Agenda:
Participants: Allan Eustis, Barbara Guttman, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Quynh Dang, Ron Rivest, Sharon Laskowski, Wendy Havens Administrative Updates:
Preview/Review of Draft Presentations: John Wack had suggesting rearranging topics on the agenda. The current flow of the agenda was captured as follows (discussion points that were addressed regarding each are also included):
What happens to grand-fathered systems, such as the closed box DREs? This should be discussed at beginning of meeting. It deals with all 3 subcommittees - Mark should discuss at beginning of meeting. There may be objections because people may think that what we have now in the paper machines may be the best we can do - there are lots of improvements that can be made - it needs to be built from the ground up to work appropriately. The main point of this meeting is to be able to go out and write requirements for VVSG 07. Presentations will be circulated around to STS members for vetting before meeting. Other Items:
Action Items:
************* |
Agenda:
Participants: Alicia Clay, Allan Eustis, Angela Orbaugh, Barbara Guttman, Bill Burr, David Wagner, Helen Purcell, John Kelsey, Nelson Hastings, Quynh Dang, Rene Peralta, Ron Rivest, Wendy HAvens Administrative Updates - Allan Eustis:
SW Independent/Dependent and Innovation Class Presentation Details - Bill Burr Plan to advocate developing a process where we can address an innovation class of voting machines that would include end-to-end, and possibly IV, solutions. The reason for a process instead of requirements is that (we) don't feel we're ready to write the kind of requirements that would be used for a test lab process except for very particular designs that would cut off innovation in an area that has hardly begun to develop. The discussion will be about what that process will look like and when we'll have an outline for it, and who will be responsible for organizing it. This (evaluation panel) depends on experts doing it. There will be a lot of issues how this is put together, panel members - paid, FACA? Who will be motivated to put together a credible proposal and what is our role? This will be a recommendation put forth. It is an EAC decision to implement and run the panel/group. The evaluation process demands a high level of expertise. It is important to get a good panel, and this should be discussed. The process from the vendor's point of view: is it a one shot demand to build a credible system with the new innovation or is there an introductory period to get buy-in to a general idea of a new development. Maybe this should be done as a grant process to develop the new technology. [NOTE: EAC is going to Congress to get authority for certain things like collecting money and assigning it out. Also to assign vendors to certain labs.] Innovation class evaluation models were discussed: First one looks like an AES competition followed by the FIPS module evaluation. Second model looks like FDA (clinical trial) approval. A couple of states have talked about doing pilots with new systems. There are costs for the vendors in developing new hardware; and cost for the experts evaluating them. Patents were discussed - if a vendor comes up with new technology, they may want to patent it so other vendors are not able to start with their work. Opinions were expressed that this shouldn't be a competition, but maybe it should be a qualification process. Question came up about whether there should be a competition for the cryptographic algorithm protocol that the academic could do, and then once appropriate algorithms or protocols from that competition, you let the business community pick up from there. An interesting discussion on examples, possibilities, and processes for how this would work took place, taking into account some entirely new technology and also changing existing profiles. The innovation class model may want to be done also at a minor level taking into account machines that were pre-certified but have enough new variations to warrant a review. We want to keep in mind that we created this innovation class for a specific reason. For the December meeting, we should get agreement from the TGDC that this is a good direction to proceed in and then when the standard comes up for review in four years, we can look into how to expand on the innovation class or how to expand on existing profiles. It still has to be determined if we can lay out a process for the innovation class by July. Consensus seemed to be that it could be done. We need criteria for when the project begins. We have to have barriers for people to enter the grant competition so we only get credible proposals. Systems would still have to go through ITA/VSTL for testing, but they would have to go through a special security panel to make sure they meet security requirements. There needs to be a review of the design and implementation at some time. For things where we can write testable requirements, the test labs will be able to evaluate systems. When we get into innovation class, we won't be able to write requirements that are testable, i.e., the crypto protocol or an IV system. [Testing labs hire contractors, and they should be able to hire the experts that could do the evaluations. A lot of pressure is on the manufacturers to do the testing, part of the process is getting independent reviews and tests of new systems.] For the December meeting we're looking for their approval to proceed in this direction, and we will provide them with a process in VVSG 07. Is the process specified in the standard or separate (in July as well)? There must be a path within the standard that tells you where the process is - we may have to leave some details vague. There should be no mention of possible grants. We need to start having some substantive discussions with EAC about what should be in the standards and what should be outside the standards. We're looking for buy-in from the TGDC in December and if it goes in the final for VVSG 07 it could be determined that the EAC will work with NIST to come up with the process. STS should draft a resolution for the December meeting saying that TGDC supports the innovation class and asks NIST to develop the process. STS Agenda Items for December TGDC Meeting Presenters are still being decided for each section of the agenda. #1 - Restructuring the security components of VVSG 2007 (very high level discussion) (30 min)
#2 - Position on SW dependent systems and the innovation class alternative (white paper posted) (90 min) #3 - Significant changes in requirements (60 min)
There should be good abstracts/summaries at the beginnings of all our white papers. Papers are due to Allan by Wednesday, November 22, cob. Slides to Allan by Wednesday a.m., November 29. John Wack to send email about developing standards for software IV, some NIST staff feel we could/should be doing more work, and some disagree. This issue should be discussed before meeting. Some EAC members feel we should be forthcoming with more requirements for this class. John Kelsey needs to be ready to discuss. Charter for TGDC runs through June 2007. Next meeting, Tuesday, November 28, 2006.
Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ********** |
Security and Transparency Subcommittee (STS) Conference Call Agenda:
Participants: Alicia Clay, Allan Eustis, Bill Burr, David Flater, David Wagner, Commissioner Donetta Davidson, Helen Purcell, John Wack, Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokhani, Sharon Laskowski, Steve Berger, Wendy Havens Administrative Updates:
Review of EAC/NIST/TGDC Meeting on November 13
Software Independent/Dependent Path Forward We seem to be making good progress for the December TGDC meeting. We don't support software dependent systems, so black box DREs will not be certified. But there is the innovation class if someone has something new. How do we best move forward with this thrust at the meeting? We have the paper John is revising. Do we need a resolution? Ron will be making a presentation at the meeting. We need to determine what is the best approach? John: From an engineering point of view, the DRE architecture is not something we should put forth. The threats say this is not a good architecture. In general, it was something rushed to the market and does not have an audit trail. That is the reason we should give for not going this route in VVSG 07. Not suitable for the future. Bill B: Accepting stand alone DREs is saying that security is not very relevant. The system should be designed from the ground up to be audited. If you accept these DREs as is, your avoiding the possibility of errors or the possibility of someone manipulating the code. Barbara: In the context of error, in regards to the situation in Sarasota, FL, 18,000 votes may have been lost. This is where doing forensics on the machines becomes important. After the analysis, it might be interesting to use in our presentations. Paper trails may not have helped in this situation. However, we don't know what happened. Patrick is in Sarasota. Each county designs its own ballot. Is this a software problem or a ballot design problem? What are we doing in this committee that could have helped? If it was a software glitch, definitely the stuff on software independent would; whether the setup validation should be written in a way that's useful for post election checking. John K: Is there a process in various states to look at the machines in a forensics way, take them apart? Donetta feels that could wipe out election results if they didn't know what they were doing. Need to do examination like computer/criminal forensics. States have nothing set up. What happens if L&A tests pass before election but fail after? Answer- Review of whole election. In getting back to TGDC, it looks like we can come up with good reasons why we're not writing requirements for stand-alone DREs. What are we going to do with the requirements (high-level or not) for the IV systems? Propose we have requirements to certify against or build against? If someone wants to propose a software dependent system like IV, it must go through the innovation class mechanism for evaluating. EAC is looking at this committee for leadership trying to architect approaches within the class of IV that people can build to. This may be hard for this committee to do. However, there is an expectation on this subcommittee that we try to clarify our feelings and technical issues with this area and try and position the IV system somehow so that someone could propose a system in this area and what kind of architecture fits. The innovation class is hard to design. We can not shut the door and say the paper is the way we're going to go. There are continuing problems and issues. Having it as the only thing would be bad, but having it as a check on the electronic record is very viable approach. What we're saying is right now what we know is how to write standards for are paper systems if we want them to be auditable. We would like to write them for electronic and end-to-end systems but we don't know how to do that yet. Ron thinks we can do high level for both, David for end-to-end, challenging but feasible, IV impossible. Rene Peralta disagrees, he thinks we can write specs for IV. John W: Good for December meeting to get the points across and maybe come with some high level requirements, but writing them by the meeting may be impossible. Maybe a short white paper. Alicia: If we go into the Dec. meeting with requirements for paper, and high level requirements for systems we're putting in the innovation class that we're not going to be certifying against, we will be saying people have to use paper. Ron thinks even if the requirements are high level for the innovation class , there will be a rigorous process for achieving certification. It sounds like we're saying the door is open for other systems, but not very far. It could be a 5 or 10 year process. From the time a vendor designs, builds, tests to go through our process which is probably not going to be a quick process. Donetta: Have you talked to the vendors to see about the future to see if they plan to come up with a different type of voting system at various levels of abstraction. The vendors think that VVPAT is not the way to go, that the DRE architecture is fine. We should be looking at secure system approaches to building better DREs. Not looking at other forms of IV. To build a secure system out of a functionally insecure architecture, you'd have to start from scratch. We're giving the vendors limited amounts of freedom, limiting the available options to the vendor, specifically printers, there's a lot we can do about what printing technology would hold up to this use scenario. It should be easy to do a solid audit trail - we should be able to do something that would record keystrokes off the machines. John W: Strategy was agreed at last conference call, which is what we briefed Bill Jeffrey on. Much confusion on our strategy after EAC/NIST/TGDC meeting on Monday. Innovation class versus the IV class. Certification path for the innovation class was agreed upon. Hearing agreement about IV, Ron and David feel not worth going down, others disagree. Feels there should be discussion at TGDC meeting why IV is difficult. Software dependent machines much have very strong requirements. John Kelsey would be able to discuss proof of concepts at the TGDC meeting. Bill B: If we go in with an absolute notion of software independence and an absolution notion of voter privacy and secret ballots, can we develop systems that do both? David W: YES. These things can be done, they're challenging but can be accomplished. Is it possible to get an end-to-end system certified now if you showed it couldn't be worse than a certified system? Risky. Agenda for December TGDC Meeting STS has three hours. Draft agenda as proposed after discussion: #1 - Restructuring the security components of VVSG 2007
#2 - Position on SW dependent systems and the innovation class alternative #3 - Significant changes in requirements
Meeting Concluded: 12 Noon.
Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ************* |
Participants: Allan Eustis, Angela Orbach, Bill Burr, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Quynh Dang, Rene Peralta, Ron Rivest, Steve Berger, Wendy Havens Administrative Updates:
Priorities - Ron Rivest
Topics for December? Yes. End-to-end crypto systems as well? Maybe. Are we going to introduce resolutions for all these? Wireless - if appropriate. Security Documentation already in resolution. Setup Validation - maybe not necessary. Major confusion about deliverables and requirements that are due for VVSG 2007. We need test bases to implement standards we have more than revised standards. Committee has been operating under the assumption that July 2007 is the target date new sets of resolutions and requirements to replace 2005. Memo sent out last summer discussing purpose of TGDC. EAC wants TGDC to do what is best and will secure the election system. This is what STS has been discussing, and software dependent systems have come to the top as having extreme risk. We do not have adequate tools today to validate that the equipment being used is the same that is being certified. The certification process is incapable of ensuring there are not critical bugs. We need better information flow and coordination between state's vigorous evaluation process and federal process and requirements. Could use TGDC help, but may be out of our scope. Maybe TGDC could identify where redundant independent testing adds value and where it doesn't - especially open ended testing with security. As far as December meeting priorities, there appears to be concern with banning software dependent machines - primarily for transition. We also need to think about the public confidence message we send. We need to show them that people are working to improve the processes. If drivers of deployment are economic we may not do any better with deploying non-broken systems than last time. Some machines are easily certified within current resources, others are much more expensive. No amount of money would help us completely evaluate software dependent systems. We are trying to develop a class of systems that can be certified with the resources available. If there are no funds provided to the states from the federal government, it will be difficult for the jurisdictions to make significant improvements. Members thought we were looking at 2007 to give guidelines to vendors and officials where we were going to go. Transition plan. Current systems are grand-fathered. When buying new systems after 2010, then you'll have to choose from the ones that are certified. The TGDC was not tasked to make plans and regulations for grand-fathering systems, however, should keep that in mind when making changes. Each subcommittee will get about 3 hours to present at the December 4 and 5 TGDC meeting. An hour for resolutions will be at the end. End-to-end Systems Bill Burr had passed around a note and there has been some email discussion about this topic. If we're talking about a whole class of innovative systems, the most interesting comments were on the process. If we're talking about end-to-end systems being software independent, David's requirements has that all code had to be public to certify such systems. If we have software independence, end-to-end, Bill's not sure why we have to do this. [David: The evaluation process has to determine whether the system is indeed software independent (checking crypto protocol implement properly). Evaluation has to be done by someone, and the best way to do that is have a security evaluation panel to evaluate security issues and to make sure that panel is not structured the same as the testing labs. Ron: The current feeling of manufacturers may be reluctant to reveal their source code because of how it's written, while manufacturers that are writing newer code with more knowledge on it might be more agreeable. Fear of disclosing code because of trade secrets.] There's no logical requirement that the code be public because you're not dependent on that code. [John K disagrees. Because you have to have some way to verify that the code in the machine is actually implementing the protocol you think it's implementing, making sure it follows the rules, making sure it doesn't violate voter privacy or giving out information so an attacker can buy votes, and you have reliability issues.] Not having the source code does not mean you can't validate the election. We don't want to spend duplicate money for doing the software evaluation for end-to-end voting systems the same as you do for the closed boxed DREs. Should we be drafting separate class and requirements for that class for end-to-end systems or whether we should lump it into a larger innovation class and provide for new systems to be included in that? What else will be in the class? VVPAT, paper opscan, fraud-like opscan device. David Wagner: What are the 3 biggest things we could be doing to improve security. 1) Mandating software and hardware independent voting systems (banning ones that are software dependent), 2) instituting some kind of security evaluation process, and 3) source code disclosure. Those are in priority order, so the first one is the one I would want most. Bill's paper was meant to be a short introduction, to sell the concept. Would like to have Bill Jeffrey read this as well as the 3 ballot paper. David Wagner agrees with model, just suggests changes in the evaluation process. Bill: How do we cope with the new public crypto key systems that are being pushed for federal use? A lot of process things we need answers to. A paring based crypto system. It's not obvious that using a government approved crypto system is so important. Technology is evolving and we'd like to have some kind of strong evaluation process. Innovation class is open. If someone can make software