TGDC Meeting, July 2010 Security Considerations for Remote Electronic UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology http://vote.nist.gov DRAFT

Overview
- Background on NIST UOCAVA Voting Work
  - 2008 - Threat Analysis on UOCAVA Voting Systems
  - 2010 - Information System Security Best Practices for UOCAVA Supporting Systems
  - 2010 - Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Overview of Security Considerations for Remote Electronic UOCAVA Voting

Background - 1
- NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
  - Concluded that threats to electronic transmission of registration materials and blank ballots can be effectively mitigated with widely deployed technology
  - Threats to electronic return of ballots more serious and challenging to overcome
- Multi-track approach

Background - 2
- Registration/Ballot Return
  - Developed two best practices documents
    - Information System Security Best Practices for UOCAVA Supporting Systems
    - Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Ballot Return
  - Research document framing important security issues for policymakers
    - Security Considerations for Remote Electronic UOCAVA Voting
  - Collaboration between NIST computer security and human factors experts

Report Overview - 1
- Security Considerations for Remote Electronic UOCAVA Voting
- Report identifies:
  - Potential benefits
  - Desirable security properties
  - Major security threats
  - Current and emerging technologies
  - Open issues

Report Overview - 2
- Organized by security goals
  - Confidentiality
  - Integrity
  - Availability
  - Identification and Authentication

Report Overview - 2
- Potential Benefits
- Desirable Properties - Based on properties/requirements in
  - SERVE documentation
  - Internet voting Common Criteria Protection Profile
  - Council of Europe standards

Report Overview - 3
- Threats
  - Identifies and describes major threats
  - Based on threats identified in NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
- Current and Emerging Technologies
- Open Issues

Confidentiality - 1
Potential Benefits
- Strong technical ballot secrecy protections
- Some protection against unsophisticated coercion attacks

Confidentiality - 2
Desirable Properties
- Ballot secrecy
- Protect voter registration information
- Incoercibility
- Minimal storage
- Limited communication

Confidentiality - 3
Threats
- Violating ballot secrecy at election office
  - Small-scale violations possible with mail-in/fax voting
  - Large-scale violations possible with electronic methods
- Violating ballot secrecy in-transit
  - Generally difficult with mail-in, fax, telephone voting
  - Possible with unencrypted email
  - Web-based methods easy to protect
- Coercion
  - Small scale attacks via mail-in voting
  - Attacks scale better with electronic methods
- Client-side threats to email/web voting

Confidentiality - 4
Mitigations for Electronic Transmission
- Proper use of cryptography can provide strong protections for data in-transit against modification or interception
- Cryptography, access control mechanisms, and separation of duties can protect ballots at-rest, with some trust assumptions
- End-to-end cryptographic voting protocols can provide additional strong protections against modification on servers

Integrity - 1
Potential Benefits
- Authenticity of electronic records
- Strong integrity protections in-transit

Integrity - 2
Desirable Properties
- Data Integrity
  - Accuracy
  - Auditability
  - Verifiability
  - Traceability
  - Recoverability
- Software Integrity

Integrity - 3
Threats
- Ballot modification after reception
  - Procedural protections for mail-in/fax voting
  - Variety of potential sophisticated large-scale attacks on electronic systems
- Ballot modification in-transit
  - Generally difficult with mail-in, fax, telephone voting
  - Possible with unencrypted email
  - Web-based methods easy to protect
- Software-based threats server-side
- Software-based threats client-side
  - GTISC - 15% of US computers infected with botnet malware
  - Malware kits available on the black-market for <$1000

Integrity - 4
Mitigations for Electronic Transmission
- Client side protections are very difficult
  - These systems are typically outside control of election officials
  - Antivirus/antiphishing software may not be present, up-to-date, or effective
- An area with continuous research and development
  - Emerging technologies: Trusted computing and/or virtualization
- Kiosks can enforce protections

Availability - 1
Potential Benefits
- Timeliness of delivery
- Confirmation of receipt
- Flexibility of physical locations

Availability - 2
Desirable Properties
- Availability
- Reliability
- Recoverability
- Fault-Tolerance
- Fail-Safe
- Scalable

Availability - 3
Threats
- Transit times
  - Overseas mail delivery times vary (e.g., 7-12 days to Middle East)
  - Electronic systems have significant advantages
- Denial of Service attacks
  - Cyber attacks on e-commerce sites, Estonia (2007), Georgia (2008)
  - Difficult to guard against, but easy to detect
- Client-side disruption
  - Small-scale attacks with mail-in voting
  - Large scale attacks possible with electronic methods (e.g., malware)

Availability - 4
Mitigations for Electronic Transmission
- Attacks on availability cannot be prevented, but can be made more difficult
  - Redundancy and over-provisioning
  - Coordinating with Internet service providers for filtering
  - Emerging technology: Cloud computing
- DoS attacks difficult to prevent, but easy to detect

I&A - 1
Potential Benefits
- Automated authentication mechanisms
- Strong remote authentication

I&A - 2
Desirable Properties
- Voter/Administrator/Component I&A
- Non-transferable credentials

I&A - 3
Threats
- Strength of authentication mechanisms
  - Mail-in, fax, and email rely on verification of hand signatures
  - Stronger mechanisms available for web-based systems
- Credential Selling
  - Same impact as vote selling
  - Large-scale attacks possible depending on authentication mechanism (e.g., PIN, password)
- Phishing/Pharming
  - Major threats to web-based systems
  - 2008 Gartner report - 5 million victims
  - Low-tech, but highly effective attack
- Malware attacks
  - May allow theft of voters’ and administrators’ credentials
- Social engineering
  - May result in theft of administrator credentials

I&A - 4
Mitigations for Electronic Transmission
- Strong authentication mechanisms exist
  - PINs and passwords are cheap, but comparatively easy to steal
  - One-time password devices require deployment of physical devices to voters
  - Cryptographic authentication methods offer the strongest assurances, but may be expensive to deploy
- Smart Card Authentication
  - Common Access Card already deployed to military personnel
  - Lack of smart card readers on personally-owned computers
  - Intended to be used by the 2004 SERVE project
- In-person authentication at supervised kiosks

Next Steps - 1
- Best Practices documents
  - Use security best practices as input to updating EAC UOCAVA Best Practices
  - Must also bring in usability, accessibility, and election management best practices

Next Steps - 2
- Security research documents
  - Threats, mitigating security controls, and current/emerging technologies will serve as basis for draft risk management matrices
  - NIST will work with the voting community to fill in remaining issues

NIST UOCAVA Voting Documents
All documents will be available at: http://vote.nist.gov