Melanie Volkamer (Research Manager)

University of Passau, Innstraße 43, 94032 Passau, Germany, Tel: +49 851/509-3021

E-Mail: melanie_volkamer@gmx.de; Webpage: http://www.isl.uni-passau.de

Common Criteria Protection Profile for

a Basic Set of Security Requirements for Online Voting Products

CoE Meeting 16th October 2008, Madrid

Project Formation

DFKI project funded by the BSI

DurationStarting in January 2006

Certification in April 2008

Advisory Board: Researchers: Koblenz, Gießen, Wien, …

Users: GI, Ministry of workers & social affairs, …

Companies: mainly Micromata and T-Systems

Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …

Based on existing requirement documents:CoE, PTB and GI catalogue

Oct16th 2008 2CoE Meeting Madrid

Motivation

Oct16th 2008 3CoE Meeting Madrid

Council of Europe Recommendations

Swiss, Austrian, German Election Regulations

Austrian Election Regulations

IEEE Voting Equipment Standards

Voting System Standards

Network Voting System Standards

PTB requirement catalogue

…..

Good starting point but only lists of requirements

Problems:- Trust model is not defined- Evaluation method and depth is not made explicit

No meaningful evaluation No comparable evaluation results

Solution: Common Criteria

International standard (ISO/IEC15408) for Information Technology Security Evaluation (CC)

Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey

Protection Profile = An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs. [TOE = target of evaluation]

CoE Recommendations made first steps

Oct16th 2008 4CoE Meeting Madrid

Basis Protection Profile

Not „one“ general Protection Profile for Online VotingBecause of different trust models and evaluation depths

Depending on the election in mind (societies vs. parliamentary)

Serves as basis which can be extended

Takes only the voting phase and the counting phase into account.

Oct16th 2008 5CoE Meeting Madrid

Protection Profile – Content

Oct16th 2008 6CoE Meeting Madrid

Trust Model

Evaluation Depth

Content - Threats

T.UnauthorisedVoter

T.Proof

T.IntegrityMessage

T.SecretMessage

T.AuthenticityServer

T.ArchivingIntegrity

T.ArchivingSecrecyOfVoting

Oct16th 2008 7CoE Meeting Madrid

Content - Assumptions

A.ElectionPreparation

A.Observation / A.AuthData/A.ElectionOfficers

A.VoteCastingDevice /ElectionServer / ServerRoom

A.Availability / DataStorage

A.AuthenticityServer / ProtectedCommunication

A.SystemTime / AuditTrailProtection

A.ArchivingSecrecyOfVoting

A.BufferBallot

Oct16th 2008 8CoE Meeting Madrid

Content - OSPs

P.Abort / OverhasteProtection / Correction / ACK

P.EndingElection

P.EndOfElection / StartTallying

P.SecrecyOfVotingElectionOfficer / IntegrityE.O./ IntermediateResult / AuthE.O.

P.OneVoterOneVote

P.Tallying

P.Failure

P.Audit

Oct16th 2008 9CoE Meeting Madrid

Protection Profile – Content

Oct16th 2008 10CoE Meeting Madrid

Trust Model

Evaluation Depth

Content – Evaluation Depth

CC EAL scale from 1 to 7

Evaluation Assurance Level 2+ALC_CMC.3 (substituting ALC_CMC.2)

ALC_CMS.3 (substituting ALC_CMS.2)

ALC_DVS.1

ALC_LCD.1

Assumed attacker potential: basic

Oct16th 2008 11CoE Meeting Madrid

Election Authorities

Does the trust model fits to your environment?

Does EAL 2+ provides enough trust in the evaluation

If not the PP can be extended byShifting assumptions to threats

Arising the EAL number

Demand the systems in use to be certified according to this Protection Profile or an extended version

Oct16th 2008 12CoE Meeting Madrid

Thank your for your attention

? Questions ?

volkamer@cased.de

http://www.bsi.bund.de/zertifiz/zert/reporte/pp0037b_engl.pdf