TGDC Meeting, July 2010
Security Considerations for Remote Electronic UOCAVA Voting
Andrew Regenscheid, National Institute of Standards and Technology
http://vote.nist.gov
DRAFT
Overview
- Background on NIST UOCAVA Voting Work
  - 2008: Threat Analysis on UOCAVA Voting Systems
  - 2010: Information System Security Best Practices for UOCAVA Supporting Systems
  - 2010: Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Overview of Security Considerations for Remote Electronic UOCAVA Voting
Background - 1
- NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
  - Concluded that threats to electronic transmission of registration materials and blank ballots can be effectively mitigated with widely deployed technology
  - Threats to electronic return of ballots are more serious and challenging to overcome
- Multi-track approach
Background - 2
- Registration/Ballot Return
  - Developed two best practices documents
    - Information System Security Best Practices for UOCAVA Supporting Systems
    - Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Ballot Return
  - Research document framing important security issues for policymakers: Security Considerations for Remote Electronic UOCAVA Voting
  - Collaboration between NIST computer security and human factors experts
Report Overview - 1
- Security Considerations for Remote Electronic UOCAVA Voting
- Report identifies:
  - Potential benefits
  - Desirable security properties
  - Major security threats
  - Current and emerging technologies
  - Open issues
Report Overview - 2
- Organized by security goals
  - Confidentiality
  - Integrity
  - Availability
  - Identification and Authentication
Report Overview - 2
- Potential Benefits
- Desirable Properties
  - Based on properties/requirements in:
    - SERVE documentation
    - Internet voting Common Criteria Protection Profile
    - Council of Europe standards
Report Overview - 3
- Threats
  - Identifies and describes major threats
  - Based on threats identified in NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
- Current and Emerging Technologies
- Open Issues
Confidentiality - 1
- Potential Benefits
  - Strong technical ballot secrecy protections
  - Some protection against unsophisticated coercion attacks
Confidentiality - 2
- Desirable Properties
  - Ballot secrecy
  - Protect voter registration information
  - Incoercability
  - Minimal storage
  - Limited communication
Confidentiality - 3
- Threats
  - Violating ballot secrecy at election office
    - Small-scale violations possible with mail-in/fax voting
    - Large-scale violations possible with electronic methods
  - Violating ballot secrecy in transit
    - Generally difficult with mail-in, fax, telephone voting
    - Possible with unencrypted email
    - Web-based methods easy to protect
  - Coercion
    - Small-scale attacks via mail-in voting
    - Attacks scale better with electronic methods
  - Client-side threats to email/web voting
Confidentiality - 4
- Mitigations for Electronic Transmission
  - Proper use of cryptography can provide strong protections for data in transit against modification or interception
  - Cryptography, access control mechanisms, and separation of duties can protect ballots at rest, with some trust assumptions
  - End-to-end cryptographic voting protocols can provide additional strong protections against modification on servers
Integrity - 1
- Potential Benefits
  - Authenticity of electronic records
  - Strong integrity protections in transit
Integrity - 2
- Desirable Properties
  - Data Integrity
    - Accuracy, Auditability, Verifiability, Traceability, Recoverability
  - Software Integrity
Integrity - 3
- Threats
  - Ballot modification after reception
    - Procedural protections for mail-in/fax voting
    - Variety of potential sophisticated large-scale attacks on electronic systems
  - Ballot modification in transit
    - Generally difficult with mail-in, fax, telephone voting
    - Possible with unencrypted email
    - Web-based methods easy to protect
  - Software-based threats, server-side
  - Software-based threats, client-side
    - GTISC: 15% of US computers infected with botnet malware
    - Malware kits available on the black market for <$1000
Integrity - 4
- Mitigations for Electronic Transmission
  - Client-side protections are very difficult
    - These systems are typically outside the control of election officials
    - Antivirus/antiphishing software may not be present, up to date, or effective
    - An area with continuous research and development
  - Emerging technologies: trusted computing and/or virtualization
  - Kiosks can enforce protections
Availability - 1
- Potential Benefits
  - Timeliness of delivery
  - Confirmation of receipt
  - Flexibility of physical locations
Availability - 2
- Desirable Properties
  - Availability
  - Reliability
  - Recoverability
  - Fault-Tolerance
  - Fail-Safe
  - Scalable
Availability - 3
- Threats
  - Transit times
    - Overseas mail delivery times vary (e.g., 7-12 days to Middle East)
    - Electronic systems have significant advantages
  - Denial of Service attacks
    - Cyber attacks on e-commerce sites, Estonia (2007), Georgia (2008)
    - Difficult to guard against, but easy to detect
  - Client-side disruption
    - Small-scale attacks with mail-in voting
    - Large-scale attacks possible with electronic methods (e.g., malware)
Availability - 4
- Mitigations for Electronic Transmission
  - Attacks on availability cannot be prevented, but can be made more difficult
    - Redundancy and over-provisioning
    - Coordinating with Internet service providers for filtering
    - Emerging technology: cloud computing
  - DoS attacks difficult to prevent, but easy to detect
I&A - 1
- Potential Benefits
  - Automated authentication mechanisms
  - Strong remote authentication
I&A - 2
- Desirable Properties
  - Voter/Administrator/Component I&A
  - Non-transferable credentials
I&A - 3
- Threats
  - Strength of authentication mechanisms
    - Mail-in, fax, and email rely on verification of hand signatures
    - Stronger mechanisms available for web-based systems
  - Credential selling
    - Same impact as vote selling
    - Large-scale attacks possible depending on authentication mechanism (e.g., PIN, password)
  - Phishing/pharming
    - Major threats to web-based systems
    - 2008 Gartner report: 5 million victims
    - Low-tech, but highly effective attack
  - Malware attacks
    - May allow theft of voters' and administrators' credentials
  - Social engineering
    - May result in theft of administrator credentials
I&A - 4
- Mitigations for Electronic Transmission
  - Strong authentication mechanisms exist
    - PINs and passwords are cheap, but comparatively easy to steal
    - One-time password devices require deployment of physical devices to voters
    - Cryptographic authentication methods offer the strongest assurances, but may be expensive to deploy
  - Smart card authentication
    - Common Access Card already deployed to military personnel
    - Lack of smart card readers on personally-owned computers
    - Intended to be used by the 2004 SERVE project
  - In-person authentication at supervised kiosks
Next Steps - 1
- Best Practices documents
  - Use security best practices as input to updating EAC UOCAVA Best Practices
  - Must also bring in usability, accessibility, and election management best practices
Next Steps - 2
- Security research documents
  - Threats, mitigating security controls, and current/emerging technologies will serve as basis for draft risk management matrices
  - NIST will work with the voting community to fill in remaining issues
NIST UOCAVA Voting Documents
All documents will be available at:
http://vote.nist.gov