Georgia Electronic Voting SystemGeorgia Electronic Voting System

Testing and Security

Voting Systems Testing SummitNovember 29, 2005

Brit WilliamsBrit WilliamsKSU Center for Election SystemsKSU Center for Election Systems

bwilliam@kennesaw.eduhttp://elections.kennesaw.edu

Georgia Voting SystemGeorgia Voting System

Global Election Management System (161)

AccuVote Ballot Scanners (400+)AccuVote Voting Stations (26,000+)Voter Card Encoders (6000+)

November 2002 - PresentNovember 2002 - Present

First used in general election of 2002Used in over 2,000 state, county, and

municipal electionsThe usual glitches caused by peopleNot a single glitch attributable to the

voting system

Features and EnhancementsFeatures and Enhancements

Allows voters to vote quickly and accurately

Provides an easy user interface for elderly and infirm

Provides multiple languagesAllows visually impaired to vote

unassistedReduces under-votes by a factor of five

Responsible OrganizationsResponsible Organizations

– Election System Vendor (Diebold)– Qualified Federal Testing Laboratory

(ITA)– KSU Center for Election Systems

(State)– County Election Offices (Local)

Election System VendorElection System Vendor

• Designs and builds the Election System

• Submits the Election System to the ITA to verify compliance with Federal Voting System Standards

• After obtaining NASED/EAC qualification and receiving approval from the State, installs the System in the counties

QualifiedQualified Federal Testing LaboratoryFederal Testing Laboratory

• Reviews the System for compliance with the Federal Voting System Standards

• Issues Qualification Report to NASED/EAC on Complete System

• Submits the Qualified System to the KSU Center for Election Systems where State Certification is performed

KSU Center for Election SystemsKSU Center for Election Systems

• Reviews the System for compliance with State of Georgia Election Code and Rules

• Tests the System for the presence of any unauthorized/fraudulent code

• Develops a validation (HASH) program used to test the System installed in the counties

• Verifies that the System installed by the vendor in the county is identical to the system received from the ITA and certified by the KSU Center for Election Systems.

County Election OfficesCounty Election Offices

• Maintains, stores and protects the System

• Uses the System in accordance with Georgia law and rules to conduct elections.

Security ThreatsSecurity Threats

Election FraudElection/Precinct Disruption

– Intentional– Accidental

Layers of System SecurityLayers of System Security

• Software

• Procedural

• Physical

Software SecuritySoftware Security

• User ID’s

• Passwords

• Audit Trails

Procedural SecurityProcedural Security Qualification

Testing

Certification Testing

Acceptance Testing

System Access Who, What , When,

and Why

Logic and Accuracy Testing

Election Monitoring

Election Reconciliation

Physical SecurityPhysical Security

• Servers are always kept in locked offices

• No extraneous software installed on servers

• No network connectivity

• Physical access limited to authorized personnel

• Touch screen units secured, locked and sealed when not in use

Protecting System IntegrityProtecting System Integrity

Three distinct functions must be performed to protect the integrity of the System:

1. Verify the System at Receipt.

2. Verify the System at Installation.

3. Verify the System in Operation.

Function #1Function #1

Verify the System at Receipt.

Using the System as delivered from the ITA • Set up and conduct sample elections with

known outcomes that are representative of Georgia general and primary elections.

• Conduct high-volume tests to determine capacity limits of the System.

• Conduct tests to determine the System’s ability to recover from various types of errors.

Function #2Function #2

Verify the System at Installation.

Ensure that the System installed in the Counties is identical to the System received from the ITA and certified by the State.

• Prepare a validation program that will detect any changes to the System installed in the Counties.

• Run the validation program against the System installed in the County (after vendor installation).

• Provide the County with a copy of the validation program.

Function #3Function #3

Verify the System in Operation.

Ensure that the System is performing properly, that all precinct ballots are correct and that the System has not been modified in any way.

• Logic and Accuracy Tests are performed prior to each election.

• Performance of all System components is verified.

• Specific ballot information for each memory card in each precinct is verified.

• Touch screen units are set for election, locked, and sealed.

• Validation program is run after any suspicious event.

Overview of Security RelationshipsOverview of Security Relationships

Election System Vendor

Qualified Federal Testing Laboratory

CountiesKSU Center

for Election Systems

Function #1Function #2

Trusted Organizations

Function #3

Validation Program (Hash)Validation Program (Hash)

• Based on NIST standards contained in FIPS 180-2, established in August 2002.

• Run ‘hash’ on the System certified by the KSU Center for Election Systems. This creates File 1.

• Run ‘hash-cmp’ to compare File 1 with a new ‘hash’ on the System in the County.

• They must be identical.

Hash Program DetailsHash Program Details

Based on NIST certified SHA-1 contained in FIPS 180-2, August 2002.

Computes:32 bit CRC128 bit MD 5 Hash160 bit SHA-1 Hash

The probability that this hash would not detect a program modification is estimated to be 1 in 1,000,000,000