Embed Size (px)
DESCRIPTION
Internet Voting Technology and policy issues. David Wagner UC Berkeley. Introductions. I’m a computer security researcher We study attacks and countermeasures Before one can design a system that will resist attack, one must anticipate how it might be attacked. No Secrets. - PowerPoint PPT Presentation
Citation preview
Internet VotingTechnology and policy issues
David WagnerUC Berkeley
Introductions• I’m a computer security researcher
• We study attacks and countermeasures– Before one can design a system that will resist attack,
one must anticipate how it might be attacked
No Secrets
• Proactive study of attacks is generally a good thing• Mounting such attacks is not, of course
– Don’t use your super powers for evil
Selective History of Voting (US)• early 1800’s: public oral voting at County Hall• 1800’s: free-form, non-secret paper ballots popular• 1884: widespread vote fraud• 1888: adoption of Australian secret ballot• 1930’s: lever machines widely adopted• 1960’s: punchcard voting developed• 2000: butterfly ballots, chad, Florida, gack!• 2002: HAVA
Attacks on the Secret BallotRegistration fraud:• Register in multiple
jurisdictions• Graveyard voting• “Cleanse” the voter list• Districting & re-districting
Voter fraud:• Vote multiple times (ballot
box stuffing)• Multiple voting• Impersonation
Insider fraud:• Throw ballot boxes into the
bay• Stuff ballot box after polls
close• Sleight of hand• Voter intimidation• “Run out of ballots”
Tallying attacks:• Malicious talliers might
calculate wrong results• Give talliers bogus tools
Attacks on the Secret Ballot
Registration fraud:• Identity fraud
Voter fraud:• Impersonation• Vote multiple times• Vote buying, chain
voting
Insider fraud:• Ballot box stuffing• Ballot marking
Tallying attacks:• Inaccurate counts• Ballot marking• Manipulation of
challenge procedure
How Secure is the Secret Ballot?• It’s easy to forge a few fraudulent votes
• But: It’s very hard to forge a lot of fraudulent votes…
• Summary: Australian secret ballot is quite robust; a well-designed security system.
History of Internet Voting• 2000: 36,000 Arizona citizens vote in Democratic
primary over the Internet; 85 military personnel vote in November elections over the Internet
• 2000: California studies Internet voting; task force recommends against it
• 2000: NSF panel warns of security risks in Internet voting
• 2004: SERVE will accept votes over the Internet
The SERVE Project• A DoD project
for overseas voters
• Register & vote from abroad
• Vote over the Internet, using your Windows computer
Arkansas
Utah
Washington
Minnesota
Ohio
Pennsylvania
South Carolina
Florida
Hawaii
North Carolina
Key
State-wide Participation
Select county Participation
Legislation in Place
Who is eligible for SERVE? Overseas & military voters from participating jurisdictions (7 states, 51 counties)
The SERVE Architecture (1)
Internet
CitizenHTTPS
UVS Control Data Ballot Definitions
Voted Ballots(Encrypted)
LEO Processes•Voter Registration•Ballot Definition•Ballot Decryption•Ballot Tabulation•Voter History
WebServer
HTTPS, SFTP
SER
VEU
SA.g
ov
*
*
* Firewall** Identification & Authentication Process
SERVE server infrastructureElection officials
UVS Laptop
Ballot Definition
Voting Engine
Ballot Reconciliation
Voter Registration
I & A
Pro
cess
**
Voter Status CheckOverseas voters
EncryptedVoted Ballots
Ballot Def. Data
UVS Control Data
The SERVE Architecture (2)
LEO Infrastructure
UOCAVA Voting System (UVS)
Citizen
HTTPS
HTTPS
EncryptedVoted Ballots
Manual
Ballot Def. Data
UVS Control Data
Central ServerVoter History
LEO Local Workstations
LEO Local Workstations
Security Risks in SERVE (1)Software flaws:• Unintentional bugs might
enable remote attacks• Malicious code might
contain a backdoor• COTS software might be
insecure or backdoored
Insider attacks:• Votes cast could be
modified or deleted• Election officials could
learn how you voted, or count your votes incorrectly
• Sysadmins, developers could bypass security
Security Risks in SERVE (2)Attacks on the client:• Worms, viruses• Remote attacks• Malicious websites,
ActiveX
Denial of service attacks:• DDoS might render
servers unreachable• Targeted
disenfranchisement
Website spoofing:• Voters might be re-
directed to the wrong site (DNS hijacking, email)
• Spoofed site might observe or change votes
• Automated vote swapping and vote buying
Summary
• How do you know that your vote was counted?• How much security is enough?• How much security is too much?
You won the election, but I won the count.-- Somoza
Discussion?
Fighting Words• Internet voting is a danger to democracy• No voting system will ever be perfectly secure;
why worry?• Absentee vote-by-mail is already insecure; why
should Internet voting be held to a higher standard?• 30% of our military today can’t vote; a little
insecurity is worth it if it fixes the problem• The threat of extraterritorial election fraud is new,
and requires new laws
