140-2 validated cryptographic module
  • A cryptographic module is hardware, firmware,
    and/or software that implements cryptographic
    functions (such as encryption, decryption, and
    key generation).
  • Minimum strength of cryptography

30
5.1 Cryptography
  • Signature Module
  • A hardware cryptographic module
  • FIPS 140-2 Level 2 (out of 4) with physical
    security being Level 3
  • Generates digital signatures
  • Generates and stores private signature keys
  • Permanently attached the equipment

31
5.1 Cryptography
  • Types of keys within a Signature Module (SM)
  • Device Signature Key (DSK)
  • Associated with a device for its lifetime
  • Signatures traceable to specific pieces of
    equipment
  • Election Signature Key (ESK)
  • Generated once per election cycle
  • Associated with a devices specific election
    cycle
  • Signatures traceable to electronic records for a
    given election

32
5.1 Cryptography
  • Device Signature Key (DSK)
  • Generate using a nondeterministic random number
    generator
  • Public Key certificate - self signed or CA
  • Unique identifier on an external surface of the
    equipment and in certificate
  • Signing of
  • Election signature key certificate
  • Election key closeout records
  • Device signature key certificates

33
5.1 Cryptography
  • Election Signature Key (ESK)
  • Generate using a nondeterministic random number
    generator
  • Used to digitally sign electronic records for an
    election cycle
  • Destroyed as part of election close out
  • Counters to keep track of the number of ESKs
    generated and signatures generated by a given ESK

34
5.1 Cryptography
  • Election Signature Key (ESK) Certificates are
    signed by Device Signature Key (DSK)

Device Signature (private) key
Election Signature (Public) Key
35
5.1 Cryptography
  • Election key closeout record
  • Electronic record
  • Public key of Election Signature Key (ESK)
    (certificate or message digest/hash???)
  • Number of signatures generated by Election
    Signature Key (ESK)
  • Election Signature Key (ESK) number of the device
  • Signed by the Device Signature Key (DSK)

36
5.1 Cryptography
  • Technical Date Package (TDP) requirements
  • Certificate fields for Device Signature Key (DSK)
    and Election Signature Key (ESK)
  • Specific cryptographic algorithms used
  • Election Closeout Record format specification

37
5.2 Setup Inspection
  • Requirements related to the capabilities to
    inspect properties of voting devices
  • Improves voting device management and maintenance
  • Reflects new focus of requirements in light of
    software independence (SI) approach
  • Called Setup Validation in VVSG 2005

38
5.2 Setup Inspection
  • Inspections generate system event log entries
  • Time and date
  • Information related to the specific inspection
  • Location of software files
  • Component calibration
  • Result of inspection
  • Voting device unique identification
  • Individual (or role) that performed inspection

39
5.2 Setup Inspections
  • Software identification verification
  • Ability to query/inspect the voting device to
    determine what software is installed
  • Software integrity verification
  • Using digital signatures and hash
  • Designated repositories such as National Software
    Reference Library (NSRL)
  • Voting Device Owner - Jurisdiction
  • SI approach allows for internal verification
  • NO external interface requirement like in VVSG
    2005

40
5.2 Setup Inspection
  • Voting device election information inspection
  • Ability to query/inspect the storage locations
    containing information that changes during an
    election
  • Number of ballots cast
  • Totals for a given contest
  • Generalized register and variable terminology
    from VVSG 2005
  • Support zero total inspections prior to use in
    election

41
5.2 Setup Inspection
  • Inspection of properties of voting device
    components
  • Backup power supply level
  • Cabling connectivity indicator
  • Communications operational status and on/off
    indicators
  • Consumables remaining indicator
  • Calibration determination and adjustments

42
5.2 Setup Inspection
  • User documentation requirements
  • Model setup inspection process supported by
    voting device
  • Minimally includes items mentioned previously
  • Manufacturer provided
  • Model inspection check list of other properties
    supported by the voting device
  • Manufacturer provided
  • Risks related to not performing a given inspection

43
5.3 Software Installation
  • Requirements related to the installation of
    software on voting devices
  • Also covers access and modification of
    configuration files
  • Uses digital signatures to provide the ability to
    verify the authentication and integrity of the
    software
  • National Software Reference Library (NSRL)
  • Designated repositories

44
5.3 Software Installation
  • Software installation only when in pre-voting
    state
  • Only individuals with an administrator or central
    election official role can install software
  • Central Election Officials limited to election
    specific software or data files

45
5.3 Software Installation
  • Digital signature verification of software before
    installation
  • Externally visible alert when software
    installation fails
  • Software to only be able to be installed using
    documented procedures

46
5.3 Software Installation
  • Software installation generates system event log
    entries
  • Time and date
  • Software name and version
  • Location of installation - directory path
  • Digital signature verification - result and
    signature source
  • Result of software installation

