US2023033986A1PendingUtilityA1

Security Device and Methods for End-to-End Verifiable Elections

65
Assignee: VIDALOOP INCPriority: Jul 28, 2021Filed: Jun 7, 2022Published: Feb 2, 2023
Est. expiryJul 28, 2041(~15 yrs left)· nominal 20-yr term from priority
H04L 63/08H04L 63/0442H04L 2209/64H04L 2209/463H04L 9/3263H04L 9/3234H04L 9/3247H04L 9/50H04L 9/3265G07C 13/00H04L 9/0894H04L 9/3268
65
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods for provisioning and operating a primary security device in a verifiable end-to-end election system are presented herein. The security device serves as a root of trust for chains of certificates that are deployed and utilized throughout the election process. These chains of certificates, originating with the device, which acts as an intermediate certification authority, are used to create a verifiable trust chain throughout the different parts of the election process, the trust chain being traceable back to the device and to the original root of trust certificate. In various embodiments the security device includes a compute module, a security chip, a connection to an interface device, at least one lockable transfer device port, and an air-gapped main board to house the compute module, the security chip, and the lockable transfer device port.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for provisioning and operating an air gapped security device for an end-to-end verifiable election, the method comprising:
 issuing a copy of a signed root certificate to an air gapped security device;   signing the certificate signing request by a root private key, producing an intermediate certificate associated to the security device, wherein the intermediate certificate is stored in the security device;   generating, by the security device, a security device private key associated with the security device, wherein the security device private key is stored in the security device; and   cryptographically locking the security device, preventing access to the stored intermediate certificate, the security device private key and the copy of the signed root certificate.   
     
     
         2 . The method of  claim 1  further comprising:
 accessing the security device with at least one individual physically present at an interface device coupled to the security device, wherein the one individual must verify their presence via the interface device, the interface device being connected to the security device. 
 
     
     
         3 . The method of  claim 2  whereby the accessing is logged and able to be audited. 
     
     
         4 . The method of  claim 1  further comprising:
 linking the security device to management system, wherein data can only be input into the security device if it is data from the linked management system. 
 
     
     
         5 . The method of  claim 4 , wherein the linking comprises the following:
 generating at least one private key and at least one certificate signing request by the management system;   transferring a data package with the at least one certificate signing request to the security device via a data transfer device;   signing the at least one certificate signing request by the security device, wherein the at least one certificate signing request becomes a signed certificate; and   transferring the signed certificate to the system via the data transfer device.   
     
     
         6 . The method of  claim 2 , further comprising:
 upon accessing the security device, enabling a lockable transfer device port on the security device;   coupling a data transfer device to the security device via the lockable transfer device port;   copying the data on the transfer device into the security device; and   disabling the lockable transfer device port.   
     
     
         7 . The method of  claim 6  further comprising:
 verifying the source of the input data as a trusted source, by verifying that it has a signed certificate traceable to the security device. 
 
     
     
         8 . The method of  claim 6  further comprising:
 rejecting an operation, upon failure of the verifying of the data content as being without error, of an accepted file type, or from a trusted source, wherein the operation may be one or more of the following: copying, receiving, transferring, or installing the data content. 
 
     
     
         9 . The method of  claim 7  further comprising:
 rejecting an operation, upon failure of the verifying of the data content as being without error, of an accepted file type, or from a trusted source, wherein the operation may be one or more of the following: copying, receiving, transferring, or installing the data content. 
 
     
     
         10 . The method of  claim 6  wherein the data content may include one or more of voter information, registration information, CVR, voter to public key mapping, registry information, blockchain node authentication data, ballots cast, type of ballot cast, type of vote cast, voter ID, social security details, driver license information, driver registration details, number of votes cast, one or more certificate signing request, one or more issued certificate, one or more signed certificates, one or more private keys, one or more public keys, one or more public-private key pairs, EMS export data, update data, tokens, token printing package data, blockchain settings data, and one or more user, and passwords. 
     
     
         11 . The method of  claim 1 , further comprising:
 generating, an individualized processed data, based on information known to an end user or entity;   generating, a random token or authentication code;   creating, a new private key by using the individualized processed data and the random token or authentication code; and   deriving a public key from the new private key, when the new private key is valid.   
     
     
         12 . The method of  claim 11 , wherein the generating of the individualized processed data comprises:
 normalizing the data information fields; and   concatenating the normalized data information fields to generate the formatted data, wherein the formatted data is a single string.   
     
     
         13 . The method of  claim 11 , wherein the creating of the new private key is done by a in a password based key derivation function, wherein the individualized processed data and the random token or authentication code are both used in the password based key derivation function. 
     
     
         14 . The method of  claim 11 , further comprising:
 seeding election settings data on a database, wherein the election settings data is associated with the new public key.   
     
     
         15 . The method of  claim 11 , further comprising:
 creating one or more export packages from the individualized processed data, the random token or authorization code, the public key and the private key; and   delivering the export package to an end-entity, wherein the end-entity may include one or more of the following: an individual, organization, business, agency, machine, system, network, printer, ledger, database, server, or computing device.   
     