dependent systems work, we'll listen to them. The evaluation process only validates that the systems are certifiable at some high level of security. With the new innovation classes, we need to provide a lot of publicly disclosed information. New innovation class would definitely have a generic high level state of requirements. More specific requirements would be architecture dependent. HAVA requires that standards be examined every four years. There needs to be some sort of change process for adding modules. Maybe we should mention this at the December meeting. We may need to update the VVSG on a continuing basis. Under new model, the way to have an IDV system certified is to go through the new innovation process we're discussing. We need to get the high level requirements right, and then the vendor could design something and bring it to the table. We need manufacturer push instead of NIST pull on this stuff. States should ask if there are classes that are not currently on the market that they would like to see. Bill needs to write section at the end to invite vendors to write proposals and that the burden would be on them. We need to have a budget set aside to support innovation. For either evaluation process or for people designing new innovations. NIST needs to stay away for designing. We should be looking at the evaluation process. We need to have as much discussion as possible with the TGDC before the December meeting. Will there be an issue about whether or not we need to write VVSG 07 or whether we should be looking at other testing issues instead? Steve believes that will be the case, and thought that was already settled. Steve please send out his last summer memo regarding this issue. When you talk about TGDC not doing design work, I agree. But please elaborate exactly what you mean. When talking about design election mark up language for IDV or the protocol between devices, or pairing classes is inappropriate for this committee. Steve things that when discussing interfaces that work reliably, not doing a complete system. This should be a continuing discussion about interfaces. This also goes to software, and better firewalls. This is a huge issue if the TGDC members decide to do something besides the VVSG 2007. We need to discuss this! Next meeting is Thursday, November 9, 2006. Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ************ |
Security and Transparency Subcommittee (STS) Teleconference Tuesday, October 17, 2006 Participants: Alicia Clay, Allan Eustis, Barbara Guttman, Bill Burr, David Flater, David Wagner, Rene Peralta, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Patrick Gannon, Quin Dang, Ron Rivest, Wendy Havins Agenda: 1) Administrative Updates 2) Summary of October 7th administrative meeting 3) Discussion of proposal for voting system key management 4) Other Items 5) Next call Tuesday, October 31, 2006 at 10:30AM. Administrative Updates:
Summary of October 7th Meeting
Discussion of proposal for voting system key management Proposal from Bill Burr on key management and crypto models. The module uses or generates the following data elements:
David Wagner points out that we haven't dealt accurately with the threats that this is intended to meet. That's because Bill thought the overall threat discussion belonged a level above this proposal. How much overall responsibility is the crypto module and how much is the machine that houses it and the overall structure? The write-up was written to apply to a whole family of voting machines. Suggestion from David Wagner: Append a nonce to each signature. That implies that the whole record to be signed into the crypto module and let it generate the hash with the random number and sign the whole quantity. This would encapsulate more of the security protections in the crypto module. David Wagner's comments, which were shared among the STS subcommittee were discussed. David W: This is a good idea. A lot of our machines depend on use procedures and physical security handling procedures to ensure chain of custody and this would help reduce the amount of dependence on that. On the spectrum between specifying requirements and specifying a particular design this may reduce flexibility if we standardize on this one particular scheme. [Ron feels that for crypto, we may want to be more specific on the performance requirements than the design requirements, although it's very hard to get the crypto designs right.] While performance requirements are better, they are harder to write and much harder to test. While we're building, we should use design requirements. Hopes that exact formal specifications for the bits that the crypto module generates should be standardized. Threat models - missing a clear statement to what the threat model you're trying to defend against and what are the security goals that you are trying to guarantee. There's a broad level of ambition, it needs to be thought through clearly. This scheme will defend against some, not other, so we need to know what we're trying to defend against. Once we have electronic records and electronic signatures, this should be an easily solved problem. No matter what else we do, we need to solve threats one and two, to make sure the records are safe from the time they leave the voting machine til they’re reported in the final total. This would get us closer to a requirement oriented spec, the requirement being that the mechanism needs to defeat all those threats. [Ron noted that the draft did not say anything about verifying signatures -- that needs to be clarified.] [John K to send out a paper which covers this topic.] These threats s should be in a suitable format for web posting should laws and other considerations allow it; trying to push for a publication in general is outside our mandate. Question about requirement to export electronic cast vote records in some