German Research Center for Artificial Intelligence
Protection Profile for Central Requirements for Online Voting
German Research Center for Artificial Intelligence (DFKI GmbH), Saarbrücken, Germany
Melanie Volkamer
Deutsches Forschungszentrum für Künstliche Intelligenz
Overview
• Project formation
• Introduction to the Common Criteria (CC) and Protection Profiles (PP)
• Project
  – General information (duration, status, …)
  – Content (assumptions, threats, objectives, EAL, …)
  – Challenges
• Relation to the CoE recommendations
Project Formation
• First online election in the GI (Gesellschaft für Informatik) in 2004
• Development of a requirement catalogue in 2005
  – Based on the CoE recommendation and the PTB catalogue
  – How to evaluate a system against it? By whom?
  → Common Criteria / Protection Profile
• Building up a PP working group in the GI, led by Prof. Grimm
• Involving M. Weinand (BSI) for CC expertise
• Project at the DFKI underwritten by the BSI
  – Funding for development, evaluation and certification
Introduction to the CC
• International standard (ISO/IEC 15408) for Information Technology Security Evaluation (Common Criteria, CC)
  – Participating countries: Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey
• Idea: confidence in IT security through actions taken during development, evaluation and operation
• 4 groups: customers, developers, evaluators, certification authority
• 3 parts: introduction and general model, security functional requirements, security assurance requirements

Protection Profile
• Implementation-independent statement of security needs for a type of IT system/product (the Target of Evaluation, TOE)
• Evaluation Assurance Levels EAL 1–7
  – EAL 1: functionally tested
  – EAL 4: methodically designed, tested and reviewed
  – EAL 7: formally verified design and tested
General Information
• Project 1: PP for Online Voting – voting period
  – Started at the end of 2005, deadline September 2006
  – Analysed: CoE, PTB and GI catalogue
  – Advisory board:
    • Researchers: Koblenz, Gießen, Wien, …
    • Users: GI, Ministry of Labour & Social Affairs, …
    • Companies: Micromata, T-Systems, Scytl, …
    • Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …
  – 2 meetings and 2 annotation phases
  – Cooperation between BSI and GI
General Information (2)
• Project 2: result calculation, CC 3.1, English version
  – Current state:
    • Extension for result calculation
    • Change to CC 3.1
    • PP is in the evaluation process (evaluation facility: SRC)
  – GI is planning to commission the certification
• Project 3: ?? PP for robust online voting systems ??
  – More requirements on the TOE
  – Taking observation into account
  – …
Content – Assumptions
• Information about intended use
  – Election data are properly installed on the TOE
  – The election committee uses only the TOE functions
  – Nobody observes the voter while voting
  – The voter knows how to handle their means of identification and authentication, and does so consistently
• Information about the environment
  – Client device (the voter's responsibility) and election server are trustworthy
  – Network and election server are available
  – Only the election committee has access to the election server
  – Storage hardware is functioning correctly
  – A correct time source is available
Content – Threats
• Unauthorised users cast a vote
• Voters use data on their clients to prove how they voted
• Network attackers
  – delete/add/alter messages to change the result
  – read messages to break election secrecy
  – redirect the voter to a faked server
• Persons with access to the data stored on the TOE after the counting can
  – change the stored data
  – break election secrecy
Organizational Security Policies
• Functionality for the voter to cancel the voting process
• Functionality to prevent the election committee (EC) from accidentally closing the poll
• Functionality to prevent voters from accidentally casting a ballot
• Functionality to correct the vote before casting
• Functionality for a confirmation (vote was stored successfully)
• Functionality for the EC to recognise disruptions
• Functionality for logging specified actions
• Functionality to ensure the one voter, one vote principle
• Functionality to accurately count all stored votes
Organizational Security Policies (2)
• No functionality for the EC to break election secrecy
• No functionality for the EC to add/remove/alter votes
• No functionality for a restart after closing the poll
• No functionality to compute intermediate results
• No functionality to read authentication tokens
• No votes are accepted after closing the poll
• Access control mechanisms support a separation of duty
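The policies on these two slides describe the state machine of a ballot box, and most of them are refusals: actions the TOE must not offer, or must refuse once the poll is closed. The following Python model is an added illustration of that state machine; it is not code from the Protection Profile, the GI, the BSI or any certified product. It assumes a two-step voting process (prepare, then confirm) for the "accidental casting" and "correct before casting" policies, a two-person rule for closing the poll as one reading of "separation of duty" and "prevent accidentally closing", and stores ballots without any voter identifier so the data left on the TOE after counting cannot break election secrecy. All class, method and sample names are assumptions.

```python
"""Ballot-box model of the online-voting OSPs (added illustration; all names
are assumptions, not identifiers from the Protection Profile)."""
from dataclasses import dataclass, field
from enum import Enum
import secrets
from typing import Callable, Dict, List, Set


class PollState(Enum):
    OPEN = "open"
    CLOSED = "closed"


class PolicyViolation(Exception):
    """Raised when a requested action would violate one of the OSPs."""


@dataclass
class ElectionServer:
    eligible: Set[str]                                 # electoral register
    committee: Set[str]                                # election committee members
    state: PollState = PollState.OPEN
    voted: Set[str] = field(default_factory=set)       # enforces one voter, one vote
    pending: Dict[str, str] = field(default_factory=dict)  # voter -> uncast choice
    stored: List[str] = field(default_factory=list)    # cast votes, no voter link
    log: List[str] = field(default_factory=list)       # specified actions only
    close_approvals: Set[str] = field(default_factory=set)

    def _require_open(self) -> None:
        if self.state is not PollState.OPEN:
            raise PolicyViolation("no votes are accepted after closing the poll")

    def prepare(self, voter_id: str, choice: str) -> None:
        """Voter selects a choice; calling again overwrites it (correction)."""
        self._require_open()
        if voter_id not in self.eligible:
            raise PolicyViolation("unauthorised user")
        if voter_id in self.voted:
            raise PolicyViolation("one voter, one vote")
        self.pending[voter_id] = choice
        self.log.append(f"prepare voter={voter_id}")   # the choice is never logged

    def cancel(self, voter_id: str) -> None:
        """Voter abandons the voting process; nothing is stored."""
        self._require_open()
        self.pending.pop(voter_id, None)
        self.log.append(f"cancel voter={voter_id}")

    def cast(self, voter_id: str, confirm: bool) -> str:
        """Only an explicit confirmation turns the prepared choice into a ballot."""
        self._require_open()
        if voter_id in self.voted:
            raise PolicyViolation("one voter, one vote")
        if voter_id not in self.pending:
            raise PolicyViolation("no prepared ballot to cast")
        if not confirm:
            raise PolicyViolation("casting requires explicit confirmation")
        choice = self.pending.pop(voter_id)
        self.voted.add(voter_id)
        # Stored at a random position and without the voter id: neither the
        # ballot store nor its order can be linked back to a voter afterwards.
        self.stored.insert(secrets.randbelow(len(self.stored) + 1), choice)
        self.log.append(f"cast voter={voter_id}")
        return "vote stored successfully"               # confirmation to the voter

    def close(self, member: str) -> bool:
        """Two distinct committee members must approve before the poll closes."""
        if member not in self.committee:
            raise PolicyViolation("only the election committee may close the poll")
        if self.state is PollState.CLOSED:
            raise PolicyViolation("poll is already closed")
        self.close_approvals.add(member)
        self.log.append(f"close-request by={member}")
        if len(self.close_approvals) < 2:
            return False                                 # single request is not enough
        self.state = PollState.CLOSED
        self.pending.clear()                             # uncast ballots are discarded
        self.log.append("poll closed")
        return True

    def reopen(self, member: str) -> None:
        """Deliberately unimplemented: no restart after closing the poll."""
        raise PolicyViolation("no functionality for a restart after closing the poll")

    def count(self) -> Dict[str, int]:
        """Result calculation exists only after closing: no intermediate results."""
        if self.state is not PollState.CLOSED:
            raise PolicyViolation("no intermediate results before closing the poll")
        tally: Dict[str, int] = {}
        for choice in self.stored:
            tally[choice] = tally.get(choice, 0) + 1
        return tally


def violates(action: Callable, *args, **kwargs) -> bool:
    """True if the policy refuses the action."""
    try:
        action(*args, **kwargs)
    except PolicyViolation:
        return True
    return False


def demo() -> dict:
    """Constructed walk-through with two voters and a two-member committee."""
    s = ElectionServer(eligible={"alice", "bob"}, committee={"ec1", "ec2"})
    r: dict = {}
    s.prepare("alice", "yes")
    s.prepare("alice", "no")                            # correction before casting
    r["unconfirmed_rejected"] = violates(s.cast, "alice", confirm=False)
    r["confirmation"] = s.cast("alice", confirm=True)
    r["double_vote_rejected"] = violates(s.prepare, "alice", "yes")
    r["unauthorised_rejected"] = violates(s.prepare, "mallory", "yes")
    r["intermediate_result_rejected"] = violates(s.count)
    s.prepare("bob", "no")
    s.cancel("bob")                                     # bob abandons; nothing stored
    r["single_approval_closes"] = s.close("ec1")
    r["second_approval_closes"] = s.close("ec2")
    r["late_vote_rejected"] = violates(s.prepare, "bob", "no")
    r["restart_rejected"] = violates(s.reopen, "ec1")
    r["tally"] = s.count()
    r["log"] = list(s.log)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the model cannot express: the threats on the previous slide from network attackers and from the client device are outside it, because the PP places the network and the client in the environment (assumptions), not in the TOE. Everything the model refuses corresponds to one "No functionality …" or "prevent …" policy above; what the model provides (confirmation string, log entries without the choice, counting only after closing) corresponds to one "Functionality …" policy.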
EAL 2 (assurance level claimed by the PP)
Relation to the CoE
• Classification of the CoE recommendations into different categories
  – Functional (security, functionality, usability) → Functional Security Requirements
  – Organizational → Appendix B
  – Auditing → Project 3
  – Assurance → EAL 2
    • Manufacturer
    • Evaluator (no source code review at EAL 2)
Conclusion
• Intention of certified products
  – Convenience for the voter
  – Why not for all kinds of elections?
• Next steps?
  – Evaluation and certification of systems
  – Work in progress
  – More "robust" protection profile: discussions about content
• How to integrate the PP into the law?
Thank you for your attention!
General contact: [email protected]
Protection Profile by e-mail: [email protected] (subject: Protection Profile in English)