This project outlines the integration of the DITSCAP (DoD Information Technology Security Certification and Accreditation Process) for a secure e-voting system. It details the purpose and procedures for security certification and accreditation, focusing on the System Security Authorization Agreement (SSAA). The project highlights risk assessments, threat and vulnerability analysis, and preliminary defenses, ensuring data confidentiality and integrity. Additionally, it covers penetration testing measures and outlines lessons learned for future enhancements in e-voting security.
E-voting DITSCAP Project
UCCS POC: Edward Chow
Boeing POC: Izzy Rodriguez
Team: Samarpita Hurkute, Kunal Bele, Shin Nam, Saroj Patil, Chuck Short, Rajshri Vispute
DITSCAP
DITSCAP Overview
• DITSCAP – DoD Information Technology Security Certification and Accreditation Process
• Purpose
• Implements policy, assigns responsibilities, and prescribes procedures for Certification and Accreditation (C&A) of IT
• Creates a process for security C&A of unclassified and classified IT
SSAA Overview
• SSAA – System Security Authorization Agreement
• It is a document required by the DITSCAP
• What it does
• Defines the operating environment of the system
• Identifies the “system”
• Defines risks and countermeasures
• Documents the agreement among all parties involved in the system
Project Overview
• Use the E-voting system to walk through the DITSCAP process and requirements, including penetration testing and threat/vulnerability assessment, and document the SSAA, which is to be approved by the Boeing POC.
E-voting System
• E-voting allows single-choice ballots
• The election administrator creates the election parameters with the help of PTC (Paillier Threshold Cryptography) encryption
• The administrator submits the election parameters to VotingService
• Voters load the election parameters and cast encrypted votes
• Paillier encryption is additively homomorphic: the product of the encrypted votes decrypts to the sum of all votes, so the tally is obtained without decrypting any individual ballot
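The homomorphic tally described above, as an added example that is not code from the UCCS/Boeing project or from the PTC web service it uses. It implements single-key Paillier (key generation, encryption, decryption) and packs a single-choice ballot as 2^(slot·bits) so that one decryption of the product yields every candidate's count. Threshold decryption, where the private key is shared among trustees, is assumed away here: one party holds the whole key. The consistency check at the end is an assumption of this example, not a feature of the project; it catches a ballot that encrypts an out-of-range value (the "Tampering" threat), which production schemes prevent with a zero-knowledge proof of ballot validity instead.

```python
"""Additively homomorphic vote tally with Paillier encryption (added example).

Simplification: a single private key instead of the threshold scheme the
project uses. Key sizes here are far too small for real use.
"""
import secrets
from math import gcd, lcm


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; error probability below 4**-rounds for composite n."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 256):
    """Return ((n, g), (lam, mu)). With g = n + 1, L(g^lam mod n^2) = lam, so mu = lam^-1 mod n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n = p * q
        if p != q and gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = lcm(p - 1, q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def encrypt(pub, m: int) -> int:
    """Enc(m) = g^m * r^n mod n^2 with fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """Dec(c) = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n) * mu % n


def cast_ballot(pub, choice: int, candidates: int, bits_per_slot: int) -> int:
    """Single-choice ballot: candidate i is encoded as 2**(i * bits_per_slot)."""
    if not 0 <= choice < candidates:
        raise ValueError("choice out of range")
    return encrypt(pub, 1 << (choice * bits_per_slot))


def tally(pub, priv, ballots, candidates: int, bits_per_slot: int):
    """Multiply ciphertexts, decrypt once, and unpack the per-candidate counts."""
    n, _ = pub
    n2 = n * n
    product = 1
    for c in ballots:
        product = product * c % n2
    total = decrypt(pub, priv, product)
    mask = (1 << bits_per_slot) - 1
    counts = [(total >> (i * bits_per_slot)) & mask for i in range(candidates)]
    # Assumed sanity check: every valid ballot adds exactly one to one slot.
    if sum(counts) != len(ballots):
        raise ValueError("tally inconsistent: some ballot encrypted an invalid value")
    return counts


if __name__ == "__main__":
    pub, priv = keygen()
    votes = [0, 1, 1, 2, 1, 0]           # constructed sample election
    ballots = [cast_ballot(pub, v, 3, 16) for v in votes]
    print(tally(pub, priv, ballots, 3, 16))
```

Each ballot is re-randomised by r, so two votes for the same candidate produce different ciphertexts and the server storing the ballots learns nothing about individual choices; only the holder of (lam, mu) can open the product, which is exactly why the project splits that key across trustees.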
Threat Model
• Spoofing – the identity of the voter cannot be trusted
• Tampering – a vote for Candidate A could be reassigned to Candidate B, or vice versa
• Repudiation – parties involved in the E-voting process are not reliably identified, so a voter or official can deny an action
• Information Disclosure – disclosing the tally count before the election closes
• Denial of service – making the E-voting system unavailable to its intended users
• Elevation of privilege – gaining system privileges through malicious means
Threat Scenarios
• Breaking encryption – tampering with the public and private keys
• Allocating observation with data
• Physical access – a reachable terminal or server can be used to mount attacks such as SQL injection
• The Electronic Ballot Casting Device – a ‘Trojan horse’ on the voting terminal
• The Voting Protocol – sniffing on the network
• The Electoral Server – depending on the voting protocol applied, the election servers are a point of vulnerability
• Other Anonymity Threats – the Voter Audit Trail could also be used to link a voter to their vote
Preliminary Defenses
• Configure firewall
• iptables rules

```bash
# Masquerade the private voting network behind the gateway's public interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward ICMP and RDP (TCP 3389) arriving at the public address to the internal host
iptables -t nat -A PREROUTING -p icmp -i eth0 -d 128.198.60.139 -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 128.198.60.139 --dport 3389 -j DNAT --to-destination 10.0.0.2
# Block SMTP both to the gateway itself and through it
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP
```

As written, the ruleset sets no default-deny policy on the INPUT or FORWARD chains and publishes RDP on 10.0.0.2 to any source address; the SSAA should either record that exposure as accepted risk or the DNAT rule should be restricted to administrator source addresses.
Vulnerability Analysis
• Nessus scan
• nmap scan
• Metasploit
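One way to turn the nmap scan into a check against the firewall's intended exposure, as an added example that is not part of the project's deliverables: the scan is run with `nmap -oX`, the XML is parsed, and every open port is compared with the set the iptables rules are meant to publish (only TCP 3389 on the public address). The XML below is constructed for the example and the extra open port in it is hypothetical; the public address is the one from the firewall rules.

```python
"""Compare nmap XML output with the ports the firewall is meant to expose (added example)."""
import xml.etree.ElementTree as ET

# Derived from the iptables rules: only RDP is forwarded to the internal host.
ALLOWED_OPEN = {"tcp/3389"}

# Constructed sample output, in the layout nmap produces with -oX; the open
# port 22 is a hypothetical finding, not a result from the project's scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="128.198.60.139" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text: str):
    """Return (address, 'proto/port', service) for every open port in the scan."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = next(
            (a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"),
            None,
        )
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            findings.append(
                (addr, f"{port.get('protocol')}/{port.get('portid')}",
                 service.get("name") if service is not None else None)
            )
    return findings


def unexpected_exposure(findings, allowed=ALLOWED_OPEN):
    """Open ports that the firewall policy does not account for."""
    return [f for f in findings if f[1] not in allowed]


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_XML)
    for addr, port, svc in unexpected_exposure(found):
        print(f"UNEXPECTED {addr} {port} ({svc})")
```

A non-empty result is the finding to carry into the SSAA threat section or the firewall rule review; an empty result only confirms the scanned port range, so the nmap invocation should cover all 65535 TCP ports and UDP as well.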
SSAA Contents
• System description along with functional diagrams
• Highlights the sensitivity of the data processed
• System architecture diagram with firewall
• Physical security of the E-voting system
• Threats to the E-voting system
• Data flow diagram
• Data security requirements
Future Work
Lessons Learned
• How to make the system more secure
• What is involved in creating an SSAA document
• What a Concept of Operations (CONOPS) is
• The basics of Paillier Threshold Cryptography
• The security issues surrounding E-voting systems
References
• Brett Wilson, UCCS, Implementing a Paillier Threshold Cryptography Scheme as a Web Service.
• http://www.nswc.navy.mil/ISSEC/COURSES/Ditscap.ppt
• http://www.i-assure.com/
• http://viva.uccs.edu/ditscap/index.php/Image:DITSCAP.pdf
• http://viva.uccs.edu/ditscap/index.php/Image:DITSCAP_Application_Manual.pdf
• http://viva.uccs.edu/ditscap/index.php/Image:SSAA_Guidance.doc