Upload File

secure information technology center - austria workshop on the certification of e-voting systems...

  • Home
  • Documents
  • Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification
15
Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification of the e- voting software used at the Austrian Student Union elections 2009 Daniel Konrad

Upload: heather-king

Post on 27-Dec-2015

216 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Secure Information Technology Center - Austria

Workshop on the certification of e-voting systems

Council of Europe

Strasbourg, 26 November 2009

Certification of the e-voting software used at the Austrian Student Union elections 2009

Daniel Konrad

Page 2: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 2

About A-SIT

• Public funded non-profit association (since 1999),

• Established as competence center for IT-security

• Members– Federal Ministry of Finance – OeNB (Austrian Central Bank)– Graz University of Technology

Page 3: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 3

Activities

• Technical evaluations– Confirmation body (Article 3(4) of EU-directive on el.

signatures)– Inspection body (ISO 17020)

• Advising the public sector on IT-security– e-government, e-health, …

• Observing existing and emerging technologies– Cryptography, SmartCards, e-ID, etc.

Page 4: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 4

A-SIT & e-voting

• 2001: e-voting defined in laws– Austrian Student Union– Chamber of Commerce

• Laws define that a confirmation body (signature law) has to certify the compliance with security requirements

Technology observation Participation in CoE‘s multidisciplinary ad hoc group Participation in Austrian working group on legal, technical

and international aspects (Federal Ministry of Interior)

Page 5: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 5

Certification Requirements

• Law (2001): – Security level equal to qual. el. signatures, – Basic requirements (secrecy, identity verification,

privacy, integrity, prevent overhasty casting of votes)

• Ordinance (issued Oct. 2008): – Client & voting-server software to be certified 60 days

before the election– Certification based on CoE Rec2004(11)– Right of access to source code & certification reports for

electoral commission & observers

Page 6: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 6

The Main Players

• Federal Ministry of Science and Research– Responsible authority

• Scytl – Software (pnyx-austria)

• Federal Computing Centre– Operation, infrastructure

• INSO (research group for industrial software at Vienna University of Technology)– Security-concepts, testing, etc.

Page 7: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 7

Certification Procedure

• Kick-off with main players in Dec. 2008– Definition of timetable and requirements:– existing evaluation reports – no formal CC evaluation & certification– provided documentation should follow CC

catalog – CC-based risk analysis of CoE Rec2004(11)

Page 8: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 8

Provided documentation (developer evidence)

– Security Compliance• Conformance between sec. functionalities & sec. objectives

(based on CoE Rec)

– Development:• Threat Analysis• Security Architecture• Functional Specification• Architectural Design

– Guidance Documents• Deployment Guide

Page 9: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 9

Provided documentation (developer evidence)

– Life-Cycle Support• CMS documentation• ISO 90003 certification

– Testing• Software development testing proofs

– Vulnerability Analysis• penetration testing

– Source code– Access to Scytl‘s bugzilla-system

• Contact developers (Q&A)• View test results

Page 10: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 10

Confirmation („Bescheinigung“)

• issued and published on 27 March 2009

• detailed evaluation report available for electoral commission & observers – at source-code review event (8 Mai 2009)

• one maintanance report (minor changes, issued 15 Mai 2009)

Page 11: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 11

Constraints

• Configuration of keylengthes– equal to requirements for qual. signatures

• Client-PCs– free of malicious software– prevent residual information

• Voting Server Software– audited compiling & installation

• Electronic Ballot Box & Keys– handling in post-voting stage

Page 12: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 12

Additional tasks

• Auditing of security relevant procedures (together with certified IT professional engineer)– compiling– deployment– key ceremonies– pre-mixing– mixing– secure data destruction

Page 13: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 13

Statistics

• E-voting period: 18 May 2009 – 22 May 2009• Paper: 26 May 2009 – 28 May 2009• Eligible voters: 230.749• Votes: 58.502• „Eligible“ E-voters: ~14.000• E-Votes: 2.161

• No security incidents or hacking attacks• some „unfriendly“ activities

– „availability-check“ tool– Persiflage e-voting site

Page 14: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 14

Lessons learned

• CoE Rec2004(11) provided a good basis for our confirmation

• Traceability of installation, compiling, etc. raised confidence of electoral authorities

• A reuseable and broadly accepted certification of core functionalities would be very useful

• Some residual risks could not be directly adressed (unsecure client PCs)

• Public debate in Austria was much more fundamental than technical

Page 15: Secure Information Technology Center - Austria Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009 Certification

Strasbourg, 23 November 2009 Slide 15

Thank you for your attention…

Daniel [email protected]

Secure Information Technology Center AustriaWeyringergasse 35, A-1040 Wien, www.a-sit.at


Voting System Certification Evaluation Report ES&S Version ... · Voting System Certification Evaluation Report . ES&S . Unity Voting System Version 3.0.1.1 & AutoMark Version 1.1

