Secure Information Technology Center - Austria: Workshop on the certification of e-voting systems, Council of Europe, Strasbourg, 26 November 2009


Slide 1 Certification of the e-voting software used at the Austrian Student Union elections 2009
Secure Information Technology Center - Austria
Workshop on the certification of e-voting systems, Council of Europe, Strasbourg, 26 November 2009
Daniel Konrad

Strasbourg, 23 November 2009
Slide 2 About A-SIT
Publicly funded non-profit association (since 1999), established as competence center for IT security
Members
–Federal Ministry of Finance
–OeNB (Austrian Central Bank)
–Graz University of Technology

Slide 3 Activities
Technical evaluations
–Confirmation body (Article 3(4) of the EU directive on electronic signatures)
–Inspection body (ISO 17020)
Advising the public sector on IT security
–e-government, e-health, …
Observing existing and emerging technologies
–Cryptography, smart cards, e-ID, etc.

Slide 4 A-SIT & e-voting
2001: e-voting defined in laws
–Austrian Student Union
–Chamber of Commerce
Laws define that a confirmation body (signature law) has to certify compliance with the security requirements
–Technology observation
–Participation in CoE's multidisciplinary ad hoc group
–Participation in Austrian working group on legal, technical and international aspects (Federal Ministry of Interior)

Slide 5 Certification Requirements
Law (2001):
–Security level equal to qualified electronic signatures
–Basic requirements (secrecy, identity verification, privacy, integrity, prevent overhasty casting of votes)
Ordinance (issued Oct. 2008):
–Client & voting-server software to be certified 60 days before the election
–Certification based on CoE Rec2004(11)
–Right of access to source code & certification reports for electoral commission & observers

Slide 6 The Main Players
Federal Ministry of Science and Research
–Responsible authority
Scytl
–Software (pnyx-austria)
Federal Computing Centre
–Operation, infrastructure
INSO (research group for industrial software at Vienna University of Technology)
–Security concepts, testing, etc.

Slide 7 Certification Procedure
Kick-off with main players in Dec
Definition of timetable and requirements:
–existing evaluation reports
–no formal CC evaluation & certification
–provided documentation should follow the CC catalog
–CC-based risk analysis of CoE Rec2004(11)

Slide 8 Provided documentation (developer evidence)
–Security Compliance
  Conformance between security functionalities & security objectives (based on CoE Rec)
–Development
  Threat Analysis
  Security Architecture
  Functional Specification
  Architectural Design
–Guidance Documents
  Deployment Guide

Slide 9 Provided documentation (developer evidence)
–Life-Cycle Support
  CMS documentation
  ISO certification
–Testing
  Software development testing proofs
–Vulnerability Analysis
  penetration testing
–Source code
–Access to Scytl's bugzilla system
  Contact developers (Q&A)
  View test results

Slide 10 Confirmation („Bescheinigung“)
issued and published on 27 March 2009
detailed evaluation report available for electoral commission & observers
–at source-code review event (8 May 2009)
one maintenance report (minor changes, issued 15 May 2009)

Slide 11 Constraints
Configuration of key lengths
–equal to requirements for qualified signatures
Client PCs
–free of malicious software
–prevent residual information
Voting Server Software
–audited compiling & installation
Electronic Ballot Box & Keys
–handling in post-voting stage

Slide 12 Additional tasks
Auditing of security-relevant procedures (together with certified IT professional engineer)
–compiling
–deployment
–key ceremonies
–pre-mixing
–mixing
–secure data destruction
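The "audited compiling & installation" constraint (slide 11) and the compiling/deployment audit tasks (slide 12) come down to one check: the tree actually installed must be the tree whose compile was audited. The script below is an added example and not A-SIT's or Scytl's code; it records a SHA-256 manifest of the audited build and reports every deviation of the deployment from it. All file names and contents are constructed for illustration.

```python
# Added example, not A-SIT's or Scytl's code: record SHA-256 digests of the
# audited build tree, then check the installed tree against that manifest.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_deployment(root, manifest):
    """Compare the installed tree with the audited manifest; each class is a finding."""
    installed = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in installed and installed[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in installed),
        "unexpected": sorted(p for p in installed if p not in manifest),
    }

def write(tree, rel, data):
    path = os.path.join(tree, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: audited build, then a deployment deviating in three ways."""
    files = {"bin/voting-server.jar": b"audited build A",
             "conf/server.properties": b"keylength=2048\n",
             "lib/crypto.jar": b"audited build B"}
    with tempfile.TemporaryDirectory() as build, tempfile.TemporaryDirectory() as deploy:
        for tree in (build, deploy):
            for rel, data in files.items():
                write(tree, rel, data)
        manifest = build_manifest(build)  # taken at the audited compile
        write(deploy, "conf/server.properties", b"keylength=1024\n")  # changed config
        os.remove(os.path.join(deploy, "lib", "crypto.jar"))          # library missing
        write(deploy, "bin/debug.jar", b"not in the audited build")   # extra file
        return verify_deployment(deploy, manifest)
```

In practice the manifest is produced on the audited build host and signed, so the electoral commission can re-run the verification on the live server without trusting the operator.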

Slide 13 Statistics
E-voting period: 18 May 2009 – 22 May 2009
Paper: 26 May 2009 – 28 May 2009
Eligible voters:
Votes:
„Eligible“ E-voters: ~
E-Votes:
No security incidents or hacking attacks
some „unfriendly“ activities
–„availability-check“ tool
–Persiflage e-voting site

Slide 14 Lessons learned
CoE Rec2004(11) provided a good basis for our confirmation
Traceability of installation, compiling, etc. raised confidence of electoral authorities
A reusable and broadly accepted certification of core functionalities would be very useful
Some residual risks could not be directly addressed (insecure client PCs)
Public debate in Austria was much more fundamental than technical

Slide 15 Thank you for your attention…
Daniel Konrad
Secure Information Technology Center Austria
Weyringergasse 35, A-1040 Wien,