VxSuite TDP - v4
Cryptography


Cryptographic Modules

VxSuite v4 contains four distinct cryptographic modules:

  • Smart cards

  • VxAdmin / VxCentralScan TPM (same underlying hardware)

  • VxMark TPM

  • VxScan TPM

  • OpenSSL software

All of the above are FIPS-compliant.

Smart Cards

VxSuite v4 uses NXP JCOP 4 Java Cards, specifically this model: https://www.cardlogix.com/product/nxp-jcop-4-java-card-3-0-5-classic

These smart cards are FIPS 140-2-certified: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3746

The applet that we run on the cards, OpenFIPS201, is an implementation of the NIST FIPS 201 PIV protocol, which sits on top of FIPS 140 cryptography. In the applet, all cryptographic operations are handled by the Java Card operating system implemented by the NXP JCOP 4 card.

VxAdmin / VxCentralScan TPM

The VxAdmin / VxCentralScan HP uses an NPCT75x TPM 2.0 chip by Nuvoton.

This chip is FIPS 140-2-certified: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4411

VxMark TPM

The VxMark board uses an SLB 9665 TPM 2.0 chip by Infineon.

This chip is FIPS 140-2-certified: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2959

VxScan TPM

The VxScan board uses an SLB 9670 TPM 2.0 chip by Infineon.

This chip is FIPS 140-2-certified: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3492

OpenSSL

We use OpenSSL 3.0.9 and install the FIPS provider, per these instructions. In the basic configuration wizard run on first boot after imaging, we run the mandatory openssl fipsinstall command to ensure that the FIPS provider is configured correctly and OpenSSL is running in FIPS mode.

This provider is FIPS 140-2-certified: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282

FIPS compliance of all OpenSSL operations is guaranteed as follows:

  • FIPS compliance via hardware modules: For relevant operations, OpenSSL outsources cryptographic operations to the TPM 2.0 chip, and as noted above, all of our TPM 2.0 chips are FIPS-compliant.

  • FIPS compliance via software modules: For all other operations, OpenSSL uses the FIPS provider. Our OpenSSL config guarantees this.

Authentication vs. Encryption

VxSuite does not use encryption to secure data (election definitions, CVRs) while in transit on USB drives, because that data does not need to be confidential; in fact, trust in a voting system is better achieved by transparency of this data. In particular, CVRs stored on USB drives are not encrypted so that they can be viewed using any computer. This is by design.

On the other hand, VxSuite strongly authenticates all data, which is critical. Thus, election definitions and CVRs are in plaintext on the USB drives that transfer them, accompanied by strong digital signatures generated by signing keys stored in hardware TPMs.

VxSuite does encrypt data at rest on machines' internal drives, specifically their /var partitions, per Protecting Critical Read-Write Data.

Cryptographic Keying Material

All digital signatures for authenticating election definitions and CVRs are generated using ECC 256-bit keys on the NIST standard P-256 curve.

All hashes (for generating election IDs, digesting data before signing, constructing the Merkle-tree hash for CVRs, and constructing the dm-verity system integrity hash) are generated using the NIST standard SHA-256.

Encryption of disk partitions is done using AES with 256-bit keys in XTS mode.

Secure Boot code signing uses RSA 4096-bit keys.
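The sign-then-verify flow that the two preceding sections describe (a plaintext artifact on the USB drive, authenticated by an ECDSA P-256 signature over its SHA-256 digest) can be exercised with the openssl CLI. This is an added example, not VxSuite code: it assumes openssl is on PATH, uses a file-based key in place of the TPM-held signing key, and the CVR content and file names are constructed here.

```shell
# Added example, not VxSuite code. A file-based P-256 key stands in for the
# TPM-resident signing key; the CVR content below is constructed for illustration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the P-256 (prime256v1) signing key and export its public half,
# which is what a verifier (e.g. another computer reading the USB drive) needs.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/signer.key" 2>/dev/null
openssl ec -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null

# Constructed stand-in for an exported CVR: it stays readable plaintext.
printf '{"ballotId":"constructed-0001","contest":"mayor","vote":"A"}\n' > "$WORK/cvr.json"

# Produce a detached ECDSA signature over the SHA-256 digest of the file.
sign_artifact() {   # $1 = artifact file, $2 = output signature file
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$2" "$1"
}

# Exit status 0 when the signature matches the file, non-zero otherwise.
verify_artifact() { # $1 = artifact file, $2 = signature file
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1
}

sign_artifact "$WORK/cvr.json" "$WORK/cvr.sig"
verify_artifact "$WORK/cvr.json" "$WORK/cvr.sig" && echo "original: signature OK"

# A single changed byte in the plaintext must be rejected by the verifier.
sed 's/"vote":"A"/"vote":"B"/' "$WORK/cvr.json" > "$WORK/cvr-tampered.json"
verify_artifact "$WORK/cvr-tampered.json" "$WORK/cvr.sig" || echo "tampered: signature REJECTED"
```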