Secure Data Export and Auditing Using Data Diodes

Data diodes, that is, devices which permit only one-way communication, without even a reverse channel for acknowledgment, have many potential uses within voting systems. A practical design for a data diode is presented that is simpler and more nearly self-evident than previously published designs. Communication protocols appropriate for use in the voting context are described. Throughout, we emphasize designs that permit a relatively naïve observer to determine that it meets key security constraints. The Problem The results of any election must be published, for example, in newspapers or on the Internet. This generally requires communication from the election management system used for canvassing the election to any of a variety of systems outside the election administration security domain. At the same time, the election management system must be protected against intrusion from the outside. Many election officials deny that their systems are vulnerable to attack, flatly stating that their election management system has no public network connections. This denial cannot be taken at face value if the election management system provides up-to-date election results on a public server. In one system we examined, we have found a remarkably baroque data export path best characterized as security through extreme obscurity. In other cases, vendors recommend using an air gap with " sneakernet technology " to carry data across this gap Just because the electronic media are hand-carried across an air-gap does not imply that there is no reverse channel! One can easily imagine hand-carrying data back and forth in a thumb drive or any other reusable medium in such a way that contagion is carried into the election management system with each shuttle across the air gap. Data export on write-once disposable media such as ink on paper or recordable CD-ROMs is safe, but this may be just cumbersome enough that many jurisdictions will cheat. This moved us to develop an easily audited one-way on-line data connection for use between election servers and systems connected to public data networks. The basic idea we exploited was an electro-optical data-diode. This is not a new idea; it has even been patented. The patent explicitly limits itself to transmission from an unsecured computer to a secured computer, exactly the opposite direction from the data transfers that concern us here. In every case we discuss, data is exported from a secure environment to an insecure environment containing potential threats. Another class of similar devices are …