Common Criteria Protection Profile for a Basic Set of Security Requirements for Online Voting Products

CoE Meeting, 16th October 2008, Madrid

Melanie Volkamer (Research Manager)
University of Passau, Innstraße 43, 94032 Passau, Germany
Tel: +49 851/509-3021
E-Mail: melanie_volkamer@gmx.de
Webpage: http://www.isl.uni-passau.de
Project
- Formation: DFKI project funded by the BSI
- Duration: starting in January 2006, certification in April 2008
- Advisory Board:
  - Researchers: Koblenz, Gießen, Wien, …
  - Users: GI, Ministry of workers & social affairs, …
  - Companies: mainly Micromata and T-Systems
  - Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …
- Based on existing requirement documents: CoE, PTB and GI catalogue

Oct 16th 2008, CoE Meeting Madrid, slide 2
Motivation
- Existing requirement documents:
  - Council of Europe Recommendations
  - Swiss, Austrian, German Election Regulations
  - IEEE Voting Equipment Standards, Voting System Standards, Network Voting System Standards
  - PTB requirement catalogue
  - …
- Good starting point, but only lists of requirements
- Problems:
  - Trust model is not defined
  - Evaluation and depth is not made explicit
  - No meaningful evaluation
  - No comparable evaluation results
Solution: Common Criteria
- International standard (ISO/IEC 15408) for Information Technology Security Evaluation (CC)
- Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey
- Protection Profile = an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs [TOE = target of evaluation]
- CoE Recommendations made first steps
Basis Protection Profile
- Not "one" general Protection Profile for Online Voting
  - Because of different trust models and evaluation depths
  - Depending on the election in mind (societies vs. parliamentary)
- Serves as a basis which can be extended
- Takes only the voting phase and the counting phase into account
Protection Profile – Content
- Trust Model
- Evaluation Depth
Content – Threats
- T.Unauthorised.Voter
- T.Proof
- T.Integrity.Message
- T.Secret.Message
- T.Authenticity.Server
- T.Archiving.Integrity
- T.Archiving.Secrecy.Of.Voting
Content – Assumptions
- A.Election.Preparation
- A.Observation / A.Auth.Data / A.Election.Officers
- A.Vote.Casting.Device / Election.Server / Server.Room
- A.Availability / Data.Storage
- A.Authenticity.Server / Protected.Communication
- A.System.Time / Audit.Trail.Protection
- A.Archiving.Secrecy.Of.Voting
- A.Buffer.Ballot
Content – OSPs (organisational security policies)
- P.Abort / Overhaste.Protection / Correction / ACK
- P.Ending.Election
- P.End.Of.Election / Start.Tallying
- P.Secrecy.Of.Voting.Election.Officer / Integrity.E.O. / Intermediate.Result / Auth.E.O.
- P.One.Voter.One.Vote
- P.Tallying
- P.Failure
- P.Audit
Protection Profile – Content
- Trust Model
- Evaluation Depth
Content – Evaluation Depth
- CC EAL scale from 1 to 7
- Evaluation Assurance Level 2+:
  - ALC_CMC.3 (substituting ALC_CMC.2)
  - ALC_CMS.3 (substituting ALC_CMS.2)
  - ALC_DVS.1
  - ALC_LCD.1
- Assumed attacker potential: basic
Election Authorities
- Does the trust model fit your environment?
- Does EAL 2+ provide enough trust in the evaluation?
- If not, the PP can be extended by:
  - Shifting assumptions to threats
  - Raising the EAL number
- Demand that the systems in use be certified according to this Protection Profile or an extended version
Thank you for your attention. Questions?
volkamer@cased.de
http://www.bsi.bund.de/zertifiz/zert/reporte/pp0037b_engl.pdf
- Slides: 13