Security and Transparency Teleconference Meeting
Thursday, September 19, 2006 at 10:30AM

Participants: Allan Eustis, Angela Orbaugh, Bill Burr, David Flater, John Kelsey, John Wack, Helen Purcell, Nelson Hastings, Patrick Gannon, Rene Peralta, Rick Kuhn, Ron Rivest, Thelma Allen, Wendy Havens


1) Administrative Updates
2) Updated Cryptography Section;
       -No modifications to requirements but put into VVSG 2007 final format
       -Security documentation example requirements
3) Discussion of Security and Audit Architecture
4) Discussion of Threat Overview
5) Other Items

Meeting commenced at 10:30 a.m.

Administrative Updates:

  • Allan worked at the polls last week in DC. Everything went smoothly, mainly because there were no major changes in voting equipment or procedures in DC from the 2004 elections. Voters Still have choices between OpScan and Sequoia DREs. Allan sent out his trip report from his experience in WY. Allan will be going out to Washington state for post election canvassing.

  • Plans are to go to Arizona in November for L & A testing before the election.

  • Rene Peralta went to Washington state for the Logic &Accuracy test. Stated that Seattle was an eye opener. VVPAT was a special case in WA where most voting is by mail. The DREs only require VVPAT, and the DREs are only used for special accessibility. Officials looking for emergency legislation about machines because there is a possibility of confidentiality being breached if only 5 to 6 people use a certain machine.

  • John Wack worked the polls in Montgomery and had a very different experience than Allan. He has sent his comments out to wgvote and Ron Rivest. He will edit and then share with the rest of the TGDC. Voter access card was just a small part of the problem. John didn't like that every DRE has modem that could be connected. Any machine could be made into an accumulator. All the new equipment, including the electronic poll books, could be one of the reasons mistakes were made and the voter access cards weren't delivered.

  • Frederick County, and other western counties, elected not to phone in results. They decided not to do counting at the polls which seemed to cause less hassle. John feels that it might be better to do these things at a central location where election activities are less hectic.

  • John would like to discuss white papers regarding controversial issues that he wants to get in front of the TGDC.

  • Helen would like to hear more about the electronic poll books and the poor manufacturing standards. Helen said that the Arizona primaries went well. Said very few people used the Sequoia Edge DRE equipment. Most problems caused by inexperienced poll workers and problems with new equipment. They did a full hand recount (not certified) of 24 precincts just to have the experience before a general election. Things were much better than expected. All were done by hand, nothing was supplied by Sequoia for the hand count.

  • Allan and John will be attending the AEI-Brookings Election Reform Project on Friday September 22nd from 8:30am - 12:30pm, located at the Wohlstetter Conference Center in Washington D.C. Charles Steward of MIT is one of the panelists. Allan will send around URL for conference. A representative of ESI will be there and they hope to get some good information about how VVPAT systems performed.

Updated Cryptography Section - Nelson Hastings

  • Nelson did not make any changes to the text of the requirements; the main reason that he wanted this on the agenda was to show the final format (which is in question). [John - Some things may change on the format, but the structure should remain the same.] Wanted to point out that short titles have been added before requirements. We have a couple of "applies to" fields, as well as a test reference field.

  • Ron: Looks nice. Also source and impact fields? [John W: Source is basically a reference for the requirement. Impact is an internal field saying what is the impact of this requirement to existing technology and existing systems. Not sure this field is necessary.]

  • John W: Usage of glossary terms and how they should be used in the text. In the "requirements" text we should probably link each use of the glossary term to the glossary. Consistency of usage needs to be clear.

  • Nelson: The other thing is about security documentation. Wanted to look at a couple of examples in the cryptography requirements of documentation requirements and see if they meet Ron's expectation. [Ron: Do we have a definition for security services? Nelson - Section 2.1. We need to make sure how those services get used are also discussed. And also about encryption security cards.] Nelson would like Ron to look at this section and let him know if there is anything he feels is not covered in the documentation requirements.

  • Ron: We need to think about what we want the vendor to provide, everything from the declared security objective, policies for the machine, how to configure, what security mechanisms there are and how they work, and then to justify to the evaluator the architecture and the rationale for the machine.

  • Nelson: If it is determined that the security documentation provided in the cryptography document meets our needs, should they be kept in that section or pulled out separately. [Ron: A security document as part of the evaluation package is important. Ron's opinion is that all the security regulations should be done in a larger combined document and refer to other things as necessary. We need to give guidance to vendors about what can be expected as far as structure of the documentation. Not just a list of items that need to be there.]

  • John K: Should there be a section regarding the security documentation with links throughout the document where it states that it imposes this additional documentation? Sections that state what the requirements for the technical documentation are? Throughout should there be statements that say in order to meet the security documentation this is what you need to do? [Ron feels that having the security documentation together might be the right way, but this is open for discussion.]

  • David F: In the outline that we're following, within the chapter on user documentation, there is a distinct section on security documentation requirements where these types of documentation would go. [Ron: User documentation means poll workers, voters, and election officials? David: It means the customer. However it is also included in the technical data package.] With the outline, all requirements could be moved into the chapter on user documentation, and they could be cross referenced with the security requirements section. The security documentation would be a chapter within the user documentation. [Ron: There may be other things regarding security that the user doesn't see, having to do with the internal architecture and the structure of the machine.] Maybe there should be a separate section for the TDP. [John K: Seems like these would be two completely different things for the users and the test labs.] [Ron: There needs to be evaluation to make sure the user is being adequately instructed.]

