8/14/2019 Secure Electronic Voting
1/28
Secure Electronic Voting
Dr. Costas Lambrinoudakis, Lecturer
Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece
&
e-Vote Project, Technical Director, European Commission, IST Program
COMPSEC-2003 / Friday 31-10-2003 C. Lambrinoudakis

Slide 2: What is electronic voting?
"An electronic voting (e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information." (Network Voting System Standards, VoteHere, Inc., April 2002)

Taxonomy of voting systems (figure):
Voting
  Paper voting: paper ballots, punchcards, ...
  E-voting
    Polling place voting: precinct voting, kiosk voting
    Internet voting

Slide 3: Do we need electronic voting systems? *
Electronic voting has been considered to be an efficient and cost effective alternative / complement of the conventional voting procedure:
- They could lead to increased voter turnout, thus supporting the democratic process.
- They could give elections new potential (by providing ballots in multiple languages, accommodating lengthy ballots, etc.), thus enhancing the democratic process.
- They could open a new market, supporting commerce and employment.

* D. Gritzalis (Ed.), Secure Electronic Voting, Kluwer Academic Publishers, USA, January 2003.

Slide 4: Opportunities for electronic voting
- Most countries believe that Internet voting will occur within the next decade.
- Internet voting options satisfy voters' desire for convenience.
- Internet voting can satisfy the requirements of people with special needs.
- Several countries are willing to try Internet voting for a small scale election (local / regional).
- The technology is available.

Slide 5: Barriers to electronic voting
- Lack of common voting system standards across nations.
- Time and difficulty of changing national election laws.
- Time and cost of certifying a voting system.
- Security and reliability of electronic voting.
- Equal access to Internet voting for all socioeconomic groups.
- The Digital Divide problem (both for election organisers and voters).
- Political risk associated with trying a new voting system.
- Need for security and election experts.

Slide 6: Generic voting principles
- Only eligible persons can vote.
- No person can vote more than once.
- The vote is secret.
- Each (correctly cast) vote gets counted.
- The voters trust that their vote is counted.

Internet Policy Institute, Report of the National Workshop on Internet Voting, March 2001

Slide 7: Identifying e-Voting Requirements
But do we really know what the expected functionality of an e-voting system is?
- To which election process does it apply (general elections, internal elections, polls, ...)?
- Does it comply with the existing legal framework?
- Is it secure?
- Are the actors (users) of the system and their roles clearly defined?

Slide 8: Identifying e-Voting Requirements
Two approaches for ... what we need. An e-voting system may be specified either:
- as a set of guidelines to be adopted for ensuring conformance to the legislation (State Authority point of view), or
- in terms of the problems associated with the provision of the adequate level of security (anonymity, authentication, tractability, etc.) (System Engineer point of view).

Slide 9: Identifying e-Voting Requirements
None of these approaches is complete!
- Legal Requirements: abstract formulations (laws, principles etc.)
- Functional Requirements: usability properties
- Non-Functional Requirements: security and system properties (flexibility, efficiency etc.)

Slide 10: Identifying e-Voting Requirements
A third approach, proposed by the e-VOTE project *: requirements elicitation based on a Generic Voting Model, taking into account:
- European Union legislation.
- Organisational details of the conventional voting processes.
- Opportunities offered and constraints imposed by state-of-the-art technologies.
The aim of the developers is to express:
- the legal requirements,
- the security (non-functional) requirements,
- the functional requirements,
as a User Requirements Specification document that sets specific Design Criteria.

* Consortium: Q&R (GR), Univ. of the Aegean (GR), Cryptomathic (DK), Univ. of Regensburg (D), Municipality of Amaroussion (GR), Self Governing Region of Kosice (SK)

Slide 11: Design Criteria (Non-functional: Security and other System Properties)
For an electronic voting system to comply with the constitutional and legal requirements, it must exhibit specific security properties, aiming at protecting the:
- Democracy: Only eligible voters are allowed to vote and each eligible voter can only cast a single vote.
- Accuracy: The announced tally exactly matches the actual outcome of the election, implying that no one can change anyone else's vote, all valid votes are included in the final tally and no invalid vote is included in the final tally.
- Privacy: No one should be able to determine how any other individual voted.
- Integrity: Votes should not be able to be modified without detection.
- Verifiability: Mechanisms for auditing the election in order to ensure that it has been properly conducted (Universal or Individual).

Slide 12: Design Criteria (Non-functional: Security and other System Properties)
- Robustness: No reasonably sized coalition of voters or authorities may disrupt the election. Protection against external threats and attacks, e.g. denial of service attacks.
- Non-coercibility: Voters should not be able to convince any other participant of what they have voted. There is no receipt proving the content of their vote.
- Fairness: Ensures that no one can learn the outcome of the election before the announcement of the tally.
- Verifiable Participation: Ensures that it is possible to find out whether a particular voter has participated in the election by casting a ballot or not.
- Transparency: Participants should be able to possess a general understanding of the entire process.

Slide 13: Design Criteria (Non-functional: Security and other System Properties)
- Flexibility: Equipment should allow for a variety of ballot question formats, in various languages and adaptable to many types of election processes.
- Convenience: Voters should be able to cast votes with minimal equipment and skills.
- Reliability: The system must be resistant to randomly generated malfunctions.
- Voter Mobility: There should be no restrictions on the location from which a voter can cast a vote.
- Efficiency: Overall system performance (the complexity of the scheme becomes a crucial system parameter). The time needed by a voter to cast a ballot poses an upper bound on the number of voters that are allowed to participate in a specific election (scalability).

Slide 14: Design Criteria (Functional Requirements)
Support all essential services for organizing and conducting an opinion expressing process:
- Poll
- Decision-making (e.g. Referenda)
- Internal election
- General election
Depending on the specific process, the services may include voter registration, vote casting, voter authentication, calculation of the vote tally, verification of the election result, etc.

Slide 15: Requirements for different types of election processes
The General Election requirements are practically a superset of those regarding the other election processes:
- General elections
- Internal elections
- Decision-making procedures (e.g. Referenda)
- Polls

Slide 16: The e-VOTE System
Provides all the necessary services for organising and conducting a voting process:
- Election Set-up: supports election organisers to register all eligible voters, issue authentication means, ballot generation, management and specification of voting districts etc.
- Election in Progress: offers an easy and user friendly environment for the interaction of the voter with the system through a conventional WWW browser.
- Election Concluded: automatic generation of the vote tally.
Modular and highly flexible multi-tier architecture that supports a wide range of voting processes (use of election templates).
Its operation is independent of the geographical coverage of the voting process and thus of the number of voting districts and voters.

Slide 17: The e-VOTE System
The Voting Protocol (Damgård-Jurik) is based on a homomorphic encryption scheme known as the Generalised Paillier encryption scheme.
Instead of hiding the identity of the voters, using anonymous voting methods, the protocol hides the contents of the ballot itself. The ballot is submitted in a traceable manner, attached to the voter identity, so that the verifiability property is easily satisfied.
The vote tally can be calculated without decrypting any of the ballots:
E(T1) · E(T2) = E(T1 + T2)

Slide 18: The e-VOTE System
The clear text vote (M^j) is encrypted, and a zero-knowledge proof that the cipher-text vote is of the form M^j for j in [0, ..., L-1] is produced. The encrypted vote is the pair of the cipher text and the zero-knowledge proof.
The encryption of the vote is done through a public key. The decryption of the result is done through a private key that has been secret-shared to the tally servers. The shares have to be constructed w.r.t. a threshold value t so that no information about the private key leaks as long as at most t servers are corrupt; t+1 servers are needed for decrypting the result.
There are no competing protocols using homomorphic encryption; ordinary ElGamal is too slow for a large number of voters and candidates.
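An added example (my code, not the e-VOTE project's) of the tally-without-decryption property from slides 17 and 18: textbook Paillier over constructed toy primes, the M^j vote encoding, multiplication of the ballots, and a base-M decode of the decrypted sum. The zero-knowledge proof of ballot form and the threshold sharing of the private key are omitted, so decryption here assumes a single key holder.

```python
import math
import secrets

# Toy primes, constructed for illustration: n = p*q must exceed M**L below.
P, Q = 101, 113

def keygen(p=P, q=Q):
    """Textbook Paillier key pair with g = n + 1 (single key: no threshold sharing here)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n+1, L(g^lam mod n^2) = lam (mod n)
    return (n, n + 1), (lam, mu)

def encrypt(pk, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def tally(pk, ciphertexts):
    """Multiply the ballots: E(T1) * E(T2) = E(T1 + T2), so no ballot is decrypted."""
    n2 = pk[0] ** 2
    total = 1
    for c in ciphertexts:
        total = total * c % n2
    return total

def decode_tally(plain_sum, M, L):
    """Per-candidate counts are the base-M digits of the decrypted sum of M^j votes."""
    return [(plain_sum // M ** j) % M for j in range(L)]

def run_election(votes, L, M):
    """votes[i] = chosen candidate index j; returns counts per candidate 0..L-1."""
    pk, sk = keygen()
    assert M > len(votes) and M ** L < pk[0], "encoding does not fit the message space"
    ballots = [encrypt(pk, M ** j) for j in votes]  # clear text vote is M^j
    return decode_tally(decrypt(pk, sk, tally(pk, ballots)), M, L)
```

M must be larger than the number of voters so that no per-candidate digit overflows into the next one, and M^L must stay below n so the sum fits the plaintext space.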

Slide 19: The e-VOTE System
Architecture (diagram). Components: Registration client, CA, Voter (Web browser), Web server, Message board, Tally server (x2), Administrative client. Labelled links: PKCS#10/PKCS#7, Decryption shares.

Slide 20: Is a Secure Voting Protocol Enough??
A lot of research effort has been spent on designing and building voting protocols that can support the voting process, while fulfilling the security requirements (design criteria).
However, not much attention has been paid to the administrative part of an electronic voting system that supports the actors of the system to set up the election.
Possible security gaps in the administrative workflow of the system may result in deteriorating the overall security level of the system.

Slide 21: Workflow

Slide 22: Identified System Actors
Actors and description:
- Election Organizers: People responsible for organizing the election process and ensuring that it is properly conducted.
- Election Personnel: People actually performing the system use-cases, under the supervision of Election Organizers.
- Judicial Officers: People responsible for monitoring the election process and ensuring that it is carried out in a legal way.
- Party Representatives: People appointed by parties to monitor the election process.
- Independent Third Parties: People neutral from participating parties, responsible for monitoring the election process and for providing reasonable assurance with regard to its integrity.
- Voters: People eligible to participate in the voting process.

Slide 23: Actors participation in e-voting: Authorization and Validation
- Use cases can only be performed by authorized actors ("roles").
- An additional validation phase is employed before committing the outcome of a use case.
- The validation phase is implemented through a separate use case, namely the "Validate Action".

Slide 24: Actors participation in e-voting
Use case activation (A) / validation (V) matrix. Participating roles: Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party. Entries are listed in the order they appear on the slide (blank cells omitted):
- Authenticate Actor: A A A A A A
- Validate Action: N/A A A A A
- Modify System State: A V V
- Manage Election Districts: V A
- Provide Election System Parameters: V A V

Slide 25: Actors participation in e-voting
Use case activation (A) / validation (V) matrix (continued). Participating roles: Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party. Entries are listed in the order they appear on the slide (blank cells omitted):
- Manage Voters: V A
- Provide Authentication Means: V A
- Manage Parties: V A
- Manage Candidates: V A
- Preview Ballots: A A A
- Cast Vote: A
- Tally Votes: A V V V
- Verify Result Integrity: A V V
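An added example (my code, not the e-VOTE project's) of the activate-then-validate rule from slides 23 to 25: a use case commits only when an authorized activator's action has been validated by a different actor holding a V right on it. The role-to-cell assignment in POLICY is constructed for illustration and assumes column positions the slide does not make explicit.

```python
A, V = "A", "V"  # A = may activate the use case, V = may validate its outcome

# Constructed policy table (assumed role-to-column mapping): use case -> role -> right.
POLICY = {
    "Authenticate Actor": {"Election Organizer": A, "Party Representative": A,
                           "Election Personnel": A, "Voter": A,
                           "Judicial Officer": A, "Independent Third Party": A},
    "Cast Vote": {"Voter": A},
    "Manage Voters": {"Election Organizer": V, "Election Personnel": A},
    "Tally Votes": {"Election Personnel": A, "Party Representative": V,
                    "Judicial Officer": V, "Independent Third Party": V},
}

def has_right(use_case, role, right):
    """True iff `role` holds `right` (A or V) on `use_case`; unknown use cases grant nothing."""
    return POLICY.get(use_case, {}).get(role) == right

def needs_validation(use_case):
    """A use case needs the separate Validate Action step iff some role holds V on it."""
    return V in POLICY.get(use_case, {}).values()

def commit_use_case(use_case, activator, validators=()):
    """Decide whether the outcome of `use_case` may be committed.

    `activator` and each validator are (actor_id, role) pairs. Returns one of
    "denied" (activator lacks A), "committed" or "pending validation"."""
    act_id, act_role = activator
    if not has_right(use_case, act_role, A):
        return "denied"
    if not needs_validation(use_case):
        return "committed"  # e.g. Cast Vote: activation alone commits
    for val_id, val_role in validators:
        if val_id == act_id:
            continue  # an actor never validates their own action
        if has_right(use_case, val_role, V):
            return "committed"
    return "pending validation"
```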

Slide 26: (Secure) Electronic voting: (instead of) Conclusions
Description of actor roles together with a clear indication of what each actor is allowed to do with the system formulates an operational framework that complements the technological security features of the system.
- Rapidly emerging issue...
- Of a socio-technical nature...
- Contradicting views...
- Further experimentation is needed
In the meantime, as complementary only!

Slide 27: The debate is still going on...
"The shining lure of these hype-tech voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve."
P. Neumann (SRI) (2002)

"An Internet voting system would be the first secure networked application ever created in the history of computers."
B. Schneier (Counterpane) (2002)

"At least a decade of further research and development on the security of home computers is required before Internet voting from home should be contemplated."
Ron Rivest (MIT) (2001)

Slide 28: Something like a motto...
Electronic voting: Between pessimism (bureaucracy) and optimism (technology) we choose realism (democracy)!!