VVSG Links:
- Front Page
- Introduction
- Part 1: Equipment Requirements
- Chapter 1: Introduction
- Chapter 2: Conformance Clause
- Chapter 3: Usability, Accessibility, and Privacy Requirements
- Chapter 4: Security and Audit Architecture
- Chapter 5: General Security Requirements
- Chapter 6: General Core Requirements
- Chapter 7: Requirements by Voting Activity
- Chapter 8: Reference Models
- Part 2: Documentation Requirements
- Part 3: Testing Requirements
- References
- Glossary
Attention: You are viewing an archive!
- Forms will not work. Some links may not work or may be deprecated.
- Please visit the official VVSG site.
5.1 Cryptography
This section establishes general cryptography requirements for voting systems, specifies that signatures for protecting electronic voting records used in audits be generated in an embedded hardware signature module, and specifies the requirements for that module. These requirements include a key management scheme for the signature keys used by the signature cryptographic module, and requirements to help ensure that the signatures are reliable even if the voting device software has bugs or is tampered with.
Cryptography typically serves several purposes in voting systems. They include:
- Confidentiality: where necessary the confidentiality of voting records can be provided by encryption;
- Authentication: data and programs can be authenticated by a digital signature or message authentication codes (MAC), or by comparison of the cryptographic hashes of programs or data with the reliably known hash values of the program or data. If the program or data are altered, then that alteration is detected when the signature or MAC is verified, or the hash on the data or program is compared to the known hash value. Typically the programs loaded on voting systems and the ballot definitions used by voting systems are verified by the voting systems, while voting systems apply digital signatures to authenticate the critical audit data that they output; and
- Random number generation: random numbers are used for several purposes including the creation of cryptographic keys for cryptographic algorithms and methods to provide the services listed above, and as identifiers for voting records that can be used to identify or correlate the records without providing any information that could identify the voter.
This section establishes general technical requirements for the cryptographic functionality of voting systems, and some more specific requirements that certain cryptographic functions (digital signatures and key management for digital signatures) be performed in a protected hardware cryptographic module that is isolated from the voting system software, so that it is unlikely that the keys will be revealed or the cryptographic functionality compromised, even in the presence of a bug or malicious code in the other parts of the voting system and even if an adversary (possibly a corrupt insider) gains physical access to or control of the voting system for a period of time. The purpose of the signatures is to authenticate election records, and hardware cryptographic modules are not required for other cryptographic operations.
- IVVR Prevents ConfidentialityRichard Carback (Academic, Computer Science) on 01.25.08 at 4:34pmReply to this Comment