Motivation Requirements Threats Approaches Case studies Conclusions
Introduction to Internet Voting
Information Security, SS10
Michael Schläpfer
Information Security Group, ETH Zurich
03 June 2010
Michael Schläpfer 1 / 54
Outline
1 Motivation
   What is voting?
2 Requirements
3 Threats
4 Approaches
5 Case studies
6 Conclusions
What is voting?
Aspects involved
Legal
Social
Technical: Security Engineering, System Security, Cryptographic Protocols, Formal Methods in Information Security, . . .
What is voting?
The fundamental principles of democracy
Electronic voting must be embedded in and support democratic processes!
δημοκρατία (demokratía): "rule of the people"
Foundations: Equality, Freedom
Direct democracy: Elections, Initiatives, Referenda
Representative democracy: Elections
What is voting?
How to capture the free will?
Poll-site based voting: Open elections (“Landsgemeinde”), Anonymous elections (voting booth)
Absentee voting: Via postal mail (Switzerland), Via Internet
What is voting?
General voting process
Figure: The phases of an election.
What is voting?
Why electronic voting?
Example
In the 2000 election, especially in the disputed recounts in Florida, there were issues concerning the ambiguities and uncertainties that arose from punch-card ballots, such as the hanging chads (incompletely punched holes). In 2004, the punch-card ballots were still widely used in some states. For example, most Ohio voters used punch-card ballots, and more than 90,000 ballots cast in Ohio were treated as not including a vote for President; this "undervote" could arise because the voter chose not to cast a vote or because of a hanging chad.
Improve accuracy
Maximize trust
Minimize costs
Speed up the tallying
What is voting?
Arguments for Internet voting(?)
Citizens living abroad
Simplify voting process
Decrease again the costs
Additional channel
Improve voter turnout
Because everything can be done over the Internet, really?
What is voting?
Isn’t this just like eBanking?
“And, we have already secure eBanking! Yes, but . . . ”
Maybe not as secure as you might think
Built-in reality checks (statistical analysis)
Account statements
Insurance
No anonymity
A recently stated opinion:
“. . . a secure internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers.”
Outline
1 Motivation
2 Requirements
   Existing requirements lists
   Requirements engineering
3 Threats
4 Approaches
5 Case studies
6 Conclusions
Existing requirements lists
EU recommendations 2004
List of requirements for electronic voting systems¹
Based on a legal perspective
Starting point for the development of a serious implementation
Fine, but . . .
¹ http://www.coe.int/t/dgap/democracy/Activities/Key-Texts/Recommendations/00Rec(2004)11_rec_adopted_en.asp
Existing requirements lists
Critics
Fine, but . . .
Focussed on legal requirements
Created by legal experts
Specific implementations in mind
Partly overspecified
Partly underspecified
Contradictions
Examples can be found in: http://www.cs.nuim.ie/~mmcgaley/Download/evt_presentation.pdf
Requirements engineering
Recommended procedure
Abstract high-level principles, defined by legal experts
Abstract general requirements, which imply the principles
Concrete security requirements, as foundations for the design and implementation of a system
Requirements engineering
Legal principles
Universal suffrage: Every eligible voter shall have the ability to cast his free intention.
Equal suffrage: Each vote shall have the same impact on the result.
Free suffrage: Voters shall be able to cast their intention absolutely free and without influence or pressure.
Secret suffrage: Every measure shall be taken for voters’ choices to remain secret.
Requirements engineering
Developing the general requirements
Democracy: Only authorized voters can vote, and only once.
Privacy: The voter’s choice remains secret and cannot be linked to the voter (anonymity), and the voter cannot prove his choice to any third party (receipt-freeness).
Fairness: At no time during the election can any intermediary result be obtained.
Accuracy: The system behaves correctly, i.e. every eligible vote is used in the tally and cannot be altered or removed. No invalid vote is counted in the tally.
Verifiability: Every step in the election is reproducible and the correctness of the entire election can be checked.
Requirements engineering
Example: Privacy refined
Secrecy: The votes remain secret, hence it is not possible in any phase to gain information about an individual voter’s vote, not even for the organizing authority.
Receipt-freeness: No information is given to the voter that allows him to prove any information about his individual choice to any third party. This includes proving what he did not vote for or that he voted at all!
. . .
Requirements engineering
Challenging requirements (amongst others...)
Receipt-freeness: No information is given to the voter that allows him to prove any information about his individual choice to any third party. This includes the impossibility to prove what he did not vote for or that he voted at all.
Individual verifiability: The voter is given a proof that his vote has been recorded as intended, hence he is able to check this. Many researchers mention this requirement but leave open what to do when this check fails. Part of this requirement is also that the procedures to be taken in such a case are defined as well.
Outline
1 Motivation
2 Requirements
3 Threats
   Overview
   Secure platform problem
4 Approaches
5 Case studies
6 Conclusions
Overview
Sources and motivations (amongst others)
Script kiddies: Searching for the thrill and showing their hacking skills.
Political parties: Trying to improve their political influence.
Criminals: Trying to influence the law for their own benefits.
Foreign intelligence: Trying to control or to destabilize the political system of a country.
Globally operating companies: Trying to control the law for their own benefits and possessing multi-billion budgets.
Conclusion:
Attacker is possibly very powerful and skilled!
Overview
Two important threats
In the following, we focus on two specific threats.
. . .
Voter coercion / Vote buying (Secrecy/Privacy)
Modification of votes (Integrity)
. . .
Secure platform problem
An ideal world
Figure: A protocol between Alice and Bob.
Question:
Does this really reflect the Internet?
Secure platform problem
A dangerous world
Figure: A protocol between Alice and Bob.
Possible solution:
Encrypt and authenticate messages over the insecure channel.
Secure platform problem
Establish secure communication
Figure: A protocol between Alice and Bob.
Question:
But Alice and Bob do not communicate directly with each other, they use their computers, right?
Secure platform problem
A realistic setting
Figure: A protocol between Alice’s and Bob’s Computers.
Question:
What about malware on Alice’s and Bob’s computers?
Secure platform problem
An extremely dangerous world
Figure: A protocol between Alice’s and Bob’s Computers.
Possible solution:
Encrypt the channel just as before.
Secure platform problem
How to establish a secure channel now?
Figure: A protocol between Alice’s and Bob’s Computers.
Questions:
What are the computing capabilities of Alice and Bob?
Is this really reasonable?
Outline
1 Motivation
2 Requirements
3 Threats
4 Approaches
   Integrity
   Secrecy
5 Case studies
6 Conclusions
Integrity
Integrity: Voter verifiability
Idea:
The voter can check the correctness of every single step himself!
Individual verifiability gives the voters the opportunity to verify that their individual ballot was processed correctly.
Universal verifiability gives the electorate or even the entire public the opportunity to verify the correctness of an operation or protocol phase, e.g. to verify the correctness of the vote counting in the tallying phase.
When every step is verifiable, the entire election is End-to-End verifiable (E2E).
Integrity
Integrity: An overview of E2E verifiability
Individually verifiable: Cast as intended, Recorded as cast
Universally verifiable: All other phases
Figure: Source: Ben Adida.
We will see later how voter verifiability can be achieved!
Secrecy
Idea:
Trick your own platform!
Pre-encrypt all messages in advance (“mapping table”)
Use a dedicated secure channel prior to the election to receive the “mapping table”
Enter pre-encrypted messages into the untrusted platform
The voter’s computing capability requirements are reduced to simply comparing options in a mapping table!
We will see later how pre-encryption can be achieved in practice!
Outline
1 Motivation
2 Requirements
3 Threats
4 Approaches
5 Case studies
   Code Voting (Secrecy)
   Visual cryptography (Integrity)
6 Conclusions
Code Voting (Secrecy)
Key idea
Remember:
A secure channel from physical Alice to physical Bob!
Code Voting (Secrecy)
Protocol functioning: Initial proposal
1 Authority generates a code sheet (“mapping table”)
2 Code sheet is distributed over a dedicated (secure) channel
3 Alice chooses an option and enters the corresponding code into her computer
4 Alice’s computer sends ballot to authority
Question:
How can Alice be sure that her vote was correctly received by the authority?
Code Voting (Secrecy)
Protocol functioning: Refined proposal
1 Authority generates a code sheet (“extended mapping table”)
2 Code sheet is distributed over a dedicated (secure) channel
3 Alice chooses an option and enters the corresponding code into her computer
4 Alice’s computer sends ballot to authority
5 The authority sends back the corresponding confirmation code
6 Alice compares the received confirmation code with the expected one
Code Voting (Secrecy)
Security properties
E.g. 5-digit codes (26 letters and numbers 1 to 9) result in a code space of size $35^5 = 52'521'875$ different codes
Attacker can only guess what the code could stand for and is successful with a probability of $1/\#\text{options}$, but he cannot verify his guess anyway
Assume the voter can choose from 10 options (candidates), then the attacker’s probability to correctly guess another valid code is $9/52'521'874$
Ballot casting assurance possible through the use of confirmation codes
Voter has to trust the authority (there are ways to minimize the affordable trust!)
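The refined proposal and the security properties above, as an added Python example that is not from the lecture: the authority draws per-voter voting and confirmation codes from the 35-symbol alphabet, only the opaque code ever enters the voter's platform, and a platform that swaps the code for a guess cannot produce the confirmation code the voter expects. Option names, the code-sheet layout and the two platform functions are constructed for this example.

```python
import hmac
import secrets
import string

# Constructed parameters for this example (not the lecture's reference implementation).
ALPHABET = string.ascii_uppercase + "123456789"     # 26 letters + digits 1..9 = 35 symbols
CODE_LEN = 5                                        # 35**5 = 52'521'875 possible codes
OPTIONS = [f"Candidate {i}" for i in range(1, 11)]  # 10 options, as on the slide


def fresh_code(used: set) -> str:
    """Draw a random code that does not collide with any code already on the sheet."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        if code not in used:
            used.add(code)
            return code


class Authority:
    """Steps 1/2: generates the extended mapping table per voter; step 5: answers ballots."""

    def __init__(self, options):
        self.sheets = {}                            # voter_id -> {option: (voting, confirmation)}
        self.tally = {opt: 0 for opt in options}

    def issue_sheet(self, voter_id: str) -> dict:
        used = set()
        sheet = {opt: (fresh_code(used), fresh_code(used)) for opt in self.tally}
        self.sheets[voter_id] = sheet
        return dict(sheet)                          # delivered over the dedicated secure channel

    def receive_ballot(self, voter_id: str, voting_code: str):
        """Map the opaque code back to an option; return its confirmation code, None if invalid."""
        for opt, (vc, cc) in self.sheets[voter_id].items():
            if hmac.compare_digest(vc, voting_code):
                self.tally[opt] += 1
                return cc
        return None


def honest_platform(authority):
    """Alice's computer forwarding exactly what she typed (step 4)."""
    return lambda voter_id, code: authority.receive_ballot(voter_id, code)


def tampering_platform(authority):
    """Malware that swaps the typed code for a guess: it sees only an opaque code, not the choice."""
    def send(voter_id, code):
        guess = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        return authority.receive_ballot(voter_id, guess)
    return send


def cast_vote(sheet: dict, choice: str, platform, voter_id: str) -> bool:
    """Steps 3 and 6: enter only the code, then compare the returned confirmation code."""
    voting_code, expected_confirmation = sheet[choice]
    received = platform(voter_id, voting_code)
    return received is not None and hmac.compare_digest(received, expected_confirmation)


def guess_probability(n_options: int) -> float:
    """Chance that one random guess hits one of the other n-1 valid codes (9 / 52'521'874 for 10)."""
    code_space = len(ALPHABET) ** CODE_LEN
    return (n_options - 1) / (code_space - 1)
```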
Code Voting (Secrecy)
Open issues: Usability
Security increases with the number of digits of the codes
At the same time usability decreases with the number of digits of the codes
Meaningful tradeoff has to be found
For elections, voters in Zurich can choose 34 candidates out of hundreds: This leads to the voter entering around 150 digits in order to elect!
There are ideas to improve usability (e.g. barcodes)
Visual cryptography (Integrity)
Overview
A Voter enters choice and gets two receipts for which she is able to verify the correctness of the encryption visually
B Voter chooses one receipt randomly. This receipt is published on a bulletin board
C Talliers decrypt and mix the encrypted receipts
Visual cryptography (Integrity)
Key idea
Let = 1 and = 0. Then we define a visual xor operation $\oplus_v$ such that:
$1 \oplus_v 1 = 0$, $0 \oplus_v 0 = 0$, $1 \oplus_v 0 = 1$, $0 \oplus_v 1 = 1$
Represent voter’s choice as matrix of parity cells (visual representation of a bit string)
Figure: Parity cells. (Source: David Chaum)
Figure: An example. (Source: David Chaum)
Visual cryptography (Integrity)
Protocol functioning: Preliminaries
Controlled voting booth used
Voting machine holds three keys for: Signing BSN (bottom), Signing BSN (top), Overall signing of the entire receipt
There exist two hash functions $h$ and $h'$, where $h$ is public and $h'$ (keyed) is only known to authority and official auditors (e.g. political parties)
Every tallier holds a private key and the corresponding public key is public
Visual cryptography (Integrity)
Protocol functioning: Encryption
1 Voter’s choice represented as $m \times n$-matrix $B$. $B$ is "checkerboarded" to bitstrings $B^t$ and $B^b$ of length $mn/2$
2 $2k$ pseudo-random hash values $v^t_i$ and $v^b_i$ of length $mn/2$ are generated from the signed BSN (Ballot Sequence Number) using $h$:
$d^t_i = h'(v^t_i)$ and $d^b_i = h'(v^b_i)$
$W^t := \bigoplus_{1 \le i \le k} d^t_i$ and $W^b := \bigoplus_{1 \le i \le k} d^b_i$
In parallel, the top doll $D^t$ and the bottom doll $D^b$ are created for later decryption:
$D^t := \{v^t_k, \{\cdots \{v^t_2, \{v^t_1\}_{pk_1}\}_{pk_2} \cdots\}_{pk_{k-1}}\}_{pk_k}$
3 $B^t$ and $B^b$ are encrypted by bitwise xor-ing with the corresponding $W$:
$R^t := B^t \oplus W^t$
$R^b := B^b \oplus W^b$
4 Reverse "checkerboard" $B^t$ with $W^b$ and $B^b$ with $W^t$ to the top layer $L^t$ and the bottom layer $L^b$
Represent the layers with visual parity cells
Visual cryptography (Integrity)
Protocol functioning: Vote casting
Voter chooses layer randomly
Voting machine signs BSN with the corresponding signing key
Voting machine prints all this information on the chosen layer’s receipt
Voting machine signs with overall signing key: chosen layer $L^x$, BSN, signed BSN, dolls $D^t$ and $D^b$
Chosen receipt is scanned and published
Visual cryptography (Integrity)
Protocol functioning: Tallying
Remember:
$D := \{v_k, \{\cdots \{v_2, \{v_1\}_{pk_1}\}_{pk_2} \cdots\}_{pk_{k-1}}\}_{pk_k}$
$h'$ known to authority (talliers) and $W := \bigoplus_{1 \le i \le k} h'(v_i)$
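Encryption steps 1 to 4 and the talliers' recovery, as an added Python example that is neither the lecture's code nor Chaum's implementation: $h$ is modelled with SHA-256 and the keyed $h'$ with HMAC, signatures and the dolls are left out, and the layers are assembled from the encrypted strings $R^t$, $R^b$ of step 3 as $L^t = (R^t, W^b)$ and $L^b = (W^t, R^b)$ so that overlaying them yields $B$. The image size, number of talliers, key and sample ballot are constructed values.

```python
import hashlib
import hmac
# Constructed parameters for this example (not Chaum's reference implementation).
M, N = 4, 6                     # ballot image B is an m x n bit matrix, m*n even
K = 3                           # number of talliers, hence k hash values per layer
HALF = M * N // 2               # length mn/2 of B^t, B^b, v_i, d_i and W
H_PRIME_KEY = b"example-key"    # key of h'; known only to the authority and auditors
# Constructed sample ballot image and signed BSN (the signature itself is not modelled).
SAMPLE_B = [[1, 0, 1, 1, 0, 0], [0, 1, 1, 0, 1, 0], [1, 1, 0, 0, 1, 1], [0, 0, 1, 0, 0, 1]]
SIGNED_BSN = b"BSN-000042|signature-placeholder"

def _bits(digest, msg: bytes) -> list:
    """Expand a digest function into a HALF-long bit list (counter mode)."""
    out, ctr = [], 0
    while len(out) < HALF:
        for byte in digest(msg + bytes([ctr])):
            out.extend((byte >> s) & 1 for s in range(7, -1, -1))
        ctr += 1
    return out[:HALF]

def h(signed_bsn: bytes, layer: str, i: int) -> list:
    """Public hash h: v^x_i derived from the signed BSN; any voter can recompute it."""
    return _bits(lambda m: hashlib.sha256(m).digest(), signed_bsn + layer.encode() + bytes([i]))

def h_prime(v: list) -> list:
    """Keyed hash h': d_i = h'(v_i); without the key the pad W is unpredictable."""
    return _bits(lambda m: hmac.new(H_PRIME_KEY, m, hashlib.sha256).digest(), bytes(v))

def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]

def pad(signed_bsn: bytes, layer: str) -> list:
    """W^x := XOR over 1<=i<=k of h'(v^x_i). The doll D^x (onion over the v_i) is not modelled."""
    w = [0] * HALF
    for i in range(1, K + 1):
        w = xor(w, h_prime(h(signed_bsn, layer, i)))
    return w

def checkerboard(matrix: list) -> tuple:
    """Split an m x n matrix into 'top' cells ((r+c) even) and 'bottom' cells ((r+c) odd)."""
    cells = [(matrix[r][c], (r + c) % 2) for r in range(M) for c in range(N)]
    return [v for v, p in cells if p == 0], [v for v, p in cells if p == 1]

def interleave(top: list, bottom: list) -> list:
    """Reverse checkerboard: top cells at even positions, bottom cells at odd positions."""
    it, ib = iter(top), iter(bottom)
    return [[next(it) if (r + c) % 2 == 0 else next(ib) for c in range(N)] for r in range(M)]

def encrypt_ballot(B: list, signed_bsn: bytes) -> tuple:
    """Steps 1-4: R^t = B^t xor W^t, R^b = B^b xor W^b; L^t = (R^t, W^b), L^b = (W^t, R^b)."""
    Bt, Bb = checkerboard(B)
    Wt, Wb = pad(signed_bsn, "t"), pad(signed_bsn, "b")
    return interleave(xor(Bt, Wt), Wb), interleave(Wt, xor(Bb, Wb))

def overlay(Lt: list, Lb: list) -> list:
    """Visual xor of the two stacked layers: the voter sees the ballot image B again."""
    return [[a ^ b for a, b in zip(rt, rb)] for rt, rb in zip(Lt, Lb)]

def tally_decrypt(layer: str, L: list, signed_bsn: bytes) -> list:
    """Talliers know h': from one published layer they recover only the ballot half it carries; its other cells are the opposite pad W and reveal nothing (None)."""
    top, bottom = checkerboard(L)
    if layer == "t":
        return interleave(xor(top, pad(signed_bsn, "t")), [None] * HALF)
    return interleave([None] * HALF, xor(bottom, pad(signed_bsn, "b")))
```

Because only $h'$ turns the publicly recomputable $v_i$ into the pad $W$, a voter can regenerate the $v_i$ but not strip the pad from the published layer, which is why the scheme needs the dolls and audits rather than voter-side decryption.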
Visual cryptography (Integrity)
Security properties
Voter is able to:
Check the correctness of all the signatures printed on the receipt
Generate the $k$ hash values $v^x_i$ from the signed BSN
Check the correctness of the doll $D^x$ printed on his layer by sequentially encrypting the hash values $v^x_i$ with the public keys of the respective tallier $i$
Check that the published receipt indeed corresponds to his receipt
The tallying phase can be made universally verifiable
Visual cryptography (Integrity)
Adaption to Internet voting
Voter needs an accurate printer that can print on transparent foils
Voter needs a scanner
Complicated procedure for home use
User is in possession of the entire receipt (both layers!)
Conclusion:
Not applicable for Internet voting!
Outline
1 Motivation
2 Requirements
3 Threats
4 Approaches
5 Case studies
6 Conclusions
   Future work
Future work
Conclusions
There are many open issues!
Future work involves:
Analysis of latest proposals
Formal model of Internet voting protocols (with compromising adversary)
Finding attacks on existing protocols
Improving existing protocols (e.g. usability in code voting)
Defining new modular proposals w.r.t. the security requirements mentioned before
Future work
Further readings
D. Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy Magazine, Citeseer, 2004. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.7870&rep=rep1&type=pdf
R. Oppliger. How to address the secure platform problem for remote internet voting. Sicherheit in Informationssystemen, vdf Hochschulverlag AG, 2002. http://pubs.esecurity.ch/sis_2002.pdf
J. Bryans and P. Ryan. A dependability analysis of the Chaum digital voting scheme. University of Newcastle upon Tyne Technical Report Series CS-TR-809, 2003. http://www.cs.ncl.ac.uk/research/pubs/trs/papers/809.pdf