Outline Elections and their security CSci 5271 Introduction to Computer Security System security of electronic voting Electronic voting Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering End-to-end verification Elections as a challenge problem History of US election mechanisms For first century or so, no secrecy Elections require a tricky balance of openness and Secret ballot adopted in late 1800s secrecy Punch card ballots allowed machine counting Important to society as a whole Common by 1960s, as with computers But not a big market Still common in 2000, decline thereafter Computer security experts react to proposals that How to add more technology and still have high seem insecure security? Election integrity Secrecy, vote buying and coercion Alice’s vote can’t be matched with her name Tabulation should reflect actual votes (unlinkable anonymity) No valid votes removed No fake votes inserted Alice can’t prove to Bob who she voted for Best: attacker can’t change votes (receipt-free) Best we can do to discourage: Easier: attacker can’t change votes without getting caught Bob pays Alice $50 for voting for Charlie Bob fires Alice if she doesn’t vote for Charlie Election verifiability Politics and elections In a stable democracy, most candidates will be We can check later that the votes were tabulated “pro-election” correctly But, details differ based on political realities Alice, that her vote was correctly cast “Voting should be easy and convenient” Anyone, that the counting was accurate Especially for people likely to vote for me In paper systems, “manual recount” is a privileged “No one should vote who isn’t eligible” operation Especially if they’d vote for my opponent
Errors and Florida Precinct-count optical scan Detectable mistakes: Good current paper system, used here in MN Overvote: multiple votes in one race Voter fills in bubbles with pen Undervote: no vote in a race, also often intentional Ballot scanned in voter’s presence Undetectable mistakes: vote for wrong candidate Can reject on overvote 2000 presidential election in Florida illustrated all Paper ballot retained for auditing these, “wake-up call” Vote by mail Vote by web? An obvious next step By mail universal in Oregon and Washington Many other states have lenient absentee systems But, further multiplies the threats Some people are legitimately absent No widespread use in US yet Security perspective: makes buying/coercion easy Unusual adversarial test in D.C. thoroughly Doesn’t appear to currently be a big problem compromised by U. Michigan team DRE (touchscreen) voting Adding an audit trail “Direct-recording electronic”: basically just a VVPAT: voter-verified paper audit trail computer that presents and counts votes DRE machine prints a paper receipt that the voter In US, touchscreen is predominant interface looks at Cheaper machines may just have buttons Goal is to get the independence and verifiability of a Simple, but centralizes trust in the machine paper marking system Outline Trusted client problem Everything the voter knows is mediated by the Elections and their security machine System security of electronic voting (For Internet or DRE without VVPAT) Must trust machine to present and record accurately Announcements intermission A lot can go wrong Especially if the machine has a whole desktop OS inside End-to-end verification Or a bunch of poorly audited custom code
Should we use DRE at all? US equipment market Voting machines are low volume, pretty expensive One answer: no, that’s a bad design But jurisdictions are cost-conscious More pragmatic: maybe we can make this work Makers are mostly small companies DREs have advantages in cost, disability access One was temporarily owned by the larger Diebold If we implemented them well, they should be OK Challenge: evaluating them in advance Big market pressures: regulations, ease of administration Security ecosystem Diebold case study Major manufacturer in early 2000s Voting fraud appears to be very rare During a post-2000 purchasing boom Few elections worth stealing Since sold and renamed Important ones are watched closely Thoroughly targeted by independent researchers Stiff penalties deter in-US attackers Impolitic statement, blood in the water Downside: No feedback from real attacks Later state-authorized audits found comprehensive Main mechanism is certification, with its limitations problems Your reading: from California Physical security Buffer overflows, etc. Format string vulnerability ✧P❛❣❡ ✪❞ ♦❢ ✪❞✧ Locked case; cheap lock as in hotel mini-bar Was this audited? Device displays management menu on detected malfunction ❚❈❍❆❘ ♥❛♠❡❀ Can be triggered in booth by unspecified use of paperclip ❴st♣r✐♥t❢✭✫♥❛♠❡✱ Tamper-evident seals? Not a strong protection ❴❚✭✧❭❭❙t♦r❛❣❡ ❈❛r❞❭❭✪s✧✮✱ ❢✐♥❞❉❛t❛✳❝❋✐❧❡◆❛♠❡✮❀ Web-like vulnerabilities OpenSSL mistakes In management workstation software: Good news: they used OpenSSL SQL injection Bad news: old, buggy version Insufficient entropy in seeding PRNG Authentication logic encoded only in enabled/disabled UI elements Good interface from desktop Windows missing in WinCE E.g., buttons grayed out if not administrator Every device ships with same certificate and Not quite as obviously wrong as in web context password But still exploitable with existing tools
Election definitions Secrecy problems Integrity “protected” by unkeyed, non-crypto Limited, since the DRE doesn’t see registration checksum information Can change bounding boxes for buttons But, records timestamp and order of voting Without changing checksum! Can modify candidate names used in final report Could be correlated with hidden camera or corrupted E.g. to fix misspelling; security implication mentioned in poll worker comment Voting machine viruses Subtle ways to steal votes Change a few votes your way, revert if the voter Two-way data flow between voting and office notices machines Compare: flip coin to split lunch Hijacking vuln’s in software on both sides Control the chute for where VVPAT receipts go ✦ can write virus to propagate between machines Exchange votes between provisional and regular Leverage small amount of physical access voters Outline Note to early readers Elections and their security This is the section of the slides most likely to change System security of electronic voting in the final version If class has already happened, make sure you have Announcements intermission the latest slides for announcements End-to-end verification Outline End-to-end integrity and verification Elections and their security Tabulation cannot be 100% public System security of electronic voting But how can we still have confidence in it? Cryptography to the rescue, maybe Announcements intermission Techniques from privacy systems, others Adoption requires to be very usable End-to-end verification
Commitment to values Randomized auditing How can I prove what’s in the envelope without Two phases: commit, later open opening it? Similar to one use of envelopes ♥ envelopes, you pick one and open the rest Binding property: can only commit to a single value Chance ✶❂♥ of successful cheating Hiding property: value not revealed until opened Better protection with repetition Election mix-nets Pattern voting attack Independent election authorities similar to remailers Widely applicable against techniques that reveal Multi-encrypt ballot, each authority shuffles and whole (anonymized) ballots decrypts Even a single race, if choices have enough entropy Extra twist: prove no ballots added or removed, 3-choice IRV with 35 candidates: 15 bits without revealing permutation Buyer says: vote first for Bob, then 2nd and 3rd for Instance of “zero-knowledge proof” Kenny and Xavier Privacy preserved as long as at least one authority Chosen so ballot is unique is honest Fun tricks with paper: visual crypto Scantegrity II Want to avoid trusted client, but voters can’t do Designed as end-to-end add-on to optical scan computations by hand system Analogues to crypto primitives using physical objects Fun with paper 2: invisible ink One-time pad using transparencies: Single trusted shuffle Checked by random audits of commitments
Recommend
More recommend
