Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Erik Nordin Fredrik Holgersson Emilie Barse Security assessment.

Similar presentations


Presentation on theme: "1 Erik Nordin Fredrik Holgersson Emilie Barse Security assessment."— Presentation transcript:

1 1 Erik Nordin Fredrik Holgersson Emilie Barse Security assessment of the E-valg system

2 Agenda  Evalg Introduction  Technical solution  Security assessment and results  What happens next?

3 Introduction to Evalg 2011 On monday evening, September 12th 2011, experts and observers from around the world gathered in the auditorium of the government district, building R5, to witness the counting process of Norway's first electronic election for local governments. This presentation deals with project experience, technical solution, results and future...

4 Introduction film (7 min)

5 Customer  Ministry of local government and regional development [Kommunal- og regionaldepartementet (KRD)]  Christian Bull / responsible for security in Evalg project

6 Technical solution

7 V: voter P: voter's computer B: the ballot box R: the receipt generator D: the decryption service A: the auditor  ElGamal  Schnorr proof of knowledge V: party1, party2, … 4l5+&sdkjf 5648d”k(nj 8318 V: party >party OK!

8 Locations B Brønnøysund D Oslo R Tønsberg

9 Zero knowledge proof

10 EDB Ergogroup  Developed e-voting solution via the Internet.  EDB ErgoGroup SYSteam is one of the leading IT players with approximately employees and annual sales of almost SEK 16 billion. The company is listed on the Oslo Stock Exchange with headquarters in Oslo and has a significant presence in both the Norwegian and Swedish market with 135 offices in 16 countries worldwide. 

11 Scytl  Spanish company  Subcontractor to EDB ErgoGroup  Implementation of the security functions  Scytl, worldwide leader in the development of secure solutions for electoral modernization. 

12 Combitech  Swedish IT consulting company  Independent security evaluations 

13 Security assessment  Transparency vs. Secrecy?  Source Code and documentation  Testing Methodology/Restrictions  Results 

14 Iterative development process iteration 1iteration 2 iteration 3iteration 4iteration 5iteration 6 Actual review begins Ergo+SyctlCAB

15 Security review  Source code review  General purpose code review  Verification of the implementation of cryptographic protocols  Penetration tests  External  Internal  (Log analysis)  Post election/test review

16 Source code review The codebase ~ lines of code  Java – Admin, Authentication, Vote, Counting and Cryptography Aim: Identify flaws that could lead to:  stored votes being manipulated  invalid votes entered  voting in another persons stead  removal of valid votes (selectively)  breach of the secrecy of the vote  manipulation of the counting process

17 Methods Automated – Sonar/Checkstyle/Findbugs  Identify possible low hanging fruit  Sql-injection, cross site scripting…  Error-/Exception handling Manual – Eclipse, Understand  Accessmethods  Error-/Exceptionhandling  Traceability/Accountability  User interaction/input  Database interaction (querys and connections)  Implementation of the cryptographic protocol  (Overall source code state – well formated, comments, structure, variable/attribute usage, …)

18 SQL Injection? sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id" + " FROM voter v" + " JOIN contest_area ca ON true" + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk" + " JOIN mv_area a ON text2ltree(a.area_path) text2ltree(ac.area_path) AND a.area_level = 5" + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk + " AND v.country_id::text = a.country_id::text" + " AND v.county_id::text = a.county_id::text" + " AND v.municipality_id::text = a.municipality_id::text" + " AND v.borough_id::text = a.borough_id::text" + " AND v.polling_district_id::text = a.polling_district_id::text" + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)" + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk" + " WHERE e.election_level = 3" + " and v.election_event_pk = " + electionEventPk + " and v.municipality_id = '" + municipalityId + "'" + " and cv.approved" + " and ca.contest_pk = e.contest_pk" // order by is slow + " order by v.voter_id, e.election_id";

19 SQL Injection? sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id" + " FROM voter v" + " JOIN contest_area ca ON true" + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk" + " JOIN mv_area a ON text2ltree(a.area_path) text2ltree(ac.area_path) AND a.area_level = 5" + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk + " AND v.country_id::text = a.country_id::text" + " AND v.county_id::text = a.county_id::text" + " AND v.municipality_id::text = a.municipality_id::text" + " AND v.borough_id::text = a.borough_id::text" + " AND v.polling_district_id::text = a.polling_district_id::text" + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)" + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk" + " WHERE e.election_level = 3" + " and v.election_event_pk = " + electionEventPk + " and v.municipality_id = '" + municipalityId + "'" + " and cv.approved" + " and ca.contest_pk = e.contest_pk" + " order by v.voter_id, e.election_id";

20 Penetration testing - logical view of network

21

22

23

24

25 Goal of penetration test  A secure and robust production system  Test applications in their final environment  Identify weaknesses in the realization of the design  Find forgotten test ”features”  Create a check list of vulnerabilities that needs to be eliminated or mitigated  … and it is always nice to get a root prompt

26 Penetration test  Methodology  OSSTMM (Open Source Security Testing Methodology Manual)  Penetration testing framework (http://www.vulnerabilityassessment.co.uk/)  Tools:  Port scanning - Nmap  Vulnerability scanning - Nessus, Openvas  Web application testing - BurpSuite, Nikto, W3AF  Network traffic analysis - Wireshark, TCPdump, Urlsnarf  ARP spoofing - Ettercap  Port redirection, File transfer - Netcat  Platforms och services:  Mainly Linux based system with web applications

27 External penetration test  Port scanning  Vulnerability scanning  Testing the web application server and client software

28 Internal penetration test  Two sites tested at the same time  Test the separation between the sites and towards the Internet  Check that no sensitive data is sent in clear text  Generell security assessment – patch level, unnecessary services, …  Segmentation of internal systems

29 Pentest – exampels of result ARP spoofing ARP spoofing – necessary to be able to sniff network traffic between servers and check that no sensitive traffic was sent in clear text IP-filters prevented direct access to some servers – sniffing made it possible to see which servers they allowed access from 101hacker.com

30 Kodgranskning – exempel på xss The vulnerable link which was identified during the test is the following: https:// /voting/applet/error.do?eeid=VALG200 7&errorCode=welcomeController.error.eeid&lang=XSS (replacing XSS with a malicious script)

31 XSS - description

32 Log analysis  Splunk  Collects web application logs  Debugging  Forensic/incident investigation

33 What happens next?

34 Election results County Percentage of voters who voted electronically Percentage of voters who voted in advance E-voters percent of voters who voted in advance Bodø29,07 %41,40 %70,21 % Bremanger20,96 %30,87 %67,89 % Hammerfest25,89 %41,44 %62,47 % Mandal19,78 %30,41 %65,04 % Radøy31,15 %38,55 %80,82 % Re22,46 %29,58 %75,92 % Sandnes27,00 %33,89 %79,68 % Tynset31,60 %39,86 %79,28 % Vefsn21,54 %33,55 %64,20 % Ålesund26,42 %37,60 %70,26 % Total26,40 %36,43 %72,48 % Norway22,20 %

35 More information  Project web site:  The source code is available on the Internet:  The election system:  24/7 monitoring  Christian Bull was interviewed in Computer Sweden

36 The future  2017: Full scale national election in Norway?  Common criteria evaluation?  Sweden?

37 Is E-valg secure?

38 Is E-valg more secure than current systems?

39 Questions?

40


Download ppt "1 Erik Nordin Fredrik Holgersson Emilie Barse Security assessment."

Similar presentations


Ads by Google