
Project: CYBERVOTE
Contract: IST-1999-20338
Client: European Commission
Reference: CYBERVOTE:WP2:D7/V1:2001
Issue (draft): 1.0
Date: 14 January 2002
Status: Definitive
Nature: Public
Author(s): Anne DE MICHELI (MATRA Systèmes & Information)

Checked by: Sylvie BRUNESSAUX, Deliverable Leader, MATRA Systèmes & Information
Approved by: Sylvie BRUNESSAUX, WP2 Manager, MATRA Systèmes & Information
Authorised by: Stéphan BRUNESSAUX, Project Director, MATRA Systèmes & Information

Distribution list
· Antonis GALETSAS, European Commission
· Stéphan BRUNESSAUX, MATRA Systèmes & Information
· David PARKINSON, British Telecommunications
· Antoon BOSSELAERS, K.U.Leuven Research & Development
· Sébastien LEVY, Mairie d'Issy-les-Moulineaux
· Karl SCHLICHTING, Freie Hansestadt Bremen
· N. ASOKAN, NOKIA Research Centre
· Berry SCHOENMAKERS, Technische Universiteit Eindhoven
· Leif RYDÉN, Kista Stadsdelsnämnd
Synopsis
This report is deliverable 7 of the CyberVote project. It presents the results of the mock-ups of architectures of the CyberVote system built with techniques previously reviewed in deliverable 6. For each mock-up, it describes the candidate solutions used and evaluates their adequacy to the needs expressed.
File name
MSI-WP2-D7V1-V1.0.doc
Amendment History
Version | Date | Description
0.1 | 10 August 2001 | First draft
0.2 | 16 August 2001 | Integration of corrections for PC scenario
0.3 | 20 August 2001 | Addition of iPAQ scenario
0.4 | 21 August 2001 | Integration of corrections for iPAQ scenario
0.5 | 23 August 2001 | Integration of remarks
0.6 | 28 August 2001 | Addition of mobile phone scenario
0.7 | 6 September 2001 | Complete outline of the report
0.71 | 10 September 2001 | Minor changes in the introduction
0.8 | 13 November 2001 | Integration of NOKIA's contribution and KUL's contribution. Completion of MS&I's contribution.
0.9 | 17 December 2001 | Integration of BT's contribution; modification of NOKIA's part according to review record comments. Conclusion. Executive summary.
0.10 | 20 December 2001 | Integration of comments from Nokia. Version reviewed by PD.
1.0 | 14 January 2002 | Final version sent to EC.
Disclaimer
The information in this document is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.
Scope of CyberVote
CyberVote, an innovative cyber voting system for internet terminals and mobile phones, is a research and technological development (RTD) programme funded by the European Commission, with additional funding from the companies and organisations undertaking the work. It is part of the Information Society Technologies (IST) 1999 programme for research, technology development and demonstration under the fifth framework programme (FP5). It is attached to Key Action 1, Systems and Services for the Citizen.
The objective of CyberVote is to demonstrate the first highly secure cyber-voting prototype using mobile and fixed internet technologies. The project will define and implement a CyberVote prototype embedding an innovative voting protocol that relies on advanced cryptographic tools, to be developed to ensure integrity, privacy and authentication of the voters. The prototype will be demonstrated and evaluated in 3 trial applications.
The project is carried out by a consortium led by MATRA Systèmes & Information (FR) and grouping together: British Telecommunications (UK), NOKIA Research Centre (FI), K.U.Leuven Research & Development (BE), Technische Universiteit Eindhoven (NL), Freie Hansestadt Bremen (DE), Mairie d'Issy-les-Moulineaux (FR) and Kista Stadsdelsnämnd (SE).
The project officially started on 1 September 2000 and will end on 1 March 2003. The overall budget of the project is EUR 3 243 629 and the total effort is 27.4 man-years.
Executive summary
This report presents the results of further investigations into candidate solutions for the CyberVote system, based on the review of techniques in deliverable 6 (see [8], [9], [10]).
First, building the mock-ups on PC, iPAQ and Nokia 9210 highlighted the importance of several issues:
· Ergonomic rules and the adaptation of the HCI to each device must not be neglected.
· The choice of Java must be considered carefully, because it can have heavy consequences, especially for the installation phase of the system and for cryptography support on the client platform.
· Installing the system on a device is one of the phases in which the system could be compromised, and it may be the most difficult step to secure. Securing the server and its data is important, but securing the clients may matter most.
· The architecture of the system should be kept light, for both security and efficiency reasons.
Second, a thorough review of SSL showed that SSL/TLS is appropriate as an additional security measure beside the CyberVote voting protocols, and as a secure communication channel wherever one is required. SSL/TLS is particularly suited to authenticating the different web servers involved in the voting system, and so can prevent malicious parties from masquerading as genuine voting entities, provided the client holds the right root certificates and the application and operating system it runs on are themselves trustworthy (the trust issues discussed in chapter 3).
Third, investigations into the security of the CyberVote client software concluded that code signing of the application ensures the integrity and authenticity of the code. If the application is to be installed on mobile clients, the code signing methods available on each mobile platform have to be taken into account. Furthermore, once the application is installed, every parameter subsequently downloaded from an election server for a particular election must also be signed, and verified by the client before it is used.
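The signed-parameter requirement above, as an added example that is not part of this deliverable or of the CyberVote code: a Go program in which the election server signs an election's parameters and the installed client verifies them against a public key pinned in its code-signed package. Ed25519, the parameter fields (election identifier, candidates, tallying public key), the domain string and the sample values are assumptions made for the illustration. The client also checks the election identifier, because a replay of genuine parameters from another election would pass a bare signature check.

```go
// Added example, not CyberVote project code: an election server signs the
// per-election parameters and the installed client verifies them against a
// public key pinned in its code-signed package. Key type (Ed25519), parameter
// fields and the domain string are assumptions made for this illustration.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ElectionParams is a hypothetical parameter set downloaded after installation.
// The tallying key is the sensitive field: swap it and ballots get encrypted
// to the attacker instead of to the talliers.
type ElectionParams struct {
	ElectionID  string   `json:"election_id"`
	Candidates  []string `json:"candidates"`
	TallyPubKey string   `json:"tally_pub_key"` // hex-encoded, opaque here
}

// SignedParams is what the server publishes: the exact signed bytes plus the
// signature. The client verifies these bytes before decoding them.
type SignedParams struct {
	Payload   []byte
	Signature []byte
}

// domain binds the signature to this purpose, so a signature made by the same
// key over another message (e.g. a client package) cannot be replayed here.
const domain = "cybervote-election-params-v1\x00"

func signedMessage(payload []byte) []byte {
	return append([]byte(domain), payload...)
}

// SignParams is the election server side.
func SignParams(priv ed25519.PrivateKey, p ElectionParams) (SignedParams, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return SignedParams{}, err
	}
	return SignedParams{Payload: payload, Signature: ed25519.Sign(priv, signedMessage(payload))}, nil
}

// VerifyParams is the client side. It rejects anything not signed by the
// pinned key, and anything signed for a different election: a replay of old
// but genuine parameters would otherwise pass the signature check.
func VerifyParams(pinned ed25519.PublicKey, sp SignedParams, wantElection string) (ElectionParams, error) {
	if !ed25519.Verify(pinned, signedMessage(sp.Payload), sp.Signature) {
		return ElectionParams{}, fmt.Errorf("election parameters: signature does not verify")
	}
	var p ElectionParams
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return ElectionParams{}, fmt.Errorf("election parameters: %w", err)
	}
	if p.ElectionID != wantElection {
		return ElectionParams{}, fmt.Errorf("election parameters: signed for %q, expected %q", p.ElectionID, wantElection)
	}
	return p, nil
}

// Scenario exercises the three cases a client must get right and reports
// whether each behaved as required; all three results should be true.
func Scenario() (genuineOK, tamperRejected, wrongElectionRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample parameters, not real trial data.
	genuine := ElectionParams{ElectionID: "issy-2002-trial", Candidates: []string{"Alice", "Bob"}, TallyPubKey: "a1b2c3"}
	sp, err := SignParams(priv, genuine)
	if err != nil {
		return
	}
	_, err = VerifyParams(pub, sp, "issy-2002-trial")
	genuineOK = err == nil
	// An attacker on the download path swaps the tallying key but cannot re-sign.
	tampered := SignedParams{Payload: bytes.Replace(sp.Payload, []byte(`"a1b2c3"`), []byte(`"deadbe"`), 1), Signature: sp.Signature}
	_, err = VerifyParams(pub, tampered, "issy-2002-trial")
	tamperRejected = err != nil
	// Genuine, correctly signed parameters of another election are replayed.
	other := genuine
	other.ElectionID = "bremen-2002-trial"
	spOther, err := SignParams(priv, other)
	if err != nil {
		return
	}
	_, err = VerifyParams(pub, spOther, "issy-2002-trial")
	wrongElectionRejected = err != nil
	return genuineOK, tamperRejected, wrongElectionRejected, nil
}

func main() {
	g, t, w, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, other election rejected: %v\n", g, t, w)
}
```

Run with `go run`; it reports that the genuine parameters were accepted and both bad cases rejected. The pinned verification key must ship inside the signed client rather than be downloaded with the parameters: a party able to alter the download could otherwise supply its own key together with its own signature.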
Fourth, the analysis of cryptography support on the client platforms showed that the CyberVote client software for PC currently requires only the basic JDK security packages, which are widely supported on PCs but not in PersonalJava, the platform used on the iPAQ and Nokia devices. However, because of the nature of Java, the missing packages or classes can be shipped within the client software package, and the classes can even be modified; they then form part of the client package whose integrity the code signing above must protect.
Finally, the review of PKI tokens concluded that the choice of the right device depends on the requirements of the system (e.g. strong authentication) and on the client devices that will be supported and targeted. Some form of token, such as a smart card holding certificates, is advisable when the computers and operating systems in use do not provide an acceptable level of protection for confidential signing keys. Mobile devices usually already contain a secure token (the SIM).
The conclusions of this report will feed the next step of the project, the specification of the system.
TABLE OF CONTENTS
1 Introduction
2 Investigations about the HCI, Web server and application server
2.1 Introduction
2.2 Scenario of the mock-up
2.3 Task model
2.4 Scenario of the mock-ups
2.4.1 Scenario for the PC mock-up
2.4.2 Scenario for the iPAQ mock-up
2.4.3 Scenario for the Nokia 9210 mock-up
2.5 Technical description of the mock-up
2.5.1 Architecture
2.5.2 Screenshots and comments
2.6 Conclusion
3 Investigations about SSL
3.1 SSL/TLS
3.1.1 History
3.1.2 Security service
3.1.3 Mechanism
3.1.4 SSLv2/SSLv3/TLS/WTLS: differences
3.1.5 Cryptographic algorithms
3.1.6 Current status of IETF-TLS Working Group
3.2 Export restriction issues
3.2.1 Export restrictions
3.2.2 Solutions
3.3 Trust issues
3.3.1 Distribution of root certificates
3.3.2 Application integrity
3.3.3 OS security
3.4 Support of SSL/TLS/WTLS on different platforms
3.4.1 PC
3.4.2 Mobile phone (Nokia 9210)
3.4.3 iPAQ Pocket PC
3.5 Appropriateness of SSL/TLS to the CyberVote system
4 Investigations on CyberVote client security issues
4.1 Authenticity and integrity of client side software
4.1.1 Code signing of Java Applet
4.1.2 Code signing of Application
4.2 Authenticity and Integrity of Election Parameters
4.3 Cryptography Support in Client Platforms
4.3.1 Java Security
4.3.2 Conclusion
4.4 Other general issues related to NOKIA 9210
4.4.1 Application File Builder and Icon Designer
4.4.2 Application installation
4.5 Conclusion
5 Investigations on PKI Tokens
5.1 Introduction
5.2 Different Types of Tokens
5.2.1 Software Certificate
5.2.2 Smart Cards
5.2.3 USB Tokens
5.2.4 Mobile phone SIMs
5.2.5 Non-PKI tokens (SecureID etc.)
5.3 Client Devices
5.3.1 Mobile Phones
5.4 Implementation
5.4.1 Client APIs and Interfaces
5.4.2 Server Side Issues
5.5 Layer Securities
5.5.1 Application layer
5.5.2 Transport layer
5.5.3 Network layer
5.6 Registration of Voters
5.6.1 Bulk Registration
5.6.2 Online Individual Registration
5.7 Conclusions: requirements and relevant options
6 Conclusion
7 References
8 Abbreviations and acronyms
9 Points of Contact for further information
LIST OF FIGURES
Figure 1: Mobile devices of the mock-up: Compaq iPAQ H3600 and Nokia 9210
Figure 2: Task model of the HCI mock-up
Figure 3: Outline of the architecture of the mock-up oriented towards the HCI
Figure 4: The security warning of a signed applet in Internet Explorer
Figure 5: The WAP Architectural Model (source: WAP Forum)
Figure 6: Cryptographic smart card architecture in Windows
Figure 7: OSI vs TCP/IP Stacks
Figure 8: Bulk registration and issuance of smart cards
1 INTRODUCTION
Deliverable 7 of the CyberVote project is a report on mock-ups of architectures and on the overall system architecture. It is composed of 2 volumes:
· Volume 1: "Report on mock-ups of architectures"
This volume is produced by WP2.7, "Build mock-ups of architecture based on candidate solutions". It presents the results of the mock-ups of architectures built with techniques reviewed in deliverable 6 (see [8], [9], [10]). Candidate solutions are introduced, and the results of evaluating their adequacy to the needs expressed are presented. The evaluation can be done via a mock-up.
· Volume 2: "Overall system architecture"
This volume is produced by WP2.8, "Define preliminary system architecture". It presents a functional view of the overall system architecture of the CyberVote system that best matches the user requirements.
The present report is volume 1 of deliverable 7.
WP2.7, which produced this volume, consisted in:
· considering several alternative technical architectures (multi-tier, based on a Web server with or without an application server; traditional two-tier architecture; etc.) based on the reviewed technologies;
· building mock-ups of these architectures;
· evaluating the adequacy of each architecture with respect to the needs expressed previously by other work packages.
This report presents the results of thorough investigations and tests conducted on the different technologies selected by deliverable 6. It is made up of:
· chapter 2: investigations about the HCI, Web server and application server, through mock-ups on PC, iPAQ and Nokia 9210;
· chapter 3: investigations about SSL;
· chapter 4: investigations on CyberVote client security issues;
· chapter 5: investigations on PKI tokens.
Finally, a global conclusion is given regarding the suitability of the evaluated technologies to the CyberVote system.