form of interoperable format, we've talked about EML; if they're signed, is there any way to do that and preserve the validity of the signature? Yes. Should we standardize, it would be simpler? The format of all the data signed should be disclosed by the vendor. We could say that vendors had to use a defined interoperable format. Or the specs could be published in specific detail so that someone could re-implement something to parse those records to understand what they mean, and one way is to have the vendor provide a translator from their internal format to EML. John Kelsey is to send questions to Patrick Gannon in regards to what specifically we can do with EML. Patrick will forward and to elections committee that worked on EML and get back to John. In addition for the cast vote records, format for audit log information plus zero tape and summary tape contents should be signed. All information coming out of the voting machine to produce an audit should be in a public format – you should not have to use vendor software to audit vendor software. A certificate chain (of custody) needs to be incorporated and checkable because the machine will be signing off on the election key and the election key is signing off on the records. Question to David about whether all the information in the proposal is good, but maybe it need to be a "should" requirement. One argument for this being a "should" is that this isn't necessary for the security of the machine - it would improve it by reducing the dependence on the chain of custody and physical security. Our goal in VVSG 07 is to have a set of minimum requirements -- and those should be “shalls”. All we can say is how the equipment shall be built – we can not tell election officials how to run their elections. Signatures provide a security measure when used on both paper and electronic because there is s a check factor between the two. Digital signatures are a low cost added security feature. [Ron want to push for digital signature and signature verification.] Should be push for signatures to be a “should” in hardware? Protection should be on the signing key. Without putting the hardware security there, it would be too easy for them to be compromised. We have a patches issues, any software that's put on the machines should be signed as well. This should be discussed further via email and then debate again about shoulds and shalls. Should we append a random number to each signature? It should be provided at the hardware level. Next meeting Tuesday, October 24, 2006 at 10:30 a.m. Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ******************* |
STS Teleconference The meeting commenced at 10:00 a.m. Agenda:
Participants: Alicia Clay, Allan Eustis, Anoop Singhal, Barbara Guttman, Bill Burr, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Patrick Gannon, Quin Dang, Rene Peralta, Ron Rivest, Thelma Allen, Wendy Havens, David Flater Administrative Updates:
Discussion of paper on VVPAT and Paper Based Voting System Requirements Relating to Usability and Auditability of the Records - John Wack
The meeting adjourned at 11:30 a.m. Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ************ |
Security and Transparency Teleconference Meeting Participants: Allan Eustis, Angela Orbaugh, Bill Burr, David Flater, John Kelsey, John Wack, Helen Purcell, Nelson Hastings, Patrick Gannon, Rene Peralta, Rick Kuhn, Ron Rivest, Thelma Allen, Wendy Havens Agenda:
Administrative Updates:
Updated Cryptography Section - Nelson Hastings
Threat Overview and Threat Tree
Security and Audit Architecture
Voting Activities Section:
White Papers
Next scheduled meeting; Tuesday, October 3rd at 10:30-11:30 Meeting adjourns at 11:45 Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ************** |
Security and Transparency Teleconference Meeting Agenda:
Meeting commenced at 10:30 a.m. Participants: Alicia Clay, Allan Eustis, Anoop Singhal, Bill Burr, David Flater, John Kelsy, John Wack, Nelson Hastings, Quynh Dang, Rick Kuhn, Ron Rivest, Sharon Laskowski, Steve Quinn, Thelma Allen, Wendy Havens, Wendy Orbaugh, Rene Peralta Administrative Updates:
STS Priorities: Looking at the overall package of what needs to be done for December meeting. Need to identify what will have the most qualitative improvements in the voting system. The following 3 items are things for discussion that might/should be at the top of the list:
Security documentation is good place to start since we already have a framework in place. Security evaluation process shouldn't be put together from bits from vendors. Requirements, mechanisms, policy need to be articulated by the vendor and why they think is sufficient to support the security objectives listed. Good place to push forward, doesn't require any changes in the systems being sold. Makes the evaluation system for security more robust and reliable. Qualitative improvement should be high. JW: If voting standards have general statements, you get the least amount possible, so we might want to be more specific with possibly an outline, details about what we expect from the vendor. Our challenge will be to right the specs. JK: Links to open-ended testing is where there's a requirement statement; there should be a statement saying "how" you are meeting this requirement and point you to where it can be reviewed to verify. Proposed as a high priority item, should it be? Seems like it should be a part of every other component. JK: Documentation requirements should be included where helpful to the evaluator to judge where it passes/fails. JW: Two audiences - testing lab and users. Some effort should be put forward to identify each aspect of the system that requires procedures. SQ: It doesn't have to be human-readable in order to make it into the standard. AE: VVSG primary users are the testing labs. JW: We started out in relation to security systems and how