Secure Information Technology Center - Austria
Workshop on the certification of e-voting systems
Council of Europe
Strasbourg, 26 November 2009
Certification of the e-voting software used at the Austrian Student Union elections 2009
Daniel Konrad
Strasbourg, 23 November 2009 Slide 2
About A-SIT
• Publicly funded non-profit association (since 1999)
• Established as competence center for IT security
• Members
  – Federal Ministry of Finance
  – OeNB (Austrian Central Bank)
  – Graz University of Technology
Activities
• Technical evaluations
  – Confirmation body (Article 3(4) of the EU directive on electronic signatures)
  – Inspection body (ISO 17020)
• Advising the public sector on IT security
  – e-government, e-health, …
• Observing existing and emerging technologies
  – cryptography, smart cards, e-ID, etc.
A-SIT & e-voting
• 2001: e-voting defined in laws
  – Austrian Student Union
  – Chamber of Commerce
• The laws require that a confirmation body (under the signature law) certifies compliance with the security requirements
• Technology observation
• Participation in the CoE's multidisciplinary ad hoc group
• Participation in the Austrian working group on legal, technical and international aspects (Federal Ministry of Interior)
Certification Requirements
• Law (2001):
  – Security level equal to qualified electronic signatures
  – Basic requirements (secrecy, identity verification, privacy, integrity, prevent overhasty casting of votes)
• Ordinance (issued Oct. 2008):
  – Client and voting-server software to be certified 60 days before the election
  – Certification based on CoE Rec2004(11)
  – Right of access to source code and certification reports for electoral commission and observers
The Main Players
• Federal Ministry of Science and Research
  – Responsible authority
• Scytl
  – Software (pnyx-austria)
• Federal Computing Centre
  – Operation, infrastructure
• INSO (research group for industrial software at Vienna University of Technology)
  – Security concepts, testing, etc.
Certification Procedure
• Kick-off with main players in Dec. 2008
  – Definition of timetable and requirements:
  – existing evaluation reports
  – no formal CC (Common Criteria) evaluation and certification
  – provided documentation should follow the CC catalog
  – CC-based risk analysis of CoE Rec2004(11)
Provided documentation (developer evidence)
• Security compliance
  – Conformance between security functionalities and security objectives (based on CoE Rec)
• Development:
  – Threat analysis
  – Security architecture
  – Functional specification
  – Architectural design
• Guidance documents
  – Deployment guide
Provided documentation (developer evidence)
• Life-cycle support
  – CMS documentation
  – ISO 90003 certification
• Testing
  – Software development testing proofs
• Vulnerability analysis
  – Penetration testing
• Source code
• Access to Scytl's Bugzilla system
  – Contact developers (Q&A)
  – View test results
Confirmation ("Bescheinigung")
• Issued and published on 27 March 2009
• Detailed evaluation report available for electoral commission and observers
  – at the source-code review event (8 May 2009)
• One maintenance report (minor changes, issued 15 May 2009)
Constraints
• Configuration of key lengths
  – equal to the requirements for qualified signatures
• Client PCs
  – free of malicious software
  – prevent residual information
• Voting server software
  – audited compiling and installation
• Electronic ballot box and keys
  – handling in the post-voting stage
Additional tasks
• Auditing of security-relevant procedures (together with a certified IT professional engineer)
  – compiling
  – deployment
  – key ceremonies
  – pre-mixing
  – mixing
  – secure data destruction
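The audited compiling and deployment steps above, and the "traceability of installation, compiling" named in the lessons learned, both rest on one mechanism: recording exactly what was built and re-checking it at installation. The following Python example is added here as an illustration and is not A-SIT's, Scytl's or the Federal Computing Centre's procedure, nor code from the slides. It records a SHA-256 manifest of a build output tree, derives a single digest of that manifest (the value an auditor would note or sign at the ceremony), and verifies an installed copy against it, reporting modified, missing and unexpected files. The directory layout, file names and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path: Path) -> str:
    """Hex digest of one file, read in chunks so large binaries are handled."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(build_dir: Path) -> dict:
    """Record one digest per file of the build output, keyed by its relative POSIX path."""
    files = {}
    for path in sorted(p for p in build_dir.rglob("*") if p.is_file()):
        files[path.relative_to(build_dir).as_posix()] = hash_file(path)
    return {"algorithm": HASH_ALGO, "files": files}


def manifest_digest(manifest: dict) -> str:
    """Digest over the canonical JSON form of the manifest (sorted keys, no whitespace),
    so two parties serialising independently obtain the same value to compare or sign."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(HASH_ALGO, canonical).hexdigest()


def verify_manifest(install_dir: Path, manifest: dict) -> dict:
    """Compare an installed tree with the manifest. Files whose digest differs are
    'modified', manifest entries absent on disk are 'missing', and files on disk that
    the manifest never listed are 'unexpected'; 'ok' is True only if all three are empty."""
    expected = manifest["files"]
    present = {
        p.relative_to(install_dir).as_posix(): hash_file(p)
        for p in install_dir.rglob("*") if p.is_file()
    }
    modified = sorted(p for p in expected if p in present and present[p] != expected[p])
    missing = sorted(p for p in expected if p not in present)
    unexpected = sorted(p for p in present if p not in expected)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario (assumed layout, not a real build): build, record the
    manifest, install a faithful copy, then tamper with the copy and verify again."""
    root = Path(tempfile.mkdtemp(prefix="build-audit-"))
    try:
        build = root / "build"
        (build / "lib").mkdir(parents=True)
        (build / "voting-server.jar").write_bytes(b"constructed server binary")
        (build / "lib" / "crypto.jar").write_bytes(b"constructed crypto library")
        (build / "config.xml").write_text("<config mode='production'/>")
        manifest = build_manifest(build)

        install = root / "install"
        shutil.copytree(build, install)
        clean = verify_manifest(install, manifest)

        # Three kinds of deviation an installation audit should surface.
        (install / "config.xml").write_text("<config mode='debug'/>")  # modified
        (install / "lib" / "crypto.jar").unlink()                      # missing
        (install / "debug.log").write_text("stray file")               # unexpected
        tampered = verify_manifest(install, manifest)

        return {
            "file_count": len(manifest["files"]),
            "manifest_digest": manifest_digest(manifest),
            "clean": clean,
            "tampered": tampered,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest is what makes the record useful to a witness: the auditor writes down or signs one short value at the build, and anyone with the installed tree can recompute the manifest and compare. Recording the toolchain and source revision alongside it, and handing the manifest to the electoral commission with the certification report, extends the same traceability back to the reviewed source code.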
Statistics
• E-voting period: 18 May 2009 – 22 May 2009
• Paper: 26 May 2009 – 28 May 2009
• Eligible voters: 230.749
• Votes: 58.502
• "Eligible" e-voters: ~14.000
• E-votes: 2.161
• No security incidents or hacking attacks
• Some "unfriendly" activities
  – an "availability-check" tool
  – a parody e-voting site
Lessons learned
• CoE Rec2004(11) provided a good basis for our confirmation
• Traceability of installation, compiling, etc. raised the confidence of the electoral authorities
• A reusable and broadly accepted certification of core functionalities would be very useful
• Some residual risks could not be directly addressed (insecure client PCs)
• The public debate in Austria was much more fundamental than technical
Thank you for your attention…
Daniel [email protected]
Secure Information Technology Center Austria
Weyringergasse 35, A-1040 Wien, www.a-sit.at