E-voting DITSCAP Project

1
E-voting DITSCAP Project

• Team Samarpita Hurkute
• Kunal Bele
• Shin Nam
• Saroj Patil
• Chuck Short
• Rajshri Vispute
• Boeing Mentor POC Ismael Rodriguez
• UCCS Faculty POC Edward Chow

2
DITSCAP Overview

• DITSCAP DoD Information Technology Security
  Certification and Accreditation Process
• Purpose
• Implements policies, assigns responsibilities,
  and prescribes procedures for Certification and
  Accreditation (CA) of IT
• Creates a process for security CA of
  unclassified and classified IT

3
What is the DITSCAP?

• It is a process for certifying that a given
  system is safe to operate (security-wise) in its
  given environment.
• A process that ensures systems maintain their
  accreditation throughout their lifecycle.

4
Who has to follow DITSCAP?

• All DoD owned or controlled information systems
  that receive, process, store, display, or
  transmit DoD information regardless of
  classification or sensitivity.

5
What are the benefits of the DITSCAP?

• Ensures security vulnerabilities are addressed to
  the level deemed acceptable by the Designated
  Approving Authority (DAA).
• Certification effort can be scaled to fit the
  size and complexity of the system.
• Adaptable for any computer environment or
  mission.
• Helps identify security solutions that are
  achievable.

6
DITSCAP Phases

• Phase 1 Definition
• Understand the mission,environment and system
  architechture
• Identify threats
• Gauge Level of effort
• Identify the DAA
• Phase 2 Verification
• Verfiy compliance of the system with security
  related requirements
• Phase 3 Validation
• Evaluate the system and determine residual risks
• Phase 4 Post accreditation
• Monitor the system to preserve the residual risk

7
SSAA Overview

• SSAA System Security Authorization Agreement
• It is a document required by the DITSCAP
• What it does
• Defines operating environment of the system
• Identifies the system
• Defines risk and countermeasures
• Documents agreement among all parties involved in
  the system

8
SSAA Overview

• Consists of main document and appendices
• Main document covers
• Mission Description and System Identification
• Environment Description
• System Architectural Description
• System Security Requirements
• Organizations and Resources
• DITSCAP Plan
• The appendices are used to provide supplement
  information to the above six sections.

9
SSAA Contents

• System description along with functional diagrams
• Highlights sensitivity of data processed
• System architecture diagram with firewall
• Physical security of the E-voting system
• Threats to the E-voting system
• Mitigations Applied
• Data flow diagram
• Data security requirements

10
Project Overview

• Using the E-voting system to walk through the
  DITSCAP process/requirements to include
  penetration testing, threat/vulnerability
  assessment, and document SSAA which is to be
  approved by Boeing POC.

11
Secure E-Voting Adapted from Bretts viewgraphs
http//cs.uccs.edu/gsc/pub/master/bswilson/docs/

• Secure electronic voting
• Why?
• 2000 Florida Presidential election
• Increase participation/election visibility
• Extensive research into developing technologies
  to allow secure electronic voting
• Current methods are vulnerable
• Diebold voting machine security
• Princeton hacks
• Kohno et al. software security analysis

12
Secure E-VotingAdapted from Bretts viewgraphs
http//cs.uccs.edu/gsc/pub/master/bswilson/docs/

• E-voting Requirements
• Privacy/Anonymity, Completeness, Soundness,
  Un-reusability, Eligibility, Fairness
• Robustness, Universal Verifiability,
  Receipt-Freeness, Incoercibility

13
Related WorkBretts Master project report _at_
http//cs.uccs.edu/gsc/pub/master/bswilson/docs

• Basis for Implementation
• Sharing Decryption in the context of Voting or
  Lotteries (Fouque, Poupard, Stern, Financial
  Cryptography 2000)
• Closely related research
• A Generalization of Pailliers Public Key
  Cryptosystem with Applications to Electronic
  Voting (Damgard, Jurik, Nielson, Aarhus
  University, Dept. of Computer Science)
• Uses of Paillier Cryptography
• Electronic Voting
• Anonymous Mix Nets (due to self-blinding
  property)
• Electronic Auctions
• Electronic Lotteries