  • [John W: As far at the documentation that should go to the labs, was there a questionnaire? ] Ron will dig it up and revisit it as a checklist for the vendors, making sure they extend the level of detail we're looking for. The vendor needs to know that the default for the system is insecure and it will only be deemed secured when it goes through all the requirements. The burden of proof is on the vendor for security. Ron will turn this into a better organized list. Maybe we can all generate questions we'd like the vendor to answer.

Threat Overview and Threat Tree

  • John K sent around something. We've been looking at outline to see what the components met. We weren't sure what we needed to write, so he took a stab and that is what he sent out. Part 1 is a draft threat overview.

  • We have the Brennan Center report. Is the vision here that we need more into material?

  • JK: We have two sections, the threat overview and the threat tree that are here to set the tone of how we're thinking about the threats at a high level. The big thing John wanted to do with the overview was describe the type of categories of threat we cared about, and how we think about these attacks; what we mean when we talk about an attack on a voting system, who are potential attackers and what kind of budget they have. [Ron: This is just informational for the reader, cluing in the vendor about how each of these threats can be dealt with.] The overview is not normative, neither is the threat tree. There are no "shalls" in the threat tree. [Ron: The benefit is to educate the reader about why the security requirements are there. Some of the requirements may link back to this.] John doesn't have a good intuition how this is all going to fit together.

  • John Wack thinks the introduction of the VVSG would be a good place to put controversial topics because it would be more accessible. This may be a good place to discuss these threats. We at NIST should talk about this before going further.

  • Ron: In terms of writing various security requirements, do we have a policy for tying them to particular threats or providing a justification for the requirements or to the higher level security? John Kelsey does not see the logic of tying each requirement to a threat. John Wack thinks that it might be a good idea to have the introduction state something about how the requirements might prevent certain groups or types of threats. In the discussion field we might be able to do traceability. Thinks doing the introduction this way would be very useful.

  • David F: The same things we're seeing here, could be used on the requirements for the security documentation to require vendors to explain how your system prevents each of these classes of attacks.

  • Ron: We just want to make sure that vendors explicitly considers voter attempts to subvert his own privacy.

  • John K: It's worthwhile to point out these classes of attacks and to go into a little more detail in the attack tree, but concerned about requirements that say demonstrate how you prevent the broad attack of subverting the election. Multiple requirements you want to uphold because they prevent multiple kinds of attacks.

Security and Audit Architecture

  • John K: I don't feel like I know what we need to accomplish with this section. This is just a first take to see how others felt. We need to discuss architectural profiles on the different type of voting systems to make sure each piece of the voting process can be audited.

  • David F: One of the first questions to answer is, which kinds of auditing are you concerned with? Not only that the recorded votes were counted correctly but also that the votes that were intended to be cast by the voter were recorded correctly. Some of the specific designs we have only accomplishes one or the other. If you're auditing for all the above, then that will determine your responses. [John K: should audit for the full correctness of the system, so that final vote totals are substantially correct.] Where does ballot accounting fit in? [John K. would expect that to go in this section. They assumed that the poll books were part of the auditing trail. It was disconcerting to see that both the electronic poll books and DREs were from same manufacturer.]

  • John Wack: The electronic poll book that he used wrote to the smart card that activated the ballot. [Ron - they're called voter activation systems]

  • This section is all about auditing even though we divided it into a separate section. Thought the audit section should be about audit longs and audit trails and how to accomplish the auditing technically.

Voting Activities Section:

  • David F.: In the outline for VVSG 07, there's one major chapter regarding general requirements that seem to apply globally throughout the voting process. Following is another large division of requirements by activity that goes chronologically throughout election day with requirements that are more specific to the individual activity than the voting process.

  • Ron: You need to divy up type of audit material. You need to organize the auditing section by the information you want to have available after the election to do any kind of checking. [John K: It's not enough to specify the information has to be produced, you also have to specify how its going to be used and make sure the architecture of the voting system supports that.] The high level goal here is to make sure we have some kind of coherent organization discussing the various kinds of auditing that can be done, what the information is that is produced, what the procedures are, how the audit information gets protected.

  • John K: We don't have to specify what the procedures are, but we do have to specify that what they do, like audit this against this.

  • John W: In the threat overview, you'd have to reference various type of audits as addressing some of the threats but was wondering about a section that says these requirements exists to support the following types of audits.

White Papers

  • Possibly on VVPAT. Privacy requirement in effect won't permit paper rolls. New VVPAT requirements versus old.
  • Possibly another on 8022 wireless.
  • John Kelsey has concerns that asking someone to do white papers at this point would be a bit much as everyone already has enough deadlines.
  • Group should come up with a list of major controversial items. This will be a dynamic list.

Next scheduled meeting; Tuesday, October 3rd at 10:30-11:30

Meeting adjourns at 11:45


Teleconferences from 2004, 2005, 2006 and upcoming in 2006.



Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department