Modern Internet voting systems promise to be of great use for a wide variety of application scenarios. They allow convenient vote casting from home or office and speed up the tallying process. This is particularly attractive for non-parliamentary elections such as the election of a works council in a company. Such companies would like to save money by implementing Internet voting systems. However, setup and operation of an Internet voting system are highly security-critical and complex tasks. They require special voting system equipment, a secure operational environment, specialist knowledge and skilled personnel. This is complex and expensive, thereby reducing the potential advantages of electronic elections. Considering these necessary efforts, many companies would not switch to Internet voting. Recently the concept of a Voting Service Provider (VSP) was introduced [1] in order to find a new approach to this problem. The VSP is a professional and qualified trusted third party which technically carries out an electronic election on behalf of the election host, i.e. the party which wants to hold an election. The VSP provides the secure hardware and software, the expertise and the skilled personnel that are necessary to implement an Internet election securely. Thereby the VSP concept reduces effort and costs for the election host and makes Internet elections practicable and secure at the same time.
It is essential to establish trust in the VSP. The security of the VSP and its election services must be ensured. To this end, a legal framework has been introduced [2]. It regulates the operation and supervision of VSPs. The legal regulation demands an evaluation of the VSPs to prove their security. Since the VSP concept centralizes the voting system and the operational environment, it facilitates evaluation. For this purpose, VSPs are required to provide a "security concept" in which they describe the safeguards they implement in order to satisfy the requirements of the legal framework. The legal regulation designates an independent authority for evaluating VSPs based on their security concept.
So far, the evaluation of e-voting systems has concentrated on the voting protocols. The German Federal Office for Information Security (BSI) recently released a "Common Criteria Protection Profile for Basic set of security requirements for Online Voting Products" [3] intended for the evaluation of Internet voting systems. But the security of the operational environment in which the voting system is operated has to be considered as well [4]: Schmidt et al. analyzed several sources, including voting protocols, Protection Profiles and the recommendations of the Council of Europe [5], in order to determine the security requirements for the operational environment of electronic elections. The Protection Profile mentioned above also contains assumptions that have to be fulfilled by the operational environment in order to ensure the security of the voting system. Consequently, the security concept shall include all legal, technical and organizational requirements regarding the voting system and the operational environment of the VSP. However, it is an open question how such requirements should be documented and how VSPs can be evaluated based on such security concepts. For the purpose of deriving technical requirements from legal regulation, the KORA [6] methodology seems appropriate. For the evaluation itself, we propose an approach based on combining approved evaluation methods. The voting system software, and consequently the related requirements contained in the security concept, should be evaluated according to the mentioned Common Criteria Protection Profile, since at this time it represents the most sophisticated evaluation approach for Internet voting systems. For the operational environment we propose the "IT-Grundschutz Catalogues" [7] of the BSI as a plausible approach, since IT-Grundschutz provides an approved evaluation methodology as well as a catalogue of safeguards intended to secure complex IT environments, covering technical and organizational aspects.
To this end, the methodology provides modules to specify IT systems and their environment. These modules are then mapped to safeguards based on the threat level in order to secure the system appropriately. If specific requirements from the e-voting scenario cannot be fulfilled by IT-Grundschutz safeguards, the methodology allows for adding appropriate modules and safeguards based on a risk analysis, thereby ensuring completeness. This combined evaluation approach has many advantages. Common Criteria [8] as well as IT-Grundschutz are approved and widely accepted evaluation methodologies. Moreover, VSPs which already hold a Common Criteria certificate for their voting system or an IT-Grundschutz certificate for their operational environment can thereby significantly reduce the effort for the evaluation, since many of the requirements have probably already been evaluated and certified. This simplifies the evaluation process for VSPs and can help reduce costs and effort.
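To make the mapping step of the methodology concrete, here is an added example that is not part of the paper and not BSI tooling: a small Python model in which requirements derived for the VSP (such as the Protection Profile's assumptions about the operational environment and demands of the legal framework) are mapped to module safeguards qualified by the protection level they satisfy, uncovered requirements are reported as gaps together with the reason (no safeguard at all, or a safeguard that only suffices for a lower level), and supplementary modules produced by a risk analysis are added to close them. All requirement, module and safeguard identifiers and texts are constructed placeholders, not real IT-Grundschutz module or safeguard numbers.

```python
from dataclasses import dataclass

# Protection levels as used in IT-Grundschutz-style threat classification.
# The model only relies on their ordering.
LEVELS = {"normal": 1, "high": 2, "very high": 3}


@dataclass(frozen=True)
class Requirement:
    ident: str    # constructed placeholder id, e.g. "R-ENV-1"
    text: str
    source: str   # origin: "PP assumption" or "legal framework"
    level: str    # protection level the VSP has to meet for it


@dataclass(frozen=True)
class Safeguard:
    ident: str
    text: str
    covers: frozenset   # ids of the requirements this safeguard addresses
    level: str          # highest protection level at which it is sufficient


@dataclass(frozen=True)
class Module:
    ident: str
    text: str
    safeguards: tuple


def evaluate(requirements, modules):
    """Map every requirement to the module safeguards covering it at the
    required level. Returns (coverage, gaps): coverage maps a requirement id
    to a list of (module id, safeguard id); gaps maps a requirement id to
    the reason it is unsatisfied ('no safeguard' or 'insufficient level')."""
    coverage, gaps = {}, {}
    for req in requirements:
        need = LEVELS[req.level]
        sufficient, weak = [], []
        for mod in modules:
            for sg in mod.safeguards:
                if req.ident not in sg.covers:
                    continue
                bucket = sufficient if LEVELS[sg.level] >= need else weak
                bucket.append((mod.ident, sg.ident))
        coverage[req.ident] = sufficient
        if not sufficient:
            gaps[req.ident] = "insufficient level" if weak else "no safeguard"
    return coverage, gaps


def complete_with_risk_analysis(requirements, modules, supplementary):
    """Second pass: for each gap, add the supplementary module that a risk
    analysis produced for that requirement (keyed by requirement id) and
    re-evaluate. Returns the extended module list and the remaining gaps."""
    _, gaps = evaluate(requirements, modules)
    extended = list(modules)
    for req_id in gaps:
        if req_id in supplementary:
            extended.append(supplementary[req_id])
    _, remaining = evaluate(requirements, extended)
    return extended, remaining


# Constructed sample requirements for a VSP's operational environment.
REQUIREMENTS = (
    Requirement("R-ENV-1", "Voting servers are kept in an access-controlled room",
                "PP assumption", "high"),
    Requirement("R-ENV-2", "Administrators are trained and bound to a role concept",
                "PP assumption", "normal"),
    Requirement("R-ENV-3", "Voting servers sit on a network separated from office IT",
                "PP assumption", "high"),
    Requirement("R-LEG-1", "Tallying is only possible after the election period ends",
                "legal framework", "high"),
)

# Constructed generic modules standing in for catalogue modules.
GENERIC_MODULES = (
    Module("M-INFRA", "Server room", (
        Safeguard("S-INFRA-1", "Access control to the server room",
                  frozenset({"R-ENV-1"}), "high"),)),
    Module("M-PERS", "Personnel", (
        Safeguard("S-PERS-1", "Training and role assignment for administrators",
                  frozenset({"R-ENV-2"}), "normal"),)),
    Module("M-NET", "Network", (
        # Only sufficient for 'normal', so it does not cover R-ENV-3 at 'high'.
        Safeguard("S-NET-1", "Logical network segmentation",
                  frozenset({"R-ENV-3"}), "normal"),)),
)

# Constructed voting-specific modules that a risk analysis produced for the gaps.
SUPPLEMENTARY = {
    "R-ENV-3": Module("M-NET-VOTE", "Dedicated voting network", (
        Safeguard("S-NET-V1", "Physically separate network for the voting servers",
                  frozenset({"R-ENV-3"}), "high"),)),
    "R-LEG-1": Module("M-VOTE", "Election-specific safeguards", (
        Safeguard("S-VOTE-1", "Tally key released only after the election period",
                  frozenset({"R-LEG-1"}), "high"),)),
}

if __name__ == "__main__":
    _, gaps = evaluate(REQUIREMENTS, GENERIC_MODULES)
    print("gaps after generic mapping:", gaps)
    _, remaining = complete_with_risk_analysis(REQUIREMENTS, GENERIC_MODULES, SUPPLEMENTARY)
    print("gaps after risk analysis:", remaining)
```

The first pass reports R-ENV-3 as covered only at an insufficient level and R-LEG-1 as having no safeguard at all, which is exactly the situation in which the methodology calls for supplementary modules; the second pass shows the completeness check passing once those modules are added.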
Axel Schmidt, Melanie Volkamer, Johannes Buchmann, CASED – Center of Advanced Security Research Darmstadt, Mornewegstraße 32, 64293 Darmstadt DE
{axel, buchmann}@cdc.informatik.tu-darmstadt.de, volkamer@cased.de
- [1] Langer, L., Schmidt, A., Buchmann, J., Secure and Practical Online Elections via Voting Service Provider. In: Proceedings of ICEG 2008, pp. 255-262, Academic Publishing, UK (2008).
- [2] Schmidt, A., Heinson, D., Langer, L., Opitz-Talidou, Z., Richter, P., Volkamer, M., Buchmann, J., Developing a legal framework for remote electronic voting. In: E-Voting and Identity, Proceedings of VOTE-ID 2009, LNCS 5767, Luxembourg (2009).
- [3] German Federal Office for Information Security, Common Criteria Protection Profile for Basic set of security requirements for Online Voting Products, https://www.bsi.bund.de/cae/servlet/contentblob/480286/publicationFile/29585/pp0037b_engl_pdf.pdf (2008), last checked 19.01.2010.
- [4] Schmidt, A., Volkamer, M., Langer, L., Buchmann, J., Towards the impact of the operational environment on the security of e-voting. In: Proceedings of INFORMATIK 2009, LNI 154, pp. 1814-1826, GI (2009).
- [5] Council of Europe, Legal, Operational and Technical Standards for E-voting, Recommendation Rec(2004)11. Council of Europe Publishing, ISBN 92-871-5635-2 (2005).
- [6] Hammer, V., Pordesch, U., Roßnagel, A., KORA - eine Methode zur Konkretisierung rechtlicher Anforderungen zu technischen Gestaltungsvorschlägen für Informations- und Kommunikationssysteme. Arbeitspapier 100, provet, Darmstadt (1992).
- [7] German Federal Office for Information Security, IT-Grundschutz Catalogues, https://www.bsi.bund.de/cln_174/EN/topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html (2005), last checked 19.01.2010.
- [8] The Common Criteria Portal, www.commoncriteriaportal.org/, last checked 19.01.2010.