they are presented to labs and how they are used by vendors but we've discovered as time goes on that usability and security is important for users and election officials. A lot of the problems we are seeing now are because systems are not well documented and people are not appropriately trained. One of the tests should be whether or not procedures are plausible and can be followed. We realize for 2007 that we are not going to be able to do as good a job for security for poll workers as we would like. Procedures for IT systems needs to be present in order for the security goals of the IT system to be effective - what the labs need to evaluate is the system and its documentation. Vendors must be specific about what operating systems they are using, and what off-the-shelf software they are using. IDV Related Requirements. Definitional proposal - software independence is a useful term to help us characterize what IDV is all about and what kind of testing we want. System is software dependent if correctness of the election results depends on the correctness of the software, that is to say if an undetected error in the software could cause an undetected error in the election results. CSD is willing to accept this proposal as the framework. The character of the testing we do should depend on whether the system is software dependent or not. JK: The first question we have to ask is are we in the VVSG 2007 certifying closed box DREs. JW: Opinion is no, IDV with two sets of records should be way to go. Not discussed with TDGC as a whole. Issues may arise because some states are invested in black box DREs and what happens to them, issue which should be handled by EAC, especially if we go a different direction and those are no longer certifiable. The other issue is the debate on VVPAT systems as one of the major types of software independent systems as to whether or not they actually achieve their goals in providing the detectability and auditability that we want. The current round of VVPAT has some issues. The proposal that IDV systems be the only ones that are certifiable is a good place to start from. If we do not write requirements for closed box DREs and we are overwritten, the security holes will continue to exist and we will do nothing to make it better. If black box DREs are allowable, then a vendor proposing software dependent system needs to go to extraordinary lengths to prove that the software in reliable, this may require formal proofs that other systems do not require. If NIST decides to take this approach, it must be organizationally backed. A fairly simple white paper needs to be put out ahead of December TDGC meeting discussing this approach and framing this issue. If we are not going to support black box DREs, then we need to give alternatives. Make sure that TDGC does not think they're only course of action is to throw out current DREs. We are not talking only about existing systems, but new systems down the road. VVSG 2007 certified systems will not be available until 2012. Based on a 10 year system lifetime, they do not want people to think they have to throw out of the systems that don't meet the 2007 standards. IDV spans both categories - dependent and independent. ACTION: Paper that Ron did on software dependence needs to be warped into a white paper that STS recommends for review by TGDC members. See John Kelsy's email for possible plausible strategies. Email conversations to follow. Move forward with proposal that black box DREs are not going to be supported. One of HFP's goal is to increase universal accessibility over several years. HFP wants comparable functionality. Paper is not accessible, but when used with voting system with accessible functionality, it is OK. Open Ended Vulnerability Testing. Ron feels this is something that can provide major qualitative improvement in the security of voting systems. If we can get this up and flying by December, it will be a major milestone. At the monthly meetings between EAC and NIST, it keeps coming up about what can be done now to improve voting systems. Open ended vulnerability testing keeps coming up. This should be a high priority because we may need to provide material on this before the July timeframe. Some skepticism that open ended vulnerability testing will improve the security of the systems. Might be another matter for the TDGC to take on as a whole. If we are trying to test existing systems, the penetration testing has a lot less appeal than if you were testing future systems. The goal is for certification of new systems primarily, not as important for older systems. ACTION: Meet internally to discuss options and resources. OTHER:
Next meeting September 19, 2006. Meeting adjourned at 11:55 a.m. John Kelsey e-mail: Some Notes on Alternatives for Audit Architecture Strategy 1 Introduction In the last couple of months, we've had a couple apparent changes of direction with respect to what I'll call the architectural requirements for allowing auditing in voting systems. We need to make some decisions about the direction we're going to take, given the time and resources we have available and what we think will actually be used. a. The impossibility of meaningful audit of DRE results, and the resulting requirement to trust the in operation of software and hardware. b. Implementation or design flaws that make the DREs less secure than they have to be. 1.1 IDV Our original goal was to address (a) with IDV. That is, we could write standards for pure-electronic systems that were designed to be meaningfully auditable. This centered around the idea of some independent piece of software or hardware which could be used to audit the correct recording of the interaction between the voter and the voting machine. (This should sound a bit like Chaum's observer chips.) The good thing about this is that while there are no IDV systems (other