
German Research Center for Artificial Intelligence

Protection Profile for Central Requirements for Online Voting

German Research Center for Artificial Intelligence (DFKI GmbH)

Saarbrücken, Germany

Melanie Volkamer

Deutsches Forschungszentrum für Künstliche Intelligenz

Overview

• Project formation

• Introduction to the Common Criteria Protection Profiles

• Project
  – General information (duration, status, …)
  – Content (assumptions, threats, objectives, EAL, …)
  – Challenges

• Relation to the CoE recommendations

Project Formation

• First online election in the GI in 2004

• Development of a requirement catalogue in 2005
  – Based on the CoE recommendation and the PTB catalogue
  – How to evaluate the system against it? By whom?

Common Criteria / Protection Profile

• Building up a PP GI group led by Prof. Grimm

• Involving M. Weinand (BSI) – CC expertise

• Project at the DFKI underwritten by the BSI
  – Funding for development, evaluation and certification

Introduction to the CC

• International standard (ISO/IEC 15408) for Information Technology Security Evaluation (CC)

Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey

• Idea: confidence in IT security through actions taken during development, evaluation and operation

• 4 groups: customers, developers, evaluators, certification authority

• 3 parts: introduction, security functional requirements, assurance requirements

• Implementation-independent statement of security needs for an IT system/product

Protection Profile

• EAL 1–7
  – EAL 1: functional testing
  – EAL 4: methodically designed, tested and reviewed
  – EAL 7: formally verified design and tested

General Information

• Project 1: PP for Online Voting – voting period
  – Starting at the end of 2005, deadline Sep. 2006
  – Analyzing: CoE, PTB and GI catalogue
  – Advisory Board:
    • Researchers: Koblenz, Gießen, Wien, …
    • Users: GI, Ministry of workers & social affairs, …
    • Companies: Micromata, T-Systems, Scytl, …
    • Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …
  – 2 meetings and 2 annotation phases
  – Cooperation between BSI and GI

General Information (2)

• Project 2: result calculation, CC 3.1, English version
  – Current state:
    • Extension for result calculation
    • Change to CC 3.1
    • PP is in the evaluation process (testing authority: SRC)
  – GI is planning to commission the certification

• Project 3: ?? PP for robust Online Voting Systems ??
  – More requirements on the ToE
  – Taking observation into account
  – …

Content - Assumptions

• Information about intended use
  – Election data are properly installed on the ToE
  – The election committee uses only the ToE functions
  – Nobody is watching the voter while he votes
  – The voter knows how to deal with his means of identification and authentication and is consistent in doing so

• Information about the environment
  – Client device (voter's responsibility) / election server is trustworthy
  – Network and election server are available
  – Only the election committee has access to the election server
  – Storage hardware is functioning correctly
  – The correct time source is available

Content - Threats

• Unauthorised users cast a vote

• Voters use data on their clients to prove their vote

• Network attackers
  – delete/add/alter messages to change results
  – read messages to break election secrecy
  – redirect the voter to a faked server

• Persons with access to the data stored on the ToE after the counting can
  – change the stored data
  – break election secrecy

Organizational Security Policies

• Functionality of cancelling the vote
• Functionality to prevent the EC from accidentally closing the poll
• Functionality to prevent voters from accidentally casting a ballot
• Functionality to correct the vote before casting
• Functionality of a confirmation (vote was stored successfully)
• Functionality for the EC to recognise disruptions
• Functionality of logging specified actions
• Functionality to ensure the one voter, one vote principle
• Functionality to accurately count all stored votes

Organizational Security Policies (2)

• No functionality for the EC to break the election secrecy
• No functionality for the EC to add/remove/alter votes
• No functionality for a restart after closing the poll
• No functionality to compute intermediate results
• No functionality to read authentication tokens
• No votes are accepted after closing the poll
• Access control mechanisms support a separation of duty
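The policies on this slide and the previous one, modelled as an added illustration (not code from the DFKI/GI Protection Profile or any evaluated product): a hypothetical election-server ToE whose guards correspond one-to-one to the listed policies, so that each rule can be exercised and checked. The class and method names (`ElectionServer`, `cast`, `close_poll`, `tally`) and the voter and election-committee ids are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ElectionServer:
    """Hypothetical election-server ToE enforcing the PP's organizational policies."""
    eligible: set                                   # authorised voter ids
    closed: bool = False
    ballots: list = field(default_factory=list)     # stored votes, no link to voters
    voted: set = field(default_factory=set)         # who has cast (one voter one vote)
    log: list = field(default_factory=list)         # logging of specified actions

    def cast(self, voter_id: str, choice: str, confirmed: bool) -> str:
        if self.closed:                             # no votes are accepted after closing
            self.log.append(("rejected_after_close", voter_id))
            return "rejected: poll closed"
        if voter_id not in self.eligible:           # unauthorised users cannot vote
            self.log.append(("rejected_unauthorised", voter_id))
            return "rejected: not eligible"
        if voter_id in self.voted:                  # one voter one vote
            self.log.append(("rejected_duplicate", voter_id))
            return "rejected: already voted"
        if not confirmed:                           # voter may still correct or cancel
            return "pending: confirm to cast"
        self.ballots.append(choice)                 # choice stored without voter_id
        self.voted.add(voter_id)
        self.log.append(("vote_stored", voter_id))
        return "confirmed: vote stored"             # confirmation that the vote was stored

    def close_poll(self, approvals: set, required: set) -> bool:
        # separation of duty: every required EC member must approve, which
        # also prevents a single member from closing the poll by accident
        if not required <= approvals:
            return False
        self.closed = True
        self.log.append(("poll_closed", tuple(sorted(approvals))))
        return True

    def reopen(self) -> None:
        raise PermissionError("no restart after closing the poll")

    def tally(self) -> dict:
        if not self.closed:                         # no intermediate results
            raise PermissionError("poll still open")
        return dict(Counter(self.ballots))          # count all stored votes
```

The ballot list deliberately holds only the choice, so even a party with full read access to the stored data after counting cannot link a vote to a voter; the log records voter ids but never the choice.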

EAL 2

Relation to the CoE

• Classification of the CoE recommendations according to different categories
  – Functional: Security Functional Requirements
    • Security
    • Functionality
    • Usability
  – Organizational: Appendix B
  – Auditing: Project 3
  – Assurance: EAL 2
    • Manufacturer
    • Evaluator (not source code)

Conclusion

• Intention of certified products
  – Increased convenience for the voter
  – Why not for all kinds of elections?

• Next steps?
  – Evaluation and certification of systems
  – Work in progress
  – More "robust" protection profile: discussions about content

• How to integrate the PP into the law?

Thank you for your attention!

General contact: [email protected]

Protection Profile as an e-mail: [email protected] (Subject: Protection Profile in English)