270 likes | 483 Vues
Security Considerations for Remote Electronic UOCAVA Voting. Andrew Regenscheid National Institute of Standards and Technology http://vote.nist.gov. Overview. Background on NIST UOCAVA Voting Work 2008- Threat Analysis on UOCAVA Voting Systems
E N D
Security Considerations for Remote Electronic UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology http://vote.nist.gov
Overview Background on NIST UOCAVA Voting Work 2008- Threat Analysis on UOCAVA Voting Systems 2010- Information System Security Best Practices for UOCAVA Supporting Systems 2010- Security Best Practices for the Electronic Transmission of UOCAVA Election Materials Overview of Security Considerations for Remote Electronic UOCAVA Voting
Background - 1 • NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems • Concluded that threats to electronic transmission of registration materials and blank ballots can be effectively mitigated with widely deployed technology • Threats to electronic return of ballots more serious and challenging to overcome Page 3
Background - 2 • Registration/Ballot Request and Ballot Delivery • Developed two best practices documents • NISTIR 7682: Information System Security Best Practices for UOCAVA Supporting Systems • NISTIR 7711: Security Best Practices for the Electronic Transmission of UOCAVA Election Materials • Ballot Return • Research document framing important security issues for policymakers • Security Considerations for Remote Electronic UOCAVA Voting • Collaboration between NIST computer security and human factors experts Page 4
Report Overview - 1 Security Considerations for Remote Electronic UOCAVA Voting Report identifies: Potential benefits Desirable security properties Major security threats Current and emerging technologies Open issues
Report Overview - 2 Organized by security goals • Confidentiality • Integrity • Availability • Identification and Authentication Page 6
Report Overview - 3 • Potential Benefits • Desirable Properties- Based on properties/requirements in • SERVE documentation • Internet voting Common Criteria Protection Profile • Council of Europe standards Page 7
Report Overview - 4 • Threats • Identifies and describes major threats • Based on threats identified in NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems • Current and Emerging Technologies • Open Issues Page 8
Confidentiality - 1 Potential Benefits • Strong technical ballot secrecy protections • Some protection against unsophisticated coercion attacks Page 9
Confidentiality - 2 Desirable Properties • Ballot secrecy • Protect voter registration information • Receipt-free • Minimal storage • Limited communication Page 10
Confidentiality - 3 Threats Violating ballot secrecy at election office Violating ballot secrecy in-transit Large-scale attacks generally difficult with mail-in, fax, and telephone voting Possible with unencrypted email Web-based methods easy to protect Coercion Small scale attacks via mail-in voting Attacks scale better with electronic methods Client-side threats to email/web voting Page 11
Confidentiality - 4 Mitigations for Electronic Transmission Proper use of cryptography can provide strong protections for data in-transit against modification or interception Cryptography, access control mechanisms, and separation of duties can protect ballots on servers End-to-end cryptographic voting protocols can provide additional ballot secrecy protections Page 12
Integrity - 1 Potential Benefits • Authenticity of electronic records • Strong integrity protections in-transit Page 13
Integrity - 2 Desirable Properties • Data Integrity • Accuracy • Auditability • Verifiability • Traceability • Recoverability • Software Integrity Page 14
Integrity - 3 Threats Ballot modification after reception Ballot modification in-transit Large-scale attacks generally difficult with mail-in, fax, telephone voting Possible with unencrypted email Web-based methods easy to protect Software-based threats server-side Software-based threats client-side GTISC- 15% of US computers infected with botnet malware Malware kits available on the black-market for <$1000 Page 15
Integrity - 4 Mitigations for Electronic Transmission • Client side protections are very difficult to enforce • These systems are typically outside control of election officials • Antivirus/antiphishing software may not be present, update-to-date, or effective • An area with continuous research and development • Emerging technologies: Trusted computing and/or virtualization • Kiosks can enforce protections Page 16
Availability - 1 Potential Benefits • Timeliness of delivery • Confirmation of receipt • Flexibility of physical locations Page 17
Availability - 2 Desirable Properties • Availability • Reliability • Recoverability • Fault-Tolerance • Fail-Safe • Scalable Page 18
Availability - 3 Threats Transit times Overseas mail delivery times vary (e.g., 7-12 days to Middle East) Electronic systems have significant advantages Denial of Service attacks Cyber attacks on e-commerce sites, Estonia (2007), Georgia (2008) Difficult to guard against, but easy to detect Client-side disruption Small-scale attacks with mail-in voting Large scale attacks possible with electronic methods (e.g., malware) Page 19
Availability - 4 Mitigations for Electronic Transmission • Attacks on availability cannot be prevented, but can be made more difficult • Redundancy and over-provisioning • Coordinating with Internet service providers for filtering • Emerging technology: Cloud computing • DoS attacks difficult to prevent, but easy to detect
I&A - 1 Potential Benefits • Automated authentication mechanisms • Strong remote authentication Page 21
I&A - 2 Desirable Properties • Voter/Administrator/Component I&A • Non-transferable credentials Page 22
I&A - 3 Threats Strength of authentication mechanisms Mail-in, fax, and email rely on verification of hand signatures Stronger mechanisms available for web-based systems Credential Selling Same impact as vote selling Large-scale attacks may be possible depending on authentication mechanism (e.g., PIN, password) Phishing/Pharming Major threats to web-based systems 2008 Gartner report- 5 million victims Malware attacks Social engineering Page 23
I&A - 4 Mitigations for Electronic Transmission • Strong authentication mechanisms exist • PINs and passwords are cheap, but comparatively easy to steal • One-time password devices require deployment of physical devices to voters • Cryptographic authentication methods offer the strongest assurances, but may be expensive to deploy • Smart Card Authentication • Common Access Card already deployed to military personnel • Lack of smart card readers on personally-owned computers • Intended to be used by the 2004 SERVE project • In-person authentication at supervised kiosks Page 24
Next Steps - 1 • Best Practices documents • Solicit comments from jurisdictions and the voting community and update documents • Use these documents as input to updating EAC UOCAVA Best Practices • Must also bring in usability, accessibility, and election management best practices Page 25
Next Steps - 2 • Security research documents • Threats, mitigating security controls, and current/emerging technologies will serve as input to the risk management framework process • NIST will work with the TGDC and the voting community to fill in remaining issues Page 26
All documents will be available at: http://vote.nist.gov NIST UOCAVA Voting Documents