Evaluation & Certification
Dr. Melanie Volkamer (TU Darmstadt), 26.11.2009, CoE
Overview
- Evaluation and certification of security requirements
  - Internet voting
  - Voting devices
- Evaluation and certification of other types of requirements
Security Requirements: Internet Voting
Evaluation and Certification Approach
- Common Criteria for the voting software (outside threats; existing international standard)
- ISO 27001 / IT-Grundschutz for the operational environment (outside threats; existing international standard)
- k-resilience value for insider threats (research)
Common Criteria: Overview
The Common Criteria for Information Technology Security Evaluation (CC) is an international standard (ISO/IEC 15408) for the evaluation and certification of security-critical software.
- Users specify the security functional requirements, the assurance requirements and the trust model.
- Vendors implement and/or make claims about the security of their products.
- Testing laboratories evaluate the products to determine whether they actually meet the claims.
- Certification authorities observe the evaluation process and certify products after successful evaluation.
Common Criteria: Protection Profile
A Protection Profile is a document, typically created by users or a user community, which identifies the security functional requirements and the evaluation assurance requirements, plus the trust model, for a class of security-critical product.
Common Criteria Protection Profile for Basic Set of Security Requirements for Online Voting Products: https://www.bsi.bund.de/cae/servlet/contentblob/480286/publicationfile/29305/pp0037b_engl_pdf.pdf
Common Criteria: Contents of the Protection Profile
- List of security functional requirements
- Evaluation assurance requirements: EAL 2+ (on the scale EAL1 to EAL7); formal methods are required for EAL6/7, e.g. pi-calculus models of voting protocols (Mark Ryan)
- Trust model / intruder capability: Basic (on the scale basic, enhanced-basic, moderate, high)
- Set of assumptions about the organisational environment: A.ElectionServer, A.Availability, A.ServerRoom, ...
ISO 27001 / IT-Grundschutz
Standard safeguards for evaluating a typical organisational environment (including the IT infrastructure); the combined scheme is ISO 27001 certification on the basis of IT-Grundschutz.
IT-Grundschutz: Safeguards
- Protection of the software (A.ElectionServer): S 2.17 Entry regulations and controls; S 1.58 Technical and organisational requirements for server rooms
- Availability (A.Availability): S 2.314 Use of high-availability architectures for servers
- Secure storage: S 4.168 Selection of a suitable archive system; S 1.60 Appropriate storage of archival media
- Assistance and training: S 3.5 Training on IT security safeguards; S 2.198 Making staff aware of IT security issues
- Personnel: S 3.2 Commitment of staff members to compliance with relevant laws, ...
k-resilience Value
The k-resilience value helps to understand the power of possible insider threats, i.e. which people or components need to be trusted. It complements the ISO 27001 / IT-Grundschutz evaluation of the operational environment. Notations, from the simplest to the most general:
- (k out of N)-resilient
- (k_1, ..., k_m) out of (N_1, ..., N_m)-resilient
- propositional logic term
- conjunctive normal form
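As an added illustration (not part of the original slides or of any evaluated product), the following Python computes a resilience value from trust assumptions written in conjunctive normal form. Each clause lists entities of which at least one must stay honest; the requirement holds iff every clause holds, and a threshold group ("at least k_i of N_i honest") expands into clauses over its subsets. The code reports the smallest set of entities whose collusion falsifies the conjunction and takes that size as the k of the slide's (k out of N) notation; this reading is an assumption, and a definition that counts honest rather than corrupt parties would use N-k+1 instead. The component names, the secrecy clauses and the person-to-component control mapping are constructed for this example. The second step maps the component-level value onto insiders, which is where one administrator operating two supposedly independent servers becomes visible.

```python
from itertools import combinations, product

# Trust assumptions in conjunctive normal form (CNF): a clause is a set of
# entities of which AT LEAST ONE must stay honest; the security requirement
# holds iff every clause holds. A clause is therefore broken exactly when
# all of its entities are corrupted together.


def threshold_clauses(entities, k):
    """CNF for 'at least k of these N entities are honest'.

    The threshold fails once N-k+1 entities are corrupt, so every
    (N-k+1)-subset becomes a clause 'at least one of these is honest'.
    """
    entities = sorted(entities)
    n = len(entities)
    if k <= 0:
        return []                      # nothing is required of this group
    if k > n:
        raise ValueError("threshold exceeds group size")
    return [frozenset(c) for c in combinations(entities, n - k + 1)]


def minimal_clauses(clauses):
    """Drop clauses that contain another clause: corrupting the smaller
    clause already breaks the requirement, so only minimal ones matter."""
    cs = {frozenset(c) for c in clauses}
    return sorted((c for c in cs if not any(o < c for o in cs)),
                  key=lambda c: (len(c), sorted(c)))


def resilience(clauses):
    """Return (k, breaking_sets): k is the size of the smallest colluding
    set that falsifies the CNF, breaking_sets are all minimal sets of that
    size. k is None when there is no clause at all (nothing to break)."""
    minimal = minimal_clauses(clauses)
    if not minimal:
        return None, []
    k = len(minimal[0])
    return k, [c for c in minimal if len(c) == k]


def is_broken(clauses, corrupted):
    """True if the given corrupted entities falsify at least one clause."""
    corrupted = frozenset(corrupted)
    return any(frozenset(c) <= corrupted for c in clauses)


def person_clauses(component_clauses, controls):
    """Translate component-level clauses into clauses over the persons who
    control the components (controls: component -> set of persons).

    Assumption: any person controlling a component can corrupt it. A clause
    over components is then broken by picking one controlling person per
    component, so each such choice is a person-level clause. Components
    nobody controls cannot be corrupted, and their clauses drop out.
    """
    out = set()
    for clause in component_clauses:
        for choice in product(*(sorted(controls.get(c, ())) for c in sorted(clause))):
            out.add(frozenset(choice))
    return minimal_clauses(out)


def label(clauses, entities):
    """Format the value in the slide's '(k out of N)-resilient' notation."""
    k, _ = resilience(clauses)
    return "unconditional" if k is None else f"({k} out of {len(entities)})-resilient"


# Constructed example system (hypothetical): vote secrecy is assumed to hold
# unless the registration and the voting server collude, or unless 2 of the
# 3 tallying trustees are corrupt.
SECRECY_CLAUSES = (
    [frozenset({"RegistrationServer", "VotingServer"})]
    + threshold_clauses(["Trustee1", "Trustee2", "Trustee3"], 2)
)

# Constructed insider mapping: one admin team operates both servers.
CONTROLS = {
    "RegistrationServer": {"ServerAdmin"},
    "VotingServer": {"ServerAdmin"},
    "Trustee1": {"Trustee1"},
    "Trustee2": {"Trustee2"},
    "Trustee3": {"Trustee3"},
}

if __name__ == "__main__":
    components = sorted({e for c in SECRECY_CLAUSES for e in c})
    persons = sorted({p for ps in CONTROLS.values() for p in ps})
    print("components:", label(SECRECY_CLAUSES, components), resilience(SECRECY_CLAUSES)[1])
    pc = person_clauses(SECRECY_CLAUSES, CONTROLS)
    print("insiders:  ", label(pc, persons), resilience(pc)[1])
    print("one trustee alone breaks secrecy:", is_broken(SECRECY_CLAUSES, {"Trustee1"}))
```

At component level the constructed system is (2 out of 5)-resilient, but once the control mapping is applied it is only (1 out of 4)-resilient, with the server administrator as the single breaking set; this is the kind of gap between architecture and operations that an insider-threat evaluation has to surface.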
Additional Evaluations?
- Data protection evaluation
- FIPS 140-1/2; ISO/IEC 19790 (Security requirements for cryptographic modules)
- ISO/IEC 27002 (Code of practice for information security management)
- ISO/IEC 27005 (Information security risk management)
- Formal protocol verification
Evaluation: Election Pen / DotVote?
- CC EAL 3+: DFKI, TÜV-IT, Datenschutz Nord, BSI
- PTB: type approval (Baumusterprüfung)
- Uni Cambridge: emission test
- ULD: data protection test
- Datenschutz Nord
- Accreditation by the Ministry of the Interior (functional requirements)
Security Requirements: Voting Devices
- Common Criteria
- Standards related to physical security (including seals)
- Evaluation regarding side-channel attacks (timing, power, emission)
- Evaluation of the logistics concept
- If a voting protocol is in place: formal proofs
Other Types of Requirements
- Usability (HCI, ISO 13407)
- Efficiency / functionality
- More?
Open Questions: Evaluation / Certification / Accreditation Parties
- Do we want to require that two independent parties be involved, one for the evaluation and one for the certification?
- Should different evaluation parties for different criteria/areas, and one (?) certification authority, be required?
- How should evaluation and/or certification authorities be accredited?
- How can we ensure that certificates from one country are accepted in another?
- Should a central organisation such as the CoE or the OSCE be involved in the certification?
Open Questions: Transparency
- Do we want to require that the evaluation process and the criteria be transparent?
- Who should have access to the evaluation report?
- Do we require that the assumptions about the operational environment be made explicit?
- Do we require that the addressed threat model / attacker capability be made explicit?
- Do we require that the evaluation depth be made explicit?
Open Questions: CC / ISO 27001
- How should different evaluation methods be combined? E.g., should the assumptions about the operational environment made in the CC context be addressed in the evaluation according to ISO 27001?
- Do we want a common CC Protection Profile, or corresponding templates for other approaches?
- What is the advantage of ISO XXX over a security audit of one's own?
- How can CC be used in countries that have not signed the CC Recognition Arrangement (CCRA)?
Open Questions
- Which evaluation techniques/approaches are required? What about formal proofs for the voting protocol, or even more?
- What is part of the evaluation? E.g., what about the delivery procedure and the logistics concept?
- What about re-evaluation / re-certification before each election?
Thank you for your attention! Questions?
www.cased.de, Center for Advanced Security Research Darmstadt
melanie.volkamer@cased.de
http://www.springer.com/computer/information+systems/book/978-3-642-01661-5