Melanie Volkamer (Research Manager) University of Passau, Innstraße 43, Passau, Germany, Tel: / Webpage: Common Criteria Protection Profile for a Basic Set of Security Requirements for Online Voting Products CoE Meeting 16th October 2008, Madrid

Project Formation DFKI project funded by the BSI Duration Starting in January 2006 Certification in April 2008 Advisory Board: Researchers: Koblenz, Gießen, Wien, … Users: GI, Ministry of workers & social affairs, … Companies: mainly Micromata and T-Systems Others: CoE, e-Voting.cc, PTB, ASIT, BSI, … Based on existing requirement documents: CoE, PTB and GI catalogue Oct16th 20082CoE Meeting Madrid

Motivation Oct16 th 20083CoE Meeting Madrid Council of Europe Recommendations Swiss, Austrian, German Election Regulations Austrian Election Regulations IEEE Voting Equipment Standards Voting System Standards Network Voting System Standards PTB requirement catalogue ….. Good starting point but only lists of requirements  Problems: - Trust model is not defined - Evaluation method and depth is not made explicit  No meaningful evaluation  No comparable evaluation results

Solution: Common Criteria International standard (ISO/IEC15408) for Information Technology Security Evaluation (CC) Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey Protection Profile = An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs. [TOE = target of evaluation] CoE Recommendations made first steps Oct16th 20084CoE Meeting Madrid

Basis Protection Profile Not „one“ general Protection Profile for Online Voting Because of different trust models and evaluation depths Depending on the election in mind (societies vs. parliamentary) Serves as basis which can be extended Takes only the voting phase and the counting phase into account. Oct16th 20085CoE Meeting Madrid

Protection Profile – Content Oct16th 20086CoE Meeting Madrid Trust Model Evaluation Depth

Content - Threats T.UnauthorisedVoter T.Proof T.IntegrityMessage T.SecretMessage T.AuthenticityServer T.ArchivingIntegrity T.ArchivingSecrecyOfVoting Oct16th 20087CoE Meeting Madrid

Content - Assumptions A.ElectionPreparation A.Observation / A.AuthData/A.ElectionOfficers A.VoteCastingDevice /ElectionServer / ServerRoom A.Availability / DataStorage A.AuthenticityServer / ProtectedCommunication A.SystemTime / AuditTrailProtection A.ArchivingSecrecyOfVoting A.BufferBallot Oct16th 20088CoE Meeting Madrid

Content - OSPs P.Abort / OverhasteProtection / Correction / ACK P.EndingElection P.EndOfElection / StartTallying P.SecrecyOfVotingElectionOfficer / IntegrityE.O./ IntermediateResult / AuthE.O. P.OneVoterOneVote P.Tallying P.Failure P.Audit Oct16th 20089CoE Meeting Madrid

Protection Profile – Content Oct16th CoE Meeting Madrid Trust Model Evaluation Depth

Content – Evaluation Depth CC EAL scale from 1 to 7 Evaluation Assurance Level 2+ ALC_CMC.3 (substituting ALC_CMC.2) ALC_CMS.3 (substituting ALC_CMS.2) ALC_DVS.1 ALC_LCD.1  Assumed attacker potential: basic Oct16th CoE Meeting Madrid

Election Authorities Does the trust model fits to your environment? Does EAL 2+ provides enough trust in the evaluation If not the PP can be extended by Shifting assumptions to threats Arising the EAL number Demand the systems in use to be certified according to this Protection Profile or an extended version Oct16th CoE Meeting Madrid

Thank your for your attention ? Questions ? p0037b_engl.pdf