47
5.3 Software Installation
  • Technical Data Package (TDP) requirements
  • List of all software to be installed on voting
    system
  • Name and version
  • Manufacturer contract information
  • Type of software
  • Software documentation
  • Location software is to be installed
  • Functionality provided by the software
  • Dependences and interactions between the software

48
5.3 Software Installation
  • User documentation
  • List of all software to be installed on voting
    system particularly election specific software
  • Hardware and software need to install software

49
5.3 Software Installation
  • Procedures used to perform software installation
  • No use of compilers
  • COTS software to be obtained via open market
  • How to create a baseline binary image for
    replication
  • Preparations of erasable media
  • Software from unalterable media - CDs
  • Record resulting from the installation procedure

50
5.4 Access Control
  • The management of three basic elements
  • Identification
  • Authentication
  • Authorization
  • Supports the ability of the voting system to
  • Account for users actions
  • Limits use of resources
  • Applies to individuals, applications, and
    processes of the voting system

51
5.4 Access Control
  • Management of identification information
  • Creating and disabling identities or roles
  • Failed attempts lock out
  • Number of failures within in a time period
  • Length of lockout time

52
5.4 Access Control
  • Role identification
  • Required for voting devices and election
    management systems
  • Roles specified Voter, Election Judge, Poll
    Worker, Central Election Official, and
    Administrator
  • Individual identification
  • Required by election management systems

53
5.4 Access Control
  • Management of authentication information
  • Setting and changing authentication information
  • Protection of authentication data by system
  • Password management - strength, reuse, and
    expiration.

54
5.4 Access Control
  • Authentication requirements by role
  • Voter in Section 7.5.1 Issuance of voting
    credentials and ballot activation
  • Poll Worker - N/A
  • Election Judge and Central
  • Something you know
  • Administrator
  • Multi-factor authentication - smartcard,
    biometric
  • Application or Process - Digital certificate or
    signature - ????

55
5.4 Access Control
  • Authorization Management
  • By voting system state, time interval, or
    specific time
  • Dual person control
  • Separation of duties
  • Type of functionality and data accessed
  • Explicitly allowed or disallowed
  • Least privilege, Privilege escalation, prevent
    modification or tampering of software/firmware
    ???

56
5.4 Access Control
  • Technical Date Package (TDP) requirements
  • Descriptions and specifications of all access
    control mechanisms used
  • Descriptions and specification of all voting
    system mechanisms that rely on access control
  • Mapping of all voting system operations and
    default roles with permissions to perform
    operations

57
5.4 Access Control
  • User documentation requirements
  • Instructions for implementing, configuring, and
    managing
  • Model access control policy
  • Templates or instructions for custom access
    control policy creation
  • Disclosure of all default privileged roles

58
5.5 System Integrity Management
  • Security controls that do not fit into other
    sections of the VVSG
  • Boot, load, and execute process protection
  • Removable media interface protection
  • Backup and recovery capabilities
  • Malicious software protection

59
5.5 System Integrity Management
  • Boot process process protection
  • Process used when a system is powered on
  • Integrity verification of software initialization
    components
  • Hardware cryptographic module - digital
    signature/hashes

60
5.5 System Integrity Management
  • Load and execute process protection
  • Process used to load software into memory for
    execution
  • Integrity verification of any software before
    loading into memory for execution
  • Hardware cryptographic module - digital
    signature/hashes

61
5.5 System Integrity Management
  • Removable media interface protection
  • Other than physical security mechanisms
  • Ability to disable removable media interfaces
    when not required
  • CDs, Flash memory, PCIMIA, etc.
  • May only need a CDs interface to be enabled
    during software installation

62
5.5 System Integrity Management
  • Backup and recovery mechanisms
  • Limited to election management systems
  • Permitted only when not capturing votes
  • Integrity verification information (digital
    signatures, hashes, MACs) created with backup
    information
  • Backup information authentication and integrity
    verification before used for recovery

63
5.5 System Integrity Management
  • Malicious software protection
  • Limited to election management systems
  • Use of malware detection software
  • Ability to update as new threats appear over time
  • Executed at least once every 24 hours and before
    loading and execution of software
  • Executed against removable media

64
5.5 System Integrity Management
  • Technical Date Package (TDP) requirements
  • List of all software required to be executed

65
5.6 Communication Security
  • Protection of voting system communications
  • Transmission of information
  • Communications based threats
  • No use of wireless technology
  • Except for infrared technology

66
5.6 Communication Security
  • No remote communication to voting devices during
    election day
  • Exceptions for devices used to transmit end of
    day results and communication with voter
    registration databases
  • However, these devices cannot be connected to
    other polling place devices