than VVPAT) on the market, there's nothing all that hard about building one from available technology. While using an IDV system still leaves us trusting some software and hardware, we only end up trusting that one of two systems hasn't been tampered with. My sense is that if we have standards for IDV (assuming we can write meaningful ones), we may be able to exclude pure, closed-box DREs. This would be a really good thing, and getting people from unauditable black boxes to pairs of black boxes that audit each other seems like a pretty big win. (We still need to address (b), which is where all the headline-grabbing attacks have happened.) I'm not sure this is possible, but it might be. The downside of all this is that IDV gives you some audit, but not a really strong audit. It's like the difference between having two different accountants who work in the same office checking each other's work, and having a completely independent auditor come in and go over the books and all the supporting records. It's very easy to imagine that the two different modules in the IDV system will be corrupted at the same time--they'll be stored under the control of the same person, they'll likely have some software in common, they'll be sold by a consolidator who buys the individual components and hooks them together into full systems, etc. What I see as the big problem with IDV is that it pushes us toward a future that is still software-dependent. The clever attacker has to take over two machines, or three, or ten, but then he gets to fix the election. 1.2 Paper (Direct Verification) John and Ron's software independence paper basically pushed us toward a different direction--not allowing any voting machines which can't be meaningfully audited in a way that doesn't depend on any software or hardware operating correctly. Excluding crypto (which does rely on software correctness, but allows a skeptic to write his own software, and which is not at all ready for standardization), this means we accept only paper systems right now. My concern with this is that I don't think it addresses the DRE question in a way that's actually workable. I'd love to see us say "DREs are no longer going to be part of the standard," and if we can do that, we should. But I think if we write that kind of standard, the TGDC won't accept it, and the EAC will ignore it and keep allowing DREs, and we will be left with no meaningful improvement in the security of the existing crop of DREs, because we won't have written meaningful standards for them. 1.3 End-to-End Crypto I'm pretty convinced that some kind of crypto voting scheme, like those pushed by VoteHere and David Chaum, is where we'd like to end up. I think there are still some pretty big issues to hash out about them, and we need some kind of operational experience running small elections--I know David Chaum is working on this with the student election competition. I've heard that some states have provisions for the use of experimental voting technology, which is a potential starting point for this stuff. (I keep thinking one of David's all-paper schemes might make a good absentee ballot scheme.) The biggest issue with these is how we standardize the cryptographic protocols. We can describe this class of systems at a high level, and do a Brennan-center type threat analysis of them, but the process of deciding that a proposed voting protocol is secure is going to be harder to deal with. To my mind, protocols are much harder to get right than cryptographic mechanisms like hash functions or block ciphers, but NIST took many years to settle on one acceptable block cipher, and we'll likely do the same with a hash function. It's hard for me to visualize us or anyone else being able to confidently approve a whole proposed voting protocol in much less time. 2 So, What About DREs? The elephant hiding under the rug (I love mixed metaphors) is what we do about DREs. I see a few plausible strategies, and I'd like to discuss which of them makes sense, both in terms of technology and in terms of what will actually get accepted. (I don't know about you guys, but I'm not really interested in writing standards that get ignored. Life's too short.) 2.1 No DREs in the VVSG2007, Software Independence We could get rid of any support for DREs in the next version of the standard. Just say no! But then we have to decide what to do about the present and the future. If we go with the software independence notion from John and Ron as a requirement, along with allowing crypto when it's ready, we get a path like: If we want to do this, I'll be very happy. In that case, we could really try to push the crypto stuff forward, with the hope that existing DREs slowly die off and ultimately are replaced with some kind of end-to-end crypto scheme. But we're a long way from being able to standardize on a crypto scheme, so for the next 10 years or so, probably only paper-based systems would be certified. In security terms, this is probably the best we could do, if it is followed. If we end up certifying DREs anyway, we lose our chance to address some of the huge security problems with them. (DREs could be made very hard to attack for outsiders, though probably not for insiders.) We could also not certify any pure closed-box DREs in the VVSG2007, but write a somewhat theoretical standard (since we have no operational experience, only a few prototypes) for IDV systems. The advantage of this is that some vendor could build a system of this kind from existing components in a couple of years. This would require writing some pretty extensive requirements for IDV, a lot more than just requiring an audit port on the side of the DRE. One downside here is that we could end up pushing people toward IDV, and thus ultimately away from crypto. Since crypto has the potential to be a lot more secure than IDV, that's a little troubling.
