Airgap Interface for Portable Electronic Media Technical Reference Document number 4005-512-A02


Post on 06-Oct-2020


Hart InterCivic is committed to consistently providing high quality products and services for its customers through adherence to its established Quality Management System, complying with customer, statutory and regulatory requirements, and a commitment to continual improvement. Hart InterCivic is also committed to the integrity and the security of the information used in both the product development process and by the products themselves. Management will establish and maintain an information security management system to ensure that contractual requirements are met, employees are trained in information security, and risks to information security are managed.

This DOCUMENT and the SOFTWARE, HARDWARE, and FIRMWARE to which it pertains contain confidential and proprietary information belonging exclusively to Hart InterCivic, Inc. No part of this publication may be modified, reproduced, stored in a retrieval system, or transmitted in any form, distributed by any electronic or mechanical means, photocopied, recorded, or otherwise reproduced or distributed without prior written permission of Hart InterCivic, Inc. Any person receiving this manual has a duty to take reasonable precautions preventing unauthorized disclosure of the contents.

Verity is a registered trademark of Hart InterCivic, Inc.

Verity Scan, Verity Touch, Verity Touch Writer, Verity Controller, Verity Ballot, Verity Access, Verity Key, Verity vDrive, Verity Layout, Verity Build, Verity Central, Verity Relay, and Verity Count are trademarks of Hart InterCivic, Inc.

Hart InterCivic disclaims any proprietary interest in the marks and names of others.

© 2014, Hart InterCivic, Inc.

Document number 4005-512-A02.

All rights reserved.

Hart InterCivic, Inc.
P.O. Box 80649
Austin, Texas 78708
Telephone: (866) ASK-HART | (866) 275-4278
URL: www.hartintercivic.com

Table of Contents

1 Verity Airgap Interface
  vDrive Usage Model
  Exporting Signed Election Definitions
  Portable Media Overview
  vDrive Overview
    vDrive Architecture and Design
      Physical Device
      File and Folder Organization
      vDrive Contents Written in Build
      Component Data Content
      Data Integrity and Chain of Custody
      Description Files
      Changeable Description Files
      Election Definition Folders and Files
      Custody Files
      Device Data Information File
      CVR Files
      Log Files
      Sheet Images Folder and Files
  vDrive Usage Profiles
    Creating a vDrive in Build
    Exporting Signed Election Definitions
      Exporting to a vDrive
      Exporting to Portable Media
    Loading Election Definitions
      Verity Devices
      Verity Application Components
    Device Election State Changes
      Device Changes from a Suspended State
    Record CVRs
      Verity Scan
      Verity Central
    Transferring Data
      Verity Count
    CVR XML Definition
    Device Write Log
  Log Format
    Log Header
    Log Entry Number
    Date and Time
    Device ID
    Component
    User (optional)
    ElectionID (optional)
    Tags
    Event
    Event Data

Verity Airgap Interface

This document details the general usage and information for transferring data through the Verity Voting system, also known as the Verity Airgap Interface. A user will transfer data using portable electronic media or a Verity vDrive from one Verity component to the next Verity component.

Portable media devices are used to write the election definitions as signed exports from a Verity Build system. These signed definitions are imported, or loaded, into Verity components, including Verity Scan, Verity Touch Writer, Verity Central, and Verity Count.

The vDrive is used to transfer ballots as Cast Vote Records (CVRs) between Verity Voting components and signed exported election definitions for Verity devices. vDrives are created in Verity Build. CVRs are written to vDrives from Verity Scan and Verity Central to transport across airgaps for final tabulation in Verity Count.

In addition to recording CVRs, the vDrives also record all required information, as logs, to allow for successful auditing of the election by generating audit reports in Verity Count.

These media devices bridge the air gaps and provide a secure hand-off of data across the Verity Voting system.

The document includes the following sections:

• vDrive Usage Model

• Exporting Signed Election Definitions

• Portable Media Overview

• vDrive Overview

• vDrive Usage Profiles


vDrive Usage Model

The following image details how vDrives are used in the Verity Voting system to ultimately transfer CVRs and logs into Verity Count:

The diagram depicts the creation of vDrives, the installation of the vDrive in voting system components, and ultimately the transfer of CVRs and logs into Count tabulation.

• Verity vDrive is created in Verity Build for the election. No CVRs or logs are on this vDrive when created in Build.

- Verity Key is also created in Verity Build for the election. Key provides election-specific authentication and authorization for Verity components, such as Verity Scan.

• Verity vDrives are installed in each Verity Voting device that will be used in the election.

• During the election, the Verity Voting device writes CVRs and associated audit logs, which are transferred via vDrive:


- As Verity Scan successfully scans a ballot, the device records the CVR to the vDrive; all required system and user actions are logged to the vDrive.

- As Verity Touch Writer successfully prints a ballot, all required system and user actions are logged to the vDrive.

- Verity Central writes CVRs to vDrives as cast ballots are scanned by Central’s ballot scanners. Verity Central will consolidate CVRs from multiple sources and write the compiled records to vDrives for tabulation in Verity Count.

- Verity Count reads all vDrives to tabulate CVRs. Verity Count reads all log files to produce audit trails for the election.


Exporting Signed Election Definitions

Election definitions are exported from the Election Management component on a Verity Build workstation. The election must be accepted in Build prior to exporting.

vDrives provide the transfer of the signed election definition:

• The election is accepted in Verity Build. Any vDrives required for the election are created in Build.

• For Verity Central and Verity Count, a portable media is inserted into a secure USB port on the Build workstation.

• For Verity Scan and Verity Touch Writer, a vDrive is inserted into a secure USB port on the Build workstation.

- This vDrive is inserted and loaded onto the device to access the signed election definition.

• Through the Election Management component on the Build workstation, the election is exported as signed (Export Signed). The system prompts for a Verity Key password.

- This portable media is inserted into Verity Central and Verity Count.

- The signed election definition is imported (Import Signed) through the Election Management component on that workstation.


Portable Media Overview

Portable media devices are commonly called thumb drives. These devices receive and transfer data on a transportable device.

The Verity Voting system supports using these devices for transferring election definitions from Verity Build to Verity Central and Verity Count. The election definitions are exported from the Election Management component on a Verity Build system.

These devices should not be used for transferring CVRs. Only vDrives are valid for transferring these records.

Hart recommends using a COTS-purchased portable media with a minimum of 4GB of space.

For details and instructions for these devices, see the following:

• Exporting to Portable Media, starting on page 20 for election definitions

• Loading Election Definitions, starting on page 21 for Verity Central and Verity Count


vDrive Overview

vDrives are used throughout the Verity Voting system as a portable election media device for transferring ballots (as Cast Vote Records) across the air gap between components. vDrives also provide signed election definitions for Verity Scan and Verity Touch Writer.

vDrives are created in Build for a specific election. The media can be written over through Build for subsequent usage in a new or current election. The vDrive is verified through the election data and signature files when accessed per component, ensuring security standards are upheld for every step of CVR transfer.

When saved with election data, it can only be used in that specific election until reformatted and created with data for a new election. Signature and election data saved and transferred on the vDrive set the parameters for validation through each step of the election workflow.

For details and instructions for these devices, see the following:

• vDrive Usage Model, starting on page 6

• Exporting Signed Election Definitions, starting on page 8 for Verity Scan and Verity Touch Writer

• Creating a vDrive in Build, starting on page 18

• Loading Election Definitions, starting on page 21 for Verity Scan and Verity Touch Writer

• Device Election State Changes, starting on page 23

• Record CVRs, starting on page 24

• Transferring Data, starting on page 27

• Device Write Log, starting on page 30

vDrive Architecture and Design

The goal for the vDrive content and design is to support plain text transparency and file/data integrity. Most data written to the vDrive, regardless of Verity Voting application, will be stored in text and XML files. Additional file formats to be included will be audio and image files.

All files are organized into folders to aid the movement of data as it is transferred and written to the system, supporting multiple and nested element structures.


The structure allows Verity Voting system devices and applications to write and transfer well-organized sets of CVR records, election data, and log data from multiple sources. Description files are included within the sets of data to detail the identity of the vDrive and meta-data of content.

Each of these file sets (within the vDrive structure) will contain custody files as signature files to track the chain of custody for all content data when transferred between systems. Signature files provide a clear chain of custody and ensure data integrity. The files are nested as well, referencing content per folder, up through parent files to the topmost folder.

The content is validated using the Verity Key. The Key device partners with the signature files to provide non-repudiation. Both vDrive and Key are created through Verity Build for a specific election. The Key and vDrive must always match the same election definition.

The Verity Key from a previous or different election will not work with a vDrive for the current election. It must be rewritten to the current election.

Physical Device

The physical hardware of the vDrive includes a safety case over a USB media device with 4GB of space. Certified vDrives display a printed Hart InterCivic logo on the swing case protector, ensuring the product is supported for use on components.

Hart recommends purchasing multiple vDrives to properly support all election data and archiving needs. All vDrives are selected and tested to ensure maximum read/write speeds, high performance, and reliability.

File and Folder Organization

The vDrive includes a specific file and folder organization with a signature file in each folder. The following table details the contents by level of organization.

A vDrive may have been created and written for the following types of data:

• Election definition data with an XML definition of settings and folders with files used by the election for audio to play, party images, templates used by the ballot, and custody files

• Device data with configuration information, custody files, and CVR records

• Log files for device and system performance and actions


vDrive Contents Written in Build

When you create a vDrive from Build, a set of files and folders is created on the vDrive. The parent folder for all ID and configuration data for the vDrive is in the root folder. This folder contains all content that defines the vDrive and its associated election.

Writing for first time use or rewriting a vDrive for new elections will save this information with chain of custody files. The configuration data in the files and folders is validated on every usage of the vDrive.

This content includes an election definition archive containing all content for the election, custody files, and detailed records of the description (static and changeable).

If the vDrive is being re-purposed for a new election, a confirmation message displays to warn you all current settings will be replaced. The vDrive only validates and is accessible for the election definition it is written to.

Once written, the vDrive can then be used across all components for multiple purposes.

Figure 1-1. Contents for vDrive Written in Build


The file folders and contents include the following:

File (Type): Description

• Root folder (.sig): Parent folder that contains all settings, configurations, and the election associated for the vDrive. This content is updated and validated throughout the election process and usage across the Verity Voting system components.

• Signature (.sig): Chain of custody file as a signature file. Every folder and zip file has a signature for the election components. The topmost signature file acts as a signature of signatures for signature mapping, validation, and better performance. The file is signed by the vDrive private key.

• Description (.xml): File provides an identity to the vDrive. The information is written when exported by Verity Build and does not change. The file is signed by the vDrive private key.

• Changeable Description (.xml): File provides data that changes and updates with the election definition and device configuration. The file is signed by the vDrive private key.

• Election Definition (archive): The archive zip contains all files associated to the election definition and associated image, audio, and template files saved at the as-is settings when the export occurs. The file is signed by the Election private key.

• Election Definition (.xml): The XML file contains all settings for the election, including the device, contest, and ballot settings as well as associated files for the election. The file is signed by the Election private key.

Component Data Content

As the vDrive is inserted through the Verity Voting system components, a new folder is generated per component. The contents of this folder include custody files, descriptions, and additional files as necessary.

The device data folder contains information from each component. As the vDrive is transferred from one component to another, new folders are written containing specific data for each component. For example, the first vDrive is written on Build with the election data. When the vDrive is loaded onto another component, such as Scan, the original content remains with a new folder containing scanned CVRs, logs, and custody files.


With every transfer between components, the new folder encapsulates the old data with updated content for that component. The new device folder of data will include the settings and content from the previous device, updated content, and custody files. The topmost device data folder will always have a current or new custody file for the most recent device. Depending on the usage of the vDrive to write and transfer data, the written folders and files may be nested.

The following image is an example of a vDrive containing the original election data content and the added component data for a device “5”:

Figure 2. Device Data and Election Definition Content

The additional file folders and contents include the following:

File: Description

• Signature (.sig): Chain of custody file as a signature file. Every folder and zip file has a signature for the election components. The topmost signature file acts as a signature of signatures for signature mapping, validation, and better performance. The file is signed by the vDrive private key.

• CVR Archive folder: Folder includes CVR content of scanned ballots, generated CVRs, and write-in content. The file is signed by the vDrive private key.


Each device data folder contains the following components:

• Device data information files

• Custody files

Note: Custody files are only included in a data folder if additional data folders are present. Any device transferring data will not have permissions to write over data.

• CVRs in a CVR folder and archive

• Log Folder with accompanying log files per device

• Additional Device Data folders and files

Data Integrity and Chain of Custody

To provide a clear chain of custody and ensure data integrity, every written file, folder, and the entire structure and content of the vDrive is digitally signed to provide tamper evidence. The signing keys will be distributed on Verity Key to satisfy non-repudiation.

Different components of the vDrive will use different keys, depending on the usage within the Verity Voting system. This ensures a vDrive, Key, and official user account cannot overstep the limits of their assigned tasks, such as election definition creation, resolving ballots, or overseeing final election result tabulation.

• File signatures are “raw signatures”, signatures computed over the contents of the file and saved in a separate file.

• Folder signatures are “signatures of signatures”, signatures computed over the contents of all the signature files, raw or otherwise, that exist within the folder.

Every signature and Key combination is organized so that only one application has to write any particular file. Once a file is written, it is signed using the appropriate private signing key. Most files only require one write of file data content and signature to the vDrive, while others may require multiple updates. Every file update triggers an update of the signature file. If content is moved between sub-folders, a new digital signature file is generated per folder.

To ensure performance of reading, validating, and writing content, signature files per folder lessen the amount of reuse and access per vDrive. The application can focus signature procedures on the specific files and folders rather than the entire vDrive and all content. A parent signature file is created in the parent folder or topmost level of the vDrive content with links and access to every signature within every folder and sub-folder, recursively enhancing performance and activity.
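
The two signature levels described above, as an added example that is not part of this document or of any Verity code: a raw signature beside each file and a per-folder signature of signatures, verified recursively. HMAC-SHA256 stands in for the private-key signature, and the .sig naming, the _folder.sig file, the folder layout and the sample records are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

FOLDER_SIG = "_folder.sig"  # hypothetical name for a folder's own signature file


def _sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for a private-key signature: HMAC-SHA256 keeps the example in
    # the standard library; a real system would use an asymmetric key pair.
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def _folder_input(folder: str) -> bytes:
    """Bytes covered by a folder signature (assumed layout): the name and
    content of every raw .sig file in the folder, plus the folder signature
    of each immediate subfolder, in sorted order."""
    parts = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isdir(path):
            child = os.path.join(path, FOLDER_SIG)
            body = _read(child) if os.path.exists(child) else b""
            parts.append(name.encode() + b"/\0" + body)
        elif name.endswith(".sig") and name != FOLDER_SIG:
            parts.append(name.encode() + b"\0" + _read(path))
    return b"\n".join(parts)


def sign_tree(folder: str, key: bytes) -> None:
    """Write a raw signature beside every file, then sign each folder bottom-up."""
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isdir(path):
            sign_tree(path, key)
        elif not name.endswith(".sig"):
            _write(path + ".sig", _sign(key, _read(path)))
    _write(os.path.join(folder, FOLDER_SIG), _sign(key, _folder_input(folder)))


def verify_tree(folder: str, key: bytes, root: str = "") -> list:
    """Return a list of findings; an empty list means the whole tree verifies."""
    root = root or folder
    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isdir(path):
            findings += verify_tree(path, key, root)
        elif not name.endswith(".sig"):
            sig = path + ".sig"
            if not os.path.exists(sig):
                findings.append("unsigned file: " + rel(path))
            elif not hmac.compare_digest(_read(sig), _sign(key, _read(path))):
                findings.append("bad raw signature: " + rel(path))
    fsig = os.path.join(folder, FOLDER_SIG)
    expected = _sign(key, _folder_input(folder))
    if not os.path.exists(fsig) or not hmac.compare_digest(_read(fsig), expected):
        findings.append("bad folder signature: " + rel(folder))
    return findings


def demo() -> dict:
    """Build a constructed tree, sign it, then check two kinds of change."""
    key = b"constructed-demo-key"
    out = {}
    with tempfile.TemporaryDirectory() as root:
        cvrs = os.path.join(root, "DeviceData", "CVRs")  # constructed layout
        os.makedirs(cvrs)
        _write(os.path.join(root, "Description.xml"), b"<Description/>")
        _write(os.path.join(cvrs, "cvr-0001.xml"), b"<Cvr id='1'/>")
        _write(os.path.join(cvrs, "cvr-0002.xml"), b"<Cvr id='2'/>")
        sign_tree(root, key)
        out["clean"] = verify_tree(root, key)
        # A file changed after signing: its raw signature no longer matches.
        _write(os.path.join(cvrs, "cvr-0001.xml"), b"<Cvr id='1' edited='1'/>")
        out["edited"] = verify_tree(root, key)
        sign_tree(root, key)  # re-sign to return to a clean state
        # A file removed together with its .sig: no raw signature is left to
        # fail, but the folder's signature of signatures no longer matches.
        os.remove(os.path.join(cvrs, "cvr-0002.xml"))
        os.remove(os.path.join(cvrs, "cvr-0002.xml.sig"))
        out["removed"] = verify_tree(root, key)
    return out
```

The second case is the reason for the folder level: removing a record together with its raw signature leaves nothing for a per-file check to fail, and only the signature of signatures reports it.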


Description Files

The vDrive Description XML file provides an identity to the vDrive with specific meta-data corresponding to an election definition. This information does not change once it is written to the vDrive by Verity Build.

The meta-data in the file includes the following:

• vDrive Serial Number

• vDrive Format Version

• vDrive Type (Test or Official)

• Creating Application Serial Number

• Software Version of Creating Application

• Creation Date and Time

• Election ID

• Election Date

• Simple (Election) ID

• Election Title

Changeable Description Files

The changeable description XML file (ChangeableDescription.xml) contains data that changes during the life of the vDrive through the election process and each stage of the Verity Voting system. The content changes and updates any time the content of the vDrive changes, written and rewritten by the application or device that owns the vDrive. It is one of the few files that changes on the vDrive after it is written.

Election Definition Folders and Files

The election definition folder contains XML files with the election definition and device configuration as well as sub-directories with audio, image, and template files that correspond to the election definition. This folder and its contents may be zipped and saved when exported to the vDrive or as an archive. This content is written to every vDrive created by the Verity Voting system.


Custody Files

The custody files (Custody.sig and Custody.xml) contain information about the component that wrote the information contained within the folder. This information contains the date and time that the information was written, the serial number, and additional identifying information.

Device Data Information File

The device data information XML file (DeviceDataInformation.xml) contains information about the election-related state of the device writing the CVRs and logs. This information includes polling place and the device election state (polls open, closed, or suspended) and the state of the vDrive as Open or Closed.

CVR Files

CVR folders contain numerous files for each ballot scanned and generated by Scan and Central. These files may also contain write-in images as flagged and captured.

Log Files

Log folders and files contain information captured from each attempted, completed, and failed action logged per component in the Verity Voting system.

Sheet Images Folder and Files

The Sheet Images folder contains image files of each scanned ballot sheet that was counted as a CVR. Scanned ballot images are optional. These files are only saved if the option is selected in the device configuration section of Verity Build per election definition.

Only Verity Voting system components (such as Scan and Central) with attached scanners can create images.


vDrive Usage Profiles

Each vDrive is formatted and written with specific data files per component and step of the election process within the Verity Voting system. Only specific components can create vDrives, for specific usage and transferring data files. All Verity components can use the vDrives to read data, transfer election definitions, tabulate voting results, and generate reports.

This section provides details on the specific content generated by Verity Voting components:

• Creating a vDrive in Build

• Exporting Signed Election Definitions

• Loading Election Definitions

• Device Election State Changes

• Record CVRs

• Transferring Data

• Device Write Log

Creating a vDrive in Build

Verity Build writes election data to a vDrive, formatting the device for use in this specific election. Verity components that write to the vDrive validate the election meta-data written with the open election. The Verity Key may also be required to complete write processes.

When writing a new vDrive, the contents strictly link this vDrive to the election. These vDrives can be used for:

• Transferring CVRs across the airgap for Verity Scan and Verity Central.

• Providing a signed election definition to Verity Scan and Verity Touch Writer.

You may want to create a number of vDrives prior to an election. These vDrives can be created at any time if you need additional devices. You can purchase multiple vDrives from Hart.


The system validates the following prior to using an inserted vDrive:

1. vDrive is inserted into a USB port in the Verity Build system.

2. If the vDrive has data currently, the component prompts you for permission to erase the data.

3. If the vDrive is formatted for another election, the component prompts you for permission to erase the vDrive.

4. If the vDrive is formatted for the current election, the component notifies you and does not alter the vDrive.

5. If the vDrive is removed prior to saving content, the component warns you that the vDrive has been removed and that the creation failed.

6. If the creation or verification failed, the component notifies you. On success, the vDrive has been created (in Build) or has received all data.

Exporting Signed Election Definitions

Verity Build allows you to review and create elections, proof ballots, and finalize an election definition. Once accepted, it is locked for voting and able to be exported through the Election Management component on a Verity Build system.

Exporting to a vDrive

These instructions are used for Verity Scan and Verity Touch Writer. Only these Verity Voting components use vDrive election definitions.

To export the signed election definition to the vDrive, the following is completed:

1. Create the vDrive in Build.

2. Insert the vDrive into a USB port in the Verity Build system.

3. Insert the Verity Key into a secure USB compartment on the device.

4. Log in to the Verity Voting system.


5. Click the Manage tile to open the Election Management component on the Verity Build system.

6. Select an election.

7. Click the Actions drop-down menu and select Export Signed.

8. A Verity Key password may be required.

The exported election can be loaded into Verity Scan and Verity Touch Writer. For details, see Loading Election Definitions, starting on page 21.

Exporting to Portable Media

These instructions are used for Verity Central and Verity Count. Only these Verity Voting components use portable media.

To export the signed election definition to the vDrive, the following is completed:

1. Insert the portable media into a USB port in the Verity Build system.

2. Insert the Verity Key into a secure USB compartment on the device.

3. Log in to the Verity Voting system.


4. Click the Manage tile to open the Election Management component on the Verity Build system.

5. Select an election.

6. Click the Actions drop-down menu and select Export Signed.

7. A Verity Key password may be required.

The exported election can be imported as signed (Signed Import) into Verity Central and Verity Count. For details, see Loading Election Definitions, starting on page 21.

Loading Election Definitions

Signed elections are loaded into Verity Voting system components in one of two ways.

• Verity Devices: For Verity Scan and Verity Touch Writer, the vDrive is inserted into the device and loaded at booting.

• Verity Application Components: For Verity Central and Verity Count, the election is imported through the Election Management component from the inserted portable media.


Verity Devices

These instructions are used for Verity Scan and Verity Touch Writer. Only these Verity Voting components use vDrive election definitions.

Elections are validated and loaded onto the devices at boot-up, when the device is turned on.

To load an election onto a device, the following occurs:

1. Insert the vDrive into a secure USB compartment on the device.

2. Insert the Verity Key into a secure USB compartment on the device.

3. Power on the device. Depending on the device, the Scan or Touch Writer application loads.

4. The poll worker is prompted for the Verity Key password to load the election.

5. On success, a message displays “Loading Election” on the device screen.

6. The device transitions into the operational state once the election is loaded.

Verity Application Components

These instructions are used for Verity Central and Verity Count. Only these Verity Voting components use portable media.

Election definitions are imported through the Election Management component available after logging into the system.

The system validates and performs the following when loading an election:

1. Insert the portable media into a secure USB compartment on the device.

2. Insert the Verity Key into a secure USB compartment on the device.

3. Log into the Verity Voting system.

4. Click the Manage tile to open the Election Management component on the Verity Build system.


5. Click the Actions drop-down menu and select Import Signed. A window opens to locate the election from the portable media.

6. The component validates that a Verity Key is inserted, prompts for a password, and verifies that the election definition and Key match.

- If the Key and election definition do not match, the component warns you and does not attempt importing the election.

- If all content matches and completes validation, the election imports and displays on the screen.

7. You can continue using additional Verity Voting components installed on the workstation.

Device Election State Changes

This information is for Verity Scan and Verity Touch Writer.

When the state changes for the election (such as Open Polls or Suspend Polls), the change is updated on the vDrive. These state changes include election state for open, suspended, and closed polls and selecting the polling place.

To update a state change to the election, the vDrive should be inserted into a USB port on the workstation. The content can be written to the vDrive using the Verity Voting system components.


The system validates the following against the vDrive prior to writing content:

• A change of state occurs for the election definition.

• The election ID matches with the one on the vDrive.

• Security information and the Verity Key used are valid and match.

• The vDrive device is running correctly, without fault or error.

• All data created to the vDrive writes and saves without error.

When the vDrive is inserted and a change of state occurs, all validation is performed. When completed, the state, log, and custody files are updated.

Device Changes from a Suspended State

When a device returns from a suspended state after powering on, the following is validated and performed:

• The component checks for the inserted vDrive on the system.

• The component verifies if a valid vDrive is inserted prior to updating any content.

• The component verifies the inserted Verity Key and election definition data.

• Once verified, the current state of the vDrive is checked and provided to the Verity Voting system component.

• The system provides prompts if the vDrive is closed, invalid, or not found and if the election IDs do not match.

• After all information validates, the state is updated.

Record CVRs

CVR records are recorded on Verity Scan and Verity Central through scanning ballots. To record a CVR, the components validate the following:

• A valid vDrive is inserted into a USB port on the workstation.

• The Verity Key is validated; a password may be requested.

• A voting session must be loaded and active, with the state set to Polls Open.

• All updates complete without errors for the CVR, logs, and election state.


The following sections detail how Verity components verify devices and data and write CVRs:

• Verity Scan

• Verity Central

• Device Write Log

Verity Scan

When the CVR is written to a vDrive on Scan, the following occurs:

1. The polls are opened.

2. The Verity Key is validated; a password may be requested.

3. The system verifies the vDrive is secure.

4. Once verified, the ballot is scanned and a CVR is written to the vDrive. The ballot image is saved, if the option is enabled.

5. A log entry is entered for the written CVR action.

6. The election state and the private counter are updated.

7. The log and signatures are updated with MACE times adjusted.

8. Once complete, the voter is notified that the vote is recorded.

9. If the election is complete, the polls are closed. When closed, all data is updated and a log entry created.

Verity Central

To write data in Central after an election, a vDrive will need to be created for that election through Verity Build. A Key and vDrive for the completed election are required for this step to write a vDrive.

Verity Central writes batches of scanned ballots as CVRs to the created vDrive. All batches, the election definition, and additional files, folders, and updated data are written to a vDrive. To create a vDrive in Central, the batches should be scanned, completed per the options selected in Central, within an election.


The system validates the following against the USB drive prior to writing to the drive:

• The vDrive is inserted into a USB port on the Verity Central workstation. If the USB drive is a vDrive from another election, the component informs you the vDrive cannot be used.

• If the USB drive is a vDrive from the current election, the component creates a new data definition folder with appropriate contents, without altering the original election data.

• If the USB drive is removed prior to saving content, the component warns you that the USB drive has been removed and that the creation failed.

• If the creation or verification failed, the component notifies you. On success, the vDrive will contain the election data and CVR batches.

When CVR batches are written to a vDrive through Verity Central, the following occurs:

1. Stacks of ballots are scanned into Verity Central.

2. When ready, batches of scanned ballots are selected and written to the vDrive.

- The Verity Key is validated; a password may be requested. A log entry is created.

- The system verifies the vDrive is secure.

- The CVR batches and associated logs, the election state, and the private counter are written and updated on the vDrive.

3. A copy of the written content is saved on the Central component for restoration as needed.

4. The log and custody files are updated.

Verity Central also supports writing restoration copies of the batches to a vDrive if the original is lost or damaged. The system validates the vDrive then writes the selected restoration copy to the vDrive. At completion, a prompt informs the voter to remove the media.


Transferring Data

vDrives support transferring CVRs and logs to and from the vDrive into Verity Voting components such as Verity Count.

A Verity Key created for the election definition must be inserted into a USB drive on the workstation. The Key codes and data must match the election definition loaded into the component, safeguarding data access and security.

The following sections detail how Verity components transfer data:

• Verity Count

Verity Count

Verity Count reads CVR data from vDrives transferred from Verity Scan and Verity Central. The component automatically validates, reads, and stores all content when a vDrive is inserted.

When CVRs are read from a vDrive into Verity Count, the following occurs:

1. The Verity Key is validated; a password may be requested. A log entry is created.

2. Open an election in Count and navigate to the Read chevron.

3. A vDrive with a matching election ID is inserted into a USB port on the workstation.

4. Count validates the vDrive as valid. A password is requested for the Verity Key. The vDrive is accessed and read.

5. If the CVRs have not been read, the component reads the CVRs and updates all counters and logs accordingly. CVRs can then be tabulated into the election results.

6. If the CVRs have been read previously, a message is displayed without updating information or saving data.

7. The system changes to Ready for additional vDrives.


CVR XML Definition

The vDrives written to by Verity Scan and Verity Central are updated when a ballot is successfully cast; each successfully cast vote adds a Cast Vote Record (CVR) file and the CVR file's associated signature file to the vDrive. The CVR definition shows all possible data elements that may be recorded in a record; the actual CVR file may contain a subset of these elements, as the Cast Vote Record will only record the marked voting positions based on the election type and election settings.

It is important to note that the CVR definition only shows placeholders for Contest and Option elements; this allows multiple Contests, with multiple Options, to be recorded for a given cast vote.


The table below provides node/element names and descriptions of each element's election attribute or cast vote attribute.

| Element Name | Description |
| --- | --- |
| Contests | Parent node that contains all Contest related elements |
| Contest | A node of information for each contest in a given election. |
| Name | Name of the Contest |
| Id | Unique Identifier for the contest, guid format |
| Options | A node of voting position information for a given contest. |
| Option | A node of voting position information for a given contest. |
| Name | Name associated with an option |
| Id | Unique Identifier for the option, guid format |
| value | A value associated with the cast vote. |
| WriteIn | A node of write-in data for a given contest |
| ImageId | Unique Identifier for the image file captured, guid format. |
| WriteInDataStatus | The status of the write-in vote will be text if entered on Touch Writer, otherwise null. |
| RankedChoice | A value indicating that ranked choice voting rules apply to the contest. |
| Undervotes | A non-zero value indicates the contest had no voting position marked. |
| Overvotes | A non-zero value indicates the contest was overvoted. |
| StraightParty | A non-zero value indicates the contest was marked as straight party |
| NoVote | Applicable to open primaries only. A non-zero value indicates that all party contests were cast for a single party and that “no votes” were marked for any opposing party |
| InvalidVote | Applicable to open primaries only. A non-zero value indicates there was at least one voting position marked for an opposing party in a contest, instead of a straight party vote |
| SheetNumber | A value indicating the number of sheets scanned for a given scanned ballot. |
| PrecinctSplit | A node of PrecinctSplit information for a given election. |
| Name | Name associated with a PrecinctSplit |
| Id | Unique Identifier for the PrecinctSplit, guid format |
| Party | A node of Party information for a given election. |
| Name | Name associated with a Party |
| Id | Unique Identifier for the Party, guid format |
| BatchNumber | This element is only generated by Central scans. A value indicating the number associated with the group, aka batch, of ballots scanned by Central |
| DeviceSerialNumber | This element is only generated by Central scans. A value indicating the Verity Central workstation that scanned the ballots. |

Device Write Log

The vDrive receives updated information when a log event occurs. These events trigger an update and writing of logs to the vDrive. To update these records, a secure vDrive for the current election is loaded into the device.

The system validates the following to update the logs:

• Verifies the loaded election in the application matches the election ID on the inserted vDrive

• An action occurs that would update a log

When the log updates, it writes a log entry, updates the tree structure of custody files, and verifies the vDrive and content updated. The system responds if the log or vDrive updates.


Log Format

This section describes the logging format for log files. The first line of each log file holds the column headers, which are pipe-delimited (“|”).

After the header, there is one log entry per line with the fields pipe-delimited (‘|’). The fields are in the following order:

1. Date and Time

2. Device ID

3. Component

4. User

5. Election ID

6. Tags

7. Event

8. Event Data

All pipes in each field must be HTML-escaped (|). All fields are required unless listed as optional. Optional fields will contain ‘N/A’ in the event there is no information to include.

Log Header

The first line of the log file will have a pipe-delimited list of the field names for all the following log entries.

Datetime|DeviceID|Component|User|ElectionID|Tags|Event|EventData

Log Entry Number

Log entry number is a sequential number starting at zero and incrementing with each log entry.

Date and Time

Date and time are in the format: yyyy-mm-dd<sp>hh:mm:ss


Device ID

Device applications use the device serial number as the Device ID.

PC applications use the user assigned Verity workstation name as the Device ID if available.

Component

The logging application includes its full name and version number in this field (e.g., Layout 1.0.0.2305, Scan 1.0.0.354).

User (optional)

The Verity user name for the individual responsible for the event. When the user is not applicable, it will be “” or “system”.

ElectionID (optional)

This field contains the election ID for the currently loaded election (specifically NOT the election GUID). When the election ID is not applicable, such as in the system log, it will be “0”.


Tags

Tags represent general groupings of data which help the auditor quickly find the entries they’re currently interested in reviewing. Though some tags are mutually exclusive, it is not a requirement. This allows each log entry to be associated with all relevant tags. The list of tags for a particular log entry is single-colon separated (‘:’).

| Tag | Description |
| --- | --- |
| INFO, WARNING, ERROR, FATAL | Every log entry will have one of these tags. INFO – event completed as expected. WARNING – event completed, but not as expected. Continued system operation is unaffected. ERROR – event failed to complete, but the system is able to recover and continue normal operation. FATAL – event failed to complete and the system is unable to recover and continue normal operation. |
| EXCEPTION | Any event that generates an exception. The exception is included in the event details section |
| AUTHENTICATION | all events associated with authenticating a system or individual, also includes user creation and deletion |
| AUTHORIZATION | all events associated with authorization or setting the authorization levels of a system or individual |
| HW | all events reporting information about hardware behavior |
| SYSTEM | all election independent events |
| NETWORK | all events associated with network management and use |
| ELECTION_SEC | all events associated with managing election security (Verity Key Read/Write/Erase, Certificate creation/validation, signature creation/update/validation, etc.) |
| ELECTION_DATA | all events associated with adding, changing or deleting individual pieces of election information |
| ELECTION_MGMT | all events associated with management of the election as a whole: creating, archiving, restoring, deleting, loading etc. |
| ELECTION_OPS | all events associated with running an election: election definition acceptance, open/close polls, ballot printing, counter increments, etc. |
| VOTING | all events associated with the act of capturing a vote (both individual and batch). Includes scanning, rejecting, casting and spoiling of ballots, as well as second chance voting activities. |
| VOTE_MGMT | all events related to managing votes and vote totals: reconciliation, over/under vote disposition, manual vote adjustment, etc. |
| REPORT | all events associated with generating and printing a report |
| DATA_EXCHANGE | all events associated with data transfer (import, export, etc.) |
| STARTUP | all startup and initialization events for the system: HW/SW self-tests, hash code checks, etc. |
| UI | all events associated with UI navigation: buttons pushed, screens viewed, etc. |

Event

Plain English description of the event being logged: “Printing Report”, “User Authentication”, “Precinct Added”, “Candidate Rotation Changed”, etc.

Event Data

This field contains the data associated with the event. For example, the report name if a report is printed, or the before and after state if an election rule is toggled for a given election definition. May include stack traces and exception messages in the case of an error.
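A parser and validator for the log format described in this section, as an added example that is not Hart InterCivic's code. It assumes an escaped pipe is an HTML character reference such as &#124; and that each entry carries exactly one of the four severity tags; the device ID, user names, election ID and events in the sample are constructed.

```python
import html
from datetime import datetime

# Column names exactly as given in the Log Header section.
HEADER = "Datetime|DeviceID|Component|User|ElectionID|Tags|Event|EventData"
FIELDS = HEADER.split("|")
REQUIRED = [f for f in FIELDS if f not in ("User", "ElectionID")]  # the two optional fields
SEVERITIES = {"INFO", "WARNING", "ERROR", "FATAL"}
KNOWN_TAGS = SEVERITIES | {
    "EXCEPTION", "AUTHENTICATION", "AUTHORIZATION", "HW", "SYSTEM", "NETWORK",
    "ELECTION_SEC", "ELECTION_DATA", "ELECTION_MGMT", "ELECTION_OPS", "VOTING",
    "VOTE_MGMT", "REPORT", "DATA_EXCHANGE", "STARTUP", "UI",
}

# Constructed sample: three well-formed entries, one without a severity tag,
# one with a malformed timestamp.
SAMPLE = """Datetime|DeviceID|Component|User|ElectionID|Tags|Event|EventData
2020-03-03 06:58:12|S1234567|Scan 1.0.0.354|system|0|INFO:STARTUP|Self Test|Hash code check passed
2020-03-03 07:00:41|S1234567|Scan 1.0.0.354|pw01|1042|INFO:ELECTION_OPS|Open Polls|N/A
2020-03-03 07:15:09|S1234567|Scan 1.0.0.354|pw01|1042|ERROR:EXCEPTION:ELECTION_SEC|Signature Validation|state &#124; custody mismatch
2020-03-03 07:15:10|S1234567|Scan 1.0.0.354|pw01|1042|ELECTION_SEC|Signature Validation|no severity tag
2020/03/03 07:16|S1234567|Scan 1.0.0.354|pw01|1042|INFO:UI|Button Pushed|bad timestamp
"""


def parse_log(text):
    """Return (entries, problems) for one pipe-delimited log file."""
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        raise ValueError("first line is not the expected column header")
    entries, problems = [], []
    for lineno, raw in enumerate(lines[1:], start=2):
        parts = raw.split("|")
        if len(parts) != len(FIELDS):
            # An unescaped pipe inside a field, or a truncated line.
            problems.append((lineno, f"expected {len(FIELDS)} fields, got {len(parts)}"))
            continue
        # Split first, unescape second, so an escaped pipe stays inside its field.
        entry = dict(zip(FIELDS, (html.unescape(p) for p in parts)))
        missing = [f for f in REQUIRED if not entry[f].strip()]
        if missing:
            problems.append((lineno, "empty required field(s): " + ",".join(missing)))
            continue
        try:
            entry["Datetime"] = datetime.strptime(entry["Datetime"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            problems.append((lineno, "Datetime is not yyyy-mm-dd hh:mm:ss"))
            continue
        tags = entry["Tags"].split(":")
        # Assumption: "one of these tags" is read as exactly one severity tag.
        if len(SEVERITIES.intersection(tags)) != 1:
            problems.append((lineno, "entry must carry exactly one severity tag"))
        unknown = sorted(set(tags) - KNOWN_TAGS)
        if unknown:
            problems.append((lineno, "unknown tag(s): " + ",".join(unknown)))
        entry["Tags"] = tags
        entries.append(entry)
    return entries, problems


def select(entries, *wanted):
    """Entries that carry every tag in `wanted`, e.g. ELECTION_SEC and ERROR."""
    return [e for e in entries if set(wanted) <= set(e["Tags"])]


if __name__ == "__main__":
    parsed, issues = parse_log(SAMPLE)
    for e in select(parsed, "ELECTION_SEC", "ERROR"):
        print(e["Datetime"], e["DeviceID"], e["Event"], e["EventData"])
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```

Entries that fail only the tag checks are kept in the result and reported alongside it, so an auditor can still see them; lines with the wrong field count or an unparseable timestamp are reported and skipped.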
