Recent Developments in Voting System Standards
Ronald L. Rivest
Frontiers in Electronic Elections (Milan)
September 15, 2005

Outline
- Introduction and overview
- New proposed standards
  - Software Distribution & Setup Validation
  - Wireless
  - VVPAT
- Future Directions
  - IDV
(Note: some slides adapted from John Wack’s presentation at the EAC Standards Board Meeting in Denver, 8/24/05)
Introduction

Voting tech is in transition…
- Voting tech follows technology: Stones -> Paper -> Levers -> Punch cards -> Op-scan -> Computers (??)
- Punch cards “out” after Nov. ’00
- DRE’s (touch-screen) require VVPAT (voter-verified paper audit trail) in California
- Is technology ready for electronic (paperless) voting?

Voting is a hard problem
- Voter Registration: each eligible voter votes at most once
- Voter Privacy: no one can tell how any voter voted, even if the voter wants it; no “receipt” for the voter
- Integrity: votes can’t be changed, added, or deleted; the tally is accurate
- Availability: the voting system is available for use when needed
- Ease of Use: esp. for disabled voters

Voting is important
- Cornerstone of our (any!) democracy
- Voting security is clearly an aspect of national security.
- “Those who vote determine nothing; those who count the votes determine everything.” -- Joseph Stalin

Are DRE’s trustworthy?
- Diebold fiascoes..??
- Intrinsic difficulty of designing and securing complex systems
- Many units (100,000’s) in the field, used occasionally, and managed by the semi-trained
- Certification process is “riddled with problems” (NYT editorial 5/30/04)

Voter-Verified Paper Audit Trails?
- Rebecca Mercuri: the voting machine should produce a “paper audit trail” that the voter can inspect and approve.
- VVPAT is the “official ballot” in case of dispute or recounts.
- David Dill (Stanford CS Prof.) initiated an on-line petition that ultimately resulted in California requiring VVPAT’s on many DRE’s.

VVPAT’s controversial…
- Still need to guard printed ballots.
- Two-step voting procedure may be awkward for some voters (e.g. disabled).
- Doesn’t catch all problems (e.g. candidate missing from slate).
- Malicious voters can cause DoS by casting suspicion on a voting machine.
- Not “end-to-end” security:
  - Helps ensure votes are “cast as intended”
  - Doesn’t help ensure votes are “counted as cast”
Voting System Security is Hard
- Computerization of voting systems gives us the headaches of ordinary computer security, plus
  - the requirement that the voter must not be given a receipt proving how he/she voted, which makes security much tougher.
- Now a major research area:
  - NSF just awarded $7.5M to a consortium of five institutions to research voting system security.

Can Standards Help?
- First Voting System Standard (VSS) in 1990
- Revised VSS in 2002
- HAVA (Help America Vote Act) of 2002 created the EAC (Election Assistance Commission) and the TGDC (Technical Guidelines Development Committee), and chartered NIST to help TGDC/EAC produce new standards.
- “Voluntary”: states may ignore them.

TGDC Timeline
- Fall ’04: Expert testimony, initial subcommittee meetings.
- Jan ’05: TGDC resolutions passed.
- Jan–Apr ’05: NIST+TGDC work on VVSG.
- April–June ’05: VVSG approved by TGDC, delivered to EAC, published by EAC for comment.
- June 29 – Sep 30 ’05: Comment period. (Please send in your comments!)

Initial Issues Considered
- Wireless
- VVPAT
- Source code availability
- Documentation requirements
- “Tiger team” evaluations
- Best practices
- System logs

Initial Issues Considered (cont.)
- COTS
- Cryptography
- Standardized data formats
- Multiple stored ballots
- Software development standards
- Software distribution
- Setup validation

Initial Issues Considered (cont.)
- Remote voting
- Standardized computer security evaluation procedures
- Disclosure of evaluation results
- De-certification of systems
- Centralized evaluation and incident database
- …

TGDC passed resolutions
- Resolutions reflect the consensus of the TGDC on the importance of various issues and their near-term relevance. They provide guidance to NIST.
- #05-04: Currently certified voting software -> NSRL
- #12-05: Voter verifiability (IV/DV)
- #14-05: COTS software
- #15-05: Software Distribution
- #16-05: Setup Validation
- #17-05: “Tiger team” testing

TGDC passed resolutions (cont.)
- #18-05: Documentation
- #21-05: Multiple ballot representations
- #22-05: Federal IT security standards
- #23-05: Common ballot formats
- #32-05: De-certification
- #35-05: Wireless

VVSG 2002 Revisions
- Current VVSG revises the 2002 standards, and emphasizes (wrt security):
  - VVPAT (EAC guidance emphasized this)
  - Wireless
  - Software distribution and setup validation
New proposed standards

- Software Distribution/Setup Validation
- Wireless
- VVPAT
- Independent Dual Verification (informative only, indicative of possible future direction/emphasis)

Software Distribution and Setup Validation
- Requirements for ensuring the secure distribution of voting system software
- Requirements for validating that the voting system is running the correct software
- Geared towards what is achievable by 2006
- Future requirements would rely more on digital signature technology and the ability to validate setup externally from the voting system

Software Distribution and Setup Validation (cont.)
- Use of FIPS-approved signature and hash algorithms
- Use of FIPS-validated cryptographic modules to perform cryptographic operations
- Use of the NSRL as a repository for voting system software and as the source for binaries, hashes, and digital signatures
- Documentation of all voting system software, including 3rd-party software such as the OS, drivers, etc.
- Methods used to check whether software has been modified: binary image comparison, hash value, digital signature
- Documentation of the process used to verify that no unauthorized software is present on the voting equipment and that the authorized software has not been modified
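The slide above lists the building blocks of setup validation: approved hash and signature algorithms, the NSRL as the trusted source of reference hashes, and a documented check that nothing on the device is missing, modified or unauthorized. The Go program below is an added example of how those pieces fit together; it is not code from the slides, from NIST or from the NSRL. It assumes a signed manifest of SHA-256 file hashes plays the NSRL's role, uses ECDSA on P-256 with SHA-256 as the FIPS-approved algorithms, and uses constructed byte strings with placeholder paths in place of real voting software.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists every authorised file on the voting device with its SHA-256
// digest. Here the manifest and its signature are constructed in memory (NSRL stand-in).
type Manifest struct {
	Files map[string]string // path -> hex SHA-256
}

// canonical serialises the manifest deterministically so the signature covers
// exactly the bytes the verifying device recomputes.
func (m Manifest) canonical() []byte {
	lines := make([]string, 0, len(m.Files))
	for p, h := range m.Files {
		lines = append(lines, h+"  "+p)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

func hashBytes(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

type Finding struct{ Path, Problem string } // one deviation found during validation

// ValidateSetup compares the software actually installed on a device with the
// signed manifest. A bad signature is fatal, since the reference hashes themselves
// cannot then be trusted; otherwise every modified, missing and unauthorised file is reported.
func ValidateSetup(pub *ecdsa.PublicKey, m Manifest, sig []byte, installed map[string][]byte) ([]Finding, error) {
	d := sha256.Sum256(m.canonical())
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, fmt.Errorf("manifest signature invalid: reference hashes cannot be trusted")
	}
	var findings []Finding
	for p, want := range m.Files {
		if data, ok := installed[p]; !ok {
			findings = append(findings, Finding{p, "missing"})
		} else if hashBytes(data) != want {
			findings = append(findings, Finding{p, "modified"})
		}
	}
	for p := range installed {
		if _, ok := m.Files[p]; !ok {
			findings = append(findings, Finding{p, "unauthorised"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, nil
}

// authorised holds the demo's reference images: constructed byte strings with
// placeholder paths, not real voting software.
var authorised = map[string][]byte{
	"/opt/vote/bin/tabulator": []byte("tabulator v1 (constructed)"),
	"/opt/vote/lib/ballot.so": []byte("ballot library (constructed)"),
}

// NewSignedManifest hashes the authorised images and signs the manifest with a
// freshly generated P-256 key, standing in for the NSRL's publication step.
func NewSignedManifest() (*ecdsa.PrivateKey, Manifest, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Manifest{}, nil, err
	}
	m := Manifest{Files: map[string]string{}}
	for p, data := range authorised {
		m.Files[p] = hashBytes(data)
	}
	d := sha256.Sum256(m.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return priv, m, sig, err
}

// RunDemo validates a device on which one library was altered and an
// unauthorised binary was added; both deviations are reported.
func RunDemo() ([]Finding, error) {
	priv, m, sig, err := NewSignedManifest()
	if err != nil {
		return nil, err
	}
	installed := map[string][]byte{
		"/opt/vote/bin/tabulator": authorised["/opt/vote/bin/tabulator"],
		"/opt/vote/lib/ballot.so": []byte("ballot library, altered (constructed)"),
		"/opt/vote/bin/extra":     []byte("not in manifest (constructed)"),
	}
	return ValidateSetup(&priv.PublicKey, m, sig, installed)
}

func main() { fmt.Println(RunDemo()) }
```

The point the slide makes about digital signatures shows up in the first check: a plain hash list is only as trustworthy as whoever can edit it, so the manifest is verified before any file hash is compared. Note also that this whole check runs on the device's own software, which is the limitation the earlier slide refers to when it says future requirements should allow setup to be validated externally from the voting system.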
Wireless
- Wireless presents an opportunity for intruder access and denial of service
- Important to protect data and access
- TGDC resolution approved use of wireless only as necessary; avoid if at all possible
- Wireless includes x, IR, Bluetooth
- Typically not meant to include modem and cellular access, although these will need security requirements also

Wireless (cont.)
- Wireless must follow at least the requirements of the existing telecommunications section in the 2002 VSS
- In some cases wireless denial of service cannot be prevented, so alternatives must be available or the voting system could be rendered non-functional
- Authentication and encryption required
- Other requirements: the vendor must document whether the voting system has wireless, how to know when it is on/off, and how it is secured
- Wireless prohibited during actual voting

VVPAT
- EAC asked NIST to address VVPAT requirements for states considering its usage
- Optional in VVSG
- Assumes a VVPAT system consists of a DRE plus printer and verification capability

VVPAT (cont.)
- Based on enacted state legislation and the CA standard
- Codifies record formats, security, usability and accessibility concerns
- Emphasizes machine/printer reliability
- Emphasizes usefulness of the paper record in comparisons with the electronic record
- Effectively prohibits consecutively stored paper records
- Addresses usability for election officials when auditing paper and electronic records
Future Directions

Major Goals for Future Work
- Provide a complete and comprehensive guideline
- Provide clear, usable requirements with associated test methods for VSTLs
- Respond to future TGDC resolutions
- Comprehensive threat analysis to drive overall security requirements (Workshop on October 7th)

Future VVSG May Include:
- IDV – Independent Dual Verification
- “Tiger Team” testing
- COTS
- Cryptographic Requirements
- Improved Documentation and Testing Requirements
- …

IDV – Independent Dual Verification
- Informative in the current VVSG; part of new material in future versions
- IDV voting systems produce at least two ballot records, both verifiable by the voter and one unchangeable by the voting system
- At least one record verifiable directly, or both verifiable by systems from different vendors
- Records usable in comparisons and audits
- Approach can improve resilience of voting systems to software attacks
- Needed as backup to more vulnerable computer-based ballot records

IDV (cont.)
- Marketplace responding to IDV
- Systems available today that are in the IDV ballpark:
  - VVPAT
  - DRE add-ons – Witness
  - Some optical scan systems
  - Some crypto systems can be IDV
- Further work needed to specify requirements for IDV systems
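The IDV slides say the two records must be usable in comparisons and audits, and that the paper record matters because it is the one the voting system cannot change. The Go program below is an added example of such a comparison audit; it is not code from the slides or from any voting system vendor. It assumes the DRE's stored electronic records carry an HMAC-SHA256 tag under a key held by the tabulation software (an integrity mechanism of the kind the later "Cryptographic Requirements" slide mentions), and that the paper records arrive as a separate, unordered list. Contest names, choices and the key are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// BallotRecord is one voter's choice in one contest. An IDV system produces two
// such records per ballot through independent paths (e.g. DRE memory and paper).
type BallotRecord struct {
	Contest, Choice string
}

// ElectronicRecord is the DRE's stored record with an HMAC-SHA256 tag. The key
// is assumed to be held by the voting system's tabulation software.
type ElectronicRecord struct {
	BallotRecord
	Tag string
}

// recordBytes fixes the byte encoding the tag covers; the separator keeps
// ("AB","C") and ("A","BC") from producing the same bytes.
func recordBytes(r BallotRecord) []byte {
	return []byte(r.Contest + "\x1f" + r.Choice)
}

// Seal computes the integrity tag when the record is stored.
func Seal(key []byte, r BallotRecord) ElectronicRecord {
	mac := hmac.New(sha256.New, key)
	mac.Write(recordBytes(r))
	return ElectronicRecord{r, hex.EncodeToString(mac.Sum(nil))}
}

// Open recomputes the tag and compares in constant time; a corrupted record is
// rejected rather than counted.
func Open(key []byte, e ElectronicRecord) (BallotRecord, bool) {
	mac := hmac.New(sha256.New, key)
	mac.Write(recordBytes(e.BallotRecord))
	tag, err := hex.DecodeString(e.Tag)
	if err != nil || !hmac.Equal(tag, mac.Sum(nil)) {
		return BallotRecord{}, false
	}
	return e.BallotRecord, true
}

// Tally counts records per contest/choice. Comparing tallies rather than
// sequences means the paper records can be stored in any order, so their
// sequence never links a ballot to a voter.
func Tally(records []BallotRecord) map[string]int {
	t := map[string]int{}
	for _, r := range records {
		t[r.Contest+"/"+r.Choice]++
	}
	return t
}

type AuditResult struct {
	RejectedElectronic int      // records whose tag did not verify
	Discrepancies      []string // "contest/choice: electronic=N paper=M"
}

// AuditIDV verifies each electronic record, tallies the accepted ones, and
// reports every contest/choice whose electronic and paper counts differ.
func AuditIDV(key []byte, electronic []ElectronicRecord, paper []BallotRecord) AuditResult {
	var res AuditResult
	var accepted []BallotRecord
	for _, e := range electronic {
		if r, ok := Open(key, e); ok {
			accepted = append(accepted, r)
		} else {
			res.RejectedElectronic++
		}
	}
	et, pt := Tally(accepted), Tally(paper)
	seen := map[string]bool{}
	for k := range et {
		seen[k] = true
	}
	for k := range pt {
		seen[k] = true
	}
	for k := range seen {
		if et[k] != pt[k] {
			res.Discrepancies = append(res.Discrepancies,
				fmt.Sprintf("%s: electronic=%d paper=%d", k, et[k], pt[k]))
		}
	}
	sort.Strings(res.Discrepancies)
	return res
}

// RunAuditDemo uses constructed ballots and models two failure modes: one stored
// record is corrupted (its tag no longer verifies), and one is changed by software
// that holds the MAC key and re-seals it (its tag verifies). Only the comparison
// with the independent paper record catches the second.
func RunAuditDemo() AuditResult {
	key := []byte("constructed-demo-key")
	ballots := []BallotRecord{{"Mayor", "A"}, {"Mayor", "B"}, {"Mayor", "A"}, {"Mayor", "B"}, {"Prop 1", "Yes"}}
	electronic := make([]ElectronicRecord, len(ballots))
	for i, b := range ballots {
		electronic[i] = Seal(key, b)
	}
	electronic[1].Tag = "00"                              // corrupted record
	electronic[3] = Seal(key, BallotRecord{"Mayor", "A"}) // altered and re-sealed
	// Paper records as the voters verified them, in shuffled order.
	paper := []BallotRecord{{"Prop 1", "Yes"}, {"Mayor", "B"}, {"Mayor", "A"}, {"Mayor", "B"}, {"Mayor", "A"}}
	return AuditIDV(key, electronic, paper)
}

func main() { fmt.Printf("%+v\n", RunAuditDemo()) }
```

The demo makes the slide's distinction concrete: the MAC detects a record that was damaged or altered without the key, but software that holds the key can re-seal whatever it writes, so the tag is not independent of the voting system. The record the voter verified on paper is, and it is the tally comparison against that record, not the cryptography on the electronic copy, that exposes the re-sealed change.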
“Tiger Team” testing
- Give a team of experts full rein to search for security vulnerabilities.
- They get full system documentation and access to the system itself.
- “In order to defeat an adversary, you must think like an adversary.”
- Further work needed to define team composition, level of effort, and criteria for evaluating results.

COTS Software
- COTS software is very useful, but may be buggy, produced overseas, or a “black box” (no source code available for review).
- Further work needed to clarify when COTS software may be included in a voting system, and how it is to be evaluated.

Cryptographic Requirements
- Cryptographic techniques (e.g. digital signatures and MACs) can improve system integrity and increase resistance to fraud.
- Further work is needed to specify which information transfers require such cryptographic protection.
- Key management standards??

Other Major Goals
- Stronger requirements for system documentation, including a “public” section.
- Complete and comprehensive guideline with clear requirements and associated test methods for Voting System Testing Labs
- Strong core security section
  - Hardening and auditing requirements
  - Robust testing requirements
- Comprehensive threat analysis to drive overall security requirements (Oct 7th workshop)

Questions for Standards Writers
- How to ensure that innovation is not precluded?
- How to specify “tiger team” evaluation?
- How to evaluate cryptographic voting systems?
- How to handle non-equipment aspects of security (aka “best practices”)?
For More Information…
- Ron Rivest
- John Wack
- NIST Voting Site
  - Contains all NIST, TGDC documents, drafts, meetings, etc.
- Election Assistance Commission

(The End)