We could write requirements for DREs in VVSG2007 and allow them to continue to be certified, subject to some much tougher testing and security requirements. This is where both the audit port and the OEVT stuff come in. We could then require software independence for VVPAT and Opscan systems (which basically means specifying how they must be audited). We could also write some theoretical discussions of crypto for the future. This seems like where we're headed right now. We certify DREs for now with tighter requirements, but try to ultimately push software independence where we can. We encourage the eventual move to crypto. 2.4 DREs in VVSG2007, IDV Finally, we could both allow new DREs with tighter requirements, and also push IDV architecture as a future alternative. I think this doesn't make much sense. 3 My Ideas I'd like to see us do one of the following: a. Move to IDV for DREs now, and push toward crypto in the future. (This probably requires more work than we'll be able to get done in the available time.) Don't support DREs anymore. b. Don't support DREs anymore. Move to paper now, and push toward crypto in the future. What I think we'll end up doing, in practice, is: c. Allow DREs with tightened security requirements and no IDV, and make some vague handwaves about how we would like to see crypto systems in the future. Also make some vague comments about how software independence is worthwhile. I suspect that (a) is politically possible but pretty hard to actually write, and that (b) is much easier to write but probably will either be changed or ignored by the EAC. That lets us keep relatively clean hands, but it does mean that the current security problems with DREs don't get addressed in any comprehensive way in the standard. 3.1 Timetable Anything we do with a full IDV spec is going to be a pretty theoretical standard (we'll be standardizing stuff that exists only in prototype form right now), and will take some serious time. However, a lot of that time is going to come from the requirements for OEVT is going to take another year anyway. So maybe making IDV take that long, and getting down to specific testable requirements then is okay. I'd love to hear some discussion of this. Comments? --John Teleconferences from 2004, 2005, 2006 and upcoming in 2006. ************** |
Participants: Alicia Clay, Allen Eustis, Angela, David Flater, Helen Purcell, Nelson Hastings, Patrick Gannon, Philip Pearce, Ron Rivest, Sharon Laskowski, Thelma Allen, Wendy Haven The meeting was called to order at 10:33 a.m. Administrative Updates:
Basic Assumptions:
Meeting adjourned at 11:45 a.m. Next teleconference, Thursday, September 7 at 10:30. Teleconferences from 2004, 2005, 2006 and upcoming in 2006. *************** |
Agenda:
Administrative Updates: AE-while away on vacation, inadvertently two meetings were not recorded because of a low battery level in the audio recording device. The minutes of these teleconferences are available for public review on the web site (http://vote.nist.gov/subcomm_2006.htm). We can fill in past discussion item details when discussing items during this conference call. AE-informed everyone Paul Craft of the TGDC has recently resigned from the TGDC. Letter of appreciation to Paul and recognition of service will be available soon from Dr. William Jeffrey. His NASED Replacement nominee is Paul Miller who is with the State of Washington's secretary of State's office. The vetting process for his appointment should be completed shortly.
JW- Noted effort to look at security standards in gaming industry. AE will research security experts in the gambling security area (States of Nevada and New Jersey) and forward names to STS mailing list.
NH-summarizes the workshop he attended in Vancouver;
Software-independence: JK-after looking at relevant memo (below), concern of "what problem" is trying to be solved.
JW-will send out useful overlap VVSG areas in which "gaming" requirements might be informative (FIPs modules, etc.)
Wednesday, August 23, 2006 at 10:30 AM EST
First, I'll address some terminology. I believe that the acronym VVPAT has become associated with today's VVPAT systems, which, I also believe, are not especially usable Overall Presentation Structure The VVPAT requirements section in VVSG 2005 started out as a self-contained standard. It was subsequently modified so as to reference usability and accessibility requirements in the HFP section, but otherwise, it still contains many workmanship, reliability, interoperability, security, and cryptography requirements that logically would belong in other sections of the VVSG 07. I recommend that the requirements be better integrated into the VVSG, that is, the VVPAT section should contain only those requirements that pertain specifically to I recommend using the class structure and the appropriate 'applies to' fields in requirements as the preferred way of doing this. Overall, I recommend that Software Independent Approaches be the highest-level category of acceptable voting systems, with IV being one of the approaches. DREVVPR is one example of IV. Another example is Op Scan-VVPR. Privacy I recommend that VVPAT not violate privacy: paper audit trails shall not store voter's cast ballot records sequentially. This was the TGDC's direction in VVSG 2005 but the EAC subsequently decided to permit sequential storage and require stronger procedures for safeguarding the paper rolls (an un-testable and unenforceable requirement). Bar Codes I recommend that bar codes to contain cast ballot records no longer be permitted. I believe the bar codes came about because of the recognition that paper rolls are difficult at best to use in audits and therefore use of a bar code would permit relatively simple and
************* |