14
PTC Cryptography TechniquesAdapted from Bretts
viewgraphs http//cs.uccs.edu/gsc/pub/master/bswi
lson/docs/

• Paillier Cryptography
• Trapdoor Discrete Logarithm Scheme
• Important Properties
• Homomorphic (multiply encrypt votes
  encrypt(sum(vote))!)
• E(M1 M2) E(M1) x E(M2), E(k x M) E(M)k
• Self-blinding
• Re-encryption with a different r doesnt change M

15
PTC Cryptography TechniquesAdapted from Bretts
viewgraphs http//cs.uccs.edu/gsc/pub/master/bswi
lson/docs/

• Threshold Encryption
• Public key encryption as usual
• Distribute secret key shares among i
  participants
• Decryption can only be accomplished if a
  threshold number t of the i participants
  cooperate
• Need at least one from each democratic and
  republican party representatives, and one
  election official presence to decrypt
• No information about m can be obtained with less
  than t participants cooperating

16
PTC Based E-voting PrototypeAdapted from Bretts
viewgraphs http//cs.uccs.edu/gsc/pub/master/bswi
lson/docs/

• E-voting allows single-choice ballots
• Election administrator creates election
  parameters with the help of PTC encryption
• The administrator submits election parameters to
  PTCVotingService (Web Services)
• Voters load election parameters and cast
  encrypted votes
• The homomorphic properties of the PTC enable the
  tally to be done without decrypting the vote. ?
  protect the privacy of voter.
• To decrypt the tally, require at least t
  (threshold) out of N key shared holders to
  participate to generate the key for decryption.

17
(No Transcript)
18
(No Transcript)
19
Security Technical Implementation Guide (STIGs)

• Configuration standards for DOD Information
  Assurance (IA) and IA-enabled devices/systems
• Contains instructions or procedures to verify
  compliance to a baseline level of security

20
Security Technical Implementation Guide (STIGs)

• Security (CAT) Codes A measure to assess the
  systems security related standing

CAT I Immediate access to the attacker,bypass firewall
CAT II Potential information to the intruder to gain access
CAT III Potential information gained could lead to compromise
CAT IV No direct or indirect access to high value information
21
Application Security Requirements STIG

• Defines a set of recommended security
  requirements that are common to all software
  applications
• Used as a first step to designing security into
  applications to reduce application
  vulnerabilities.
• Lists the potential vulnerabilities of the
  application systems
• Design and development related vulnerabilities
• Misconfiguration and administration related
  vulnerabilities
• Necessary non-secure standards

22
Network Infrastructure STIG

• Inbound access list filter packets before they
  enter the router
• Outbound traffic filtering rules to be applied
  to outbound traffic with an illegitimate address
• Firewalls necessary to minimize threat and
  protect the enclave
• Intrusion detection system detect unauthorized
  or malicious traffic

23
Database STIG

• Product Updates
• System and Data Backup
• Access
• Transaction auditing
• Roles and Permissions

24
Secure Remote Computing STIG

• Provides technical security policies and
  requirements to provide secure remote access to
  users in DOD.
• Discusses remote user environment and network
  site architecture
• Guide for securing DOD assets within a remote
  access environment
• Provides suggestions for redundancy and
  survivability

25
Minimal Security Activity Checklist

• Main sections include
• System Architecture Analysis
• Software, Hardware, and Firmware Design Analysis
• Network Connection Rule Compliance Analysis
• Integrity Analysis of Integrated Products
• Life-Cycle Management Analysis
• Vulnerability Assessment
• Security Test and Evaluation

26
Minimal Security Activity Checklist

• Penetration Testing
• TEMPEST and RED/BLACK Verification
• COMSEC Compliance Validation
• System Management Analysis
• Site Accreditation Survey
• Contingency Plan Evaluation
• Risk Management Review

27
Threat Model - STRIDE

• Spoofing The identity of the voter cannot be
  trusted
• Tampering The vote for Candidate A could be
  assigned to Candidate B or vice versa
• Repudiation No authorized identification of
  parties involved in the E-voting process.
• Information Disclosure Disclosing the tally
  count
• Denial of service Making the E-voting system
  unavailable to its intended users
• Elevation of privilege gaining system
  privileges through malicious means

28
Threat Scenarios

• Breaking encryption tampering with the public
  and private keys
• Allocating observation with data
• The database is not READ ONLY can be used for
  SQL injection
• The Electronic Ballot Casting Device a Trojan
  horse on the voting terminal.
• The Voting Protocol sniffing on the network.
• The Electoral Server depending on the applied
  voting protocol, the election servers are a
  vulnerability point
• Other Anonymity Threats the Voter Audit Trail
  could also be used to link a voter to their vote.

