Evaluation of Electronic Voting
Total Page:16
File Type:pdf, Size:1020Kb
Lecture Notes in Business Information Processing 30 Series Editors Wil van der Aalst Eindhoven Technical University, The Netherlands John Mylopoulos University of Trento, Italy Norman M. Sadeh Carnegie Mellon University, Pittsburgh, PA, USA Michael J. Shaw University of Illinois, Urbana-Champaign, IL, USA Clemens Szyperski Microsoft Research, Redmond, WA, USA Melanie Volkamer Evaluation of Electronic Voting Requirements and Evaluation Procedures to Support Responsible Election Authorities 13 Author Melanie Volkamer Technische Universität Darmstadt Center for Advanced Security Research Darmstadt Mornewegstraße 32, 64293 Darmstadt, Germany e-mail: [email protected] Vom Promotionsausschuss des Fachbereichs 4: Informatik der Universität Koblenz-Landau zur Verleihung des akademischen Grades Doktor der Naturwissenschaften (Dr.rer.nat) genehmigte Dissertation Vorsitzender des Promotionsausschusses: Prof. Dr. Dieter Zöbel Vorsitzender der Promotionskommission: Prof. Dr. Dieter Zöbel Berichterstatter: Prof. Dr. Rüdiger Grimm Prof. Dr. Jörg Schwenk (Ruhr-Universität, Bochum) Datum der wissenschaftlichen Aussprache: 27. Oktober 2008 Library of Congress Control Number: Applied for ACM Computing Classification (1998): J.1, K.4, D.4.6, D.2.1 ISSN 1865-1348 ISBN-10 3-642-01661-8 Springer Berlin Heidelberg New York ISBN-13 978-3-642-01661-5 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Markus Richter, Heidelberg Printed on acid-free paper SPIN: 12677061 06/3180 543210 Foreword Electronic voting has a young, but attractive history, both in the design of basic cryptographic methods and protocols, and in the application of commu- nities who wanted to be in the vanguard of new technologies. Even before 2000, when ICANN was elected Internet-wide by e-mail, voting machines were used in many political elections all over the world, almost without public notice or criticism. Perhaps only the conflicts over the Bush–Gore polls in Florida in 2000 made the public aware of the risks of electronic voting machines. Since then, diverging opinions on the use of information technology for voting, es- pecially on the Internet, have been expressed loudly. In 2007 the Internet was highly accepted by the voting public in Estonia. On the other hand, in 2008 the attacks on the NEDAP voting machines and the High Court procedures in The Netherlands, Ireland and Germany shed a lot of stage light on electronic voting. At the same time, the scientific community has brought forward an exten- sive understanding of the risks and prospects of electronic voting. In partic- ular, IT security is subject to research not only by computer scientists, but also by legal, social and political scientists. One of the most urgent questions is the suitable expression of security of voting systems; more precisely: how can security requirements on voting systems be specified, how can such re- quirements be evaluated, how can products be evaluated to match specified requirements? Only a few works in the recent past have investigated these questions as elaborately as this book by Melanie Volkamer on the “Evaluation of Electronic Voting,” which specifies “Requirements and Evaluation Procedures to Support Responsible Election Authorities.” It is not only a scientifically sound piece of research work, which has received a distinguished mark by my supervising university. It is also a highly educational text for anybody who wants to understand what electronic voting is about and how it can be made more secure. The reader learns that electronic voting has two branches: one branch comprises electronic voting machines in traditional precincts, which are only used for more effective counting; the other branch deals with Internet voting VI Foreword (also called remote electronic voting) to replace the paper ballots and their delivery via postal voting or physical ballot boxes. The latter seems to be more risky, more vanguard, more influential on the political atmosphere. The reader is introduced to both forms of electronic voting by concrete examples of their usage. The reader learns how the security of information technology is measured and evaluated in general. In a didactically well-organized way, the book introduces the international standardized methodology of the Common Criteria, and especially the part of the Common Criteria that deals with protection profiles of user requirements. In accordance with the German Society of Computer Scientists (Gesell- schaft f¨ur Informatik e.V.), Melanie Volkamer has succeeded in specifying a “Protection Profile for a Basic Set of Security Requirements for Online Vot- ing Products.” This profile was certified by the German Federal Office for Security in Information Technology (Bundesamt f¨ur Sicherheit in der Infor- mationstechnik - BSI) in May 2008. This book discusses the reasons that this profile was created. While promoting the protection profile, the Gesellschaft f¨ur Informatik and other communities have introduced Internet voting in their election procedures. This has stimulated the development of real products, as well as the continuous observation of the products and their usage. Thus, the book is a result of this live debate in the public. The findings of this book are, therefore, not only based on theoretical considerations, but also on a related practical experience. It is worthwhile to emphasize two more highlights (out of many) of this book. It follows the perspective of the Common Criteria especially in the important distinction between the system to be evaluated and the trust en- vironment in which such a system is used. The technical aspects of a secure system are associated with its application environment, including human and organizational aspects. One of the findings of Melanie Volkamer is that the trust model of a voting system needs to be evaluated against the degree of the separation of duty principle. The separation of duty principle requires that risky operations are carried out by more than one person, who are unlikely to collaborate. Therefore, systems need a certain robustness against the danger of unauthorized collaboration. The method of the Common Criteria has no means to express this kind of robustness. To overcome this, Melanie Volkamer suggests a “k-resilience” meassure. This approach is important not only for electronic voting, but for other Internet applications as well. Another highlight is the introduction of formal modelling. Of course, the exact method of formal modelling is not of very wide public interest, but its effect is important for everybody. Consistency and freedom of contradictions can only be ensured by formal methods. And which application in the world is more sensitive for a sound democratic life than voting? If voting does not require the highest security standard, which one does? This book takes a first step into security modelling of voting and shows how it might be continued. I am convinced that this book deals with one of the hottest topics of IT applications and that it addresses the most urgent aspects of electronic voting. Foreword VII The readers will not only learn a lot more about voting, and Internet voting in particular, but they will be stimulated in their own research and development work. I wish the book and its readers much success in this direction. February 2009 R¨udiger Grimm Preface First, I would like to gratefully acknowledge my supervisor Prof. Dr. R¨udiger Grimm, who continuously helped me during this work with his support, his motivating words and his constantly quick reactions to my numerous e-mails— particularly in the last couple of months. Second, I am indebted to Prof. Dr. J¨org Schwenk for being my second supervisor. Furthermore, I would like to thank the many people who encouraged me with technical support: Roland Vogt and Marcel Weinand for the technical discussions on the application of the Common Criteria in general but also in detailed aspects, Dieter Hutter for the very helpful comments on the formal IT security model, and Margaret McGaley for the helpful discussions during the requirement definitions for voting machines. I am grateful to the PhD students of the e-Voting seminar group for nu- merous stimulating discussions and general advice; in particular I would like to acknowledge the help of Robert Krimmer for his support and the great collaboration, which I really enjoyed. I would like to thank my former employer—the Deutsches Forschungszen- trum f¨ur K¨unstliche Intelligenz (DFKI - German Research Center of Artificial Intelligence)—in particular my boss Prof. Dr. J¨org Siekmann, who enabled me to continue my research on electronic voting. In addition, I would like to thank my colleague Dieter Hutter for introducing me to the IT security community. I thank Prof. Dr. Hermann De Meer and Prof. Dr. Dirk Heckmann from the University of Passau, who gave me the opportunity to finish my thesis, to