VVSG 1.1, Vol 1, Requirement 7.7.1: Controlling Usage
a. If wireless communications are used in a voting system, then the manufacturer shall supply documentation describing how to use all aspects of wireless communications in a secure manner. This documentation shall include:
Discussion: In general, convenience is not a sufficiently compelling reason, on its own, to justify the inclusion of wireless communications in a voting system. Convenience must be balanced against the difficulty of working with cryptographic keys.
b. The details of all cryptographic protocols used for wireless communications, including the specific features and data, shall be documented.
c. The wireless documentation shall be closely reviewed for accuracy, completeness, and correctness.
d. There shall be no undocumented use of the wireless capability, nor any use of the wireless capability that is not entirely controlled by an election official.
Discussion: This can be tested by reviewing all of the software, hardware, and documentation, and by testing the status of wireless activity during all phases of testing.
e. If a voting system includes wireless capabilities, then the voting system shall be able to accomplish the same function if wireless capabilities are not available due to an error or no service.
f. The system shall be designed and configured so it is not vulnerable to a single point of failure using wireless communications that causes a total loss of any voting capabilities.
g. If a voting system includes wireless capabilities, then the system shall have the ability to turn on the wireless capability when it is to be used and to turn off the wireless capability when the wireless capability is not in use.
h. If a voting system includes wireless capabilities, then the system shall not activate the wireless capabilities without confirmation from an elections official.
Test Assertions
TA771a-1: IF a voting system uses wireless communications THEN the manufacturer SHALL supply documentation, in the TDP, describing how to use all aspects of wireless communications in a secure manner. This documentation SHALL include, but not be limited to:
TA771ai-1: This documentation SHALL include, but not be limited to, a complete description of the uses of wireless in the voting system.
TA771ai-1-1: The complete description of the uses of wireless in the voting system SHALL include descriptions of the data elements that are to be carried by the wireless mechanism.
TA771ai-1-2: The complete description of the uses of wireless in the voting system SHALL include descriptions of the control signals and/or commands that are to be carried by the wireless mechanism.
TA771aii-1: This documentation SHALL include, but not be limited to, a complete description of the vulnerabilities associated with this proposed use of wireless.
TA771aii-1-1: These vulnerabilities SHALL include, but not be limited to, vulnerabilities deriving from the insertion of wireless messages.
TA771aii-1-2: These vulnerabilities SHALL include, but not be limited to, vulnerabilities deriving from the deletion of wireless messages.
TA771aii-1-3: These vulnerabilities SHALL include, but not be limited to, vulnerabilities deriving from the modification of wireless messages.
TA771aii-1-4: These vulnerabilities SHALL include, but not be limited to, vulnerabilities deriving from the capture of wireless messages.
TA771aii-1-5: These vulnerabilities SHALL include, but not be limited to, vulnerabilities deriving from the suppression of wireless messages.
TA771aiii-1: This documentation SHALL include, but not be limited to, a complete description of the techniques used to mitigate the risks associated with the described vulnerabilities.
TA771aiii-1-1: These techniques SHALL include, but not be limited to, techniques used by the manufacturer to ensure that wireless cannot send messages other than in those situations specified in the documentation.
TA771aiii-1-2: These techniques SHALL include, but not be limited to, techniques used by the manufacturer to ensure that wireless cannot receive messages other than in those situations specified in the documentation.
TA771aiii-2: ALL cryptographic techniques SHALL be comprehensively described in the TDP.
TA771aiii-3: This documentation SHALL include, but not be limited to, a complete description of the basis of the technique with respect to:
TA771aiii-3-1: Cryptographic techniques SHALL include, but not be limited to, a description of cryptographic key generation.
TA771aiii-3-2: Cryptographic techniques SHALL include, but not be limited to, a description of cryptographic key management.
TA771aiii-3-3: Cryptographic techniques SHALL include, but not be limited to, a description of cryptographic key use.
TA771aiii-3-4: Cryptographic techniques SHALL include, but not be limited to, a description of cryptographic key certification.
TA771aiii-3-5: Cryptographic techniques SHALL include, but not be limited to, a description of cryptographic key destruction.
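The five message-level threats enumerated under TA771aii (insertion, deletion, modification, capture, suppression) and the mitigation and key-lifecycle items under TA771aiii say what the TDP must describe, not how such a mechanism is built. The following Python sketch is an added illustration and is not part of VVSG 1.1 or of any manufacturer's TDP. It shows a receiver that rejects inserted or modified frames (authentication tag), rejects replay of captured frames and flags a gap where frames were deleted (sequence numbers), detects suppression of the whole link through a liveness window (so the non-wireless fallback of 7.7.1 e can be invoked), derives per-session keys from a master key, and destroys them when the session ends. It uses only the standard library; the HMAC-in-counter-mode keystream stands in for a vetted AEAD such as AES-GCM, and every name, the frame layout, the session identifier, and the sample messages are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # full HMAC-SHA256 tag
HEADER = struct.Struct(">IB")     # sequence number (uint32), message type (uint8)
SEQ_MAX = 0xFFFFFFFF


class SessionKeys:
    """Per-session encryption and authentication keys derived from a shared
    master key and a session id (illustrates key generation/management)."""

    def __init__(self, master_key: bytes, session_id: bytes):
        self.enc = bytearray(hmac.new(master_key, b"enc|" + session_id, hashlib.sha256).digest())
        self.mac = bytearray(hmac.new(master_key, b"mac|" + session_id, hashlib.sha256).digest())

    def destroy(self) -> None:
        # Best-effort key destruction: overwrite the key material, then drop it.
        # Python cannot guarantee zeroisation of all copies; a real system would
        # keep keys in a hardware module or locked memory.
        for k in (self.enc, self.mac):
            for i in range(len(k)):
                k[i] = 0
        self.enc = self.mac = None


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # PRF (HMAC-SHA256) in counter mode, keyed per frame by the sequence number.
    # Stand-in for a real AEAD; never reuse (key, seq) for two different payloads.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, keys: SessionKeys):
        self.keys, self.seq = keys, 0

    def seal(self, msg_type: int, payload: bytes) -> bytes:
        if self.seq >= SEQ_MAX:
            raise RuntimeError("sequence space exhausted: re-key before sending")
        self.seq += 1
        header = HEADER.pack(self.seq, msg_type)
        ct = _xor(payload, _keystream(self.keys.enc, self.seq, len(payload)))
        tag = hmac.new(self.keys.mac, header + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return header + ct + tag


class Receiver:
    def __init__(self, keys: SessionKeys, liveness_window: float = 5.0):
        self.keys, self.last_seq, self.last_seen, self.window = keys, 0, None, liveness_window

    def open(self, frame: bytes, now: float):
        """Return (status, msg_type, payload); status is 'ok', 'ok_gap' (earlier
        frames were deleted or suppressed) or 'rejected'."""
        if len(frame) < HEADER.size + TAG_LEN:
            return ("rejected", None, None)
        header, ct, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.keys.mac, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # insertion or modification
            return ("rejected", None, None)
        seq, msg_type = HEADER.unpack(header)
        if seq <= self.last_seq:                        # replay of a captured frame
            return ("rejected", None, None)
        status = "ok" if seq == self.last_seq + 1 else "ok_gap"   # gap => deletion
        self.last_seq, self.last_seen = seq, now
        return (status, msg_type, _xor(ct, _keystream(self.keys.enc, seq, len(ct))))

    def link_alive(self, now: float) -> bool:
        # No authenticated frame inside the window: treat the link as suppressed
        # or unavailable and fall back to the non-wireless procedure (7.7.1 e).
        return self.last_seen is not None and now - self.last_seen <= self.window


def demo() -> dict:
    """Constructed exchange exercising each TA771aii threat class."""
    master = hashlib.sha256(b"constructed master key, not a real one").digest()
    sid = b"precinct-07/session-1"
    tx, rx = Sender(SessionKeys(master, sid)), Receiver(SessionKeys(master, sid))
    f1, f2, f3 = (tx.seal(1, b"ballot-count=%d" % n) for n in (17, 18, 19))
    r = {"genuine": rx.open(f1, now=100.0), "replay": rx.open(f1, now=101.0)}
    tampered = bytearray(f2)
    tampered[HEADER.size] ^= 0x01                       # flip one ciphertext bit
    r["modified"] = rx.open(bytes(tampered), now=102.0)
    r["inserted"] = rx.open(HEADER.pack(2, 1) + b"xx" + bytes(TAG_LEN), now=103.0)
    r["after_deletion"] = rx.open(f3, now=104.0)         # f2 never arrived intact
    r["alive"], r["suppressed"] = rx.link_alive(105.0), rx.link_alive(120.0)
    rx.keys.destroy()
    r["keys_destroyed"] = rx.keys.enc is None and rx.keys.mac is None
    return r
```

Usage: `demo()` returns the outcome for each threat class; a genuine frame opens with status `ok`, the replayed, modified and forged frames are rejected, the frame after the lost one opens with `ok_gap`, and `link_alive` turns false once the liveness window elapses with no authenticated traffic. The sequence-number check also means an attacker who suppresses frame n and later releases it gains nothing once n+1 has been accepted.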
TA771aiv-1: All rationale for the inclusion of wireless in the proposed voting system SHALL be comprehensively described in the TDP.
TA771aiv-1-1: This documentation SHALL include descriptions of the basis of the rationale with respect to:
TA771aiv-1-2: This rationale SHALL be based on a comprehensive description of the perceived advantages and disadvantages of using wireless for the documented uses compared to using non-wireless approaches.
TA771b-1: IF a cryptographic protocol is used for wireless communications THEN its details SHALL be documented.
TA771b-1-1: These details SHALL include, but not be limited to, what the protocol is (cite or provide the relevant standard or specification that describes this protocol).
TA771b-1-2: These details SHALL include, but not be limited to, how the protocol is used.
TA771b-1-3: These details SHALL include, but not be limited to, any optional features or “protocol extensions” implemented by the voting system’s use of the protocol.
TA771b-1-4: These details SHALL include, but not be limited to, specific data implemented by the voting system’s use of the protocol.
TA771c: NOTE: This is not a manufacturer requirement. Therefore, there are no related assertions.
TA771d-1: All usage of the wireless capability SHALL be documented in the TDP.
TA771d-2: Voting systems SHALL allow election officials to control any use of wireless communications.
TA771e-1: IF a voting system includes wireless capabilities AND the wireless capabilities are not available, whether due to an error OR due to the absence of service, THEN the voting system SHALL be able to accomplish the same function that was being accomplished by the wireless capabilities.
TA771ei-1: For all functions that are carried out by wireless capabilities, the manufacturer SHALL provide documentation, in the TDP, that explains how to accomplish these functions when wireless is not available.
TA771f-1: The voting system SHALL be designed so that when using wireless communications it is not vulnerable to a single point of failure that causes a total loss of any voting capabilities.
TA771f-2: The voting system SHALL be configured so that when using wireless communications it is not vulnerable to a single point of failure that causes a total loss of any voting capabilities.
TA771g-1: IF a voting system includes wireless capabilities THEN that system SHALL have the ability to turn on the wireless capability when the wireless capability is to be used.
TA771g-2: IF a voting system includes wireless capabilities THEN that system SHALL have the ability to turn off the wireless capability when the wireless capability is not in use.
TA771h-1: IF a voting system includes wireless capabilities THEN that system SHALL activate the wireless capabilities ONLY after obtaining confirmation from an elections official.