29
Vulnerabilities-Mitigations
Threat Security Code Scenario How does it affect Mitigation
Spoofing CAT II CAT III Voter form user interface, Access control of database objects, Access control of applications host. Integrity, Access Control, Accountability Personalization methods, passwords Cryptographic or hardware token Eg.Memory Card, Smart Card, Common Access Card (CAC)
Tampering CAT I, CAT II Physical access Confidentiality, Accountability Firewall,Intrusion Detection Systems
30
Vulnerabilities-Mitigations
Threat Security Code Scenario How does it affect Mitigation
Repudiation CAT I CAT II Voter form user interface, Trojan Horse, Packet Sniffing, SQL Injection, Internet Integrity, Confidentiality, Access Control, Accountability Firewall,PKI SNORT, Virus checker, Log security related events
Information Disclosure CAT IV Voter Audit Trail, Weak key DS-40 bit Integrity, Confidentiality Firewall, Key size larger than 1024, password protection
31
Vulnerabilities-Mitigations
Threat Security Code Scenario How does it affect Mitigation
Denial of Service CAT III Botnet, Stacheldraht, Excess requests, Forced reset, ICMP exploits, Availability Alternative Routing, Secure Collective Network Defense
Elevation of privilege CAT II CAT III Gaining Administrator password Confidentiality Data Integrity, Accountability X.509 certificates
32
Residual Risks

• Natural and man made threat
• Eg.fire, flooding, water, wind,electrical
  disturbances
• External or internal threat agents
• Eg.espionage services, terrorists,
• Shared Passwords
• Accidental human action which compromises the
  system
• Human negligence

33
Future Work

• Separate web services and UI for Administrator,
  Voters, and Key Share Owners.
• Encrypted UI connections using HTTPS.
• Administrator, Voter, and Key Share Owner
  identity verification using both X.509
  certificates and username/password.
• Additional firewall layer with IDS for
  certificate generation, application
  functionality, data storage, and tabulation of
  election results.
• Encrypted Web service to Web Service interface
  for inner firewall traversal.

34
Future Work
35
Lessons Learned

• Problems faced
• Not sure what could be the vulnerabilities of the
  system
• The DITSCAP was a big confusing concept
• CONOPS was something complicated at first sight
• How we solved them
• The DITSCAP Application Manual provided easy
  reference to each section in the SSAA
• Complexities solved by Izzy and Dr. Chow
• STIGS was a great help
• Vulnerability-Mitigation Mapping
• Learned the basics of Paillier Threshold
  Cryptography
• The security issues surrounding E-voting systems

36
Conclusion

• DITSCAP Overview
• SSAA Overview
• Project Overview
• Secure E-voting System
• Threats and Mitigations
• Future Work
• Project information can be found at
  http//viva.uccs.edu/ditscap/

37
References

• Brett Wilson, UCCS, Implementing a Paillier
  Threshold Cryptography Scheme as a Web Service.
• http//www.nswc.navy.mil/ISSEC/COURSES/Ditscap.ppt
  
• http//www.i-assure.com/
• http//viva.uccs.edu/ditscap/index.php/ImageDITSC
  AP.pdf
• http//viva.uccs.edu/ditscap/index.php/ImageDITSC
  AP_Application_Manual.pdf
• http//viva.uccs.edu/ditscap/index.php/ImageSSAA_
  Guidance.doc
• http//iase.disa.mil/stigs/stig/database-stig-v7r2
  .pdfhttp//iase.disa.mil/stigs/stig/network-stig-
  v6r4.pdfhttp//iase.disa.mil/stigs/stig/src-stig-
  v1r2.pdfhttp//iase.disa.mil/stigs/stig/applicati
  onsecurityrequirements.pdf