1 Erik Nordin Fredrik Holgersson Emilie Barse Security assessment of the E-valg system
Agenda Evalg Introduction Technical solution Security assessment and results What happens next?
Introduction to Evalg 2011 On monday evening, September 12th 2011, experts and observers from around the world gathered in the auditorium of the government district, building R5, to witness the counting process of Norway's first electronic election for local governments. This presentation deals with project experience, technical solution, results and future...
Introduction film (7 min)
Customer Ministry of local government and regional development [Kommunal- og regionaldepartementet (KRD)] Christian Bull / responsible for security in Evalg project
Technical solution
V: voter P: voter's computer B: the ballot box R: the receipt generator D: the decryption service A: the auditor ElGamal Schnorr proof of knowledge V: party1, party2, … 4l5+&sdkjf 5648d”k(nj 8318 V: party >party OK!
Locations B Brønnøysund D Oslo R Tønsberg
Zero knowledge proof
EDB Ergogroup Developed e-voting solution via the Internet. EDB ErgoGroup SYSteam is one of the leading IT players with approximately employees and annual sales of almost SEK 16 billion. The company is listed on the Oslo Stock Exchange with headquarters in Oslo and has a significant presence in both the Norwegian and Swedish market with 135 offices in 16 countries worldwide.
Scytl Spanish company Subcontractor to EDB ErgoGroup Implementation of the security functions Scytl, worldwide leader in the development of secure solutions for electoral modernization.
Combitech Swedish IT consulting company Independent security evaluations
Security assessment Transparency vs. Secrecy? Source Code and documentation Testing Methodology/Restrictions Results
Iterative development process iteration 1iteration 2 iteration 3iteration 4iteration 5iteration 6 Actual review begins Ergo+SyctlCAB
Security review Source code review General purpose code review Verification of the implementation of cryptographic protocols Penetration tests External Internal (Log analysis) Post election/test review
Source code review The codebase ~ lines of code Java – Admin, Authentication, Vote, Counting and Cryptography Aim: Identify flaws that could lead to: stored votes being manipulated invalid votes entered voting in another persons stead removal of valid votes (selectively) breach of the secrecy of the vote manipulation of the counting process
Methods Automated – Sonar/Checkstyle/Findbugs Identify possible low hanging fruit Sql-injection, cross site scripting… Error-/Exception handling Manual – Eclipse, Understand Accessmethods Error-/Exceptionhandling Traceability/Accountability User interaction/input Database interaction (querys and connections) Implementation of the cryptographic protocol (Overall source code state – well formated, comments, structure, variable/attribute usage, …)
SQL Injection? sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id" + " FROM voter v" + " JOIN contest_area ca ON true" + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk" + " JOIN mv_area a ON text2ltree(a.area_path) text2ltree(ac.area_path) AND a.area_level = 5" + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk + " AND v.country_id::text = a.country_id::text" + " AND v.county_id::text = a.county_id::text" + " AND v.municipality_id::text = a.municipality_id::text" + " AND v.borough_id::text = a.borough_id::text" + " AND v.polling_district_id::text = a.polling_district_id::text" + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)" + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk" + " WHERE e.election_level = 3" + " and v.election_event_pk = " + electionEventPk + " and v.municipality_id = '" + municipalityId + "'" + " and cv.approved" + " and ca.contest_pk = e.contest_pk" // order by is slow + " order by v.voter_id, e.election_id";
SQL Injection? sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id" + " FROM voter v" + " JOIN contest_area ca ON true" + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk" + " JOIN mv_area a ON text2ltree(a.area_path) text2ltree(ac.area_path) AND a.area_level = 5" + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk + " AND v.country_id::text = a.country_id::text" + " AND v.county_id::text = a.county_id::text" + " AND v.municipality_id::text = a.municipality_id::text" + " AND v.borough_id::text = a.borough_id::text" + " AND v.polling_district_id::text = a.polling_district_id::text" + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)" + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk" + " WHERE e.election_level = 3" + " and v.election_event_pk = " + electionEventPk + " and v.municipality_id = '" + municipalityId + "'" + " and cv.approved" + " and ca.contest_pk = e.contest_pk" + " order by v.voter_id, e.election_id";
Penetration testing - logical view of network
Goal of penetration test A secure and robust production system Test applications in their final environment Identify weaknesses in the realization of the design Find forgotten test ”features” Create a check list of vulnerabilities that needs to be eliminated or mitigated … and it is always nice to get a root prompt
Penetration test Methodology OSSTMM (Open Source Security Testing Methodology Manual) Penetration testing framework ( Tools: Port scanning - Nmap Vulnerability scanning - Nessus, Openvas Web application testing - BurpSuite, Nikto, W3AF Network traffic analysis - Wireshark, TCPdump, Urlsnarf ARP spoofing - Ettercap Port redirection, File transfer - Netcat Platforms och services: Mainly Linux based system with web applications
External penetration test Port scanning Vulnerability scanning Testing the web application server and client software
Internal penetration test Two sites tested at the same time Test the separation between the sites and towards the Internet Check that no sensitive data is sent in clear text Generell security assessment – patch level, unnecessary services, … Segmentation of internal systems
Pentest – exampels of result ARP spoofing ARP spoofing – necessary to be able to sniff network traffic between servers and check that no sensitive traffic was sent in clear text IP-filters prevented direct access to some servers – sniffing made it possible to see which servers they allowed access from 101hacker.com
Kodgranskning – exempel på xss The vulnerable link which was identified during the test is the following: 7&errorCode=welcomeController.error.eeid&lang=XSS (replacing XSS with a malicious script)
XSS - description
Log analysis Splunk Collects web application logs Debugging Forensic/incident investigation
What happens next?
Election results County Percentage of voters who voted electronically Percentage of voters who voted in advance E-voters percent of voters who voted in advance Bodø29,07 %41,40 %70,21 % Bremanger20,96 %30,87 %67,89 % Hammerfest25,89 %41,44 %62,47 % Mandal19,78 %30,41 %65,04 % Radøy31,15 %38,55 %80,82 % Re22,46 %29,58 %75,92 % Sandnes27,00 %33,89 %79,68 % Tynset31,60 %39,86 %79,28 % Vefsn21,54 %33,55 %64,20 % Ålesund26,42 %37,60 %70,26 % Total26,40 %36,43 %72,48 % Norway22,20 %
More information Project web site: The source code is available on the Internet: The election system: 24/7 monitoring Christian Bull was interviewed in Computer Sweden
The future 2017: Full scale national election in Norway? Common criteria evaluation? Sweden?
Is E-valg secure?
Is E-valg more secure than current systems?
Questions?