German Research Center for Artificial Intelligence

Protection Profile for Central Requirements for Online Voting

Melanie Volkamer
German Research Center for Artificial Intelligence (DFKI GmbH), Saarbrücken, Germany
Deutsches Forschungszentrum für Künstliche Intelligenz
Overview
Project formation
Introduction to the Common Criteria and Protection Profiles
Project
– General information (duration, status, …)
– Content (assumptions, threats, objectives, EAL, …)
– Challenges
Relation to the CoE recommendations
Project Formation
First online election in the GI in 2004
Development of a requirement catalogue in 2005
– Based on the CoE recommendation and the PTB catalogue
– Open question: how is a system evaluated against the catalogue, and by whom? Answer: Common Criteria / Protection Profile
Building up a PP
– GI working group led by Prof. Grimm
– Involving M. Weinand (BSI) for CC expertise
– Project at the DFKI underwritten by the BSI
  – Funding for development, evaluation and certification
Introduction to the CC
International standard (ISO/IEC 15408) for Information Technology Security Evaluation (Common Criteria, CC)
Participating nations: Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey
Idea: confidence in IT security through actions taken during development, evaluation and operation
4 groups of participants: customers, developers, evaluators, certification authority
3 parts of the standard: introduction and general model, security functional requirements, security assurance requirements
Protection Profile (PP): an implementation-independent statement of security needs for a type of IT system or product
Protection Profile: Evaluation Assurance Levels
EAL 1–7
– EAL 1: functionally tested
– EAL 4: methodically designed, tested and reviewed
– EAL 7: formally verified design and tested
General Information
Project 1: PP for online voting, voting period
– Started at the end of 2005, deadline September
– Analysed: the CoE, PTB and GI catalogues
– Advisory board:
  Researchers: Koblenz, Gießen, Wien, …
  Users: GI, Ministry of Labour and Social Affairs, …
  Companies: Micromata, T-Systems, Scytl, …
  Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …
– 2 meetings and 2 comment phases
– Cooperation between BSI and GI
General Information (2)
Project 2: result calculation, CC 3.1, English version
– Current state:
  Extension to cover result calculation
  Migration to CC 3.1
  PP is in the evaluation process (testing authority: SRC)
– GI is planning to apply for the certification
Project 3 (under discussion): PP for robust online voting systems
– More requirements on the ToE
– Taking observation into account
– …
Content - Assumptions
Information about intended use
– Election data are properly installed on the ToE
– The election committee uses only the ToE functions
– Nobody is watching the voter while he or she votes
– The voter knows how to handle his or her means of identification and authentication and does so consistently
Information about the environment
– Client device (voter's responsibility) and election server are trustworthy
– Network and election server are available
– Only the election committee has access to the election server
– Storage hardware is functioning correctly
– A correct time source is available
Content - Threats
Unauthorised users cast a vote
Voters use data on their clients to prove how they voted
Network attackers
– delete, add or alter messages to change the result
– read messages to break election secrecy
– redirect the voter to a faked server
Persons with access to the data stored on the ToE after the counting can
– change the stored data
– break election secrecy
Organisational Security Policies
Functionality for cancelling the vote
Functionality to prevent the EC from accidentally closing the poll
Functionality to prevent voters from accidentally casting a ballot
Functionality to correct the vote before casting
Functionality for a confirmation that the vote was stored successfully
Functionality for the EC to recognise disruptions
Functionality for logging specified actions
Functionality to ensure the one voter, one vote principle
Functionality to accurately count all stored votes
Organisational Security Policies (2)
No functionality for the EC to break election secrecy
No functionality for the EC to add, remove or alter votes
No functionality for a restart after closing the poll
No functionality to compute intermediate results
No functionality to read authentication tokens
No votes are accepted after closing the poll
Access control mechanisms support a separation of duty
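As an added example (not code from the GI/BSI protection profile or from any certified voting product), the following toy ballot-box model shows how the policies on the two slides above fit together in one state machine: eligibility and one-voter-one-vote checks, correction and cancellation before casting, a two-step cast so a ballot cannot be cast by accident, a storage confirmation that is random so it cannot be used to prove how one voted (the threat on the previous slide), a tally that is refused while the poll is open, an irreversible close that requires two distinct committee members and an explicit confirmation, and a log that records actions but never vote content. The class and method names (BallotBox, PollState, PolicyViolation, select/cast/close_poll) and the use of a SHA-256 pseudonym in place of a real authentication token are assumptions of this example.

```python
# Toy ballot-box model that enforces the organisational security policies
# listed on the two slides above. Added example; it is not code from the
# GI/BSI protection profile. Class and method names are this example's own.
import hashlib
import secrets
from collections import Counter
from enum import Enum


class PolicyViolation(Exception):
    """Raised whenever an action would violate one of the policies."""


class PollState(Enum):
    OPEN = "open"
    CLOSED = "closed"  # terminal: there is deliberately no way back to OPEN


def _pseudonym(voter_id):
    # Only a digest of the identifier is kept, so no function of the box can
    # hand back the authentication token itself (stands in for a real token).
    return hashlib.sha256(voter_id.encode()).hexdigest()


class BallotBox:
    def __init__(self, eligible_voters, committee):
        self.eligible = {_pseudonym(v) for v in eligible_voters}
        self.committee = set(committee)
        self.state = PollState.OPEN
        self.voted = set()   # pseudonyms that have cast: one voter, one vote
        self.pending = {}    # pseudonym -> selection that is not yet cast
        self.ballots = []    # stored votes; carries no voter identity
        self.log = []        # logged actions; never the content of a vote

    def _log(self, event, **fields):
        self.log.append({"event": event, **fields})

    def _require_open(self):
        if self.state is not PollState.OPEN:
            raise PolicyViolation("no votes are accepted after closing the poll")

    def select(self, voter_id, choice):
        """Record or correct a selection; nothing is stored as a vote yet."""
        self._require_open()
        p = _pseudonym(voter_id)
        if p not in self.eligible:
            raise PolicyViolation("unauthorised user")
        if p in self.voted:
            raise PolicyViolation("voter has already cast a vote")
        self.pending[p] = choice
        self._log("selection", voter=p)

    def cancel(self, voter_id):
        """Cancel the vote before it is cast."""
        self._require_open()
        p = _pseudonym(voter_id)
        self.pending.pop(p, None)
        self._log("cancel", voter=p)

    def cast(self, voter_id, confirm=False):
        """Two-step casting: without confirm=True the selection is only echoed
        back for review, so a ballot cannot be cast accidentally."""
        self._require_open()
        p = _pseudonym(voter_id)
        if p not in self.pending:
            raise PolicyViolation("nothing selected")
        if not confirm:
            return {"status": "review", "choice": self.pending[p]}
        self.ballots.append(self.pending.pop(p))
        self.voted.add(p)
        self._log("cast", voter=p)
        # Confirmation that the vote was stored. It is random and independent
        # of the choice, so it cannot be used to prove to others how one voted.
        return {"status": "stored", "confirmation": secrets.token_hex(8)}

    def tally(self):
        """Count all stored votes; refused while the poll is still open."""
        if self.state is not PollState.CLOSED:
            raise PolicyViolation("no intermediate results")
        return dict(Counter(self.ballots))

    def close_poll(self, member_a, member_b, confirm=False):
        """Closing needs two distinct committee members (separation of duty)
        and an explicit confirmation (no accidental closing). It is final."""
        if self.state is PollState.CLOSED:
            raise PolicyViolation("poll is already closed; no restart")
        if member_a == member_b or not {member_a, member_b} <= self.committee:
            raise PolicyViolation("two distinct committee members required")
        if not confirm:
            return {"status": "review", "stored_votes": len(self.ballots)}
        # Shuffle once so the storage order can no longer be matched against
        # the order of 'cast' log entries to break election secrecy.
        secrets.SystemRandom().shuffle(self.ballots)
        self.pending.clear()
        self.state = PollState.CLOSED
        self._log("close", by=sorted((member_a, member_b)))
        return {"status": "closed", "stored_votes": len(self.ballots)}
```

The model deliberately has no method that reopens a closed poll, reads back a token, or returns a stored ballot together with a voter pseudonym; under the CC approach those absences are themselves security functionality that the evaluator checks, not merely features that were left out.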
Content - Assurance Level
EAL 2
Relation to the CoE Recommendations
Classification of the CoE recommendations into categories, and where the PP covers each:
– Functional security: security functional requirements, security functionality, usability
– Organisational: Appendix B
– Auditing: Project 3
– Assurance: EAL 2 (manufacturer documentation reviewed by the evaluator; no source code evaluation)
Conclusion
Intention of certified products
– Increased confidence on the part of the voter
– Why not for all kinds of elections?
Next steps
– Evaluation and certification of systems (work in progress)
– A more "robust" protection profile: discussions about its content
– How to integrate the PP into the law?
Thank you for your attention!
General contact
Protection Profile as an … (Subject: Protection Profile in English)