Council of Europe
Group of Specialists on core technical standards for e-enabled voting
(EE-S-TS)
Security Recommendations and Best-Practices for e-enabled voting

Draft Version – 27th June 2003

Preface: At its 1st meeting on 10th-11th April 2003 the Sub-Group on core technical standards for e-enabled voting addressed, inter alia, the security aspects of e-voting. It was suggested to develop a draft recommendation on the security aspects as a basis for discussion at the 2nd meeting in June 2003. This draft shall give “Security recommendations (security risks in the process model, and subsequently dealing with environments (kiosk, open etc.). Analysis of risks of each channel device and options but no strict opinions on which channel(s) should be privileged”[1].

This document gives first draft recommendations. The emphasis is on a technology-neutral description of security requirements.

The document is structured into two parts:

  • the first part – sections “Foreword, general remarks” and “Security risks in the EML process model” – is explanatory and is not expected to become part of the CoE recommendation.
  • the second part gives the actual draft security recommendations. This part of the document follows the structure that was proposed at the April meeting.
    Foreword, general remarks

It is proposed to divide the security recommendations into two parts:

  • Core technical security standards shall describe the security requirements in a highly technology-neutral manner. This shall lead to sustainable CoE recommendations that withstand rapid technological developments.
  • Best practices shall be given in an Annex that addresses the state-of-the-art.

These draft recommendations mainly cover the first part, the technology-neutral core security standards. The second part, the best practices, shall be developed in the next stages based on a review of the national e-voting security standards[2] and the reports of the pilots that have been carried out; these shall provide valuable input for the best practices.

The focus of the security recommendations is on countering systematic attacks, i.e. situations that might distort the result of an election event. In several aspects of e-voting it is virtually impossible to build the technical components in a way that guarantees the absence of single occasional errors; this also holds for conventional voting systems. The level of acceptable residual risk is not specified in this document. As a general rule, the electronic method shall be at least as secure as the conventional method of voting.

    Security risks in the EML process model

In this section a basic risk analysis is carried out [ed. note: the risk analysis shall assist in developing the security recommendations. The section is most likely not needed in the CoE recommendations]. The draft security recommendations are based on the EML process model; a simplified version of it is illustrated in the following figure.


Figure 1. EML process model (simplified; from EML v3, figure 2B)

[ed. note: further security requirements addressing aspects beyond the EML process model might be needed, for instance for the operational standards. These first draft security recommendations are, however, limited to the process model]

Given the process model shown in figure 1, the following risks can be identified[3]:

    o In the pre-election stages:
    The main assets are the election lists and the candidate lists. Tampering with these databases, with their generation (including the individual nominations or registrations), or with their communication to the election stages must be prevented. The risks related to these process stages are:

  • Impersonation during voter registration or candidate nominations (both impersonating an entity eligible to nominate a candidate or impersonating a candidate accepting/declining a nomination)
  • Modification or destruction of the candidate list and election lists
  • Disclosure of the candidate or election lists to third parties (depending on whether there are confidentiality requirements for these data)
  • Denial of service attacks against the nomination and registration process
  • Disclosure, modification, or destruction of the data communicated to the voting process or denial of service attacks against it

    o In the election stages:
    The main assets to be protected in the election stages are the right to vote, including the prevention of casting multiple votes, and the voter’s decision as entered into the system and represented in the cast vote. Unattended remote voting is exposed to the largest set of risks; that superset is as follows:

  • Loss of integrity or secrecy of the data communicated, such as the voter’s identity and the cast vote
  • Failure to keep the cast vote an inviolable secret
  • Impersonation of an eligible voter during voter authentication
  • Casting multiple votes, either by using different voting channels or by using one voting channel several times
  • Irrecoverable loss of cast votes, for example through error states
  • Denial of service attacks against the voting process

    o In the post-election stages:
    Again the main assets are the cast votes. Risks in these stages are:

  • Loss of integrity or availability of the ballots
  • Loss of single votes, or duplicated single votes that cannot be detected as duplicates
  • Failure to keep the cast vote an inviolable secret
  • Data trails that allow a single vote to be assigned to a voter
  • Errors in the counting process

    o In the auditing, maintenance and administration processes:
    As these processes govern all stages of an election event, the assets exposed to threats comprise all the assets given above. In addition to the risks addressed above, the following specific threats arise:

  • Deliberate or unintended circumvention of security measures
  • Deliberate or unintended impairment of service availability or integrity
  • Establishment of the relationship between a voter and a cast vote
  • Loss of integrity or availability of audit trails
  • Loss of the ability to detect attacks or errors

[ed. note: I encourage all of you to check whether the assets and threats given above are complete. I assume I covered most, but identifying the risks is the crucial part of our recommendations. Based on a complete asset/threat model it can be checked whether our recommendations cover all the threats. – Such an asset – threat – security objectives sequence is usual practice to define security requirements]

Taking that basic risk model, the following sections propose first draft security recommendations. The proposed structure for the CoE recommendations is used as the basic framework. The introduction summarises the general considerations on the security recommendations. The glossary establishes a common terminology taken from generally accepted standards in the IT security area, an approach already followed in the ACEEEO questionnaire. At the current stage no security recommendations related to legal and organisational standards are given; whether such recommendations are needed will be decided once the EE-S-LOS group has produced first drafts of these sections. The actual security recommendations are given in the section on technical standards; technology neutrality of these core technical standards has been the aim.

Given an agreed set of core security recommendations these shall be further elaborated in an Annex by giving best-practices and state-of-the-art solutions to meet the security requirements.

        I. Introduction

Appropriate security measures are indispensable preconditions for carrying out election processes by electronic means. Like any technical system, an e-enabled voting system may be exposed to errors and to deliberate or unintended attempts to circumvent security measures. Particular attention needs to be paid to systematic attacks, as these can affect voting results. Such attacks need to be prevented and the cardinal principles of universal, equal, free, secret and direct suffrage need to be maintained. As a general rule, e-enabled voting shall be as secure as conventional means of casting votes.

The technical section of these recommendations defines core security standards in a technology neutral manner that is considered to outlast rapid technological changes. The Annex further refines the core standards by discussing implementation options and by giving best practices.

[ed. note: it probably is useful to describe the main assets to be protected based on both the cardinal principles and the process model, either here in the introduction or in the section on core technical standards. I have not started that yet; we could probably discuss it in Strasbourg.]

        II. Glossary

Access Control The prevention of unauthorized use of a resource

Authentication The provision of assurance of the claimed identity of an entity

Availability The property of being accessible and usable upon demand

Confidentiality The property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Data Integrity The property that data has not been altered or destroyed in an unauthorized manner

Data Origin Authentication The corroboration that the source of data received is as claimed

Entity Authentication The corroboration that an entity is the one claimed

Non-Repudiation A service intended to protect against an entity's false denial of having participated in all or part of the communication

Secrecy See Confidentiality

User An entity that interacts with the election system as a whole or with components of the election system. This inter alia includes voters, candidates, auditors, etc.[4]

        III. Legal standards

[ed. note: beyond the scope of this document]

        IV. Operational standards

[ed. note: pending the drafts of the operational standards there might be a need of amending these with security aspects]

        V. Technical standards

Users shall be authenticated when interacting with the election system or components of it, before any action is carried out. The proof of eligibility to carry out an action (e.g. to nominate a candidate or to cast a vote) shall be completed before the respective action takes effect.

User authentication shall be identity-based for voters and candidates[5]. Unique identification shall be ensured for voters and candidates. Voter authentication shall fail if the voter has already cast a vote, irrespective of the election channel used for the vote already cast.

Authentication data shall be protected so that unauthorized entities cannot misuse, intercept, modify, or otherwise gain knowledge of authentication data or any part of it.

Election lists and candidate lists that are stored by or communicated between components of the election system shall be maintained with their authenticity, integrity and availability preserved. Election lists shall be stored and communicated in encrypted form where the respective legislation lays down confidentiality requirements.

The election system shall maintain service availability throughout the voting period.

The data communicated when a vote is cast shall be encrypted along the entire path from the system used to cast the vote to the ballot box. This includes both the data used to identify and authenticate an eligible voter and the cast vote itself.

The cast vote shall remain encrypted until the counting process. The election system shall ensure the authenticity, availability and integrity of the cast votes until the counting process; beyond the election event, authenticity, availability and integrity of the cast votes shall be ensured for the period required for re-counting purposes.

The election system shall ensure that a cast vote cannot be linked to a voter at any point in its lifecycle; the election system shall ensure that the voter’s decision remains an inviolable secret throughout the lifecycle of a cast vote[6]. Data for authenticating a voter shall be kept separate from the cast vote.

The election system shall destroy any residual information that could reveal the voter’s decision or that could establish a link between a cast vote and the voter. At the voting device, residual information, including any display of the voter’s decision, shall be destroyed immediately after the vote has been cast.

The counting process shall correctly count all cast votes. It shall not be possible to trigger the counting of all or part of the cast votes before the intended counting event. Recounting a subset of the cast votes shall not reveal the decision of a single voter or of a group of voters.

Audit trails that allow errors in, or attacks against, the registration process, the nomination process, the voting process, or the counting process to be detected shall be established. Authenticity, availability, and integrity of the audit trail shall be ensured, and disclosure of audit trails to unauthorized entities shall be prevented.

The security measures in the election system shall represent the technological state-of-the-art.

It is recommended that the compliance of security-relevant components with these recommendations be assessed by independent bodies. Sufficient assurance shall be provided that the recommendations have been fulfilled. The establishment of an appropriate scheme for supervision of providers of election services is recommended.
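The following is an added illustration of how the core technical standards above translate into code; it is not part of the CoE draft and does not describe any national system. It models authentication before any action, one vote per voter irrespective of channel, identity data kept apart from the sealed ballot, ballots opened only by the counting process after close of poll, no retained plaintext of the voter's decision, and a tamper-evident register trail that is reconciled against the ballot box at the count. All names (ElectionSystem, seal, unseal, the voter IDs and credentials) are invented for the example, the sample election is constructed, and the "seal" (a SHA-256 keystream with an HMAC tag) is a stand-in for a real AEAD or for public-key encryption to the counting authority; the PBKDF2 credential check likewise stands in for whatever identity-based authentication the legislation prescribes.

```python
# Toy model of the core technical standards above. The "seal" (SHA-256 keystream +
# HMAC tag) is a stand-in for a real AEAD or public-key scheme; not for production.
import hashlib
import hmac
import secrets
from collections import Counter

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ballot failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _derive(credential: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)

class ElectionSystem:
    def __init__(self, tally_key: bytes):
        self.tally_key = tally_key          # in reality held only by the counting authority
        self.register = {}                  # voter_id -> (salt, credential hash)
        self.voted = {}                     # voter_id -> channel, shared by ALL channels
        self.ballot_box = []                # sealed ballots only; never a voter identifier
        self.ballot_digests = set()         # unordered, so it yields no voter<->ballot trail
        self.register_events = []           # "voter marked as voted" events, in order
        self.register_chain = b"\x00" * 32  # hash chain over those events
        self.closed = False

    def enrol(self, voter_id: str, credential: str) -> None:
        salt = secrets.token_bytes(16)
        self.register[voter_id] = (salt, _derive(credential, salt))

    def authenticate(self, voter_id: str, credential: str) -> bool:
        salt, stored = self.register.get(voter_id, (b"", b""))
        return bool(stored) and hmac.compare_digest(stored, _derive(credential, salt))

    def mark_voted(self, voter_id: str, channel: str) -> None:
        """Also called when a polling station reports a paper vote for this voter."""
        self.voted[voter_id] = channel
        event = f"{voter_id}:{channel}".encode()
        self.register_events.append(event)
        self.register_chain = hashlib.sha256(self.register_chain + event).digest()

    def cast(self, voter_id: str, credential: str, choice: str, channel: str = "remote") -> str:
        if self.closed:
            return "rejected: voting period closed"
        if not self.authenticate(voter_id, credential):   # authenticate before any action
            return "rejected: authentication failed"
        if voter_id in self.voted:                        # one vote, whatever the channel
            return f"rejected: already voted via {self.voted[voter_id]}"
        sealed = seal(self.tally_key, choice.encode())    # encrypted from here to the count
        self.ballot_box.append(sealed)
        self.ballot_digests.add(hashlib.sha256(sealed).digest())
        self.mark_voted(voter_id, channel)
        return "accepted"                                 # receipt carries no trace of the choice

    def close(self) -> None:
        self.closed = True
        secrets.SystemRandom().shuffle(self.ballot_box)   # order must not mirror the register log

    def count(self) -> dict:
        if not self.closed:
            raise PermissionError("counting is inhibited until close of poll")
        chain = b"\x00" * 32                              # 1. register audit trail intact?
        for event in self.register_events:
            chain = hashlib.sha256(chain + event).digest()
        if chain != self.register_chain:
            raise ValueError("register audit trail has been tampered with")
        expected = sum(1 for ch in self.voted.values() if ch != "paper")  # 2. reconcile
        digests = {hashlib.sha256(b).digest() for b in self.ballot_box}
        if len(self.ballot_box) != expected or digests != self.ballot_digests:
            raise ValueError("ballot box does not reconcile with the register")
        tally = Counter()                                 # 3. ballots are opened only here
        for sealed in self.ballot_box:
            tally[unseal(self.tally_key, sealed).decode()] += 1
        return dict(tally)

def demo() -> dict:
    """Constructed sample election: four voters, one of whom already voted on paper."""
    system = ElectionSystem(tally_key=secrets.token_bytes(32))
    for vid, cred in [("V1", "pw-1"), ("V2", "pw-2"), ("V3", "pw-3"), ("V4", "pw-4")]:
        system.enrol(vid, cred)
    system.mark_voted("V3", "paper")
    results = [
        system.cast("V1", "pw-1", "alice"),
        system.cast("V2", "pw-2", "bob", channel="kiosk"),
        system.cast("V1", "pw-1", "bob"),        # second attempt by the same voter
        system.cast("V3", "pw-3", "alice"),      # already voted at the polling station
        system.cast("V4", "wrong", "alice"),     # bad credential
        system.cast("V4", "pw-4", "alice"),
    ]
    system.close()
    return {"results": results, "tally": system.count()}
```

Two points of the design are worth noting. The register log is ordered (it has to be, for the hash chain) while the ballot box is shuffled at close and its digests are kept as an unordered set, because an ordered ballot log that runs in parallel with the ordered register log is exactly the "data trail that allows a single vote to be assigned to a voter" listed among the post-election risks. Second, the tally key sits in the same process here only for brevity; in a deployed system the voting server would hold only the counting authority's public key, so that the separation the code models is enforced rather than merely logical.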

        VI. Sustainability of Standards

[ed. note: pending the drafts of the operational standards there might be a need of amending these with security aspects]

    Appendix: Best Practices

[ed. note: This section shall be drafted following an in-depth review of national security standards (e.g. Netherlands, Switzerland, and United Kingdom).]

[ed. note: I did not yet start to address different election channels. This shall be done after the technology-neutral parts are tolerably stable. Also the in-depth review of the existing work (CESG, Swiss report to the Bundesrat, …) should first be made.]


[1] Text printed in italic has been taken from the draft report of the April TS meeting, IP 1 (2003) misc 26.

[2] E.g. the CESG e-Voting Security Study, the Swiss ordinance on political rights, etc.

[3] The identified assets and threats serve the purpose of elaborating the security requirements based on the EML process model. A more detailed risk analysis for e-voting is given, for example, in the Swiss report of the Bundesrat: “Bericht über den Vote électronique”, January 2002.

[4] The notion “user” is introduced to ease drafting recommendations where different roles (voter, candidate, administrator, …) shall be covered. E.g. authentication of all those roles is needed.

[5] This rules out role-based authentication for voters.

[6] This causes problems in jurisdictions where this link may be established by court order.