Part II: Computer Security and the VVSG. October 15-17, 2007. Barbara Guttman, Nelson Hastings, National Institute of Standards and Technology. barbara.guttman@nist.gov

Part II: Computer Security and the VVSG

October 15-17, 2007

Barbara Guttman, Nelson Hastings

National Institute of Standards and Technology

barbara.guttman@nist.gov

Oct 15-17, 2007 Next VVSG Training Page 2

Agenda

Security Requirements Overview

Review of Chapter 4: Security and Audit Architecture

Review of Chapter 5: General Security Requirements

Security Requirements Overview

The security requirements of the next VVSG work together to support equipment security

It is difficult to understand the security provided by a single requirement, or set of requirements, without understanding how the requirements relate to each other

Security Requirements Overview

For example, the Cryptography section addresses how cryptography is implemented by equipment

The software installation and electronic records sections address how cryptography, specifically digital signatures, is used by equipment to support security

Security Requirements Overview

Documentation requirements related to security

Part 2: Documentation Requirements, System Security Specification

Section 3.5 of the Technical Data Package (TDP)

Section 4.3 of the user documentation

Security Requirements Overview

Section 3.5: System Security Specification (TDP)

Provided to the test lab to assist in the testing campaign

General documentation about security, including:

Security Architecture

Security Threat Controls

Security Testing and vulnerability analysis

Detailed implementation specification for each security mechanism

Security Requirements Overview

Section 4.3: System Security Specification (user documentation)

Provided to the user of the voting system, including test labs

How security mechanisms are to be used

Information needed to support a feature's use, such as a list of software to be installed

Chapter 4: Security and Audit Architecture

Section 4.2: Requirements to support auditing

Section 4.3: Electronic Records

Section 4.4: Independent Voter Verifiable Records (IVVR): VVPAT, PCOS

Software Independence

TGDC Resolution 06-06 requires software independence (SI)

Software Independence means that changes must be detectable

Detectable, in practice, means auditable

SI = Auditable

Why Does the TGDC Want SI?

With software, it is pretty easy to make a screen say one thing, but record another thing inside the computer.

The hard part is making plausible, directed changes.

Auditing Records

Two types of records: electronic and independent

4.3 addresses electronic records

4.4 addresses independent records

Won’t a Test Lab Catch This?

No, software, especially the software that runs the user interface, is really complicated.

Famous software that wasn't doing what we thought it was doing

Some trojan horse (or 2)

NC voting example

Therac 25

Phishing

Therac 25

After this second Tyler accident, the ETCC physicist immediately took the machine out of service and called AECL to alert the company to this second apparent overexposure. The Tyler physicist then began his own careful investigation. He worked with the operator, who remembered exactly what she had done on this occasion. After a great deal of effort, they were eventually able to elicit the Malfunction 54 message. They determined that data-entry speed during editing was the key factor in producing the error condition: If the prescription data was edited at a fast pace (as is natural for someone who has repeated the procedure a large number of times), the overdose occurred.

http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_2.html

How Does the VVSG Address Auditability?

Requires equipment to have features that can be used for various types of audits

Requires documentation

NOTE: The VVSG itself does not require auditing; this is procedural and outside the scope.

4.2 Requirements for Supporting Audits

Types of audits:

Pollbook audit

Hand audit of independent record

Ballot count and vote total audit

Observational testing

Note: Parallel Testing is another type of audit, but it is not included because it does not levy requirements on the equipment

Audit Records

Two types of records:

Electronic records

Independent Voter Verifiable Records (IVVR)

4.3 addresses electronic records

4.4 addresses independent records

4.3 Electronic Records

General requirements

Open format

Printable

Digitally signed for integrity and authenticity

4.3 Electronic Records

Information/data requirements

Contain all relevant data

List for Tabulator (4.3.2)

List for EMS (4.3.3)

Generally:

Totals

Read ballots

Counted ballots

Rejected ballots

Overvotes/undervotes

Write-ins

4.4 Independent Voter Verifiable Records (IVVR)

What is an independent voter verifiable record? (4.4.1)

Direct verification by voter

Support for hand auditing

Various security and operational properties (can be rejected/durable)

Doesn’t this mean paper?

4.4 Independent Voter Verifiable Records (IVVR)

Direct review (by voter and election official)

Can support a hand audit

Can support a recount

Durable

Tamper evidence

Support for privacy

4.4 Independent Voter Verifiable Records (IVVR)

Public format

Sufficient information (ballot configuration, not just selections)

No codebook required

Support for multiple physical media

Able to be accepted or rejected (per medium)

Non-human-readable marks allowed (public format)

4.4 Independent Voter Verifiable Records (IVVR)

Two current types of IVVR:

VVPAT

Optical scan

4.4.2 VVPAT

VVPAT and accessibility addressed by Sharon

Note need for observational testing

Many operational requirements

Paper rolls allowed

4.4.3 PCOS

Few additional security requirements

Allow non-human readable marks (record identifiers, batch information, integrity checks)

Chapter 5: General Security Requirements

Section 5.1: Cryptography

Section 5.2: Setup Inspection

Section 5.3: Software Installation

Section 5.4: Access Control

Section 5.5: System Integrity Management

Section 5.6: Communication Security

Section 5.7: System Event Logging

Section 5.8: Physical Security for Voting Devices

5.1 Cryptography

Powerful basic security control

Integrity of information

Authentication of information

Requirements developed to provide easy use and maintenance

Use strength of existing federal standards

5.1 Cryptography

Implementation of cryptography

Public and secret key cryptography

Not cryptographic voting protocols (a.k.a. end-to-end voting systems)

Many sections of the next VVSG leverage the security features supported by cryptography

5.1 Cryptography

FIPS 140-2 validated cryptographic module

A cryptographic module is hardware, firmware, and/or software that implements cryptographic functions (such as encryption, decryption, and key generation).

Minimum strength of cryptography

5.1 Cryptography

Signature Module

A hardware cryptographic module: FIPS 140-2 Level 2 (out of 4), with physical security at Level 3

Generates digital signatures

Generates and stores private signature keys

Permanently attached to the equipment

5.1 Cryptography

Types of keys within a Signature Module (SM)

Device Signature Key (DSK)

Associated with a device for its lifetime

Signatures traceable to specific pieces of equipment

Election Signature Key (ESK)

Generated once per election cycle

Associated with a device's specific election cycle

Signatures traceable to electronic records for a given election

5.1 Cryptography

Device Signature Key (DSK)

Generated using a nondeterministic random number generator

Public key certificate: self-signed or CA-issued

Unique identifier on an external surface of the equipment and in the certificate

Used for signing:

Election Signature Key certificates

Election key closeout records

Device Signature Key certificates

5.1 Cryptography

Election Signature Key (ESK)

Generated using a nondeterministic random number generator

Used to digitally sign electronic records for an election cycle

Destroyed as part of election closeout

Counters to keep track of the number of ESKs generated and of the signatures generated by a given ESK

5.1 Cryptography

Election Signature Key (ESK) certificates are signed by the Device Signature Key (DSK)

[Diagram: the Device Signature (private) key produces Signature_DSK over the Election Signature (public) key]

5.1 Cryptography

Election key closeout record

Electronic record

Public key of the Election Signature Key (ESK) (certificate or message digest/hash???)

Number of signatures generated by Election Signature Key (ESK)

Election Signature Key (ESK) number of the device

Signed by the Device Signature Key (DSK)
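Worked example of the DSK/ESK hierarchy and closeout record described on the preceding slides. This is an added illustration, not NIST's or any vendor's code: a software stand-in for the signature module that generates one ESK per election cycle, signs the ESK certificate with the DSK, counts signatures, and emits a DSK-signed closeout record once the ESK is destroyed. Ed25519 and the byte encodings (certTBS, closeoutTBS) are assumptions made here for illustration; the VVSG specifies neither.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// SignatureModule models the VVSG signature module's key hierarchy: one Device Signature
// Key (DSK) for the device's lifetime and one Election Signature Key (ESK) per election
// cycle. Illustrative only; a real module is FIPS 140-2 validated hardware and keeps its keys.
type SignatureModule struct {
	DeviceID string
	DSKPub   ed25519.PublicKey
	dskPriv  ed25519.PrivateKey
	eskPriv  ed25519.PrivateKey // nil while no election cycle is open
	eskNum   uint32             // ESKs generated over the device's lifetime
	sigCount uint32             // signatures made by the current ESK
}

// ESKCertificate binds an ESK public key to a device and ESK number; signed by the DSK.
type ESKCertificate struct {
	DeviceID string
	ESKNum   uint32
	ESKPub   ed25519.PublicKey
	DSKSig   []byte
}

// CloseoutRecord is the election key closeout record; signed by the DSK.
type CloseoutRecord struct {
	ESKNum   uint32
	ESKPub   ed25519.PublicKey
	SigCount uint32 // signatures the ESK produced before it was destroyed
	DSKSig   []byte
}

// certTBS and closeoutTBS are constructed to-be-signed encodings, not a VVSG format.
func certTBS(deviceID string, num uint32, pub ed25519.PublicKey) []byte {
	return append(binary.BigEndian.AppendUint32([]byte(deviceID), num), pub...)
}
func closeoutTBS(num uint32, pub ed25519.PublicKey, count uint32) []byte {
	return binary.BigEndian.AppendUint32(append(binary.BigEndian.AppendUint32(nil, num), pub...), count)
}

// NewSignatureModule generates the DSK from a nondeterministic RNG.
func NewSignatureModule(deviceID string) (*SignatureModule, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SignatureModule{DeviceID: deviceID, DSKPub: pub, dskPriv: priv}, nil
}

// OpenElection generates a fresh ESK, counts it and returns its DSK-signed certificate.
func (sm *SignatureModule) OpenElection() (ESKCertificate, error) {
	if sm.eskPriv != nil {
		return ESKCertificate{}, errors.New("election cycle already open")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ESKCertificate{}, err
	}
	sm.eskPriv, sm.sigCount, sm.eskNum = priv, 0, sm.eskNum+1
	cert := ESKCertificate{DeviceID: sm.DeviceID, ESKNum: sm.eskNum, ESKPub: pub}
	cert.DSKSig = ed25519.Sign(sm.dskPriv, certTBS(cert.DeviceID, cert.ESKNum, cert.ESKPub))
	return cert, nil
}

// SignRecord signs an electronic record with the current ESK and counts the signature.
func (sm *SignatureModule) SignRecord(record []byte) ([]byte, error) {
	if sm.eskPriv == nil {
		return nil, errors.New("no election cycle open")
	}
	sm.sigCount++
	return ed25519.Sign(sm.eskPriv, record), nil
}

// CloseElection emits the DSK-signed closeout record and destroys the ESK.
func (sm *SignatureModule) CloseElection() (CloseoutRecord, error) {
	if sm.eskPriv == nil {
		return CloseoutRecord{}, errors.New("no election cycle open")
	}
	rec := CloseoutRecord{ESKNum: sm.eskNum, ESKPub: sm.eskPriv.Public().(ed25519.PublicKey), SigCount: sm.sigCount}
	rec.DSKSig = ed25519.Sign(sm.dskPriv, closeoutTBS(rec.ESKNum, rec.ESKPub, rec.SigCount))
	sm.eskPriv = nil // ESK destroyed; a real module zeroizes the key material
	return rec, nil
}

// VerifyChain checks the record under the ESK and the ESK certificate under the DSK.
func VerifyChain(dskPub ed25519.PublicKey, cert ESKCertificate, record, sig []byte) bool {
	return ed25519.Verify(dskPub, certTBS(cert.DeviceID, cert.ESKNum, cert.ESKPub), cert.DSKSig) &&
		ed25519.Verify(cert.ESKPub, record, sig)
}

// VerifyCloseout checks the closeout record is DSK-signed and names the certificate's ESK.
func VerifyCloseout(dskPub ed25519.PublicKey, cert ESKCertificate, rec CloseoutRecord) bool {
	return rec.ESKNum == cert.ESKNum && rec.ESKPub.Equal(cert.ESKPub) &&
		ed25519.Verify(dskPub, closeoutTBS(rec.ESKNum, rec.ESKPub, rec.SigCount), rec.DSKSig)
}
```

An auditor holding only the device's DSK public key can thus check that a record was signed by an ESK this device certified, and that the closeout record's signature count matches what the device reports.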

5.1 Cryptography

Technical Data Package (TDP) requirements

Certificate fields for the Device Signature Key (DSK) and Election Signature Key (ESK)

Specific cryptographic algorithms used

Election Closeout Record format specification

5.2 Setup Inspection

Requirements related to the capabilities to inspect properties of voting devices

Improves voting device management and maintenance

Reflects the new focus of requirements in light of the software independence (SI) approach

Called Setup Validation in VVSG 2005

5.2 Setup Inspection

Inspections generate system event log entries

Time and date

Information related to the specific inspection

Location of software files

Component calibration

Result of inspection

Voting device unique identification

Individual (or role) that performed the inspection

5.2 Setup Inspection

Software identification verification

Ability to query/inspect the voting device to determine what software is installed

Software integrity verification using digital signatures and hashes

Designated repositories such as the National Software Reference Library (NSRL)

Voting device owner (jurisdiction)

The SI approach allows for internal verification

No external interface requirement as in VVSG 2005

5.2 Setup Inspection

Voting device election information inspection

Ability to query/inspect the storage locations containing information that changes during an election

Number of ballots cast

Totals for a given contest

Generalized register and variable terminology from VVSG 2005

Support zero total inspections prior to use in election

5.2 Setup Inspection

Inspection of properties of voting device components

Backup power supply level

Cabling connectivity indicator

Communications operational status and on/off indicators

Consumables remaining indicator

Calibration determination and adjustments

5.2 Setup Inspection

User documentation requirements

Model setup inspection process supported by the voting device

Minimally includes the items mentioned previously

Manufacturer provided

Model inspection checklist of other properties supported by the voting device

Manufacturer provided

Risks related to not performing a given inspection

</gr_repl>
<gr_replace lines="462-464" cat="clarify" orig="Requirements related">
Requirements related to the installation of software on voting devices

Also covers access to and modification of configuration files

Uses digital signatures to provide the ability to verify the authenticity and integrity of the software

National Software Reference Library (NSRL)

Designated repositories
5.3 Software Installation

Requirements related to the installation of software on voting devices Also covers access and modification of configuration files

Uses digital signatures to provide the ability to verify the authentication and integrity of the software National Software Reference Library (NSRL) Designated repositories

5.3 Software Installation

Software installation only when in pre-voting state

Only individuals with an Administrator or Central Election Official role can install software

Central Election Officials are limited to election-specific software or data files

5.3 Software Installation

Digital signature verification of software before installation

Externally visible alert when software installation fails

Software may only be installed using documented procedures

5.3 Software Installation

Software installation generates system event log entries:

Time and date

Software name and version

Location of installation (directory path)

Digital signature verification: result and signature source

Result of software installation
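Added example (not from the VVSG or any vendor) of the installation gate the 5.3 slides describe: installation is refused outside the pre-voting state or for an unauthorised role, the signature is verified against a known source before anything is installed, and every attempt, failed or not, produces the event log fields listed above. The role names, state names, log field names and Ed25519 are illustrative assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"time"
)

// DeviceState is the voting device state; 5.3 permits installation only in PreVoting.
type DeviceState int

const (
	PreVoting DeviceState = iota
	Activated
	PostVoting
)

// Role names the access-control roles relevant to installation (Section 5.4).
type Role string

const (
	Administrator           Role = "Administrator"
	CentralElectionOfficial Role = "Central Election Official"
	PollWorker              Role = "Poll Worker"
)

// Package is a signed software or data package offered for installation.
type Package struct {
	Name, Version, Path string
	ElectionSpecific    bool   // ballot definitions and similar election data files
	Signer              string // label of the key expected to have signed Image
	Image, Signature    []byte
}

// LogEntry carries the system event log fields listed for an installation attempt.
type LogEntry struct {
	Time              time.Time
	Software, Version string
	Path              string
	SignatureSource   string
	SignatureResult   string // "valid", "invalid" or "not checked"
	Result            string
	Actor             Role
}

// Device holds the state, the trusted signing keys (constructed stand-ins for
// designated repository or manufacturer keys) and the event log.
type Device struct {
	State          DeviceState
	TrustedSigners map[string]ed25519.PublicKey
	Log            []LogEntry
}

// Install applies the gate in order: pre-voting state, role, known signature
// source, valid signature. Every attempt is logged, and a failure is returned
// as an error, which a real device would also surface as an externally visible alert.
func (d *Device) Install(actor Role, pkg Package) (LogEntry, error) {
	e := LogEntry{Time: time.Now(), Software: pkg.Name, Version: pkg.Version, Path: pkg.Path,
		SignatureSource: pkg.Signer, SignatureResult: "not checked", Actor: actor}
	fail := func(reason string) (LogEntry, error) {
		e.Result = "failed: " + reason
		d.Log = append(d.Log, e)
		return e, errors.New(reason)
	}
	if d.State != PreVoting {
		return fail("device not in pre-voting state")
	}
	switch actor {
	case Administrator: // may install any software
	case CentralElectionOfficial:
		if !pkg.ElectionSpecific {
			return fail("central election official limited to election-specific software or data")
		}
	default:
		return fail("role not permitted to install software")
	}
	pub, ok := d.TrustedSigners[pkg.Signer]
	if !ok {
		return fail("unknown signature source")
	}
	if !ed25519.Verify(pub, pkg.Image, pkg.Signature) {
		e.SignatureResult = "invalid"
		return fail("digital signature verification failed")
	}
	e.SignatureResult, e.Result = "valid", "installed"
	d.Log = append(d.Log, e)
	return e, nil
}
```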

5.3 Software Installation

Technical Data Package (TDP) requirements

List of all software to be installed on the voting system:

Name and version

Manufacturer contact information

Type of software

Software documentation

Location where the software is to be installed

Functionality provided by the software

Dependencies and interactions between the software

5.3 Software Installation

User documentation

List of all software to be installed on the voting system, particularly election-specific software

Hardware and software needed to install the software

5.3 Software Installation

Procedures used to perform software installation

No use of compilers

COTS software to be obtained via the open market

How to create a baseline binary image for replication

Preparation of erasable media

Software from unalterable media (CDs)

Record resulting from the installation procedure

5.4 Access Control

The management of three basic elements:

Identification

Authentication

Authorization

Supports the ability of the voting system to account for users' actions and to limit the use of resources

Applies to individuals, applications, and processes of the voting system

5.4 Access Control

Management of identification information

Creating and disabling identities or roles

Failed-attempt lockout

Number of failures within a time period

Length of lockout time

5.4 Access Control

Role identification

Required for voting devices and election management systems

Roles specified: Voter, Election Judge, Poll Worker, Central Election Official, and Administrator

Individual identification

Required for election management systems

5.4 Access Control

Management of authentication information

Setting and changing authentication information

Protection of authentication data by the system

Password management: strength, reuse, and expiration

5.4 Access Control

Authentication requirements by role

Voter: Section 7.5.1, issuance of voting credentials and ballot activation

Poll Worker: N/A

Election Judge and Central Election Official: something you know

Administrator: multi-factor authentication (smartcard, biometric)

Application or Process: digital certificate or signature (????)

5.4 Access Control

Authorization management

By voting system state, time interval, or specific time

Dual person control

Separation of duties

Type of functionality and data accessed

Explicitly allowed or disallowed

Least privilege, privilege escalation, prevent modification or tampering of software/firmware ???

5.4 Access Control

Technical Data Package (TDP) requirements

Descriptions and specifications of all access control mechanisms used

Descriptions and specification of all voting system mechanisms that rely on access control

Mapping of all voting system operations and default roles with permissions to perform operations

5.4 Access Control

User documentation requirements

Instructions for implementing, configuring, and managing access control

Model access control policy

Templates or instructions for custom access control policy creation

Disclosure of all default privileged roles

5.5 System Integrity Management

Security controls that do not fit into other sections of the VVSG:

Boot, load, and execute process protection

Removable media interface protection

Backup and recovery capabilities

Malicious software protection

5.5 System Integrity Management

Boot process protection: the process used when a system is powered on

Integrity verification of software initialization components

Hardware cryptographic module: digital signatures/hashes

5.5 System Integrity Management

Load and execute process protection: the process used to load software into memory for execution

Integrity verification of any software before loading into memory for execution

Hardware cryptographic module: digital signatures/hashes

5.5 System Integrity Management

Removable media interface protection (other than physical security mechanisms)

Ability to disable removable media interfaces when not required

CDs, flash memory, PCMCIA, etc.

May only need a CD interface to be enabled during software installation

5.5 System Integrity Management

Backup and recovery mechanisms

Limited to election management systems

Permitted only when not capturing votes

Integrity verification information (digital signatures, hashes, MACs) created with backup information

Backup information authentication and integrity verification before it is used for recovery

5.5 System Integrity Management

Malicious software protection

Limited to election management systems

Use of malware detection software

Ability to update as new threats appear over time

Executed at least once every 24 hours and before loading and execution of software

Executed against removable media

5.5 System Integrity Management

Technical Data Package (TDP) requirements: list of all software required to be executed


5.6 Communication Security

Protection of voting system communications

Transmission of information

Communications-based threats

No use of wireless technology, except for infrared technology


No remote communication to voting devices during election day

Exceptions for devices used to transmit end-of-day results and for communication with voter registration databases

However, these devices cannot be connected to other polling place devices


Diagram (not reproduced): communication between the polling place and remote locations, showing the Registration Database, Electronic Poll Book, Central Count, Voting Devices, and Accumulator


Network interface protection

Ability to disable physical network interfaces when not required

Prohibit flow of network traffic from one interface to another on multiple interface devices

Unique physical identifier (address) for each interface


Limit communications to only devices that are required to communicate with each other

Integrity information for data

Generate integrity information for data sent

Verify integrity information for data received

Digital signature, hashes, MACs


Mutual authentication between devices before exchange of information

Part of connection establishment

Unique identifier for devices

Limit the amount of information needed for authentication

Limit devices to only required network ports, active shares, and services
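The requirements above describe a connection that is only usable after both devices have authenticated each other, and data that carries integrity information the receiver verifies. The following Python is an added example of one such exchange with both sides' messages, not code from the VVSG or from NIST; it assumes a per-pair key provisioned before the election (the requirement specifies neither the key type nor the protocol), uses HMAC-SHA256 for both the authentication proofs and the per-message integrity tags, and adds a sequence number so replayed messages are rejected.

```python
import hashlib
import hmac
import secrets


class Device:
    """One voting-system device. Assumption: each pair of devices allowed to talk
    shares a pairing key provisioned before the election; device_id is the
    unique identifier the requirement calls for."""

    def __init__(self, device_id, pairing_key):
        self.id = device_id
        self.key = pairing_key
        self.peer = None        # set only once the peer has proved knowledge of the key
        self.nonce = self.peer_nonce = None
        self.send_seq = self.recv_seq = 0

    def _mac(self, *parts):
        msg = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    # --- connection establishment: three messages; no data flows until they pass ---
    def hello(self):
        self.nonce = secrets.token_bytes(16)
        return {"id": self.id, "nonce": self.nonce}

    def respond(self, hello):
        self.peer_nonce, peer_id = hello["nonce"], hello["id"]
        self.nonce = secrets.token_bytes(16)
        proof = self._mac("resp", self.id, peer_id, self.peer_nonce, self.nonce)
        return {"id": self.id, "nonce": self.nonce, "proof": proof}

    def finish(self, reply):
        expected = self._mac("resp", reply["id"], self.id, self.nonce, reply["nonce"])
        if not hmac.compare_digest(expected, reply["proof"]):
            raise ValueError("responder failed to authenticate")
        self.peer, self.peer_nonce = reply["id"], reply["nonce"]
        return {"id": self.id, "proof": self._mac("init", self.id, self.peer, self.peer_nonce, self.nonce)}

    def confirm(self, final):
        expected = self._mac("init", final["id"], self.id, self.nonce, self.peer_nonce)
        if not hmac.compare_digest(expected, final["proof"]):
            raise ValueError("initiator failed to authenticate")
        self.peer = final["id"]

    # --- data exchange: every message carries a sequence number and a MAC ---
    def send(self, payload):
        if self.peer is None:
            raise RuntimeError("no authenticated peer")
        self.send_seq += 1
        tag = self._mac("data", self.id, self.peer, self.send_seq, payload)
        return {"from": self.id, "seq": self.send_seq, "payload": payload, "tag": tag}

    def receive(self, msg):
        """Return the payload, or None if the message is from the wrong device,
        replayed/out of order, or fails integrity verification."""
        if self.peer is None or msg["from"] != self.peer or msg["seq"] <= self.recv_seq:
            return None
        expected = self._mac("data", msg["from"], self.id, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return None
        self.recv_seq = msg["seq"]
        return msg["payload"]


def demo():
    """Constructed exchange between an accumulator and an election management system."""
    key = secrets.token_bytes(32)
    acc, ems = Device("ACC-01", key), Device("EMS-01", key)

    ems.confirm(acc.finish(ems.respond(acc.hello())))       # mutual authentication
    out = {"peers": (acc.peer, ems.peer)}

    msg = acc.send(b"precinct-12 totals: yes=120 no=98")
    out["delivered"] = ems.receive(msg)
    out["replay"] = ems.receive(msg)                          # same sequence number again
    forged = dict(msg, seq=2, payload=b"precinct-12 totals: yes=999 no=0")
    out["forged"] = ems.receive(forged)                       # tag does not cover new payload

    rogue = Device("EMS-01", secrets.token_bytes(32))         # impersonator without the key
    try:
        acc.finish(rogue.respond(acc.hello()))
        out["rogue"] = "accepted"
    except ValueError:
        out["rogue"] = "rejected"
    return out
```

Each proof covers both device identifiers and both nonces, so a proof captured from one session cannot be replayed into another, and the direction labels ("resp", "init", "data") keep a responder's proof from being reflected back as an initiator's. Only the identifiers and nonces travel in the handshake, which is the "limit the amount of information needed for authentication" point above.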


Monitor network interfaces for evidence of attack

When an attack is detected, the device needs to respond to stop it, e.g. by shutting down the network interface


Documentation requirements

List of all network communication processes and applications required for proper operation

List of all network ports, shares, services, and protocols used


5.7 System Event Logging

Provides accountability and supports the ability to reconstruct events and detect intrusions

Electronic audit trail

Information to be generated

Integrity protection of the information

Management of system event log


Log information must maintain voter privacy and ballot secrecy

Basic log entry information

System identifier

Event identifier

Time stamp

Result of event

When applicable, the user that triggered the event and the requested resource


Time stamp requirements

Clock drift limited to 1 minute within 15 hours

Format of time stamp: ISO 8601 date and time, including hours, minutes, and seconds (e.g. 2007-10-15T09:30:00)

Administrator role required to adjust the clock


Minimum list of events to be logged

General system function events

Changes to configuration

Device startup and shutdown

Addition and deletion of files

System readiness results

Authentication and access control events

Logon attempts

Logout events

Attempts to access system resources


Software events

Installation, upgrades, and patches

Changes to configuration settings

Connection attempts to databases

Cryptographic events

Changes to cryptographic keys

Voting events

Opening and closing of polls

Cast ballot

Ballot definition and modification


Management of system event log

Default settings of the system event log

Storage of log information in a publicly documented format such as XML

Event logs separable on an election and device basis

Retention of event log data from previous elections


Export of log information with a digital signature

Rotation of log information internally, from the primary file to a new file

Log capacity management

Alert as the log reaches configurable intervals of its capacity

Suspension of vote capturing when log capacity is reached


Ability to view, analyze, and search system event log while on device

Halt vote capturing when system log malfunctions or is disabled

Administrator role required to configure system event log and clear previous election event logs prior to new election cycle


Protection of log information

Unauthorized access: read-only for administrator roles; write- or append-only for processes

Unauthorized modification: use of cryptography, append-only media, operating system controls

Unauthorized deletion: integrity and availability protection of archived log information
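The logging requirements above (basic entry fields with ISO 8601 time stamps, capacity alerts and suspension of vote capture, export with a signature, and protection against modification and deletion) can be checked against a small implementation. The following Python is an added example, not code from the VVSG or from NIST; it assumes a constant EXPORT_KEY standing in for a key held by the device's cryptographic module, uses an HMAC in place of the digital signature on export, and uses a SHA-256 hash chain so that any in-place modification or deletion of an entry is detectable on the device.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the export key is held by the device's cryptographic module; an HMAC
# stands in here for the digital signature the export requirement calls for.
EXPORT_KEY = b"demo-export-key"
CHAIN_ANCHOR = "0" * 64


class EventLog:
    """Append-only, hash-chained event log with capacity alerts.

    Each entry carries the basic fields (system identifier, event identifier,
    ISO 8601 time stamp, result, optional user and resource) plus the hash of the
    previous entry, so modifying or deleting any entry breaks the chain."""

    def __init__(self, system_id, capacity, alert_every):
        self.system_id = system_id
        self.capacity = capacity          # entries allowed before vote capture must halt
        self.alert_every = alert_every    # raise an alert every N entries
        self.entries = []
        self.prev_hash = CHAIN_ANCHOR

    @staticmethod
    def _digest(entry):
        body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    @staticmethod
    def _timestamp():
        return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def append(self, event_id, result, user=None, resource=None):
        """Return 'ok', 'alert' (capacity interval reached) or 'full'.
        The caller must halt vote capture on 'full'. Ballot contents are never
        logged, only the fact that a ballot was cast, to preserve ballot secrecy."""
        if len(self.entries) >= self.capacity:
            return "full"
        entry = {"system_id": self.system_id, "event_id": event_id,
                 "timestamp": self._timestamp(), "result": result,
                 "user": user, "resource": resource, "prev": self.prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        n = len(self.entries)
        if n >= self.capacity:
            return "full"
        return "alert" if n % self.alert_every == 0 else "ok"

    def verify(self):
        """Walk the chain; return (True, count) or (False, index of first bad entry)."""
        prev = CHAIN_ANCHOR
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def export(self):
        """Serialised log plus an authentication tag for off-device archiving."""
        body = json.dumps(self.entries, sort_keys=True)
        tag = hmac.new(EXPORT_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"log": body, "signature": tag}


def verify_export(blob):
    expected = hmac.new(EXPORT_KEY, blob["log"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["signature"])


def demo():
    """Constructed election-day sequence on one device."""
    log = EventLog("DRE-0042", capacity=6, alert_every=3)
    events = [("polls_open", "success", "poll_worker_1", None),
              ("cast_ballot", "success", None, None),
              ("cast_ballot", "success", None, None),
              ("logon", "failure", "unknown", "admin_console"),
              ("cast_ballot", "success", None, None),
              ("cast_ballot", "success", None, None),
              ("cast_ballot", "success", None, None)]
    statuses = [log.append(*ev) for ev in events]
    intact = log.verify()[0]
    blob = log.export()

    log.entries[3]["result"] = "success"            # hide the failed logon
    tampered = log.verify()
    blob["log"] = blob["log"].replace('"failure"', '"success"')
    return statuses, intact, tampered, verify_export(blob)
```

The chain protects against modification on the device, where the process that writes the log has only append access; the signed export protects the archived copy, where integrity and availability must hold without the device. Deleting a whole tail of the log is not caught by the chain alone, which is why the export should be taken at closing of polls and retained with the entry count.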


5.8 Physical Security for Voting Devices

Prevent undetected, unauthorized physical access

Must be able to differentiate authorized from unauthorized access

Unauthorized access must leave physical evidence

Requirements recognize use of a combination of procedures and physical countermeasures without prescribing either


Unauthorized physical access must leave physical evidence

Physical port access and least functionality: ports limited to those essential to operations, testing, and auditing

Boundary protection: on a broken connection, the port is automatically disabled, an alarm is raised, the event is logged, and authorization is required to re-enable the port


Information flow Restricted access to ports with removable media

Tamper evidence Manually disable

Door covers and panels Monitor access

Ballot boxes Tamper evident


Secure physical locks and keys: meet UL standards and be tamper evident; keyed per the system owner's preference

Physical encasement locks (fasteners): must not compromise security

Power supplies: if the power goes out, physical countermeasures should not fail


Questions

End of Day One