     
         16 . The method of  claim 11 , wherein the export package may include one or more of voter information, registration information, CVR, voter to public key mapping, registry information, blockchain node authentication data, ballots cast, type of ballot cast, type of vote cast, voter ID, social security details, driver license information, driver registration details, number of votes cast, one or more certificate signing request, one or more issued certificate, one or more signed certificates, one or more private keys, one or more public keys, one or more public-private key pairs, EMS export data, update data, tokens, token printing package data, blockchain settings data, and one or more user, and passwords. 
     
     
         17 . A security device for providing secure data storage, transmission, processing and certification in an end-to-end verifiable election, the security device comprising:
 a compute module; and   a security chip, coupled to the compute module and configured to:
 storing a copy of a signed root certificate; 
 generating a certificate signing request, wherein the certificate signing request is signed by a root private key, producing an intermediate certificate associated to the security chip, wherein the intermediate certificate is stored in the security chip; 
 generating, a security device private key associated with the security chip, wherein the security device private key is stored in the security chip; and 
 locking the security chip cryptographically, preventing access to the stored intermediate certificate, the security device private key and the copy of the signed root certificate. 
   
     
     
         18 . The security device of  claim 17 , further comprising:
 the compute module, further configured to:
 linking the security device to management system, wherein data can only be input into the security device if it is data from the linked management system. 
   
     
     
         19 . The security device of  claim 17 , further comprising:
 an interface display device, that includes a predefined limited functionality user interface that does not allow direct interaction with the rest of the security device, wherein the interface display device is connected serially to the security device.   
     
     
         20 . The security device of  claim 17 , further comprising:
 at least one lockable data transfer device port, in a default disabled state; and   a main board to house the compute module, the security chip, the at least one lockable data transfer device port and an at least one switch to enable or disable any of the at least one lockable data transfer device port.   
     
     
         21 . The security device of  claim 19 , further comprising:
 accessing the security device with at least one individual physically present at the limited functionality human interface display device, wherein the at least one individual must verify their presence via the interface display device.   
     
     
         22 . The security device of  claim 21 , further comprising:
 the at least one lockable data transfer device port configured to:
 being enabled after the security device is successfully accessed by the at least two individuals; and 
 coupling with a data transfer device; 
   the security chip, further configured to:
 receiving at least one certificate signing request from an election management system via the coupled data transfer device; 
 signing the certificate signing request, producing a signed certificate; and 
   the compute module, configured to:
 receiving a management system package via the coupled data transfer device; and 
 registering the management system with the security device. 
   
     
     
         23 . The security device of  claim 21 , further comprising:
 the at least one lockable data transfer device port configured to:
 being enabled after the security device is successfully accessed by the at least one individual; and 
 coupling with a data transfer device; 
   the security chip, further configured to:
 decrypting the copied data content; and 
   the compute module, configured to:
 copying the data on the data transfer device to the compute module; 
 disabling the lockable port; and 
 verifying the data content as being without error and of an accepted file type. 
   
     
     
         24 . The security device of  claim 22 , further comprising:
 the compute module, configured to:
 rejecting an operation, upon failure of the verifying of the data content as being without error or of an accepted file type, wherein the operation may be one or more of the following: copying, receiving, transferring, or installing the data content. 
   
     
     
         25 . The security device of  claim 23 , further comprising:
 the compute module, configured to:
 rejecting an operation, upon failure of the verifying of the data content as being without error or of an accepted file type, wherein the operation may be one or more of the following: copying, receiving, transferring, or installing the data content. 
   
     
     
         26 . The security device of  claim 23 , wherein the data content includes one or more of: voter information, registration information, CVR, voter to public key mapping, registry information, blockchain node authentication data, ballots cast, type of ballot cast, type of vote cast, voter ID, social security details, driver license information, driver registration details, personal voter information, number of votes cast, one or more certificate signing requests, one or more issued certificates, one or more signed certificates, one or more private keys, one or more public keys, one or more public-private key pairs, EMS export data, update data, tokens, token printing package data, blockchain settings data, signed certificates, certificate signing requests, and one or more user names, and user passwords, user details, voter registration information, and driver license information. 
     
     
         27 . The security device of  claim 17 , further comprising:
 The security chip, further configured to:
 generating, an individualized processed data, based on information known to an end user or entity; 
 generating, a random token or authentication code; 
 creating, a new private key by using the individualized processed data and the random token or authentication code; and 
 deriving a public key from the new private key, when the new private key is valid. 
   
     
     
         28 . The security device of  claim 27 , further comprising:
 creating one or more export packages from the individualized processed data, the random token or authorization code, the public key and the private key.   
     
     
         29 . The security device of  claim 28 , wherein the security device export package may include one or more of: voter information, registration information, CVR, voter to public key mapping, registry information, blockchain node authentication data, ballots cast, type of ballot cast, type of vote cast, voter ID, social security details, driver license information, driver registration details, personal voter information, number of votes cast, one or more certificate signing requests, one or more issued certificates, one or more signed certificates, one or more private keys, one or more public keys, one or more public-private key pairs, EMS export data, update data, tokens, token printing package data, blockchain settings data, signed certificates, certificate signing requests, and one or more user names, and user passwords, user details, voter registration information, and driver license information. 
     
     
         30 . The security device of  claim 17 , wherein the security device is air gapped.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.