Voting System Certification Evaluation Report Hart

Bundeskanzlei BK Sektion Politische Rechte e-voting – the Swiss experience CoE: e-voting review meeting Strasbourg, 23-24.11.2006

Voting System Examination of Dominion Voting Systems ...€¦ · certification includes tables that describe the voting system software components, voting system platforms, and hardware

Hart InterCivic and Verity Voting 1 - eac.gov · Certification Test Report Report Number HRT-3026-CTR-01 Hart InterCivic and Verity Voting 1.0 Certification Test Report Rev 02 March

Mexico’s Land Certification Program: Rollout and Impact on Voting Behavior

Analysing the Prisoner Voting Saga and the British ... · Analysing the Prisoner Voting Saga and the British Challenge to Strasbourg Ed Bates* Senior Lecturer in Law, University of

EAC Manufacturer Registration Application · Form EAC 001C . Page 3 of 4 . 8. Manufacturer Certification Agreement: To maintain a voting system certification under the Election Assistance

Voting System Qualification Test Report Dominion Voting ......On August 2, 2013, Dominion Voting Systems, Inc. contacted the Bureau of Voting System Certification (BVSC) to request

Election Assistance Commission Voting System Certification ... · precise plan describing the test elements required to ensure effective Certification testing. This test plan: •

DEPARTMENT OF STATE VOTING SYSTEM … · report no. 2014-181 march 2014 department of state voting system standards and certification and prior audit follow-up operational audit

Voluntary Voting System Guidelines Table of Contents · Voluntary Voting System Guidelines Table of Contents Volume II Section 1 National Certification Testing Guidelines Section

Voting System Certification Evaluation Report … Prepared for the Texas Secretary of State Elections Division Voting System Certification Evaluation Report Election Systems and Software

Voting System Certification - Election Assistance Commission

La Certification intermédiaire Académie de Strasbourg. Lettres en LP Décembre 2009

Florida Voting System Standards · for voting system certification and provisional certification. Section 101.015, Florida Statutes requires the Department of State, Division of Elections

VOTING SYSTEMS CERTIFICATION...applicable to that voting system. Any portion of the report containing specific information related to any trade secret as designated pursuant to G.S

(Strasbourg, 23 December 2008) STANDING COMMITTEE … · The underlying information ... to observe the new electronic voting ... Plenary Session.2 The five main principles underlying

State Requirements and the Federal Voting System Testing ... · Thus, the EAC’s Testing and Certification Program provides (1) voluntary voting system standards, (2) voting system

Changes Ahead: A Look At Voting System ... - Verified Voting · 8" Changes"Ahead:"ALookAt"Voting"System"Testing"and"Certification"! Statesalsodotheirowncheckingtoensurethecorrectversionofsoftwareisbeingused,

ELECTION LAW VOTING CERTIFICATION OF RESULTS … and overseas voters... · ELECTION LAW VOTING ... outlines the steps that states take to certify results. Table 1: ... review begins

Test Report for EAC 2005 VVSG Certification Testing Performed on Dominion Voting ... · 2017. 2. 24. · forth for Voting Systems in the U.S. Election Assistance Commission (EAC)

Voting Systems Assessment Project · 2015-11-20  · and certification of the new voting system and its components. Objective: Phase III of the project will identify the development

Voting System Certification Evaluation Report...Evaluation Report Hart InterCivic (Hart) Verity Voting System 2.0 Introduction The Hart Verity Voting System 2.0 was evaluated for certification

Voting System Certification - Election Assistance … Start Guide - Voting System... · Quick Start Management Guide for Voting System Certification National Association of State

Voting System Testing & Certification - California · State Voting Systems Currently in Use Testing & Certification Process4 Alabama Ala. Code §17-7-23, §17-2-4 Requires testing

VOTING SYSTEM CERTIFICATION TES TIN G & CYBERSECURITY … · 2018-10-29 · practices, and voting system industry standards assures your test engagement receives the high-quali ty

Strasbourg in the Dock: Prisoner Voting, Human Rights & the Case for Democracy

Voting System Testing and Certification Program Manual

Académie de Strasbourg - académie de Strasbourg

Voting System Qualification Test Report Election Systems ......Volume testing of any voting machines or marking devices is considered to be outside the scope of this certification

Certification Test Report...Dominion Voting Systems Assure 1.3 Certification Test Report EAC Certification Report Report Number: DVS-CPVS11DOMINI003-CTR-01 Saved date 3/2/2012 12:19:00

RAPPORT DE CERTIFICATION RHENA - CLINIQUE DE STRASBOURG · 10 rue francois epailly cs 50003 67016 strasbourg juillet 2019 rapport de certification. sommaire introduction 2 1. les

Workshop on the certification of e-voting systems Council of Europe Strasbourg, 26 November 2009

CoE Strasbourg 16/11-2010 Open Source Remote Electronic Voting in Norway