
Security Considerations for Remote Electronic UOCAVA Voting






Presentation Transcript


  1. Security Considerations for Remote Electronic UOCAVA Voting
     Andrew Regenscheid
     National Institute of Standards and Technology
     http://vote.nist.gov

  2. Overview
     • Background on NIST UOCAVA Voting Work
       • 2008: Threat Analysis on UOCAVA Voting Systems
       • 2010: Information System Security Best Practices for UOCAVA Supporting Systems
       • 2010: Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
     • Overview of Security Considerations for Remote Electronic UOCAVA Voting

  3. Background - 1
     • NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
     • Concluded that threats to electronic transmission of registration materials and blank ballots can be effectively mitigated with widely deployed technology
     • Threats to electronic return of ballots are more serious and challenging to overcome

  4. Background - 2
     • Registration/Ballot Request and Ballot Delivery
       • Developed two best practices documents
         • NISTIR 7682: Information System Security Best Practices for UOCAVA Supporting Systems
         • NISTIR 7711: Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
     • Ballot Return
       • Research document framing important security issues for policymakers
         • Security Considerations for Remote Electronic UOCAVA Voting
       • Collaboration between NIST computer security and human factors experts

  5. Report Overview - 1
     Security Considerations for Remote Electronic UOCAVA Voting
     The report identifies:
     • Potential benefits
     • Desirable security properties
     • Major security threats
     • Current and emerging technologies
     • Open issues

  6. Report Overview - 2
     Organized by security goals:
     • Confidentiality
     • Integrity
     • Availability
     • Identification and Authentication

  7. Report Overview - 3
     • Potential Benefits
     • Desirable Properties, based on properties/requirements in:
       • SERVE documentation
       • Internet voting Common Criteria Protection Profile
       • Council of Europe standards

  8. Report Overview - 4
     • Threats
       • Identifies and describes major threats
       • Based on threats identified in NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
     • Current and Emerging Technologies
     • Open Issues

  9. Confidentiality - 1
     Potential Benefits
     • Strong technical ballot secrecy protections
     • Some protection against unsophisticated coercion attacks

  10. Confidentiality - 2
     Desirable Properties
     • Ballot secrecy
     • Protect voter registration information
     • Receipt-free
     • Minimal storage
     • Limited communication

  11. Confidentiality - 3
     Threats
     • Violating ballot secrecy at election office
     • Violating ballot secrecy in transit
       • Large-scale attacks generally difficult with mail-in, fax, and telephone voting
       • Possible with unencrypted email
       • Web-based methods easy to protect
     • Coercion
       • Small-scale attacks via mail-in voting
       • Attacks scale better with electronic methods
     • Client-side threats to email/web voting

  12. Confidentiality - 4
     Mitigations for Electronic Transmission
     • Proper use of cryptography can provide strong protections for data in transit against modification or interception
     • Cryptography, access control mechanisms, and separation of duties can protect ballots on servers
     • End-to-end cryptographic voting protocols can provide additional ballot secrecy protections
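The slide's point that "proper use" of cryptography covers both interception and modification is worth seeing concretely, because encryption on its own only addresses the first. The following is an added example (not code from the NIST report or this deck) of an encrypt-then-MAC wrapper for a ballot in transit, using only the Python standard library. The keystream generator (HMAC-SHA256 in counter mode), the key names and the sample ballot are assumptions for illustration; a deployed system would use a standard AEAD such as AES-GCM. The unchecked decryptor is included to show what a receiver that skips the integrity check would see after a single corrupted byte: a different, plausible-looking ballot and no error.

```python
import hashlib
import hmac
import secrets

# Constructed keys for the demonstration. In a deployed system these would be
# held by the election server's key-management system, never by the voter's client.
ENC_KEY = secrets.token_bytes(32)
MAC_KEY = secrets.token_bytes(32)

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes with HMAC-SHA256 in counter mode.
    Illustrative PRF-based stream cipher, not a standardised algorithm."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(ballot: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY) -> bytes:
    """Encrypt-then-MAC: confidentiality from the keystream, integrity from the tag.
    Wire format: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = xor_bytes(ballot, keystream(enc_key, nonce, len(ballot)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(message: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY):
    """Verify the tag first; only a message that passes is decrypted.
    Returns the ballot, or None if the message was modified in transit."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def decrypt_without_check(message: bytes, enc_key: bytes = ENC_KEY) -> bytes:
    """What a receiver that encrypts but never authenticates would compute:
    it decrypts whatever arrives and cannot tell that it was altered."""
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def corrupt_in_transit(message: bytes, offset: int = NONCE_LEN) -> bytes:
    """Simulate one flipped bit while the message is in transit; a line fault
    and a deliberate modification look the same to the receiver."""
    altered = bytearray(message)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    ballot = b"contest=governor;choice=2"   # constructed sample ballot
    wire = protect(ballot)
    print("intact   :", unprotect(wire))
    damaged = corrupt_in_transit(wire)
    print("unchecked:", decrypt_without_check(damaged))  # silently wrong ballot
    print("checked  :", unprotect(damaged))              # None: rejected
```

The design choice to verify before decrypting (and to compare tags in constant time) is what turns "encrypted" into "protected against modification"; the same check also rejects a corrupted tag or a truncated message, so the election office never records a ballot it cannot vouch for.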

  13. Integrity - 1
     Potential Benefits
     • Authenticity of electronic records
     • Strong integrity protections in transit

  14. Integrity - 2
     Desirable Properties
     • Data Integrity
     • Accuracy
     • Auditability
     • Verifiability
     • Traceability
     • Recoverability
     • Software Integrity

  15. Integrity - 3
     Threats
     • Ballot modification after reception
     • Ballot modification in transit
       • Large-scale attacks generally difficult with mail-in, fax, and telephone voting
       • Possible with unencrypted email
       • Web-based methods easy to protect
     • Software-based threats, server-side
     • Software-based threats, client-side
       • GTISC: 15% of US computers infected with botnet malware
       • Malware kits available on the black market for <$1000

  16. Integrity - 4
     Mitigations for Electronic Transmission
     • Client-side protections are very difficult to enforce
       • These systems are typically outside the control of election officials
       • Antivirus/antiphishing software may not be present, up to date, or effective
     • An area with continuous research and development
       • Emerging technologies: trusted computing and/or virtualization
     • Kiosks can enforce protections

  17. Availability - 1
     Potential Benefits
     • Timeliness of delivery
     • Confirmation of receipt
     • Flexibility of physical locations

  18. Availability - 2
     Desirable Properties
     • Availability
     • Reliability
     • Recoverability
     • Fault-Tolerance
     • Fail-Safe
     • Scalable

  19. Availability - 3
     Threats
     • Transit times
       • Overseas mail delivery times vary (e.g., 7-12 days to the Middle East)
       • Electronic systems have significant advantages
     • Denial of Service attacks
       • Cyber attacks on e-commerce sites, Estonia (2007), Georgia (2008)
       • Difficult to guard against, but easy to detect
     • Client-side disruption
       • Small-scale attacks with mail-in voting
       • Large-scale attacks possible with electronic methods (e.g., malware)

  20. Availability - 4
     Mitigations for Electronic Transmission
     • Attacks on availability cannot be prevented, but can be made more difficult
       • Redundancy and over-provisioning
       • Coordinating with Internet service providers for filtering
       • Emerging technology: cloud computing
     • DoS attacks difficult to prevent, but easy to detect
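The deck twice says that denial of service is "difficult to prevent, but easy to detect", and the detection half is simple enough to show. The following is an added example (not from the NIST report or this deck) of the kind of sliding-window rate check an election office's operations team could run over its web-server logs to raise the alert that, in turn, triggers the ISP filtering the slide mentions. The log format, the addresses (documentation range 203.0.113.0/24), the timestamps and the thresholds are all constructed for the example.

```python
import datetime as dt
from collections import defaultdict, deque

WINDOW = dt.timedelta(seconds=5)   # sliding window length (assumed)
PER_SOURCE_LIMIT = 20              # requests per source per window before alerting (assumed)


def build_sample_log():
    """Constructed web-server log lines: 'timestamp source_ip method path status'.
    Five sources browse at a normal pace; one source floods the ballot endpoint."""
    start = dt.datetime(2010, 11, 2, 9, 0, 0)   # constructed timestamp
    events = []
    for host in range(1, 6):
        for i in range(10):                      # one request every 3 s
            events.append((start + dt.timedelta(seconds=3 * i), f"203.0.113.{host}"))
    for i in range(60):                          # 60 requests within 3 s
        events.append((start + dt.timedelta(seconds=20, milliseconds=50 * i), "203.0.113.99"))
    events.sort()
    return [f"{ts.isoformat()} {ip} GET /ballot 200" for ts, ip in events]


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip)."""
    ts_text, ip, _method, _path, _status = line.split()
    return dt.datetime.fromisoformat(ts_text), ip


def detect_floods(lines, window=WINDOW, limit=PER_SOURCE_LIMIT):
    """Return {source_ip: time_of_first_alert} for every source that sends more
    than `limit` requests inside any `window`. Lines are processed in time order,
    and each source is reported once so a sustained flood does not spam the console."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for ts, ip in sorted(parse_line(line) for line in lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > limit and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} source {ip} exceeded {PER_SOURCE_LIMIT} requests / {WINDOW.seconds}s")
```

A per-source counter like this catches a single noisy client; a distributed attack spreads the load across many sources, so the same window logic should also be run on the aggregate request rate, which is the signal that tells operators when to bring in the over-provisioned capacity or upstream filtering the slide lists.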

  21. I&A - 1
     Potential Benefits
     • Automated authentication mechanisms
     • Strong remote authentication

  22. I&A - 2
     Desirable Properties
     • Voter/Administrator/Component I&A
     • Non-transferable credentials

  23. I&A - 3
     Threats
     • Strength of authentication mechanisms
       • Mail-in, fax, and email rely on verification of hand signatures
       • Stronger mechanisms available for web-based systems
     • Credential selling
       • Same impact as vote selling
       • Large-scale attacks may be possible depending on authentication mechanism (e.g., PIN, password)
     • Phishing/Pharming
       • Major threats to web-based systems
       • 2008 Gartner report: 5 million victims
     • Malware attacks
     • Social engineering

  24. I&A - 4
     Mitigations for Electronic Transmission
     • Strong authentication mechanisms exist
       • PINs and passwords are cheap, but comparatively easy to steal
       • One-time password devices require deployment of physical devices to voters
       • Cryptographic authentication methods offer the strongest assurances, but may be expensive to deploy
     • Smart Card Authentication
       • Common Access Card already deployed to military personnel
       • Lack of smart card readers on personally-owned computers
       • Intended to be used by the 2004 SERVE project
     • In-person authentication at supervised kiosks
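The slide ranks PINs below cryptographic authentication because a PIN is the secret itself: whatever observes it once (a phishing page, a keylogger, a shoulder-surfer) holds a credential that keeps working. The following is an added example (not from the NIST report or this deck) that puts a static-PIN server beside a minimal challenge-response server of the kind a smart card or OTP token implements, and shows why an observed transcript of the second is useless for a later login. The voter identifier, PIN, device secret, class names and the HMAC-SHA256 construction are assumptions for illustration; real CAC authentication uses X.509 certificates and signatures, but the freshness argument is the same.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data; real credentials are issued at voter registration.
VOTER_ID = "voter-0001"
PIN = "4829"
DEVICE_SECRET = secrets.token_bytes(32)


class PinServer:
    """Static-secret authentication: the voter sends the PIN itself."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._records = {}

    def enrol(self, voter_id, pin):
        self._records[voter_id] = self._digest(pin)

    def _digest(self, pin):
        # Slow salted hash so a stolen database does not yield PINs directly
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def login(self, voter_id, pin):
        stored = self._records.get(voter_id)
        return stored is not None and hmac.compare_digest(stored, self._digest(pin))


class ChallengeResponseServer:
    """Cryptographic authentication: the voter's device proves possession of a
    secret by keying an HMAC over a fresh server nonce; the secret never leaves it."""

    def __init__(self):
        self._secrets = {}
        self._pending = {}

    def enrol(self, voter_id, secret):
        self._secrets[voter_id] = secret

    def challenge(self, voter_id):
        nonce = secrets.token_bytes(16)
        self._pending[voter_id] = nonce   # one outstanding challenge per voter
        return nonce

    def login(self, voter_id, response):
        nonce = self._pending.pop(voter_id, None)  # each nonce is accepted once
        secret = self._secrets.get(voter_id)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(secret, nonce):
    """What the voter's token or smart card computes; the secret stays on the device."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def observed_pin_is_reusable():
    """A PIN seen once during a legitimate login still works at a later login."""
    server = PinServer()
    server.enrol(VOTER_ID, PIN)
    assert server.login(VOTER_ID, PIN)
    observed = PIN                      # what an observer of the first login saw
    return server.login(VOTER_ID, observed)


def observed_response_is_reusable():
    """A challenge-response transcript seen once does not work at a later login,
    because the server issues a new nonce and the old response no longer matches."""
    server = ChallengeResponseServer()
    server.enrol(VOTER_ID, DEVICE_SECRET)
    nonce = server.challenge(VOTER_ID)
    observed = device_respond(DEVICE_SECRET, nonce)
    assert server.login(VOTER_ID, observed)
    server.challenge(VOTER_ID)          # next session: fresh nonce
    return server.login(VOTER_ID, observed)


if __name__ == "__main__":
    print("observed PIN reusable:     ", observed_pin_is_reusable())
    print("observed response reusable:", observed_response_is_reusable())
```

The cost side of the slide's trade-off is visible in the code as well: the challenge-response server needs nothing more than the PIN server does, but the voter needs a device that holds the secret and computes the response, which is exactly the "deployment of physical devices" and the missing card readers the slide calls out.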

  25. Next Steps - 1
     • Best Practices documents
       • Solicit comments from jurisdictions and the voting community and update documents
       • Use these documents as input to updating EAC UOCAVA Best Practices
       • Must also bring in usability, accessibility, and election management best practices

  26. Next Steps - 2
     • Security research documents
       • Threats, mitigating security controls, and current/emerging technologies will serve as input to the risk management framework process
       • NIST will work with the TGDC and the voting community to fill in remaining issues

  27. NIST UOCAVA Voting Documents
     All documents will be available at: http://vote.nist.gov
