What are Common Criteria (CC)?
The Common Criteria (CC) are an international standard, maintained by a consortium of participating nations, for testing and assessing the functionality and trustworthiness of IT products. The process is standardized and recognized worldwide as ISO/IEC 15408. Evaluation is conducted by an external test center…
What certificates does POLYAS hold?
The online voting product POLYAS CORE Version 2.5.0 has been certified according to the protection profile BSI-CC-PP-0037-2008 since March 10, 2016. Our certificate is titled “BSI-DSZ-CC-0862-2016”.
What does it mean to “seal the election”?
After you have created your election in the Online Voting System, it will be sealed by the system after you have confirmed that it should do so. Once the election is sealed, all security parameters are activated and the data is distributed between the ballot box, electoral roll, validator, and election administration…
What external reviews have been performed?
In addition to the review by the German Research Center for Artificial Intelligence and certification by the BSI (German Federal Office for Information Security) according to Common Criteria, we perform penetration tests with external partners every year.
What is rate limiting?
Rate limiting restricts the number of requests per second and per IP address that the Online Voting System will accept. POLYAS applies the following limits: one request per second per IP address is permitted, and only ten requests in total may be made within a short period before further requests from that address are blocked.
What is the difference between the token and the session cookie?
The token is used to maintain voting secrecy and to prevent double voting, whereas the session cookie ensures that the system recognizes the voter’s browser session.
What measures does POLYAS take to identify and eliminate security threats?
POLYAS prevents what are known as brute force attacks by limiting the number of accesses per unit time and IP address. Through regular hacker tests (penetration tests) and security audits, we identify security vulnerabilities in the system and close them immediately.
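The limiter below is an added illustration of the policy stated in the rate-limiting answer above and reused here against brute-force credential guessing; it is not POLYAS code. The two figures from the FAQ (one request per second per IP, ten requests before blocking) are kept; the length of the "short period" (60 s) and the block duration (300 s) are assumptions, as are the client addresses in the constructed log.

```python
from collections import defaultdict, deque

# Policy values taken from the FAQ: one request per second per IP address,
# and at most ten requests in a short period before the address is blocked.
MIN_INTERVAL_S = 1.0
BURST_LIMIT = 10
# Assumptions (not stated by POLYAS): the "short period" is 60 s, and a
# blocked address stays blocked for 300 s.
BURST_WINDOW_S = 60.0
BLOCK_DURATION_S = 300.0


class PerIpRateLimiter:
    """Sliding-window limiter keyed by client IP address.

    Every attempt counts toward the burst limit, including throttled ones,
    so a client hammering the endpoint faster than allowed is blocked sooner.
    That is what makes the same mechanism useful against credential guessing.
    """

    def __init__(self, min_interval=MIN_INTERVAL_S, burst_limit=BURST_LIMIT,
                 burst_window=BURST_WINDOW_S, block_duration=BLOCK_DURATION_S):
        self.min_interval = min_interval
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.block_duration = block_duration
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._blocked_until = {}             # ip -> time at which the block expires

    def check(self, ip, now):
        """Classify a request from `ip` arriving at time `now` (seconds).

        Returns "allow", "throttle" (faster than one per second) or "blocked"
        (burst limit exceeded, or still inside an earlier block).
        """
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            # Block expired: the client starts again with a clean window.
            del self._blocked_until[ip]
            self._attempts[ip].clear()

        window = self._attempts[ip]
        while window and now - window[0] > self.burst_window:
            window.popleft()          # forget attempts outside the short period
        window.append(now)

        if len(window) > self.burst_limit:
            self._blocked_until[ip] = now + self.block_duration
            return "blocked"
        if len(window) >= 2 and now - window[-2] < self.min_interval:
            return "throttle"
        return "allow"


def replay(events, limiter=None):
    """Run (timestamp, ip) events through a limiter and return the decisions."""
    limiter = limiter or PerIpRateLimiter()
    return [limiter.check(ip, t) for t, ip in events]


if __name__ == "__main__":
    # Constructed access log: one client pacing itself every five seconds,
    # another firing twelve requests in twelve seconds.
    events = [(float(t), "203.0.113.5") for t in range(0, 60, 5)]
    events += [(float(t), "198.51.100.7") for t in range(12)]
    events.sort()
    for (t, ip), decision in zip(events, replay(events)):
        print(f"t={t:5.1f}s  {ip:14}  {decision}")
```

Because the window is kept per address, the paced client is never affected by the aggressive one; the eleventh request inside the window trips the block, and the block, not the window, then governs the address until it expires.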
Which encryption and signature methods are supported when sending voter credentials by e-mail?
If you have chosen to send voter credentials for the voting project via e-mail, eligible voters and nominators will receive a signed e-mail from the sender “POLYAS GmbH” or “voting.polyas.de”. This is based on the S/MIME standard and the signature method SHA256withRSA. The transport route to the recipient's mail server is…
Which SSL version is used?
The POLYAS voting system only uses the very latest SSL versions. In keeping with BSI (German Federal Office for Information Security) technical guideline TR-02102-2, we use SSL Class 3 and the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
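As an added example (not POLYAS configuration), the following Python `ssl` context pins a server to the cipher suite named above and to TLS 1.2 or newer, and includes a check for the pair returned by `SSLSocket.cipher()` on a live connection. The OpenSSL spelling `ECDHE-RSA-AES128-GCM-SHA256` is the same suite as the IANA name `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`; that TLS 1.3 is also accepted is an assumption, and the certificate paths are hypothetical.

```python
import ssl

# Suite named in the FAQ (IANA name TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
# written as OpenSSL spells it, which is what Python's ssl module expects.
PREFERRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"
# Assumption: TLS 1.3 is accepted as well. OpenSSL configures its suites
# separately from the TLS 1.2 list, and all of them are AEAD with forward secrecy.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def build_server_context(certfile=None, keyfile=None):
    """Server-side TLS context restricted to TLS 1.2+ and the ECDHE/AES-GCM suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(PREFERRED_SUITE)                # TLS 1.2 list holds exactly one suite
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # hypothetical paths, supplied by the operator
    return ctx


def enabled_suites(ctx):
    """Names of every suite the context would offer, TLS 1.2 and 1.3 alike."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Suites that are not AEAD or carry fewer than 128 bits of strength."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["aead"] or c["strength_bits"] < 128]


def conforms(cipher_name, protocol_version):
    """Check a negotiated (name, version) pair, e.g. ssl.SSLSocket.cipher()[:2]."""
    if protocol_version not in ACCEPTED_PROTOCOLS:
        return False
    if protocol_version == "TLSv1.3":
        return cipher_name.startswith("TLS_")      # every TLS 1.3 suite satisfies the policy
    return cipher_name == PREFERRED_SUITE


if __name__ == "__main__":
    ctx = build_server_context()
    print("minimum version:", ctx.minimum_version.name)
    print("offered suites: ", enabled_suites(ctx))
    print("weak suites:    ", weak_suites(ctx))
```

`set_ciphers` only governs the TLS 1.2 list, so `enabled_suites` still reports the TLS 1.3 suites OpenSSL enables by default; `weak_suites` is the check worth running after any change to that configuration, since it catches a CBC or sub-128-bit suite creeping back in regardless of protocol version.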
Which threat scenarios does POLYAS take into account?
Possible threat scenarios are described in detail in the security requirements for the online voting product POLYAS CORE. The document is based on the “Common Criteria Protection Profile for the Basic Set of Security Requirements for Online Voting Products” (BSI-CC-PP-0037 Version 1.0, April 18, 2008). We would be happy to…