67
5.6 Communication Security
Remote Locations
Polling Place
Accumulator
68
5.6 Communication Security
  • Network interface protection
  • Ability to disable physical network interfaces
    when not required
  • Prohibit flow of network traffic from one
    interface to another on multiple interface
    devices
  • Unique physical identifier (address) for each
    interface

69
5.6 Communication Security
  • Limit communications to only devices that are
    required to communicate with each other
  • Integrity information for data
  • Generate integrity information for data sent
  • Verify integrity information for data received
  • Digital signature, hashes, MACs

70
5.6 Communication Security
  • Mutual authentication between devices before
    exchange of information
  • Part of connection establishment
  • Unique identifier for devices
  • Limit amount of information needed for
    authentication
  • Limit devices to only required network ports,
    active shares, and services

71
5.6 Communication Security
  • Monitor network interfaces for evidence of attack
  • When attacks are detected, devices need to
    respond to stop attack
  • Shutting down network interface

72
5.6 Communication Security
  • Documentation requirements
  • List of all network communication processes and
    applications required for proper operation
  • List of all network ports, shares, services, and
    protocols used

73
5.7 System Event Logging
  • Provides accountability and supports the ability
    to reconstruct events and detect intrusions
  • Electronic audit trail
  • Information to be generated
  • Integrity protection of the information
  • Management of system event log

74
5.7 System Event Logging
  • Log information must maintain voter privacy and
    ballot secrecy
  • Basic log entry information
  • System Identifier
  • Event Identifier
  • Time Stamp
  • Result of event
  • When applicable, user that triggered event and
    requested resource

75
5.7 System Event Logging
  • Time Stamp requirements
  • Clock drift - 1 minute within 15 hours
  • Format of time stamp - give example
  • ISO 8601
  • Date
  • Time - hours, minutes, and seconds
  • Administrator role required to adjust clock

76
5.7 System Event Logging
  • Minimum list of events to be logged
  • General system functions events
  • Changes to configuration
  • Device startup and shutdown
  • Addition and deletion files
  • System readiness results
  • Authentication and access control events
  • Logon attempts
  • Logout events
  • Attempts to access system resources

77
5.7 System Event Logging
  • Software events
  • Installation, upgrades, and patches
  • Changes to configuration settings
  • Connection attempts to databases
  • Cryptographic events
  • Changes to cryptographic keys
  • Voting events
  • Opening and closing of polls
  • Cast ballot
  • Ballot definition and modification

78
5.7 System Event Logging
  • Management of system event log
  • Default setting of system event log
  • Storage of log information in a publicly
    documented format such as XML
  • Event logs separable on an election and device
    basis
  • Retention of event log data from previous
    elections

79
5.7 System Event Logging
  • Export of log information with digital signature
  • Rotation of log information internally
  • From primary file to new file
  • Log capacity management
  • Alert as it reaches configurable intervals
  • Suspension of vote capturing when logs capacity
    reached

80
5.7 System Event Logging
  • Ability to view, analyze, and search system event
    log while on device
  • Halt vote capturing when system log malfunctions
    or is disabled
  • Administrator role required to configure system
    event log and clear previous election event logs
    prior to new election cycle

81
5.7 System Event Logging
  • Protection of log information
  • Unauthorized access
  • Read only for administrator roles
  • Write or append only for processes
  • Unauthorized modification
  • Use of cryptography, append only media, operating
    system
  • Unauthorized Deletion
  • Integrity and availability protection of
    archived log information

82
5.8 Physical Security for Voting Devices
  • Prevent undetected, unauthorized physical access
  • Must be able to differentiate authorized from
    unauthorized access
  • Unauthorized access must leave physical evidence
  • Requirements recognize use of a combination of
    procedures and physical countermeasures without
    prescribing either

83
5.8 Physical Security for Voting Devices
  • Unauthorized physical access must leave physical
    evidence
  • Physical port access and least functionality
  • Essential to operations, testing and auditing
  • Boundary protection
  • Broken connection ? port automatically disabled,
    alarm, event log, authorization to re-enable

84
5.8 Physical Security for Voting Devices
  • Information flow
  • Restricted access to ports with removable media
  • Tamper evidence
  • Manually disable
  • Door covers and panels
  • Monitor access
  • Ballot boxes
  • Tamper evident

85
5.8 Physical Security for Voting Devices
  • Secure physical locks and keys
  • Meet UL standards and be tamper evident
  • Keyed per System Owners preference
  • Physical encasement locks (fasteners)
  • Must not compromise security
  • Power supplies
  • If the power goes out, physical countermeasures
    should not fail

86
Questions
End of Day One???
Write a Comment
User Comments (0)
About PowerShow.com